Mark PLT Functions as Thunks #19

Open
misson20000 opened this issue Sep 25, 2020 · 4 comments · May be fixed by #60
Comments

@misson20000

When PLT entries are processed, symbols are created for each entry, and usually analysis automatically determines these to be functions, but it does not mark them as thunks to their actual implementations. Marking thunk functions improves navigation and makes it easier to (ab)use version tracking to apply sdk markup to sysmodules, since otherwise it can get confused by the sdk's use of dynamic binding compared to the sysmodule's use of static binding (implied matches fail, and the name-based correlators produce multiple matches).

```java
// Loader loop that names each PLT stub after the GOT entry it jumps through.
// A symbol is created, but nothing records the stub as a thunk of its target.
for (PltEntry entry : this.pltEntries)
{
    if (gotNameLookup.containsKey(entry.target))
    {
        long addr = this.nxo.getBaseAddress() + entry.off;
        String name = gotNameLookup.get(entry.target);
        // TODO: Mark as func
        if (name != null && !name.isEmpty())
        {
            this.createSymbol(this.aSpace.getAddress(addr), name, false, false, null);
        }
    }
}
```

@misson20000
Author

Actually, it seems that there is already an existing analyzer that is supposed to do this automatically, but if the .plt section isn't already disassembled it will fail because the SymbolicPropogator won't be able to fetch instructions.

@fkelava

fkelava commented Jan 29, 2024

Hello,

I'm reviving this issue as it is causing a few issues for me at present.

Normally, an AARCH64 ELF would have its .plt and .got sections disassembled at import time, which is a prerequisite for Ghidra's built-in AARCH64 ELF PLT Thunks analyzer to work. The Switch loader does not seem to apply this behavior to NROs, which means no function in the .plt section is marked as a thunk. For large binaries, fixing this by hand is slightly prohibitive.

It also somewhat breaks the BSim workflow introduced in Ghidra 11, making function comparisons between Switch and PC versions of games more difficult.

Could this be looked into? I don't mind giving it a go myself if you can point me in the right direction.

@TSRBerry
Contributor

> Normally, an AARCH64 ELF would have its .plt and .got sections disassembled at import time, which is a prerequisite for Ghidra's built-in AARCH64 ELF PLT Thunks analyzer to work.

Oh I see, I didn't know about this.

> I don't mind giving it a go myself if you can point me in the right direction.

I'm currently short on time, so I won't be looking into this for a bit.
.plt sections are dealt with here:

```java
protected void setupRelocations() throws AddressOutOfBoundsException, NotFoundException, IOException {
```

If you need to get a pointer for something specific, let me know.

@fkelava

fkelava commented Feb 18, 2024

I've found a way around this. Clearing the entire .plt section, including functions, then disassembling, then re-running AARCH64 ELF PLT Thunks properly marks them as thunks.

It's a good enough workaround for my needs.
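The workaround described in the comment above (clear the whole .plt section including its functions, disassemble it, then let the AARCH64 ELF PLT Thunks analyzer run again) can be scripted, and the same script can report which stubs from the loader's `createSymbol` loop in the first comment still lack a thunk target. The GhidraScript below is an added example; it is not code from Ghidra-Switch-Loader, from Ghidra, or from anyone in this thread. It assumes the program has a memory block named `.plt`, that the AARCH64 ELF PLT Thunks analyzer is enabled in the program's analysis options so that `analyzeChanges` picks the new instructions up, and, for the name-based fallback in step 4, that each stub carries the name of the import it resolves (which is what the loader loop gives it). The class name `RethunkPltScript` and the helper `findImportByName` are this example's own.

```java
// Added example script (not part of Ghidra-Switch-Loader): automates the
// clear / disassemble / re-analyze workaround for .plt and reports stubs that
// are still not thunks, falling back to a name match for those.
import ghidra.app.cmd.disassemble.DisassembleCommand;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.AddressSet;
import ghidra.program.model.listing.Function;
import ghidra.program.model.mem.MemoryBlock;
import ghidra.program.model.symbol.Symbol;
import ghidra.program.model.symbol.SymbolIterator;
import ghidra.program.model.symbol.SymbolType;

import java.util.ArrayList;
import java.util.List;

public class RethunkPltScript extends GhidraScript {

    @Override
    protected void run() throws Exception {
        MemoryBlock plt = getMemoryBlock(".plt");   // assumption: block is named .plt
        if (plt == null) {
            printerr("No .plt memory block in this program");
            return;
        }
        AddressSet pltSet = new AddressSet(plt.getStart(), plt.getEnd());

        // Step 1: drop every function in .plt, then clear the code units. The
        // labels the loader created at each stub are left in place.
        List<Function> stale = new ArrayList<>();
        for (Function f : currentProgram.getFunctionManager().getFunctions(pltSet, true)) {
            stale.add(f);
        }
        for (Function f : stale) {
            removeFunction(f);
        }
        clearListing(plt.getStart(), plt.getEnd());

        // Step 2: disassemble the whole section, the same way "Disassemble" on a
        // selection does in the GUI, so every stub's adrp/ldr/add/br sequence exists.
        DisassembleCommand cmd = new DisassembleCommand(pltSet, null, true);
        if (!cmd.applyTo(currentProgram, monitor)) {
            printerr("Disassembly of .plt failed: " + cmd.getStatusMsg());
            return;
        }

        // Step 3: re-run auto-analysis on the changed range; with the AARCH64 ELF
        // PLT Thunks analyzer enabled this is what marks the stubs as thunks.
        analyzeChanges(currentProgram);

        // Step 4: audit the result and patch up anything the analyzer missed.
        int thunks = 0, fixed = 0, unresolved = 0;
        for (Function f : currentProgram.getFunctionManager().getFunctions(pltSet, true)) {
            if (f.isThunk()) {
                thunks++;
                continue;
            }
            Function target = findImportByName(f.getName(), plt);
            if (target != null) {
                f.setThunkedFunction(target);
                fixed++;
            } else {
                unresolved++;
                println("still not a thunk: " + f.getName() + " @ " + f.getEntryPoint());
            }
        }
        println("PLT thunks: " + thunks + " by analyzer, " + fixed + " by name, "
            + unresolved + " unresolved");
    }

    // Name-based fallback (an assumption of this example, not a Ghidra feature):
    // the loader names each stub after the import it resolves, so a function
    // symbol of the same name outside .plt is taken to be the thunk target.
    private Function findImportByName(String name, MemoryBlock plt) {
        SymbolIterator it = currentProgram.getSymbolTable().getSymbols(name);
        while (it.hasNext()) {
            Symbol s = it.next();
            if (s.getSymbolType() != SymbolType.FUNCTION || plt.contains(s.getAddress())) {
                continue;
            }
            Function f = getFunctionAt(s.getAddress());
            if (f != null) {
                return f;
            }
        }
        return null;
    }
}
```

Run it from the Script Manager on an imported NRO; the final line of output tells you how many stubs the analyzer handled, how many needed the name match, and which ones are still plain functions and need a look by hand. The name match is deliberately last: it only applies to stubs the analyzer left untouched, so it cannot override a thunk target that was derived from the actual GOT load.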

@TSRBerry TSRBerry linked a pull request Oct 17, 2024 that will close this issue