Proj 11x: Ghidra (25 pts)

What You Need for This Project

Purpose

Ghidra is a new open-source tool released by the NSA. It is a free, easy-to-use disassembler, an alternative to IDA Pro. We'll use Ghidra to analyze compiled Windows C programs, which is the most common use case.

Installing JDK

Ghidra requires a Java Development Environment.

In a Web browser, go to

https://www.oracle.com/technetwork/java/javase/downloads/index.html

Click the DOWNLOAD button, as shown below.

On the next page, download the correct version for your OS, as shown below.

Install the software with the default options, as shown below.

Downloading and Extracting Ghidra

In a Web browser, go to

https://ghidra-sre.org/

Click the "Download Ghidra" button, as shown below. Save the ghidra_9.0_PUBLIC_20190228.zip file in your Downloads folder.

Unzip the file. In Windows, don't double-click it; that just appears to unzip it. You must right-click it, click "Extract All...", and Extract.

Launching Ghidra

In the "ghidra_9.0_PUBLIC_20190228" window, double-click the ghidra_9.0 folder to open it.

If you are on a Mac or Linux, double-click ghidraRun, as shown below. If you are using Windows, double-click ghidraRun.bat.

An agreement pops up. Click "I Agree".

Ghidra opens, as shown below.

In the little "Tip of the Day" box, click the Close button.

Downloading Files to Analyze

Ghidra lets you look inside executable files and see how they work. To see it in action, we need some files to examine.

One by one, right-click the links below and download the files. Save them in your Downloads folder.

Running the Files (Optional)

If you are using Windows, you can run these programs to see what they do. If you aren't using Windows, you can skip this section.

Click Start, "File Explorer". In the left pane, click Downloads.

At the top left of this window, click File, "Open command prompt", "Open command prompt", as shown below.

In the Command Prompt, execute these commands:

crackme-121-1.exe
crackme-121-1.exe password123

This is a simple password guessing game. Unless you enter the correct password, it says "Fail!", as shown below.

Close the Command Prompt window.

Importing the File into Ghidra

In the "Ghidra:NO ACTIVE PROJECT" window, at the top left, click File, "New Project...".

In the "Select Project Type" page, accept the default option of "Non-Shared Project" and click Finish.

In the "Select Project Location" page, enter your name into the "Project Name" field, as shown below, and click Next>>.

In the "Ghidra:YOURNAME" window, at the top left, click File, "Import File...".

In the "Select File to Import" window, double-click Downloads and double-click crackme-121-1.exe.

A box pops up. Click OK.

After a few seconds, an "Import Results Summary" box appears, as shown below.

Click OK.

Analyzing the File in Ghidra

In the "Ghidra:YOURNAME" window, at the center, double-click crackme-121-1.exe, as shown below.

A big window opens, with an "Analyze" box on top, as shown below. In the "Analyze" box, click Yes.

In the "Analyze Options" box, click Analyze.

In the "Auto-Analysis Summary" box, click OK.

The main Ghidra window appears, showing the assembly code for the file in the large central pane, beginning at address 00400000 with the letters "MZ", as shown below.

All Windows executables start with those two letters, which is why they appear at the very start of the loaded image (address 00400000 here).

Cleaning Up the Display

On the left side, there are three small boxes titled "Program Trees", "Symbol Tr", and "Data Type Man..". Close them.

Finding Strings

From the menu bar, click Window, "Defined Strings".

On the right side, a box appears showing readable strings.

Click Fail!.

The left pane shows the address where that string is stored, as shown below.

In the left pane, on the line showing the "Fail!\n" string, on the right side, after the "XREF" label, double-click FUN.

The left pane shows the assembly code that uses this string, with a "PUSH" command, as shown below.
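
To show what the "Defined Strings" window is doing under the hood, here is a small added example (not part of Ghidra or the crackme files) that checks the "MZ"/"PE" header signatures and then scans a constructed stand-in binary for NUL-terminated printable runs, reporting each one at the 00400000 image base Ghidra shows. The sample bytes, the minimum string length and the assumption that file offset equals the loaded offset are all constructed for this example.

```python
"""Tiny string scanner in the spirit of Ghidra's Defined Strings window.

Added example for this walkthrough; it is not Ghidra code and the sample
bytes are constructed, not taken from crackme-121-1.exe.
"""
import re

# Constructed stand-in for a crackme: a minimal DOS/PE header shape followed by
# a data blob holding the kind of strings the walkthrough finds. It is NOT a
# runnable executable, just enough bytes for the scan to work on.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 56 + b"\x80\x00\x00\x00"   # e_lfanew at offset 60 -> 0x80
    + b"\x00" * (0x80 - 64)
    + b"PE\x00\x00" + b"\x00" * 20                        # "PE\0\0" signature at 0x80
    + b"Usage: crackme <password>\n\x00"
    + b"topsecret\x00"                                    # the hardcoded password
    + b"Fail!\n\x00"
    + b"\x01\x02\x03\x04"                                 # non-printable filler, must be skipped
    + b"Correct!\n\x00"
)

def is_pe(data: bytes) -> bool:
    """True if the file starts with the "MZ" DOS header and points at a "PE\\0\\0" header."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[60:64], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def defined_strings(data: bytes, min_len: int = 4, base: int = 0x00400000):
    """Return (address, text) pairs for NUL-terminated runs of printable bytes.

    A run only counts if it is at least min_len characters long (min_len is an
    assumption for this example). Addresses are file offsets added to the
    default image base Ghidra shows for the crackme, on the simplifying
    assumption that file offset == loaded offset for this constructed sample.
    """
    pattern = re.compile(rb"[\x20-\x7e\t\n\r]{%d,}\x00" % min_len)
    return [(base + m.start(), m.group()[:-1].decode("ascii"))
            for m in pattern.finditer(data)]

if __name__ == "__main__":
    print("PE header OK:", is_pe(SAMPLE_BINARY))
    for addr, text in defined_strings(SAMPLE_BINARY):
        print(f"{addr:08x}  {text!r}")
```

Running it lists "topsecret" right next to "Fail!\n", which is exactly why a hardcoded password in a compiled binary offers no real protection.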

Viewing Decompiled Code

On the right side, close the "Defined Strings" pane.

A "Decompile" pane appears, as shown below.

This is readable C code, and you can easily see that the password is topsecret

Saving a Screen Image

Make sure you can see topsecret, as shown above.

Save a full-desktop image. On a Mac, press Shift+Command+3. On a PC, press Shift+PrntScrn and paste into Paint.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 11x", replacing "YOUR NAME" with your real name.

Challenges

The image above is worth 10 pts.

For extra credit, analyze the other three crackme files and find their passwords. Include those passwords in the body of your email message. Each correct recovered password is worth 5 additional points.

Turning in your Project

Email the image and the other recovered passwords to cnit.128sam@gmail.com with the subject line: Proj 11x from YOUR NAME

References

Ghidra Installation Guide


Posted 3-7-19