
Ghidra, NSA's reverse-engineering tool - twodayslate
https://www.nsa.gov/ghidra
======
slimsag
Why this is important (for those uninitiated):

- Ghidra is basically the first real competitor to IDA Pro, the extremely
expensive and often pirated state-of-the-art software for reverse engineering.
Nothing else has come close to IDA Pro.

- Ghidra is open-source, IDA Pro is not.

- Ghidra has a lot of really cool features that IDA Pro doesn't, such as
decompiling binaries to pseudo-C code.

- It's also collaborative, which is interesting because multiple people can
reverse engineer the same binary at the same time -- something IDA only got
VERY recently.

~~~
supermw
IDA Pro is not expensive at all for serious professionals in the field. Other
common software in the industry costs way more. Nessus is $2k a year,
Metasploit like $1500 to $15000, and Core Impact is $30k and up.

If this is expensive to you, then it’s not _for_ you. This is for people who
are making _real_ money with these tools, not hobbyists dicking around.

~~~
vageli
> If this is expensive to you, then it’s not for you. This is for people who
> are making real money with these tools, not hobbyists dicking around.

That's an odd perspective. Imagine if this type of sentiment were applied to
paint brushes. There is a lot of useful work that is not economically viable
per se, and to discount that and to be pejorative feels wrong.

~~~
supermw
If you are using these tools you are either defending systems from threats or
breaking into systems and making money through illegal activities. There is
not really any other useful work you can do with these tools.

I don’t see how the perspective is odd. Having tools like Core Impact and the
knowledge of how to use them well can propel you to a six figure income
easily. On top of that these tools are also business expenses you can use for
tax write offs.

They are certainly worth the investment. The only people who see the price as
steep are those who cannot see any viable way to make a decent ROI off them.

~~~
Godel_unicode
Google "video game modding ida".

Then think about the fact that some people are poor and can't float thousands
of dollars long enough to learn and get employed with tools like this.

~~~
supermw
I don't think about those people, here's why:

1) No one is entitled to a career in cybersecurity or reverse engineering, no
matter how poor or sad your origin story is.

2) There are always lucrative opportunities in this world that are out of
reach by people who lack some resource. In this case, it's money, but it could
easily just have been something like popularity, beauty, connections,
location, or even plain old brains.

I always wanted to be popular and loved by many, but I came to accept long ago
that it just wasn't going to happen. I'm an introvert, I keep to myself a lot,
don't get much pleasure from social outings, and at the end of the day people
just don't give a fuck about weird people like that. So I just try to enjoy
the gifts I do have and the things that come naturally to me. We all have to
accept the realities of our lives at some point, even the poor.

~~~
tomhoward
Sorry to hear you're finding it tough. Some people find ways of becoming less
constrained by their introversion, but no judgment on you for doing what works
for you.

It's true that some pre-existing conditions can limit what options people
have, but it doesn't apply to everything.

It's important to be discerning about when this effect applies and when it
needn't, and work to open more opportunities to more people wherever possible.

------
yifanlu
From someone who does binary reverse engineering full time, in my experience,
BinaryNinja, Hopper, radare2, etc are toys compared to IDA Pro + Hex Rays
Decompiler. The quality of the results and the features supported are
unmatched... until now. I haven’t spent too much time with ghidra yet but it’s
the real deal. The output of the decompiler looks alright (not complete
garbage like I’ve seen with other tools). Even if everything else sucks, the
decompiler by itself makes it outrank every other tool aside from IDA. And it
costs $10k less! The fact that it’ll be open source is just icing on the cake.

~~~
in_hindsight
Out of curiosity what kind of job involves doing binary reverse engineering
full time?

~~~
bpye
Red team?

~~~
lowpro
If your Red team is reversing binaries you’re doing it wrong.

~~~
bencoder
Why? If your real world adversaries can reverse binaries, why would you
shackle a Red team from doing so?

~~~
neckardt
Because they have access to the source code itself. No need to reverse
engineer anything.

~~~
pbhjpbhj
Couldn't compilation introduce vulnerabilities that wouldn't be in the source,
but could be found by decompilation?

~~~
andrewnicolalde
Short answer is yes.

------
yalogin
You are the leader in your segment of the market one day and the undisputed
leader. You wake up and the NSA decides to send a free competitor out with
better or matching functionality. Tough blow. But good for us.

~~~
Tepix
I'm surprised that no one is yelling "socialism" yet.

Tax paid competition for existing commercial products. Isn't that considered
evil/wrong by pure capitalists?

~~~
dang
"Eschew flamebait. Don't introduce flamewar topics unless you have something
genuinely new to say. Avoid unrelated controversies and generic tangents."

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
ddtaylor
OP does have a point that this software was subsidized by tax payers. One
could argue the NSA needs advanced tools and that the costs of IDA Pro add up.

~~~
woodman
This, unfortunately, occurs so infrequently that it can safely be ignored by
99.9% of the economy. Businesses have really enjoyed having their cake and
eating it too with the transition away from a highly involved acquisition
process that generally resulted in a tailored solution that the USG owned, to
the present COTS policy that allows them to then go on to sell software to
people that have already effectively paid for it through taxes. While there
was an impressive amount of bureaucracy and an infinitely self referential
system of standards in the old method, it did lead to some pretty interesting
side effects: Ada[0], IDEF[1], MIL-STD-498[2], etc.

The most recent liberation of useful taxpayer funded software that I can think
of was over ten years ago, when NIST released NFIS2 - the fingerprint software
that the FBI relied on. They of course had to be crappy about it and wrap it
in export controls that limited its utility, but it was interesting to see all
the work that internal development had done - very polished, with man pages
going back to '97. Ah the memories: software classified as munitions, the
clipper chip...

[0] [http://archive.adaic.com/pol-hist/policy/naig94-1.txt](http://archive.adaic.com/pol-hist/policy/naig94-1.txt)

[1]
[https://en.wikipedia.org/wiki/IDEF#The_IDEF_modeling_languag...](https://en.wikipedia.org/wiki/IDEF#The_IDEF_modeling_languages)

[2] [https://en.wikipedia.org/wiki/MIL-STD-498](https://en.wikipedia.org/wiki/MIL-STD-498)

[3]
[https://web.archive.org/web/20041206072946/http://fingerprin...](https://web.archive.org/web/20041206072946/http://fingerprint.nist.gov/NFIS/index.html)

------
Semaphor
RCE included ;)

[https://github.com/NationalSecurityAgency/ghidra/issues/6](https://github.com/NationalSecurityAgency/ghidra/issues/6)

~~~
freeflight
This not being the top comment kinda scares me.

Sure, it might be a great tool for free, but who knows what else might be
hidden in there?

~~~
syn0byte
Likely nothing, it's the source code for an RE toolkit with an NSA sticker
right on the box. There is _literally_ no worse place to try to hide back
doors.

At worst they will know how to mask their real malware from analysis with
their own tools.

------
twodayslate
Download: [https://ghidra-sre.org/](https://ghidra-sre.org/)

GitHub:
[https://github.com/NationalSecurityAgency/ghidra](https://github.com/NationalSecurityAgency/ghidra)

~~~
WrtCdEvrydy
Download from the NSA without open source software...

anyone else virtualizing three layers deep to get to this?

~~~
gpm
AFAICT all the source is there, beside every `.jar` there is a `.zip` with the
corresponding source. The source in a more usable form should be posted here
soon:
[https://github.com/NationalSecurityAgency/ghidra/](https://github.com/NationalSecurityAgency/ghidra/)

(And if not I'm sure the community will reconstitute it)

~~~
dustindiamond
One person’s jar is another’s zip.

~~~
gpm
Well sure, but the .zip files I'm referring to are "decompiled" for you with
nice naming conventions and all that ;)

------
zelon88
I'm curious what feature specifically prompted the NSA to develop their own
IDA Pro alternative. I mean, someone somewhere at the NSA must have been
trying to do something with IDA Pro only to repeatedly fail before the
decision was made that whatever the NSA was trying to do warranted developing
their own IDA Pro... right? Or perhaps they used IDA Pro so often and grew so
frustrated by it that they started their own?

~~~
thornjm
A few reasons I can think of:

1. Collaborative.

2. supporting classified proprietary architectures (think missile chips or
something)

3. The intermediate representation (architecture independent representation
of code) can be integrated in to many other classified tools. Maybe for
automated analysis for example.

~~~
perlgeek
4. Managing licenses is a huge PITA, presumably especially in environments
with lots of classified information.

~~~
janekm
Good point... "we need a site license. No, I can't tell you for how many
employees, that's classified. No, I can't tell you who we are, that's
classified. No, I can't tell you what we are working on, that's classified.
Hello? Hello? Darn they hung up again..."

~~~
ktjfi
I think all three letter agencies create front companies for this kind of
stuff?

~~~
rasz
[https://www.battelle.org/](https://www.battelle.org/)

------
z3phyr
Just used it to solve the 2015 flare-on challenge #1. Rudimentary, but I am
blown away. The interface feels better than IDA, I was able to write a python
script straight away! 10/10 recommended.

The python interpreter attached with it is aware of the state. Where is my
cursor, what memory module I have selected etc. Easy to write scripts for

~~~
Nanocurrency
Any chance you could do a few video tutorials on using it in conjunction with
Python?

~~~
z3phyr
That's a great idea!! I can try.

~~~
canada_dry
Remind me! 7 days.

Shit... wrong site.

~~~
z3phyr
Haven't streamed before. Need some time to prepare

------
xxpor
Why do they have a LICENCE file with the Apache Licence in it? As a work of
the federal government this is public domain by definition, isn't it?

edit: Oh, outside contributors of course retain their own copyright. That's
what's licenced.

[https://github.com/NationalSecurityAgency/ghidra/blob/master...](https://github.com/NationalSecurityAgency/ghidra/blob/master/NOTICE)

~~~
paxys
They can also enforce copyright in other countries.

~~~
pbhjpbhj
Can they? How's that work, surely a resident in USA could take the work to the
other country and make it available, if they can't then it wasn't public
domain in the first place?

Can you point me to any caselaw/ analysis please?

~~~
MileyCyrax
I don't quite get it either, but one of their documentation files seems to
imply that they can:

> In countries where copyright protection is available (which does not include
> the U.S.), contributions made by U.S. Federal Government employees are
> released under the License. Merged contributions from private contributors are
> released under the License.

[https://github.com/NationalSecurityAgency/ghidra/blob/master...](https://github.com/NationalSecurityAgency/ghidra/blob/master/INTENT.md)

------
mrmuagi
I'm definitely excited for this, considering I couldn't fork out the thousands
of dollars needed for using IDA. I can't really justify that on a small hobby
project (reverse engineering games).

~~~
kabwj
If it’s a hobby project why don’t you just pirate it? Honest question.

~~~
jchw
My personal reason for not pirating IDA Pro is because I don't want to
contribute to the problem. It's one thing to argue about the effects of piracy
on things like video games, where the unit price is much cheaper, and a large
number of users are casual users who mostly are going to buy legitimate copies
if it's convenient and not exorbitantly expensive.

Power user software, like Photoshop, IDA Pro, VMWare, etc. are a different
story. They provide tremendous value to both companies and individuals and yet
I have no doubt an enormous amount of their poweruser userbase simply have
never paid for them. As a young adult or child with no practical way to get a
license, this is pretty innocuous since frankly it's hard to argue any sale
was lost. But there's plenty of cases where large companies and of course
hobbyist users end up pirating the tools they use. I believe Windows XP
shipped with some audio files that were produced with a pirated version of
Sony Soundforge, for example. That's just silly, but.. it happened.

IDA Pro is an excellent piece of software. They provide a freeware version,
which is a pretty nice thing to do. And while the licenses are expensive I
have no doubt it is worth it to the companies that purchase it, many times
over.

Sadly, I can't afford IDA (as I've discussed eerily recently in HN comments,
actually) so I've been mostly avoiding it for now, but I do buy other
software, including Windows licenses, Adobe Creative Suite, VMWare, etc. If
they're useful enough for me to use, then as an adult with decent income, I
pay for them.

~~~
xvector
> yet I have no doubt an enormous amount of their poweruser userbase simply
> have never paid for them.

Do keep in mind that many of these companies _expect_ users to pirate their
software. Indeed, piracy is ironically part of what has made Adobe such a big
player - teenagers pirating software in highschool, and using it up until
their first job, make it their go-to tool when they actually do enter a
company. Often leaving the company with no choice _but_ Photoshop!

~~~
tptacek
Hex-Rays is not one of those companies, I don't think.

------
JoachimS
Here are the presentation slides from the Ghidra presentation at the RSA
conference:

[https://published-prd.lanyonevents.com/published/rsaus19/ses...](https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13678/PNG-T09-Come-Get-Your-Free-NSA-Reverse-Engineering-Tool%21.pdf)

------
kevinchen
This is an unusually large open source project, especially for NSA. I wonder
whether they were motivated to release this tool because of their recent brain
drain / hiring problems.

~~~
maerF0x0
Here's a potential angle: If you're going to use a tool internally it's in
your best interest to be able to hire people w/ experience with that tool. (ie,
people learn the tool for free on their own time)

------
hatsunearu
Oh yeah, for those who are wondering; there's another NSA project where they
made a tool that's a direct competitor with a product that's "out there":
[https://github.com/redhawksdr](https://github.com/redhawksdr)

The competitor in question is GNU Radio.

------
subjectsigma
I just don't understand the doubt and hate. It's perfectly reasonable to
distrust the NSA in most cases, but look at the context - the NSA has a huge
brain drain and PR problem. They desperately need qualified people to start
trusting and applying to them again. Does anyone seriously think they would
try to backdoor security researchers in such a stupidly obvious way?

I was actually at the RSA talk where they released the tool - the presenter
was very open in saying that this is a recruiting tool. They want college kids
just getting into RE to learn their tools and have their name in the back of
their mind so they apply for internships and jobs, and are trained for those
roles from day zero. There are other benefits to releasing the tool, like free
labor and testing from people submitting patches and bug reports, but the real
value is in making the NSA appear like the good guys and getting people on
their side.

It seems pretty obvious to me that this gives the NSA more benefit than trying
(and probably failing) to hack random people. And yet the dude sitting next to
me was shaking his head and saying he would only ever run it in a VM.
Irrational as hell.

~~~
stebann
Well, they shouldn't have been involved in "hacking random people". Then we would
trust them. They didn't and they still have surveillance and hacking programs.
Why would I expose myself and become a target for the next years? Are they
trying to know where are the new targets?

~~~
subjectsigma
Your comment makes no sense whatsoever. Let's say you're an NSA target. You're
probably already hacked. If not, then you are very smart or you haven't been
an NSA target for long. Let's assume you're a very smart malware researcher -
that means you 1. Already have tools like IDA and don't need this, 2. Have an
in depth knowledge of how to acquire and run potentially malicious code
safely, 3. Have experience figuring out if that code is malicious.

Do you think the winning strategy for the NSA here is to attack you in a way
that you're perfectly equipped to deal with?

------
megous
So, I've tried it on some mips binaries I've been reverse engineering on and
off last 7 years from assembly, for various reasons. I'm completely blown away
by the quality of the decompiler output. The binaries include symbols, so
everything global is named correctly, which helps. Anyway, nothing I've tried
over the years comes even close to the clean output I'm seeing from Ghidra.

It's great.

------
noodlesUK
I’m really hoping this release will improve the situation with learning RE in
universities etc. The free version of IDA is very limiting, and few people use
the open source and cheaper alternatives (radare2/cutter, binary ninja,
hopper). I’m also hoping I can get that decompiler (or something similar) in
cutter at some point, but with the source not yet available we’ll have to
wait.

------
snazz
The intro video is pretty good, if you want to see a screen recording:
[https://ghidra-sre.org/GhidraGettingStartedVideo/GhidraGetti...](https://ghidra-sre.org/GhidraGettingStartedVideo/GhidraGettingStartedVideo_player.html?embedIFrameId=embeddedSmartPlayerInstance&theme=dusk)

------
vasilia
Are they serious? They are banning Russian IPs with decompiler source code.
Hmm, I know ARM and x86 assembly. Of course, I don't know how to download
these sources :)

~~~
empath75
Legal reasons.

~~~
vasilia
As I see it's licensed under Apache 2.0. I don't know about any regional
restrictions for this type of license. But it could be a real reason because
of our stupid government.

------
alexozer
I wonder how this compares to retdec, an open source cross-architecture
decompiler by Avast.

[https://github.com/avast-tl/retdec](https://github.com/avast-tl/retdec)

~~~
snazz
I'm wondering this too. I haven't heard of retdec being used too much, but it
looks very cool. I'll guess that Hex-Rays is better, but I still am interested
in the opinion of someone more experienced who has tried retdec.

~~~
DannyBee
I'll go one better: I've contributed patches to retdec.

Retdec is ... okay.

On small binaries it's usable. On even average sized windows binaries (a few
meg), not really.

Like on things that IDA takes 10-15 minutes and a reasonable amount of memory
(like a 7 meg windows binary), retdec can take forever and unlimited amounts
of memory.

I started fixing a lot of the memory issues (completely recursive CFG
traversal, etc), but there are also very serious algorithmic issues (N^3/N^4
algorithms in the optimizers).

If I disable a lot of the backend optimizers, I can make it work okay.

But then the output is also a lot larger/worse. To be fair: It used to be
about 50x bigger than similar IDA output. The latest development version of
retdec now has a new backend IR converter, and the output is only 5x-10x
bigger than IDA output.

So as a TL;DR: retdec in its default state is unusable for anything but small
binaries. If you understand what is going on, you can get it to work on a lot
of binaries as long as you have a _ton_ of memory and time to spare.

------
m0zg
Yeah, I think I'm gonna pass on this strictly binary release and wait until
the code is released, reviewed, and independently compiled.

------
souprock
It's not the first real competitor available to the public. Hopper
Disassembler and Binary Ninja are both capable. They have been available for a
few years.

Binary Ninja is also collaborative if you get the enterprise edition:
[https://binary.ninja/purchase/](https://binary.ninja/purchase/)

~~~
comex
They're arguably competitors if you don't care about decompilation. But Binary
Ninja has no decompiler and Hopper's was awful last I checked. Ghidra's
decompiler seems as competent as Hex-Rays.

~~~
souprock
Binary Ninja has most of a decompiler and is expected to get the rest soon.

Binary Ninja offers multiple views of the code, each with an API that gives
you the same access that the GUI has. The different views vary in how much
they are like assembly or C. Only that last step, real C code, is still
missing. Those other views are quite good if your goal is to understand
things, but less good if you were hoping to throw the results into a C
compiler.

~~~
XMPPwocky
Binja could get a decent "C-like" view on top of MLIL, sure, but it still
fails in a large number of relatively rare cases.

Anybody use SEH or MSVCRT exceptions on x86? Well, there are non-inlined
functions that adjust the stack pointer dynamically there. Binary Ninja can't
capture that. To be fair, it's unlikely IDA can either- but IDA has a
heuristic (read- hack) that treats those functions specially. Result? SP-
analysis for all callers generally fails, and Binja becomes convinced that
arguments are being passed in eax and ebp.

Ah, but you can just patch the LLIL for calls to those functions to adjust the
stack. Oh, no, you actually can't patch LLIL that way- it's immutable after
the lifter creates it. Now, you can write your own architecture hook, and
there you can be your own lifter- you can call the real lifter, see if it
emits a LLIL_CALL to a function you recognize, and if so just emit the stack
adjustment LLIL instead. Ah, heh, but you can't- you can't call the real
lifter, because it doesn't _emit_ LLIL, it adds LLIL to an existing function,
and you can't remove that IL later- it's append-only. And you can't recognize
functions easily, because the things passed into your GetInstructionLowLevelIL
callback don't include a BinaryView pointer- the thing you'd need to find out
anything at all about other functions. You can sort of, kind of, hack around
this by calling about five other functions... for every CALL instruction in
every function in the binary. This is, ah, less than performant.

Ever reversed a Win32 binary that uses the Win32 API a lot? I hope you like
defining structs by hand, because OH BOY are you going to be defining a lot of
structs to do anything useful. And you also get to define DWORD, LPDWORD,
LPVOID, and every other annoying Windows typedef by hand. (You can be clever
and use libclang hackery on the Windows SDK and automate some of this. But
you'll have to do it yourself.)

Then there's stuff like type propagation only going forwards inside functions-
sometimes. The GUI occasionally deciding that all basic blocks should be laid
out in one small square, on top of each other. (You have to reanalyze the
function to fix this.)

Mind you, I love Binary Ninja- I bought my own dang commercial license, and
renewed it! It's getting better, fast... but it's got its warts.

~~~
XMPPwocky
Oh, and I forgot to mention- despite being multi-threaded, it's slooow on
massive (50MB+) binaries. Bother your co-workers! Play Pokemon GO outside!
Make lunch! Take a nap! Use the foosball table in the 'game room' that's there
because we want to seem trendy! When you're done, perhaps the initial analysis
will have finished.

If you're on the dev branch of binja (which, at least until recently, was
miles ahead of stable), you get to do this again in a few days when binja
updates and throws out all its old cached information.

Also, saving and loading massive databases can easily be a 5-minutes-or-more
process. Again- this does provide you with ample time to explore the area
around your office building, but still.

(Mind, this isn't a problem if you mostly see small binaries- for malware it's
probably entirely fine.)

~~~
duskwuff
Can you please edit your post to make the word "slooo[…]oow" shorter? It's
currently breaking the page layout. :(

~~~
XMPPwocky
Oops.

------
hendi_
Probably not run that on networks you care about:
[https://twitter.com/hackerfantastic/status/11030878690637045...](https://twitter.com/hackerfantastic/status/1103087869063704576)

~~~
acdha
… in debug mode. Normally it doesn't load the debugging tools.

------
stargazing
Aaaaaand:
[https://twitter.com/hackerfantastic/status/11030878690637045...](https://twitter.com/hackerfantastic/status/1103087869063704576)

~~~
meowface
Though the obvious explanation for that is that it was an intentional
backdoor, that honestly looks more to me like a legitimate oversight than a
backdoor. I think an actual backdoor would be a lot more subtle and clever
than that. Especially since this way, absolutely anyone could exploit it (it's
just Java Debug Wire Protocol).

Also, you have to explicitly run it in debug mode for this to happen, which
probably only a small percentage of end users will do. Kind of seems like the
equivalent of running Flask apps in debug mode, which by default will handle
exceptions by showing a traceback with an interactive debugger that can be
used to execute arbitrary code.

There could be some backdoors in it, but I'm leaning towards that not being an
intentional one. (But I definitely could be totally wrong; you never know when
it comes to intelligence agencies.)

~~~
earenndil
I also don't think it's a backdoor, but the best way to hide a backdoor is to
make it look like a mistake.

~~~
meowface
> but the best way to hide a backdoor is to make it look like a mistake

It is, but usually the best way to do it is to make it look like a mistake that's
very subtle and difficult to notice without careful testing and analysis, kind
of like Apple's infamous SSL "goto fail". That's a classic example of a
vulnerability that really could be either an honest mistake or a very
insidious backdoor.

This is more like leaving the house's sliding glass door to the backyard wide
open for everyone to see.

------
bluedino
Is it odd that this is written in Java? What advantages does this have?

~~~
HelloNurse
Fairly portable and future-proof, and very easy to compile (just collect
dependencies; you need to really go out of your way to compile and "link" Java
applications wrong)

------
nyrulez
I am going to sound pessimistic here, but isn't there a real danger of having
this technology available to bad actors and is there any value to keeping such
things confidential if it plays a role in national security?

If someone was releasing malicious software to hijack the power grid as an
example, wouldn't they be first able to use this to try to improve the
robustness and invisibility of their attack ?

Or is the functionality here common place enough that it doesn't tilt the axis
of power in an unfavorable way?

~~~
mparlane
Bad actors have been using IDA this entire time. So no, not really.

~~~
nyrulez
You mean there is nothing new here? Then why is this news?

I am not wondering about the concept of reverse engineering but the specific
(and hopefully novel) feature set that this may enable.

~~~
saagarjha
It's a competitor to IDA's monopoly, basically. It might be better in certain
aspects.

~~~
tptacek
IDA has a bunch of competitors --- Hopper, Binja, and all the Capstone
interfaces.

~~~
saagarjha
Yup, well aware of them (I think Hopper uses Capstone, FWIW). I'm sure you
agree that they're not quite at the level of IDA, though ;)

~~~
tptacek
I'm not especially a fan of IDA, but I don't do much of this work anymore and
haven't had a reason to catch up. IDA definitely wouldn't be the first tool
I'd reach for in 2019.

~~~
saagarjha
I'm not really a fan either, but it's somewhat better and this makes people
seem to like to pass around IDBs…

~~~
tptacek
It's the de facto standard and the program you can assume everyone is already
using, plus the fact that a lot of tooling relies on IDA (in part because, for
a long time, it was the only game in town) for analysis and function recovery.
I don't know if that really makes it "better".

I got out of this stuff before decompilation became a mainstream feature, so
it might be a big deal that Ghidra has a strong decompiler.

~~~
saagarjha
Yeah, that's basically it. Most other tools either lack a decompiler or have a
somewhat poorer one.

------
Sreyanth
Am I the only one or is anyone else thinking about what the angle here could
be?

Pretty impressive software though. Finally one strong open-source alternative
for reverse engineering.

------
J253
Can anyone speculate as to why the NSA decided to release this? Have they
released any OSS in the past?

~~~
noidea_
Yes they have. Their biggest effort to date is SELinux:
[https://github.com/SELinuxProject](https://github.com/SELinuxProject)

If you run Linux, you likely have NSA OSS on your machine.

You can find their public GitHub profile at:
[https://github.com/nationalsecurityagency](https://github.com/nationalsecurityagency)

------
andrewcchen
There's a typo in launch.sh that breaks when you try to launch in debug mode

> "{$DEBUG_PORT}"

------
marrowgari
If you run in debug mode it listens on port 18001 allowing for RCE on host
machine
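
The comments above report that debug mode opens a Java Debug Wire Protocol listener on port 18001. As an added example (not part of the thread and not Ghidra's own code), this audits a JVM command line for JDWP agent options and reports whether the listener is reachable beyond loopback; the sample command lines and the `tool.jar` name are constructed.

```python
import ipaddress
import shlex

# Both spellings of the JDWP agent flag accepted by the JVM.
JDWP_PREFIXES = ("-agentlib:jdwp=", "-Xrunjdwp:")


def parse_jdwp(arg):
    """Return the JDWP sub-options as a dict, or None if arg is not a JDWP flag."""
    for prefix in JDWP_PREFIXES:
        if arg.startswith(prefix):
            opts = {}
            for item in arg[len(prefix):].split(","):
                key, sep, value = item.partition("=")
                if sep:
                    opts[key.strip()] = value.strip()
            return opts
    return None


def is_loopback(host):
    """True only when the bind host is provably a loopback address."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # '*' or a hostname we cannot prove is local


def classify(opts):
    """Classify how a JDWP agent configuration exposes the debugger."""
    if opts.get("server", "n") != "y":
        return "outbound"          # JVM dials out to a debugger, no listener
    if opts.get("transport") != "dt_socket":
        return "non-socket"        # e.g. shared memory, not a TCP listener
    host, sep, _port = opts.get("address", "").rpartition(":")
    if not sep or not host:
        # Bare port: JDK 9 and later bind to loopback only,
        # JDK 8 and earlier bind to every interface.
        return "depends-on-jdk"
    return "loopback-only" if is_loopback(host) else "exposed"


def audit_command(cmdline):
    """Return (address, verdict) for every JDWP agent flag in a command line."""
    findings = []
    for arg in shlex.split(cmdline):
        opts = parse_jdwp(arg)
        if opts is not None:
            findings.append((opts.get("address", ""), classify(opts)))
    return findings


# Constructed sample command lines; port 18001 is the one named in the thread.
SAMPLES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:18001 -jar tool.jar",
    "java -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=127.0.0.1:18001 -jar tool.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,address=18001 -jar tool.jar",
    "java -Xmx2g -jar tool.jar",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(audit_command(cmd) or "no JDWP agent", "<-", cmd)
```

An `exposed` verdict means any host that can reach the port can attach a debugger; binding the agent to `127.0.0.1` or dropping the debug flag removes the network listener.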

------
the_librarian
Discord created for this tool here: (Help with mods is needed!)

[https://discord.gg/RcSBc6](https://discord.gg/RcSBc6)

------
AnIdiotOnTheNet
Oh cool, this even supports old DOS MZ exes. And it's easy to make portable.

Edit: no, spoke too soon. It acts like it supports MZ exes but consistently
fails to import them.

------
ru999gol
honest question: should I trust the binary they provided? What reason should I
have trusting it? Because I don't.

~~~
webninja
Virtualize, containerize, or sandbox it.

------
ryanmarsh
The logo reminds me of 8 chan's logo.

~~~
ecommerceguy
indeed.

------
ramon
does Ghidra work for APK files, it would be cool if it also worked with mobile
projects.

~~~
kdbg
Yes it does work with APKs.

Well, it should. It kept having issues with the only APK I had on hand, but
when I just pulled some DEX files out and loaded them it handled them just
fine (including decompilation)

------
morenoh149
How did they use jenkins to do this exactly? I'm curious

------
keypnchr
Started to watch the video, then remembered Snow Crash.

------
kuroguro
I know what I'm doing this weekend :)

------
sscarduzio
Does it work for non windows binaries?

~~~
jukeboxbandit
> includes a suite of software analysis tools for analyzing compiled code on a
> variety of platforms including Windows, Mac OS, and Linux

From the site, so yes it works on non-windows binaries. It also runs on Linux,
Mac and Windows. This is the list of file formats I found in the docs that are
supported by Ghidra

* Common Object File Format (COFF)

* Debug Symbols (DBG)

* Executable and Linking Format (ELF)

* Ghidra Data Type Archive Format

* GZF Input Format

* Intel Hex

* Mac OS X Mach-O

* Module Definition (DEF)

* Motorola Hex

* New Executable (NE)

* Old-style DOS Executable (MZ)

* Portable Executable (PE)

* Preferred Executable Format (PEF)

* Program Mapfile (MAP)

* Raw Binary

* XML Input Format

------
_bashskids
wish it would be helpful for reversing drivers etc.. for oss community

------
kuwze
This is awesome!

------
karthickgururaj
radare2 is another open source alternative

------
savgeborn
This is Sanskrit name for Vulture

Ghid = Vulture

Ra = In Sanskrit RA is the acoustic root of fire. RA also connotes with light
or spiritual light.

~~~
z3phyr
No. This is clear apophenia. Ghidra is a reference to the Japanese video game
boss of the same name, which was supposed to be called Hydra, but due to mis-
translation, came as Ghidra

In Sanskrit, a vulture is vocally spoken aloud like [Giddh], emphasis on the
end.

> Ra is the acoustic root of fire

Any source for that?

~~~
unpixer
Funny, I'd assumed it was a reference to the movie monster.

------
an-allen
Nice try NSA.

------
baby
Annndddd, it's ugly as fuck. Well, I'm not going to install something made by
the NSA on my machine but I'd be interested in feedback.

~~~
tptacek
It's not as if IDA is a work of art. Arguably, this is a cleaner, more usable
interface.

~~~
baby
Totally, that's why I was hoping for something better looking. Looks like
Binary Ninja is the only one that cares about that.

~~~
saagarjha
And Hopper!

------
imjustsaying
>clicking the link before reading the domain

regret

------
Defcon6
[https://twitter.com/hackerfantastic/status/11030878690637045...](https://twitter.com/hackerfantastic/status/1103087869063704576?s=21)

------
maxfan8
It appears that it isn't actually available as of now. Apparently, the NSA is
going to release it at RSA Conference 2019, so it'll probably _actually_ be
published within the next couple of days.

~~~
pacificmint
The RSA conference is currently ongoing and the NSA talk was today. Actually,
it should be over just about now.

~~~
pkaye
Is the NSA talk about this available online?

~~~
saagarjha
I don't know if there's a video, but here are the slides:
[https://published-prd.lanyonevents.com/published/rsaus19/ses...](https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13678/PNG-T09-Come-Get-Your-Free-NSA-Reverse-Engineering-Tool%21.pdf)

------
Foxboron
Also found this community edition linked on twitter:

[https://ghidrace.github.io/](https://ghidrace.github.io/)

~~~
_wmd
This link is third party junk, don't touch it. A "fork" existing before the
original software release, yeah right

