Getting Started With Reverse Engineering Using Ghidra - Chiheb Chebbi

This document introduces the software reverse engineering tool Ghidra. It explains that Ghidra was created by the NSA to analyze compiled code on various platforms. It then walks through installing Ghidra and using it to reverse engineer a simple "CrackMe" challenge binary. Specifically, it shows how to open the binary in Ghidra, extract strings, decompile the code, analyze the conditional comparison, and determine the valid password of 5274 by converting the compared hexadecimal value. The document provides resources for learning more about reverse engineering with Ghidra.

Getting Started with Reverse Engineering using Ghidra

Hi Peerlysters

In this article, we are going to explore how to download Ghidra, install it and use it to perform many important tasks such as reverse engineering, binary analysis and malware analysis.

To get the most from this article I attached a helpful doc that contains many useful links to learn reverse engineering and assembly: Reverse Engineering Resources


But first what is Ghidra exactly?


According to its official GitHub repository:

“Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.

In support of NSA's Cyber Security mission, Ghidra was built to solve scaling and teaming problems on complex SRE efforts, and to provide a customizable and extensible SRE research platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code and generating deep insights for SRE analysts who seek a better understanding of potential vulnerabilities in networks and systems.”

https://github.com/NationalSecurityAgency/ghidra

The official website of the project is https://ghidra-sre.org:

As you can notice from the official description, this tool was developed and is maintained by the US NSA (National Security Agency), which leads us to think about whether this tool itself is secure. Check this post if you didn't know what I am talking about:

Compilation example with a C Program:

Before diving into the fundamentals of reverse engineering with this powerful tool (Ghidra), let's explore the compilation phases that turn source code into an executable, along with some important terminology.

Wikipedia defines reverse engineering as follows:

“Reverse engineering, also called back engineering, is the process by which a human-made object is deconstructed to reveal its designs, architecture, or to extract knowledge from the object; similar to scientific research, the only difference being that scientific research is about a natural phenomenon.”

Compilers: convert high-level code to assembly code

Assemblers: convert assembly code to machine code

Linkers: combine the object files in order to generate the executable


Disassemblers: convert machine code to assembly code

The phases are represented in the following graph:

Figure: compilation phases (compiler, assembler, linker; image not reproduced)

As a demonstration, let's compile a simple C program. The best-known simple program is a “hello world!” program.

Create a hello.c program:

#include <stdio.h>

int main(void)
{
    printf("hello world!\n");   /* print the greeting followed by a newline */
    return 0;                   /* exit status 0 tells the shell we succeeded */
}

Now let's compile and link it with gcc:

gcc -o helloWorld hello.c

Run the executable:

./helloWorld

How to install Ghidra?

To use Ghidra we of course need to install it first. The technical requirements are the following:

Hardware

4 GB RAM
1 GB storage (for installed Ghidra binaries)
Dual monitors strongly suggested

Software

Java 11 64-bit Runtime and Development Kit (JDK)

Go to the download page for Ghidra v9.1

Download it and install the Java JDK

Go to the installation folder and run the Ghidra batch file (ghidraRun.bat on Windows)

For more information about the installation steps you can check the official Ghidra documentation: https://ghidra-sre.org/InstallationGuide.html

Reverse engineering example (CrackMe Challenge):


We learned the compilation phases in order to generate a fully working binary. Now it is time to continue our learning experience by acquiring some fundamentals of reverse engineering. That is why we are going to download a small and easy CrackMe challenge and try to understand what it is doing and how it works, in order to find the correct password that solves the challenge.

The challenge that we are going to solve is a part of this free and publicly available training material: https://github.com/Maijin/Workshop2015

Download the GitHub repository, go to /IOLI-crackme/bin-win32 and you will find the challenge binaries.

We are going to reverse the “Crackme0x01” file.

Let’s open it directly using the command line terminal:

Enter the binaries folder and type:

Crackme0x01.exe

Enter a random password. In my case I entered “root” but I get an “Invalid Password!” error message.

Now let's crack it.

Open Ghidra

Start a new project:


Name the project
Import the binary with Batch Import
Open the binary
Select the required options and click “Analyze”
Voila! This is the main window of Ghidra
You can also check the function graphs
To solve the challenge, let's first extract the binary's strings
As you can notice, we get all the strings of the file. One of them is “Password OK :)”
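The string extraction step above is what gives a reverser the first foothold: message strings such as “Password OK :)” are stored in clear text in the binary, so a scan for printable runs finds them without executing anything. The following Python is an added example (not code from the article or from Ghidra) that does the same job as a minimal `strings`-style scan over a constructed byte blob; the blob's layout, and the bytes standing in for code, are assumptions made for the demonstration, not the real Crackme0x01 contents.

```python
import re
from typing import List, Tuple

# Constructed sample: a fake slice of a compiled win32 binary. The code
# bytes and the order of the strings are assumptions for this example;
# they are NOT copied from Crackme0x01. Strings are NUL-terminated as a
# C compiler would emit them.
SAMPLE_BINARY = (
    b"\x55\x89\xe5\x83\xec\x18"          # constructed x86 prologue bytes
    b"IOLI Crackme Level 0x01\n\x00"
    b"Password: \x00"
    b"\x3d\x9a\x14\x00\x00"              # constructed: cmp eax, 0x149a
    b"Invalid Password!\n\x00"
    b"Password OK :)\n\x00"
    b"\xc9\xc3"                          # constructed: leave; ret
)

def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of printable ASCII (plus tab,
    newline, carriage return) that is at least min_len bytes long.

    This mirrors what a strings tool or Ghidra's ASCII string search does:
    it does not parse the file format at all, it only looks for byte runs,
    which is why lone printable bytes inside code (e.g. 0x55 'U') are
    filtered out by the minimum length."""
    pattern = re.compile(rb"[\x20-\x7e\t\n\r]{" + str(min_len).encode("ascii") + b",}")
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]

def find_message_strings(data: bytes, keyword: str) -> List[Tuple[int, str]]:
    """Filter extracted strings by a case-insensitive keyword, the way an
    analyst narrows Ghidra's string window to the interesting messages."""
    key = keyword.lower()
    return [(off, s) for off, s in extract_strings(data) if key in s.lower()]

if __name__ == "__main__":
    for offset, text in extract_strings(SAMPLE_BINARY):
        # repr() shows the embedded "\n" the way Ghidra's listing does
        print(f"0x{offset:04x}: {text!r}")
    print("password-related:", find_message_strings(SAMPLE_BINARY, "password"))
```

Running it lists four strings with their file offsets; the binary noise around them never shows up because no run of noise bytes is long enough. The same filtering by keyword is how you would home in on the success and failure messages in a larger binary before looking for the code that references them.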

Ghidra is powerful. It gives you the ability to decompile the file. As you can see from the screenshot it is giving us a readable code.

If you check the code carefully, you will notice this line of code:

if (local_8 == 0x149a) {
    _printf("Password OK :)\n");
}

On the other side of the window you will see the CMP instruction. With a small Google search you will find that:

“CMP is generally used in conditional execution. This instruction basically subtracts one operand from the other for comparing whether the operands are equal or not. It does not disturb the destination or source operands. It is used along with the conditional jump instruction for decision making.”

So if our analysis is correct, the valid password will be the decimal conversion of “0x149a”.

To check its value, double-click on it and you will get this.
The decimal value is “5274”. So let's try it:

Go back to your terminal and run the binary and this time type 5274:

Congratulations, you solved your first crackme challenge.
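To make the CMP and conditional-jump reasoning above concrete, here is an added Python example (not code from the article, the crackme or Ghidra) that emulates what the processor does for `cmp local_8, 0x149a`: it computes the subtraction, derives the flags a conditional jump reads, and then reproduces the password decision. The assumptions are that the program parses the typed text as a decimal integer before the comparison (the article only shows the comparison itself) and that a non-numeric input leaves the compared variable at 0; both are marked in the code.

```python
from typing import Dict

def cmp_flags(dst: int, src: int, bits: int = 32) -> Dict[str, bool]:
    """Emulate x86 `CMP dst, src`: compute dst - src, discard the result,
    keep the flags. Operands are truncated to `bits` like a register."""
    mask = (1 << bits) - 1
    sign_bit = 1 << (bits - 1)
    a, b = dst & mask, src & mask
    result = (a - b) & mask
    return {
        "ZF": result == 0,                                   # operands equal
        "SF": bool(result & sign_bit),                       # result negative
        "CF": a < b,                                         # unsigned borrow
        "OF": ((a ^ b) & (a ^ result) & sign_bit) != 0,      # signed overflow
    }

def jump_taken(mnemonic: str, flags: Dict[str, bool]) -> bool:
    """Decide a conditional jump from the flags, as the CPU does after CMP."""
    table = {
        "je": flags["ZF"], "jz": flags["ZF"],
        "jne": not flags["ZF"], "jnz": not flags["ZF"],
        "jl": flags["SF"] != flags["OF"],       # signed less-than
        "jge": flags["SF"] == flags["OF"],      # signed greater-or-equal
        "jb": flags["CF"],                      # unsigned below
        "jae": not flags["CF"],                 # unsigned above-or-equal
    }
    return table[mnemonic]

def check_password(user_input: str, expected_imm: int = 0x149a) -> str:
    """Mirror the decompiled check: the immediate 0x149a is compared with
    local_8 and the branch picks the message. ASSUMPTION: the binary reads
    the input as a base-10 integer (scanf("%d")-style), so "5274" matches
    and "0x149a" typed literally does not; unparsable input is treated as 0."""
    try:
        local_8 = int(user_input.strip(), 10)
    except ValueError:
        local_8 = 0                               # assumption, see above
    flags = cmp_flags(local_8, expected_imm)
    if jump_taken("jne", flags):                  # not equal -> failure path
        return "Invalid Password!"
    return "Password OK :)"

if __name__ == "__main__":
    print("0x149a ->", int("0x149a", 16))          # the conversion Ghidra showed
    print("cmp 5274, 0x149a ->", cmp_flags(5274, 0x149a))
    for guess in ("root", "0x149a", "5274"):
        print(f"{guess!r}: {check_password(guess)}")
```

Only the input that compares equal clears ZF's "not equal" path, which is why the decimal form of the immediate is the password while the hex text is rejected. The `cmp_flags` and `jump_taken` helpers are general: they also show, for example, why a signed `jl` and an unsigned `jb` can disagree on the same operands, a distinction you will meet as soon as the crackmes move past a simple equality check.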

This article will be updated with more interesting sections in the next few hours, such as malware analysis with Ghidra.

Further resources
https://ghidra-sre.org/CheatSheet.html

References

https://www.tutorialspoint.com/assembly_programming/assembly_conditions.htm

Summary

This article was a good opportunity to learn the fundamentals of reverse engineering with an amazing tool called "Ghidra".
