Home / Java / Miscellaneous

Hexagon decompiler for Ghidra

Ghidra hexagon plugin WIP Hexagon decompiler plugin for ghidra Pcode is more or less autogenerated, essentially copying and adapting from binja-hexago
Information
Category: Java / Miscellaneous
Watchers: 2
Star: 5
Fork: 0
Last update: Jan 18, 2022
Resource links
https://github.com/toshipiazza/ghidra-plugin-hexagon

Ghidra hexagon plugin

WIP Hexagon decompiler plugin for ghidra

demo

Pcode is more or less autogenerated, essentially copying and adapting from binja-hexagon

Checkout the wiki for more information!

Known issues

Exception while decompiling XXX: Decompiler process died

More often than not this is caused by pcode being unimplemented for some instruction. To view pcode for an instruction, go into the listing view, click on the "Edit the listing fields" icon in the top right, right click on PCode, and click on "Enable field"

e6 40 41 8c  {  S2_vsplatrb   R6 R1
                                     UNIMPLEMENTED

You can work around this temporarily by creating a userop

diff --git a/Ghidra/Processors/Hexagon/data/languages/hexagon.slaspec b/Ghidra/Processors/Hexagon/data/languages/hexagon.slaspec
index 57d1d31bf..e89ed1dac 100644
--- a/Ghidra/Processors/Hexagon/data/languages/hexagon.slaspec
+++ b/Ghidra/Processors/Hexagon/data/languages/hexagon.slaspec
@@ -144,6 +144,7 @@ define pcodeop fICDATAW;
 define pcodeop fPAUSE;
 define pcodeop WRITE_SGP0;
 define pcodeop fSTORE_LOCKED;
+define pcodeop S2_vsplatrb;

 define token NORMAL(32)
   Parse                                = (14, 15)
@@ -34376,7 +34377,9 @@ C4_addipc_pkt_start: reloc is epsilon [ reloc = pkt_start; ] {

 :S2_vsplatrh S2_vsplatrh_Rdd32 S2_vsplatrh_Rs32 is phase = 1 & immext = 0xffffffff & Parse != 0b00 & subinsn = 0 & b6 = 1 & b7 = 0 & b22 = 1 & b23 = 0 & b24 = 0 & b25 = 0 & b26 = 1 & b27 = 0 & b28 = 0 & b29 = 0 & b30 = 0 & b31 = 1 & S2_vsplatrh_Rdd32 & S2_vsplatrh_Rs32 unimpl

-:S2_vsplatrb S2_vsplatrb_Rd32 S2_vsplatrb_Rs32 is phase = 1 & immext = 0xffffffff & Parse != 0b00 & subinsn = 0 & b5 = 1 & b6 = 1 & b7 = 1 & b21 = 0 & b22 = 1 & b23 = 0 & b24 = 0 & b25 = 0 & b26 = 1 & b27 = 1 & b28 = 0 & b29 = 0 & b30 = 0 & b31 = 1 & S2_vsplatrb_Rd32 & S2_vsplatrb_Rs32 unimpl
+:S2_vsplatrb S2_vsplatrb_Rd32 S2_vsplatrb_Rs32 is phase = 1 & immext = 0xffffffff & Parse != 0b00 & subinsn = 0 & b5 = 1 & b6 = 1 & b7 = 1 & b21 = 0 & b22 = 1 & b23 = 0 & b24 = 0 & b25 = 0 & b26 = 1 & b27 = 1 & b28 = 0 & b29 = 0 & b30 = 0 & b31 = 1 & S2_vsplatrb_Rd32 & S2_vsplatrb_Rs32 {
+    S2_vsplatrb_Rd32 = S2_vsplatrb(S2_vsplatrb_Rs32);
+}

 :S6_vsplatrbp S6_vsplatrbp_Rdd32 S6_vsplatrbp_Rs32 is phase = 1 & immext = 0xffffffff & Parse != 0b00 & subinsn = 0 & b6 = 0 & b7 = 1 & b22 = 1 & b23 = 0 & b24 = 0 & b25 = 0 & b26 = 1 & b27 = 0 & b28 = 0 & b29 = 0 & b30 = 0 & b31 = 1 & S6_vsplatrbp_Rdd32 & S6_vsplatrbp_Rs32 unimpl

TODO

  • Reject invalid packets according to ordering and grouping constraints
  • Add new "semantic" field to listing to view disassembly in more natural way
  • Cleanup autogenerated hexagon.slaspec
  • Release autogeneration script for slaspec
  • Implement more instructions in pcode
  • Setting gp global register based on ELF information
  • Variadic arguments placed on stack
3 Open More issues
Closed

Auto-and Predicates

See section 6.1.3 "Auto-AND predicates" in the "Qualcomm Hexagon V66 Programmer’s Reference Manual"

If multiple compare instructions in a packet write to the same predicate register, the result is the logical AND of the individual compare results.

This is not handled in HexagonPcodeEmitPacked, and will silently result in only the last assignment to P3:0 being used in a subsequent compare

bug hexagon is weird 
opened Jan 16, 2022 by toshipiazza 3
Closed

Reorders new compare jumps and instructions containing dot-new predic…

…ates

Consider the following (valid) hexagon code:

  { if (!P0.new) r0 = #41
    P0 = cmp.eq(R18,#0x0); if (P0.new) jump:nt 1f  }
  { r0 = #0
    jumpr r31 }
1:
  { r0 = #1
    jumpr r31 }

P0.new precedes the store to P0. We handle this case by deferring dot-new predicates and new-compare jumps till after the rest of the instructions have been processed

Massively refactors HexagonPcodeEmitPacket to accommodate

Adds a test for the above code

Adds a test including endloop01 (the only instruction which contains more than one branch)

Fixes #7 Fixes #4

opened Jan 28, 2022 by toshipiazza 1
Closed

Incorrect disassembly and pcode for gp loads and stores

See "Encoding 32-bit address operands in load/stores" in section 10.9 of "Qualcomm Hexagon V66 Programmer's Reference Manual"

For unconditional load/stores, the GP-relative load/store instruction is used. [...] In this case the 32-bit value encoded must be a plain address, and the value stored in the GP register is ignored.

binja-hexagon correctly disassembles some code as

{ immext(<blah>)
  R3 = memw(0+<extended>) }

But ghidra-plugin-hexagon shows a GP-relative address instead

bug hexagon is weird 
opened Jan 18, 2022 by toshipiazza 1
Closed

dot-new predicates with weird ordering results in incorrect in_P0 refs in decompilation

Here's a weird code sample that's valid hexagon code

  { if (!P0.new) r0 = #41
    P0 = cmp.eq(R18,#0x0); if (P0.new) jump:nt 1f  }
  { r0 = #0
    jumpr r31 }
1:
  { r0 = #1
    jumpr r31 }

Even though P0.new is referenced before P0 is set, hexagon still store-forwards the write value in this case.

This will require a major refactor to HexagonPcodeEmitPacked to reorder some instructions (and split up newcmp jumps) just like in qemu

This also needs to be compatible with auto-and predicates #4, yeesh

bug hexagon is weird 
opened Jan 24, 2022 by toshipiazza 0
Closed

Fixes disassembly and pcode for instructions which read gp

For instructions which read C11 aka the gp register, such as L2_loadrubgp, gp should only be consulted if an immext was not applied.

For example, immext is applied below so the memref is not gp-rel:

{ immext(##0x123440)
  R0 = memw(#0+##0x123450)
  jumpr R31 }

But this is gp-rel:

{ R0 = memw(GP+##0x10)
  jumpr R31 }

Fixes this issue by adding a "gp" sleigh constructor that's conditional on the immext context reg, and adds C11 or 0 as an operand based on the above

Fixes #5

opened Jan 18, 2022 by toshipiazza 0
Closed

Enlightens BasicBlockModel and SimpleBlockcModel to ParallelInstructi…

…onLanguageHelper

Previously BasicBlockModel and SimpleBlockModel might terminate a block in the middle of an instruction group

Now BasicBlockModel and SimpleBlockModel respect instruction group boundaries

Adds getFlowType to ParallelInstructionLanguageHelper and implements it in HexagonParallelInstructionLanguageHelper

Reverts formatting on ParallelInstructionLanguageHelper for a cleaner diff off of master

Adds tests, HexagonPacketTestCodeBlock

As of this commit, the function graph also respects instruction group boundaries, so there are no longer awkward flows in between packets. For example:

{  SL2_jumpr31
   SA1_seti  R0 0x2 }

Previously appeared as

SL2_jumpr31 -> SA1_seti R0 0x2

In the function graph view. These are now displayed as one basic block.

opened Jan 15, 2022 by toshipiazza 0
Open

Misbehaving analyzer clears instructions after calls to non-returning functions

See below

ca 4b 00 5a  {  J2_call                             assert_fail
    -- Flow Override: CALL_RETURN (CALL_TERMINATOR)

All instructions after the call are undefined. Also notice that the J2_call is not the end of its own packet. This occasionally breaks decompilation as well

bug 
opened Feb 21, 2022 by toshipiazza 1
Open

Split out plugin and core ghidra (with requisite changes)

null

enhancement 
opened Feb 17, 2022 by toshipiazza 0
Open

Enumerate instructions in execution order when emitting pcode

Previously we would emit pcode for instructions in the order they appear in the listing (order of increasing address). This assumption is incorrect for DUPLEX instructions.

DUPLEX instructions appear in the listing in swapped order: the slot 0 instruction appears earlier in memory, followed by the slot 1 instruction. But execution order follows the opposite ordering: order of decreasing slots (so slot 3, 2, 1, 0)

As a result, we would emit incorrect pcode for the following assembly:

{ R3 = memw(R2+#0x0); memw(R2+#0x0) = #0x0 }

As written, the load comes before the store, but since they are DUPLEX the store would appear before the load, causing the load to be const-propped. This commit fixes the issue.

Fixes #10

opened Feb 14, 2022 by toshipiazza 1
Open

Pcode incorrect for DUPLEX instructions with two memops

The plugin emits incorrect pcode for the following snippet:

{ R3 = memw(R2+#0x0); memw(R2+#0x0) = #0x0 }

The store should occur after the load, as written. The problem causing the incorrect pcode is that these instructions form a DUPLEX; and in a DUPLEX the slot 0 instruction comes first in program memory, but the slot 1 instruction must always be executed after.

A standard InstructionIterator is insufficient

AddressSet addrSet = new AddressSet(minAddr, maxAddr);
program.getListing().getInstructions(addrSet, true)

Because DUPLEXes will be enumerated in the incorrect (execution) order

bug 
opened Feb 14, 2022 by toshipiazza 0
Open

Improve endloops

The current implementation of endloops has some issues. First, endloop01 has a subtle decompilation bug that doesn't seem to be an issue with pcode generation (see testHwLoop01). Also, the jumps themselves are indirect (goto [C0];) so the graph view doesn't display the loop edge

Consider replacing C0 and C2 with context registers, to replace the indirect branches with direct branches. This requires updating a few opcodes:

  • J2_loop0r
  • J2_loop1r
  • J2_loop0i
  • J2_loop1i
  • J2_ploop1sr
  • J2_ploop1si
  • J2_ploop2sr
  • J2_ploop2si
  • J2_ploop3sr
  • J2_ploop3si
  • J2_endloop0
  • J2_endloop1
  • J2_endloop01
enhancement 
opened Feb 9, 2022 by toshipiazza 0
Open

Support functions with variadic arguments

According to Qualcomm Hexagon Application Binary Interface

For [variadic] functions, we pass the named (and typed) parameters in the same manner as for fixed argument list functions. The remainder of the arguments are passed on the stack.]

I do not know how to achieve the desired behavior in the cspec

enhancement hexagon is weird 
opened Jan 14, 2022 by toshipiazza 0

Contents

    IRQsome Port of Super Hexagon to the Parallax Propeller
    Konloch A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
    airbus-cert Yet Another Ghidra Integration for IDA
    StarCrossPortal SleighCraft is a decoder based on ghidra's decompiler implementation.
    federicodotta The new bridge between Ghidra and Frida!
    hexagonkt Hexagon is a microservices toolkit written in Kotlin. Its purpose is to ease the building of services (Web applications, APIs or queue consumers) that run inside a cloud platform.
    rocky Python decompiler for 3.7+. Stripped down from uncompyle6 so we can refactor and fix up some long-standing problems
    avast RetDec is a retargetable machine-code decompiler based on LLVM.
    rocky A cross-version Python bytecode decompiler
    daenerys-sre Daenerys: A framework for interoperability between IDA and Ghidra
    d3v1l401 IDA Pro's FindCrypt ported to Ghidra, with an updated and customizable signature database
    NationalSecurityAgency Ghidra is a software reverse engineering (SRE) framework
    cesena Export ghidra decompiled code to dwarf sections inside ELF binary
    federicodotta A collection of my Ghidra scripts
    xyzz Renesas RL78 processor module for Ghidra
    danylokos Nintendo 3DSX loader for Ghidra
    zaksabeast Ghidra scripts to help with 3ds reverse engineering
    atc1441 Ghidra Plugin for Texas Instrument CC 8051 SOC's especially CC1110 and CC2510
    fridex Create hexagon stickers automatically
    KenneyNL Hexagon terrain generation using KayKit models
    fesh0r Unofficial mirror of FernFlower Java decompiler (All pulls should be submitted upstream)
    Share this repo

    Related Repos


    Miscellaneous
    12
    A public, stripped down workspace of the Project Unity mod, a mega-collaboration Mindustry...
    AvantTeam Project Unity A work-in-progress mega-collaboration Mindustry mod, created by the Avant Team. As the repository description says, this is not a fully
     
    Miscellaneous
    4
    FeatherMC - Pedaret
    PersianDevs FeatherMC FeatherMC Yek Forke NachoSpigot e, Ke Ba Optimize Khoob Baraye Server Haye Mini Game Va PvP Sakhte Shode, Ke Ba Remove Kardan Bug Ha Va Feat
     
    Miscellaneous
    470
    Java library and command-line application for converting Scikit-Learn pipelines to PMML
    jpmml JPMML-SkLearn Java library and command-line application for converting Scikit-Learn pipelines to PMML. Table of Contents Features Overview Supported p
     
    Miscellaneous
    198
    Rails-like inflection library for Clojure and ClojureScript
    r0man Inflections Rails-like inflection library for Clojure and ClojureScript. Usage (use 'inflections.core) (plural "word") ;=> "words" (plural "virus")
     
    Miscellaneous
    733
    Data visualizations in Clojure and ClojureScript using Vega and Vega-lite
    metasoarous Great and powerful scientific documents & data visualizations Overview Oz is a data visualization and scientific document processing library for Cloju
     
    Miscellaneous
    7
    Apache Dubbo Hessian2 CVE-2021-43297 demo
    longofo Apache Dubbo Hessian2异常处理时的反序列化(CVE-2021-43297) 将两个项目分别导入两个idea 先运行org.apache.dubbo.samples.basic.BasicProvider#main启动服务端 再运行org.apache.dubbo.samples.
     
    Miscellaneous
    6
    A public bot for Discord servers 🥶
    zellzik Public sample bot for Discord servers 😎 Bot is written in Java 16, currently there is only verification in the bot, but if someone knows at least the
     
    Miscellaneous
    5
    Hexagon decompiler for Ghidra
    toshipiazza Ghidra hexagon plugin WIP Hexagon decompiler plugin for ghidra Pcode is more or less autogenerated, essentially copying and adapting from binja-hexago
     
    Miscellaneous
    4
    Log4J 2.0 beta9 without JNDI lookup functionality
    IntentStore Log4J-Patched Log4J 2.0 beta9 without JNDI lookup functionality How does the Log4J exploit work? A server sends the user a specially crafted packet wh
     
    Miscellaneous
    3
    A bukkit server plugin make player can use shulker box dupe item
    jiyun233 ShulkerDupe a bukkit server plugin make player can use shulker box dupe item Configuration
     
    Miscellaneous
    3
    Minecraft Open to Internet
    MvRens Minecraft Open to Internet This useful little utility I wrote back in 2012 should still work! It is written in Delphi, XE2 I believe. It seems to use
     
    Miscellaneous
    3
    A 1.18.1 minecraft Utility Client
    Sxmurai saturn-client A 1.18.1 minecraft Utility Client Licensing This project is under the GNU v3.0 licensing. If you use any code from this project you must
     
    Miscellaneous
    3
    Ghidra Plugin for Texas Instrument CC 8051 SOC's especially CC1110 and CC2510
    atc1441 Texas Instruments CCxxxx Ghidra CPU Plugin Ghidra Plugin for Texas Instrument CC 8051 core SOC's especially CC1110 and CC2510 This helps to name the d
     
    Miscellaneous
    4
    A general purpose programming language
    omnit3a Jenny A general purpose programming language I'm making Jenny out of interest, and mainly just because I want to see how far I can get with making my
     
    Miscellaneous
    303
    Hierarchical Temporal Memory implementation in Java - an official Community-Driven Java po...
    numenta htm.java Official Java™ version of... Hierarchical Temporal Memory (HTM) Community-supported & ported from the Numenta Platform for Intelligent Comput