Artificial truth

The more you see, the less you believe.

[archives] [latest] | [homepage] | [atom/rss/twitter]

Radare2, IDA Pro, and Binary ninja, a metaphoric comparison
Sat 07 September 2019 — download

I started to use radare2 in the beginning on 2012, and my first contribution to it was in August 2013. I gave numerous workshops and talks about it at various security conferences, served as a GSoC mentor, wrote a couple of articles about it both on this very blog and other places, attended all the r2con to give workshops there, …

I've used IDA Pro for a similar amount of time, and recently attended a binary ninja training. No clue about Ghidra though.

People are often asking me why they should use radare2 instead of something else, so I decided to write this down. I think that a nice way to (partially) answer this question is to use a handy metaphor: text editors.

The metaphor

Radare2 is like vim

Radare2 is all about command line and cryptic shortcuts/commands, and just like vim, at the beginning, one is completely lost, spending all your time in insertion mode, trying to remember what gg=G" is supposed to do, or how to undo the folding of the function you're looking at. But once you're used to it, once you saw the light, you're fast and efficient, everything seems logical, pleasant and well designed.

Like vim, radare2 has a terrible scripting language, due to legacy issues, that looks like this:

/x 7...7...
(patch2,?E patch2,wx eb,s+2,wx 9090,)
(,f foo=$j,s+2,f bar=$j,s-2,?v foo-bar,?! .(patch2))() @@ hit*
(,s+2,?v $j-$$+2,?! wx 9090)() @@ hit*
f-hit*

Because vimscript and r2script may be brittle to use, they both have a lot of binding: lua, ruby, python, vimscript, mzscheme, Perl, Tcl, … for vim, and a large subset of those for radare2.

The community around those two software are a bit alike: they are fans of their tool, and will be vocal about this, which is sometimes often annoying to others: Why can't those people not shut up, why do they have to be so vocal and insist that we give a try at their cryptic tool from the past?

There are some GUI for vim, like GVim, or all the neovim ones, but most of the people are simply using vim in a terminal, because it's more convenient. Radare2 had gradare2, bokken, Ronin, radare2gui_dotnet, various web interfaces, and now Iaito Cutter, but most of its power users are using radare2.

Both of them are also running on almost every single platform: AmigaOS, Atari MiNT, BeOS, DOS, MacOS, NextStep, OS/2, OSF, RiscOS, SGI, UNIX, VMS, Win16 + Win32 (Windows95/98/00/NT), BSD*, Linux, …

Moreover, even while they're packed with features, they do have a lot of hackish clever integrations with other programs: vim plays nice with make, ctags, LSP, crazy autocompletion engines, fuzzy finders, git… while radare2 integrates with yara, snowman, retdec, ghidra, kaitai, …

I like vim, it's great to write text, C, Haskell, … but I wouldn't recommend to use it for things like Java or C++. For those, an IDE is more suited. Of course, there will always be people using vim for Java, but the majority doesn't.

For radare2, it's similar: it's great for reversing small programs, like in CTF, things written in C, … but for C++ or massive packed binaries, I wouldn't recommend it.

Binary Ninja is like Emacs

Binary ninja feels a bit clunky: there is this omnipresent feeling that things are missing or aren't completely dry yet. But if you take the time to write your plugins, or to use the ones from other, then you'll understand why its users are loving it so much.

For example, its Opaque predicate patcher plugin is amazing, and would be awful to write in pure r2script. Even by using Python, for example via r2pipe, or IDAPython, doing the backward propagation to find if a given condition is constant would be horrible.

Actually, some people are recommending org-mode or magit, with emacs only being a byproduct of it. Like Binary Ninja being a byproduct of its multi-level IL or Python API.

There is also this tendency of emacs users to never use any other tool, because they wrote eww to browse the web, ERC for irc, reading emails with GNUS, using org-mode as a notebook/calendar, serving http with elnode, ordering food, … Binary Ninja users have a similar behaviour: scripting everything via the Python API.

IDA Pro is like IntelliJ IDEA

IDA is massive, and costs more money than its competitors, but this is what the industry is using, and you can reverse massive binaries with ease.

You can of course write C++ or Java in vim, or in emacs, but you either have a massive amount of plugins, or you're a hardcore user, which is entirely fine. But for normal people™, it's usually easier, faster and more effective to use an IDE.

IntelliJ IDEA comes with a lot of features, like deep integration with the Java ecosystem (Gradle, Maven, JBoss, Spring, Android, …), intelligent autocompletion, code analysis, refactoring, framework integrations, profiting…

Likewise, IDA Pro comes with FLIRT, remote debugging (including compatibility with Corellium), advanced analysis, tracing, advanced typing system with automatic inference, an advanced interactive decompiler, support for a myriad of architectures, PDB support, Lumina, Android and iPhone weird format support, …

There is more…

At the beginning of this blogpost, I used the term "partially answered", because a metaphor is rarely enough to provide a comprehensive answer, and there is an elephant in the room that needs to be mentioned: money

Radare2 has a vibrant community, that does things mostly because they are fun, while IDA Pro and Binary Ninja have to make money: if you want a feature in radare2, you'll need to either convince someone to implement it for you, or to implement it yourself, while for the others, you can likely just throw a bunch of money at the developers to get it done. Worse case, the license is coming with technical support anyway.

Not having to care about paying the rent by selling radare2 also means that some useless stupid entertaining features are added from time to time: some potache easter eggs, the game 2048, emoji support, Malbolge and brainfuck disassembly, … this also means that from time to time, things are broken, and nobody cares because nobody is using them but you.

It also means that while Binary Ninja and IDA Pro a giving expensive trainings, radare2 has the r2con for less than 100EUR, with 2 days of workshops,and two day of people presenting the crazy things they did with radare2: fiddling with proprietary Street Fighter emulators, writing a GUI, integrate with decompilers, Fuzzing, writing music, reversing wireless SD cards, … and even a chiptune party!