 

Getting around in Ghidra

The main part of working with Ghidra is analysing the code and "reconstructing" what it does during its execution. Renaming functions, calls and variables from their auto-generated names to human-readable labels helps a lot in reaching that goal.


function graph view

Window -> Function Graph

Note the different colours of the edges (arrows) between the basic blocks:

green: conditional jump, taken (the condition is met).

red: conditional jump, not taken (the condition is not met, execution falls through to the next block).

blue: unconditional jump at the end of a block.

imports

Window -> Symbol References

The Symbol Tree (Window -> Symbol Tree) also lists the imported functions under its Imports folder.


instructions

conditional jump "jump if zero"

004047e7    PUSH    HKEY_CURRENT_USER
[..]
004047f6    TEST    EAX, EAX

TEST computes the bitwise AND of EAX with itself and only updates the flags; EAX itself is not modified. The zero flag (ZF) is set exactly when EAX is 0. Directly after a call, EAX holds the return value of the function that was just called.

004047f8    JZ      LAB_00404817

JZ jumps when ZF is set, i.e. when EAX was zero. Whether zero means success depends on the called function: the Windows registry functions (HKEY_CURRENT_USER being pushed above points at one) return an LSTATUS, and ERROR_SUCCESS is 0, so here a zero return value means SUCCESS and a non-zero value is an error code.

Hence: if the call above succeeded, execution jumps to LAB_00404817; otherwise it falls through to the next instruction.
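The following is an added example, not code from the page: a tiny model of the TEST/JZ sequence above that also reports the edges the Function Graph would draw in the colours described earlier. The listing is constructed; only the TEST/JZ pair and the LAB_00404817 target are taken from the fragment on this page, the preceding call is elided there, so its return value is supplied as the starting EAX instead. ERROR_SUCCESS (0) and ERROR_FILE_NOT_FOUND (2) are real Windows LSTATUS values used as sample return values.

```python
import re

# Constructed listing (not from the page) in Ghidra's address/mnemonic/operand
# layout. Only the TEST/JZ pair and the LAB_00404817 target address come from
# the fragment above; the instructions after them are made up for the example.
LISTING = """
004047f6  TEST  EAX, EAX
004047f8  JZ    LAB_00404817
004047fa  MOV   EBX, EAX
004047fc  JMP   LAB_00404820
00404817  XOR   EBX, EBX
00404820  RET
"""

# Windows return codes of LSTATUS-returning registry functions.
ERROR_SUCCESS = 0
ERROR_FILE_NOT_FOUND = 2

LINE_RE = re.compile(r"^([0-9a-fA-F]{8})\s+(\w+)\s*(.*)$")
LABEL_RE = re.compile(r"^LAB_([0-9a-fA-F]{8})$")


def parse_listing(text):
    """Return ({addr: (mnemonic, [operands])}, [addrs in listing order])."""
    insns, order = {}, []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsable listing line: %r" % line)
        addr = int(m.group(1), 16)
        ops = [o.strip() for o in m.group(3).split(",")] if m.group(3) else []
        insns[addr] = (m.group(2).upper(), ops)
        order.append(addr)
    return insns, order


def operand_value(op, regs):
    """Resolve a register name, a Ghidra LAB_xxxxxxxx label or an immediate."""
    if op in regs:
        return regs[op]
    m = LABEL_RE.match(op)
    if m:
        return int(m.group(1), 16)
    return int(op, 0) & 0xFFFFFFFF


def trace(listing_text, eax):
    """Execute the listing with EAX preset to the call's return value.

    Returns (addresses visited, edges as (from, to, colour), final registers).
    Edge colours follow the Function Graph convention: green = conditional
    jump taken, red = conditional jump not taken (fall-through), blue =
    unconditional jump.
    """
    insns, order = parse_listing(listing_text)
    regs = {"EAX": eax & 0xFFFFFFFF, "EBX": 0}
    zf = False
    pc = order[0]
    visited, edges = [], []
    while pc is not None:
        visited.append(pc)
        mnem, ops = insns[pc]
        idx = order.index(pc)
        fall = order[idx + 1] if idx + 1 < len(order) else None
        if mnem == "TEST":
            # Bitwise AND with the result discarded; only ZF matters here.
            zf = (operand_value(ops[0], regs) & operand_value(ops[1], regs)) == 0
            pc = fall
        elif mnem in ("JZ", "JNZ"):
            target = operand_value(ops[0], regs)
            taken = zf if mnem == "JZ" else not zf
            if taken:
                edges.append((pc, target, "green"))
                pc = target
            else:
                edges.append((pc, fall, "red"))
                pc = fall
        elif mnem == "JMP":
            target = operand_value(ops[0], regs)
            edges.append((pc, target, "blue"))
            pc = target
        elif mnem == "MOV":
            regs[ops[0]] = operand_value(ops[1], regs)
            pc = fall
        elif mnem == "XOR":
            regs[ops[0]] = operand_value(ops[0], regs) ^ operand_value(ops[1], regs)
            zf = regs[ops[0]] == 0
            pc = fall
        elif mnem == "RET":
            pc = None
        else:
            raise NotImplementedError("mnemonic not modelled: " + mnem)
    return visited, edges, regs


if __name__ == "__main__":
    for rc in (ERROR_SUCCESS, ERROR_FILE_NOT_FOUND):
        path, edges, regs = trace(LISTING, rc)
        print("EAX=%d: path %s" % (rc, " -> ".join("%08x" % a for a in path)))
        for src, dst, colour in edges:
            print("   %08x -> %08x  (%s edge)" % (src, dst, colour))
```

With EAX = ERROR_SUCCESS the JZ at 004047f8 is taken (the green edge to LAB_00404817); with a non-zero error code it falls through along the red edge and the JMP at the end of that block shows up as the blue edge. Swapping JZ for JNZ in the listing inverts which return value takes which path, which is exactly the check to make before assuming "zero means success" for a call whose return convention you have not looked up.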