Replies: 4 comments
-
I find the https://github.com/evm-sec/high-pcode (pcode-ast), what is this? |
Beta Was this translation helpful? Give feedback.
-
Do you mean interface as in that (third-party) window shown in the blog post: Or do you mean the data structure that allows you to write code like this: The first one: I don't think so. The second one: yes, check out edit Actually, take a look at Finally, if you want to do things like the example from the blog post ("Practical example: annotating the custom import table of a malware sample"), GHidra can do this just fine. |
Beta Was this translation helpful? Give feedback.
-
If I understand correctly, Pcode in Ghidra should be the micro code of hexray ? |
Beta Was this translation helpful? Give feedback.
-
Yes, that's a good comparison. Pcode in Ghidra can be low-level or high-level (informally, this mostly means "before optimization" and "after optimization and processing by decompiler"). I believe low-level pcode is lower-level than hexrays ucode, while high level pcode is definitely higher-level (for example, "call" opcode have recovered parameters) Some of the abstraction levels that you can work on in Ghidra are:
I wrote a quick PoC, and for this function: void main2(undefined4 *param_1,int param_2) {
BSTR bstrString;
do {
bstrString = (BSTR)*param_1;
if (bstrString != NULL) {
*param_1 = 0;
oleaut32.SysFreeString(bstrString);
}
param_1 = param_1 + 1;
param_2 += -1;
} while (param_2 != 0);
return;
} you get the following syntax tree: (list@NO ADDRESS):
(plain@00669e98):
(dowhile@NO ADDRESS):
(list@NO ADDRESS):
(properif@NO ADDRESS):
(plain@00669e9e):
669e9e (register, 0x18, 4) MULTIEQUAL (register, 0x8, 4) , (register, 0x18, 4)
669e9e (register, 0xc, 4) MULTIEQUAL (register, 0x0, 4) , (register, 0xc, 4)
669e9e (unique, 0x10000021, 4) LOAD (const, 0x1a1, 4) , (register, 0xc, 4)
669e9e (unique, 0x9380, 4) CAST (unique, 0x10000021, 4)
669ea0 (register, 0x206, 1) INT_NOTEQUAL (unique, 0x9380, 4) , (const, 0x0, 4)
669ea2 --- CBRANCH (ram, 0x669eb0, 1) , (register, 0x206, 1)
(plain@00669ea4):
669ea4 --- STORE (const, 0x1a1, 4) , (register, 0xc, 4) , (const, 0x0, 4)
669eab --- CALL (ram, 0x6653e4, 8) , (unique, 0x9380, 4)
(plain@00669eb0):
669eb0 (register, 0xc, 4) PTRADD (register, 0xc, 4) , (const, 0x1, 4) , (const, 0x4, 4)
669eb3 (register, 0x18, 4) INT_ADD (register, 0x18, 4) , (const, 0xffffffff, 4)
669eb3 (register, 0x206, 1) INT_NOTEQUAL (register, 0x18, 4) , (const, 0x0, 4)
669eb4 --- CBRANCH (ram, 0x669e9e, 1) , (register, 0x206, 1)
(plain@00669eb6):
669eb8 --- RETURN (const, 0x0, 4) Which is a... similar abstarction level to Ctree, I think? |
Beta Was this translation helpful? Give feedback.
-
Is there an interface in ghidra that corresponds to ida hexrays' ctree?
I hope to use ghidra's decompilation information to analyze the program.
Ida hexrays expose the api for developer to access the decompiled assembly code, ctree is the ast used by hexrays.
https://www.elastic.co/security-labs/introduction-to-hexrays-decompilation-internals
Beta Was this translation helpful? Give feedback.
All reactions