ghidra

Disassembler and decompiler for reverse engineering. Works on Linux, Windows and Mac OS.

A software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate in support of the Cybersecurity mission.

Install

Option 1

apt install ghidra

Start Ghidra

ghidra

Option 2

Download zip file at https://ghidra-sre.org

cd $HOME/Downloads
unzip ghidra_9.2.3_PUBLIC_20210325.zip -d /usr/bin

Start Ghidra

cd /usr/bin/ghidra_9.2.3_PUBLIC
./ghidraRun

Documentation and course included in the zip

file:///usr/bin/ghidra_9.2.3_PUBLIC/docs/GhidraClass/Beginner/Introduction_to_Ghidra_Student_Guide_withNotes.html#Introduction_to_Ghidra_Student_Guide.html

Usage

Cheat Sheet

• Create a new project: File -> New project
• Click on the Dragon icon
• File -> Import File
• Click Analyze
• Under Symbol Tree, click Functions, click main
• Right click on one instruction -> Instruction Info to get assembly

Some hints

• FUN = function. In the Decompile window, right-click on the function name and click Rename. Useful when you figure out what this function does.
• Look for main or entry function
• Menu Search -> For strings, leave fields empty and click OK. Does the same as the strings utility
• Menu Window -> Function Graph to show relations (calls) between functions.
• Modify program to skip an instruction: Right click the assembly instruction, click Patch instruction, replace instruction (like CALL) by NOP and remove the rest of the instruction.
• Right click an instruction -> Bookmark, add a description. Menu Window -> Bookmark to display all bookmarks.