There is an "Add to program" option in the file toolbar menu of the code browser. You can specify the address to load the file to. This is what I normally do for programs which load shellcode. Since there is going to be reuse of the same address in your case, I think you have to set it as an overlay. I'm not sure how this will affect any references that are created from analysis. You can manually override the destination of any function call. To do so, right click on the call instruction and select add/edit references. Make sure the mnemonic is selected and not the operands. Then you can add a memory reference to the function address and for the type select the option for unconditional call override. (Might be "Call override unconditional" but I'm not 100% sure.) This should help you get closer to what you're looking for. Once again, I don't know how it will handle analysis references with overlays without manual overrides, so your results may vary.
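The overlay approach from the reply above can also be scripted. The following Ghidra script is an added example, not code from either poster or from the Ghidra project. It assumes the blocks were already decompressed offline into `*.bin` files in one directory; the class name and the `ovl_` block naming are made up for illustration.

```java
// Added example: load each decompressed blob as its own overlay block,
// all at the same load address. File layout and names are assumptions.
import java.io.File;
import java.nio.file.Files;
import java.util.Arrays;

import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.mem.MemoryBlock;

public class LoadOverlayBlobs extends GhidraScript {
    @Override
    protected void run() throws Exception {
        File dir = askDirectory("Directory of decompressed blobs", "Load");
        Address loadAddr =
            askAddress("Load address", "Address the blobs are decompressed to");

        File[] blobs = dir.listFiles((d, name) -> name.endsWith(".bin"));
        if (blobs == null || blobs.length == 0) {
            println("No .bin files found in " + dir);
            return;
        }
        Arrays.sort(blobs); // deterministic block order

        for (File blob : blobs) {
            if (monitor.isCancelled()) {
                break;
            }
            byte[] bytes = Files.readAllBytes(blob.toPath());
            if (bytes.length == 0) {
                println("Skipping empty file " + blob.getName());
                continue;
            }
            String name = "ovl_" + blob.getName().replaceAll("\\.bin$", "");
            // overlay=true puts the block in its own overlay address space,
            // so several blobs can share the same offsets without colliding.
            MemoryBlock block = createMemoryBlock(name, loadAddr, bytes, true);
            block.setRead(true);
            block.setExecute(true);
            println(name + " -> " + block.getStart() + " .. " + block.getEnd());
        }
    }
}
```

Each block's start address is printed with its overlay space prefix, which is the address to enter when adding the call override reference described in the reply.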
Hi,
I'm working on analyzing a program that uses dynamic code decompression, and it's becoming a bit of an obstacle to not be able to trace function calls through that code. Because this is in an embedded context, different blocks of code will get decompressed to the same address space.
The decompression routine is not hard to reimplement, so I can certainly decompress each of the various blocks that might get loaded, and I can load those into Ghidra as separate programs. But is there a way to do better? What I would like to do is effectively load all of the different blocks at the same address in the same program. If that isn't possible, can I still set things up in a way that I can trace references from one program to another?
Thanks!