Is it possible to execute part of the decompiled code?
I am currently trying to solve a reversing challenge, where c code is compiled for a 32bit linux system.
To solve this challenge I am trying to make use of ghidra but am faced with a few issues. A bit of a summary what I have done up to this point:
I have two OS available to me, one 64bit Linux System on my Laptop and this 64bit Windows 10. Apparantly the programm was compiled with gcc without a -g option making ghidra fail to debug the programm. Manually debugging it with gdb in Terminal is possible but terrible to use (at least for me).
So all I can do is look at the assembler code in the CodeBrowser of Ghidra and its respective decomipled c code. With that I got to understand that some of the instructions are decrypted during the runtime of the programm and in order to further analyse the code, I want to be able to execute parts of the instructions to slowly but surely decrypt and understand the hidden parts of the programm.
That being said, the only issue here is that I do not know how I can do that. I have noticed that ghidra has the ability to run java code, but all the examples I looked at that were provided by ghidra allow me to only patch hardcoded instructions into the programm but not to actually execute/evaluate them.
My specific issue at hand is following part of the programm (green marked part):
Ghidra has all the knowledge it needs to execute this part and I just do not know how to do that. I could of cause do it by hand, but that is just boring and not really why I am doing these challenges and that is the same reason as why I am not looking for finished scripts that unpack this programm for me but for a way to execute my analysis.
Finally to summarize my question: I am asking for a way to execute the green marked decrypting part of the targeted programm in ghidra without starting the debugger (since the ghidra debugger keeps failing on me).
I think you are mixing up a few things here. You say:
the programm was compiled with gcc without a -g option making ghidra fail to debug the programm
The debug information added with -g makes it easier to analyze and debug a program because you have information that would have otherwise have to be recovered by reverse engineering. This should not have an influence on whether you can run the program under a debugger in the first place, and as you noted running it with gdb in the terminal works. The Ghidra debugger basically just runs gdb in the background and attaches to it to exchange information, so it should work.
You have a few options now:
1. Get the Ghidra Debugger to run with this binary
Whatever issue you are encountering with the Ghidra debugger is probably a valid question for https://reverseengineering.stackexchange.com/
From then on you can pursue your initial plan to solve this via debugging.
2. Write a GhidraScript to reimplement the decryption
Understand the basic idea of what you recognized correctly as some kind of decryption loop. Then you can use one of Ghidra's scripting options[0] to write a simple script that reimplements this decryption, but writes the decrypted values to the Ghidra memory directly.
Any scripting language will obviously include basic arithmetic operations like + -, and xor and loops, and the Ghidra API provides the functions byte getByte(Address address) and setByte(Address address, byte value). If you encounter any issues or API questions while writing this script that will also be a valid follow up question for the RE Stack Exchange.
This approach has the advantage that you can then statically analyse the resulting data inside Ghidra again, e.g. disassemble the resulting code.
[0] Ghidra natively supports Python 2.7 and Java based Scripts and a rudimentary Python REPL, but there are other options like Jupyter and Script based Kotlin or Ruby, Kotlin and Clojure Scripts
- In C python, accessing the bytecode evaluation stack
- Angr unconstrained state has the same address as a found state
- Recovery of local names in .Net
- How to understand the operand encoding of Renesas M16C bit instructions?
- Can i reverse engineer my own dll?
- How to use Hibernate reverse engineering to create annotatedClasses style?
- Force compile (missing source files)
- How to open network adapter properties via Windows API?
- "Not enough data for store" while solving Angr CTF example
- Reverse Engineering an Installer
- Best practice for storing and protecting private API keys in applications
- Why does dup2(2) function has no effect here?
- How can an Android app receive UI updates without HTTP requests?
- What does "0010 ^0.16 ___u8_ iv;" in Hex-Rays IDA Pro mean?
- What Does the "Arguments" Field in the Functions Tab of IDA Represent?
- whatsapp sniffing ssl traffic with wireshark
- Reverse engineer LCD Protocol used in MPC2000XL
- Hibernate Duplicate class name exception
- How to analyze binary file?
- Get a look at the temporary files a process creates
- How to put password on apk?
- Unable to Intercept Requests with Mitmproxy: Getting "502 Bad Gateway" Error
- Modded APK displaying errors with minimal edits
- How to debug a windows driver with IDA and use its corresponding IDB?
- How to avoid reverse engineering of an APK file
- Getting the exact timestamp of a Stack Exchange chat message
- Is it possible to define a C++ function where one parameter is passed via the EAX register?
- How to create a Datasheet for Elden Ring Save-Files
- Which is the path of the libapp.so in flutter apps?
- How do I detect if there is a CRC in a sequence of bytes?