bojle
diff --git a/‎docs/_images/zoomed-out-vdb-highlighted.png
70.5 KB b/‎docs/_images/zoomed-out-vdb-highlighted.png
70.5 KB
diff --git a/‎docs/_images/zoomed-out-vdb.png
42.2 KB b/‎docs/_images/zoomed-out-vdb.png
42.2 KB
diff --git a/‎docs/_sources/blog/ghidra_decompiler_cli_guide.rst.txt
+233 b/‎docs/_sources/blog/ghidra_decompiler_cli_guide.rst.txt
+233
diff --git a/‎docs/_sources/blog/index.rst.txt
+3 b/‎docs/_sources/blog/index.rst.txt
+3
diff --git a/‎docs/_sources/blog/pattern_seeking_brain.rst.txt
+78 b/‎docs/_sources/blog/pattern_seeking_brain.rst.txt
+78
diff --git a/‎docs/_sources/links.rst.txt
+2 b/‎docs/_sources/links.rst.txt
+2
diff --git a/‎docs/_static/zoomed-out-vdb-highlighted.png
70.5 KB b/‎docs/_static/zoomed-out-vdb-highlighted.png
70.5 KB
diff --git a/‎docs/_static/zoomed-out-vdb.png
42.2 KB b/‎docs/_static/zoomed-out-vdb.png
42.2 KB
@@ -0,0 +1,233 @@
+Ghidra Decompiler - CLI guide
+#############################
+
+`Ghidra <https://ghidra-sre.org/>`_ has a decompiler that unlike the rest of the
+program (written in java) is written in C++. This caught my attention so I
+started to hack on it. Unfortunately, there isn't much written on the decompiler
+if one wants to use it standalone, in the terminal without the ghidra GUI. This
+article tries to fill that void.
+
+Building The Decompiler
+***********************
+
+Fetch and unzip the ghidra package from `their github release page
+<https://github.com/NationalSecurityAgency/ghidra/releases>`_
+
+.. code::
+
+   $ unzip ghidra_11.1.2_PUBLIC_20240709.zip
+
+`cd` into the decompiler directory and build it
+
+.. code::
+
+   $ cd ghidra_11.1.2_PUBLIC/Ghidra/Features/Decompiler/src/decompile/cpp
+   $ make decomp_opt -j $(nproc --all)
+
+You should end up with a executable called `decomp_opt`.
+
+Running the Decompiler
+**********************
+
+While inside the directory, export the SLEIGHHOME env variable so our decompiler
+can find it, then run the executable.
+
+.. code::
+
+   $ export SLEIGHHOME=/home/shreeyash/ghidra_11.1.2_PUBLIC
+   $ ./decomp_opt
+   [decomp]>
+
+The compiler is running now waiting for commands.
+
+.. note::
+
+   Remember to always export the environment variable before running decomp_opt.
+   You could consider tossing the two commands into a script, making life easier
+   for you.
+
+Decompile and view an ELF executable
+************************************
+
+Let's start with a trivial c++ program with some control flow, compile it into an
+executable (ELF) and decompile it.
+
+Here's the program, save and compile it:
+
+.. code::
+
+   $ cat a.cpp
+   #include <iostream>
+   #define THRESHOLD 20
+   int foo() {
+     return 10;
+   }
+   int main() {
+     int b = foo();
+     std::cout << "The threshold is " << THRESHOLD << '\n';
+     std::cout << "You returned " << b << '\n';
+     if (b < THRESHOLD) {
+       std::cout << "get in\n";
+     } else {
+       std::cout << "get out!\n";
+     }
+   }
+   $ g++ -no-pie a.cpp -o a
+   $ ./a
+   The threshold is 20
+   You returned 10
+   get in
+
+The executable is ready, what's left now is decompilation.
+
+Let's start the decompiler, and load our file:
+
+.. code::
+
+   $ ./decomp_opt
+   [decomp]> load file a                        
+   a successfully loaded: Intel/AMD 64-bit x86     
+
+
+We've loaded our executable in the decompiler. c++ is an abstract language with
+constructs that do not make any sense to a CPU. These include, but are not
+limited to: functions, structs, loops etc. In order to implement these, the
+compiler has to translate abstractions into concrete implementation which
+manifests itself in the form of control flow instructions like branch, compare,
+and jump. If we peep into an executable, we'll notice what we called functions
+are now 'addresses' i.e. a number that represents a location in memory.
+Functions are run by jumping (i.e. setting the program counter) to an address.
+Essentially, if we wish to decompile a function we had in source, we'll have to
+find the corresponding address at which it resides. `a.cpp` has two functions:
+`main` and `foo`. To find the address where a functions resides in the
+executable, we could use `objdump`. 
+
+.. code::
+
+   $ objdump -C -D a
+   ...
+   00000000004011c5 <main>:
+   4011c5:       f3 0f 1e fa             endbr64
+   4011c9:       55                      push   %rbp
+   4011ca:       48 89 e5                mov    %rsp,%rbp
+   4011cd:       48 83 ec 10             sub    $0x10,%rsp
+   4011d1:       e8 e0 ff ff ff          call   4011b6 <_Z5todayv>
+   4011d6:       89 45 fc                mov    %eax,-0x4(%rbp)
+   4011d9:       48 8d 05 24 0e 00 00    lea    0xe24(%rip),%rax        # 402004 <_IO_stdin_used+0x4>
+   4011e0:       48 89 c6                mov    %rax,%rsi
+   4011e3:       48 8d 05 96 2e 00 00    lea    0x2e96(%rip),%rax        # 404080 <_ZSt4cout@GLIBCXX_3.4>
+   4011ea:       48 89 c7                mov    %rax,%rdi
+   4011ed:       e8 9e fe ff ff          call   401090 <_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@plt>
+   4011f2:       48 89 c2                mov    %rax,%rdx
+   4011f5:       8b 45 fc                mov    -0x4(%rbp),%eax
+   ...
+
+Searching for 'main' reveals its label which resides at address `0x4011c5`. 
+
+.. code::
+
+   [decomp]> load addr 0x4011c5 main                  
+   Function main: 0x004011c5                          
+
+`load addr` takes an address and an optional 'label'. Label is essentially a
+name that we assign to that address. In this case, it was 'main'—could've been
+anything for what its worth. 
+
+.. code::
+
+   [decomp]> decompile                             
+   Decompiling main                                   
+   Decompilation complete                          
+   [decomp]> print C                               
+                                                
+   xunknown8 main(void)
+
+   {
+     int4 iVar1;
+     xunknown8 xVar2;
+   
+     iVar1 = func_0x004011b6();
+     xVar2 = func_0x00401090(0x404080,0x402004);
+     xVar2 = func_0x004010c0(xVar2,0x14);
+     func_0x004010a0(xVar2,10);
+     xVar2 = func_0x00401090(0x404080,0x402016);
+     xVar2 = func_0x004010c0(xVar2,iVar1);
+     func_0x004010a0(xVar2,10);
+     if (iVar1 < 0x14) {
+       func_0x00401090(0x404080,0x402024);
+     }
+     else {
+       func_0x00401090(0x404080,0x40202c);
+     }
+     return 0;
+   }
+   [decomp]>
+
+Just like that, we've decompiled our program. Notice how the names are garbled.
+This is because names (of variables and functions) are really neccessary to
+execute a program.
+
+Let's analyze the decompiled output. The latter part of all function names are
+their address. This means, we can look them up in the `objdump`. Moreover, 
+if the set of commands that got us `main` s decompilation we to be repeated
+for all the functions present in in the output, the resulting decompilation
+of main would replace all address with the labels we assign to them. Looking
+up in `objdump`, we find `func_0x004011b6` to be foo:
+
+.. code::
+
+   ...
+   00000000004011b6 <foo()>:
+   4011b6:       f3 0f 1e fa             endbr64
+   4011ba:       55                      push   %rbp
+   4011bb:       48 89 e5                mov    %rsp,%rbp
+   4011be:       b8 0a 00 00 00          mov    $0xa,%eax
+   ...
+
+`func_0x00401090` is not present in the executable, however, the calls to this 
+function are shown in the objdump thusly:
+
+.. code::
+
+   4011ed:       e8 9e fe ff ff          call   401090 <std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*)@plt>
+
+Its quite obvious from the hint that `func_0x00401090` is the operator `<<`
+overloaded to accept a `std::basic_ostream` object and a `const char *`. The
+`@plt` at the end indicates that this function can be found in the `.plt`
+section of the executable. `.plt` which stands for Procedure Linkage Table
+is a redirection table of external functions that can be found in shared
+objects. So, `func_0x00401090` is `operator<<` found in `libstdc++.so` that
+the program is linked to. It takes two arguments: both addresses to 
+objects. A search reveals that the first argumnet is the object `std::cout`
+of which the definition resides in an external library (`libstdc++.so`) and
+the other argument is a char literal that can be found in the `.rodata` 
+section of the executable.
+
+.. code::
+
+   $ objdup -s -j .rodata a
+   Contents of section .rodata:
+   402000 01000200 54686520 74687265 73686f6c  ....The threshol
+   402010 64206973 2000596f 75207265 7475726e  d is .You return
+   402020 65642000 67657420 696e0a00 67657420  ed .get in..get
+   402030 6f757421 0a00                        out!..
+
+Indeed, the string `"The threshold is "` is present at address `0x0402004`.
+
+Likewise, all following functions till `func_0x004010a0` are overloads of
+`operator<<` that handle different types of data. What remains is the control
+flow. It checks if `iVar1` which is `b` in the original source is less than
+`0x14` (`THRESHOLD`) and calls the familiar `func_0x00401090` i.e.
+(`operator<<`). 
+
+Conclusion
+**********
+
+Our work was made much easier by the fact that the executable was not
+'stripped'. Stripping is a process that gets rid of all the symbols that are
+not absolutely neccessary for execution (greatly reduces executable size). In
+the real world, especially if we are dealing with propreitary software,
+executables might be stripped. Unstripped executables allows us to tread
+faster by simply searching for symbols like we did to find main. Stripped
+executables require us to trace, find and deduce what we need. In a later
+article, I may demo decompilation of stripped executables.
@@ -4,4 +4,7 @@ Blog
 .. toctree::
    :titlesonly:
 
+
+   When Reverse Engineering, Your Pattern Seeking Brain Is Your Friend <pattern_seeking_brain>
+   Ghidra Decompiler - Standalone CLI Guide <ghidra_decompiler_cli_guide>
    How to remove a vertex from a boost graph? <boost_graphs_remove_vertex>
@@ -0,0 +1,78 @@
+When Reverse Engineering, Your Pattern Seeking Brain Is Your Friend
+###################################################################
+
+At work, I've been working on reverse engineering a propreitary file format that
+is used to represent a synthesized `netlist
+<https://en.wikipedia.org/wiki/Netlist>`_ for FPGAs by our vendor's EDA tools.
+
+It's a binary file, and here's a sample of the hexdump:
+
+.. code::
+
+   00000000  12 6c 1f 03 0b 00 00 a0  00 00 00 00 40 e4 7a 1f  |[email protected].|
+   00000010  03 08 b6 84 a3 66 00 00  00 00 01 00 20 20 00 02  |.....f......  ..|
+   00000020  40 31 00 ab 00 0e 43 45  4e 4e 41 48 45 68 65 46  |@1....CENNAHEheF|
+   00000030  62 66 4b 49 03 8f 8d a3  03 8f 8d a3 02 00 08 aa  |bfKI............|
+   00000040  ba b9 9e 40 b6 9b 99 00  00 00 00 00 00 00 00 01  |...@............|
+   00000050  0a 49 4d 41 4f 40 4e 4e  49 48 82 08 aa ba b9 9e  |.IMAO@NNIH......|
+   00000060  40 b6 9b 99 00 40 31 00  ab 00 00 b6 84 a3 66 00  |@[email protected].|
+   00000070  00 00 00 ff 00 00 00 00  00 00 00 00 03 8f 8d a3  |................|
+   00000080  00 00 00 00 00 00 00 00  00 00 40 31 00 ab 00 00  |..........@1....|
+   00000090  b6 84 a3 66 00 00 00 00  ff 06 00 14 00 05 00 01  |...f............|
+
+Without any information on the file, this stands as a wall full of random bytes.
+Although complex, there's a lot that can be deduced by looking for patterns.
+File formats are often divided in sections. The bytes may look random, but in
+reality, they ought to be very structured. The first step in dealing with this
+is to **extract the structure**.
+
+One trick I use is to zoom out on the hexdump. This isolates zeros and all other bytes.
+
+Here's an image of a hexdump of the same file, zoomed out:
+
+.. image:: /_static/zoomed-out-vdb.png
+   :align: center
+
+Do you notice any patterns? 
+
+There are alternating strips of dark and light patterns. The light patterns are
+just zeros and darker ones appear to be 'data'. Here's a highlighted image with
+the patterns. White rectangles represent dark parts and greens represent the
+zeros.
+
+.. image:: /_static/zoomed-out-vdb-highlighted.png
+   :align: center
+
+Since this repeats it's likely encoding the same 'type' of information. The pattern
+starts with dark section followed by white and ends with a white section. They
+always come in a pair. So we can deduce that to represent one of this type of
+data, we need a dark part followed by the light part. 
+
+Now, what could this be?
+
+This is a question that falls into the 'content' part. What we did above was the 
+'structure' part. As it turns out, getting meaning out of this is much more 
+tedious. 
+
+A `Fuzzer <https://en.wikipedia.org/wiki/Fuzzing>`_ is the right tool for this
+job. As fuzzers tend to be very special purpose, i wrote one for myself.
+Extracting the details with the fuzzer vindicates our suspicion. The dark and
+light parts are indeed part of the structure. The dark part is sort of a
+preamble to the light part. The light part is a port reference list for all
+the black-box module present in the netlist. 
+
+That this pattern represents black-box modules can be deduced by counting the
+number of times this pattern is present, and what other thing is present as
+many times in the original source file from which this was generated. Inspecting
+the source, which is just a verilog file confirms that this are indeed the
+black-box modules.
+
+Conclusion
+##########
+
+In conclusion, file formats or any other type of data that are supposed to be 
+regular can be brute-forced by our pattern-seeking brains to reveal their 
+structures.
+
+PS: I'll write a full description of the fuzzer and document other details as
+this project progresses.
@@ -37,6 +37,8 @@ Programming/Hacking
 - `Continuations for Curmudgeons
   <https://intertwingly.net/blog/2005/04/13/Continuations-for-Curmudgeons>`__
 - `Video Lan (VLC) Hacker's Guide <https://wiki.videolan.org/Hacker_Guide/Audio_Filters/>`__
+- `Fast IO on Unixes by the way of 'yes' command
+  <https://www.reddit.com/r/unix/comments/6gxduc/how_is_gnu_yes_so_fast/>`__
 
 Books
 -----