A detailed thumbnail for a Ghidra Software Reverse Engineering Framework tutorial, featuring a computer screen with a dark-themed interface displaying green and black code, decompiled pseudocode, and binary analysis tools. A larger, highly detailed NSA logo with an eagle design is prominently centered on the monitor. In the background, a person is intensely focused on the screen in a dimly lit room, their face illuminated only by the light from the monitor.

Learn Ghidra: A Simple Guide to Reverse Engineering

by Evgenii Studitskikh
5 minutes read

The world of reverse engineering software can seem daunting, but tools like Ghidra have made it more accessible than ever. Developed by the National Security Agency (NSA) and released as an open-source project in 2019, Ghidra is a powerful, free reverse-engineering framework that rivals commercial tools like IDA Pro. Whether you’re a security researcher, malware analyst, or hobbyist, Ghidra provides a robust platform to disassemble, decompile, and analyze binary files. In this article, we’ll explore what Ghidra is, how to get started, and walk through a detailed example of reverse-engineering a simple program.

What is Ghidra?

Ghidra is a Software Reverse Engineering (SRE) framework that allows users to analyze compiled code—such as executables, libraries, or firmware—by converting machine code into human-readable assembly or pseudocode. Its key features include:

  • Disassembler: Translates binary instructions into assembly language.
  • Decompiler: Generates high-level pseudocode (similar to C) from assembly.
  • Cross-Platform: Runs on Windows, macOS, and Linux with Java support.
  • Extensibility: Supports scripting in Python and Java for automation and custom analysis.
  • Collaboration: Includes a team server for multi-user projects.

Unlike some proprietary tools, Ghidra is free and open-source, making it an excellent choice for students, researchers, and professionals alike.

Setting Up Ghidra

Before we dive into the tutorial, let’s get Ghidra installed:

  1. Download Ghidra:
  1. Install Java:
  • Ghidra requires Java 17 or later. Install the JDK (Java Development Kit) from Adoptium or Oracle if you don’t already have it.
  1. Extract and Run:
  • Unzip the downloaded Ghidra archive to a directory (e.g., C:\ghidra or /opt/ghidra).
  • Run the ghidraRun script (or ghidraRun.bat on Windows) from the extracted folder.
  1. Launch Ghidra:
  • You’ll see the Ghidra splash screen, followed by the Project Manager window. Create a new project by selecting File > New Project, naming it (e.g., “ReverseEngTutorial”), and choosing a directory.

Now that Ghidra is ready, let’s move on to our example.

Tutorial: Reverse-Engineering a Simple Program

For this tutorial, we’ll create a basic C program, compile it, and use Ghidra to analyze the resulting binary. Our goal is to understand the program’s logic without access to the source code.

Step 1: Create the Sample Program

Here’s the C code we’ll use. It’s a simple password checker:

#include <stdio.h>
#include <string.h>

int main() {
    char input[20];
    char secret[] = "xaiRocks2025";

    printf("Enter the password: ");
    fgets(input, 20, stdin);
    input[strcspn(input, "\n")] = 0; // Remove newline

    if (strcmp(input, secret) == 0) {
        printf("Access granted!\n");
    } else {
        printf("Wrong password!\n");
    }
    return 0;
}
C
  • Compile it:
    On a Linux system (or WSL on Windows), save this as password.c and compile it with:
  gcc -m64 -o password password.c
Bash

This generates a 64-bit ELF executable called password. For Windows, you can use MinGW or a similar compiler to create a .exe.

Step 2: Import the Binary into Ghidra

  1. Open Ghidra Project:
  • Launch Ghidra, open your project, and click File > Import File.
  • Select the compiled password binary.
  1. Analyze the File:
  • After importing, Ghidra will ask if you want to analyze the file. Click Yes.
  • In the analysis options, leave the defaults checked (e.g., “Auto Analysis”) and click Analyze. This process disassembles the binary and identifies functions.
  1. Explore the Code Browser:
  • Double-click the imported file in the project tree to open it in the Code Browser. You’ll see windows like the Symbol Tree, Listing (assembly), and Decompiler.

Step 3: Locate the Main Function

  1. Find main:
  • In the Symbol Tree (left panel), expand the “Functions” folder.
  • Look for main (or something like _start or entry if main isn’t obvious). For our ELF binary, main should be listed.
  1. View Assembly:
  • Click main in the Symbol Tree. The Listing window displays the assembly code. It might look like this (simplified):
000011a9 PUSH RBP
000011aa MOV RBP,RSP
000011ad SUB RSP,0x30 .
.. 
000011d4 CALL strcmp 
000011d9 TEST EAX,EAX 
000011db JNZ 0x11f0
ASM
  1. View Decompiled Code:
  • In the Decompiler window (right panel), Ghidra translates this into pseudocode:
  • This is remarkably close to our original C code!
int main(void)
{
    char local_28 [20];
    char local_14 [14] = "xaiRocks2025";
    
    printf("Enter the password: ");
    fgets(local_28, 0x14, stdin);
    local_28[strcspn(local_28, "\n")] = 0;
    if (strcmp(local_28, local_14) == 0) {
        printf("Access granted!\n");
    } else {
        printf("Wrong password!\n");
    }
    return 0;
}
C

Step 4: Analyze the Logic

  • Identify the Password:
  • The decompiled code reveals the string "xaiRocks2025" stored in local_14. This is the secret password!
  • Alternatively, in the Listing window, search for strings (Ctrl+Shift+E) and find "xaiRocks2025" in the data section.
  • Understand the Flow:
  • The strcmp call compares the user input (local_28) with the secret. If they match (result 0), the program jumps to the “Access granted” branch.

Step 5: Test the Findings

  • Run the password binary in a terminal:
  ./password
  Enter the password: xaiRocks2025
  Access granted!
Plaintext
  • Try a wrong password:
  Enter the password: hello
  Wrong password!
Plaintext
  • Our reverse-engineering confirmed the password without seeing the source code!

Step 6: Modify the Binary (Optional)

Ghidra allows patching binaries. Let’s say we want to bypass the password check:

  1. In the Listing window, find the JNZ instruction after strcmp (e.g., at 0x11db).
  2. Right-click it, select Patch Instruction, and change JNZ (jump if not zero) to JZ (jump if zero).
  3. Export the modified binary (File > Export Program) and test it. Now, any password might fail, reversing the logic!

Why Use Ghidra?

This example barely scratches the surface of Ghidra’s capabilities. It excels at:

  • Analyzing malware to uncover malicious behavior.
  • Debugging embedded systems by dissecting firmware.
  • Recovering lost source code from old binaries.

With its scripting support, you can automate repetitive tasks, and its decompiler often provides clearer insights than assembly alone.

Conclusion

Ghidra is a game-changer in reverse engineering, offering professional-grade tools for free. In this tutorial, we installed Ghidra, analyzed a simple password checker, and extracted its secret—all without the source code. As you explore further, experiment with more complex binaries, explore Ghidra’s scripting, and join its vibrant community. Happy reversing!

You may also like

AI’s Impact on Software Engineers: A Future Reimagined

How Topbord Optimized Performance with DigitalOcean Spaces, AWS S3, and...

Optimizing Performance in Next.js 14: New Features You Should Use

AI in DevOps: How AI is Changing Software Deployment

NestJS vs. Fastify: Which One is Better for High-Performance APIs?

Back to BASIC: Drawing a Smiley Face on the ZX...

React 19 & Future of Server Components: What You Need...

How to boost React Performance. UseMemo, UseCallback, and Lazy Loading

Integrating Google Cloud Build with Node.js. Easy and smooth.

Connecting to Kubernetes on Digital Ocean. 5 simple steps