securityjoes
diff --git a/‎AskJOE.py
+223-226 b/‎AskJOE.py
+223-226
diff --git a/‎AskJOE/__init__.py b/‎AskJOE/__init__.py
diff --git a/‎AskJOE/capa_explorer.py
+378 b/‎AskJOE/capa_explorer.py
+378
diff --git a/‎AskJOE/config.ini
+5 b/‎AskJOE/config.ini
+5
diff --git a/‎AskJOE/constants.py
+14 b/‎AskJOE/constants.py
+14
diff --git a/‎AskJOE/data.py
+3,250 b/‎AskJOE/data.py
+3,250
diff --git a/‎AskJOE/db.json
+1 b/‎AskJOE/db.json
+1
diff --git a/‎AskJOE/ghidra_utils.py
+87 b/‎AskJOE/ghidra_utils.py
+87
diff --git a/‎AskJOE/openai_utils.py
+44 b/‎AskJOE/openai_utils.py
+44
diff --git a/‎AskJOE/utils.py
+15 b/‎AskJOE/utils.py
+15
diff --git a/‎README.md
+28-6 b/‎README.md
+28-6
diff --git a/‎config.ini
-2 b/‎config.ini
-2
diff --git a/‎imgs/AskJOE-Running.gif
-861 KB b/‎imgs/AskJOE-Running.gif
-861 KB
diff --git a/‎imgs/AskJOE-updated-running.gif
1.15 MB b/‎imgs/AskJOE-updated-running.gif
1.15 MB
diff --git a/‎imgs/ghidra_scripts_folder.png ‎imgs/ghidra_scripts_folders.png b/‎imgs/ghidra_scripts_folder.png ‎imgs/ghidra_scripts_folders.png
diff --git a/‎imgs/ghidra_scripts_home.png
18.7 KB b/‎imgs/ghidra_scripts_home.png
18.7 KB
@@ -0,0 +1,5 @@
+[KEY]
+OPEN_AI = KEY_HERE
+
+[CAPA]
+GITHUB = https://raw.githubusercontent.com/mandiant/capa/master/capa/ghidra/capa_explorer.py
@@ -0,0 +1,14 @@
+from enum import Enum
+
+
+class Operation(Enum):
+    PROMPT = "User Prompt."
+    AI_TRIAGE = "AI Triage."
+    EXPLAIN_FUNCTION = "Explain Function."
+    EXPLAIN_SELECTION = "Explain Selection."
+    BETTER_NAME = "Better Name."
+    SIMPLIFY_CODE = "Simplify Code."
+    STACK_STRINGS = "Stack Strings."
+    XORS = "Search XORs."
+    CRYPTO_CONSTS = "Crypto Consts."
+    CAPA_ANALYSIS = "Capa Analysis."
@@ -0,0 +1,87 @@
+import re
+import ghidra
+
+# For type checking
+try:
+    from ghidra.ghidra_builtins import *
+except ImportError:
+    pass
+
+from java.awt import Color
+from ghidra.util.exception import CancelledException
+from ghidra.app.plugin.core.colorizer import ColorizingService
+from ghidra.app.decompiler import DecompInterface
+from ghidra.util.task import ConsoleTaskMonitor
+from ghidra.program.model.data import StringDataType
+from ghidra.program.model.mem import MemoryAccessException
+
+
+def set_ghidra_plate_comment(address, comment):
+    service = state().getTool().getService(ColorizingService)
+
+    listing = currentProgram().getListing()
+    code_unit = listing.getCodeUnitAt(address)
+    code_unit.setComment(code_unit.PLATE_COMMENT, comment)
+    service.setBackgroundColor(address, address, Color(143, 27, 104))
+
+
+def rename_function(old_name, new_name):
+    function_manager = currentProgram().getFunctionManager()
+    core_func_obj = function_manager.getFunctionAt(old_name.getEntryPoint())
+    core_func_obj.setName(new_name, ghidra.program.model.symbol.SourceType.DEFAULT)
+
+
+def recover_stack_string(address):
+    stack_string = ""
+    current_instruction = currentProgram().getListing().getInstructionAt(address)
+    current_address = address
+
+    while current_instruction and current_instruction.getScalar(1):
+        scalar_value = current_instruction.getScalar(1)
+        if not scalar_value:
+            break
+        decimal_value = scalar_value.getValue()
+
+        try:
+            next_instruction = current_instruction.getNext()
+            if decimal_value == 0 and stack_string and next_instruction.getScalar(1).value == 0:
+                return stack_string, str(current_address)
+        except AttributeError:
+            pass
+
+        stack_string_part = ""
+
+        while decimal_value > 0:
+            if decimal_value > 126:
+                try:
+                    hex_str = hex(decimal_value)[2:]
+                    bytes_array = bytes.fromhex(hex_str)
+                    ascii_str = bytes_array.decode()
+                    stack_string_part += ascii_str[::-1]
+                    decimal_value = 0
+                except (ValueError, UnicodeDecodeError):
+                    decimal_value = 0
+            else:
+                stack_string_part += chr(decimal_value & 0xff)
+                decimal_value >>= 8
+
+        stack_string += stack_string_part
+
+        try:
+            next_instruction = current_instruction.getNext()
+            if next_instruction.getScalar(1) is None and next_instruction.getNext().getScalar(1) is not None:
+                current_instruction = next_instruction
+        except AttributeError:
+            pass
+
+        current_instruction = current_instruction.getNext()
+        current_address = current_instruction.getAddress() if current_instruction else current_address
+
+    return stack_string, str(current_address)
+
+
+def print_joe_answer(option, open_ai_response=""):
+    if open_ai_response:
+        print(f"\n[+] AskJOE said: {option}\n{open_ai_response}\n")
+    else:
+        print(f"\n[+] AskJOE said: {option}\n")
@@ -0,0 +1,44 @@
+import configparser
+
+# For type checking
+try:
+    from ghidra.ghidra_builtins import *
+except ImportError:
+    pass
+
+from openai import OpenAI
+from ghidra.app.script import GhidraScriptUtil
+
+import logging
+
+# Suppress INFO messages from httpx
+logging.getLogger('httpx').setLevel(logging.WARNING)
+
+def read_config(section_name, key_name) -> str:
+    ghidra_script = GhidraScriptUtil()
+    config = configparser.ConfigParser()
+    config.read(f'{ghidra_script.USER_SCRIPTS_DIR}/AskJOE/config.ini')
+    return str(config.get(section_name, key_name))
+
+
+def ask_open_ai(prompt, decompiled_function="") -> object:
+    client = OpenAI(api_key=read_config('KEY', 'OPEN_AI'))
+
+    response = client.chat.completions.create(
+        model="gpt-4o",
+        messages=[{"role": "user", "content": f"{prompt}\n{decompiled_function}"}],
+        temperature=0.8,
+        max_tokens=2048,
+        top_p=1,
+        frequency_penalty=0.2,
+        presence_penalty=0
+    )
+
+    return response
+
+
+def parse_open_ai_response(response):
+    try:
+        return response.choices[0].message.content
+    except AttributeError:
+        raise Exception(response.choices[0].message.content)
@@ -0,0 +1,15 @@
+import re
+import struct
+
+
+def pack_constant(const):
+    byte_array = []
+    if const["size"] == "B":
+        byte_array = const["array"]
+    elif const["size"] == "L":
+        for val in const["array"]:
+            byte_array += list(map(lambda x: x if isinstance(x, int) else ord(x), struct.pack("<L", val)))
+    elif const["size"] == "Q":
+        for val in const["array"]:
+            byte_array += list(map(lambda x: x if isinstance(x, int) else ord(x), struct.pack("<Q", val)))
+    return bytes(bytearray(byte_array))
@@ -4,14 +4,22 @@
 AskJoe is a tool that utilizes [OpenAI](https://openai.com/) to assist researchers wanting to use [Ghidra](https://github.com/NationalSecurityAgency/ghidra) as their malware analysis tool. It was based on the [Gepetto](https://github.com/JusticeRage/Gepetto) idea.
 With its capabilities, OpenAI highly simplifies the practice of reverse engineering, allowing researchers to better detect and mitigate threats. 
 
-![AskJOE Running](/imgs/AskJOE-Running.gif "AskJOE Running")
+![AskJOE Running](/imgs/AskJOE-updated-running.gif "AskJOE Running")
 
 The tool is free to use, under the limitations of Github.
 
 Author: https://twitter.com/moval0x1 | Threat Researcher, Security Joes
 
+## Updates - 07/20/2024
+- Ghidrathon added and removed pyhidra
+- Refactored Code
+- AI Triage added
+- Better Name added
+- Search for crypto constants added
+- Mandiant CAPA added
+
 ## Updates - 07/31/2023
-- Search XOR
+- Search XORs
 - Ask User Prompt (To OpenAI)
 
 ## Updates - 05/23/2023
@@ -34,17 +42,31 @@ Author: https://twitter.com/moval0x1 | Threat Researcher, Security Joes
 - Monitor messages added
 
 ## Dependencies
-- Requests: `pip install requests`
+- requests: `pip install requests`
+- flare-capa: `pip install flare-capa`
+- openai: `pip install openai`
 - [Ghidra](https://github.com/NationalSecurityAgency/ghidra)
-- [Pyhidra](https://github.com/dod-cyber-crime-center/pyhidra)
 - [Python3](https://www.python.org/downloads/)
+- [Ghidrathon](https://github.com/mandiant/Ghidrathon)
 
 
 ## Limitations
 > OpenAI has a hard limit of 4096 tokens for each API call, so if your text is longer than that, you'll need to split it up. However, OpenAI currently does not support stateful conversations over multiple API calls, which means it does not remember the previous API call.
 
+> By now, It only supports Linux OS.
 
 ## How to install?
-- Copy the AskJOE files to the ghidra_scripts folder
+Copy the ```AskJOE.py```, ```JOES.png``` and ```AskJOE folder```.
+
+![ghidra_scripts home](/imgs/ghidra_scripts_home.png "ghidra_scripts home")
+
+Within any of the ```ghidra_scripts``` folders.
+
+![ghidra_scripts folders](/imgs/ghidra_scripts_folders.png "ghidra_scripts folders")
+
+## Credits
+Some functions were added in the AskJOE, but we did not create them. Let us give the proper credit.
 
-![ghidra_scripts](/imgs/ghidra_scripts_folder.png "ghidra_scripts")
+- [Stack Strings](https://github.com/reb311ion/replica/blob/fede41b9afd2ef5e33c860ce114e8a24193751ac/replica.py#L560)
+- [Crypto Constants](https://github.com/reb311ion/replica/blob/fede41b9afd2ef5e33c860ce114e8a24193751ac/replica.py#L527)
+- [Capa Explorer](https://github.com/mandiant/capa/blob/master/capa/ghidra/capa_explorer.py)