
Ghidra doesn't work well against dropbox binary

See original GitHub issue

Summary: Ghidra 9.0.4 doesn’t work well against the dropbox binary.

Versions used: Ghidra 9.0.4 on Ubuntu 18.04 LTS host.

Target binary: https://clientupdates.dropboxstatic.com/dbx-releng/client/dropbox-lnx.x86_64-73.4.118.tar.gz (open the 23 MB dropbox binary contained in this archive).

Reproduction steps: Navigate to _PyEval_EvalFrameDefault function and compare the Ghidra disassembly with the corresponding disassembly from IDA Freeware.

Problem: It seems that Ghidra is unable to parse this function completely (the disassembly is incomplete). It also doesn’t recover the switch case labels.

I am attaching the disassembly from IDA Freeware for this function. IDA Freeware works very well (and automatically) against this function and is able to recover all the switch case labels.

(screenshot: ida-nice-job)

Is there a way to get similar results from Ghidra?

I am hoping to use Ghidra in my work, if possible.

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments:8 (4 by maintainers)

Top GitHub Comments

2 reactions
dev747368 commented, Jun 10, 2019

Another thing you can experiment with is changing the image base when importing the binary. This binary is PIC, and Ghidra defaults to forcing it away from 0x00000 to 0x100000, but the DWARF side of things isn’t keeping up with that. If you change the image base back to 0 (which can cause its own small difficulties for other things in Ghidra), the dwarf data will line up.
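The maintainer's point above is that the ELF is position-independent (ET_DYN), so its DWARF addresses are relative to a link-time base of 0, while Ghidra's ELF importer moves the image to 0x100000 and the DWARF data is not shifted with it. The following is an added example (not code from the issue thread or from Ghidra) of the check a practitioner would run before importing: read the ELF header and program headers, decide whether the binary is PIC, and compute the skew between DWARF addresses and the listing for a given import base. The sample ELF images are constructed inline; the function names, the "import at the link-time base" rule and the 0x100000 default are taken from the comment above, not from any Ghidra API.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_LOAD = 1
EHDR = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian (64 bytes)
PHDR = "<IIQQQQQQ"           # ELF64 program header (56 bytes)


def build_elf64(e_type, load_vaddrs):
    """Constructed sample: a minimal x86-64 ELF64 image with one PT_LOAD per
    vaddr. Only the fields elf_info() reads are meaningful; this is test data,
    not a real binary."""
    phnum = len(load_vaddrs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, LE, v1, SysV
    hdr = struct.pack(EHDR, ident, e_type, 62, 1, load_vaddrs[0] + 0x1000,
                      64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = b"".join(
        struct.pack(PHDR, PT_LOAD, 5, i * 0x1000, va, va, 0x1000, 0x1000, 0x1000)
        for i, va in enumerate(load_vaddrs))
    return hdr + phdrs


def elf_info(data):
    """Return the ELF type, whether the file is position-independent (ET_DYN),
    and the lowest PT_LOAD vaddr, i.e. the base DWARF addresses are relative to."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not a 64-bit ELF file")
    (_, e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = struct.unpack_from(EHDR, data, 0)
    loads = []
    for i in range(e_phnum):
        p_type, _, _, p_vaddr, *_ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append(p_vaddr)
    if not loads:
        raise ValueError("no PT_LOAD segments")
    return {"e_type": e_type, "pic": e_type == ET_DYN, "link_base": min(loads)}


def recommended_import_base(info):
    """Image base to enter in the importer so DWARF lines up with the listing:
    the link-time base itself (0 for a PIC binary). This is the rule from the
    maintainer's comment, applied here as an assumption, not a Ghidra API."""
    return info["link_base"]


def dwarf_skew(info, image_base):
    """Distance between DWARF addresses and the listing when the image is
    imported at image_base. Zero means symbols, line info and the addresses
    DWARF attaches to functions land on the right bytes."""
    return image_base - info["link_base"]


def dwarf_to_listing(addr, link_base, image_base):
    """Where a DWARF (link-time) address ends up after the importer rebased the
    image from link_base to image_base."""
    return addr - link_base + image_base


if __name__ == "__main__":
    pic = build_elf64(ET_DYN, [0x0, 0x200000])
    info = elf_info(pic)
    print("PIC:", info["pic"], "link base:", hex(info["link_base"]))
    print("skew at Ghidra's default 0x100000:", hex(dwarf_skew(info, 0x100000)))
    print("import at:", hex(recommended_import_base(info)))
```

On a real file, replace the constructed bytes with the contents of the dropbox binary: if `pic` is true and the skew at the default base is non-zero, set the ELF loader's Image Base option in the import dialog to the link-time base (0 here), which is the change that made the DWARF data line up in the thread.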

1 reaction
kholia commented, Jun 11, 2019

If you change the image base back to 0 (which can cause its own small difficulties for other things in Ghidra), the dwarf data will line up.

Doing so helped a lot.

(screenshot: yay-ghidra)

The disassembly is not broken now and it seems that switch case labels were also recovered.

Time to learn some GHIDRA scripting to port this IDA script to GHIDRA.

Thank you!
