
I am trying to decompile nodejs bytecode using Ghidra, and there is this specific plugin which decompiles the nodejs bytecode. How can I install that plugin using the Ghidra headless method?

And another question I have is, after analysing the nodejs bytecode it generated a .rep folder, which I am not sure what to do about now, as I thought it will be giving me the source code after analysis.

Thanks in advance :)

Pradumn

1 Answer

Installing a plugin in Ghidra via GUI is just an unzip with extra checks. Headless install is described in the doc at https://ghidra-sre.org/InstallationGuide.html#GhidraExtensionNotes

To install an extension in these cases, simply extract the desired Ghidra extension archive file(s) to the `<GhidraInstallDir>/Ghidra/Extensions` directory. For example, on Linux or macOS:

  1. Set current directory to the Ghidra installed-extensions directory: `cd <GhidraInstallDir>/Ghidra/Extensions`
  2. Extract desired extension archive file(s) to the current directory: `unzip /path/to/<extension>.zip`
  3. The extension(s) will be installed the next time Ghidra is started.

How to dump the source code will depend on the plugin you are using, without a link it's hard to tell. I guess it just allows disassembling NodeJS bytecode, so you have to use the regular Ghidra APIs or scripts to dump disassembly?

Florian Magin
  • The plugin that I am using is this one: https://github.com/PositiveTechnologies/ghidra_nodejs This plugin claims to decompile the bytecode to its source code, but when I was using it in headless mode I did not understand how to call this plugin in headless mode after analysis. After analysis I got a .rep folder, so I am not sure how to proceed now. Can you please help me out? – Pradumn Mar 25 '22 at 05:59
  • The .rep folder is just the Project that Ghidra created, that's expected. – Florian Magin Mar 25 '22 at 18:15
  • Ghidra's design means that it doesn't really matter that you decompiled V8 code vs decompiled x86. Any script that dumps all decompiled functions should work in your case, simply call it via the `-postScript` parameter to the headless analyzer. Some details are explained in this issue: https://github.com/NationalSecurityAgency/ghidra/issues/574 – Florian Magin Mar 25 '22 at 18:19
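
Added example, not from the posts above and not part of Ghidra or ghidra_nodejs: a Ghidra script of the kind the last comment describes, which writes the decompiler output of every function to one file when passed to the headless analyzer via `-postScript`. The class name `DumpDecompiled`, the 60-second timeout, the default output name and all paths in the header comment are assumptions chosen for illustration.

```java
// DumpDecompiled.java - illustrative script; names and paths are placeholders.
// Headless use, after the extension has been unzipped into Ghidra/Extensions:
//   <GhidraInstallDir>/support/analyzeHeadless /path/to/projects MyProject \
//       -import /path/to/input.jsc -scriptPath /path/to/scripts \
//       -postScript DumpDecompiled.java /path/to/out.c
import java.io.File;
import java.io.PrintWriter;

import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;

public class DumpDecompiled extends GhidraScript {
    private static final int TIMEOUT_SECONDS = 60; // per function, assumed value

    @Override
    public void run() throws Exception {
        // First script argument = output file; otherwise derive one from the program name.
        String[] args = getScriptArgs();
        File out = new File(args.length > 0 ? args[0]
                : currentProgram.getName() + ".decompiled.c");

        DecompInterface decompiler = new DecompInterface();
        if (!decompiler.openProgram(currentProgram)) {
            throw new IllegalStateException(
                    "Decompiler failed to start: " + decompiler.getLastMessage());
        }
        int ok = 0, failed = 0;
        try (PrintWriter writer = new PrintWriter(out, "UTF-8")) {
            for (Function f : currentProgram.getFunctionManager().getFunctions(true)) {
                if (monitor.isCancelled()) break;
                DecompileResults res = decompiler.decompileFunction(f, TIMEOUT_SECONDS, monitor);
                if (res != null && res.decompileCompleted()) {
                    writer.printf("// %s @ %s%n", f.getName(), f.getEntryPoint());
                    writer.println(res.getDecompiledFunction().getC());
                    ok++;
                } else {
                    // Record failures instead of silently skipping the function.
                    writer.printf("// FAILED %s @ %s: %s%n", f.getName(), f.getEntryPoint(),
                            res == null ? "no result" : res.getErrorMessage());
                    failed++;
                }
            }
        } finally {
            decompiler.dispose();
        }
        println("Wrote " + ok + " functions (" + failed + " failed) to " + out.getAbsolutePath());
    }
}
```

To run it against a program already stored in the `.rep` project instead of re-importing, replace `-import <file>` with `-process <program name>` and add `-noanalysis`.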