Automating Ghidra - part 3

Automating Ghidra - part 3

In the third installment of this series (if you haven't read/seen here's - part 1 & part 2) we will be reconstructing program flow. This is useful for tasks such as Towel's armageddon.

Note: If you prefer watching, have a look at my YouTube channel.

The difficulty of this crackme is that it contains (as noted in the description) slight obfuscation. It has a form of program flow obfuscation that looks like the following:

              LAB_00014a0c                   XREF[1] 00014a04 (j)  
   014a0c 00 48      stmdb  sp!,{r11 lr}
          2d e9
   014a10 00 00      b      LAB_00014a18
          00 ea
   014a14 07         ??     07h
   014a15 43         ??     43h    C
   014a16 94         ??     94h
   014a17 2b         ??     2Bh    +
              LAB_00014a18                   XREF[1] 00014a10 (j)  
   014a18 04 b0      add    r11,sp,#0x4
          8d e2
   014a1c 00 00      b      LAB_00014a24
          00 ea
   014a20 d9         ??     D9h
   014a21 5a         ??     5Ah    Z
   014a22 05         ??     05h
   014a23 ec         ??     ECh
              LAB_00014a24                   XREF[1] 00014a1c (j)  
   014a24 58 d0      sub    sp,sp,#0x58
          4d e2
   014a28 00 00      b      LAB_00014a30
          00 ea
   014a2c 1b         ??     1Bh
   014a2d f5         ??     F5h
   014a2e 8e         ??     8Eh
   014a2f f4         ??     F4h
              LAB_00014a30                   XREF[1] 00014a28 (j)  
   014a30 f8 08      ldr    r0=>s_---------------_-=UMDCTF_2019=-_-_0  = 000153d4
          9f e5                                                        = "--------
   014a34 00 00      b      LAB_00014a3c
          00 ea
   014a38 7e         ??     7Eh    ~
   014a39 05         ??     05h
   014a3a 8a         ??     8Ah
   014a3b 5f         ??     5Fh    _
              LAB_00014a3c                   XREF[1] 00014a34 (j)  
   014a3c 50 ee      bl     puts                              int puts(ch
      ff eb
   014a40 00 00      b      LAB_00014a48
      00 ea
   014a44 a2         ??     A2h
   014a45 d5         ??     D5h
   014a46 66         ??     66h    f
   014a47 3a         ??     3Ah    :

The program listing is a mess. Only one valid instruction followed by a jump and few bytes of garbage makes the analysis a bit tougher.  Disassembly is looking correct, but if we would like to check the disassembly we have a problem.

Here comes Ghidra's scripting API. We could use the API to extract instructions, skip those unconditional jumps and reconstruct the code.

To do that we can use currentProgram.getListing().getInstructionAt(addr) to check if the instruction is an unconditional jump, we can  get the Flow type information

t = instruction.getFlowType()

There's one more tricky part - in order to get an instruction string we need to do the following

codeUnitFormat = CodeUnitFormat(CodeUnitFormatOptions(CodeUnitFormatOptions.ShowBlockName.ALWAYS,CodeUnitFormatOptions.ShowNamespace.ALWAYS,"",True,True,True,True,True,True,True))


Without that we would be missing some important stuff like references, and string.

The full script.

Running it will give us listing without those jumps

000104f4: b .text:check_flag_1
000104fc: stmdb sp!,{r11 lr}
00010508: add r11,sp,#0x4
00010514: sub sp,sp,#0x8
00010520: str flag,[r11,#local_c+0x4]
0001052c: ldr r3,[r11,#local_c+0x4]
00010538: add r3,r3,#0x15
00010544: ldrb r3,[r3,#0x0]
00010550: cpy r2,r3
0001055c: ldr r3,[r11,#local_c+0x4]
00010568: add r3,r3,#0x27
00010574: ldrb r3,[r3,#0x0]
00010580: mul r3,r3,r2
0001058c: ldr r2,[r11,#local_c+0x4]
00010598: add r2,r2,#0x1
000105a4: ldrb r2,[r2,#0x0]
000105b0: mul r3,r2,r3
000105bc: ldr r2,[r11,#local_c+0x4]
000105c8: add r2,r2,#0x11
000105d4: ldrb r2,[r2,#0x0]
000105e0: add r2,r3,r2
000105ec: ldr r3,[r11,#local_c+0x4]
000105f8: add r3,r3,#0x1e
00010604: ldrb r3,[r3,#0x0]
00010610: cpy r1,r3
0001061c: ldr r3,[r11,#local_c+0x4]
00010628: add r3,r3,#0x13
00010634: ldrb r3,[r3,#0x0]
00010640: mul r3,r3,r1
0001064c: add r3,r2,r3
00010658: ldr r2,[.text:DAT_000106d0]
00010664: cmp r3,r2
00010670: beq .text:LAB_000106a4
0001067c: ldr flag=>.rodata:s__[!]_Code_did_not_validate!_:(_000153b4,[.text:PTR_s__[!]_Code_did_not_validate!_:(_000106d4]
00010688: bl .plt:puts

Now we can analyze it without problems.