by yifanlu 2669 days ago
From someone who does binary reverse engineering full time, in my experience, BinaryNinja, Hopper, radare2, etc are toys compared to IDA Pro + Hex Rays Decompiler. The quality of the results and the features supported are unmatched... until now. I haven’t spent too much time with Ghidra yet but it’s the real deal. The output of the decompiler looks alright (not complete garbage like I’ve seen with other tools). Even if everything else sucks, the decompiler by itself makes it outrank every other tool aside from IDA. And it costs $10k less! The fact that it’ll be open source is just icing on the cake.

Binja is the only real competitor in any remote sense IMO, and while the LLIL/MLIL are nothing compared to Hex-Rays, they do still dramatically improve the speed of the job. Binja is also fairly extensible/pluggable, though it's pretty undocumented... I just don't do it enough in my spare time these days (not in the field anymore) to justify a Hex-Rays license for myself (even if it is permanent...)

That said I just renewed my license so I have to get some use out of it, but Ghidra does seem like it could be the real deal. Honestly, I never really expected any free/FOSS alternative to IDA to ever exist at this point, so the possibility is tantalizing.

I agree, they have big potential. But if you speak about FOSS alternatives, there is already radare2[1]+Cutter[2]+radeco[3].

[1] https://github.com/radare/radare2

[2] https://github.com/radareorg/cutter

[3] https://github.com/radareorg/radeco

Binary-Ninja and IDA are a completely different class of tool from Radare. Don't get me wrong, I'm happy Radare exists. And I occasionally check it out and play with it -- I think "the vim of RE tools" is a cool point in the design space. As a Linux person, I find that attractive, especially for certain kinds of automated stuff (vs loading Python scripts in through a UX or whatever). But that kind of aesthetic is an extremely small part of these tools in the whole, and it simply does not matter if the tool cannot "keep up" with your work. All of that comes later on. You're comparing a jalopy to a Prius -- and that Prius is already going up against a Ferrari.

When I use IDA, almost all of my actual work in the tool itself is very "boring" RE stuff, because it does its job. I am not constantly fighting with it to get basic things analyzed properly, or fighting a lack of supported features that prevent it from opening something, or a bad analysis engine that misses 80% of things I later reverse by hand. You could comparatively stitch something together with the tools in Radare to patch over this for the cases it doesn't handle. You might even call those "edge cases", but reverse engineering is 90% edge cases and 10% easy stuff. I'll already be done by then.

I should also be clear that part of the issue is that reverse engineering is a money game, one where money is easy to come by if you have the clients -- and as a result a lot of the developers of those tools have more money/labor available than the Radare developers. That also means people who need this can simply throw money at a problem, like an expensive IDA license, and move on. That doesn't mean Radare developers are incompetent. If you gave them a lot of money -- like, enough to fund 5-10 core developers for a couple years -- Radare would dramatically improve extremely quickly, I'm sure. (This is one of the reasons why I suspected a true competitor to IDA would never come around as FOSS -- it takes a shitload of money to do that, and it's also something you can make a shitload of money from.)

But I'll say this: if you put me into a situation where I had to reverse something, I'd pay for an IDA license 10/10 times even if every Radare developer was at my command, and I'd probably still get it done faster (most RE tools I know of lack even the most basic, fundamental features IDA has had for years -- such as FLIRT -- that can dramatically improve reversing speed.)

R2 has had the Cutter GUI, along with FLIRT support (and a custom signature format as well), for years. So bad example. And there is not much money even for IDA developers - it is a very small market. So no tool would get a "shitload" of money ever.
IDA developers get paid. My company alone probably gives them more than two million dollars per year.

If we switch, it will be to Ghidra or to Binary Ninja.

Out of curiosity what kind of job involves doing binary reverse engineering full time?
Reverse engineering the firmware for an embedded product where someone lost the source code.

Bonus points available for:

  * "the source control is ZIP files on a network share"
  * "yeah we use forced squash commits on everything to keep the Git history nice and linear"
  * "it was designed by a contractor who is now uncontactable"
Malware analyst, vulnerability research
Well there are these, at my workplace: https://news.ycombinator.com/item?id=19055183

That includes malware analysis, vulnerability research, and emulator development.

Audits for Intellectual Property.

Too often companies pay 6 digits for a feature that some supplier rips directly from an open source project on the Internet (often GPL) and then sells as its own.

Chinese software dev firms.
A job at NSA, for instance.
Red team?
If your Red team is reversing binaries you’re doing it wrong.
Why? If your real world adversaries can reverse binaries, why would you shackle a Red team from doing so?
Because they have access to the source code itself. No need to reverse engineer anything.
That depends on your definition. Many people, myself included, take 'red team' to mean attack simulation. If you have access to source, it implies a white box test, which is not an attack simulation but 'ordinary' vulnerability research.

The concrete difference between the two is that vulnerability research is mostly focused on the technical security aspects. E.g. is there a buffer overflow here, yes or no? From an efficiency perspective it makes no sense to hide the source code or even credentials from the pentesters performing this research.

An attack simulation is more holistic in nature, the question becomes "can your security team detect when we exploit this buffer overflow?". The blue team and the red team do not share details, and to give the blue team a proper exercise they are often not even informed. To do a proper red team exercise the scope must be very broad. Both technical controls as well as procedural operations are in scope. If you call application/network security research a red team exercise I think you're doing it wrong.

So a red team, in the sense of the word that I specified, does not have access to source code, and most definitely sometimes needs to reverse engineer binaries.

Couldn't compilation introduce vulnerabilities that wouldn't be in the source, but could be found by decompilation?
Because although you don't have source code (like other commenters are saying), reversing a program to get into a company would be the hardest way to go. Red teams are used to test a company's overall security, and reversing normally wouldn't make sense compared to phishing, using common exploits, and owning the network. Reversing binaries is not the job of a red team, but pentesters of specific systems.
Red teaming isn't limited to "get into a company" testing of networks, it's also used for testing products and infrastructure that's outside the company. For example, you can reasonably have a red team evaluation of some authentication or payment infrastructure based on smartcards or mobile apps, and that'd inevitably include reverse engineering of all the artifacts that are available to the users; in such cases it's also likely that many/most software parts of "your" product or device aren't made by you but redistributed from some other vendor, and you don't necessarily have the source available for that.
Because they should use the source.
Leaving the decompiler aside, for core disassembly features, in what ways is modern IDA far ahead of its competitors?
Auto analysis when you have barely any information. Any tool can make nice output if you feed it nice input. Try a partial dump from an exotic device and then you’ll see IDA shine.
See, that's really most of what I ever did with IDA (I don't do a lot of Windows reversing) and I always had to do a lot of binutils munging to get weird architectures to work. But things may have improved dramatically in the last 8 years or so.
Definitely. It's all the years of tweaking and the massive numbers of heuristics to handle, I don't know, code emitted by Microsoft Visual FORTRAN from 1972, that's IDA's moat. Screw the decompiler. If GHIDRA can match that, it's a huge step forwards.
To be fair, without undo, Hex-Rays can only move forwards. This explains their advantage.
Not sure about everything, but last I looked IDA had a lot more support for different architectures and file formats compared to most of the open source stuff (not sure about other proprietary ones).
I’m a casual bystander who has only played with these tools, but I’ve been interested in this field for a long time. Do you think that radare2’s UI is a step forward? I like the Unix-esque command line and how composable everything feels. IDA (and now Ghidra) feel like an IDE, while radare2 feels more like Vim.
I mean having a good UI is great but without the features to back it up, you can’t do anything serious. I tried Cutter again a few months ago and went back to IDA after an hour of frustration. When handed a binary dump with no executable format or symbols, Cutter just chokes while IDA was able to quickly find 90% of functions in memory as well as data xrefs and strings and so on.

I’m sure everything performs well on ELFs built with -O0 -g but in most real world usage, IDA is queen.

Since everything is open source, if Ghidra is as good as people say it is, I’m sure people will make better GUIs for it (and TUIs) in no time.
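As an added illustration of what the "auto analysis on a headerless dump" the commenters above are describing actually involves (this is editorial example code, not from any commenter and not IDA's, Ghidra's or radare2's engine): a toy pass over a raw memory image with no executable format and no symbols that (1) finds candidate function starts by prologue pattern, (2) carves NUL-terminated ASCII strings, and (3) recovers data xrefs by scanning for pointer-sized words that equal a string's load address. The prologue byte patterns, the 32-bit x86 little-endian assumption, the 4-byte minimum string length and the sample dump are all assumptions made for the example; the dump is constructed inline.

```python
"""Toy auto-analysis of a headerless binary dump (added example, not a real tool's code)."""
import re
import struct

# Assumption: 32-bit x86, so a function commonly starts with
#   push ebp; mov ebp, esp   encoded as 55 8B EC (Intel syntax) or 55 89 E5 (AT&T).
# Real engines use far more heuristics (call-target propagation, alignment, etc.).
PROLOGUES = (b"\x55\x8b\xec", b"\x55\x89\xe5")


def find_functions(blob: bytes, base: int) -> list:
    """Return sorted load addresses of every prologue match in the dump."""
    hits = set()
    for pat in PROLOGUES:
        i = blob.find(pat)
        while i >= 0:
            hits.add(base + i)
            i = blob.find(pat, i + 1)
    return sorted(hits)


def find_strings(blob: bytes, base: int, min_len: int = 4) -> dict:
    """Map load address -> text for runs of printable ASCII ending in NUL."""
    pattern = rb"[\x20-\x7e]{%d,}\x00" % min_len  # assumption: 4+ printable bytes
    return {base + m.start(): m.group()[:-1].decode("ascii")
            for m in re.finditer(pattern, blob)}


def find_data_xrefs(blob: bytes, base: int, targets: set) -> dict:
    """Map target address -> list of load addresses of 32-bit LE words equal to it.

    This is how a push imm32 / mov reg, imm32 referencing a string becomes a
    data xref. It only works if `base` is the real load address: with the
    wrong base every candidate pointer misses, which is the first thing to
    suspect when a headerless dump yields strings but no xrefs.
    """
    xrefs = {}
    for off in range(0, len(blob) - 3):  # every byte offset, unaligned too
        val = struct.unpack_from("<I", blob, off)[0]
        if val in targets:
            xrefs.setdefault(val, []).append(base + off)
    return xrefs


def analyze(blob: bytes, base: int) -> dict:
    """Run the three passes together, as an auto-analysis step would."""
    strings = find_strings(blob, base)
    return {
        "functions": find_functions(blob, base),
        "strings": strings,
        "xrefs": find_data_xrefs(blob, base, set(strings)),
    }


# Constructed sample dump (assumption: loaded at 0x08048000). Layout:
#   +0x00  55 8B EC        push ebp; mov ebp, esp      <- function 1
#   +0x03  68 20 80 04 08  push 0x08048020             <- data xref to the string
#   +0x08  C9 C3           leave; ret
#   +0x10  55 89 E5 5D C3  push ebp; mov ebp, esp; pop ebp; ret   <- function 2
#   +0x20  "Hello, world\0"
BASE = 0x08048000
SAMPLE_DUMP = bytearray(0x30)
SAMPLE_DUMP[0x00:0x03] = b"\x55\x8b\xec"
SAMPLE_DUMP[0x03] = 0x68
SAMPLE_DUMP[0x04:0x08] = struct.pack("<I", BASE + 0x20)
SAMPLE_DUMP[0x08:0x0a] = b"\xc9\xc3"
SAMPLE_DUMP[0x10:0x15] = b"\x55\x89\xe5\x5d\xc3"
SAMPLE_DUMP[0x20:0x2d] = b"Hello, world\x00"
SAMPLE_DUMP = bytes(SAMPLE_DUMP)

if __name__ == "__main__":
    result = analyze(SAMPLE_DUMP, BASE)
    for addr in result["functions"]:
        print(f"sub_{addr:08x}")
    for addr, text in result["strings"].items():
        refs = ", ".join(f"{r:08x}" for r in result["xrefs"].get(addr, []))
        print(f"str_{addr:08x} {text!r}  xrefs: {refs or 'none'}")
```

Run against a real dump you would replace `SAMPLE_DUMP` with the file contents and `BASE` with the known (or guessed) load address; the function pass is architecture-specific and the xref pass is pointer-width-specific, which is precisely the per-architecture, per-compiler heuristic work the thread credits IDA's years of tweaking for.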

Do you mind talking a bit about how you got into the field?
Video game console hacking. Wanted to run my own code on my console back before phones and laptops were so cheap.
Pretty much all of the seriously talented reverse engineers I've met started out hacking video games as teenagers. Also, IDK if you remember me from back in the day, but hi! ^.^
It really is a job for a GUI, but even IDA lets you type commands. You can use Python, or a built-in language that is in the C family, or anything custom that you have attached to the plug-in interface. I would be surprised if one of these tools is lacking such a capability.
I use cutter with r2 and consider it a better UI than IDA; but then again I don't do a lot of work in it, just CTFs and crackmes.
I've found radare2 pretty neat for doing some automated analysis (specifically on RISC-V binaries), but I agree, IDA Pro has, until now at least, been the undisputed champion.
Curious how much a job like this pays? Seems like a fun job