Sonic and Sega Retro Message Board: Ghidra - a new open disassembler/decompiler... - Sonic and Sega Retro Message Board


Ghidra - a new open disassembler/decompiler... ...from the NSA...

#1 evilhamwizard

Posted 07 March 2019 - 11:28 PM

  • Posts: 1285
  • Joined: 16-June 04
  • Gender:Male
  • Wiki edits:109
So the NSA recently released Ghidra, their open/multiplatform disassembler, for free. It can turn pretty much any architecture it supports into pseudo-C. It supports many architectures, including a few of their variants (the 68000 and Z80 are among the ones that are supported). It supports MIPS, PPC, ARM, x86/x64, and even a few legacy CPUs as well. You can create a project and set it up as a server to do collaboration with multiple users. It even supports generating program differences, something I haven't tried yet. Unfortunately there aren't any loaders for disassembling ROMs from various systems, but it's trivial to set the project up. I don't think systems that use bank switching are natively supported (?). Disassembling Mega Drive games with it yields some interesting results:


Seeing everything represented in pseudo-C does help a bit. I kinda like it more than graphing, to be honest. It's surprising how much this can do despite being free. I haven't depended on the auto analysis yet, so I'm not sure how completely dependable it is. It certainly does feel like much of what you can do in IDA Pro you can do in Ghidra as well, if you can only figure out how to do it. I really hope people pick this up and work on it, know...

What are your thoughts on this?

#2 Overlord

Posted 08 March 2019 - 02:24 PM

  • Substitute Meerkovo IT Chief
  • Posts: 17147
  • Joined: 12-January 03
  • Gender:Male
  • Location:Berkshire, England
  • Project:VGDB
  • Wiki edits:3,204
I like the idea behind this application just fine.

Who it's come from makes me feel there's something malicious to it on a low level. What exactly are they gaining by releasing this?

#3 Jeffery Mewtamer

Posted 08 March 2019 - 03:25 PM

  • Posts: 1428
  • Joined: 28-December 03
  • Gender:Male
The NSA? As in, one of the US Federal Government's shady organizations that probably does a lot of morally/ethically questionable things while claiming to be protecting the general public from malicious activities? That NSA? If so, I second the suspicions that something with this utility isn't entirely on the level, even if it's something as small as adding any IP address that downloads it to a government watch list for potential malicious hackers. And if it's a different NSA, they probably should've chosen a different name to avoid such unintentional association.

That said, this sounds like an interesting utility and, setting the source aside, I'm curious if it's usable from the Linux command line.

#4 MainMemory

Posted 08 March 2019 - 11:08 PM

  • Every day's the same old thing... Same place, different day...
  • Posts: 4247
  • Joined: 14-August 09
  • Gender:Not Telling
  • Project:SonLVL
  • Wiki edits:1,339
Yes, it's the NSA.

#5 Ritz

Posted 09 March 2019 - 08:02 AM

  • Subhedgehog
  • Posts: 3983
  • Joined: 01-January 06
  • Gender:Not Telling
  • Location:Glimmering Cornhole Zone
  • Wiki edits:2
Now that we're locked in endless asymmetrical cyber warfare with most of Asia, they're becoming increasingly reliant on civilian researchers when tracking down threats, so I can see them releasing this as a sort of vaccine for herd immunity. Just disconnect from the internet before disassembling NewYorkNuclearPowerGrid.exe and you'll be fine, probably.

#6 sonicblur

Posted 09 March 2019 - 05:23 PM

  • Posts: 1240
  • Joined: 18-February 08
  • Gender:Male
  • Wiki edits:6

evilhamwizard, on 07 March 2019 - 11:28 PM, said:

What are your thoughts on this?

I was playing with it earlier this week and I'd say it's pretty good. My reference for comparison is Hopper Disassembler on macOS, which I bought years ago because it was so much more affordable than IDA was and it included a decompiler at no extra cost, unlike IDA.

Compared to that, obviously the UI is worse, but that's the first thing everyone will notice anyway since Ghidra is a Java app. The decompiler is a mixed bag compared to the one in Hopper. In general it's more advanced than Hopper's, especially with support for function argument detection, but at the same time there are things that it does worse. In a method that declares an array of 16 floats to do some matrix multiplication, Ghidra decides to declare 16 separate variables in backwards order for indexes in the array. In the same scenario, Hopper instead does pointer operations against an offset of the starting address, which is easier to read than figuring out all the mapping between variables and indexes. (And when I tried to rename one of the variables Ghidra generated, suddenly a bunch of code disappeared from the function. Could be my fault for not completely understanding things, but all I did was right click on one of the variables it generated and try to give it a name.)

As a free tool, it's extremely good. I like it. Having a pseudocode decompiler is a huge time saver for me, and I think from now on I'm going to swap between Ghidra and Hopper based on whichever does a better job for what I'm looking at.

I wonder how long before people start making processor extensions for it. I'd like an SH4 one for Dreamcast stuff. I see some of the processor extensions actually do include source code, but I don't want to be the one who does it. (I initially created the SH4 plugin for Hopper 3 and never actually finished porting it to version 4. No time / motivation for it.)

Overlord, on 08 March 2019 - 02:24 PM, said:

Who it's come from makes me feel there's something malicious to it on a low level.

A few well-known security researchers tried it out and posted about it via social media and didn't run into anything questionable (aside from someone finding a security hole with remote debugging, which they admitted looked like a bug). It wasn't phoning home and they plan to open source it, so I trusted it enough to give it a try. It's a nice tool, and they probably will get public contributions to it, but they lose an advantage now that developers can obfuscate better against their decompiler if they want to.
