25 tweets, 7 min read
1/ So what is a "reverse engineering" tool like Ghidra? Well, I'm going to describe it in a few tweets, with screenshots.
2/ Everything in a computer exists as a file on the disk containing bytes. This includes programs, where the bytes represent machine code that the computer will run. The first thing a tool like this does is DECODE the structure of the file and figure out what these bytes mean.
3/ In this screenshot, I open up the 'masscan' program. Ghidra analyzes this file and figures out where all the code is, and breaks it down by function. I've drawn a red box around the raw bytes, the rest is how Ghidra interprets those bytes.
4/ The most basic interpretation is to convert the raw machine code into the slightly more readable ASSEMBLY LANGUAGE code, shown here in the red box. Understanding the various CPU architectures is a big feature of reverse engineering tools.
5/ Assembly is useful, but still hard to read. What would be nicer is to work with source code, such as that written in C. C is compiled into machine code. Thus, we want to DECOMPILE these bytes back into C, shown in the red box.
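The first step in tweet 2, decoding the structure of the file before any code is interpreted, is small enough to show directly. The following is an added example, not code from the thread or from Ghidra: a minimal ELF64 header parser in Python that reads the raw bytes of a Linux executable (masscan is one) and recovers the CPU architecture, file type and entry point. The sample header bytes are constructed here, and the entry address and offsets in it are made up.

```python
import struct

# ELF64 header layout (64 bytes), little-endian, as in the System V ABI.
ELF64_HDR = struct.Struct("<16sHHIQQQIHHHHHH")

# A few e_machine values from the ELF specification, enough for this demo.
MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64", 0xF3: "RISC-V"}
TYPES = {1: "relocatable", 2: "executable", 3: "shared object / PIE", 4: "core"}


def parse_elf64_header(blob: bytes) -> dict:
    """Decode the fixed-size ELF64 header at the start of a file image.

    Every field is checked before use: a decoder that trusts untrusted bytes
    is exactly the kind of attack surface a reverse engineering tool has.
    """
    if len(blob) < ELF64_HDR.size:
        raise ValueError("file too short to hold an ELF64 header")
    (ident, e_type, e_machine, e_version, e_entry, e_phoff, e_shoff,
     e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum,
     e_shstrndx) = ELF64_HDR.unpack_from(blob)
    if ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF file (bad magic)")
    if ident[4] != 2:
        raise ValueError("only ELF64 (EI_CLASS == 2) is handled here")
    if ident[5] != 1:
        raise ValueError("only little-endian (EI_DATA == 1) is handled here")
    return {
        "type": TYPES.get(e_type, f"unknown({e_type})"),
        "machine": MACHINES.get(e_machine, f"unknown({e_machine:#x})"),
        "entry": e_entry,
        "program_headers": (e_phoff, e_phnum, e_phentsize),
        "section_headers": (e_shoff, e_shnum, e_shentsize),
    }


def build_sample_header() -> bytes:
    """Constructed sample: an x86-64 executable header with made-up offsets."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    return ELF64_HDR.pack(ident, 2, 0x3E, 1, 0x401040, 64, 0x3000,
                          0, 64, 56, 9, 64, 30, 29)


if __name__ == "__main__":
    info = parse_elf64_header(build_sample_header())
    print(f"{info['machine']} {info['type']}, entry point {info['entry']:#x}")
```

To run it on a real binary, pass `open(path, "rb").read(64)` to `parse_elf64_header`; the program and section header offsets it returns are where a fuller loader would continue decoding to find the code that gets disassembled.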
6/ Ghidra is able to find the name of the function "base64_decode", because function names are kept in the compiled binary unless they are stripped out, but the rest of the variables are just named like "parm1" or "var1" because it doesn't know their names.
7/ And here is where things get exciting for reverse engineering tools: I can figure this out myself and ANNOTATE the disassembled/decompiled code. I keep annotating more, documenting what I figure out as I go along.
8/ I click on it once, change the variable name from "uParm4" to "src_length", and it renames the variable through all the disassembled/decompiled code, as shown in the red boxes here.
9/ The bottom pane of these screenshots is "scripting". Instead of figuring out things manually, I can write a script to do something, either my own, or one a fellow reverse engineer has written that does some particularly clever analysis to discover some aspect of the code.
10/ One thing you look for in code is error messages, which explain things to the user. They also tell us reverse engineers what the surrounding code is doing, such as this one, where the code is obviously testing for out-of-memory errors.
11/ So when @MalwareTechBlog found the "kill switch" for WannaCry, it's because the name was a "string", one of the first things we reverse engineers look for. He was simply the first to find what would've been found quickly anyway.
12/ So why is Ghidra important? Well, because the standard tools in the industry, "IDApro" and "HexRays" are expensive, costing thousands of dollars per year. Ghidra is free. It may not be as good, but it seems to cover all the basics.
13/ Anyway, I've only used the product for 5 minutes. I'll probably get around to writing a more substantial blogpost on it sometime soon.
14/ Oh, I forgot another thing: navigation. When reverse engineering a function, you want to know who calls the function, and who this function calls.
15/ Also, instead of viewing the code as a sequence of instructions, you want to break it apart and see the various chunks and how they interact with each other.
16/ "Why did the NSA release this?"
1. because it costs them a lot of money to maintain/improve the product; by open-sourcing it, they'll get contributions from the community
2. it costs money to train, now students will leave college trained on this
17/ My biggest guess is PR and recruitment. It gets people excited about working with and for the NSA, rather than seeing it as a secretive faceless enemy.
18/ To resolve this controversy quickly before it gets out of hand: the 'G' in 'Ghidra' is pronounced the same as in 'GIF'.
19/ What are we reverse engineering?
- finding software vulns to exploit with 0days
- figuring out what malware/viruses do against us
- hacking games
- discovering competitor's trade secrets
- bypassing copyright.
The last is a no-no (DMCA).
20/ No, it doesn't come with a backdoor. It's just that "debug mode" is enabled when you launch it with "debug mode". I didn't launch it with debug mode, so for me, debug mode isn't enabled.
21/ That debug mode listens on 0.0.0.0 instead of 127.0.0.1 by default is certainly a bug, but it's not a backdoor.
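The loopback-versus-all-interfaces distinction in tweet 21 is something you can check on your own machine. As an added example, not from the thread, here is a short Python audit that reads `ss -ltn`-style output and reports every listener that is not bound to loopback, classifying 0.0.0.0 and :: as reachable from any interface. The sample output and the port number 18999 are constructed for the demo, not Ghidra's real values.

```python
import ipaddress

# Constructed sample in the layout of `ss -ltn` output (not a real capture).
# Port 18999 is a placeholder for "some debug listener", not Ghidra's actual port.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       50      0.0.0.0:18999        0.0.0.0:*
LISTEN  0       50      [::]:18999           [::]:*
LISTEN  0       128     [::1]:6010           [::]:*
LISTEN  0       4096    192.168.1.10:5000    0.0.0.0:*
"""


def split_addr_port(local: str):
    """'127.0.0.1:631' -> ('127.0.0.1', 631); '[::]:18999' -> ('::', 18999)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def exposure(host: str) -> str:
    """Classify a bind address: 'loopback', 'all-interfaces', or 'specific'."""
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:          # 0.0.0.0 or ::
        return "all-interfaces"
    return "specific"


def audit_listeners(ss_output: str):
    """Return (port, host, verdict) for every LISTEN line not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                # skip the header and anything not listening
        host, port = split_addr_port(fields[3])
        verdict = exposure(host)
        if verdict != "loopback":
            findings.append((port, host, verdict))
    return findings


if __name__ == "__main__":
    for port, host, verdict in audit_listeners(SAMPLE_SS):
        print(f"port {port:5} bound to {host:15} -> {verdict}")
```

On a real Linux box, feed it `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout`; a debug or RPC port showing up as "all-interfaces" is the bug the tweet describes, and the fix is to bind it to 127.0.0.1 (or firewall it) rather than to treat it as a backdoor.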
22/ I mean, the NSA may be evil, but O M G THEY ARE SMARTER THAN THIS. Putting obvious backdoors in a reverse engineering tool designed to find backdoors is, well, not smart.
23/ Of course, at some point we are going to find an exploitable "bug" in Ghidra's code, and at that point we'll get to have endless debates about whether it's an unintentional or intentional "bug". :-)
24/ Decoding stuff is a huge attack surface, lots of bugs. A bug in how Ghidra decodes X that can be exploited means I can put X in my thing, and when my enemy tries to reverse engineer my thing, I pwn them.
25/ Yes, you should really run this in a VM/sandbox environment. A common self-own using the competing IDApro has been to run the code (IDApro is also a debugger) when analyzing viruses.
Thread author: Robᵉʳᵗ Graham