Ghidra has a well-defined extension API that allows automating some reverse engineering tasks. Scripts using this API can influence the decompiled code only indirectly, by changing symbol and type information. If we want to change the structure of the decompiled code itself, we need to get our hands dirty and modify the C++ code of the decompiler. In this workshop, we cover the basic internals of the Ghidra decompiler and write our own rules to improve the decompilation of example programs. Note that we will not cover basic Ghidra usage, so you should already have some Ghidra experience.
The workshop will cover:
- Setup of the lab environment with a Ghidra install
- Comparison of Java/Python extension API with internal C++ decompiler API
- Overview of the internal decompiler pipeline
- Structure of decompiler rules/actions
- Introduction to the ReOxide toolchain for writing Ghidra decompiler rules
- Analyzing example programs
- Writing your own decompiler rules to improve decompilation of programs
PhD student at UniVie and CTF player at We_0wn_y0u. Passionate about reverse engineering, graphics programming and all kinds of low-level software development.