Favorite debuggers, disassemblers, extensions?

debugging

(EternalEclipse) #1

On Windows I use WinDBG with PyKd; for simple things and patching I sometimes use x64dbg with x64dbgpy.
On Linux, mostly gdb with pwndbg (IDA integration is nice) and pwntools, trying to get into radare.

And of course for static analysis, I think as of today nothing beats IDA Pro. Sark is a good upgrade from IDAPython.

What are your favorite debuggers for Windows / Linux?


#2

Personally, I’m a huge fan of radare, but since I usually don’t use vi, the interaction with the program is still a little strange to me.
Other than that, I believe it’s just a very clean and concise program for RE.
Another cool one is Binary Ninja, never used it myself though. But it’s supposed to come close to IDA in terms of utility.
Would love to hear from someone who actually used them what the big differences are between IDA and BN, or r2 and BN.


#3

Yes and no, BN does not provide any dynamic analysis as IDA does.

More information in the thread below :slight_smile:

RE guide for beginners: Methodology and tools

Best,
NItrax


#4

My favourite disassembler is radare2; I’ve mainly used this for reverse engineering and a little bit for pwning. Besides radare2, I’ve worked with the following programs in varying degrees: ollydbg, x64dbg, IDA Pro, Binary Ninja (the trial version), gdb and a few others. Let me point out why I especially like radare2:

  • It is a command-line tool. The advantage of this is that it allows you to quickly display important information. For instance, in debugging mode, the registers can be shown quickly with the “dr” command, instead of going through a few GUI views. Furthermore, there are no distracting views with redundant information; everything you want to know can easily be requested with a few keystrokes. Besides efficiency, there may be situations where using a GUI is not an option, for instance on a headless server. Lastly, it allows you to work solely with the keyboard and makes you look like a hacker :sunglasses:

  • Very efficient commands: As hinted earlier with the “dr” command, almost all commands are short and follow a command hierarchy. The commands are usually composed of a few letters such as “pxw”. Here the first letter “p” means print; this includes all printing commands. The second letter is to further specify the exact printing command; in this case the “x” indicates print in hex. The next letter again further specifies the print command to print the hexadecimals as 32-bit words. At any point in the command, the question mark can be inserted to show all possible options. For instance, the “p?” command can be used to show all possible printing commands. In this way, radare2 is to a large extent self-documented, although there are options that can be hard to find in the hierarchy.

  • File formats and architectures: One of the cool things about radare2 is that it supports a large number of different computer architectures and file formats to disassemble. With radare2 it is, for instance, possible to open files for the SNES, Nintendo 3DS firmware, WebAssembly, brainfuck and all other sorts of cool architectures. I believe that there are no other disassemblers that provide the same number of options regarding this aspect.

  • Open source: Of course, it is always nice to have an open-source tool; what else do I need to say here :stuck_out_tongue:

A few disadvantages:

  • A common critique is the steep learning curve of radare2; this I will not deny. I think learning radare2 can be compared with learning vim: at the start it is frustrating, as it is hard to figure out how to perform even the most simple operations such as writing or even exiting the file. Eventually, you will start to appreciate the elegance of vim and radare2 once you are over the initial struggles; at least that is how I look at both programs.
  • With radare, you can get lost if a program has very complex logic. It may be nice to use a disassembler with a GUI to have a better overview of the program in these cases.

There are probably more advantages and disadvantages that I forgot to include. Please, let me know if you have anything to add or disagree with me; that is, of course, also fine.


#5

I definitely have to agree with the complex logic. Where Binary Ninja and IDA provide easy-to-navigate flow graphs and tracing of execution, radare2 is within the terminal and can get hairy navigating through large code.

All in all, radare2 is great once you get to learning it and can be used on all platforms, so it makes it very versatile. Also, why learn 4 different tools to do the job that one can?


#6

IDA has been my favorite disassembler so far. Naming, Xrefs, colorizing blocks, comments and graph view make my job a lot easier. You see, I’m the type of guy that likes static code analysis better :stuck_out_tongue: I’ve recently tried out IDA’s debugger (yeah, just recently :smiley:); it’s pretty neat, but I like Immunity’s stack view better.


#7

I’m an IDA and Radare2 fan. I use IDA to understand the flow of execution and find the path I want to follow; then, to reverse complex logic and understand what each function actually does, I use radare2.
I should add that the Ghidra decompiler is very impressive. It gives really better code than IDA.


(he not busy being born is busy dying) #8

I for myself am learning to use gdb just very recently. Having installed the peda framework, it really helps in terms of visibility of the stack and registers. Also, the commands are intuitive and fairly easy to remember after a few interactions, as far as learning goes. Being a novice reverser, I am finding it quite easy to learn about the inner workings of machine code using peda.
Peda : Python Exploit Development Assistance
GitHub: https://github.com/longld/peda


#9

I don’t deal a lot with binary exploitation, so I stick with the basics: radare2 for the execution flow and gdb for altering registers etc., as radare2 is a bit hard to learn if you don’t invest much time in it. Although I’m trying to go full radare2.


(Not4Ghost) #10

I should mention that radare2 now has a GUI, still in the dev phase, known as Cutter. Check it out; it resembles x64dbg very much.


#11

Yes, thank you, I am aware of cutter but I have not really used it yet. I think it may become a nice open-source alternative to Binary Ninja or IDA Pro at some point. At least on Linux, good GUI alternatives to BN and IDA seem to be lacking.


#12

I have only been messing with it for a short time, but I am liking Ghidra. (I know.) Before that I was loyal to x64dbg but never really liked it; for some reason it just felt lacking. Ghidra is a blank canvas; you can really tell it was either released in a super stripped-down version or, what I believe, it was meant to be as bare bones as possible to allow for customization on a case-by-case basis. (Think about who this was developed for and by; writing your own plugins is an assumed skill.) I see myself sticking with Ghidra from now on.

~TKBomber

EDIT:
Two things I think should be said: there is no debugger, and I only downloaded this onto a qube that was disposable and copied it to a reasonably well-isolated qube. (A qube being a VM on Qubes.)


(he not busy being born is busy dying) #13

Oh the paranoia, the sweet sweet paranoia.


#14

Shush, the overlords are watching; they are always watching, listening, always. (Couldn’t help but play along.)

But really, the fact that it is supposed to open a port and could be a threat was why I took a light step. (Note I didn’t bother to look; I do draw the line somewhere.) Plus, I don’t think the NSA would risk that kind of lawsuit, or at least that much bad PR, to attempt to slip malware into something like that. I have not sat down and looked it over yet beyond the basics. Really, it’s less utilitarian than I expected; it has, just in odd ways, flash.