EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationida-proghidrax64dbg

Reversing Tools: Disassemblers and Debuggers

The two core reversing tools — IDA Pro vs Ghidra for static analysis, x64dbg vs OllyDbg for dynamic — with practical selection guidance and the typical workflow for each.

Ashish Revar12 May 202614 min read2 views
Quick Bite

⚡ Quick Bite · 30s

Malware Analysis: The Technical Workflow

Disassembly translating binary into instruction flow, debugging to inspect registers and memory states, and why static and dynamic analysis are both essential.

Watch this 30-second summary before diving into the full article. Sign in to earn 5 leaderboard points.

Overview

Two categories of tools dominate the reverse engineering workflow:

  • Disassemblers — convert machine code to assembly for static analysis
  • Debuggers — execute code step-by-step for dynamic code analysis

Both are needed. The disassembler gives you the map; the debugger lets you walk through it in real time.

Disassemblers

IDA Pro vs Ghidra

FeatureIDA ProGhidra
DeveloperHex-Rays (Belgium)NSA (open-source, 2019)
CostFree (IDA Free) / CommercialFree
DecompilerHex-Rays (F5) — industry gold standardBuilt-in — very capable
ScriptingIDAPythonJava, Python
CollaborationLimitedGhidra Server (multi-analyst)
Architecture supportVery broadVery broad
Industry adoptionStandard for commercial workGrowing rapidly

Recommendation for this course: Start with Ghidra (free, full-featured). Add IDA when an employer or project requires it. Skills transfer directly — menu locations differ, concepts are identical.

Typical IDA Pro workflow

1. Open sample → auto-analysis runs
2. Navigate to entry point (Edit → Jump to Entry Point)
3. Press Space to switch to Graph View
4. Double-click CALL instructions to follow into functions
5. Press F5 for decompiled pseudocode
6. Press X on any address to see cross-references
7. Press N to rename variables and functions
8. Add comments with ; or Ins key

Typical Ghidra workflow

1. Create new project → Import file
2. Auto-analysis runs (accept defaults)
3. Open CodeBrowser
4. Navigate via Symbol Tree or search
5. Use Decompiler window alongside disassembly
6. Right-click → Edit Function Signature to rename
7. Use Bookmarks for important locations

Debuggers

x64dbg vs OllyDbg

Featurex64dbgOllyDbg
Architecture32-bit (x32dbg) and 64-bit32-bit only
StatusActive developmentLegacy (no updates since 2013)
CostFree, open-sourceFree
Key featuresScylla (dump/IAT fix), scripting, pluginsCompact UI, built-in assembler
ScyllaHideYes (anti-anti-debug plugin)Limited version
Use caseModern analysis — recommendedAppears in older tutorials only

This course uses x32dbg (the 32-bit component of x64dbg) for all practical labs. OllyDbg appears in older tutorials; avoid it for new work.

Key x64dbg keyboard shortcuts

ActionKey
Step Into (follow CALL)F7
Step Over (skip CALL)F8
Run to CursorF4
Run (until breakpoint)F9
Set software breakpointF2
RestartCtrl+F2
Navigate to addressCtrl+G
Toggle graph viewSpace

Supporting Static Analysis Tools

ToolPurpose
PEStudioPE header inspection, imports, entropy, strings
PE-BearDetailed PE structure viewer with hex correlation
Detect It Easy (DIE)Packer/compiler identification by signature matching
FLOSSObfuscated string extraction (stack strings, XOR loops)
CapaCapability detection mapped to MITRE ATT&CK
CFF ExplorerPE editing and header manipulation

Tool Selection Guide

Start with this stack — all free, all production-quality:

Static:   Ghidra + PEStudio + DIE + FLOSS + Capa
Dynamic:  x32dbg (with ScyllaHide plugin)
Network:  Wireshark + FakeNet-NG
Process:  Process Hacker + Procmon

Add IDA Pro when:

  • Your employer uses it and you need to read existing IDA databases
  • You are working with obfuscated or custom-packed binaries where Hex-Rays decompiler quality matters
  • You need specific IDA plugins not available for Ghidra

The skills from Ghidra transfer immediately to IDA. The interface is different; the concepts are identical.

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

The Binary Physics of Memory Corruption

Two experts break down the foundations of malware analysis and reverse engineering — malware taxonomy, x86 architecture, memory layout, and stack manipulation — using simple, real-world analogies.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

Ghidra — Official Download

Download Ghidra from the official NSA release page. Install Java 17+ first.

tool
x64dbg — Official Site and Download

Download x64dbg (includes both x32dbg and x64dbg). Install ScyllaHide plugin immediately after.

tool
FLARE VM — Complete Analysis Environment

Mandiant FLARE VM installs 140+ analysis tools on Windows via one PowerShell script. Includes IDA Free, x64dbg, FLOSS, Capa, and all supporting tools.

tool
More articlesTest your knowledge