TryHackMe: CC: Ghidra

A crash course on the reverse engineering tool Ghidra

Intro:

The GHIDRA download can be found here.

Note: Assembly and C knowledge are highly recommended

Note: Ghidra requires a reasonably recent version of Java (11+). If you do not have the JRE or the JDK installed, you can install them with:

sudo apt install openjdk-13-jre openjdk-13-jdk

Creating A New Project:

Run the ghidraRun script; once Ghidra finishes loading, you will arrive on this screen.

On this screen navigate to File->New Project->Non-Shared-Project.

On that screen choose a project directory and a project name, then click Finish.

Analyzing a Binary:

Once you’re at this screen, go to File->Import File. From there navigate to where you downloaded the included binary “example1” and import it. (Note: Ghidra will automatically detect what type of binary the file is, e.g. x86 or x86_64.)

From there, double click the binary and you will be prompted to analyze it. Click Analyze->Yes, and a screen similar to this will appear.

(Note: Ghidra has plenty of customization options for analysis, but for general use the default ones that are selected provide all necessary features.)

This is the main screen for analyzing binaries, and it lets you see every part of the binary.

For practical use, the most interesting part of this screen is the “Symbol Tree”. It lets you view all of the imports that were pulled in to build the binary, and all of the user-created functions.

For example, given the C code:

#include <stdio.h>

int main(void) {
    printf("hi!");   /* a single call into libc; no newline, so the compiler keeps it as printf */
    return 0;
}

You would be able to see both main and printf in the Functions tab of the Symbol Tree.

(Note: for general binary analysis, you won’t be interested in functions whose names start with “_”, as those are startup and runtime routines inserted by the compiler and linker rather than code the author wrote.)

This is incredibly useful, as it lets you go straight to the functions the binary’s author wrote.

In the example1 binary, double click the “main” function and you should be presented with this screen.

You are able to see both the disassembly and the decompilation on the same screen!

From here you can click through all of the different functions a binary has and view both the decompiled C code and the assembly.

It’s your turn!:

1. How many user created functions (including main) are there?

A:2

2. What is the first variable set to in the main function?

A:10

3. What is the first variable set to in the function “fn1”?

A:hello

4. If you provide the input “1” when you run the binary, what would the output be? (Note: you could just run the binary to find this out, but that would defeat the whole purpose!)

A:nice!

Miscellaneous operations:

Section 1: Patching Binaries

Occasionally there will be times when you want to patch a binary (that is, change its assembly instructions). Ghidra offers support for this. In the example binary, navigate to the main function and double click the “return 0” in the decompilation section. You should see this screen.

Right click the asm instruction MOV EAX,0x0 and click “Patch Instruction”. From there you can change it to whatever you want; in this case let’s change “MOV EAX,0x0” to “MOV EAX,0x1”. The decompilation will also update, and you should see this screen.

The instructions you patch are reflected in the decompilation, so it’s very useful for checking your work :D.
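To make concrete what Patch Instruction changes at the byte level, here is an added Python illustration (not part of the room and not Ghidra code): it decodes the two encodings compilers commonly emit for “return 0”, rewrites the immediate in place so MOV EAX,0x0 becomes MOV EAX,0x1, and refuses a patch that would not fit in the original instruction’s slot. The sample bytes are constructed, not taken from example1.

```python
import struct

# Tiny decoder for the handful of x86 encodings this example needs (constructed
# sample bytes, not bytes from example1):
#   B8 imm32 -> MOV EAX,imm32 (5 bytes)   31 C0 -> XOR EAX,EAX (2 bytes)   C3 -> RET

def decode(code, off):
    """Return (mnemonic, length) for the instruction starting at code[off]."""
    op = code[off]
    if op == 0xB8 and off + 5 <= len(code):
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return f"MOV EAX,0x{imm:x}", 5
    if op == 0x31 and off + 2 <= len(code) and code[off + 1] == 0xC0:
        return "XOR EAX,EAX", 2
    if op == 0xC3:
        return "RET", 1
    raise ValueError(f"unsupported opcode 0x{op:02x} at offset {off}")

def encode_mov_eax(imm):
    """Encode MOV EAX,imm32 (opcode B8 followed by a little-endian 32-bit immediate)."""
    return bytes([0xB8]) + struct.pack("<I", imm)

def patch_return_value(code, off, new_value):
    """Replace the instruction at `off` with MOV EAX,new_value without moving anything else.
    A replacement longer than the original slot would overwrite the following
    instruction (e.g. the RET), so it is refused rather than applied silently."""
    _, length = decode(code, off)
    new = encode_mov_eax(new_value)
    if len(new) > length:
        raise ValueError(f"{len(new)}-byte replacement does not fit in a {length}-byte slot")
    padded = new + b"\x90" * (length - len(new))  # NOP-pad if the new encoding is shorter
    return code[:off] + padded + code[off + length:]

def listing(code):
    """Disassemble `code` into (offset, hex bytes, mnemonic) rows, like Ghidra's listing view."""
    rows, off = [], 0
    while off < len(code):
        mnem, length = decode(code, off)
        rows.append((off, code[off:off + length].hex(), mnem))
        off += length
    return rows

if __name__ == "__main__":
    original = bytes.fromhex("b800000000c3")          # MOV EAX,0x0 ; RET
    patched = patch_return_value(original, 0, 1)      # MOV EAX,0x1 ; RET, same length
    for row in listing(original) + listing(patched):
        print(row)
```

With an optimised build the same “return 0” is often XOR EAX,EAX (2 bytes), and the 5-byte MOV replacement does not fit, which is exactly when an in-place patch needs a different encoding or a larger slot.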

Section 2: Searching

Ghidra supports jumping to any location in memory when given its address. Click Navigation (in the top bar)->Go To and input a memory address.

Example:

Note: Ghidra supports plenty of misc operations; however, these are the ones I have used the most.

For a full list see this link.

Final Exam:

1. What outputs the good job message?

A:goodjob


Hackerwheel
Change the world
https://t.me/hackerwheel

CTF-PLAYER, security analyst, Pentesting, vapt, digital forensics