
GNU demangler doesn't demangle anything on MacOS M1

Open alexdevsec opened this issue 2 years ago • 2 comments

When I use the Ghidra demangler tool from the GUI, it doesn't demangle any symbol names. I tracked it down to the GNU demangler doing nothing. This might be because I'm on macOS Monterey 12.6 on an M1.

For instance, when I run:

$ cd ghidra_10.1.5_PUBLIC/GPL/DemanglerGnu/os/mac_x86_64/
$ ./demangler_gnu_v2_33_1 __ZTISt12length_error
__ZTISt12length_error

... it doesn't do any conversion, it just repeats the input because it couldn't demangle.

I get the same thing with v2_24.

Here's the same result using c++filt which comes with Xcode command line tools:

$ /usr/bin/c++filt __ZTISt12length_error
typeinfo for std::length_error

This information appears correct.

A workaround might be to point the Ghidra demangler tool to use c++filt, but I don't know how to do that.

Ghidra version: 10.1.5
OS: MacOS Monterey 12.6 on an M1

alexdevsec, Oct 11 '22 09:10

The issue with this example for the demangler we ship is that there are two leading underscores. I tried this on Linux and it does not work using demangler_gnu_v2_33_1 or using c++filt. Both tools worked as expected when I removed one of the leading underscores.

Ghidra has code to check for __Z and remove one of the underscores. I added the above mangled text as a label to Ghidra. Then, with my cursor on that label, I ran the Ghidra script DemangleSymbolScript.java. This demangled the symbol as expected. Running the Demangler Gnu analyzer also found and demangled the symbol.

dragonmacher, Oct 11 '22 16:10
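Added example, not part of the thread and not Ghidra's code: a sketch of why a strict demangler echoes `__ZTISt12length_error` unchanged, and how dropping one leading underscore before parsing recovers the name. The function names are hypothetical, and the parser covers only a small subset of the Itanium C++ ABI grammar (typeinfo, vtable and VTT names over simple or nested identifiers).

```python
import re

# Itanium C++ ABI special-name prefixes handled by this sketch (a small subset).
SPECIAL = {"TI": "typeinfo for ", "TS": "typeinfo name for ",
           "TV": "vtable for ", "TT": "VTT for "}

def strip_extra_underscore(sym):
    # Hypothetical helper: '__Z...' -> '_Z...', the normalization the thread describes.
    return sym[1:] if sym.startswith("__Z") else sym

def _source_name(s, i):
    # <source-name> ::= <decimal length> <identifier>
    m = re.match(r"[1-9]\d*", s[i:])
    if not m:
        raise ValueError("expected length-prefixed identifier")
    start = i + m.end()
    end = start + int(m.group())
    if end > len(s):
        raise ValueError("identifier runs past end of symbol")
    return s[start:end], end

def _name(s, i):
    # Subset of <name>: St<source-name>, N<source-name>+E, or a bare <source-name>.
    if s.startswith("St", i):
        ident, i = _source_name(s, i + 2)
        return "std::" + ident, i
    if s.startswith("N", i):
        parts, i = [], i + 1
        while not s.startswith("E", i):
            ident, i = _source_name(s, i)
            parts.append(ident)
        if not parts:
            raise ValueError("empty nested name")
        return "::".join(parts), i + 1
    return _source_name(s, i)

def demangle_strict(sym):
    # Like the tools in the thread, return the input unchanged when it does not parse.
    if not sym.startswith("_Z") or sym[2:4] not in SPECIAL:
        return sym
    try:
        name, end = _name(sym, 4)
    except ValueError:
        return sym
    return SPECIAL[sym[2:4]] + name if end == len(sym) else sym

def demangle_macho(sym):
    return demangle_strict(strip_extra_underscore(sym))
```

A symbol that comes back byte-for-byte identical is the signal that parsing failed, so comparing input and output is a quick check when triaging demangler results.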

Note that we have things set up on an M1 such that it will use the x86_64 native executable with Rosetta 2 if an aarch64 version is not available, which is the case with the GNU demangler.

ryanmkurtz, Oct 11 '22 16:10

I would like to add that this also applies to the decompiler binaries (and all other native binaries packaged within Ghidra releases), as none of them are built for aarch64-apple-darwin. Ghidra seems to default to x86_64-apple-darwin at runtime, regardless of the currently running architecture.

lnchan, Feb 27 '23 17:02

We do not ship aarch64 binaries with our releases. However, we provide the ability to build them yourself for your native platform. Just run support/buildNatives.

ryanmkurtz, Feb 27 '23 17:02