Ghidra 9.2.2 Download Fix


Clarissa Pfister

Jan 21, 2024, 12:03:53 AM
to stinifcodla

We are also going to build the Eclipse development extensions for this version of Ghidra; this will help us later on when we build a loader and write our analysis scripts. To do this we add the following line to the build_ghidra.sh script:

Now that we have a new version of Ghidra built, we also need to build the GhidraDev plugin for Eclipse. The Eclipse projects can be found in the ghidra-builder/workdir/ghidra/GhidraBuild/EclipsePlugins/GhidraDev directory.

Launch Ghidra via ghidraRun and go to File -> Install Extensions. Select the GhidraGBA loader and click OK. You will need to restart Ghidra for the change to take effect. Now when you load a GBA ROM you should see the following:

Takeaways here - gvba does not work with any sort of modern GDB. gdb-multiarch seems to miss breakpoints for some reason, and gdb from devkitarm does not respond to Ghidra appropriately to provide registers.

Here is where the problem comes up. I have a Ryzen 9 5900X with 64GB of RAM on my computer, yet it has been analyzing for days now and it isn't showing any signs of finishing soon. Before starting the analysis, I extended Ghidra's MAXMEM to 32GB (and restarted Ghidra to apply changes), and I believe this helped a bit with speed, because memory usage seems to be a bit above 16GB (which is, according to the ghidraRun script, the limit Ghidra would let itself use on my computer). I have no idea what else to do though. The binary is pretty big (33.6MB), but not nearly enough to need so many days I think, it can't be that complicated. My max threads in auto analysis are also set to 24, yet according to system monitor, Ghidra is only using 8% of my CPU.

Ghidra installation simply involves unpacking zip files to a folder of your choice. Each of the Ghidra packages is intended to unpack directly on top of the same folder structure. For example, extracting Ghidra_7.0.2_TSSI_20151120_common.zip to the folder C:\Ghidra will unpack everything into C:\Ghidra\ghidra_7.0.2. Other packages for version 7.0.2 will drop their files into the same relative directory structure.

The Eventbrite page is here: -u-reverse-engineering-with-ghidra-tickets-109681391996 - we will be releasing the videos of the classes as well, so you will still be able to access the material even if you're not present for the actual class.

Making Ghidra aware of function signatures improves decompilation and analysis. This can be done by importing header files from tools/ghidra_scripts/datatypes. The dump should already be analyzed as described above.

Note: Parse configurations are global Ghidra settings, not specific to a project or "program". They are stored in a version-specific .ghidra directory, like $HOME/.ghidra/.ghidra_9.2.2_PUBLIC/parserprofiles. They are a simple text format, so if you upgrade Ghidra, it's probably safe to copy them to the new config directory.

After creating a project in Ghidra for the CTF (or just using your everything-goes-here project) and after using File > Import File to add our binary to the project, we can open it and tell Ghidra that yes, we would like to analyze the file right now when prompted.

Writing Ghidra loader
I never implemented any Ghidra loader. I did some research. There is a nice tutorial about writing loaders - here. To be honest, I much prefer to experiment so my mostyle was based on the opensource loaders like GhidraPS4Loader and mclf-ghidra-loader.
