
> Ghidra has a lot of really cool features that IDA Pro doesn't, such as decompiling binaries to pseudo-C code.

To be fair, IDA Pro has a decompiler plugin to do this.



For which they charge a per-CPU fortune https://www.hex-rays.com/cgi-bin/quote.cgi


It's a funny situation, though: decompilation probably should cost a small fortune. If you're in a line of work that needs it, the quality of your decompiler is probably a huge factor in how valuable an hour of your time is, and many [most?] fields where people routinely decompile stuff are very highly compensated.

IDA has always had a weirdly low price point given the bill rates of people who use it, and it's interesting to see that price being competed all the way down to free.


> It's a funny situation, though: decompilation probably should cost a small fortune.

In the past, the same could have been said of compilers and even web server and mail server software.

> many [most?] fields where people routinely decompile stuff are very highly compensated.

If it's more freely available, and more people have experience with it, then the compensation might go down as the supply of people with this experience goes up. I'm not sure using salary as a justification of what a tool price should be makes a whole lot of sense. To me, it just sounds like an inefficient market because there's not enough competition (justification on the ground that it does much more than any competitor and thus can command a premium does though).


Another way to think about it is that if any piece of professional software should cost a lot, a super-specialized piece of software that is hard to duplicate, is a near industry standard, and is used almost exclusively by people with high bill rates should be expensive. But again, my point is: IDA costs a lot less than its place in the market suggests it should.

I'm not arguing that a capable free alternative is a bad thing. I think there's an industry business case study in what Hex-Rays could have done to keep this from happening, though.


> I think there's an industry business case study in what Hex-Rays could have done to keep this from happening, though.

Is the fact that Hex-Rays is Russian one of the reasons why Ghidra exists? (Honest question.) If so, is there anything they could have done differently?


AFAIK the author is Russian but lives in Belgium


Hex-Rays is in Belgium.


> But again, my point is: IDA costs a lot less than its place in the market suggests it should.

Sounds like every developer working on an open source stack.


Well, now the market is saying that such a tool should be open sourced and well, now it is.


I wouldn't say the market is doing that, government funded tool being released as FOSS is opposite to "the market".


Yeah, but it is the market - it's just not a perfect market; you know, the kind that can't exist.


No, "the market" means financial considerations created an opportunity that was fulfilled to generate profit. It could be that the economy gained via this FOSS release, and that was part of the consideration, but that would be structural interference by the government (which can be a good thing IMO) working in opposition to the market.

Market forces are often reined in, eg by human rights, those things aren't part of the market operating they're mitigations of the damaging effects. In this case it's an external force (gov action), not the market, that has created the availability of the product.


Hmm? Large customer of leading widget manufacturer decides to make its own widgets in-house instead and keep the build minus buy money (plus possibly getting a better widget). Totally normal market practice.

Large player in widget market has low marginal cost and deep pockets, sells widgets at marginal cost its competitors can't match. Also totally normal market practice.

Competitors exit market or are relegated to minor market share, leaving de facto sole survivor. Also totally normal market practice.

We could be talking about Chrome just as easily as IDA Pro here.


> In the past, the same could have been said of compilers and even web server and mail server software.

I'm not sure the exact same thing could have been said which to me seems like a testament to how complicated software pricing can be. Web servers never really sold†, platform vendors eventually figured out it's better for them for compilers to be free (non-platform vendors still sell compilers), etc.

† back in the 90s, Netscape used to pester web companies to make their Apache installs lie that they are Netscape web servers.


It depends on what you're doing. I imagine a lot of people use IDA Pro for modding video games, which often/usually provides no monetary compensation.

Perhaps they would benefit from some type of "free/cheap for noncommercial use" license?


Video game modders certainly use IDA. IDA's purchase price, though, is, ah, not an issue for them- not because they have lots of funds available, but rather quite the opposite.


To be fair, I don't think HexRays is oblivious to this dynamic, and to that end I think the freeware version they offer makes a lot of sense. Especially if it supports AMD64, which I'm hearing it does nowadays.

That's not going to prevent many people from taking the five finger discount I'm sure, since they'd rather have as many of the features as they can, but at least nobody can say HexRays isn't trying.


Yeah, but I think the big issue is the lack of decompiler. If you're new to RE, it's literally night and day between that and "assembly with stack variables renamed and some helpful comments". (Even Binja's MLIL is a huge step up from the annotated assembly IDA provides.)


Biggest limitation in the free version for me, as somebody who likes to tinker with old games as a pastime, is that it does not support any other instruction set than x86/x64 and not many executable formats either.

There are a lot of good and interesting games that were made in the DOS era for PCs which used the DOS4GW DOS extender, and their binaries come in the OS/2 executable format (LE/LX) which is unsupported in IDA's free version. A lot of good and interesting games also happen to run on game consoles which use non-x86 processors.

Ghidra probably won't have plugins to support all of these weird old legacy formats and CPUs which the full IDA package does for a while, but hopefully it'll get there eventually. If it doesn't seem too difficult, I might even try creating a LE loader for it myself.


I agree that the decompiler is amazingly useful... but it's pretty telling that there's really no alternatives that come close. I sympathize with hobbyists that pirate IDA Pro, but I personally wish we could do better than that.


There is a free (much less capable) version of IDA.


Which doesn't provide decompilation.


And has a very limited supported CPU arch / executable format selection.


And looking for vulnerabilities


Isn't that true for lots of software that's been driven down to zero cost, though? Like, say, TensorFlow? Given the business value of people who need to use TensorFlow, it "should" cost more than even IDA.

It feels like to stay in business with software like this, it has to be lucrative, but not too lucrative, or else FAANG companies (or occasionally governments, like in this case) will either gobble up or kill the market.


The pricing of IDA Pro is set to limit the size of the support work and to avoid liabilities. Do not know how it works now, but many years ago, as you were buying IDA Pro, they were asking questions and if anything seemed to imply that you want to hide the buyer's identity, they refused to sell.

That is, Hex-Rays do not want to have any business relationship with the proverbial would-be teenage hackers.

Outside of that, Hex-Rays is a small business which has probably around than 1mln eur/year of turnover and they do not want to grow it much more. It was a Basecamp-style business long before DHH made the concept of anti-growth popular.


It still works like that. I practically had to beg Hex Rays to take my money. They were very skeptical of me at initial purchase, it took about 2 hours of email exchange and phone calls.

When I went to renew my support, they grilled me again. This was just a few weeks ago. I gave up and figured Ghidra was just around the corner. Looking forward to trying it.

I emailed them and told them a) I didn't appreciate being treated like a criminal (won't get into the specifics, but one set of answers led to another set of questions, but I'm a consultant with my own company, website, physical address, company history, blog posts, etc. -- I work in security / reverse engineering of electronic devices)

I also told them I've never had to work so hard to give someone my money. Finally I gave up. Let the market speak.


I think IDA's lack of significant competition until now is nearly a textbook example of how charging a lot for a tool is no indication that the funds will go toward improving the quality.

What's been significantly improved in IDA over the last 10-15 years? Certainly not the x86 decompiler, which costs something like five times as much as IDA itself. The interface is still super-clunky and missing functionality like keyboard shortcuts for frequently-used functions.

I'm ecstatic that there's finally a realistic alternative.


Certainly the x86 decompiler improved! It hadn't existed. We also got graph view, a Python interface, a native Linux port using Qt, and 64-bit binaries.

IDA comes with amazing technical support. I've emailed complaints, then gotten a freshly-compiled build with a bug fix within a couple days. Funds are thus improving quality in ways that customers request.


Yes.

In fact, the essence of decompilation is an NP-Complete problem: Graph Isomorphism.

So far, our decompilers are just greedy schemes to approximate the original expressions as best as possible by treating each instruction as a tree then as a graph, but still even a single assignment could cause the entire outcome of the code to change a lot, let alone correctly recognizing heavily optimized procedures.

Edit: Wiki said it is NP-Complete but I was pretty sketchy about it. I think the better wording should be "at least NP"


Graph Isomorphism is not known to be NP-hard, that is we don't know a proof that a polynomial algorithm for GI implies NP=P. So it is "at most NP" rather than "at least NP", because GI is obviously in NP.


Reverse engineering doesn't pay that well-- IME at or just below par with software engineers.

So as one point of comparison you might look at the tools of software engineers, which are essentially all free today.

To get to hex-rays having a reasonable price you probably have to look at jobs like pipe welding where the equipment is expensive and the hourly high, but the comparison is much less direct.


In what fields is this type of tooling used routinely?


Besides the usual ones, I've had to use IDA Pro occasionally for compatibility purposes in my job as a NAS vendor.

There are lots of apps that make lots of assumptions about how filesystems behave, generally based on the local filesystem and maybe on one popular networked filesystem for the platform (NFS, SMB, AFP).

If one of those assumptions is violated, applications can crash or refuse to interact with you. Some just refuse to write to any networked filesystem. Some run only on whitelisted filesystems. Some will hit an error due to an unsupported operation on your filesystem, fall back to some ancient code path using long-since deprecated Carbon APIs that only work properly on 32 bit systems, and so truncate all of your data to 2 GB.

Problems like the latter are really helped by being able to do some reverse engineering of the application to figure out why the heck it just writes out the first 2 GB of the file.

Because this isn't our bread and butter but only an occasional tool in our toolbox, the licensing on IDA Pro can be rather frustrating. We use it only once every couple of years to debug some kind of compatibility issue like this, and so we usually have to dig around to figure out if we still have valid licenses, deactivate systems that we're no longer using, and so on.


Malware analysis and vulnerability research.


Would you mind answering some questions if you're familiar with the area (edit: hah, just noticed you posted to the OP to this whole thread.); What are some examples of firms that are involved in this work? Is it mostly a collection of smaller shops/individual contractors? After a cursory search, I seem to be seeing a lot of groups/labs comprised of relatively few people. Why are there so many references to high bill rates in these comments, is the pay especially notorious? That's something I haven't heard before.


My office is in the same building as BitDefender. I casually talked to some of the guys and they do use IDA Pro in their malware research department.

They mostly hire their researchers straight out of college if they have high C proficiency and train them internally to use IDA Pro.

I know my comment isn't exactly what you asked, but I hope it clears some light.


> My office is in the same building as BitDefender. (...) They mostly hire their researchers straight out of college if they have high C proficiency

Also partially OT, just wanted to say that I was a sort of college-roommate with one of their present-day senior security researchers in the early 2000s and to this day I remember that person as one of the most code-obsessed persons I have ever met, and I say that in a good way.

He was looking at almost every program running on our room's computer (yes, we only had one computer in our room of 4 or 5, no laptops) as a thing to be "broken apart"/analyzed/made sense of, he had a state of mind and a way of looking at things when it came to computers that I've never met since then at any other computer programmers (I've mostly met desktop, backend and front-end programmers, I'm a data-obsessed person myself). I realized in the meantime that in order to enter this "computer security" field and especially in order to be good at it you need to have a different set of skills and especially a different way of looking at things compared to other computer programmers.


So he is basically Stallman's hacker.


All software should be free, The marginal cost of one more user is exactly zero


> All software should be free, The marginal cost of one more user is exactly zero

All bridges should be free, The marginal cost of one more user is effectively zero.


If you're suggesting we should fund critical software in the same way that we fund bridges, then I support that motion.


Quite ironically for the GP, that's exactly what has happened in this case: a taxpayer-funded governmental organisation (NSA) has produced and released a public good for free consumption. They literally saw the toll bridge (IDA Pro), said ‘nope’ for whatever internal reason, built a new one downstream, drove their vehicles across it, and then said “hey folks, this over here is for you to use for free whenever you want”.


While I agree with your overall point, this isn't the greatest analogy, because a finite number of users are able to use a bridge simultaneously. A bridge with too many users is called a traffic jam.


A piece of software with users who can't support themselves when issues crop up (and sustain their longterm usage) has effectively the same issue.


Toll bridges are quite rare. Most bridges are publicly funded via taxes and free to use, just like Ghidra.


Speak for yourself, I pay a fortune in tolls.


Time to stop driving the Mass Pike (I know, regional humor/rant.)


Sometimes it's an hour or more in time savings.. Not MA, probably just as bad in DC.


Bad analogy. Bridges have upkeep.


The people who make software need to be paid. Where do you think that’s coming from – ads?


Currently, yeah.


Along these lines, the first customer should pay the millions of dollars it takes to market and produce the software and then they can do what they want with it.


The first user can cost a lot, however


Okay, then you be the first user and pay the R&D costs + the salaries + bug fixing future expenses. I hope you got a billion in your pocket.


$4k/cpu/year is really not very expensive at all for industry-leading niche software.

Good comparison might be Synopsys VCS. Prices are not published but I believe they are over $30k/cpu/year and for larger designs you really want a big sim server.


It does, but it costs an extra $1.5k on top of the main software, per architecture.


$2.6k+ you mean



