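├── GBA ├── KongBruteForce.java ├── MakeFunctionsScriptGBA.java └── kong-passwords.txt ├── LINKS.md ├── PPC └── MakeFunctionsScriptPPC.java └── README.md
/GBA/KongBruteForce.java:
--------------------------------------------------------------------------------
//PCode emulation script to brute force possible password combinations for Kong: King of Atlantis on the Game Boy Advance
//@author wrongbaud
//@category
//@keybinding
//@menupath
//@toolbar

// Pulled from the example scripts in the included script manager

import ghidra.app.script.GhidraScript;

import java.io.BufferedWriter;
import java.io.FileWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Arrays;
import java.util.List;

import ghidra.app.emulator.*;
import ghidra.app.emulator.EmulatorHelper;
import ghidra.app.util.opinion.ElfLoader;
import ghidra.pcode.emulate.EmulateExecutionState;
import ghidra.program.model.address.Address;
import ghidra.program.model.lang.Register;
import ghidra.program.model.listing.Instruction;
import ghidra.program.model.listing.Program;
import ghidra.program.model.symbol.*;
import ghidra.util.Msg;
import ghidra.util.exception.NotFoundException;
import ghidra.program.model.symbol.SymbolUtilities;
import java.util.function.Predicate;

/**
 * Drives the Ghidra p-code emulator over {@code check_password_1} for every 7-position
 * candidate drawn from a 7-symbol alphabet and appends each accepted candidate to a text file.
 * State captured from a debugging session (registers, stack) is replayed before each run so the
 * routine sees the same environment it would in the game.
 */
public class KongBruteForce extends GhidraScript {

    /** Symbol alphabet of the in-game password entry; candidate values are 1-based indices into it. */
    private static final char[] PASSWD_CHARS = {'B', 'D', 'F', 'G', 'J', 'L', 'M'};

    /** Formatter is thread-safe and reusable, so it is built once. */
    private static final DateTimeFormatter TIMESTAMP = DateTimeFormatter.ofPattern("yyyy/MM/dd HH:mm:ss");

    // Originally the fixed path /home/wrongbaud/kong-passwords.txt; resolving against user.home gives
    // the same location for that account and a working location for anyone else running the script.
    private static final Path OUTPUT_FILE = Paths.get(System.getProperty("user.home"), "kong-passwords.txt");

    private EmulatorHelper emuHelper;
    private Address mainFunctionEntry;
    private Address returnAddress;
    // Open only for the duration of run(); passwd_crack writes hits through it
    BufferedWriter bw;

    /** Converts a raw offset into an address in the program's default address space. */
    private Address getAddress(long offset) {
        return currentProgram.getAddressFactory().getDefaultAddressSpace().getAddress(offset);
    }

    /**
     * Enumerates every k-tuple over the alphabet {@code a} (n^k candidates, position 0 varying
     * fastest) and hands each one to {@link #passwd_crack(byte[])}.
     *
     * @param a alphabet of values to draw from
     * @param k number of positions to fill, 1..a.length
     * @throws IllegalArgumentException if k is outside 1..a.length
     */
    private void permute(byte[] a, int k) {
        int n = a.length;
        if (k < 1 || k > n) {
            throw new IllegalArgumentException("Illegal number of positions.");
        }

        int[] indexes = new int[n];
        long total = (long) Math.pow(n, k);
        // passwd_crack always reads 7 positions, so keep at least 7 slots; slots beyond k stay 1
        // (the value the original fixed-size array carried)
        byte[] passTest = new byte[Math.max(k, 7)];
        Arrays.fill(passTest, (byte) 1);
        while (total-- > 0) {
            // Stop the sweep promptly instead of spinning through the remaining candidates after a cancel
            if (monitor.isCancelled()) {
                return;
            }
            for (int i = 0; i < k; i++) {
                passTest[i] = a[indexes[i]];
            }
            try {
                passwd_crack(passTest);
            } catch (Exception e) {
                // One failing candidate should not abort the whole sweep; log it with its cause and go on
                Msg.error(this, "passwd_crack failed for candidate " + Arrays.toString(passTest), e);
            }

            // Odometer increment over the index vector, least-significant position first
            for (int i = 0; i < n; i++) {
                if (indexes[i] >= n - 1) {
                    indexes[i] = 0;
                } else {
                    indexes[i]++;
                    break;
                }
            }
        }
    }

    /**
     * Emulates {@code check_password_1} once with the given candidate and records the candidate
     * to the output file when the routine returns 1 in r0.
     *
     * @param passwdVals candidate values; indices 0..6 are read, each expected in 1..7
     * @throws Exception if the symbol cannot be resolved, the emulator rejects the initial state,
     *         or writing the output file fails
     */
    public void passwd_crack(byte[] passwdVals) throws Exception {
        returnAddress = getAddress(0x82cccba);
        mainFunctionEntry = getSymbolAddress("check_password_1");
        // Obtain entry instruction in order to establish initial processor context
        Instruction entryInstr = getInstructionAt(mainFunctionEntry);
        // Instantiate our emulator helper
        emuHelper = new EmulatorHelper(currentProgram);
        // Everything after construction runs under try/finally so the helper is disposed even when
        // register or stack setup throws (previously those calls sat outside the try and could leak it)
        try {
            setupGbaMemory(passwdVals);
            emuHelper.writeRegister(emuHelper.getPCRegister(), mainFunctionEntry.getOffset());
            emuHelper.setBreakpoint(returnAddress);
            // Execution loop until return from function or error occurs
            while (!monitor.isCancelled()) {
                emuHelper.run(mainFunctionEntry, entryInstr, monitor);
                Address executionAddress = emuHelper.getExecutionAddress();
                if (monitor.isCancelled()) {
                    println("Emulation cancelled");
                    return;
                }
                if (executionAddress.equals(returnAddress)) {
                    byte retVal = emuHelper.readRegister("r0").byteValue();
                    if (retVal == 1) {
                        String password = decodePassword(passwdVals);
                        println("Valid password found with password Vals: " + Arrays.toString(passwdVals) + "Password: " + password);
                        bw.write(password);
                        bw.newLine();
                        // Flush each hit: a long sweep that is cancelled or crashes later would
                        // otherwise lose everything still sitting in the buffer
                        bw.flush();
                    }
                    return;
                }
                // Stopped somewhere other than the return breakpoint; if the emulator reports an
                // error, give up on this candidate rather than re-entering the loop
                String lastError = emuHelper.getLastError();
                if (lastError != null) {
                    printerr("Emulation error at " + executionAddress + ": " + lastError);
                    return;
                }
            }
        } finally {
            emuHelper.dispose();
        }
    }

    /** Maps the first seven 1-based candidate values onto {@link #PASSWD_CHARS}, e.g. all 1s -> "BBBBBBB". */
    private static String decodePassword(byte[] passwdVals) {
        StringBuilder sb = new StringBuilder(7);
        for (int x = 0; x < 7; x++) {
            sb.append(PASSWD_CHARS[passwdVals[x] - 1]);
        }
        return sb.toString();
    }

    /**
     * Script entry point: opens the output file for appending, sweeps all 7^7 candidates and
     * prints start/end timestamps.
     *
     * @throws Exception if the output file cannot be opened or the sweep fails
     */
    @Override
    protected void run() throws Exception {
        println("Kong Emulation Script Starting...");
        println(TIMESTAMP.format(LocalDateTime.now()));
        // try-with-resources replaces the bare close(): the file is closed, and buffered hits written,
        // even when permute() throws or the script is cancelled
        try (BufferedWriter out = Files.newBufferedWriter(OUTPUT_FILE, StandardCharsets.UTF_8,
                StandardOpenOption.CREATE, StandardOpenOption.APPEND)) {
            bw = out;
            byte[] chars = {1, 2, 3, 4, 5, 6, 7};
            permute(chars, 7);
        } finally {
            bw = null;
        }
        println("Kong Emulation Script Ending...");
        println(TIMESTAMP.format(LocalDateTime.now()));
    }

    /**
     * Replays the register and stack state captured at the entry of {@code check_password_1}
     * (dump below) and places the candidate: r0-r3 carry values 0-3, values 4-6 go on the stack
     * at sp+0, sp+4, sp+8.
     *
     * @param passwdVals candidate values; indices 0..6 are read
     * @throws Exception if the emulator rejects a register or stack write; this now propagates
     *         instead of being printed and ignored, so the routine is never emulated with a
     *         half-initialised state
     */
    private void setupGbaMemory(byte[] passwdVals) throws Exception {
        emuHelper.writeRegister(emuHelper.getStackPointerRegister(), 0x3007bc0);
        /*
         *
         r4 0x4 4
         r5 0x30027e0 50341856
         r6 0x30027e8 50341864
         r7 0x3004654 50349652
         r8 0x0 0
         r9 0x7 7
         r10 0x3004653 50349651
         r11 0x0 0
         r12 0x264 612
         sp 0x3007bc0 0x3007bc0
         lr 0x82caaff 137145087
         pc 0x82cc970 0x82cc970
         cpsr 0x6000003f 1610612799
         */
        emuHelper.writeRegister("r0", passwdVals[0]);
        emuHelper.writeRegister("r1", passwdVals[1]);
        emuHelper.writeRegister("r2", passwdVals[2]);
        emuHelper.writeRegister("r3", passwdVals[3]);
        emuHelper.writeRegister("r4", 4);
        emuHelper.writeRegister("r5", 0x30027e0);
        emuHelper.writeRegister("r6", 0x30027e8);
        emuHelper.writeRegister("r7", 0x3004654);
        emuHelper.writeRegister("r8", 0x0);
        emuHelper.writeRegister("r9", 0x7);
        emuHelper.writeRegister("r10", 0x3004653);
        emuHelper.writeRegister("r11", 0x0);
        emuHelper.writeRegister("r12", 0x264);
        emuHelper.writeRegister("sp", 0x3007bc0);
        emuHelper.writeRegister("lr", 0x82caaff);
        emuHelper.writeRegister("cpsr", 0x6000003f);
        emuHelper.writeRegister("CY", 0);
        // Remaining three candidate values are passed on the stack, 4 bytes each
        emuHelper.writeStackValue(0, 4, passwdVals[4]);
        emuHelper.writeStackValue(4, 4, passwdVals[5]);
        emuHelper.writeStackValue(8, 4, passwdVals[6]);
    }

    /**
     * Resolves a label or function name in the current program to its address.
     *
     * @param symbolName name to look up
     * @return the symbol's address
     * @throws NotFoundException if no label or function of that name exists
     */
    private Address getSymbolAddress(String symbolName) throws NotFoundException {
        Symbol symbol = SymbolUtilities.getLabelOrFunctionSymbol(currentProgram, symbolName,
            err -> Msg.error(this, err));
        if (symbol != null) {
            return symbol.getAddress();
        }
        throw new NotFoundException("Failed to locate label: " + symbolName);
    }

}

--------------------------------------------------------------------------------
/GBA/MakeFunctionsScriptGBA.java:
--------------------------------------------------------------------------------
/* ###
 * IP: GHIDRA
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.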
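 */
// Script to ask user for a byte sequence that is a common function start
// make functions at those locations
// if code has only one block it asks the user where the data block is and splits the program into
// code and data blocks
//@category Functions

import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.address.AddressSetView;
import ghidra.program.model.listing.Function;
import ghidra.program.model.mem.Memory;
import ghidra.program.model.mem.MemoryBlock;
import ghidra.app.cmd.disassemble.*;

/**
 * Creates functions in a GBA ROM by searching user-chosen memory regions for the two-byte Thumb
 * prologue pattern {@code xx B5} ({@code push {..., lr}}) and disassembling each hit as Thumb.
 */
public class MakeFunctionsScriptGBA extends GhidraScript {

    /**
     * Scans [start, end] for every occurrence of {@code inst_sequence} that is not already inside a
     * function, disassembles it as Thumb code and creates a function there.
     *
     * @param start first address to search (inclusive); the caller's variable is not modified
     * @param end last address to search (inclusive)
     * @param inst_sequence byte pattern expected at a function entry
     * @return number of functions created
     */
    public int getFunctions(Address start, Address end, byte[] inst_sequence) {
        int funcCount = 0;
        // Let the user know which byte sequence we are looking for.
        print("Searchig for byte sequence: ");
        for (byte b : inst_sequence) {
            print(String.format("%02X", b));
        }
        println("");

        // Get the memory space for the current program that we are analyzing.
        Memory memory = currentProgram.getMemory();
        while (!monitor.isCancelled() && start.compareTo(end) <= 0) {
            // Search the memory region that we provided for our byte sequence
            Address found = memory.findBytes(start, end, inst_sequence, null, true, monitor);
            if (found == null) {
                // Nothing (more) in the range, time to bail
                break;
            }
            if (getFunctionContaining(found) == null) {
                // GBA code here is Thumb, so use the ARM disassembler with thumbMode=true
                // (the earlier PowerPCDisassembleCommand did not match this script's target)
                ArmDisassembleCommand cmd = new ArmDisassembleCommand(found, null, true);
                cmd.applyTo(currentProgram);
                AddressSetView disassembled = cmd.getDisassembledAddressSet();
                // An empty set means nothing decoded at this address; treat it like null
                if (disassembled != null && !disassembled.isEmpty()) {
                    // Code was properly disassembled, create a function!
                    Function func = createFunction(found, null);
                    if (func != null) {
                        println("Made function at address: " + found.toString());
                        // Skip past the new function's body and keep searching; the 'break' that
                        // used to sit here ended the whole scan after the first function
                        start = found.add(func.getBody().getNumAddresses());
                        funcCount++;
                        continue;
                    }
                }
            }
            // Thumb instructions are 2 bytes: step to the next halfword
            start = found.add(2);
        }
        return funcCount;
    }

    /**
     * Asks the user how many regions to scan and then a start/end address for each.
     *
     * @return pairs laid out as [start0, end0, start1, end1, ...]
     * @throws IllegalArgumentException if the region count is negative
     * @throws Exception if the user cancels a prompt
     */
    public Address[] getBlockInfo() throws Exception {
        int regionCount = askInt("Get Num of Regions", "How many different memory regions would you like to analyze?");
        if (regionCount < 0) {
            throw new IllegalArgumentException("Region count must not be negative, got " + regionCount);
        }
        Address[] blocks = new Address[regionCount * 2];
        // Bound on blocks.length, not regionCount: with the latter every region after the first was
        // left null and the scan failed on start.compareTo(end)
        for (int x = 0; x < blocks.length; x += 2) {
            Address startAddress = askAddress("Get Start Address", "Please enter the starting address of the region you wish to analyze");
            Address endAddress = askAddress("Get End Address", "Please enter the end address for the region you wish to analyze");
            blocks[x] = startAddress;
            blocks[x + 1] = endAddress;
        }
        return blocks;
    }

    /**
     * Script entry point: tries every first byte 0x00..0xFF in front of 0xB5 against each
     * user-chosen region and reports how many functions were made.
     *
     * @throws Exception if a prompt is cancelled
     */
    @Override
    public void run() throws Exception {
        println("GBA Function Generation");
        int foundCount = 0;
        byte[] inst_bytes = new byte[] {0x00, (byte) 0xB5};
        Address[] addrBlocks = getBlockInfo();
        // Inclusive upper bound so the 0xFF B5 pattern is searched too
        for (int inst_byte = 0; inst_byte <= 0xFF; inst_byte++) {
            inst_bytes[0] = (byte) inst_byte;
            for (int x = 0; x < addrBlocks.length; x += 2) {
                foundCount += getFunctions(addrBlocks[x], addrBlocks[x + 1], inst_bytes);
            }
        }
        println("Made " + foundCount + " functions");
    }

}

--------------------------------------------------------------------------------
/GBA/kong-passwords.txt: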
-------------------------------------------------------------------------------- 1 | GMJMDBB 2 | GLJMFBB 3 | GJJMGBB 4 | GGJMJBB 5 | GFJMLBB 6 | GDJMMBB 7 | JMMJBDB 8 | JLMJDDB 9 | GMLMDDB 10 | JJMJFDB 11 | GLLMFDB 12 | JGMJGDB 13 | GJLMGDB 14 | JFMJJDB 15 | GGLMJDB 16 | JDMJLDB 17 | GFLMLDB 18 | JBMJMDB 19 | GDLMMDB 20 | JMLJBFB 21 | JLLJDFB 22 | GMMMDFB 23 | JJLJFFB 24 | GLMMFFB 25 | JGLJGFB 26 | GJMMGFB 27 | JFLJJFB 28 | GGMMJFB 29 | JDLJLFB 30 | GFMMLFB 31 | JBLJMFB 32 | GDMMMFB 33 | JMJJBGB 34 | JLJJDGB 35 | JJJJFGB 36 | JGJJGGB 37 | JFJJJGB 38 | JDJJLGB 39 | JBJJMGB 40 | JMGJBJB 41 | JLGJDJB 42 | BMBMDJB 43 | JJGJFJB 44 | BLBMFJB 45 | JGGJGJB 46 | BJBMGJB 47 | JFGJJJB 48 | BGBMJJB 49 | JDGJLJB 50 | BFBMLJB 51 | JBGJMJB 52 | BDBMMJB 53 | JMFJBLB 54 | JLFJDLB 55 | BMDMDLB 56 | JJFJFLB 57 | BLDMFLB 58 | JGFJGLB 59 | BJDMGLB 60 | JFFJJLB 61 | BGDMJLB 62 | JDFJLLB 63 | BFDMLLB 64 | JBFJMLB 65 | BDDMMLB 66 | JMDJBMB 67 | JLDJDMB 68 | BMFMDMB 69 | JJDJFMB 70 | BLFMFMB 71 | JGDJGMB 72 | BJFMGMB 73 | JFDJJMB 74 | BGFMJMB 75 | JDDJLMB 76 | BFFMLMB 77 | JBDJMMB 78 | BDFMMMB 79 | FJMMBBD 80 | GMJLDBD 81 | FLMMDBD 82 | GLJLFBD 83 | FMMMFBD 84 | GJJLGBD 85 | GGJLJBD 86 | MMBMJBD 87 | LBMMJBD 88 | GFJLLBD 89 | MMDMLBD 90 | LDMMLBD 91 | GDJLMBD 92 | MMFMMBD 93 | LFMMMBD 94 | JMMLBDD 95 | FJLMBDD 96 | GMLLDDD 97 | JLMLDDD 98 | FLLMDDD 99 | GLLLFDD 100 | JJMLFDD 101 | FMLMFDD 102 | GJLLGDD 103 | JGMLGDD 104 | MMBLJDD 105 | GGLLJDD 106 | JFMLJDD 107 | LBLMJDD 108 | MMDLLDD 109 | GFLLLDD 110 | JDMLLDD 111 | LDLMLDD 112 | MMFLMDD 113 | GDLLMDD 114 | JBMLMDD 115 | LFLMMDD 116 | JMLLBFD 117 | FJJMBFD 118 | JLLLDFD 119 | GMMLDFD 120 | FLJMDFD 121 | JJLLFFD 122 | GLMLFFD 123 | FMJMFFD 124 | JGLLGFD 125 | GJMLGFD 126 | MMBJJFD 127 | JFLLJFD 128 | GGMLJFD 129 | LBJMJFD 130 | MMDJLFD 131 | JDLLLFD 132 | GFMLLFD 133 | LDJMLFD 134 | MMFJMFD 135 | JBLLMFD 136 | GDMLMFD 137 | LFJMMFD 138 | JMJLBGD 139 | FJGMBGD 140 | JLJLDGD 141 | FLGMDGD 142 | JJJLFGD 143 | FMGMFGD 144 | JGJLGGD 145 | 
MMBGJGD 146 | JFJLJGD 147 | LBGMJGD 148 | MMDGLGD 149 | JDJLLGD 150 | LDGMLGD 151 | MMFGMGD 152 | JBJLMGD 153 | LFGMMGD 154 | JMGLBJD 155 | FJFMBJD 156 | BMBLDJD 157 | JLGLDJD 158 | FLFMDJD 159 | BLBLFJD 160 | JJGLFJD 161 | FMFMFJD 162 | BJBLGJD 163 | JGGLGJD 164 | MMBFJJD 165 | BGBLJJD 166 | JFGLJJD 167 | LBFMJJD 168 | MMDFLJD 169 | BFBLLJD 170 | JDGLLJD 171 | LDFMLJD 172 | MMFFMJD 173 | BDBLMJD 174 | JBGLMJD 175 | LFFMMJD 176 | JMFLBLD 177 | FJDMBLD 178 | BMDLDLD 179 | JLFLDLD 180 | FLDMDLD 181 | BLDLFLD 182 | JJFLFLD 183 | FMDMFLD 184 | BJDLGLD 185 | JGFLGLD 186 | MMBDJLD 187 | BGDLJLD 188 | JFFLJLD 189 | LBDMJLD 190 | MMDDLLD 191 | BFDLLLD 192 | JDFLLLD 193 | LDDMLLD 194 | MMFDMLD 195 | BDDLMLD 196 | JBFLMLD 197 | LFDMMLD 198 | JMDLBMD 199 | FJBMBMD 200 | JLDLDMD 201 | BMFLDMD 202 | FLBMDMD 203 | JJDLFMD 204 | BLFLFMD 205 | FMBMFMD 206 | JGDLGMD 207 | BJFLGMD 208 | MMBBJMD 209 | JFDLJMD 210 | BGFLJMD 211 | LBBMJMD 212 | MMDBLMD 213 | JDDLLMD 214 | BFFLLMD 215 | LDBMLMD 216 | MMFBMMD 217 | JBDLMMD 218 | BDFLMMD 219 | LFBMMMD 220 | FJMLBBF 221 | GMJJDBF 222 | FLMLDBF 223 | GLJJFBF 224 | FMMLFBF 225 | GJJJGBF 226 | GGJJJBF 227 | LBMLJBF 228 | MLBMJBF 229 | GFJJLBF 230 | LDMLLBF 231 | MLDMLBF 232 | GDJJMBF 233 | LFMLMBF 234 | MLFMMBF 235 | FJLLBDF 236 | JMMMBDF 237 | GMLJDDF 238 | FLLLDDF 239 | JLMMDDF 240 | GLLJFDF 241 | FMLLFDF 242 | JJMMFDF 243 | GJLJGDF 244 | JGMMGDF 245 | GGLJJDF 246 | MLBLJDF 247 | LBLLJDF 248 | JFMMJDF 249 | GFLJLDF 250 | MLDLLDF 251 | LDLLLDF 252 | JDMMLDF 253 | GDLJMDF 254 | MLFLMDF 255 | LFLLMDF 256 | JBMMMDF 257 | FJJLBFF 258 | JMLMBFF 259 | GMMJDFF 260 | FLJLDFF 261 | JLLMDFF 262 | GLMJFFF 263 | FMJLFFF 264 | JJLMFFF 265 | GJMJGFF 266 | JGLMGFF 267 | MLBJJFF 268 | GGMJJFF 269 | LBJLJFF 270 | JFLMJFF 271 | MLDJLFF 272 | GFMJLFF 273 | LDJLLFF 274 | JDLMLFF 275 | MLFJMFF 276 | GDMJMFF 277 | LFJLMFF 278 | JBLMMFF 279 | FJGLBGF 280 | JMJMBGF 281 | FLGLDGF 282 | JLJMDGF 283 | FMGLFGF 284 | JJJMFGF 285 | JGJMGGF 286 | MLBGJGF 287 | LBGLJGF 288 
| JFJMJGF 289 | MLDGLGF 290 | LDGLLGF 291 | JDJMLGF 292 | MLFGMGF 293 | LFGLMGF 294 | JBJMMGF 295 | FJFLBJF 296 | JMGMBJF 297 | BMBJDJF 298 | FLFLDJF 299 | JLGMDJF 300 | BLBJFJF 301 | FMFLFJF 302 | JJGMFJF 303 | BJBJGJF 304 | JGGMGJF 305 | MLBFJJF 306 | BGBJJJF 307 | LBFLJJF 308 | JFGMJJF 309 | MLDFLJF 310 | BFBJLJF 311 | LDFLLJF 312 | JDGMLJF 313 | MLFFMJF 314 | BDBJMJF 315 | LFFLMJF 316 | JBGMMJF 317 | FJDLBLF 318 | JMFMBLF 319 | BMDJDLF 320 | FLDLDLF 321 | JLFMDLF 322 | BLDJFLF 323 | FMDLFLF 324 | JJFMFLF 325 | BJDJGLF 326 | JGFMGLF 327 | MLBDJLF 328 | BGDJJLF 329 | LBDLJLF 330 | JFFMJLF 331 | MLDDLLF 332 | BFDJLLF 333 | LDDLLLF 334 | JDFMLLF 335 | MLFDMLF 336 | BDDJMLF 337 | LFDLMLF 338 | JBFMMLF 339 | FJBLBMF 340 | JMDMBMF 341 | BMFJDMF 342 | FLBLDMF 343 | JLDMDMF 344 | BLFJFMF 345 | FMBLFMF 346 | JJDMFMF 347 | BJFJGMF 348 | JGDMGMF 349 | MLBBJMF 350 | BGFJJMF 351 | LBBLJMF 352 | JFDMJMF 353 | MLDBLMF 354 | BFFJLMF 355 | LDBLLMF 356 | JDDMLMF 357 | MLFBMMF 358 | BDFJMMF 359 | LFBLMMF 360 | JBDMMMF 361 | FJMJBBG 362 | GMJGDBG 363 | FLMJDBG 364 | GLJGFBG 365 | FMMJFBG 366 | GJJGGBG 367 | GGJGJBG 368 | LBMJJBG 369 | MJBMJBG 370 | GFJGLBG 371 | LDMJLBG 372 | MJDMLBG 373 | GDJGMBG 374 | LFMJMBG 375 | MJFMMBG 376 | FJLJBDG 377 | GMLGDDG 378 | FLLJDDG 379 | GLLGFDG 380 | FMLJFDG 381 | GJLGGDG 382 | GGLGJDG 383 | LBLJJDG 384 | MJBLJDG 385 | GFLGLDG 386 | LDLJLDG 387 | MJDLLDG 388 | GDLGMDG 389 | LFLJMDG 390 | MJFLMDG 391 | FJJJBFG 392 | GMMGDFG 393 | FLJJDFG 394 | GLMGFFG 395 | FMJJFFG 396 | GJMGGFG 397 | GGMGJFG 398 | MJBJJFG 399 | LBJJJFG 400 | GFMGLFG 401 | MJDJLFG 402 | LDJJLFG 403 | GDMGMFG 404 | MJFJMFG 405 | LFJJMFG 406 | FJGJBGG 407 | FLGJDGG 408 | FMGJFGG 409 | MJBGJGG 410 | LBGJJGG 411 | MJDGLGG 412 | LDGJLGG 413 | MJFGMGG 414 | LFGJMGG 415 | FJFJBJG 416 | BMBGDJG 417 | FLFJDJG 418 | BLBGFJG 419 | FMFJFJG 420 | BJBGGJG 421 | MJBFJJG 422 | BGBGJJG 423 | LBFJJJG 424 | MJDFLJG 425 | BFBGLJG 426 | LDFJLJG 427 | MJFFMJG 428 | BDBGMJG 429 | LFFJMJG 430 | FJDJBLG 
431 | BMDGDLG 432 | FLDJDLG 433 | BLDGFLG 434 | FMDJFLG 435 | BJDGGLG 436 | MJBDJLG 437 | BGDGJLG 438 | LBDJJLG 439 | MJDDLLG 440 | BFDGLLG 441 | LDDJLLG 442 | MJFDMLG 443 | BDDGMLG 444 | LFDJMLG 445 | FJBJBMG 446 | BMFGDMG 447 | FLBJDMG 448 | BLFGFMG 449 | FMBJFMG 450 | BJFGGMG 451 | MJBBJMG 452 | BGFGJMG 453 | LBBJJMG 454 | MJDBLMG 455 | BFFGLMG 456 | LDBJLMG 457 | MJFBMMG 458 | BDFGMMG 459 | LFBJMMG 460 | FJMGBBJ 461 | GMJFDBJ 462 | FLMGDBJ 463 | GLJFFBJ 464 | FMMGFBJ 465 | GJJFGBJ 466 | GGJFJBJ 467 | LBMGJBJ 468 | MGBMJBJ 469 | GFJFLBJ 470 | LDMGLBJ 471 | MGDMLBJ 472 | GDJFMBJ 473 | LFMGMBJ 474 | MGFMMBJ 475 | DMMBBDJ 476 | FJLGBDJ 477 | DLMBDDJ 478 | GMLFDDJ 479 | FLLGDDJ 480 | DJMBFDJ 481 | GLLFFDJ 482 | FMLGFDJ 483 | DGMBGDJ 484 | GJLFGDJ 485 | DFMBJDJ 486 | GGLFJDJ 487 | LBLGJDJ 488 | MGBLJDJ 489 | DDMBLDJ 490 | GFLFLDJ 491 | LDLGLDJ 492 | MGDLLDJ 493 | DBMBMDJ 494 | GDLFMDJ 495 | LFLGMDJ 496 | MGFLMDJ 497 | DMLBBFJ 498 | FJJGBFJ 499 | DLLBDFJ 500 | GMMFDFJ 501 | FLJGDFJ 502 | DJLBFFJ 503 | GLMFFFJ 504 | FMJGFFJ 505 | DGLBGFJ 506 | GJMFGFJ 507 | DFLBJFJ 508 | GGMFJFJ 509 | LBJGJFJ 510 | MGBJJFJ 511 | DDLBLFJ 512 | GFMFLFJ 513 | LDJGLFJ 514 | MGDJLFJ 515 | DBLBMFJ 516 | GDMFMFJ 517 | LFJGMFJ 518 | MGFJMFJ 519 | DMJBBGJ 520 | FJGGBGJ 521 | DLJBDGJ 522 | FLGGDGJ 523 | DJJBFGJ 524 | FMGGFGJ 525 | DGJBGGJ 526 | DFJBJGJ 527 | MGBGJGJ 528 | LBGGJGJ 529 | DDJBLGJ 530 | MGDGLGJ 531 | LDGGLGJ 532 | DBJBMGJ 533 | MGFGMGJ 534 | LFGGMGJ 535 | DMGBBJJ 536 | FJFGBJJ 537 | DLGBDJJ 538 | BMBFDJJ 539 | FLFGDJJ 540 | DJGBFJJ 541 | BLBFFJJ 542 | FMFGFJJ 543 | DGGBGJJ 544 | BJBFGJJ 545 | DFGBJJJ 546 | BGBFJJJ 547 | MGBFJJJ 548 | LBFGJJJ 549 | DDGBLJJ 550 | BFBFLJJ 551 | MGDFLJJ 552 | LDFGLJJ 553 | DBGBMJJ 554 | BDBFMJJ 555 | MGFFMJJ 556 | LFFGMJJ 557 | DMFBBLJ 558 | FJDGBLJ 559 | DLFBDLJ 560 | BMDFDLJ 561 | FLDGDLJ 562 | DJFBFLJ 563 | BLDFFLJ 564 | FMDGFLJ 565 | DGFBGLJ 566 | BJDFGLJ 567 | DFFBJLJ 568 | MGBDJLJ 569 | BGDFJLJ 570 | LBDGJLJ 571 | DDFBLLJ 572 | MGDDLLJ 573 | 
BFDFLLJ 574 | LDDGLLJ 575 | DBFBMLJ 576 | MGFDMLJ 577 | BDDFMLJ 578 | LFDGMLJ 579 | DMDBBMJ 580 | FJBGBMJ 581 | DLDBDMJ 582 | BMFFDMJ 583 | FLBGDMJ 584 | DJDBFMJ 585 | BLFFFMJ 586 | FMBGFMJ 587 | DGDBGMJ 588 | BJFFGMJ 589 | MGBBJMJ 590 | DFDBJMJ 591 | BGFFJMJ 592 | LBBGJMJ 593 | DDDBLMJ 594 | MGDBLMJ 595 | BFFFLMJ 596 | LDBGLMJ 597 | DBDBMMJ 598 | MGFBMMJ 599 | BDFFMMJ 600 | LFBGMMJ 601 | FJMFBBL 602 | GMJDDBL 603 | FLMFDBL 604 | GLJDFBL 605 | FMMFFBL 606 | GJJDGBL 607 | GGJDJBL 608 | LBMFJBL 609 | MFBMJBL 610 | GFJDLBL 611 | LDMFLBL 612 | MFDMLBL 613 | GDJDMBL 614 | LFMFMBL 615 | MFFMMBL 616 | DMMDBDL 617 | FJLFBDL 618 | GMLDDDL 619 | DLMDDDL 620 | FLLFDDL 621 | GLLDFDL 622 | DJMDFDL 623 | FMLFFDL 624 | GJLDGDL 625 | DGMDGDL 626 | GGLDJDL 627 | DFMDJDL 628 | LBLFJDL 629 | MFBLJDL 630 | GFLDLDL 631 | DDMDLDL 632 | LDLFLDL 633 | MFDLLDL 634 | GDLDMDL 635 | DBMDMDL 636 | LFLFMDL 637 | MFFLMDL 638 | DMLDBFL 639 | FJJFBFL 640 | DLLDDFL 641 | GMMDDFL 642 | FLJFDFL 643 | DJLDFFL 644 | GLMDFFL 645 | FMJFFFL 646 | DGLDGFL 647 | GJMDGFL 648 | DFLDJFL 649 | GGMDJFL 650 | LBJFJFL 651 | MFBJJFL 652 | DDLDLFL 653 | GFMDLFL 654 | LDJFLFL 655 | MFDJLFL 656 | DBLDMFL 657 | GDMDMFL 658 | LFJFMFL 659 | MFFJMFL 660 | DMJDBGL 661 | FJGFBGL 662 | DLJDDGL 663 | FLGFDGL 664 | DJJDFGL 665 | FMGFFGL 666 | DGJDGGL 667 | DFJDJGL 668 | LBGFJGL 669 | MFBGJGL 670 | DDJDLGL 671 | LDGFLGL 672 | MFDGLGL 673 | DBJDMGL 674 | LFGFMGL 675 | MFFGMGL 676 | DMGDBJL 677 | FJFFBJL 678 | BMBDDJL 679 | DLGDDJL 680 | FLFFDJL 681 | BLBDFJL 682 | DJGDFJL 683 | FMFFFJL 684 | BJBDGJL 685 | DGGDGJL 686 | BGBDJJL 687 | DFGDJJL 688 | MFBFJJL 689 | LBFFJJL 690 | BFBDLJL 691 | DDGDLJL 692 | MFDFLJL 693 | LDFFLJL 694 | BDBDMJL 695 | DBGDMJL 696 | LFFFMJL 697 | MFFFMJL 698 | DMFDBLL 699 | FJDFBLL 700 | BMDDDLL 701 | DLFDDLL 702 | FLDFDLL 703 | BLDDFLL 704 | DJFDFLL 705 | FMDFFLL 706 | BJDDGLL 707 | DGFDGLL 708 | MFBDJLL 709 | BGDDJLL 710 | DFFDJLL 711 | LBDFJLL 712 | BFDDLLL 713 | MFDDLLL 714 | DDFDLLL 715 | LDDFLLL 716 
| BDDDMLL 717 | DBFDMLL 718 | MFFDMLL 719 | LFDFMLL 720 | DMDDBML 721 | FJBFBML 722 | DLDDDML 723 | BMFDDML 724 | FLBFDML 725 | DJDDFML 726 | BLFDFML 727 | FMBFFML 728 | DGDDGML 729 | BJFDGML 730 | MFBBJML 731 | DFDDJML 732 | BGFDJML 733 | LBBFJML 734 | MFDBLML 735 | DDDDLML 736 | BFFDLML 737 | LDBFLML 738 | MFFBMML 739 | DBDDMML 740 | BDFDMML 741 | LFBFMML 742 | FJMDBBM 743 | GMJBDBM 744 | FLMDDBM 745 | GLJBFBM 746 | FMMDFBM 747 | GJJBGBM 748 | GGJBJBM 749 | LBMDJBM 750 | MDBMJBM 751 | GFJBLBM 752 | LDMDLBM 753 | MDDMLBM 754 | GDJBMBM 755 | LFMDMBM 756 | MDFMMBM 757 | FJLDBDM 758 | DMMFBDM 759 | GMLBDDM 760 | FLLDDDM 761 | DLMFDDM 762 | GLLBFDM 763 | FMLDFDM 764 | DJMFFDM 765 | GJLBGDM 766 | DGMFGDM 767 | GGLBJDM 768 | LBLDJDM 769 | DFMFJDM 770 | MDBLJDM 771 | GFLBLDM 772 | LDLDLDM 773 | DDMFLDM 774 | MDDLLDM 775 | GDLBMDM 776 | LFLDMDM 777 | DBMFMDM 778 | MDFLMDM 779 | FJJDBFM 780 | DMLFBFM 781 | GMMBDFM 782 | FLJDDFM 783 | DLLFDFM 784 | GLMBFFM 785 | FMJDFFM 786 | DJLFFFM 787 | GJMBGFM 788 | DGLFGFM 789 | GGMBJFM 790 | LBJDJFM 791 | DFLFJFM 792 | MDBJJFM 793 | GFMBLFM 794 | LDJDLFM 795 | DDLFLFM 796 | MDDJLFM 797 | GDMBMFM 798 | LFJDMFM 799 | DBLFMFM 800 | MDFJMFM 801 | FJGDBGM 802 | DMJFBGM 803 | FLGDDGM 804 | DLJFDGM 805 | FMGDFGM 806 | DJJFFGM 807 | DGJFGGM 808 | LBGDJGM 809 | DFJFJGM 810 | MDBGJGM 811 | LDGDLGM 812 | DDJFLGM 813 | MDDGLGM 814 | LFGDMGM 815 | DBJFMGM 816 | MDFGMGM 817 | FJFDBJM 818 | DMGFBJM 819 | BMBBDJM 820 | FLFDDJM 821 | DLGFDJM 822 | BLBBFJM 823 | FMFDFJM 824 | DJGFFJM 825 | BJBBGJM 826 | DGGFGJM 827 | BGBBJJM 828 | LBFDJJM 829 | MDBFJJM 830 | DFGFJJM 831 | BFBBLJM 832 | LDFDLJM 833 | MDDFLJM 834 | DDGFLJM 835 | BDBBMJM 836 | LFFDMJM 837 | MDFFMJM 838 | DBGFMJM 839 | FJDDBLM 840 | DMFFBLM 841 | BMDBDLM 842 | FLDDDLM 843 | DLFFDLM 844 | BLDBFLM 845 | FMDDFLM 846 | DJFFFLM 847 | BJDBGLM 848 | DGFFGLM 849 | BGDBJLM 850 | MDBDJLM 851 | LBDDJLM 852 | DFFFJLM 853 | BFDBLLM 854 | LDDDLLM 855 | MDDDLLM 856 | DDFFLLM 857 | BDDBMLM 858 | LFDDMLM 
859 | MDFDMLM 860 | DBFFMLM 861 | FJBDBMM 862 | DMDFBMM 863 | BMFBDMM 864 | FLBDDMM 865 | DLDFDMM 866 | BLFBFMM 867 | FMBDFMM 868 | DJDFFMM 869 | BJFBGMM 870 | DGDFGMM 871 | MDBBJMM 872 | BGFBJMM 873 | LBBDJMM 874 | DFDFJMM 875 | MDDBLMM 876 | BFFBLMM 877 | LDBDLMM 878 | DDDFLMM 879 | BDFBMMM 880 | MDFBMMM 881 | LFBDMMM 882 | DBDFMMM 883 | -------------------------------------------------------------------------------- /LINKS.md: -------------------------------------------------------------------------------- 1 | # Helpful Links / Issues 2 | 3 | ## Functions Marked as noreturn 4 | * https://github.com/NationalSecurityAgency/ghidra/issues/1981 5 | * https://github.com/NationalSecurityAgency/ghidra/issues/889 6 | -------------------------------------------------------------------------------- /PPC/MakeFunctionsScriptPPC.java: -------------------------------------------------------------------------------- 1 | /* ### 2 | * IP: GHIDRA 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
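 */
// Script to ask user for a byte sequence that is a common function start
// make functions at those locations
// if code has only one block it asks the user where the data block is and splits the program into
// code and data blocks
//@category Functions

import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.address.AddressSetView;
import ghidra.program.model.listing.Function;
import ghidra.program.model.mem.Memory;
import ghidra.program.model.mem.MemoryBlock;
import ghidra.app.cmd.disassemble.*;

/**
 * Creates functions by searching user-chosen memory regions for a two-byte prologue pattern
 * ({@code xx B5}) and disassembling each hit.
 * NOTE(review): despite the PPC file name this script uses ArmDisassembleCommand in Thumb mode,
 * the Thumb push pattern and the "GBA Function Generation" banner — confirm which target is intended.
 */
public class MakeFunctionsScriptPPC extends GhidraScript {

    /**
     * Scans [start, end] for every occurrence of {@code inst_sequence} that is not already inside a
     * function, disassembles it and creates a function there.
     *
     * @param start first address to search (inclusive); the caller's variable is not modified
     * @param end last address to search (inclusive)
     * @param inst_sequence byte pattern expected at a function entry
     * @return number of functions created
     */
    public int getFunctions(Address start, Address end, byte[] inst_sequence) {
        int funcCount = 0;
        // Let the user know which byte sequence we are looking for.
        print("Searchig for byte sequence: ");
        for (byte b : inst_sequence) {
            print(String.format("%02X", b));
        }
        println("");

        // Get the memory space for the current program that we are analyzing.
        Memory memory = currentProgram.getMemory();
        while (!monitor.isCancelled() && start.compareTo(end) <= 0) {
            // Search the memory region that we provided for our byte sequence
            Address found = memory.findBytes(start, end, inst_sequence, null, true, monitor);
            if (found == null) {
                // Nothing (more) in the range, time to bail
                break;
            }
            if (getFunctionContaining(found) == null) {
                // Disassembles as ARM with thumbMode=true, as in the original; see the class note
                ArmDisassembleCommand cmd = new ArmDisassembleCommand(found, null, true);
                cmd.applyTo(currentProgram);
                AddressSetView disassembled = cmd.getDisassembledAddressSet();
                // An empty set means nothing decoded at this address; treat it like null
                if (disassembled != null && !disassembled.isEmpty()) {
                    // Code was properly disassembled, create a function!
                    Function func = createFunction(found, null);
                    if (func != null) {
                        println("Made function at address: " + found.toString());
                        // Skip past the new function's body and keep searching; the 'break' that
                        // used to sit here ended the whole scan after the first function
                        start = found.add(func.getBody().getNumAddresses());
                        funcCount++;
                        continue;
                    }
                }
            }
            // Step by the pattern's 2-byte granularity to the next candidate
            start = found.add(2);
        }
        return funcCount;
    }

    /**
     * Asks the user how many regions to scan and then a start/end address for each.
     *
     * @return pairs laid out as [start0, end0, start1, end1, ...]
     * @throws IllegalArgumentException if the region count is negative
     * @throws Exception if the user cancels a prompt
     */
    public Address[] getBlockInfo() throws Exception {
        int regionCount = askInt("Get Num of Regions", "How many different memory regions would you like to analyze?");
        if (regionCount < 0) {
            throw new IllegalArgumentException("Region count must not be negative, got " + regionCount);
        }
        Address[] blocks = new Address[regionCount * 2];
        // Bound on blocks.length, not regionCount: with the latter every region after the first was
        // left null and the scan failed on start.compareTo(end)
        for (int x = 0; x < blocks.length; x += 2) {
            Address startAddress = askAddress("Get Start Address", "Please enter the starting address of the region you wish to analyze");
            Address endAddress = askAddress("Get End Address", "Please enter the end address for the region you wish to analyze");
            blocks[x] = startAddress;
            blocks[x + 1] = endAddress;
        }
        return blocks;
    }

    /**
     * Script entry point: tries every first byte 0x00..0xFF in front of 0xB5 against each
     * user-chosen region and reports how many functions were made.
     *
     * @throws Exception if a prompt is cancelled
     */
    @Override
    public void run() throws Exception {
        println("GBA Function Generation");
        int foundCount = 0;
        byte[] inst_bytes = new byte[] {0x00, (byte) 0xB5};
        Address[] addrBlocks = getBlockInfo();
        for (int inst_byte = 0; inst_byte <= 0xFF; inst_byte++) {
            // The pattern's first byte only depends on the outer loop, so set it once per byte
            inst_bytes[0] = (byte) inst_byte;
            for (int x = 0; x < addrBlocks.length; x += 2) {
                foundCount += getFunctions(addrBlocks[x], addrBlocks[x + 1], inst_bytes);
            }
        }
        println("Made " + foundCount + " functions");
    }

}

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------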
| # ghidra-utils 2 | 3 | Collection of useful Ghidra utilities and references 4 | 5 | ## Repository Contents 6 | 7 | * ```GBA```: Contains scripts and tools for analyzing the Kong: King of Atlantis GBA ROM 8 | * [Supplemental blog post](https://wrongbaud.github.io/posts/kong-vs-ghidra/) 9 | * ```LINKS.md```: Contains helpful links to issues and blogs that I have found useful 10 | 11 | ## Learning Ghidra 12 | * [Course with Hackaday-U](https://hackaday.io/course/172292-introduction-to-reverse-engineering-with-ghidra) 13 | --------------------------------------------------------------------------------