The example program traced step by step on the following slides:

```nasm
section .text
global _start
_start:
    mov rax, 0x2FFF      ; RAX = 0x2FFF
    mov rbx, 0x3000      ; RBX = 0x3000
    or  rax, rbx         ; RAX = RAX | RBX
    mov rcx, 0x10000     ; RCX = 0x10000
    sub rcx, rax         ; RCX = RCX - RAX
    add rcx, rbx         ; RCX = RCX + RBX
    cmp rax, rbx         ; set flags from RAX - RBX
    jg  _greater         ; jump if RAX > RBX (signed)
    mov rax, 0x2         ; not-taken path (falls through into _greater)
_greater:
    mov rax, 0x1
    ret                  ; ends the trace; a real _start would exit via a syscall instead
```

Register state after each instruction (blank cells are values the slide does not show):

After `mov rax, 0x2FFF`:

| Register | Value |
|---|---|
| RAX | 0x2FFF |
| RBX | |
| RCX | |
| RIP | |

After `mov rbx, 0x3000`:

| Register | Value |
|---|---|
| RAX | 0x2FFF |
| RBX | 0x3000 |
| RCX | |
| RIP | |

After `or rax, rbx`:

| Register | Value |
|---|---|
| RAX | 0x3FFF |
| RBX | 0x3000 |
| RCX | |
| RIP | |

After `mov rcx, 0x10000`:

| Register | Value |
|---|---|
| RAX | 0x3FFF |
| RBX | 0x3000 |
| RCX | 0x10000 |
| RIP | |

After `sub rcx, rax`:

| Register | Value |
|---|---|
| RAX | 0x3FFF |
| RBX | 0x3000 |
| RCX | 0xC001 |
| RIP | |

After `add rcx, rbx`:

| Register | Value |
|---|---|
| RAX | 0x3FFF |
| RBX | 0x3000 |
| RCX | 0xF001 |
| RIP | |

After `cmp rax, rbx` / `jg _greater` (branch taken):

| Register | Value |
|---|---|
| RAX | 0x2FFF |
| RBX | 0x3000 |
| RCX | 0xF001 |
| RIP | _greater |

After `mov rax, 0x1`:

| Register | Value |
|---|---|
| RAX | 1 |
| RBX | 0x3000 |
| RCX | 0xF001 |
| RIP | _greater + 5 |
#x86_64: Wrap up
• x86_64 is a very complicated architecture
• We’ve only covered the bare minimum
• Instructions and other reference material can be found on Intel’s website
• Although Ghidra has a decompiler, it is important to understand the underlying assembly
7/19/2020, Hackaday U – Introduction to Software Reverse Engineering, slide 36
#Ghidra: Overview
• Open source SRE tool developed by NSA
• Released in March 2019
• Written in Java
• Free
• Provides a disassembler and decompiler
• Large library of supported processors / architectures
  • Custom processors can be added via SLEIGH modules
• Active development community
  • 146 PRs, 2,530 commits
#Ghidra: Installation
• Download the latest release from https://ghidra-sre.org/
  • For this course we will use v9.1.2
• Unzip the installation bundle
  • This contains everything you need to run Ghidra
  • Unzip to somewhere accessible
• Install Java 11 64-bit Runtime and Development Kit (JDK)
• Launch Ghidra!
  • ./ghidraRun.sh or ./ghidraRun.bat
#Ghidra: Creating a Project
• Ghidra groups binaries into projects
  • Projects can be shared across multiple users
  • Programs and binaries can be imported into a project
• File -> New Project
  • Non-Shared Project
  • Select Directory
  • Name the project: “hackaday-u-ghidra”
#Ghidra: Loading a Binary
• Import Window
  • In this window you can inform Ghidra about the target binary
    • Architecture / Language
    • File format
• Ghidra will attempt to autodetect features based on the file format
  • In our case these features are provided by the ELF header
• After the file is imported, a results summary window will appear
  • Various file features will be listed in this window
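To make the "provided by the ELF header" point concrete, here is an added example (not Ghidra's ELF loader, and not from the course materials) that reads the header fields an importer relies on to pick a processor and language: the class (32/64-bit), data encoding (endianness), `e_machine`, `e_type` and the entry point. The `language` string it builds is an assumed, illustrative mapping in the style of Ghidra language IDs such as `x86:LE:64:default`; the real importer's mapping lives in its loader. The sample headers are constructed in `make_elf_header`.

```python
"""Parse the ELF header fields an importer such as Ghidra's reads to choose a
processor/language before disassembly. Added example, not Ghidra's ELF loader."""
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification (subset used here)
MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64", 243: "RISC-V"}
# Processor family names in the style of Ghidra language IDs (assumed, illustrative mapping)
FAMILIES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86", 183: "AARCH64", 243: "RISCV"}
TYPES = {1: "REL", 2: "EXEC", 3: "DYN"}


def parse_elf_header(data):
    """Return the identification, type, machine and entry point of an ELF header.

    Raises ValueError for anything that is not a well-formed ELF32/ELF64 header, which
    is the point at which an importer would fall back to asking the user for a language.
    """
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_version = data[4], data[5], data[6]
    if ei_class not in (1, 2) or ei_data not in (1, 2) or ei_version != 1:
        raise ValueError("unsupported or corrupt e_ident")
    bits = 32 if ei_class == 1 else 64
    endian = "LE" if ei_data == 1 else "BE"
    prefix = "<" if ei_data == 1 else ">"
    if bits == 64:
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        fields = struct.unpack(prefix + "HHIQQQ", data[16:48])   # e_type .. e_shoff (64-bit)
    else:
        fields = struct.unpack(prefix + "HHIIII", data[16:36])   # e_type .. e_shoff (32-bit)
    e_type, e_machine, e_version, e_entry, e_phoff, e_shoff = fields
    if e_version != 1:
        raise ValueError("bad e_version")
    family = FAMILIES.get(e_machine, "unknown")
    return {
        "bits": bits,
        "endian": endian,
        "type": TYPES.get(e_type, f"other({e_type})"),
        "machine": MACHINES.get(e_machine, f"unknown({e_machine})"),
        "entry": e_entry,
        "phoff": e_phoff,
        "shoff": e_shoff,
        # Ghidra language IDs look like "x86:LE:64:default"; this guess is illustrative only
        "language": f"{family}:{endian}:{bits}:default",
    }


def make_elf_header(bits, little, machine, entry, e_type=2):
    """Build a minimal, constructed ELF header (no program or section tables) for testing."""
    prefix = "<" if little else ">"
    ident = ELF_MAGIC + bytes([2 if bits == 64 else 1, 1 if little else 2, 1]) + b"\x00" * 9
    if bits == 64:
        body = struct.pack(prefix + "HHIQQQIHHHHHH",
                           e_type, machine, 1, entry, 64, 0, 0, 64, 56, 0, 64, 0, 0)
    else:
        body = struct.pack(prefix + "HHIIIIIHHHHHH",
                           e_type, machine, 1, entry, 52, 0, 0, 52, 32, 0, 40, 0, 0)
    return ident + body


if __name__ == "__main__":
    for sample in (make_elf_header(64, True, 62, 0x401000), make_elf_header(32, False, 8, 0x400000)):
        print(parse_elf_header(sample))
```

Running the block prints the parsed fields for a constructed x86-64 little-endian executable and a constructed 32-bit big-endian MIPS executable. Feeding it a file that is not ELF (or a truncated one) raises `ValueError`, which mirrors the situation where autodetection fails and the import window needs the language chosen by hand.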
#Ghidra: Initial Analysis
• Once a program has been loaded into the active project, it can be analyzed
  • Double click on the program in the project view to start analysis
• Ghidra will attempt to automatically analyze the binary
  • This is based on information inferred from the filetype
  • The binary entry point is determined and Ghidra begins the disassembly process
• During auto-analysis Ghidra will also attempt to:
  • Create and label functions
  • Identify cross references in memory (xrefs)
#Ghidra: Navigation
• Once analysis is done, the program can be explored
  • This is done mainly within the CodeBrowser window
• Some of the default CodeBrowser windows include:
  • Program Tree – shows the segments of the ELF file
  • Symbol Tree – lists and displays all currently defined symbols
  • Data Type Manager – shows data types inferred during auto-analysis
  • Listing – the resulting assembly code from auto-analysis
  • Console – tool output / debugging information
#Ghidra Nav: Disassembly View
• This is where the resulting assembly code is displayed
• This listing can be edited by clicking the symbol
• By default this listing contains:
  • Address
  • Bytes
  • ASM instructions (mnemonics) and operands
  • Comments
  • Xrefs
• Address field: the memory address where this data is located
• Bytes: the opcodes that represent the instructions
• Mnemonic: the instruction that has been disassembled from the opcode
• Operands: the registers / memory locations used by the instruction
• XRefs: generated when Ghidra detects other locations or instructions that reference this address
#Ghidra: Decompiler
• One of Ghidra’s most powerful features is the decompiler
• Implemented utilizing Ghidra’s P-Code
  • P-Code abstracts assembly instructions into P-Code operations
  • P-Code is an intermediate language shared across all supported processors
• The decompiler creates C code from the analyzed P-Code
  • All supported processors can utilize the decompiler
• All processors are created with the SLEIGH language
  • SLEIGH specifies the translation from machine code to P-Code
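The following added example (written for this page, not Ghidra's code and not from the course repository) ties the two halves of this session together: it takes the small x86_64 program traced register-by-register at the start of the section, lifts each instruction into a sequence of P-Code-style operations, and then executes those operations to reproduce the register trace. The opcode names used (`COPY`, `INT_OR`, `INT_ADD`, `INT_SUB`, `INT_EQUAL`, `INT_SLESS`, `INT_SBORROW`, `BOOL_NEGATE`, `BOOL_AND`, `CBRANCH`, `RETURN`) are real P-Code operations, but the lifting rules are a hand-written simplification of what the x86 SLEIGH specification emits, and the `parse`, `lift`, `execute` functions and the temporaries `tmp`, `t1`, `t2`, `cond` are this example's own names. The point it makes is the one on the slide: once `cmp` and `jg` are expressed as flag computations and a conditional branch on a boolean, the interpreter that runs them knows nothing about x86.

```python
"""Lift a small x86_64 subset to Ghidra-style P-Code operations and execute them.

Added example (not Ghidra code). The opcode names are real P-Code operations; the
lifting rules are a simplified, hand-written stand-in for the x86 SLEIGH specification.
"""

MASK64 = (1 << 64) - 1

# The program traced on the slides (constructed input, same instructions)
PROGRAM = """
_start:
    mov rax, 0x2FFF
    mov rbx, 0x3000
    or  rax, rbx
    mov rcx, 0x10000
    sub rcx, rax
    add rcx, rbx
    cmp rax, rbx
    jg  _greater
    mov rax, 0x2
_greater:
    mov rax, 0x1
    ret
"""

ARITH = {"or": "INT_OR", "add": "INT_ADD", "sub": "INT_SUB"}


def parse(asm):
    """Split assembly text into [(mnemonic, [operands])] plus a label -> index map."""
    insns, labels = [], {}
    for line in asm.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            labels[line[:-1]] = len(insns)
            continue
        mnem, _, rest = line.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
        insns.append((mnem.lower(), ops))
    return insns, labels


def lift(insns):
    """Translate each instruction into a list of P-Code-like tuples (OP, output, *inputs)."""
    pcode = []
    for mnem, ops in insns:
        if mnem == "mov":
            pcode.append([("COPY", ops[0], ops[1])])
        elif mnem in ARITH:
            pcode.append([(ARITH[mnem], ops[0], ops[0], ops[1])])
        elif mnem == "cmp":  # cmp only sets flags; the difference itself is discarded
            a, b = ops
            pcode.append([("INT_SUB", "tmp", a, b),
                          ("INT_EQUAL", "ZF", "tmp", "0"),
                          ("INT_SLESS", "SF", "tmp", "0"),
                          ("INT_SBORROW", "OF", a, b)])
        elif mnem == "jg":  # jg is taken when ZF == 0 and SF == OF (signed greater-than)
            pcode.append([("INT_EQUAL", "t1", "SF", "OF"),
                          ("BOOL_NEGATE", "t2", "ZF"),
                          ("BOOL_AND", "cond", "t1", "t2"),
                          ("CBRANCH", ops[0], "cond")])
        elif mnem == "ret":
            pcode.append([("RETURN",)])
        else:
            raise ValueError("unsupported mnemonic: " + mnem)
    return pcode


def signed(v):
    """Interpret a 64-bit pattern as a two's-complement integer."""
    return v - (1 << 64) if v >> 63 else v


def execute(asm, max_steps=1000):
    """Run the lifted program; return [(instruction text, {RAX, RBX, RCX})] per executed instruction."""
    insns, labels = parse(asm)
    pcode = lift(insns)
    var = {"RAX": 0, "RBX": 0, "RCX": 0}  # registers, flags and temporaries (varnodes)

    def val(x):  # register/temporary by name, otherwise an immediate
        return var[x.upper()] if x.upper() in var else int(x, 0)

    def put(name, value):
        var[name.upper()] = value & MASK64

    trace, pc = [], labels["_start"]
    for _ in range(max_steps):
        next_pc = pc + 1
        for op in pcode[pc]:
            kind = op[0]
            if kind == "COPY":
                put(op[1], val(op[2]))
            elif kind == "INT_OR":
                put(op[1], val(op[2]) | val(op[3]))
            elif kind == "INT_ADD":
                put(op[1], val(op[2]) + val(op[3]))
            elif kind == "INT_SUB":
                put(op[1], val(op[2]) - val(op[3]))
            elif kind == "INT_EQUAL":
                put(op[1], int(val(op[2]) == val(op[3])))
            elif kind == "INT_SLESS":
                put(op[1], int(signed(val(op[2])) < signed(val(op[3]))))
            elif kind == "INT_SBORROW":  # signed overflow of a - b
                diff = signed(val(op[2])) - signed(val(op[3]))
                put(op[1], int(not -(1 << 63) <= diff < (1 << 63)))
            elif kind == "BOOL_NEGATE":
                put(op[1], int(not val(op[2])))
            elif kind == "BOOL_AND":
                put(op[1], int(bool(val(op[2])) and bool(val(op[3]))))
            elif kind == "CBRANCH":
                if val(op[2]):
                    next_pc = labels[op[1]]
            elif kind == "RETURN":
                next_pc = None
        mnem, ops = insns[pc]
        trace.append((f"{mnem} {', '.join(ops)}".strip(),
                      {r: var[r] for r in ("RAX", "RBX", "RCX")}))
        if next_pc is None:
            break
        pc = next_pc
    return trace


if __name__ == "__main__":
    for text, regs in execute(PROGRAM):
        print(f"{text:18} " + "  ".join(f"{r}={v:#x}" for r, v in regs.items()))
```

Running it prints one line per executed instruction and reproduces the values from the trace tables (RAX becomes 0x3FFF after `or`, RCX 0xC001 after `sub` and 0xF001 after `add`, the branch to `_greater` is taken, and RAX ends at 1). Changing the second immediate to `0xFFFFFFFFFFFFFFFF` makes `cmp` set ZF, so the branch is not taken and `mov rax, 0x2` executes before falling through into `_greater`; the final RAX is still 1, which is the fall-through quirk of the slide program made visible.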
#Ghidra Nav: Decompiler View
#GHIDRA: Byte View
#Ghidra: Other Views
#GHIDRA: Navigation
• The listing view can be navigated in multiple ways
  • Scrolling
  • Arrow keys
  • Using the side scroll bar
• Double clicking on Xrefs will navigate to that location
• Locations can be specified by pressing the ‘G’ key
#Ghidra Exercises: Overview
• Multiple challenge binaries have been developed for this course
  • These binaries were developed to highlight Ghidra features covered in each lesson
• After each lesson, two additional challenge binaries will be released
  • For review during office hours
• On Wednesday of each session week, an advanced challenge may be released for those interested
#Ghidra Exercises: c1
• Download the exercises from github: https://github.com/wrongbaud/hackaday-u
  • This repository will hold all materials for the course
• Import the C1 challenge binary into Ghidra
• What is this program doing?
#Ghidra Exercises: c2
• Load the C2 exercise into Ghidra
• Run the application
• How is this program different from c1?
• What is it doing?
#Session 1: Conclusion
• In this lesson we covered:
  • Basic x86_64 instructions and features
  • Ghidra features
  • Ghidra navigation and basic usage
• For the next session, review the c3/c4 exercises in the github repository
• Feel free to bring all questions to Thursday’s office hour!
#Questions?