New to reversing? The differences between IDA Pro, ImmDBG and OllyDBG


Introduction

In this blog post we will look at some of the differences between several of the most widely used debuggers and disassemblers.  This post is by no means exhaustive.  It is meant as a brief overview to give people new to reversing a “quick start” guide.  If there is anything that I may have missed or misstated, please email me at james [AT] learnsecurityonline [DOT] com and I will edit this post accordingly.

Debuggers vs Disassemblers

Before we look at IDA Pro (Free), Immunity Debugger (ImmDBG) and Olly Debugger (OllyDBG), we must first understand the difference between a debugger and a disassembler.  I have heard these terms used interchangeably, but they are two separate kinds of tool.  A disassembler takes a binary and translates its machine code into human-readable assembly without running it; with a disassembler you can see exactly how a binary is built and how it should behave (static analysis).  A debugger, on the other hand, runs the program under your control: you can set breakpoints, step through instructions one at a time, inspect registers and memory, and patch the assembly while it is executing (dynamic analysis).  Most modern tools blur the line by doing both, which is where the confusion comes from.

IDA Pro (Free)

Honestly, IDA Pro should be in a category by itself.  It is an interactive, extensible disassembler and debugger.  IDA is also programmable, with a scripting language and a plug-in SDK that let users build plug-ins and scripts to assist them in their research.  The standard version of IDA is $539 USD and gives you support for over 50 families of processors, but for someone who is new to reversing the free version will do just fine.  One of the main differences you’ll notice that IDA has over Immunity Debugger (ImmDBG) and Olly Debugger (OllyDBG) is its platform support: IDA is available for Windows, Linux and Mac OS X, whereas the other two are Windows-only.  Personally, I haven’t really used IDA much.  I’ve found that it is a bit harder to use than ImmDBG and OllyDBG, and for someone just starting out there may be a bit much going on.

Olly Debugger (OllyDBG)

OllyDBG is a graphical user-mode debugger that has been around for a long time.  Like IDA, OllyDBG is extensible through plug-ins that assist you in your research.  OllyDBG knows most of the Windows APIs, so when you are examining a binary it will recognize API calls and show you what each parameter being passed means.  Unfortunately, it does not understand Microsoft’s symbol file format or debug information.  Another advantage of OllyDBG is its size: it is very small and portable.

Immunity Debugger (ImmDBG)

ImmDBG is another graphical user-mode debugger; it is built on OllyDBG and looks and behaves almost exactly like it.  The main difference is that ImmDBG uses Python as its scripting/plug-in language.  Another difference is the annoying ad in the top right-hand corner of the main window.  Personally, ImmDBG is my favorite.  Having a Python background, the ability to script simple, repetitive tasks is great.  This makes reversing large binaries a bit easier on the eyes.  The other huge plus for ImmDBG is the !pvefindaddr plug-in written by Peter Van Eeckhoutte (http://www.corelan.be), since superseded by the same author’s mona.py.  With a focus on exploitation, this plug-in simplifies a great deal of the process!
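To show what “scripting repetitive tasks” looks like in practice, here is an added example PyCommand of the kind ImmDBG runs from its command bar.  It is not code from the original post or from the !pvefindaddr plug-in; it reimplements one small thing that plug-in automates, scanning a loaded module for instructions that jump to the stack pointer and discarding addresses with bytes that break string-based payloads.  The scanning logic is plain Python so it can be tested outside the debugger; the immlib calls in main() (Debugger(), getModule(), getBase(), getSize(), readMemory(), log()) are from the Immunity Debugger API as I remember it and should be checked against the immlib.py shipped with your install.  The sample bytes and the base address are constructed for the example.

```python
# Added example PyCommand for Immunity Debugger (not from the original post).
# Save as PyCommands/findjmp.py under the Immunity Debugger install directory
# and run from the command bar as:   !findjmp kernel32.dll
# The immlib calls below are from the Immunity Debugger scripting API as I
# recall it; verify them against the immlib.py that ships with your install.
try:
    from immlib import Debugger
except ImportError:          # not running inside Immunity Debugger
    Debugger = None

# Byte encodings of x86 instructions that transfer control to ESP.
PATTERNS = {
    b"\xff\xe4": "jmp esp",
    b"\xff\xd4": "call esp",
    b"\x54\xc3": "push esp; ret",
}

# Constructed sample "module" for testing outside the debugger: NOP sleds
# with a jmp esp at offset 10 and 16, push esp; ret at 28, call esp at 30.
SAMPLE_BYTES = (b"\x90" * 10 + b"\xff\xe4" + b"\x90" * 4 + b"\xff\xe4"
                + b"\x90" * 10 + b"\x54\xc3" + b"\xff\xd4")
SAMPLE_BASE = 0x7c801000   # assumed load address for the sample


def find_stack_pivots(data, base):
    """Scan raw module bytes and return sorted (address, mnemonic) pairs.

    `data` is the module's bytes as read from memory, `base` its load
    address.  Pure Python so it runs and can be unit-tested anywhere.
    """
    hits = []
    for pattern, mnemonic in PATTERNS.items():
        pos = data.find(pattern)
        while pos != -1:
            hits.append((base + pos, mnemonic))
            pos = data.find(pattern, pos + 1)
    return sorted(hits)


def filter_clean(hits, bad=(0x00, 0x0a, 0x0d)):
    """Drop addresses containing bytes (NUL, LF, CR by default) that
    typically terminate or mangle a string-based overflow payload."""
    clean = []
    for addr, mnemonic in hits:
        addr_bytes = [(addr >> shift) & 0xff for shift in (0, 8, 16, 24)]
        if not any(b in bad for b in addr_bytes):
            clean.append((addr, mnemonic))
    return clean


def main(args):
    """PyCommand entry point: !findjmp <module name>"""
    if Debugger is None:
        return "This script must be run from inside Immunity Debugger"
    if not args:
        return "Usage: !findjmp <module.dll>"
    imm = Debugger()
    mod = imm.getModule(args[0])
    if mod is None:
        return "Module %s is not loaded" % args[0]
    base, size = mod.getBase(), mod.getSize()
    data = imm.readMemory(base, size)
    hits = filter_clean(find_stack_pivots(data, base))
    for addr, mnemonic in hits:
        imm.log("0x%08x  %s" % (addr, mnemonic), address=addr)
    return "%d usable stack pivots found in %s" % (len(hits), args[0])
```

Run against SAMPLE_BYTES, find_stack_pivots() reports four candidates and filter_clean() drops the one at 0x7c80100a because its low byte is a line feed.  A real plug-in like !pvefindaddr also checks whether the module is rebased, ASLR-enabled or SafeSEH-compiled before recommending an address; this example deliberately stops at the byte scan.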

