Reverse Engineering#
Reference of the disassemblers, decompilers, debuggers, unpackers, and analysis frameworks an operator pulls from when working binaries, firmware, mobile apps, and protocols. For dynamic-analysis sandboxes and malware classification, see Malware. For hardware-side tooling, see Hacking Hardware.
Disassemblers / decompilers#
Tool |
Vendor / Org |
Notes |
|---|---|---|
IDA Pro |
Hex-Rays |
Long-running commercial standard; Hex-Rays decompiler add-on; IDC + IDAPython scripting; FLIRT signatures. |
IDA Free |
Hex-Rays |
Free disassembler; no decompiler; limited. |
Ghidra |
NSA |
Open-source; Java-based GUI; SLEIGH lang for new arches; P-code IR; widely adopted in CTF + RE. |
Binary Ninja |
Vector 35 |
Cloud + commercial; BNIL / HLIL / MLIL IRs; Python API; affordable mid-tier. |
radare2 / r2 |
Open |
CLI-first; r2pipe; Cutter GUI front-end. |
Cutter |
Open |
Qt GUI on radare2; integrates Rizin + Ghidra decompiler. |
Rizin |
Open |
radare2 fork emphasizing stability. |
Hopper |
Cryptic Apps |
macOS/Linux disassembler + decompiler. |
JEB |
PNF Software |
Android-focused; Dalvik decompiler. |
Snowman |
Open |
Native C++ decompiler. |
RetDec |
Avast |
Open decompiler; LLVM-IR-based. |
BAP |
CMU |
Binary Analysis Platform; OCaml. |
Angr |
UCSB |
Symbolic execution + analysis framework; Python. |
Triton |
Quarkslab |
Concolic execution; Python. |
Miasm |
CEA |
IR + symbolic engine. |
Debuggers#
Tool |
Vendor / Org |
Notes |
|---|---|---|
GDB |
GNU |
Standard Linux debugger; Python scripting; remote serial. |
GEF |
Open |
GDB Enhanced Features; CTF-friendly UI. |
Pwndbg |
Open |
CTF-tuned GDB plugin. |
PEDA |
Open |
Python Exploit Dev Assist; older GDB plugin. |
LLDB |
LLVM |
Standard macOS debugger; Linux/iOS too. |
WinDbg |
Microsoft |
Windows kernel + user; symbol loading; time-travel debugging (TTD); WinDbg Preview. |
x64dbg |
Open |
Windows user-mode; plugin ecosystem; popular for malware. |
OllyDbg |
Open |
Win32 user-mode; legacy. |
Immunity Debugger |
Immunity |
Win32; Python scripting; legacy CTF. |
DBVM / Cheat Engine |
Cheat Engine |
Memory analysis; primarily games but useful in RE. |
KGDB / kdb |
Linux |
Kernel debugger. |
QIRA |
Comma |
Concolic-style timeless debugger. |
Dynamic instrumentation#
Tool |
Org |
Notes |
|---|---|---|
Frida |
Frida |
Cross-platform DBI; Python + JS; iOS / Android / desktop. |
Pin |
Intel |
x86 DBI framework. |
DynamoRIO |
Open |
DBI; Linux / Win. |
Valgrind |
Open |
Memory + race detection; CPU emulation. |
QEMU |
QEMU |
Full-system + user-mode emulation. |
Unicorn |
Open |
QEMU CPU emulator extracted; per-instruction control. |
PANDA |
MIT/Renee |
Plugin-based dynamic analysis on QEMU. |
Speakeasy |
Mandiant |
Windows shellcode emulator. |
Qiling |
Qiling |
Cross-platform sandbox emulator. |
Triton (above) |
Quarkslab |
Concolic. |
S2E |
EPFL |
Selective symbolic execution. |
KLEE |
KLEE |
LLVM-IR symbolic execution. |
Fuzzing#
Tool |
Org |
Notes |
|---|---|---|
AFL++ |
AFLplusplus |
Coverage-guided fuzzer; the standard. |
libFuzzer |
LLVM |
In-process fuzzer; sanitiser-friendly. |
Honggfuzz |
Coverage + signal fuzzer. |
|
Syzkaller |
Linux kernel fuzzer. |
|
LIBFUZZER + OSS-Fuzz |
Continuous fuzzing infra. |
|
ClusterFuzz |
Distributed fuzzing. |
|
Boofuzz |
Open |
Network protocol fuzzer (Sulley successor). |
Peach Fuzzer |
Open / Comm |
Smart fuzzer. |
WinAFL |
Open |
AFL for Windows. |
TriforceAFL |
Open |
QEMU-based AFL for binaries. |
JQF / Zest |
Berkeley |
JVM coverage-guided fuzzing. |
Mobile RE#
Tool |
Org |
Notes |
|---|---|---|
APKTool |
Open |
Android APK decode / rebuild. |
JADX |
Open |
Java/DEX decompiler. |
Bytecode Viewer |
Open |
Multi-decompiler GUI for JVM bytecode. |
Procyon |
Open |
Java decompiler. |
CFR |
Open |
Java decompiler. |
Fernflower |
JetBrains |
Java decompiler; IDEA’s. |
Krakatau |
Open |
Java assembler/disassembler. |
Smali / Baksmali Open |
D |
alvik (Android) disassembler. |
ApkLab |
Open |
VS Code APK extension (uses APKTool / JADX). |
Frida-iOS-dump |
Open |
Decrypt + dump iOS app binary. |
Hopper / IDA / Ghidra |
Multiple |
Native Mach-O analysis. |
class-dump |
Open |
Objective-C header dump from Mach-O. |
otool / nm / strings |
Apple LLVM |
macOS/iOS binary tools. |
Codesign / Insert_dy |
lib Apple |
Resign / inject. |
Cycript |
Open |
iOS runtime injection / Objective-C bridge. |
Objection |
Open |
Frida-based mobile pentest framework. |
RMS-runtime-mobile-s |
ec Open |
GUI for Frida. |
MobSF |
OpenSec |
Mobile Security Framework; static + dynamic. |
APKLeaks |
Open |
Find leaked secrets in APKs. |
Unpackers / packers#
Tool |
Org |
Notes |
|---|---|---|
UPX |
Open |
Generic packer / unpacker. |
PEiD / Detect It Easy |
Open / Open |
PE / ELF / Mach-O packer detection. |
MalUnpack |
Hasherezade |
Generic Windows unpacker. |
PE-bear |
Hasherezade |
PE inspector. |
Scylla |
Open |
Imports / OEP recovery. |
ASLR Bruteforce |
Open |
PE relocation recovery. |
PE / ELF / Mach-O / file#
Tool |
Org |
Notes |
|---|---|---|
file / strings |
Coreutils |
Magic-byte ID + string extraction. |
binwalk |
Open / Refirm |
Firmware extraction; entropy plot. |
binskim |
Microsoft |
PE security analyzer. |
checksec |
Open |
ELF security flags. |
pe-tree |
FireEye |
PE inspector. |
peframe |
Open |
PE static feature scanner. |
ELF Tool Chain |
FreeBSD |
readelf / elfdump / nm. |
Mach-O view |
Apple LLVM |
otool, nm, lipo. |
DIE (Detect It Easy) |
Open |
Multi-format detector. |
ExifTool |
Open |
Metadata across many formats. |
Firmware#
Tool |
Org |
Notes |
|---|---|---|
Binwalk |
Refirm Labs |
Firmware unpacker; signatures. |
FACT |
Fraunhofer |
Firmware Analysis Comparison Toolkit. |
EMBA |
Siemens |
Firmware vulnerability scanner. |
Firmwalker |
Open |
Search extracted firmware for indicators. |
Firmadyne / FirmAE |
Open |
Firmware emulation harness for analysis. |
buildroot / Yocto |
Open |
Reference Linux for firmware comparison. |
flashrom |
Open |
Read / write SPI flash chips. |
chipsec |
Intel |
UEFI / firmware security. |
UEFItool |
Open |
UEFI image parser. |
PSPTool |
Open |
AMD PSP analysis. |
Network / protocol#
Tool |
Org |
Notes |
|---|---|---|
Wireshark |
Open |
Standard packet analyzer; Lua dissectors. |
tshark |
Open |
Wireshark CLI. |
mitmproxy |
Open |
HTTPS interception proxy; Python addons. |
Burp Suite |
PortSwigger |
Web protocol analysis; the proxy most operators reach for on web work. |
ZAP |
OWASP |
Open Burp alternative. |
Caido |
Caido |
Modern Burp alternative. |
Charles Proxy |
XK72 |
macOS HTTP debugger. |
Proxyman |
Proxyman |
macOS HTTP debugger. |
NetworkMiner |
NETRESEC |
Network forensics extraction. |
PcapNG / pcap |
libpcap |
Capture file formats. |
TCPdump |
Open |
CLI capture. |
Scapy |
Open |
Packet crafting in Python. |
Browser / JS / WASM#
Tool |
Org |
Notes |
|---|---|---|
Chrome DevTools |
Built-in JS / network / perf RE. |
|
Firefox DevTools |
Mozilla |
Same. |
JsNice |
ETHZ |
JavaScript deobfuscator. |
de4js |
Open |
Browser JS deobfuscator. |
Synchrony |
Open |
Modern JS deobfuscator. |
WABT |
WebAssembly |
.wat <-> .wasm; wasm2c / wasm-objdump. |
Binaryen / wasm-tools |
Bytecode All. |
wasm rewriting. |
WebCrack |
Open |
JS deobfuscation. |
Crypto / signature analysis#
Tool |
Org |
Notes |
|---|---|---|
CryptoIdentifier |
IDA / Ghidra plugin |
Find crypto constants. |
FindCrypt2 |
Plugin |
Detect crypto algorithms in binaries. |
YARA |
VirusTotal |
Pattern-matching for binaries; signatures + strings. |
YarGen |
Florian Roth |
Generate YARA rules from samples. |
ssdeep / TLSH |
Open |
Fuzzy hashing for similar files. |
sigtool / clamscan |
ClamAV |
AV signature engine. |
CTF / training#
Resource |
Org |
Notes |
|---|---|---|
Crackmes.one |
Crackmes |
Practice binaries; community. |
RingZer0 |
RingZer0 |
Online challenges. |
PicoCTF |
CMU |
Beginner-friendly RE / pwn. |
HackTheBox |
HTB |
RE machines + tracks. |
PortSwigger Web Acad emy |
PortSwigge |
r Web vuln training. |
Pwn.college |
ASU |
CSE466 university course online. |
LiveOverflow YouTube |
LiveOverflow |
Tutorial channel. |
RPISec MBE |
RPISec |
Modern Binary Exploitation course. |
nightmare (Nightmar e ) |
guyinatuxedo |
Pwn / RE walkthroughs. |
References#
Practical Malware Analysis, Sikorski + Honig.
The Ghidra Book, Eagle + Nance.
The IDA Pro Book, Eagle.
The Art of Mac Malware, Wardle.
Practical Reverse Engineering, Dang / Gazet / Bachaalany.
<x86>, Felix Cloutier opcode reference.
Reverse Engineering for Beginners, Yurichev (free PDF).
OWASP MASVS / MASTG, mobile RE.