- Frameworks
- Debuggers & Related Techniques
- Decompilers
- Comparison Tools
- Tools
- Anti-Reverse Engineering & Countermeasure
- Guides & Tutorials
- Hardware Reverse Engineering
- Protocol Analysis
- Write-ups
- Talks & Videos
- Papers
- Wikis & Useful Sites
- http://ropgadget.com/posts/pebwalk.html
- https://github.com/TakahiroHaruyama/ida_haru/tree/master/bindiff
- https://blog.xpnsec.com/analysing-rpc-with-ghidra-neo4j/
- http://kakaroto.homelinux.net/2017/11/introduction-to-reverse-engineering-and-assembly/
- https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/june/advanced-frida-witchcraft-turning-an-android-application-into-a-voodoo-doll/
- RE:
  - https://fkie-cad.github.io/FACT_core/
  - https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool
  - https://dyninst.org/
  - https://drmemory.org/strace_for_windows.html
  - https://www.frida.re/
  - http://dynamorio.org/
  - https://arxiv.org/pdf/1901.01161.pdf
- https://bordplate.no/blog/en/post/debugging-a-windows-service/
- https://doc.dustri.org/reverse/Brian%20Pak%20-%20Effective%20Patch%20Analysis%20for%20Microsoft%20Updates%20-%20Power%20of%20Community%20-%202016.11.pdf
Advanced Portable Executable File Analyzer
- Advanced Portable Executable File Analyzer And Disassembler 32 & 64 Bit

- Debugging with Symbols - docs.ms
- https://secrary.com/Random/unexported/

PDF
- http://joxeankoret.com/blog/2010/02/21/analyzing-pdf-exploits-with-pyew/
- https://blog.didierstevens.com/2008/10/30/pdf-parserpy/
- http://blog.9bplus.com/
- http://blog.9bplus.com/scoring-pdfs-based-on-malicious-filter/
- http://honeynet.org/node/1304
- https://itsjack.cc/blog/2017/08/analysingdetecting-malicious-pdfs-primer/
- https://securityoversimplicity.wordpress.com/2017/09/28/not-all-she-wrote-part-1-rigged-pdfs/
- https://digital-forensics.sans.org/blog/2009/12/14/pdf-malware-analysis/
- https://blog.didierstevens.com/programs/pdf-tools/
- https://blog.didierstevens.com/2009/03/31/pdfid/
- https://www.cs.unm.edu/~eschulte/data/bed.pdf
Educational

Reverse Engineering Reference Manual (beta)
- collage of reverse engineering topics that I find interesting - yellowbyte
- Introduction to Reverse Engineering Software - Dartmouth
- CSCI 4974 / 6974 Hardware Reverse Engineering

Introduction to Reverse Engineering Software
- This book is an attempt to provide an introduction to reverse engineering software under both Linux and Microsoft Windows©. Since reverse engineering is under legal fire, the authors figure the best response is to make the knowledge widespread. The idea is that since discussing specific reverse engineering feats is now illegal in many cases, we should then discuss general approaches, so that it is within every motivated user's ability to obtain information locked inside the black box. Furthermore, interoperability issues with closed-source proprietary systems are just plain annoying, and something needs to be done to educate more open source developers as to how to implement this functionality in their software.
- Reverse History Part Two – Research
- mammon_'s tales to his grandson
- Reversing Prince Harming’s Kiss of Death
- Jailbreaks and Pirate Tractors: Reverse Engineering Do’s and Don’ts
Timelines

Symbolic execution timeline
- Diagram highlights some major tools and ideas of pure symbolic execution, dynamic symbolic execution (concolic) as well as related ideas of model checking, SAT/SMT solving, black-box fuzzing, taint data tracking, and other dynamic analysis techniques.
Things that Don't fit elsewhere

Code Tools

SyntaxHighlighter
- SyntaxHighlighter is a fully functional self-contained code syntax highlighter developed in JavaScript. To get an idea of what SyntaxHighlighter is capable of, have a look at the demo page.

linguist
- Language Savant. If your repository's language is being reported incorrectly, send us a pull request!
- Ohcount - Ohloh's source code line counter.
- Detecting programming language from a snippet
Comparison Tools

binwally
- Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep)
- Using binwally - a directory tree diff tool

Diaphora
- Diaphora (διαφορά, Greek for 'difference') is a program diffing plugin for IDA Pro and Radare2, similar to Zynamics Bindiff or the FOSS counterparts DarunGrim, TurboDiff, etc. It was released during SyScan 2015. It works with IDA Pro 6.9, 6.95 and 7.0. In batch mode, it supports Radare2 too (check this fork). In the future, adding support for Binary Ninja is also planned.
References

FCC ID Lookup
- Lookup devices according to FCC ID
- x86 opcode structure and instruction overview

ARMwiki - heyrick.co.uk
- ARM processor wiki
General Research/Stuff

TAMPER (Tamper And Monitoring Protection Engineering Research)
- In the TAMPER Lab, we study existing security products, document how they have been penetrated in the past, develop new attack techniques, and try to forecast how newly available technologies will make it easier to bypass hardware security mechanisms. We then develop and evaluate new countermeasures and assist industrial designers in staying ahead of the game, most of all by giving them an advanced understanding of which attack techniques are most dangerous. We are especially interested in protection systems for mass-market applications, and in forensic applications.
General Tools

Binary Visualization Tools

binglide
- binglide is a visual reverse engineering tool. It is designed to offer a quick overview of the different data types that are present in a file. This tool does not know about any particular file format, everything is done using the same analysis working on the data. This means it works even if headers are missing or corrupted or if the file format is unknown.

binvis.io
- visual analysis of binary files

cantor.dust
- a powerful, dynamic, interactive binary visualization tool
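The format-agnostic first pass that binglide, binvis.io and cantor.dust all build on is a sliding-window entropy measurement: padding, text, machine code and compressed or encrypted data occupy distinct entropy bands, so regions of a file can be labelled without knowing its format, which is why the tools still work when headers are missing or corrupt. The script below is an added example, not code from any of those projects; the window size, the thresholds and the sample blob are assumptions chosen for illustration.

```python
"""Sliding-window entropy map of an unknown binary (added example, not
binglide/binvis.io/cantor.dust code). Window size, thresholds and the
sample input are assumptions made for this illustration."""
import hashlib
import math
from collections import Counter

WINDOW = 1024  # assumption: 1 KiB windows keep the empirical entropy of random data close to 8 bits


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte of one window (0.0 for an empty window)."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def classify(chunk: bytes) -> str:
    """Coarse label for one window. Thresholds are assumptions; tune them per target."""
    h = shannon_entropy(chunk)
    if h == 0.0:
        return "padding"  # a single repeated byte value (0x00 or 0xFF fill, unused flash)
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in chunk) / len(chunk)
    if printable > 0.95 and h < 5.5:
        return "text"  # ASCII text tops out near log2(#distinct chars), well under 6 bits
    if h > 7.2:
        return "compressed/encrypted"  # ~0.9 of the 8-bit maximum: little structure left
    return "code/data"  # machine code, tables, structured headers


def regions(data: bytes, window: int = WINDOW):
    """Walk the file in fixed windows and merge neighbours with the same label
    into (start, end, label) triples, the list a visualizer would colour."""
    out = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        label = classify(chunk)
        if out and out[-1][2] == label:
            out[-1] = (out[-1][0], off + len(chunk), label)  # extend current region
        else:
            out.append((off, off + len(chunk), label))
    return out


def sample_blob() -> bytes:
    """Constructed input: 1 KiB zero fill, 1 KiB of strings, 2 KiB of high-entropy
    bytes. The high-entropy part is a SHA-256 chain rather than os.urandom so the
    example is deterministic and runs offline."""
    text = (b"Usage: firmware_update <image>\nError: bad checksum\n" * 40)[:1024]
    chain, seed = b"", b"example-seed"
    while len(chain) < 2048:
        seed = hashlib.sha256(seed).digest()
        chain += seed
    return b"\x00" * 1024 + text + chain[:2048]


if __name__ == "__main__":
    for start, end, label in regions(sample_blob()):
        print(f"0x{start:06x}-0x{end:06x} {label}")
```

On a real image the interesting transitions are the edges between regions: a "compressed/encrypted" block that starts right after a "code/data" header is the usual sign of a packed payload or an encrypted filesystem, and the offset of that edge is where a signature scan or a decryption attempt should begin.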
General

Binwalk
- Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
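What Binwalk does underneath is a linear scan for known magic bytes, followed by a hand-off to a format-specific extractor that learns each member's real length by parsing it rather than trusting any size field in the image. The script below is an added example, not Binwalk code; the signature table is a short hand-picked subset, only gzip members are actually carved (via zlib, which verifies the CRC and stops at the member's end), and the "firmware image" is constructed inline.

```python
"""Magic-byte scan and carve in the spirit of Binwalk (added example, not
Binwalk code). SIGNATURES is a hand-picked subset of well-known magics, the
sample image is constructed inline, and only gzip members are carved."""
import gzip
import re
import zlib

# (label, magic) pairs. Offsets reported are relative to the start of the image.
SIGNATURES = [
    ("gzip", b"\x1f\x8b\x08"),      # gzip header with CM=8 (deflate)
    ("zip", b"PK\x03\x04"),         # zip local file header
    ("elf", b"\x7fELF"),
    ("squashfs-le", b"hsqs"),       # little-endian SquashFS superblock
    ("xz", b"\xfd7zXZ\x00"),
]


def scan(data: bytes):
    """Every occurrence of every signature, as a sorted list of (offset, label)."""
    hits = []
    for label, magic in SIGNATURES:
        hits.extend((m.start(), label) for m in re.finditer(re.escape(magic), data))
    return sorted(hits)


def carve_gzip(data: bytes, offset: int):
    """Inflate the gzip member that starts at offset.

    zlib.decompressobj with wbits=16+MAX_WBITS parses the gzip wrapper, checks
    the CRC32/ISIZE trailer and stops at the member's end; whatever follows is
    left in unused_data, which gives the member's true length without trusting
    any length field in the image. Returns (payload, end_offset), or None when
    the member is corrupt or truncated."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    try:
        payload = d.decompress(data[offset:])
    except zlib.error:
        return None  # bad header, bad CRC or corrupt deflate stream
    if not d.eof:
        return None  # input ended before the trailer: truncated member
    return payload, len(data) - len(d.unused_data)


def extract_all(data: bytes):
    """Scan, then carve what we know how to carve. Each hit becomes a dict with
    offset/type and, for gzip, either payload+end or an error."""
    results = []
    for offset, label in scan(data):
        entry = {"offset": offset, "type": label}
        if label == "gzip":
            carved = carve_gzip(data, offset)
            if carved is None:
                entry["error"] = "truncated or corrupt gzip member"
            else:
                entry["payload"], entry["end"] = carved
        results.append(entry)
    return results


def sample_image() -> bytes:
    """Constructed 'firmware image': a made-up 32-byte header, one gzip member
    holding a boot script, 64 bytes of 0xFF fill, then a bare zip local-file
    header magic (no real archive) and trailing zero padding."""
    script = b"#!/bin/sh\necho boot\n" * 20
    member = gzip.compress(script, mtime=0)  # mtime=0 keeps the bytes deterministic
    return (b"BOOTHDR\x00" * 4) + member + (b"\xff" * 64) + b"PK\x03\x04" + (b"\x00" * 58)


if __name__ == "__main__":
    for hit in extract_all(sample_image()):
        print(hit["offset"], hit["type"], hit.get("error", ""), len(hit.get("payload", b"")))
```

Two habits from this carry over to real tooling: a magic match is only a candidate until a parser has walked the structure (the bare `PK\x03\x04` above is reported but never trusted as an archive), and a truncated member is reported as such rather than silently yielding a partial payload, since a cut-off image is the most common reason an extraction "works" but the filesystem inside is unusable.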

Pip3line, the Swiss army knife of byte manipulation
- Pip3line is a raw bytes manipulation utility, able to apply well known and less well known transformations from anywhere to anywhere (almost).

Frida
- Inject JS into native apps

Binacle
- Full-binary ("full-bin") indexing of binary files

Construct2
- Construct is a powerful declarative parser (and builder) for binary data. Instead of writing imperative code to parse a piece of data, you declaratively define a data structure that describes your data. As this data structure is not code, you can use it in one direction to parse data into Pythonic objects, and in the other direction, convert ("build") objects into binary data.
De/Obfuscators/Unpackers

de4dot
- de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (eg. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly.

Universal Extractor
- Universal Extractor is a program designed to decompress and extract files from any type of archive or installer, such as ZIP or RAR files, self-extracting EXE files, application installers, etc.
- Stunnix C/C++ Obfuscator

asar
- Simple extensive tar-like archive format with indexing

Emulators

Unicorn-Engine
- Unicorn is a lightweight multi-platform, multi-architecture CPU emulator framework.

pegasus - Windbg extension DLL for emulation
- Windbg emulation plugin

Packers

UPX - the Ultimate Packer for eXecutables
- UPX is an advanced executable file compressor. UPX will typically reduce the file size of programs and DLLs by around 50%-70%, thus reducing disk space, network load times, download times and other distribution and storage costs.

PE32/Related Tools

Dependency Walker
- Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module, and which of those functions are actually being called by other modules. Another view displays the minimum set of required files, along with detailed information about each file including a full path to the file, base address, version numbers, machine type, debug information, and more.

PPEE(puppy)
- Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more details. Free and fast.

PEStudio
- pestudio is a tool that performs static analysis of 32-bit and 64-bit Windows executable files. A malicious executable attempts to hide its intent and evade detection; in doing so, it generally presents anomalies and suspicious patterns. The goal of pestudio is to detect these anomalies, provide indicators and score the executable being analyzed. Since the executable being analyzed is never started, you can inspect any unknown or malicious executable with no risk.

PEview
- PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files. This PE/COFF file viewer displays header, section, directory, import table, export table, and resource information within EXE, DLL, OBJ, LIB, DBG, and other file types.

OLE

python-oletools
- python-oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.

Searching Through Binaries

bingrep
- Greps through binaries from various OSs and architectures, and colors them.

Static Analysis Tools

Bindead - static binary analysis tool
- Bindead is an analyzer for executable machine code. It features a disassembler that translates machine code bits into an assembler like language (RREIL) that in turn is then analyzed by the static analysis component using abstract interpretation.

Amoco - static binary analysis tool
- Amoco is a python package dedicated to the (static) analysis of binaries. Worth a look on GitHub.
- Statically Linked Library Detector

OS X

Instruments - OS X system analysis
- Instruments is a performance-analysis and testing tool for dynamically tracing and profiling OS X and iOS code. It is a flexible and powerful tool that lets you track a process, collect data, and examine the collected data. In this way, Instruments helps you understand the behavior of both user apps and the operating system.
- Reversing iOS/OS X

Linux
- Statically Linked Library Detector

Rdis
- Rdis is a Binary Analysis Tool for Linux.

Windows

PolyHook - x86/x64 Hooking Library
- Provides abstract C++ 11 interface for various hooking methods

EasyHook
- EasyHook makes it possible to extend (via hooking) unmanaged code APIs with pure managed functions, from within a fully managed environment on 32- or 64-bit Windows XP SP2, Windows Vista x64, Windows Server 2008 x64, Windows 7, Windows 8.1, and Windows 10.

Microsoft Message Analyzer
- Microsoft Message Analyzer is a new tool for capturing, displaying, and analyzing protocol messaging traffic and other system messages. Message Analyzer also enables you to import, aggregate, and analyze data from log and trace files. It is the successor to Microsoft Network Monitor 3.4 and a key component in the Protocol Engineering Framework (PEF) that was created by Microsoft for the improvement of protocol design, development, documentation, testing, and support. With Message Analyzer, you can choose to capture data live or load archived message collections from multiple data sources simultaneously.

API Monitor
- API Monitor is free software that lets you monitor and control API calls made by applications and services. It's a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.

SpyStudio
- SpyStudio shows and interprets calls, displaying the results in a structured way which is easy for any IT professional to understand. SpyStudio can show registry keys and files that an application uses, COM objects and windows the application has created, and errors and exceptions.
- SpyStudio Tutorials

Fibratus
- Fibratus is a tool which is able to capture most of the Windows kernel activity - process/thread creation and termination, file system I/O, registry, network activity, DLL loading/unloading and much more. Fibratus has a very simple CLI which encapsulates the machinery to start the kernel event stream collector, set kernel event filters or run the lightweight Python modules called filaments. You can use filaments to extend Fibratus with your own arsenal of tools.

Deviare2
- Deviare is a professional hooking engine for instrumenting arbitrary Win32 functions, COM objects, and functions whose symbols are located in program databases (PDBs). It can intercept unmanaged code in 32-bit and 64-bit applications. It is implemented as a COM component, so it can be integrated with all the programming languages which support COM, such as C/C++, VB, C#, Delphi, and Python.

Deviare In-Proc
- Deviare In-Proc is a code interception engine for Microsoft Windows® developed by Nektra Advanced Computing. This library is at the core of our Deviare v2.0 and SpyStudio Application Monitor technologies. Deviare is an alternative to Microsoft Detours® but with a dual license distribution. The library is coded in C++ and provides all the facilities required to instrument binary libraries during runtime. It includes support for both 32 and 64 bit applications and it implements the interception verifying different situations that can crash the process. If you need to intercept any Win32 functions or any other code, this library makes it easier than ever. Unlike the rest of the libraries, Deviare In-Proc provides a safe mechanism to implement multi-threaded application API hooking. When an application is running, more than one thread can be executing the code being intercepted. Deviare In-Proc provides safe hooking even in this scenario.

Debuggers

All platforms

Voltron
- Voltron is an extensible debugger UI toolkit written in Python. It aims to improve the user experience of various debuggers (LLDB, GDB, VDB and WinDbg) by enabling the attachment of utility views that can retrieve and display data from the debugger host. By running these views in other TTYs, you can build a customised debugger user interface to suit your needs.

GDB - GNU Debugger
- GDB, the GNU Project debugger, allows you to see what is going on 'inside' another program while it executes -- or what another program was doing at the moment it crashed.

GDB Addons

PEDA
- PEDA - Python Exploit Development Assistance for GDB

gdbgui
- A modern, browser-based frontend to gdb (gnu debugger). Add breakpoints, view stack traces, and more in C, C++, Go, and Rust. Simply run gdbgui from the terminal and a new tab will open in your browser.

GEF - GDB Enhanced Features
- GEF is aimed to be used mostly by exploiters and reverse-engineers. It provides additional features to GDB using the Python API to assist during the process of dynamic analysis or exploit development. Why not PEDA? Yes!! Why not?! PEDA is a fantastic tool to do the same, but is only to be used for x86-32 or x86-64. On the other hand, GEF supports all the architectures supported by GDB (x86, ARM, MIPS, PowerPC, SPARC, and so on).
- Docs

edb
- edb is a cross platform x86/x86-64 debugger. It was inspired by Ollydbg, but aims to function on x86 and x86-64 as well as multiple OS's. Linux is the only officially supported platform at the moment, but FreeBSD, OpenBSD, OSX and Windows ports are underway with varying degrees of functionality.

LLDB
- LLDB is a next generation, high-performance debugger. It is built as a set of reusable components which highly leverage existing libraries in the larger LLVM Project, such as the Clang expression parser and LLVM disassembler. LLDB is the default debugger in Xcode on Mac OS X and supports debugging C, Objective-C and C++ on the desktop and iOS devices and simulator.

Linux

PulseDBG
- Hypervisor-based debugger

xnippet
- xnippet is a tool that lets you load code snippets or isolated functions (no matter the operating system they came from), pass parameters to it in several formats (signed decimal, string, unsigned hexadecimal...), hook other functions called by the snippet and analyze the result. The tool is written in a way that will let me improve it in the future, defining new calling conventions and output argument pointers.

Windows

OllyDbg
- OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
- OllyDbg Tricks for Exploit Development

WinDbg
- WinDbg
- Getting Started with WinDbg part 1
- An Introduction to Debugging the Windows Kernel with WinDbg

pykd
- Python WinDbg extension

WinAppDbg
- The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment. It uses ctypes to wrap many Win32 API calls related to debugging, and provides a powerful abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows. The intended audience are QA engineers and software security auditors wishing to test or fuzz Windows applications with quickly coded Python scripts. Several ready-to-use tools are shipped and can be used for these purposes. Current features also include disassembling x86/x64 native code, debugging multiple processes simultaneously and producing a detailed log of application crashes, useful for fuzzing and automated testing.

DbgShell
- A PowerShell front-end for the Windows debugger engine.

Open Source Windows x86/x64 Debugger

HyperDbg
- HyperDbg is a kernel debugger that leverages hardware-assisted virtualization. More precisely, HyperDbg is based on a minimalistic hypervisor that is installed while the system runs. Compared to traditional kernel debuggers (e.g., WinDbg, SoftIce, Rasta R0 Debugger) HyperDbg is completely transparent to the kernel and can be used to debug kernel code without the need for serial (or USB) cables. For example, HyperDbg allows single-stepping the execution of the kernel, even when the kernel is executing exception and interrupt handlers. Compared to traditional virtual machine based debuggers (e.g., the VMware builtin debugger), HyperDbg does not require the kernel to be run as a guest of a virtual machine, although it is as powerful.
- Paper

Debugging Writeups/Papers
- BugNet: Continuously Recording Program Execution for Deterministic Replay Debugging
- Back to the Future: Omniscient Debugging
- A Review of Reverse Debugging - Jakob Engblom (2012?)
- Binary Hooking Problems
- Hyper-V debugging for beginners
- GCC gOlogy: studying the impact of optimizations on debugging - Alexandre Oliva

Decompilers & Disassemblers

General

IDA
- IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment.
- Overview & Tutorials

fREedom - capstone based disassembler for extracting to binnavi
- fREedom is a primitive attempt to provide an IDA Pro independent means of extracting disassembly information from executables for use with binnavi (https://github.com/google/binnavi).

Hopper
- Hopper is a reverse engineering tool for OS X and Linux, that lets you disassemble, decompile and debug your 32/64bits Intel Mac, Linux, Windows and iOS executables!

Reverse
- Reverse engineering for x86 binaries (elf-format). Generate a more readable code (pseudo-C) with colored syntax. Warning, the project is still in development, use it at your own risk. This tool will try to disassemble one function (by default main). The address of the function, or its symbol, can be passed by argument.

Medusa
- Medusa is a disassembler designed to be both modular and interactive. It runs on Windows and Linux, it should be the same on OSX. This project is organized as a library. To disassemble a file you have to use medusa_dummy or qMedusa. wxMedusa and pydusa are not available anymore.

PLASMA
- PLASMA is an interactive disassembler. It can generate a more readable assembly (pseudo code) with colored syntax. You can write scripts with the available Python API (the project README has an example). The project is still under heavy development.

Snowman decompiler
- Snowman is a native code to C/C++ decompiler, supporting x86, AMD64, and ARM architectures. You can use it as a standalone GUI application, a command-line tool, an IDA plug-in, a radare2 plug-in, an x64dbg plug-in, or a library. Snowman is free software.

Panopticon
- Panopticon is a cross platform disassembler for reverse engineering written in Rust. It can disassemble AMD64, x86, AVR and MOS 6502 instruction sets and open ELF files. Panopticon comes with a Qt GUI for browsing and annotating control flow graphs.

BinaryNinja

BinDbg
- BinDbg is a Binary Ninja plugin that syncs WinDbg to Binja to create a fusion of dynamic and static analyses. It was primarily written to improve the Windows experience for Binja debugger integrations.

Java

Procyon - Java Decompiler

Luyten
- Java Decompiler Gui for Procyon

JavaSnoop
- A tool that lets you intercept methods, alter data and otherwise test the security of Java applications on your computer.
- Black Hat 2010 - JavaSnoop: How to hack anything written in Java
- JavaSnoop – Debugging Java applications

Krakatau
- Java decompiler, assembler, and disassembler

Bytecode Viewer
- Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more. It's written completely in Java, and it's open sourced. It's currently being maintained and developed by Konloch.

.NET

DotPeek
- dotPeek is a .NET decompiler that has several handy features.

dnSpy
- dnSpy is a debugger and .NET assembly editor. You can use it to edit and debug assemblies even if you don't have any source code available.

ILSpy
- ILSpy is the open-source .NET assembly browser and decompiler.

Shed
- Shed is an application that inspects the .NET runtime of a program in order to extract useful information. It can be used to inspect malicious applications to get a first general overview of which information is stored once the malware is executed.

dotNET_WinDBG
- This python script is designed to automate .NET analysis with WinDBG. It can be used to analyse a PowerShell script or to unpack a binary packed using a .NET packer.

Unravelling .NET with the Help of WinDBG - TALOS
- This article describes: How to analyse PowerShell scripts by inserting a breakpoint in the .NET API; How to easily create a script to automatically unpack .NET samples following analysis of the packer logic.

IDA specific Stuff
- IDA Extensions

BAP-IDA
- This package provides the necessary IDAPython scripts required for interoperability between BAP and IDA Pro. It also provides many useful feature additions to IDA, by leveraging power from BAP.

funcap - IDA Pro script to add some useful runtime info to static analysis.
- This script records function calls (and returns) across an executable using IDA debugger API, along with all the arguments passed. It dumps the info to a text file, and also inserts it into IDA's inline comments. This way, static analysis that usually follows the behavioral runtime analysis when analyzing malware, can be directly fed with runtime info such as decrypted strings returned in function's arguments. In author's opinion this allows to understand the program's logic way faster than starting the "zero-knowledge" reversing. Quick understanding of a malware sample code was precisely the motivation to write this script and the author has been using it successfully at his $DAYJOB. It is best to see the examples with screenshots to see how it works (see the project README). It must be noted that the script has been designed with many misconceptions, errors and bad design decisions (see issues and funcap.py code) as I was learning when coding but it has one advantage - it kind of works :) Current architectures supported are x86, amd64 and arm.

IDAPython Embedded Toolkit
- IDAPython is a way to script different actions in the IDA Pro disassembler with Python. This repository of scripts automates many different processes necessary when analyzing the firmware running on microcontroller and microprocessor CPUs. The scripts are written to be easily modified to run on a variety of architectures. Read the instructions in the header of each script to determine what ought to be modified for each architecture.

IDA Plugins
- A list of IDA Plugins

IDA Python - Ero Carrera
- IDAPython is an extension for IDA, the Interactive Disassembler. It brings the power and convenience of Python scripting to aid in the analysis of binaries. This article will cover some basic usage and provide examples to get interested individuals started. We will walk through practical examples ranging from iterating through functions, segments and instructions to data mining the binaries, collecting references and analyzing their structure.

Kam1n0-Plugin-IDA-Pro
- Kam1n0 is a scalable system that supports assembly code clone search. It allows a user to first index a (large) collection of binaries, and then search for the code clones of a given target function or binary file. Kam1n0 tries to solve the efficient subgraph search problem (i.e. graph isomorphism problem) for assembly functions. Given a target function, it can identify the cloned subgraphs among other functions in the repository. Kam1n0 supports rich comment format and has an IDA Pro plug-in to use its indexing and searching capabilities via IDA Pro.

FLARE-Ida
- This repository contains a collection of IDA Pro scripts and plugins used by the FireEye Labs Advanced Reverse Engineering (FLARE) team.

toolbag
- The IDA Toolbag is a plugin providing supplemental functionality to Hex-Rays IDA Pro disassembler.

Dynamic IDA Enrichment (aka. DIE)
- DIE is an IDA python plugin designed to enrich IDA's static analysis with dynamic data. This is done using the IDA Debugger API, by placing breakpoints in key locations and saving the current system context once those breakpoints are hit.

HexRaysCodeXplorer
- Hex-Rays Decompiler plugin for better code navigation in RE process of C++ applications or code reconstruction of modern malware such as Stuxnet, Flame, Equation

Ida Pomidor
- IDA Pomidor is a fun and simple plugin for the Hex-Rays IDA Pro disassembler that will help you retain concentration and productivity during long reversing sessions.

idaConsonance
- Consonance, a dark color theme for IDA.

Lighthouse - Code Coverage Explorer for IDA Pro
- Lighthouse is a code coverage plugin for IDA Pro. The plugin leverages IDA as a platform to map, explore, and visualize externally collected code coverage data when symbols or source may not be available for a given binary.

NRS
- NRS is a set of Python libraries used to unpack and analyze NSIS installers' data. It also features an IDA plugin used to disassemble the NSIS script of an installer.

Ponce
- Ponce (pronounced ['poN θe], pon-they) is an IDA Pro plugin that provides users the ability to perform taint analysis and symbolic execution over binaries in an easy and intuitive fashion. With Ponce you are one click away from getting all the power from cutting edge symbolic execution. Entirely written in C/C++.

IDASkins
- Advanced skinning plugin for IDA Pro

Ida Sploiter
- IDA Sploiter is a plugin for Hex-Rays IDA Pro disassembler designed to enhance IDA's capabilities as an exploit development and vulnerability research tool. Some of the plugin's features include a powerful ROP gadgets search engine, semantic gadget analysis and filtering, interactive ROP chain builder, stack pivot analysis, writable function pointer search, cyclic memory pattern generation and offset analysis, detection of bad characters and memory holes, and many others.

vtbl-ida-pro-plugin
- Identifying Virtual Table Functions using VTBL IDA Pro Plugin + Deviare Hooking Engine

virusbattle-ida-plugin
- The plugin is an integration of Virus Battle API to the well known IDA Disassembler. Virusbattle is a web service that analyses malware and other binaries with a variety of advanced static and dynamic analyses.

ida-batch_decompile
- IDA Batch Decompile is a plugin for Hex-Rays IDA Pro that adds the ability to batch decompile multiple files and their imports with additional annotations (xref, stack var size) to the pseudocode .c file

IdaRef
- IDA Pro Full Instruction Reference Plugin - It's like auto-comments but useful.

YaCo (https://github.com/DGA-MI-SSI/YaCo)
- YaCo is a Hex-Rays IDA plugin. When enabled, multiple users can work simultaneously on the same binary. Any modification done by any user is synchronized through git version control.

HexRaysPyTools
- The plugin assists in the creation of classes/structures and detection of virtual tables. It also facilitates transforming decompiler output faster and allows some things that are otherwise impossible.

File Formats

Flash Player

#Fldbg
- #Fldbg, a Pykd script to debug FlashPlayer

SWFRETools
- The SWFRETools are a collection of tools built for vulnerability analysis of the Adobe Flash player and for malware analysis of malicious SWF files. The tools are partly written in Java and partly in Python and are licensed under the GPL 2.0 license.

Frameworks

angr
- angr is a python framework for analyzing binaries. It focuses on both static and dynamic symbolic ("concolic") analysis, making it applicable to a variety of tasks.

Radare2 - unix-like reverse engineering framework and commandline tools (http://www.radare.org/y/?p=features)
- Its informal goal is to be the best RE software framework.
- Github
- Radare2 Book (free)
- Radare2 Documentation
- Reverse engineering embedded software using Radare2 - Talk/Tutorial
- Notes and Demos for above video
- radare2 cheat sheet
- radare2 as an alternative to gdb-peda
- Radare2 in 0x1E minutes

cutter
- A Qt and C++ GUI for radare2 reverse engineering framework

BitBlaze
- The BitBlaze project aims to design and develop a powerful binary analysis platform and employ the platform in order to (1) analyze and develop novel COTS protection and diagnostic mechanisms and (2) analyze, understand, and develop defenses against malicious code. The BitBlaze project also strives to open new application areas of binary analysis, which provides sound and effective solutions to applications beyond software security and malicious code defense, such as protocol reverse engineering and fingerprint generation.

Platform for Architecture-Neutral Dynamic Analysis

BARF-Project
- BARF : A multiplatform open source Binary Analysis and Reverse engineering Framework
- Presentation: Barfing Gadgets - Ekoparty 2014

Programming Language Specifics/Libraries
Libraries
- openreil
  - Open source library that implements translator and tools for REIL (Reverse Engineering Intermediate Language)
Go
Java
- PortEx
  - PortEx is a Java library for static malware analysis of Portable Executable files. Its focus is on PE malformation robustness, and anomaly detection. PortEx is written in Java and Scala, and targeted at Java applications.
Python
Bytecode
- Gynvael’s Mission 11 (en): Python bytecode reverse-engineering
- Deobfuscating Python Bytecode
- Equip: python bytecode instrumentation
  - equip is a small library that helps with Python bytecode instrumentation. Its API is designed to be small and flexible to enable a wide range of possible instrumentations. The instrumentation is designed around the injection of bytecode inside the bytecode of the program to be instrumented. However, the developer does not need to know anything about the Python bytecode since the injected code is Python source.
Decompilation
- python-uncompyle6
  - A native Python cross-version Decompiler and Fragment Decompiler. The successor to decompyle, uncompyle, and uncompyle2.
- Decompyle++
  - C++ python bytecode disassembler and decompiler
- Python Decompiler
  - This project aims to create a comprehensive decompiler for CPython bytecode (likely works with PyPy as well, and any other Python implementation that uses CPython's bytecode)
- PyInstaller Extractor
  - Extract contents of a Windows executable file created by pyinstaller
- Easy Python Decompiler
  - Python 1.0 - 3.4 bytecode decompiler
Anti-Reverse Engineering Techniques & Countermeasures
Talks
Techniques
- The “Ultimate” Anti-Debugging Reference - Peter Ferrie 2011/4
- Android Reverse Engineering Defenses
- Anti-RE A collection of Anti-Reverse Engineering Techniques
- Anti Reverse Engineering
- Fun combining anti-debugging and anti-disassembly tricks
- simpliFiRE.AntiRE - An Executable Collection of Anti-Reversing Techniques
  - AntiRE is a collection of such anti-analysis approaches, gathered from various sources like Peter Ferrie's The "Ultimate" Anti-Debugging Reference and Ange Albertini's corkami. While these techniques by themselves are nothing new, we believe that the integration of these tests in a single, executable file provides a comprehensive overview on these, suitable for directly studying their behaviour in a harmless context without additional efforts. AntiRE includes different techniques to detect or circumvent debuggers, fool execution tracing, and disable memory dumping. Furthermore, it can detect the presence of different virtualization environments and gives examples of techniques used to thwart static analysis.
- OpenRCE Anti Reverse Engineering Techniques Database
- Windows Anti-Debugging Reference
  - This paper classifies and presents several anti-debugging techniques used on Windows NT-based operating systems. Anti-debugging techniques are ways for a program to detect if it runs under control of a debugger. They are used by commercial executable protectors, packers and malicious software, to prevent or slow down the process of reverse-engineering. We'll suppose the program is analyzed under a ring3 debugger, such as OllyDbg on Windows platforms. The paper is aimed towards reverse-engineers and malware analysts. Note that we will talk purely about generic anti-debugging and anti-tracing techniques. Specific debugger detection, such as window or process enumeration, registry scanning, etc. will not be addressed here.
- Windows Anti-Debug techniques - OpenProcess filtering
- Detecting debuggers by abusing a bad assumption within Windows
- Dangers of the Decompiler - A Sampling of Anti-Decompilation Techniques
- JavaScript AntiDebugging Tricks - x-c3ll
Tools
- ALPHA3
  - ALPHA3 is a tool for transforming any x86 machine code into 100% alphanumeric code with similar functionality. It works by encoding the original code into alphanumeric data and combining this data with a decoder, which is a piece of x86 machine code written specifically to be 100% alphanumeric. When run, the decoder converts the data back to the original code, after which it is executed.
- reductio [ad absurdum]
  - an exploration of code homeomorphism: all programs can be reduced to the same instruction stream.
- REpsych - Psychological Warfare in Reverse Engineering
  - The REpsych toolset is a proof-of-concept illustrating the generation of images through a program's control flow graph (CFG).
- IDAnt-wanna
  - ELF header abuse
- makin
  - makin - reveal anti-debugging tricks
Hardware Reverse Engineering
- See 'Embedded Devices & Hardware Hacking'
.NET Related
- Getting Started with CLR MD
- Microsoft.Diagnostics.Runtime.dll (CLR MD)
  - Microsoft.Diagnostics.Runtime.dll (nicknamed "CLR MD") is a process and crash dump introspection library. This allows you to write tools and debugger plugins which can do things similar to SOS and PSSCOR.
- Reflexil
  - Reflexil is an assembly editor and runs as a plug-in for Red Gate's Reflector, ILSpy and Telerik's JustDecompile. Reflexil uses Mono.Cecil, written by Jb Evain, and is able to manipulate IL code and save the modified assemblies to disk. Reflexil also supports C#/VB.NET code injection.
Writeups
101s
Binary & Code Analysis
- Byteweight: Learning to Recognize Functions in Binary Code
- Memalyze: Dynamic Analysis of Memory Access Behavior in Software
  - This paper describes strategies for dynamically analyzing an application's memory access behavior. These strategies make it possible to detect when a read or write is about to occur at a given location in memory while an application is executing. An application's memory access behavior can provide additional insight into its behavior. For example, it may be able to provide an idea of how data propagates throughout the address space. Three individual strategies which can be used to intercept memory accesses are described in this paper. Each strategy makes use of a unique method of intercepting memory accesses. These methods include the use of Dynamic Binary Instrumentation (DBI), x86 hardware paging features, and x86 segmentation features. A detailed description of the design and implementation of these strategies for 32-bit versions of Windows is given. Potential uses for these analysis techniques are described in detail.
- How to Grow a TREE from CBASS - Interactive Binary Analysis for Security Professionals
File Formats
- Reversing Monkey
  - When trying to recover/carve deleted data, some reverse engineering of the file format may be required. Without knowing how the data is stored, we cannot recover the data of interest - be it timestamps, messages, images, video or another type of data. This quick blog post is intended to give some basic tips that have been observed during monkey's latest travels into reverse engineering of file formats. It was done partly as a memory aid/thinking exercise but hopefully other monkeys will find it useful. This post assumes there's no obfuscation/encryption applied to the file and it does not cover reverse engineering malware exes (which is another kettle of bananas).
- How to RE data files?
Firmware
General
- Reverse Engineering Flash Memory for Fun and Benefit - BlackHat 2014
- Getting access to your own Fitbit data
  - This study investigates the possibility of getting direct access to one’s own data, as recorded by a Fitbit Charge HR activity tracker, without going through the Fitbit servers. We captured the firmware image of the Fitbit Charge HR during a firmware update. By analyzing this firmware image we were able to reverse-engineer the cryptographic primitives used by the Fitbit Charge HR activity tracker and recover the authentication protocol. We obtained the cryptographic key that is used in the authentication protocol from the Fitbit Android application. We located a backdoor in version 18.102 of the firmware by comparing it with the latest version of the firmware (18.122). In the latest version of the firmware the backdoor was removed. This backdoor was used to extract the device specific encryption key from the memory of the tracker. While we have not implemented this last step in practice, the device specific encryption key can be used by a Fitbit Charge HR user to obtain his/her fitness data directly from the device.
- Screwdriving. Locating and exploiting smart adult toys
- Hacking travel routers like it’s 1999
- Reverse Engineering IoT Devices
- How I Reverse Engineered and Exploited a Smart Massager
- Make Confide great again? No, we cannot
  - RE'ing an electron based "secure communications" app
- The Three Billion Dollar App - Vladimir Wolstencroft - Troopers14
  - Talk about reverse engineering SnapChat and Wickr Messaging apps.
- A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony
  - Abstract: The privacy of most GSM phone conversations is currently protected by the 20+ years old A5/1 and A5/2 stream ciphers, which were repeatedly shown to be cryptographically weak. They will soon be replaced in third generation networks by a new A5/3 block cipher called KASUMI, which is a modified version of the MISTY cryptosystem. In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of $2^{-14}$. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, $2^{26}$ data, $2^{30}$ bytes of memory, and $2^{32}$ time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity. Interestingly, neither our technique nor any other published attack can break MISTY in less than the $2^{128}$ complexity of exhaustive search, which indicates that the changes made by the GSM Association in moving from MISTY to KASUMI resulted in a much weaker cryptosystem.
- Reverse engineering HID iClass Master keys
- Reversing EVM bytecode with radare2
- WhatsApp Web reverse engineered
  - This project intends to provide a complete description and re-implementation of the WhatsApp Web API, which will eventually lead to a custom client. WhatsApp Web internally works using WebSockets; this project does as well.
OS X
- Reverse Engineering Mac OS X
  - Excellent source of papers from 2003-2013 all with a focus on reversing either iOS or OS X.
- osx & ios re 101
Packers
- A Brief Examination of Hacking Team’s Crypter: core-packer.
- The Art of Unpacking - Paper
  - Abstract: The main purpose of this paper is to present anti-reversing techniques employed by executable packers/protectors, and also to discuss techniques and publicly available tools that can be used to bypass or disable these protections. This information will allow researchers, especially malcode analysts, to identify these techniques when utilized by packed malicious code, and then be able to decide the next move when these anti-reversing techniques impede successful analysis. As a secondary purpose, the information presented can also be used by researchers that are planning to add some level of protection to their software by slowing down reversers from analyzing their protected code, but of course, nothing will stop a skilled, informed, and determined reverser.
- Paper on Manual unpacking of UPX packed executable using Ollydbg and Importrec
PDFs
- Advanced PDF Tricks - Ange Albertini, Kurt Pfeifle - Troopers1
  - This session is NOT about analyzing exploits but about learning to manipulate PDF contents. Among others: hide/reveal information; remove/add watermark; just suck less about the format. It's an extended session (2 hours) to leave the audience time to try by themselves actively. The slides' PDF is entirely hand-written to explain clearly each fact, so the presentation slides themselves will be the study materials.
Process Hooking
- [Software Hooking methods review (2016)](https://www.blackhat.com/docs/us-16/materials/us-16-Yavo-Captain-Hook-Pirating-AVs-To-Bypass-Exploit-Mitigations-wp.pdf)
- PolyHook
Protocols
- Somfy Smoove Origin RTS Protocol
  - This document describes the Somfy RTS protocol as used by the “Somfy Smoove Origin RTS”. Most information in this document is based on passive observation of the data sent by the Smoove Origin RTS remote, and thus can be inaccurate or incorrect!
- Reverse Engineering The eQSO Protocol
  - Today I reverse engineered the eQSO protocol. If you didn't know, eQSO is a small program that allows radio amateurs to talk to each other online. Sadly this program isn't as popular as it used to be (Well, neither is the radio).
- Cyber Necromancy - Reverse engineering dead protocols - Defcamp 2014
- Reverse Engineering of Proprietary Protocols, Tools and Techniques - Rob Savoye - FOSDEM 2009
  - This talk is about reverse engineering a proprietary network protocol, and then creating my own implementation. The talk will cover the tools used to take binary data apart, capture the data, and techniques I use for decoding unknown formats. The protocol covered is the RTMP protocol used by Adobe flash, and this new implementation is part of the Gnash project.
- Netzob
  - Originally, the development of Netzob was initiated to support security auditors and evaluators in their activities of modeling and simulating undocumented protocols. The tool has since been extended to allow smart fuzzing of unknown protocols.
  - Netzob Documentation
Satellites
Windows
- Windows for Reverse Engineers
- Introduction to Reverse Engineering Win32 Applications
  - During the course of this paper the reader will be (re)introduced to many concepts and tools essential to understanding and controlling native Win32 applications through the eyes of Windows Debugger (WinDBG). Throughout, WinMine will be utilized as a vehicle to deliver and demonstrate the functionality provided by WinDBG and how this functionality can be harnessed to aid the reader in reverse engineering native Win32 applications. Topics covered include an introductory look at IA-32 assembly, register significance, memory protection, stack usage, various WinDBG commands, call stacks, endianness, and portions of the Windows API. Knowledge gleaned will be used to develop an application designed to reveal and/or remove bombs from the WinMine playing grid.
- Reverse Engineering Windows AFD.sys
- Event Tracing for Windows and Network Monitor
  - "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it’s something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What’s new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
- Improving Automated Analysis of Windows x64 Binaries
  - As Windows x64 becomes a more prominent platform, it will become necessary to develop techniques that improve the binary analysis process. In particular, automated techniques that can be performed prior to doing code or data flow analysis can be useful in getting a better understanding for how a binary operates. To that point, this paper gives a brief explanation of some of the changes that have been made to support Windows x64 binaries. From there, a few basic techniques are illustrated that can be used to improve the process of identifying functions, annotating their stack frames, and describing their exception handler relationships. Source code to an example IDA plugin is also included that shows how these techniques can be implemented.
- Microsoft Patch Analysis for Exploitation
  - Since the early 2000's Microsoft has distributed patches on the second Tuesday of each month. Bad guys, good guys, and many in-between compare the newly released patches to the unpatched version of the files to identify the security fixes. Many organizations take weeks to patch and the faster someone can reverse engineer the patches and get a working exploit written, the more valuable it is as an attack vector. Analysis also allows a researcher to identify common ways that Microsoft fixes bugs which can be used to find 0-days. Microsoft has recently moved to mandatory cumulative patches which introduces complexity in extracting patches for analysis. Join me in this presentation while I demonstrate the analysis of various patches and exploits, as well as the best-known method for modern patch extraction.
Wireless
- Reverse engineering radio weather station
- You can ring my bell! Adventures in sub-GHz RF land…
- Reverse engineering walk through; guy REs alarm system from shelf to replay
- Blackbox Reversing an Electric Skateboard Wireless Protocol
- Reverse Engineering a 433MHz Motorised Blind RF Protocol
- Flipping Bits and Opening Doors: Reverse Engineering the Linear Wireless Security DX Protocol
- Dissecting Industrial Wireless Implementations - DEF CON 25
- State of the art of network protocol reverse engineering tools
- Cool resource relating to REing linux related things. Structured similarly to this reference.
- Reversing Objective-C Binaries With the REobjc Module for IDA Pro - Todd Manning
- OleViewDotNet is a .NET 4 application to provide a tool which merges the classic SDK tools OleView and Test Container into one application. It allows you to find COM objects through a number of different views (e.g. by CLSID, by ProgID, by server executable), enumerate interfaces on the object and then create an instance and invoke methods. It also has a basic container to attach ActiveX objects to, so you can see the display output while manipulating the data.
- Interactive code tracer for reverse-engineering proprietary software
- BinCAT is a static Binary Code Analysis Toolkit, designed to help reverse engineers, directly from IDA.
- rr is a lightweight tool for recording and replaying execution of applications (trees of processes and threads). More information about the project, including instructions on how to install, run, and build rr, is at http://rr-project.org.w
QEMU
- PyREBox
  - PyREBox is a Python scriptable Reverse Engineering sandbox. It is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective. PyREBox allows you to inspect a running QEMU VM, modify its memory or registers, and instrument its execution by writing simple Python scripts to automate any kind of analysis. QEMU (when working as a whole-system emulator) emulates a complete system (CPU, memory, devices...). By using VMI techniques, it does not require any modification of the guest operating system, as it transparently retrieves information from its memory at run-time.
Binary Instrumentation
- Dynamic Binary Instrumentation Primer - rui - deniable.org
  - "Dynamic Binary Instrumentation (DBI) is a method of analyzing the behavior of a binary application at runtime through the injection of instrumentation code" - Uninformed 2007
- Project Etnaviv is an open source user-space driver for the Vivante GCxxx series of embedded GPUs. This repository contains reverse-engineering and debugging tools, and rnndb register documentation. It is not necessary to use this repository when building the driver.
Android
- Tracing arbitrary Methods and Function calls on Android and iOS
- Offensive & Defensive Android Reverse Engineering
  - Thinking like an attacker, you will learn to identify juicy Android targets, reverse engineer them, find vulnerabilities, and write exploits. We will deep dive into reverse engineering Android frameworks, applications, services, and boot loaders with the end goal of rooting devices. Approaching from a defensive perspective, we will learn to quickly triage applications to determine maliciousness, exploits, and weaknesses. After learning triage skills, we will deep dive into malicious code while dealing with packers, obfuscators, and anti-reversing techniques. Between the offensive and defensive aspects of this class, you should walk away with the fundamentals of reverse engineering and a strong understanding of how to further develop your skills for mobile platforms.
- ARM processor wiki
- https://github.com/Wenzel/r2vmi
- https://github.com/giMini/mimiDbg
- https://github.com/samyk/frisky
- https://hshrzd.wordpress.com/how-to-start/
- http://www.hexacorn.com/blog/2018/04/14/how-to-become-the-best-malware-analyst-e-v-e-r/
- https://github.com/yellowbyte/reverse-engineering-reference-manual
- https://hex-rays.com/contests/2017/index.shtml
- https://www.endgame.com/blog/technical-blog/introduction-windows-kernel-debugging
- http://jamie-wong.com/post/reverse-engineering-instruments-file-format/
- http://deniable.org/reversing/binary-instrumentation
- http://terminus.rewolf.pl/terminus/
Symbolic Execution
- [Theorem prover, symbolic execution and practical reverse-engineering](https://doar-e.github.io/presentations/securityday2015/SecDay-Lille-2015-Axel-0vercl0k-Souchet.html#/)
- [A bibliography of papers related to symbolic execution](https://github.com/saswatanand/symexbib)
- [BOLO: Reverse Engineering — Part 1 (Basic Programming Concepts) - Daniel Bloom](https://medium.com/bugbountywriteup/bolo-reverse-engineering-part-1-basic-programming-concepts-f88b233c63b7)