Replies: 2 comments
From the code browser, try Analysis->One Shot->Decompiler Parameter ID
Meant to reply separately, not to a reply... When you fix a signature, you should press "p" to commit the changes. This will trigger Ghidra to propagate some of the changes. It doesn't always do that but it works often.
Hi,
After many years as an amateur IDA user, I decided to check out the magic of Ghidra.
I'm reading "The Ghidra Book The Definitive Guide" and in one of the examples it shows how to replace a function parameter type, in this case:
to replace param_3 to an addrinfo pointer in this definition:
ssize_t get_page(undefined4 param_1,undefined4 param_2, int param_3)
(If you want the exact location, it is on pg. 172, in this sample: "http_get_example_x86")
The reason is that if you follow the function definition and its caller, you find out that param_3 is really a pointer to an addrinfo struct.
It goes down like this:
and uVar1 (param_3 above) is defined in do_setup as addrinfo pointer like this:
Now, going back to my question, it is clear now that param_3 in get_page definition is a pointer to addrinfo struct and I should replace it like this:
ssize_t get_page(undefined4 param_1,undefined4 param_2,int param_3)
==>ssize_t get_page(undefined4 param_1,undefined4 param_2,addrinfo *param_3)
which makes the inner definition of any reference to param_3 a lot clearer.
uVar1, which is passed to get_page, is a pointer to addrinfo as Ghidra deduced above, therefore the definition/signature of get_page should reflect it.
So my basic question is this:
Why, or how can I make Ghidra automatically deduce that param_3 is actually a pointer to addrinfo in this case?
After all, tracing back the origin of param_3 in this case is very easy.
It is right there in Ghidra code. Why then, did it not propagate?
If a parameter is decompiled as a struct and later passed on to a function, why is it that that function definition/signature does not reflect it?
Of course I can do this manually in this case but when you try to RE real code it is a lot harder and takes a lot more time.
Perhaps I am missing something, or perhaps there is a plugin or an option I did not use.