Learning All About Ghidra – Inside a Class with Craig Young
I was recently tasked with reverse engineering (RE) some mobile apps. The actual task was to “learn” to RE – I don’t actually know how to do it, so it’s a good thing it’s more of a learning experience than an actual security job.
And the task wasn’t really to RE apps. It was “do a security check on these mobile apps.” I’ve never done that and didn’t even know where to start. RE? Disassemble? Decompile? Which one? Or is it something else?
And what after that? After I pick a method of viewing the mobile app, which program do I use? Online or Offline? dotPeek? Visual Studio? Android Studio? Hopper? Or others?
And which one works for the mobile app? APK or iOS, Windows or Linux, Paid or Free, online vs. local, add-in or standalone?
So many questions. So, naturally, I chose Ghidra!
What is Ghidra?
Why would I even want to learn about Ghidra? And how do you pronounce it? I thought it was pronounced “HIGH-druh” like the multi-headed monster in Greek mythology. I thought of this pronunciation because of the icon of the dragon/serpent, though it doesn’t have multiple heads. But it’s pronounced “Gee-druh.” Oh, well. It still seemed to be a great tool which, at the time, I didn’t know how to use with any proficiency. But it was so prevalent that I HAD to give it a try.
On a related tangent, here’s a short Twitter thread that talks a little about what might be the reasoning and meaning behind the logo:
Back to “Why would someone learn Ghidra?” It could be because one has an interest in NSA tools. Or it could be because one wants a free tool for reverse engineering. Or it could be that one has been tasked with better understanding internally developed apps. I’m in the third category, with a strong emphasis on the second category.
Craig Young at ISACA
When I found out that Craig Young was going to teach a Ghidra class for ISACA members, I was thrilled! (I would have loved to have attended his Black Hat sessions, but that wasn’t going to be possible.)
I made sure I took those days off work so that I wouldn’t get interrupted.
While the class was designed more for those with RE skills, I was able to follow along because I’ve had some exposure to RE. I had fumbled along with Ghidra but couldn’t quite get around it; Craig’s class was a welcome helping hand with the mire in which I’d gotten myself stuck.
Class #1
For the first class, I used my work laptop because I already had Ghidra installed and had upgraded to the most recent Ghidra version. I saved my notes to my corporate OneNote. I could use Evernote or Cherry Tree or any number of other systems, but one handy feature of OneNote is being able to copy the text from a picture (works best with light background and dark text). I was so proud of myself for being prepared! (This sense of delight didn’t last forever, but we take what we can get, right?)
In this first class (a four-hour session), Craig guided us in creating projects in Ghidra, importing files, and performing basic analysis and manipulation of disassembled and decompiled functions.
Craig is one of those instructors who, it’s easy to tell, knows what he’s talking about. He has to stop himself from going further into a topic; while relevant to the topic, it would distract from the overall class material. And there are the other paths that could be taken and avenues he could go down, but there’s only so much time. I enjoy that kind of teaching – informal, unscripted, willing to take a tangent, and all useful material.
Class #2
For the second class, I used my personal laptop. Soon after the class started, I realized I didn’t have Ghidra on there! So, I scrambled to install it before things really got going. (We don’t want the teacher to know we’re not prepared, right?) For notetaking, I had to use my personal Evernote. I don’t have access to my work OneNote from my own laptop, so now it’s spaced across two disparate systems for both learning and for note-taking. I wasn’t so proud this time, feeling (rightfully so) like a newbie – a little tense for me, but I got over it (hooray for remote learning with no cameras on). But learning is half being prepared, half being experienced, half paying attention, and half adapting. (Yes, learning takes 200%).
We jumped into a Challenge right away! Craig used Strings1 from MalwareTech. You can find this and other reversing challenges on MalwareTech’s page here: https://www.malwaretech.com/beginner-malware-reversing-challenges.
We also dove into Finding Scalars, Bookmarks (Ctrl + B), and Exporting.
The second challenge in Class 2 was solving Strings2 from MalwareTech, Decoding Stack Strings. (See here for more information on this: https://www.tripwire.com/state-of-security/security-data-protection/ghidra-101-decoding-stack-strings/.)
The third Challenge was (are you ready?) analyzing Strings3 from https://www.malwaretech.com/strings3.
In case you wonder what we were staring at for so long, here’s a sample visual:
There was Scripting (for automating analysis), Program Diffing (compare 2 programs), and importing symbols from the Microsoft Program Database (providing debugging information).
I was glad that I took a lot of notes. There was way too much for me to remember from the eight hours, and I can review as needed. (Thanks for the digital memories.)
Craig gave plenty of time to instruct and even more time to allow for us to work through the challenges. I really appreciated that. I’ve never had that in a session before, but Craig obviously knows what it’s like to be a student exploring something technically new, especially this kind of content where it just simply takes time staring at the screen, thinking, and clicking around to find the missing pieces and put them together in an arrangement that is unknown to the puzzler. The concept reminds me of caving. (The kind where you step into pitch black, strap on a flashlight, crawl through mud, squeeze through tight spaces, etc.) There’s no hurry, no pushing and shoving, taking time to reconnoiter. One just has to do it, and there’s no one right way to do it. Fortunately, I was in a well-lit room and had plenty to snack on while I worked through things (and no mud or bats).
If you ever get a chance to take a class with Craig, please do. And be prepared to take notes – in one place.
P.S.: For some extra Ghidra fun: the binary for the bytes emerging from the dragon’s mouth is ASCII and actually presents a message.
See this thread here: https://github.com/NationalSecurityAgency/ghidra/issues/115.
Here’s the cleaned-up binary:
0
1
00
1000
0110
010
1011
0110
00110
11000
11011
110010
000001
010111
011011
1101110
0100110
11000110
01000010
0001
You can verify this when you put this into a decoder (I double-checked with CyberChef, using the “From Binary” recipe: https://gchq.github.io/CyberChef/#recipe=From_Binary('Space',8)).
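The same check done offline, as an added example that is not part of the original post: the rows in the listing above have unequal lengths, so they have to be joined into one bit stream before being cut into 8-bit ASCII values. The helper name `decode_bit_rows` is hypothetical, and `LOGO_ROWS` is copied from the listing.

```python
# Added example: decode the ragged rows of bits from the Ghidra logo.
# decode_bit_rows is a hypothetical helper, not part of Ghidra or CyberChef.

# Rows copied from the "cleaned-up binary" listing in this post.
LOGO_ROWS = """
0 1 00 1000 0110 010 1011 0110 00110 11000
11011 110010 000001 010111 011011 1101110
0100110 11000110 01000010 0001
""".split()


def decode_bit_rows(rows, width=8):
    """Join rows of '0'/'1' characters and decode them as fixed-width ASCII."""
    # Row boundaries in the logo are layout only; byte boundaries come
    # from the continuous stream.
    bits = "".join(rows)

    bad = set(bits) - {"0", "1"}
    if bad:
        raise ValueError(f"non-binary characters in input: {sorted(bad)}")

    # A stream that does not divide evenly means a row was dropped or
    # mistyped while transcribing the image.
    if len(bits) % width:
        raise ValueError(f"{len(bits)} bits is not a multiple of {width}")

    codes = [int(bits[i:i + width], 2) for i in range(0, len(bits), width)]

    # Values above 0x7F are not ASCII and point to a wrong width or offset.
    if any(code > 0x7F for code in codes):
        raise ValueError("value outside 7-bit ASCII; wrong width or offset?")

    return bytes(codes).decode("ascii")


if __name__ == "__main__":
    print(decode_bit_rows(LOGO_ROWS))
```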
About the Author: Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company’s BCP/DR TTX, and is a HIPAA Security Officer. Over the course of his 20 year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP and CompTIA’s Security + certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.