Example `sleigh-lift` invocation no longer works

Question

Example `sleigh-lift` invocation no longer works

Closed this issue 3 years ago · 5 comments

There seems to be a regression at 387f9b0 which has broken disassembly. I'll eyeball the SLEIGH changes that went into that release and see if I submit a patch to Ghidra.

Before:

tetsuo@Alexs-MacBook-Pro install % ./bin/sleigh-lift disassemble x86-64.sla 4881ecc00f0000
0x00000000: SUB RSP,0xfc0

After:

tetsuo@Alexs-MacBook-Pro install % ./bin/sleigh-lift disassemble x86-64.sla 4881ecc00f0000
0x00000000: DEC AX
0x00000001: DEC AX
0x00000002: DEC AX
0x00000003: DEC AX
0x00000004: DEC AX
0x00000005: DEC AX
0x00000006: DEC AX

Answer 1 · 2022-01-03T06:28:41.000Z

@pgoodman This is the issue you saw earlier.

Answer 2 · 2022-01-03T14:29:36.000Z

Looks like the culprit is this commit.

It seems that you now need to set longMode through the API in order for it to correctly disassemble 64-bit instructions even if you've provided the right SLA file. Seems weird that you need to specify that... I'll follow up with a PR to fix sleigh-lift.

@pgoodman I saw in your IRENE branch, one of your commit messages mentions that you're seeing unexpected output (stuck on 16-bit mode). Perhaps this is related?

Answer 3 · 2022-01-03T15:00:24.000Z

Not sure if this is related, but I found out you have to specify a .pspec file for 64 bit x86 disassembling, but maybe setting longMode is more correct.

Code reference from Mishegos PR:
https://github.com/ekilmer/mishegos/blob/712981d442f30207a4adf9acc052774024bc5be3/src/worker/ghidra/ghidra.cc#L91-L95

Answer 4 · 2022-01-03T15:10:47.000Z

Interesting, thanks for the tip @ekilmer. I'll try both methods tomorrow and let you know how it goes.

Answer 5 · 2022-01-03T23:00:06.000Z

@tetsuo-cpp the stuff @ekilmer linked to related to pspec files fixed my 16-bit issue :-)