Ghidra

Post by RogerClark » Wed Mar 13, 2019 3:54 am

I think this new reverse engineering tool may be of interest to the stalwarts of the forum.

It's going to be free and open source (albeit the source has not been released yet, but it's written mostly in Java as far as I can tell, so even if they didn't end up releasing the source code, I'm sure some enterprising people would just decompile it).

https://ghidra-sre.org/

It's roughly equivalent to IDA Pro + Hexrays and both disassembles and decompiles.

I've been reverse engineering some NXP MCU firmware with it for a few days, and it seems very powerful.
It lacks a debugger connection, which would be very useful, but apart from that it seems really good.

In order to make the most of the disassembly you need a PSPEC file for the exact processor you are using. So I made the attached PSPEC file for the NXP MK22 by processing their PDF reference doc (it took a lot of processing!)

I'm sure the same thing can be done for the STM32 or other MCUs, either from the reference manuals or possibly by using the C preprocessor to generate something useful (though I think using the reference doc route may be better).

Also, another trick I found is that if you can halt the code in GDB and dump the MCU RAM to a file, you can load that file into the project (press ALT+I).

You can then jump from the disassembly references to what has actually been in the RAM for specific pointers (variables)


PS..
There is a security advisory on the support/launch.sh and support/launch.bat

Line 150 of launch.sh needs to be changed so only localhost access is allowed

Code:

	VMARG_LIST+=" -Xrunjdwp:transport=dt_socket,server=y,suspend=${SUSPEND},address=localhost:${DEBUG_PORT}"

And the same on line 140 of launch.bat for PC users

Code:

	set VMARG_LIST=!VMARG_LIST! -Xrunjdwp:transport=dt_socket,server=y,suspend=!SUSPEND!,address=localhost:!DEBUG_PORT!

Attachments: MK22_PSPEC_NEW.zip (13.38 KiB)
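
A check for the launch-script change described in the post above, as an added example that is not part of the original post or of Ghidra: it parses the JDWP option on each script line and reports any debug listener not bound to loopback. The function names and the three non-fixed sample lines are constructed for illustration; a port-only address is reported too, because JVMs before JDK 9 bind it on all interfaces.

```python
import re

# Matches both JDWP spellings: -Xrunjdwp:k=v,... and -agentlib:jdwp=k=v,...
JDWP_RE = re.compile(r"-(?:Xrunjdwp:|agentlib:jdwp=)(\S+)")
LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}


def jdwp_bind_host(line):
    """Return the host a JDWP listener binds to, '' if only a port is given,
    or None if the line configures no JDWP listener."""
    m = JDWP_RE.search(line)
    if not m:
        return None
    pairs = m.group(1).strip("\"'").split(",")
    opts = dict(kv.split("=", 1) for kv in pairs if "=" in kv)
    if opts.get("server") != "y":  # server=n dials out, it does not listen
        return None
    # Split host from port on the last colon. Assumes the port is a literal or
    # a plain variable such as ${DEBUG_PORT} / !DEBUG_PORT! (no colon inside).
    host, sep, _port = opts.get("address", "").rpartition(":")
    return host if sep else ""


def audit(lines):
    """Return (line_number, host) for each JDWP listener not pinned to loopback."""
    findings = []
    for number, line in enumerate(lines, start=1):
        host = jdwp_bind_host(line)
        if host is not None and host not in LOOPBACK:
            findings.append((number, host or "<port only>"))
    return findings


# Sample input: lines 1-2 are the fixed lines quoted in the post,
# lines 3-5 are constructed for this example.
SAMPLE = [
    'VMARG_LIST+=" -Xrunjdwp:transport=dt_socket,server=y,suspend=${SUSPEND},address=localhost:${DEBUG_PORT}"',
    'set VMARG_LIST=!VMARG_LIST! -Xrunjdwp:transport=dt_socket,server=y,suspend=!SUSPEND!,address=localhost:!DEBUG_PORT!',
    'VMARG_LIST+=" -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=*:${DEBUG_PORT}"',
    'VMARG_LIST+=" -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=${DEBUG_PORT}"',
    'VMARG_LIST+=" -Xmx2G"',
]

if __name__ == "__main__":
    for number, host in audit(SAMPLE):
        print(f"line {number}: JDWP listener bound to {host}")
```

To audit a real install, pass the lines of support/launch.sh or support/launch.bat to `audit()` instead of `SAMPLE`.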


Re: Ghidra

Post by Squonk42 » Wed Mar 13, 2019 5:44 am

Thank you Roger for the tip!

I am not sure I want to install an NSA tool on my machine... Maybe I am a little bit paranoid, but I fear they took the opportunity to install some backdoors, so I may wait until they provide the source code and enough people have a look at it beforehand.

What is this security advisory exactly? I am not on my machine so I cannot open the attached zip yet.


Re: Ghidra

Post by ag123 » Wed Mar 13, 2019 5:48 am

oh wow, it is pretty interesting stuff and what is more interesting is it comes from NSA
:lol:


Re: Ghidra

Post by BennehBoy » Wed Mar 13, 2019 7:36 am

Squonk42 wrote:
Wed Mar 13, 2019 5:44 am
Thank you Roger for the tip!

I am not sure I want to install an NSA tool on my machine... Maybe I am a little bit paranoid, but I fear they took the opportunity to install some backdoors, so I may wait until they provide the source code and enough people have a look at it beforehand.

I wouldn't worry too much, there's almost certainly already one installed :lol: :lol:
-------------------------------------
https://github.com/BennehBoy


Re: Ghidra

Post by Riva » Wed Mar 13, 2019 8:20 am

Squonk42 wrote:
Wed Mar 13, 2019 5:44 am
I am not sure I want to install an NSA tool on my machine... Maybe I am a little bit paranoid, but I fear they took the opportunity to install some backdoors, so I may wait until they provide the source code and enough people have a look at it beforehand.

The software is probably fine, with no backdoors. The problem is you need Java that is likely riddled with holes the NSA exploit. :lol:


Re: Ghidra

Post by Squonk42 » Wed Mar 13, 2019 8:39 am

OK, I'll run it in a VM with no external access, then :mrgreen:


Re: Ghidra

Post by ag123 » Wed Mar 13, 2019 9:45 am

it is interesting as my guess is the s/w is to help you find the backdoors :lol:


Re: Ghidra

Post by RogerClark » Wed Mar 13, 2019 9:56 am

If the NSA wants to gain access to your computer, there's not a lot you can do about it.

IMHO the only things that are vaguely secure are MCUs that have no external connections.
Even connecting via USB is a risk, as the stack could have bugs in it.
