This Saturday, I was working with some legacy software that needed changing. This software communicates over the network, and I needed to change which port it communicates over. While we do technically still have the source code of this software, there isn't much documentation, so changes can be a hassle to implement. My team and I changed the DEFAULT_PORT macro in the source file, but we were having issues getting it to compile correctly. My team and I spent about an hour and a half attempting to compile the code but to no avail. As we were leaving for the day, I jokingly mentioned that, as a last resort, we could find the current port number and manually change it with Ghidra. We had a good laugh as we were heading out, but as I walked to my car, I started considering how feasible it would be, and after a couple hours of work, I succeeded!
For those who don't know, Ghidra is a software reverse-engineering tool that the NSA released as open source software this past March. It supports a variety of compilers for several languages on different architectures and speaking from my early initial success, it is fairly easy to use. However, because I couldn't find a tutorial that told me how to edit the program, I had to find out by trial and error. Hopefully, someone interested in a simple modification like I was will be able to find this blog post, and I'll save them a little time and frustration.
Warning: Editing software without the owner's explicit permission could be against the law depending on the software's license. Do not alter any software without checking to be sure that it is legal to do so.
Ghidra Setup
 |
| Ghidra Loading Screen |
Importing the Executable
 |
| Ghidra Main Screen |
Once the program has finished loading, you should be greeted with the main menu screen. From here, you'll need to create a project to load in the program you'd like to change. Navigate to File>New Project or press Control+N to create a new project.
 |
| Creating a New Project |
After navigating through the project creation screens, choosing a project name, and a directory to keep the project files in, clicking on the icon of the green dragon head in the Tool Chest will open the CodeBrowser.
 |
| CodeBrowser Icon |
When the CodeBrowser opens, you'll be met with an empty screen. To import the executable you'd like to change, navigate to File>Import File or press the "I" key on your keyboard. Find the executable you'd like to change in your file system, then click the "Select File to Import" button at the bottom of the window. For format on the next screen, choose "Raw Binary". If you choose "Executable and Linking Format," it's a known bug with Ghidra that whatever you export will be unusable and give a segmentation fault, so don't forget that step. Next, choose the language that and compiler that was used with the ellipsis (the three periods -> ...) beside the "Language" box (I knew my program was compiled with gcc for a 64-bit x86 CPU, so this was straightforward) and choose the destination folder the same way, then click "Ok" when you're ready.
 |
| CodeBrowser File Import Settings Screen |
Once that's done, two windows should pop up, one labeled "Import Results Summary" that gives information about the import and one labeled "Analyze" that asks if you'd like CodeBrowser to analyze the newly imported file.
 |
| CodeBrowser Analyze Screen |
Clicking "Yes" will take you to an options screen for the analysis tool. The default options seemed to work alright for me, so click the "Analyze" button at the bottom of the screen to start the analysis.
 |
| CodeBrowser Analyze Options Screen |
 |
| CodeBrowser File Imported |
Editing the Executable
Here's the part where my changes and yours will differ. I can't offer much advice on how to find the part you need other than an explanation of how I found the instruction I needed to change. I needed to change the default network port from 6813 to 6950, so I did a memory search, by clicking Search>Memory, but you can also do this by pressing the "S" key on your keyboard.
 |
| Opening the Memory Search Window |
 |
| Search Memory Window |
Next, I typed 6813 in the "Search Value" box, selected decimal in the "Format" box, selected "All Blocks" in the "Memory Block Types" box, and selected "Word" in the "Format Options" box. I selected "Decimal" because the port number I entered is in decimal, I selected "All Blocks" to be sure that CodeBrowser would search the entire program, and I selected "Word" because the value I was looking for was an integer, and word is the smallest integer data type that was big enough to contain the whole value.
 |
| CodeBrowser Memory Search Window Filled Out |
Next, I clicked "Search All" to get a list of all the occurrences of 6813 in the program. It only gave one result, an instruction at the location 0003fc0. Double-clicking the search result took me to the line of the instruction I wanted to change.
 |
| CodeBrowser Memory Search Results |
 |
| CodeBrowser Window with the Search Result Highlighted |
Now that I had found the instruction I needed to edit, all that was left was to do the editing. When you'd like to edit a line, right-click it and select "Patch Instruction" or select it and press Control+Shift+G. This will allow you to edit the instruction or the data of the instruction.
 |
| Selecting "Patch Instruction" from the Instruction Menu |
 |
| Editing the Instruction |
Now all I had to do was to replace the 6813 (which is represented here in hexadecimal as 1a9d) with the new value 6950. The instruction takes a hexadecimal number as an input, and 6950 is in decimal, so after converting 6950 to the hexadecimal (1b26), I deleted the old value, replaced it with the new, and pressed enter.
 |
| CodeBrowser with Correct Port Value |
Exporting the New Executable
All that's left now is to save the file and export the program. You can save by either pressing Control+S or by navigating to File>Save '<the name of your program>'. After saving, either navigate to File>Export Program or press the "O" key on your keyboard to export.
 |
| CodeBrowser Export Program Option |
Choose "Binary" as your format, choose your output file, and with any luck, that's it! If everything worked correctly, you should have a fully functional, but slightly altered, binary program. Again, remember not to edit anything without making sure that you aren't breaking any laws.
 |
| CodeBrowser Export Screen |
What is binary code in ghidra??
ReplyDeleteLove this
ReplyDelete