PMA 11: Ghidra (15 pts)

What You Need for This Project

Purpose

Ghidra is a new open-source tool released by the NSA. It is a free, easy-to-use disassembler, an alternative to IDA Pro. We'll use Ghidra to analyze compiled Windows C programs, which is the most common use case.

Installing JDK

Ghidra requires a Java Development Kit (JDK).

In a Web browser, go to

https://www.oracle.com/technetwork/java/javase/downloads/index.html

Click the DOWNLOAD button, as shown below.

On the next page, download the correct version for your OS, as shown below.

Install the software with the default options, as shown below.

Downloading and Extracting Ghidra

In a Web browser, go to

https://ghidra-sre.org/

Click the "Download Ghidra" button, as shown below. Save the ghidra_9.0_PUBLIC_20190228.zip file in your Downloads folder.

Unzip the file. In Windows, don't double-click it; that just appears to unzip it. You must right-click it, click "Extract All...", and Extract.

Launching Ghidra

In the "ghidra_9.0_PUBLIC_20190228" window, double-click the ghidra_9.0 folder to open it.

If you are on a Mac or Linux, double-click ghidraRun, as shown below. If you are using Windows, double-click ghidraRun.bat.

An agreement pops up. Click "I Agree".

Ghidra opens, as shown below.

In the little "Tip of the Day" box, click the Close button.

Downloading Files to Analyze

Ghidra lets you look inside executable files and see how they work. To see it in action, we need some files to examine.

One by one, right-click the links below and download the files. Save them in your Downloads folder.

Running the Files (Optional)

If you are using Windows, you can run these programs to see what they do. If you aren't using Windows, you can skip this section.

Click Start, "File Explorer". In the left pane, click Downloads.

At the top left of this window, click File, "Open command prompt", "Open command prompt", as shown below.

In the Command Prompt, execute these commands:

crackme-121-1.exe
crackme-121-1.exe password123

This is a simple password guessing game. Unless you enter the correct password, it says "Fail!", as shown below.

Close the Command Prompt window.

Importing the File into Ghidra

In the "Ghidra:NO ACTIVE PROJECT" window, at the top left, click File, "New Project...".

In the "Select Project Type" page, accept the default option of "Non-Shared Project" and click Finish.

In the "Select Project Location" page, enter your name into the "Project Name" field, as shown below, and click Next>>.

In the "Ghidra:YOURNAME" window, at the top left, click File, "Import File...".

In the "Select File to Import" window, double-click Downloads and double-click crackme-121-1.exe.

A box pops up. Click OK.

After a few seconds, an "Import Results Summary" box appears, as shown below.

Click OK.

Analyzing the File in Ghidra

In the "Ghidra:YOURNAME" window, at the center, double-click crackme-121-1.exe, as shown below.

A big window opens, with an "Analyze" box on top, as shown below. In the "Analyze" box, click Yes.

In the "Analyze Options" box, click Analyze.

In the "Auto-Analysis Summary" box, click OK.

The main Ghidra window appears, showing the assembly code for the file in the large central pane, beginning at address 00400000 with the letters "MZ", as shown below.

All Windows executables start with those letters: "MZ" is the first two bytes of every PE file, and 00400000 is the default image base at which a 32-bit Windows program is loaded, so Ghidra places the start of the file there.

Cleaning Up the Display

On the left side, there are three small boxes titled "Program Trees", "Symbol Tr", and "Data Type Man..". Close them.

Finding Strings

From the menu bar, click Window, "Defined Strings".

On the right side, a box appears showing readable strings.

Click "Fail!".

The left pane shows the address where that string is stored, as shown below.

In the left pane, on the line showing the "Fail!\n" string, on the right side, after the "XREF" label, double-click FUN.

The left pane shows the assembly code that uses this string, with a "PUSH" command, as shown below.
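The two things the listing has shown so far, the "MZ" bytes at 00400000 and a string that has a fixed address in the file, both come from the PE headers. The script below is an added example written for this lab; it is not code from the original page or from the Ghidra project. It parses the DOS header, the PE signature, the ImageBase field and the section table, then reports every NUL-terminated printable string with the same virtual address Ghidra lists in "Defined Strings" (file offset, to section RVA, to image base plus RVA). It handles both PE32 and PE32+ images, which goes beyond the 32-bit crackme in the lab. The sample executable built by build_sample_pe() is constructed inline so the script runs offline; it is not the real crackme-121-1.exe. Pass the path of a real .exe as the first argument to inspect that file instead.

```python
"""Minimal PE string finder (added example, not part of the original lab).

Parses the PE headers to show why the listing begins at the image base with
"MZ", then reports each NUL-terminated ASCII string with the virtual address
that Ghidra's "Defined Strings" window displays.  The sample executable is
constructed inline so the script runs offline; pass a real .exe path to use it.
"""
import re
import struct
import sys


def parse_pe(data):
    """Return (image_base, sections); each section is (name, rva, raw_ptr, raw_size)."""
    if data[:2] != b"MZ":                                  # DOS signature, first two bytes of every PE
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]     # file offset of the "PE\0\0" signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                    # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                        # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                     # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                   # PE32+: 64-bit ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    table = opt + opt_size                                 # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i                               # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        rva, raw_size, raw_ptr = struct.unpack_from("<III", data, off + 12)
        sections.append((name, rva, raw_ptr, raw_size))
    return image_base, sections


def find_strings(data, min_len=4):
    """Return [(virtual_address, text)] for NUL-terminated printable ASCII runs."""
    image_base, sections = parse_pe(data)
    pattern = re.compile(rb"([\x20-\x7e\t\r\n]{%d,})\x00" % min_len)
    found = []
    for _name, rva, raw_ptr, raw_size in sections:
        raw = data[raw_ptr:raw_ptr + raw_size]
        for m in pattern.finditer(raw):
            # file offset -> section RVA -> VA: the mapping Ghidra applies when loading the image
            found.append((image_base + rva + m.start(1), m.group(1).decode("ascii")))
    return found


def build_sample_pe():
    """Construct a tiny PE32 image with one .rdata section (constructed sample, not a real crackme)."""
    image_base = 0x400000
    rdata = (b"Fail!\n\0" + b"topsecret\0" + b"Congratulations!\n\0" + b"ab\0").ljust(0x200, b"\0")
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, 224-byte optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    raw_ptr = 0x200
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/linenums, Characteristics
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", len(rdata), 0x2000, len(rdata), raw_ptr, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(raw_ptr, b"\0") + rdata


def main(argv):
    data = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_pe()
    image_base, _sections = parse_pe(data)
    print("image base %08X, first bytes %r" % (image_base, data[:2]))
    for va, text in find_strings(data):
        print("%08X  %r" % (va, text))


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed sample the script prints the image base 00400000 and lists "Fail!\n" at 00402000 and "topsecret" at 00402007, the same kind of address that appears in the left pane when you click a string. Ghidra's view adds the XREF column by disassembling the code and noting every instruction whose operand points at that address; that is the step the "PUSH" you just double-clicked represents.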

Viewing Decompiled Code

On the right side, close the "Defined Strings" pane.

A "Decompile" pane appears, as shown below.

This is readable C code, and you can easily see that the password is topsecret.


PMA 11.1: crackme-121-2 (5 pts)

Analyze crackme-121-2 in IDA. Find the password. Run the program in a Command Prompt with the correct password and verify that it produces the "Congratulations" message.

The password is the flag.


PMA 11.2: crackme-121-3 (5 pts)

Analyze crackme-121-3 in IDA. Find the password. Run the program in a Command Prompt with the correct password and verify that it produces the "Congratulations" message.

The password is the flag.


PMA 11.3: crackme-121-4 (5 pts)

Analyze crackme-121-4 in IDA. This one is different. Find the complete command line required to see the "Congratulations" message.

The flag is that complete command line, like this:

notepad.exe topsecret


Posted 3-7-19
Revised for WCIL 5-22-19