ghidra

Disassembler and decompiler for reverse engineering. Works on Linux, Windows and macOS.

A software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate in support of the Cybersecurity mission.

Install

Option 1

apt install ghidra

Start Ghidra

ghidra

Option 2

Download zip file at https://ghidra-sre.org

cd $HOME/Downloads
unzip ghidra_9.2.3_PUBLIC_20210325.zip -d /usr/bin

Start Ghidra

cd /usr/bin/ghidra_9.2.3_PUBLIC
./ghidraRun

Documentation and a beginner course are included in the zip:

file:///usr/bin/ghidra_9.2.3_PUBLIC/docs/GhidraClass/Beginner/Introduction_to_Ghidra_Student_Guide_withNotes.html#Introduction_to_Ghidra_Student_Guide.html

Usage

Cheat Sheet

  • Create a new project: File -> New project
  • Click on the Dragon icon
  • File -> Import File
  • Click Analyze
  • Under Symbol Tree, click Functions, click main
  • Right click on one instruction -> Instruction Info to get assembly

Some hints

  • FUN_<address> = a function that Ghidra named automatically. In the Decompile window, right-click on the function name and click Rename. Useful once you have figured out what the function does.
  • Look for the main or entry function
  • Menu Search -> For Strings, leave the fields empty and click OK. Does the same as the strings utility.
  • Menu Window -> Function Graph to show the relations (calls) between functions.
  • Modify the program to skip an instruction: right-click the assembly instruction, click Patch Instruction, replace the instruction (e.g. CALL) with NOP and delete the rest of the instruction (its operands).
  • Right-click an instruction -> Bookmark, add a description. Menu Window -> Bookmarks to display all bookmarks.
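The hints above are all GUI clicks. The same steps (find main, follow its calls, list the strings, bookmark where they are used, rename FUN_ functions) can be scripted with Ghidra's scripting API, which is how you triage many binaries consistently. The script below is an added example written for this page; it is not part of the original cheat sheet and not Ghidra's own code. The class name TriageScript, the bookmark category "Triage" and the "uses_<string>" naming scheme are assumptions; the API calls (GhidraScript, FlatProgramAPI.createBookmark, getFunctionContaining, Function.getCalledFunctions, Listing.getDefinedData, ReferenceManager.getReferencesTo) are real Ghidra classes and methods. It goes beyond the cheat sheet by combining strings, references and renaming into one pass.

```java
// TriageScript.java -- added example for this cheat sheet, hypothetical script (not part of Ghidra).
// Copy it to ~/ghidra_scripts and run it from Window -> Script Manager, or headless:
//   support/analyzeHeadless <project_dir> <project_name> -import <binary> -postScript TriageScript.java
//@category Triage

import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Data;
import ghidra.program.model.listing.DataIterator;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionManager;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.ReferenceIterator;
import ghidra.program.model.symbol.SourceType;
import ghidra.util.exception.DuplicateNameException;
import ghidra.util.exception.InvalidInputException;

public class TriageScript extends GhidraScript {

    @Override
    public void run() throws Exception {
        FunctionManager fm = currentProgram.getFunctionManager();

        // 1. Find main, falling back to entry (Symbol Tree -> Functions -> main).
        Function start = findByName(fm, "main");
        if (start == null) {
            start = findByName(fm, "entry");
        }
        if (start == null) {
            printerr("no main or entry function found; did analysis run?");
            return;
        }
        println("start function: " + start.getName() + " @ " + start.getEntryPoint());

        // 2. Direct callees of the start function (what Window -> Function Graph draws).
        for (Function callee : start.getCalledFunctions(monitor)) {
            println("  " + start.getName() + " -> " + callee.getName() + " @ " + callee.getEntryPoint());
        }

        // 3. Every defined string (what Search -> For Strings lists), plus who references it.
        int bookmarks = 0;
        DataIterator data = currentProgram.getListing().getDefinedData(true);
        while (data.hasNext() && !monitor.isCancelled()) {
            Data d = data.next();
            if (!d.hasStringValue()) {
                continue;
            }
            String value = String.valueOf(d.getValue());
            ReferenceIterator refs = currentProgram.getReferenceManager().getReferencesTo(d.getAddress());
            while (refs.hasNext()) {
                Reference ref = refs.next();
                Address from = ref.getFromAddress();
                Function user = getFunctionContaining(from);
                if (user == null) {
                    continue;
                }
                // Same as Right click -> Bookmark; Window -> Bookmarks shows the result.
                createBookmark(from, "Triage", "uses string \"" + value + "\"");
                bookmarks++;

                // 4. Rename auto-named FUN_... functions (SourceType.DEFAULT) after the
                //    first string they use; renamed functions become USER_DEFINED, so
                //    they are not touched again on later references.
                if (user.getSymbol().getSource() == SourceType.DEFAULT) {
                    String newName = "uses_" + value.replaceAll("[^A-Za-z0-9]", "_");
                    if (newName.length() > 40) {
                        newName = newName.substring(0, 40);
                    }
                    try {
                        String old = user.getName();
                        user.setName(newName, SourceType.USER_DEFINED);
                        println("renamed " + old + " -> " + newName);
                    } catch (DuplicateNameException | InvalidInputException e) {
                        printerr("could not rename " + user.getName() + ": " + e.getMessage());
                    }
                }
            }
        }
        println("added " + bookmarks + " bookmarks in category Triage");
    }

    // Linear search by exact name; fine for one-off triage, slow on very large binaries.
    private static Function findByName(FunctionManager fm, String name) {
        for (Function f : fm.getFunctions(true)) {
            if (f.getName().equals(name)) {
                return f;
            }
        }
        return null;
    }
}
```

The renames and bookmarks live in the Ghidra project database, exactly as if they had been made by hand in the GUI, so they can be reviewed and undone from the Bookmarks window and the Symbol Tree before anything is exported.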