A friend of mine has also been working on a Ghidra MCP: looks like theres a few of them: https://github.com/themixednuts/GhidraMCP

https://github.com/LaurieWired/GhidraMCP is great also

Hopefully this will help decompilation projects into generating better pseudocode. Some sort of "generate code -> build and execute -> test against existing executable if it behaves like the original -> change code again" loop.

How willing is Claude to help you there?

Agh I really wish these awesome community wikis would be easier to find when you don't know about them, they usually have such a cool trove of information. The one I love quite I love is the OSDev Forums Wiki, though that one is well known and loved by a lot of people in the space. We really need to protect these projects somehow, more and more stuff and expertise is getting hidden in Discord servers, completely unsearchable and locked away within the minds of the members...

One large-ish past thread and a few tinies, for anyone curious:

Binary Ninja – an interactive decompiler, disassembler, debugger - https://news.ycombinator.com/item?id=41297124 - Aug 2024 (1 comment)

Binary Ninja – 4.0: Dorsai - https://news.ycombinator.com/item?id=39546731 - Feb 2024 (1 comment)

Binary Ninja 3.0: The Next Chapter - https://news.ycombinator.com/item?id=30109122 - Jan 2022 (1 comment)

Binary Ninja – A new kind of reversing platform - https://news.ycombinator.com/item?id=12240209 - Aug 2016 (56 comments)

Yep, it's cheaper than IDA and I like the UI better. Also I love that it's made by game hacking folks (my clique).

Wow, they made it free. The last time I used it I bought a $100 subscription for non commercial use.

Not sure why you would use Binary Ninja free version, there are so many limitations, like IDA free the platform support is very low.

BN is nice if someone is paying for it, but has too many limitations especially for the most common use case which is security.

Binary Ninja seems way ahead in terms of UX, as a hobby reverser. It's my default as well.

In particularly I like their approach of creating modern IR pipeline.

Also this.

https://github.com/jart/blink

The Linux free trial version is a 400MB .zip file including a 255.2MB "binaryninja" shared binary

https://github.com/Vector35/binaryninja-api/releases/downloa...

> Taking the opportunity to ask: are there nice recommended resources for a beginner to start with reverse engineering (ideally using Ghidra)? Let's say for an experienced developer, but not so experienced in reverse engineering?

The good news is that there has never been MORE resources out there. If you want to use this learning expedition as an excuse to also build up a small electronics lab then $100 on ali express to buy whatever looks cheap and interesting and then tear it apart and start poking around to find where the firmware lives. Pull the firmware, examine it, modify it and put it back :)

This guy has a discord server with a specific "book club" section where they all choose a cheap $thing and reverse engineer it: https://www.youtube.com/@mattbrwn/about

I can't help much with "traditional" app/software RE work, sorry.

The Nightmare Course [1], so named because someone with that skillset (developing zero-days) is a nightmare for security, not because the course itself is a nightmare, and Roppers Academy [2] are both good for learning how to reverse engineer software and look for vulnerabilities.

The nightmare course explicitly talks about how to use Ghidra.

1: https://guyinatuxedo.github.io 2: https://www.roppers.org

Somewhat unconventional (and i'm not really a seasoned reverse engineer so take it with some salt) but I started by hacking old video games (nes, gameboy, arcade.. that kind of thing). You could start with making basic action replay RAM cheats to e.g. give Mario infinite lives, then you can use breakpoints, the debugger, and a 6502 ISA reference to edit instructions and make ROM patches.

from then you can use things like Ghidra (which supports a lot of those old CPU arches) for more advanced analysis and make the game do almost whatever the hell you want if you have the patience.

I think a lot of the skills will transfer quite well (obviously not 1:1, you will need to learn some things) to the more employable side of RE if that's what you're interested in

I started reverse engineering at 13 with an IDA Pro of questionable provenance - at that time, I found it quite difficult.

One thing which really helped me (and I wholeheartedly recommend) is to write simple programs, run them through the compiler and then in the disassembler. It really helps build a correspondence between program structure and its object code.

Eventually, you can make it even more fun and challenging by stripping debug symbols and turning on compiler optimisations.

Happy reversing!

If you are into the book, I would recommend The Ghidra Book from No Starch publisher https://nostarch.com/ghidra-book-2e.

The book is designed for beginner and advance users.

Finding something with symbols will help a lot. Symbols end up getting left in Linux and macOS builds fairly often.

The reverse engineering I've learned has generally been to fix something that has annoyed me - for example I reverse engineered part of RCT3 to fix mouse input with high poll rates and allow for resizable windows [0]. Certainly easier to approach than trying to get into a closed device since you can attach a debugger.

[0] - https://mastodon.social/@benpye/109261545643008493

https://pwn.college has really good modules/dojos that cover a bunch of reverse engineering concepts.

See if there is an OTA package available for your speaker that you can extract and figure out what goes where.

Then figure out what SoC your smart speaker is running.

A lot of soc vendors just provide SDKs for IoT applications. Maybe you'll find something like that you can flash.

Also if there's a separate SPI flash chip, you can simply dump it and study the firmware.

You can start here to learn reverse engineering.

https://beginners.re/

So a couple things. Bruce Dang’s book, while a little old, is still a great spot to get started. Another great book is Blue Fox by Maria Markstedter for ARM. From there, finding small binaries and just trying to get the “flow” is a good next step, for me this is largely renaming functions and variables and essentially trying to work the decompiled code into something readable, then you can find flaws.

So for the second thing, pulling the data off chips like that typically involves some specialized hardware, and you have to potentially deal with a bunch of cryptographic safeguards to read from the chip’s memory. Not impossible though, and there are not always good safeguards, but might be worth checking out some simpler programs and working up to it, or learning some basic hardware hacking to get an idea of how that process works.

I personally learn best by doing which is why I love learning with LLMs. They're going to be wrong a lot, and give bad advice, and do things in silly ways. I learn well from the process of working with them, seeing them fail constantly, then learn the tool yourself by researching what it's doing wrong to fix it. I just attempted to use Ghidra to reverse engineer the game Shenmue from Dreamcast. I was previously unfamiliar with Ghidra and I mostly did it as a learning exercise, but it wasn't really the right tool for the job. However the project itself made lots of progress without it:

https://www.newyokosuka.com/

Find an old piece of software you care about that is broken somehow, and abandoned. Most of my friends use these types of tools to reverse engineer abandoned MMOs and remake servers for them.

Allow me to shamelessly plug my blog, I have been (very slowly!) re-visiting microcorruption and writing up the solutions in a tutorial-esque fashion.

https://lovesexsecretgod.com

Go through the katas at https://pwn.college

Having been in Seattle, I’m not sure there was a time the NSA wasn’t involved with technology — eg, UW hosted meetups between researchers, criminals, and the government at least that long.

Who built the Echelon follow-up, proto-dragnet system that provided the framework for the spying you bemoan? — the one extended and taken live in the early 2000s? Those same 90s hackers you glorify.

do please share your "ethical" software stack that doesn't include contributions from "unethical" sources involved in spying, wars, human rights violations, etc

what sort of device did you type this comment from?

+1

I once tried learning how to RE with radare2 but got very frustrated by frequent project file corruption (meaning radare2 could no longer open it). The way these project files work(ed?) in radare2 at the time was that it just saved all the commands you executed, instead of the state. This was brittle, in my experience.

I don't have a lot of free time, so I have to leave projects for long periods of time, not being able to restart from a previous checkpoints meant I never actually got further.

IIUC, one of the first things Rizin did was focus on saving the actual state, and backwards/forwards-compatibility. This fact alone made me switch to Rizin. To its credit, my 3-year old project file still works!

Now for the downside: there is apparently a gap in Windows (32-bit) PE support, causing stack variables to be poorly discovered: https://github.com/rizinorg/rizin/issues/4608. I tested this on radare2, which does not have this bug. I'm hoping this gets fixed in Rizin at some point, at which point I'll continue my RE adventure. Or maybe I should give an AI reverse engineer a try... (https://news.ycombinator.com/item?id=46846101).

Easily one of the coolest RE projects out there, I've always looked on in awe.

> The relocation table synthesizer analyzer relies on a fully populated Ghidra database (with correctly declared symbols, data types and references) in order to work

It's a shame that this requirement exists (I am well aware that it's a functional necessity), because all the stuff I want to relink is far too big to make a full db!

Where can I learn more about the Windows decompilation community? (This is an area I kind of work in, and I am interested in participating!)

What is Mad Max-style?

One huge difference is that IDA is much faster and less resource-intensive than Ghidra, on account of the latter being written in Java (not surprisingly) while the former is native code. The Ghidra UI is noticeably laggy to perform basic operations even with tiny binaries, while I haven't noticed anything like that in IDA.

For UI based manual reversing of things that run on an OS, IDA is quite superior; it has really good pattern matching and is optimized on this use case, so combined with the more ergonomic UI, it’s way way faster than Ghidra and is well worth the money (provided you are making money off of RE). The IDA debugger is also very fast and easy to use compared to Ghidra’s provided your target works (again, anything that runs on an OS is probably golden here).

For embedded IDA is very ergonomic still, but since it’s not abstract in the way Ghidra is, the decompiler only works on select platforms.

Ghidra’s architecture lends itself to really powerful automation tricks since you can basically step through the program from your plugin without having an actual debug target, no matter the architecture. With the rise of LLMs, this is a big edge for Ghidra as it’s more flexible and easier to hook into to build tools.

The overall Ghidra plugin programming story has been catching up; it’s always been more modular than IDA but in the past it was too Java oriented to be fun for most people, but the Python bindings are a lot better now. IDA scripting has been quite good for a long time so there’s a good corpus of plugins out there too.

IDA is the better tool if you're being paid to work with architectures that IDA supports well (ARM(64), x86(_64), etc). This usually means 'mainstream' security/malware research. It's not worth the price for hobbyists. Before Hex-Rays was sold to private equity, it could make sense for rich hobbyists to pay for a private license once and use it for a few years without software updates, with the cloud offering now it pretty much makes no sense.

Ghidra is the better tool if you're dealing with exotic architectures, even ones that you need to implement support for yourself. That's because any architecture that you have a full SLEIGH definition for will get decompilation output for free. It might not be the best decompiler out there, sure, but for some architectures it's the only decompiler available.

Both are generally shit UX wise and take time to learn. I've mostly switched from IDA to Ghidra a while back which felt like pulling teeth. Now when I sometimes go back to IDA it feels like pulling teeth.

  - AVR
  - Z80
  - HC08
  - 8051
  - Tricore
  - Xtensa
  - WebAssembly
  - Apple/Samsung S5L87xx NAND controller command sequencer VLIW (custom SLEIGH)

Almost every hobbyist reverse engineer uses cracked IDA which is easily available. I have never seen ghidra being recommended for serious work.

Leading this by saying I've only used Ida free, I can't comment on Ida pro. I'm also a very lite user of both, I give name functions/vars, save bookmarks, and occasionally work out custom types, and that's about it, none of the real fancy stuff.

I was recently trying to analyse a 600mb exe (denuvo/similar). I wasted a week after ghidra crashed 30h+ in multiple times. A seperate project with a 300mb exe took about 5h, so there's some horrible scaling going on. So I tried out Ida for the first time, and it finished in less than an hour. Faced with having decomp vs not, I started learning how to use it.

So first difference, given the above, Ida is far far better at interrupting tasks/crash recovery. Every time ghidra crashed I was left with nothing, when Ida crashes you get a prompt to recover from autosave. Even if you don't crash, in general it feels like Ida will let you interrupt a task and still get partial results which you might even be able to pick back up from later, while ghidra just leaves you with nothing.

In terms of pure decomp quality, I don't really think either wins, decomp is always awkward, it's awkward in different ways for each. I prefer ghidra's, but that might just be because I've used it much longer. Ida does do better at suggesting function/variable names - if a variable is passed to a bunch of functions taking a GameManager*, it might automatically call it game_manager.

When defining types, I far prefer ida's approach of just letting me write C/C++. Ghidra's struct editor is awkward, and I've never worked out a good way of dealing with inheritance. For defining functions/args on the other hand, while Ida gives you a raw text box it just doesn't let you change some things? There I prefer the way ghidra does it, I especially like it showing what registers each arg is assigned to.

Another big difference I've noticed between the two is ghidra seems to operate on more of a push model, while Ida is more of a pull model - i.e. when you make a change, ghidra tends to hang for a second propagating it to everything referencing it, while Ida tries pulling the latest version when you look at the reference? I have no idea if this is how they actually work internally, it's just what it feels like. Ida's pull model is a lot more responsive on a large exe, however multiple times I've had some decomp not update after editing one of the functions it called.

Overall, I find Ida's probably slightly better. I'm not about to pay for Ida pro though, and I'm really uneasy about how it uploads all my executables to do decomp. While at the same time, ghidra is proper FOSS, and gives comparable results (for small executables). So I'll probably stick with ghidra where I can.

Can you be more specific? Is it getting easier to reverse rust and go, since I have read about it being the hardest to reverse.

Use military members.

I was a special agent with an org involved in similar work. They put me through 7 SANS courses, including paying for 5 certs, in 18 months.

They are contractors. The public face of Ghidra works at Praxis, for example.

$160k-$170k is not a bad salary; in some cases they get $250k, but sure, it's not a FAANG type.

I wouldn't say a program in Java Swing / AWT would count as excellent.

Great benefits and job security, and a belief in the mission.

There is MCPs for Ghidra

Very likely people who actually work on RE at the NSA also have access to IDA Pro licenses. I don't work in this space, so take it with a pinch of salt, but my understanding is this is a fairly long term strategic initiative to _eventually_ be the best tool.

I doubt it. Ghidra is extremely extensible with their plugin/tool architecture. Public Ghidra includes the extremely helpful decompiler tool, and a few others, but I'm willing to bet that NSA uses regular Ghidra + some way more capable plugins instead of having another Ghidra.

Too many people in the know about this stuff I think to keep it hidden for that long. At the same time, we keep finding stuff that that should have held for and it didn't, so maybe you're right.

The gains come from pairing Ghidra with a coding agent. It works amazing well.

Sounds like `strings' on the binary would've sufficed if it's just hardcoded.

Hopper is pretty but worse than Ghidra for both

Yes, if you know what you’re looking for.

Just use the official github link or links that are linked there. The URL you mentioned seems bogus at best.

Looks like AI slop and SEO junk. The Guide page you linked opens with an article on Dubai sports car rental. There are also .net and .org variants of the domain, which appear to be also AI-generated slop. There's no such program as Ghidralite, and every site just links to the official Ghidra repository.

This is correct. The majority of cases I have to rely on my own expertise.

It's useful for the automation of small repetitive tasks here and there. I was never expecting it to gain the traction that it did; anyone saying they expect it to replace reverse engineers (it won't) is wildly misunderstanding the original intent.

Quite trivial to create binaries that massively confuse LLMs!

I was wondering why so many people were suddenly hopping into my humble profession and declaring me redundant. Ah, a youtube influencer is at the center of it. Makes sense.

> People are really attracted to using LLMs on deep thinking tasks, off shoring their thinking, to a "Think for me SaaS". This won't end well for you, there's no shortcuts in life that don't come with a (huge) cost.

I, too, watched The Sorcerer’s Apprentice. The problem is that I, too, shipped a fuckton of working, reviewed, reworked, tests-and-lint-passing, properly-typed code implementing brand new features from scratch in the last 48 hours, that would have taken me 48 days a year ago.

“thinking” means a lot of different things, and you can indeed outsource a lot of it to other things that can think at different levels of ability than you. This is effectively what an engineering organization does.

Perhaps I haven’t fully offshored my thinking in the sense you mean in that I review all the code and give feedback on the PRs—I still steer. But I think the SOTA will continue to improve until we can indeed oneshot larger and larger tasks.

In a funny inversion of the normal analogy to machine code and compilers, you could say the same thing about people using decompilation rather than getting gud at reading ARM assembly.

This feels like a bit of a false dichotomy. Just because I give some thinking tasks to an AI doesn't mean I'm sitting there doing nothing while it thinks.

Do you have a background in reverse engineering?

A VC might want variety and advise people he will vote with his dollars for variety, because he's not funding the same thing as everyone else is.

Being first and the winner requires a lot to line up, so it shouldn't be the only, default, or best setting. Pursuing this is optimizing.

Also a message from 10-15 years ago might not reflect the same context as today.

Some of the comment matches in the code search suggest at least portions of the codebase goes back to the very late 90s.

Edit: Wikipedia has a table with 1.0 being 2003 https://en.wikipedia.org/wiki/Ghidra

Yes, it’s from the late 90s/early 00s, but why is it strange to see Java?

I suppose they should be using rust yeah?