Ghidra loader scripts

czietz
Hardware Guru
Posts: 1006
Joined: Tue May 24, 2016 6:47 pm

Ghidra loader scripts

Postby czietz » Sat Apr 06, 2019 10:32 am

Inspired by sarnau's recent post, I worked on adding support for Atari TOS programs and ROM images to the open-source reverse engineering framework (i.e. powerful disassembler and more) Ghidra. As it turns out, a full-fledged, "first-class" file format support would need to be written in Java and Ghidra would need to be recompiled. (Unlike with Radare2 and IDA, it does not seem to be possible to add a file format to Ghidra in a scripting language.)

However, one can use the powerful scripting (Python or Java) API of Ghidra to import the files using a generic binary file format importer and afterwards modify the result to create TEXT, DATA and BSS sections (in the case of a program) or to set the address range correctly (in the case of a TOS ROM).

You can find my scripts at https://github.com/czietz/ghidraScripts_for_Atari. Note that I'm fairly new to Ghidra and the scripts build on what I learned about its API in a few hours from the sample scripts and documentation. Most likely, I'm not doing everything the optimal way. :wink:

ggn
Atari God
Posts: 1258
Joined: Sat Dec 28, 2002 4:49 pm

Re: Ghidra loader scripts

Postby ggn » Sat Apr 06, 2019 2:00 pm

Pretty good :). I also have a strong aversion to python so I'd probably never get this done, so it's good that someone else did it!
is 73 Falcon patched atari games enough ? ^^

dhedberg
Atari God
Posts: 1123
Joined: Mon Aug 30, 2010 8:36 am

Re: Ghidra loader scripts

Postby dhedberg » Sat Apr 06, 2019 7:23 pm

Thanks! I think I'll have to have a go with Ghidra!
Thanks also for the link to the page with the quick overview. Too bad Ghidra is written in Java... and just like GGN I'm not a fan of Python either.
Daniel, New Beat - http://newbeat.atari.org. Like demos? Have a look at our new Falcon030 demo and feel the JOY.

czietz
Hardware Guru
Posts: 1006
Joined: Tue May 24, 2016 6:47 pm

Re: Ghidra loader scripts

Postby czietz » Fri Apr 12, 2019 4:51 pm

Updates:
- I have added symbol table support to the PRG importer.
- I have added a script to load a.out-format object files, including symbols, as created by gcc.

czietz
Hardware Guru
Posts: 1006
Joined: Tue May 24, 2016 6:47 pm

Re: Ghidra loader scripts

Postby czietz » Sat Apr 13, 2019 1:12 pm

Update: Started function ID database for MiNTLib.

A nice feature of Ghidra is Function ID. Quoting the documentation: »Function ID is an analyzer that performs function identification analysis on a program. [...] Function ID is suitable for identifying statically linked libraries [...]. Because of the hashing strategy, functions remain identifiable even if the library is relocated during linking.«

I added a database for MiNTLib as provided by Vincent Rivière's m68k-atari-mint cross-tools. Currently it only contains the standard C library for the 68000 target. mintlib.fidbf needs to be copied to Ghidra/Features/FunctionID/data. When loading a program built using this MiNTLib version, Ghidra can be told via Analysis -> One Shot -> Function ID to identify any standard library functions, greatly simplifying analysis of unknown programs.

E.g. you can see in this screenshot how it has auto-identified a call to printf:
[attachment: functionid.png]

mfro
Atari Super Hero
Posts: 807
Joined: Thu Aug 02, 2012 10:33 am
Location: SW Germany

Re: Ghidra loader scripts

Postby mfro » Sun Apr 14, 2019 1:20 pm

czietz wrote:...I added a database for MiNTLib as provided by Vincent Rivière's m68k-atari-mint cross-tools. Currently it only contains the standard C library for the 68000 target. mintlib.fidbf needs to be copied to Ghidra/Features/FunctionID/data. When loading a program built using this MiNTLib version, Ghidra can be told via Analysis -> One Shot -> Function ID to identify any standard library functions, greatly simplifying analysis of unknown programs.
So if you want to trick the NSA, you better write your malicious library following this patterns doing something completely different inside? :twisted:
