Ghidra
Ghidra is a reverse engineering suite that the National Security Agency created.
You can get Ghidra from HERE
Ghidra requires a 64-bit Java 11 Runtime and Development Kit. It can be found here:
Install Instructions:
- Windows 7, Windows 10 (64bit) and macOS (OS X) 10.8.3+
- Linux
- For Arch/Manjaro:
pamac build ghidra
- For Ubuntu there seems to be an install script located HERE
Ghidra's Github can be found here
Starting Ghidra is fairly simple. On startup you will be asked to make a project. The first option that you will have to choose is whether to make the project Shared or not. Unless you have a need for a shared project you should select the Non-Shared Project option. The next set of options are directory and name. Put in whatever name you would like and adjust the directory accordingly.
Now that you have a project made you will be shown the project main window. This is the window where you can add the files that are to be decompiled. You can either drag and drop files into the list to add them or use the file browser to select them. You can add as many files as you want to this view.
Once you have added the file or files you want to decompile to the list, you simply have to double click the file you want to start with. This will make a nice little dragon appear and open a new window. This window is where the file will be decompiled. After the file is done loading a message will pop up and say "This File has not been analyzed yet". You can run with the normal analyzers or you can pick and choose. I personally use all of them because... well I don't know why. This is about the extent of my knowledge when it comes to Ghidra and reverse engineering.
The first way that you can look for keys is with the use of data types. If you look at the bottom left corner of the CodeBrowser you will find the 'Data Type Manager'. Using the 'Data Type Manager' we can view the data types of the file we are looking at. If you expand 'BuiltInTypes' you can find an entry for strings. By right clicking on string you can find all instances of strings within the file. This is how I found the different versions of base64 within CricutDevice.exe. Searching strings can also give some insight into how the program runs. They have left many of the custom Exceptions in there.
I do not have much experience with reverse engineering. Because of this I started to look around for plug-ins that would help with our search. I ended up finding a GitHub repository with several interesting plugins. You can find that repository here. I zeroed in on a python plugin called Py-findcrypt-ghidra. It seems like a good script to run our .exes through.
On the Github page they suggest just cloning the repository and adding that folder to the scripts manager in Ghidra. Start by cloning it with:
git clone https://github.com/AllsafeCyberSecurity/py-findcrypt-ghidra.git
Once it is cloned it is really easy to add it to the script manager. To open the script manager:
Inside of the CodeBrowser click Window -> Script Manager
Once the Script Manager is opened you need to click the Manage Script Directories button. It is to the left of the red plus sign (Help button) in the top right of the window. From the new window that pops up you need to select the green plus sign in the top right of the window. There is where you will browse and find the py-findcrypt-ghidra directory. Hit OK after you select it and the path will be added. It did require me to exit out of the script manager and re-enter in order for it to pop up.
After you have the file analyzed and the script installed it is a fairly straightforward task. If the script manager is closed you will need to open it. Near the bottom of the window there is a filter box. If you type findcrypt into it, the script will be easy to find. By highlighting this script a green play button will be activated (turn green) in the upper right corner of the script manager. Simply press the button and the script will be run on the current file in the CodeBrowser (I think so. It may also run on the CodeBrowser that the script manager was opened from).
Once it is completed you will find the output of the script at the bottom of the CodeBrowser. It will link what was found and what type of encryption key (or whatever it is) was found. You can click on the address that it found and it will pull up that code block in the listing window (the big center window).
What I have found is that on my machines these codes are not classified by Ghidra. From what I have read and watched it appears that Ghidra does not have a scheme for this information. I have noticed that if I highlight the blocks and adjust the data type to Char there is quite a bit of readable information in there. However, I am not sure what to make of the blocks that do not translate to chars. This section of the wiki is a TODO.
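As an added illustration (this is not code from the wiki, from Ghidra, or from py-findcrypt-ghidra), the stand-alone Python script below does in miniature what a findcrypt-style scanner does: it searches a binary image for well-known constants (the base64 alphabets mentioned above, the AES S-box prefix, the SHA-256 initial state) and reports their offsets. It also covers the two other points above: `find_strings` approximates the Data Type Manager string search, including UTF-16LE strings that a Windows .exe typically contains, and `classify_block` answers the question of which reported blocks make sense when the data type is set to Char and which are lookup tables or key material better read as hex. The signature list is a small constructed subset, not findcrypt's database, and the sample image, including the string `InvalidKeyException` and `WideStringSample`, is constructed for the example.

```python
from __future__ import annotations

import re
import string

# Well-known constants that encoding and crypto routines embed verbatim. The
# two base64 alphabets are the tables the wiki found by string search; the AES
# S-box prefix and the SHA-256 initial state are published constants. The set
# is a constructed subset for illustration, not findcrypt's signature list.
_B64_CORE = (string.ascii_uppercase + string.ascii_lowercase + string.digits).encode()
SIGNATURES: dict[str, bytes] = {
    "base64_alphabet_standard": _B64_CORE + b"+/",
    "base64_alphabet_urlsafe": _B64_CORE + b"-_",
    "aes_sbox_prefix": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
    "sha256_initial_state_le": b"".join(
        v.to_bytes(4, "little")
        for v in (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A)
    ),
}


def scan_constants(image: bytes) -> list[dict]:
    """Report each occurrence of a known constant as {name, offset, length},
    sorted by offset; this is the core of what findcrypt-style scripts do."""
    hits = []
    for name, sig in SIGNATURES.items():
        start = 0
        while (pos := image.find(sig, start)) != -1:
            hits.append({"name": name, "offset": pos, "length": len(sig)})
            start = pos + 1
    return sorted(hits, key=lambda h: h["offset"])


def find_strings(image: bytes, min_len: int = 4) -> list[tuple[int, str, str]]:
    """Approximate the Data Type Manager string search: runs of printable ASCII
    and runs of UTF-16LE (the encoding Windows and .NET binaries use for most
    text). Returns (offset, encoding, text) tuples sorted by offset."""
    ascii_run = rb"[\x20-\x7e]{%d,}" % min_len
    utf16_run = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in re.finditer(ascii_run, image)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in re.finditer(utf16_run, image)]
    return sorted(found)


def classify_block(data: bytes) -> str:
    """Suggest how to view a block the scanner pointed at: 'char' when every
    byte is printable ASCII (the case where setting the data type to Char
    yields readable text), otherwise 'binary' (a lookup table or key material,
    best read as hex rather than forced into chars)."""
    if data and all(0x20 <= b < 0x7F for b in data):
        return "char"
    return "binary"


def build_sample_image() -> bytes:
    """Constructed sample image, not a real executable: null filler around an
    exception-name string, the standard base64 alphabet, the AES S-box prefix
    and one UTF-16LE string."""
    pad = b"\x00" * 32
    return (pad + b"InvalidKeyException\x00" + pad
            + SIGNATURES["base64_alphabet_standard"] + pad
            + SIGNATURES["aes_sbox_prefix"] + pad
            + "WideStringSample".encode("utf-16le") + pad)


if __name__ == "__main__":
    image = build_sample_image()
    for hit in scan_constants(image):
        block = image[hit["offset"]:hit["offset"] + hit["length"]]
        print(f"0x{hit['offset']:08x} {hit['name']:<26} view as {classify_block(block)}")
    for offset, encoding, text in find_strings(image):
        print(f"0x{offset:08x} {encoding:<8} {text!r}")
```

Run against the sample image, the scanner reports the base64 alphabet (which `classify_block` marks as `char`, matching the readable blocks described above) and the AES S-box prefix (marked `binary`). The string search also returns the alphabet itself, which is the same thing the Data Type Manager string listing showed, plus a four-character run `c|w{` from the start of the S-box: the first four S-box bytes happen to be printable, and short accidental runs like this are the noise any string search produces, so raising `min_len` trims them at the cost of missing genuine short strings. On a real file, the offsets are file offsets; Ghidra's listing shows virtual addresses, so the image base must be added to compare.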