
ret-sync stands for Reverse-Engineering Tools SYNChronization. It is a set of plugins that help to synchronize a debugging session (WinDbg/GDB/LLDB/OllyDbg/OllyDbg2/x64dbg) with a disassembler (IDA/Ghidra). The underlying idea is simple: take the best from both worlds (static and dynamic analysis).

Debuggers and dynamic analysis provide us with:

- local view, with live dynamic context (registers, memory, etc.)
- built-in specialized features/API (ex: WinDbg’s !peb, !drvobj, !address, etc.)

Disassemblers and static analysis provide us with:

- macro view over modules
- code analysis, signatures, types, etc.
- fancy graph view
- decompilation
- persistent storage of knowledge within IDBs/GPRs

Key features:

- synchronize graph and decompilation views with debugger’s state
- no need to deal with ASLR, addresses are rebased on-the-fly
- pass data (comment, command output) from the debugger to disassembler
- multiple IDBs/GPRs can be synced at the same time allowing to easily trace through multiple modules
- disassembler and debugger can be on different hosts / VMs
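
The two address-related features listed above (on-the-fly rebasing under ASLR, and routing to one of several open IDBs/GPRs) come down to the translation sketched below. This is an added example, not ret-sync's own code; the module names, load addresses, image bases and function names are constructed for illustration.

```python
from bisect import bisect_right
from typing import NamedTuple

class Module(NamedTuple):
    name: str   # module name as the debugger reports it
    base: int   # runtime load address (randomized by ASLR)
    size: int   # size of the mapped image in bytes

# Constructed sample data, not taken from a real debugging session.
LOADED = sorted([
    Module("app.exe", 0x7FF6_1A2B_0000, 0x2_0000),
    Module("helper.dll", 0x7FFB_4C10_0000, 0x8_0000),
    Module("ntdll.dll", 0x7FFB_9E50_0000, 0x1F_0000),
], key=lambda m: m.base)

# Image base each open database was analysed at (hypothetical values).
# ntdll.dll is loaded in the debuggee but has no database open.
DATABASES = {"app.exe": 0x1_4000_0000, "helper.dll": 0x1_8000_0000}

def find_module(addr, modules=LOADED):
    """Return the loaded module whose [base, base+size) contains addr."""
    i = bisect_right([m.base for m in modules], addr) - 1
    if i >= 0 and addr < modules[i].base + modules[i].size:
        return modules[i]
    return None

def to_static(addr, modules=LOADED, databases=DATABASES):
    """Map a runtime address to (database name, static address)."""
    mod = find_module(addr, modules)
    if mod is None or mod.name not in databases:
        return None  # outside every module, or no database open for it
    # The offset inside the module is the same in both address spaces.
    return mod.name, addr - mod.base + databases[mod.name]

def to_runtime(name, static_addr, modules=LOADED, databases=DATABASES):
    """Inverse mapping: static address in a database to the live address."""
    for mod in modules:
        if mod.name == name and name in databases:
            off = static_addr - databases[name]
            if 0 <= off < mod.size:
                return mod.base + off
    return None

if __name__ == "__main__":
    pc = 0x7FF6_1A2B_1234  # constructed program counter value
    db, static = to_static(pc)
    print(f"{pc:#x} -> {db} @ {static:#x}")
```

Addresses that fall in a loaded module with no open database, or outside every module, return `None` rather than a guessed location, which is the case a synchronizing tool has to handle when execution leaves the modules under analysis.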