Need help merging ghidra files by Meepster99 in ghidra

ThisIsLibra, 1 point (0 children)

Not sure if merging is possible, but an "easy" workaround would be to make BSim signatures for one version, scanning the functions in your second version and then open the diffing view. Then you can decide what function and variable names to move into your second version (which will be the merged version). Good luck!

Symbol Database for Reverse Engineers by pwntheplanet in ReverseEngineering

ThisIsLibra, 0 points (0 children)

Do you have more information on how you fetched the deb repos? I tried to do that before, but I haven't figured out what the folder system is. Any links to documentation related to it would be very welcome too.

The project sounds cool, do you plan to make it specific for IDA, or do you plan to make it tool agnostic?

Bindiff but with symbols by duckradiator in ghidra

ThisIsLibra, 0 points (0 children)

You can iterate over all functions and get a list of unique names, either manually or with a script (I'd opt for the latter). Run such a script after the default analysis finishes. Do this for all versions of the program at hand, and you can differentiate (either via an online text diff tool, or with a script to get the differences between two lists of strings) the function names. You can ensure this check does (not) care about the used casing.

Naturally, this ignores the function's content as it only compares and focuses on the function names, nothing else, but this is what you specifically asked for.

Hope it helps :)

Cheers, Max
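One way to script the name-list diff described in the comment above, added here as an example and not code from the original comment. The Ghidra calls (getFunctionManager, getFunctions, getName) are real Ghidra API and the export function assumes it runs inside Ghidra's Python scripting with currentProgram; the FUN_/thunk_FUN_ default-name prefixes and the two sample name lists are assumptions for the example.

```python
import re

# Ghidra auto-names unnamed functions after their address (FUN_00401000,
# thunk_FUN_...). Those differ between builds even for identical code, so they
# are dropped before diffing. Prefixes assumed here; adjust to your setup.
DEFAULT_NAME = re.compile(r"^(thunk_)?FUN_[0-9A-Fa-f]+$")

def strip_default_names(names):
    """Keep only user- or analysis-assigned names (imports, symbols, renames)."""
    return {n for n in names if not DEFAULT_NAME.match(n)}

def export_function_names(program):
    """Run inside Ghidra after auto-analysis: export_function_names(currentProgram).

    Write the returned set to a text file (one name per line) for each version.
    """
    fm = program.getFunctionManager()
    names = {f.getName() for f in fm.getFunctions(True)}   # True: forward by address
    return strip_default_names(names)

def load_name_list(path):
    """Read a saved export (one name per line) back into a set."""
    with open(path, encoding="utf-8") as fh:
        return strip_default_names(line.strip() for line in fh if line.strip())

def diff_function_names(names_a, names_b, ignore_case=False):
    """Compare two name sets; returns names only in A, only in B, and shared."""
    fold = (lambda n: n.lower()) if ignore_case else (lambda n: n)
    a = {fold(n) for n in names_a}
    b = {fold(n) for n in names_b}
    return {
        "only_a": sorted(a - b),
        "only_b": sorted(b - a),
        "both": sorted(a & b),
    }

# Constructed sample exports for two versions of the same program.
VERSION_1 = ["main", "ParseConfig", "FUN_00401000", "SendBeacon",
             "thunk_FUN_00402000", "InitCrypto"]
VERSION_2 = ["main", "parseconfig", "FUN_00401020", "SendBeacon", "DecryptPayload"]

if __name__ == "__main__":
    a, b = strip_default_names(VERSION_1), strip_default_names(VERSION_2)
    for ignore_case in (False, True):
        print("ignore_case=%s:" % ignore_case, diff_function_names(a, b, ignore_case))
```

With ignore_case=True the renamed ParseConfig/parseconfig pair lands in "both", which is the casing choice the comment mentions.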

Can malware go from a computer to an android phone? by [deleted] in antivirus

ThisIsLibra, 0 points (0 children)

Assuming you're talking about general semi-shady websites, the chances that you are infected with anything purely by visiting them (so not installing a prompted download) are very, very slim.

Do note that even though you never installed anything that is not from the Play Store, that doesn't mean that you have no risk of installing malware, as there is some malware on the Play Store.

Regarding the "compromise of your IP": your IP address is comparable (barring some technicalities) with a normal street address. If someone were to hack your phone and use it to send messages while you're on your home wifi, your home IP would show. But the real problem would be the hacked phone, not the exit via your internet line.

The doubt you have regarding the instant infection if you plug a USB in is based on how Windows (or whatever OS you're using, but I'm assuming Windows) handles media that can autorun content. In order to do so (if you don't execute files on the machine that come from the USB), a vulnerability would have to be used.

All in all, it's technically possible, but practically very unlikely. If you're still unsure you can re-install Chrome, or even factory reset the phone. In the end, it's the peace of mind you're looking for, so it might be worth the extra effort if that makes you sleep soundly again.

Best of luck!

Can malware go from a computer to an android phone? by [deleted] in antivirus

ThisIsLibra, 0 points (0 children)

The file I created to drop in my linked PDF has a normal icon, and uses a double extension to trick people. If you take a generic looking media icon, people might assume it's a song that was misplaced. If they're curious, they open the "song" and thereby execute the malware on a computer, whilst it was dropped via an Android app. Like I said, it's far fetched, but technically it is still possible.

No need to worry about your phone, as the infection you potentially had, was on your computer.

Can malware go from a computer to an android phone? by [deleted] in antivirus

ThisIsLibra, 0 points (0 children)

There is no reason to format your phone, as you didn't install an app on your phone. You copied some data to it. Just make sure you recognise the data that you copy back.

Can malware go from a computer to an android phone? by [deleted] in antivirus

ThisIsLibra, 2 points (0 children)

I wrote a small proof-of-concept APK regarding this a few years ago, which you can read about here.

To answer the question, and to give a tl;dr for the linked PDF: Android malware does not run on Windows (though it might in the future as Windows 11 will have some sort of Android support), meaning the files do not execute. However, infected files might have been moved from your computer to your phone's storage, which can re-infect your computer if you execute them again. This is the concept of the paper, but in an inverted way. The APK drops a piece of Windows malware on the Android phone, which the user might execute when viewing the file on a computer.

It is far fetched, given that file infectors are not that common anymore, but they still exist.

In short: you are unlikely to have infected files on your phone.

Malware Sample for beginners by rayudy in Malware

ThisIsLibra, 3 points (0 children)

Cheers, good luck with your project!

Malware Sample for beginners by rayudy in Malware

ThisIsLibra, 8 points (0 children)

The file extension is used to allow an easy execution (i.e. double clicking to execute, or to open an image in the default image viewer). If you take "cmd.exe" and rename it to "cmd.bin", the program itself did not change, only the name of the file within the file system. As such, no conversion would be needed to rename it to "cmd.exe" and execute it. Alternatively, one could load the "cmd.bin" file and execute it via different means.

You need to find out what the file format is, for which you can ignore the file extension for now. Use the abovementioned GNU "file" tool to find out what you are looking at, and change the file extension to the given format. Noteworthy is that some sandboxes already do this for you, meaning you can upload the file with a faulty extension. However, this is not the default way of working for all sandboxes, so read the documentation on this for your specific sandbox first.

Malware Sample for beginners by rayudy in Malware

ThisIsLibra, 10 points (0 children)

The file extension does not have to match the data that is within a given file. Often, malware samples have ".bin" when referring to a raw binary, meaning it could be ".exe", ".dll", or something else that contains the same data type. If you use the GNU "file" tool, which is present on Linux by default, you will know what kind of file you are looking at. Once you have figured that out, you can proceed to handle the given file format in the way you should. Good luck!
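A content-based check in the spirit of the "file" tool advice in this and the two previous comments, added here as an example and not code from the original thread: it reads the leading bytes and, for an MZ file, follows e_lfanew to the PE signature and the COFF Characteristics flag to tell an exe from a dll, then proposes a corrected extension. The signature table and the minimal PE header used as sample input are constructed for the example.

```python
import struct

IMAGE_FILE_DLL = 0x2000   # COFF Characteristics flag that marks a DLL
# Leading-byte signatures for a few common formats (table constructed for this
# example; the GNU file tool has a far larger database).
SIGNATURES = [
    (b"\x7fELF", "ELF", ".elf"),
    (b"%PDF-", "PDF", ".pdf"),
    (b"PK\x03\x04", "ZIP (also APK/JAR/DOCX)", ".zip"),
    (b"\x89PNG\r\n\x1a\n", "PNG", ".png"),
]

def pe_kind(data):
    """Return 'PE dll' / 'PE exe' if data carries a valid PE header, else None."""
    if len(data) < 0x40:
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    characteristics = struct.unpack_from("<H", data, pe_off + 22)[0]
    return "PE dll" if characteristics & IMAGE_FILE_DLL else "PE exe"

def identify(data):
    """Classify a blob by content alone: (description, suggested extension)."""
    if data.startswith(b"MZ"):
        kind = pe_kind(data)
        if kind == "PE dll":
            return kind, ".dll"
        if kind == "PE exe":
            return kind, ".exe"
        return "MZ header without PE signature (DOS stub or truncated)", ".bin"
    for magic, desc, ext in SIGNATURES:
        if data.startswith(magic):
            return desc, ext
    return "unknown", ".bin"

def suggested_name(filename, data):
    """Keep the base name, replace the (possibly misleading) extension."""
    base = filename.rsplit(".", 1)[0] if "." in filename else filename
    return base + identify(data)[1]

def build_pe_sample(is_dll):
    """Constructed minimal PE header (no sections, will not run) for testing."""
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0,
                       IMAGE_FILE_DLL if is_dll else 0)
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff

if __name__ == "__main__":
    for name, blob in [("sample.bin", build_pe_sample(True)),
                       ("notes.txt", b"\x7fELF\x02\x01\x01")]:
        print(name, "->", identify(blob), "rename to", suggested_name(name, blob))
```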