Is there any disassembler to rival IDA Pro?

  • Is there any disassembler (not only a live debugger) second to IDA in capabilities? IDA is wonderful, and somewhat amazing in how robust and useful it is for reversing. However, it is quite expensive to properly license. Is there any viable alternative, or does IDA hold the monopoly on this market?

    I don't expect an alternative to be as good as IDA, just looking for other options that may be more affordable, and useful enough.

    EDIT: Preferably, multi-platform support should exist, though that's optional. MIPS, ARM, x86, and x86-64 would be nice, but a disassembler that handles any one of those is a good option to know about.

    I don't know any tool for static analysis other than IDA. However for live debugging there are many better alternatives, x64dbg being one of them. IDA's UI is clunky and lacking.

  • Mick (Correct answer, 7 years ago)

    You didn't mention a platform (Windows, Linux, macOS, etc), but here are some great disassemblers.

    Ghidra

    Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. Windows, Mac OS, and Linux.

    Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.

    radare2

    Radare2 is an open source tool to disassemble, debug, analyze and manipulate binary files.

    It actually supports many architectures (x86{16,32,64}, Dalvik, avr, ARM, java, PowerPC, Sparc, MIPS) and several binary formats (pe{32,64}, [fat]mach0{32,64}, ELF{32,64}, dex and Java classes), apart from support for filesystem images and many more features.

    It runs on the command line, but it has a graphical interface called Cutter that has support for some of its features already.

    Binary Ninja

    Binary Ninja is a reverse engineering platform. It focuses on a clean and easy to use interface with a powerful multithreaded analysis built on a custom IL to quickly adapt to a variety of architectures, platforms, and compilers. Runs on macOS, Windows, and Linux.

    Hopper

    Hopper is a reverse engineering tool for macOS and Linux, that lets you disassemble, decompile and debug (OS X only) your 32/64bits Intel Mac, Windows and iOS (ARM) executables.

    x64dbg

    An open-source x64/x32 debugger for Windows.

    ImmunityDbg

    Immunity Debugger is a branch of OllyDbg v1.10, with built-in support for Python scripting and much more.

    PE Explorer's disassembler

    The PE Explorer Disassembler is designed to be easy to use compared with other disassemblers. To that end, some of the functionality found in other products has been left out in order to keep the process simple and fast. While as powerful as the more expensive, dedicated disassemblers, PE Explorer focuses on ease of use, clarity and navigation.

    Hiew

    Hiew is a great disassembler designed for hackers, as the name suggests. It supports three modes - Text, Hexadecimal and Decode (Dis-assembly) mode.

    ODA

    The Online Disassembler is a free web-based, reverse engineering platform that supports over 60 architectures and object file formats from all the major operating systems, including Windows, Mac OS X, Linux, and mobile platforms.

    Relyze

    Relyze is a commercial interactive disassembler for x86, x64 and ARM software with loaders for PE or ELF file formats. It supports interactive flat and graph views of the disassembly, generating call and reference graphs, binary diffing two executables, exploring the executable file's structure and a Ruby plugin API. It can also handle things like symbols (PDB's), function local variables, switch statements, exception handlers, static library identification and more.

    Medusa

    Medusa is an open source disassembler with x86, x64, z80 and partial ARM support. It runs on Windows and Linux. It has interactive flat and graph views.

    Hmm, didn't even know DuxDebugger. Thanks for pointing it out :) +1

    Thanks! I didn't mention a platform, you're right. Multi-platform is ideal, as I work on targets from many. ARM/MIPS/x86/x86-64 code are my specific requirements.

    I would add HIEW too, since you included PE Explorer. I've always found it remarkably good to this day, though it needs an update bad.

    I'm a bit surprised that ImmunityDebugger and OllyDbg are not part of this list. Is it because they are not multi-platform?

    @perror Personally I don't even think it is in the same class as IDA unless it can handle multiple architectures. It makes those tools useless for entire classes of tasks.

    From my experience radare2 is much better than hopper. Just use 'fresh' version (at least 0.9.4) and visual mode ('Vpd' command).

    @MickGrove: as much as I appreciate to learn about (new) tools others use, wasn't the question in particular about a *contender* for IDA as disassembler?

    @0xC0000022L: Good point.

    Should *"While as powerful as the more expensive, dedicated disassemblers, PE Explorer focuses on ease of use, clarity and navigation."* read "while **not** as powerful"?

    Adding a comment here in case the original comment is updated to include Binary Ninja since the question itself is now locked. (https://binary.ninja)

    Hopper is not available for Windows.

    @MahmoudAl-Qudsi - Correct, Hopper is no longer available for Windows. It was at the time I wrote this answer in 2013.

    I removed Visual DuxDebugger from this list, as its domain is gone (www.duxcore.com). You can find old copies of the program here: http://www.softpedia.com/get/Programming/Debuggers-Decompilers-Dissasemblers/Visual-DuxDebugger.shtml

    After years I still return to this list. Please keep it updated. It is amazing. When I first read this answer I felt like Alice when she discovered Wonderland.

    Ghidra was just released a few days ago by the NSA. It seems to be a worthy mention, but it's too early to know how they compare. https://github.com/NationalSecurityAgency/ghidra and https://ghidra-sre.org/

  • If you were looking for a contender, I believe ImmunityDebugger and OllyDbg can compete in part for and Hopper in part for .

    That said, there is a big gap between the capabilities you get with the aforementioned software and IDA.

    IDA Pro is pretty unique with its capabilities and if you add the Hex-Rays Decompiler Plugin into the equation, things look bleak for the wannabe contenders. However, for casual disassembly and even some decompiling Hopper seems a good choice for anyone not willing to shell out hundreds of bucks for IDA Pro. If you want a free ride, radare2 is probably the next in line, but it takes some getting used to.

    Having gotten my first IDA Pro Standard license as a student I have to admit the price point is steep, but it's worth every penny. When I began to work professionally with RCE-related things I upgraded to the "normal" license first and later upgraded to IDA Pro Advanced to get the x64 support.

    Also keep in mind there is a freeware version of IDA with license restrictions (but suitable for hobbyists or students) and restrictions of the capabilities.

  • Some other disassemblers / decompilers

    W32Dasm
    W32DASM was an excellent 16/32 bit disassembler for Windows; it seems it is no longer developed. The latest version available is from 2003.

    Capstone
    Capstone is a lightweight multi-platform, multi-architecture disassembly framework.

    BORG Disassembler
    BORG is an excellent Win32 Disassembler with GUI.

    DSM Studio Disassembler
    DSM Studio is an easy-to-use yet comprehensive application that can aid you in the disassembly and inspection of executables built for the Intel x86 architecture.

    Decompiler
    Decompiler is an easy to use and simple application designed to read program binaries and decompile executable or DLL files. The application is designed to decompile executables for any processor architecture and not be tied to a particular instruction set. Although currently only an x86 front end is implemented, there is nothing preventing you from implementing a 68K, Sparc, or VAX front end if you need one.

    Lida - linux interactive disassembler
    lida is a fast feature packed interactive ELF disassembler / code-/cryptoanalyzer based on bastards libdisasm

    BugDbg x64 v0.7.5
    BugDbg x64 is a user-land debugger designed to debug native 64-bit applications. BugDbg is released as Freeware.

    distorm3
    A lightweight, Easy-to-Use and Fast Disassembler/Decomposer Library for x86/AMD64

    Udis86
    Udis86 is an easy-to-use, minimalistic disassembler library (libudis86) for the x86 class of instruction set architectures. It has a convenient interface for use in the analysis and instrumentation of binary code.

    BeaEngine
    This project is a package with a multi-platform x86 and x64 disassembler library (Solaris, MAC OSX, AIX, Irix, OS/2, Linux, Windows)

    C4 Decompiler

    • General Machine Code to C Decompiler
    • Free Windows I64 target edition
    • Interactive Windows GUI

    REC Studio 4 - Reverse Engineering Compiler
    REC Studio is an interactive decompiler. It reads a Windows, Linux, Mac OS X or raw executable file, and attempts to produce a C-like representation of the code and data used to build the executable file. It has been designed to read files produced for many different targets, and it has been compiled on several host systems.

    Retargetable Decompiler
    A retargetable decompiler that can be utilized for source code recovery, static malware analysis, etc. The decompiler is supposed to be not bound to any particular target architecture, operating system, or executable file format.

    miasm
    Miasm is a free and open source (GPLv2) reverse engineering framework written in Python. Miasm aims at analyzing/modifying/generating binary programs.

    Free Code Manipulation Library
    This is a general purpose machine code manipulation library for IA-32 and Intel 64 architectures. The library supports UNIX-like systems as well as Windows and is highly portable.

    Intel® X86 Encoder Decoder Software Library
    Intel® XED is a software library (and associated headers) for encoding and decoding X86 (IA32 and Intel64) instructions.

    angr
    angr is a framework for analyzing binaries. It focuses on both static and dynamic symbolic ("concolic") analysis, making it applicable to a variety of tasks.

    JEB Decompiler
    JEB is a reverse-engineering platform to perform disassembly, decompilation, debugging, and analysis of code and document files, manually or as part of an analysis pipeline.

    Cutter
    A Qt and C++ GUI for radare2 reverse engineering framework (originally Iaito). Cutter is not aimed at existing radare2 users. It instead focuses on those who are not yet radare2 users because of the learning curve, because they don't like CLI applications or because of the difficulty/instability of radare2.

    REDasm
    REDasm is an interactive, multiarchitecture disassembler written in C++ using Qt5 as UI Framework. Its core is light and simple, it can be extended in order to support new instruction sets and file formats.

    As far as I know, W32Dasm development was stopped in 1997 and the last version is 8.9.

    I think the RetDec link needs to be updated

    @julian Updated.

    The `Decompiler` project on Sourceforge is now called `Reko` and is hosted on GitHub.

  • Another framework to check out is Vdb and Vivisect

    • Vdb - Python based debugger and programmatic debugging API
      • VdbTargetVMWare32 - Kernel debugging using the vmware hypervisor
      • VdbOnAndroid - Using vdb to debug Android processes
    • Vivisect - Python based static analysis and emulation framework
  • Reverse - Reverse engineering tool for x86/ARM/MIPS. Generates indented pseudo-C with colored syntax code.

    SmartDec (aka Snowman) is a native code to C/C++ decompiler. Supports PE and ELF (both 32 and 64bit) also has plugin modules for IDA (6.1, 6.4, 6.5).

    Decompiler example.

    Currently supports Intel x86 and x86-x64 architectures. C++ reconstruction supports the 32-bit ABI used by MSVC compiler under Windows.

    Structures.

    C reconstruction is generic and can be used on a code produced by virtually any compiler for x86 and x86-x64 architectures.

    Github repo can be found here.

    Ida Free doesn't appear to support plugins although there is hope, in the meantime Snowman might be better used as standalone.

  • Relyze is a commercial interactive disassembler for x86, x64 and ARM software with loaders for PE or ELF file formats. It supports interactive flat and graph views of the disassembly, generating call and reference graphs, binary diffing two executables, exploring the executable file's structure and a Ruby plugin API. It can also handle things like symbols (PDB's), function local variables, switch statements, exception handlers, static library identification and more.

    Medusa is an open source disassembler with x86, x64, z80 and partial ARM support. It runs on Windows and Linux. It has interactive flat and graph views.

  • One of my favorite alternatives to IDA is HT Editor.

    I've used it on x86 and x64 binaries and Java class files. I think it has support for many other architectures/bytecode. It is cross platform and has some nice features.

  • Sourcer was quite awesome, but I'm not sure it's what you need.

    Indeed it *was* good during its time and I kept the manual for years because it had this very nice opcode table (similar to what you offer on your website) - until one of my colleagues ended up losing it :-|

    Oh yea! I nearly forgot about Sourcer. Thanks for the memory!

    It looks like this link is no longer available.

  • ArkDasm is a 64-bit interactive disassembler. Supported file types: PE64, raw binary files. It's currently in alpha stage but works well.

  • Just for completeness: one more disassembler, Binary Ninja:

    As for now (9/26/2016) it has the following properties:

    • Commercial ($99 as introductory price for personal use license)
    • Handles x86, x64, ARMv7-8, MIPS and 6502 architectures
    • Works on Linux, Mac OS X and Windows
    • Supports PE/COFF, ELF, .NES and Mach-O
    • Has Python API
    • Has Undo
    • Has IL
    • Has a lot of other cool features

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM