Skip to content
A collection of pwn/CTF related utilities for Ghidra
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
docs/images added system call annotation Jan 17, 2020
.gitignore Initial commit Jan 10, 2020
LICENSE Initial commit Jan 10, 2020 added convenience script to convert operands to strings IDA style Jan 18, 2020


A collection of pwn/CTF related utilities for Ghidra


Replace Constants

This utility will attempt to replace known constants in functions with their human readable counterpart.

pwndra constants

Annotate Syscalls

This utility will attempt to find and identify system calls (and arguments).

Annotation in the decompiler view pwndra syscalls

Arguments are annotated in the disassembler view pwndra syscalls

Character Conversion

The correct workflow to convert displayed data in an operand is to right click the value and select the conversion type under the Convert submenu, however, on request I have made a script to convert the display type of operands to char so it can be used with a keyboard shortcut for convenience (IDA style).

To use it select the In Tool option of the script and then select a numeric operand and hit shift+r to convert to a string. You can change the shortcut by editing the line that contains the comment with keybinding in it at the top of the script.


Clone the repository or download and extract somewhere. In Ghidra, open the Script Manager (Window -> Script Manager) click the Script Directory buttom and add pwndra/scripts to the list.

Once the script directory is added to Ghidra you can find the scripts in the Pwn category. You can run the scripts directly from the Script Manager if you like but the scripts also have menus and keyboard shortcuts for ease of use. In order to activate the menus and shortcuts you must click the In Tool checkbox next to the scripts you wish to integrate into the tool.

If you clicked In Tool the menus will be under Analysis -> Pwn and any shortcuts for scripts are listed in the menu item that uses that shortcut.


There are several frontends available:

  • aarch64
  • amd64
  • arm (oabi/eabi)
  • hppa
  • i386
  • m68k
  • mips (n32/o32/n64)
  • powerpc
  • powerpc64
  • sh
  • sh4
  • sparc
  • sparc64
  • thumb

You can either run one of those frontend scripts directly (through the Script Manager or if you clicked In Tool you can access a menu; Analysis -> Pwn -> Tool Name).

There is an Auto frontend that will automatically detect the current loaded program for you. This can also be accessed with the keyboard shortcut which is specified in the menu item for the tool.

The scripts have two modes of operation, the default is to operate globally, the second is to only operate on a given selection. This is useful for those times where you have two binary modes interlaced in the same code such as i386/amd64 or thumb/arm.

You can’t perform that action at this time.