Ghidra is out!

Ghidra is a static analysis/reverse engineering tool that is apparently very similar to big commercial offerings such as IDA Pro. It was developed internally by the NSA, but is just now being released to the public. They put it out there as Free Software under the Apache license. It is written in Java.

Attached: GHIDRA_1.png (1497x1015, 185.37K)

Other urls found in this thread:

How is it compared to Radare2?

What could possibly go wrong?

i wouldn't even run this in a VM


Basically trash. Use if for the decompiler nothing else.

What the fuck even is this reality

If I remember correctly the US government commissioned an IDA replacement a while ago. Sounds like that is it. Knowing how government projects like these turn out, it's probably hilariously bad compared to the original.

Why would they try to replace something that works perfectly fine?

Beats me, maybe they thought The Great And Powerful NSA (dog bless aberiga) could easily outdo whatever other product, even though their staff is mostly redditards.

Are they?

The leaks sure gave me that impression, especially the wiki. Gave off a similar air to googlefags in terms of being high on your own fumes.


Wow, it's fucking retard garbage.

Drink bleach and shoot yourself in the mouth, you fucking failed abortion.


Attached: did you cry.png (363x359, 90.24K)

In your own words, please explain your qualms with Java and tell me how the target language effects you, not as a contributing developer but as a user of the tool.

actually Java is pretty good and safe language and muh compile once, run everywhere is pretty comfy (when it's feasible)

It litterally has a backdoor. Don't use it.

Usually terrible UIs, poor performance compared to native, the mere existence of the JVM on your machine is a security risk given Java's poor track record.

Java isn't safe at all, there's a lot of exploits for it.


Neck yourself you worthless nigger.

Attached: kill_yourself_faggot.png (480x255, 189.29K)

i'm as much of a java hater as the next guy but the 'poor track record' for java is primarily concerned with client-side exploits targeting the virtual machine.

keep in mind, default behavior in say C, is totally unchecked allocations.

It's probably clean. If they were to bug it they wouldn't release it as the NSA. The question then is why they'd release it. I think it's to attract talent, hoping a few shiny toys will make people ignore the fact they're working for the devil.

Attached: java.jpg (960x540, 41.66K)

Yep. They've even got a recruitment pitch in the README.

Only complaint i heard so far was from some poorly included debug mode bug that opened a port. Sensationalist, but it at least shows one issue. Be interesting to see if they push fixes once the source is posted. I might give it a spin since a lot are raving its comparable to IDA in some regards

Write once, run everywhere is sadly a meme.
t. victim of write once, debug everywhere

The NSA has open sourced software before. I can't remember the name of it. Oh yeah because it was fucking useless.

Security moralfags.

Isn't a bad security track record (somewhat ironically) a good thing? It means the issues have already been found and fixed earlier in the projects life cycle.

Bad UI's seems a bit unfair since that's going to differ on a program to program and even framework to framework basis.

Likewise with performance, that's mostly dependent on the platform it runs on. I'm not going to pretend like safe, runtime oriented languages are going to be faster but the difference should be negligible in most cases.
I can't imagine something like this, which will mostly be idle, being perf dependent. Unlike say, a video encoder trying to max out your CPU for the duration of the process lifetime.

You're obviously free to feel however you wish, but I myself don't think these are reasonable objections in this context. I feel like people see Java and instantly write something off and I don't understand that. Just because some programs written in Java are bad does not make all Java program inherently unusable imo.

Because old software is too correct and efficient. Nu-software is inclusive and has contributions by women, homosexuals and brown people.

Not really since many discovered flaws don't mean few remaining flaws. However, it tells you something (bad) about the quality of the programmers and the program's design.

You forgot the transsexuals and fishmouth people. Please be more inclusive next time, it's very insensitive to leave out under represented degenerates.

Consider it, I might say it's moot then.
Regardless of the past, it's not indicative of the current state. Something is either exploitable or not and we cannot really know until after an exploit has been found.
Also audit and dev teams change so the quality could have gone in either direction as well.

That being said, my stance is that it's still unfair to judge a program based on the language alone, and even extending to Java here, it may not be fair to judge them based on their past versions, or make assumption about the current state of it without certainty.

The Java bullies will be stopped.

Not him, but here it goes.
Slow, every large java application I have used has been unresponsive and slow to the point where I don't want to use it. This includes net-simulators, UML graph tools, ide's. Once it might be retarded devs, but when it repeats then, no, it's java.

What else do you judge things on except their past?! It's not like they completely rewrite the thing or replace the entire team every time a new version comes around. Additionally, the problem with security exploits is that things can be failing horribly while you are none the wiser, so you necessarily have to rely on heuristics; what better heuristic is there than the project's past?

Just look at something like OpenSSL: Their code is awe-inspiringly terrible (no really, I was literally in awe at how bad it is), but you would be able to tell as much even if it was closed source, simply because they constantly have massive security problems. In a sanely designed program with good developers, these problems simply don't occur at that frequency. If you naively assume that every fixed bug was the last one for real this itme, you get fucked nonstop. Honestly, I'm kinda interested where this attitude comes from, because it seems completely batshit insane to me. Is it wishful thinking?

This also extends to language, e.g. because the language makes it very easy to make such mistakes (C etc) or because the language has a large pool of bad developers (PHP and JS are the primary examples of this, but it applies to Java as well). Or in this case, because the above stuff applies to its implementation. That said, I do agree that shitting on Java is a big meme on Zig Forums and mostly comes from people who couldn't program their way out of a paper bag. It's the cool thing to hate.

Remember when getting into the NSA was a challenge?

Remember when Whites were a super-majority? Everything today is degraded.

Look up IDA's licensing fees some time and you'll immediately understand why.

Why don't they just pirate it?

Why did you take the bait?

Blows IDA and Radare out of the park

Why would you install proprietary software

you're a shill
How is github abotnet that compares to foogle?

It's owned by kikerosoft

The short answer is that large java applications open slowly, but then after that are as fast, if not faster, than anything else.

Taking 30-60 seconds to open wasn't that bad 10 years ago, but now people think that's terrible, as if it was really such a massive amount of time. The bad impression at opening the software sticks and retards then think it's always slow and never use it again, because they could opened 10 snapchat messages in the time to open. Java hate = short attention span

You missed the news didn't you?

Does this mean they have something way better and this ghidra is obsolete?

What would be the point of backdooring a reverse engineering tool?

Wow Zig Forums is worse than /g/
They release it because they want people to fix it for free and attract new talent at the same time

Attached: 1201635159.jpg (373x339, 18.04K)

It's not open source though since the code hasn't been released.
Anyway's not it's not /g/ to be weary of THE FUCKING NSA. Fuck off glow-in-the-dark.

If you find a backdoor in Ghidra I will unironically kill myself on stream.

Ok that makes sence come again
It's still under development.

Maybe they forgot the backdoor.

shit, tyrone

LARPer detected. Nothing wrong with Java for this type of program.

Full source code was released today. This includes the source to the decompiler and sleigh parser which wasn't included in the initial release.


What tf am I even supposed to do with it?

The UI feels pretty slow compared to IDA or radare but it works quite well.

Considering I always do REing in a VM anyways I don't see a reason not to use this.

Attached: 123713465273.png (2396x1616, 253.92K)

I’d set affinity to a single core, it wasn’t coded correctly and is probably less deterministic than the lottery.

You fools, the backdoor is not in Ghidra itself, but a backdoor is dynamically inserted into the code it decompiles so that if you compile it again it's botnet.

but cant you read the source to find any such things

I have a theory that the NSA knows we're all totally owned and with WWIII on the horizon really wants people to discover a lot about the different ways we're owned, and maybe JUUUST maybe, there are "totally not NSA security researchers and teams" who already have a bunch of these vulns which need to be released in a deniable way so the NSA doesn't reveal its capabilities?

That's what I'd do anyways.

You're thinking of RSA and DSA encryption

Well, I know they have a bad history, but there is plenty of bad blood between the CIA and the NSA. Also, I don't remember Terry Davis saying anything about glow in the dark "NSANiggers". We also have the NSA to thank, indirectly, for being able to shut off Israel Inside's ME bullshit.

Attached: 3e14a8d0f68612f21990d435a4ebadf5b3cbb127371e8a416aba37676320858c.png (1280x800, 591.79K)

Ghidra might be reverse engineered itself, at least in order for it to be version 9 and be horribly coded.

like version numbers mean anything these days. just look at chrome..

Now the source code is out, but I can't figure out how to fucking build it. Apparently it requires gradle, so I installed gradle and ran it in the root ghidra directory. Whoops. It requires an older gradle (5.0, specifically). Fine. I install that instead. Now it's complaining about something related to jython and that I don't have a repository set up. I installed jython, but apparently that's not what it's asking for.

I looked through the source tree for variations of *build* to see if there were some build instructions, but I couldn't find any. The README is useless. The wiki/FAQ on github has no info about building. Is there some obvious build documentation I'm missing? Has anybody actually build this?

lol brainlet

isnt there any build script like a makefile or something? just read it if there is

Attached: 1550552501651.jpg (235x215, 7.99K)

Looks cool for me. I've scanned the source code with clamav. I'll check, if the code has any analitics shit, if not I'll try it. Not using the software your enemy uses is funny, especially if you have the source code.

It's a Java project, Gradle is the build system.

It is.


It's open source, and so the irony is that only a nigger like you won't be able to tell if its safe or not.

Unironically true.

Attached: Lincucks.png (1200x756, 548.78K)

Lol that picrel.
slow as fuck
Last time I checked (month ago) windows couldn't find USB driver. Linux (kernel) is better at loading binary blobs, than windows.
You mean when they don't install security patch for meltdown and spectre, so games can run smoothly, or when ton of spyware is running in the background?
Just doesn't work it crashes all the time. Updates often break something.
Because Windows wasn't good enough so they had to put GNU/Linux inside.
Implying there are no IDEs on GNU/Linux. Better pay for your monthly Visual Studio subscription.

On GNU/Linux
This is actually an advantage.
Why would I use this spyware?
that's a good thing
Why would I use nonfree drivers/firmware? I don't want to use malicious software on my computer.
There are some problems, but it is still better than being exploited and controlled.

When did Zig Forums became a place full of botnet lovers and windows useds?

lol stopped reading there

objectively untrue as well.

No an argument

Did you follow the dev guide?

Meant for

Here we see the loonix fag claiming a problem is a solution

That's not because driver devs are retarded, but hardware manufacturers are - they won't tell how the hardware works, they'll just give you a binary blob. There are some backward engineering efforts, but it is hard and firmware is often signed with a crypto key, so you can't use your own software on that hardware.
The solution is to support only copmanies that produce libre hardware.

Libre hardware is great to have but not necessary. What's absolutely necessary is accurate technical documentation about the specifications of the hardware. When programmers have the proper specifications, then the programmer should be able to write the appropriate driver for the hardware device. Libre hardware should have this level of technical specification. However it's perfectly fine for a black box device as long as the interfaces and relevant internal knowledge are documented for the programmer.






Schizophrenia is one hell of a drug.

Masons, Masons everywhere...

Wow. Just wow.

Shit thread

I love eating kebabs. Why do you guys want to kill the Muslims?