Ghidra disassembler

Development tools discussion area.
tautology
Posts: 372
Joined: Wed Sep 01, 2010 2:26 pm

Ghidra disassembler

Post by tautology » Tue Mar 12, 2019 2:28 pm

The IT security world (or at least the reverse engineering part of it) has been playing en masse with NSA's ghidra (https://ghidra-sre.org) disassembler, an open-source disassembler and decompiler, similar to IDA Pro.

As it supports 6502, I had a go with it last night and with some mangling it comes out a lot better than the other disassemblers I've been using in the past.

It obviously needs some BBC specific tuning, but I've a load of label files for MOS specific and am adding the structures for OSWORD to my local instance.

sbadger
Posts: 373
Joined: Mon Mar 25, 2013 1:12 pm
Location: Farnham, Surrey

Re: Ghidra disassembler

Post by sbadger » Fri Mar 15, 2019 11:53 am

did you firewall the app or have a port monitor open when running? 8-[
So many projects, so little time...

tricky
Posts: 3283
Joined: Tue Jun 21, 2011 8:25 am

Re: Ghidra disassembler

Post by tricky » Fri Mar 15, 2019 12:10 pm

Do you think it is better than IDA?
I haven't really given it a chance, but IDA certainly has its quirks.

BigEd
Posts: 2400
Joined: Sun Jan 24, 2010 10:24 am
Location: West

Re: Ghidra disassembler

Post by BigEd » Fri Mar 15, 2019 12:18 pm

The HN discussion has this to say:
Why this is important (for those uninitiated):
  • Ghidra is basically the first real competitor to IDA Pro, the extremely expensive and often pirated state-of-the-art software for reverse engineering. Nothing else has come close to IDA Pro.
  • Ghidra is open-source, IDA Pro is not.
  • Ghidra has a lot of really cool features that IDA Pro doesn't, such as decompiling binaries to pseudo-C code.
  • It's also collaborative, which is interesting because multiple people can reverse engineer the same binary at the same time -- something IDA only got VERY recently.

tom_seddon
Posts: 263
Joined: Mon Aug 29, 2005 11:42 pm

Re: Ghidra disassembler

Post by tom_seddon » Fri Mar 15, 2019 4:30 pm

I've been giving Ghidra a go, and I'm not finding it very good for 6502 stuff (yet?). The main problem I've got with it is that when it finds an instruction with a register+constant addressing mode, if it can figure out the value of the register, it treats the effective address as the byte of interest, and tries to make a symbol for it. This is good for some architectures, but not for 6502, where for indexed addressing modes you almost always want a symbol made just for the base address, and for the index to be ignored.

This causes particular problems with loops that run backwards through a table - you get a symbol for the last byte of the table, but not the table itself. Which is kind of useless. Stack Overflow q from me, with an example: https://reverseengineering.stackexchang ... ions/20810

I haven't figured out a good way around this yet, as this assumption appears to be quite embedded, but one of the answers to my question suggested writing a custom 6502 analyzer, which I'm going to try to do. Some instructions about setting up Eclipse for writing a Ghidra plugin: https://m.habr.com/en/post/443318/ - I've got a plugin that loads and activates when a 6502 program is loaded, but it doesn't do anything useful yet.
sbadger wrote:
Fri Mar 15, 2019 11:53 am
did you firewall the app or have a port monitor open when running? 8-[
I'm assuming that if the NSA wanted anything from me, they'd have got it already, whether I run this thing or not :)

--Tom

P.S. You can modify the 6502 description so that indexed addressing modes are treated as only accessing the base address, and then Ghidra will generate labels in the right place, but this makes a mess of the C decompiler output, which I was hoping not to have to do. (I'm not sure how useful the decompiler output of hand-written assembly language will prove to be, especially not 6502 assembly language, but you know, maybe it'll come in handy...)
