Ghostrings (“Go strings”) is a collection of Ghidra scripts for recovering string definitions in Go binaries. These analyze P-Code rather than native machine code, so they’re architecture independent.

While developing Ghostrings, I ran into some unexpected difficulties with using the Ghidra decompiler’s high P-Code output to analyze stack write operations. To understand and work around these issues, I had to look into the decompiler internals, including the different analysis configurations or “simplification styles” it offers. I wrote a blog post to provide an overview of what the simplification styles are, how to trace through the decompilation process to observe how specific analysis rules affect the P-Code output, and how to use the output from a lower-level simplification style versus a higher-level simplification style for analysis scripts.

The blog post is published on the NCC Group research blog at https://research.nccgroup.com/2022/05/20/earlyremoval-in-the-conservatory-with-the-wrench/.