Ghidra - a new open disassembler/decompiler...

Discussion in 'Technical Discussion' started by evilhamwizard, Mar 8, 2019.

  1. evilhamwizard (Researcher)
    So the NSA recently released Ghidra, their open/multiplatform disassembler, for free. It can turn pretty much any architecture it supports into pseudo-C. It supports many architectures, including a few of their variants (the 68000 and Z80 are among the ones that are supported). It supports MIPS, PPC, ARM, x86/x64, and even a few legacy CPUs as well. You can create a project and set it up as a server to do collaboration with multiple users. It even supports generating program differences, something I haven't tried yet. Unfortunately there aren't any loaders for disassembling ROMs from various systems, but it's trivial to set the project up. I don't think systems that use bank switching are natively supported (?). Disassembling Mega Drive games with it yields some interesting results:

    [image omitted]

    Seeing everything represented in pseudo-C does help a bit. I kinda like it more than graphing, to be honest. It's surprising how much this can do despite being free. I haven't depended on the auto analysis yet, so I'm not sure how completely dependable it is. It certainly does feel like much of what you can do in IDA Pro you can do in Ghidra as well, if you can only figure out how to do it. I really hope people pick this up and work on it, despite...well...you know...

    What are your thoughts on this?
     
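Added example, not from the thread or from the Ghidra project: setting a Mega Drive ROM up as a raw 68000 binary means telling the tool the load address and the entry point, and both come from the cartridge's own vector table and header. This parser pulls them out and sanity-checks them, assuming the standard header layout (initial SP at 0x0, reset vector at 0x4, console name at 0x100, ROM/RAM ranges at 0x1A0) and a constructed sample image rather than a real game.

```python
import struct

# Offsets in a Mega Drive ROM image (standard cartridge header layout, big-endian).
VEC_INITIAL_SP = 0x000
VEC_RESET_PC = 0x004
HDR_CONSOLE = 0x100    # 16-byte console name, e.g. "SEGA MEGA DRIVE "
HDR_ROM_START = 0x1A0
HDR_ROM_END = 0x1A4
HDR_RAM_START = 0x1A8
HDR_RAM_END = 0x1AC


def parse_md_header(rom: bytes) -> dict:
    """Return the values needed to set up a raw 68000 project for this ROM."""
    if len(rom) < 0x200:
        raise ValueError("image too short to contain a Mega Drive header")
    console = rom[HDR_CONSOLE:HDR_CONSOLE + 16].decode("ascii", "replace")
    if not console.startswith("SEGA"):
        raise ValueError("console name field does not start with 'SEGA'")

    def u32(off: int) -> int:
        return struct.unpack_from(">I", rom, off)[0]  # 68000 is big-endian

    info = {
        "console": console.strip(),
        "initial_sp": u32(VEC_INITIAL_SP),
        "entry": u32(VEC_RESET_PC),
        "rom_start": u32(HDR_ROM_START),
        "rom_end": u32(HDR_ROM_END),
        "ram_start": u32(HDR_RAM_START),
        "ram_end": u32(HDR_RAM_END),
    }
    # Checks worth making before trusting a header: the reset vector must land
    # inside the declared ROM range, and the file size should match that range.
    if not info["rom_start"] <= info["entry"] <= info["rom_end"]:
        raise ValueError("reset vector points outside the declared ROM range")
    info["rom_size"] = info["rom_end"] - info["rom_start"] + 1
    info["image_matches_header"] = len(rom) == info["rom_size"]
    return info


def build_sample_rom() -> bytes:
    """Constructed 1 KiB image with a plausible header (not a real game)."""
    rom = bytearray(0x400)
    struct.pack_into(">II", rom, 0, 0x00FFFE00, 0x00000200)  # initial SP, reset PC
    rom[HDR_CONSOLE:HDR_CONSOLE + 16] = b"SEGA MEGA DRIVE "
    struct.pack_into(">IIII", rom, HDR_ROM_START, 0x0, 0x3FF, 0x00FF0000, 0x00FFFFFF)
    return bytes(rom)


if __name__ == "__main__":
    for key, val in parse_md_header(build_sample_rom()).items():
        print(f"{key:22} {val:#x}" if type(val) is int else f"{key:22} {val}")
```

The `rom_start` value is the base address to load the file at and `entry` is where to begin disassembly; a mismatch between `rom_size` and the file length is a hint that the image is padded, trimmed, or not a plain cartridge dump.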
  2. Overlord (Moderator, "...did we just switch realities?")
    I like the idea behind this application just fine.

    Who it's come from makes me feel there's something malicious to it on a low level. What exactly are they gaining by releasing this?
     
  3. Jeffery Mewtamer (Member, "Blind Bookworm")
    The NSA? As in, one of the US Federal Government's shady organizations that probably does a lot of morally/ethically questionable things while claiming to be protecting the general public from malicious activities? That NSA? If so, I second the suspicions that something with this utility isn't entirely on the level, even if it's something as small as adding any IP address that downloads it to a government watch list for potential malicious hackers. And if it's a different NSA, they probably should've chosen a different name to avoid such unintentional association.

    That said, this sounds like an interesting utility and, setting the source aside, I'm curious if it's usable from the Linux command line.
     
  4. MainMemory (Tech Member, "Every day's the same old thing... Same place, diff")
    SonLVL
  5. Ritz (Member, "Subhedgehog")
    Now that we're locked in endless asymmetrical cyber warfare with most of Asia, they're becoming increasingly reliant on civilian researchers when tracking down threats, so I can see them releasing this as a sort of vaccine for herd immunity. Just disconnect from the internet before disassembling NewYorkNuclearPowerGrid.exe and you'll be fine, probably.
     
  6. sonicblur (Oldbie)
    I was playing with it earlier this week and I'd say it's pretty good. My reference for comparison is Hopper Disassembler on macOS, which I bought years ago because it was so much more affordable than IDA was and it included a decompiler at no extra cost, unlike IDA.

    Compared to that, obviously the UI is worse, but that's the first thing everyone will notice anyway since Ghidra is a Java app. The decompiler is a mixed bag compared to the one in Hopper. In general it's more advanced than Hopper's, especially with support for function argument detection, but at the same time there are things that it does worse. In a method that declares an array of 16 floats to do some matrix multiplication, Ghidra decides to declare 16 separate variables in backwards order for indexes in the array. In the same scenario, Hopper instead does pointer operations against an offset of the starting address, which is easier to read than figuring out all the mapping between variables and indexes. (And when I tried to rename one of the variables Ghidra generated, suddenly a bunch of code disappeared from the function. Could be my fault for not completely understanding things, but all I did was right click on one of the variables it generated and tried to give it a name.)

    As a free tool, it's extremely good. I like it. Having a pseudocode decompiler is a huge time saver for me, and I think from now on I'm going to swap between Ghidra and Hopper based on whichever does a better job for what I'm looking at.

    I wonder how long before people start making processor extensions for it. I'd like an SH4 one for Dreamcast stuff. I see some of the processor extensions actually do include source code, but I don't want to be the one who does it. (I initially created the SH4 plugin for Hopper 3 and never actually finished porting it to version 4. No time / motivation for it.)

    A few well-known security researchers tried it out and posted about it via social media and didn't run into anything questionable (aside from someone finding a security hole with remote debugging, which they admitted looked like a bug). It wasn't phoning home and they plan to open source it, so I trusted it enough to give it a try. It's a nice tool, and they probably will get public contributions to it, but they lose an advantage now that developers can obfuscate better against their decompiler if they want to.