Top 8 reverse engineering tools for cyber security professionals [updated 2021]

January 10, 2021 by Irfan Shakeel

Whether it is rebuilding a car engine or diagramming a sentence, people can learn about many things simply by taking them apart and putting them back together again. This process of breaking something down to understand it, build a copy of it or improve it is known as reverse engineering.

Reverse engineering was originally applied to hardware only, but it is now applied to software, databases and even human DNA as well. In cyber security, reverse engineering can be used to reconstruct the details of a breach: how the attacker entered the system and what steps were taken to breach it.

The cyber criminals behind such attacks use the full spectrum of computer intrusion techniques to break into corporate networks. They have a specific objective and are skilled, motivated, organized and well-funded. Here, reverse engineering enables us to identify their techniques so that they can be prevented in future. Several reverse engineering tools are available in Kali Linux (the operating system most preferred by ethical hackers). Here are some essential tools used to perform reverse engineering in Kali Linux:

Apktool:

Apktool is a third-party reverse engineering tool that can decode resources to nearly original form and rebuild them after some adjustments have been made. It allows smali code to be debugged step by step, and it makes working with an app easier thanks to its project-like file structure and its automation of repetitive tasks such as building the APK.

Apktool features:

  • decoding resources to nearly original form (including resources.arsc, XMLs and 9.png files) and rebuilding them
  • smali debugging
  • helping with some repetitive tasks

dex2jar:

Dex2jar is a lightweight API designed to read the Dalvik Executable (.dex/.odex) format. It is used to work with Android .dex and Java .class files. dex2jar contains the following components:

  • dex-reader is designed to read the Dalvik Executable (.dex/.odex) format. It has a lightweight API similar to ASM.
  • dex-translator does the conversion work. It reads dex instructions into the dex-ir format and, after some optimization, converts them to ASM format.
  • dex-ir, used by dex-translator, is designed to represent dex instructions.
  • dex-tools: tools for working with .class files, for example to modify an APK or deobfuscate a JAR.
  • d2j-smali [to be published]: disassembles dex to smali files and assembles dex from smali files. It is a different implementation from smali/baksmali with the same syntax, but it supports escapes in type descriptors such as "Lcom/dex2jar\t\u1234;".
  • dex-writer [to be published]: writes dex in the same way that dex-reader reads it.
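
As an added illustration (not code from dex2jar or from the original article), the Python sketch below reads the fixed-size header that any .dex reader has to parse first and checks the header's Adler-32 checksum and SHA-1 signature against the file contents, a quick way to notice a .dex that was modified without its header being recomputed. The function names and the sample bytes are constructed for this example; the field offsets follow the published Dalvik executable format.

```python
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70            # fixed size of the DEX header_item
ENDIAN_CONSTANT = 0x12345678  # little-endian marker stored at offset 40


def build_sample_dex(payload: bytes = b"\x00" * 16) -> bytes:
    """Build a header-only DEX image (constructed sample, not a real app)."""
    body = struct.pack("<3I", HEADER_SIZE + len(payload), HEADER_SIZE, ENDIAN_CONSTANT)
    body += b"\x00" * (HEADER_SIZE - 32 - len(body)) + payload
    signature = hashlib.sha1(body).digest()                 # covers offset 32..EOF
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF  # covers offset 12..EOF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + body


def inspect_dex(data: bytes) -> dict:
    """Parse the header and report whether its integrity fields match the content."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a DEX header")
    magic, checksum, signature, file_size, header_size, endian_tag = struct.unpack_from(
        "<8sI20s3I", data, 0)
    if magic[:4] != b"dex\n" or magic[7:] != b"\x00":
        raise ValueError("not a DEX file")
    return {
        "version": magic[4:7].decode("ascii", "replace"),
        "size_ok": file_size == len(data) and header_size == HEADER_SIZE,
        "endian_ok": endian_tag == ENDIAN_CONSTANT,
        "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
    }


if __name__ == "__main__":
    sample = build_sample_dex()
    print("untouched:", inspect_dex(sample))
    patched = bytearray(sample)
    patched[-1] ^= 0xFF  # simulate a byte patched after the header was written
    print("patched:  ", inspect_dex(bytes(patched)))
```

To check a real file, pass the bytes of a classes.dex extracted from an APK to `inspect_dex`.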

diStorm3:

diStorm is a lightweight, easy-to-use and fast decomposer library. It disassembles instructions in 16-, 32- and 64-bit modes. It is also the fastest disassembler library. The source code is very clean, readable, portable and platform independent (it supports both little and big endianness). diStorm depends solely on the C library, so it can be used in embedded or kernel modules.

diStorm3 is backward compatible with the interface of diStorm64. However, make sure you use the new header files.

edb-debugger:

edb debugger is a Linux equivalent of the famous "Olly debugger" on the Windows platform. One of the main goals of this debugger is modularity. Some of its features are:

  • Intuitive GUI interface
  • The usual debugging operations (step-into/step-over/run/break)
  • Conditional breakpoints
  • Debugging core is implemented as a plugin so people can have drop-in replacements. Of course, if a given platform has several debugging APIs available, then you may have a plugin that implements any of them.
  • Basic instruction analysis
  • View/Dump memory regions
  • Effective address inspection
  • The data dump view is tabbed, allowing you to have several views of memory open at the same time and quickly switch between them.
  • Importing and generation of symbol maps
  • Various plugins

Jad Debugger:

Jad has been the most popular Java decompiler ever written. It is a command line utility written in C++. Several graphical shells are available that execute this program behind the scenes while providing the user with a more comfortable interface for source browsing, project management, etc. It is available in Kali Linux for debugging Java applications for reverse engineering and many other purposes.

JavaSnoop:

JavaSnoop is an Aspect Security tool that allows security testers to test the security of Java applications easily. JavaSnoop is an example of how Aspect is leading the industry in providing Verification Services, and not just for your web applications.

JavaSnoop allows you to attach to an existing process (like a debugger) and instantly begin tampering with method calls, run custom code, or just watch what's happening on the system.

OllyDbg:

OllyDbg is a 32-bit assembler level analyzing debugger for Microsoft Windows. Emphasis on binary code analysis makes it particularly useful in cases where the source is unavailable.

Features:

  • Intuitive user interface, no cryptic commands
  • Code analysis – traces registers, recognizes procedures, loops, API calls, switches, tables, constants, and strings
  • Directly loads and debugs DLLs
  • Object file scanning – locates routines from object files and libraries
  • Allows for user-defined labels, comments and function descriptions
  • Understands debugging information in Borland® format
  • Saves patches between sessions, writes them back to executable file and updates fixups
  • Open architecture – many third-party plugins are available
  • No installation – no trash in registry or system directories
  • Debugs multithread applications
  • Attaches to running programs
  • Configurable disassembler supports both MASM and IDEAL formats
  • MMX, 3DNow! and SSE data types and instructions, including Athlon extensions
  • Full UNICODE support
  • Dynamically recognizes ASCII and UNICODE strings – also in Delphi format!
  • Recognizes complex code constructs, like call to jump to procedure
  • Decodes calls to more than 1900 standard API and 400 C functions
  • Gives context-sensitive help on API functions from external help file
  • Sets conditional, logging, memory and hardware breakpoints
  • Traces program execution, logs arguments of known functions
  • Shows fixups
  • Dynamically traces stack frames
  • Searches for imprecise commands and masked binary sequences
  • Searches whole allocated memory
  • Finds references to constant or address range
  • Examines and modifies memory, sets breakpoints and pauses program on-the-fly
  • Assembles commands into the shortest binary form

Valgrind:

Valgrind is a suite for debugging and profiling Linux programs. With its tools, we can automatically detect memory management and threading bugs, saving hours of frustrating bug-hunting and making programs more stable. We can also perform detailed profiling to help speed up a program, and use Valgrind to build new tools. The Valgrind distribution currently includes six production-quality tools:

  • a memory error detector (Memcheck)
  • two thread error detectors (Helgrind and DRD)
  • a cache and branch-prediction profiler (Cachegrind)
  • a call-graph generating cache and branch-prediction profiler (Callgrind)
  • a heap profiler (Massif)

It also includes three experimental tools:

  • a stack/global array overrun detector (SGCheck)
  • a second heap profiler that examines how heap blocks are used (DHAT)
  • a SimPoint basic block vector generator (BBV)

Manufacturers see reverse engineering as an important means of staying competitive, while others use it as a tool to understand flaws in a design and rework them. Kali Linux provides some great, well-known reverse engineering tools for such activities. There are many other reverse engineering tools as well, but these are already built in and come out of the box with Kali Linux.

Irfan Shakeel

Irfan Shakeel is the founder & CEO of ehacking.net, an engineer, penetration tester and security researcher. He specializes in network and VoIP penetration testing and digital forensics. He is the author of the book titled “Hacking from Scratch”. He loves to provide training and consultancy services, and works as an independent security researcher.