\n\nThis page has been machine-translated from the original page.
\n
This article was written as part of CTF Advent Calendar 2022 Day18.
\nIt was my first time participating in an Advent Calendar, and I was looking forward to it.
\nYesterday’s article was Ark’s ”Introducing the most interesting web challenges of 2022“.
\nTomorrow’s article is Satoooon’s “Taking a rough look at CTFTime statistics”.
\n\nIn this article, we use the Ghidra debugger feature added in version 10.0 to solve simple Reversing challenges on both Windows and Linux.
\nMy original plan was to write about analyzing an Android NDK library loaded via dlopen from a custom binary, but I spent about five days failing to get it working in my own environment, so I pivoted to this topic instead.
\nIt has been quite a while since it was announced that a debugger would be integrated into Ghidra starting with version 10.0.
\nThe Ghidra debugger relies on WinDbg on Windows and GDB on Linux, and it allows dynamic analysis of user-mode applications. However, I almost never see it used in CTF writeups.
\nI myself tried the debugger once while it was still in preview, and honestly found it a bit uncomfortable to use, so I never touched it again after that.
\nSome time has passed since then, and I still don’t see much information about the Ghidra debugger, so I decided to poke around, and write up how to use it along with my impressions.
\nI’ll work through the process of solving simple dynamic-analysis Rev challenges using the Ghidra debugger.
\nThis time we use a program built from the following code.
\n#include <stdio.h>\n#include <string.h>\n\nchar flag[30] = {0x4b,0x6a,0x6e,0x6a,0x77,0x70,0x76,0x68,0x6a,0x60,0x6b,0x6a,0x40,0x57,0x45,0x78,0x7a,0x6c,0x76,0x5c,0x74,0x33,0x6d,0x5c,0x67,0x71,0x62,0x22,0x22,0x7e};\n\nint super_secure_checker(char c, int i)\n{\n if (c == (flag[i]^0x3)) return 1;\n else return 0;\n}\n\nint main(void)\n{\n char password[0x100];\n\n printf(\"Input yout password: \");\n scanf(\"%s\", password);\n \n int len = strlen(password);\n if (len != 30) {\n printf(\"Wrong!!\\n\");\n return 0;\n }\n else {\n for (int i = 0; i < 30; i++) {\n if (super_secure_checker(password[i], i)) {\n continue;\n }\n else {\n printf(\"Wrong!!\\n\");\n return 0;\n }\n }\n }\n printf(\"Correct!!\\n\");\n return 0;\n}The code is straightforward and works as follows:
\nsuper_secure_checker function.Correct if all characters match.This is a typical reversing challenge of the type solvable by brute-force through dynamic analysis or symbol inspection.
\nSince the logic is very simple, it is also possible to overwrite the return value register of super_secure_checker on each call and retrieve the password one character at a time as it is expanded into the register.
Of course, a password this simple could easily be recovered through static analysis as well, but since the goal of this article is to use the Ghidra debugger, we’ll solve it via dynamic analysis instead.
\nWe analyze an ELF binary compiled from the above source code with gcc and no extra options.
\nThe sample program is available for download at Sample Program.
\nGhidra version 10.2.2 is used.
\nAfter loading the binary, click the bug-like button in the middle of the Tool Chest to launch the debugger.
Clicking [Launch] starts the debugger and outputs various information.
\nBy default, the familiar Listing window is displayed in the center, with the Interpreter shown on the right.
\nThe Interpreter shows the same output as when GDB is launched from the command line, and GDB commands can be entered directly. (In this environment, gdb-peda is set up, so peda’s output is displayed.)
\nThe left pane shows information about the process being debugged by GDB.
\nFrom here you can also view configured breakpoints and loaded modules.
\nNow that the debugger is up, let’s right-click the line immediately after the super_secure_checker function call in the Decompiler window and set a breakpoint via [Toggle Breakpoint].
Setting the breakpoint with SW_EXECUTE causes the color of the breakpointed line to change in the Listing window as well.
The breakpoint can also be confirmed in the Interpreter via GDB.
\nThe program can be restarted from the [Quick Launch] button at the top of the Objects window.
\nThe buttons there also allow operations such as [Step Into].
\nWith the breakpoint set, let’s run the program.
\nWhen running the program normally, execution pauses waiting for standard input at the scanf(\"%s\", password); line.
However, due to an unresolved limitation in the Ghidra debugger, it is not possible to feed standard input to the program from the Interpreter.
\nReference: Unable to put input value into interpreter. · Issue #3174 · NationalSecurityAgency/ghidra
\nTo work around this, we check the tty of the running terminal and connect to it from the Ghidra debugger’s Interpreter.
\nFirst, run the tty command in your terminal to identify the device’s pts.
Next, run sleep 10000000 in the terminal as a placeholder, then enter set inferior-tty [TTY] in the Ghidra debugger’s Interpreter, and restart the program.
Once execution reaches the scanf(\"%s\", password); line, the input prompt will appear in the terminal, allowing you to provide standard input and continue the debugger session.
It is a somewhat cumbersome procedure, but other ways to provide standard input to the Ghidra debugger include using GDB scripts or Python.
\nAdditionally, you can provide standard input from the Ghidra Interpreter window by running a GDB command such as run < input.txt.
Having successfully provided standard input to the program, execution stopped at the breakpoint we set earlier.
\nprintf(\"Input yout password: \");\nscanf(\"%s\", password);\n \nint len = strlen(password);\nif (len != 30) {\nprintf(\"Wrong!!\\n\");\n return 0;\n}Now let’s check the register values in the Register window, which appears in the right pane by default.
\nBeing able to reorder each register freely is quite convenient.
\nUsing the Ghidra debugger, you can view, search, and modify register values.
\nAt this point, because the first character of the password was wrong, the value of EAX — which holds the return value of super_secure_checker — is 0.
Let’s change this value to 1.
\nThe Register window is in Read Only mode by default.
\nTo switch to Edit mode, click the pen-like button in the upper right.
\nLet’s also look at memory information.
\nTo open the Memory window, go to [Windows] > [Debugger] > [New Memory View] in the toolbar.
\nRunning the program, we can see that the character ‘A’ (which we provided as arbitrary input) is stored in the DIL register, and is being compared against ‘H’, the first character of the decrypted flag.
\nNote that in the Ghidra debugger’s Register window, the Type column can be set to any data type, and when a Value matches the specified type, the Repr column displays the type’s representation.
\nTo let execution continue, we use the Register window’s edit mode to overwrite the AL register value with 0x41.
\nThis allows the password verification to pass, so continuing execution reveals the second flag character.
\nCommand-line arguments can be specified here if needed.
\nOnce the debugger starts, a WinDbg-like console appears in the Interpreter window, just as with GDB.
\nWith the debugger running, use the decompiler to locate the main function’s address and set a breakpoint.
Static analysis of the PE file is out of scope today, but following the entry function should lead you to main quickly.
Possibly due to compiler optimizations, the decompiled output showed the super_secure_checker function’s logic inlined into main.
So, as on Linux, we set an SW_EXECUTE breakpoint at the line that compares the input value against the decrypted password.
Starting the program with the breakpoint set launches a console application.
\nStandard input can be provided directly here, so we didn’t run into the same issue as on Linux.
\nThe user-input string is stored on the local stack.
\nHowever, it appears that the current Ghidra debugger cannot reference values in memory.
\nThe help documentation suggests a notation like *:4 (RSP+8) for reading memory, but in my environment it raised an exception and the value could not be retrieved.
Looking at the following issue, it seems that memory referencing from Ghidra currently doesn’t work correctly in some cases, and there is no workaround other than using debugger commands from the Interpreter.
\nReference: [Debugger]: Stack Frame Memory Viewer / Editor · Issue #2866 · NationalSecurityAgency/ghidra
\nFor this reason, the screenshot above also shows the WinDbg da command being used from the Interpreter to inspect the input string on the local stack.
Finally, let’s retrieve the flag.
\nOn Linux, we retrieved the flag one character at a time by modifying register values from the Register window, but the Watches window also allows editing register values in edit mode.
\nThis time, by changing the value of RCX to 0x41 (the same as the input), we passed the password check and were able to retrieve the second and subsequent flag characters.
\nThis time we used Ghidra’s debugger feature to solve a simple reversing challenge.
\nMy initial impressions after a quick hands-on session were roughly 40% “this looks promising” and 60% “this is hard to use.”
\nThe main pain points were the critically sparse knowledge base and the very unstable behavior.
\nOn the knowledge side, Ghidra’s own help documentation is minimal, and Googling in English barely turns up any blog posts at all.
\nOn the other hand, the GitHub issues have quite a variety of questions and answers, and those issues served as almost the only useful source of information.
\nAs for stability, it may partly be my own environment, but the debugger crashed or hung with exceptions at seemingly random moments quite frequently.
\nThere are clearly still many unimplemented features in the Ghidra debugger, but since GDB and WinDbg commands can both be run from the Interpreter window, the limitation on actual debugging capability doesn’t feel that severe. That said, having the debugger become unstable so often without doing anything particularly complex was quite frustrating.
\nNevertheless, being a free tool that can handle both PE and ELF files in the same UI is genuinely convenient, and being able to set breakpoints directly from decompiled output is also useful. (I’ve barely used IDA, so…)
\nAlso, although not covered in this article, the Ghidra debugger’s Time feature — which captures execution-trace snapshots and allows you to step back and analyze the state at those points — looked very promising.
\nBeing limited to snapshot-based tracing is a drawback, but having a feature similar to WinDbg Preview’s Time Travel Debugging (TTD) available for ELF analysis as well is something to be genuinely excited about.
","fields":{"slug":"/himitsukichi-ctf-rev-ghidra-dynamic-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/ghidra-en/","/tag/english/"]},"frontmatter":{"date":"2022-12-19","description":"Using the Ghidra debugger feature added in version 10.0 to solve simple Reversing challenges on Windows and Linux.","tags":["CTF (en)","Rev (en)","Ghidra (en)","English"],"title":"Use the Ghidra Debugger in 2023! - A Practical Guide","socialImage":{"publicURL":"/static/83a9435807117e1e99c60e9c8ad1fb67/himitsukichi-ctf-rev-ghidra-dynamic.png"}}}},"pageContext":{"slug":"/himitsukichi-ctf-rev-ghidra-dynamic-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}