Open-source alternatives to Capstone

LIEF is a framework for parsing, modifying, and analyzing executable binary formats and system shared caches across multiple platforms. It serves as a cross-platform library for the programmatic manipulation of ELF, PE, and MachO binary files. The project provides tools for altering the internal structure and sections of executable files to change program behavior. It also includes a dedicated parser for recovering individual dynamic libraries from combined system shared caches. The toolset covers binary executable analysis, machine code disassembly, and the extraction of debug metadata and

Android Classyshark is a binary analysis toolset designed to extract structural data from Android executable files. It functions as a bytecode viewer and binary XML parser to analyze compiled Java and Android binaries. The project converts binary XML files into readable formats for the inspection of application manifests, layouts, and resource files. It also provides the ability to analyze class interfaces, members, and dependency counts without requiring access to the original source code. The toolset supports static analysis and the export of binary information into plain text formats for

This project is a graphical Windows debugger designed for the analysis and manipulation of compiled binary applications. It functions as a comprehensive binary analysis suite, providing a real-time environment for inspecting CPU registers, monitoring memory states, and tracing instruction execution to investigate system-level software behavior. The tool distinguishes itself through an event-driven debugging loop that allows for precise process control and state modification during runtime. It supports advanced analysis techniques, including hardware-breakpoint injection for monitoring memory

AssetRipper is a suite of tools designed for the recovery and analysis of Unity game projects. It functions as an asset extractor, project reconstructor, shader decompiler, binary analysis tool, and dependency auditor. The project specializes in recovering high-level structures from compiled binaries. It reconstructs prefabs from inlined scene instances, reverses static batching to separate merged meshes, and translates compiled shader code from multiple platforms back into a readable format. Its broader capabilities include converting serialized files and bundles back into native engine for

ipsw is a specialized toolkit for iOS firmware analysis, binary reverse engineering, and hardware interaction. It provides a suite of tools for downloading, extracting, and analyzing firmware images and kernel caches, alongside a MachO binary analysis tool for disassembling and patching executables. The project distinguishes itself through integrated language-model-powered code reconstruction to translate machine code into high-level source code. It also features an automation client for the App Store Connect API to manage certificates and application settings. The framework covers a broad r

Pwntools is a Python-based framework designed for rapid prototyping and automation in binary exploitation, reverse engineering, and security research. It serves as a comprehensive toolkit for interacting with local and remote processes, providing the primitives necessary to manage complex exploit workflows and streamline security analysis tasks. The framework distinguishes itself through its specialized capabilities for binary manipulation and automated exploit construction. It includes dedicated utilities for parsing executable file formats, assembling and disassembling machine code, and gen

Ghidra is a software reverse engineering suite designed to analyze compiled binaries and reconstruct program logic without access to original source code. It provides an interactive environment for disassembly and decompilation, utilizing a platform-independent intermediate representation to maintain consistency across diverse hardware architectures. The framework supports automated binary analysis through programmatic routines, enabling the investigation of complex code patterns and security indicators. The platform distinguishes itself through a modular architecture that allows for extensiv

Binaryen is a WebAssembly compiler toolchain and optimizer designed to transform, validate, and shrink binary modules. It provides a comprehensive intermediate representation framework that converts binary code into a single-assignment form to enable advanced program analysis and code transformation. The project includes a specialized transformation engine that applies iterative optimization passes to increase execution speed and reduce binary size. Additionally, it functions as a transpiler that translates WebAssembly binary modules into executable JavaScript for environments that lack nativ

Apktool is an Android APK reverse engineering tool designed to decode application packages into human-readable form and rebuild them after modification. It functions as a Dalvik bytecode disassembler and a resource decoder, transforming binary Android XML and DEX files into editable text and Smali representation. The project serves as an application rebuilder, packing modified resources and Smali code back into a functional Android application package. This capability enables the modification of application logic and resources for testing and deployment. The tool covers a broad surface of an

The WebAssembly Binary Toolkit is a suite of tools for inspecting, validating, and transforming WebAssembly modules between binary and human-readable representations. It includes a stack-based interpreter for executing modules and a transpiler that converts binary files into C source code and headers. The toolkit provides utilities for assembling human-readable text into binary modules and disassembling binary files back into text. It features a text formatter for normalizing definitions into a canonical flat representation and supports the conversion of binaries into S-expression formats. T

LibChecker is an Android application library analyzer used to identify third-party libraries and classify software components within installed applications. It functions as a software component classifier and a native library ABI inspector to determine if an application is 32-bit or 64-bit. The tool utilizes a rules repository and a local database to match detected libraries against known software signatures. It employs regex-based pattern detection and rule-based matching to identify components, even when files have been renamed or obfuscated. The project provides capabilities for Android p

ILSpy is a .NET decompiler and binary analyzer designed to convert compiled .NET assemblies back into readable C# source code. It functions as a metadata explorer and a common intermediate language viewer, enabling the analysis of compiled code and the execution of reverse engineering workflows. The project distinguishes itself through specialized translation capabilities, such as converting compiled binary XML (BAML) back into human-readable XAML for user interface analysis. It also provides tools for inspecting native machine code and extracting metadata from program database (PDB) files.

Binsider is a collection of specialized toolsets for hexadecimal editing, ELF structural analysis, system call tracing, and execution performance profiling. It provides a suite of utilities designed for binary reverse engineering, encompassing both static structural analysis and dynamic runtime monitoring of compiled binaries. The project distinguishes itself by combining low-level binary manipulation, such as a hex editor for raw byte modification, with an ELF binary analysis tool for inspecting file structures and metadata. It also includes a Linux system call tracer for observing dynamic b

XenonRecomp is a static binary translator and Xbox 360 game recompiler. It functions as a binary analysis tool and native code generator that converts machine instructions from Xbox 360 game executables into C++ source code for recompilation on different hardware platforms. The tool features specialized capabilities for translating compiled binaries, including the conversion of assembly jump tables into native switch cases and the detection of function boundaries using stack space data and branch link instructions. It optimizes translated code by converting non-volatile and non-argument regis

YARA is a pattern matching engine and binary analysis tool used to identify and classify malware samples. It functions as a malware research framework that allows for the definition of file descriptions and detection rules to find indicators of compromise within binaries. The system enables the creation of custom detection rules using strings, wildcards, and regular expressions. These rules use boolean logic to match textual or binary patterns, allowing for the classification of files into specific malware families and the automation of threat intelligence. The engine utilizes Aho-Corasick s

Peda is a security tool suite and exploit development framework designed for binary analysis, debugger automation, and memory inspection. It functions as a set of Python scripts that extend a debugger to automate the analysis of compiled files and the inspection of process memory. The project provides specialized utilities for memory corruption research, including a payload generation utility for creating cyclic patterns to discover buffer overflows and a gadget finder to locate return-oriented programming sequences within binaries. It differentiates itself by offering a visualization tool th

JPEX Software is a comprehensive reverse engineering suite for SWF binary files, serving as an ActionScript decompiler and editor. It provides a toolkit for decompiling, analyzing, and modifying the internal structure of compiled Flash content, including the extraction of scripts and media assets. The project is distinguished by its ability to perform direct binary modification, allowing users to edit bytecode and replace embedded resources without reverting to high-level source code. It includes a runtime ActionScript bytecode debugger for variable inspection and call stack analysis, as well

Angr is a binary analysis framework and static analysis tool used for reverse engineering compiled binaries. It serves as a binary decompiler and a lifting platform that translates machine code into a common intermediate representation to enable cross-architecture analysis. The framework integrates a symbolic execution engine and constraint solvers to determine the inputs required to reach specific program states. It also employs untrusted code sandboxing to isolate guest code from the host environment during analysis. Its capabilities cover control flow and data flow analysis, including the

pwndbg is a GDB plugin and binary analysis framework designed for reverse engineering, exploit development, and low-level program analysis. It extends the core functionality of the debugger to provide advanced memory inspection and automation tools. The project distinguishes itself with specialized capabilities for heap analysis across glibc, jemalloc, and musl, as well as a comprehensive kernel debugging toolkit for inspecting Linux kernel tasks and slab allocators. It includes an integrated ROP gadget searcher for constructing exploit chains and an LLM-powered debugging assistant that provi

dnSpy is a specialized toolset for the reverse engineering, analysis, and modification of compiled .NET binaries. It functions as a decompiler that converts assemblies back into readable high-level source code, an assembly editor for modifying bytecode and metadata, and a debugger for inspecting compiled binaries. The project integrates a hex editor specifically for inspecting and modifying raw bytes and Common Intermediate Language structures. It allows for the direct modification of binary contents to change application behavior without requiring the original project source files. The tool

Detect-It-Easy is a binary file identifier and analysis toolkit designed to determine file formats, compilers, and packers. It functions as a binary file identifier that utilizes signature matching and heuristic analysis to identify executable and archive formats. The project includes a custom file signature engine and a scriptable rule system for defining and applying detection logic to identify specific binary patterns. It features specialized detectors for Android packages, such as APK and DEX files, and a malware packer detector to identify protections, obfuscators, and virus families. T

proot-distro is a rootless container runtime and Linux distribution manager that allows users to install and run isolated guest environments without requiring administrative root privileges. It utilizes PRoot to simulate root access and filesystem redirection, enabling the deployment of full Linux distributions in a non-root space. The project functions as an OCI container image handler, capable of building, pulling, and pushing OCI-compatible images and manifests. It further serves as a cross-architecture execution layer, utilizing user-mode emulation to run binaries and containers built for

dnSpy is a desktop application designed for the analysis, debugging, and modification of compiled .NET assemblies. It functions as an assembly analysis suite and decompiler, translating binary instruction streams back into readable source code to facilitate reverse engineering when original source files are unavailable. The tool distinguishes itself through an integrated binary patching engine and metadata editor, which allow for the direct modification of executable logic and internal metadata tables. It supports in-process debugging instrumentation, enabling users to inject runtime hooks, s

MAME is a vintage hardware emulation platform designed to recreate the circuitry of arcade games, computers, and consoles to run original software on modern devices. It functions as a retro gaming preservation framework for managing, verifying, and archiving ROM sets and disk images to ensure long-term software accessibility. The project features a system debugging tool for inspecting emulated memory, CPU registers, and execution flow via breakpoints and disassembly. It also includes a Lua-based automation layer that exposes core system state and hardware controls for custom behavior and anal

This project is a collection of techniques and configurations for reducing the disk footprint of compiled Rust executables. It serves as a guide and toolset for binary size optimization, providing strategies to minimize the final executable size through compiler flags and configuration. The project focuses on aggressive size reduction strategies, including recompiling the standard library from source to prune unused functions and implementing no-standard-library modes for memory-constrained environments. It details how to eliminate runtime overhead by removing standard library entry points an

Highway is a portable C++ library and hardware abstraction layer designed for writing single instruction multiple data (SIMD) code. It provides a unified interface that maps data-parallel logic to various CPU instruction sets, enabling the development of high-performance software that runs across different processor architectures without requiring architecture-specific assembly. The project features a dynamic instruction dispatcher that selects the most efficient CPU instruction set at runtime based on detected hardware. It also supports static target specialization and extensible mechanisms

This project is an Android RPA framework designed for automating user interfaces and system tasks on rooted Android devices using Python and ADB. It provides a suite of tools for rooted device management, allowing for programmatic control of system settings, application lifecycles, and shell command execution via a remote API. The framework distinguishes itself through a combination of dynamic instrumentation and AI integration. It can inject scripts into running processes to hook Java interfaces and modifies application behavior in real time. Additionally, it supports large language model in