Reverse Engineering re_lotsastuff.exe Using Ghidra

1. Setting Up Ghidra:

  • Create a New Project:

    • Open Ghidra and create a new project.

  • Import the Sample:

    • Drag and drop the re_lotsastuff.exe sample into the project or press I on the keyboard to import it.

2. Analyzing the File:

  • Open in Default Tool:

    • After importing, right-click the sample and select Open in Default Tool to begin the analysis.

    • Follow the dialogs and accept the options that let Ghidra auto-analyze the file.

3. Navigating the Disassembly and Decompiled Code:

  • Symbol Tree Navigation:

    • In the left pane, expand the Symbol Tree under the Functions folder.

    • Look for the entry function to begin your analysis.

  • Viewing Decompiled Code:

    • Clicking on the entry function will bring up both the disassembled code and the decompiled version of the code in the right pane.

  • Finding the Main Function:

    • To locate the main function:

      • Use the address identified in IDA Pro (in this case, 0x401480).

      • Search within the Symbol Tree for the function whose name is the FUN_ prefix followed by that address.

      • This brings up the main function in a more readable, decompiled view.
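
The address 0x401480 that Ghidra labels FUN_00401480 is a virtual address: the PE image base plus an offset (RVA) inside the file. The script below, an example added to these notes rather than Ghidra's own code, parses the headers Ghidra reads at import time (machine type, image base, entry point RVA) and builds the default FUN_ label Ghidra assigns to an unnamed function at a given address. The PE header bytes are constructed inline (a header only, not a real program) so the script runs offline; the image base 0x400000 and entry RVA 0x1480 are assumed values chosen so the result lines up with the address quoted above.

```python
"""Recover the PE header values Ghidra uses when loading a 32-bit sample and
derive Ghidra's default label for an unnamed function (FUN_<zero-padded hex>).

Example added to these notes; not Ghidra's code. The sample PE bytes are
constructed below so the script runs without re_lotsastuff.exe present."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C   # COFF machine value for 32-bit x86
PE32_MAGIC = 0x10B                # optional header magic for 32-bit images
PE32PLUS_MAGIC = 0x20B            # optional header magic for 64-bit images


def parse_pe(data: bytes) -> dict:
    """Parse DOS, COFF and optional headers; return bitness, image base and entry point."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsections, _, _, _, _opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
        image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase (4 bytes)
        bits = 32
    elif magic == PE32PLUS_MAGIC:
        entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]  # ImageBase (8 bytes, no BaseOfData)
        bits = 64
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    return {
        "machine": machine,
        "bits": bits,
        "sections": nsections,
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,   # the address Ghidra shows for entry
    }


def parse_pe_file(path: str) -> dict:
    """Convenience wrapper for a real sample on disk (e.g. re_lotsastuff.exe)."""
    with open(path, "rb") as fh:
        return parse_pe(fh.read())


def ghidra_default_label(va: int, bits: int = 32) -> str:
    """Ghidra names an unnamed function FUN_ plus the address zero-padded to the pointer width."""
    width = 8 if bits == 32 else 16
    return f"FUN_{va:0{width}x}"


def build_sample_pe32(image_base: int = 0x400000, entry_rva: int = 0x1480) -> bytes:
    """Constructed minimal PE32 header (DOS header, PE signature, COFF and optional
    header fields). Not a runnable program; values are assumed for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 96, 0x102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe32())
    print(f"{info['bits']}-bit image, machine 0x{info['machine']:x}, "
          f"image base 0x{info['image_base']:x}, {info['sections']} section(s)")
    print(f"entry point RVA 0x{info['entry_rva']:x} -> VA 0x{info['entry_va']:x}")
    print("Ghidra default label for 0x401480:", ghidra_default_label(0x401480))
```

Run it against the real sample with parse_pe_file("re_lotsastuff.exe") to confirm the machine value is 0x14c (32-bit x86) before looking up the FUN_ label; on a 64-bit image the label is padded to 16 hex digits, which is why a search for FUN_00401480 finds nothing there.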

4. Ghidra Plugins:

  • Exploration of Plugins:

    • Ghidra has a variety of plugins that can aid in analyzing files more efficiently.

    • It's recommended to explore and utilize these plugins to enhance the speed and accuracy of your analysis.

5. Key Takeaways:

  • Ghidra’s Strengths:

    • Provides both disassembly and a high-level decompiled view, making it easier to understand the code.

    • Symbol Tree helps in quick navigation to critical functions like the main function.

  • Plugin Support:

    • Leverage the available plugins in Ghidra to improve your analysis workflow.

  • Learning Resources:

    • The course series includes sessions on assembly language, which can be beneficial if you're new to low-level programming.

These notes cover the fundamental steps for using Ghidra to analyze and decompile a 32-bit executable compiled from C++. Ghidra’s combination of disassembly and decompiled views, along with its plugins, makes it a powerful tool for reverse engineering.