Occasionally you run into one of those tools that changes things. For me, this was Ghidra. I remember sitting in study hall reading the release notes and rushing home to my computer just to install it. You see, I am a huge nerd when it comes to reverse engineering. I am not perfect at it, but I love the puzzle of taking apart things to see how they work, and finally a tool that could seriously compete with IDA had come out. I fired it up and breezed through a few elementary crackmes in it. Ghidra was a game changer.

Getting Started

You can grab Ghidra from this link. Once you have that, the install is as simple as unzipping it and running the bash or batch script included with it (assuming you have the right version of java installed). Upon launch you will be greeted with the following:

In my case I have an active project, but if it’s your first time installing Ghidra you obviously will not. First, you need to create a project under File > New Project, then follow the wizard to create an un-shared project and add files to this using the key shortcut ‘i’. Generally Ghidra does a good job of automatically determining what file type you are adding, so you can go ahead and (after a brief sanity check) click through that.

Finally, if you double-click on a file, you will be asked by a prompt if you want to analyze that file. Click “yes,” run with the defaults, and you will be prompted with this page:

Jumping Into a Hello World

Whenever I start using an RE tool, I like to look through a very basic binary with it to get a feel for all of the bells and whistles. I started out with the dead simplest binary for this challenge that consisted of the following C code:

#include <stdio.h>

int main(int argc, char **argv) {
    printf("%s\n", "Hello World");
    return 0;
}

I loaded it up into Ghidra and ran the analysis. On the right is a scroll box called the symbol tree. The symbol tree has names of functions that a binary imports, exports, and a bunch of other useful information. When you first look under functions, you will see a main function. If you double-click that, the decompiler and code browser will both update to show that function.

The decompiler window aims to take assembly and generate a C-like representation of it. This is one of the things about Ghidra that is game changing. Most open-source decompilers have not been nearly as accurate with their output. Now, Ghidra’s decompiler is not perfect—sometimes it has trouble identifying types. You can fix type identification issues by right-clicking on the variable declaration in the decompiler and clicking “retype.” Doing this is a good way of drastically cleaning up decompile and making it look more like source.

The code browser window will be your other best friend when using Ghidra. Sometimes when looking through math, it is easier to use the assembly representation in case the decompiler decides to interpret math as a casting operation. The code browser also allows you to view data portions of the binary along with the assembly.

Other Features

Ghidra gets really fun when you use some of the other features available to you. Some fun ones are the function graph, bookmarks, and the Python scripting interface.

A Toast to Python

Ghidra implements Python scripting using jython2.7. (Yes, that means you are stuck coding in Python 2 syntax.) Scripting Ghidra can make the discovery phase of reverse engineering fly by extremely fast.

To start scripting Ghidra, you need to go under Window > Script Manager. From there, you can right-click and select “add a new script,” which will be opened up in a default editor once you complete the setup wizard.

Here is an example of a little script I wrote to make malware reversing easier on myself:

#Finds some common functions used by malware
#@author Tristan Messner
#@category Iteration
#@keybinding 
#@menupath 
#@toolbar 

funcList = ["HttpOpenRequestA", "HttpOpenRequestW", "IsDebuggerPresent", "InternetConnectA"]

for i in currentProgram.getSymbolTable().getExternalSymbols():
    if i.name in funcList:
        print "Found Func " + i.name
        for ref in i.getReferences():
            fromAd = ref.getFromAddress()
            print fromAd

This is a fairly simple little script that checks a program’s imports, finds where it is referenced from, and prints out those addresses. In this script I am particularly looking for Internet connectivity and anti-debugger mechanisms in malware samples.

The comments at the top of the script are used to tell Ghidra information about the script and are rather self explanatory. Some of the objects that are used to script Ghidra can get rather confusing, but when in doubt hit F1—this will take you straight to Ghidra’s documentation.

Bookmarks

Bookmarks are an easy feature to just gloss over and never use, but they are very helpful when you want to easily be able to find something important without having to traverse the symbol tree to find it again. You can set bookmarks by right-clicking the window and then clicking “set bookmark.” You can view your bookmarks by going to Window> Bookmarks. Bookmarks work in all sections of binary so you can bookmark both data and code.

A Quick Look at the Function Graph

The function graph is a rather simple portion of Ghidra, but one that can help you quickly understand the flow of a function. A function graph is also known as a control flow graph (CFG for short). This creates a graphical representation of the disassembly of a function by organizing it into blocks and drawing lines between the flow of the function. A CFG can be rendered for the current function by clicking Window > Function Graph. This is what a CFG looks like once it is rendered: