disassemblers

Started by shankle, January 07, 2016, 12:17:37 AM

shankle

As far as I can tell Ollydbg for a 64-bit computer does not work yet.
Idapro is out of the question.
Softice no longer exists.

Any suggestions?

fearless

Disassembler or Debugger?

http://www.arkdasm.com/ - 64-bit interactive disassembler
http://x64dbg.com/#start - 64bit/32bit debugger (open source on github)

Grincheux


guga

It depends exactly what you want to do. Idapro provides a "pretty" interface, but... masks the result of the true disassembly process from the Flirt engine.

RosAsm disassembler provides a better result in terms of accuracy (according to the size of the PE and its internal organization), and can reassemble the app, but so far it only works for 32-bit PE (I didn't have time yet to implement other features or fix the development, nor a technique I called the Digital DNA system, which is another approach to the Flirt engine, but more accurate). Totally free and open source.

Ollydbg provides a good result too, sometimes more accurate than IDA (when used in raw mode, I mean, without fancy tools like Flirt, typelib and other sorts of attempts at data recognition etc.). Totally free.

So, it all depends on your needs. Those 3 tools are the best choices for disassembly of PE files (other types of files IDA can handle too, but I dunno the accuracy of it).

IDA is expensive, but still a good alternative. The demo version was OK, the last time I saw.
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com

Grincheux

I don't find Flirt Engine. The only thing I have found is uvudec
https://github.com/JohnDMcMaster/uvudec/tree/master/util

jj2007

Quote from: Grincheux on January 07, 2016, 01:17:15 AM
Make your choice here

Interesting comparisons.
Below is a side-by-side comparison for two of them, based on this code:
include \masm32\include\masm32rt.inc ; plain Masm32 for the fans of pure assembler

.code
AppName db "Masm32:", 0

start: MsgBox 0, "Hello World", addr AppName, MB_OK
exit

end start


Would be nice if some proud owner of IDA Pro could post a screenshot for the same code. I've tried the freeware version right now, but it fails miserably on Win7-64, with a range of obscure error messages like "EAccess violation". The uninstall.exe worked fine, though 8)

guga

Phillip, Flirt can be seen here: https://www.hex-rays.com/products/ida/tech/flirt.shtml

But, again... the way Ilfak did it, it only masks the true disassembly code. Compare the differences between an app disassembled with the library recognition and the same disassembly without it.

I made some tests with this years ago with René (the original author of RosAsm, retired now) and we developed another approach, although we never had time to finish it. It is in my plans to implement it in RosAsm, but not before I can enhance the accuracy of the disassembler itself. Since Flirt or even the DIS (the one we are developing) are mainly small tricks to identify a chain of code and set the proper flags before the main disassembly process starts, they may lead to inaccuracy. The problem is that if you have an app whose library is not provided, the resulting disassembled code will have flaws, because you didn't fix those without the "trick".

Olaf, on the other hand, is doing great work with Olly, making things simple and leaving these recognition techniques in the background. That's why Olly and RosAsm are a better choice than IDA in this respect. Olly provides the equates etc., while I didn't have time to do the same for RosAsm, but in terms of accuracy the results of both are better than IDA's.

In any case, I always use those 3 tools together. When one of them fails in what I'm analyzing, I look at the other one.
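
The library recognition discussed in the post above, reduced to its core as an added example (not part of the thread, and not IDA's FLIRT format or RosAsm's code): byte patterns with wildcards for bytes that change at link time are matched at function entry points before disassembly. All function names, byte sequences and entry offsets are constructed for illustration.

```python
# Added illustration: simplified signature-based library recognition.
# Not IDA's FLIRT format; every name, byte and offset here is constructed.

def parse_pattern(text):
    """'68 .. .. .. ..' -> [0x68, None, ...]; '..' marks a link-time-variable byte."""
    return [None if tok == ".." else int(tok, 16) for tok in text.split()]

def matches(pattern, code, offset):
    """True if every fixed byte of the pattern equals the code at this offset."""
    if offset + len(pattern) > len(code):
        return False
    return all(p is None or p == code[offset + i] for i, p in enumerate(pattern))

def recognise(code, entry_points, signatures):
    """Map each entry offset to the sorted signature names that match there.
    [] = unknown (left to plain disassembly), one name = labelled,
    several names = ambiguous, so the label cannot be trusted."""
    return {off: sorted(n for n, pat in signatures.items() if matches(pat, code, off))
            for off in entry_points}

# Constructed "library" signatures. The push imm32 / call rel32 operands are
# wildcarded because the linker fills them in differently for every program.
SIGNATURES = {name: parse_pattern(pat) for name, pat in {
    "_strlen_like":  "8B 4C 24 04 33 C0 80 3C 01 00 74 03 40 EB F7 C3",
    "_print_banner": "55 8B EC 68 .. .. .. .. E8 .. .. .. .. 83 C4 04 5D C3",
}.items()}

# A signature that stops too early: it covers only a common prologue.
TOO_SHORT = {"_log_error": parse_pattern("55 8B EC 68 .. .. .. .. E8")}

# Constructed 32-bit code: one strlen-like routine, two copies of the banner
# routine linked with different addresses, and one function no signature covers.
STRLEN   = bytes.fromhex("8B4C240433C0803C0100740340EBF7C3")
BANNER_A = bytes.fromhex("558BEC6800304000E81000000083C4045DC3")
BANNER_B = bytes.fromhex("558BEC6810504100E8F0FEFFFF83C4045DC3")
UNKNOWN  = bytes.fromhex("558BEC8B450803450C5DC3")

IMAGE = STRLEN + BANNER_A + BANNER_B + UNKNOWN
# Entry offsets are assumed known here (e.g. from call targets found earlier).
ENTRIES = [0, len(STRLEN), len(STRLEN) + len(BANNER_A),
           len(STRLEN) + len(BANNER_A) + len(BANNER_B)]

if __name__ == "__main__":
    for off, names in recognise(IMAGE, ENTRIES, SIGNATURES).items():
        print(f"{off:#04x}: {names or 'no signature, plain disassembly'}")
    print(recognise(IMAGE, ENTRIES, {**SIGNATURES, **TOO_SHORT}))
```

The function with no matching signature gets no label at all, and adding the too-short pattern makes both banner copies ambiguous, which is the kind of flaw the post attributes to relying on recognition before disassembly.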

fearless

Don't have IDA, but this is what that program looks like in x64dbg (x32dbg)



Source view is only available if you compile with debug information, link with debug info and specify to create a pdb file as well.