Software Tools

From RECESSIM, A Reverse Engineering Community
Revision as of 19:16, 9 October 2023 by Polymorphic7 (talk | contribs) (added basictutorial introduction to ida and olly)
Jump to navigation Jump to search
Schematic of an embedded device

Disassemblers, Decompilers, Development Tools, Schematic/PCB Capture and other reverse engineering software. If you used it while reverse engineering, list it here!

Tool Index


RF Signals Analysis

  • Universal Radio Hacker - tool to analyze and extract data from SDR-captured radio signals (especially pilots, ISM RF devices, etc). See youtube for tutorials and examples.
  • GNU Radio - toolkit that provides signal processing blocks to implement software-defined radios and signal processing systems.
  • Audacity - is a audio editor that can be used to cleanup the radio waves captured by a SDR or Software Defined Radio. (Example: Start Audacity -> Import –> Raw Data -> Radio Wave File)


Firmware Analysis

  • binwalk - Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
  • FAT - is a toolkit built in order to help security researchers analyze and identify vulnerabilities in IoT and embedded device firmware.
  • Firmwalker - is a script for searching the extracted firmware file system for goodies!

Setup or Overlay Unpackers / Extractors

  • lessmsi - a tool to view and extract the contents of an Windows Installer (.msi) file.
  • FUU - [F]aster [U]niversal [U]npacker.

Binary PE Analysis / Editor (Windows)

  • PE-bear - is a Portable Executable reversing tool with a friendly GUI using the Capstone Engine and is Open Source!
  • CFF Explorer - is a PE editor called CFF Explorer and a process viewer with a lot of features.

IAT Reconstructors (Windows)

  • NtQuery Scylla - is a Windows Portable Executable imports reconstructor open source and part of x64dbg.

API monitoring ring3 (Windows)

  • WinAPIOverride - is an advanced api monitoring software for 32 and 64 bits processes. You can monitor and/or override any function of a process.
  • Rohitab API Monitor - is a free software that lets you monitor and control API calls made by applications and services. Its a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.


Debugger / disassembler for unmanged binaries

  • Binary Ninja - reverse-engineering platform that can disassemble a binary and display the disassembly in linear or graph views.
  • IDA - The IDA Disassembler and Debugger is an interactive, programmable, extensible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X.
  • Vivisect - Vivisect binary analysis framework. Includes Disassembler, Debugger, Emulation and Symbolik analysis engines. Includes built-in Server and Shared-Workspace functionality. Runs interactive or headless, programmable, extensible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X (Pure-Python, using ctypes to access underlying OS debug mechanism). Supports RevSync via plugin, allowing basic collaboration with Binja, Ghidra, and IDA. Criticisms (from a core dev): "Graph View could use some work, slower than Binja and IDA (due to Python), documentation like an OpenSource Project... but we keep working to make it better. PR's and suggestions welcome." Best installed via Pip: python3 -m pip install vivisect
  • Veles - Open source tool for binary data analysis (No longer actively developed).
  • Immunity Debugger - is a powerful new way to write exploits, analyze malware, and reverse engineer Windows binary files (python support)
  • Hopper - Hopper can use LLDB or GDB, which lets you debug and analyze the binary in a dynamic way (only for Mac and Linux hosts, not for mobile devices).
  • x64dbg - Is a powerful Open Source Ollydbg replacement with a User Interface very similar to Ollydbg also x64dbg as the name states offers x64 support.
  • Reko - Reko is a binary decompiler for static analysis (ARM, x86-64, M68K, Aarch65, RISC-V and dotnet)
  • radare2 and Rizin - radare2 and its fork Rizin are open source reverse engineering frameworks. Both are primarily used through a shell-like text UI, but also offer GUIs called iaito and Cutter respectively.

Debugging and Profiling dynamic analysis (Linux)

  • valgrind - Valgrind is a GPL'd system for debugging and profiling Linux programs. With Valgrind's tool suite you can automatically detect many memory management and threading bugs, avoiding hours of frustrating bug-hunting, making your programs more stable.
  • jTracer - is a stack trace visualization utility for libcsdbg. In other words, it acts as a TCP/IP server for libcsdbg clients, that connect to it and transfer their trace data, either C++ exception stack traces or generic thread stack traces and whole process stack dumps.

Debugger / disassembler for manged binaries

.NET
  • dnSpy - is a debugger and .NET assembly editor. You can use it to edit and debug assemblies even if you don't have any source code available.
  • Iced - Blazing fast and correct x86/x64 disassembler, assembler, decoder, encoder for Rust, .NET, Java, Python, Lua.
  • ILSpy - NET Decompiler with support for PDB generation, ReadyToRun, Metadata (&more) - cross-platform!
  • Telerik JustDecompile - is a free .NET decompiler and assembly browser that makes high-quality .NET decompilation easy With an open source decompilation engine.
.NET deobfuscators
  • de4dot CEx - is a deobfuscator based on de4dot with full support for vanilla ConfuserEx.
  • de4dot - is a .NET deobfuscator and unpacker.
JAVA
  • Jadx - Dex to Java decompiler. Command-line and GUI tools for producing Java source code from Android Dex and apk files.
  • Recaf - Recaf is an open-source Java bytecode editor that simplifies the process of editing compiled Java applications.
  • JEB decompiler - Decompile and debug Android dalvik, Intel x86, ARM, MIPS, RISC-V, S7 PLC, Java, WebAssembly & Ethereum Decompilers.
  • APKinspector - is a powerful GUI tool for analysts to analyze the Android applications.
  • Apktool - A tool for reverse engineering Android apk files.
  • Bytecode viewer - A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
Java deobfuscators
  • deobfuscator - is a project that aims to deobfuscate most commercially-available obfuscators for Java. GUI version github
  • Another Deobfuscator - Some deobfuscator for java. Supports superblaubeere27 / JObf / sb27, Paramorphism 2.1.2_9, Caesium, Monsey, Skid/qProtect, Scuti, CheatBreaker, Bozar, ...
PYTHON
  • uncompyle6 - is a native Python cross-version decompiler and fragment decompiler. The successor to decompyle, uncompyle, and uncompyle2.
  • pycdc - is a C++ python bytecode disassembler and decompiler.



PC platform exploration frameworks

  • Chipsec - is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low level interfaces, and forensic capabilities.
  • Metasploit Framework - is a Framework is a Ruby-based, modular penetration testing platform that enables you to write, test, and execute exploit code.
  • Arachni - is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.
  • Burp Suite - Burp or Burp Suite is a set of tools used for penetration testing of web applications.


Mobile exploration frameworks

  • Frida - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
  • objection - is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak.
  • AppAudit - is an efficient program analysis tool that detects data leaks in mobile applications. It can accurately find all leaks within seconds and ~200 MB memory.
  • LSposed - is a Riru / Zygisk module trying to provide an ART hooking framework which delivers consistent APIs with the OG Xposed, leveraging LSPlant hooking framework.
Xposed modules
  • JustTrustMe - Art framework hook to patch okHTTP and other common libs to fool the CERT chain in order for Mitmproxy to capture TLS traffic in cleartext.
  • FakeXposed - Hide xposed, root, file redirection, two-way shielding data detection.
  • SSLUnpinning_Xposed - Android Xposed Module to bypass SSL certificate validation (Certificate Pinning)..

Promiscuous mode eavesdropping TCP/UDP

  • mitmproxy - is an interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
  • wireshark - is a network traffic analyzer, or "sniffer", for Linux, macOS, *BSD and other Unix and Unix-like operating systems and for Windows.
  • Mallet - is an intercepting proxy for arbitrary protocols.

Unified Extensible Firmware Interface (UEFI) & legacy PC BIOS Tools

UEFI
BIOS
AMI
Award
Insyde


Download all tools in one archive, click here. VT link

Operating System for Penetration Testing & Digital Forensics

  • Kali Linux - is an open-source, Debian-based Linux distribution geared towards various information security tasks, such as Penetration Testing, Security Research, Computer Forensics and Reverse Engineering.
  • BlackBox is more than an operating system, it is a Free Open Source Community Project with the aim of promoting the culture of security in IT environment and give its contribution to make it better and safer.
  • BlackArch - is an Arch Linux-based penetration testing distribution for penetration testers and security researchers.
  • Parrot Security - is based on top of Debian, the most advanced and recognized universal operating system that can run anywhere.
  • Fedora Security Spin - is a live media based on Fedora to provide a safe test environment for working on security auditing, forensics and penetration testing, coupled with all the Fedora Security features and tools.
  • CAINE - CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project.
  • Dracos Linux - is the Linux operating system from Indonesia, open source is built based on Debian live project under the protection of the GNU General Public License v3.0. This operating system is one variant of Linux distributions, which is used to perform security testing (penetration testing). Dracos linux in Arm by hundreds hydraulic pentest, forensics and reverse engineering.
  • Pentoo - is a Live CD and Live USB designed for penetration testing and security assessment. Based off Gentoo Linux, Pentoo is provided both as 32 and 64 bit installable livecd.

Privacy Operating System

  • Tails - is a portable operating system that protects against surveillance and censorship.



Tools for opening CAD or Boardview files

Description: Boardview is a type of file containing information about printed circuit boards, their components, used signals, test points and more. These files may have following extensions: .asc, .bdv, .brd, .bv, .cad, .cst, .gr, .f2b, .fz, .tvw and others.

  • FlexBV - Advanced FlexBV boardview software integrates your boardview files with PDF schematics to substantially ease the process of tracking down faults and understanding damaged boards
  • BoardViewer - BoardViewer is software intended for viewing various boardview file types

For resources to open in your favorite boardview program visit Literature -> 1.2 Datasheets boardviews & schematics

Education

Tools are great, and sometimes free! Without knowing how to use them, they can be a big waste of time. Better to spend your time learning the basics, then apply your knowledge.

Reverse Engineering Tutorial - A comprehensive reverse engineering tutorial covering x86, x64, 32-bit ARM & 64-bit ARM architectures.

- A Reverse Engineering Malware introduction with IDA & Olly in x86 basics (5 parts) by otw.