Add PyGhidra Crusader Toolkit and patch scripts
- Introduced README.md for the PyGhidra Crusader Toolkit, detailing setup and usage instructions. - Added bootstrap_env.ps1 script to create and refresh the Python virtual environment with necessary packages. - Implemented _tmp_patch_hidden_cheat_menu.py and _tmp_patch_hidden_cheat_menu_deferred.py scripts for patching specific memory addresses in Ghidra.
This commit is contained in:
parent
fafd849beb
commit
ad6ebd0b86
132 changed files with 41758 additions and 99 deletions
25
.github/instructions/ghidra.instructions.md
vendored
25
.github/instructions/ghidra.instructions.md
vendored
|
|
@ -4,14 +4,15 @@ applyTo: "**"
|
|||
|
||||
# Crusader Ghidra Workflow
|
||||
|
||||
- Active target is the raw full-EXE Ghidra program `CRUSADER-RAW.EXE` unless explicitly stated otherwise.
|
||||
- Active target is the NE Ghidra program `CRUSADER.EXE` unless explicitly stated otherwise.
|
||||
- Use Ghidra MCP tools for analysis, decompilation, renaming, comments, and xref work.
|
||||
- Treat the verified `CRUSADER-RAW.EXE` work already captured in `docs/` and notes as a cross-reference evidence base for the live `CRUSADER.EXE` session, not as the default active program.
|
||||
- Avoid speculative renames. Prefer names that are supported by one of these:
|
||||
- verified raw mapping from standalone segment work
|
||||
- direct string evidence
|
||||
- clear call/field behavior in decompiler or disassembly
|
||||
- xref relationships to already-named functions
|
||||
- When porting names from standalone segment extracts into `CRUSADER-RAW.EXE`, use only verified base mappings.
|
||||
- When porting names from standalone segment extracts or prior raw full-EXE work into `CRUSADER.EXE`, use only verified base mappings and keep the older raw address evidence with the live NE address where practical.
|
||||
|
||||
# Verified Raw Mapping Rules
|
||||
|
||||
|
|
@ -25,6 +26,7 @@ applyTo: "**"
|
|||
- Prefer a single decompile call first.
|
||||
- If the decompiler collapses to thunk-heavy output, use one disassembly lookup to confirm the wrapper or parameter setup.
|
||||
- **When `decompile_function` output is too large** (>~50KB), the result is written to a temp JSON file that `read_file` returns as empty `{}`. Use `disassemble_function` instead — it returns inline assembly directly and is fully navigable for large functions.
|
||||
- Cross-reference new `CRUSADER.EXE` findings against the old raw notes before promoting a rename or behavioral claim. If the two differ, keep both addresses and explain the mismatch instead of silently preferring one.
|
||||
- Add a short decompiler comment when a rename is mapped from verified notes so the provenance stays visible in Ghidra.
|
||||
- Keep `crusader_decompilation_notes.md` updated after each verified batch. That file is now a short index — append new analysis to the appropriate file in `docs/` and add a row to the index table if a new file is created.
|
||||
- Keep `crusader_segment_coverage_ledger.csv` updated after each verified batch whenever a segment can be promoted or reclassified.
|
||||
|
|
@ -36,19 +38,32 @@ applyTo: "**"
|
|||
- For substantive RE batches, end with at least 6 concrete future steps unless the task is fully closed and there are genuinely fewer defensible next actions.
|
||||
- When a batch analyzes currently unnamed Ghidra functions and the behavior is clear enough, rename them in Ghidra instead of leaving them as positional `FUN_xxxx_xxxx` placeholders.
|
||||
|
||||
# Executable Write Safety
|
||||
|
||||
- Normal Ghidra database work on `CRUSADER.EXE` remains in scope: renames, comments, prototypes, local-variable/type cleanup, function creation/deletion, and boundary repair are allowed unless the user says otherwise.
|
||||
- Treat only actual program-byte changes as destructive actions: byte patching, write-back flows that alter loaded memory bytes, or any operation that would make the executable differ from the original program bytes.
|
||||
- Never run destructive byte-write operations against the main reference executable in the project.
|
||||
- Only use byte-patching or other byte-diverging executable write flows when the target program is an explicitly writable patch target, normally a program in the `/Writable` folder.
|
||||
- Treat `CRUSADER.EXE`, `CRUSADER-RAW.EXE`, and other main reference executables as read-only with respect to program bytes unless the user explicitly says otherwise.
|
||||
- Before running write endpoints such as `patch_bytes_and_reanalyze` or any PyGhidra byte-write script, verify that the selected program is the intended writable copy, not the reference executable.
|
||||
- If the target program is not clearly a writable patch copy in `/Writable`, stop and ask the user before performing the byte write.
|
||||
|
||||
# PyGhidra Fallback
|
||||
|
||||
- Use the local PyGhidra toolkit in `tools/pyghidra_crusader` when MCP is missing an operation such as function creation, deletion, or batched scripted edits.
|
||||
- When PyGhidra is needed because MCP lacks a required operation, append a note to `ghidra_mcp_wishlist.md` in the same batch if the gap is not already documented.
|
||||
- The workspace-local Python environment for this toolkit is `.venv-pyghidra311`, created from `C:\Users\Maddo\.pyenv\pyenv-win\versions\3.11.6\python.exe` and installed from the bundled Ghidra 11.3.2 offline packages.
|
||||
- Default install dir for the toolkit is `I:\Apps\ghidra_11.3.2_PUBLIC`.
|
||||
- The workspace-local Python environment for this toolkit is `.venv-pyghidra311`, created from `C:\Users\Maddo\.pyenv\pyenv-win\versions\3.11.6\python.exe` and installed from the bundled Ghidra 12.0.4 offline packages.
|
||||
- Default install dir for the toolkit is `I:\Apps\ghidra_12.0.4_PUBLIC`.
|
||||
- Invoke the toolkit with `\.venv-pyghidra311\Scripts\python.exe -m tools.pyghidra_crusader ...` from the repo root.
|
||||
- Rebuild or refresh that environment with `powershell -ExecutionPolicy Bypass -File .\tools\pyghidra_crusader\bootstrap_env.ps1` from the repo root when the local PyGhidra packages drift or a Ghidra upgrade lands.
|
||||
- Keep PyGhidra batches small too: prefer one focused repair plan or 1-5 direct edits at a time.
|
||||
- Write operations require the Ghidra project to open successfully. If `Crusader.lock` is present because the GUI owns the project, close Ghidra first or operate on a project copy.
|
||||
- If the workflow needs the user to change Ghidra state, use the ask-questions tool with a yes/no confirmation prompt instead of plain text. Ask the user to close Ghidra before PyGhidra write commands, and ask the user to open the Ghidra project before MCP server commands. The prompt should briefly describe exactly what to do and instruct the user to answer `Yes` only after the action is complete.
|
||||
|
||||
# Current Verified Raw-Import Ports
|
||||
|
||||
These remain valid cross-reference anchors for `CRUSADER.EXE` work. Keep the old raw-import addresses and original segment-relative offsets in notes/comments when using them to support live NE renames.
|
||||
|
||||
- `0006:e5d0` = `cursor_update_hover` from seg001 `0x0060`
|
||||
- `0008:7377` = `entity_count_by_type_a` from seg021 `0x0207`
|
||||
- `0007:28ce` = `shot_entity_alloc` from seg001 `0x435e`
|
||||
|
|
@ -88,7 +103,7 @@ applyTo: "**"
|
|||
|
||||
# Documentation Structure
|
||||
|
||||
Detailed RE notes live in the `docs/` folder. `crusader_decompilation_notes.md` is a short index.
|
||||
Detailed RE notes live in the `docs/` folder. `crusader_decompilation_notes.md` is a short index. Unless a doc says otherwise, read raw-focused docs as evidence sources to be cross-checked against the live `CRUSADER.EXE` session.
|
||||
|
||||
| File | Topic |
|
||||
|------|-------|
|
||||
|
|
|
|||
14
.github/skills/pyghidra-ghidra-ops/SKILL.md
vendored
14
.github/skills/pyghidra-ghidra-ops/SKILL.md
vendored
|
|
@ -1,3 +1,8 @@
|
|||
---
|
||||
name: pyghidra-ghidra-ops
|
||||
description: Local PyGhidra fallback workflow for Crusader Ghidra edits and queries
|
||||
---
|
||||
|
||||
# PyGhidra Ghidra Ops
|
||||
|
||||
Use this skill when Ghidra MCP is missing a needed operation and you need native CPython access to the Ghidra API for the local Crusader project.
|
||||
|
|
@ -13,12 +18,13 @@ Use this skill when Ghidra MCP is missing a needed operation and you need native
|
|||
|
||||
## Workspace Defaults
|
||||
|
||||
- Ghidra install dir: `I:\Apps\ghidra_11.3.2_PUBLIC`
|
||||
- Ghidra install dir: `I:\Apps\ghidra_12.0.4_PUBLIC`
|
||||
- Ghidra project dir: repo root
|
||||
- Ghidra project name: `Crusader`
|
||||
- Default program: `CRUSADER-RAW.EXE`
|
||||
- Local Python env: `.venv-pyghidra311`
|
||||
- CLI entrypoint: `.\.venv-pyghidra311\Scripts\python.exe -m tools.pyghidra_crusader`
|
||||
- Bootstrap script: `.\tools\pyghidra_crusader\bootstrap_env.ps1`
|
||||
|
||||
## Constraints
|
||||
|
||||
|
|
@ -27,6 +33,12 @@ Use this skill when Ghidra MCP is missing a needed operation and you need native
|
|||
- Write operations require the project to be openable for modification. If `Crusader.lock` is present because the GUI owns the project, close Ghidra first or work on a copy.
|
||||
- Keep `crusader_decompilation_notes.md` updated after verified repair batches.
|
||||
|
||||
Refresh the local PyGhidra environment when the bundled Ghidra version changes:
|
||||
|
||||
```powershell
|
||||
powershell -ExecutionPolicy Bypass -File .\tools\pyghidra_crusader\bootstrap_env.ps1
|
||||
```
|
||||
|
||||
## Commands
|
||||
|
||||
List root project files:
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue