Ghidra — Complete Reverse Engineering Series | Part 2 of 60
| Phase | # | Title | Status |
|---|---|---|---|
| | 1 | What Is Ghidra and Why Should I Care? | |
| | 2 | Installing Ghidra — Java, Download, First Launch | |
| | 3 | The CodeBrowser — Every Window Explained | coming soon |
| | 4 | Importing Your First Binary — What Ghidra Detects | coming soon |
| | 5 | Finding Your Way Around — Strings, XREFs, Navigation | coming soon |
| | 6 | Ghidra Projects — Saving, Exporting, Organizing | coming soon |
Installing Ghidra: Java, Download, First Launch
(told by someone who was confused about it too)
Most tutorials just say “install Java, download Ghidra, run it.” They don’t explain why each step exists. I was confused about the Java part for a while: why does a reverse engineering tool even need Java? This part answers that, and gets you to a working Ghidra project screen without any mystery steps.
Quick Recap From Part 1
- Ghidra is NSA’s free, open-source reverse engineering framework
- It decompiles binaries: it converts machine code back into something humans can read
- It works on Linux, Windows, and macOS
- It is not a debugger; it does static analysis (no code is executed)
- We will use a single crackme binary throughout this entire series
Why Does Ghidra Need Java?
Every time I try to install a game, Windows throws up a dialog: “This requires Visual C++ Redistributable” or “.NET 6.0 Runtime.” The game isn’t .NET but it was built to run on top of that runtime. The runtime is the engine. The game is the car.
Ghidra is the same situation.
NSA built Ghidra in Java. Java programs don’t run directly on your hardware; they run on something called the JVM (Java Virtual Machine). The JVM is a middleman. It takes Java code and translates it into instructions your specific OS and CPU understand.
```
Your OS (Linux / Windows / Mac)
        ↑
JVM          ← you install this
        ↑
Ghidra.jar   ← the actual application
```
The design goal was: write Ghidra once, run it everywhere. The JVM handles the platform differences. That’s why the same Ghidra zip works on Linux, Windows, and Mac without any changes.
So when you install Java you’re installing the engine. Ghidra is just the car that needs that engine to start.
JDK, Not JRE - And Why It Matters
There are two Java packages you’ll see on every download page: JRE and JDK.
Think of a car manufacturing factory vs a car with an engine already installed. The JRE (Java Runtime Environment) is the car: it can run Java programs. The JDK (Java Development Kit) is the factory: it can run Java programs and also build and compile them.
Ghidra ships with internal tools (the script runner, decompiler components) that need more than just “run this Java program.” It needs the full kit.
JDK is the umbrella. JRE is inside it. Install the JDK and you get everything.
```
JDK
└── JRE
    └── JVM
```
Version: Java 21 specifically. Not 17, not 11, not whatever your system already has. Ghidra 11.x and 12.x require Java 21. Wrong version = Ghidra refuses to start with a cryptic error.
Where to Get Java 21 - Adoptium Temurin
You want engine oil for your car. You could get it from the official manufacturer or from some random shop that repackages it. Same product? Maybe. But if something breaks, you won’t know if it was the oil or the car.
Oracle’s JDK exists but has licensing restrictions: for commercial use, you may owe them money. So the community created Adoptium Temurin: same OpenJDK codebase, free, LTS (Long Term Support), no licensing headaches.
Download from: adoptium.net
On the download page:
- Select Temurin 21 (LTS)
- Select JDK, not JRE
- Select your OS and architecture
Linux Users - Package Manager Install (Easier)
If you’re on Ubuntu/Debian:
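```bash
# Add the Adoptium signing key to its own keyring (apt-key is deprecated)
sudo mkdir -p /etc/apt/keyrings
wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor | sudo tee /etc/apt/keyrings/adoptium.gpg > /dev/null
# Add the Adoptium repo, trusted only for packages signed with that key
echo "deb [signed-by=/etc/apt/keyrings/adoptium.gpg] https://packages.adoptium.net/artifactory/deb $(awk -F= '/^VERSION_CODENAME/{print$2}' /etc/os-release) main" | sudo tee /etc/apt/sources.list.d/adoptium.list
sudo apt-get update
sudo apt-get install temurin-21-jdk
```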
For RHEL/Fedora/CentOS:
```bash
sudo yum install temurin-21-jdk
```
For openSUSE:
```bash
sudo zypper install temurin-21-jdk
```
Verify the Install
After installing, run:
```bash
java -version
```
You should see something like:
```
openjdk version "21.0.x" ...
OpenJDK Runtime Environment Temurin-21...
```
If you see 17, 11, or Oracle Java, that is the wrong version or the wrong build. Fix this before touching Ghidra.
Where to Download Ghidra - And Why Source Matters
Official site: ghidra-sre.org
This redirects to the NSA’s official GitHub releases page: github.com/NationalSecurityAgency/ghidra/releases
That is the only safe source. Not random mirrors. Not “Ghidra with plugins preinstalled” packages from unknown sites.
Here’s why this matters more than it might seem: Ghidra is a reverse engineering tool that sits on your machine and reads every binary you throw at it. A backdoored copy of Ghidra would be an incredibly effective attack. You are trusting this tool with your analysis work. Get it from the source.
On the releases page you’ll see:
```
Assets:
  ghidra_12.x_PUBLIC_YYYYMMDD.zip   ← this one
  Source code (zip)
  Source code (tar.gz)
```
Download the PUBLIC zip, not the source code: we’re not compiling Ghidra, we’re using it. Compiling from source requires a completely different setup and isn’t necessary for anything in this series.
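Because the source of the download matters this much, it is worth checking the zip before extracting it. The script below is an added example, not part of the original article or of Ghidra itself; it assumes the release page lists a SHA-256 value for the PUBLIC zip, and `sha256_of` and `verify_release` are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example: check a downloaded Ghidra zip against the SHA-256 published
# with the release before extracting it. Function names are hypothetical.

# Print the SHA-256 hex digest of a file using whichever tool is present
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found" >&2
        return 3
    fi
}

# verify_release <zip> <expected-sha256>
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_release() {
    vr_file=$1
    # Normalise the pasted value: drop whitespace, lowercase the hex digits.
    vr_expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    if [ ! -f "$vr_file" ]; then
        echo "not a file: $vr_file" >&2
        return 2
    fi
    # Require exactly 64 hex characters so an empty or truncated paste
    # can never be accepted.
    case $vr_expected in
        *[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    if [ "${#vr_expected}" -ne 64 ]; then
        echo "expected hash must be 64 hex characters" >&2
        return 2
    fi
    vr_actual=$(sha256_of "$vr_file") || return 2
    if [ "$vr_actual" = "$vr_expected" ]; then
        echo "OK: $vr_file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $vr_file (expected $vr_expected, got $vr_actual)" >&2
    return 1
}

# Usage, with the hash copied from the release page (placeholder shown):
#   verify_release ghidra_12.x_PUBLIC_YYYYMMDD.zip "<sha256 from release page>" \
#       && unzip ghidra_12.x_PUBLIC_YYYYMMDD.zip
```

The check only means something if the expected value is read from the official release page itself, not from the same site that served the zip.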
What’s Inside the Zip
Extract the zip anywhere you want. There is no installer. No registry entries. No system-wide changes. The whole application lives inside that folder.
```
ghidra_12.x_PUBLIC/
├── ghidraRun             ← start button for Linux/Mac
├── ghidraRun.bat         ← start button for Windows
├── Ghidra/               ← actual application lives here
├── Extensions/           ← plugins go here
├── docs/                 ← offline documentation
├── GettingStarted.html   ← NSA actually wrote decent docs
├── GettingStarted.md     ← same, markdown version
├── GPL/                  ← some components use GPL license
├── server/               ← Ghidra Server (team collab — ignore for now)
├── support/              ← logs, crash reports
└── licenses/             ← legal stuff
```
Most beginners ignore GettingStarted.html. NSA actually put effort into it. Worth opening once.
The server/ folder is for collaborative analysis: multiple people working on the same binary simultaneously. Powerful feature, not relevant for Part 2.
“No installer” means practically: you can put this folder on a USB drive, plug it into another machine with Java 21 installed, and run Ghidra from there. No installation required on the second machine.

Running Ghidra
Linux / Mac
First time only, make the script executable:
```bash
chmod +x ghidraRun
./ghidraRun
```
After that, ./ghidraRun is all you need.
Windows
Double-click ghidraRun.bat
Or from Command Prompt:
```
ghidraRun.bat
```
Ghidra will load for a few seconds. You’ll see:
- The user agreement - agree once, never again
- A tips dialog - close it (or keep “show tips on startup” ticked, up to you)
- A help/docs window - close it
- The Project Manager screen
The Project Screen - What It Is and Why It Exists
When you open Photoshop, it doesn’t immediately ask you to open an image. It opens a project — a workspace where your work lives. The image file itself stays untouched on disk. Your layers, history, edits all live in the project, not in the original file.
Ghidra works exactly the same way.
The Project Manager is where Ghidra stores:
- Your analysis results
- Your comments and renamed functions
- Your bookmarks and labels
- Your entire reverse engineering work
The original binary is never modified. Ever.
This is important: you can analyze malware, production firmware, anything. Ghidra only reads the binary. Everything Ghidra figures out gets stored in the project. The binary stays byte-for-byte identical.
Creating Your First Project
File → New Project
Ghidra asks: Non-Shared Project or Shared Project
- Non-Shared = lives on your machine. Just you. This is what we use.
- Shared = connects to a Ghidra Server for team analysis. That server/ folder in the zip is for this. Ignore it for now.
Click Non-Shared Project → Next
- Project Directory: pick a location. I created a Ghidra_Projects folder inside Documents so my home directory stays clean.
- Project Name: GhidraPractice
Click Finish.
Now look at what Ghidra created on disk:
```
Ghidra_Projects/
├── GhidraPractice.gpr    ← the project index file
└── GhidraPractice.rep/   ← actual project data lives here
    └── ...internal files
```
Important: The .gpr file is what you double-click to reopen the project. The .rep folder is where your analysis actually lives. Both are needed. Don’t delete .rep thinking .gpr is “the project.”
The .lock file appears while the project is open — Ghidra creates it so two instances don’t write to the same project simultaneously. It disappears when you close Ghidra normally. If Ghidra crashes, the lock file sometimes stays behind and you’ll get a warning next time. That’s normal — just tell it to override.
Closing Ghidra - What Gets Saved
Close Ghidra. No “save before closing?” dialog for the project. Your work is automatically saved. Your binary is untouched. Nothing is lost.
When you reopen Ghidra, your project appears under Recent Projects. Click it, everything is exactly where you left it.
Common Errors and Fixes
“Java not found” or Ghidra won’t start
What you see (Linux):
```
ghidraRun: line 28: java: command not found
```
What you see (Windows): A brief black window flashes and closes immediately.
Fix: Java isn’t installed or isn’t in your PATH.
Linux:
```bash
which java      # should return a path
java -version   # should return openjdk 21
```
If which java returns nothing, Java isn’t installed. Go back to the Adoptium install step.
If Java is installed but Ghidra still can’t find it, set JAVA_HOME:
```bash
# The directory name varies by distro and package; list /usr/lib/jvm to confirm it
export JAVA_HOME=/usr/lib/jvm/temurin-21-amd64
./ghidraRun
```
Wrong Java Version
What you see:
```
Caused by: java.lang.UnsupportedClassVersionError
```
Or on newer Ghidra versions:
```
Failed to find a supported JDK
```
Fix: Check your version:
```bash
java -version
```
If it shows 17, 11, or anything other than 21, install Temurin 21 and make sure it’s the active Java. On systems with multiple Java versions:
```bash
sudo update-alternatives --config java
```
Pick the Java 21 entry.
macOS Gatekeeper Quarantine
What you see:
```
"ghidraRun" cannot be opened because it is from an unidentified developer
```
Fix:
```bash
xattr -d com.apple.quarantine ghidraRun
```
Or: System Preferences → Security & Privacy → click “Open Anyway”
This happens because macOS quarantines files downloaded from the internet. The fix removes that quarantine flag. This is safe to do here because we downloaded from the official NSA GitHub.
What I Found Confusing (And Now Don’t)
1. Why Java and not Python or C++?
I kept thinking: why would NSA build a security tool in Java? The answer is cross-platform design. One codebase for Linux, Windows, Mac. The JVM handles the translation. It was a deliberate choice, not an accident.
2. JDK vs JRE — which one?
Every Java download page shows both. I used to just pick whichever was at the top. For Ghidra: always JDK. JDK is the umbrella; JRE is inside it. If you install JDK you have everything. If you install only JRE, Ghidra’s internal tools break.
3. “No installer” felt wrong
I kept looking for a setup.exe or an install wizard. There isn’t one. Extract the zip, run ghidraRun. That’s the whole install. It felt too simple and I assumed I was missing a step. I wasn’t.
4. The project vs the binary
I wasn’t sure if Ghidra was modifying my binary as it analyzed it. It isn’t. The binary stays untouched. Everything Ghidra figures out goes into the .rep folder. This matters when you’re analyzing anything you don’t want accidentally changed.
Hands-On Summary - What We Did
1. Verified Java requirement → Ghidra needs JDK 21 (not JRE, not older versions)
2. Downloaded Temurin 21 JDK → from adoptium.net only
3. Verified install → java -version shows openjdk 21
4. Downloaded Ghidra zip → from ghidra-sre.org → official NSA GitHub releases
5. Extracted zip → no installer, folder is the full application
6. Ran ghidraRun (Linux: chmod +x first) / ghidraRun.bat (Windows)
7. Agreed to user agreement → closed tips and help dialogs
8. Saw Project Manager screen → "No Active Project"
9. Created Non-Shared project → GhidraPractice in Documents/Ghidra_Projects
10. Verified project files on disk → .gpr + .rep folder
11. Closed Ghidra → project auto-saved, binary untouched
What We Learned
| Term | What it means |
|---|---|
| JVM | Java Virtual Machine: the middleman that runs Java programs on any OS |
| JDK | Java Development Kit: the full Java package including compiler and tools |
| JRE | Java Runtime Environment: only runs Java programs, can’t build them |
| Temurin | Adoptium’s free, LTS OpenJDK build; the one we use |
| Ghidra Project | Where Ghidra stores your analysis, comments, labels; not the binary itself |
| .gpr file | The project index file; double-click this to reopen a project |
| .rep folder | Where the actual project data lives; don’t delete this |
| .lock file | Temporary file Ghidra creates while the project is open |
| Non-Shared Project | A project that lives only on your machine; what we use |
| Shared Project | A project on a Ghidra Server for team analysis, not covered yet |
| Gatekeeper | macOS security feature that quarantines downloaded files |
| JAVA_HOME | Environment variable that tells Ghidra where Java is installed |
Coming Up Next - Part 3: The CodeBrowser
So now Ghidra is running and we have a project. But a project with no binary in it is just an empty folder.
In Part 3 we import our first binary - the crackme_ghidra ELF we’ll use throughout this series - and Ghidra opens the CodeBrowser. That’s where the actual work happens. There are about eight different windows open at once and it looks overwhelming on first launch. Part 3 maps every single one of them so nothing is a mystery when we start analyzing.
Resources
- Adoptium Temurin Downloads — official JDK 21 download
- Ghidra Official Releases — always download from here
- Ghidra Documentation — official NSA docs
- OllyDbg From Zero Series — IoTSec.in — if you want to see how a Windows debugger compares to Ghidra’s static approach
- Ghidra Series Index — IoTSec.in (coming soon)



