Releasing the NSA’s Previously Classified Tool ‘Ghidra’ For Free Is a ‘Game Changer’

The National Security Agency released a previously classified reverse-engineering app for free—and so far people in the information security community love it.

Rob Joyce, the NSA’s senior cybersecurity adviser, presented Ghidra, a tool to decompile, reverse engineer, and analyze malware, at the RSA conference in San Francisco on Tuesday evening.

The agency had announced the release of Ghidra weeks ago, and the hype among cybersecurity professionals was comparable to that of Star Wars fans awaiting the trailer for Episode IX. Ghidra used to be an internal NSA tool for years. Its existence was first revealed by leaked CIA hacking documents by WikiLeaks in 2017.

On Tuesday night, my Twitter feed was mostly people giddily awaiting Ghidra’s release. Then—once it was posted on the site—it became a flurry of people commenting on it.

Ghidra is, of course, not the first tool made to reverse engineer applications. There’s a few other alternative reverse engineering and analysis tools such as IDA, made by European company Hex Rays; Radare, made by volunteers; and Binary Ninja, made by Florida-based Vector 35. But apart from Radare, which is free, IDA can cost as little as $879 and as much as $3944, and Binary Ninja costs between $149 and $599.

Ghidra, on the other hand, is free, open source—the NSA posted it on its GitHub page—and it’s been in development for years.

“It’s fantastic,” Darren Martyn, an independent security researcher who has used Ghidra and other reverse engineering tools, told Motherboard. “The decompiler is fucking amazing.”

Martyn praised several of Ghidra’s features, including the “undo” function, the fact that it allows multiple people to collaborate on the same project, its support for different processors, its configurable user interface, the option to use templates and write extensions and plugins, among others.

“Oh and I didn't have to sell a kidney and dox myself to get it,” Martyn joked, referring to what similar tools cost, and the fact that the company behind IDA sometimes asks for a lot of personal information to sell a license to its software, as others have complained.

Joxean Koret, a security researcher, said on Twitter that “Ghidra shits all over any other RE tool out there with the only exception of IDA.”

The fact that it’s an advanced tool that is free and open source is probably what will make Ghidra a success. According to Marcus Hutchins, also known as MalwareTech, this is why it’s a “a total game changer for those looking to break into the industry.”

Hutchins, who is awaiting trial for his alleged role in writing a banking malware, recorded himself playing with Ghidra on Twitch on Tuesday night.

“There's been no good freely available decompiler until now,” Hutchins told Motherboard in an online chat. “Previously people had to choose between an awful one, or pirating IDA."

Martyn agreed.

“For IDA with decompilers for all the architectures Ghidra supports you are paying like 10k or more,” he told me in an online chat. “Ghidra gives you that for free.”

Of course, there’s the little detail that this software was developed within the NSA, the same agency that became a punching bag in the wake of the Edward Snowden leaks and for losing hacking tools that ended up being used in one of the worst malware outbreaks in the world. That, however, does not seem to bother people who like the tool.

“It’s nice to get something back in return for all our data ;),” Martyn said.

Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.