National Security Agency's Program

Dolyetyus

International Team Leader
21 Nis 2020
910
80
Leiden
Ghidra.png




Welcome, today I will talk about a reverse engineering program that the NSA has explicitly leaked to the public(National Security Agency), the national security agency is briefly referred to as an intelligence unit, let's go to the subject briefly and after reading the subject, please do not forget to write comments.



What is GHIDRA?



GHidra is a reverse engineering software developed by the National Security Agency, the platforms on which it is valid are platforms that can be installed on Linux-MacOs-Windows, respectively, this program built on these platforms allows us to examine the C and Assembly codes of a program written and gives us the necessary data to examine. Such tools show us how the codes in the created programs work, and clearly show us the vulnerabilities in the systems. This program can be used by people who have just entered the hacking business, and the fact that the program is free.

Most people recommend installing it on Linux rather than on Windows, because the release of the program by the NSA creates a loss of trust, but most users continue on Windows. You can get the program free on this link.



What is JDK?



After downloading the GHIDRA program, of course there is a program that should be on our computer, GHIDRA does not download directly with .exe extension, since GHIDRA comes with .bat extension, we need to run it with JDK. Let's come to what is the program that should help us to set up the GHIDRA program. JDK, which stands for English, is Java Development Kit,but this program is a must-have application for Developers who want to make improvements over java. After downloading this application, we can continue the GHIDRA installation, you can download it on this link.



JDK Download and Installation



First, we open any browser, I use opera, so I will tell about it, first we type JDK Download in the Opera search engine and click the first link that comes out.



5lbPcA.png


We get down the page and download the latest version of Java, for this we click on the place where it says JDK Download.



5lbPcA.png


We go down the page that directs us a little further down and scroll to the Windows compatible version of Java and click on "jdk-15.0.1_windows-x64_bin.exe", I want to add that it is really bad that this program is only 64 compatible, but on 32s You can try it can work well. Program size 159.69 MB



5lbPcA.png


Then we look at the small window that opens in front of us and mark the "I reviwed and accept the Oracle Technology Network License Agreement for Oracle Java SE" section above. Then we click on the "Download jdk-15.0.1_windows-x64_bin.exe" section at the bottom.



5lbPcA.png


After clicking, Opera offers us an option for where we want to install the program, I want to install it directly to the Desktop, select "Desktop", make sure of the file name and say "Save".



5lbPcA.png


Then we wait for this application to be installed in the "Downloads" section at the top right in Opera.



5lbPcA.png


After downloading the program to the Desktop, it will go directly to the installation section, we click "Run" to continue the download.



5lbPcA.png


Then we wait for the "Preparing to install" section in the window that the program has given us.



5lbPcA.png


The program comes up with the Welcome screen, we click "Next>" to continue downloading again.



5lbPcA.png


In this window where the program is presented to us, we need to choose the path to be followed for the installation of the program, and we should not forget the path followed, as sometimes Java JDK does not automatically redirect because it opens CMD over .bat while running the GHIDRA application, we have to give the command ourselves, so the installation path is good. We need to know that we can direct the program to the opening with the command we give via CMD. You can change the installation Iocation from the "Change" section, if you do not want to, you can click the "Next" button to download the program.



5lbPcA.png


We are also waiting for the window that the program displays again, this process may take 3-5 minutes depending on the health of the HDD or SSD you use.



5lbPcA.png


If you say "Next Steps" in this window, the program will redirect you to a site where Java's other developer options offer, we say "Close" because we don't need it.



5lbPcA.png




GHIDRA Download and Installation



First, you paste this link into the search part of the browser you are using, and then we click the "Download Ghidra v9.2" section in the window that opens and we take our first step to download the program.



5lbPcA.png


Then, as I said above, we expect the program to download from the "Downloads" section provided by Opera on the top right.



5lbPcA.png


We drag the folder of the program named "ghidra", which is also included in the downloaded RAR file with the .zip extension, to the desktop, the reason for this is to extract the .bat folders in this program into .zip.



5lbPcA.png


We double click and open the folder we pulled on the desktop and right click the "ghidraRun.bat" extension and then click "Run as administrator". If we do not say that, as I mentioned above, the program does not automatically redirect and we have to direct it with the command via CMD.



5lbPcA.png


After the CMD screen opens, we wait for a while, if it does not open automatically, we write the path we directed to CMD while installing the JDK program on the CMD command line. The path I directed was "C:\Program Files\Java\jdk-15.0.1". If you press "Enter" after typing this in the CMD command line, it will redirect you to the program again, the point here is the way the application named JDK is directed. Since I run it as an administrator, it automatically redirects to the JDK program. In order to continue the installation of GHIDRA, we click on the "I Agree" section and continue.



5lbPcA.png


Then the program starts to run, we wait for a while on this screen, as I mentioned above, the standby time may vary depending on the HDD or SSD status.



5lbPcA.png




GHIDRA Usage



After the waiting screen passes, the program opens and puts a notification screen, a kind of tutorial screen, if you want to read and learn this, you can press the "Next To" section and continue, I say "Close" in order not to extend it.



5lbPcA.png


Before starting to work, we need to create a new project, for this we come to the "File" section and click on the "New Project" section. If you know the shortcut keys in the program, you can create a new project by pressing "CTRL + N" shortly.



5lbPcA.png


In the following screen, if we will work alone, we click on the "Non-Shared Project" section, if you want to work with a team, you can click on the "Shared Project" section, since I will work alone, I click on the "Non-Shared Project" and click on the "Next >>" section.



5lbPcA.png


After coming to the "Select Project Iocation" section, the "Project Directory" part is our first option, we can click on the "..." section and select the place where we want to set up our project. I will click on the "button and put a name for my project. I choose the name" thtprojesi" and say" Finish"to finish creating the project.



5lbPcA.png


Now we need to import a program called ".exe" that we mentioned above, we need to import it, so we come to the "File" section and we say "Import File", import the file. If you want, you can open this folder path by pressing the "L" key while the program is open with the shortcut key.



5lbPcA.png


Then, we choose any .exe extension to choose our .exe extension, after making sure that this extension is selected in the "File Name" section, we click on "Select File To Import".



5lbPcA.png


The screen presented by the program is a window that appears to get information on the program we have selected with .exe extension, to perform operations, to find the vulnerabilities, and to continue reverse engineering, we select the "Options ..." section.



5lbPcA.png


We click on the "Load External Libraries" section. When we click this, it will make it easier for us to change the information on the program or to see detailed coding information about the program, we say "OK" and continue.



5lbPcA.png


Now that we have made our settings in the "Options" section, we say "OK" to continue the Reverse Engineering process.



5lbPcA.png


Then, GHIDRA continues to import it so that it can show us in-file ".dll" extensions and in-program software information, we are waiting here for a while.



5lbPcA.png


The "Import Results Summary" screen appears. This screen is a window that reveals superficial information about the program, it offers general information about the program. We say "OK" and close the window.



5lbPcA.png


As you can see in the window of the program, there is the user dll and the kernel.dll about the program. Since our job is with the "FastClicker.exe" extension for reverse engineering, we select the "FastClicker.exe" file and drag it over the GHIDRA logo.



5lbPcA.png


After doing this, the program will come up with such an icon, which means that we are using and activating the tool, which is for GHIDRA.



5lbPcA.png


After doing this, we get a notification as we see TOOL, and this notification says "FastClicker.exe has not been analyzed. Would you like to analyze it now?" He gave a notification like this means that now this .exe extension is not analyzed. Do you want to analyze it? Since we have wanted this from the beginning, we say "Yes" and continue.



5lbPcA.png


After doing these, the program will give us the "Analysis Options" screen, this window will give us a list of all analyzers of the dialog box, and a chance to present transactions to them. We can take a look at an option we want in the "Analyzers" window on the left side of this window. The option I chose is "Create Address Tables", when we click on it, it gives "Description" about the program on the right side of the screen and gives "Options" options at the bottom.



5lbPcA.png


Then we see the "Analyze" progress in the bottom right of the program, where the program shows you the progress of each analyzer, we wait for a while.



5lbPcA.png


The window that opens after this progress is over is "There were warnings / errors issued during analysis." In other words, there are warnings and errors given during the analysis, you can get the necessary information from the side, we say "OK" and continue.



5lbPcA.png


Our analysis and analyzer processes are finished now, as you can see 3 different windows in the program appear, these are "Program Trees", "Symbol Tree" and "Data Type Menager", let's get to know them.



5lbPcA.png


Our first window, "Program Trees", this section is the area used to not only show us the structure of the program but also to perform operations in the program. Here, C and Assembly data about "headers, text, rdata, data, rsrc, reloc and debug data" can be seen about the program.



5lbPcA.png


The next window, our second window, is "Symbol Tree". This helps us find the symbols about the program and search for information about these symbols. We can do the search we want from the "Filter" section. Here, there are data such as imports, exports, functions, labels, classes, namespaces.



5lbPcA.png


Our next window, the last and third window, "Data Type Manager", that is the data type manager part, here we can create an application or find the data types one by one. As you can see here, there are BuiltInTypes, FastClicker.exe and windows_vs12_32 parts.


5lbPcA.png


If you want, you can press the "G" key on the program and open a "finder" to search for an address. If you type the address you want to search and click "OK", it will direct you to the address in the Assembly window.



5lbPcA.png


If you go to the program again and press the "F1" key, GHIDRA's utility will open, and the menu on the left can have the information you want for this auxiliary menu.



5lbPcA.png


At the end of the topic, as seen on the screen in the program, the window on the left is the "Assembly" window, and the window on the right is the "Decompiler" for C, ie the compiler window.



5lbPcA.png
 
Son düzenleme:
Üst

Turkhackteam.org internet sitesi 5651 sayılı kanun’un 2. maddesinin 1. fıkrasının m) bendi ile aynı kanunun 5. maddesi kapsamında "Yer Sağlayıcı" konumundadır. İçerikler ön onay olmaksızın tamamen kullanıcılar tarafından oluşturulmaktadır. Turkhackteam.org; Yer sağlayıcı olarak, kullanıcılar tarafından oluşturulan içeriği ya da hukuka aykırı paylaşımı kontrol etmekle ya da araştırmakla yükümlü değildir. Türkhackteam saldırı timleri Türk sitelerine hiçbir zararlı faaliyette bulunmaz. Türkhackteam üyelerinin yaptığı bireysel hack faaliyetlerinden Türkhackteam sorumlu değildir. Sitelerinize Türkhackteam ismi kullanılarak hack faaliyetinde bulunulursa, site-sunucu erişim loglarından bu faaliyeti gerçekleştiren ip adresini tespit edip diğer kanıtlarla birlikte savcılığa suç duyurusunda bulununuz.