Guide

0x1 Ghidra installation

  1. Ghidra is a Software Reverse Engineering (SRE) suite developed by the Research Directorate of the National Security Agency (NSA) to support its cybersecurity missions. It includes a full-featured set of high-end software analysis tools that let users analyze compiled code on Windows, macOS, and Linux. Features include disassembly, assembly, decompilation, graphing, scripting, and hundreds of other functions. Like IDA, Ghidra supports many processor instruction sets and executable formats, and users can use the public API to write their own Ghidra plug-ins and scripts. The difference is that IDA is a paid product, while Ghidra is free and open source.

  2. You can download it from Ghidra's project home page or from GitHub:

1) https://Ghidra-sre.org

2) https://github.com/NationalSecurityAgency/Ghidra

3) https://github.com/NationalSecurityAgency/ghidra.git

  3. Ghidra can be used directly after extracting the archive. The advantage is that no system configuration needs to be changed.

1. Switch to the GhidraInstallDir directory and run GhidraRun.bat.

2. Ghidra organizes work into projects, so a project must be created first; here it is named test.

3. Using the helloworld program I wrote earlier as the sample, import the file to be analyzed via File -> Import File.

4. Once Ghidra has loaded the file, it displays the file's basic information.

5. Right-click the target file name -> Open With -> CodeBrowser and run Analyze. Press the g key to jump to the address of interest, for example 00401000. The disassembly listing is in the middle window, the decompiled pseudocode on the right, and the sections and function table on the left.

6. The pseudocode on the right can also be exported as C code using the control in the upper-right corner of the decompiler window (shown in the figure).

0x3 Ghidra's functions

  1. Next, write a simple program to learn how to use Ghidra. The program is very simple: it just asks for a password.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int reserveChar(char *ch, int length);
int DectoHex(int dec, char *hex, int h_length);

// Convert a decimal integer to a hexadecimal string
int DectoHex(int dec, char *hex, int h_length)
{
  char str[16] = "0123456789abcdef";
  int i;
  for (i = 0; dec > 0; i++)
  {
    if (i < h_length)
    {
      // Stored in reverse order (least significant digit first)
      hex[i] = str[dec % 16];
    }
    dec /= 16;
  }
  // A 32-bit int never needs more than 8 digits, so i fits the 15-byte buffer
  reserveChar(hex, i);

  return 0;
}

// Reverse a string in place
int reserveChar(char *ch, int length)
{
  char temp;
  // Swapping outer pairs inward works for both even and odd lengths
  // (the original guarded this with length % 2 == 0 and skipped odd lengths)
  for (int i = 0; i != (length / 2); i++)
  {
    temp = ch[i];
    ch[i] = ch[length - i - 1];
    ch[length - i - 1] = temp;
  }
  return 0;
}

int main()
{
  int user = 1314520;
  char password[15] = "";
  char input[15] = "";

  printf("请输入密码:\n");
  // Width limit keeps the read inside the 15-byte buffer (14 chars + NUL)
  scanf("%14s", input);

  DectoHex(user, password, 15);

  if (!strcmp(input, password))
  {
    printf("密码正确\n");
  }
  else
  {
    printf("密码错误\n");
  }

  system("pause");
  return 1;
}

2. Next, run the program and look at its output. The "Press any key to continue..." prompt tells you that the system function is being called.

3. Go to Ghidra and search for "pause" via Search -> For Strings.

4. Once it is found, press g to jump to its address, look at the cross references on the right, and double-click one to reach the place where the string is used; this locates the key function.

5. Open the decompiler window to look at the pseudocode and compare it with IDA's decompiled output; you can see that IDA's decompiler is more powerful.

6. Ghidra can also manage data, sections, and functions. For example, the DOS header can be viewed directly here without any other tool.
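As an added example (not code from the original post), the following Ghidra script automates steps 3 to 5: it locates the "pause" string, follows its cross references to the function that uses it, and prints that function's decompiled C. The class name and the default search string are assumptions; it is run from Ghidra's Script Manager, and the Ghidra API calls it uses are the standard GhidraScript and DecompInterface ones.

```java
import ghidra.app.script.GhidraScript;
import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.Reference;

// StringXrefDecompile.java (assumed name): run from Ghidra's Script Manager
public class StringXrefDecompile extends GhidraScript {
    @Override
    public void run() throws Exception {
        // The string to hunt for; "pause" is the one used on this page
        String needle = askString("String search", "String to locate", "pause");
        // findBytes takes a regex over the raw bytes, so quote the literal
        // and search from the start of memory (Search -> For Strings, targeted)
        Address strAddr = findBytes(currentProgram.getMinAddress(),
                java.util.regex.Pattern.quote(needle));
        if (strAddr == null) {
            println("String not found: " + needle);
            return;
        }
        println("String found at " + strAddr);
        DecompInterface decomp = new DecompInterface();
        decomp.openProgram(currentProgram);
        try {
            // Each cross reference to the string (the list on the right in the
            // CodeBrowser) comes from an instruction; report the enclosing function
            for (Reference ref : getReferencesTo(strAddr)) {
                Address from = ref.getFromAddress();
                Function f = getFunctionContaining(from);
                if (f == null) {
                    println("xref from " + from + " is not inside a function");
                    continue;
                }
                println("xref from " + from + " in " + f.getName()
                        + " at " + f.getEntryPoint());
                // Same output as the Decompile window, with a 30 s timeout
                DecompileResults res = decomp.decompileFunction(f, 30, monitor);
                if (res.decompileCompleted()) {
                    println(res.getDecompiledFunction().getC());
                } else {
                    println("decompile failed: " + res.getErrorMessage());
                }
            }
        } finally {
            decomp.dispose();
        }
    }
}
```

On the helloworld binary above, the only cross reference should land inside main, so the script prints main's decompilation, including the strcmp against the computed password.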

Origin blog.csdn.net/qq_47301716/article/details/131059011