Changes

Page history
Update An Introduction to Ghidra authored by Aaron Scott Pope's avatar Aaron Scott Pope
Show whitespace changes
Inline Side-by-side
Tool-Guides/An-Introduction-to-Ghidra.md
View page @ 665993ff
......@@ -57,7 +57,69 @@ Below the Symbol Tree is the Data Type Manager Window, which is useful for ident
In the center, the Listing window shows the disassembled binary.
For interpretability, Ghidra adds a great deal of color coding and annotative comments to the assembly display.
To the right of the Listing window is the Decompile window which shows Ghidra's best guess of the source code used to produce the corresponding assembly.
Clicking on a function in the Symbol Tree window or within a function in the Listing window will load the relevant decompiled source code in the Decompile window.
To the right of the Listing window is the Decompiler window which shows Ghidra's best guess of the source code used to produce the corresponding assembly.
Clicking on a function in the Symbol Tree window or within a function in the Listing window will load the relevant decompiled source code in the Decompiler window.
Clicking on code in the Decompiler window will highlight the associated assembly instructions; this can be used to inspect how well the decompiler translated the assembly to source code.
We can use the functions list in the Symbol Tree window to locate the main function of the executable.
Clicking on the name of the function brings us to the relevant portion of the assembly and loads the decompiled C code.
![main-function](uploads/7c5e58bd1e10e80d4ce1840ed96e0ed9/main-function.png)
We can see that the decompiler has some mistakes that we can work to correct to improve readability.
Right-clicking in the Decompiler window gives the option `Edit Function Signature` which presents the following dialogue:
![original-main-signature](uploads/61089a2d0b44ae2814f8f416e68b122e/original-main-signature.png)
We can provide the correct function signature for main, then click `OK`:
![fixed-main-signature](uploads/70b2040251dadaa33bef24711986f9d3/fixed-main-signature.png)
The code in the Decompiler window is updated and references to `argc` and `argv` are corrected throughout.
We can also rename variables and fix their type to make the code more understandable.
Middle-clicking with the mouse on a variable highlights its use throughout the code:
![highlight-variable](uploads/09c0f25aac5033bbcb8633476e00b9f1/highlight-variable.png)
Pressing `l` allows us to change the variable name, and pressing `Ctrl+l` lets us change the variable type.
We can see that `iVar1` is used as a return value, so let's rename it `retvar`.
This actually splits the uses of `iVar1` into two variables, one of which is used as the return value of a `strcmp` call.
We'll rename that to `cmpvar`.
We'll also change the type and name of `size_t __n` to `int password_length` to match its use.
![renamed-variables](uploads/e477fc42a8f2162660ad02c5258b0e37/renamed-variables.png)
Once we've identified the intended behavior of a section of code, we can make a comment to save ourselves from repeated work.
Right-click and select `Comments > Set ...` to open the comment dialogue.
Types of comments possible include end-of-line, pre, post, plate, and repeatable.
![set-comment](uploads/841f2d106ce309e588b4d62bea004714/set-comment.png)
Depending on the type, an entered comment will show up in the assembly listing, decompiled source, or both.
![pre-comment](uploads/6e7236545199081cdceee1133a5324a3/pre-comment.png)
Double-clicking the name of any function will show the code of the selected function.
Here we'll double-click `strlen` to show the placeholder assembly code used for the external function.
![strlen-assembly](uploads/3c12b1f321d692318797610d6be8da4e/strlen-assembly.png)
There are numerous views that can be used to further analyze a binary.
`Window > Function Call Graph` shows the calling relationship between functions as a graph.
![function-call-graph](uploads/159882f61ec731093faff41b0434253b/function-call-graph.png)
`Window > Function Graph` shows how execution can be traced through the assembly by function calls or jump instructions.
![function-graph](uploads/c894a3e194dcc0964087603dcf519861/function-graph.png)
`Window > Defined Strings` shows a list of extracted strings and clicking on a string takes you to the relevant portion of the assembly code.
![defined-strings](uploads/de1bd93afdfa45b8746bd187f6f86583/defined-strings.png)
### Under construction
\ No newline at end of file