resources i find useful
This page contains a bunch of links to resources, blogs, software, etc. that I've found useful during my time writing and reversing software.
Last updated: 01/11/2023 (dubya, you suck)
getting started with reverse engineering - the basics (assembly):
- Felix Cloutier's x86 and amd64 instruction set reference. [web] [archive] [source]
While Felix's website is an amazing place to read up on the (machine-parsed) summaries of instructions, when in doubt, reference the official software developer manuals:
- Intel's IA-32 and Intel 64 ISA Software Developer Manual [web] [archive]
- AMD's AMD64 Architecture Programmer's Manual [web] [archive] [doc-search]
- Brown University's x86-64 Cheat Sheet [web] [archive]
reverse engineering pages:
- secret.club - great reads relating to all fields of reversing [web] [archive]
- fravia's pages of reverse engineering (~199x) [web mirror] [archive of web mirror]
reverse engineering tooling:
Contrary to popular belief, you don't need expensive tooling such as IDA, Binary Ninja, or Hopper Disassembler to begin your reverse engineering adventures. Free alternatives exist, and are only getting better as time goes by. Great examples of this include Ghidra, x64dbg, zydis. All of them are free, open-source tools that make your life much easier.
disassemblers & debuggers:
- Ghidra - an open-source, cross-platform disassembler, decompiler and debugger [web] [source]
- x64dbg - a very powerful Windows application debugger [web] [source]
- radare2 - a unix-esque reverse engineering suite of tools [web] [source]
- gdb - The GNU Debugger is a UNIX application debugger that can be effectively scripted to do anything [web] [source]
general software reverse engineering:
- Detect It Easy (DIE) - signature identification in binaries made easy [source]
- Interactive Delphi Reconstructor (IDR) - a tool that aids in the static analysis of binaries written in Borland Delphi [source]
- mitmproxy - a lightweight, scriptable man-in-the-middle proxy [web] [source]
- SysInternals Process Monitor - advanced monitoring of file, registry and network APIs for Windows [web] [archive]
- UniExtract2 - a universal installer & binary extractor [source]
- Cheat Engine - a really powerful but proprietary memory modification tool [web] [source]
Notes on CE: Be aware that publicly-available Cheat Engine installers are bundled with additional software. Select "Skip All" during installation. The source code is available on GitHub, but is proprietary [see this FAQ entry].
- ReClass.NET - an extensible memory analysis & modification toolkit [source]
software unpacking & devirtualization:
- unlicense - a dynamic unpacker for Themida/WinLicense [source]
- dnSpyEx - a maintained fork of the dnSpy .NET decompiler & debugger. [source]
- Andras Pardeike's Harmony - A .NET dynamic patching library. [source]
- NirSoft's snremove - A .NET StrongName removal tool. [web] [archive]
- Einar Egilsson's InjectModuleInitializer - A tool to inject code that will run when a .NET assembly is initialized. [source] [blog post] [blog post archive]
- SychicBoy's NETReactorSlayer - An open-source deobfuscator and unpacker for .NET assemblies and executables packed with Eziriz's .NET Reactor. [source]
- void-stack's VMUnprotect.NET - A dynamic devirtualizer for .NET assemblies and executables protected by VMProtect. [source]
disassembler scripts, plugins & tools:
- GoReSym - Go symbol recovery tool with IDA, Ghidra, and BinjaPython scripts [source]
- BinDiff - a post-analysis binary diffing tool for use with disassemblers such as IDA, Binary Ninja, and Ghidra [web] [source]
- Patching - IDAPython plugin that introduces interactive patching with assembly mnemonics [source]
- ida_names - IDAPython plugin that automatically renames pseudocode windows with the current function name [source]
- AlphaGolang - IDAPython scripts to aid in reverse engineering Go binaries [source]
- IDAPatch - IDA plugin that can be used to patch IDA at runtime [source]
interesting posts & pages
These are any pages I deem interesting, but don't fit in the "Reverse Engineering Pages" section above.
- Akamai SIRT - UPX Packed Headaches; A tale of unpacking executables with intentionally-malformed headers. [web] [archive]