Pyghidra Analysis unpacks Complex Blocks multiple times
What is the problem? (Here is where you provide a complete Traceback.)
While adding log messages to the standalone Pyghidra analyzer script, I noticed that it was unpacking all of the program's complex blocks for every ELF segment. Even segments containing no complex blocks would unpack all complex blocks in the program. Running the analyzer on a program containing 5 segments will result in analysis taking 5 times longer to complete than it should.
Please provide some information about your environment. At minimum we would like the following information on your platform and Python environment:
- Platform:
  - If running in one of the OFRAK Docker images, say which image it is (for example, redballoonsecurity/ofrak/ghidra).
  - If not running in an OFRAK Docker image, please provide the output of python3 -m platform.
- Python environment: Please provide the output of python3 -m pip freeze.
Docker image
If you've discovered it, what is the root cause of the problem?
Pyghidra's Address.subtract() method seems to be buggy. For example:
Address address_1 = Address(0xfffffff000000000)
Address address_2 = Address(0x100)
address_1.subtract(address_2)
This results in 0x3f00000100. It seems that the sign extension of the resulting Java long is not being handled correctly. Using compareTo instead works correctly, as this method returns -1 if a < b, 0 if a == b, and 1 if a > b.
How often does the issue happen?
Running the standalone analyzer script on a binary with multiple segments.
What are the steps to reproduce the issue? Ideally, give us a short script that reproduces the issue.
Running the standalone analyzer script on a binary with multiple segments.
How would you implement this fix?
Use compareTo instead of subtract
Are there any (reasonable) alternative approaches?
Are you interested in implementing it yourself?
Yes
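Added example, not part of the original issue or of OFRAK's code: a pure-Python model of why ordering 64-bit offsets by the sign of a subtraction is fragile while a three-way comparison is not. It assumes the difference is delivered as a wrapped signed 64-bit long; it does not call Ghidra, and every function name and the sample offsets are hypothetical.

```python
from functools import cmp_to_key

MASK64 = (1 << 64) - 1

def to_java_long(value):
    """Reinterpret the low 64 bits of value as a signed 64-bit long."""
    value &= MASK64
    return value - (1 << 64) if value >> 63 else value

def subtract_as_long(a, b):
    """Assumed model: offset difference wrapped into a signed long."""
    return to_java_long(a - b)

def order_by_subtract_sign(a, b):
    """Fragile ordering: trusts the sign of the wrapped difference."""
    diff = subtract_as_long(a, b)
    return (diff > 0) - (diff < 0)

def order_by_compare(a, b):
    """Three-way unsigned comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    a &= MASK64
    b &= MASK64
    return (a > b) - (a < b)

def sort_offsets(offsets, order):
    """Sort offsets with the given three-way ordering function."""
    return sorted(offsets, key=cmp_to_key(order))

def blocks_at_or_after(blocks, segment_start, order):
    """Select block offsets the ordering places at or after segment_start."""
    return [b for b in blocks if order(b, segment_start) >= 0]

# Constructed sample offsets (the first two are the ones quoted in the issue).
SAMPLE_OFFSETS = [0xFFFFFFF000000000, 0x100, 0x2000]

if __name__ == "__main__":
    for name, order in (("subtract sign", order_by_subtract_sign),
                        ("compare", order_by_compare)):
        ordered = [hex(o) for o in sort_offsets(SAMPLE_OFFSETS, order)]
        picked = [hex(b) for b in
                  blocks_at_or_after([0x400], 0xFFFFFFF000000000, order)]
        print(f"{name}: sorted={ordered} blocks>=high_start={picked}")
```

With the subtraction-based ordering, the low block at 0x400 is wrongly reported as lying at or after the high segment start, which is the kind of misattribution a comparison-based check avoids.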