Code emulation with Ghidra SRE

Did you know that Ghidra SRE has the ability to emulate code? If you want to know how we use it to save time when reversing firmware binaries, read on!

Ghidra can emulate instructions, although not directly from GUI. You'll need to use Ghidra scripting API. Fortunately, the documentation is rather good and the whole process is rather straightforward. In this article, we'll focus on using Ghidra API from a Jupyter Notebook with Kotlin kernel.

First, we need to install Ghidra-Jupyter kernel. We should be able to see Ghidra(Kotlin) kernel in our Jupyter lab interface.

If the kernel is missing, Jupyter can't find our freshly-installed kernel.json kernelspec. Use jupyter kernelspec install command to set the correct path.

Open a new Jupyter notebook with Ghidra(Kotlin) kernel. Then in Ghidra CodeBrowser, click the Kotlin Notebook button

Ghidra extension will connect to the running Jupyter kernel. Now we have a fully synchronized Jupyter notebook for Ghidra! This means we can access objects like currentProgram or currentAddress exactly like in Ghidra scripting console.

Let's look at the emulation capabilities we promised. ghidra.app.emulator.EmulatorHelper class does the heavy lifting for us. In this example, our target will be a partially analyzed function:

We've previously figured out parameter types and meaning, but what is the returned value? Let's set up the initial emulator state.

Then we step through the code until we reach the function return address.

Playing around with input parameters we figure out that our specimen function is an integer division of two 64-bit values. This approach can be very useful when trying to wrap your head around a piece of code with a lot of binary twiddling.

Happy reversing!