Ghidra: few thoughts after 3-day usage

Tho Le
4 min read · Mar 12, 2019


Like many other cybersecurity enthusiasts, I was excited about the release of Ghidra, another great tool added to the toolkit of reverse engineers and malware analysts. So I decided to spend 3 days using Ghidra to solve some simple Crackme challenges side by side with the IDA free version as the baseline for my evaluation. I chose IDA as the baseline because it is the de facto standard for reverse engineering and the tool I feel most comfortable with for such tasks.

Disclaimer: I am not an expert in either reverse engineering or malware analysis, just an enthusiast. All of the information below is personal opinion. Since I have only played with Ghidra for 3 days, some of my points for improvement may be due to insufficient knowledge of the tool.

Some useful tips for Ghidra

  • Layout setup: I found the layout shown in the figure below quite handy for analysis, specifically with the Decompile window side by side with the Listing (code browser) window. The Bookmarks window is also helpful for quickly navigating to interesting locations.
  • Navigation: move to the previous position with ALT + Left Arrow and to the next position with ALT + Right Arrow
  • Bookmark: CTRL + D
  • Cross-references to: CTRL + SHIFT + F and choose “Find References To”
  • Function graph: Window → Function Graph
  • Add comments: press ;
  • Rename label, function, or variable: press l (lowercase L)
  • Create function: press f (lowercase F)
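As an added example that is not part of the original post, the following Ghidra script (written in Java, Ghidra's own scripting language) automates the cross-reference and bookmark tips above: with the cursor placed inside a function, it walks every call reference to that function and drops a bookmark at each call site, so the Bookmarks window can then be used to step through the callers one by one. The class name and the bookmark category “Callers” are my own choices; the API calls (getFunctionContaining, getReferencesTo, createBookmark) are standard GhidraScript methods.

```java
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.Reference;

// Bookmark every call site of the function under the cursor.
// Save as BookmarkCallersScript.java in the ghidra_scripts directory
// and run it from Window -> Script Manager.
public class BookmarkCallersScript extends GhidraScript {

    @Override
    public void run() throws Exception {
        // currentAddress is the cursor location in the Listing window.
        Function target = getFunctionContaining(currentAddress);
        if (target == null) {
            println("Place the cursor inside a function first.");
            return;
        }

        int count = 0;
        // Same data as "Find References To" on the function's entry point.
        for (Reference ref : getReferencesTo(target.getEntryPoint())) {
            // Skip data references and plain jumps; keep CALL-type references.
            if (!ref.getReferenceType().isCall()) {
                continue;
            }
            Address callSite = ref.getFromAddress();
            Function caller = getFunctionContaining(callSite);
            String note = "calls " + target.getName()
                    + (caller != null ? " from " + caller.getName() : " (no enclosing function)");

            // Category "Callers" groups these entries in the Bookmarks window.
            createBookmark(callSite, "Callers", note);
            println(callSite + ": " + note);
            count++;
        }
        println("Bookmarked " + count + " call site(s) of " + target.getName());
    }
}
```

Filtering on isCall() matters on stripped binaries: a function's entry point is often also referenced from jump tables or pointer constants, and those entries would otherwise clutter the list of callers.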

What I like

  • Function graph and code browser work simultaneously
    When using IDA, I often switch back and forth between text mode and graph mode by pressing the space bar. Ghidra, however, lets you work in both at the same time, and it is great that the Function Graph window and the code browser window stay synchronized with each other. With two screens, I can follow the code flow in graph mode on one screen and keep the other for the assembly listing, which is useful when I need details in the assembly code or want to add comments, rename labels, and so on.
  • Decompile
    As IDA free doesn’t come with a decompiler, and Cutter often confuses me more than it helps, I find Ghidra’s decompiler good and its translation quite accurate. For a more complex function the pseudocode can be confusing to read, but it is still a helpful reference while performing an analysis.
  • Bookmark
    I really like this feature as it allows me to navigate quickly among interesting locations, just like when you read a book with colored marks.
  • Cross-platform disassembler
    As it is a Java-based disassembler, Ghidra works identically across multiple platforms. In my experience, although IDA has a Linux version, it doesn’t work as well as its Windows version.

Things for improvement

  • Text highlight:
    In IDA, when I click a label, register, etc., all of its usages are highlighted. This is particularly useful when I need to examine, for example, the value of a register. However, this feature is not available in Ghidra’s code browser window.
Ghidra (left) and IDA (right) for text highlight comparison
  • Display of assembly code
    It would be better if there were more space for assembly instructions (look at the SCASB.RE…). Although this is minor, I think instructions displayed in a clearer manner would be more convenient for an analyst.
Ghidra (left) and IDA (right) for instruction presentation
  • The look and feel
    After 3 days of usage, I feel that IDA is still better than Ghidra in terms of presenting information. Ghidra’s look is quite dated, and its text formatting is not as good as IDA’s.

Conclusion

I think Ghidra is a good alternative to IDA in spite of the improvement points mentioned in the previous section. I feel quite comfortable using Ghidra to analyze assembly code, and I will definitely use it more frequently. However, to be honest, IDA free is still probably my first choice, at least for now.
