Class 3 Q&A
- How are we using docker for this class?
- Docker is used to run the exercises in; you can also use an Ubuntu 18.04 virtual machine if you prefer.
- What is a (the most?) common example of being able to pull in a header file? Don't most RE activities assume you don't have the source?
- If you are aware of an open source library that the program may be using, you can import header files from that. Or perhaps, if you are reverse engineering a custom kernel module, a lot of the structs in use are likely from the mainline kernel.
- Can you touch on using tools like Ghidra to remove calls to say a dongle attached to the system?
- This would be entirely system-dependent and more context would be needed. Are you trying to functions? What is the end goal? etc.
- How do you do expressions in Ghidra? e.g. the last exercise, which did a complicated shift and arithmetic---I ended up using Octave to calculate it, but Ghidra must have it as well, and I couldn't find it.
- Aside from PCODE emulation, I am not aware of a way to directly evaluate the resulting decompilation. This would require using an external emulator of some sort.
- Could you give a couple of examples of what IDA is good at that nobody else has, and vice versa for Ghidra and R2?
- IDA: Good at C++ demangling, Windows PDB parsing, strong decompiler
- R2: Extensible, can easily be expanded upon with plugins, community support, open source
- Ghidra: Decompiler support for every processor, open source, actively developed
- Is it possible to demo running Ghidra alongside a debugger? I know the ret-sync plugin exists but I've had trouble with it
- Right now the built-in debugger is in alpha testing, and hopefully they will be releasing it with the next official release.
- Could you use Ghidra to reverse engineer itself?
- Ghidra is Java-based and open source, so there would be little reason to reverse engineer it specifically when the source code is hosted on GitHub.
- Should all struct members take up the same amount of space?
- No, it depends on multiple factors: the architecture of the target system, the compiler optimization settings, and of course the members of the struct itself!
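As an added illustration of that answer (not part of the class material), the C program below declares two constructed structs with the same members in different orders and shows how the compiler's alignment rule inserts padding. It also carries a small model of that rule, driven by `sizeof` and `_Alignof` so it follows the ABI of whatever compiler builds it; the struct names, member names and the `layout`/`model_padded` helpers are all assumptions made for this example. The practical point for Ghidra is that when you define a struct in the Structure Editor you must reproduce the same padding, or every member after the first hole ends up at the wrong offset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Two constructed structs with identical members in different orders.
 * Neither comes from the class exercises; they exist only to show padding. */
struct padded {        /* member order forces implicit padding */
    uint8_t  kind;     /* offset 0, then 7 bytes of padding on x86-64 */
    uint64_t id;       /* must start on an 8-byte boundary */
    uint16_t port;
    uint32_t flags;    /* preceded by 2 bytes of padding */
};

struct reordered {     /* same members, largest first: no implicit padding */
    uint64_t id;
    uint32_t flags;
    uint16_t port;
    uint8_t  kind;
    uint8_t  spare;    /* explicit filler where padding would otherwise be implicit */
};

/* Description of one member: its size and required alignment. */
struct member { const char *name; size_t size; size_t align; };

/* Model of the layout rule shared by the common ABIs (SysV x86-64, AAPCS,
 * MSVC by default): each member starts at the next multiple of its own
 * alignment, and the struct is padded at the end to a multiple of the
 * largest member alignment. Fills offsets[] and returns the total size. */
size_t layout(const struct member *m, size_t n, size_t *offsets) {
    size_t off = 0, max_align = 1;
    for (size_t i = 0; i < n; i++) {
        if (m[i].align > max_align) max_align = m[i].align;
        off = (off + m[i].align - 1) / m[i].align * m[i].align; /* round up */
        offsets[i] = off;
        off += m[i].size;
    }
    return (off + max_align - 1) / max_align * max_align;     /* tail padding */
}

/* Run the model over struct padded. _Alignof (C11) picks up the target
 * ABI's alignment, so the model tracks whatever the compiler actually does. */
size_t model_padded(size_t offsets[4]) {
    const struct member m[4] = {
        { "kind",  sizeof(uint8_t),  _Alignof(uint8_t)  },
        { "id",    sizeof(uint64_t), _Alignof(uint64_t) },
        { "port",  sizeof(uint16_t), _Alignof(uint16_t) },
        { "flags", sizeof(uint32_t), _Alignof(uint32_t) },
    };
    return layout(m, 4, offsets);
}

int main(void) {
    size_t off[4];
    size_t modelled = model_padded(off);
    printf("struct padded:    sizeof=%zu (model says %zu)\n",
           sizeof(struct padded), modelled);
    printf("  kind@%zu id@%zu port@%zu flags@%zu\n",
           offsetof(struct padded, kind), offsetof(struct padded, id),
           offsetof(struct padded, port), offsetof(struct padded, flags));
    printf("struct reordered: sizeof=%zu\n", sizeof(struct reordered));
    return 0;
}
```

On a 64-bit SysV target `struct padded` comes out at 24 bytes and `struct reordered` at 16; on an ABI where `uint64_t` is only 4-byte aligned (32-bit x86) the model and the compiler still agree, which is exactly why it is built from `_Alignof` rather than from hard-coded numbers.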
- Does running a syscall, by definition, execute instructions defined in the kernel? How does that carry over to an embedded context?
- The syscall instruction does a number of things, but most importantly it puts the value of the IA32_LSTAR MSR into the PC; this will jump to valid code that will handle the syscall properly. Think of it as similar to an interrupt vector table on an embedded processor.
- I was surprised there wasn’t any Ghidra feature for syscall analysis.
- As of right now I am not aware of any plugins that do this, but it would make for a great side project!
- A question I've been having is why I often see extra (typically repeated) arguments in the decompiled output. For example, in many of the examples the functions that add two parameters are known to only take two parameters, but Ghidra shows them as having 3 or 4 being provided. What does it mean/why does it happen? How do I fix it in Ghidra?
- This happens because the decompiler makes a lot of assumptions, and oftentimes these assumptions are simply incorrect. You can fix this up by changing the types of variables on the stack so that they are the proper size.
- Are there any special considerations needed to reverse a proprietary kernel module?
- Nope! They are just ELF files. This is a good example of when one might want to import header files from the kernel source, depending on the driver and what other subsystems it uses; for example, if your driver uses USB URB objects/structs you could import those in order to make it simpler.
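To make "they are just ELF files" concrete, here is an added example (my own, not from the class) that reads the ELF identification bytes plus `e_type` and `e_machine`, which sit at the same offsets in ELF32 and ELF64 headers, and reports what kind of object it is. It goes one step past the answer above: a `.ko` is specifically an ET_REL (relocatable) object, which is why Ghidra shows it with unresolved relocations and section-relative addresses rather than a fixed load address. The 20-byte `sample_ko_header` is constructed for the example and the helper names (`summarize_elf`, `type_name`) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* e_type values from the ELF specification. */
enum { ET_NONE = 0, ET_REL = 1, ET_EXEC = 2, ET_DYN = 3, ET_CORE = 4 };

/* The handful of header fields this example cares about. */
struct elf_summary {
    int is_elf;
    int is_64bit;
    int little_endian;
    uint16_t e_type;
    uint16_t e_machine;
};

/* Read a 16-bit field in the byte order declared by EI_DATA. */
static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse the identification bytes plus e_type (offset 16) and e_machine
 * (offset 18), which are at the same offsets in ELF32 and ELF64.
 * Returns 0 on success, -1 if the buffer is too short or not ELF. */
int summarize_elf(const uint8_t *buf, size_t len, struct elf_summary *out) {
    memset(out, 0, sizeof *out);
    /* "\x7f" "ELF": kept as two literals so 'E' is not swallowed by the hex escape */
    if (len < 20 || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    out->is_elf = 1;
    out->is_64bit = buf[4] == 2;          /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
    out->little_endian = buf[5] == 1;     /* EI_DATA:  1 = LSB,   2 = MSB   */
    out->e_type = rd16(buf + 16, out->little_endian);
    out->e_machine = rd16(buf + 18, out->little_endian);
    return 0;
}

const char *type_name(uint16_t t) {
    switch (t) {
    case ET_REL:  return "ET_REL (relocatable object, e.g. a .ko kernel module)";
    case ET_EXEC: return "ET_EXEC (fixed-address executable)";
    case ET_DYN:  return "ET_DYN (shared object or PIE executable)";
    case ET_CORE: return "ET_CORE (core dump)";
    default:      return "unknown e_type";
    }
}

/* Constructed sample: the first 20 bytes of a little-endian x86-64 ELF64
 * relocatable object, as a kernel module would look. Not from any real file. */
static const uint8_t sample_ko_header[20] = {
    0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x01, 0x00,   /* e_type    = ET_REL */
    0x3e, 0x00,   /* e_machine = EM_X86_64 (62) */
};

int main(int argc, char **argv) {
    uint8_t buf[20];
    size_t n = sizeof sample_ko_header;
    memcpy(buf, sample_ko_header, n);
    if (argc > 1) {                      /* optional: inspect a real file instead */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(buf, 1, sizeof buf, f);
        fclose(f);
    }
    struct elf_summary s;
    if (summarize_elf(buf, n, &s) != 0) { puts("not an ELF file"); return 1; }
    printf("%s, %s-endian, e_machine=%u, %s\n", s.is_64bit ? "ELF64" : "ELF32",
           s.little_endian ? "little" : "big", s.e_machine, type_name(s.e_type));
    return 0;
}
```

Run it with no arguments to see the constructed header classified, or pass a path (`./a.out some_driver.ko`) to check a real module before importing it; an ET_REL result tells you to expect Ghidra's relocation handling and section-relative addressing rather than a fixed image base.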