# PyGhidra Ghidra Ops Use this skill when Ghidra MCP is missing a needed write operation and you need native CPython access to the Ghidra API for the local Crusader project. ## Use Cases - Create or delete functions in `CRUSADER-RAW.EXE`. - Apply small batched repairs driven by verified addresses. - Add comments or rename functions by address from a repeatable JSON plan. - Inspect project root files to confirm the program name/path before running edits. ## Workspace Defaults - Ghidra install dir: `I:\Apps\ghidra_11.3.2_PUBLIC` - Ghidra project dir: repo root - Ghidra project name: `Crusader` - Default program: `CRUSADER-RAW.EXE` - Local Python env: `.venv-pyghidra311` - CLI entrypoint: `.\.venv-pyghidra311\Scripts\python.exe -m tools.pyghidra_crusader` ## Constraints - Stay conservative. Use the same rename and batch-size rules as the main Ghidra workflow. - Prefer one focused plan or 1-5 direct edits at a time. - Write operations require the project to be openable for modification. If `Crusader.lock` is present because the GUI owns the project, close Ghidra first or work on a copy. - Keep `crusader_decompilation_notes.md` updated after verified repair batches. ## Commands List root project files: ```powershell .\.venv-pyghidra311\Scripts\python.exe -m tools.pyghidra_crusader project-files ``` Delete a bad function object: ```powershell .\.venv-pyghidra311\Scripts\python.exe -m tools.pyghidra_crusader delete-function --entry 0007:5b6f ``` Create a repaired function with an explicit body: ```powershell .\.venv-pyghidra311\Scripts\python.exe -m tools.pyghidra_crusader create-function \ --entry 0007:5a90 \ --name seg043_func_0090 \ --body-start 0007:5a90 \ --body-end 0007:5b79 \ --plate-comment "Recovered from standalone seg043 boundary scan" ``` Rename a function by entry address: ```powershell .\.venv-pyghidra311\Scripts\python.exe -m tools.pyghidra_crusader rename-function --entry 0006:02cc --name entity_class_get_flag20 ``` Apply a small JSON plan: ```json { "transaction": "Repair seg043 boundaries", "remove_functions": [ "0007:5b6f" ], "create_functions": [ { "entry": "0007:5a90", "name": "seg043_func_0090", "body_start": "0007:5a90", "body_end": "0007:5b79", "comment": "Recovered from standalone seg043 boundary scan" }, { "entry": "0007:5b7a", "name": "seg043_func_017a", "body_start": "0007:5b7a", "body_end": "0007:5c1b" }, { "entry": "0007:5c1c", "name": "seg043_func_021c", "body_start": "0007:5c1c", "body_end": "0007:5c80" } ], "comments": [ { "address": "0007:5b6f", "text": "Old auto-created split overlaps the earlier seg043:0090..0179 routine.", "type": "plate" } ] } ``` ```powershell .\.venv-pyghidra311\Scripts\python.exe -m tools.pyghidra_crusader apply-plan --plan .\seg043_repair.json ``` Dry-run a plan before touching the project: ```powershell .\.venv-pyghidra311\Scripts\python.exe -m tools.pyghidra_crusader apply-plan --plan .\seg043_repair.json --dry-run ``` ## Implementation Notes - Address strings accept raw `SSSS:OOOO` form or plain integers such as `0x75a90`. - The CLI tries a few root folder path variants when opening the program so it can tolerate minor project path differences. - Plan files support `remove_functions`, `rename_functions`, `create_functions`, `comments`, and `assert_functions`.