Decompiler not using the same stack variables as rizin #359
Description
For this small windows crack me, the ghidra decompile output is just not getting the correct stack variables, below is the pdf output:
; CALL XREF from sym.___mingw_CRTStartup @ 0x4010f8
;-- _main:
┌ int main(int argc, char **argv, char **envp);
│ ; var const char *s2 @ stack - 0xe4
│ ; var char [100] s1 @ stack - 0xd4
│ ; var char [100] var_70h @ stack - 0x70
│ ; var int var_ch @ stack - 0xc
│ ; var int32_t var_8h @ stack - 0x8
│ 0x00401350 push ebp
│ 0x00401351 mov ebp, esp
│ 0x00401353 push edi
│ 0x00401354 and esp, 0xfffffff0
│ 0x00401357 sub esp, 0xe0
│ 0x0040135d call sym.___main ; sym.___main
│ 0x00401362 mov dword [esp], str.Input_the_password: ; [0x403024:4]=0x75706e49 ; "Input the password: " ; const char *format
│ 0x00401369 call sym._printf ; sym._printf ; int printf(const char *format)
│ 0x0040136e lea eax, [var_70h[0]]
│ 0x00401372 mov dword [s2], eax
│ 0x00401376 mov dword [esp], data.00403039 ; [0x403039:4]=0x4f007325 ; "%s" ; const char *format
│ 0x0040137d call sym._scanf ; sym._scanf ; int scanf(const char *format)
│ 0x00401382 mov dword [s1[0]], 0x73373030 ; '007s'
│ ; [0x73373030:4]=-1
│ 0x0040138a mov dword [s1[4]], 0x72657075 ; 'uper'
│ ; [0x72657075:4]=-1
│ 0x00401392 mov dword [s1[8]], 0x797073 ; 'spy'
│ ; [0x797073:4]=-1
│ 0x0040139a lea edx, [s1[12]]
│ 0x0040139e mov eax, 0
│ 0x004013a3 mov ecx, 0x16 ; 22
│ 0x004013a8 mov edi, edx
│ 0x004013aa rep stosd dword es:[edi], eax
│ 0x004013ac lea eax, [var_70h[0]]
│ 0x004013b0 mov dword [s2], eax ; const char *s2
│ 0x004013b4 lea eax, [s1[0]]
│ 0x004013b8 mov dword [esp], eax ; const char *s1
│ 0x004013bb call sym._strcmp ; sym._strcmp ; int strcmp(const char *s1, const char *s2)
│ 0x004013c0 mov dword [var_ch], eax
│ 0x004013c7 cmp dword [var_ch], 0
│ ┌─< 0x004013cf jne 0x4013df
│ │ 0x004013d1 mov dword [esp], data.0040303c ; [0x40303c:4]=0x214b4f ; "OK!" ; const char *s
│ │ 0x004013d8 call sym._puts ; sym._puts ; int puts(const char *s)
│ ┌──< 0x004013dd jmp 0x4013eb
│ │└─> 0x004013df mov dword [esp], str.Not_ok ; [0x403040:4]=0x20746f4e ; "Not ok!" ; const char *s
│ │ 0x004013e6 call sym._puts ; sym._puts ; int puts(const char *s)
│ │ ; CODE XREF from main @ 0x4013dd
│ └──> 0x004013eb call sym.__getch ; sym.__getch
│ 0x004013f0 mov eax, 0
│ 0x004013f5 mov edi, dword [var_8h]
│ 0x004013f8 leave
└ 0x004013f9 ret
and pdg output:
// WARNING: Variable defined which should be unmapped: var_8h
undefined4 main(void)
{
int32_t iVar1;
undefined4 *puVar2;
char *s2;
undefined4 uStack_dc;
undefined4 uStack_d8;
char s1 [100];
char var_70h [100];
int var_ch;
int32_t var_8h;
sym.___main();
sym._printf("Input the password: ");
sym._scanf(data.00403039, s1 + 0x5c);
uStack_dc = 0x73373030;
uStack_d8 = 0x72657075;
s1[0] = 's';
s1[1] = 'p';
s1[2] = 'y';
s1[3] = '\0';
puVar2 = (undefined4 *)(s1 + 4);
for (iVar1 = 0x16; iVar1 != 0; iVar1 = iVar1 + -1) {
*puVar2 = 0;
puVar2 = puVar2 + 1;
}
iVar1 = sym._strcmp(&uStack_dc, s1 + 0x5c);
if (iVar1 == 0) {
sym._puts(data.0040303c);
} else {
sym._puts("Not ok!");
}
sym.__getch();
return 0;
}as u can see s1 is starting at stack -0xd4 and then gets the string value assigned as dwords, but it only gets one of those correct (still at the false index) and then also fucks something up with the var_70h variable which should get passed into the strcmp and scanf function. So yeah not sure what exactly gets fucked, but the ghidra decompiler doesnt use the same variables as rizin. If I analyze the crackme with ghidra and edit the variable types the same way ghidra will display the function how i would expect it.
exe, password is crackmes.one