ghida's Introduction

GhIDA - Ghidra Decompiler for IDA Pro

GhIDA is an IDA Pro plugin that integrates the Ghidra decompiler in IDA.

How does it work?

Select a function in either the Graph view or the Text view, then press CTRL+ALT+D (or Edit > Plugins > GhIDA Decompiler). After a few seconds, a new window opens showing the decompiled code of the function.

GhIDA requires either a local installation of Ghidra or the Ghidraaas server.

The plugin correctly handles x86 and x64 PE and ELF binaries.

Read more about all the GhIDA features in the Features section.

If you want to discover how GhIDA works under the hood, read the Technical details section.

Features

GhIDA provides the following features:

  • Synchronization of the disassembler view with the decompiler view

  • Decompiled code syntax highlight

  • Code navigation by double-clicking on symbols' name

  • Add comments in the decompiler view

  • Symbols renaming (limited to XML exported symbols and a few others)

  • Symbols highlight on disassembler and decompiler view

  • Decompiled code and comments cache

  • Store setting options.

More information is provided in the Features description section.

Requirements

  • GhIDA has a Python 2 and a Python 3 version:

    • The Python 2 version requires IDA Pro 7.x
    • The Python 3 version requires IDA Pro >= 7.4
    • GhIDA is not compatible with IDA Home
  • The requests and pygments Python (2 or 3) packages

  • A local installation of Ghidra or Ghidraaas.

    • Use Ghidra version 9.1.2

Installation

Decompiler settings image

  • Install requests and pygments in Python 2 or Python 3:

        pip install requests
        pip install pygments

  • Download the latest release from the release page.

  • Copy ghida.py and the ghida_plugin folder in the plugins folder of your IDA Pro installation.

  • The first time GhIDA is launched (Ctrl+Alt+D or Edit > Plugins > GhIDA Decompiler), a settings form is displayed, as shown in the previous image.

    • If you want to use GhIDA with a local installation of Ghidra:

    • Otherwise, if you want to use Ghidraaas:

      • Launch a local instance of the server using the Ghidraaas docker container
      • Check the Use Ghidraaas server box, and insert http://0.0.0.0:8080/ghidra/api.
  • To run GhIDA:

    • Ctrl+Alt+D
    • Edit > Plugins > GhIDA Decompiler
    • (in the disassembler view) right click > Decompile function with GhIDA
  • To reopen the decompiler view:

    • Either run GhIDA again (see the previous point), or View > Open subviews > GhIDA decomp view.

Suggestions for the best user experience

  • Open the decompile view side-to-side with the disassembler view, and keep active the synchronization between the two views.
  • When you rename a symbol (e.g., a function name), rename it in the decompile view; it will then be updated automatically in the disasm view too. Otherwise, you will need to delete the decompiled code from the cache and decompile the function again.
  • If the program is rebased, all the caches (decompiler, comments, symbol table) are invalidated. Functions must be decompiled again.
  • It's possible to change the TIMEOUT value for the Ghidra analysis in ghida_plugin/lib.py. By default, it's set to 300 seconds, but it may be increased if needed. Please, do not modify the value of COUNTER_MAX or SLEEP_LENGTH, since they are all related.

Features description

Synchronization

By default, the disassembler view is synchronized with the decompiler view. By clicking on different functions both in IDA Graph view or Text View, the decompiler view is updated accordingly. This behaviour is particularly useful if the decompiler view is displayed side-to-side with the disassembler view.

To disable the synchronization (in the disassembler view) right-click > Disable decompiler view synchronization.

Code syntax highlight

Decompiled code is syntax-highlighted using the pygments Python library.

Code navigation

In the decompiler view, double click (or right-click > Goto) over the name of a function to open it in the decompile and disassembler view. If the function has not been decompiled yet, then press CTRL+ALT+D if you want to decompile it.

Comments

GhIDA allows you to insert and update comments in the decompile view. The comment is displayed at the end of the selected line, separated by //.

To add a comment (in the decompiler view) press : or right-click > Add comment and insert the comment in the dialog.

Comments are stored internally, and are automatically added whenever a function is decompiled. They also persist when the GhIDA cached code is invalidated. Moreover, if the corresponding option is selected in the configuration menu, cached comments are dumped to file and then loaded at the next opening. The cache is saved in JSON format in the temporary folder.

Symbols renaming

To rename a symbol (in the decompiler view), select the symbol you want to rename, press N (or right-click > Rename), then insert the new name in the dialog.

Due to the different syntax used by Ghidra and IDA, only a subset of the symbols can be renamed.

Symbols highlight

In the decompiler view, when clicking on a symbol, all the other occurrences of the same symbol are highlighted. The plugin also highlights the corresponding symbols in the disassembler view, but it is limited to XML exported symbols and few others.

Decompiled code and comments cache

GhIDA caches the results of the decompilation and automatically shows the decompiled code when a cached decompilation is requested. However, if the user updates the symbols in IDA, or performs any other action that requires the code to be decompiled again, the user can remove the decompiled code from the cache.

To remove the code from the cache (in the disassembler view) right-click > Clear cache for current function.

If the corresponding option is selected in the configuration, cached code is dumped to file and loaded at the next opening. The cache is saved in JSON format in the temporary folder.

Store setting options

To avoid retyping the GhIDA configuration each time IDA is opened, the configuration is saved in a JSON file in the temporary folder.

Technical details

Under the hood, GhIDA exports the IDA project using idaxml.py, a Python library shipped with Ghidra, then it directly invokes Ghidra in headless mode without requiring any additional analysis. When GhIDA is called the first time, it uses idaxml to create two files: an XML file which embeds a program description according to the IDA analysis (including functions, data, symbols, comments, etc.) and a .bytes file that contains the binary code of the program under analysis. While the binary file does not change over time, the XML file is recreated each time the user invalidates the GhIDA cache, in order to take into account the updates the user made to the program analysis. To obtain the decompiled code, GhIDA uses FunctionDecompile.py, a Ghidra plugin in Python that exports the decompiled code of a selected function to a JSON file.

Exporting the IDA IDB and calling Ghidra in headless mode adds a small overhead to the decompilation process, but it abstracts away the low-level communication with the Ghidra decompiler.
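The headless flow described above, as an added sketch (not GhIDA's own code): it builds the analyzeHeadless command in the layout quoted in the issue logs on this page, enforces the timeout with a kill that works on both POSIX and Windows, and names the exact failure when the result file is missing, empty or malformed. The function names, the DecompileError class, the sample paths and the hex form of the address argument are assumptions.

```python
import json
import os
import re
import signal
import subprocess
import tempfile


class DecompileError(Exception):
    """Specific failure reason instead of a bare 'headless analysis failed'."""


def build_headless_argv(ghidra_dir, project_dir, xml_path, script_dir,
                        func_addr, out_path):
    """Build the analyzeHeadless call as an argv list (hypothetical helper).

    Assumption: the function address is passed as bare hex digits.
    """
    if not re.fullmatch(r"[0-9A-Fa-f]{1,16}", func_addr):
        raise ValueError("function address must be hex digits: %r" % func_addr)
    for path in (ghidra_dir, project_dir, xml_path, script_dir, out_path):
        # A list reaches exec() without a shell on POSIX. On Windows the .bat
        # launcher is still interpreted by cmd.exe, so refuse the characters
        # it treats specially; names derived from a sample are untrusted.
        if not path or path.startswith("-") or re.search(r'["&|<>^%\r\n]', path):
            raise ValueError("unsafe path argument: %r" % path)
    launcher = "analyzeHeadless.bat" if os.name == "nt" else "analyzeHeadless"
    return [
        os.path.join(ghidra_dir, "support", launcher),
        project_dir, "Temp",
        "-import", xml_path,
        "-scriptPath", script_dir,
        "-postScript", "FunctionDecompile.py", func_addr, out_path,
        "-noanalysis", "-deleteProject",
    ]


def run_with_timeout(argv, timeout_s):
    """Run argv; on timeout kill the whole process tree and raise."""
    extra = {} if os.name == "nt" else {"start_new_session": True}
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, **extra)
    try:
        output, _ = proc.communicate(timeout=timeout_s)
    except subprocess.TimeoutExpired:
        if os.name == "nt":
            # os.killpg does not exist on Windows; taskkill /T ends the tree.
            subprocess.call(["taskkill", "/F", "/T", "/PID", str(proc.pid)],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        else:
            try:
                os.killpg(proc.pid, signal.SIGKILL)  # pgid == pid (new session)
            except ProcessLookupError:
                pass  # exited between the timeout and the kill
        proc.communicate()  # reap the child and drain the pipe
        raise DecompileError("timeout after %d s" % timeout_s)
    text = output.decode("utf-8", errors="replace")
    if proc.returncode != 0:
        raise DecompileError("exit code %d: %s" % (proc.returncode, text[-200:]))
    return text


def load_decompiled_json(out_path):
    """Parse the post-script result, naming the exact failure if any."""
    try:
        with open(out_path, "r", encoding="utf-8") as handle:
            raw = handle.read()
    except OSError as exc:
        raise DecompileError("result file not readable: %s" % exc.strerror)
    if not raw.strip():
        # json.loads("") is what yields 'Expecting value: line 1 column 1'.
        raise DecompileError("result file is empty: the post-script wrote nothing")
    try:
        return json.loads(raw)
    except ValueError as exc:
        raise DecompileError("result file is not valid JSON: %s" % exc)


if __name__ == "__main__":
    # Constructed paths; 411357 is the address from the command line quoted
    # in the issues on this page.
    print(build_headless_argv("/opt/ghidra", ".", "/tmp/sample.xml",
                              "/opt/ghida_plugin/ghidra_plugin",
                              "411357", "/tmp/411357_out.json"))
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "411357_out.json")
        open(empty, "w").close()  # constructed: an empty result file
        try:
            load_decompiled_json(empty)
        except DecompileError as exc:
            print("diagnosed:", exc)
```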

Development

GhIDA outputs to the IDA console some messages related to the main operations, using the following syntax:

  • GhIDA [DEBUG] displays a debug message
  • GhIDA [WARNING] displays a warning message
  • GhIDA [!] displays an error message

Improvements

  • Check the support for other file formats (other than PE and ELF) and architectures (other than x86 and x64): idaxml may require specific checks during the project export phase.
  • Improve the syntax conversion algorithm from Ghidra to IDA and vice versa. This will increase the number of symbols that can be highlighted or renamed.
  • Add a batch-mode option that decompiles all the functions in the background and caches them.

Bugs and suggestions

If you discover a bug, or you have any improvements or suggestions, please open an issue.

Be sure to include as many details as possible in order to reproduce the bug.

License

GhIDA is licensed under the Apache License 2.0.

idaxml.py is a library shipped with Ghidra and it is distributed under the Apache License 2.0.

Acknowledgement

Thanks to all the people from Talos Malware Research Team for the insightful comments and suggestions.

ghida's People

Contributors

cclauss, finchy, hluwa, jamiesinn, jimmy-sonny, wumb0, xentrick, yrp604

ghida's Issues

OSX permission denied

GhIDA:: [DEBUG] found 0 symbols
GhIDA:: [INFO] XML exporting completed
GhIDA:: [DEBUG] decompiled cache miss (20026418)
GhIDA:: [DEBUG] Decompiling 20026418
GhIDA:: [DEBUG] EXPORT_XML_FILE: False
GhIDA:: [!] [Errno 13] Permission denied
GhIDA:: [!] Ghidra headless analysis failed
GhIDA:: [!] Decompilation interrupted.
GhIDA:: [DEBUG] DisasmsHandler HELLO
GhIDA:: [DEBUG] EXPORT_XML_FILE: False
GhIDA:: [DEBUG] decompiled cache miss (20026418)
GhIDA:: [DEBUG] Decompiling 20026418
GhIDA:: [DEBUG] EXPORT_XML_FILE: False
GhIDA:: [!] [Errno 13] Permission denied
GhIDA:: [!] Ghidra headless analysis failed
GhIDA:: [!] Decompilation interrupted.

GhIDA decompilation wrapper error

I am trying to use GhIDA on my local computer with:
IDA Pro 7.5
Ghidra 9.1.2
python3.7

I found several issues as:

lib.py: import Queue does not work, because in Python 3 it is named queue.
ghida.py: the custom icon idaapi.load_custom_icon needs a path not data.

But the main problem is the following:

GhIDA decompilation wrapper error module 'sys' has no attribute 'exc_type'

Any idea?

error executing init.py

IDAPython: error executing init.py: nothing to repeat

Refer to the message window to see the full error log.

I have both Python 3x and Python 2x installed; as soon as I launch IDA Pro 7.3 (64-bit) I get this error. License is valid.
Java is correctly installed and PATH is configured (followed the Ghidra installation guide)

Ghidra headless analysis failed

Thanks for the Project.
When I use GhIDA Decompiler, I get a "Ghidra headless analysis failed" error.
Many times with various files, same error.

GhIDA:: [INFO] Ghidra headless (timeout: 300s)
GhIDA:: [INFO] Waiting Ghidra headless analysis to finish...
GhIDA:: [!] 'module' object has no attribute 'killpg'
GhIDA:: [!] Ghidra headless analysis failed
GhIDA:: [!] Decompilation interrupted.

IDA Version: 7.2.181105 Windows
Python Version:Python 2.7.15
Ghidra Path :C:\Program Files\ghidra_9.0.4
Java Version:jdk-11.0.4

and I also have this error

GhIDA:: [DEBUG] Reading GhIDA configuration
('GHIDA_CONF.load_save_cached_code', True)
('GHIDA_CONF.load_save_cached_comments', True)
GhIDA:: [DEBUG] code_cache_path: c:\users\edz\appdata\local\temp\decompiled_cache_3407694CA26AC630BBAD34D07BAFE340.json
GhIDA:: [DEBUG] loading decomp cache from json
GhIDA:: [!] error while loading code from c:\users\edz\appdata\local\temp\decompiled_cache_3407694CA26AC630BBAD34D07BAFE340.json
GhIDA:: [DEBUG] comments_cache_path: c:\users\edz\appdata\local\temp\comments_cache_3407694CA26AC630BBAD34D07BAFE340.json
GhIDA:: [DEBUG] loading comments cache from json
GhIDA:: [!] error while loading comments from c:\users\edz\appdata\local\temp\comments_cache_3407694CA26AC630BBAD34D07BAFE340.json
GhIDA:: [DEBUG] Registering handlers
GhIDA [DEBUG] ScreenEAHook initialized

running command line
"C:\Program Files\ghidra_9.0.4\support\analyzeHeadless.bat" . Temp -import C:\Users\EDZ\source\repos\ConsoleApplication1\test\3407694CA26AC630BBAD34D07BAFE340_JVLNU.xml -scriptPath "C:\Program Files\IDA 7.2\plugins\ghida_plugin\ghidra_plugin" -postScript FunctionDecompile.py 411357 c:\users\edz\appdata\local\temp\411357_5ddduh -noanalysis -deleteProject

Ghidra headless analysis failed

I use IDA Pro 7.5, Ghidra 9.2.2 (latest), Python 3.7.9.
I'm trying to test the decompile function in IDA with GhidraDec, but it is not working for any function :(

XML Exporter v5.0.1 : SDK 750
-----------------------------------------------------------
Exporting XML <PROGRAM> document ....
Processing PROGRAM                 CPU time: 0.0010
Processing DATATYPES               CPU time: 0.0010
Processing MEMORY_MAP              CPU time: 0.0560
Processing REGISTER_VALUES         CPU time: 0.0020
Processing CODE                    CPU time: 0.0020
Processing DATA                    CPU time: 0.0620
Processing COMMENTS                CPU time: 0.0050
Processing PROGRAM_ENTRY_POINTS    CPU time: 0.0000
Processing SYMBOL_TABLE            CPU time: 0.0030
Processing FUNCTIONS               CPU time: 0.0050
Processing MARKUP                  CPU time: 0.0080
                             Total CPU time: 0.6618
--------------------------------------
PROGRAM                           1
INFO_SOURCE                       1
PROCESSOR                         1
COMPILER                          1
DATATYPES                         1
STRUCTURE                         4
MEMBER                           13
MEMORY_MAP                        1
MEMORY_SECTION                    8
MEMORY_CONTENTS                   8
REGISTER_VALUES                   1
REGISTER_VALUE_RANGE             24
CODE                              1
CODE_BLOCK                       34
DATA                              1
DEFINED_DATA                    103
TYPEINFO_CMT                     92
COMMENTS                          1
COMMENT                          41
PROGRAM_ENTRY_POINTS              1
PROGRAM_ENTRY_POINT               1
SYMBOL_TABLE                      1
SYMBOL                           53
FUNCTIONS                         1
FUNCTION                         30
ADDRESS_RANGE                    30
STACK_FRAME                      16
STACK_VAR                         5
MARKUP                            1
MEMORY_REFERENCE                  1
--------------------------------------
Total XML Elements:             477
Database exported to: D:\C_Data\Desktop\TestJS\b47183de13c96177deeeb1983faf4172_OGHFm.xml
GhIDA:: [INFO] XML exporting completed
GhIDA:: [INFO] Ghidra headless (timeout: 300s)
GhIDA:: [INFO] Waiting Ghidra headless analysis to finish...
GhIDA:: [INFO] Ghidra analysis completed!
GhIDA:: [!] Expecting value: line 1 column 1 (char 0)
GhIDA:: [!] Ghidra headless analysis failed
GhIDA:: [!] Decompilation interrupted.

No module named 'comments_cache'

Hi, I have a problem with running this problem, because of a weird Python import issue:

C:\Program Files\IDA Pro 7.4\plugins\ghida.py: No module named 'comments_cache'
Traceback (most recent call last):
  File "C:\Program Files\IDA Pro 7.4\python\3\ida_idaapi.py", line 593, in IDAPython_ExecScript
    exec(code, g)
  File "C:/Program Files/IDA Pro 7.4/plugins/ghida.py", line 37, in <module>
    import ghida_plugin as gl
  File "C:/Program Files/IDA Pro 7.4/plugins\ghida_plugin\__init__.py", line 26, in <module>
    from comments_cache import *
ModuleNotFoundError: No module named 'comments_cache'

I know that:

  • module exists,
  • can be imported if we are running python shell in ghida_plugin dir, but not from parent directory where ghida.py is located
  • I'm guessing it is somehow related to how __init__.py works :/

About disassembly

Can the plugin support disassembly of arm architecture?

I use it to disassemble the arm program and an error occurs:

{"SHOW_SETTINGS": true, "USE_GHIDRA_SERVER": false, "load_save_cached_code": false, "GHIDRA_INSTALLATION_PATH": "D:\Ghidra_9.1.2", "load_save_cached_comments": false}

Feedback/comment

Sorry this is more of a comment/feedback and not exactly an issue:

I tried it on IDA Pro 7.X and it worked as it is supposed to; however, I also tried it on IDA Free 7.X and for some reason the plugin doesn't even show up in the IDA plugin menu. Any idea why?

Renesas Processor yields as unknown compiler

Hi,

I want to decompile code for Renesas SH processors. Both IDA and Ghidra support it as Module 'Renesas SH2A', but GhIDA says it's not supported by Ghidra.

XML Exporter v5.0.1 : SDK 760
-----------------------------------------------------------
Exporting XML <PROGRAM> document ....
Processing PROGRAM                 WARNING: Segments do not have same addressing model!
GhIDA [!] unknown compiler not supported by Ghidra
GhIDA:: [!] export_xml cancelled

GhIDA:: [!] XML Export cancelled!
GhIDA:: [!] Decompilation wrapper error

GhIDA Plugin not Appearing in List

Hello,

I have installed GhIDA following the directions - however the plugin does not appear in the plugin list.

I am using IDA Pro 7.6, with Python 3.9, and "GhIDA 0.22 - IDA7.x-Python3." I have also installed both Requests and Pygments.

No error output is provided in the IDA Pro Output bar, however the plugin is still not listed.

Any possible fix is appreciated! Thank you.

Python module import errors

Python Version: 3.8.2
IDA Pro Version: 7.5
OS: Windows 10 Education
Build: 19042.867
Version: 20H2

# Import error
Location: IDAPro7.5\plugins\ghida_plugin
ERROR: Cannot import and find the modules that are in __init__.py

Solution:
Open __init__.py in an editor.
Add a '.' in front of all the modules in the form 'module' import statements.
ex: from .comments_cache import *
Directs IDA's python3 instance to explicitly look in the current directory for those modules

# Queue error
Location: IDAPro7.5\plugins\ghida_plugin
ERROR: Cannot find 'Queue'

Solution:
Open lib.py in an editor.
Change 'import Queue' to 'import queue'
Now it was successfully found and import queue

# Error finding requests and pygments
Location:
ERROR: ModuleNotFoundError: No module named 'requests'

Solution: IDK

Sync Onclick Error

The plugin is amazing. However, I came across this issue on clicking one of the code lines in the decompiled function:

IDAPython: Error while calling Python callback <OnClick>:
Traceback (most recent call last):
  File "C:/Program Files/IDA 7.0/plugins/ghida.py", line 495, in OnClick
    return gl.highlight_symbol_in_DISASM()
  File "C:/Program Files/IDA 7.0/plugins\ghida_plugin\ui.py", line 52, in highlight_symbol_in_DISASM
    symbol = idaapi.get_highlighted_identifier()
  File "C:\Program Files\IDA 7.0\python\ida_kernwin.py", line 190, in get_highlight
    return _ida_kernwin.get_highlight(*args)
TypeError: get_highlight expected 1 arguments, got 0

Ghidra Headless Analysis Failure: No JSON object could be decoded

System Information

  • GhIDA Versions:
    • Release v0.1
    • Master at commit d153e0d
  • OS: Windows 10 Professional 1909
  • Virtualization Host: VMWare Workstation Pro 15.5.2
  • Ghidra: 9.1.2
  • IDA Pro: 7.3
  • JDK Versions:
    • 13.0.2
    • 11.0.6
  • Python Version: 2.7.13

Symptoms

When attempting to perform analysis on the GreenBug Trojan, the Hexrays decompiler decompiles successfully, while the Ghidra decompiler displays the following error:

GhIDA:: [!] Decompilation error - timeout reached
GhIDA:: [!] No JSON object could be decoded
GhIDA:: [!] Ghidra headless analysis failed
GhIDA:: [!] Decompilation interrupted.

I found some test samples from the "Practical Malware Analysis" book (specifically Lab13-01.exe), and observed something interesting. The Ghidra headless analysis will succeed, but only after the full 300 seconds times out. If the decompilation is interrupted by clicking "Cancel" after a few seconds, the decompilation will still succeed. However, the decompilation will finish successfully within seconds for some binaries.

I believe I'm experiencing something similar to #3 (comment). However, fixes in this comment, as well as other fixes in #3 didn't fix my problem.

Global name "CLexer" not defined?

I got this error immediately after installation and attempt to decompile an example program in IDA 7.2 (Linux version), and Ghidra is 9.1 and 9.1.2 all gave the same error.

Any ideas how to overcome it?

This error is a showstopper, as there is no decompilation at all.

Decompilation wrapper error: module 'sys' has no attribute 'exc_type'

After I fixed import issues and icon_path error, this error appears:

XML Exporter v5.0.1 : SDK 750
GhIDA:: [!] Decompilation wrapper error: module 'sys' has no attribute 'exc_type'

The XML exporter I copied from the Ghidra IDA plugins to the plugins directory. But I don't know how to fix this decompilation wrapper error. Any suggestions?
Ghidra 9.1.2
Ida pro 7.5
Python 3.9.7

Port plugin to Python3

Hi, because Ida is slowly moving to python3, it would be nice to have this plugin ported to python3.

I started working on this (diff), but I have still some unresolved issues which requires deeper debug, like decompilation is failing - probably somebody from authors of this plugin should check diff.

Bug in calling tag_remove

ida_lines.tag_remove(regcmt + " ", 0) => ida_lines.tag_remove(regcmt + " ")
ida_lines.tag_remove(rptcmt + " ", 0) => ida_lines.tag_remove(rptcmt + " ")

Thanks, best regards,

Decompilation interrupted

Windows 10 - 20H2
IDA 7.5_pack3
GHIDRA 9.2.1 and 9.3
PYTHON 3.9.1

Tried multiple small binaries.

The analysis completes very fast and I can see the XML is populated, however I get this in the IDA log:

GhIDA:: [INFO] XML exporting completed
GhIDA:: [INFO] Ghidra headless (timeout: 5000s)
GhIDA:: [INFO] Waiting Ghidra headless analysis to finish...
GhIDA:: [INFO] Ghidra analysis completed!
GhIDA:: [!] Expecting value: line 1 column 1 (char 0)
GhIDA:: [!] Ghidra headless analysis failed
GhIDA:: [!] Decompilation interrupted.

How can you implement jump-table related fixes using GhIDA?

Ghidra sometimes claims that there are too many branches to recover a jump table, yielding errors as seen in this thread:

https://reverseengineering.stackexchange.com/questions/25917/what-do-these-2-ghidra-warnings-mean

As this is a common problem, there are several solutions across the web, with one present in that very thread.

My question is how can I apply them if I'm using the GhIDA plugin, since they require running scripts on Ghidra.

Ghidra headless analysis failed

Possible file format: ELF for ARM (Shared object) (D:\Program Files (x86)\IDA_Pro_v7.0_Portable\loaders\elf.dll)

bytes pages size description


262144 32 8192 allocating memory for b-tree...
65536 8 8192 allocating memory for virtual array...
262144 32 8192 allocating memory for name pointers...

589824 total memory allocated

Loading file 'C:\xxxxxxx\xxxxxx' into database...
Detected file format: ELF for ARM (Shared object)
Loading processor module D:\Program Files (x86)\IDA_Pro_v7.0_Portable\procs\arm.dll for arm...OK
Autoanalysis subsystem has been initialized.
[uEmu]: Init plugin
[uEmu]: Run plugin
[uEmu]: Unicorn version [ 1.0.1 ]
[uEmu]: CPU arch set to [ armle ]
D:\Program Files (x86)\IDA_Pro_v7.0_Portable\plugins\vx_target_standalone.py: PLUGIN_ENTRY was not defined or the class name 'uEmuPlugin' was already used in 'uEmu.py'
Assuming __cdecl calling convention by default
0. Creating a new segment (00000000-00002C0C) ... ... OK

  1. Creating a new segment (0000AE14-0000B038) ... ... OK
  2. Creating a new segment (00000AC0-00000AD0) ... ... OK
    Additional segment (00000AD0-00002C0C) ...
  3. Creating a new segment (00000AD0-00002C0C) ... ... OK
  4. Creating a new segment (00000AD0-00000CB8) ... ... OK
    Additional segment (00000CB8-00002C0C) ...
    Deleting segment (00000CB8-00002C0C) ...
  5. Creating a new segment (00000CB8-00002C0C) ... ... OK
  6. Creating a new segment (00000CB8-00002958) ... ... OK
    Additional segment (00002958-00002C0C) ...
    Deleting segment (00002958-00002C0C) ...
  7. Creating a new segment (00002958-00002C0C) ... ... OK
  8. Creating a new segment (00002958-00002968) ... ... OK
    Additional segment (00002968-00002C0C) ...
    Deleting segment (00002968-00002C0C) ...
  9. Creating a new segment (00002968-00002C0C) ... ... OK
  10. Creating a new segment (00002968-00002C06) ... ... OK
    Additional segment (00002C06-00002C0C) ...
    Deleting segment (00002C06-00002C0C) ...
  11. Creating a new segment (00002C06-00002C0C) ... ... OK
  12. Creating a new segment (00002C08-00002C0C) ... ... OK
  13. Creating a new segment (0000AE14-0000AE18) ... ... OK
    Additional segment (0000AE18-0000B038) ...
    Deleting segment (0000AE18-0000B038) ...
  14. Creating a new segment (0000AE18-0000B038) ... ... OK
  15. Creating a new segment (0000AE18-0000AE1C) ... ... OK
    Additional segment (0000AE1C-0000B038) ...
    Deleting segment (0000AE1C-0000B038) ...
  16. Creating a new segment (0000AE1C-0000B038) ... ... OK
  17. Creating a new segment (0000AE1C-0000AE20) ... ... OK
    Additional segment (0000AE20-0000B038) ...
    Deleting segment (0000AE20-0000B038) ...
  18. Creating a new segment (0000AE20-0000B038) ... ... OK
  19. Creating a new segment (0000AE20-0000AE34) ... ... OK
    Additional segment (0000AE34-0000B038) ...
    Deleting segment (0000AE34-0000B038) ...
  20. Creating a new segment (0000AE34-0000B038) ... ... OK
  21. Creating a new segment (0000AF3C-0000B000) ... ... OK
    Additional segment (0000B000-0000B038) ...
  22. Creating a new segment (0000B000-0000B038) ... ... OK
  23. Creating a new segment (0000B000-0000B00C) ... ... OK
    Additional segment (0000B00C-0000B038) ...
    Deleting segment (0000B00C-0000B038) ...
  24. Creating a new segment (0000B00C-0000B038) ... ... OK
    Deleting segment (0000B00C-0000B038) ...
  25. Creating a new segment (0000B00C-0000B038) ... ... OK
  26. Creating a new segment (0000B038-0000B039) ... ... OK
  27. Creating a new segment (0000B03C-0000B0E4) ... ... OK
    Assuming __cdecl calling convention by default
    Type library 'gnulnx_arm' loaded. Applying types...
    Types applied to 1 names.
  28. Creating a new segment (0000B0E4-0000B100) ... ... OK
    Adding relocations...
    Plan FLIRT signature: ARM library little endian
    autoload.cfg: armlibl.sig autoloads armv12.til
    Type library 'armv12' loaded. Applying types...
    Types applied to 0 names.
    Marking typical code sequences...
    Flushing buffers, please wait...ok
    File 'C:\xxxxxxx\xxxxxx' has been successfully loaded into the database.
    IDA is analysing the input file...
    You may start to explore the input file right now.
    Hex-Rays Decompiler plugin has been loaded (v7.0.0.170914)
    License: 56-3E5B-5634-29 Jiang Ying, Personal license (1 user)
    The hotkeys are F5: decompile, Ctrl-F5: decompile all.
    Please check the Edit/Plugins menu for more informaton.
    IDAPython Hex-Rays bindings initialized.
    ============================================================
    GhIDA Decompiler v0.1
    Andrea Marcelli [email protected]
    Cisco Talos, June 2019
    GhIDA Decompiler shortcut key is Ctrl-Alt-D
    ============================================================
    GhIDA:: [DEBUG] Reading GhIDA configuration
    ('GHIDA_CONF.load_save_cached_code', False)
    ('GHIDA_CONF.load_save_cached_comments', False)
    GhIDA:: [DEBUG] code_cache_path: c:\users\admini~1\appdata\local\temp\decompiled_cache_1DC83C421557F6E549C8A9370EAFD4F8.json
    GhIDA:: [DEBUG] comments_cache_path: c:\users\admini~1\appdata\local\temp\comments_cache_1DC83C421557F6E549C8A9370EAFD4F8.json
    GhIDA:: [DEBUG] Registering handlers
    GhIDA [DEBUG] ScreenEAHook initialized
    ================================================================================
    Keypatch v2.2 (c) Nguyen Anh Quynh & Thanh Nguyen, 2016
    Keypatch is using Keystone v0.9.1
    Keypatch Patcher's shortcut key is Ctrl-Alt-K
    Use the same hotkey Ctrl-Alt-K to open 'Fill Range' window on a selected range of code
    To revert (undo) the last patching, choose menu Edit | Keypatch | Undo last patching
    Keypatch Search is available from menu Edit | Keypatch | Search
    Find more information about Keypatch at http://keystone-engine.org/keypatch
    ================================================================================
    [uEmu]: Init plugin
    [uEmu]: Run plugin
    [uEmu]: Unicorn version [ 1.0.1 ]
    [uEmu]: CPU arch set to [ armle ]
    [uEmu]: Init plugin
    D:\Program Files (x86)\IDA_Pro_v7.0_Portable\plugins\vx_target_standalone.py: PLUGIN_ENTRY was not defined or the class name 'uEmuPlugin' was already used in 'uEmu.py'
    ================================================================================
    [uEmu]: UI ready. Run plugin
    [uEmu]: Unicorn version [ 1.0.1 ]
    [uEmu]: CPU arch set to [ armle ]
    [uEmu]: UI ready. Run plugin
    [uEmu]: Unicorn version [ 1.0.1 ]
    [uEmu]: CPU arch set to [ armle ]
    [uEmu]: UI ready. Run plugin
    [uEmu]: Unicorn version [ 1.0.1 ]
    [uEmu]: CPU arch set to [ armle ]

Python 2.7.13 (v2.7.13:a06454b1afa1, Dec 17 2016, 20:53:40) [MSC v.1500 64 bit (AMD64)]
IDAPython v1.7.0 final (serial 0) (c) The IDAPython Team [email protected]

Using FLIRT signature: ARM library little endian
Propagating type information...
Function argument information has been propagated
The initial autoanalysis has been finished.
GhIDA:: [DEBUG] DisasmsHandler HELLO
('GHIDA_CONF.global_settings', True)
('GHIDA_CONF.use_ghidra_server', False)
('GHIDA_CONF.ghidra_install_path', 'E:\ghidra_9.0')
('GHIDA_CONF.ghidra_server_url', 'http://localhost:8080/ghidra/api')
('GHIDA_CONF.show_settings', True)
('GHIDA_CONF.load_save_cached_code', False)
('GHIDA_CONF.load_save_cached_comments', False)
GhIDA:: [INFO] Configuration saved to c:\users\admini~1\appdata\local\temp\ghida_config.json
GhIDA:: [DEBUG] EXPORT_XML_FILE: True
GhIDA:: [DEBUG] Exporting IDA project into XML format

XML Exporter v5.0.1 : SDK 700

Exporting XML document ....
Processing PROGRAM GhIDA:: [DEBUG] compiler name: GNU C++
GhIDA:: [DEBUG] new_compiler_name: gcc
CPU time: 0.0047
Processing DATATYPES CPU time: 0.0008
Processing MEMORY_MAP CPU time: 0.0250
Processing REGISTER_VALUES CPU time: 0.0141
Processing CODE CPU time: 0.0025
Processing DATA CPU time: 0.1220
Processing COMMENTS CPU time: 0.0146
Processing PROGRAM_ENTRY_POINTS CPU time: 0.0006
Processing SYMBOL_TABLE CPU time: 0.0122
Processing FUNCTIONS CPU time: 0.0151
Processing MARKUP CPU time: 0.0439
Total CPU time: 1.1215

PROGRAM 1
INFO_SOURCE 1
PROCESSOR 1
COMPILER 1
DATATYPES 1
STRUCTURE 3
MEMBER 12
UNION 1
MEMORY_MAP 1
MEMORY_SECTION 19
MEMORY_CONTENTS 16
REGISTER_VALUES 1
REGISTER_VALUE_RANGE 254
CODE 1
CODE_BLOCK 23
DATA 1
DEFINED_DATA 476
TYPEINFO_CMT 327
COMMENTS 1
COMMENT 229
PROGRAM_ENTRY_POINTS 1
PROGRAM_ENTRY_POINT 7
SYMBOL_TABLE 1
SYMBOL 229
FUNCTIONS 1
FUNCTION 66
ADDRESS_RANGE 66
STACK_FRAME 16
STACK_VAR 65
MARKUP 1
MEMORY_REFERENCE 140

Total XML Elements: 1963
Database exported to: C:\Users\Administrator\Desktop\huaweiQ2_pro\1DC83C421557F6E549C8A9370EAFD4F8_cEskL.xml
GhIDA:: [DEBUG] found 0 symbols
GhIDA:: [INFO] XML exporting completed
GhIDA:: [DEBUG] decompiled cache miss (dec)
GhIDA:: [DEBUG] Decompiling dec
GhIDA:: [DEBUG] EXPORT_XML_FILE: False
GhIDA:: [INFO] Ghidra headless (timeout: 300s)
GhIDA:: [INFO] Waiting Ghidra headless analysis to finish...
GhIDA:: [!] 'module' object has no attribute 'killpg'
GhIDA:: [!] Ghidra headless analysis failed
GhIDA:: [!] Decompilation interrupted.

Ghidra Headless Analysis Failure: No JSON object could be decoded

Good day. There is a problem as described above. Here is the log from IDA Pro.

  bytes   pages size description
--------- ----- ---- --------------------------------------------
   262144    32 8192 allocating memory for b-tree...
    65536     8 8192 allocating memory for virtual array...
   262144    32 8192 allocating memory for name pointers...
-----------------------------------------------------------------
   589824            total memory allocated

Loading processor module C:\Program Files\IDA 7.2\procs\i5164.dll for 8051...OK
Loading type libraries...
Autoanalysis subsystem has been initialized.
Database for file '307.bin' has been loaded.
============================================================
GhIDA Decompiler v0.1
Andrea Marcelli <[email protected]>
Cisco Talos, June 2019
GhIDA Decompiler shortcut key is Ctrl-Alt-D
============================================================
GhIDA:: [DEBUG] Reading GhIDA configuration
('GHIDA_CONF.load_save_cached_code', False)
('GHIDA_CONF.load_save_cached_comments', False)
GhIDA:: [DEBUG] code_cache_path: c:\users\user\appdata\local\temp\decompiled_cache_FE46C519975BC6E312BB1719D93A0A64.json
GhIDA:: [DEBUG] comments_cache_path: c:\users\user\appdata\local\temp\comments_cache_FE46C519975BC6E312BB1719D93A0A64.json
GhIDA:: [DEBUG] Registering handlers
GhIDA [DEBUG] ScreenEAHook initialized
---------------------------------------------------------------------------------------------
Python 2.7.18 (v2.7.18:8d21aa21f2, Apr 20 2020, 13:25:05) [MSC v.1500 64 bit (AMD64)] 
IDAPython 64-bit v1.7.0 final (serial 0) (c) The IDAPython Team <[email protected]>
---------------------------------------------------------------------------------------------
GhIDA:: [DEBUG] DisasmsHandler HELLO
('GHIDA_CONF.global_settings', True)
('GHIDA_CONF.use_ghidra_server', False)
('GHIDA_CONF.ghidra_install_path', 'E:\\ghidra_9.1.2_PUBLIC_20200212\\ghidra_9.1.2_PUBLIC')
('GHIDA_CONF.ghidra_server_url', 'http://localhost:8080/ghidra/api')
('GHIDA_CONF.show_settings', True)
('GHIDA_CONF.load_save_cached_code', False)
('GHIDA_CONF.load_save_cached_comments', False)
GhIDA:: [INFO] Configuration saved to c:\users\user\appdata\local\temp\ghida_config.json
GhIDA:: [DEBUG] EXPORT_XML_FILE: True
GhIDA:: [DEBUG] Exporting IDA project into XML format

XML Exporter v5.0.1 : SDK 720
-----------------------------------------------------------
Exporting XML <PROGRAM> document ....
Processing PROGRAM                 GhIDA:: [DEBUG] compiler name: Unknown
GhIDA:: [DEBUG] new_compiler_name: default
CPU time: 0.0019
Processing MEMORY_MAP              CPU time: 0.0061
Processing CODE                    CPU time: 0.0013
Processing DATA                    CPU time: 0.0507
Processing COMMENTS                CPU time: 0.0032
Processing PROGRAM_ENTRY_POINTS    CPU time: 0.0005
Processing SYMBOL_TABLE            CPU time: 0.0023
Processing FUNCTIONS               CPU time: 0.0041
Processing MARKUP                  CPU time: 0.0275
                             Total CPU time: 0.4666
--------------------------------------
PROGRAM                           1
INFO_SOURCE                       1
PROCESSOR                         1
COMPILER                          1
MEMORY_MAP                        1
MEMORY_SECTION                    4
MEMORY_CONTENTS                   2
CODE                              1
CODE_BLOCK                        9
DATA                              1
DEFINED_DATA                     62
TYPEINFO_CMT                    109
COMMENTS                          1
COMMENT                          27
PROGRAM_ENTRY_POINTS              1
PROGRAM_ENTRY_POINT               8
SYMBOL_TABLE                      1
SYMBOL                           29
FUNCTIONS                         1
FUNCTION                         50
ADDRESS_RANGE                    60
REPEATABLE_CMT                    7
MARKUP                            1
--------------------------------------
Total XML Elements:             379
Database exported to: E:\RABOTA\FE46C519975BC6E312BB1719D93A0A64_vnzEm.xml
GhIDA:: [DEBUG] found 0 symbols
GhIDA:: [INFO] XML exporting completed
GhIDA:: [DEBUG] decompiled cache miss (432)
GhIDA:: [DEBUG] Decompiling 432
GhIDA:: [DEBUG] EXPORT_XML_FILE: False
GhIDA:: [INFO] Ghidra headless (timeout: 1000s)
GhIDA:: [INFO] Waiting Ghidra headless analysis to finish...
GhIDA:: [INFO] Ghidra analysis completed!
GhIDA:: [!] No JSON object could be decoded
GhIDA:: [!] Ghidra headless analysis failed
GhIDA:: [!] Decompilation interrupted.

What could this be connected with? An incorrect compiler, or is something missing from my installation? The thing is that if I upload it directly through Ghidra, then the file will decompile, but you must explicitly indicate where the code is in this file.

GhIDA analysis failed

Environment: Windows 10, IDA Pro 7.3, Ghidra 9.0.4, Python 2.7.16

Error log:

GhIDA:: [DEBUG] found 0 symbols
GhIDA:: [INFO] XML exporting completed
GhIDA:: [DEBUG] decompiled cache miss (3560)
GhIDA:: [DEBUG] Decompiling 3560
GhIDA:: [DEBUG] EXPORT_XML_FILE: False
GhIDA:: [INFO] Ghidra headless (timeout: 300s)
GhIDA:: [INFO] Waiting Ghidra headless analysis to finish...
GhIDA:: [INFO] Ghidra analysis completed!
GhIDA:: [!] No JSON object could be decoded
GhIDA:: [!] Ghidra headless analysis failed
GhIDA:: [!] Decompilation interrupted.
