- Ghidra is basically the first real competitor to IDA Pro, the extremely expensive and often pirated state-of-the-art software for reverse engineering. Nothing else has come close to IDA Pro.
- Ghidra is open-source, IDA Pro is not.
- Ghidra has a lot of really cool features that IDA Pro doesn't, such as decompiling binaries to pseudo-C code.
- It's also collaborative, which is interesting because multiple people can reverse engineer the same binary at the same time -- something IDA only got VERY recently.
Ghidra also appears to have a functioning Undo operation, which IDA seems to still not have. Being able to make changes without worrying about your IDB accidentally becoming unusable is huge.
Context: in IDA, certain changes you make can inadvertently wipe out a lot of work - for example, undefining a function (U) can erase all your annotations in a single keystroke; defining a return type incorrectly can completely mess up callers, sometimes to the point where they won't even decompile properly; making a typo to an array size argument can obliterate the stack and every variable annotation you made on it, etc. etc. Many of these require much more work to undo than simply reverting the change you made. So a functioning undo is a big deal.
Some more comparisons:
- Ghidra's type system is nice, and in some ways nicer than IDA's. Semi-automatic struct inference rocks, and it comes with a big type library.
- Ghidra will decompile code from a dozen different architectures. IDA will only do x86, x64, ARM and AArch64 (and you pay for all of those separately). In theory it could decompile a custom architecture if you implement your disassembler backend thoroughly enough.
- Ghidra's UI is marginally worse than IDA because it's implemented in Java Swing (compared with IDA's Qt).
- Ghidra and IDA both use Python for scripting. However, Ghidra's Python is actually Jython, which gives it access to the entire state of the system (minus the decompiler, which is native code - but you can interact with all the code that drives the decompiler). This is really big - the API surface of the entirety of Ghidra is pretty massive so the scripting opportunities are similarly exciting.
- Ghidra has a (mostly functional) patching interface which understands assembly. IDA Pro, despite costing many thousands of dollars, gets confused when you try to assemble something as basic as "mov rdi, rdx" in 64-bit code. (There's an outstanding bug which breaks ELF files - but being open-source, I'm sure it will be fixed soon)
Think BinaryNinja has been acting pretty effectively as a competitor to IDA Pro. It's much cheaper than IDA, has a good API and I have been a very happy customer.
Wait, IDA has a collaborative mode? I couldn't find one; link please?
This is shocking, because, in an E-mail exchange a few years ago, Ilfak wrote to me:
> [...] we at hex-rays do not have any ideas how to implement dynamic database synchronization, so it is unlikely that others will come up with a good solution.
IDA can use Hex-Rays to decompile, which is working great. But of course you need some employer to pay for it, which is a pain; no one will pay some 10k for a tool personally. However, the free version is very adequate for most things.
I would say both these tools, as well as r2, have their own merits and weak points, and it would be good not to exclude one and take the other as better, but to have them complement each other in your arsenal.
In the end, if you want quality, then manual work is always better than these opinionated tools, and sometimes that is required, so really the tools offer different perspectives / opinions of the same thing, and that is valuable in any case. When you run into the limit of one tool, another might just fill that gap.
Ghidra’s source code was not released. The only thing on Github is the Readme, the license, and some git files. The best you can likely do is use Ghidra to reverse-engineer Ghidra.
IDA Pro is not expensive at all for serious professionals in the field. Other common software in the industry costs way more. Nessus is $2k a year, Metasploit like $1500 to $15000, and Core Impact is $30k and up.
If this is expensive to you, then it’s not for you. This is for people who are making real money with these tools, not hobbyists dicking around.
From someone who does binary reverse engineering full time, in my experience, BinaryNinja, Hopper, radare2, etc are toys compared to IDA Pro + Hex Rays Decompiler. The quality of the results and the features supported are unmatched... until now. I haven’t spent too much time with ghidra yet but it’s the real deal. The output of the decompiler looks alright (not complete garbage like I’ve seen with other tools). Even if everything else sucks, the decompiler by itself makes it outrank every other tool aside from IDA. And it costs $10k less! The fact that it’ll be open source is just icing on the cake.
Binja is the only real competitor in any remote sense IMO, and while the LLIL/MLIL are nothing compared to Hex-Rays, they do still dramatically improve the speed of the job. Binja is also fairly extensible/pluggable, though it's pretty undocumented... I just don't do it enough in my spare time these days (not in the field anymore) to justify a Hex-Rays license for myself (even if it is permanent...)
That said I just renewed my license so I have to get some use out of it, but Ghidra does seem like it could be the real deal. Honestly, I never really expected any free/FOSS alternative to IDA to ever exist at this point, so the possibility is tantalizing.
I’m a casual bystander who has only played with these tools, but I’ve been interested in this field for a long time. Do you think that radare2’s UI is a step forward? I like the Unix-esque command line and how composable everything feels. IDA (and now Ghidra) feel like an IDE, while radare2 feels more like Vim.
I've found radare2 pretty neat for doing some automated analysis (specifically on RISC-V binaries), but I agree, IDA Pro has, until now at least, been the undisputed champion.
You are the leader in your segment of the market one day and the undisputed leader. You wake up and the NSA decides to send a free competitor out with better or matching functionality. Tough blow. But good for us.
I'm curious what feature specifically prompted the NSA to develop their own IDA Pro alternative. I mean, someone somewhere at the NSA must have been trying to do something with IDA Pro only to repeatedly fail before the decision was made that whatever the NSA was trying to do warranted developing their own IDA Pro... right? Or perhaps they used IDA Pro so often and grew so frustrated by it that they started their own?
Just used it to solve the 2015 flare-on challenge #1. Rudimentary, but I am blown away. The interface feels better than IDA, I was able to write a python script straight away! 10/10 recommended.
The python interpreter attached with it is aware of the state. Where is my cursor, what memory module I have selected etc. Easy to write scripts for.
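The two comments above on scripting (the Jython point in the comparison list, and this one about the interpreter knowing the cursor and the open program) describe the same property of Ghidra's script environment. The script below is an added example for this page, not code from the thread or from the Ghidra project. It is a Java GhidraScript (Ghidra ships Jython and Java bindings over the same API) that reads the current program and cursor position, walks the cross-references to the enclosing function, and then drives the native decompiler through its Java front end, `DecompInterface`, to print the function's C output. The class name `DecompileAtCursor` is the author's choice; everything else is Ghidra's public API as of the open-source release.

```java
// DecompileAtCursor.java - added example, not part of the original thread or of Ghidra.
// Run from Ghidra's Script Manager with a program open and the listing cursor inside a function.
import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.Reference;

public class DecompileAtCursor extends GhidraScript {
    @Override
    public void run() throws Exception {
        // currentProgram, currentAddress and monitor are injected by the script
        // environment: they reflect the open program and the cursor in the listing.
        if (currentProgram == null) {
            printerr("No program is open.");
            return;
        }
        Function func = getFunctionContaining(currentAddress);
        if (func == null) {
            printerr("Cursor at " + currentAddress + " is not inside a defined function.");
            return;
        }
        println("Program:  " + currentProgram.getName()
                + " (" + currentProgram.getLanguage().getProcessor() + ")");
        println("Function: " + func.getName() + " @ " + func.getEntryPoint());

        // Cross-references come from the program database, so the script sees
        // exactly the analysis state the user sees in the UI.
        for (Reference ref : getReferencesTo(func.getEntryPoint())) {
            if (!ref.getReferenceType().isCall()) {
                continue;
            }
            Function caller = getFunctionContaining(ref.getFromAddress());
            String callerName = (caller == null) ? "<no function>" : caller.getName();
            println("  called from " + callerName + " @ " + ref.getFromAddress());
        }

        // The decompiler itself is native code; DecompInterface is the Java driver
        // that feeds it the program and returns structured results.
        DecompInterface decomp = new DecompInterface();
        try {
            if (!decomp.openProgram(currentProgram)) {
                printerr("Decompiler failed to start: " + decomp.getLastMessage());
                return;
            }
            // 30-second timeout; the monitor lets the user cancel from the UI.
            DecompileResults res = decomp.decompileFunction(func, 30, monitor);
            if (!res.decompileCompleted()) {
                printerr("Decompile failed: " + res.getErrorMessage());
                return;
            }
            println(res.getDecompiledFunction().getC());
        } finally {
            decomp.dispose();
        }
    }
}
```

Place the file in a script directory registered with the Script Manager; it compiles on first run. The same calls are available unchanged from the Jython console, where `currentProgram`, `currentAddress` and `getFunctionContaining` are already in scope and `DecompInterface` is imported from `ghidra.app.decompiler`.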
I'm definitely excited for this, considering I couldn't fork out the thousands of dollars needed for using IDA. I can't really justify that on a small hobby project (reverse engineering games).
This is an unusually large open source project, especially for NSA. I wonder whether they were motivated to release this tool because of their recent brain drain / hiring problems.
Here's a potential angle: If you're going to use a tool internally it's in your best interest to be able to hire people w/ experience with that tool. (i.e., people learn the tool for free on their own time)
Oh yeah, for those who are wondering; there's another NSA project where they made a tool that's a direct competitor with a product that's "out there": https://github.com/redhawksdr
I just don't understand the doubt and hate. It's perfectly reasonable to distrust the NSA in most cases, but look at the context - the NSA has a huge brain drain and PR problem. They desperately need qualified people to start trusting and applying to them again. Does anyone seriously think they would try to backdoor security researchers in such a stupidly obvious way?
I was actually at the RSA talk where they released the tool - the presenter was very open in saying that this is a recruiting tool. They want college kids just getting into RE to learn their tools and have their name in the back of their mind so they apply for internships and jobs, and are trained for those roles from day zero. There are other benefits to releasing the tool, like free labor and testing from people submitting patches and bug reports, but the real value is in making the NSA appear like the good guys and getting people on their side.
It seems pretty obvious to me that this gives the NSA more benefit than trying (and probably failing) to hack random people. And yet the dude sitting next to me was shaking his head and saying he would only ever run it in a VM. Irrational as hell.
So, I've tried it on some mips binaries I've been reverse engineering on and off last 7 years from assembly, for various reasons. I'm completely blown away by the quality of the decompiler output. The binaries include symbols, so everything global is named correctly, which helps. Anyway, nothing I've tried over the years comes even close to the clean output I'm seeing from Ghidra.
I’m really hoping this release will improve the situation with learning RE in universities etc. The free version of IDA is very limiting, and few people use the open source and cheaper alternatives (radare2/cutter, binary ninja, hopper). I’m also hoping I can get that decompiler (or something similar) in cutter at some point, but with the source not yet available we’ll have to wait.
Are they serious? They are banning Russian IPs with decompiler source code. Hmm, I know ARM and x86 assembly. Of course, I don't know how to download these sources :)
It's not the first real competitor available to the public. Hopper Disassembler and Binary Ninja are both capable. They have been available for a few years.
They're arguably competitors if you don't care about decompilation. But Binary Ninja has no decompiler and Hopper's was awful last I checked. Ghidra's decompiler seems as competent as Hex-Rays.
This looks like an excellent free competitor. Been trying to learn; a tedious process without the fancy tools. Even hopper and binary ninja are very expensive (for a student). Radare2 has been a godsend so far and very helpful, but not as user-friendly.
saagarjha|7 years ago
To be fair, IDA Pro has a decompiler plugin to do this.
ernst_klim|7 years ago
What do you think of BAP[1]?
[1] https://github.com/BinaryAnalysisPlatform/bap
Tepix|7 years ago
Tax paid competition for existing commercial products. Isn't that considered evil/wrong by pure capitalists?
Semaphor|7 years ago
https://github.com/NationalSecurityAgency/ghidra/issues/6
freeflight|7 years ago
Sure, it might be a great tool for free, but who knows what else might be hidden in there?
twodayslate|7 years ago
GitHub: https://github.com/NationalSecurityAgency/ghidra
WrtCdEvrydy|7 years ago
anyone else virtualizing three layers deep to get to this?
xxpor|7 years ago
edit: Oh, outside contributors of course retain their own copyright. That's what's licensed.
https://github.com/NationalSecurityAgency/ghidra/blob/master...
JoachimS|7 years ago
https://published-prd.lanyonevents.com/published/rsaus19/ses...
hatsunearu|7 years ago
The competitor in question is GNU Radio.
megous|7 years ago
It's great.
alexozer|7 years ago
https://github.com/avast-tl/retdec
souprock|7 years ago
Binary Ninja is also collaborative if you get the enterprise edition: https://binary.ninja/purchase/