Reverse Engineering#

Reference of the disassemblers, decompilers, debuggers, unpackers, and analysis frameworks an operator pulls from when working binaries, firmware, mobile apps, and protocols. For dynamic-analysis sandboxes and malware classification, see Malware. For hardware-side tooling, see Hacking Hardware.

Disassemblers / decompilers#

Tool

Vendor / Org

Notes

IDA Pro

Hex-Rays

Long-running commercial standard; Hex-Rays decompiler add-on; IDC + IDAPython scripting; FLIRT signatures.

IDA Free

Hex-Rays

Free disassembler; no decompiler; limited.

Ghidra

NSA

Open-source; Java-based GUI; SLEIGH lang for new arches; P-code IR; widely adopted in CTF + RE.

Binary Ninja

Vector 35

Cloud + commercial; BNIL / HLIL / MLIL IRs; Python API; affordable mid-tier.

radare2 / r2

Open

CLI-first; r2pipe; Cutter GUI front-end.

Cutter

Open

Qt GUI on radare2; integrates Rizin + Ghidra decompiler.

Rizin

Open

radare2 fork emphasizing stability.

Hopper

Cryptic Apps

macOS/Linux disassembler + decompiler.

JEB

PNF Software

Android-focused; Dalvik decompiler.

Snowman

Open

Native C++ decompiler.

RetDec

Avast

Open decompiler; LLVM-IR-based.

BAP

CMU

Binary Analysis Platform; OCaml.

Angr

UCSB

Symbolic execution + analysis framework; Python.

Triton

Quarkslab

Concolic execution; Python.

Miasm

CEA

IR + symbolic engine.

Debuggers#

Tool

Vendor / Org

Notes

GDB

GNU

Standard Linux debugger; Python scripting; remote serial.

GEF

Open

GDB Enhanced Features; CTF-friendly UI.

Pwndbg

Open

CTF-tuned GDB plugin.

PEDA

Open

Python Exploit Dev Assist; older GDB plugin.

LLDB

LLVM

Standard macOS debugger; Linux/iOS too.

WinDbg

Microsoft

Windows kernel + user; symbol loading; time-travel debugging (TTD); WinDbg Preview.

x64dbg

Open

Windows user-mode; plugin ecosystem; popular for malware.

OllyDbg

Open

Win32 user-mode; legacy.

Immunity Debugger

Immunity

Win32; Python scripting; legacy CTF.

DBVM / Cheat Engine

Cheat Engine

Memory analysis; primarily games but useful in RE.

KGDB / kdb

Linux

Kernel debugger.

QIRA

Comma

Concolic-style timeless debugger.

Dynamic instrumentation#

Tool

Org

Notes

Frida

Frida

Cross-platform DBI; Python + JS; iOS / Android / desktop.

Pin

Intel

x86 DBI framework.

DynamoRIO

Open

DBI; Linux / Win.

Valgrind

Open

Memory + race detection; CPU emulation.

QEMU

QEMU

Full-system + user-mode emulation.

Unicorn

Open

QEMU CPU emulator extracted; per-instruction control.

PANDA

MIT/Renee

Plugin-based dynamic analysis on QEMU.

Speakeasy

Mandiant

Windows shellcode emulator.

Qiling

Qiling

Cross-platform sandbox emulator.

Triton (above)

Quarkslab

Concolic.

S2E

EPFL

Selective symbolic execution.

KLEE

KLEE

LLVM-IR symbolic execution.

Fuzzing#

Tool

Org

Notes

AFL++

AFLplusplus

Coverage-guided fuzzer; the standard.

libFuzzer

LLVM

In-process fuzzer; sanitiser-friendly.

Honggfuzz

Google

Coverage + signal fuzzer.

Syzkaller

Google

Linux kernel fuzzer.

LIBFUZZER + OSS-Fuzz

Google

Continuous fuzzing infra.

ClusterFuzz

Google

Distributed fuzzing.

Boofuzz

Open

Network protocol fuzzer (Sulley successor).

Peach Fuzzer

Open / Comm

Smart fuzzer.

WinAFL

Open

AFL for Windows.

TriforceAFL

Open

QEMU-based AFL for binaries.

JQF / Zest

Berkeley

JVM coverage-guided fuzzing.

Mobile RE#

Tool

Org

Notes

APKTool

Open

Android APK decode / rebuild.

JADX

Open

Java/DEX decompiler.

Bytecode Viewer

Open

Multi-decompiler GUI for JVM bytecode.

Procyon

Open

Java decompiler.

CFR

Open

Java decompiler.

Fernflower

JetBrains

Java decompiler; IDEA’s.

Krakatau

Open

Java assembler/disassembler.

Smali / Baksmali Open

D

alvik (Android) disassembler.

ApkLab

Open

VS Code APK extension (uses APKTool / JADX).

Frida-iOS-dump

Open

Decrypt + dump iOS app binary.

Hopper / IDA / Ghidra

Multiple

Native Mach-O analysis.

class-dump

Open

Objective-C header dump from Mach-O.

otool / nm / strings

Apple LLVM

macOS/iOS binary tools.

Codesign / Insert_dy

lib Apple

Resign / inject.

Cycript

Open

iOS runtime injection / Objective-C bridge.

Objection

Open

Frida-based mobile pentest framework.

RMS-runtime-mobile-s

ec Open

GUI for Frida.

MobSF

OpenSec

Mobile Security Framework; static + dynamic.

APKLeaks

Open

Find leaked secrets in APKs.

Unpackers / packers#

Tool

Org

Notes

UPX

Open

Generic packer / unpacker.

PEiD / Detect It Easy

Open / Open

PE / ELF / Mach-O packer detection.

MalUnpack

Hasherezade

Generic Windows unpacker.

PE-bear

Hasherezade

PE inspector.

Scylla

Open

Imports / OEP recovery.

ASLR Bruteforce

Open

PE relocation recovery.

PE / ELF / Mach-O / file#

Tool

Org

Notes

file / strings

Coreutils

Magic-byte ID + string extraction.

binwalk

Open / Refirm

Firmware extraction; entropy plot.

binskim

Microsoft

PE security analyzer.

checksec

Open

ELF security flags.

pe-tree

FireEye

PE inspector.

peframe

Open

PE static feature scanner.

ELF Tool Chain

FreeBSD

readelf / elfdump / nm.

Mach-O view

Apple LLVM

otool, nm, lipo.

DIE (Detect It Easy)

Open

Multi-format detector.

ExifTool

Open

Metadata across many formats.

Firmware#

Tool

Org

Notes

Binwalk

Refirm Labs

Firmware unpacker; signatures.

FACT

Fraunhofer

Firmware Analysis Comparison Toolkit.

EMBA

Siemens

Firmware vulnerability scanner.

Firmwalker

Open

Search extracted firmware for indicators.

Firmadyne / FirmAE

Open

Firmware emulation harness for analysis.

buildroot / Yocto

Open

Reference Linux for firmware comparison.

flashrom

Open

Read / write SPI flash chips.

chipsec

Intel

UEFI / firmware security.

UEFItool

Open

UEFI image parser.

PSPTool

Open

AMD PSP analysis.

Network / protocol#

Tool

Org

Notes

Wireshark

Open

Standard packet analyzer; Lua dissectors.

tshark

Open

Wireshark CLI.

mitmproxy

Open

HTTPS interception proxy; Python addons.

Burp Suite

PortSwigger

Web protocol analysis; the proxy most operators reach for on web work.

ZAP

OWASP

Open Burp alternative.

Caido

Caido

Modern Burp alternative.

Charles Proxy

XK72

macOS HTTP debugger.

Proxyman

Proxyman

macOS HTTP debugger.

NetworkMiner

NETRESEC

Network forensics extraction.

PcapNG / pcap

libpcap

Capture file formats.

TCPdump

Open

CLI capture.

Scapy

Open

Packet crafting in Python.

Browser / JS / WASM#

Tool

Org

Notes

Chrome DevTools

Google

Built-in JS / network / perf RE.

Firefox DevTools

Mozilla

Same.

JsNice

ETHZ

JavaScript deobfuscator.

de4js

Open

Browser JS deobfuscator.

Synchrony

Open

Modern JS deobfuscator.

WABT

WebAssembly

.wat <-> .wasm; wasm2c / wasm-objdump.

Binaryen / wasm-tools

Bytecode All.

wasm rewriting.

WebCrack

Open

JS deobfuscation.

Crypto / signature analysis#

Tool

Org

Notes

CryptoIdentifier

IDA / Ghidra plugin

Find crypto constants.

FindCrypt2

Plugin

Detect crypto algorithms in binaries.

YARA

VirusTotal

Pattern-matching for binaries; signatures + strings.

YarGen

Florian Roth

Generate YARA rules from samples.

ssdeep / TLSH

Open

Fuzzy hashing for similar files.

sigtool / clamscan

ClamAV

AV signature engine.

CTF / training#

Resource

Org

Notes

Crackmes.one

Crackmes

Practice binaries; community.

RingZer0

RingZer0

Online challenges.

PicoCTF

CMU

Beginner-friendly RE / pwn.

HackTheBox

HTB

RE machines + tracks.

PortSwigger Web Acad emy

PortSwigge

r Web vuln training.

Pwn.college

ASU

CSE466 university course online.

LiveOverflow YouTube

LiveOverflow

Tutorial channel.

RPISec MBE

RPISec

Modern Binary Exploitation course.

nightmare (Nightmar e )

guyinatuxedo

Pwn / RE walkthroughs.

References#