55 min · Advanced

Disassembly and Decompilation with Ghidra

After this lesson, you will be able to: Use Ghidra to disassemble and decompile a binary and read its logic, and understand where IDA and Binary Ninja fit.

Ghidra is the free, powerful reverse-engineering suite the NSA open-sourced. This lesson covers loading a binary, the difference between disassembly and decompilation, navigating functions, and reading the decompiled output to understand what a program does, with the commercial alternatives in context.

Prerequisites: Static Analysis: File Formats and Binaries

Disassembly vs decompilation

Disassembly turns machine code into assembly instructions: accurate but low-level and tedious to read. Decompilation goes further, reconstructing approximate C-like source from the assembly, which is far easier to follow even though it is not the original source (variable names are synthesized, some structure is lost). Ghidra does both side by side: you read the decompiled C to understand logic and drop to assembly when you need precision.
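To make "approximate C-like source" concrete, the added example below (not part of the original lesson, and not real Ghidra output) puts a small routine next to a hand-written reconstruction in the style of Ghidra's decompiler view, then checks that the two behave identically. The function `checksum`, the address in `FUN_00101149`, and the sample buffer are constructed for illustration; an LP64 platform is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Original source (constructed sample): names and types carry the intent. */
uint32_t checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = (sum << 5) + sum + buf[i];   /* sum * 33 + next byte */
    return sum;
}

/* Type names as they appear in Ghidra decompiler output (LP64 assumed). */
typedef unsigned char byte;
typedef unsigned int  uint;
typedef unsigned long ulong;

/* Hand-written in the style of the decompiler's view of checksum() in a
 * stripped build; the address is constructed. Synthesized names, a pointer
 * shown as a plain integer, and shift-and-add folded into "* 0x21" are
 * the kinds of differences from the original source to expect. */
uint FUN_00101149(long param_1, ulong param_2)
{
    uint local_14;
    ulong local_10;

    local_14 = 0;
    for (local_10 = 0; local_10 < param_2; local_10 = local_10 + 1) {
        local_14 = local_14 * 0x21 + (uint)*(byte *)(param_1 + local_10);
    }
    return local_14;
}

/* Returns 1 when both forms agree on every prefix of a constructed buffer. */
int views_agree(void)
{
    static const uint8_t sample[] = "constructed sample input \xff\x80\x01";
    for (size_t n = 0; n <= sizeof sample; n++)
        if (checksum(sample, n) != FUN_00101149((long)sample, n))
            return 0;
    return 1;
}

int main(void)
{
    printf("views agree: %d\n", views_agree());
    return 0;
}
```

Renaming `param_1` to `buf`, `param_2` to `len`, and `local_14` to `sum`, and retyping `param_1` as a byte pointer, is the kind of cleanup you do in the decompiler pane as the purpose of each value becomes clear.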

Ghidra: the free powerhouse

Ghidra, released by the NSA in 2019, is a full reverse-engineering suite with a strong decompiler, free and cross-platform. You create a project, import a binary, let it auto-analyze, then browse the function list, follow cross-references, rename variables as you understand them, and read the decompiler output. Its collaborative features and scripting make it viable for serious work. For a learner, it removes the cost barrier that used to gate this field.

IDA and Binary Ninja in context

IDA Pro is the long-time industry standard with a polished decompiler (Hex-Rays); IDA Free is a limited free version. Binary Ninja is a modern, well-liked commercial tool with a clean API. They are excellent, but Ghidra is free and capable enough to learn and do real work with, which is why this subtrack centers it. Skills transfer: once you can read decompiled output and follow control flow, the specific tool matters less.

Lab: read a benign binary in Ghidra

Use the benign sample from the static-analysis lesson.

  1. Create a Ghidra project and import the benign binary; let auto-analysis run.
  2. Open the function list and find main (or the entry point).
  3. Read the decompiler pane; rename variables and functions as their purpose becomes clear.
  4. Follow cross-references to see what calls what and how data flows.
  5. Confirm or revise the behavior hypothesis you wrote during static analysis, and note where dynamic analysis would tell you more.

Quick Check

What is the practical difference between Ghidra's disassembly and decompilation views?

Pick one.

Common mistakes only experienced analysts catch

  • Treating decompiler output as the real source (names are synthesized, some logic is approximated).
  • Not renaming variables/functions as you learn, then getting lost.
  • Ignoring cross-references, the map of how code connects.
  • Expecting auto-analysis to be perfect on packed/obfuscated binaries.
  • Buying IDA before learning on free Ghidra.
  • Spending hours in disassembly when the decompiler would have answered the question.
