Thanks for the update to the first video! Agree with almost everything here and wanted to add a few small clarifications: (Full Disclosure for others: I'm a Binary Ninja Developer)
- BN actually had collaboration support even before IDA but it's only for larger customers of the enterprise product (so is Teams with IDA though). We've got a good-sized number of teams who are happily using it and we've heard it compares very well to both the Ghidra and IDA implementations from customers who have tried them all.
- RE: Projects and the workflow around them in Ghidra. We agree that they can be quite useful! We added them in the last year as well, but we still think having a faster default workflow is worth it. Let us know if there are still features from Ghidra's project workflow you think we could improve on.
- RE: type libraries/function names, we'd love any specific feedback here. Just in the last two years we've added a _ton_ of new type info (in particular on Windows userland and kernel). If you still see any instances where our type libraries are lagging other tools in the latest dev release (or the new stable coming out later this week or next) definitely let us know!
Totally agree RE: support for other compilers. At least for Delphi and Golang in particular IDA does a much better job with those. Keep an eye out for some improvements on that in the future. :-)
I love that you took another look at things and appreciate hearing your perspective over time.
Awesome, thank you for the clarifications, Jordan! I did not know about the collaboration feature.
Also, what you are currently doing there is exactly what impresses me. You are immersed in the RE community, you contribute to it, and live in it, and that shows in the product too.
Things that come into my mind regarding features:
I like the alternative string representation in Ghidra, which allows keeping the original value of the string while also making it appear as the deobfuscated string in the code. Ghidra has this script, where I just plug in a decryption function for the strings. In the strings listing I mark the strings I want to decrypt and voila, the representation for them is changed. I can change it back whenever I want. What is also great about that: I do not need to figure out how to find the strings, e.g. in IDA I usually resort to pattern matching or searching for push instructions that happen before the decrypt function is called. That is often not perfect so I end up having to tweak it until it works for all strings. Compare that to Ghidra where I only mark the string and voila, it is done.
When analysing shellcode that is just a blob and not embedded in a PE, I would like to be able to choose and apply types like the PE export directory, PEB, TEB, MS-DOS header or other PEB-walking-related structures. In IDA I load the correct type library. I did not see a way to do that in Binja last time I tried and had to resort to creating those types myself. It's been a while though, maybe it is possible now?
Unions: I would like to be able to choose the member of the union at each location where the union is being used.
That is all I can think of right now.
For the type libraries: I do not remember the cases/samples anymore where I saw the difference, but I might get back to you when I do.
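The "mark the string, plug in a decryptor, keep the original bytes" workflow described in the comment above, as an added example that is not part of the thread and not Ghidra's own script. The listing model and the toy XOR decryptor are constructed stand-ins (the real sample's routine goes in `decrypt`); the `run_in_ghidra` function at the end assumes a Ghidrathon (Python 3) script context with `currentProgram` and `currentSelection` injected and Ghidra's `TranslationSettingsDefinition.TRANSLATION` setting, which backs "Show Translated Value" in the listing. Those Ghidra names are assumptions to check against the API docs of the Ghidra version in use.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set


@dataclass
class StringEntry:
    """One row of a strings listing: the bytes in the binary plus an optional translated view."""
    address: int
    raw: bytes                          # what is actually in the sample; never rewritten
    translated: Optional[str] = None    # decrypted text, attached as a view only
    show_translated: bool = False


DEMO_KEY = 0x5A  # constructed key for the toy cipher below


def xor_decrypt(raw: bytes, key: int = DEMO_KEY) -> str:
    """Toy single-byte XOR decryptor standing in for the sample's real routine.
    Swap in the real decryptor; nothing else in the workflow changes."""
    return bytes(b ^ key for b in raw).decode("ascii", errors="replace")


def xor_encrypt_for_demo(text: str, key: int = DEMO_KEY) -> bytes:
    """Used only to build the constructed sample listing."""
    return bytes(c ^ key for c in text.encode("ascii"))


# Constructed sample listing: two obfuscated strings and one plain string.
SAMPLE_ENTRIES: List[StringEntry] = [
    StringEntry(0x401000, xor_encrypt_for_demo("kernel32.dll")),
    StringEntry(0x401010, xor_encrypt_for_demo("LoadLibraryA")),
    StringEntry(0x401020, b"plain text, not encrypted"),
]


def translate_selected(entries: Iterable[StringEntry], selected: Set[int],
                       decrypt: Callable[[bytes], str]) -> Dict[int, str]:
    """Attach a translated view to the entries the analyst marked.
    Raw bytes stay intact, so the view can be toggled off or redone with another decryptor."""
    done: Dict[int, str] = {}
    for entry in entries:
        if entry.address in selected:
            entry.translated = decrypt(entry.raw)
            entry.show_translated = True
            done[entry.address] = entry.translated
    return done


def display(entry: StringEntry) -> str:
    """What the listing would render for this entry right now."""
    if entry.show_translated and entry.translated is not None:
        return '"%s" (translated)' % entry.translated
    return entry.raw.decode("ascii", errors="backslashreplace")


def set_show_translated(entry: StringEntry, show: bool) -> str:
    """Flip between the original and translated rendering; returns the new rendering."""
    entry.show_translated = show
    return display(entry)


def run_in_ghidra(decrypt: Callable[[bytes], str] = xor_decrypt) -> int:
    """Same idea inside Ghidra. ASSUMED (not verified here): Ghidrathon script context with
    currentProgram/currentSelection injected, and TranslationSettingsDefinition.TRANSLATION
    offering setTranslatedValue(data, str) / setShowTranslated(data, bool)."""
    from ghidra.program.model.data import TranslationSettingsDefinition  # assumed import
    setting = TranslationSettingsDefinition.TRANSLATION
    listing = currentProgram.getListing()  # noqa: F821  (injected by Ghidra)
    count = 0
    for data in listing.getDefinedData(currentSelection, True):  # noqa: F821
        if not data.hasStringValue():
            continue
        raw = bytes(b & 0xFF for b in data.getBytes())  # Java bytes are signed
        setting.setTranslatedValue(data, decrypt(raw))
        setting.setShowTranslated(data, True)
        count += 1
    return count


if __name__ == "__main__":
    marked = {0x401000, 0x401010}  # the analyst's selection in the listing
    for addr, text in translate_selected(SAMPLE_ENTRIES, marked, xor_decrypt).items():
        print("%#x -> %s" % (addr, text))
    print(set_show_translated(SAMPLE_ENTRIES[0], False))  # original bytes are still there
```

Run it outside Ghidra to see the model: marking two entries produces their decrypted text while `raw` is untouched, and toggling `show_translated` back returns the original rendering. Inside Ghidra, select the string data in the listing and call `run_in_ghidra(real_decryptor)`.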
Great feedback all around! This is why I love the RE community
Ghidra support has been fairly constant since its release via GitHub. Simple bugs and usability issues are usually fixed very quickly. Some of the more complex issues/requests eventually get fixed too, like the addition of theming.
Just purchased your course, can't wait to get stuck in.
I used IDA. Now, I am using Binary Ninja.
Nice informative video, sir. Clear explanation 😊
Hi, you said that you use the three tools (IDA Pro, Ghidra, and Binja). In my understanding (newbie), IDA is one of the most complete, so in which cases do you feel the need to use Ghidra or Binja? Like when code is written in a particular language? Automation? Deobfuscation? etc.
I'm asking this to see the viewpoint of an experienced professional like yourself.
Thanks for the video, it always helps less experienced professionals.
Use other tools when you have no money
@yuewang8887 Yes, I got that, but my question was directed to the author, who I believe is sponsored by a company, so he can choose the tool, and if he can choose the tool, in which cases does he prefer to use Ghidra or Binja? I'm asking for the point of view of someone who reverses malware and artifacts day by day.
I hope I'm clearer now.
Hi, I use only IDA for my professional work, it is our standard tool. I do not feel the need to use another.
But for this YouTube channel and also the malware analysis course I cannot use the work license.
So the answer is: I started using Ghidra and Binary Ninja because buying IDA for a hobby was out of the question. I also wanted the content of this channel to be somewhat accessible for people. I still have no clear preference towards Binary Ninja or Ghidra.
If money did not play any role, I would probably use IDA because I am most comfortable with it due to the many hours we spent together. X)
I am also the fastest with it. It is a love-hate relationship, though.
My dream tool has Binja's interface, IDA's general capabilities and some specific features from Ghidra, like the projects, multi-user analysis, the ability to add cross-references just anywhere and the alternative string representation.
@MalwareAnalysisForHedgehogs Thank you, Karsten, for the reply, this is such good information for novices like myself. I understand all the points you have explained. Again, it is an awesome video and congrats on your work, I hope you keep generating this excellent content.
Ghidra is the best choice for me, because I am a poor guy 😅
Lmao same here. Even radare2 is fine for me.
All that matters is your knowledge.
Hear, hear to Cutter
Like you, I sold my hair to buy a copy of IDA but I use radare and a case of whiskey to reverse engineer now
Next time, I will try with Binary Ninja
I think most people use cr@cked ida on a virtual machine for home usage
for work it's more problematic.
Ghidra has an awful UI, but has some powerful features for certain aspects.
Ghidra can be used with Python 3 via the Ghidrathon plug-in.
That is true. But how many Ghidra scripts are written in Python 3? Or if you look for tutorials on Ghidra, how much of that is using Python 3?
I believe, if you really want to learn to create scripts in Ghidra, knowing some Java is very advantageous. The docs are Java, most tutorials are Java, most examples are Java. If a beginner does not have knowledge in Java and starts with Ghidra, it might be frustrating to find resources that they can use.
Not much admittedly, but this should not be the main reason to not use Ghidra. It is possible, and transferring knowledge from a Java tutorial to Python 3 code is not that hard (the API is pretty much the same). But I totally agree with you that missing native support is a major downside of Ghidra at the moment :(
-Gheidra- Gheedra
I just use radare2 and cutter :3
It's pronounced "Gheedra" with "ee"