Importing Into Ghidra
The basic tutorial video on the Ghidra website shows how to import a simple Windows binary into Ghidra for analysis, and that is fine for the Windows game.dat or WorldBuilder.exe files. However, if you try to import a macOS universal binary you will find that it is actually an archive of two or more binaries, and importing those binaries correctly takes a few more steps. Importing data exported by other users is also slightly more involved.
- Import the universal macOS binary as directed by the basic Ghidra tutorial. When you do, Ghidra will report that it has detected nested files within the binary and ask what kind of import to do.
- Select Batch to bring up the batch importer and import both types of binary. The x86 binary will likely be the primary binary you reference, but the PowerPC binary is useful for getting a second opinion on the decompilation of the code and for showing where byte swapping was done to support the big-endian architecture.
- Assuming you are happy to import both binaries, click OK. You may also want to select the option to strip any container paths.
- The import will proceed on the binaries you selected and you will be taken back to the project window. You can then proceed on either of the binaries as though you had just imported one.

Note that it is also possible to import them one at a time using the "Filesystem" option instead of "Batch"; that is not covered here.
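To see why Ghidra reports nested files, it helps to look at what a universal binary actually is: a big-endian "fat" header (magic 0xCAFEBABE, a slice count, then one 20-byte fat_arch record per architecture) followed by the individual Mach-O images at the recorded offsets. The script below is an added example, not part of this wiki or of Ghidra; it parses that header, names the architectures it finds, and reads each slice's own Mach-O magic to report its endianness, which is the reason the PowerPC slice shows byte swapping that the x86 slice does not. The two-slice binary it parses is constructed inline for the demonstration and is not a real game binary.

```python
import struct

FAT_MAGIC = 0xCAFEBABE          # big-endian magic of a universal ("fat") Mach-O file
CPU_ARCH_ABI64 = 0x01000000     # flag OR'ed into cputype for 64-bit variants
CPU_NAMES = {                   # cputype values from Apple's <mach/machine.h>
    7: "x86",
    7 | CPU_ARCH_ABI64: "x86_64",
    12: "arm",
    12 | CPU_ARCH_ABI64: "arm64",
    18: "ppc",
    18 | CPU_ARCH_ABI64: "ppc64",
}
# First four bytes of a Mach-O image, in file order, tell us its endianness and width.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": ("big", 32),
    b"\xce\xfa\xed\xfe": ("little", 32),
    b"\xfe\xed\xfa\xcf": ("big", 64),
    b"\xcf\xfa\xed\xfe": ("little", 64),
}


def parse_fat_header(data: bytes) -> list[dict]:
    """Return one dict per architecture slice, or [] if data is not a fat binary."""
    if len(data) < 8:
        return []
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        return []
    # Java class files share the 0xCAFEBABE magic; the next field there is a
    # version (major >= 45), far larger than any real slice count, so treat
    # implausible counts as "not a fat binary" rather than reading garbage.
    if nfat_arch == 0 or nfat_arch > 32:
        return []
    if len(data) < 8 + 20 * nfat_arch:
        raise ValueError("fat header truncated")
    slices = []
    for i in range(nfat_arch):
        rec = data[8 + i * 20: 8 + (i + 1) * 20]
        cputype, cpusubtype, offset, size, align = struct.unpack(">IIIII", rec)
        if offset + size > len(data):
            raise ValueError(f"slice {i} extends past end of file")
        endian, bits = MACHO_MAGICS.get(data[offset:offset + 4], ("unknown", 0))
        slices.append({
            "arch": CPU_NAMES.get(cputype, f"cputype 0x{cputype:x}"),
            "cputype": cputype, "cpusubtype": cpusubtype,
            "offset": offset, "size": size, "align": align,   # align is log2(bytes)
            "endian": endian, "bits": bits,
        })
    return slices


def build_sample_fat() -> bytes:
    """Construct a minimal two-slice fat binary (sample data, not a real program)."""
    ppc_slice = b"\xfe\xed\xfa\xce" + bytes(12)   # big-endian 32-bit Mach-O magic
    x86_slice = b"\xce\xfa\xed\xfe" + bytes(12)   # little-endian 32-bit Mach-O magic
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">IIIII", 18, 0, 4096, len(ppc_slice), 12)  # ppc, page aligned
    header += struct.pack(">IIIII", 7, 3, 8192, len(x86_slice), 12)   # x86 (i386)
    blob = bytearray(8192 + len(x86_slice))
    blob[:len(header)] = header
    blob[4096:4096 + len(ppc_slice)] = ppc_slice
    blob[8192:8192 + len(x86_slice)] = x86_slice
    return bytes(blob)


if __name__ == "__main__":
    for s in parse_fat_header(build_sample_fat()):
        print(f"{s['arch']:7} {s['endian']:6}-endian {s['bits']}-bit "
              f"offset=0x{s['offset']:x} size={s['size']} align=2^{s['align']}")
```

Run it against a real universal binary by replacing build_sample_fat() with the file's bytes; each line of output corresponds to one entry Ghidra offers in the batch importer.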
- Get some importable XML data, such as that found on the Useful Analysis Links page.
- Import the relevant binary and perform the initial analysis on it as per the basic video guide from the Ghidra download page.
- From the CodeBrowser window, select File > Add To Program... and browse to the XML file you are going to import from.
- In the import window that opens, you can either click OK to import everything from the XML file or select options to limit what you import.
- The XML files provided on the Useful Analysis Links page contain only type data and function symbols, so limiting the import as above shouldn't make a difference.
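Before ticking options in the Add To Program dialog it is handy to know which sections an XML file actually carries, especially for a file someone else exported. The following script is an added example, not part of this wiki or of Ghidra: it reads the top-level sections of a Ghidra XML program export (element names such as DATATYPES, SYMBOL_TABLE and FUNCTIONS are those used by Ghidra's XML format; the attribute names, symbol names and addresses in the embedded sample are constructed for illustration and only approximate a real export) and reports how many entries each section holds, so you know which import options can have any effect.

```python
import xml.etree.ElementTree as ET

# Top-level sections of a Ghidra XML program export, each of which corresponds to
# an option in the Add To Program dialog. Sections not listed are reported as absent.
SECTIONS = ["MEMORY_MAP", "DATATYPES", "CODE", "DATA", "SYMBOL_TABLE",
            "FUNCTIONS", "COMMENTS", "EQUATES", "BOOKMARKS"]

# Constructed sample export: one struct, one symbol, one function (not real game data).
SAMPLE_XML = """<?xml version="1.0" standalone="yes"?>
<PROGRAM NAME="game.dat">
  <DATATYPES>
    <STRUCTURE NAME="Coord3D" SIZE="12">
      <MEMBER OFFSET="0x0" DATATYPE="float" NAME="x" SIZE="4"/>
      <MEMBER OFFSET="0x4" DATATYPE="float" NAME="y" SIZE="4"/>
      <MEMBER OFFSET="0x8" DATATYPE="float" NAME="z" SIZE="4"/>
    </STRUCTURE>
  </DATATYPES>
  <SYMBOL_TABLE>
    <SYMBOL ADDRESS="00401000" NAME="Coord3D::length" TYPE="global"/>
  </SYMBOL_TABLE>
  <FUNCTIONS>
    <FUNCTION ENTRY_POINT="00401000" NAME="Coord3D::length"/>
  </FUNCTIONS>
</PROGRAM>
"""


def summarize(xml_text: str) -> dict[str, int]:
    """Map each known section name to its number of direct entries (0 if absent/empty)."""
    root = ET.fromstring(xml_text)
    if root.tag != "PROGRAM":
        raise ValueError(f"expected a <PROGRAM> root element, got <{root.tag}>")
    counts = {}
    for name in SECTIONS:
        section = root.find(name)
        counts[name] = len(section) if section is not None else 0
    return counts


def sections_to_import(counts: dict[str, int]) -> list[str]:
    """Names of the sections that actually carry data, i.e. the only options worth ticking."""
    return sorted(name for name, n in counts.items() if n > 0)


def summarize_file(path: str) -> dict[str, int]:
    """Same report for an export on disk; reads the whole file, so use on modest exports."""
    with open(path, encoding="utf-8") as fh:
        return summarize(fh.read())


if __name__ == "__main__":
    counts = summarize(SAMPLE_XML)
    for name, n in counts.items():
        print(f"{name:13} {n:6d}")
    print("worth importing:", ", ".join(sections_to_import(counts)))
```

For the constructed sample only DATATYPES, SYMBOL_TABLE and FUNCTIONS are populated, which is the same shape as the files linked from the Useful Analysis Links page: with nothing in the other sections, leaving every option ticked imports nothing extra. Treat an XML file from another user as untrusted input: parse it with a standard parser as here and look at what it contains before adding it to a program.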