Skip to content
Scripts for the Ghidra software reverse engineering suite.
YARA Python
Branch: master
Clone or download
nezza Merge pull request #3 from 0x6d696368/master
fixed: marking incorrect offsets for matches
Latest commit fa1a02d Apr 20, 2019


Scripts for the Ghidra software reverse engineering suite.


In the Ghidra Script Manager click the "Script Directories" icon in the toolbar and add the checked out repository as a path. Scripts from this collection will appear in the "Ghidra Ninja" category.

Runs binwalk on the current program and bookmarks the findings. Requires binwalk to be in $PATH.

Example result: SHA256 constants found by binwalk.

Automatically find crypto constants in the loaded program - allows to very quickly identify crypto code.

Example result: Crypto constants found in libcrypto.a

Runs yara with the patterns found in yara-crypto.yar on the current program. The Yara rules are licensed under GPLv2. In addition @phoul's SHA256 rule was added.

Requires yara to be in $PATH.

Automatically demangle swift function names. For more complex functions it adds the full demangled name into the function comment. Requires swift to be in $PATH.

Example result: Swift demangling of a simple entry function.

Restores function names from a stripped Go binary. This script was contributed by QwErTy (QwErTyReverse on Telegram) and is a port of George Zaytsev's

Example result: Function names restored by

You can’t perform that action at this time.