Ghidra: Wildcards when using Memory Search doesn't work as intended

Created on 7 Mar 2019  路  4Comments  路  Source: NationalSecurityAgency/ghidra

Describe the bug
When using the 'Memory Search' from Search > Memory, the 'wildcard' option doesn't work as intended. It seems like it's replacing "?" with 00 instead of an actual wildcarded value.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Search in the Menu tab
  2. Click on 'Memory'
  3. Type out any AOB with a wildcard. I used '64 A1 ? ? ? ?' (mov eax, ? ? ? ? )
  4. Click 'Search All'
  5. Notice that the search results only give 64 A1 00 00 00 00 results.

Expected behavior
Expected similar behavior as IDA giving any result including the 00 00 00 00 ones.

Screenshots
https://i.imgur.com/v8I4N1e.png

Environment

  • OS: Windows 10
  • Version: 9.0 PUBLIC
Bug
Source
picture nithax

Most helpful comment

@nithax It seems you need to use dots . for wildcards.
e.g.:

64 A1 . . . .
picture Randshot on 7 Mar 2019
👍2

All 4 comments

@nithax It seems you need to use dots . for wildcards.
e.g.:

64 A1 . . . .
Randshot picture Randshot on 7 Mar 2019
👍2

Just tried "." instead of "?" and I get the same results. Definitely something wrong here

https://i.imgur.com/JFfAtjI.png

nithax picture nithax on 8 Mar 2019

I had success with removing the spaces between the dots/questionmarks:
64 A1 ........ or 64 A1 ????????

Randshot picture Randshot on 8 Mar 2019

Ah thanks @Randshot , that works.

nithax picture nithax on 8 Mar 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

tambry picture tambry  路  3Comments
pd0wm picture pd0wm  路  3Comments
0x6d696368 picture 0x6d696368  路  3Comments
chibicitiberiu picture chibicitiberiu  路  3Comments
awsaba picture awsaba  路  3Comments