
Reverse Engineering Tools

Photo by Kenny Eliason on Unsplash

In this episode, I will list several tools that are useful for performing software reverse engineering. We will return to some of them in further detail later.

Small Utility Tools

A first useful tool is strings. Here is a small excerpt from its man page:

For each file given, strings prints the printable character
sequences that are at least 4 characters long (or the number
given with the options below) and are followed by an
unprintable character.

Applying strings to the executable a.out of Episode #2 produces, among other strings, the following result:

$ strings code/a.out
The sum of 1 to 63 is %d.
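As an added example (not code from the original post), here is the rule from that man-page excerpt re-implemented in Python, returning the byte offset of each hit the way strings -t x prints it. The input is a constructed blob rather than the a.out above, and the printable set (0x20 to 0x7e plus tab) is the one GNU strings uses in the C locale.

```python
# Added example, not code from the original post: the strings(1) rule quoted
# above, re-implemented in Python with the byte offset of each hit (what
# `strings -t x` prints). Input is a constructed blob, not the a.out above.

# Bytes GNU strings counts as printable in the C locale: 0x20..0x7e and tab.
PRINTABLE = frozenset(range(0x20, 0x7F)) | {0x09}


def find_strings(data: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """Return (offset, text) for each run of >= min_len printable bytes.

    A run ends at the first unprintable byte; a run that reaches the end of
    the input is reported too (GNU strings does the same), so a string is not
    lost just because the file has no trailing terminator.
    """
    hits = []
    start = None                      # offset where the current run began
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            hits.append((start, data[start:i].decode("ascii")))
        start = None
    if start is not None and len(data) - start >= min_len:
        hits.append((start, data[start:].decode("ascii")))
    return hits


# Constructed sample (not a real binary): an ELF-like magic, a few code bytes,
# a format string, a library name, a 3-byte run that is too short, and a
# trailing run with no terminator.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\x48\x89\xe5"
    + b"The sum of 1 to 63 is %d.\n\x00"
    + b"libc.so.6\x00"
    + b"abc\x00"
    + b"GCC: (GNU) 13.2.0"
)

if __name__ == "__main__":
    import sys
    # With a path argument, behave like `strings -t x FILE`; otherwise use SAMPLE.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, text in find_strings(blob):
        print("%7x %s" % (offset, text))
```

Lowering min_len (strings -n 3) surfaces the "ELF" magic and the short "abc" run; raising it is the usual way to cut noise from stripped binaries, at the cost of missing short tokens such as option letters.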

Another useful tool is file, which allows you to determine the type of a given file. Applying it to /bin/ls produces the following on Linux:

$ file /bin/ls
/bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped

and the following on macOS:

$ file /bin/ls
/bin/ls: Mach-O 64-bit executable x86_64
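An added example (not from the original post) of what file is doing under the hood: a small Python identifier that keys on the magic bytes of ELF, Mach-O and PE images and then reads the header fields that file and readelf -h report (class, byte order, type, machine). The sample headers are constructed inline, not taken from /bin/ls, and the lookup tables are small subsets of the respective format specifications.

```python
# Added example, not code from the original post: a tiny file(1)-style
# identifier for ELF, Mach-O and PE images. Tables are subsets of the specs.
import struct

# ELF e_ident indices and field tables.
EI_CLASS, EI_DATA, EI_VERSION, EI_OSABI = 4, 5, 6, 7
ELF_CLASS = {1: "32-bit", 2: "64-bit"}
ELF_DATA = {1: "LSB", 2: "MSB"}
ELF_OSABI = {0: "SYSV", 3: "GNU/Linux", 9: "FreeBSD"}
ELF_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core file"}
ELF_MACHINE = {0x03: "Intel 80386", 0x28: "ARM", 0x3E: "x86-64",
               0xB7: "ARM aarch64", 0xF3: "RISC-V"}

# Mach-O: magic as stored on disk (little-endian), cputype and filetype.
MACHO_MAGIC = {b"\xce\xfa\xed\xfe": "32-bit", b"\xcf\xfa\xed\xfe": "64-bit"}
MACHO_CPU = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}
MACHO_FILETYPE = {1: "object", 2: "executable",
                  6: "dynamically linked shared library", 8: "bundle"}

# PE: COFF Machine values and the optional-header magic (PE32 vs PE32+).
PE_MACHINE = {0x14C: "Intel 80386", 0x8664: "x86-64", 0xAA64: "Aarch64"}
PE_OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def describe_elf(data: bytes) -> str:
    if len(data) < 20:                      # need e_ident + e_type + e_machine
        return "ELF (truncated header)"
    cls = ELF_CLASS.get(data[EI_CLASS], "invalid class")
    order = ELF_DATA.get(data[EI_DATA], "invalid byte order")
    endian = ">" if data[EI_DATA] == 2 else "<"   # EI_DATA decides field order
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return "ELF %s %s %s, %s, version %d (%s)" % (
        cls, order, ELF_TYPE.get(e_type, "unknown type %d" % e_type),
        ELF_MACHINE.get(e_machine, "unknown machine 0x%x" % e_machine),
        data[EI_VERSION], ELF_OSABI.get(data[EI_OSABI], "OSABI %d" % data[EI_OSABI]))


def describe_macho(data: bytes) -> str:
    if len(data) < 16:                      # magic, cputype, cpusubtype, filetype
        return "Mach-O (truncated header)"
    bits = MACHO_MAGIC[data[:4]]
    cputype, _subtype, filetype = struct.unpack("<III", data[4:16])
    return "Mach-O %s %s %s" % (
        bits, MACHO_FILETYPE.get(filetype, "filetype %d" % filetype),
        MACHO_CPU.get(cputype, "cputype 0x%x" % cputype))


def describe_pe(data: bytes) -> str:
    if len(data) < 0x40:                    # e_lfanew lives at offset 0x3c
        return "MS-DOS executable (truncated)"
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return "MS-DOS executable"
    if len(data) < pe_off + 26:             # COFF header + optional-header magic
        return "PE (truncated header)"
    machine = struct.unpack_from("<H", data, pe_off + 4)[0]
    opt_magic = struct.unpack_from("<H", data, pe_off + 24)[0]
    return "%s executable, %s" % (PE_OPT_MAGIC.get(opt_magic, "PE"),
                                  PE_MACHINE.get(machine, "machine 0x%x" % machine))


def identify(data: bytes) -> str:
    """Return a file(1)-style description from the leading bytes of data."""
    if data.startswith(b"\x7fELF"):
        return describe_elf(data)
    if data[:4] in MACHO_MAGIC:
        return describe_macho(data)
    if data.startswith(b"MZ"):
        return describe_pe(data)
    return "data"


# Constructed headers (not real binaries): just enough bytes for identify().
ELF64_X86_64 = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
                + struct.pack("<HHIQ", 2, 0x3E, 1, 0x401000))
ELF32_ARM_BE = (b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8
                + struct.pack(">HHI", 1, 0x28, 1))
MACHO64_X86_64 = struct.pack("<IIIIIIII", 0xFEEDFACF, 0x01000007, 3, 2, 0, 0, 0, 0)
PE32PLUS_X86_64 = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
                   + struct.pack("<H", 0x8664) + b"\x00" * 18 + struct.pack("<H", 0x20B))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print("%s: %s" % (path, identify(f.read(4096))))
```

Two caveats a practitioner should keep in mind. Position-independent executables, which most current Linux distributions build by default, carry e_type ET_DYN, so this toy calls them "shared object"; the real file goes on to inspect the program headers and prints "pie executable". And Mach-O universal (fat) binaries, whose magic is 0xcafebabe, are not handled here. More generally, file trusts the header bytes it reads; a crafted file can claim any type it likes, so treat the output as a hint, not as proof of what the bytes will do when executed.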

Under Linux, other useful tools are:

  • nm, which lists the symbols in an object file;
  • readelf, which displays information about ELF files;
  • ldd, which shows the shared object dependencies of an executable;
  • lsof, which lists files and other system resources used by a running process;
  • ltrace, which traces a process’ calls to functions in dynamic libraries;
  • strace, which traces the system calls of a running process;
  • etc.

Disassemblers

There are many tools available for disassembling native code. Some support only one hardware architecture, while others can disassemble code for many different types of CPUs.

objdump on Linux and otool on macOS are open source tools for displaying various kinds of information about object files on Unix-based operating systems, including disassembled machine code.

The gdb and LLDB debuggers have a built-in disassemble command that disassembles the function of the selected stack frame or an explicit address range.

radare2 is a free and open source portable reversing framework that includes a disassembler.

Capstone is a free and open source lightweight multi-platform, multi-architecture disassembly framework.

Ghidra is a free and open source reverse engineering graphical toolset.

IDA Pro is a very powerful disassembler with free and commercial versions available.

Binary Ninja is a commercial graphical reverse engineering toolset with cloud and limited trial versions available.

Hopper is a commercial disassembler with free trial versions available.

Decompilers

Hopper, Binary Ninja and Ghidra have embedded decompilers. The Hex-Rays Decompiler is a commercial decompilation plugin for IDA Pro.

.NET Reflector is a commercial decompiler for .NET with free trial versions available.

JD is a free and open source Java decompiler.

uncompyle6 is a free and open source Python bytecode decompiler.

Debuggers

The GNU Debugger gdb is available on many Unix-like platforms and supports many programming languages.

LLDB is a free and open source debugger developed by the LLVM project. In particular, it is the default debugger in the Apple ecosystem.

WinDbg is a multi-purpose debugger for the Microsoft Windows computer operating system, distributed by Microsoft.

x64dbg is an open source debugger for Microsoft Windows.

Emulators

QEMU is a generic and open source machine emulator and virtualizer.

Bochs is a highly portable open source x86 (IA-32 and x86-64) PC emulator.

Binary Instrumentation Frameworks

Pin is a free, closed-source dynamic binary instrumentation framework provided by Intel.

Triton is a free and open-source dynamic binary analysis framework.

Frida is a free and open source dynamic instrumentation toolkit that is popular among mobile application security researchers.

QBDI is a free, open-source, modular, cross-platform and cross-architecture dynamic instrumentation framework.

In the next episode, I will cover the basics of the Intel architecture. Stay tuned!
