Let’s compare the most popular reverse-engineering tools, with a strong focus on personal usage: BinaryNinja, Ghidra, IDA and radare2.
Hopefully this post will help you find a tool worth choosing as your primary reverse engineering tool.
To be fair in my analysis I developed a simple scoring system. For each feature a product can receive a specific number of points:
- 1.0 (+) - given feature is available and fully operational.
- 0.5 (~) - feature is partially available, you need to install plugin to achieve it or pay for extra license.
- 0.0 (-) - feature is not available at all.
For a detailed description of each feature, go to the corresponding chapter below.
A [bracketed] character means that, in my opinion, the tool is the “best” in that category (feature); it does not score extra points, but it may be useful for somebody.
| | Price | Score | Cross-platform | Multi-arch | Decompiler | Debugger | Plugins (1) | Signatures (2) | Patching (3) | Symbolic constants |
|:--------------------:|:-----:|:-----:|:--------------:|:-------------:|:----------------------:|:--------:|:------------:|:---------------:|:-------------:|:------------------:|
| BinaryNinja 2.0.2097 | $150 | 7.0 | + | + | + | + | + | + | [+] | - |
| Ghidra 9.1.2 | Free | 6.5 | + | + | [+] | - | ~ | + | + | + |
| IDA Home(4) | $365 | 6.0 | ~ (1/license) | ~ (1/license) | ~ (extra-paid feature) | [+] | + | [+] | ~ | + |
| radare2/Cutter | Free | 7.0 | [+] | [+] | + | + | + | + | + | - |
1. Plugins - support for modern, up-to-date programming languages.
2. Signatures - built-in signatures with the option to add your own.
3. Patching - ability to assemble code without using the hex editor.
4. IDA Home - this version is not published yet, but it is just a limited IDA Pro version, so I will rate it based on my previous experience with IDA Pro (for the list of limitations go to References).
Actually there is no winner here. I would only like to mention that I skipped some freeware versions of paid tools:
- BinaryNinja Cloud - Binary Ninja Personal in browser, but without debugger and plugins support.
- IDA Freeware 7.0 - free version of IDA, with a lot of limitations.
To be 100% honest, BinaryNinja also has a standalone demo, but it is more limited than the cloud version, so I decided to ignore it.
Just remember not to follow my scoring blindly! This blog post is about my subjective point of view. If you want to know which tool I like the most -> jump to the summary.
Cross-platform
From my perspective a disassembly tool should be cross-platform. It is very annoying when you can’t easily install your tool on any operating system, especially when you don’t stay with one favourite the whole time (like me - I use OSX, Linux & Windows).
Unfortunately IDA is “not the best” here, because you need to specify which operating system you are going to use it on :/
Don’t get me wrong: you can disassemble Linux binaries on Windows and vice versa. But it means that if you decide to buy the Windows version, then you will receive IDA install files only for Windows.
The absolute winner is radare2: you can run this tool on almost anything (probably you can even run it on your washing machine).
Multi-arch (support multiple CPU families)
You never know when you will have to change the architecture of the analysed software. You will probably do most of your analysis for x86 or ARM, but it is good to be ready for any kind of analysis, especially when you are paying for some tools.
Once again, IDA is not cheap and supports only 1 architecture for each home license.
radare2 probably supports the largest number of architectures by default.
Note: the rest of the tools probably only require installing a plugin to support an extra architecture - IDA Home is an exception.
Decompiler
Probably the most desired feature in every disassembly product. Unfortunately IDA Home won’t have it built in at this price and you need to pay full price to get it (and this is a very expensive toy).
Note: I really hate to hate IDA, because I like this tool, but IDA also has another disadvantage (without Hex-Rays): local variables don’t support types.
This actually affects all plugins using e.g. the Ghidra decompiler: if you have a binary where some structure is created in the context of a local variable, then you have to rename variables manually, even if you know the definition of its structure.
But anyway, Ghidra seems to have the best decompiler at this moment (even better than HexRays), with support for C++ classes, etc. Definitely the strongest feature of Ghidra.
For Binja it is relatively fresh stuff (it is available from version 2.0), so hopefully it will become as good as Ghidra’s (binja-devs, we are waiting for support of classes!).
r2 Cutter has its own decompiler, but seems to prefer Ghidra’s decompiler, with pretty good integration.
Debugger
IDA is the winner and the loser at the same time. Definitely the ugliest and the least intuitive interface, but it also has a winning feature in its debugger (even if the debugger is sometimes buggy): populating the database with the current code state. Very useful during unpacking or dynamic code modifications.
Note: radare2 developed something called ESIL - a very useful feature for emulating and analysing code. Unfortunately it can’t run code handled by the operating system (APIs).
Update: for some time now binja can also populate the analysis database based on a debugging session! (it happens auto-magically)
Plugins
Here I had very simple requirements: a plugin API must be available AND the language used must be up to date.
Ghidra failed here, because it uses Java or Python2 (Jython to be honest). Just no.
I really like the radare2 API, because it is just radare syntax :P The binja API seems to be very intuitive, while IDA has the most complex API.
BinaryNinja and radare2 have plugin managers which help you install plugins & keep them updated.
Signatures
Every disassembly tool should have some mechanism for detecting commonly known functions, and actually all of the mentioned tools have such an ability:
- BinaryNinja - own “Signatures” engine (I will work on support for FLIRT);
- Ghidra - own signatures engine + FLIRT support (plugin required);
- IDA Home - FLIRT; support for the Lumina server is not known yet;
- Radare2 - zignatures (iz?) + FLIRT.
Patching
From my perspective Binja has the best user interface for this (you can invert jumps, xor pieces of code, etc. with just a few clicks). Cutter has a pretty good interface too, and ofc if you are a masochist you can do everything in radare2 ;)
In IDA patching is theoretically possible, but I wouldn’t recommend it - it is much easier to edit code in the built-in hex editor than with the very limited Assemble code feature.
Symbolic constants
Useful when you are analysing Windows binaries: just replace an ugly int with a more meaningful name.
Summary
From my perspective, if you are just looking for your 1st tool to begin with in reverse engineering, then I would recommend Ghidra (I know, it’s ugly - but it’s free); then you can start thinking about buying e.g. BinaryNinja.
Personally I really like BinaryNinja - for the interface and the incoming features; it seems set to become a very good tool in the near future. I also can’t not recommend radare2, which is very powerful, but this tool requires a little bit more attention.
I don’t think that IDA Home is worth waiting for (it will be available in May), because it seems to be very limited in comparison to other tools - I can change my mind only if it contains the HexRays Decompiler built into the home version.
I hope this article will help you find your new favourite tool - if you have a different opinion: please, share it in the comments :)