Ghinja is unable to find the decompiler output of a function which exists in the Ghidra project.

[RhettVX]

Ghinja: 1.8 Ghidra: 10.1.1 Java: 17.0.1 Binary Ninja: 2.4.2846 Personal Windows 10: 10.0.19042 Build 19042

Ghinja is unable to find the decompiler output of a function despite it existing in the created Ghidra project. I can provide the project files privately.

[Martyx00]

Could be an issue with offset. For each binary you should be able to find the folder ghinja_projects inside the binaryninja folder in your home/user folder. Inside that folder, there is one file for each decompiled function, there is also a decomp_offset file in that folder. Can you compare contents of that file, with the image base of the file when you load it into the Ghidra?

[RhettVX]

Apologies for such a late response. The value inside decomp_offset is 4198415, the image base in Ghidra is 00400000.

[Martyx00]

This means that the first function identified by the Ghidra is at 0x40100F. Can you confirm that the first function in BinaryNinja is also at this location? Sometimes it happens that Ghidra and BinaryNinja have different image bases (say 0x14000 vs 0x04000), however, if one of the tools found a first function which the other did not, then there is a problem, the offset calculation will be off (this will likely results in all functions in that binary being broken). Would it be possible to share the file?

[RhettVX]

Looks like there are two functions before the function in BN at the Ghidra offset:

Then nothing detected in Ghidra:

I can share the file through a DM or email if you would like to take a look.

[Martyx00]

Seems like it is the offset issue. One more thing (we can avoid you sharing the binary actually). Can you uncomment this line: https://github.com/Martyx00/ghinja/blob/e9391cf3288d99584c9fb3af65f28f2ece18f695/__init__.py#L216 and share the output from the cosnole? Thanks :)

[RhettVX]

Loaded native plugin arch_arm64
Loaded native plugin arch_armv7
Loaded native plugin arch_mips
Loaded native plugin arch_ppc
Loaded native plugin arch_x86
Loaded native plugin cryptoplugin
Loaded native plugin platform_decree
Loaded native plugin platform_freebsd
Loaded native plugin platform_linux
Loaded native plugin platform_mac
Loaded native plugin platform_windows
Loaded native plugin loadpdb
Loaded python3 plugin 'Martyx00_ghinja'
Loaded native plugin pythonplugin
Loaded UI plugin triage
Added windows-x86 entry point at 0x139cb26
Type library 'imm32.dll' imported
Type library 'kernel32.dll' imported
Type library 'user32.dll' imported
Type library 'gdi32.dll' imported
Type library 'msacm32.dll' imported
Type library 'winmm.dll' imported
Type library 'iphlpapi.dll' imported
Type library 'comctl32.dll' imported
Type library 'dinput8.dll' imported
Type library 'shlwapi.dll' imported
Type library 'version.dll' imported
Type library 'ws2_32.dll' imported
Type library 'ole32.dll' imported
Type library 'oleaut32.dll' imported
Type library 'd3d9.dll' imported
PDBFileName: *****************************
Type library 'shell32.dll' imported
Type library 'rpcrt4.dll' imported
Type library 'secur32.dll' imported
Type library 'advapi32.dll' imported
PE parsing took 3.065 seconds
GHIDRA OFFSET: 0x40100f DIFF: 0xa ROUND: 0x100
Analysis update took 2.546 seconds
GHIDRA OFFSET: 0x40100f DIFF: 0xa ROUND: 0x100

[Martyx00]

I have just pushed a dirty fix that could address that. Could you please try? In case it does not work try deleting all Ghinja output (the whole folder for the given file). Let me know if it got any better :)

[RhettVX]

Yep, things seem to be in working order now, thanks much!

[Martyx00]

Closing with a new release: https://github.com/Martyx00/ghinja/commit/fe3fab3d7e51fe53cd6a75279465c08413043bc3