PMA 511: Ghidra Data Displays (40 pts)

What you need

Purpose

To practice using the Ghidra data displays.

Launching Ghidra

Start Ghidra. If a CodeBrowser window opens, close it. In the "Save Program?" box, click "Don't Save".

showing a file you were previusly ecxt will probably show the previous file you were examining. That's OK.

Opening an Empty CodeBrowser Window

From the Ghidra menu bar, click Tools, "Run Tool", "CodeBrowser", as shown below.

The CodeBrowser window opens. Notice the labelled items in the figure below. There is a Menu bar, a Toolbar, and six windows.

Importing a File

Click File, "Import File". Browse to ch5_example1.exe and double-click it.

In the Import dialog box, accept the default options and click OK.

In the "Import Results Summary" window, click OK.

A pop-up box asks if you want to analyze the file now. Click Yes.

In the Analysis Options box, accept the default options and click Analyze.

A box pops up warning that the file has "Incomplete PDB information". That's common. Click OK.

When the analysis finishes, a "CodeBrowser" window appears.

Informational Margin Bar

In the Listing window, to the right of the vertical scrollbar, little colored rectangles mark locations in the code

Right-click in this area to see the color codes for the marks, as shown below.

PMA 511.1: Gray Mark (5 pts)

Find the name for the gray mark, covered by a green box in the image below.

That's the flag.

Use the Book

Refer to Chapter 5 of the Ghidra book. Follow along to find the flags described below.

PMA 511.2: Blue Bar (5 pts)

Find the name for the bar containing various shades of blue. It's the third bar to the right of the scroll bar in the image below.

That name is the flag.

PMA 511.3: Opcode (5 pts)

Find the instruction covered by a green box in the image below.

That's the flag.

PMA 511.4: Function Graph (5 pts)

Find the instruction covered by a green box in the image below.

That's the flag.

PMA 511.5: Program Trees (5 pts)

Find the section label covered by a green box in the image below.

That's the flag.

PMA 511.6: Function (5 pts)

Find the third function name, covered by a green box in the image below.

That's the flag.

PMA 511.7: Decompile (5 pts)

Find the function name, covered by a green box in the image below.

That's the flag.

PMA 511.8: Defined Strings (5 pts)

Find the text covered by a green box in the image below.

That's the flag.

Posted 8-25-2020