Hacker News

Do you have a background in reverse engineering?

This feels like a bit of a false dichotomy. Just because I give some thinking tasks to an AI doesn't mean I'm sitting there doing nothing while it thinks.

A VC might want variety and advise people he will vote with his dollars for variety, because he's not funding the same thing as everyone else is.

Being first and the winner requires a lot to line up, so it shouldn't be the only, default, or best setting. Pursuing this is optimizing.

Also a message from 10-15 years ago might not reflect the same context as today.

What is Mad Max-style?

A friend of mine has also been working on a Ghidra MCP: looks like theres a few of them: https://github.com/themixednuts/GhidraMCP

https://github.com/LaurieWired/GhidraMCP is great also

How willing is Claude to help you there?

I started reverse engineering at 13 with an IDA Pro of questionable provenance - at that time, I found it quite difficult.

One thing which really helped me (and I wholeheartedly recommend) is to write simple programs, run them through the compiler and then in the disassembler. It really helps build a correspondence between program structure and its object code.

Eventually, you can make it even more fun and challenging by stripping debug symbols and turning on compiler optimisations.

Happy reversing!

> Taking the opportunity to ask: are there nice recommended resources for a beginner to start with reverse engineering (ideally using Ghidra)? Let's say for an experienced developer, but not so experienced in reverse engineering?

The good news is that there has never been MORE resources out there. If you want to use this learning expedition as an excuse to also build up a small electronics lab then $100 on ali express to buy whatever looks cheap and interesting and then tear it apart and start poking around to find where the firmware lives. Pull the firmware, examine it, modify it and put it back :)

This guy has a discord server with a specific "book club" section where they all choose a cheap $thing and reverse engineer it: https://www.youtube.com/@mattbrwn/about

I can't help much with "traditional" app/software RE work, sorry.

The Nightmare Course [1], so named because someone with that skillset (developing zero-days) is a nightmare for security, not because the course itself is a nightmare, and Roppers Academy [2] are both good for learning how to reverse engineer software and look for vulnerabilities.

The nightmare course explicitly talks about how to use Ghidra.

1: https://guyinatuxedo.github.io 2: https://www.roppers.org

Somewhat unconventional (and i'm not really a seasoned reverse engineer so take it with some salt) but I started by hacking old video games (nes, gameboy, arcade.. that kind of thing). You could start with making basic action replay RAM cheats to e.g. give Mario infinite lives, then you can use breakpoints, the debugger, and a 6502 ISA reference to edit instructions and make ROM patches.

from then you can use things like Ghidra (which supports a lot of those old CPU arches) for more advanced analysis and make the game do almost whatever the hell you want if you have the patience.

I think a lot of the skills will transfer quite well (obviously not 1:1, you will need to learn some things) to the more employable side of RE if that's what you're interested in

If you are into the book, I would recommend The Ghidra Book from No Starch publisher https://nostarch.com/ghidra-book-2e.

The book is designed for beginner and advance users.

So a couple things. Bruce Dang’s book, while a little old, is still a great spot to get started. Another great book is Blue Fox by Maria Markstedter for ARM. From there, finding small binaries and just trying to get the “flow” is a good next step, for me this is largely renaming functions and variables and essentially trying to work the decompiled code into something readable, then you can find flaws.

So for the second thing, pulling the data off chips like that typically involves some specialized hardware, and you have to potentially deal with a bunch of cryptographic safeguards to read from the chip’s memory. Not impossible though, and there are not always good safeguards, but might be worth checking out some simpler programs and working up to it, or learning some basic hardware hacking to get an idea of how that process works.

Find an old piece of software you care about that is broken somehow, and abandoned. Most of my friends use these types of tools to reverse engineer abandoned MMOs and remake servers for them.

https://pwn.college has really good modules/dojos that cover a bunch of reverse engineering concepts.

I personally learn best by doing which is why I love learning with LLMs. They're going to be wrong a lot, and give bad advice, and do things in silly ways. I learn well from the process of working with them, seeing them fail constantly, then learn the tool yourself by researching what it's doing wrong to fix it. I just attempted to use Ghidra to reverse engineer the game Shenmue from Dreamcast. I was previously unfamiliar with Ghidra and I mostly did it as a learning exercise, but it wasn't really the right tool for the job. However the project itself made lots of progress without it:

https://www.newyokosuka.com/

You can start here to learn reverse engineering.

https://beginners.re/

There is MCPs for Ghidra

One large-ish past thread and a few tinies, for anyone curious:

Binary Ninja – an interactive decompiler, disassembler, debugger - https://news.ycombinator.com/item?id=41297124 - Aug 2024 (1 comment)

Binary Ninja – 4.0: Dorsai - https://news.ycombinator.com/item?id=39546731 - Feb 2024 (1 comment)

Binary Ninja 3.0: The Next Chapter - https://news.ycombinator.com/item?id=30109122 - Jan 2022 (1 comment)

Binary Ninja – A new kind of reversing platform - https://news.ycombinator.com/item?id=12240209 - Aug 2016 (56 comments)

Also this.

https://github.com/jart/blink

BN is nice if someone is paying for it, but has too many limitations especially for the most common use case which is security.

The Linux free trial version is a 400MB .zip file including a 255.2MB "binaryninja" shared binary

https://github.com/Vector35/binaryninja-api/releases/downloa...

Yep, it's cheaper than IDA and I like the UI better. Also I love that it's made by game hacking folks (my clique).

Binary Ninja seems way ahead in terms of UX, as a hobby reverser. It's my default as well.

Wow, they made it free. The last time I used it I bought a $100 subscription for non commercial use.

In particularly I like their approach of creating modern IR pipeline.

+1

I once tried learning how to RE with radare2 but got very frustrated by frequent project file corruption (meaning radare2 could no longer open it). The way these project files work(ed?) in radare2 at the time was that it just saved all the commands you executed, instead of the state. This was brittle, in my experience.

I don't have a lot of free time, so I have to leave projects for long periods of time, not being able to restart from a previous checkpoints meant I never actually got further.

IIUC, one of the first things Rizin did was focus on saving the actual state, and backwards/forwards-compatibility. This fact alone made me switch to Rizin. To its credit, my 3-year old project file still works!

Now for the downside: there is apparently a gap in Windows (32-bit) PE support, causing stack variables to be poorly discovered: https://github.com/rizinorg/rizin/issues/4608. I tested this on radare2, which does not have this bug. I'm hoping this gets fixed in Rizin at some point, at which point I'll continue my RE adventure. Or maybe I should give an AI reverse engineer a try... (https://news.ycombinator.com/item?id=46846101).

For UI based manual reversing of things that run on an OS, IDA is quite superior; it has really good pattern matching and is optimized on this use case, so combined with the more ergonomic UI, it’s way way faster than Ghidra and is well worth the money (provided you are making money off of RE). The IDA debugger is also very fast and easy to use compared to Ghidra’s provided your target works (again, anything that runs on an OS is probably golden here).

For embedded IDA is very ergonomic still, but since it’s not abstract in the way Ghidra is, the decompiler only works on select platforms.

Ghidra’s architecture lends itself to really powerful automation tricks since you can basically step through the program from your plugin without having an actual debug target, no matter the architecture. With the rise of LLMs, this is a big edge for Ghidra as it’s more flexible and easier to hook into to build tools.

The overall Ghidra plugin programming story has been catching up; it’s always been more modular than IDA but in the past it was too Java oriented to be fun for most people, but the Python bindings are a lot better now. IDA scripting has been quite good for a long time so there’s a good corpus of plugins out there too.

Almost every hobbyist reverse engineer uses cracked IDA which is easily available. I have never seen ghidra being recommended for serious work.

Leading this by saying I've only used Ida free, I can't comment on Ida pro. I'm also a very lite user of both, I give name functions/vars, save bookmarks, and occasionally work out custom types, and that's about it, none of the real fancy stuff.

I was recently trying to analyse a 600mb exe (denuvo/similar). I wasted a week after ghidra crashed 30h+ in multiple times. A seperate project with a 300mb exe took about 5h, so there's some horrible scaling going on. So I tried out Ida for the first time, and it finished in less than an hour. Faced with having decomp vs not, I started learning how to use it.

So first difference, given the above, Ida is far far better at interrupting tasks/crash recovery. Every time ghidra crashed I was left with nothing, when Ida crashes you get a prompt to recover from autosave. Even if you don't crash, in general it feels like Ida will let you interrupt a task and still get partial results which you might even be able to pick back up from later, while ghidra just leaves you with nothing.

In terms of pure decomp quality, I don't really think either wins, decomp is always awkward, it's awkward in different ways for each. I prefer ghidra's, but that might just be because I've used it much longer. Ida does do better at suggesting function/variable names - if a variable is passed to a bunch of functions taking a GameManager*, it might automatically call it game_manager.

When defining types, I far prefer ida's approach of just letting me write C/C++. Ghidra's struct editor is awkward, and I've never worked out a good way of dealing with inheritance. For defining functions/args on the other hand, while Ida gives you a raw text box it just doesn't let you change some things? There I prefer the way ghidra does it, I especially like it showing what registers each arg is assigned to.

Another big difference I've noticed between the two is ghidra seems to operate on more of a push model, while Ida is more of a pull model - i.e. when you make a change, ghidra tends to hang for a second propagating it to everything referencing it, while Ida tries pulling the latest version when you look at the reference? I have no idea if this is how they actually work internally, it's just what it feels like. Ida's pull model is a lot more responsive on a large exe, however multiple times I've had some decomp not update after editing one of the functions it called.

Overall, I find Ida's probably slightly better. I'm not about to pay for Ida pro though, and I'm really uneasy about how it uploads all my executables to do decomp. While at the same time, ghidra is proper FOSS, and gives comparable results (for small executables). So I'll probably stick with ghidra where I can.

IDA is the better tool if you're being paid to work with architectures that IDA supports well (ARM(64), x86(_64), etc). This usually means 'mainstream' security/malware research. It's not worth the price for hobbyists. Before Hex-Rays was sold to private equity, it could make sense for rich hobbyists to pay for a private license once and use it for a few years without software updates, with the cloud offering now it pretty much makes no sense.

Ghidra is the better tool if you're dealing with exotic architectures, even ones that you need to implement support for yourself. That's because any architecture that you have a full SLEIGH definition for will get decompilation output for free. It might not be the best decompiler out there, sure, but for some architectures it's the only decompiler available.

Both are generally shit UX wise and take time to learn. I've mostly switched from IDA to Ghidra a while back which felt like pulling teeth. Now when I sometimes go back to IDA it feels like pulling teeth.

Use military members.

I was a special agent with an org involved in similar work. They put me through 7 SANS courses, including paying for 5 certs, in 18 months.

They are contractors. The public face of Ghidra works at Praxis, for example.

Great benefits and job security, and a belief in the mission.

Can you be more specific? Is it getting easier to reverse rust and go, since I have read about it being the hardest to reverse.

Hopper is pretty but worse than Ghidra for both

Sounds like `strings' on the binary would've sufficed if it's just hardcoded.

Yes, if you know what you’re looking for.

Just use the official github link or links that are linked there. The URL you mentioned seems bogus at best.

Looks like AI slop and SEO junk. The Guide page you linked opens with an article on Dubai sports car rental. There are also .net and .org variants of the domain, which appear to be also AI-generated slop. There's no such program as Ghidralite, and every site just links to the official Ghidra repository.

Very likely people who actually work on RE at the NSA also have access to IDA Pro licenses. I don't work in this space, so take it with a pinch of salt, but my understanding is this is a fairly long term strategic initiative to _eventually_ be the best tool.

Too many people in the know about this stuff I think to keep it hidden for that long. At the same time, we keep finding stuff that that should have held for and it didn't, so maybe you're right.

I doubt it. Ghidra is extremely extensible with their plugin/tool architecture. Public Ghidra includes the extremely helpful decompiler tool, and a few others, but I'm willing to bet that NSA uses regular Ghidra + some way more capable plugins instead of having another Ghidra.

The gains come from pairing Ghidra with a coding agent. It works amazing well.

Some of the comment matches in the code search suggest at least portions of the codebase goes back to the very late 90s.

Edit: Wikipedia has a table with 1.0 being 2003 https://en.wikipedia.org/wiki/Ghidra

Yes, it’s from the late 90s/early 00s, but why is it strange to see Java?

Seems like it would be of limited value to backdoor a program like Ghidra. Might be useful in identifying security researchers, except that it's also the kind of program that will often be running on disconnected systems with little valuable data beyond whatever is being disassembled.

This was discussed when Ghidra was first open sourced. To the best of my knowledge, nobody's found an NSA backdoor in Ghidra.

Without providing any proof that either this or SELinux is backdoored.

Well it’s open source, so you can check in principle. I would imagine there’s some fame and notoriety in discovering that.