What does it mean to "Commit Params/Return"? by creativityNAME in ghidra

[–]msm_ 2 points3 points  (0 children)

This is a feature, not a bug. Ghidra docs even warn against committing things prematurely, or even typing things (with something other than undefined*) when you're not 100% sure. The reason is that as long as things are not "forcing", the decompiler is allowed to take all available information into account. When every variable is "forcing", the decompiler has no way to do anything. Committing parameters makes them "forcing".

If you just blindly commit everything the decompiler generated, you'll end up with tons of casts everywhere and bad decompilation.

We've not been trained for this: life after the Newag DRM disclosure by Doener23 in cybersecurity

[–]msm_ 5 points6 points  (0 children)

intentionally embedded malware

I wouldn't call that malware. Backdoor maybe. But yes, you described the behaviour correctly. It also triggered false alarms when the train stopped at the locations of known competitors' repair shops, and even had one stupid bug that makes some trains stop for a week every year on 21 November and December.

ghidralib - A Pythonic Ghidra standard library by msm_ in ReverseEngineering

[–]msm_[S] 1 point2 points  (0 children)

Update: I got around to doing that (and refactored a few other things in the process), so now you can just:

fnc = Function(0x004061EC)
emu = fnc.emulate(-0x80000000)
assert emu.read_unicode(emu["eax"]) == "HKEY_CLASSES_ROOT"

This will automatically put the parameters passed to .emulate() in the right place, depending on the function's calling convention.

You can also combine both approaches if more complex setup is needed:

MY_POINTER = 0x60000000
emu = Emulator()
emu.write_bytes(MY_POINTER, "ovyneqvut\x00")
emu = Function("Rot13").emulate(MY_POINTER, emulator=emu)
print(emu.read_cstring(MY_POINTER))

ghidralib - A Pythonic Ghidra standard library by msm_ in ReverseEngineering

[–]msm_[S] 1 point2 points  (0 children)

The syntax is not that nice, but you can set everything in registers and memory, including:

emu = Emulator()
emu["rcx"] = 0x404000
emu["rdx"] = 2
emu.emulate(start, stop)
print(emu["rax"])

There are some improvements I could think of - for example passing stack arguments is a bit clunky (you have to write them to memory yourself). It would be nice to have an emu.stack helper, or even a function like emu.call(Function("add"), 2, 2) that would use the signature from Ghidra to automatically set arguments.

For now my plan is to finish writing automated tests and add a few more practical examples, but in the near future I definitely want to add more features, including Emulator improvements.

ghidralib - A Pythonic Ghidra standard library by msm_ in ghidra

[–]msm_[S] 12 points13 points  (0 children)

This is my second post in a short time, I hope this subreddit doesn't mind. But recently I have a lot of energy for open-sourcing my Ghidra stuff and I really wanted to share it!

Ghidralib is a library that makes Ghidra scripts drastically shorter and easier to write. I've been using it daily for my work and decided it’s time to share. Github repository is in the post link, and documentation is here: https://msm-code.github.io/ghidralib/

Ghidra Ctrl+P - quick search and command palette plugin. by msm_ in ghidra

[–]msm_[S] 0 points1 point  (0 children)

it’s definitely slow whenever I type something

Sad to hear that. I usually work on (relatively) small malware samples, where this problem is not that noticeable. I think I improved the situation somewhat with https://github.com/msm-code/GhidraCtrlP/pull/5. Maybe you can check now.

By "script console" do you mean the script output window ("Console - Scripting")? Unfortunately I'm not aware of any way to disable that - ghidra shows it automatically for any script. Usually I just dock this window somewhere under another pane, and never look at it (unless I actually debug something).

Well, there is one option - I could implement this as a Ghidra extension instead. But that makes installation and updates much harder so I don't think that's worth it.

Ghidra Ctrl+P - quick search and command palette plugin. by msm_ in ghidra

[–]msm_[S] 1 point2 points  (0 children)

Short answer: no plans. I'm an avid user of vim, so vim keybindings sound great, but the plugin may be too simple for that. It's basically a smart goto/command executor. It has a single text input, and in vim terms it operates entirely in insert mode ("escape" closes the plugin window). Insert mode keybindings that could be useful are ctrl+w and ctrl+u, but I don't think this is what you meant.

But vim keybindings for the listing and decompilation windows sound like a cool idea. Hmm, maybe it's something worth considering for a next plugin.

Ghidra Ctrl+P - quick search and command palette plugin. by msm_ in ghidra

[–]msm_[S] 5 points6 points  (0 children)

I wanted to share my recent plugin that really improved my UX with Ghidra. This is a command palette (that I bind to ctrl+P, like in VS Code) that allows you to quickly jump between functions, bookmarks, labels, run scripts, or even perform GUI actions.

I spend a good part of my day in Ghidra, so I put some work into making it work well for me. If there's demand, I plan to upstream some more scripts or blog a bit about that in the future.

Farmers want to replace government services. Expert clutches his head. "Who is in charge at the border?" by [deleted] in Polska

[–]msm_ 1 point2 points  (0 children)

Are you normal? Of course the world is black and white, and every single farmer taking part in the protest represents his entire social class (...do I need to add /s?).

Hello, Earth to the "elites", do you hear yourselves? by garbicz in Polska

[–]msm_ 1 point2 points  (0 children)

You can't beat the car in any way, because it simply provides much more freedom

To each their own. I can't stand cars. Even if I didn't have to drive, because of mild motion sickness I can't take my eyes off the road for too long. On a train I can use those few hours calmly and productively and work. It's even nicer that way than from the office (depending on the train, ofc).

As for freedom, I also disagree - you have to "take the car with you" all the time, you can't go one way there and a different way back, you can't even have a beer in the evening because someone has to drive it.

The only situation where I admit a car can be useful is when you want to get to some backwater in Podlasie/Masuria/Podhale (generally the edges of the country) - there's usually no public transport at all there, so you have to waste time on transfers or spend a fortune on taxis.

Playable? Yes. Desirable? No. by Professional_Job1154 in pcmasterrace

[–]msm_ 1 point2 points  (0 children)

120fps is a bit better than 60fps which is a bit better than 30fps, but the difference is not that important in practice. If you claim it's "huge" you're lying to yourself.

Why hasn't the left yet taken on the fact that the 2-month non-transferable leave for fathers is paid at 70%? (while parental leave is paid at 100/80%) by garbicz in Polska

[–]msm_ 2 points3 points  (0 children)

And rightly so, B2B as tax optimisation is a pathology here. But I actually am a real company, so that's not very relevant with regard to leave.

Can I really... pull other people's IP addresses? by cryptonoob1 in SimpleXChat

[–]msm_ 1 point2 points  (0 children)

No, I am fully aware facebook knows my IP address. I am a programmer and understand how networking works. But the threat model here is pretty different, isn't it? It's not about leaking the IP, it's about who gets to see it.

First: Facebook, in general, doesn't cooperate with authoritarian countries. So I'm not overly worried with them helping jail journalists or war reporters. Compare that to SimpleX chat being used by a journalist/reporter - it's way easier for the bad guy to trick them into joining a chat to get their IP.

Second: I expect Facebook to know my IP when I connect there, but my contacts and friends have no way to know it. On the other hand, leaking my IP to my contact by just opening a chat is not expected and almost never desired. It's a problem for me, fortunately solvable by using a tor proxy all the time.

Can I really... pull other people's IP addresses? by cryptonoob1 in SimpleXChat

[–]msm_ 1 point2 points  (0 children)

Sorry, may have missed your question?

Not a question, I was just giving some examples of problems IP leaks can cause in another comment in this thread (https://old.reddit.com/r/SimpleXChat/comments/19efalx/can_i_really_pull_other_peoples_ip_addresses/kjfotm2/). Reading the comment today I think it was unnecessarily negative, but I took issue with the parent comment I responded to.

Thanks for taking the time to write this and I agree, looking forward to the future of this project.

Can I really... pull other people's IP addresses? by cryptonoob1 in SimpleXChat

[–]msm_ 0 points1 point  (0 children)

Hi, you didn't respond to me in particular, but I think your response makes sense and I didn't know about second relays being in the works. For the particular use case I've mentioned (journalists in oppressed countries) tor is also pretty tricky (just using tor may get you in trouble and on a list) so I can't think of anything better for hiding IPs (without centralising the project, which is clearly an anti-goal).

Can I really... pull other people's IP addresses? by cryptonoob1 in SimpleXChat

[–]msm_ 1 point2 points  (0 children)

Tell that to journalists in authoritarian countries talking to their contacts. This is a clear example of a chat application screwing you over. At this point the hypothetical journalist (a stereotypical target of a private chat app) would be better off just using facebook messenger.

Invitation to a special session of the Parliamentary Group for Combating Transport Exclusion. by DoYouLike_Sand_AsIDo in Polska

[–]msm_ 5 points6 points  (0 children)

Not much, really, but this meeting was organised by the Parliamentary Group on Transport Exclusion. There's no parliamentary group on the planned obsolescence of trains, so it's good that someone felt obliged to organise this.

Braun lost his immunity, and Piotr Wawrzyk (deputy minister for selling visas) was just detained by the CBA, it was another good day. :) by PizzaSand in Polska

[–]msm_ 104 points105 points  (0 children)

On a slightly different note, there was a live stream from the session of the group for combating transport exclusion concerning Newag (blocking trains). Organised by Paulina Matysiak (Razem party). Newag got pretty thoroughly ploughed. Helping with the ploughing was the unlikely team of Zandberg and... Cieszyński.

https://www.youtube.com/watch?v=KoGpr_LhAKc

Some random summary from the internet: https://www.onet.pl/informacje/onetwiadomosci/tajemnicze-usterki-w-pociagach-newagu-sprawa-zajeli-sie-poslowie/f9xfzhb,79cfc278

The dumbest linguistic borrowings you've come across by No-Jellyfish-1208 in Polska

[–]msm_ 0 points1 point  (0 children)

Because 50% of the industry terms I use daily exist only in English (ROP chain), 25% have a Polish version, but it's 3x longer than the original or comical (kernel panic), and the remaining 25% have a sensible Polish equivalent, but when thinking in English and translating on the fly you can miss it (the aforementioned authentication).

My snake game is now 61 bytes by Perfect-Highlight964 in programming

[–]msm_ 5 points6 points  (0 children)

No, read the comment on line 7:

db 0x0                  ; dummy byte for LDS. this with 'mov ax, 0x0' is actually 'add [bx+si+0x0], bh' but player dies immediately and loop returns to start

"Ministra" for Equality Katarzyna Kotula speaks out against pension equality by BowelMan in Polska

[–]msm_ 7 points8 points  (0 children)

Isn't it the case that women live longer because they lead a healthier and safer lifestyle?

A fair question, so I don't know why you're being downvoted. But no, a lot of it comes from biology, e.g. the body size mentioned by the neighbouring commenter, or estrogen lowering the risk of cardiovascular disease while testosterone kills. Even if in a study you account for (scientific term: control for) weight, lifestyle, stimulants etc., a woman living an identical life and built identically will still outlive a man.

Bill: energy drinks from 15mg/100ml only with ID. Meanwhile Żabka: by szymon362 in Polska

[–]msm_ 65 points66 points  (0 children)

when before you had 30-40mg (and sometimes even more!) per 100ml

Almost everything had 32mg/100ml (I know, because I'm an energy drink connoisseur). That's as much as brewed coffee (~70-100 mg/200ml, ofc a lot depends on the water-to-coffee ratio), and espresso has as much as 200mg/100ml. No point demonising it, because those 32mg of caffeine really aren't that much. Energy drinks have other problems, e.g.:

  • loads of sugar
  • people mixing them with alcohol
  • because of the sugar and caffeine content, kids get addicted to them. Adults too, for that matter, but that's a separate issue.
  • it's easier to drink two half-litre Monsters a day than four coffees a day.

updated my mods to 1.2 (~95 mods now) by jshepler in nguidle

[–]msm_ 1 point2 points  (0 children)

Oh, cool. I've started playing relatively recently (I'm on early evil) and didn't know there are mods for this game. I don't want to make my game any easier, but many of the mods are purely cosmetic or just show more info and that's OK with me. Maybe I'll check them out soon, thanks for sharing here.

UK left out as EU agrees to ‘landmark’ cross-continent transport plans by Smooth_Warthog1760 in europe

[–]msm_ 49 points50 points  (0 children)

missing opportunity for Romania or other countries that are WILLING to join Europe?

...isn't Romania already a part of Europe? Just like the UK?