Disassembler and decompiler for reverse engineering. Works on Linux, Windows and Mac OS.
A software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate in support of the Cybersecurity mission.
Install
Option 1
apt install ghidra
Start Ghidra
ghidra
Option 2
Download zip file at https://ghidra-sre.org
cd $HOME/Downloads
unzip ghidra_9.2.3_PUBLIC_20210325.zip -d /usr/bin
Start Ghidra
cd /usr/bin/ghidra_9.2.3_PUBLIC
./ghidraRun
Documentation and a course are included in the zip
Usage
- Create a new project: File -> New project
- Click on the Dragon icon
- File -> Import File
- Click Analyze
- Under Symbol Tree, click Functions, click main
- Right-click an instruction -> Instruction Info to get details about the assembly instruction
Some hints
- FUN_... is the placeholder name Ghidra gives a function. In the Decompile window, right-click the function name and click Rename. Useful once you have figured out what the function does.
- Look for main or entry function
- Menu Search -> For strings, leave the fields empty and click OK. Does the same as the strings utility.
- Menu Window -> Function Graph to show relations (calls) between functions.
- Modify the program to skip an instruction: right-click the assembly instruction, click Patch instruction, replace the instruction (like CALL) with NOP and remove the rest of the instruction (its operands).
- Right-click an instruction -> Bookmark and add a description. Menu Window -> Bookmark displays all bookmarks.
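The same hints (FUN_ placeholder names, string search, call relations, bookmarks) can be driven from Ghidra's script API. The following is an added example of my own, not code from this cheat sheet or from the Ghidra project; it assumes you save it as TriageUnnamedFunctions.java in your ghidra_scripts directory and run it from Window -> Script Manager, and the script and bookmark category names are my choice.

```java
// Added example, not from the cheat sheet or the Ghidra project. The script
// name and the "Triage" bookmark category are my own choice.
import java.util.HashMap;
import java.util.Map;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.data.AbstractStringDataType;
import ghidra.program.model.listing.*;
import ghidra.program.model.symbol.Reference;

public class TriageUnnamedFunctions extends GhidraScript {
    @Override
    public void run() throws Exception {
        FunctionManager fm = currentProgram.getFunctionManager();
        Listing listing = currentProgram.getListing();
        BookmarkManager bm = currentProgram.getBookmarkManager();

        // Same data as Search -> For strings: for every defined string, record
        // which function each reference to it lives in.
        Map<Function, Integer> stringRefs = new HashMap<>();
        for (Data d : listing.getDefinedData(true)) {
            if (!(d.getDataType() instanceof AbstractStringDataType)) continue;
            for (Reference r : currentProgram.getReferenceManager().getReferencesTo(d.getAddress())) {
                Function owner = fm.getFunctionContaining(r.getFromAddress());
                if (owner != null) stringRefs.merge(owner, 1, Integer::sum);
            }
        }

        // For each auto-named FUN_ function, count CALL instructions (the edges
        // Function Graph draws) and drop a Note bookmark on the entry point so
        // it appears in Window -> Bookmark. Renaming stays a manual decision.
        int marked = 0;
        for (Function f : fm.getFunctions(true)) {
            if (!f.getName().startsWith("FUN_")) continue;
            int calls = 0;
            for (Instruction ins : listing.getInstructions(f.getBody(), true)) {
                if (ins.getFlowType().isCall()) calls++;
            }
            String note = calls + " calls, " + stringRefs.getOrDefault(f, 0) + " string refs";
            bm.setBookmark(f.getEntryPoint(), BookmarkType.NOTE, "Triage", note);
            marked++;
        }
        println("Bookmarked " + marked + " FUN_ functions");
    }
}
```

Functions with many string references and calls are usually the best place to start reading, and the bookmarks give you that ordering without renaming anything.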