- Author:ZERO-A-ONE
- Date:2022-07-30
This series aims to record my own use of the M1 Pro-based Apple Silicon chip MacBook Pro notebook to build an environment suitable for binary research, including scenarios such as reverse engineering and PWN
0x1 Ghidra - an alternative to IDA
1.1 Introduction
As we all know, for a binary CTFer or research institute, a good disassembly tool is a must-have product for life and work. Among them, the IDA Pro launched by Interactive Disassembler with the Hex Rays decompiler has always been the first choice of users. However, IDA Pro does not provide native ARM64 support for Apple Silicon until version 7.6, although the X64 version can also run well under Rosetta2. There has been a lack of leaked versions of IDA for macOS on the Internet, we need to find a replacement
We can look at Ghidra developed by the US National Security Agency NSA, which is a GUI written in the Java Swing framework, and the decompilation component is written in C++. Plugins for Ghidra can be developed in Java or Python (via Jython). Ghidra's debugger supports debugging user-mode Windows programs via WinDbg and Linux programs via GDB
Ghidra already supports the following architectures or binary formats:
- x86 16, 32 and 64 bit
- ARMand AARCH64
- PowerPC 32/64 and VLE
- MIPS 16/32/64
- MicroMIPS
- 68xxx
- Java and DEX bytecode
- PA-RISK
- PIC 12/16/17/18/24
- SPARC 32/64
- CR16C
- Z80
- 6502
- 8048, 8051
- MSP430
- AVR8, AVR32
- SuperH
- V850
If you want to learn more about the usage of Ghidra, you can refer to the Kanxue course "Ghidra Operation Manual":
https://www.kanxue.com/book-section_list-64.htm
1.2 Installation
1.2.1 JDK
Because Ghidra is written in Java, we first need to install the JDK
https://www.oracle.com/java/technologies/downloads/#jdk18-mac
In order to save the steps of configuring environment variables, it is recommended to choose to download the Apple Silicon installation version directlyArm 64 DMG Installer
https://download.oracle.com/java/18/latest/jdk-18_macos-aarch64_bin.dmg
Then it's a fool's installation
1.2.2 Guide
Download the distribution from the official Github
https://github.com/NationalSecurityAgency/ghidra/releases
ghidraRun Run it after decompression
0x2 IDA Pro
I saw that the master on the Internet provided a solution to run IDA Pro 7.6 on Apple Silicon, and its main core technology is to use the compatibility layer of wine
Compatible with the M1 version of Wine is basically a gcenxpre- , we only need to brewinstall it through
If you don't need a python environment, you can also install winehq separately. But the winehq python environment cannot be configured, and IDA configuration winehq will crash, and the bat script cannot be run
2.1 install wineskin
wineskin can help us create a wine container, make a Mac App shell, and create an alias icon to launchpad, through which you can open IDA.
We can brewinstall wineskin:
brew install --no-quarantine gcenx/wine/unofficial-wineskin
Here it is recommended to enable Clash's local terminal agent, otherwise it will be very slow to go to Git in China
After the installation is complete, wineskin will appear on launchpad. We open it and download and create a container:
2.2 Configure python 3 environment
Go to the python official website to python 3.8download the Windows 64 Bit executable package and decompress it into the root directory of IDA, and name it as python-3:
https://www.python.org/ftp/python/3.8.10/python-3.8.10-embed-amd64.zip 47
2.3 Create a startup script
Copy the following content and save it as run64.batand store it in the root directory of IDA
@set path=.\python-3;%path%
@set PYTHONPATH=.\python-3
@start ida64.exe
2.4 Import the prepared IDA into the Wine container
Select Install Softwareand copy IDA into it:
2.5 Configure the running path of the wineskin container:
2.6 Setting environment variables
Open Registry Editor and find the following path:
HKEY_CURRENT_USER\Software\Hex-Rays\Python3TargetDLL
And set to (need to be modified according to your actual situation):
C:\Program Files\Hex-Rays\IDA Pro\python-3\python3.dll
Note: If you cannot find the Hex-Rays path, please test-run ida.exe once, or create it manually;
if you cannot find the Python3TargetDLL key, please manually add a string type key.
Caution: Do not try to modify the registry through the installed version of python with idapyswitch.exe. The dll path obtained by idapyswitch.exe is incorrect, and the installed version of python cannot correctly set the wine environment variable, and IDA will crash.
Create a stand-in for the wine container (the icon needs to be set in wineskin), and move to /Applicationthe directory , and then you can start ida 7.6 through the launchpad:
python3 can also be used normally:
Here you can also directly use the packaged package provided by the original blogger:
链接:https://pan.baidu.com/s/1todGWnAXMg6emvJooL58VA?pwd=8617
提取码:8617
0x3 virtual machine selection
According to the current research summary of netizens, it is suitable for Apple Silicon
-
pd: more than 400 years, no cracks, unlimited trial by automatically changing the time
-
pd runs windows: dx11, OpenGL 3.3
-
pd runs Linux: OpenGL 4.1, no vulkan
-
-
vmware: free
- vmware running windows: only 2D, no dx
- Vmware runs Linux: OpenGL 4.3, which requires the unreleased Linux 5.19 kernel and the latest mesa driver (vmware's Linux drivers and tools are open source)
-
utm: open source, supports jailbreak iOS, qemu gui
- utm runs windows: only 2D, can simulate x86 windows, but after simulating win7, it is relatively stuck, and simulating win7 or xp is smoother
- utm running Linux: OpenGL 2.0, very easy to crash
in conclusion:
- windows11 select pd
- Choose vmware for Linux with GUI
- Command line Linux choose utm (or lima)
Note: vmware running Linux can get OpenGL4.3, and Apple deliberately locks the OpenGL version under macOS at 4.1