Hex-rays is moving to a subscription model

hex-rays.com

106 points by qw3rty01 4 years ago · 124 comments

nekitamo 4 years ago

I've been a customer since ~2010, and have been paying out of my personal pocket the $469 / year support renewal for a standard IDA Pro named license, which I've carried with me through various jobs in my career.

The new subscription model will almost double my costs ($900 / year), all while I've been getting less and less value with each update. Furthermore if I ever stop paying, I will lose access to the product.

Whereas if I stop paying now, I will maintain indefinite access to what I currently have.

I think I simply won't renew next year, and will rely on Ghidra to fill any gaps going forward.

  • masklinn 4 years ago

    > Furthermore if I ever stop paying, I will lose access to the product.

    Wow, not even a perpetual fallback license?

    I wasn't super thrilled when Jetbrains switched to a more subscription-based system, but being grandfathered in (so I didn't have to restart the subscriptions as if I were a new client), the heaps of existing goodwill they'd built up, made the changeover much less of an issue, and super importantly finally listening to customers and adding perpetual fallback licenses alleviated much of the fear.

  • ShrigmaMale 4 years ago

    The real reason for many subscription models is to juice more revenue from users, charging over time allows for a higher price with less sticker shock.

    • errantspark 4 years ago

      The real reason for the software as a service model is that it makes it easier to extract/capture value. Many SaaS offerings would be better at providing value to customers with non-SaaS architectures, unfortunately providing value to customers is second to providing value to shareholders.

      Don't pay for SaaS, don't encourage this bullshit. If foss offerings don't cover your usecase piracy is better for humanity than paying.

      • echelon 4 years ago

        So don't pay the engineers that built the product and continue to maintain it?

        That's fine with fixed priced software if the software is static and frozen in time, but most software is living and breathing and requires continual investment.

        You can absolutely use an old WordStar license. In fact, several notable authors do.

        • errantspark 4 years ago

          > So don't pay the engineers that built the product and continue to maintain it?

          Saas isn't the only way to pay people.

          > most software is living and breathing and requires continual investment

          Is it though? or is this broadly another side effect of value extraction focused engineering? I'm quite happy to buy a new version if it makes my life notably easier. CS2 is broadly a better experience than CC, etc. etc.

          • olliej 4 years ago

            > > So don't pay the engineers that built the product and continue to maintain it?

            > Saas isn't the only way to pay people.

            It kind of is if you have a product that people expect updates for, or you have to have very high prices, or a secondary source of income.

            > > most software is living and breathing and requires continual investment

            > Is it though? or is this broadly another side effect of value extraction focused engineering? I'm quite happy to buy a new version if it makes my life notably easier. CS2 is broadly a better experience than CC, etc. etc.

            But are you happy to pay for better architecture that doesn't have shiny new features? Or support for new X (depending on the product this could be image formats, it could be architectures)? etc

            To be clear I am not saying I want subscription based software, but I understand the business argument for it.

            • unionpivo 4 years ago

              > But are you happy to pay for better architecture that doesn't have shiny new features? Or support for new X (depending on the product this could be image formats, it could be architectures)? etc

              Depends on what product, and my use case.

              > To be clear I am not saying I want subscription based software, but I understand the business argument for it.

              Has nothing to do with more supported X or better architecture, it's just about money. In fact SaaS offerings are often compromised and worse off than when they were standalone (at least in my experience with software that made transition from standard releases to subscription).

              Additionally in my experience with software that went that route (standard paid releases to subscription) that just signals that the customer milking has become, and pretty much any new feature is looked at from how can we milk it standpoint.

              • olliej 4 years ago

                > pretty much any new feature is looked at from how can we milk it standpoint.

                That’s how more or less all features are chosen? The alternative is going out of your way to spend time/money on features you know have minimal/no interest.

    • vmception 4 years ago

      There was once a set of Christmas themed console controllers (one Red, one Green) with the model name "Profit Driver"

      For whatever reason at the time, that opened my mind to why people do things

  • ljhsiung 4 years ago

    I'm a big fan of the radare2 suite. The integration of its ecosystem/plugin support is phenomenal.

    Only the decompiler is better in Ghidra, IMO, but I'm sure there's a plugin for that.

  • TkTech 4 years ago

    I'm in the same boat. It's finally passed the point where I'd rather spend a few slow weekends adding missing QoL features to Ghidra than renew IDA.

  • teakettle42 4 years ago

    This is going to increase my costs from $4800/year to $8000/year, and yeah, no more perpetual license.

    I’ve been paying for Hex-Rays out of my own pocket for a decade because it’s a great tool, but $8000/year for a personal license subscription? Forget it.

  • squid_demon 4 years ago

    Just make sure you get the latest Ghidra update with the log4j issue addressed :)

    • shagie 4 years ago

      ... and readdressed. https://logging.apache.org/log4j/2.x/security.html

      > It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.

  • jdefr89 4 years ago

    BinaryNinja... Switch to that.

PragmaticPulp 4 years ago

As alternative tools like Ghidra or even some of the cheaper options like Hopper become more popular, I suspect Hex-Rays recognizes that corporate licenses are their bread and butter. From a business perspective it makes sense to squeeze as much out of these companies as they can get away with. The subscription costs are only a fraction of an annual salary.

Unfortunately this leaves the hobbyist and individuals behind. ~$1K/year isn't out of the realm of what I pay for other tools, but it's really hard to justify it when I can open Ghidra and get 95% of the way there without the subscription model.

IDA really is great for handling edge cases and obscure architectures, but I hope this last switch-up by Hex-Rays pushes even more developer attention toward improving the open-source alternatives.

  • nekitamo 4 years ago

    By squeezing out hobbyists and individuals, they're shooting themselves in the foot over the long term.

    The only reason any corporation I worked for purchased IDA Pro licenses was because I recommended it. The only reason I recommended it is because I could (barely) afford a personal license, and play with it in my own time.

    Going forward they're going to miss out on this word-of-mouth marketing, which I expect will negatively affect sales expansion going forward.

    • hunter-gatherer 4 years ago

      My shop cancelled our IDA licenses last year and forced us all to use Ghidra. The struggle lasted like 2 days. We have all been wildly impressed with Ghidra.

    • ohazi 4 years ago

      They should probably supplement this "expensive corporate SaaS pricing" model with a "free for personal use" option if they want to have any hope of maintaining their standing.

      • wila 4 years ago
        • FineTralfazz 4 years ago

          Maybe it's improved since, but last time I used IDA free the cloud decompiler was buggy and weird and it was overall a mediocre experience. I don't see why anyone would choose to use it instead of Ghidra unless they were explicitly trying to learn IDA because it's the industry standard, and I don't see it holding that position long-term unless they improve their free/cheap offerings.

        • anonymousiam 4 years ago

          Not sure if they've changed things because I haven't bought a product from them for almost 10 years, but back then the free option was several releases behind the current offering, and lacking many features. Also, back then there was NO free version of HexRays (a separate product).

          • bri3d 4 years ago

            As of May of this year, IDA Free is a lot less broken now, so they are making some progress. It's no longer ancient and it has the same "cloud based" Hex-Rays that the Home version does, albeit only for x64.

            • spijdar 4 years ago

              Home also only comes with the x64 "cloud" decompiler, at least if you buy the x86 version.

              Having paid for a home license last year (mostly for the ability to run Python scripts) and discovering the home version has a sabotaged python implementation (can only run scripts individually from the GUI instead of running them from the command line, and you don't get the toolkit to develop scripts/plugins), it seems kind of hilarious that the free version is so close in feature set to Home. What's the difference even? They're both for "non-commercial use only", is the (limited) python script interface the only reason to pay $365 a year now? That, Lumina, and email support?

              • bri3d 4 years ago

                I mean - script support is a big deal for a lot of use cases. I think the other big thing is that unlike Free, you can buy Home for other architectures (although only some and not all other architectures, another incredible mystery).

                I'd buy Home if it came in C167, not because I want to but because $365/year is still a lot less time than I'd spend writing/finishing a C167 module for Ghidra.

                Anyway, the pricing model doesn't actually make any sense no matter how you slice it, and this latest announcement is even more bizarre. I really wonder how long for this world Hex-Rays products are, the always glacial development pace is still quite slow and as a new generation of people start by using Ghidra, there will IMO be less drive to buy corporate IDA renewals going forward.

    • TOMDM 4 years ago

      They only lose out in the long term by doing this if you believe they can compete in the long term.

      If you're an exec at Hex-rays and you believe that Ghidra will eventually out compete you, then it makes sense to squeeze every penny you can before you're irrelevant.

      • saagarjha 4 years ago

        Does Hex Rays have an exec team? I thought it was just Ilfak and a couple others.

  • jjoonathan 4 years ago

    Long ago, when I got my first paycheck, I "went legit" and bought licenses for TextMate, Sublime, and IDA. Long story short, HexRays took my $1000 and never gave me a working version of their software. Bastards. I'm so glad there is an alternative now.

    To this very day, whenever I'm stuck slogging through the build or debug process of a Ghidra plugin that has a more mature alternative in the IDA universe, I occasionally let a tiny bit of that resentment bubble to the surface to propel me across the finish line.

    • rene77 4 years ago

      Shenanigans like that the product owes to its author, Ilfak Guilfanov, who's a bit of a meme in the ex-USSR SRE community. Back in the '00s, when IDA pretty much had no alternative, one couldn't just buy it. No, to pay them money, you had to be either an established name (ESET or Kaspersky worked just fine), or to subtly caress the author's ego until it gives. And I've seen paying customers being kicked off the support forum for asking uncomfortable questions, complete with rude private messages. I believe that at least twice, unrelated hackers took offense and leaked the full version anyway. Fun times.

      • jjoonathan 4 years ago

        Yeah, B2B is a wild world and this was my first time going for a ride. Ah well. You live you learn.

        Speaking of which, last time this came up on HN ilfak cruised into the comments a week later, all "I can not find your nickname in our database," and I didn't see the reply until a year later. Well, the HexRays database had no problem finding my-nickname-at-gmail for the purposes of bugging me to renew, and just in case anyone thinks I'm making this up, here's the order. I also have an email with the download link and serial number -- the ones that didn't work -- and the ghosted support requests spread throughout the following year.

        I'm sure this is a Hanlon's Razor thing, I just want to make sure that any naive young hackers considering the possibility of a last-time-buy on a perpetual license understand what they are getting into.

            ************************************************************
            * Your order has been accepted.
            ************************************************************
            
            Please retain this receipt for your records.
            
            This e-mail confirms your order placed with Hex-Rays.
            
            Payment data
            ------------
            
            Beneficiary                           : Hex-Rays
            Address                               : Rue Rennequin Sualem 34
            
                                                    BE-4000     Liege
            Website address                       : http://www.hex-rays.com
            General conditions                    : https://www.hex-rays.com/products/ida/t&c.pdf
            
            Order date                            : 15/05/2016 22:40:05
            Order reference                       : deWerd_4732_20160515
            Ogone Payment reference               : 3016168801
            Order description                     : IDA license
            
            Total                                 : 1129.00 USD
            
            Charging method                       : MasterCard XXXXXXXXXXXX----
            Sub-brand                             : UNDEFINED
            
            Status                                : Authorised
            Authorisation code                    : ------

        • no_time 4 years ago

          Did you do a bank chargeback? Losing $1k like that is brutal.

          • vizzah 4 years ago

            Should have done, of course. Most likely you were suspected to be buying for a warez group release =)

      • pelagicAustral 4 years ago

        Haha yes. I remember that NFO like very few, perhaps m00 nfos but that’s it. The leaked IDA pro was phenomenal, can’t think of the group name to see if I can find it around. I’ll make an effort.

      • pelagicAustral 4 years ago

        Found the NFO! Some bits:

          Sorry for the English, I do not speak well -- so, some idioms      
          may be translated directly and be incorrect for understanding for  
          native.
        
          This release should serve as a life lesson to those who consider   
          themselves as "people 'blue' blood." It aims - in some ways        
          to bring down pride (swallow their pride), to tell these people    
          where to get off. Show that, besides them, there are other people  
          who should at least respect, appreciate their work and consider to 
          their opinions (or at least listen to).                            
                                                                             
          This release is dedicated to one man and one company, which behave 
          antisocial, defiant, arrogant, are not considered to anybody or    
          anything, and therefore need to conduct a little "educational" work
          from the community.                                                
                                                                             
          *** Let's start in order: one man - Ilfak Guilfanov.               
                                                                             
          I wanted to write a lot, then I thought - it makes no sense.       
                                                                             
          And so, in principle, nothing much to tell. Those who are "in" know
          a lot about this person. It is impossible to buy IDA even if you   
          really want to do. I described some details about this in my blog, 
          'ida' tag (do not linking here, if you need - you will find it).   
          Also, you can read some more here (Russian only):                  
        
          I apologize to crackers who were recruited in HexRays SA, you are  
          in some measure also falls under attack. But your head, sadly,     
          leaves no other choice.                                            
                                                                             
          In December 2007, after a memorable revelations of Ilfak in the    
          topic http://www.idapro.ru/forum/viewtopic.php?t=463, occurred     
          after warez-release of the IDA v5.5, I created another topic       
          http://www.idapro.ru/forum/viewtopic.php?t=458. In it I outlined   
          some thoughts about "double standards" of the author of IDA. Just  
          a small example. Struck up a brief conversation, which resulted in 
          Ilfak behaved absolutely inadequate (in his usual manner) and I was
          banned on the forum. But that's not all. Before I was banned, he is
          sent me a private message (PM):                                    
                                                                             
          I recommend to reconsider your attitude to people and to express   
          your thoughts in dealing with them.                                
                                                                             
          In any case, at the moment you "reap" is what you had "sow" by     
          yourself.                                                          
          I do not soft-pedal such things.                                   
                                                                             
          *** Next: company - ESET - NOD Antivirus developer                 
                                                                             
          There is a saying: "Curses like chickens come home to roost"       
          (I have already voiced it in relation to you in 2008-2009th years).
          Now it's time.                                                     
                                                                                   
          So, the characters from ESET (a minimum):                                
                                                                             
            * J M - the main short-sighted and po-faced personage   
            * M Z (Customer [Un]Care; z@eset.sk)                 
            * D N (Virus Researcher)                            
                                                                             
          The ESET company treats software developers (small companies and   
          individual developers of shareware-products) as a shit, and does   
          not hide this.                                                     
                                                                            
        Full version: https://pastebin.com/2EXSaq11

        hahaha I knew it was legendary NFO.

  • anonymousisme 4 years ago

    Ghidra has been publicly available for less than half the time of IDA/HexRays, but it has really caught up fast.

    https://reverseengineering.stackexchange.com/questions/22676...

  • saagarjha 4 years ago

    > IDA really is great for handling edge cases and obscure architecture

    I find Ghidra to be much better at this, since people actually write loaders for it and you get a decompiler “for free”.

    • bri3d 4 years ago

      Agreed. I find IDA to be much better than Ghidra for common things: Windows C++ or Delphi applications and ARM Objective-C where the heuristic guided decompiler really shines and Ghidra gets lost easily.

      For the obscure architectures Ghidra does support, it's way better than IDA by virtue of having a decompiler alone. Even if the decompilation is subtly wrong, the broad strokes are so much easier to navigate that finding the right method to go through by hand is much easier.

      And once you dive into Ghidra's P-Code IR and more advanced plugin support and move beyond existing IDA plugins, it's honestly better than IDA for things nobody has done before.

      Now, there are some obscure architectures like C167 for which we still lack a working Ghidra processor model, but this is only a matter of time - and once it comes, it will already be way ahead of IDA!

      • psifertex 4 years ago

        If automation and analysis over the IR is your goal, Binary Ninja is the far better choice compared to both Ghidra and IDA. There's always things to work on but even most people who don't use Binary Ninja regularly who have evaluated it agree that our API/BNIL stack is superior to other options.

        Disclaimer: BN founder, so biased of course but I'm pretty up-front about our strengths/weaknesses.

        • xvilka 4 years ago

          I confirm. P-code IL is archaic and was designed at the onset of "decompiler science". Modern ILs are much more consistent and suitable for both uplifting and further analysis.

        • bri3d 4 years ago

          As I mainly reverse automotive hardware, I care about only Tricore, C167, SuperH, and PowerPC, in that order - which means Binary Ninja is out for me for the time being!

          Thanks for the post though, as I did look into adding a new Architecture and the setup for defining a new ISA is much simpler than it is in even Ghidra/SLEIGH, so kudos to that. Maybe if I find myself with a lot of free time I will try adding something.

          • psifertex 4 years ago

            Totally fair -- breadth of architecture support is definitely one of the biggest strengths of Ghidra! IDA does as well but purely for disassembly which isn't nearly as useful.

            EDIT: But yeah, we designed our lifting to be as simple as possible. Specifically the way we handle flags tends to simplify much of the normal tedium around what's required for other decompilers. If you do decide to build a C167 module, give us a look again. :-)

        • chevill 4 years ago

          Would you say it's easy or possible to learn reversing while you learn binary ninja? I bought a license a while back and was struggling to figure out how to do things I could easily look up tutorials for in other programs so I ended up not using it much. I found a couple of videos that were pretty out of date and other than that I saw that there were expensive training courses from a single company.

          You guys should try and get someone to write a book kind of like the IDA / Ghidra books that Chris Eagle did.

          There could be something out there I just missed. Got any advice?

          • psifertex 4 years ago

            So I do a weekly live-stream which is a bit much to follow to just casually learn: https://youtube.com/c/vector35

            But more importantly, there are video excerpts for some basic features which should at least help with understanding how to use BN:

            https://www.youtube.com/watch?v=xKBQatwshs0&list=PLCVV6Y9Lmw...

            We've got a few more in the editing queue I need to clear out as well.

            That said, I agree in terms of needing more intro tutorials would be helpful. Part of the problem with producing something like the IDA books is that we are under far too active development. Our UI and features have grown exponentially over the past few years so there was just never a good time to make something that wouldn't be out of date before it was even done.

            You might be interested in joining the Binary Ninja slack which is a great community for getting questions answered. https://slack.binary.ninja/

            There's also the free cloud version which doesn't have quite the same features but is an easier introduction without paying. https://cloud.binary.ninja/

    • megous 4 years ago

      True. I wanted to analyze some or1k binaries. No IDA support. Two weekends, and I had a disassembler and decompiler for the architecture, without writing any Java code. Just amazing.

      You don't even need to describe the whole instruction set, just all the instructions that your target binary uses.

      Such an amazing thing. And or1k is a nasty architecture with delay slots, which makes manual assembly reading quite tedious, etc. So the decompiler "C" output is very useful in this situation. I was in awe.

  • ivanmontillam 4 years ago

    I've seen IT Security vendors do this as well, in the space of vulnerability scanners specifically.

    There's this new trend that big players (vendors with the size enough to appear in Gartner), that are investing heavily in bridging the gap between them and the end user, at the expense of the small players (independent IT Security consultants and boutique firms).

    Their new SaaS offerings are marketed as next generation, while making it seem that their previous product is just legacy and no longer recommended. However, it's the legacy product what got them the growth to be there today.

    Their On-Prem offering is still for sale, but at a cost very hard to justify. Almost no small player can afford such a cost.

    I understand the business rationale behind a product management decision like this. But not because it was the right decision at the moment, automatically I have to feel great about it.

loves_mangoes 4 years ago

Taking away the option of perpetual licenses is an interesting business decision. Jetbrains makes the subscription model work, but they also do give you a permanent license to older versions after 1 year of subscription (which is a great incentive to keep people renewing!)

Historically, IDA Pro's sales and licensing has always been a bit of a headache for customers. I could understand that the OPEX model makes it easier for some companies to keep renewing.

That just goes to show that I'm not their target market. Even if IDA had a pay-what-you-want option, the 10-20 I'd be willing to pay per month while using a leaked version is clearly completely negligible compared to what they normally charge.

And I'm happy to just use Ghidra instead of bothering with an IDA leak, so I suspect this announcement might simplify things for their existing corp users, but it'll probably not do a great job of expanding the home userbase.

  • dcminter 4 years ago

    JetBrains had a mis-step on the way to that model (but had the sense to listen to their customers): https://blog.jetbrains.com/blog/2015/09/18/final-update-on-t...

  • thaumasiotes 4 years ago

    > Jetbrains makes the subscription model work, but they also do give you a permanent license to older versions after 1 year of subscription

    That happened after they announced the switch to a subscription model to overwhelmingly negative feedback.

    • ygjb 4 years ago

      You do realize that is a win from a customer service and reputation perspective? Jetbrains listened to their customers, and amended their model. That is the kind of responsiveness I would appreciate in a vendor, especially if it's a vendor that produces tools that I enjoy using or help me make money.

      Anyone who has worked on customer facing projects or tools knows there is always overwhelmingly negative feedback to billing increases. What is less common is vendors being responsive to that in a way that is actually beneficial to customers. That is doubly the case when you are dealing with high quality, specialty tools that have free or open source competitors that are good enough to get by, but not great (Adobe suite vs various free and open tools, for example).

  • skoskie 4 years ago

    Jetbrains is also just $5/mo for the one app I use, and I get a lot of functionality for that.

MikeBVaughn 4 years ago

I really like IdaPro, but this guarantees that I move to Ghidra.

I think the worst part though is the bit about prohibiting future re-downloads for users who bought perpetual licenses in the past. The sort of company that pulls that nonsense is very precisely not the kind of company I expect to provide a good customer experience in a subscription product/service.

That is absolutely, 100% a complete deal breaker when it comes to the prospect of me ever doing business with Hex-Rays.

  • ntauthority 4 years ago

    > I think the worst part though is the bit about prohibiting future re-downloads for users who bought perpetual licenses in the past. The sort of company that pulls that nonsense is very precisely not the kind of company I expect to provide a good customer experience in a subscription product/service.

    IDA never offered redownloads past the end of your 'support period'. As their last renewal email to me said:

    > Please check our web site and the protected area for new files. If you find anything interesting or useful, feel free to download it immediately. Once your support period is over, the server will not prepare new download links!

    • MikeBVaughn 4 years ago

      Thanks for catching that! The core point still stands, though, I think that approach is customer-hostile and entirely at odds with the sort of customer service I expect from a company offering a subscription.

jchw 4 years ago

Dear Hex Rays: I’m not switching to subscription for these prices. Signed, a paying customer with multiple licenses, and future Ghidra user.

CoastalCoder 4 years ago

I'm curious about the interplay of two items from their FAQ:

> 10. What if I do not renew my subscription? If subscriptions are not renewed, you will lose access to the software on the day that a new subscription should have started. Please note that the software will stop working if not renewed.

> 13. I have an IDA perpetual license, when do I have to change to a subscription? At the end of your current support period all renewals will be moved to the subscription model. We are offering our existing users an opportunity to pay only your current renewal price for your first year on the subscription plan.

So maybe I'm mistaken, but it sounds like they're trying to renege on perpetual licenses?

  • delusional 4 years ago

    Just below:

    > 14. What if I don’t renew on the subscription plan? Existing users can continue to use the version of IDA Pro/Decompiler they have purchased under the perpetual license model indefinitely. However, they will not be able to receive product updates and tech support after the 12-month support expires. No re-downloads of past versions will be provided, so make sure to keep all necessary backups.

    • orra 4 years ago

      > No re-downloads of past versions will be provided

      Far, far bigger firms get away with nonsense like this. But IMHO it's a violation of the CJEU case UsedSoft GmbH v Oracle (paragraph 85).

    • CoastalCoder 4 years ago

      That's a bit embarrassing, thanks for the correction.

      It didn't occur to me that some FAQ items would modify others, so I stopped reading at #13.

    • catskul2 4 years ago

      > 10. What if I do not renew my subscription?

      > 14. What if I don’t renew on the subscription plan?

      Not sure how a contraction and the word "on the", "plan" make those separate questions...

      • delusional 4 years ago

        I agree. It's confusingly written, you basically have to read the answer (or the previous question) to guess that it's about perpetual licenses.

marcodiego 4 years ago

https://ghidra-sre.org/

ebeip90 4 years ago

This is the dumbest thing they could do.

“Ah yes, all you hackers and crackers, please take this DRM’ed copy of IDA and please obey the licensing agreement and don’t bypass the DRM.”

  • yjftsjthsd-h 4 years ago

    I'm not in this scene so take with a grain of salt, but I've heard that in many circles cracking your own copy of IDA was considered a rite of passage long before this particular change, and the company honestly may not care if their whole intent is to target the corporate market (a bit like how Adobe benefited greatly from Photoshop being widely pirated). Of course, the dynamic may also be changed by FOSS options becoming real competitors.

    • jamesfinlayson 4 years ago

      Oh really? I remember reading that each customer got a customised build so that if a customer did crack their version they could see who did it based on the cracked binary.

    • thaumasiotes 4 years ago

      > and the company honestly may not care if their whole intent is to target the corporate market

      If their goal is to target the corporate market, then they do care about individual hobbyists cracking their product - they'd be in favor of it.

      • rene77 4 years ago

        Oh no, they were sore about this like you wouldn't believe. They'd rather refuse a legitimate customer than risk a leak. I can't even say they were entirely wrong: the sensitive nature of reverse engineering makes it hard to make sure you won't get ripped off. Still, they did take this personally.

    • chevill 4 years ago

      They have a reputation of being one of the most aggressively anti-piracy companies that exists.

  • z2 4 years ago

    I've heard that IDA explicitly allows licensed users to decompile IDA itself. What's stopping someone from reverse engineering it transparently and making a competitor?

    • dragontamer 4 years ago

      > What's stopping someone from reverse engineering it transparently and making a competitor?

      Mostly that Ghidra is open source and no one would be willing to go through the hassle of reverse engineering IDA when Ghidra is just sitting right there...

    • rene77 4 years ago

      Decompilation isn't exactly rocket science: just about anyone capable of hacking on clang or gcc can write a simple decompiler. The entire point of IDA was that they've done that, and also a lot of tedious, boring work on providing support for lots and lots of different CPUs. There's just no secret sauce recipe for SREs to steal - even their FLIRT tech is documented on their site.

    • dymk 4 years ago

      Probably patent law, unless it’s a black-box reverse engineering, in which case you can’t use a disassembler to peek at how it works

      • olliej 4 years ago

        Copyright law is what you're after.

        Patent law doesn't care about how you get to the same thing - independent invention does not work as a defense.

        IANAL, I'm a random on HN, if you take this as legal advice I don't know what to tell you :D

    • unbanned 4 years ago

      No it doesn't, it also has a level of protection built in to stop decompiling itself

    • marcodiego 4 years ago

      Because reverse engineered code is usually a mess, unmaintainable and takes a lot of effort to make even small improvements. Also, you run the risk of being accused of copyright infringement.

      • thaumasiotes 4 years ago

        You mean decompiled code? Reverse engineered code is just code that someone wrote to match the existing functionality of something else.

        • marcodiego 4 years ago

          Yeah, right. I mixed up things. Clean-room reverse engineering is, AFAIK, legal.

  • GlitchMr 4 years ago

    If I had to guess, they probably don't care about home usage of Hex-rays. Businesses have more to lose when using cracked versions of Hex-rays.

0xbadc0de5 4 years ago

I had used IDA+HexRays for a few years between 2009 - 2017 but abandoned it entirely in favor of Binary Ninja and Ghidra (and to a lesser extent Hopper and Radare).

While IDA certainly has the first mover advantage, I've found that Binja and Ghidra in combination are able to achieve full coverage of my targets. If you're just targeting x86, you can probably get away fine with Ghidra. Although I've found for non x86 ISA's, Ghidra and Binja each have better or worse support for certain arch's but the Venn diagrams overlap to full coverage.

marcodiego 4 years ago

This is what happens: you've got enough corporate clients dependent on your product; you know they can pay what you're asking and it would be even more expensive for them to invest in alternatives; you also see that alternatives will improve and take your market in the long run, but when that happens you will be already retired.

I think we've seen this happen with other tools before.

  • jchw 4 years ago

    IMO: IDA Home was the response to Ghidra. They could’ve raised or lowered rates without this change. But, subscriptions are probably a response to… perpetual licenses. Because I can keep using my current version of IDA forever, and with updates usually slower than the speed of smell it’s pretty alluring sometimes. I mean fuck, IDA Pro hasn’t updated since like April. Not because there's no bugs or no features that could be added, it just doesn’t get that many updates in a year. This is not the worst thing and I am sure there’s a reason, but yeah it makes the value proposition of keeping the support license alive a lot weaker.

    Of course Hex Rays wants people to ditch perpetual licenses. Because I can just not pay and use my current IDA and Hex Rays licenses as long as I want. And at this point, I am probably going to do exactly that, and transition to greener pastures as I am able to.

    It’s not like their licensing was generous before either. Before, you had to pay separately for each decompiler, including x86 vs x64, AND for each platform you want to run IDA on, you need another full set of licenses. That fucking sucks. This new scheme may have improved some of that, but at the cost of perpetual licenses and both higher starting and renewal rates, it’s extremely difficult to see this as a win.

    I wanted to like Hex Rays. The high cost was literally never an issue for me other than for accessibility reasons. The software is useful and featureful and the lack of annoying DRM was good. But this, plain ass sucks. Between IDA Home and subscriptions, it’s hard to imagine how much harder Hex Rays could spit on home users other than flat out telling them to take a hike.

    And yeah, at the end of the day I’m sure a lot of thought went into this, but I hope the response doesn’t go unheeded. I am not downgrading to a subscription under any conditions.

TavsiE9s 4 years ago

I hope Ghidra and alternatives take their customers.

rowanG077 4 years ago

Another one bites the dust. It's fortunate we have ghidra, although it can't compete yet on feature level. I guess the positive thing is that ghidra development will accelerate now.

  • rene77 4 years ago

    Ghidra's existence is a bit unfortunate, really. While it was released relatively recently, it's already a dated product permanently stuck with a clunky UI. And by being free, it'll create an extremely high bar for possible commercial products to clear. Combined with the extremely small market of low-cost SRE tools (so small in fact, that Hopper's author decided against porting their tool to Windows), we'll be stuck with IDA and Ghidra (and all their idiosyncrasies) for the next decade at least. Which is a damn shame.

    • ahepp 4 years ago

      The market is guaranteed to stay small if the "hobbyist" version of the software is $350/y. I've heard great things about it, but that's pretty far outside the "try it out for fun" range. I had a lot of fun experimenting with hardware hacking and dumping the firmware of an ARM device I own, but I'm certainly not paying $350 for one architecture for one year just to explore whether or not I like reverse engineering. What about kids hacking raspberry pis?

      I respect people's right to sell software, but I'm tempted to crack out the world's tiniest violin when I hear people complain that FOSS is eating their lunch. Consider how much good FOSS compilers have done for the world, and how many more people were able to program computers that otherwise would never have been able to afford it.

      • rene77 4 years ago

        I believe the pricing is high by necessity - we're talking about employing some dozen people on the higher end of competency doing terribly unexciting work. Hobbyists should settle on the Hopper tool, which is $99 a year.

        Also, if you wanted to advocate for FOSS, compilers are an all around terrible example. In fact, they prove my point: thanks to GCC and the likes, we're still stuck with a hodgepodge of fragile build systems, platform-dependent code and poor IDE integrations. Hell, modern programmers will be right at home with 1988's compilers, seeing how Makefiles are still somehow relevant even today.

        Compare that with the early 90's Turbo Pascal which had an IDE with a built-in help system, a build system, a debugger, and a profiler. We could've had competition to improve upon all that, and instead it's 2021, and you have to spend hours per project to keep the tooling from breaking. In my career, I've probably spent more paid hours setting up "free" tooling than I paid for commercial tools. It's just a sad lose-lose situation for everyone.

        • no_time 4 years ago

          > doing terribly unexciting work.

          You mean writing reverse engineering tools? Personally I can hardly think of a more exciting job.

          Also blaming GCC for today's dev experience is just wrong. With some notable exceptions (VS debugger), the situation over at Microsoft is just as bad and in no way influenced by GCC.

          • rene77 4 years ago

            Oh, believe me, it's boring as hell. It's just endless hours of making sense of incomplete hardware manuals, converting tables to code by hand and handling subtle hardware differences. And what I did was console game modding - something that did look exciting at the time. IDA itself must be even worse, seeing how its codebase is two decades old by now.

            As for the modern dev experience, what else do you expect? FOSS starved small software vendors by raising the bar for commercial software, so Microsoft has barely any competition in their field. Sure, there's JetBrains software, but that's it?

    • MikeBVaughn 4 years ago

      I say this as someone who worked on another Eclipse SWT application that I think is very good, is still in use, and that I am very proud to have worked on, but the SWT UI is the one thing I absolutely hate about Ghidra. I feel like many aspects of that specific school of 00's enterprise-Java-application UX design aged about as well as a wheel of goat cheese left on the dash of a car on a 90-degree summer day. (In particular, when using SWT applications, I find the buttons and layout to be cluttered and hard-to-parse - for me, the bars of small, densely packed buttons are frustrating to work with. Also, something about the iconography in those programs is generally opaque and ends up making me feel kind of stupid.)

      • rene77 4 years ago

        Doesn't this just prove that Ghidra is actually very, very old? By the UX alone, I'd place it in the 2003-2006 range, the time when the excitement of Mac OS X turned into a new generation of bombastic widget toolkits.

    • psifertex 4 years ago

      Those are not the only choices:

      Binary Ninja (disclaimer: BN dev here), Hopper, JEB, Relyze

      That said, I 100% agree with the impact Ghidra has had on the market. It's definitely making it _much_ harder to sell a commercial product when a well maintained, zero cost, open source alternative is available. If we (Vector 35, Binary Ninja devs) hadn't been as far along in our development roadmap and growing our customer base as we were when Ghidra was released we'd likely have had to simply do something else which would be an overall loss for the community.

      Who knows what other products/ideas will now never see the light of day. The barrier to entry was already extremely high in this space for a limited return, but now? Nearly impossible for anyone new to enter.

    • livinginfear 4 years ago

      > ...it's already a dated product permanently stuck with a clunky UI...

      I don't disagree with you. However we're discussing this in the context of IDA: A program whose user-interface is permanently stuck in the 90s. Its extremely idiosyncratic default key-bindings also betray exactly how dated its interface is.

    • rowanG077 4 years ago

      I don't think Ghidra's existence is unfortunate at all. Without it I, and a few people I know, would never have even touched this space. Ghidra is not perfect but a slick GUI is not something that is important in such a product.

  • skeletron 4 years ago

    What features of Ghidra do you find lacking?

    I've only recently started using it, after being an IDA user for many, many years, and would be interested to know in advance where it falls short, in comparison with IDA or just generally.

    • guitarbill 4 years ago

      Not parent, but shifted pointers is something that's sorely missed when you need it. There's a few other bugs/annoyances, none are deal breakers, but they do build up. The interface is also quite clunky for big projects.

      • attheicearcade 4 years ago

        Hadn’t heard of shifted pointers before, thanks. There is an open PR to Ghidra which adds them, they seem very useful. I’ve run into many places which would benefit from them.

markus_zhang 4 years ago

Does anyone know whether it is possible to purchase a legacy license (and don't expect any update once they move to subscription model) for IDA right now? I'm preparing to get into reverse engineering but haven't looked into IDA because I'm still sharpening up my C, assembly and Operating System skills.

Actually, for a hobbyist, maybe the Home edition is good enough? It does have Python scripting capacity, local debugger (I guess I can just use Windbg for windows) and decompiler (although it's cloud based so I'm not sure what does it mean).

Edit: just checked the quote for IDA Pro and it's some 5000+ USD, it's a bit heavy for me.

  • roblabla 4 years ago

    Honestly, as a hobbyist, I'd really recommend looking into Ghidra. It's really great, can be modified to suit your needs much more easily both thanks to its open source nature but also because of its really good API (IDA's scripting API is a huge mess...). Its decompiler is also really really good, and keeps getting better.

    This is coming from someone who has access to an IDA Pro license through work, and uses both it and Ghidra daily. IDA does a few things better than Ghidra (Lumina is much better than ghidra's FIDB, the debugger support is a bit more feature-complete), but it's certainly not worth the steep price IMO.

    • markus_zhang 4 years ago

      Thanks. Guess I'm going to try out Ghidra later. It probably has way more than what I need.

  • CoastalCoder 4 years ago

    I'm not really familiar with the relative merits of the different tools, but:

    If you're just getting into this area, perhaps it makes sense to gain expertise with a tool that is likely to be around for a while (e.g. Ghidra) rather than one with a now-uncertain future?

sharklazer 4 years ago

Oddly, I’ve written my own decompiler stack from scratch for ARM thumb to “dumb” C for embedded systems, based on radare2. I looked at all the existing tooling and said “That would make sense in a professional capacity” before this change. But this is a little ridiculous, given how easy it is to write decompilation and reveng tooling, if you’ve got some compiler know-how and you’re willing to read manuals for those tricky details.

Also, just to be clear, my tooling only really covered what I needed. It was pretty crude. But amazingly simple to stitch together aside from a few gotchas.

livinginfear 4 years ago

> We have halved the price of our products on this new model and hope that it will allow more users to access the software.

I love the gall they have to say this.

When I saw the headline, I thought that a subscription model might provide more amenable pricing than the USD$1800 for IDAPro, and actually give access to more users. At this pricing, they've absolutely ensured that I never pay again. IDAPro is already a product that's diminishing in comparison to the competition year after year.

unixhero 4 years ago

Ah the good old death of good tools.

nice_byte 4 years ago

i liked the old design on their website better. though this one fits better with the whole "software as a service" thing, i suppose.

fileoffset 4 years ago

IDA license has always been a joke.

Long live Ghidra!
