Oh no, they were sore about this like you wouldn't believe. They'd rather refuse a legitimate customer than risk a leak. I can't even say they were entirely wrong: the sensitive nature of reverse engineering makes it hard to make sure you won't get ripped off. Still, they did take this personally.
Decompilation isn't exactly a rocket science: just about anyone capable of hacking on clang or gcc can write a simple decompiler. The entire point of IDA was that they've done that, and also a lot of tedious, boring work on providing support for lots and lots of different CPUs. There's just no secret sauce recipe for SREs to steal - even their FLIRT tech is documented on their site.
Ghidra's existance is a bit unfortunate, really. While it was released relatively recently, it's already a dated product permanently stuck with a clunky UI. And by being free, it'll create an extremely high bar for possible commercial products to clear. Combined with the extremely small market of low-cost SRE tools (so small in fact, that Hopper's author decided against porting their tool to Windows), we'll be stuck with IDA and Ghidra (and all their idiosyncrasies) for the next decade at least. Which is a damn shame.
The market is guaranteed to stay small if the "hobbyist" version of the software is $350/y. I've heard great things about it, but that's pretty far outside the "try it out for fun" range. I had a lot of fun experimenting with hardware hacking and dumping the firmware of an ARM device I own, but I'm certainly not paying $350 for one architecture for one year just to explore whether or not I like reverse engineering. What about kids hacking raspberry pis?
I respect people's right to sell software, but I'm tempted to crack out the world's tiniest violin when I hear people complain that FOSS is eating their lunch. Consider how much good FOSS compilers have done for the world, and how many more people were able to program computers that otherwise would never have been able to afford it.
I believe the pricing is high by necessity - we're talking about employing some dozen of people on the higher end of competency doing terribly unexciting work. Hobbyists should settle on the Hopper tool, which is $99 a year.
Also, if you wanted to advocate for FOSS, compilers are an all around terrible example. In fact, they prove my point: thanks to GCC and the likes, we're still stuck with hodgepodge of fragile build systems, platform-dependent code and poor IDE integrations. Hell, modern programmers will be right at home with 1988's compilers, seeing how Makefiles are still somehow relevant even today.
Compare that with the early 90's Turbo Pascal which had an IDE with a built-in help system, a build system, a debugger, and a profiler. We could've had competition to improve upon all that, and instead it's 2021, and you have to spend hours per project to keep the tooling from breaking. In my carreer, I've probably spent more paid hours setting up "free" tooling than I paid for commercial tools. It's just a sad lose-lose situation for everyone.
You mean writing reverse reverse engineering tools? Personally I can hardly think of a more exciting job.
Also blaming GCC for today's dev experience is just wrong. With some notable exceptions(VS debugger), the situation over at Microsoft is just as bad and in no way influenced by GCC.
Oh, believe me, it's boring as hell. It's just endless hours of making sense of incomplete hardware manuals, converting tables to code by hand and handling subtle hardware differences. And what I did was console game modding - something that did look exciting at the time. IDA itself must be even worse, seeing how its codebase is two decades old by now.
As for the modern dev experience, what else do you expect? FOSS starved small software vendors by raising the bar for commercial software, so Microsoft has barely any competition in their field. Sure, there's JetBrains software, but that's it?
I say this as someone who worked on another Eclipse SWT application that I think is very good, is still in use, and that I am very proud to have worked on, but the SWT UI is the one thing I absolutely hate about Ghidra. I feel like many aspects of that specific school of 00's enterprise-Java-application UX design aged about as well as a wheel of goat cheese left on the dash of a car on a 90-degree summer day. (In particular, when using SWT applications, I find the buttons and layout to be cluttered and hard-to-parse - for me, the bars of small, densely packed buttons are frustrating to work with. Also, something about the iconography in those programs is generally opaque and ends up making me feel kind of stupid.)
Doesn't this just prove that Ghidra is actually very, very old? By the UX alone, I'd place it in the 2003-2006 range, the time when the excitement of Mac OS X turned into a new generation of bombastic widget toolkits.
Binary Ninja (disclaimer: BN dev here)
Hopper
JEB
Relyze
That said, I 100% agree with the impact Ghidra has had on the market. It's definitely making it _much_ harder to sell a commercial product when a well maintained, zero cost, open source alternative is available. If we (Vector 35, Binary Ninja devs) hadn't been as far along in our development roadmap and growing our customer base as we were when Ghidra was released we'd likely have had to simply do something else which would be an overall loss for the community.
Who knows what other products/ideas will now never see the light of day. The barrier to entry was already extremely high in this space for a limited return, but now? Nearly impossible for anyone new to entry.
> ...it's already a dated product permanently stuck with a clunky UI...
I don't disagree with you. However we're discussing this in the context of IDA: A program whose user-interface is permanently stuck in the 90s. Its extremely idiosyncratic default key-bindings also betray exactly how dated its interface is.
I don't think Ghidras existence is unfortunate at all. Without it I, and a few people I know, would never have even touched this space. Ghidra is not perfect but a slick GUI is not something that is important in such a product.
Shenanigans like that the product owe to its author, Ilfak Guilfanov, who's a bit of a meme in the ex-USSR SRE community. Back in the '00s, when IDA pretty much had no alternative, one couldn't just buy it. No, to pay them money, you had to be either an estabilished name (ESET or Kaspersky worked just fine), or to subtly caress the author's ego until it gives. And I've seen paying customers being kicked off the support forum for asking uncomfortable questions, complete with rude private messages. I believe that at least twice, unrelated hackers took offense and leaked the full version anyway. Fun times.
Yeah, B2B is a wild world and this was my first time going for a ride. Ah well. You live you learn.
Speaking of which, last time this came up on HN ilfak cruised into the comments a week later, all "I can not find your nickname in our database," and I didn't see the reply until a year later. Well, the HexRays database had no problem finding my-nickname-at-gmail for the purposes of bugging me to renew, and just in case anyone thinks I'm making this up, here's the order. I also have an email with the download link and serial number -- the ones that didn't work -- and the ghosted support requests spread throughout the following year.
I'm sure this is a Hanlon's Razor thing, I just want to make sure that any naive young hackers considering the possibility of a last-time-buy on a perpetual license understand what they are getting into.
************************************************************
* Your order has been accepted.
************************************************************
Please retain this receipt for your records.
This e-mail confirms your order placed with Hex-Rays.
Payment data
------------
Beneficiary : Hex-Rays
Address : Rue Rennequin Sualem 34
BE-4000 Liege
Website address : http://www.hex-rays.com
General conditions : https://www.hex-rays.com/products/ida/t&c.pdf
Order date : 15/05/2016 22:40:05
Order reference : deWerd_4732_20160515
Ogone Payment reference : 3016168801
Order description : IDA license
Total : 1129.00 USD
Charging method : MasterCard XXXXXXXXXXXX----
Sub-brand : UNDEFINED
Status : Authorised
Authorisation code : ------
Haha yes. I remember that NFO like very few, perhaps m00 nfos but that’s it. The leaked IDA pro was fenomenal, can’t think of the group name to see if I can find it around. I’ll make an effort.
Sorry for the English, I do not speak well -- so, some idioms
may be translated directly and be incorrect for understanding for
native.
This release should serve as a life lesson to those who consider
themselves as "people 'blue' blood." It aims - in some ways
to bring down pride (swallow their pride), to tell these people
where to get off. Show that, besides them, there are other people
who should at least respect, appreciate their work and consider to
their opinions (or at least listen to).
This release is dedicated to one man and one company, which behave
antisocial, defiant, arrogant, are not considered to anybody or
anything, and therefore need to conduct a little "educational" work
from the community.
*** Let's start in order: one man - Ilfak Guilfanov.
I wanted to write a lot, then I thought - it makes no sense.
And so, in principle, nothing much to tell. Those who are "in" know
a lot about this person. It is impossible to buy IDA even if you
really want to do. I described some details about this in my blog,
'ida' tag (do not linking here, if you need - you will find it).
Also, you can read some more here (Russian only):
I apologize to crackers who were recruited in HexRays SA, you are
in some measure also falls under attack. But your head, sadly,
leaves no other choice.
In December 2007, after a memorable revelations of Ilfak in the
topic http://www.idapro.ru/forum/viewtopic.php?t=463, occurred
after warez-release of the IDA v5.5, I created another topic
http://www.idapro.ru/forum/viewtopic.php?t=458. In it I outlined
some thoughts about "double standards" of the author of IDA. Just
a small example. Struck up a brief conversation, which resulted in
Ilfak behaved absolutely inadequate (in his usual manner) and I was
banned on the forum. But that's not all. Before I was banned, he is
sent me a private message (PM):
I recommend to reconsider your attitude to people and to express
your thoughts in dealing with them.
In any case, at the moment you "reap" is what you had "sow" by
yourself.
I do not soft-pedal such things.
*** Next: company - ESET - NOD Antivirus developer
There is a saying: "Curses like chickens come home to roost"
(I have already voiced it in relation to you in 2008-2009th years).
Now it's time.
So, the characters from ESET (a minimum):
* J M - the main short-sighted and po-faced personage
* M Z (Customer [Un]Care; z@eset.sk)
* D N (Virus Researcher)
The ESET company treats software developers (small companies and
individual developers of shareware-products) as a shit, and does
not hide this.
