Information Security Lab 5 | Disassembly Tools

Series: Information Security Lab


1. Ghidra

One of the static analysis tools we can use to disassemble code is Ghidra, a free and open-source reverse engineering tool developed by the United States National Security Agency.

First, let’s download the Ghidra 9.2.3 release archive from the official Ghidra website,

$ cd ~/cs6265-tut/
$ curl https://ghidra-sre.org/ghidra_9.2.3_PUBLIC_20210325.zip > ghidra_9.2.3_PUBLIC_20210325.zip

Then, let’s unzip the archive and change into the extracted directory,

$ unzip ghidra_9.2.3_PUBLIC_20210325.zip
$ cd ghidra_9.2.3_PUBLIC

In this directory, we change the mode of the file ghidraRun to 777 so that it is executable, and then run it,

$ chmod 777 ghidraRun
$ ./ghidraRun

After that, we can create a project directory via “File” -> “New Project”. Select “Non-Shared Project”, specify a “Project Name”, and finally drag our local crackme0x00 into the folder just created.

Then let’s double-click the binary to analyze it. To examine it, click main under Symbol Tree. This takes us to the assembly view of the text segment at that symbol, with Ghidra’s decompiled C code for main shown in a synced view side-by-side.

The decompiled C code for main is,

int main(int argc,char **argv)
{
    int iVar1;
    char buf [16];

    puts("IOLI Crackme Level 0x00");
    printf("Password: ");
    scanf("%s",buf);
    iVar1 = strcmp(buf,"250381");
    if (iVar1 == 0) {
        puts("Password OK :)");
        print_key("lab01:tutorial");
    }
    else {
        puts("Invalid Password!");
    }
    return 0;
}

From here we can clearly see that main compares the input buffer against the string literal "250381" with strcmp, so the password of crackme0x00 must be 250381.
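As an added example (not the lab's or the crackme's own code), here is the logic of the decompiled main rewritten with a bounded read in place of scanf("%s", buf) into the 16-byte buffer, keeping the same strcmp against "250381" so it maps onto the listing above. The names read_line, check_password and crackme_check are introduced here, and the password is kept as a cleartext literal only to mirror the binary, which is exactly why the decompiler could display it.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16          /* same size as char buf[16] in the decompiled main */
#define PASSWORD "250381"    /* the cleartext literal the decompiler exposed */
enum { READ_OK = 0, READ_EOF = -1, READ_TOO_LONG = -2 };

/* Bounded replacement for scanf("%s", buf): reads at most n-1 bytes, strips
 * the trailing newline, and reports a line that did not fit instead of
 * writing past the buffer; the rest of an over-long line is drained. */
int read_line(FILE *in, char *buf, size_t n)
{
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return READ_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return READ_OK;
    }
    /* No newline seen: the line fit exactly, input ended, or it was too long. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return READ_OK;
    while ((c = fgetc(in)) != EOF && c != '\n') { }
    return READ_TOO_LONG;
}

/* The comparison the decompiled main performs; a cleartext literal in .rodata. */
int check_password(const char *candidate)
{
    return strcmp(candidate, PASSWORD) == 0;
}

/* Returns 1 when the password read from `in` is accepted, 0 otherwise. */
int crackme_check(FILE *in)
{
    char buf[BUF_SIZE];
    if (read_line(in, buf, sizeof buf) != READ_OK)
        return 0;
    return check_password(buf);
}

int main(void)
{
    puts("IOLI Crackme Level 0x00");
    printf("Password: ");
    fflush(stdout);
    puts(crackme_check(stdin) ? "Password OK :)" : "Invalid Password!");
    return 0;
}
```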

Finally, let’s add a shortcut for Ghidra. First, open .bashrc with vim,

$ vi ~/.bashrc

Then, let’s add the following lines to the file,

# alias for ghidra
alias ghidra="~/cs6265-tut/ghidra_9.2.3_PUBLIC/ghidraRun"

Then we save the file and reload the shell configuration with,

$ source ~/.bashrc

Finally, we can open Ghidra directly with,

$ ghidra

2. IDA

Another tool we can use to disassemble a binary is the Interactive Disassembler (a.k.a. IDA). Commonly there are IDA (for 32-bit disassembly) and IDA64 (for 64-bit disassembly), and they are not free. The following tables show the logic of the main function; we can also find the password from this analysis.