@whitequark
Last active May 6, 2025 11:17
reverse engineering tools

"%" means not tested by me personally.

Reference material

Disassemblers and decompilers

  • Binary Ninja: interactive native code disassembler, decompiler, and debugger
    • BinExport: companion tool for BinDiff
      • when building, replace the BN SDK it downloads with a path to BN API library
    • SENinja: symbolic execution engine for BN with a debugger-like API, based on Z3
    • hexfiles: Intel HEX / Motorola SREC / TI-TXT file loader
    • %binja-8051: 8051 architecture
    • binja-avnera: Avnera architecture
    • binja-m16c: Renesas M16C architecture
    • cryptoscan: detector of common cryptographic algorithms
    • Rust string slicer: detect Rust strings in code and data
    • blob extractor: frontend for unblob
    • %mole: static backward slicing through MLIL
  • %binsync: cross-decompiler (Binary Ninja / Ghidra / IDA) collaboration tool
  • BinDiff: comparison tool operating on control flow graphs
  • %ReGenny: interactive C/C++ structure reconstruction tool and SDK generator
    • %UE4Genny: late Unreal Engine 4 and Unreal Engine 5 SDK generator
    • %Source2Gen: Source 2 SDK generator
  • dnSpyEx: interactive CLR decompiler and debugger
  • %hal: interactive netlist analysis and manipulation tool
  • %Pylingual: Python bytecode decompiler and patcher

Debuggers

  • WinDbg: Windows kernel and user-mode debugger
  • x64dbg: OllyDbg if it was maintained; Windows user-mode x86/x64 debugger
  • %BugChecker: SoftICE if it was maintained; preemptive Windows kernel and user-mode debugger; requires PS/2 keyboard and linear framebuffer
  • %libdebug: GDB if it had an API; Python interface to GDB with a CTF/RE focus
  • rr: deterministic record/replay debugger for Linux x86/x64/arm64

Machine code emulation

  • Unicorn: CPU emulator with fine-grained instrumentation, hooks for memory accesses, Python API, ...
  • %PANDA: fork of QEMU with support for whole system record/replay and a plugin system for taint analysis, callgraph tracing, ...
  • %Pydgin: Python DSL for generating instruction set simulators

API emulation

  • %usersim: implementation of Windows kernel APIs on top of Windows user-mode APIs, for KMDF driver testing, fuzzing, ...
  • %Qiling: emulator for Windows, Linux, macOS, Android, BSD, UEFI, ... kernel and user-mode APIs based on Unicorn
  • %Limbo: XNU (Darwin) userspace syscall emulator for Linux

Dynamic binary analysis and instrumentation

  • ExtremeDumper: online .NET assembly dumper
  • %Triton: dynamic symbolic execution and LLVM/SMT lifting; "like doing heart surgery with a blender"
  • %Shiva: ELF dynamic linker that performs just-in-time symbol (function, data) interposition; AArch64 only
  • %wsh: loads ET_DYN ELF files and makes API available for scripting
  • %mesos: basic block coverage collector for unmodified Windows user-mode binaries; requires IDA
  • NtLua: Windows kernel mode driver with a Lua interpreter, including ntoskrnl exports and x86 intrinsics
  • Detours: Windows user-mode API hooking library
  • %Frida: Windows/macOS/Linux/Android API tracing and instrumentation tool
  • %Avatar2: toplevel runner for other tools (qemu, angr, openocd, ...), primarily for embedded system analysis, debugging, record/replay, ...
  • CSharpRepl: C# REPL

Static binary analysis and modification

  • readpe: PE file reader, like objdump -p but works better on malware
  • %wld: transforms ELF executables into ELF shared libraries; arch-independent
  • %wcc: transforms ELF/PE/COFF binaries into ELF relocatable object files (unlinker)
  • superlinker: combines ET_DYN ELF files with each other and the program interpreter
  • %dll-merger: merges PE libraries into executables
  • ApplyDeltaB: applies forward/reverse delta patches from Windows Update .msu files or WinSxS
  • Detect it Easy: Windows/Linux/macOS/Android/DOS/... executable and archive analysis tool with a focus on malware analysis and protection/compression/... detection
  • %Microwalk: static/dynamic microarchitectural leakage detection framework
  • %GoReSym: Go symbol recovery based on Go compiler internals
  • %Zydis: x86/x64 disassembler with no dependencies or allocations
  • %LIEF: ELF/PE/MachO parsing and modification library
  • pefile: PE parsing library for Python
  • %seer: byte histogram based CPU architecture recognition tool
  • cpu_rec: Markov chain based CPU architecture recognition tool
  • %allyourbase: fast, FFT-based firmware base address detection tool
  • %at51: 8051 firmware reverse engineering tools with a focus on Keil C51
  • bingrep: ELF/PE/MachO binary printer, like colorful objdump that works well with PE/MachO; not a search tool!
  • %miasm: disassembly, lifting, symbolic and dynamic execution library
  • %angr: disassembly, lifting, and symbolic execution library
  • %IAT patcher: replaces an imported function in a PE file with exports from another file
  • PE-bear: interactive PE file viewer and editor
  • FLOSS: strings if it was good and not based on libbfd; searches for C/Rust/Go strings in read-only data sections, stack-allocated strings, strings in vector registers; PE-only
  • revng: tool to convert machine code fragments into equivalent compilable C code; made by crackheads??
  • %angrop: automated ROP gadget search and chain construction
  • %Ropper: ROP gadget search and display tool
  • apktool: Android application decompiler/recompiler; emits/consumes smali
  • jadx: Android application decompiler; emits Java
  • de4js: JavaScript deobfuscator and unpacker
  • %unpac.me: automated malware unpacking

Filesystem and archive manipulation

  • binwalk: firmware/filesystem/archive/executable/... analysis tool with an emphasis on semi-unstructured vendor blobs
  • unblob: filesystem/archive analysis tool
  • %UEFITool: UEFI firmware viewer and editor
  • fiedka: SoC firmware viewer (UEFI FFS, coreboot CBFS, AMD PSP/ASP)
  • UBI Reader: Python library for Linux UBI/UBIFS extraction and analysis
  • %lessmsi: MSI interactive viewer and batch extractor
  • %innoextract: Inno Setup installer extractor
  • jefferson: Python JFFS2 extractor
  • %pyinstxtractor-ng: PyInstaller extractor (has a web version)
  • %diffoscope: recursive diff tool for archives (developed for debugging reproducible builds)

Data format manipulation

  • delsum: checksum (modular, Fletcher, and CRC) reverse engineering tools
  • biodiff: alignment based file comparison tool
  • %yabo: functional heapless binary parser language
  • %bgrep: search binary files for data with mask specified as hex
  • %MultiRipper: game data archive extraction tool
  • %vgmstream: game music playback tool
  • %binxelview: tool for extracting pixel arrays from binary files
  • %polyfile: libmagic/file replacement tailored for polyglot and recursive files

Signal analysis

  • Wireshark: network protocol analyzer
  • %Modlishka: HTTP reverse proxy capable of intercepting TLS
  • Universal Radio Hacker: RF demodulation and protocol analysis tool
  • %Signalspec: composable digital/analog/radio signal analysis framework
  • %bettercap: WiFi/Ethernet/BLE/CAN reconnaissance and attack tool

Event tracing

  • %DecodeWheaRecord: Windows Hardware Error Architecture (WHEA) record decoder (PCIe errors, firmware errors, machine check errors, ...)
  • %ply: Linux kprobe/tracepoint tracer with a custom language and compiler (not dependent on LLVM/BCC)
  • System Informer: Windows Task Manager if it was good; displays modules (+ a PE viewer), threads (+ stack trace symbolication), security tokens, environment, memory regions (+ hex dump), handles, named pipes, win32k windows, services and drivers, NT objects, NT memory pools, UEFI/SMBIOS tables, ...
  • API Monitor: interactive Windows API tracing tool
  • %UIforETW: captures ETW logs without making you remember tracelog incantations

Hardware instrumentation

  • %usbrply: converter from USB .pcap packet captures to Python libusb calls
  • %hgdb: waveform trace based reversible debugger

Silicon reverse engineering

  • %zorrom: physical <> logical mask ROM layout converter
  • %rompar: mask ROM optical extraction tool
  • %maskromtool: mask ROM optical extraction tool and layout converter
@whitequark

Thanks!
