fix: use detected ELF architecture instead of hardcoded ARM

process_elf_file() hardcoded ARM:LE:32:Cortex as the -processor
flag for Ghidra, causing all x86-64 ELF files to be decompiled
with the wrong architecture (producing garbage halt_baddata output).

Now calls detect_elf_architecture() to determine the correct
processor ID and compiler spec from the ELF header.

Also fix format.sh to use python3 instead of python for Ubuntu 24.04
compatibility.

test: add regression tests for ELF architecture detection in process_elf_file

6 new tests verify that the Ghidra command line receives the correct
-processor flag based on actual ELF architecture (x86-64, ARM32,
AARCH64, unknown).

Author: FASTSHIFT

format.sh

@@ -56,16 +56,16 @@ ALL_PASSED=true
 echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
 echo -e "${BLUE}  Import Sorting (isort)${NC}"
 echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
-if command -v isort &> /dev/null || python -m isort --version &> /dev/null; then
+if command -v isort &> /dev/null || python3 -m isort --version &> /dev/null; then
     if $CHECK_ONLY; then
-        if python -m isort --check-only --profile black $FILES; then
+        if python3 -m isort --check-only --profile black $FILES; then
             echo -e "${GREEN}✓ isort: passed${NC}"
         else
             echo -e "${RED}✗ isort: issues found${NC}"
             ALL_PASSED=false
         fi
     else
-        python -m isort --profile black $FILES
+        python3 -m isort --profile black $FILES
         echo -e "${GREEN}✓ isort: completed${NC}"
     fi
 else
@@ -77,16 +77,16 @@ echo ""
 echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
 echo -e "${BLUE}  Code Formatting (black)${NC}"
 echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
-if command -v black &> /dev/null || python -m black --version &> /dev/null; then
+if command -v black &> /dev/null || python3 -m black --version &> /dev/null; then
     if $CHECK_ONLY; then
-        if python -m black --check $FILES; then
+        if python3 -m black --check $FILES; then
             echo -e "${GREEN}✓ black: passed${NC}"
         else
             echo -e "${RED}✗ black: issues found${NC}"
             ALL_PASSED=false
         fi
     else
-        python -m black $FILES
+        python3 -m black $FILES
         echo -e "${GREEN}✓ black: completed${NC}"
     fi
 else
@@ -98,8 +98,8 @@ echo ""
 echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
 echo -e "${BLUE}  Linting (flake8)${NC}"
 echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
-if command -v flake8 &> /dev/null || python -m flake8 --version &> /dev/null; then
-    if python -m flake8 --max-line-length 88 --extend-ignore E203,E501,W503 $FILES; then
+if command -v flake8 &> /dev/null || python3 -m flake8 --version &> /dev/null; then
+    if python3 -m flake8 --max-line-length 88 --extend-ignore E203,E501,W503 $FILES; then
         echo -e "${GREEN}✓ flake8: no issues${NC}"
     else
         echo -e "${RED}✗ flake8: issues found${NC}"

libsurgeon.py

@@ -1164,17 +1164,31 @@ def process_elf_file(
         log_step("Running Ghidra analysis & decompilation...")
         print()
 
+        # Detect architecture
+        arch_info = detect_elf_architecture(elf_path)
+        if arch_info:
+            processor_id, cspec = arch_info
+            log_info(f"Detected architecture: {processor_id} (cspec: {cspec})")
+        else:
+            processor_id, cspec = None, None
+            log_warn("Could not detect architecture, letting Ghidra auto-detect")
+
         # Build Ghidra command
         cmd = [
             ghidra_headless,
             temp_project,
             "elf_project",
             "-import",
             elf_path,
-            "-processor",
-            "ARM:LE:32:Cortex",
-            "-cspec",
-            "default",
+        ]
+
+        # Add processor/cspec only if detected (otherwise let Ghidra auto-detect)
+        if processor_id:
+            cmd += ["-processor", processor_id]
+        if cspec:
+            cmd += ["-cspec", cspec]
+
+        cmd += [
             "-postScript",
             decompile_script,
             output_dir,

tests/test_process_elf.py

@@ -0,0 +1,223 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""
+LibSurgeon Test Suite - ELF Processing Pipeline Tests
+
+Tests that process_elf_file correctly uses detected architecture
+when building the Ghidra command line, rather than hardcoding a
+specific processor.
+
+This test was added after a bug where process_elf_file hardcoded
+ARM:LE:32:Cortex as the processor, causing all x86-64 ELF files
+to be decompiled with the wrong architecture (producing garbage
+halt_baddata() output).
+"""
+
+import os
+from unittest.mock import patch
+
+import pytest  # noqa: F401 - used by fixtures
+
+from libsurgeon import (
+    detect_elf_architecture,
+    process_elf_file,
+)
+
+FIXTURES_DIR = os.path.join(os.path.dirname(__file__), "fixtures")
+
+
+class TestProcessElfArchitectureDetection:
+    """
+    Tests that process_elf_file passes the correct -processor flag
+    to Ghidra based on the actual ELF architecture.
+
+    This is a regression test for the bug where ARM:LE:32:Cortex was
+    hardcoded, causing x86-64 binaries to be decompiled as ARM.
+    """
+
+    def _get_ghidra_cmd_from_process_elf(self, elf_path, temp_dir):
+        """
+        Helper: call process_elf_file with a mocked subprocess.Popen
+        and capture the command line that would be passed to Ghidra.
+        """
+        captured_cmd = {}
+
+        class FakePopen:
+            def __init__(self, cmd, **kwargs):
+                captured_cmd["cmd"] = cmd
+                self.returncode = 0
+                self.stdout = iter(
+                    [
+                        "INFO  ANALYZING\n",
+                        "INFO  REPORT: Analysis succeeded\n",
+                    ]
+                )
+
+            def wait(self):
+                pass
+
+        fake_ghidra_dir = os.path.join(temp_dir, "fake_ghidra")
+        os.makedirs(os.path.join(fake_ghidra_dir, "support"), exist_ok=True)
+        headless_path = os.path.join(fake_ghidra_dir, "support", "analyzeHeadless")
+        with open(headless_path, "w") as f:
+            f.write("#!/bin/bash\nexit 0\n")
+        os.chmod(headless_path, 0o755)
+
+        # Also need the ghidra_decompile_elf.py script to exist
+        script_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+        assert os.path.isfile(
+            os.path.join(script_dir, "ghidra_decompile_elf.py")
+        ), "ghidra_decompile_elf.py not found"
+
+        with patch("subprocess.Popen", FakePopen):
+            process_elf_file(
+                elf_path=elf_path,
+                output_base=os.path.join(temp_dir, "output"),
+                ghidra_path=fake_ghidra_dir,
+                strategy="prefix",
+                timeout=60,
+                evaluate=False,
+            )
+
+        return captured_cmd.get("cmd")
+
+    def test_x86_64_elf_uses_x86_64_processor(self, temp_dir):
+        """
+        Regression test: an x86-64 ELF must NOT be decompiled with ARM processor.
+        process_elf_file should detect x86-64 and pass -processor x86:LE:64:default.
+        """
+        so_file = os.path.join(FIXTURES_DIR, "libtest.so")
+        if not os.path.isfile(so_file):
+            pytest.skip("Test fixture libtest.so not found (run build_fixtures.sh)")
+
+        # Verify the fixture is actually x86-64
+        arch = detect_elf_architecture(so_file)
+        assert arch is not None, "Failed to detect architecture of libtest.so"
+        processor, cspec = arch
+        assert (
+            "x86" in processor and "64" in processor
+        ), f"Expected x86-64 fixture, got {processor}"
+
+        cmd = self._get_ghidra_cmd_from_process_elf(so_file, temp_dir)
+        assert cmd is not None, "Ghidra command was not captured"
+
+        # The command must contain -processor with x86:LE:64:default
+        assert (
+            "-processor" in cmd
+        ), "process_elf_file did not pass -processor flag to Ghidra"
+        proc_idx = cmd.index("-processor")
+        actual_processor = cmd[proc_idx + 1]
+        assert "x86" in actual_processor and "64" in actual_processor, (
+            f"Expected x86:LE:64:default processor for x86-64 ELF, "
+            f"got '{actual_processor}'. "
+            f"This is the ARM hardcoding bug!"
+        )
+        # Must NOT contain ARM
+        assert "ARM" not in actual_processor, (
+            f"x86-64 ELF is being decompiled as ARM: '{actual_processor}'. "
+            f"This is the ARM hardcoding bug!"
+        )
+
+    def test_x86_64_elf_executable_uses_x86_64_processor(self, temp_dir):
+        """Same test but with an ELF executable instead of shared library."""
+        elf_file = os.path.join(FIXTURES_DIR, "test_program.elf")
+        if not os.path.isfile(elf_file):
+            pytest.skip("Test fixture test_program.elf not found")
+
+        cmd = self._get_ghidra_cmd_from_process_elf(elf_file, temp_dir)
+        assert cmd is not None
+
+        assert "-processor" in cmd
+        proc_idx = cmd.index("-processor")
+        actual_processor = cmd[proc_idx + 1]
+        assert "x86" in actual_processor and "64" in actual_processor
+        assert "ARM" not in actual_processor
+
+    def test_synthetic_arm32_elf_uses_arm_processor(self, temp_dir):
+        """An ARM 32-bit ELF should use an ARM processor ID."""
+        # Create a synthetic ARM32 LE ELF header
+        elf_file = os.path.join(temp_dir, "arm32_test.so")
+        with open(elf_file, "wb") as f:
+            f.write(b"\x7fELF")  # magic
+            f.write(b"\x01")  # 32-bit
+            f.write(b"\x01")  # little endian
+            f.write(b"\x01\x00\x00")  # version + padding
+            f.write(b"\x00" * 7)  # padding
+            f.write(b"\x03\x00")  # e_type = ET_DYN (shared object)
+            f.write(b"\x28\x00")  # e_machine = ARM
+            f.write(b"\x00" * 100)  # rest of header
+
+        cmd = self._get_ghidra_cmd_from_process_elf(elf_file, temp_dir)
+        assert cmd is not None
+
+        assert "-processor" in cmd
+        proc_idx = cmd.index("-processor")
+        actual_processor = cmd[proc_idx + 1]
+        assert (
+            "ARM" in actual_processor
+        ), f"Expected ARM processor for ARM ELF, got '{actual_processor}'"
+
+    def test_synthetic_aarch64_elf_uses_aarch64_processor(self, temp_dir):
+        """An AARCH64 ELF should use an AARCH64 processor ID."""
+        elf_file = os.path.join(temp_dir, "aarch64_test.so")
+        with open(elf_file, "wb") as f:
+            f.write(b"\x7fELF")
+            f.write(b"\x02")  # 64-bit
+            f.write(b"\x01")  # little endian
+            f.write(b"\x01\x00\x00")
+            f.write(b"\x00" * 7)
+            f.write(b"\x03\x00")  # e_type = ET_DYN
+            f.write(b"\xb7\x00")  # e_machine = AARCH64
+            f.write(b"\x00" * 100)
+
+        cmd = self._get_ghidra_cmd_from_process_elf(elf_file, temp_dir)
+        assert cmd is not None
+
+        assert "-processor" in cmd
+        proc_idx = cmd.index("-processor")
+        actual_processor = cmd[proc_idx + 1]
+        assert "AARCH64" in actual_processor
+
+    def test_processor_and_cspec_both_passed(self, temp_dir):
+        """Both -processor and -cspec should be passed when architecture is detected."""
+        so_file = os.path.join(FIXTURES_DIR, "libtest.so")
+        if not os.path.isfile(so_file):
+            pytest.skip("Test fixture libtest.so not found")
+
+        cmd = self._get_ghidra_cmd_from_process_elf(so_file, temp_dir)
+        assert cmd is not None
+
+        assert "-processor" in cmd, "Missing -processor flag"
+        assert "-cspec" in cmd, "Missing -cspec flag"
+
+        cspec_idx = cmd.index("-cspec")
+        actual_cspec = cmd[cspec_idx + 1]
+        assert (
+            actual_cspec == "gcc"
+        ), f"Expected cspec 'gcc' for x86-64 ELF, got '{actual_cspec}'"
+
+    def test_unknown_arch_omits_processor_flag(self, temp_dir):
+        """
+        When architecture cannot be detected, -processor should be omitted
+        to let Ghidra auto-detect.
+        """
+        # Create a file with unknown machine type
+        elf_file = os.path.join(temp_dir, "unknown_arch.so")
+        with open(elf_file, "wb") as f:
+            f.write(b"\x7fELF")
+            f.write(b"\x02")  # 64-bit
+            f.write(b"\x01")  # little endian
+            f.write(b"\x01\x00\x00")
+            f.write(b"\x00" * 7)
+            f.write(b"\x03\x00")  # e_type
+            f.write(b"\xff\xff")  # e_machine = unknown
+            f.write(b"\x00" * 100)
+
+        cmd = self._get_ghidra_cmd_from_process_elf(elf_file, temp_dir)
+        assert cmd is not None
+
+        # Should NOT have -processor since arch is unknown
+        assert (
+            "-processor" not in cmd
+        ), "Should not pass -processor for unknown architecture"
+        assert "-cspec" not in cmd, "Should not pass -cspec for unknown architecture"