karu's den

Adventures of Binary Analysis on ARM-Based Macs

August 27, 2025
9 min read
Table of Contents

Introduction

A few weeks ago I decided to get a new laptop since the old ThinkPad was getting tired. The problem was, most, if not all, Windows laptops are either not powerful enough for my needs or have the battery life of a mosquito, which is just as inconvenient.

This is when I started taking a look at Apple Silicon Macbooks. I’ve heard plenty of good things from the internet and friends. Great performance, great battery, great screen. it was perfect.

One small problem though: it was ARM-based. I play a lot of CTFs and mainly do binary exploitation and reverse engineering. I do plenty of binary analysis. My work requires x86-64 and unfortunately I cannot convince the entire CTF community to switch to ARM for my convenience, as cool as that would be.

At the end, I decided to get myself a 2021 Macbook Pro with an M1 Pro chip. I’ve read about Rosetta and how it can emulate x86-64 binaries flawlessly, and apparently it also has a GDB stub? sick. Docker also supports running x86-64 containers through Rosetta so that’s nice. And I’ve seen an OALabs video showcasing a malware analysis lab on an ARM Mac. What’s the worst that can happen?

TL;DR

For the impatient, this is my final setup for now :)

  • Linux
    • Headless Arch Linux x86-64 VM with SSH through UTM
    • GDB with pwndbg
    • Spin up XFCE desktop when dealing with GUI
  • Windows
    • Windows 11 ARM through Parallels
    • x64dbg and IDA Pro for debugging
    • Use WinDbg backend for IDA Pro
    • Debugging works fine as long as you don’t step into Windows DLLs

Initial Attempts and Shattered Dreams

I decided to start with setting up Linux because in my mind at the time, it was the easiest to set up.

Rosetta Hell

The plan was simple, use Docker to start a Linux container, install GDB and pwndbg, use Rosetta to run binaries and attach to the debug port, boom.

Rosetta has a GDB server built-in that allows waiting for GDB to attach before starting a process and debugging it like any good old x86-64 binary. This can be done with

Terminal window
ROSETTA_DEBUGSERVER_PORT=1234 ./binary

then attaching to it from within GDB with target remote :1234.

I’ve read in multiple places that the GDB stub works fine and that they use it daily to build Space-X software and cure cancer and whatnot. Spoiler alert: it did not work.

GDB crashed with a backtrace and the binary crashed with an error of an unimplemented functionality in the GDB stub. Trying GDB by itself worked, but using pwndbg or GEF caused the same issue. And there is no chance I’m using vanilla GDB, I’m not an IoT researcher..

I ended up tracing this issue in pwndbg and creating a shitty patch just to make it work.

Okay we have GDB! Let’s try debugging… it takes 10 seconds to single-step.

This is an issue with vanilla GDB as well, not as severe but still unusable. my guess is that the GDB server implementation is just too slow, and since pwndbg displays all the register and stack information with every step it takes even longer to communicate that data. I can’t do anything about that..

I’ve also tried to set up an Ubuntu ARM VM with Parallels and see how Rosetta performs there, but it was basically the same problem.

I’m still confused on how people call this “usable”, maybe it’s actually doable and these are just problems on my machine? Please let me know if you can get GDB to work with Rosetta without the latency problems.

Michaelsoft Binbows

Okay that was a rough start and I don’t wanna deal with Linux anymore, so let’s move forward to Windows. Sergei said this setup works well enough and he would never lie to me.

The idea is to install Windows 11 ARM in Parallels. Windows ARM has a built-in translation layer from x86-64 to ARM, the same way WOW64 runs x86 binaries on x86-64. Think of it as Rosetta but better.

While scrolling up through OALabs Discord server I’ve seen some people saying that debugging is sometimes scuffed and jumps around, so uuhhh hopefully we don’t run into that?

Running into that

I use IDA Pro as my main debugger for Windows binaries (please don’t judge me). Debugging works fine… until you step over a function. The debugger loses track of the instruction pointer, can’t pause the process, we’re cooked.

Okay fine maybe I should be switching to x64dbg, I’m tired of feeling left out anyway.

x64dbg ARM warning

Uh Oh.

I tried to animate a binary with stepping in and sure enough, all hell broke loose. The debugger lost track of the PC again, and it randomly crashed at an invalid instruction that doesn’t even decode, probably ARM code being read as x86-64.

Whisky

Whisky was my last hope for Windows. it uses some wine+Rosetta magic to run Windows binaries.

I tried running both IDA Pro and x64dbg through Whisky and ran into the same problem with both. the execution will randomly stop and the debugger UI will freeze until you kill the debugged process. This also feels like a problem on my machine that can be fixed by messing with wine settings, so it’s worth a try if you’re following this as a guide.

CrossOver also has the same problem which proves money can’t buy happiness.

Actually Working Setup

At this point I was pretty devastated. I really liked the Macbook, but all the nice features are useless if I can’t get my work done.

Linux Episode IV: A New Hope

As a Hail Mary, I decided to try running a Linux x86-64 virtual machine. I used UTM which is based on QEMU, so hopefully the JIT and nerd optimizations combined with using a minimal distro and DE can make it usable?

As a matter of fact it did! Don’t expect to run CyberPunk 2077 on it, but running Arch Linux with XFCE is usable! To squeeze more performance, I installed an SSH server on the VM and disabled GUI. Now I can connect into the VM from my terminal and use tmux, GDB, and all the nice things I need, with an option to enable GUI when necessary.

Success!

The Windows Situation

Figuring out the Linux part filled me with determination, so I decided to give Windows another shot.

My first attempt was doing the same thing I did with Linux. Setting up an x86-64 virtual machine. But that was cut short by how bad the performance was. Opening explorer.exe took about 5 seconds, you can guess the rest.

Windows 11 ARM is our only hope if we’re gonna get this to work so let’s try fixing the problems we had previously.

Fixing IDA

You remember the problem we had with IDA, right? I’m sure you do you have a sharp memory.

Stepping over functions will lose track of the instruction pointer. But if we set a breakpoint after the function call and continue execution, it will hit that breakpoint, replicating the behavior of stepping over!

I asked ChatGPT to write an IDA plugin to do exactly that, and it works flawlessly.

x64dbgging

Okay let’s try fixing x64dbg. Maybe I can spot a pattern that is hopefully fixable.

I noticed that stepping over functions works fine, but stepping inside Windows DLLs will mess things up. so uhh, let’s just not do that? I don’t think I’ve ever needed to debug kernel32.dll anyway.

It works. Me using the “animate into” functionality was crashing because it was stepping inside the DLLs, maybe I would’ve noticed this if I was an actual x64dbg user, oops.

Fixing IDA 2: Electric Boogaloo

At this point I started messing around with WinDbg for some reason. I hate WinDbg, I never used WinDbg, I have no idea why I was playing with it but I was. While doing that I noticed that stepping over functions works just fine, and WinDbg can actually switch from disassembling x86-64 to ARM and back seamlessly, pretty cool.

Wait, doesn’t IDA support WinDbg as a debugger backend? it does, and it works perfectly, there’s no need for the plugin GPT wrote earlier.

What Doesn’t Work

Alright this is cool and all, but what doesn’t work? (some of these things might be doable but I just couldn’t figure them out, let me know!)

  • Debugging Windows kernel drivers obviously will not work, this is an ARM kernel.

  • Hardware breakpoints on Windows do not work, this might be the biggest problem I have.

  • Cheat Engine didn’t work, showing 0 results from first scan.

  • Stepping into Windows DLLs.

Final Thoughts

This setup seems to work fine for me for the time being, I played a couple CTFs on it and didn’t have any problems yet.

My biggest fear is the Windows VM since Linux is straight up QEMU emulating everything.

For the time being I will try my best to use the Macbook for all my work, but I will keep the ThinkPad with me just in case, until I get comfortable with the limitations of the Mac and see if I can do everything I need on it. Flare-On #12 is coming soon so that would be a nice stress test for it :)