Hello #Ghidra users and #reversing experts out there: I need to level up my understanding of the C++ code produced by the decompiler from stripped binaries. Do you know of any tutorials that help me to step by step learn how to e.g. deal with vtables, recognize functions Ghidra has missed, create data types, ... Preferably with examples from ARM binaries.

@muminpappa I haven’t used Ghirda for a few years now, and never did ARM, so I don’t know about any specific tutorials but if you’re new to the tool, a good place to start is with the Ghidra book by Chris Eagle https://nostarch.com/GhidraBook. For finding missing functions, you can try turning on “aggressive instruction finder” in the analysis options to let Ghidra work harder at finding code. What sort of binary are you looking at?

@samirx thanks. I'll check it out. I'm analyzing a server binary on an embedded Linux system. Most of it has been written in c++.

@muminpappa hmmm for a binary like that I wouldn’t expect Ghidra to miss much, but sometimes you might find code that hasn’t been disassembled but that’s probably because it hasn’t been referenced or called.

With the decompiled code, I find renaming variables and defining the function prototypes goes a long way to understanding the code. I like to start by finding string manipulation functions (printf etc) and memory related functions (malloc, free, memset etc) and define/naming them. Once you find and rename these functions the code start making more sense.

Not sure if this is all stuff you know or not, but hope it helps!

@muminpappa Here's my old project with some (relatively) easy to get code and links to more mature resources: https://github.com/v-p-b/ghidra-vftable

@buherator awesome, thanks!