A day with Ghidra
Reverse engineering, listed as M9 in the OWASP Mobile Top 10, refers to the duplication of a piece of software or hardware in order to thoroughly examine its construction and composition. A popular name in the world of reverse engineering tools is Ghidra.
Ghidra: An Opensource Reverse Engineering Tool
According to the official documentation, “Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.” The framework includes a suite of full-featured, high-end software analysis tools that let users analyze compiled code on a variety of platforms, including Windows, macOS, and Linux.
In 2017, Wikileaks broke the news of Ghidra’s existence as part of its Vault 7 investigation, and the NSA officially released the source code at RSA in 2019 in a move seen by many as a public relations exercise.
What does Ghidra have to offer?
Ghidra, built on Java, offers disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. With the release of Ghidra 10.0-BETA, the official debugger, which the community had been eagerly waiting for, was finally introduced. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Getting started
Before proceeding with the installation, make sure you meet the following prerequisites:
Hardware
- 4 GB RAM
- 1 GB storage (for installed Ghidra binaries)
Software
- Java 11 64-bit Runtime and Development Kit (JDK), e.g. from AdoptOpenJDK or Amazon Corretto.
Installation
Head to the releases tab of the official GitHub repo and download the zipped build of your choice. Opt for a version greater than 10.0.0 to be able to use the debugger. Unzip the build, run the Windows batch file GhidraRun, and follow the on-screen instructions to complete the installation.
Let’s get our hands dirty!
Click on File -> New Project, choose Non-Shared Project, pick a directory and a name for your project, then click Finish. I’ll be reverse engineering this PE file to find the hidden flag while exploring Ghidra.
If you’re a dark-mode-only person, here’s Ghidra’s ghetto dark mode to your rescue: Edit -> Tool Options -> Tools -> Use inverted colors. You’ll have to restart the application for the change to be applied.
Once you’ve created a new project, on the initial screen, you’ll find three main sections:
- Tool Chest: Shortcuts to the Code Browser, Debugger, and the Version Tracking.
- Active Project: Directory structure of the current project.
- Running Tools: Icons from the tool chest appear here when they are in use.
Trusting my instincts, I dragged and dropped the executable onto the initial screen. This brought up the import dialog, which detected the format, architecture, and bit size of the executable file. To check whether the detection is always correct, I used the executables of Docker and Postman, and all of them seemed to work fine.
Once the import is complete, a brief import results summary is displayed which, other than the information about the format and platform of the executable, provides us with information at the assembly language level.
The Code Browser seems to be the place where all the magic happens. On opening it, a prompt appears asking whether I’d like to disassemble or analyze the executable. Ghidra gives us the option to choose from a variety of analyzers, such as ASCII Strings, which searches for valid ASCII strings and automatically creates them in the binary. Being a tool written in Java, Ghidra seemed to be a memory hog when I tried to analyze larger files.
As in any other reverse engineering task, we first need to find the main function. Under the Symbol Tree on the right is the list of functions, one of which is called entry. Clicking on it populates the decompiler with the decompiled C code. Clicking a keyword or line in the decompiled code highlights the corresponding line of assembly in the Listing window. A feature I found extremely helpful in the decompiler is the ability to rename functions and variables and to edit function signatures. This lets us change the decompiled code to make it look closer to reality.
On examining the symbol tree, I came across the function FUN_00401000(), whose signature resembles that of the main function. This function seems to read passcodes (strings) from the user, perform a string comparison, and print a message if the passcode is incorrect.
Playing around with the UI, I found Function Call Graph under the Window tab which, as the name suggests, provides a graphical view of the function calls.
Next, I examined all the variables and pointers in the decompiled code and the corresponding assembly code. Ghidra also lets us search for certain types of values, such as scalars, strings, and instruction patterns, in the code.
A pointer in the main function, PTR_DAT_0040d014, seems to point to the address 0040d040. The data type of the value at address 0040d040 is shown as ?? because Ghidra was unable to determine it. From the string comparisons we noticed in the main function, we can conclude that the value at address 0040d040 is of type char. Ghidra lets the user assign data types to addresses manually: right-click on the address, select Data, and then choose the appropriate data type.
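The two steps above (spotting the main-like function by its string comparisons, then typing an undefined byte as char) can also be done from Ghidra’s scripting API, which the post mentions but does not show. The script below is an added example written for this article; it is not code from the original post and not part of Ghidra itself. It assumes a Ghidra 10.x Java GhidraScript environment, uses the hypothetical script name FindMainCandidate.java, and relies on a simple heuristic of my own: any function whose callees have “cmp” in their name (strcmp, strncmp, memcmp, _stricmp, …) is a candidate; if exactly one is found it is renamed to the hypothetical name main_candidate.

```java
// FindMainCandidate.java (hypothetical name, added example, not part of Ghidra or the original post)
// Lists every program-defined function that calls a string/memory comparison routine,
// renames the single candidate, then types one user-chosen address as char.
//@category Examples

import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Data;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionIterator;
import ghidra.program.model.symbol.SourceType;
import ghidra.util.exception.CancelledException;
import ghidra.util.exception.DuplicateNameException;

public class FindMainCandidate extends GhidraScript {

    @Override
    public void run() throws Exception {
        List<Function> candidates = new ArrayList<>();

        // Walk every function in address order; 'true' means forward iteration.
        FunctionIterator functions = currentProgram.getFunctionManager().getFunctions(true);
        while (functions.hasNext() && !monitor.isCancelled()) {
            Function f = functions.next();
            if (f.isThunk() || f.isExternal()) {
                continue; // import stubs and external symbols are not program code
            }
            // Direct callees of this function, resolved by the analyzer's reference data.
            Set<Function> callees = f.getCalledFunctions(monitor);
            for (Function callee : callees) {
                // Heuristic (assumption): a comparison routine has "cmp" in its name.
                if (callee.getName().toLowerCase().contains("cmp")) {
                    println(f.getName() + " @ " + f.getEntryPoint() + " calls " + callee.getName());
                    candidates.add(f);
                    break;
                }
            }
        }

        if (candidates.size() == 1) {
            Function main = candidates.get(0);
            try {
                // Equivalent of right-click -> Rename Function in the decompiler.
                main.setName("main_candidate", SourceType.USER_DEFINED);
                println("Renamed " + main.getEntryPoint() + " to main_candidate");
            } catch (DuplicateNameException e) {
                println("main_candidate already exists; leaving " + main.getName() + " as is");
            }
        } else {
            println(candidates.size() + " candidates found; rename the right one by hand");
        }

        // Equivalent of right-click -> Data -> char on an undefined (??) byte.
        Address target;
        try {
            target = askAddress("Type as char", "Address of the undefined (??) byte, e.g. 0040d040:");
        } catch (CancelledException e) {
            println("No address given; skipping data typing");
            return;
        }
        clearListing(target);              // remove any existing (undefined) data item
        Data d = createChar(target);       // apply the built-in char data type
        println("Created " + d.getDataType().getName() + " at " + target
                + " = " + d.getDefaultValueRepresentation());
    }
}
```

Drop the file into a directory listed in Window -> Script Manager (the user ghidra_scripts folder is there by default), refresh, and run it after auto-analysis has finished; the script runs inside the transaction GhidraScript opens for it, so the rename and the new data item show up in the undo history like manual edits.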
Another important feature of Ghidra that I came across is Instruction Patching. Patching lets us make changes to a binary and modify its instruction flow. Patched binaries can be exported to different formats such as ASCII, Binary, PE, and C/C++, and can be used to bypass built-in protections such as SSL certificate verification (a.k.a. SSL pinning) or to exploit devices on which they are installed. This is exactly why security experts recommend downloading executables and binaries only from verified sources.
Analyzing the main function further and calculating the offset from the starting address (the explanation of which is outside the scope of this blog), we get the subsequent addresses, and after some pointer arithmetic we get the flag: 6241570398.
Why Ghidra?
- Ghidra is free and open-source, whereas most licensed alternatives, such as IDA, cost a fortune.
- Ghidra can load multiple binaries at once (but is a memory hog).
- Ghidra has an undo button, unlike other paid alternatives.
- Ghidra supports the development of scripts, plugins, and analyzers.
- Ghidra can support multiple users working together on a single project through a Ghidra server.
Resources
These are some tutorials/blogs that helped me get started:
- YouTube tutorials by stacksmashing
- A detailed comparison between Ghidra and other alternatives.