
Posted by handfuloflight 2 days ago

Ghidra by NSA (github.com)
302 points | 166 comments | page 3

mdavid626 11 hours ago
Works well. I used this tool once to disassemble and understand how the key manager works on Vivotek cameras.

They create executables, which contain encrypted binary data. Then, when the executable runs, it decodes the encrypted data and pipes it into "sh".

The security is delusional here - the password is hard coded in the executable. It was something like "VIVOTEK Inc.".

Ghidra was able to create the C code and I was able to extract also the binary data to a file (which is essentially the bash script).

mickeyp 11 hours ago
Sounds like `strings` on the binary would've sufficed if it's just hardcoded.

mdavid626 9 hours ago
No, that’s not enough.

The password would be visible, but the encryption algorithm and the script’s text wouldn’t.

Alifatisk 9 hours ago
There is also Hopper for ObjC/Swift, haven't tried it personally though

https://www.hopperapp.com

saagarjha 4 hours ago
Hopper is pretty but worse than Ghidra for both.

user3939382 3 hours ago
I miss the analog of this community from the 90s. We had actual principles and ethos and wouldn’t have been caught dead upvoting and using software from the frickin NSA. Not that it’s any surprise here. Contemporary San Francisco driven software culture which is the majority represented on this forum have no qualms with FAANG ethics, open source is not really important either.

Oh I’m sorry the NSA didn’t spy on the whole country “wittingly” according to our leaders, carry on and use their software no ethical conflict here.

zmgsabst 2 hours ago
Having been in Seattle, I’m not sure there was a time the NSA wasn’t involved with technology — eg, UW hosted meetups between researchers, criminals, and the government at least that long.

Who built the Echelon follow-up, proto-dragnet system that provided the framework for the spying you bemoan? — the one extended and taken live in the early 2000s? Those same 90s hackers you glorify.

commandersaki 10 hours ago
Awful to use with a tiling window manager.

kugutsumen 8 hours ago
unflutter supports ghidra :) https://news.ycombinator.com/item?id=47035788

tears-in-rain 7 hours ago
Opus 4.6 can use that from the CLI, and do RE, make pseudo C, and later decode binaries based on this code into interpretable data.

Amazing tool.

systems 11 hours ago
Is ghidralite dot com a safe link or an official link?

When I try to expand their FAQ, it seems to try and open a (presumably) malicious link. I won't paste the link here just in case it is really malicious.

staubfinger 11 hours ago
Just use the official GitHub link or links that are linked there. The URL you mentioned seems bogus at best.

waltbosz 11 hours ago
Curious, the ghidralite page download button links to the NSA's GitHub releases page.

I wonder what the purpose of ghidralite dot com is. SEO spam? Are they building trust, and then will they swap out the Download button with a poisoned binary?

h4ch1 9 hours ago
Or climb up high enough in the search results and sell the domain to a malicious actor.

dizzy9 9 hours ago
Looks like AI slop and SEO junk. The Guide page you linked opens with an article on Dubai sports car rental. There are also .net and .org variants of the domain, which appear to be also AI-generated slop. There's no such program as Ghidralite, and every site just links to the official Ghidra repository.

brcmthrowaway 5 hours ago
I'm using a tool on Parallels on Mac that says "cannot run in virtual machine". Could I remove that check using Ghidra?
saagarjha 4 hours ago
Yes, if you know what you’re looking for.
29athrowaway 9 hours ago
OllyDbg inspired: https://github.com/eteran/edb-debugger

atemerev 11 hours ago
I always wondered whether they have a much more capable internal version. And I wonder the same thing for AI labs (they have to do a lot of lobotomy for their models to be ready for public use... but internally, they can just skip this perhaps?)
bjackman 11 hours ago
Very likely people who actually work on RE at the NSA also have access to IDA Pro licenses. I don't work in this space, so take it with a pinch of salt, but my understanding is this is a fairly long term strategic initiative to _eventually_ be the best tool.
bri3d 11 hours ago
It’s better in some dimensions and not others, and it’s built on a fundamentally different architecture, so of course they use both.

Ghidra excels because it is extremely abstract, so new processors can be added at will and automatically have a decompiler, control flow tracing, mostly working assembler, and emulation.

IDA excels because it has been developed for a gazillion years against patterns found in common binaries and has an extremely fast, ergonomic UI and an awesome debugger.

For UI driven reversing against anything that runs on an OS I generally prefer IDA, for anything below that I’m 50/50 on Ghidra, and for anything where IDA doesn’t have a decompiler, Ghidra wins by default.

For plugin development or automated reversing (even pre LLMs, stuff like pattern matching scripts or little evaluators) Ghidra offers a ton of power since you can basically execute the underlying program using PCode, but the APIs are clunky and until recently you really needed to be using Java.

19h 11 hours ago
Ghidra has a slightly different focus than IDA, so they're definitely not just using Ghidra :-)
sergent_moon 11 hours ago
I have only a very basic understanding of the two tools. Can you give me just some highlights regarding their differences?
19h 11 hours ago
Well, Ghidra's strength is batch processing at scale (which is why P-Code is less accurate than IDA's but still good enough) while allowing a massive amount of modules to execute. That allows huge distributed fleets of Ghidra. IDA has idalib now, and hcli will soon allow batch fleets, but IDA's focus is very much highly accurate analysis (for now), which makes it a lot less scalable performance wise (for now).
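As an added illustration of the batch-processing point made above (example code written for this page, not taken from the thread, from the commenter, or from the Ghidra project): a minimal headless GhidraScript that walks every function in an imported binary, runs the decompiler on each, and writes the resulting C to one file, which is the shape of job a fleet of headless Ghidra instances would run. It relies only on the public Ghidra scripting API (GhidraScript, DecompInterface, FunctionManager); the script name, the output location under the temp directory, and the 30-second per-function timeout are choices of this example.

```java
// DumpDecompiled.java -- added example for this page, not Ghidra's own code.
// Drop it in a directory on Ghidra's script path (e.g. ~/ghidra_scripts) and run:
//   support/analyzeHeadless <projdir> <projname> -import <binary> -postScript DumpDecompiled.java
import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionIterator;

import java.io.File;
import java.io.FileWriter;
import java.io.PrintWriter;

public class DumpDecompiled extends GhidraScript {

    // Per-function decompiler timeout in seconds (a choice of this example).
    private static final int TIMEOUT_SECONDS = 30;

    @Override
    public void run() throws Exception {
        DecompInterface decomp = new DecompInterface();
        // The decompiler runs as a separate native process; openProgram attaches it
        // to the program that headless analysis has just imported and analyzed.
        if (!decomp.openProgram(currentProgram)) {
            printerr("Decompiler failed to open program: " + decomp.getLastMessage());
            return;
        }

        File out = new File(System.getProperty("java.io.tmpdir"),
                currentProgram.getName() + ".decompiled.c");
        int ok = 0;
        int failed = 0;

        try (PrintWriter pw = new PrintWriter(new FileWriter(out))) {
            // Iterate all functions in address order; monitor lets the headless
            // runner cancel a long job cleanly.
            FunctionIterator funcs = currentProgram.getFunctionManager().getFunctions(true);
            while (funcs.hasNext() && !monitor.isCancelled()) {
                Function f = funcs.next();
                if (f.isThunk()) {
                    continue; // thunks just jump elsewhere; nothing to decompile
                }
                DecompileResults res = decomp.decompileFunction(f, TIMEOUT_SECONDS, monitor);
                if (res.decompileCompleted()) {
                    pw.println("// " + f.getName() + " @ " + f.getEntryPoint());
                    pw.println(res.getDecompiledFunction().getC());
                    ok++;
                } else {
                    // Record failures inline so a batch run is auditable afterwards.
                    pw.println("// FAILED: " + f.getName() + ": " + res.getErrorMessage());
                    failed++;
                }
            }
        } finally {
            decomp.dispose(); // always release the decompiler process
        }

        println("Decompiled " + ok + " functions, " + failed + " failed; wrote " + out);
    }
}
```

Because the script is driven entirely by analyzeHeadless, the same invocation can be pointed at a directory of binaries (or wrapped in a job scheduler) without any GUI involvement, which is what makes Ghidra suit the large-scale runs 19h describes; the accuracy trade-off he mentions is why a pipeline like this should keep the FAILED markers rather than silently skip functions.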
jacquesm 11 hours ago
Too many people in the know about this stuff I think to keep it hidden for that long. At the same time, we keep finding stuff that should have held for and it didn't, so maybe you're right.

hn92726819 10 hours ago
I doubt it. Ghidra is extremely extensible with their plugin/tool architecture. Public Ghidra includes the extremely helpful decompiler tool, and a few others, but I'm willing to bet that NSA uses regular Ghidra + some way more capable plugins instead of having another Ghidra.
HelloNurse 9 hours ago
Powerful, "capable" plugins are obvious; NSA cannot stop people from writing them, and they have little reason to restrict their use.

I think what NSA is likely to keep confidential are in-house plugins that are so specialized and/or underengineered that their publication would give away confidential information: stolen and illegitimate secrets (e.g. cryptographic private keys from a game console SDK), or exploits that they intend to deny knowledge of and continue milking, or general strategies and methods (e.g. a tool to "customize" UEFI images, with the implication that they have means to install them on a victim's computer).

cactusplant7374 11 hours ago
The gains come from pairing Ghidra with a coding agent. It works amazingly well.

Mattwmaster58 10 hours ago
I'll second this. I used opencode + opus 4.6 + ghidra to reverse engineer a seedkey generation algorithm[1] from v850 assembly. I gave it the binary, the known address for the generation function, and a set of known inputs/outputs, and it was able to crack it.

[1] https://github.com/Mattwmaster58/ic204

bibelo 11 hours ago
Would you have a tutorial on that?