DEV Community

丁久

Posted on • Originally published at dingjiu1989-hue.github.io

Reverse Engineering Tools: Ghidra, IDA Free, radare2, Binary Ninja

This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.

Introduction

Reverse engineering is the art of understanding how software works without access to its source code. Modern reverse engineering tools provide disassembly, decompilation, debugging, and scripting capabilities. This article compares four major platforms: Ghidra, IDA Free, radare2, and Binary Ninja.

Ghidra

NSA's open-source reverse engineering framework:

// Ghidra scripting API
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.*;
import ghidra.program.model.symbol.*;

public class AnalyzeFunction extends GhidraScript {
    @Override
    public void run() throws Exception {
        // Get the current program
        Program program = getCurrentProgram();
        Listing listing = program.getListing();

        // Iterate over all functions in address order
        FunctionIterator functions = listing.getFunctions(true);
        for (Function function : functions) {
            println("Function: " + function.getName());
            println("  Address: " + function.getEntryPoint());
            println("  Body size: " + function.getBody().getNumAddresses());

            // List every reference to the function's entry point (its callers)
            ReferenceIterator refs = program.getReferenceManager()
                .getReferencesTo(function.getEntryPoint());
            while (refs.hasNext()) {
                Reference ref = refs.next();
                println("  Referenced by: " + ref.getFromAddress());
            }
        }
    }
}

Key features:

  • Decompiler (produces C-like pseudocode from assembly)
  • Program tree and listing views
  • Cross-reference analysis (XREFs)
  • Version tracking (collaborative analysis)
  • Scripting in Java and Python (Jython)
  • Processor support: x86, x64, ARM, AARCH64, MIPS, PowerPC, RISC-V, 6502, 8051, and 50+ more

# Ghidra Python script (Jython, so Python 2 syntax: no f-strings)
def find_string_refs(target_string):
    # getDefinedData(True) yields Data objects in address order, not addresses
    for data in currentProgram.getListing().getDefinedData(True):
        if not data.hasStringValue():
            continue
        string_value = str(data.getDefaultValueRepresentation())
        if target_string in string_value:
            address = data.getAddress()
            print("Found %s at %s" % (string_value, address))
            # Flat API helper: every reference whose target is this address
            for ref in getReferencesTo(address):
                print("  Referenced from: %s" % ref.getFromAddress())

Key strengths: Free and open-source, excellent decompiler, collaborative features, extensive processor support, active development.

IDA Free

Hex-Rays' industry-standard disassembler (free edition):

# IDAPython scripting (IDA 7.4+ / Python 3)
import re
import idautils
import ida_funcs
import ida_bytes
import idc

def string_refs_from(func_addr):
    """Yield the contents of every string literal referenced by the function's instructions."""
    for head in idautils.FuncItems(func_addr):
        for ref in idautils.DataRefsFrom(head):
            if ida_bytes.is_strlit(ida_bytes.get_flags(ref)):
                contents = idc.get_strlit_contents(ref)
                if contents:
                    yield contents

def analyze_critical_functions():
    for func_addr in idautils.Functions():
        name = ida_funcs.get_func_name(func_addr)

        # Identify functions with many cross-references
        xref_count = len(list(idautils.CodeRefsTo(func_addr, 0)))
        if xref_count > 20:
            print(f"Hot function: {name} at {hex(func_addr)} ({xref_count} refs)")

        # Check if the function references suspicious strings
        for string_val in string_refs_from(func_addr):
            if b"password" in string_val.lower():
                print(f"Password reference in {name} at {hex(func_addr)}")

# Rename subroutines based on the first string they reference
for addr, name in idautils.Names():
    if name.startswith("sub_"):
        for string_ref in string_refs_from(addr):
            # Keep the name a valid identifier; SN_NOWARN suppresses the dialog on failure
            suffix = re.sub(rb"[^A-Za-z0-9_]", b"_", string_ref[:16]).decode("ascii")
            idc.set_name(addr, f"sub_{suffix}", idc.SN_NOWARN)
            break

Key features: Industry-standard disassembly, cross-references (the best XREF system), IDAPython scripting, mature plugin ecosystem, compact database format.

Limitations of Free edition: No decompiler (Hex-Rays decompiler is paid), x86/x64 only, no collaborative features.
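The processor-support difference described above (Ghidra's processor list versus IDA Free's x86/x64-only limit) can be checked before a binary is ever opened. This added example, not code from the original post, reads the ELF e_ident and e_machine fields and maps the architecture to the tools the page says can load it; tools_for, triage and make_header are names I chose, the sample headers are constructed, and radare2 and Binary Ninja are left out because the page does not state their processor lists.

```python
import struct

# e_machine values from the ELF specification for architectures the page lists
ELF_MACHINES = {0x03: "x86", 0x3E: "x64", 0x28: "ARM", 0xB7: "AARCH64",
                0x08: "MIPS", 0x14: "PowerPC", 0xF3: "RISC-V"}

# Coverage as stated on this page: Ghidra lists all of these processors,
# IDA Free loads x86/x64 only. (Assumed mapping, derived from the text above.)
def tools_for(arch):
    tools = []
    if arch in ELF_MACHINES.values():
        tools.append("Ghidra")
    if arch in ("x86", "x64"):
        tools.append("IDA Free")
    return tools

def parse_elf_header(blob):
    """Return (bits, endianness, architecture) from the first 20 bytes of an ELF image."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(blob[4])        # EI_CLASS
    endian = {1: "<", 2: ">"}.get(blob[5])    # EI_DATA selects the struct byte order
    if bits is None or endian is None:
        raise ValueError("bad EI_CLASS/EI_DATA")
    # e_type and e_machine are the two 16-bit fields right after the 16-byte e_ident
    _e_type, e_machine = struct.unpack(endian + "HH", blob[16:20])
    arch = ELF_MACHINES.get(e_machine, "unknown(0x%x)" % e_machine)
    return bits, ("little" if endian == "<" else "big"), arch

def triage(blob):
    """Summarise a binary: word size, byte order, architecture, and which tools can open it."""
    bits, endian, arch = parse_elf_header(blob)
    return {"bits": bits, "endian": endian, "arch": arch, "tools": tools_for(arch)}

def make_header(ei_class, ei_data, e_machine):
    """Constructed 20-byte ELF header prefix for testing (not a real binary)."""
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    endian = "<" if ei_data == 1 else ">"
    return ident + struct.pack(endian + "HH", 2, e_machine)   # ET_EXEC, e_machine

if __name__ == "__main__":
    print(triage(make_header(2, 1, 0x3E)))   # x64, little-endian: Ghidra and IDA Free
    print(triage(make_header(1, 2, 0x08)))   # MIPS, big-endian: Ghidra only
```

Real binaries are read with `open(path, "rb").read(20)`; anything that is not ELF (PE, Mach-O, raw firmware) raises ValueError and needs a different loader check.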

radare2

The most powerful command-line reverse engineering framework:

# Open a binary
r2 ./binary
r2 -d ./binary  # Debug mode
r2 -A ./binary  # Analyze automatically

# Common commands
aaaa            # Full analysis
afl             # List functions
afl ~main       # Find main function
s main          # Seek to main
pdf             # Print disassembly of function
V               # Visual mode (arrow keys to navigat

Read the full article on AI Study Room for complete code examples, comparison tables, and related resources.

Found this useful? Check out more developer guides and tool comparisons on AI Study Room.
