I am currently trying to solve a reversing challenge, where c code is compiled for a 32bit linux system.
To solve this challenge I am trying to make use of ghidra but am faced with a few issues. A bit of a summary what I have done up to this point:
I have two OS available to me, one 64bit Linux System on my Laptop and this 64bit Windows 10. Apparantly the programm was compiled with gcc without a -g option making ghidra fail to debug the programm. Manually debugging it with gdb in Terminal is possible but terrible to use (at least for me).
So all I can do is look at the assembler code in the CodeBrowser of Ghidra and its respective decomipled c code. With that I got to understand that some of the instructions are decrypted during the runtime of the programm and in order to further analyse the code, I want to be able to execute parts of the instructions to slowly but surely decrypt and understand the hidden parts of the programm.
That being said, the only issue here is that I do not know how I can do that. I have noticed that ghidra has the ability to run java code, but all the examples I looked at that were provided by ghidra allow me to only patch hardcoded instructions into the programm but not to actually execute/evaluate them.
My specific issue at hand is following part of the programm (green marked part):
Ghidra has all the knowledge it needs to execute this part and I just do not know how to do that. I could of cause do it by hand, but that is just boring and not really why I am doing these challenges and that is the same reason as why I am not looking for finished scripts that unpack this programm for me but for a way to execute my analysis.
Finally to summarize my question: I am asking for a way to execute the green marked decrypting part of the targeted programm in ghidra without starting the debugger (since the ghidra debugger keeps failing on me).
I think you are mixing up a few things here. You say:
the programm was compiled with gcc without a -g option making ghidra fail to debug the programm
The debug information added with -g makes it easier to analyze and debug a program because you have information that would have otherwise have to be recovered by reverse engineering. This should not have an influence on whether you can run the program under a debugger in the first place, and as you noted running it with gdb in the terminal works. The Ghidra debugger basically just runs gdb in the background and attaches to it to exchange information, so it should work.
You have a few options now:
1. Get the Ghidra Debugger to run with this binary
Whatever issue you are encountering with the Ghidra debugger is probably a valid question for https://reverseengineering.stackexchange.com/
From then on you can pursue your initial plan to solve this via debugging.
2. Write a GhidraScript to reimplement the decryption
Understand the basic idea of what you recognized correctly as some kind of decryption loop. Then you can use one of Ghidra's scripting options[0] to write a simple script that reimplements this decryption, but writes the decrypted values to the Ghidra memory directly.
Any scripting language will obviously include basic arithmetic operations like + -, and xor and loops, and the Ghidra API provides the functions byte getByte(Address address) and setByte(Address address, byte value). If you encounter any issues or API questions while writing this script that will also be a valid follow up question for the RE Stack Exchange.
This approach has the advantage that you can then statically analyse the resulting data inside Ghidra again, e.g. disassemble the resulting code.
[0] Ghidra natively supports Python 2.7 and Java based Scripts and a rudimentary Python REPL, but there are other options like Jupyter and Script based Kotlin or Ruby, Kotlin and Clojure Scripts
Has anyone started to work with the CUDA5 SDK?
I have an old project that uses some cutil functions, but they've been abandoned in the new one.
The solution was that most functions can be translated from cutil*/cut* to a similar named sdk* equivalent from the helper*.h headers...
As an example:
cutStartTimer becomes sdkCreateTimer
Just that simple...
Has anyone started to work with the CUDA5 SDK?
Probably.
Has anyone translated some cutil definitions to CUDA5?
Maybe. But why not just use the new header files intended to replace it? Quoted from the Beta release notes:
Prior to CUDA 5.0, CUDA Sample projects referenced a utility library
with header and source files called cutil. This has been removed with
the CUDA Samples in CUDA 5.0, and replaced with header files found
in CUDA Samples\v5.0\C\common\inc
helper_cuda.h, helper_cuda_gl.h, helper_cuda_drvapi.h, helper_functions.h,
helper_image.h, helper_math.h, helper_string.h, and helper_timer.h
These files provide utility functions for CUDA device initialization,
CUDA error checking, string parsing, image file loading and saving, and
timing functions. The CUDA Samples projects no longer have references
and dependencies to cutil, and will now use these helper functions
going forward.
Everyone (at least everyone who uses a compiled language) has faced compilation errors but how many times do you get to actually crash the compiler?
I've had my fair share of "internal compiler errors" but most went away just by re-compiling. Do you have a (minimal) piece of code that crashes the compiler?
I write the compiler we use, so it crashes sometimes.
easy.
// -*- C++ -*-
template <int n>
class Foo : public Foo<n+1>
{
};
int main(int, char*[])
{
Foo<0> x;
return 0;
};
ejgottl#luna:~/tmp$ g++ -ftemplate-depth-1000000 -Wall foo.cpp -o foo
g++: Internal error: Segmentation fault (program cc1plus)
Please submit a full bug report.
See `<URL:http://gcc.gnu.org/bugs.html>` for instructions.
For Debian GNU/Linux specific bug reporting instructions, see
`<URL:file:///usr/share/doc/gcc-4.2/README.Bugs>`.
I haven't made GHC (a Haskell compiler) crash yet, but I've gotten it to error out with a
My brain just exploded.
I can't handle pattern bindings for existentially-quantified constructors.
It's pretty easy to work around, and you don't hit this unless you have some tricky (and usually wrong) design, but it probably wins as the best compiler error message ever.
VC catches it gracefully now, but in the mid 90's, this would crashed both Microsoft C++ and Borland C++ compilers:
struct MyClass
{
MyClass operator->() { return *this; }
};
int main(int argc, char* argv[])
{
MyClass A;
A->x;
}
An overloaded operator-> is intrinsically recursive. The function is expected to return a pointer, which oper-> is again applied to. This fragment made code generation infinitely recursive.
Actionscript 3.0:
switch(on_some_variable)
{
}
Empty switch = Kaboom!
Visual C++ 9.0 SP1
this just happened to me
------ Build started: Project: pdfp, Configuration: Debug Win32 ------
Compiling...
reader.cpp
xref.cpp
c:\projects\pdfp\xref.cpp(52) : fatal error C1001: An internal error has occurred in the compiler.
(compiler file 'f:\dd\vctools\compiler\cxxfe\sl\p1\c\toil.c', line 8569)
To work around this problem, try simplifying or changing the program near the locations listed above.
Please choose the Technical Support command on the Visual C++
Help menu, or open the Technical Support help file for more information
Generating Code...
Build log was saved at "file://c:\Projects\pdfp\Debug\BuildLog.htm"
pdfp - 1 error(s), 0 warning(s)
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========
Well, this didn't actually crash the compiler -- It was merely a bug were VC++ wouldn't accept perfectly good code. (details provided here).
The odd this about it was that it was only triggered when three fairly obscure conditions were all met. Moving one line of code was all that was needed for an effective workaround. And one of the needed pre-conditions was "using namespace std;" which is widely discouraged in production code.
Nevertheless, messages asking how to fix the problem were a staple on Microsoft VC++ newsgroups. I couldn't figure out how so many people stumbled onto an obscure bug. So, eventually, I asked someone.....
The exact code needed to trigger the bug was an example in Stroustrup's "The C++ Programming Langauge". (*)
(*) Note, I'm not saying he did it on purpose. I sure he tested it under a UNIX variant of C++, and was completely unaware of it's affect on VC++.
I've seen a few compiler bugs in the C# compiler (all edge cases, all reported appropriately) and confirmed some crashes provoked by other people.
The scariest compiler (of a sort) bug I've encountered was a JIT bug in one version of Java. It was quite reproducible, but caused the VM to go down. Adding a fairly no-op statement (I can't remember exactly what offhand - possibly just declaring an extra local variable with an initial value) moved it away from whatever corner case it happened to be - and it was fixed in a later version.
This crashed the C64 BASIC:
PRINT 0 + "" +- 0
Yes, especially when it's an old or undermaintained compiler (GCC 2.95, Tendra in C++ mode). I don't keep the pieces of code around, though.
Visual C++ 5. 'Nuff said.
Oops, forgot an 'e' in typedef and crashed the compiler.
typdef struct kGUIColor GameColor;
c:\source\kgui\samples\space\space.cpp(35) : fatal error C1001: INTERNAL COMPILER ERROR
(compiler file 'msc1.cpp', line 2708)
Please choose the Technical Support command on the Visual C++
Help menu, or open the Technical Support help file for more information
Today VS2003SP1 gave me a C1001 (Internal Compiler Error) complaining about compiler file 'msc1.cpp', line 2708) because of this:
struct PATTERN {
…
};
It turns out that the problem was that the structure name I was trying to define (PATTERN) was already a typedef in the GDI for a brush type. However instead of telling me that the symbol is already defined (like it does for most other things) it not only did not point to the structure as the problem—I narrowed the problem down to it by selectively commenting out blocks until the error went away—but it also gave me the aforementioned cryptic error which has nothing to do with the file specified—which I can’t even find to examine the line in question. :|
I was able to reproduce it with the following code:
typedef int SOMETHINGOROTHER;
struct SOMETHINGOROTHER {};
> fatal error C1001: INTERNAL COMPILER ERROR
> (compiler file 'msc1.cpp', line 2708) …
Whereas the following code gives the expected error message:
struct SOMETHINGOROTHER {};
typedef int SOMETHINGOROTHER;
> 'SOMETHINGOROTHER' : redefinition; different basic types
Clearly the problem is in the compiler’s structure handling routine.
I wonder if VS2005+ do better…
Here's a way to crash the VS2003 C++ compiler.
typedef map<int,int> Tmap;
private: Tmap; * m_map;
This will result in a crash and the following error message
fatal error C1001: INTERNAL COMPILER
ERROR (compiler file 'msc1.cpp', line
2708) Please choose the Technical
Support command on the Visual C++ Help
menu, or open the Technical Support
help file for more information
Remove the semicolon immediately after Tmap (second line which defines m_map) to eliminate the error.
In a project I was working in, some specific usages of Boost Lambda expressions could make the Visual C++ compiler crash. (We were using Visual Studio 2003)
The compiler would only crash during the release build, a debug build would work fine.
There had been a religious war raging through the team about the appropriate usage of the lambda libraries, I was almost grateful that the compiler settled it for us. :-)
In version 1.2.x of the Mono C# compiler would crash quite a bit with complicated code (if I remember correctly, nested anonymous delegates). Fortunately with 2.x release, I haven't seen any crashes.
At my previous job we had a simulator which was notorious for being able to crash (ICE) compilers or cause them to generate incorrect code. And when the code actually was generated correctly, ofter the compiler took 15 minutes for a single source file. Visual Studio was never (as long as I worked there) able to compile the simulator core.
The core was automatically generated from a DSL, and the generated code often pushed the compiler to its limits.
Upgrading to a new version of GCC often caused widespread nervosity: will the new version work?
Thanks to #Nick, this crashes VS2005.
template<typename Res, typename T>
Res operator_cast(const T& t)
{
return t.operator Res();
}
int main()
{
return operator_cast<int>(0);
}
I've crashed a compiler before by running it out of memory.
Give a DOS compiler about 0.5mb of source code. Crunch.
When you get a message "Catastrophic Failure" you know you're trying....
Michael
I use both pcc and gcc to compile my old OS project.
I found a bug with how both pcc and gcc handle a non-trivial piece of code and it crashed pcc.
(chars are signed on my platform)
struct{
char myvalue:1;
}mystruct;
pcc crashed because all bitfield values must be int though, so it's really more buggy there, but gcc handles it wrongly. See, if you think about it, it is signed, but only has room for one bit. So therefore, it only can store 0 and -1. Well, gcc handles it wrong by storing 0 or 1.
VC++ has crashed on me when compiling C++ if template usage is messed up (e.g., missing out on a closing ">").
I did. Some Delphi versions (lets say #4) crashed very often with cryptic error messages.
The newer versions (2006 and more) are stable but not rock solid. (7 was great in that case).
Compiler crashes often occur with large edits, and debug sessions of complex projects (lots of dll's). Most of the time a restart of the ide is enough. But sometimes you need to restart the PC.
O and I once crashed OS2 along with the compiler because the swapfile grew too large.
One time when I used the generators example from the Python docs, it broke the version of Python we were using. The same week, one of my colleagues managed to misuse the FFI such that any calculation involving the number 3 would crash python.
The Microsoft Xbox 360 compiler can crash easily. I was given source code with Japanese comments and when converted to regular text one of the last characters on the line was a '\' so it continued the comment onto the next line. If the next line was a switch command, then the compiler crashes.
//wierd japanese characters here %^$$\
switch(n)
{
case 0:
.....
break;
case 1:
.....
break;
}
I have crashed Delphi 7 many times asking it to compile legacy dos code.
The prime culprit seems to be any qualification of something as being in the system unit. This won't always blow it up but when it blows up on such stuff I look through and rewrite anything that requires such an override and the problem goes away.
The blowups are 100% reproduceable but I have never managed to make a simple test case. It doesn't actually crash the compiler most of the time, you usually get an error that has nothing to do with the problem and may be hundreds of lines from it. The environment is destabilized, save and exit is ok but don't think of doing anything else.
Back in the stone age with Borland Pascal 7 (the last dos version) I broke it many times. No crash, just incorrect and inconsistent code emission. I finally learned to keep the .EXE (not counting debug info) below 3mb. The farther beyond that I went the more unstable it got.
I've crashed VC++ a number of times, usually with template code. But that's not the most interesting crash...
I crashed the VS2005 Team System compiler with the /analyze option compiling my shared code library which compiled without error without the switch, and on VS2008 with and without the switch. Of course MS wasn't very interested because it was a bug in the old version of the compiler, but I thought it was pretty interesting.
I managed to segfault the Python interpreter. Of course, I was working on a C extension at the time and getting it not-quite-right.
It doesn't happen as much as it used to, but occasionally the ASP.net precompiler has issues - I haven't seen it personally, but I have fixed a problem on another project once where they had name clashes because they weren't using namespaces properly (caused compiler crashes) during pre-compile.
In the good old days (unmanaged MSVC++) we had the odd compiler crash usually due to linking in external static win32 classes (.lib) and a couple of odd bits of code occasionally caused issues, but these were all picked up very quickly.
I don't know if I would call it crashing, but sdcc (Small Device C Compiler) fails at compiling code formed in a particular way:
Target: 8051
Code had to execute in a 512 byte cache loaded from an external tester
Tester is in control and stores the code - cache can't fetch the next page
No function calls allowed - the PC (program counter) would skip to a place not resident in cache; preprocessor macros were used to accomplish modular coding practice
Jumps (branching) allowed if it doesn't skip out of the cache
No const values - in the data section of the program code which causes code in cache to fetch something not in cache - preprocessor constant (#define) OK here
The preprocessor macros are unrolled resulting in flat, but large code - everything in main(); execution skips the startup code (setting up the stack, etc) and starts at the beginning of main()
Relevant part of this answer:
Occasionally, sdcc would refuse to compile syntactically correct code, with a message about running out of memory. This even happened compiling on 64-bit boxes with 8GB of RAM.
The solution in these cases was to split the firmware into separate pieces and compile them separately and execute them separately. The pieces may have been able to be linked back together, but at that point it didn't matter.
I didn't try it, but the Keil 8051 compiler probably could have handled the problematic code.