NationalSecurityAgency / ghidra

Ghidra is a software reverse engineering (SRE) framework
https://www.nsa.gov/ghidra
Apache License 2.0

Dynamic listing creates wrong sized pointer #4127

Open astrelsky opened 2 years ago

astrelsky commented 2 years ago

To Reproduce

Steps to reproduce the behavior:

  1. Load a 32 bit PE, dbgeng in VM
  2. Run it until main is reached
  3. Go to esp in the dynamic listing
  4. Create a pointer.

Maybe it has to do with why I always see Ghidra loading the 64 bit sleigh spec or a completely different architecture in some cases when opening the debugger tool.

I'm also just now noticing the instructions are the 64 bit variant in the dynamic listing as well.

d-millar commented 2 years ago

Am pretty sure this is a known issue, but will try to find the ticket and maybe dig in to see what the underlying cause is. My recollection was this is a non-trivial problem.

astrelsky commented 2 years ago

> Am pretty sure this is a known issue, but will try to find the ticket and maybe dig in to see what the underlying cause is. My recollection was this is a non-trivial problem.

It doesn't really seem to cause any problems but now that you mention it I think I do remember something about it

d-millar commented 2 years ago

Still searching, but, if you need to, am pretty sure you can hit T and put a pointer32 there.

astrelsky commented 2 years ago

> Still searching, but, if you need to, am pretty sure you can hit T and put a pointer32 there.

That's what I ultimately ended up doing. This is mostly an aesthetic and inconvenience problem.

Wall-AF commented 2 years ago

You could also try <type>*32.
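The two workarounds above (typing `pointer32` or `<type>*32` in the data type chooser) can also be applied from a script, which is useful when many slots in a stack frame need the fixed-size pointer. The GhidraScript below is an added example, not code from the issue thread or from the Ghidra project; it assumes it is run from the Script Manager with `currentProgram` and `currentAddress` bound to the listing (static or dynamic) where the pointer should go, and the script name `CreateFixedSizePointer` is an arbitrary choice. It builds a `PointerDataType` with an explicit length of 4, which is what `<type>*32` resolves to, instead of the default-sized pointer that follows the loaded language and produces the wrong size described in this issue.

```java
// Added example (not from the issue thread or the Ghidra project): a GhidraScript that
// applies the "<type>*32" workaround programmatically, creating a pointer whose size is
// fixed at 4 bytes regardless of the default pointer size of the loaded language.
// Assumption: run from the Script Manager with currentProgram/currentAddress bound to the
// listing (static or dynamic) where the pointer should be placed.
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.data.DataType;
import ghidra.program.model.data.DataTypeManager;
import ghidra.program.model.data.IntegerDataType;
import ghidra.program.model.data.PointerDataType;
import ghidra.program.model.listing.Data;

public class CreateFixedSizePointer extends GhidraScript {

    /** Creates a 4-byte pointer to 'pointee' at 'addr' and returns the created data. */
    static Data createPointer32(GhidraScript script, Address addr, DataType pointee)
            throws Exception {
        DataTypeManager dtm = script.getCurrentProgram().getDataTypeManager();
        // An explicit length of 4 is the programmatic equivalent of "<type>*32" in the
        // data type chooser; a PointerDataType without a length follows the language's
        // default pointer size, which is what goes wrong in the dynamic listing here.
        DataType ptr32 = new PointerDataType(pointee, 4, dtm);
        // Clear the 4 bytes first so existing data or instructions do not block createData.
        script.clearListing(addr, addr.add(3));
        return script.createData(addr, ptr32);
    }

    @Override
    protected void run() throws Exception {
        Address addr = currentAddress;
        if (addr == null) {
            printerr("Place the cursor on the address that should hold the pointer.");
            return;
        }
        Data d = createPointer32(this, addr, IntegerDataType.dataType);
        // Sanity check against the bug in this thread: the created data must occupy 4 bytes.
        println(String.format("Created %s at %s, length=%d (expected 4)",
            d.getDataType().getName(), addr, d.getLength()));
        if (d.getLength() != 4) {
            printerr("Pointer was not created with the requested 32-bit size.");
        }
    }
}
```

Run it with the cursor on the stack slot (for example the address `esp` points at once `main` is reached); the printed length check makes it obvious whether the listing honoured the explicit size or fell back to the default one.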

astrelsky commented 2 years ago

So I did actually encounter a problem I think is related to this. I created a struct in the dynamic listing and when I tried to change the type of a pointer field I would get an error every time I tried to move in the dynamic listing. I'm going to attempt to reproduce it later to get some logs.

:/ I can't seem to reproduce it and unfortunately the original logs are gone with a vm snapshot restore.

d-millar commented 2 years ago

@astrelsky Talked about this yesterday with @nsadeveloper789 - he was aware of the issue with structs. Apparently, this is related to more complex issues involving the DataTypeManager, which is in the process of being modified. So, the good news is it's being worked; the bad news, of course, no current workable solution.

astrelsky commented 2 years ago

> @astrelsky Talked about this yesterday with @nsadeveloper789 - he was aware of the issue with structs. Apparently, this is related to more complex issues involving the DataTypeManager, which is in the process of being modified. So, the good news is it's being worked; the bad news, of course, no current workable solution.

Ok not a problem. I've only encountered it once so far.

XdotCore commented 2 months ago

This is still an issue, but <type>*32 still works as a fix.