Reverse Engineering: Ghidra Review and IDA Pro Sticker Shock.
IDA Pro (just for x86) is about $5500 US. Well, clearly I didn't find that kind of money in my couch cushions, so I will have to try an alternative. Enter Ghidra. The Ghidra source is available from GitHub (the NationalSecurityAgency/ghidra repository). I have no idea how this compares to other reverse engineering software, so take this as a 'blind review' or a 'get it working' guide. I leave the pitfalls in to show how they were solved, as learning guidance for anyone following this path. I am installing onto BackBox Linux, which is based on Ubuntu.
Once you have downloaded the .tar.gz
tar -xvf ghidra-Ghidra_10.3.1_build.tar.gz
cd ghidra-Ghidra_10.3.1_build/
The build instructions in the source tree's README read as follows:
## Build
To create the latest development build for your platform from this source repository:
##### Install build tools:
* [JDK 17 64-bit][jdk17]
* [Gradle 7.3+][gradle]
* make, gcc, and g++ (Linux/macOS-only)
* [Microsoft Visual Studio][vs] 2017+ or [Microsoft C++ Build Tools][vcbuildtools] with the
following components installed (Windows-only):
- MSVC
- Windows SDK
- C++ ATL
1. Installing JDK 17 64-bit
sudo apt install openjdk-17-jdk openjdk-17-jre -y
2. Installing Gradle (the apt package that provides the snap command is snapd)
sudo apt install snapd
sudo snap install gradle
3. Install Gradle dependencies
gradle -I gradle/support/fetchDependencies.gradle init
Houston, we have a problem. Let's try seeing if it will build anyway:
gradle buildGhidra
(Note the task name is buildGhidra, one word. My first attempt typed gradle build Ghidra, which asks Gradle for a task named Ghidra that does not exist, so that was one pitfall of its own.)
Houston, more problems.
Two problems to solve: install the latest Gradle (and see if it compiles without the module), then pull a similar missing module and see if that goes.
Downloading the latest Gradle, 8.2, from the Gradle releases page:
unzip gradle-8.2-all.zip
Unzip it beside the Ghidra source directory, so that gradle-8.2/ and ghidra-Ghidra_10.3.1_build/ are siblings, then go back into the Ghidra source directory; the commands below are run from there.
Success, both fixed: call the Gradle 8.2 in the neighbouring directory and have it do the Gradle dependency init, then the build:
../gradle-8.2/bin/gradle -I gradle/support/fetchDependencies.gradle init
../gradle-8.2/bin/gradle buildGhidra
Lots goes on here. This looks like about a 5-10 minute compile at this point.
What is neat about the build is that it shows progress per core: we had 3 cores working and 9 idle, so it did not take all 16 available.
Build time came in at a respectable 5 minutes 59 seconds.
Once that is done it produces a .zip file in build/dist under the source directory:
-rw-rw-r-- 1 c c 361433570 Jul 5 19:24 ghidra_10.3.1_DEV_20230705_linux_x86_64.zip
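The build steps above, wrapped in a script that checks the two README minimums (Gradle 7.3+, JDK 17) before it spends six minutes compiling, so a too-old Gradle or JDK fails in a second instead of partway through. This is an added example, not part of the original post or of the Ghidra project; it assumes the layout used above (ghidra-Ghidra_10.3.1_build/ and gradle-8.2/ side by side) and the names GHIDRA_SRC and GRADLE_BIN are my own.

```shell
#!/usr/bin/env bash
# Added example: prerequisite checks plus the build sequence from the post.
# Assumed layout: ./ghidra-Ghidra_10.3.1_build (source) and ./gradle-8.2 (Gradle).
set -eu

GHIDRA_SRC="${GHIDRA_SRC:-ghidra-Ghidra_10.3.1_build}"
GRADLE_BIN="${GRADLE_BIN:-../gradle-8.2/bin/gradle}"   # relative to GHIDRA_SRC

# Minimums quoted from the Ghidra 10.3.1 README build section.
MIN_GRADLE_MAJOR=7
MIN_GRADLE_MINOR=3
MIN_JDK_MAJOR=17

# gradle_version_ok "X.Y[.Z]": succeed if the version is at least 7.3.
gradle_version_ok() {
    ver="$1"
    major="${ver%%.*}"
    if [ "$major" = "$ver" ]; then
        minor=0                        # bare "8" has no minor part
    else
        rest="${ver#*.}"
        minor="${rest%%.*}"
    fi
    if [ "$major" -gt "$MIN_GRADLE_MAJOR" ]; then return 0; fi
    if [ "$major" -eq "$MIN_GRADLE_MAJOR" ] && [ "$minor" -ge "$MIN_GRADLE_MINOR" ]; then return 0; fi
    return 1
}

# java_major_version "<first line of java -version>": print the major version.
# Handles both 'openjdk version "17.0.7" ...' and the legacy 'java version "1.8.0_292"'.
java_major_version() {
    q='"'
    v=${1#*$q}                         # drop everything up to the first quote
    v=${v%%$q*}                        # keep the text up to the closing quote
    major=${v%%.*}
    if [ "$major" = "1" ]; then        # legacy 1.x scheme: the real major is the next field
        v=${v#1.}
        major=${v%%.*}
    fi
    major=${major%%-*}                 # "21-ea" -> "21"
    printf '%s\n' "$major"
}

# jdk_version_ok "<first line of java -version>": succeed if major >= 17.
jdk_version_ok() {
    if [ "$(java_major_version "$1")" -ge "$MIN_JDK_MAJOR" ]; then return 0; fi
    return 1
}

# Run the checks, then the same two Gradle invocations the post ends up using.
build_ghidra() {
    cd "$GHIDRA_SRC"
    gv="$("$GRADLE_BIN" --version | awk '/^Gradle /{print $2}')"
    gradle_version_ok "$gv" || { echo "Gradle $gv is older than $MIN_GRADLE_MAJOR.$MIN_GRADLE_MINOR" >&2; return 1; }
    jv="$(java -version 2>&1 | head -n 1)"
    jdk_version_ok "$jv" || { echo "JDK too old for this build: $jv" >&2; return 1; }
    "$GRADLE_BIN" -I gradle/support/fetchDependencies.gradle init
    "$GRADLE_BIN" buildGhidra
    ls -l build/dist/ghidra_*_linux_x86_64.zip
}

# Only build when invoked as "./build-ghidra.sh build"; sourcing the file just defines the checks.
if [ "${1:-}" = "build" ]; then build_ghidra; fi
```

The version parsers are deliberately plain parameter expansion so the script works under dash as well as bash; the checks read the same output a human would eyeball (gradle --version, java -version), which is the step that was skipped when the snap Gradle was tried first.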
Now copy the .zip to your home directory and unzip it; it contains a ready-to-run Ghidra installation.
Inside the ghidra_10.3.1_DEV directory, run:
./ghidraRun
It presents a project window, along with a detailed manual pop-up and a detailed help guide.
We will create a non-shared project.
Once you have made your project it will look like this (I guess their budget for icons was a bit lacking?)
Selecting the dragon icon (the Code Browser) opens an entirely new IDE-style workspace.
We select a .exe to import and it gives some decompiler information:
Once it has finished ingesting, it gives you a status and presents a disassembly listing.
Without even stepping the code there is a pile of analyzers that can assist you.
In the bottom right a set of progress boxes shows each analyzer module being run against the code.
In the left corner it did a really good job of finding the corresponding header files associated with the executable:
In the right-hand window it automatically produced decompiled C pseudo-code, which is very impressive, but logically this might be quite confusing. I guess one could cut and paste this into CLion or some other compiler and step it.
In the Data Type Manager there is a detailed object browser, as in:
Cool plugin. Since they don't have the license for the Intel manual, they give you this installation screen:
Summary: this is a very powerful and very specialized program for quickly analyzing a binary and producing a lot of engineering-level detail about it.
This is only a partial guide, and one could spend a LONG time learning all the intricacies of this program. Anyone doing reverse engineering who is not plunking down the large $$$ for IDA Pro should definitely have this in their toolbox.