PMA 510: Starting with Ghidra (20 pts)

What you need

Purpose

To start using Ghidra, the NSA's free, open-source software reverse engineering suite (a disassembler with a built-in decompiler).

Getting the Sample Files

In a Web browser, go to

https://ghidrabook.com/

At the lower left, click the "Download.zip" button.

Save the zip file.

Unzip it. If you are using Windows, right-click the file, click Extract, and then click "Extract All".

Installing Ghidra

If you are using the "Windows 10 w Tools" VM, Java and Ghidra are already installed. Double-click the ghidraRun icon to launch it.

If you don't already have Java installed, go to https://www.oracle.com/java/technologies/javase-downloads.html and install the JDK. Ghidra 9.1.2 needs a 64-bit JDK 11 or later; a 32-bit Java or an older JRE will not start it.

In a Web browser, go to

https://ghidra-sre.org/

Click the red "Download Ghidra" button.

Save the file. Unzip it.

In the extracted folder (named "ghidra_9.1.2_PUBLIC" for the version current when this was written), if you are using Windows, double-click ghidraRun.bat.

If you are on a Mac or Linux machine, double-click ghidraRun, or open a terminal in that folder and run ./ghidraRun.

Creating a Project

In Ghidra, click File, "New Project".

Accept the default option of "Non-Shared" project and click Next.

Assign a name and location and click Finish.

Importing a File

Click File, "Import File". Browse to the sample files you downloaded earlier in this project. Find ch4_example.exe and double-click it.

In the Import dialog box, accept the default options and click OK.

In the "Import Results Summary" window, click OK.

The file appears in the "Active Project" tree of the Ghidra project window, just below the Tool Chest, as shown below.

Analyzing the File

In the "Active Project" tree of the Ghidra project window, double-click the ch4_example.exe file. This opens it in the CodeBrowser tool.

A pop-up box asks if you want to analyze the file now. Click Yes.

In the Analysis Options box, accept the default options and click Analyze.

Look in the lower right to see the progress of the analysis. It will take a minute or so.

A box pops up warning that the file has "Missing 'PDB file' ...". That's common: a PDB holds Microsoft debug symbols (function and variable names), and malware samples almost never ship with one, so Ghidra has to recover the structure on its own. Click OK.

You see a "CodeBrowser" window containing the first few bytes of the file, starting with "MZ", as shown below.
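What CodeBrowser shows at the top of the listing is the PE file's DOS header, and the section names in "Program Trees" come from the PE section table. The following added example (not part of the original lab, and not Ghidra's own loader code) walks those same headers by hand so you can check what Ghidra reports. The sample image it parses is constructed inline and is not a real program; pass the path to ch4_example.exe on the command line to inspect the real file.

```python
"""Walk the PE headers Ghidra's loader reads before analysis starts."""
import struct
import sys

DOS_MAGIC = b"MZ"        # the first two bytes shown in CodeBrowser
PE_SIGNATURE = b"PE\0\0"


def parse_pe(data: bytes) -> dict:
    """Return machine, image base, entry RVA and the section table of a PE image."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("not a DOS/PE image: missing MZ signature")
    # e_lfanew (DOS header offset 0x3C) points at the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("bad PE signature at e_lfanew=0x%x" % e_lfanew)
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = e_lfanew + 4
    machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    if magic == 0x10B:        # PE32: ImageBase is a 4-byte field at offset 28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:      # PE32+: no BaseOfData, ImageBase is 8 bytes at 24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    table = opt + opt_size    # section table follows the optional header
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": vaddr, "vsize": vsize,
                         "raw_size": rawsize, "raw_ptr": rawptr})
    return {"machine": machine, "image_base": image_base,
            "entry_rva": entry_rva, "sections": sections}


def rva_to_file_offset(info: dict, rva: int) -> int:
    """Map a relative virtual address to its offset in the file on disk."""
    for s in info["sections"]:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["rva"])
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def build_sample_pe() -> bytes:
    """Constructed minimal 32-bit PE with one .text section (sample data, not a real binary)."""
    e_lfanew = 0x40
    dos = DOS_MAGIC + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)  # i386, 1 section
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)        # code | execute | read
    return dos + PE_SIGNATURE + coff + bytes(opt) + text


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(data)
    print("machine 0x%x  image base 0x%x  entry %#x" % (
        info["machine"], info["image_base"], info["image_base"] + info["entry_rva"]))
    for s in info["sections"]:
        print("%-8s rva %#x  raw %#x (%#x bytes)" % (s["name"], s["rva"], s["raw_ptr"], s["raw_size"]))
```

The virtual address printed for the entry point (image base plus entry RVA) is the address Ghidra labels `entry` inside .text; `rva_to_file_offset` gives the byte you would find at that spot if you opened the file in a hex editor instead.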

PMA 510.1: Functions (10 pts)

From the Ghidra menu bar, click Help, "About ch4_example.exe".

The flag appears, covered by a green box in the image below.

PMA 510.2: Decompiler (10 pts)

In the CodeBrowser window, in the top left, in the "Program Trees" pane, double-click .text. This moves the listing cursor to the start of the code section.

The pane on the right is titled Decompile and it contains C-like pseudocode reconstructed for whichever function contains the cursor.

The flag appears, covered by a green box in the image below.

Saving the Project

In the CodeBrowser window, click File, "Save 'ch4_example.exe'".

Click File, "Exit Ghidra".
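The same create-project, import, analyze and save sequence can be run without the GUI, which is how you batch-process many samples. The following is an added example, not part of the original lab and not Ghidra's own code: it drives Ghidra's headless analyzer, support/analyzeHeadless (analyzeHeadless.bat on Windows), using its documented -import, -scriptPath and -postScript options, and passes in a small Ghidra post-script that lists the functions analysis recovered. The install directory, project directory and project name used here are placeholders to adjust.

```python
"""Headless equivalent of the lab's GUI steps: project, import, analyze, save."""
import os
import platform
import subprocess
import sys
import tempfile

# Ghidra post-script (Jython, executed inside Ghidra after auto-analysis) that
# prints every recovered function in address order. `currentProgram` is the
# global Ghidra provides to scripts; this file is only meaningful inside Ghidra.
LIST_FUNCTIONS_SCRIPT = """\
# ListFunctions.py - Ghidra script: print each recovered function
fm = currentProgram.getFunctionManager()
for f in fm.getFunctions(True):
    print("%s  %s" % (f.getEntryPoint(), f.getName()))
"""


def headless_command(ghidra_dir, project_dir, project_name, binary,
                     script_dir=None, windows=None):
    """Build the analyzeHeadless argv that mirrors the GUI steps above.

    project_dir/project_name is the (non-shared) project, created if missing;
    -import runs the default auto-analysis and the result is saved into the
    project when the run finishes. script_dir, when given, must contain
    ListFunctions.py and is passed via -scriptPath / -postScript.
    """
    if windows is None:
        windows = platform.system() == "Windows"
    launcher = "analyzeHeadless.bat" if windows else "analyzeHeadless"
    cmd = [os.path.join(ghidra_dir, "support", launcher),
           project_dir, project_name, "-import", binary]
    if script_dir is not None:
        cmd += ["-scriptPath", script_dir, "-postScript", "ListFunctions.py"]
    return cmd


def project_files(project_dir, project_name):
    """Paths Ghidra writes for a local project: the .gpr file and the .rep directory."""
    return (os.path.join(project_dir, project_name + ".gpr"),
            os.path.join(project_dir, project_name + ".rep"))


def run_headless(ghidra_dir, project_dir, project_name, binary):
    """Import and analyze `binary`; return the analyzer's stdout (includes the function list)."""
    with tempfile.TemporaryDirectory() as script_dir:
        with open(os.path.join(script_dir, "ListFunctions.py"), "w") as fh:
            fh.write(LIST_FUNCTIONS_SCRIPT)
        cmd = headless_command(ghidra_dir, project_dir, project_name, binary, script_dir)
        if not os.path.exists(cmd[0]):
            raise FileNotFoundError("Ghidra launcher not found: " + cmd[0])
        os.makedirs(project_dir, exist_ok=True)
        result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    gpr, rep = project_files(project_dir, project_name)
    if not (os.path.exists(gpr) and os.path.isdir(rep)):
        raise RuntimeError("headless run finished but no project was written")
    return result.stdout


if __name__ == "__main__":
    # Placeholders: adjust to where you unzipped Ghidra and where the sample lives.
    ghidra_dir = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/ghidra_9.1.2_PUBLIC")
    binary = sys.argv[2] if len(sys.argv) > 2 else "ch4_example.exe"
    print(run_headless(ghidra_dir, os.path.expanduser("~/ghidra_projects"), "PMA510", binary))
```

Opening the resulting project in the Ghidra GUI afterwards shows the same analyzed ch4_example.exe you would get from the manual steps; re-running against an existing project with the same file name fails unless you pass the analyzer's -overwrite option, which is deliberately not defaulted here so an earlier analysis is never clobbered by accident.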

Posted 8-25-2020
Minor update 9-27-20