ghidra
ghidra copied to clipboard
NationalSecurityAgency
Demangler doesn't run on OSX
Describe the bug The first time the demangler runs, OSX will block it. After unlocking it with the "open anyway" button in the security settings, the demangling part is already skipped in ghidra. Even re-analyzing the binary won't solve the issue.
To Reproduce Steps to reproduce the behavior:
- Open a binary in Ghidra with OSX (in my case a armeabi-v7a one)
- Analyze with default settings
- Wait for the error to appear
Expected behavior Demangler properly runs.
Screenshots
Attachments libminecraftpe.so.zip
Environment (please complete the following information):
- OS: macOS 12.6.6
- Java Version: openjdk 17.0.7 2023-04-18
- Ghidra Version: 10.3
- Ghidra Origin: official GitHub distro
OSX adds an extended attribute tag to files downloaded from your browser by default. You can read more about it here or here, kudos to hoakley for the great explanations. That attribute is likely what is triggering the OSX security warning that's causing issues.
A good way to prevent this issue in the first place is to run the command below on your Ghidra folder. It removes the quarantine attribute and should prevent the initial wall of errors. Full disclosure - I haven't tested in a while so your milage may vary.
Command to remove the Quarantine flag
xattr -r -d com.apple.quarantine $ghidraFolder
In addition to @revolver-ocelot-saa's advice, you can produce your own build of Ghidra's native components from the Ghidra release by running:
support/buildNatives
The native components produced by this will not get blocked. You will have to have Xcode or Command Line Tools installed for the native build to work.
Using M3 MacBook Air running Sonoma 14.4. I had the exact same problem as this issue, and running support/buildNatives (requires brew install gradle) as suggested by Ryan worked
