by saagarjha 2422 days ago
It's a bit of a gloomy view into the landscape of disassemblers, but I was very impressed that Ghidra managed to keep one of my temporary unsaved projects I had been working on (mostly) intact through a kernel panic. Oh, and there are certain things that Ghidra's UI is better than IDA's at: defining structures, for example. And I'd like to think it has less malware in it than pirated IDA…
2 comments

> Ghidra's UI is better than IDA's at: defining structures, for example

IDA 7.4 introduced a new structure editor, arguably better than Ghidra's. [1]

[1]: https://hex-rays.com/products/ida/7.4/index.shtml

IDA still doesn’t support ctrl+z for field renames. Which makes working in it an absolute nightmare (e.g. accidentally renaming a field at the beginning of the structure which will remove all mapping after it).

Defining structures is one of the worst parts of Ghidra for me! But maybe I'm missing something.

- When I first tried Ghidra I couldn't set the size of a struct by editing the size field, so I had to go through an awkward process of creating an undefined byte and then duplicating it. However, that seems to have been fixed, so it's now better than IDA (where I always have to create a dummy field and move it to the end)...

- The structure editor displays offsets and sizes as decimal by default (!?); there is a menu option to display as hex but it's per-structure and not persistent. ...Oh, I looked in Tool Options and I guess you can change the default there. That's nice to learn. But that's dumb UI design; it should just remember whether you clicked the menu option, and the default should be hex anyway.

- Changes in the structure editor window don't take effect until you press the little save button, which doesn't even have a key binding by default. If you forget to save, and then you modify the same structure from elsewhere (e.g. from rename/retype field in the decompiler), the structure editor 'helpfully' asks you whether to keep its version (in which case you lose the change you just made) or discard edits and reload (in which case you lose the changes you had forgotten to save).

- Can't jump to a specific offset in a structure. Well, you can sort of do it using the search field that does a textual search across all columns, since offset is one of the columns. But then you can type 0x3e and potentially be taken to 0x3e0 because that starts with "0x3e". Also, unlike a true "jump to offset", you can't enter the offset in a different form, like decimal instead of hex, or a mathematical expression (0x10+0x20).

- Can't jump from a field reference in the decompiler to the corresponding field in the structure editor. There is a way to open the struct in the structure editor (without jumping to the field), but even that requires a right click.

- If you have a structure consisting mostly of undefined bytes (e.g. I know there are fields at offset 0x50 and 0x100 but don't know anything else about the struct), the fields list shows each undefined byte as its own row, making it hard to see what actually matters – the defined fields. However, IDA has the same problem.

- The type list view is awkward. Why do I have to right click and go through a submenu just to create a new structure?

- It's annoying that the structure editor is a pop-up window rather than being integrated into the main window.

And some of my other Ghidra complaints are more generally related to structures:

- Can't mark struct field references in the disassembly, as far as I can tell, only in the decompiler.

- Searching for references to struct fields requires waiting for Ghidra to re-decompile every function that references the field (though it does seem to have some smarts to determine which functions to look at).

- Struct constants in the listing view are handled awkwardly. (Also awkward in IDA though.)

I mean, it's not perfect; I just thought that IDA does many of the same things that Ghidra does wrong but with a somewhat less forgiving UI. You did hit on some of the issues I've had with Ghidra, though: I agree that the way to create structures requires a lot of overhead and while I don't deal with anything too large, I kind of wish that Ghidra would collapse runs of "undefined" and only expand them if you clicked on it or something like that. If it annoys me enough and I ever get the time I'll see if I can file a pull request for these things.

Actually, overall I think you've pretty much nailed the issues with Ghidra: it's a bit slow and clunky, and its UI sometimes does the stupidest and most infuriating things, such as truncate instructions. But its saving grace (at least for me) is that usually it's easier to figure out how to do what I want in it. It might require a few extra clicks or confirmations but even if I mess up I can usually rely on undo working right, while I would always be scared of messing something up permanently with IDA and not being able to go back…

Thanks for this comment - I never tried Ghidra thinking it’s the same non-undoable usability disaster.