Tools for analyzing, decompiling, and reverse engineering compiled binary files across various architectures and platforms.
Radare2 is a comprehensive framework for reverse engineering and analyzing compiled software. It provides a command-line environment designed for disassembling, debugging, and patching binary executables across a wide range of processor architectures and operating systems. The system distinguishes itself through a modular, plugin-based architecture that supports cross-platform analysis and automated workflows. It utilizes memory-mapped file access to enable efficient structural inspection and modification of binaries without requiring full file loads. By lifting machine instructions into a unified intermediate representation, the tool facilitates consistent analysis, emulation, and pseudo-code generation regardless of the underlying hardware. The platform covers a broad spectrum of binary analysis tasks, including control flow graph reconstruction, data type inference, and instruction-level emulation. It integrates runtime debugging capabilities, allowing users to monitor execution, manage breakpoints, and inspect memory states. Additionally, the tool includes utilities for mounting filesystem images and scripting complex analysis tasks to support automated security research and binary modification.
Radare2 is a comprehensive, industry-standard framework that provides a full suite of tools for disassembly, decompilation, multi-architecture debugging, and automated binary analysis.
Ghidra is a software reverse engineering suite designed to analyze compiled binaries and reconstruct program logic without access to original source code. It provides an interactive environment for disassembly and decompilation, utilizing a platform-independent intermediate representation to maintain consistency across diverse hardware architectures. The framework supports automated binary analysis through programmatic routines, enabling the investigation of complex code patterns and security indicators. The platform distinguishes itself through a modular architecture that allows for extensive customization. Users can define new processor instruction sets using a dedicated specification language, ensuring support for unique hardware without requiring recompilation. Collaborative analysis is facilitated by a database-backed storage system, while a headless execution mode enables the processing of large binary sets via command-line scripts. The suite includes tools for malware analysis and software vulnerability research, providing capabilities for visual navigation of control flow and the development of custom plugins. Developers can extend the core functionality by injecting specialized analysis routines or user interface components through a standardized discovery mechanism. The project provides comprehensive documentation and build tasks to support the configuration of development workspaces for those contributing to the underlying architecture.
Ghidra is a comprehensive reverse engineering suite that provides a full-featured disassembler, decompiler, and multi-architecture support, making it a flagship tool for binary analysis and vulnerability research.
Angr is a binary analysis framework and static analysis tool used for reverse engineering compiled binaries. It serves as a binary decompiler and a lifting platform that translates machine code into a common intermediate representation to enable cross-architecture analysis. The framework integrates a symbolic execution engine and constraint solvers to determine the inputs required to reach specific program states. It also employs untrusted code sandboxing to isolate guest code from the host environment during analysis. Its capabilities cover control flow and data flow analysis, including the recovery of control flow graphs and taint-based data tracking. The system provides utilities for binary decompilation, value set analysis, and program execution instrumentation. The project includes mechanisms to compile native library components from source to ensure compatibility with the host operating system.
Angr is a comprehensive binary analysis framework that provides decompilation, multi-architecture support, and advanced static analysis capabilities for professional reverse engineering.
RetDec is an LLVM-based machine code decompiler and static binary analysis tool designed for binary reverse engineering. It translates binary executable code into high-level representations to facilitate the reconstruction of program logic from compiled machine code. The system utilizes a retargetable frontend architecture and a multi-stage lifting pipeline to convert raw bytes into a common intermediate language. It differentiates custom program logic from known library code through signature-based identification and provides utilities for binary symbol demangling to restore human-readable names. The toolkit covers a broad range of static analysis capabilities, including the reconstruction of high-level functions, types, and class hierarchies. It also provides visualization tools to generate call graphs and control-flow diagrams to map the execution structure of decompiled binaries.
RetDec is a comprehensive, LLVM-based decompiler and static analysis toolkit that provides essential features like multi-architecture support, binary visualization, and high-level code reconstruction for reverse engineering.
RetDec is a reverse engineering framework and static binary analysis tool. Its primary purpose is to function as an LLVM-based machine code decompiler that translates binary machine code from multiple architectures into high-level C source code. The system employs a multi-stage lifting pipeline to recover program logic, using an intermediate representation to apply optimizations before emitting source code. It distinguishes itself through the ability to identify compilers and packers, perform executable unpacking, and reconstruct class hierarchies and original program structures. The framework covers broad capability areas including binary metadata extraction from formats like DWARF and PDB, symbol demangling, and the generation of call and control-flow graphs. It also provides tools for object file extraction and binary signature generation. The analysis and decompilation components can be embedded into external software projects using provided headers and build scripts.
RetDec is a comprehensive, LLVM-based reverse engineering framework that provides robust decompilation, multi-architecture support, and advanced binary analysis features like control-flow graph generation and metadata extraction.
Cutter is a binary analysis platform and graphical user interface for the Rizin reverse engineering framework. It provides an environment for analyzing the internal logic and data structures of compiled binaries through integrated disassembly and visualization. The platform supports a containerized deployment model to provide isolated environments for binary analysis, which is used to examine suspicious binaries without risking the host system. It is an extensible security tool that allows for the addition of custom analysis capabilities and visualizers via native plugins and scripts. The tool covers both static and dynamic binary analysis by linking the visual interface with a live debugging engine to monitor program execution in real time. It also supports host-to-container volume mapping to provide the analysis environment with read-only access to target files.
Cutter is a comprehensive graphical platform for the Rizin framework that provides integrated disassembly, decompilation, visualization, and debugger support for analyzing compiled binaries.
Jadx is a comprehensive Java decompilation suite designed to transform compiled binary application files into readable source code. It functions as a static analysis workbench, providing a graphical interface for navigating, searching, and inspecting the internal logic of complex software packages. By utilizing a bytecode-to-Java pipeline, the project reconstructs high-level logical structures from low-level binary instructions, making it a primary tool for Android application reverse engineering. The project distinguishes itself through a sophisticated control flow reconstruction engine and a symbolic deobfuscation engine that restores original code structure by renaming obfuscated identifiers. Beyond its graphical interface, Jadx offers a binary analysis library that allows developers to embed automated decompilation and source code extraction directly into custom security pipelines and software workflows. These capabilities enable detailed application security auditing and the investigation of mobile malware by tracing interactions across large, complex codebases. The platform includes extensive tooling for code navigation, such as cross-referencing class and method usage, jumping to declarations, and mapping dependencies within binary projects. To support the analysis of massive packages, it incorporates performance-oriented features like disk-backed caching, in-memory indexing, and configurable package exclusion to manage memory consumption and processing speed.
Jadx is a specialized decompiler and static analysis workbench that excels at reconstructing readable Java source code from Android binaries, making it a highly effective tool for mobile reverse engineering.
radare2 is a reverse engineering framework and binary analysis toolset. It functions as a multi-architecture disassembler, low-level binary debugger, and hexadecimal editor for inspecting executable structures and interpreting machine code when original source files are unavailable. The framework provides capabilities for decompiling machine instructions, performing symbolic analysis, and diffing binary files to identify structural changes across versions. It also includes a digital forensic analyzer and disk analyzer for browsing filesystem formats in userland. The toolset supports binary patching, malware analysis, and software vulnerability research. It features a plugin-based architecture to extend core functionality and an embedded scripting engine to automate analysis workflows.
This is a comprehensive reverse engineering framework that provides a disassembler, decompiler, debugger, and extensive scripting support, making it a flagship tool for binary analysis.
dnSpy is a desktop application designed for the analysis, debugging, and modification of compiled .NET assemblies. It functions as an assembly analysis suite and decompiler, translating binary instruction streams back into readable source code to facilitate reverse engineering when original source files are unavailable. The tool distinguishes itself through an integrated binary patching engine and metadata editor, which allow for the direct modification of executable logic and internal metadata tables. It supports in-process debugging instrumentation, enabling users to inject runtime hooks, set breakpoints, and inspect memory state within compiled binaries to troubleshoot application behavior. Beyond core analysis and debugging, the platform provides an interactive scripting environment for automating repetitive tasks and manipulating assembly structures. It includes capabilities for abstract syntax tree manipulation and memory-mapped file inspection, allowing users to navigate between high-level code constructs and raw binary data.
dnSpy is a specialized reverse engineering suite for .NET assemblies that provides robust decompilation, debugging, and binary patching capabilities, though it is limited to the .NET ecosystem rather than supporting multiple CPU architectures.
Cheat Engine is a software reverse engineering suite and memory editor designed for the Windows environment. It functions as a comprehensive platform for inspecting, analyzing, and modifying the internal logic and data structures of running applications. The tool provides capabilities for real-time memory scanning and manipulation, allowing users to locate and alter specific values within a process's address space. It distinguishes itself through advanced debugging features, including hardware-assisted debugging, kernel-mode driver injection for bypassing memory protections, and dynamic binary instrumentation to intercept and modify machine code at runtime. Beyond basic memory editing, the suite supports the analysis of managed code by reconstructing object hierarchies and method signatures. It also includes an embedded scripting engine that enables the automation of complex tasks, such as interface interactions and custom code injection, allowing for the execution of user-defined assembly scripts within a target process.
Cheat Engine is a powerful reverse engineering suite that provides robust debugging, memory inspection, and assembly-level manipulation, though it is primarily optimized for dynamic analysis and memory editing rather than static decompilation.
This project is a desktop application designed for the reverse engineering and inspection of compiled Java code. It functions as a graphical interface that translates Java bytecode back into readable source code, allowing users to examine the internal logic of class files and archives when original source files are unavailable. The tool provides a structured environment for navigating complex file hierarchies, including nested archives like JAR and WAR files. By maintaining an in-memory representation of loaded classes, it enables rapid searching and cross-referencing of code elements. The application also supports a modular architecture, allowing for the dynamic loading of external libraries to extend its core functionality. Beyond basic decompilation, the software facilitates security auditing, legacy system maintenance, and general code review. It provides a visual workspace for inspecting methods, fields, and organizational structures within compiled binaries. The application is distributed as a standalone desktop utility with a standard graphical interface for file navigation and code display.
This is a specialized decompiler for Java bytecode that provides a graphical interface for inspecting and recovering source code, though it is limited to the Java ecosystem rather than supporting multiple CPU architectures or native binary debugging.
Apktool is an Android APK reverse engineering tool designed to decode application packages into human-readable form and rebuild them after modification. It functions as a Dalvik bytecode disassembler and a resource decoder, transforming binary Android XML and DEX files into editable text and Smali representation. The project serves as an application rebuilder, packing modified resources and Smali code back into a functional Android application package. This capability enables the modification of application logic and resources for testing and deployment. The tool covers a broad surface of analysis and modification, including Android app modding, malware analysis, and Smali bytecode debugging to identify vulnerabilities or examine internal software structures.
Apktool is a specialized tool for decoding and modifying Android application packages, providing essential disassembly and resource analysis capabilities specifically for the Android ecosystem.
ILSpy is a .NET decompiler and binary analyzer designed to convert compiled .NET assemblies back into readable C# source code. It functions as a metadata explorer and a common intermediate language viewer, enabling the analysis of compiled code and the execution of reverse engineering workflows. The project distinguishes itself through specialized translation capabilities, such as converting compiled binary XML (BAML) back into human-readable XAML for user interface analysis. It also provides tools for inspecting native machine code and extracting metadata from program database (PDB) files. The toolset covers a broad range of static analysis capabilities, including project-wide decompilation, code hierarchy navigation, and the visualization of control-flow graphs. It further supports binary inspection via typed intermediate language analysis, assembly content searching, and a managed plugin framework for extending core functionality.
ILSpy is a specialized decompiler and binary analyzer for .NET assemblies that provides robust static analysis, decompilation, and visualization features, though it is focused on managed code rather than general-purpose native binary reverse engineering.
This project is a graphical Windows debugger designed for the analysis and manipulation of compiled binary applications. It functions as a comprehensive binary analysis suite, providing a real-time environment for inspecting CPU registers, monitoring memory states, and tracing instruction execution to investigate system-level software behavior. The tool distinguishes itself through an event-driven debugging loop that allows for precise process control and state modification during runtime. It supports advanced analysis techniques, including hardware-breakpoint injection for monitoring memory access and instruction-set-aware disassembly to translate machine code into readable assembly. These capabilities facilitate specialized tasks such as malware reverse engineering, software vulnerability research, and the analysis of complex system crashes. The platform includes a modular plugin architecture that enables the integration of external libraries for custom analysis and automation. It also features memory-mapped symbol resolution to correlate machine addresses with source code labels, assisting in the interpretation of internal application logic.
This is a powerful Windows-focused debugger that provides essential disassembly and dynamic analysis capabilities for reverse engineering, though it lacks a built-in decompiler and is limited to the Windows platform.
Pwntools is a Python-based framework designed for rapid prototyping and automation in binary exploitation, reverse engineering, and security research. It serves as a comprehensive toolkit for interacting with local and remote processes, providing the primitives necessary to manage complex exploit workflows and streamline security analysis tasks. The framework distinguishes itself through its specialized capabilities for binary manipulation and automated exploit construction. It includes dedicated utilities for parsing executable file formats, assembling and disassembling machine code, and generating shellcode across various architectures. A core strength of the project is its ability to automate the identification and chaining of gadgets to bypass memory protections, as well as its capacity to resolve remote symbols and exploit format string vulnerabilities through calculated memory manipulation. Beyond its core exploitation features, the library provides a unified interface for managing communication across network sockets, serial connections, and local process pipes. It supports deep integration with debugging environments, allowing researchers to monitor execution flow and inspect memory in real time. The project also includes specific utilities for managing capture-the-flag competition workflows, such as automating the submission of flags to remote servers. The library is structured to provide a consistent global execution environment, allowing users to configure architecture, operating system, and logging defaults for their research sessions. It is distributed as a Python library, enabling integration into custom security research scripts and automated analysis pipelines.
Pwntools is a powerful Python framework that provides essential primitives for binary analysis, disassembly, and exploit development, though it functions as a library for building custom tools rather than a standalone graphical reverse-engineering suite.
BenchmarkDotNet is a library and tool suite for measuring the execution time and memory allocation of .NET code. It utilizes statistical sampling and warm-up iterations to determine the stability and precise execution speed of specific methods. The project provides a JIT disassembly viewer to inspect processor disassembly and analyze how the compiler executes code paths. It includes a memory allocation profiler that tracks managed and native memory traffic to identify efficiency bottlenecks. Additionally, a runtime performance comparator allows the same benchmarks to be executed across different .NET runtimes and configurations to identify environment variances. The toolset covers performance analysis through the generation of summary reports and the tracking of statistical outliers against established baselines. It also includes reliability verification to detect attached debuggers or non-optimized builds that could invalidate measurement results.
This is a performance benchmarking and profiling library for .NET code rather than a general-purpose reverse engineering suite, though it does include a JIT disassembly viewer for analyzing compiler output.
ImHex is a professional-grade hex editor and binary data analysis platform designed for inspecting, modifying, and reverse engineering raw file contents. It functions as a schema-driven engine that interprets complex binary structures by applying custom definitions to map and visualize byte-level data. The platform distinguishes itself through a dedicated domain-specific language that allows users to define structural schemas for automated file parsing. This capability is supported by a dynamic plugin architecture and an event-driven registry, which enable the integration of external modules to extend core functionality and support specialized file formats. The system utilizes memory-mapped file access to handle large datasets and provides an immediate mode graphical interface for responsive data visualization. Users can maintain and share collections of format definitions to standardize the interpretation of various binary types, while a development kit facilitates the creation of custom extensions for specific analysis requirements.
ImHex is a powerful hex editor and binary analysis platform that excels at visualizing and parsing complex file structures, though it focuses more on data inspection and pattern matching than on full-scale decompilation or integrated debugging.
PINCE is a dynamic debugger, instruction tracer, and memory scanner designed for the analysis and manipulation of running processes. It functions as a process memory manipulator and editor, allowing for the identification, modification, and monitoring of values within a target application's active memory. The tool distinguishes itself through memory pointer analysis, tracing addresses and offsets to locate static pointers that lead to dynamic data across different sessions. It also enables the execution of internal functions within a running process by manipulating the instruction pointer and capturing return values from the stack. The project covers a broad range of reverse engineering and debugging capabilities, including opcode-based disassembly analysis, instruction-level execution tracing, and the use of boolean-logic expressions to trigger conditional breakpoints. It further provides utilities for virtual address space mapping, dynamic symbol resolution, and the allocation of new memory regions for strings or arrays.
PINCE is a powerful dynamic debugger and memory analysis tool that provides essential reverse engineering features like disassembly, instruction tracing, and process manipulation, though it focuses more on runtime memory analysis than static decompilation.
Flare-floss is a security utility and static binary string extractor designed to uncover hidden text and configuration data within compiled binaries. It functions as an obfuscated string decoder and reverse engineering tool to translate encoded strings into readable text for security auditing. The project employs emulated execution to capture the decrypted state of strings in memory by running small chunks of binary code in a virtual CPU. It further utilizes static analysis disassembly, intermediate representation analysis, and heuristic-based pattern matching to identify and decode strings that use non-standard encodings or lack standard null terminators. The toolset supports workflows for malware binary analysis, security research, and reverse engineering to identify embedded secrets and constants. It also provides capabilities for exporting extracted binary data to external analysis platforms.
This tool is a specialized utility for static binary analysis and string deobfuscation that serves as a valuable component in a reverse engineering workflow, though it lacks the full-scale decompilation and interactive debugging features of a comprehensive suite.