WEBVTT

00:00.400 --> 00:01.320
Hello everyone.

00:01.840 --> 00:02.960
Welcome to this lecture.

00:03.680 --> 00:04.520
I'm Typhoon here.

00:05.000 --> 00:11.200
And in this session we are going to get hands on with Ghidra and learn how to set up your first project.

00:11.200 --> 00:17.120
You will also see how to import the binary and understand how Ghidra organizes and manages your data.

00:17.960 --> 00:23.040
This foundational walkthrough will prepare you for more advanced reverse engineering work later on.

00:24.440 --> 00:27.160
And here we have the Ghidra project folder.

00:27.440 --> 00:27.880
Right?

00:28.200 --> 00:35.680
And one of the core differences compared to other reverse engineering tools is how it structures analysis.

00:35.680 --> 00:37.240
Now if we run this Ghidra.

00:45.160 --> 00:50.400
And here, you know, active project here, what you will see is that it's called project.

00:50.440 --> 00:58.680
And so rather than opening files directly like most other reverse engineering tools do, Ghidra uses

00:58.720 --> 01:00.760
a project based system.

01:00.800 --> 01:06.130
Now this is a huge advantage when dealing with large projects, multiple binaries, or collaborating with

01:06.170 --> 01:07.770
other analysts.

01:08.130 --> 01:14.930
Now to create a new project, we will go to the top menu, File and New Project, or simply use

01:14.930 --> 01:22.450
a shortcut, Ctrl+N, this Control and N here.

01:24.970 --> 01:27.050
And after that you will see two options.

01:27.970 --> 01:32.090
Also remember if you Google or DuckDuckGo.

01:32.530 --> 01:33.570
Uh, Ghidra.

01:33.890 --> 01:38.930
Cheat sheet, and you will see lots of keyboard shortcuts here.

01:39.690 --> 01:40.090
Oops.

01:40.250 --> 01:40.730
Wait.

01:40.770 --> 01:41.170
Yeah.

01:41.930 --> 01:42.810
Now here.

01:44.890 --> 01:45.410
Here.

01:46.290 --> 01:47.650
Yeah, there's lots of options.

01:50.250 --> 01:52.930
On keyboard shortcuts, and lots of information on that page.

01:53.370 --> 02:01.050
And here you will be prompted to select between a non-shared project or a shared project.

02:01.290 --> 02:04.380
Now for this example we will be working solo.

02:04.740 --> 02:08.860
So we will choose a non-shared project and click Next.

02:09.460 --> 02:16.020
Now you need to give your project a name, and names have to be descriptive, like in programming.

02:16.540 --> 02:24.860
We'll open the Ghidra projects, select Project Directory, and we will name the project Hello World

02:25.700 --> 02:26.860
and click on Finish.

02:27.820 --> 02:29.940
And here we have the Hello World project.

02:30.500 --> 02:36.540
And if we go to this file and Ghidra projects, hello world.

02:36.580 --> 02:45.140
Here you can see that we have one directory, two lock files and one .gpr file.

02:46.340 --> 02:49.860
Now this is the .gpr file, as the name implies.

02:49.860 --> 02:55.140
Hello world, that is, this is the main project file.

02:55.580 --> 02:59.420
We have the folder directory.

02:59.980 --> 03:05.380
If you come from the Linux side, I use Arch, by the way.

03:06.240 --> 03:15.720
So in this .rep directory we have, uh, this, which stores all related metadata and analysis, uh, data

03:15.760 --> 03:16.360
basically.

03:16.920 --> 03:24.600
And this folder will get bigger as we analyze our project file or executable.

03:26.320 --> 03:26.840
Yeah.

03:27.080 --> 03:28.120
That's basically it.

03:29.280 --> 03:37.960
And these lock files, uh, Ghidra prevents simultaneous access to the same project by using this kind of

03:38.000 --> 03:44.480
lock mechanism, which you can see also in the, uh, VMware virtual machines here.

03:45.200 --> 03:46.600
Um, almost same.

03:47.720 --> 03:52.720
We have that lock file and we have the dot lock file.

03:53.760 --> 04:01.000
Um, but if we open this you will see the time, a lot of information about how this, uh, lock file

04:01.040 --> 04:01.640
happened.

04:07.280 --> 04:12.450
Now, if you try to open this .gpr file while lock files are there,

04:13.170 --> 04:14.730
Ghidra will detect this.

04:14.770 --> 04:19.610
lock, and lock some symbol file, and block duplicate access.

04:19.650 --> 04:24.610
Now this ensures that your data is not accidentally corrupted during multitasking or teamwork.

04:26.130 --> 04:27.130
And yeah, that's.

04:27.130 --> 04:29.090
We have opened our project.

04:29.850 --> 04:33.050
Uh, Ghidra created project files and so on and so forth.

04:33.050 --> 04:34.890
We have the active project Hello World.

04:35.250 --> 04:37.650
But we are missing something.

04:39.290 --> 04:42.250
We need some executable file or binary file.

04:42.250 --> 04:42.810
It doesn't matter.

04:42.850 --> 04:44.250
Ghidra analyzes everything.

04:44.770 --> 04:47.770
We need some file to analyze.

04:48.570 --> 04:54.130
And now we will write some code with Visual Studio.

04:55.410 --> 04:56.210
Like doesn't matter.

04:56.210 --> 04:59.450
You can even use the text file of course if you have.

05:00.770 --> 05:06.690
But of course we will need to firstly install the MinGW from the sourceforge download.

05:07.530 --> 05:09.930
This will download in five seconds.

05:09.930 --> 05:11.140
We don't have five seconds.

05:11.180 --> 05:12.380
Life is short.

05:14.180 --> 05:15.740
Yeah, I have deleted it, but don't worry.

05:15.780 --> 05:17.060
Yeah, we will open this.

05:17.740 --> 05:18.220
Okay.

05:18.460 --> 05:18.980
Here.

05:19.020 --> 05:19.580
Run.

05:19.980 --> 05:20.740
Install.

05:20.740 --> 05:21.500
Continue.

05:21.740 --> 05:22.940
Already in use.

05:23.100 --> 05:23.500
Uh.

05:24.980 --> 05:25.820
Run now.

05:25.940 --> 05:26.780
So that's it?

05:26.820 --> 05:27.820
It is installed.

05:27.860 --> 05:30.420
Click on Update Catalogue.

05:30.900 --> 05:32.100
It will update it.

05:32.100 --> 05:41.620
And what you need to install from this catalogue is GCC, g++, bin and dev, two of them.

05:42.260 --> 05:44.060
You don't know when you will need that.

05:45.020 --> 05:46.860
And GCC.

05:47.300 --> 05:49.620
This is the most important, right?

05:51.420 --> 05:53.140
That's it, you know.

05:53.180 --> 05:58.820
Or you can, if you have a storage problem,

05:58.860 --> 06:02.900
but you shouldn't, because it will just take ten megabytes max,

06:04.260 --> 06:06.300
you can install this GCC only.

06:06.300 --> 06:07.700
It will work as well.

06:08.020 --> 06:11.780
Now after that, Mark All Upgrades, and that's it.

06:14.640 --> 06:16.040
This is installed.

06:16.720 --> 06:24.000
So what you need to do after this installation process is you need to add this GCC to your environment

06:24.000 --> 06:29.320
variables, so you can run GCC whenever you want, like I did here.

06:29.760 --> 06:34.400
And in order to do that we will go to System Properties, Environment Variables, Path.

06:35.760 --> 06:36.360
That's it.

06:38.320 --> 06:42.600
This is how easy it is, as easy as it gets, installing GCC.

06:42.680 --> 06:48.960
You don't need a 10-minute or 15-minute lecture understanding or explaining nonsense.

06:49.560 --> 06:50.680
This is like one minute.

06:50.680 --> 06:52.080
I think that's it.

06:52.360 --> 07:01.800
And what we need to do here is we will open main.c in VSCode, and we will write some program now,

07:01.840 --> 07:02.960
after installation.

07:03.000 --> 07:10.040
Of course, you need to make sure that GCC is working on the CMD here, and you can check that by quickly

07:10.080 --> 07:15.810
typing gcc --version on CMD, and you can see the MinGW.

07:17.330 --> 07:19.970
Uh, this is free software.

07:20.170 --> 07:20.770
Nice.

07:21.130 --> 07:21.930
And that's it.

07:22.850 --> 07:32.490
So #include, uh, we will write some hello world program, int main and printf.

07:33.170 --> 07:38.610
We will just print Hello World and a new line.

07:38.770 --> 07:40.010
And to compile.

07:41.050 --> 07:43.170
Yeah, we don't want to return here.

07:43.770 --> 07:49.890
So to compile the program using the newly installed GCC, we will save the code here.

07:49.930 --> 07:50.410
Oops.

07:50.730 --> 07:51.730
Hello world.

07:52.050 --> 08:02.850
Yeah, we will save the code and run gcc helloworld.c, fatal, no input.

08:03.370 --> 08:03.970
Yeah.

08:04.770 --> 08:13.970
No, this is main.c of course, main.c, and the output is going to be helloworld.exe.

08:15.700 --> 08:17.340
We have an error here.

08:18.220 --> 08:18.620
Of course.

08:18.660 --> 08:19.060
This.

08:22.340 --> 08:25.540
The last line brought the Python code, so that's why I forgot here.

08:25.900 --> 08:26.980
helloworld.exe.

08:26.980 --> 08:27.580
That's it.

08:27.620 --> 08:28.820
Now we will open this.

08:33.020 --> 08:35.140
See, here we have helloworld.

08:35.740 --> 08:39.860
If we run this, it will quickly show the Hello World.

08:39.860 --> 08:46.980
But what you need to do is open a terminal, and hello world, Desktop,

08:47.020 --> 08:51.740
helloworld.exe, and you can see Hello World is written here without a problem.

08:51.740 --> 08:52.700
That's the easy thing to do.

08:52.740 --> 08:53.380
Don't worry.

08:54.380 --> 08:56.900
And what you need to do then?

08:56.900 --> 08:59.220
Now, now Ghidra will.

09:02.820 --> 09:04.060
We will go to here.

09:04.100 --> 09:05.060
Open Ghidra.

09:05.100 --> 09:08.540
We will click on File, Import File.

09:09.060 --> 09:09.940
And that's it.

09:10.540 --> 09:16.700
Now what you need to do, you will know, is that we need to import this helloworld.exe file.

09:17.190 --> 09:19.590
Uh, select file to import.

09:23.470 --> 09:27.270
I will go up now, and you can see it.

09:27.510 --> 09:38.830
It automatically detected that it is an x86 32-bit Windows PE, which basically means Portable Executable,

09:39.830 --> 09:41.350
and once detected.

09:45.310 --> 09:53.550
you'll click on OK to confirm the import. Yeah, that was quick.

09:55.390 --> 09:59.070
And after that you will see the summary here.

09:59.110 --> 10:04.670
Yet this might sometimes be problematic, but yeah, here we are.

10:06.550 --> 10:08.070
And you will see the summary here.

10:10.150 --> 10:11.590
Um yeah.

10:11.630 --> 10:16.310
This will give you insights into the file structure, segments and metadata.

10:16.350 --> 10:19.350
You can see project file name, read only.

10:19.350 --> 10:21.520
It's not read only, we can write this also.

10:22.720 --> 10:30.280
Language ID, Windows, endian is little.

10:31.800 --> 10:35.480
Address size 32 bytes.

10:35.720 --> 10:37.040
Memory blocks.

10:37.040 --> 10:42.160
Instructions, defined data, functions, symbols, data types.

10:42.160 --> 10:43.080
Yeah, so on and so forth.

10:43.080 --> 10:48.400
We have lots, lots of information here, executable location, date created.

10:49.240 --> 10:52.560
And yeah, after this is just the import result summary.

10:52.600 --> 10:54.600
Nothing special here.

10:54.600 --> 10:59.760
But in some cases you will get pretty easy information here.

11:03.160 --> 11:06.920
And that's it. I will go down.

11:13.320 --> 11:20.600
Unlike tools that focus on single-file analysis, Ghidra lets you work with multiple binaries at once.

11:21.080 --> 11:27.260
Now you can import a main executable along with its supporting DLLs, configuration files or even firmware

11:27.300 --> 11:28.020
images.

11:28.260 --> 11:34.860
This is incredibly useful for complex projects where understanding cross-binary relationships is essential.

11:35.180 --> 11:37.820
Now you can search across multiple files.

11:37.860 --> 11:40.140
Link symbol references,

11:41.020 --> 11:44.780
And organize your work in a modular, scalable way.

11:45.460 --> 11:47.300
Now this project-based design is one of the

11:49.540 --> 11:58.100
greatest strengths compared to other tools, especially when compared to more, like, traditional tools.

11:59.740 --> 12:00.500
And that's it.

12:00.540 --> 12:06.220
In the next lecture, we will take our first steps into Ghidra's disassembler and decompiler.

12:06.460 --> 12:13.980
Now you will learn how to initialize, uh, initiate analysis, interpret the results, and begin navigating

12:13.980 --> 12:18.060
a binary from a reverse engineer's perspective.

12:19.700 --> 12:20.820
Thank you for watching.

12:20.940 --> 12:23.180
I'm Typhoon, and I'll see you in the next lecture.
