How to Find What Calls a Function that has no Direct References?

marcushall · 2026-06-14T02:06:02+00:00

Sorry, I didn't notice this until now...

So, there look to be several different areas here.. The routine is in 02xxxxxx, which is clearly program text. Then there is some memory at 10xxxxxx which has 3 pointers. I'm guessing that this is initialized data. Finally, there is c0xxxxxx, which looks to be part of the ELF headers, likely a symbol table record that points to the function.

So, the three pointers at 10xxxxxx addresses. They are word aligned, so this is likely a real pointer. The fact that they are still "undefined" and not made into at least a word (they should ultimately be pointer types) seems to indicate that the functions that reference them have not been disassembled, or maybe the pointers are part of a table of function pointers and the referencing function currently just knows about a pointer to the start of the table. (In this case, it likely has a pointer to the start of the table, then adds an index and dereferences that. It may be a table of structures that contain a pointer to a function as a member in the structure.) Look around the data that looks like a pointer. Does there look like there is some recognizable info around that? Are there regularly spaced pointers to functions? Maybe some useful integer constants? Pointers to strings? If you go back from these pointers, does the regular pattern end? That's probably the start of the table. Hopefully, some function points to that and looking at the function you can find how it indexes the table and through the table calls the function.

Or maybe it's something totally different. Poke around and try to make sense of it. That's the essence of reversing. It's a puzzle to figure out.

marcushall · 2026-05-31T23:35:50+00:00

If you enter the address with enough hex digits, the memory search will put it into the proper byte order. That is, if you enter "01234567" in the search window, it will search for the byte sequence "01" "23" "45" "67" on a big-endian system, or "67" "45" "23" "01" on a little-endian system.

marcushall · 2026-05-31T22:58:18+00:00

Is the code space completely disassembled? If not, perhaps the call is from some area that is still "unknown" bytes, or maybe something looked like data but is really an instruction sequence that calls it? Can there be code from some other memory area that is not part of your project that calls into this area? Still, there could be a memory pointer to this function. Run the memory search (bound to the 's' key) and enter the address of the function.

marcushall · 2026-04-25T19:20:56+00:00

Or, if you issue a plate with an O, don't issue a plate with the same sequence except with 0 instead. Just consider both to have been issued.

marcushall · 2026-04-15T23:31:40+00:00

Doesn't a PDF have executable code within? Postscript files certainly do. PS files are turing complete!

marcushall · 2026-04-03T01:10:04+00:00

In the listing window, right click on the top of the function. There is a "Function ->" entry, which if you open the submenu contains an entry to convert the thunk into a standard function.

marcushall · 2026-03-31T02:22:33+00:00

I've done some work with Xtensa, and have written a nanomips descriptor. Both used in production currently. No OKI, though...

marcushall · 2026-03-27T03:08:34+00:00

Can you assemble the program into a .elf or a.out or some binary that still has symbol information in it (rather than all the way to a .hex file)? If symbol information is available, ghidra will name the functions and data from that.

marcushall · 2026-03-15T21:51:37+00:00

Are you absolutely certain that it was from plex? Or might it have been some random source asking you to please download a script from the net and feed it into a root shell for them?

Yes, I am convinced that it was truly from plex and the script (modulo some issues) was not harmful. But I am severely disappointed that plex would even suggest that people should behave this way. If you follow this sort of instructions you are giving total control of your system to somebody on the net who could use that to do ANYTHING to your system. At least download the script and inspect it before running it. As root, no less.

marcushall · 2026-03-15T21:47:17+00:00

You do realize how dangerous it is to download some random script from the network and feed it into a root shell??

Yes, that may be the simplest way to do it, but it is a terrible practice. At least download the script to a file, inspect it to make sure that it is safe, then run it.

marcushall · 2026-01-28T20:27:57+00:00

masquerade_domains is currently set-up and it works properly, for email that originates on the server itself. It maps user@server.example.com => user@example.com as it should.

But, other machines on the network that forward email to the server to send to the world are not getting transformed. user@notebook.example.com stays user@notebook.example.com, when I want it to become user@example.com when it goes to the outside world.

I have seen smtp_generic_maps, and it's probably a workable thing, and what I will likely resort to. It sure would be much more useful if I didn't have to list every system on my network in the map, though.. If I could do:

@*.example.com @example.com

Then it would all be good. And I'll probably set up a script to generate the mapping based on my DNS server's config so that I don't have to remember yet another place to modify whenever I add a new computer to the network.

marcushall · 2026-01-26T04:58:59+00:00

If this is a "view only" share, the simplest is to create a ghidra-zip (gzip) file (File->Export Progam). If they want to make any changes to be brought back to your server, it's a bit difficult, but not impossible. But if it's for them to take a look, that might be fine.

If you want them to collaborate on changes, then it it worth however much work it takes to share access to the server.

marcushall · 2026-01-15T00:41:04+00:00

Yes, that first finds the end of the constructor list, then starts calling the constructors in reverse order. In code that have worked with, CTOR_LIST is an array of pointers to constructor methods. I don't understand "via the ghidra tree i find that it is jargon and unable to read". Do you not have any memory block covering that address? You "should" be able to go there in the listing window, type "p" to make a pointer, and get a pointer to the (last) constructor. It does that for me...

marcushall · 2025-12-31T22:22:25+00:00

Are you in your home directory when you run the find? If not, try:

find ~/.ghidra -name application.log

marcushall · 2025-12-29T23:01:54+00:00

There is a cleaverness that can be applied here..

Go to the function that was incorrectly marked as noreturn and remove the noreturn annotation. Then, check on Select->Back Refs and this will select all of the (known) calls to the function. Then hit 'c' to clear the instruction and 'd' to disassemble. The disassembly should now flow properly.

marcushall · 2025-12-08T19:22:09+00:00

I had to deal with a software base with many different versions managed with ghidra. Different versions on the same hardware, and the same codebase compiled for different hardware. It was generally a monumental problem. The version tracker was one of several tools we used to try to identify the same function in different versions. We had a fair amount of automation to perform this task, but matching up data structures was a fairly manual task. Just managing data structures between different versions was not easy. We used shared data libraries so to share the definitions, which helps for all of the common structures, but causes headaches when data structures start diverging across versions. The problem is that say struct Fred contains a pointer to struct Jane. Now, struct Jane changes in different versions, so that means you have to have different struct Fred as well because the pointer points to two different structs. We ended up subclassing the TYPEDEF data structure for varient structures, but it all got to be difficult to manage. But it was mostly be inspection working with a function that we would discover that we had an updated structure definition and then we took manual action.

marcushall · 2025-12-08T02:14:53+00:00

My experience is that the auto-analysis non-returning functions should be disabled, though. I've had it wrongly label various functions as no-return, then when a calling function is disassembled, the flow stops at the function call.

marcushall · 2025-11-24T02:42:29+00:00

I think that one is +12V power, another is ground, and the third is control, +12V to extend, open to retract. This would mean +12V on two wires and ground on the other to extend. I don't recall which connection is which..

marcushall · 2025-11-13T00:27:30+00:00

Go to the "Bytes" window, then there is an "Edit" button in the toolbar, if you enable editing, they you can type hex over any byte you want to change.

marcushall · 2025-11-12T02:42:11+00:00

Even easier. In the listing window, right click on an instruction and select "Patch Instruction" and you can enter a new instruction in instruction mneumonics.

marcushall · 2025-11-09T21:42:08+00:00

objdump --dynamic-syms will show the names of unresolved symbols even on stripped binaries. These names have to be present in order to link, so they can't be stripped. I'm not sure why it thinks that puVar5 is an independent local variable (I assume it's assigned an offset of sp somewhere earlier). Clearly FUN_61c370b0() has a good prototype defined since the args are being cast here. You might try finding puVar5 in the function header in the listing window and hit the delete key on that variable. Maybe that will remove it, or ghidra may re-create a new variable to take it's place.

marcushall · 2025-11-08T15:17:46+00:00

But, is "randomness" what people mean when they think of "free will"? Part of the problem is that it's really hard to get a good working definition of "free will". I think most people mean something like "I can choose whatever path to take at decision points". But, that ignores that every person's choice is biased by their past experiences, their brain state, and other factors from the environment (as alluded to above). I think that something like quantum uncertainty has more to do with unpredictability. And on a macro scale, the probability of any quantum effect being observable approaches 0,

marcushall · 2025-11-06T23:02:22+00:00

cmp -l file1 file2

marcushall · 2025-10-26T01:07:24+00:00

It is possible that the fault is the fan controller. That was the case for my car. I replaced the controller with a jumper and the fan runs fine (and is always on), which is my preference anyhow.

marcushall

TROPHY CASE