@YSaxon
Created September 8, 2022 14:21
notes on decompiling rust programs with ghidra
  • Note that strings in Rust don't have trailing NULs, so Ghidra will tend to run adjacent strings together. You can manually clear such a run with C, then highlight each individual string, right-click and select String.

  • I've also been finding that Ghidra doesn't actually decompile every method, so you may need to manually force it to treat a code section as a function.

  • If you can identify the calls to panic, panic_fmt and similar methods, they will contain a reference to the source file the calling method came from. As a first approximation, you can rename methods by these filenames to give a sense of what is what.

    They might also contain specific error messages, which you can then search for in the code repos of the respective libraries to find the exact method.
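    As an added example (my own, not part of the gist) of why Ghidra runs the strings together and what the panic-site paths give you: Rust passes a string as a pointer plus a length, so literals sit back to back in .rodata with no terminator, and a NUL-scanning string reader merges them. The .rodata slice, its base address and the (address, length) reference list below are constructed; the registry path layout is the one cargo uses for downloaded crates, and the `/rustc/<hash>/library/...` form is how standard-library paths appear.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample .rodata slice, laid out the way rustc emits string
# literals: packed back to back with no NUL terminators. Base address assumed.
RODATA_BASE = 0x140010000
RODATA = (
    b"Hello, world!"
    b"file not found"
    b"src/main.rs"
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/serde-1.0.193/src/de/mod.rs"
    b"/rustc/abcdef0123456789/library/core/src/fmt/mod.rs"
    b"called `Option::unwrap()` on a `None` value"
)

# Constructed (address, length) references: the two halves of the &str fat
# pointer that the instruction pair loading a string before a call such as
# core::panicking::panic_fmt gives away in the disassembly.
STR_REFS: List[Tuple[int, int]] = [
    (RODATA_BASE + 0, 13),
    (RODATA_BASE + 13, 14),
    (RODATA_BASE + 27, 11),
    (RODATA_BASE + 38, 90),
    (RODATA_BASE + 128, 51),
    (RODATA_BASE + 179, 43),
]


def read_nul_terminated(blob: bytes, offset: int) -> bytes:
    """What a C-style string scanner does: read until a NUL byte. With packed
    Rust literals there is no NUL, so everything after `offset` is merged."""
    end = blob.find(b"\x00", offset)
    return blob[offset:] if end == -1 else blob[offset:end]


def carve_by_refs(blob: bytes, base: int, refs: List[Tuple[int, int]]) -> Dict[int, str]:
    """Recover each literal from its (address, length) reference instead of
    from a terminator. &str is guaranteed UTF-8, so decoding is strict."""
    out: Dict[int, str] = {}
    for addr, length in refs:
        off = addr - base
        if off < 0 or off + length > len(blob):
            raise ValueError(f"reference {addr:#x}+{length} is outside the blob")
        out[addr] = blob[off:off + length].decode("utf-8")
    return out


# Crate name and version out of a cargo registry path; crate names may contain
# hyphens, so the name is matched non-greedily up to the "-<semver>" suffix.
CARGO_REGISTRY_RE = re.compile(
    r"registry/src/[^/]+/(?P<crate>[A-Za-z0-9_-]+?)-(?P<version>\d+\.\d+\.\d+[^/]*)/"
)
RUSTC_STD_RE = re.compile(r"^/rustc/[0-9a-f]+/library/(?P<crate>[^/]+)/")


def classify(s: str) -> Tuple[str, str, Optional[str]]:
    """Sort a carved string into (kind, name, version) so panic-site paths can
    be turned into function labels and a dependency list."""
    m = CARGO_REGISTRY_RE.search(s)
    if m:
        return ("crate", m.group("crate"), m.group("version"))
    m = RUSTC_STD_RE.match(s)
    if m:
        return ("std", m.group("crate"), None)
    if s.endswith(".rs"):
        return ("local-source", s, None)
    return ("message", s, None)


def crates_used(strings: Dict[int, str]) -> Dict[str, str]:
    """Dependency crates (name -> version) seen in panic location paths."""
    found: Dict[str, str] = {}
    for s in strings.values():
        kind, name, version = classify(s)
        if kind == "crate" and version is not None:
            found[name] = version
    return found


if __name__ == "__main__":
    print("NUL scan from offset 0 ->", read_nul_terminated(RODATA, 0)[:40], "...")
    carved = carve_by_refs(RODATA, RODATA_BASE, STR_REFS)
    for addr, s in carved.items():
        print(f"{addr:#x} {classify(s)}")
    print("crates:", crates_used(carved))
```

    The `message` category is the one to grep for in the crate's repository, as the note above suggests; the `crate` and `std` categories give the file name for a provisional function label and, collected over the whole binary, a dependency list to compile against.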

  • Extract the names of the Rust libraries used in the program with https://github.com/BinaryDefense/GhidraRustDependenciesExtractor, then compile those libraries yourself in a similar dev environment, but make sure to specify in the Cargo.toml file

    [profile.dev]
    opt-level = 3
    

    Then compile it for dev (just omit the release flag) so that it generates a PDB file, and open that in Ghidra. Ideally you can then export Function ID databases, but even if that doesn't fully work consistently (still a WIP for me), you can copy some code bytes from a relevant function in the program you are decompiling and then search your dev-compiled version for that instruction pattern.
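    As an added example (my own, not from the gist or from Ghidra) of the byte-pattern matching step: the bytes copied from the target will rarely match the dev build exactly, because every CALL rel32 and every RIP-relative LEA (the instruction that loads a string's address) carries a displacement that depends on where things landed in that build. The helper below wildcards those displacements and searches a byte image for the result. The two x86-64 byte sequences and the image are constructed; the `??` wildcard syntax is this example's own, and the displacement detection is a heuristic for the sample (it trusts that every 0xE8 starts a CALL), not a real decoder.

```python
from typing import List, Optional

# Constructed: bytes copied from a function in the target binary.
#   55                     push rbp
#   48 89 e5               mov  rbp, rsp
#   48 8d 3d 21 43 00 00   lea  rdi, [rip+0x4321]   ; &str pointer
#   be 0d 00 00 00         mov  esi, 13             ; &str length
#   e8 11 22 33 44         call <helper>
#   5d                     pop  rbp
#   c3                     ret
TARGET_FUNC = bytes.fromhex(
    "55 48 89 e5 48 8d 3d 21 43 00 00 be 0d 00 00 00 e8 11 22 33 44 5d c3"
)

# Constructed: the same function as the dev build emitted it, with different
# displacements, embedded at offset 19 of a larger image.
DEV_FUNC = bytes.fromhex(
    "55 48 89 e5 48 8d 3d 78 56 00 00 be 0d 00 00 00 e8 aa bb cc dd 5d c3"
)
DEV_IMAGE = b"\xcc" * 19 + DEV_FUNC + b"\xcc" * 5


def parse_pattern(pattern: str) -> List[Optional[int]]:
    """Turn 'e8 ?? ?? ?? ?? 5d' into a list where None is a wildcard byte."""
    out: List[Optional[int]] = []
    for tok in pattern.split():
        if tok == "??":
            out.append(None)
        elif len(tok) == 2:
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad pattern token {tok!r}")
    return out


def find_all(haystack: bytes, pattern: List[Optional[int]]) -> List[int]:
    """Offsets of every position where the masked pattern matches."""
    n = len(pattern)
    return [
        i
        for i in range(len(haystack) - n + 1)
        if all(p is None or haystack[i + j] == p for j, p in enumerate(pattern))
    ]


def mask_pc_relative(code: bytes) -> str:
    """Wildcard the 4-byte displacement of CALL rel32 (E8) and of RIP-relative
    LEA (REX.W 8D with ModRM mod=00, rm=101). Heuristic: assumes x86-64 and
    that these byte values start instructions; use the listing's operand
    boundaries for real code."""
    toks: List[str] = []
    i = 0
    while i < len(code):
        b = code[i]
        if b == 0xE8 and i + 5 <= len(code):
            toks.append("e8")
            toks.extend(["??"] * 4)
            i += 5
        elif (
            b in (0x48, 0x4C)
            and i + 7 <= len(code)
            and code[i + 1] == 0x8D
            and (code[i + 2] & 0xC7) == 0x05
        ):
            toks.extend(f"{x:02x}" for x in code[i:i + 3])
            toks.extend(["??"] * 4)
            i += 7
        else:
            toks.append(f"{b:02x}")
            i += 1
    return " ".join(toks)


def locate_in_dev_build(target: bytes, image: bytes) -> List[int]:
    """Full workflow: copy bytes from the target, mask, search the dev build."""
    return find_all(image, parse_pattern(mask_pc_relative(target)))


if __name__ == "__main__":
    exact = find_all(DEV_IMAGE, parse_pattern(TARGET_FUNC.hex(" ")))
    print("exact bytes found at:", exact)
    print("masked pattern:", mask_pc_relative(TARGET_FUNC))
    print("masked pattern found at:", locate_in_dev_build(TARGET_FUNC, DEV_IMAGE))
```

    Once a hit is found, the matching dev-build address has a PDB symbol attached, which is the name to carry back to the unnamed function in the target.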
