A curated list of awesome reverse engineering resources to make you better!
Managed by Reversing.ID for the reversing community.
Software Reverse Engineering
focus on code, related data, and architecture which build a complete software.
The goals:
- Recover lost information, or to make documentation.
- Detect side effects (bugs, backdoor, vulnerabilities)
- Synthesis higher abstraction.
- Facilitate reuse.
In most case, the target of Software Reversing is code in compiled form (native or intermediate), either executable or libraries.
- Resources
- Tools
- Scripting
Reversing Concept
- Reverse Engineering for Beginners
- Practical Reverse Engineering
- Reversing: Secrets of Reverse Engineering
- Practical Malware Analysis
Tools
Assembly and languages
Specific topic on Software Reverse Engineering
- Next Generation debugger for reverse engineering
- Behind Enemy Lines Reverse Engineering C++ in Modern Ages
- Overcoming Java Vulnerabilities
- Reverse engineering tools review
- Intercepting DLL libraries calls. API hooking in practice
- Windows Hot Patching Mechanism Explained
- How to write a CrackMe for a CTF competition
- Anti reverse engineering. Malware vs Antivirus Software
- Code of destruction – malware analysis
- Polymorphic Encryption Algorithms
- Reversing reading - coming soon.
Reverse Engineering Courses
- Lenas Reversing for Newbies
- Open Security Training
- Dr. Fu's Malware Analysis
- Binary Auditing Course
- TiGa's Video Tutorials
- Legend of Random
- Practical Malware Analysis
- Modern Binary Exploitation
- RPISEC Malware Course
- begin.re
- RE101
- RE102
- ARM Assembly Basics
- Offensive and Defensive Android Reversing
Binary Analysis Channels
- OALabs
- MalwareTech
- GynvaelEN
- VirusBtn
- Intro to WinDBG
- hasherzade
- Colin Hardy
- MalwareAnalysisHedgehog
- LiveOverflow
Practice Reverse Engineering
- Reversing.ID Crackmes Repository
- Crackmes.one
- OSX Crackmes
- ESET Challenges
- Flare-on Challenges
- Github CTF Archives
- Reverse Engineering Challenges
- xorpd Advanced Assembly Exercises
- Virusshare.com
- Contagio
- Malware-Traffic-Analysis
- Malshare
- Malware Blacklist
- malwr.com
- vxvault
Learning Assembly
- Low-level Code Reference
- Assembly code size optimization tricks
- When and how to use an assembler. Assembly programming basics
Intermediate Representation
Hex editor lets you view/edit the binary data of a file.
Multi/cross platform
Windows
Mac OS X
File information and format identifier
Executable detector
Executable explorer
Dependency check
- DependencyWalker
- slid - statically linked library detector.
Format parser and modification
- Kaitai Struct - develop format parsers by declarative approach
- LIEF - Library to Instrument Executable Formats, easily parse, modify and abstract many file formats.
- QuickBMS - easily extract and modify file format with support of encryption, compressions, obfuscation, and other algorithms.
Java bytecode editor
Native code disassembler and decompiler
- Ghidra
- IDA Pro
- Binary Ninja
- Relyze Desktop
- Radare2 // Cutter
- Hopper
- fREedom
- Retdec
- Snowman
- objdump
- Medussa
- Plasma
- Capstone - lightweight multi-platform, multi-architecture disassembly framework based on LLVM.
- distorm3 - lightweight library for disassembling binary stream.
- zydis - fast and lightweight x86/x86-64 disassembler library.
Android application disassembler / decoder
- JEB2 - eclipse-based integrated reverse engineering platform for analyzing various parts of Android application components.
Java decompiler
- Bytecode Viewer - aggregate of various tools
- Procyon
- CFR
- FernFlower
- Krakatau
- Luyten
.NET decompiler
Python decompiler
- uncompyle6
- decompile3 - reworking and refactoring of
uncompyle6
which focus on Python 3.7+
Flash decompiler
- JPEXS Flash Decompiler - open source SWF decompiler and editor, convert SWF to FLA, edit ActionScript, replace resources (images, sounds, texts, fonts).
- Flare - Extract all scripts from SWF.
Delphi decompiler
Lua decompiler
- UnLuac - decompiler for Lua 5.0 - 5.4 and require debugging information (non-stripped).
- LuaDec - decompiler based on luadec 5.0.x and LuaDec51.
AutoIT decompiler
Ethereum (EVM) Solidity disassembler / decompiler
- evmdis - EVM disassembler by static analysis on the bytecode.
- pyevmasm - assembler and disassembler library for EVM (Ethereum Virtual Machine).
Multi/cross platform
Windows
Linux
Virtual Machine Introspection for debugging
Hypervisor debugger
- HyperDbg - minimalistic hypervisor with hardware-assisted virtualization to debug kernel.
GDB enrichment
OllyDbg variant
Graphic Debugger
Network simulation
Packet Capture
Process
Tracer
- API Monitor
- Process Monitor
- SpyStudio
- fibratus - explore and trace windows kernel
- TCPView
- CDA: Code Dynamic Analysis
Sandbox
Misc
- Objective-See Utilities
- XCode Instruments - XCode Instruments for Monitoring Files and Processes User Guide
- dtrace script for Mac - sudo dtruss = strace dtrace recipes
- fs_usage - report system calls and page faults related to filesystem activity in real-time. File I/O: fs_usage -w -f filesystem
- dmesg - display the system message buffer
Native
- DynamoRIO - runtime code manipulation system that supports code transformation on any part of program.
- Frida - scriptable DBI toolkit for cross-platform target.
- Pin
- QBDI - modular, cross-platform, and cross-architecture DBI framework backed by LLVM.
.NET
- Hawkeye2 - view, edit, analyze, and invoke (almost) any object from .net applications.
- UnityDoorstop - execute managed assemblies inside Unity as early as possible.
- Angr - python framework for analyzing binaries, combines both static and dynamic symbolic (concolic) analysis.
- Triton - dynamic binary analysis (DBA) framework.
- BAP - suite of utilities and libraries that enable analysis of programs in their machine representations.
- BitBlaze
- PANDA - Platform for Architecture-Neutral Dynamic Analysis, built on QEMU system emulator, analyzecode in runtime.
- BARF
- S2E - platform for in-vivo analysis of software systems.
- miasm - analyze / modify / generate binary program with python.
- soot - java optimization framework
Symbolic Execution (only)
- KLEE - dynamic symbolic execution engine built on top of the LLVM compiler infrastructure
- manticore - symbolic execution tool for analysis of smart contracts and binaries.
- Kite - conflict-driven symbolic execution tool (proof of concept)
- jCUTE - Java Concolic Unit Testing Engine, automatically generate unit tests for Java programs.
- ExpoSE - dynamic symbolic execution engine for JavaScript.
- ESILSolve - python symbolic execution framework using r2 and ESIL.
Binary lifting
- McSema - framework for lifting x86, amd64, and aarch64 program binareis to LLVM bitcode.
Theorem prover and solver
Windows
Import reconstructor
Data-type reconstructor
- ReClassEx
- ReClass.NET - port of ReClass to .NET
- FUU - [F]aster [U]niversal [U]npacker
- TitanEngine
Native
AutoIt scripts
Native
- LLVM Deobfuscator
- SATURN - software deobfuscation framework based on LLVM.
Java
.NET
Javascript
PHP
String extraction
See also Data & Format Reversing.
- bingrep - grep through binaries
- IDA Python Src - source code for IDAPython plugin, enable python script running in IDA Pro .
references
- IDC Functions Doc
- Using IDAPython to Make your Life Easier
- Introduction to IDA Python
- The Beginner's Guide to IDA Python
- IDA Plugin Contest
Script collection
- fireeye/flare-ida - multiple IDA plugins and IDAPython scripts by FLARE team.
- devttys0/ida - collection of IDAPython plugins/scripts/modules.
- onehawt IDA Plugin List - list of ida scripts (IDC / IDAPython), links to many repository.
Script collection