ghidra full of thunk functions
I am trying to do a crackme in ghidra. I was already able to find the answer but I want to know how I would have done this "properly" as I used a debugger and looked at strings. In the image below you can see obviously there are a lot of thunk functions but honestly to me they just look like printf's. I don't know how to fix it so I can get actually readable function names or if there isn't a way.
I assumed it may have had something to do with an error I get when I try to analyse the file which I get an error about the PDB file. I tried to recompile the msdia140.dll because I am using visual studio 2019 but I just got build errors when I tried to.
TL;DR how do I make it so that the image below isn't full of thunk functions and is actually readable in a way as those look like printf functions.
I assumed it may have had something to do with an error I get when I try to analyse the file which I get an error about the PDB file
I am assuming the error message is "Unable to locate PDB file "[...]" with matching GUID [...]". If so, this is due to the fact that you don't have the PDB file - the file containing debugging information - of the program you are currently reverse engineering. This is normal in case of a crackme I'd say.
TL;DR how do I make it so that the image below isn't full of thunk functions and is actually readable in a way as those look like printf functions.
well this is the actual work you need to do as a reverse engineer: start understanding what those functions do and set names (and data types).
Apart from situations like MSIL or Java, where there is lots of metadata present in the compiled binary, Ghidra has no way to determine function names automatically. A slightly worse statement is true for variables: in many architectures there isn't even a concept of a variable in machine code.
Ghidra has some heuristics to help you with the manual process: When it prefixes thunk_ for example, it means that the function in question is assessed to simply pass control to another destination function. Or the call to the API function system was already correctly named.
The good news is that you already started some of the work: Based on function arguments or based on your dynamic analysis, you already guessed that thunk_FUN_00d83950 may be printf. So right-click on the function you want to rename and click "Rename Function". Also make sure to notice the the hot-key listed in the menu - you will need it a lot.
Other functions will need additional analysis work: double click those and try to figure out, what they do. Or - as you did before and which is a very powerful technique - combine your static reverse engineering efforts with dynamic analysis.
After correcting some function names you might also want to change their types. Right-Click it those again, select "Edit Function Signature", and make adjustments in the window that appears. In case of printf, which has variadic arguments, it may be necessary to select "Varargs" on the right.
- Get timestamp from old data file
- Is it possible to binary patch an uncritical compare instruction of /boot/vmlinuz and make it run as normal?
- How does the following code detect hooking in iOS?
- Shellcode stub got exited right after executed in Buffer Overflow Exploitation
- How to Read Arguments in a Function Call with Frida
- How to decompile DEX into Java source code?
- What's the purpose of this [1] at the end of struct declaration?
- How I can find all unused import programmatically?
- Unable to Intercept Requests with Mitmproxy: Getting "502 Bad Gateway" Error
- How to rename dynamic symbols in arm elf .so file?
- how do i convert Smali files to readable classes
- How to analyze binary file?
- whenever i attempt to upload the code on my Smowcode ide; it keeps continuously uploading with Bearfoos threat notification coming up always
- Reverse engineer LCD Protocol used in MPC2000XL
- How to record(reverse-engineer) PCI transactions on Linux
- GDB print stl (ex. std::vector) with no debug symbols
- Extracting an archive created via Java RandomAccessFile with PHP
- How do I decompile a .NET EXE into readable C# source code?
- Decode suspected timestamps
- Binary Bomb Phase 5 - lookup table translation -> string compare
- Bomb lab phase 5 - 6 char string, movzbl load, and $0xf, %ecx, and index an array with that?
- Patched Rust binary in Ghidra on MacOS (AARCH64) results in process killed
- What's the difference between .rdata and .idata segments?
- Structure of MPEG-4 "©xyz" box
- How do you extract classes' source code from a dll file?
- How to fix VFP asm code made for armeabi (arm5 or 6) to run on ARM v7?
- Sniffing/logging your own Android Bluetooth traffic
- Reverse engineer Core Data 'mom' file
- How can I generate a UML diagram in VSC from Python code?
- How to get `MediumLevelILVar` type variable reference In Binary ninja with Python api?