Getting Started with Reverse Engineering using Ghidra

In this article, we are going to explore how to download Ghidra, install it and use it to perform many important tasks such as reverse engineering, binary analysis and malware analysis.

But first what is Ghidra exactly?

According to its official Github repository:

"Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.

In support of NSA's Cyber Security mission, Ghidra was built to solve scaling and teaming problems on complex SRE efforts, and to provide a customizable and extensible SRE research platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code and generating deep insights for SRE analysts who seek a better understanding of potential vulnerabilities in networks and systems."

https://github.com/NationalSecurityAgency/ghidra

The official website of the project is https://ghidra-sre.org:

As you can notice from the official description, this tool was developed and is maintained by the US NSA (National Security Agency), which leads us to ask whether the tool itself is secure. Check this post if you don't know what I am talking about:

Compilation example with a C Program:

Before diving into the fundamentals of reverse engineering with this powerful tool (Ghidra), let's explore the compilation phases that turn source code into an executable, along with some important terminology.

Wikipedia defines Reverse engineering as follows:

"Reverse engineering, also called back engineering, is the process by which a human-made object is deconstructed to reveal its designs, architecture, or to extract knowledge from the object; similar to scientific research, the only difference being that scientific research is about a natural phenomenon."

Compilers: convert high-level code to assembly code

Assemblers: convert assembly code to machine code

Linkers: take the object files in order to generate the executable

Disassemblers: convert machine code to assembly code

The phases are represented in the following graph:

As a demonstration, let's compile a simple C program. The best-known easy program is simply a "hello world!" program.

Create a hello.c program:

#include <stdio.h>

/* Entry point. C requires main to return int; returning 0 reports success to the shell. */
int main(void)
{
    printf("hello world!\n");
    return 0;
}

Now let's compile it and link it with gcc:

gcc -o helloWorld hello.c

Run the executable:

./helloWorld

How to install Ghidra?

To use Ghidra we need to install it, of course. The technical requirements are the following:

Hardware

  • 4 GB RAM
  • 1 GB storage (for installed Ghidra binaries)
  • Dual monitors strongly suggested

Software

  • Java 11 64-bit Runtime and Development Kit (JDK)

Go to Download Ghidra v9.1

Download it and install Java JDK

Go to the installation folder and run the Ghidra batch file.

For more information about the installation steps you can check Ghidra official documentation: https://ghidra-sre.org/InstallationGuide.html

Reverse engineering example (CrackMe Challenge):

We learned the compilation phases that generate a fully working binary. Now it is time to continue our learning experience by acquiring some fundamentals of reverse engineering. That is why we are going to download a small and easy CrackMe challenge and try to understand what it is doing and how it works, in order to find the correct password that solves the challenge.

The challenge that we are going to solve is part of these free and publicly available training materials: https://github.com/Maijin/Workshop2015

We are going to follow Here Be Dragons: Reverse Engineering with Ghidra

Download the GitHub repository, go to /IOLI-crackme/bin-win32 and you will find the challenge binaries.

We are going to reverse the "Crackme0x01" file.

Let's open it directly using the command line terminal:

Enter the binaries folder and type:

Crackme0x01.exe

Enter a random password. In my case I entered "root" but I got an "Invalid Password!" error message.

Then let's crack it

Open Ghidra

Start a new project:

Name the project

Import the binary with Batch Import

Open the binary

Select the required options and click "Analyze"

Voila! This is the main window of Ghidra.

You can also check the function graphs

To solve the challenge, let's first start by extracting the binary's strings.

As you can notice, we get all the strings of the file. One of them is "Password OK :)".

Ghidra is powerful: it gives you the ability to decompile the file. As you can see from the screenshot, it gives us readable code.

If you check the code carefully you will notice these lines of code:

if (local_8 == 0x149a) {
    _printf("Password OK :)\n");
}

On the other side of the window you will see the CMP instruction. With a small Google search you will find that:

"CMP is generally used in conditional execution. This instruction basically subtracts one operand from the other for comparing whether the operands are equal or not. It does not disturb the destination or source operands. It is used along with the conditional jump instruction for decision making."

So if our analysis is correct, the valid password will be the decimal conversion of "0x149a".

To check its value, double-click on it and you will get this:

The decimal value is "5274". So let's try it:

Go back to your terminal, run the binary and this time type 5274:

Congratulations, you solved your first crackme challenge.

This article will be updated with more interesting sections in the next few hours like Malware Analysis with Ghidra

Summary

This article was a good opportunity to learn the fundamentals of reverse engineering with an amazing tool called "Ghidra".