Introduction to Reverse Engineering with Ghidra

Learn how to reverse engineer software using Ghidra! This four-session course will walk you through the basics.

The purpose of this course is to provide an introductory overview of how to reverse engineer software with Ghidra. It consists of multiple hands-on exercises and labs that give students the practical skills needed to reverse engineer software with Ghidra. All exercises are written for a modern x86_64 target running Linux. After attending these sessions, students will be familiar with the basic analysis features Ghidra provides and will understand the steps involved in performing basic analysis of software programs.

The course consists of four sessions in total. Each session has a video component, a lab component (completed after the video, using the concepts it illustrates), and an office-hour component during which the instructor is available for questions.

Updates / Information

For regular updates regarding class materials, follow wrongbaud and voidstarsec on Twitter.

Hardware Requirements

  • 8GB RAM 

Software Requirements

  1. Docker (or an Ubuntu 18.04 VM)
  2. The Ghidra SRE Tool

Getting Started

  1. Download Ghidra from here
  2. Download the exercises / Docker container from here
    • git clone
  3. Build the Docker container (Note: if you are using an Ubuntu 18.04 VM instead of Docker, skip to step 5)
    • cd hackaday-u/docker
      docker build . -t hackaday
  4. Test the Docker container (If using Ubuntu 18.04, skip to step 5!)
    • docker run --rm -it hackaday /bin/bash
  5. Run a challenge binary as a test!
    • root@522471199b16:/home/hackaday# ./hackaday-u/session-one/challenges/c1 
      Please supply the password!
      root@522471199b16:/home/hackaday# ./hackaday-u/session-one/challenges/c1 test
      Wrong answer, we'd never use test as the password!

Course Goals

  • Familiarize students with the basic concepts behind software reverse engineering
    • x86_64 Architecture Review
    • Identifying C constructs in assembly code
    • Disassembly vs Decompilation
  • Teach students how to use the Ghidra SRE tool to reverse engineer Linux based binaries
    • Basic navigation and usage
    • How to identify and reconstruct structures, local variables and other program components
  • Demonstrate and explain the methodologies used when approaching an unknown program with Ghidra
    • Where to start when looking at an unknown binary
    • How to quickly gain an understanding of an unknown program
  • Provide challenges and "crackme" exercises so that students gain hands on experience with Ghidra
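
As an added illustration of the kind of binary these goals are aimed at, here is a small constructed crackme written for this page; it is not the course's c1 challenge or any other course material. The password check XORs each input byte with a fixed key and compares the result against a stored buffer, so `strings` alone does not reveal the password and the student has to read the loop in the decompiler. The struct, the length check and the early-return loop are the C constructs the goals above mention. The key byte 0x5A, the password and the messages are arbitrary choices for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed crackme for practice; not the course's c1 binary. */

/* Parameters the check reads. In Ghidra this shows up as a global that
 * the checker reads field by field (offsets 0, 8 and 16 on x86_64 after
 * padding); reconstructing this struct is the point of the exercise. */
struct checker {
    uint8_t        key;     /* XOR byte applied to each input character */
    size_t         length;  /* required password length */
    const uint8_t *target;  /* expected password, already XORed with key */
};

/* "ghidra2020" with every byte XORed by 0x5A (values chosen for this
 * example). Because the plaintext is never stored, `strings` on the
 * compiled binary will not show it. */
static const uint8_t ENCODED[] = {
    0x3D, 0x32, 0x33, 0x3E, 0x28, 0x3B, 0x68, 0x6A, 0x68, 0x6A
};

static const struct checker CFG = { 0x5A, sizeof ENCODED, ENCODED };

/* Returns 1 if `input` is the password, 0 otherwise. The length check and
 * the early return inside the loop are the patterns to look for in the
 * decompiler output. Note the loop exits at the first mismatching byte,
 * a detail worth remembering when the same shape appears in real
 * authentication code. */
int check_password(const char *input)
{
    if (input == NULL || strlen(input) != CFG.length)
        return 0;

    for (size_t i = 0; i < CFG.length; i++) {
        if (((uint8_t)input[i] ^ CFG.key) != CFG.target[i])
            return 0;
    }
    return 1;
}

/* Same command-line shape as the session-one challenges: argv[1] is the
 * password attempt. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        puts("Please supply the password!");
        return 1;
    }
    if (check_password(argv[1])) {
        puts("Correct!");
        return 0;
    }
    printf("Wrong answer, %s is not the password!\n", argv[1]);
    return 1;
}
```

Build it with `gcc -O0 -o crackme crackme.c`, load the result into Ghidra, run auto-analysis and compare the decompiler's view of `check_password` with the source: rename the parameter, retype the global as `struct checker`, and watch the `CFG.key` and `CFG.target[i]` accesses turn from raw offsets into field references. Rebuilding with `-O2` is a useful second exercise, since the loop and the struct reads look quite different once the compiler has had its way with them.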

Scheduling Details

  • The course starts Monday, June 22 at 6:00 PM (EDT)
  • Class sessions will occur weekly on Mondays at 6:00 PM (EDT)
  • Office hours will be Thursday at 6:00 PM (EDT)
  • There will be four class sessions and four office-hour sessions in total

Prerequisites / Resources

  • Class 3 video

    Lutetium, 3 days ago, 0 comments

    Here is the mostly unedited video for the third class.

    This video is currently unlisted and will be edited and reposted at a later date. 

    See you at the Office Hours!

  • Class 2: Q&A

    wrongbaud, 6 days ago, 0 comments

    • Where do we get the exercises? The only info I've gotten is on the Eventbrite.
    • I tried Ghidra on two firmware images I had: an ESP32 and an STM32 dev board. Since it's a binary blob, it did not provide the ELF info on architecture, so I had to fill it out by hand, and there are many ARM options. I chose ARM Cortex, but it didn't seem to work that well. How do you pick the arch from the many ARM options? What would be the right one for this firmware?
      • In order to determine the proper CPU architecture, you should start with any applicable datasheets. A lot of the MCUs in the series mentioned use Cortex cores, but analysis will fall short if you do not properly define the appropriate memory regions, which can be acquired from the relevant datasheet.
    • Why aren't functions like main() for C++ automatically set to the right parameters?
      • The decompiler tries not to make too many assumptions for these function prototypes and uses the context that is provided by the instructions in use - this allows things to be more generic and causes fewer failures, but also means that users have to sometimes identify and add the appropriate types. In short - you don't want to assume too much such that it breaks other use cases. 
    • Can you take things like [rbp+8] and give them symbolic names for local variables?
      • Yes, if you right click the label that is being used, you can rename the variable to something different.
    • Also for the exercises, should we use docker on windows or do WSL and git clone the repo?
      • They have been tested within the docker container, and in an Ubuntu 18.04 VM, so I would recommend sticking with one of those two. If you have issues with docker, reach out and we’ll try to help you.

  • Class 2 Video

    Lutetium, 06/30/2020 at 17:11, 0 comments

    Here is the mostly unedited video for the second class.

    This video is currently unlisted and will be edited into sections and reposted at a later date. 

  • Office Hour Questions 6/25/20

    wrongbaud, 06/26/2020 at 11:45, 0 comments

    Office Hour Notes from 6/25/20


    • When is code obfuscation executed?
      • There are various levels of code obfuscation, sometimes the source code itself is obfuscated, and other times it’s applied to the machine code. 
    • What do you consider .NET stuff?  Is it a binary file or something else?
    • Do people obfuscate by handwriting assembly or are there obfuscating compilers?
      • Obfuscation can be performed in a number of ways. For example, there are obfuscating assemblers, and various compiler tricks that can be done to aid in obfuscation.
    • How often is obfuscation in play?
      • It depends on your target, you’ll find it often in games and other things that require some sort of DRM, but it’s less common when looking at embedded firmware images for example.
    • It would be great if you could give some pointers on how to identify packed or encrypted code using Ghidra
    • Can any binary be reversed?
      • Yes, technically speaking anything that contains machine code that can eventually be run by the CPU can be reverse engineered.
    • Do you have any resources for extracting binaries from a platform/uC?
    • On embedded systems do you often see heap being used? Or is deterministic memory (stack) more common?
      • This depends entirely on what the system is used for - if it’s running an RTOS or a Linux based OS, then you’re going to see heap usage. Smaller microcontrollers may not have space/resources to implement a memory allocator and will rely on statically sized buffers in SRAM. 
    • Is the memory for AH / AX / EAX / etc. shared? i.e. can you access 8 bits of AX by accessing AH?
      • Yes, the various representations of these registers can be used to access those specific size ranges. 
    • Is there a universal reference to the instruction set for x86_64?
      • Yes, the Intel instruction set architecture reference is linked on the course page. 
    • x86-64 has a flat 64bit memory model so RAM, as well as PCIe peripherals, can end up in memory space, correct?
      • Technically this is correct; however, there are memory protections in place to try to prevent these regions from being accessed. The operating system / MMU will protect these regions of memory, as well as the drivers utilizing them, from being accessed.
    • What are 'high level' differences between Ghidra and Ida Pro? [understand it may just be OpenSource vs not]
      • There are many differences between the two, and we will go over these during the second class session!
    • Will we be touching on what to do if Ghidra can’t find cross-references because the pointers are some +value off from the virtual addresses in this course? (trying to reverse some firmware blob)
      • When looking at firmware blobs, properly creating a memory map is very important, and may be the reason why you're having issues with XRefs. This can be done from within Ghidra by clicking on the memory viewer, or by writing a loader / script to perform this for you. It is also important to create the relevant RAM regions when working with firmware images, as these are often where the XRefs will be located.
    • Thank you for the amazing tour of the tools, but what is the "goal" - what can we expect to do with all this? :) 
      • The goal of this course is to familiarize students with the concepts behind reverse engineering software, and provide a base understanding of how to use Ghidra to solve binary puzzles and challenges. 
      • By the end of this course, students will be comfortable loading x86_64 ELF files into Ghidra and be able to analyze them. 
    • I thought EABI was for embedded...

  • Class 1 video

    Lutetium, 06/23/2020 at 18:13, 0 comments

    Here is the mostly unedited video for the first class.

    This video is currently unlisted and will be edited into sections and reposted at a later date.

Scott Shell wrote 06/17/2020 at 22:01 point

Are we supposed to get a ticket for each of the 4 sessions?  It looks like it is being offered 4 times the way Eventbrite is setup...


wrongbaud wrote 06/20/2020 at 17:29 point

Hi - it is currently set up that way as far as I understand. But if you don't make it to a session we will be uploading the videos as well


ubuntourist wrote 06/17/2020 at 00:10 point

The challenge binary is missing the `/exercises/` in the path:

    $ ./hackaday-u/session-one/exercises/c1


wrongbaud wrote 06/17/2020 at 01:28 point

Hey thanks for the heads up! The exercises and such will be ready by the course start date, right now things are still being reorganized!

