Mark PLT Functions as Thunks

[misson20000]

When PLT entries are processed, symbols are created for each entry, and usually analysis automatically determines these to be functions, but it does not mark them as thunks to their actual implementations. Marking thunk functions improves navigation and makes it easier to (ab)use version tracking to apply sdk markup to sysmodules, since otherwise it can get confused by the sdk's use of dynamic binding compared to the sysmodule's use of static binding (implied matches fail, and the name-based correlators produce multiple matches).

https://github.com/Adubbz/Ghidra-Switch-Loader/blob/a9dc0f231978ca1fae8290735024bce89d63a57d/src/main/java/adubbz/nx/loader/common/NXProgramBuilder.java#L377-L389

[misson20000]

Actually, it seems that there is already an existing analyzer that is supposed to do this automatically, but if the .plt section isn't already disassembled it will fail because the SymbolicPropogator won't be able to fetch instructions.

[fkelava]

Hello,

I'm reviving this issue as it is causing a few issues for me at present.

Normally, an AARCH64 ELF would have its .plt and .got sections disassembled at import time, which is a prerequisite for Ghidra's built-in AARCH64 ELF PLT Thunks analyzer to work. The Switch loader does not seem to apply this behavior to NROs, which means no function in the .plt section is marked as a thunk. For large binaries, fixing this by hand is slightly prohibitive.

It also somewhat breaks the BSim workflow introduced in Ghidra 11, making function comparisons between Switch and PC versions of games more difficult.

Could this be looked into? I don't mind giving it a go myself if you can point me in the right direction.

[TSRBerry]

Normally, an AARCH64 ELF would have its .plt and .got sections disassembled at import time, which is a prerequisite for Ghidra's built-in AARCH64 ELF PLT Thunks analyzer to work.

Oh I see, I didn't know about this.

I don't mind giving it a go myself if you can point me in the right direction.

I'm currently short on time, so I won't be looking into this for a bit. plt sections are dealt with here: https://github.com/Adubbz/Ghidra-Switch-Loader/blob/8c2ec80fb8488da61f55fdad4460984f82d7dd8b/src/main/java/adubbz/nx/loader/common/NXProgramBuilder.java#L208

If you need to get a pointer for something specific, let me know.

[fkelava]

I've found a way around this. Clearing the entire .plt section, including functions, then disassembling, then re-running AARCH64 ELF PLT Thunks properly marks them as thunks.

It's a good enough workaround for my needs.