NationalSecurityAgency / ghidra

Ghidra is a software reverse engineering (SRE) framework
https://www.nsa.gov/ghidra
Apache License 2.0

windows 32bit PE executable loses external refs from import table after default analysis #6636

Open nico-abram opened 2 weeks ago

nico-abram commented 2 weeks ago

A Windows 32-bit PE executable I tried running Ghidra on loses external refs from its import table after default analysis.

To Reproduce
Steps to reproduce the behavior:

  1. Import the attached (at the bottom) binary into Ghidra (it's the crackme from https://crackmes.one/crackme/5ab77f5333c5d40ad448c11a ).
  2. Open Ghidra CodeBrowser on it
  3. Reject the analysis, and don't run any analysis
  4. Examine the lstrcmpA import from kernel32.dll:

                             **************************************************************
                             *                POINTER to EXTERNAL FUNCTION                *
                             **************************************************************
                             undefined lstrcmpA()
             undefined         AL:1           <RETURN>
                             695  lstrcmpA  <<not bound>>
        00405034 7c 52 00 00     addr       KERNEL32.DLL::lstrcmpA

  5. Run the default analysis
  6. Check the address from earlier (0x00405034). The external refs were lost.

I've narrowed down the offending analysis to this set: apply data archives, call fix-up installers, data reference and subroutine references. Running them together results in the issue; disabling any one of them stops it.

Expected behavior
I would expect the default analysis settings not to break/corrupt the import tables.

Environment (please complete the following information):

file: crackme.zip
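To make the loss described above measurable rather than something you spot by scrolling to one IAT slot, the following Ghidra script snapshots every external reference (from-address to library::label) before analysis and diffs the program against that snapshot afterwards, optionally re-creating the references that vanished. It is an added example written for this page, not code from the reporter or from the Ghidra project; the class name `ImportRefSnapshot`, the tab-separated snapshot file format and the "save"/"check" mode names are assumptions of this example. It relies only on the public Ghidra script API (`GhidraScript`, `ReferenceManager`, `ExternalManager`) and is meant to be dropped into a script directory and run from the Script Manager, once with "save" right after import (analysis rejected), then with "check" after running the analyzer set the reporter identified.

```java
// ImportRefSnapshot.java -- added example for this issue page; not the reporter's
// script and not part of the Ghidra project. Class name, file format and mode
// names are assumptions of this example.
//
// Usage: run with mode "save" BEFORE analysis to record every external
// reference, then with mode "check" AFTER analysis to list the ones that
// were dropped and, if you answer yes, re-create them as DATA references.
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.symbol.ExternalLocation;
import ghidra.program.model.symbol.RefType;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.ReferenceManager;
import ghidra.program.model.symbol.SourceType;
import ghidra.program.model.symbol.Symbol;

import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

public class ImportRefSnapshot extends GhidraScript {

    // Map every reference that points at an external symbol (lstrcmpA in
    // KERNEL32.DLL and friends) from its source address, e.g. the IAT slot
    // at 00405034, to {libraryName, label}.
    private Map<String, String[]> collectExternalRefs() {
        Map<String, String[]> refs = new TreeMap<>();
        ReferenceManager rm = currentProgram.getReferenceManager();
        for (Symbol ext : currentProgram.getSymbolTable().getExternalSymbols()) {
            ExternalLocation loc =
                currentProgram.getExternalManager().getExternalLocation(ext);
            if (loc == null) {
                continue;
            }
            for (Reference r : rm.getReferencesTo(ext.getAddress())) {
                refs.put(r.getFromAddress().toString(),
                         new String[] { loc.getLibraryName(), loc.getLabel() });
            }
        }
        return refs;
    }

    @Override
    public void run() throws Exception {
        String mode = askChoice("Import reference audit", "Mode",
                                Arrays.asList("save", "check"), "save");
        File file = askFile("Snapshot file", mode.equals("save") ? "Save" : "Load");
        Map<String, String[]> now = collectExternalRefs();

        if (mode.equals("save")) {
            List<String> lines = new ArrayList<>();
            now.forEach((from, v) -> lines.add(from + "\t" + v[0] + "\t" + v[1]));
            Files.write(file.toPath(), lines, StandardCharsets.UTF_8);
            println("Saved " + lines.size() + " external references to " + file);
            return;
        }

        // "check": every snapshot entry whose from-address no longer carries an
        // external reference was dropped by whatever ran in between.
        boolean repair = askYesNo("Repair", "Re-create missing external references?");
        int missing = 0;
        int restored = 0;
        for (String line : Files.readAllLines(file.toPath(), StandardCharsets.UTF_8)) {
            String[] p = line.split("\t", 3);
            if (p.length < 3 || now.containsKey(p[0])) {
                continue;
            }
            missing++;
            println("LOST  " + p[0] + " -> " + p[1] + "::" + p[2]);
            if (repair) {
                Address from = currentProgram.getAddressFactory().getAddress(p[0]);
                // extAddr is null because these imports are not bound.
                currentProgram.getReferenceManager().addExternalReference(
                    from, p[1], p[2], null, SourceType.USER_DEFINED, 0, RefType.DATA);
                restored++;
            }
        }
        println(missing + " external reference(s) lost since snapshot, "
                + restored + " restored");
    }
}
```

The "check" pass compares by source address only, so a slot whose reference was retargeted rather than removed still counts as present; that is deliberate, since the report is about references disappearing. Re-creating them is a workaround for continuing the analysis, not a fix: the bisection the reporter describes (toggling the four analyzers one at a time and re-running "check" after each combination) is what actually pins the regression to the analyzer, or analyzer interaction, responsible.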