Ghidra, Fuck Yeah!

Woohoo!

BLUF: Ghidra is awesome and I’m looking forward to switching over entirely from other tools, and not having to sell my car (and the neighbor’s) to afford a license is quite convenient.

I finally got a chance to sit down and take a look at Ghidra. I’ll admit that my first couple of minutes with it wasn’t great, but I think that was because the software does so much that it can seem overwhelming. I thought about how I currently use IDA, and made some quick notes about how to do those things in Ghidra. After figuring out how to do the things I need to do, I started to REALLY like Ghidra. Here are my notes in no particular order. Next post I plan to write about reversing something with Ghidra, and maybe even do a side-by-side reversing comparison with IDA if I have the time.

UNDO!

  • Everything should have this.
  • CTRL-Z to undo and CTRL-Shift-Z to redo.
  • Be aware that this will undo more things than you might anticipate — for example, one time I did an automatic analysis of a full file, and undo actually undid all of the analysis done by the program and I was back to just a raw listing. This isn’t what I would expect to happen — I figured that it would only undo simple things like undo a label I just created. Not a problem, just interesting to see how it works.

Moving Back and Forward

  • Just Alt and the left or right arrows. Still getting used to not hitting Escape all the time.

Viewing Strings and other Subviews

  • In IDA, I’m used to pulling up stuff like the Strings subview with Shift-F12. Once you’re in the CodeBrowser, the place you’re going to want to look is in the Window section of the menu bar. Besides the Strings window, you’ll also find stuff like Bytes (like the hex view in IDA) and the Function Graph, which is similar to the graph view in IDA.
(Screenshots in the original post: the Window list, and the Function Graph.)

Bookmarks

  • To add a bookmark, CTRL-D, and to view the list of bookmarks, CTRL-B. Sound familiar?

Comments

  • Add a comment with ; and from that dialog box, you can select the type of comment (e.g., repeatable).
  • Other comment types specify if you want the comment to come before the line, after the line, or even do a “plate comment”.

Labels (Naming a Location or a function)

  • Hit L to add a label to a location, say if you want to provide a name for a section of code within a function that represents different paths from a branching instruction.
  • This would also be how you rename functions. Put the cursor on the function name in the main window and hit L, then you can change the function name using the dialog box.

Function Editing

  • If you want to change more than just the name, put the cursor on the function name and hit F, which will let you modify the function name but also things like the calling convention, parameters, etc.

Searching for Specific Instructions

  • For instance, maybe you want to search for all instances of XOR so you can pick out where there might be some XOR encoding. I highlight the instruction, then from the menu bar select Search | For Matching Instructions | Exclude Operands (to find just XOR, not XOR EAX, EAX for instance).

Then from there you can select where you want to search (the entire program, or just a selection) and other options, and then you get a similar listing to what you might see in IDA.
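The same search as a Ghidra script, added here as an example and not code from the original post: it walks every instruction, keeps the XORs whose two operands differ (so the `xor eax, eax` zeroing idiom is skipped, which is what Exclude Operands is trying to avoid matching on), bookmarks each hit and leaves a pre-comment so the results are reviewable from the Bookmarks window. The class name, bookmark category and comment text are my own choices.

```java
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.CodeUnit;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.Instruction;
import ghidra.program.model.listing.Listing;

// Added example script: run it from Ghidra's Script Manager against the open program.
public class FindXorCandidates extends GhidraScript {

    // "xor reg, reg" is the usual way to zero a register; it is not encoding, so skip it.
    private static boolean isZeroingIdiom(Instruction ins) {
        if (ins.getNumOperands() != 2) {
            return false;
        }
        String left = ins.getDefaultOperandRepresentation(0);
        String right = ins.getDefaultOperandRepresentation(1);
        return left.equalsIgnoreCase(right);
    }

    @Override
    public void run() throws Exception {
        Listing listing = currentProgram.getListing();
        int hits = 0;
        for (Instruction ins : listing.getInstructions(true)) {
            if (monitor.isCancelled()) {
                break;
            }
            if (!ins.getMnemonicString().equalsIgnoreCase("XOR") || isZeroingIdiom(ins)) {
                continue;
            }
            Address addr = ins.getAddress();
            Function fn = getFunctionContaining(addr);
            String where = (fn == null) ? "<no function>" : fn.getName();
            String note = "XOR with distinct operands in " + where + ": " + ins;
            // "XorEncoding" is an assumed bookmark category; use whatever you filter on in CTRL-B.
            createBookmark(addr, "XorEncoding", note);
            listing.setComment(addr, CodeUnit.PRE_COMMENT, "candidate XOR encode/decode?");
            println(addr + "  " + note);
            hits++;
        }
        println("Bookmarked " + hits + " XOR candidate(s); review them in the Bookmarks window (CTRL-B).");
    }
}
```

The mnemonic check is exact, so SSE variants such as PXOR are not reported; widen the comparison if the binary you are looking at uses them.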

Enumerations

  • Pretty easy — cursor on the value you want to look up, press E to bring up the enumerations dialog box. Haven’t done too much with this in Ghidra yet, but looks pretty similar to IDA in the sense that you need to have some idea of where to find what you’re looking for (for instance, I’ll probably still have to look up functions in MSDN to figure out what the possible enumerations are). Not sure how to add my own enumerations, though it looks like Ghidra has so much (and it’s so well organized) that perhaps this won’t be necessary.
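One way to add your own enumerations is with a short script, shown here as an added example that is not from the original post: it registers an enum in the program's data type manager, after which its members are available from the E dialog on a matching value. The values are the documented Win32 CreateFile share-mode flags; the category path, enum name and class name are my own choices.

```java
import ghidra.app.script.GhidraScript;
import ghidra.program.model.data.CategoryPath;
import ghidra.program.model.data.DataType;
import ghidra.program.model.data.DataTypeConflictHandler;
import ghidra.program.model.data.DataTypeManager;
import ghidra.program.model.data.EnumDataType;

// Added example script: defines an enum once so its members show up when you press E on a value.
public class AddShareModeEnum extends GhidraScript {

    @Override
    public void run() throws Exception {
        // Win32 dwShareMode flags for CreateFile; the parameter is a 4-byte DWORD.
        // "/MyEnums" and "FILE_SHARE_MODE" are assumed names, not Ghidra or Windows identifiers.
        EnumDataType shareMode =
            new EnumDataType(new CategoryPath("/MyEnums"), "FILE_SHARE_MODE", 4);
        shareMode.add("FILE_SHARE_READ", 1);
        shareMode.add("FILE_SHARE_WRITE", 2);
        shareMode.add("FILE_SHARE_DELETE", 4);

        DataTypeManager dtm = currentProgram.getDataTypeManager();
        // A GhidraScript already runs inside a program transaction, so no startTransaction is needed.
        // REPLACE_HANDLER lets you re-run the script after editing the members.
        DataType stored = dtm.addDataType(shareMode, DataTypeConflictHandler.REPLACE_HANDLER);
        println("Registered " + stored.getPathName() + " with " + shareMode.getCount() + " members");
    }
}
```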

Instruction Highlighting

  • Middle mouse button, and this seems to work like a toggle. You don’t seem to be able to select multiple instructions, but clicking with the middle button / mousewheel will highlight all the instructions and will keep them highlighted even if you move the cursor elsewhere in the disassembly. I actually like this better than IDA, because in IDA when you would move the cursor somewhere else, you would either lose the highlighting entirely or you would have something else highlighted (like another instruction or location). This also seems to work on everything — opcodes, locations, operands, etc. I got this info from someone named Saruman9 on the repository. I had posted this as an enhancement and they had this to say:

“Clicking the middle mouse button will highlight all the other occurrences of instruction/operand/other. For changing the setting see Edit -> Tool options… -> Listing Fields -> Cursor Text Highlight -> Mouse Button To Activate.”

(Screenshot in the original post: highlighting all the calls.)

To wrap it up, these notes represent just a tiny amount of Ghidra’s full functionality (and, in fairness, a tiny slice of what IDA can do also). Let’s also not forget that I didn’t even get into the decompiler functionality of Ghidra in this post. I’m not trying to dump on IDA and I hope it’s not coming across that way, but I’m just really excited to have this great tool available to use without paying a ton of money, especially for architectures other than the usual x86/64.

I expect this is unnecessary if you are already reading this post, but you can find Ghidra here if you don’t have it already. You’ll also need OpenJDK 11.0 (though it might work with other versions, I have not tested it out).