The document outlines the features of Ghidra, a software reverse engineering tool, focusing on advanced functionalities such as loading external libraries, patch analysis, checksum generation, and P-Code review. It also covers Ghidra extensions, development environment setup, and scripting in Python. The session serves as a wrap-up for the course, inviting feedback and questions from participants.

Introduction to Software Reverse Engineering with Ghidra

Session 4: Ghidra Features
Hackaday U
Matthew Alt

7/13/2020 Hackaday U – Introduction to Software Reverse Engineering 1


#Outline: Advanced Features
• Ghidra Features
  • Loading external libraries
  • Patch analysis / diffing
  • Checksum Generation
  • P-Code Review
• Ghidra Extensions
  • Setting up a development environment
  • Python Scripting
• Course Wrap-up


#Course Administration
• This is our final session for the course!
• Feedback and thoughts on the course are welcome!
  • Fill out the Google form to provide more feedback (released later this week!)
• Office hours will be Thursday at 6:00 ET
• Questions can also be submitted through:
  • Hackaday.io chat room
  • Hackaday messaging


#Session Goals
• Review more Ghidra features
  • Patch analysis
  • Memory Manager
  • Extension via scripting
  • P-Code and analysis
• Ghidra Development and Scripting
  • Setting up an Eclipse based development environment
  • Scripting examples
• Course Wrap-up and conclusion
  • Review materials we’ve covered
  • Take final questions


#External Libraries
• Ghidra can be used to analyze external libraries utilized by your target binary
  • Shared objects, DLLs, etc.
• Ghidra can import and analyze these external libraries
  • This can be done at load time or after initial analysis
• Loading external libraries can assist with auto analysis
  • Type recognition and function prototype generation


#External Libraries: Example

[Screenshot callout] Additional libraries that were recognized in the ELF header were not found!


#Ghidra Tip: Patch Diffing
• Ghidra allows for version tracking of all imported binaries
  • This makes collaboration when reversing simpler
• When using the version tracker, files are checked in and out of the project
  • Similar to a git workflow
• This version tracking feature can also be used to track patches and changes to binaries


#Patch Diffing: Example

[Screenshot callouts]
• Click here to start the version tracking wizard!
• Correlations can be sorted by clicking the corresponding column
• Click here to add additional correlations to be tracked
• Run the precondition checks to prevent any errors


#Ghidra Tip: Checksum Tool
• Ghidra contains a built-in checksum generator
• Multiple types of checksums can be generated
  • CRC-16/32
  • MD2/5
  • SHA1/256/384
• Checksums can have various operations applied to them
  • 1’s/2’s complement
  • Recompute with carry / xor


#Ghidra Tip: Checksum Tool


#Ghidra Tip: Memory Manager
• Memory regions can be added manually via Ghidra’s Memory Map tool
  • This is often used when looking at firmware images
  • Programs can be rebased from this tool as well
• Each memory region has the following attributes in the manager
  • Start address
  • Size/End address
  • Read / Write / Execute
  • Overlay


#Ghidra Tip: Memory Manager


#Ghidra Tip: Memory Manager
• Binary files can be imported into memory regions
  • This is useful for RAM dumps if you can acquire them!
  • File -> Add to Program
• Some memory regions can be set up as overlay blocks
  • Useful for older consoles with regions that can be bank switched
• The memory manager functionality can also be instrumented via Ghidra’s API
  • This is how loaders automatically generate appropriate regions!


#Ghidra: Internals
• One of Ghidra’s most powerful features is having a decompiler for each processor that it supports
• To implement a processor module in Ghidra, one must first write a processor module in SLEIGH
• This processor module will handle:
  • Decoding of bytes to assembly code (disassembly)
  • Generation of Pcode
  • Generation of decompilation based on Pcode


#SLEIGH: Overview
• SLEIGH specifies the translation from assembly code to P-Code
• SLEIGH is the language that is used to create processor modules for Ghidra
• SLEIGH modules define the processor’s instructions, registers and features
  • Examples are found at Ghidra/Processors
• SLEIGH modules are used for both disassembly and P-Code creation
  • P-Code is what is analyzed by the decompiler


#Sleigh: 6502 Example
• Each processor definition will consist of the following files:
  • CPU.cspec
  • CPU.ldefs
  • CPU.pspec
  • CPU.slaspec
• LDEFS: Language definitions
• PSPEC: Processor Specification
• CSPEC: Compiler Specification
• SLASPEC: SLEIGH Specification


#Sleigh: 6502 Example - LDEFS
<language processor="6502"
          endian="little"
          size="16"
          variant="default"
          version="1.0"
          slafile="6502.sla"
          processorspec="6502.pspec"
          manualindexfile="../manuals/6502.idx"
          id="6502:LE:16:default">
  <description>6502 Microcontroller Family</description>
  <compiler name="default" spec="6502.cspec" id="default"/>
  <external_name tool="IDA-PRO" name="m6502"/>
  <external_name tool="IDA-PRO" name="m65c02"/>
</language>

Language definitions include endianness and size, as well as definitions for the rest of the specification files for this particular processor.


#Sleigh: 6502 Example - PSPEC
<programcounter register="PC"/>
<default_symbols>
  <symbol name="PORTA" address="0"/>
  <symbol name="PORTB" address="1"/>
  <symbol name="PORTC" address="2"/>
  <symbol name="PORTD" address="3"/>
  <symbol name="DDRA" address="4"/>
  <symbol name="DDRB" address="5"/>
  <symbol name="DDRC" address="6"/>
  <symbol name="DDRD" address="7"/>
  <symbol name="SPCR" address="A"/>
  <symbol name="SPSR" address="B"/>
  <symbol name="SPDR" address="C"/>
  <symbol name="BAUD" address="D"/>
  <symbol name="SCCR1" address="E"/>
  <symbol name="SCCR2" address="F"/>
  <symbol name="SCSR" address="10"/>
  <symbol name="SCDAT" address="11"/>
  <symbol name="TCR" address="12"/>
  <symbol name="TSR" address="13"/>
  <symbol name="ICHR" address="14"/>
  <symbol name="ICLR" address="15"/>
  <symbol name="OCHR" address="16"/>
  <symbol name="OCLR" address="17"/>
  <symbol name="CHR" address="18"/>
  <symbol name="CLR" address="19"/>
  <symbol name="ACHR" address="1A"/>
  <symbol name="ACLR" address="1B"/>
  <symbol name="NMI" address="FFFA" entry="true" type="code_ptr"/>
  <symbol name="RES" address="FFFC" entry="true" type="code_ptr"/>
  <symbol name="IRQ" address="FFFE" entry="true" type="code_ptr"/>
</default_symbols>
<default_memory_blocks>
  <memory_block name="LOW_RAM" start_address="0x0000" length="0x0100" initialized="false"/>
  <memory_block name="STACK" start_address="0x0100" length="0x0100" initialized="false"/>
</default_memory_blocks>

The Processor Specification is used to define processor specific information such as:
• Program Counter
• Reset Vectors
• Interrupt Handlers
• Memory Mapped IO
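As an added example (my code, not part of the course slides), a small parser for the .pspec fragment above: it reads the default memory blocks and default symbols and reports which symbols no default block covers. For the 6502 that is the three vectors at FFFA-FFFE, which is exactly why a ROM region has to be added in the Memory Map tool before those entry points resolve. The embedded pspec text is a constructed, trimmed excerpt of the file shown on the slide.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the 6502 .pspec on the slide: the symbol list is
# trimmed to a few entries, the memory blocks are the two the slide defines.
PSPEC_6502 = """<processor_spec>
  <programcounter register="PC"/>
  <default_symbols>
    <symbol name="PORTA" address="0"/>
    <symbol name="SPCR" address="A"/>
    <symbol name="ACLR" address="1B"/>
    <symbol name="NMI" address="FFFA" entry="true" type="code_ptr"/>
    <symbol name="RES" address="FFFC" entry="true" type="code_ptr"/>
    <symbol name="IRQ" address="FFFE" entry="true" type="code_ptr"/>
  </default_symbols>
  <default_memory_blocks>
    <memory_block name="LOW_RAM" start_address="0x0000" length="0x0100" initialized="false"/>
    <memory_block name="STACK" start_address="0x0100" length="0x0100" initialized="false"/>
  </default_memory_blocks>
</processor_spec>"""

def parse_pspec(text):
    """Return (blocks, symbols): blocks as (name, start, end_inclusive),
    symbols as (name, address, is_entry). Addresses are hex, with or without 0x."""
    root = ET.fromstring(text)
    blocks = []
    for b in root.iter("memory_block"):
        start = int(b.get("start_address"), 16)
        blocks.append((b.get("name"), start, start + int(b.get("length"), 16) - 1))
    symbols = [(s.get("name"), int(s.get("address"), 16), s.get("entry") == "true")
               for s in root.iter("symbol")]
    return blocks, symbols

def covering_block(blocks, addr):
    """Name of the default block that contains addr, or None if nothing maps it."""
    for name, lo, hi in blocks:
        if lo <= addr <= hi:
            return name
    return None

def unmapped_symbols(blocks, symbols):
    """Default symbols that fall outside every default block. For the 6502 these
    are the NMI/RES/IRQ vectors: the pspec names them, but the ROM holding them
    must be added as a region in the Memory Map tool."""
    return [name for name, addr, _ in symbols if covering_block(blocks, addr) is None]

def overlapping_blocks(blocks):
    """Pairs of default blocks whose ranges intersect; Ghidra's memory manager
    does not accept overlapping blocks unless one is an overlay."""
    return [(a[0], b[0]) for i, a in enumerate(blocks) for b in blocks[i + 1:]
            if a[1] <= b[2] and b[1] <= a[2]]
```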


#Sleigh: 6502 Example - CSPEC
<compiler_spec>
  <global>
    <range space="RAM"/>
  </global>
  <stackpointer register="SP" space="RAM" growth="negative"/>
  <returnaddress>
    <varnode space="stack" offset="1" size="2"/>
  </returnaddress>
  <default_proto>
    <prototype name="__stdcall" extrapop="2" stackshift="2" strategy="register">
      <input>
        <pentry minsize="1" maxsize="1">
          <register name="A"/>
        </pentry>
        <pentry minsize="1" maxsize="1">
          <register name="X"/>
        </pentry>
        <pentry minsize="1" maxsize="1">
          <register name="Y"/>
        </pentry>
      </input>
      <output>
        <pentry minsize="1" maxsize="1">
          <register name="A"/>
        </pentry>
      </output>
      <unaffected>
        <register name="SP"/>
      </unaffected>
    </prototype>
  </default_proto>
</compiler_spec>

The Compiler Specification defines things such as:
• Sizes for various data types
• Alignment rules / directives
• Stack growth / behavior
• Function prototypes
• Calling conventions


#Sleigh: 6502 Example - SLASPEC
The SLASPEC file contains things such as:
• Alignment definitions
• Address space definitions
• Register definitions
• Instruction definitions

define endian=little;
define alignment=1;

define space RAM type=ram_space size=2 default;
define space register type=register_space size=1;

define register offset=0x00 size=1 [ A X Y P ];
define register offset=0x20 size=2 [ PC SP ];
define register offset=0x20 size=1 [ PCL PCH S SH ];
define register offset=0x30 size=1 [ N V B D I Z C ]; # status bits

# Immediate
OP1: "#"imm8 is bbb=2; imm8 { tmp:1 = imm8; export tmp; }
# Zero Page
OP1: imm8 is bbb=1; imm8 { export *:1 imm8; }

:STA OP1 is (cc=1 & aaa=4) ... & OP1
{
  OP1 = A;
  resultFlags(A);
}

SLASPEC defines how instructions are decoded / disassembled:
• Defines the parameters for disassembly
• Defines how instructions are shown in the listing


#P-Code: Overview
• Designed to be capable of modeling a general purpose processor
• P-Code is generated during the initial analysis process
• P-Code is a register transfer language
  • Used as an abstraction layer for CPU specific functions
  • Intermediate representation of assembly code
• P-Code is used to generate decompiled code


#P-Code: Example

P-code representation is very detailed and verbose
• Store value of A at RAM
• Check zero flag
• Check less than zero flag


#P-Code: Exercise
• Load the exercises in session-four/exercises/script-exercises/
  • PPC
  • ARM
  • I386
  • X86_64
• Examine the P-code for each example
  • How are they different?
  • Are they similar in any way?


#Ghidra Extension: Eclipse
• Ghidra can be extended via plugins
  • Loaders
  • Scripts
  • Modules
• These extensions can be developed in Eclipse using the GhidraDev plugin included with Ghidra
• Ghidra provides both a Java and Python API


#Ghidra Extension: Eclipse


#Ghidra Script Project Creation


#Ghidra Scripts: Python
• Ghidra scripts can be written in Python as well as Java
  • Requires the PyDev plugin for Eclipse integration
• Ghidra also features a Python shell
  • Window -> Python
• The Python interpreter can utilize the FlatProgramAPI
  • This is what we will focus on!


#Ghidra Scripts: Globals
• Ghidra creates multiple global variables for use while scripting
  • currentAddress
  • currentHighlight
  • currentProgram
  • currentSelection
  • currentLocation
• All of these can be used to determine information relevant to your current cursor location!


#Ghidra Scripts: Addresses
• Ghidra utilizes the Address datatype heavily within its API
  • currentAddress returns an Address object
• Address objects can NOT be treated like integers
  • They contain special functions to add and subtract
  • .add(), .subtract(), etc.
• Address objects can be created using the AddressFactory
  • currentProgram.getAddressFactory().getAddress("0x10000")


#Scripting: Data
• Data can be generated automatically via scripting
  • createByte(currentAddress)
  • createChar(currentAddress)
  • createDWord(currentAddress)
  • createAsciiString(currentAddress)
• These functions all take a Ghidra Address object as an argument
  • E.g.: createDWord(currentAddress)


#Scripting: Instructions
• Ghidra scripts can parse and operate at the instruction level
  • getInstructionAt(address)
  • Used to get an Instruction object representing the instruction at that address
• From an Instruction object multiple instruction components can be derived
  • Number of operands
  • P-code representation
  • Operand objects (scalars, etc.)


#Scripting: Instructions


#Scripting: Functions
• Ghidra’s FlatProgramAPI can be used to create and modify functions
  • Set signature, parameters, etc.
• Functions can be accessed by providing an address:
  • func = getFunctionAt(address)
• Functions can also be created at a specified address (the name may be None):
  • createFunction(address, name)


#Scripting: Functions


#Scripting: Pcode Extraction
• Pcode objects can be accessed from Instruction objects
  • inst.getPcode()
• PcodeOps describe the Pcode operations for a given instruction
• PcodeOps can be emulated using Ghidra’s Pcode emulator


#Scripting: Pcode Extraction
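An added example that ties the Addresses, Instructions, Functions and Pcode Extraction slides together (my code, not the course's): a FlatProgramAPI-style walk over one function that tallies the P-code op mnemonics each instruction emits, which is one concrete way to answer the P-Code exercise's "how are they different?" across architectures. Inside Ghidra the `api` argument would be `FlatProgramAPI(currentProgram)` from `ghidra.program.flatapi` (or the script globals) and `func` the result of `getFunctionAt(currentAddress)`; the stand-in objects at the bottom are constructed so the block also runs outside Ghidra, and their 6502 op lists are illustrative rather than Ghidra's exact output.

```python
from collections import Counter
from types import SimpleNamespace as NS


def pcode_histogram(api, func):
    """Tally the P-code op mnemonics emitted by every instruction in func.
    api  : FlatProgramAPI (in Ghidra: FlatProgramAPI(currentProgram)).
    func : ghidra.program.model.listing.Function, e.g. getFunctionAt(currentAddress).
    Addresses are only handed back to the API, never treated as integers."""
    counts = Counter()
    body = func.getBody()                      # AddressSetView of the function
    inst = api.getInstructionAt(func.getEntryPoint())
    # Follows the listing from the entry point until it leaves the body; a
    # function with several address ranges would need body.getAddresses(True).
    while inst is not None and body.contains(inst.getAddress()):
        for op in inst.getPcode():             # PcodeOp[] for this instruction
            counts[op.getMnemonic()] += 1
        inst = inst.getNext()                  # None after the last instruction
    return counts


# --- constructed stand-ins so the example runs outside Ghidra ---------------
def _inst(addr, mnemonics, nxt=None):
    """Mimics the Instruction methods used above (addresses are plain ints here)."""
    return NS(getAddress=lambda: addr,
              getPcode=lambda: [NS(getMnemonic=lambda m=m: m) for m in mnemonics],
              getNext=lambda: nxt)


def demo_program():
    """A three-instruction 6502 routine: STA zp / LDA #imm / RTS. The op lists
    follow the slide's reading of STA (store A, check zero flag, check negative
    flag); they are illustrative, not Ghidra's exact output."""
    rts = _inst(0x0604, ["INT_ADD", "LOAD", "RETURN"])
    lda = _inst(0x0602, ["COPY", "INT_EQUAL", "INT_SLESS"], rts)
    sta = _inst(0x0600, ["STORE", "INT_EQUAL", "INT_SLESS"], lda)
    table = {i.getAddress(): i for i in (sta, lda, rts)}
    api = NS(getInstructionAt=lambda a: table.get(a))
    func = NS(getEntryPoint=lambda: 0x0600,
              getBody=lambda: NS(contains=lambda a: 0x0600 <= a <= 0x0604))
    return api, func
```

Running the same function over the PPC, ARM, i386 and x86_64 exercise binaries and comparing the histograms makes the architecture-specific flag handling in the P-code visible at a glance.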


#Final Exercises
• The final exercises for this course will be pushed shortly after class today
  • Session-four/exercises/crackmes.one
• Exercises have been pulled from crackmes.one
  • They are of ascending difficulty
  • Use this site for more reversing practice!
• Source for the exercises will be released after office hours this week


#Wrap Up
• This will be the final video for this series
  • Thank you for watching and participating!
• If you have questions or commentary, please let us know for the office hour!
  • You can also fill out the Google form to give us more feedback
• Feel free to use the course chatroom to ask RE questions and Ghidra questions in the future


#Questions
