Reverse Engineering Asked on May 10, 2021
I’m reversing a program and a library without debugging symbols. I’m using x64dbg to break at specific regions and observe what is happening at runtime, and annotate the decompile version in ghidra.
I’m using ret-sync to synchronize horizon between x64dbg and ghidra. However, it’s often addresses and not values that are directly visible in x64dbg, and only the horizon is sync in ghidra, from x64dbg as the program goes on.
I would like to:
see the variables values in ghidra’s decompile window: as the program goes and all the values that were allocated between two datetimes in the execution; how can I do this ? For instance when a pointer change of address I would like to follow the "content" directly, not "caring/focusing first" about/on the address.
in the case of arrays and struct, from the address, how can I have all the values displayed, as if I was debugging from Visual Studio for instance ? (example)
how can I label back the renamed variables in ghidra back in x64dbg ?
It sounds like you are looking for proper debugger integration in Ghidra. This has recently been published to the GitHub repository in the debugger
branch. There is also a good blogpost showcasing it.
Sadly there does not seem to be a x64dbg
backend yet, but I would expect that this will appear as either an official backend or a community plugin at some point in the near future.
Concerning your specific questions and whether they are supported or will likely be supported via this debugger feature in the future:
see the variables values in ghidra's decompile window
I think showing them directly in the decompile window is currently not supported. But showing a list of variables of the current function, globals and maybe specific addresses definitely seems like something that will be supported at some point, or can be written with reasonable effort.
in the case of arrays and struct, from the address, how can I have all the values displayed, as if I was debugging from Visual Studio for instance ?
I am not quite sure what you mean here because I never used debugging with Visual Studio myself. But this seems like a more specific case of the first question to me and will either be supported at some point, or something that can be scripted for a specific purpose easily enough.
how can I label back the renamed variables in ghidra back in x64dbg ?
This might be out of scope for a debugger plugin and would require support on the x64dbg
side. The x64dbg
plugin would need some functionality to receive variable names from Ghidra and apply them. Most likely possible in general, but I do not know if the Debugger Protocol which Ghidra uses supports this notion.
Correct answer by Florian Magin on May 10, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP