
Ghidra Tutorial: A Beginner's Guide to Reverse Engineering

Learn Ghidra from scratch: install it, import a binary, run auto-analysis, and read the decompiler. A practical, beginner-friendly walkthrough.


If you are starting out in reverse engineering, Ghidra is the best free tool you can learn. This beginner-friendly tutorial walks you through installing it, importing your first binary, running analysis, and reading the disassembly and decompiler output — the core skills you will use every day.

What is Ghidra?

Ghidra is a free, open-source software reverse engineering (SRE) framework developed by the NSA and publicly released in 2019. It takes a compiled program — an .exe, a Linux ELF binary, a shared library — and reconstructs its structure so you can understand what it does without the original source code.

Its standout feature is a built-in decompiler that turns raw machine code into readable C-like pseudocode. Commercial tools historically charged thousands of dollars for that capability, so Ghidra being free changed the landscape for learners. To get the most from the output, it helps to keep an assembly reference close while you read disassembly, and a glossary of reverse-engineering terms handy for unfamiliar jargon.

Installing Ghidra

Ghidra is written in Java, so installation is mostly about getting the runtime right.

  1. Install a JDK. Ghidra needs a 64-bit JDK, not just a JRE, and the minimum version moves with releases (JDK 17 for older 11.x builds, JDK 21 since 11.2), so check the README of the release you download. Adoptium / Temurin builds work well on all platforms.
  2. Download Ghidra from the official GitHub releases page (github.com/NationalSecurityAgency/ghidra/releases). You get a single ZIP archive, there is no installer. Compare its SHA-256 against the hash published in the release notes before you extract it.
  3. Extract the archive anywhere you like, for example ~/ghidra.
  4. Launch it. On Linux or macOS run ./ghidraRun; on Windows double-click ghidraRun.bat.

That's it. Because it is self-contained, you can also keep it on a USB stick for malware analysis on an isolated machine. Analysis is static (Ghidra reads the file rather than running it, unless you deliberately use its debugger), but the sample still belongs on the isolated box, and so does the project you create from it: the project database stores a full copy of the imported binary.

Creating a project and importing a binary

Ghidra organizes work into projects, which are containers for one or more binaries plus all your analysis notes.

  1. From the main window choose File → New Project.
  2. Pick a Non-Shared Project (shared projects are for teams using a Ghidra server), name it, and choose a location.
  3. Import a binary with File → Import File and select your target. Ghidra auto-detects the format and architecture — confirm the language/compiler spec looks right, then click OK.
  4. Double-click the imported file in the project tree to open it in the CodeBrowser, Ghidra's main analysis workspace.

Beginner tip: practice on a small program you compiled yourself, like a "Hello World" in C. Build it first without optimization and with symbols (gcc -O0 -g) so names and types survive, then build a stripped copy to see what the FUN_ and iVar names look like when they don't. Knowing the source makes the output far easier to interpret.

Running auto-analysis

The first time you open a binary, Ghidra asks if you want to analyze it. Say yes and accept the default analyzers for now; you can re-run or tune them later with Analysis → Auto Analyze.

Auto-analysis is where Ghidra does the heavy lifting: it identifies functions, traces cross-references, recovers strings, and resolves library calls, which gives the decompiler the function boundaries and types it works from. On a small binary this takes seconds; on a large one it may take a minute or two. Let it finish before you start exploring.

Be aware that some programs deliberately fight this step. Malware and protected software use anti-disassembly tricks and code obfuscation to confuse the analyzer, so don't assume the auto-analysis is perfect on hostile targets.

The CodeBrowser splits into several synchronized panels. The four you will use constantly are:

  • Symbol Tree (left) — functions, labels, imports, and exports. Your table of contents.
  • Listing (center) — the disassembly: addresses, raw bytes, and assembly instructions.
  • Decompiler (right) — C-like pseudocode for whichever function you're viewing.
  • Program Trees / Data Type Manager — sections and the types Ghidra knows about.

Click any function in the Symbol Tree and the Listing and Decompiler both jump to it. The two stay in sync: click a line in one and the matching location highlights in the other. This pairing is the heart of Ghidra — read the readable pseudocode on the right, and drop to the precise assembly on the left when you need detail.

Reading the decompiler

The decompiler output won't look like the original source. Variables have names like iVar1 and uStack_20, and types are best guesses. That's normal. Your job as the analyst is to make it readable by progressively annotating what you understand.

Renaming and retyping

This is where reverse engineering becomes interactive. As you work out what something does, tell Ghidra:

  • Rename a variable or function by clicking it and pressing L (or right-click → Rename). Turn FUN_00401050 into parse_config.
  • Retype a variable with Ctrl+L to change its data type — for example from undefined4 to int * or a struct you define.
  • Add comments with a semicolon (;) on a line in either the Listing or the Decompiler to leave notes for your future self; right-click → Comments gives the other comment types (pre, post, plate).

Every rename propagates across the Listing and Decompiler, so the picture gets clearer with each correct label.

Finding strings and cross-references

Strings are gold for a beginner — they point straight at interesting behavior like file paths, error messages, and URLs.

  1. Open Window → Defined Strings to list every string Ghidra defined during analysis. If you suspect something is missing, Search → For Strings... scans memory for string-like byte runs the analyzer did not define.
  2. Double-click one to jump to it in the Listing.
  3. Right-click an address or symbol and choose References → Show References to (shortcut Ctrl+Shift+F) to find every place in the code that uses it.

Cross-references (XREFs) let you work backwards: find a suspicious string, then jump to the function that references it. Note that not every string lives in the strings table. Stack strings, built one character at a time at runtime, never exist as a contiguous byte sequence in the file, so neither Defined Strings nor a memory search will show them; you spot them only as a run of single-byte stores in the decompiler. A "clean" strings list does not mean a clean program.

Basic patching

Ghidra can also modify a binary. To change an instruction, right-click it in the Listing and choose Patch Instruction, then type the new assembly (for example, flip a JZ to a JNZ to bypass a check). Two constraints keep this safe while you learn. First, the replacement must assemble to the same number of bytes as the original, because Ghidra overwrites in place and cannot shift the code that follows; the short forms of JZ and JNZ are both two bytes, so that swap is clean. Second, the edit lives only in your project until you export it: use File → Export Program with the "Original File" format to write a patched copy to disk, then diff it against the original (cmp -l works) to confirm only the bytes you intended changed. A single byte changed in the wrong place breaks the file.
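The following practice target is an added example, not code from the page: a small C crackme to compile yourself, as the beginner tip above suggests, that also exercises the strings and XREF walk (one password sits in .rodata, the other is a stack string that Defined Strings will not list) and the JZ/JNZ patch described in this section. The password values and function names are arbitrary choices; the comments about emitted instructions assume gcc -O0 on x86-64.

```c
/* crackme.c: practice target for this tutorial (added example, not the page's code).
 * Build: gcc -O0 -o crackme crackme.c     (add `strip crackme` to get FUN_ names)
 * Run:   ./crackme <password>
 */
#include <stdio.h>
#include <string.h>

/* Password stored as an ordinary string literal. It lands in .rodata and
 * shows up in Window -> Defined Strings. Arbitrary value. */
static const char PASSWORD[] = "s3cr3t-p4ss";

/* Second password assembled one character at a time on the stack (a "stack
 * string"). At -O0 gcc emits one byte store per character, so the text
 * "hunter2" never exists contiguously in the file: Defined Strings will not
 * list it, but the decompiler shows the run of stores. Arbitrary value. */
static int check_stack_string(const char *input)
{
    char key[8];
    key[0] = 'h'; key[1] = 'u'; key[2] = 'n'; key[3] = 't';
    key[4] = 'e'; key[5] = 'r'; key[6] = '2'; key[7] = '\0';
    return strcmp(input, key) == 0;
}

/* Returns 0 for a wrong password, 1 for the .rodata one, 2 for the stack one.
 * After the first strcmp gcc -O0 typically emits
 *     test eax, eax
 *     jne  <skip>
 * Patching that JNE to a JE (Patch Instruction in the Listing) inverts the
 * decision: every wrong password is accepted and the right one is rejected. */
int check_password(const char *input)
{
    if (strcmp(input, PASSWORD) == 0)
        return 1;
    if (check_stack_string(input))
        return 2;
    return 0;
}

/* Only reachable after a successful check, so following the XREFs from the
 * "Access granted" string leads here and then to its single caller. */
static void print_flag(int level)
{
    printf("Access granted (level %d)\n", level);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <password>\n", argv[0]);
        return 2;
    }
    int level = check_password(argv[1]);
    if (level == 0) {
        puts("Access denied");
        return 1;
    }
    print_flag(level);
    return 0;
}
```

Import the compiled file, open Defined Strings and note that "s3cr3t-p4ss", "Access denied" and "Access granted (level %d)" are listed while "hunter2" is not; show references to "Access granted" to land in print_flag, rename it and its caller, then patch the JNE after the first strcmp, export with "Original File", and confirm that ./crackme anything now prints the granted message. Keep -O0: at higher optimization levels the compiler may fold the stack string into a wider immediate store or turn the constant strcmp into inline compares, which is a useful second exercise but hides the instructions named above.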

Scripting in one line

When you outgrow clicking, Ghidra's Script Manager (Window → Script Manager) lets you automate analysis with scripts written in Java or Python against the same API the GUI uses, and Window → Python opens an interpreter console for quick one-off tasks. Mind the Python flavor: the bundled interpreter is Jython (Python 2.7), with CPython 3 support arriving through PyGhidra in recent releases, so Python 3-only syntax and libraries may not work in older installs.

Where to go next

You now have the full beginner loop: import, analyze, read the decompiler, rename, chase strings and XREFs, and patch. The fastest way to improve is repetition on real binaries. Browse our full library of reverse-engineering techniques to learn the tricks programs use to resist analysis — and how to defeat them in Ghidra.

Ready to keep going? Pick a crackme, open it in Ghidra, and rename every function until the pseudocode reads like a story. That single exercise teaches more than any guide can.

Related articles

A fair, current comparison of IDA Pro and Ghidra across cost, decompilers, scripting, debugging, and which one fits students vs pros.
What is reverse engineering? Learn how analysts deconstruct software and hardware to understand, secure, and rebuild systems — plus how to start.
A beginner's guide to malware analysis: the four analysis types, building a safe lab, static and dynamic triage, and a learning path.