RE-011 Lab 4: Ghidra Navigation

Import a 200-line binary into Ghidra, navigate to main three ways, rename all non-trivial functions, and explain what the binary does based on function names and the decompiler view.


Overview

You import a provided stripped binary into Ghidra, run the auto-analyser, and demonstrate navigation fluency: finding functions three different ways. Then you rename every function that does observable work using the naming discipline from Week 6. The deliverable is a Ghidra project with renamed functions and a written explanation of the binary's purpose.

Tools: Ghidra (current release, from NSA's GitHub or ghidra-sre.org)

Time: ~90 minutes.


Setup

The lab binary (lab4_target) is provided by the instructor as a stripped Linux x86-64 ELF. Self-paced fallback: see labs/_artifacts/README.md ("Self-paced fallback: Lab 4") for a C source + compile command that produces an equivalent binary. Before opening Ghidra, run the usual static triage:

file lab4_target                          # file type, architecture, and whether it reports "stripped"
readelf -h lab4_target                    # ELF header: class, entry point address, section count
readelf -S lab4_target                    # section headers: is .symtab present, or only .dynsym?
nm -D lab4_target                         # dynamic symbols: imported libc functions the binary uses
strings -n 8 lab4_target | head -30       # printable strings of 8+ chars: prompts, messages, format strings

Record your initial hypothesis: based on the import table and strings, what do you think this binary does?


Part A: Project creation and import

  1. Launch Ghidra.
  2. Create a new project: File > New Project > Non-Shared > name it lab4.
  3. Import the binary: File > Import File > select lab4_target.
  4. Verify Ghidra detected: Format = ELF, Language = x86:LE:64:default:gcc (or similar x86-64 variant).
  5. Open in CodeBrowser (double-click the imported file in the project window).
  6. When prompted to analyze, click "Yes" then "Analyze." Wait for analysis to complete.

Take a screenshot of the main Ghidra window after analysis completes. This is the starting state.


Part B: Navigate to main -- three methods

Navigate to the main function (or whatever Ghidra has named the entry function) using each of the three methods below. After each navigation, return to a different part of the binary (e.g., the entry point) before using the next method.

Method 1: Symbol Tree. Expand the Symbol Tree (left panel) > Functions. Scroll to find main or entry. Double-click to navigate. If the binary is stripped, main may not be present -- look for FUN_xxxxxxxx near the entry point address.

Method 2: Address navigation. In the listing view, press G (or use Navigation > Go To). Type the address of main (find it with readelf -s lab4_target | grep main or from Method 1's result). Press Enter.

Method 3: Decompiler cross-reference. Navigate to a function that references main, such as entry, whose decompiled body passes the address of main to __libc_start_main. In the decompiler view, click the name of the function being passed or called to navigate to it.

For each method, write one sentence: what you did, and whether it would work on a fully stripped binary with no symbol table.


Part C: Rename all non-trivial functions

After navigating to main, read the decompiler view. Identify every function called by main and every function called by those functions (up to 2 levels deep).

For each function that does observable work (not a library stub like printf@plt or malloc@plt), rename it using the Week 6 naming discipline:

  • Be specific: validate_serial_number not check
  • Include confidence: maybe_decrypt if you are not certain
  • Preserve hierarchy: parse_header_field if it is clearly a sub-helper of parse_header

Rename at least 5 functions. Record each rename in your lab report:

Original name: FUN_00401200
New name: validate_key
Reason: Reads a global counter, compares input against a computed expected value, returns 0 or 1
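To check the Part C scope mechanically, here is an added Ghidra script (written for this page; it is not part of the lab handout or Ghidra's bundled scripts) that walks the call graph two levels down from main and lists which in-scope functions still carry Ghidra's default FUN_ name. It assumes you drop it into a Ghidra script directory, run it from the Script Manager, and type the root function's current name (main, or the FUN_ name found in Part B) when prompted.

```java
// Lab4CallGraphReport.java -- added example for RE-011 Lab 4, not a bundled Ghidra script.
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionManager;
import ghidra.program.model.symbol.SourceType;
import java.util.*;

public class Lab4CallGraphReport extends GhidraScript {
    @Override
    public void run() throws Exception {
        FunctionManager fm = currentProgram.getFunctionManager();
        // Root of the walk: "main" if the symbol survived, else the FUN_ name from Part B.
        String rootName = askString("Root function", "Current name of main (e.g. main or FUN_00401200)");
        Function root = null;
        for (Function f : fm.getFunctions(true)) {
            if (f.getName().equals(rootName)) { root = f; break; }
        }
        if (root == null) { printerr("No function named " + rootName); return; }

        // Breadth-first walk limited to two levels, matching the Part C scope.
        Map<Function, Integer> depth = new LinkedHashMap<>();
        Deque<Function> queue = new ArrayDeque<>();
        depth.put(root, 0);
        queue.add(root);
        while (!queue.isEmpty()) {
            Function cur = queue.poll();
            int d = depth.get(cur);
            if (d >= 2) continue;                       // callees of depth-2 functions are out of scope
            for (Function callee : cur.getCalledFunctions(monitor)) {
                if (!depth.containsKey(callee)) { depth.put(callee, d + 1); queue.add(callee); }
            }
        }

        // Library stubs (PLT thunks, externals) are skipped, as the lab says not to rename them.
        // A symbol whose source is DEFAULT still carries the auto-generated FUN_xxxxxxxx name.
        int todo = 0;
        for (Map.Entry<Function, Integer> e : depth.entrySet()) {
            Function f = e.getKey();
            if (f.isThunk() || f.isExternal()) continue;
            boolean isDefault = f.getSymbol().getSource() == SourceType.DEFAULT;
            println(String.format("depth %d  %-28s %s  %s", e.getValue(), f.getName(),
                    f.getEntryPoint(), isDefault ? "TODO: rename" : "renamed"));
            if (isDefault) todo++;
        }
        println(todo + " in-scope function(s) still have a default name");
    }
}
```

Rerun it after each batch of renames; when the TODO count reaches zero, every function in the Part C scope has a name you chose and can justify in the rename table.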

Part D: Binary purpose explanation

After renaming, write a structured explanation (200-300 words) of what the binary does:

  • What is the program's top-level purpose?
  • What are the two or three most important functions, and what does each do?
  • What user input does the binary accept (command-line arguments, stdin, files)?
  • What output does it produce?
  • Is there a check or validation in the binary? If so, what does it validate?

Compare this explanation to your initial hypothesis from the Setup step. Was your hypothesis right? What did the static triage (strings, imports) tell you that the Ghidra analysis confirmed or corrected?


Part E: Screenshot submission

Take and submit two screenshots:

  1. Symbol Tree showing your renamed functions.
  2. Decompiler view of the most interesting function (the one that does the primary work).

In your report, reference each screenshot with a caption explaining what it shows.


Lab Report

Submit one document covering Parts A through E. Include:

  • The commands from the Setup step and your initial hypothesis
  • Three sentences from Part B (one per navigation method)
  • The rename table from Part C (at minimum 5 entries)
  • The 200-300 word explanation from Part D
  • Two screenshots from Part E with captions

Grading

Criterion                                                          Points
Part A: Project setup complete and correct processor detected          10
Part B: Three navigation methods described with accuracy               15
Part C: At minimum 5 functions renamed with reasoning                  30
Part D: Binary purpose explanation is accurate and specific            30
Part E: Screenshots submitted with captions                            15
Total                                                                 100

A rename like "FUN_00401200 -> check" with no explanation earns minimal credit. A rename like "FUN_00401200 -> validate_serial_number -- reads global counter and compares to computed expected value" earns full credit.


Lab 4 of 9. Due: end of Week 6. The naming discipline established here carries forward to every binary you analyze for the rest of the course and into RE-101.