The Decompiler's Digest
Back to posts
8 min read

Reverse Your First Binary: A Ghidra vs. IDA Pro Guide

reverse engineering ghidra ida pro binary analysis malware analysis beginners patching
Table of Contents

Introduction

You have a compiled program, a black box. You need to understand its inner workings, find a secret, or patch a vulnerability, but you don’t have the source code. This is the core challenge of reverse engineering. Your most critical decision is choosing the right tool. For decades, IDA Pro has been the undisputed king, but the NSA’s free and open-source alternative, Ghidra, has become a powerful contender.

Instead of just listing features, let’s pit them against each other in a real-world scenario. We’ll reverse a simple “crackme” binary, find its secret password, and patch it to bypass the check entirely. This will show you the workflow in each tool and help you decide which one is right for you.

Our target is a basic C program that asks for a password:

#include <stdio.h>
#include <string.h>

int main() {
    char password[16];
    printf("Enter the password: ");
    scanf("%15s", password);

    // The check we need to bypass
    if (strcmp(password, "secret123") == 0) {
        printf("Access Granted!\n");
    } else {
        printf("Access Denied.\n");
    }
    return 0;
}

Our goal is twofold: first, find the password “secret123” using static analysis, and second, patch the program to always grant access, regardless of the input.

Tools & Environment Setup

You don’t need a complex lab for this. Just grab the tools and a compiled version of the C code above (we’ll call it crackme.exe or crackme).

  • Ghidra: A free, Java-based reverse engineering suite from the NSA. It’s incredibly powerful, featuring a solid decompiler out of the box. Download it from the official website. You’ll also need a Java Development Kit (JDK).
  • IDA Pro: The long-standing industry standard. While the full version is very expensive, Hex-Rays provides IDA Free, which is a great way to get started. It lacks the famous Hex-Rays decompiler and support for many processor architectures but is perfect for our x86/x64 target. Download it from Hex-Rays’ website.

For this guide, we will compare Ghidra against IDA Free to keep things accessible for beginners.

Setup:

  1. Install Ghidra and IDA Free.
  2. Compile the C code above with a standard compiler like GCC (gcc crackme.c -o crackme) or MSVC.
  3. You’re ready to go. No complex environment is needed.

Static Analysis: Finding the Secret

Static analysis means examining the binary without running it. Our first goal is to find the password string.

First Impressions: Loading the Binary

In Ghidra:

  1. Create a new project.
  2. Drag and drop your crackme binary into the project.
  3. Double-click the binary to open it in the CodeBrowser.
  4. A dialog will pop up asking to analyze the binary. Click “Analyze” with the default settings. Ghidra will chug away, identifying functions, strings, and cross-references.

In IDA Free:

  1. Launch IDA and drag and drop your crackme binary onto the main window.
  2. IDA presents a dialog to configure loading. The default settings are usually fine. Click “OK”.
  3. IDA performs its auto-analysis, which is typically faster than Ghidra’s initial analysis.

Both tools present a disassembly view, but their layouts differ. IDA has a more compact, text-focused default view, while Ghidra’s default layout is a modular “kitchen sink” with disassembly, decompiler, and other windows open.

Finding the main Function and the Password

Every C program starts in main. Let’s find it.

In Ghidra: The Symbol Tree window on the left lists all identified functions. Scroll down to Functions and find main. Clicking it jumps you straight to the code.

On the right, Ghidra’s “Decompile” window is the star of the show. It displays a C-like representation of the assembly code, which is incredibly easy to read. You’ll immediately see something like this:

// Ghidra Decompiler Output
if (local_18 == 0) {
  puts("Access Granted!");
}
else {
  puts("Access Denied.");
}

By tracing back where local_18 comes from, you’ll see a call to strcmp. Even better, check the “Defined Strings” window. You’ll find "secret123" and "Enter the password: ". Double-clicking the password string will show you cross-references (XREFs) to where it’s used in the code—right in the strcmp call inside main.

In IDA Free: IDA also lists functions in the “Functions” window on the left. Click main to navigate there.

IDA Free does not have a decompiler. You are limited to the assembly view. However, it’s still very readable. You’ll see calls (call) to printf and scanf, followed by a call to strcmp. Right before the strcmp call, you’ll see the password string being loaded into memory.

; IDA Disassembly View
lea     rax, [rbp+s]          ; User input buffer
lea     rcx, aSecret123       ; "secret123"
call    _strcmp
test    eax, eax              ; Check strcmp result
jnz     short loc_ACCESS_DENIED

Just like in Ghidra, you can view all strings via View > Open subviews > Strings.

Static Analysis Verdict:

  • Ghidra Wins for Readability: The built-in decompiler is a game-changer for beginners. It translates complex assembly into understandable logic almost instantly.
  • IDA is Faster and More Direct: For those comfortable with assembly, IDA’s speed and clean disassembly view are top-notch.

Dynamic Analysis: Patching the Binary

Now for the fun part. We’ll patch the binary so that the “Access Denied” code path is never taken. The key is the conditional jump instruction that follows the strcmp call. In x86 assembly, this is often JNZ (Jump if Not Zero) or JZ (Jump if Zero). strcmp returns 0 if the strings match. Our code jumps to the “denied” branch if the result is not zero.

Our goal is to defeat this logic. We can either:

  1. Change the JNZ to a JZ (Jump if Zero).
  2. Change the JNZ to a JMP (Unconditional Jump) to the “granted” block.
  3. Replace the JNZ instruction with NOP (No Operation) instructions, causing the program to “fall through” to the success block.

Let’s go with option 3, as it’s simple and effective.

Patching in Ghidra

  1. In the disassembly view, find the JNZ instruction after the strcmp call.
  2. Right-click the instruction and select Patch Instruction (or press Ctrl+Shift+G).
  3. Type NOP into the text box. Ghidra automatically knows how many bytes the original JNZ instruction occupied and will fill the space with the correct number of NOPs.
  4. Click the patch button. The original instruction will be replaced.
  5. To save your changes, go to File > Export Program. Choose “Binary” as the format, and save it as a new file (e.g., crackme_patched).

Run crackme_patched, enter any garbage password, and you’ll be greeted with “Access Granted!”.

Patching in IDA Pro

  1. Navigate to the JNZ instruction in the disassembly view.
  2. Go to Edit > Patch program > Assemble.
  3. A dialog will appear with the current instruction. Change JNZ short loc_... to NOP and click OK. Like Ghidra, IDA will automatically handle the instruction size.
  4. To save the changes, go to Edit > Patch program > Apply patches to input file. IDA will create a backup and overwrite the original binary (or you can save a new copy).

Dynamic Analysis & Patching Verdict:

  • It’s a Tie: Both tools make patching assembly straightforward. The process is nearly identical: find the instruction, assemble a new one in its place, and export the binary. IDA’s workflow feels a little more direct, but Ghidra’s is just as effective.

Mitigation & Conclusion

How could a developer make our job harder?

  • String Obfuscation: Instead of storing "secret123" in plain text, it could be encrypted or encoded and only reconstructed at runtime.
  • Anti-Debug Tricks: The program could check if a debugger is attached and refuse to run or behave differently.
  • Control Flow Flattening: Compilers can transform simple if/else logic into a complex switch statement or a series of indirect jumps, making the code much harder to follow.

So, which tool should you learn?

Start with Ghidra. It’s free, powerful, and its decompiler provides an unparalleled learning experience. Translating assembly to C is one of the hardest parts of learning reverse engineering, and Ghidra does it for you. This allows you to focus on high-level logic and program flow. The collaboration features are also a huge plus for team projects.

Learn IDA Pro later. As you become more comfortable with assembly and need a more mature, specialized toolset, exploring IDA Pro (and its full-featured paid version) is a natural next step. Its debugger is more polished, and its vast ecosystem of scripts and plugins built over decades is unmatched.

Ultimately, a good reverse engineer doesn’t choose one tool; they use the right tool for the job. By starting with this simple crackme, you’ve taken your first step and seen the core workflow of both Ghidra and IDA. Now, go find a bigger binary to break.

How to Find Vulnerabilities in IoT Binaries After Extraction