You can change the IDA options around strings so that it will not automatically generate a name (and set options like string prefix, etc.) but then you just get something like “asc_401414” which isn’t that meaningful either. IDA will sometimes just give you a very generic name without including the address in the label. Ghidra did better on this part, at least recognizing that there’s a function there while IDA got a bit more confused:Īs I was looking at the function at 4017B8, besides noticing that this was another function that IDA didn’t recognize, I noticed that Ghidra labels strings in a nice way where the label contains both a reference to the string itself and also the address. On the other hand, I remember there was a part of the code that IDA wasn’t as successful with. In Ghidra, you’d just put the cursor in the spot where you want to create the function, and then hit F: Press F to Pay Respect Create a Function One thing I suppose you could do is look for function entry sequences (PUSH EBP MOV EBP, ESP) and then manually create a function when you find one. Once I loaded the ransomware, one thing I noticed immediately is that Ghidra didn’t catch that there was a new function right after the entry/start function, but IDA did: Look at 401CD5…
I’m using Ghidra 9.0 Public and Ida Free 7.0 (both running in a 64-bit VM). Whenever it makes sense I’ll do a side-by-side comparison. For more Ghidra practice, I took a piece of ransomware that I analyzed before (using IDA) and worked on it with Ghidra. I’m still digging into Ghidra, building off of my last post which was meant to be a kind of “ IDA to Ghidra Crossover” guide.
0 kommentar(er)
