Posted by handfuloflight 2 days ago

Ghidra by NSA (github.com)
280 points | 155 comments | page 2
alex7o 3 hours ago|
I want to say if somebody makes a tool like that it would be a big winner https://qira.me/
xvilka 10 hours ago||
Cutter[1] by RizinOrg[2].

[1] https://github.com/rizinorg/cutter

[2] https://github.com/rizinorg/rizin

aktau 9 hours ago|
+1

I once tried learning how to RE with radare2 but got very frustrated by frequent project file corruption (meaning radare2 could no longer open it). The way these project files work(ed?) in radare2 at the time was that it just saved all the commands you executed, instead of the state. This was brittle, in my experience.

I don't have a lot of free time, so I have to leave projects for long periods of time; not being able to restart from a previous checkpoint meant I never actually got further.

IIUC, one of the first things Rizin did was focus on saving the actual state, and backwards/forwards-compatibility. This fact alone made me switch to Rizin. To its credit, my 3-year old project file still works!

Now for the downside: there is apparently a gap in Windows (32-bit) PE support, causing stack variables to be poorly discovered: https://github.com/rizinorg/rizin/issues/4608. I tested this on radare2, which does not have this bug. I'm hoping this gets fixed in Rizin at some point, at which point I'll continue my RE adventure. Or maybe I should give an AI reverse engineer a try... (https://news.ycombinator.com/item?id=46846101).

xvilka 8 hours ago|||
Yes, we are working on rewriting analysis completely[1][2] that would fix your issue along with many others.

[1] https://github.com/rizinorg/rizin/pull/5505

[2] https://github.com/rizinorg/rizin/issues/4736

aktau 7 hours ago||
Can't wait! Do you have any idea how far along this is? Is it likely to be months, quarters, years?

(Funny expression, that. I'll wait, of course. It'll be a happy day when this works again and I can slowly make progress RE'ing again.)

xvilka 7 hours ago||
Months.
alberto-m 8 hours ago|||
I tried radare2 with the official GUI Iaito. Iaito saves the project in a git repo, so whenever I got corruption (and I got it a lot, like every 4-5 saves) I was just a `git reset --hard` away from restoring a good state. Not the most efficient way of operation, but for me this was better than tolerating Ghidra's tiny Courier New font.
aktau 7 hours ago||
Thanks for the note.

Your corruption frequency anecdote matches mine. I don't have the mental wherewithal to deal with that. I won't go back to radare2 until they change their project file stability somehow.

yibers 9 hours ago||
Can anyone provide their opinion of Ghidra vs Ida? Is Ida worth the extra money?
bri3d 9 hours ago||
For UI based manual reversing of things that run on an OS, IDA is quite superior; it has really good pattern matching and is optimized on this use case, so combined with the more ergonomic UI, it’s way way faster than Ghidra and is well worth the money (provided you are making money off of RE). The IDA debugger is also very fast and easy to use compared to Ghidra’s provided your target works (again, anything that runs on an OS is probably golden here).

For embedded IDA is very ergonomic still, but since it’s not abstract in the way Ghidra is, the decompiler only works on select platforms.

Ghidra’s architecture lends itself to really powerful automation tricks since you can basically step through the program from your plugin without having an actual debug target, no matter the architecture. With the rise of LLMs, this is a big edge for Ghidra as it’s more flexible and easier to hook into to build tools.

The overall Ghidra plugin programming story has been catching up; it’s always been more modular than IDA but in the past it was too Java oriented to be fun for most people, but the Python bindings are a lot better now. IDA scripting has been quite good for a long time so there’s a good corpus of plugins out there too.

flipped 9 hours ago|||
Almost every hobbyist reverse engineer uses cracked IDA which is easily available. I have never seen ghidra being recommended for serious work.
IAmLiterallyAB 8 hours ago|||
And everyone uses Ghidra exclusively where I work. I'd say we're a serious operation
lima 7 hours ago||||
This is changing, Ghidra is increasingly replacing IDA for commercial work.
q3k 9 hours ago||||
I recommend it for serious work. Well, serious enough that I got paid for doing it, and/or given talks about it.

(not if you're only doing x86/ARM stuff, though)

bri3d 8 hours ago||
Agree. IDA is surely the “primary” tool for anything that runs on an OS on a common arch, but once you get into embedded Ghidra is heavily used for serious work and once you get to heavily automation based scenarios or obscure microarchitectures it’s the best solution and certainly a “serious” product used by “real” REs.
jki275 8 hours ago|||
The NSA doesn't do serious work?
ARandomerDude 7 hours ago||
That wasn't the claim. Ability + interest + time + budget + ... are what makes a serious tool.
apple1417 8 hours ago|||
Leading this by saying I've only used Ida free, I can't comment on Ida pro. I'm also a very light user of both: I name functions/vars, save bookmarks, and occasionally work out custom types, and that's about it, none of the real fancy stuff.

I was recently trying to analyse a 600mb exe (denuvo/similar). I wasted a week after ghidra crashed 30h+ in, multiple times. A separate project with a 300mb exe took about 5h, so there's some horrible scaling going on. So I tried out Ida for the first time, and it finished in less than an hour. Faced with having decomp vs not, I started learning how to use it.

So first difference, given the above, Ida is far far better at interrupting tasks/crash recovery. Every time ghidra crashed I was left with nothing, when Ida crashes you get a prompt to recover from autosave. Even if you don't crash, in general it feels like Ida will let you interrupt a task and still get partial results which you might even be able to pick back up from later, while ghidra just leaves you with nothing.

In terms of pure decomp quality, I don't really think either wins, decomp is always awkward, it's awkward in different ways for each. I prefer ghidra's, but that might just be because I've used it much longer. Ida does do better at suggesting function/variable names - if a variable is passed to a bunch of functions taking a GameManager*, it might automatically call it game_manager.

When defining types, I far prefer ida's approach of just letting me write C/C++. Ghidra's struct editor is awkward, and I've never worked out a good way of dealing with inheritance. For defining functions/args on the other hand, while Ida gives you a raw text box it just doesn't let you change some things? There I prefer the way ghidra does it, I especially like it showing what registers each arg is assigned to.

Another big difference I've noticed between the two is ghidra seems to operate on more of a push model, while Ida is more of a pull model - i.e. when you make a change, ghidra tends to hang for a second propagating it to everything referencing it, while Ida tries pulling the latest version when you look at the reference? I have no idea if this is how they actually work internally, it's just what it feels like. Ida's pull model is a lot more responsive on a large exe, however multiple times I've had some decomp not update after editing one of the functions it called.

Overall, I find Ida's probably slightly better. I'm not about to pay for Ida pro though, and I'm really uneasy about how it uploads all my executables to do decomp. While at the same time, ghidra is proper FOSS, and gives comparable results (for small executables). So I'll probably stick with ghidra where I can.

q3k 8 hours ago||
> I was recently trying to analyse a 600mb exe (denuvo/similar). I wasted a week after ghidra crashed 30h+ in multiple times.

During the startup auto analysis? For large binaries it makes sense to dial back the number of analysis passes and only trigger them if you really need them, manually, one by one. You also get to save in between different passes.

apple1417 8 hours ago||
Yup. It was actually an openjdk crash, which was extra interesting.

I figured I probably could remove some passes, but being a light user I don't really know/didn't want to spend the time learning how important each one is and how long they take. Ida's defaults were just better.

q3k 9 hours ago||
IDA is the better tool if you're being paid to work with architectures that IDA supports well (ARM(64), x86(_64), etc). This usually means 'mainstream' security/malware research. It's not worth the price for hobbyists. Before Hex-Rays was sold to private equity, it could make sense for rich hobbyists to pay for a private license once and use it for a few years without software updates, with the cloud offering now it pretty much makes no sense.

Ghidra is the better tool if you're dealing with exotic architectures, even ones that you need to implement support for yourself. That's because any architecture that you have a full SLEIGH definition for will get decompilation output for free. It might not be the best decompiler out there, sure, but for some architectures it's the only decompiler available.

Both are generally shit UX-wise and take time to learn. I mostly switched from IDA to Ghidra a while back, which felt like pulling teeth. Now when I sometimes go back to IDA it feels like pulling teeth.

19h 9 hours ago||
Which exotic architectures is IDA missing from your perspective?
q3k 9 hours ago||
Stuff I've recently analyzed that IDA has no decomp support for (and Ghidra's is anywhere from good enough to actually good):

  - AVR
  - Z80
  - HC08
  - 8051
  - Tricore
  - Xtensa
  - WebAssembly
  - Apple/Samsung S5L87xx NAND controller command sequencer VLIW (custom SLEIGH)

And probably more that I've forgotten.

It's also not about lack of support, but the fact that you have to pay extra for every single decompiler. This sucks if you're analyzing a wide variety of targets because of the kind of work you do.

IDA also struggles with disasm for Harvard architectures which tend to make up a bulk of what I analyze - it's all faked around synthetic relocations. Ghidra has native support for multiple address spaces.

xvilka 8 hours ago||
Binary Ninja supports some of them as well, highly recommend.
q3k 8 hours ago||
I really want to like Binary Ninja, but whenever I have the choice between not paying (Ghidra), paying for something that I know works (IDA) and paying for something that I don't know if it works (Binja) then the last option has always lost so far.

Maybe we need to get some good cracked^Wcommunity releases of Binja so that we can all test it as thoroughly as IDA. The limited free version doesn't cut it unfortunately - if I can't test it on what I actually want to use it for, it's not a good test.

(also it doesn't have collaborative analysis in anything but the 'call us' enterprise plan)

Supermancho 8 hours ago||
I first used Ghidra this weekend as part of this series:

https://www.youtube.com/watch?v=d7qVlf81fKA&list=PL4X0K6ZbXh...

(#3 forward uses Ghidra)

It worked fine in Ubuntu and Windows. The interface takes some getting used to, but paired with Bless Unofficial (using snap to install), it makes reverse engineering smooth.

mturk 10 hours ago||
Ghidra is a very impressive piece of software with a deep bench of functionality. The recent couple major releases that move to a more integrated Python experience have been very nice to use.
givemeethekeys 5 hours ago||
How do they incentivize government employees into doing such excellent work without paying them a real tech salary?
neodymiumphish 4 hours ago||
Use military members.

I was a special agent with an org involved in similar work. They put me through 7 SANS courses, including paying for 5 certs, in 18 months.

bri3d 4 hours ago|||
They are contractors. The public face of Ghidra works at Praxis, for example.
wat10000 4 hours ago||
Great benefits and job security, and a belief in the mission.
wewtyflakes 4 hours ago||
The job security perk was recently defenestrated.
wat10000 2 hours ago||
Hopefully seen as an aberration. Otherwise we may see the excellent work go out the window along with it.
zeon256 10 hours ago||
Been a while since I used this, but decided to open the latest version to check my rust binary and was pleasantly surprised how much better it is today wrt rust binaries.
flipped 9 hours ago|
Can you be more specific? Is it getting easier to reverse rust and go, since I have read about it being the hardest to reverse.
quux0r 6 hours ago||
It's not perfect, but in my personal experience it is still tough in languages like that due to the sheer volume of indirection and noise that makes it hard to follow. For example Go's calling convention is a little nutty compared to other languages, and you'll encounter a few *****ppppppppVar values that are otherworldly to make sense of, but the ability to recognize library functions and sys calls is for sure better.
lacoolj 7 hours ago||
Posting this on Github is a brilliant move by the NSA, and it showing up on HN amplifies it even more.

It's certainly not the first thing they've released (selinux, for one, and then all the other repos in the account), but this repo showing up on HN, with a prominent call-to-action to look at a career with them, is a great way to target the applicants you want ("those who would find this project interesting, because it's just the sort of thing we need them to work on")

Atlassian used to do (maybe still does) this in bitbucket if you open dev tools - a link to their careers page shows up

Alifatisk 8 hours ago|
There is also Hopper for ObjC/Swift, haven't tried it personally though

https://www.hopperapp.com

saagarjha 2 hours ago|
Hopper is pretty but worse than Ghidra for both