Some examples of how to use the library in practice (a lot of this is code I wrote during my work as a reverse engineer).
Since this library is still in development, there's not much to show off yet. But I plan to share snippets of things I write during my daily work here.
These scripts serve as examples, and as a light smoke test that everything works smoothly in ghidralib. Most of them are rewrites of Ghidra's own example scripts, or very small deobfuscation scripts.
- SwitchOverride: Fixup a switch statement at the pointer location (in 40 lines of code, original has 110).
- DumpHighPcode: Dump high-level Pcode of a function (in 4 lines of code, original has 103).
- EmulatorHooks: An example of how to use the emulator to emulate a single function, including a simple printf hook.
- Context Recovery: Iterates over calls to the string deobfuscation function, recovers the call parameters, and decrypts the obfuscated strings.
- Fix "Unaffected" Registers: Fix broken "unaffected" registers in the whole program by traversing the call graph and editing function signatures.
- Recover Function Pointers: Iterates over the MOVs in a function, and uses the decompilation of the function referenced by the second MOV operand to automatically rename and retype the function pointer from the first parameter. All of that in just ~20 lines of code!
- Lumma Pattern Based Deobfuscation: A deobfuscation script that uses a byte pattern finder and an assembly patching engine to easily overcome one of Lumma stealer's obfuscation techniques.
- Asm Level Data Flow: Simple data flow analysis at the x86 assembly level. This script analyses a function, looks for "LEA ECX, [source]" instructions followed later by "MOV [target], EAX", and then creates a label at [target] called ptr_[source_string_name].
- DumpFunctionAST: Pretty-print a function's structure (AST) as recovered by the decompiler. This is novel: as far as I know, there was no publicly available script that did this.
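To make the "Asm Level Data Flow" idea concrete without a running Ghidra, here is an added illustration (not the ghidralib script itself, and not ghidralib's API): it performs the same LEA/MOV pattern scan over a constructed list of instruction tuples and returns the labels the script would create. The sample function body, its symbol names, the `strip_string_prefix` helper and the rule that one `MOV` consumes the pending source are all assumptions made for this example.

```python
"""Toy x86 assembly-level data-flow scan, modelled on the 'Asm Level Data Flow'
script described above. Added example: instead of walking a Ghidra listing it
operates on a constructed list of (address, mnemonic, operands) tuples, so it
runs offline and without ghidralib."""
import re

# Constructed sample function body. Addresses and symbol names are made up.
SAMPLE_FUNCTION = [
    (0x401000, "PUSH", ["EBP"]),
    (0x401001, "LEA", ["ECX", "[s_kernel32_dll]"]),   # source: a string symbol
    (0x401007, "CALL", ["resolve_import"]),            # hypothetical: result in EAX
    (0x40100C, "MOV", ["[g_slot_1]", "EAX"]),          # target: global receives pointer
    (0x401011, "LEA", ["ECX", "[s_VirtualAlloc]"]),
    (0x401017, "CALL", ["resolve_import"]),
    (0x40101C, "MOV", ["[g_slot_2]", "EAX"]),
    (0x401021, "MOV", ["[g_slot_3]", "EAX"]),          # no fresh LEA before this MOV
    (0x401026, "RET", []),
]

# A bare memory operand of the form "[symbol]".
MEMREF = re.compile(r"^\[(?P<sym>[A-Za-z_][A-Za-z0-9_]*)\]$")


def strip_string_prefix(name):
    """Turn a string symbol like 's_kernel32_dll' into 'kernel32_dll' (assumed naming)."""
    return name[2:] if name.startswith("s_") else name


def find_pointer_labels(instructions):
    """Scan for 'LEA ECX, [source]' followed later by 'MOV [target], EAX'.

    Returns {target_symbol: label_name}, i.e. the labels the original script
    would place at [target], named ptr_<source string name>.
    """
    labels = {}
    current_source = None  # most recent [source] loaded into ECX, if any
    for _addr, mnem, ops in instructions:
        if mnem == "LEA" and len(ops) == 2 and ops[0] == "ECX":
            m = MEMREF.match(ops[1])
            current_source = m.group("sym") if m else None
        elif mnem == "MOV" and len(ops) == 2 and ops[1] == "EAX":
            m = MEMREF.match(ops[0])
            if m and current_source is not None:
                labels[m.group("sym")] = "ptr_" + strip_string_prefix(current_source)
                # Assumption for this example: one MOV consumes the pending source,
                # so a later MOV with no new LEA in between is left unlabelled.
                current_source = None
    return labels


if __name__ == "__main__":
    for target, label in find_pointer_labels(SAMPLE_FUNCTION).items():
        print("create label %s at [%s]" % (label, target))
```

The scan keeps a single piece of state (the last `LEA ECX` source), which is exactly the "followed later by" relation the script description relies on; anything more precise, such as noticing that ECX was clobbered in between, would need the real instruction semantics that ghidralib exposes.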