Getting Started with SRE using Ghidra

If you are new to Software Reverse Engineering, popularly known as SRE, read on to dive deeper into the same with an Open-source tool, Ghidra. Before we get started, let’s understand what exactly SRE is and why do we use it.

Brief Introduction to SRE

“The basic concept of reverse engineering is breaking something down to understand it and make it better.”

Reverse engineering was initially limited to hardware but today, we apply it to software, database, and even human DNA. What started as a learning tool is now being harnessed as a process to break things and make them better. When we specifically talk about Software Reverse Engineering, it helps developers build cheaper, more efficient, and interoperable systems. The purpose of reverse engineering is to facilitate maintenance work by improving the understandability of a system and producing the necessary documents for a legacy system. Reverse-engineering can also expose security flaws and questionable privacy practices.

What is Ghidra?

Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra extension components and/or scripts using Java or Python.

Get your copy of Ghidra here.

Installing Ghidra

Installation is easy. Unlike other programs that use a traditional installer, the Ghidra distribution file is simply extracted in-place on the filesystem. This simply means that administrative privilege is not required to install Ghidra for personal use, hence there are no updates to the OS Configuration. A downside of the same is that Ghidra will not automatically create a shortcut on the desktop or appear in application start menus.

Using the aforementioned link, download the distribution and follow these steps for Windows 10:

1. Extract the JDK by right-clicking on the .zip file and then selecting “Extract All”.
2. Open Environment Variables Window by right-clicking on the Windows start button, and then click “System”. Then select “Advanced System Settings”, followed by “Environment Variables”.
3. Add the JDK bin directory to the PATH variable by highlighting “Path” under System Variables. Simply at the end of the Variable value field, add a semicolon followed by <path of extracted JDK dir>\bin. You’re all set.
4. Restart any open Command Prompt windows for changes to take effect.

If you’re using Linux or macOS, the process is fairly similar. Extract the JDK distribution (.tar.gz file) to your desired location, and add the JDK’s bin directory to your PATH using the following commands:

tar xvf <JDK distribution .tar.gz>
vi ~/.bashrc
export PATH=<path of extracted JDK dir>/bin:$PATH

Save the file and restart for the changes to take effect.

Getting Started with SRE using Ghidra

Now that installation is complete, let’s reverse engineer a Portable Executable file for starters! Download the PE File here.

We now need to open the file in Ghidra and set up the analysis. Follow these steps to get it up and running in no time:

1. Open Ghidra and click on File > New Project.
2. Select Non-Shared Project and choose a Directory as well as Name for your project.
3. Once done, click on Import File and choose the Executable file shared above. As you’re through with this, your screen should resemble the one given below.

Now all you need to do is drag the file onto the Dragon-shaped icon in the Tool Chest. This will open the Code Browser Window where the remainder of the process will take place!

In the prompt which asks you if you want to analyze the file, select “Yes”. In the same prompt, uncheck PDB and Windows x86 PE RTTI Analyzer which won’t be necessary at the moment.

PDB is a file that supports the debugger but since our file does not require it, we won’t be using the tool. As for the other tool, it populates push instructions with comments which might help us make sense of the binary file more easily. We won’t be needing the Windows x86 PE RTTI Analyzer either.

If you have followed all the steps correctly, you’ll see a screen that is similar to this:

What you see on the Decompile window is the code for Function Entry. In the same window, as you scroll down, you’ll see the following:

_Code = FUN_00401000()

This is nothing but the main function! This is an optional step but consider renaming it to main so you can easily track it in the future. To do so, simply right-click on FUN_00401000() and select Rename. You can also follow this for renaming variables, which makes your job easier!

Give yourself a pat on your back as by following these steps, you have successfully reverse-engineered the given executable file using Ghidra!

Ending Notes

The Portable Executable File that we are using is actually a CTF Prompt so feel free to crack it!

SRE if done manually, would consume a lot of time and labor, which is why we use various automated tools to make our job easier. Reverse Engineering has its own pros and cons. Use Ghidra wisely to learn and grow as a developer.