Cracking E-Book

CRACKING

REVERSE ENGINEERING WITH GHIDRA

4 BOOKS IN 1

BOOK 1

CRACKING GHIDRA: FOUNDATIONS OF REVERSE ENGINEERING USING GHIDRA FOR BEGINNERS

BOOK 2

CRACKING BINARIES: PRACTICAL REVERSE ENGINEERING WITH GHIDRA, DEBUGGERS, AND REAL-WORLD MALWARE

BOOK 3

CRACKING THE COMMAND LINE: MASTERING LINUX CLI: FROM SHELL BASICS TO AUTOMATION AND SCRIPTING

BOOK 4

CRACKING LIKE AN EXPERT: ADVANCED CLI TECHNIQUES, REVERSE ENGINEERING WORKFLOWS, AND HACKER TOOLS UNLEASHED

ROB BOTWRIGHT

Copyright © 2025 by Rob Botwright

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.

Published by Rob Botwright

Library of Congress Cataloging-in-Publication Data

ISBN 978-1-83938-937-5

Cover design by Rizzo

Disclaimer

The contents of this book are based on extensive research and the best available historical sources. However, the author and publisher make no claims, promises, or guarantees about the accuracy, completeness, or adequacy of the information contained herein. The information in this book is provided on an "as is" basis, and the author and publisher disclaim any and all liability for any errors, omissions, or inaccuracies in the information or for any actions taken in reliance on such information.

The opinions and views expressed in this book are those of the author and do not necessarily reflect the official policy or position of any organization or individual mentioned in this book. Any reference to specific people, places, or events is intended only to provide historical context and is not intended to defame or malign any group, individual, or entity.

The information in this book is intended for educational and entertainment purposes only. It is not intended to be a substitute for professional advice or judgment. Readers are encouraged to conduct their own research and to seek professional advice where appropriate.

Every effort has been made to obtain necessary permissions and acknowledgments for all images and other copyrighted material used in this book. Any errors or omissions in this regard are unintentional, and the author and publisher will correct them in future editions.

BOOK 1 - CRACKING GHIDRA: FOUNDATIONS OF REVERSE ENGINEERING USING GHIDRA FOR BEGINNERS

Introduction

Chapter 1: Welcome to Ghidra

Chapter 2: Setting Up Your Lab Environment

Chapter 3: Understanding Binary and Executable Formats

Chapter 4: Exploring the Ghidra Interface

Chapter 5: Importing and Analyzing Your First Binary

Chapter 6: Disassembly and Decompilation Basics

Chapter 7: Navigating Functions, Symbols, and Strings

Chapter 8: Patching Binaries and Making Modifications

Chapter 9: Understanding Control Flow and Logic

Chapter 10: Your First CrackMe: Practical Reverse Engineering Challenge

BOOK 2 - CRACKING BINARIES: PRACTICAL REVERSE ENGINEERING WITH GHIDRA, DEBUGGERS, AND REAL-WORLD MALWARE

Chapter 1: Advanced Binary Analysis with Ghidra

Chapter 2: Introduction to Debuggers: x64dbg, GDB, and WinDbg

Chapter 3: Static vs Dynamic Analysis

Chapter 4: Cracking Software Protections and Anti-Debugging Tricks

Chapter 5: Malware Dissection: Understanding Malicious Payloads

Chapter 6: Shellcode and Payload Extraction Techniques

Chapter 7: Analyzing Packed and Obfuscated Binaries

Chapter 8: Reverse Engineering Real-World Malware Samples

Chapter 9: Writing Custom Ghidra Scripts and Plugins

Chapter 10: Building a Reverse Engineering Workflow from Scratch

BOOK 3 - CRACKING THE COMMAND LINE: MASTERING LINUX CLI: FROM SHELL BASICS TO AUTOMATION AND SCRIPTING

Chapter 1: The Shell Unlocked

Chapter 2: Filesystem Navigation Like a Pro

Chapter 3: File Management and Manipulation

Chapter 4: Permissions, Ownership, and User Management

Chapter 5: Pipes, Redirection, and Chaining Commands

Chapter 6: Mastering Package Managers and Software Installation

Chapter 7: Process Management and System Monitoring

Chapter 8: Bash Scripting Essentials

Chapter 9: Scheduling and Automation with Cron

Chapter 10: CLI Power Tools and Customization

BOOK 4 - CRACKING LIKE AN EXPERT: ADVANCED CLI TECHNIQUES, REVERSE ENGINEERING WORKFLOWS, AND HACKER TOOLS UNLEASHED

Chapter 1: Elite Shell Tricks and Terminal Mastery

Chapter 2: Chaining, Substitution, and Command Injection Tactics

Chapter 3: Advanced Bash and Shell Scripting

Chapter 4: Reverse Engineering Workflow Automation

Chapter 5: Mastering Debuggers from the CLI

Chapter 6: Parsing, Grepping, and Text Manipulation at Scale

Chapter 7: Building Custom CLI Tools and Utilities

Chapter 8: Integrating Ghidra, x64dbg, and Radare2 with Shell

Chapter 9: Offensive Security Tools and Hacker CLI Kits

Chapter 10: Crafting Your Ultimate Hacker Terminal Environment

Conclusion

Introduction

Welcome to Cracking: Reverse Engineering with Ghidra—a four-book series designed for those who want to understand how software really works under the hood, how to pull it apart, analyze it, and gain mastery over binaries, systems, and command-line environments. Whether you’re a curious beginner, a student of cybersecurity, a malware analyst, or a hacker-in-training, this series will give you the tools, mindset, and workflow to explore and deconstruct software like a pro.

The digital world runs on compiled binaries—compiled, obfuscated, packed, and protected. To truly understand what's going on beneath the surface, you need to go deeper than source code. You need to crack into executables, dissect logic, trace control flows, and demystify what software is really doing. That’s where this journey begins.

Book 1 – Cracking Ghidra: Foundations of Reverse Engineering Using Ghidra for Beginners lays the groundwork. It walks you through installing and mastering Ghidra, the free and open-source reverse engineering suite developed by the NSA and released to the public. You’ll learn the fundamentals of disassembly, decompilation, memory inspection, symbol resolution, and control flow analysis. By the end of this book, you won’t just be clicking through a GUI—you’ll understand how to read what Ghidra is telling you, and how to start making sense of raw machine logic.

Book 2 – Cracking Binaries: Practical Reverse Engineering with Ghidra, Debuggers, and Real-World Malware takes you deeper into practical analysis. You’ll work with stripped binaries, encrypted payloads, and real malware samples. You’ll learn how to combine static and dynamic analysis using Ghidra and debuggers like x64dbg and Radare2. You’ll uncover embedded strings, analyze custom encoders, and extract obfuscated logic. Here, theory meets reality, and you'll see what reverse engineering looks like when the code fights back.

Book 3 – Cracking the Command Line: Mastering Linux CLI: From Shell Basics to Automation and Scripting shifts focus to your most powerful companion in this field: the command line. You’ll learn to move comfortably through Linux systems, understand file permissions, process management, pipes, redirects, bash scripting, and package management. You’ll go from typing basic commands to crafting modular scripts and custom utilities. These skills are essential for unpacking samples, automating analysis, setting up tools, and building environments for rapid testing and experimentation.

Book 4 – Cracking Like an Expert: Advanced CLI Techniques, Reverse Engineering Workflows, and Hacker Tools Unleashed brings it all together. You’ll master advanced shell scripting, tool integration, workflow automation, and environment customization. You’ll combine Ghidra, Radare2, x64dbg, and a variety of hacker tools into streamlined pipelines. You’ll automate common reverse engineering tasks, handle massive file sets, and develop your own hacker terminal—complete with aliases, functions, fuzzers, custom analyzers, and monitoring scripts.

This series doesn’t just show you how to use tools—it teaches you how to think like a reverse engineer. Step by step, byte by byte.

You don’t need prior experience in assembly, malware, or scripting to begin. You just need patience, curiosity, and a willingness to explore what lies beneath the surface of software. Whether you’re reading this from a Kali VM, a stripped-down Ubuntu box, or your main dev machine, you’re about to dive into a deep, powerful, and highly rewarding skill set.

Let’s crack open the first binary. Let’s crack Ghidra. Let’s start cracking.

BOOK 1

CRACKING GHIDRA

FOUNDATIONS OF REVERSE ENGINEERING USING GHIDRA FOR BEGINNERS

ROB BOTWRIGHT

Chapter 1: Welcome to Ghidra

Welcome to Ghidra, a powerful and versatile reverse engineering tool developed by the United States National Security Agency (NSA) and released to the public as open-source software in 2019. Ghidra has quickly become a go-to platform for malware analysts, security researchers, penetration testers, and software engineers due to its robust capabilities, extensibility, and user-friendly graphical interface. At its core, Ghidra is a software reverse engineering (SRE) suite that allows you to analyze executable files for a variety of platforms and architectures, including Windows, Linux, macOS, Android, and embedded systems. It supports a wide range of instruction sets such as x86, x64, ARM, MIPS, PowerPC, and more, making it a versatile tool for professionals working in security-critical industries.

The process of reverse engineering involves examining a program’s compiled binary code to understand its structure, logic, and behavior without having access to the original source code. This can be done for many reasons, including vulnerability research, malware analysis, software auditing, and even legacy software recovery. Ghidra provides analysts with a complete toolset for static analysis, which allows you to dissect binaries without executing them, reducing risk and offering deeper insights into their inner workings. It also offers limited dynamic analysis capabilities and can be integrated with external debuggers and emulators for more advanced workflows.

One of the first things you’ll notice when launching Ghidra is its modular design and well-organized interface. It consists of several key components: the Project Manager, CodeBrowser, Symbol Tree, Listing View, Decompiler, and various dockable panels and tools. The Project Manager is where you create, organize, and load your reverse engineering projects. Once a project is opened and a binary is imported, the CodeBrowser becomes the primary workspace. Here, you can navigate through disassembled code, decompiled functions, data structures, and symbols while maintaining full control over your analysis workflow.

Ghidra’s decompiler is one of its most praised features. It allows you to translate low-level assembly instructions into a high-level, human-readable pseudocode format that resembles C. This significantly reduces the time it takes to understand what a binary is doing, especially for those less comfortable with raw assembly language. The decompiler also highlights data flows, variable names, control structures, and function calls, allowing you to reverse engineer complex logic with much greater efficiency. The ability to rename functions, variables, and labels—along with adding comments and bookmarks—lets you document your analysis and track your discoveries over time.

Importing a binary into Ghidra is straightforward. You start by selecting the appropriate format and architecture, after which Ghidra performs an automatic analysis that includes disassembly, function discovery, control flow graph generation, and symbol recovery. You can customize this process to include or exclude specific analyzers depending on your goals. For instance, when analyzing malware, you may want to focus on strings, imported functions, and data cross-references, while leaving out more time-consuming analyzers that are less relevant to the task at hand. Ghidra also supports scripting in both Java and Python, giving you the ability to automate repetitive tasks, extend functionality, and develop custom plugins tailored to your workflow.

The tool also supports collaboration through its client-server mode, which allows multiple analysts to work on the same project simultaneously. This is particularly useful in professional environments where reverse engineering tasks are shared among team members. Ghidra’s database-driven architecture ensures that changes are saved incrementally, and its extensive version history lets you roll back to previous states or compare different points in your analysis timeline.

Another important strength of Ghidra lies in its extensibility. As an open-source project, it has a rapidly growing community of contributors who develop plugins, scripts, and enhancements that are freely available. Whether you're looking for support for a new file format, a utility for binary diffing, or an integration with a debugger like GDB or x64dbg, there’s a good chance someone in the community has already created a solution. Even if they haven’t, you can build your own, since the platform provides APIs, documentation, and sample code to help you get started with development.

When learning Ghidra for the first time, it's important to spend time understanding the navigation controls and hotkeys, which can greatly improve your productivity. Learning to switch between the decompiler and disassembly view, jumping to function references, or filtering the symbol tree for meaningful entry points are skills that become second nature with practice. Many binaries—especially those that are stripped or obfuscated—won’t give you clean or intuitive starting points, so developing the ability to identify initialization routines, API usage, and suspicious control flow patterns becomes crucial.

You will also encounter various file types in your journey, such as PE files on Windows, ELF binaries on Linux, Mach-O on macOS, and even raw firmware dumps from embedded devices. Ghidra can handle them all, and with the right analysis configuration, you'll gain visibility into imported libraries, exported symbols, internal function calls, memory segments, and even encoded or compressed data blobs. Working through real-world crackme challenges, malware samples, or custom applications is a great way to build skill with Ghidra and deepen your understanding of software internals.

Mastering Ghidra is a process of exploration and iteration. Each binary presents a new puzzle, a unique logic path to unravel, and a set of techniques to apply and refine. As you become more familiar with the tool, you’ll discover shortcuts, custom workflows, and deeper layers of functionality that expand what’s possible in your analysis. Whether you're aiming to reverse engineer malware, audit proprietary software, or simply understand what makes a program tick, Ghidra offers the power, flexibility, and community support to help you reach your goals as a reverse engineer.

Chapter 2: Setting Up Your Lab Environment

Setting up your lab environment is one of the most important steps in becoming a competent and responsible reverse engineer. A properly configured lab allows you to safely analyze binaries, experiment with malware, practice debugging, and explore low-level system behavior without risking your host machine or network. The goal of the lab environment is isolation, flexibility, and reproducibility, giving you a dedicated space to test tools, examine malicious code, and simulate real-world conditions while remaining secure and in control. Before diving into binary analysis or reverse engineering, you need to prepare an environment that is both powerful and safe enough to handle the tasks ahead. This often begins with virtualization, which offers a clean, controlled environment that can be easily reverted or replicated.

Virtual machines are a cornerstone of a solid lab setup. Tools like VirtualBox, VMware Workstation, VMware Fusion, and even KVM on Linux allow you to run multiple guest operating systems on a single host machine. For reverse engineering, having both Windows and Linux virtual machines is ideal, as binaries may be compiled for different platforms and behave differently depending on the underlying operating system. You should install Ghidra on both platforms so that you can analyze binaries in their native environments. It is recommended to create baseline snapshots of your VMs right after installation and tool configuration so that you can always revert back to a clean state if something goes wrong or if a sample compromises the virtual environment.

For Windows analysis, consider setting up different VMs for different purposes. One might be a clean system with Windows 10 or 11 for analyzing benign executables and performing software audits, while another could be configured for malware analysis with tools like Process Hacker, Procmon, Wireshark, PEStudio, and x64dbg. Disable automatic updates and restrict internet access for malware-focused VMs to avoid accidental infection or unwanted network communication. You may also want to add tools like CFF Explorer, Detect It Easy (DIE), and Resource Hacker to support your static analysis tasks. Isolating this environment from your main network using host-only networking or internal networking in VirtualBox ensures that any malicious behavior stays confined.

For Linux analysis, distributions like Ubuntu, Kali Linux, and REMnux are excellent starting points. Kali is well-suited for penetration testing and includes many tools out of the box, while REMnux is specifically tailored for malware analysis and comes pre-installed with dozens of reverse engineering utilities. You can also build a minimal Ubuntu environment and install only what you need. On Linux, you’ll want tools like Ghidra, Radare2, Cutter, GDB, Hexdump, strace, and ltrace. Having access to multiple terminal windows and virtual desktops is useful for multitasking during analysis. A reverse engineering lab on Linux also benefits from lightweight scripting tools and custom automation with Bash, Python, or even Ghidra’s headless analysis modes.

A good lab also requires file sharing capabilities and controlled access to malware samples. Instead of using shared folders between host and guest—which can be risky—set up a secure file drop location within the VM or use USB passthrough for manual transfers. Always hash your samples before and after transferring to verify integrity and avoid contamination. Consider setting up a local HTTP server to simulate command and control environments for malware, or to host scripts and tools. You may also install a network simulation tool such as INetSim to fake common services and observe how malware behaves in a controlled ecosystem.

Snapshotting and version control play a crucial role in managing your lab environment. Create snapshots before each analysis session, and document your process carefully. This not only allows you to return to a known good state but also enables reproducibility when sharing findings with other researchers. You might also want to consider using version control systems like Git to track changes in your scripts, plugins, or notes. Ghidra projects themselves are not Git-friendly due to their binary nature, but your associated notes, scripts, and helper tools can be versioned, improving your workflow and collaboration potential.

Security within the lab must be treated as a top priority. Disable clipboard sharing, drag-and-drop functionality, and unnecessary integrations between host and guest. Do not analyze real malware samples on your main OS, even if you're confident in your antivirus or endpoint protection. Antivirus software should be disabled inside the VM to avoid interference with analysis but should remain active on the host. Use a separate, dedicated user profile on your host operating system that is only used for managing virtual machines, and never open suspicious files on your host system under any circumstances. Consider using a dedicated physical machine for your lab if your work involves advanced malware or sensitive proprietary binaries.

Documenting and organizing your work will greatly enhance your learning process. Use note-taking tools like Obsidian, CherryTree, or even markdown files to track your observations, record memory addresses, rename functions, and highlight interesting strings or imports. A well-maintained research log not only helps you stay organized but becomes a personal knowledge base you can refer to when tackling similar challenges in the future. Take screenshots, export reports from Ghidra, and collect hashes and metadata for each sample you analyze.

Beyond the virtual machines and tools themselves, your lab setup should also reflect the mindset of curiosity, safety, and continuous learning. Set aside time regularly to test new tools, solve reverse engineering challenges such as CrackMes or CTF binaries, and build small projects that reinforce your understanding of assembly, binary formats, and system internals. Your lab is not just a workspace—it’s your training ground, your test bench, and your sandbox for breaking things and learning how they work. As you expand and refine your lab over time, you’ll gain both technical depth and confidence, making you more capable and efficient in your reverse engineering journey.

Chapter 3: Understanding Binary and Executable Formats

Understanding binary and executable formats is a fundamental step in the journey of reverse engineering, as it provides the foundation for analyzing how software is structured and behaves at the machine level. A binary file is any file that contains data in a format not intended for human reading, and an executable binary is specifically designed to be loaded and run by an operating system. Executable binaries are the compiled and linked output of source code written in programming languages like C, C++, or Rust, and they consist of machine instructions, data, and metadata arranged according to specific conventions defined by the operating system and hardware architecture. The format of an executable determines how it is interpreted and executed, how memory is allocated, how code and data are organized, and how external libraries are referenced or imported.

Different operating systems and platforms use different executable file formats, each with its own structure, headers, and segment layouts. On Windows, the dominant format is the Portable Executable (PE) format, which is used for .exe and .dll files. On Linux and other Unix-like systems, the Executable and Linkable Format (ELF) is standard for executables, shared objects, and kernel modules. On macOS, the format is Mach-O (Mach Object), which supports both native and cross-platform execution on Intel and Apple Silicon systems. Each format includes a header that identifies the file type and architecture, a set of segments or sections that define code and data regions, and a symbol table or import table that enables dynamic linking and function resolution at runtime.

The Portable Executable format used on Windows is derived from the older Common Object File Format (COFF) and begins with a DOS stub that allows it to display a message if run in a DOS environment. This is followed by the PE header, which includes the signature, machine type, number of sections, and timestamps, as well as information about memory alignment, entry points, and the location of important tables. Sections like .text, .data, .rdata, and .rsrc store the actual machine instructions, initialized data, read-only data, and resources such as icons or strings. The PE file also contains an Import Address Table (IAT) and Export Table, which are crucial for resolving functions dynamically at load time and for allowing other modules to access functionality provided by the binary.

In the case of ELF files on Linux, the format begins with an ELF header that defines the class (32-bit or 64-bit), endianness, ABI version, and type of binary (executable, relocatable, shared object). The ELF format uses Program Headers to describe how the executable should be loaded into memory and Section Headers to organize the contents of the binary for linkers and debuggers. Common sections in ELF files include .text for code, .data for writable global variables, .bss for uninitialized data, .rodata for read-only data, and .plt and .got for dynamic linking. The Procedure Linkage Table (PLT) and Global Offset Table (GOT) are instrumental in handling symbol resolution for shared libraries, allowing functions to be dynamically resolved at runtime without hardcoding addresses in the binary itself.

Mach-O files on macOS share similar goals but differ structurally. Mach-O files consist of a header followed by a sequence of load commands that describe the layout and purpose of various segments and sections. These load commands include information about the target architecture, dependencies, symbol tables, and dynamic linking. Mach-O supports universal binaries, which contain multiple architectures in a single file, allowing for compatibility across different processor types. Understanding Mach-O requires familiarity with concepts like LC_SEGMENT and LC_LOAD_DYLIB, which define memory regions and shared libraries to be used by the binary.