5 min read

Best Reverse Engineering Tools

Best Reverse Engineering Tools

Being able to reverse engineer software is a vastly valuable skill to have. As a software engineer, it teaches you to find vulnerabilities in your code so you can patch them. Here is a list of reverse engineering tools that I think all reverse engineers should have.

IDA Pro

IDA Pro – Hex Rays

IDA Pro is probably the most powerful reverse-engineering tool. IDA Pro includes a disassembler. When you feed an executable to IDA Pro's disassembler, assembly language code is generated and displayed. By having assembly language code, you can get a clearer idea of what the program does. IDA Pro does some of its own reversing to go through every function, finds strings, generates other references, and so much more. This is what they call automatic code analysis. The automatic code analysis is not completely accurate nor does it say everything. You will still need to step in to figure out bits, but this does make many aspects easier.

The product is matured-It has years of development and improvement by highly competent reverse engineers. Tutorials are all over the place because IDA Pro is well established in reverse engineering communities. Just search on Google when you need help. Even fortune-500 companies use IDA Pro.

Being a vastly powerful tool, it comes with a very premium price. Thankfully, it is the only paid tool on this list. The product "IDAPRONW" comes at $1879. Ironically, many people have reversed engineered the software to crack and leak it. Grabbing a cracked copy is of course, not recommended because:

  • You never know if it is bundled with malware.
  • Downloading cracked content is piracy, which is illegal.
  • The developers worked hard on their software. Their invested time and money go to waste.

IDA has a free version of their software. Though it is an older version and very stripped down. You can experiment with it to get a general idea of IDA, but it doesn't demonstrate the full power of IDA Pro. You can find the free version here.

Ghidra

NationalSecurityAgency/ghidra
Ghidra is a software reverse engineering (SRE) framework - NationalSecurityAgency/ghidra

The IDA alternative. Ghidra is a suite of reverse engineering tools. It is very much like IDA. Because Ghidra is open-source, it is completely free. Ghidra offers many features that IDA does, such as the disassembler. Albeit, Ghidra is much slower than IDA. It will likely always be as Ghidra is made with Java, while IDA Pro is made with C++.

Some of Ghidra's features are not as well integrated as IDA, but this will likely change with time as the community builds onto the open-source code. Ghidra is still very young. It came out on March 5, 2019. With such a short amount of time, there have already been lots of huge improvements. Who knows what else will happen with time. It would be no surprise to see Ghidra surpass IDA as the preferred tool years later.

Ghidra is developed by the United States National Security Agency(NSA). They use this tool to support their efforts in cybersecurity improvement. This is a huge backing to suggest the ongoing improvement and reliability of Ghidra. Being developed by the NSA, many people were naturally worried about being spied on by the government. Being open-source, people have been able to check the code for anything of the sort. There have been no major reports of Ghidra being used to spy on anyone.

ReClass.NET

ReClassNET/ReClass.NET
Not just a ReClass port to the .NET platform. Contribute to ReClassNET/ReClass.NET development by creating an account on GitHub.

ReClass.NET is particularly useful to reverse engineer data structures inside of a running process built with .NET. It is mainly used to understand classes. It is built on ReClass for support with the .NET platform. It extends many other features on top of ReClass. Most major software is built with .NET, so this tool can prove commonly useful. ReClass.NET is completely open-source, so it is completely free.

Get a quick idea of what ReClass does with this YouTube playlist.

Process Dump

glmcdona/Process-Dump
Windows tool for dumping malware PE files from memory back to disk for analysis. - glmcdona/Process-Dump

If you couldn't tell from the name, Process Dump is a tool used to dump a process. Some programs obfuscate their code to hide from reverse engineers. More specifically, it is to hide from tools like disassemblers and decompilers. Obfuscation makes code look like nonsense. Eventually, code needs to be deobfuscated to run properly during run-time. We can take advantage of this by dumping the running process with the Process Dump tool. The Process Dump tool can create a new executable based on the dumped process. The new executable file can then be used with your other tools to better reverse engineer the program.

Cheat Engine

cheat-engine/cheat-engine
Cheat Engine. A development environment focused on modding - cheat-engine/cheat-engine

Cheat Engine is an open-source memory scanner. It is most popularly used to cheat in video games, but its practicality serves for almost any other running process. Being able to edit and view live memory of processes is immensely powerful. With such power, Cheat Engine is often the first tool to be used when reverse engineering software. You can use it to find reference points and continue with the new-found data in the other reverse engineering tools.

Summary

There are so many more useful reverse engineering tools, but these are the ones I can best vouch for. Cheat Engine, ReClass.NET, Process-Dump, and suites like IDA Pro and Ghidra are all valuable tools in the world of reverse engineering. They each serve their own purpose and do something better than another tool. There is no single best tool. To get the best experience, you will likely use multiple tools together.