Reverse Engineering Roadmap

Author: admin

  • General Tools Used for Disassembly

    Disassembling is the process of converting binary executable code into assembly language. It’s often used for reverse engineering, debugging, security auditing, and malware analysis. Below is a detailed guide on how to disassemble executables on different platforms.

    GENERAL TOOLS USED FOR DISASSEMBLY

    ToolDescription
    IDA Pro / FreeInteractive disassembler (Windows/Linux/macOS)
    GhidraNSA’s reverse engineering suite (cross-platform)
    Radare2 / CutterOpen-source framework with GUI (Cutter)
    objdumpGNU binary utilities (Linux/macOS)
    HopperGUI disassembler (macOS/Linux)
    Binary NinjaCommercial, scripting-friendly disassembler
    Jadx / Bytecode ViewerJava/Android decompilation tools

    HOW TO DISASSEMBLE A WINDOWS .exe FILE

    Tools:

    • IDA Free / IDA Pro
    • Ghidra
    • x64dbg (for debugging)
    • objdump (via MinGW or WSL)
    • PEiD / Detect It Easy (for checking packers)

    Steps:

    1. Identify Architecture:
      • Use PE-bear, die.exe, or file.exe (in Git Bash or WSL) to check if it’s 32-bit or 64-bit.
    2. Disassemble with IDA:
      • Load the .exe in IDA.
      • It auto-detects 32-bit vs 64-bit and shows disassembly.
      • Can analyze code/data segments, imports/exports, functions.
    3. Alternative: Ghidra:
      • Import .exe, select correct language (x86 or x86_64).
      • Let it analyze and decompile.
      • Provides both assembly and C-like decompiled view.
    4. With objdump:
    objdump -d somefile.exe > disassembly.txt

    HOW TO DISASSEMBLE A LINUX EXECUTABLE

    Tools:

    • objdump (binutils)
    • gdb (debugger)
    • radare2 / Cutter
    • Ghidra
    • IDA Free

    Check Architecture:

    file ./binaryfile

    Disassemble with objdump:

    • For 32-bit:
    objdump -m i386 -D ./binaryfile > disasm.txt
    • For 64-bit:
    objdump -m i386:x86-64 -D ./binaryfile > disasm.txt

    With radare2:

    r2 -A ./binaryfile
# then inside r2 shell:
> pdf @ main    # disassemble function at 'main'

    HOW TO DISASSEMBLE A MAC OS EXECUTABLE

    Tools:

    • otool (Apple’s equivalent of objdump)
    • Hopper Disassembler
    • Ghidra
    • IDA
    • Radare2

    Check Binary Type:

    file ./MyApp

    Use otool:

    otool -tV ./MyApp > disasm.txt # Disassemble text section

    With Hopper:

    • Load binary, choose architecture.
    • View disassembled or decompiled output.

    Universal Binaries (Fat Binaries):

    lipo -info ./MyApp
# Strip out individual arch:
lipo -thin x86_64 ./MyApp -output MyApp64

    HOW TO DISASSEMBLE AN ANDROID APPLICATION (.apk)

    APK = Zipped Java/Kotlin + Native code (if any)

    Tools:

    • Jadx – decompile .dex to Java.
    • apktool – disassemble Smali code.
    • Ghidra – for native .so libraries inside APK.
    • Frida – dynamic analysis.

    Steps:

    1. Unpack APK:
    unzip app.apk -d unpacked_apk/
    1. Convert DEX to Smali (Disassemble):
    apktool d app.apk
# Look inside smali/ directory
    1. Decompile to Java (Optional):
    jadx-gui app.apk
    1. Disassemble Native .so files:
    objdump -D lib/armeabi-v7a/libnative.so > native_disasm.txt

    HOW TO DISASSEMBLE A .JAR (Java Application)

    Tools:

    • JD-GUI – GUI decompiler.
    • Jadx
    • CFR, Fernflower, Procyon – Java decompilers.
    • javap – disassembler built into JDK.

    Steps:

    1. List classes:
    jar tf app.jar
    1. Disassemble with javap:
    javap -c -p com/example/MyClass.class
    1. Decompile to Java (Optional):
    • Open in JD-GUI or Jadx for readable Java code.
    • Use: 
    cfr MyClass.class > MyClass.java

  • Operating System (OS) processes

    What is a Process in an Operating System?

    A process is an instance of a program in execution. It includes:

    • The executable program code.
    • Current activity (Program Counter, registers).
    • Stack (temporary data like function parameters).
    • Heap (dynamically allocated memory).
    • Data section (global/static variables).
    • OS context (such as process ID, priority, state).

    WINDOWS PROCESSES (32-bit and 64-bit)

    Key Characteristics

    • Process creation: Via CreateProcess() API.
    • Each process has a unique process ID.
    • Each has its own virtual address space, handle table, security context, and environment block.
    • Thread-based: Windows processes contain one or more threads.

    32-bit Windows (x86)

    Memory Layout

    • 4 GB virtual address space per process.
      • 2 GB for user mode (default).
      • 2 GB for kernel mode.
      • Can be configured to 3 GB user / 1 GB kernel with /3GB switch in boot.ini.

    Process Constraints

    • Limited address space (important for memory-heavy apps).
    • Can only load 32-bit DLLs.
    • Cannot run 64-bit code.

    64-bit Windows (x64)

    Memory Layout

    • Theoretically supports 16 TB of virtual memory.
      • Usually 8 TB user space / 8 TB kernel space.
    • Can run both 32-bit and 64-bit processes using WoW64 (Windows-on-Windows 64-bit) subsystem.

    Advantages

    • Larger address space (important for large databases, CAD tools).
    • ASLR (Address Space Layout Randomization) is more effective.
    • Improved DEP (Data Execution Prevention) support.
    • Can load both 32-bit and 64-bit executables (32-bit through WoW64).

    Tools & Commands

    • Task Manager (Ctrl + Shift + Esc)
    • tasklist / taskkill
    • Process Explorer (Sysinternals)
    • wmic process (deprecated in latest Windows)
    • Get-Process (PowerShell)

    LINUX PROCESSES (32-bit and 64-bit)

    Key Characteristics

    • Created via fork() / exec() system calls.
    • Represented in the kernel as task_struct.
    • Each has its own PID, UID, memory space, and open file descriptors.
    • Process hierarchy is maintained (e.g., parent-child relationships).

    32-bit Linux (x86)

    Memory Layout

    • Typically 4 GB virtual address space.
      • 3 GB user space / 1 GB kernel space (default).
      • Can vary depending on kernel config.

    Constraints

    • Limited to ~3 GB memory per process.
    • Cannot access 64-bit registers (limits performance and addressability).
    • Cannot run 64-bit binaries.

    64-bit Linux (x86_64)

    Memory Layout

    • Theoretically supports 256 TB virtual address space.
      • Actual user/kernel split may vary.
    • Can run both 32-bit and 64-bit binaries (if multilib is enabled).
    • Uses ELF64 format for binaries.

    Features

    • Larger address space.
    • Supports native 64-bit instructions.
    • Can address more RAM (beyond 4 GB).
    • Kernel uses task_struct to manage process information.
    • Can access high-performance features like HugePages, NUMA, and ASLR enhancements.

    Tools & Commands

    • ps, top, htop, pidstat
    • kill, nice, renice, killall
    • /proc/<pid>/ – contains full process metadata
    • strace, lsof, gdb – for deeper inspection

    MAC OS PROCESSES (32-bit and 64-bit)

    Key Characteristics

    • macOS is based on XNU kernel (hybrid of Mach and BSD).
    • Process creation through fork(), exec(), and posix_spawn().
    • Uses Mach tasks and threads under the hood.
    • All applications are 64-bit as of macOS Catalina (10.15).

    32-bit macOS (pre-10.15)

    Memory Layout

    • Standard 4 GB address space per process.
    • System-wide transition to 64-bit started around OS X Leopard (10.5).
    • Could run both 32-bit and 64-bit apps on Intel Macs (with proper compatibility frameworks).

    Constraints

    • Memory limitations (especially for media apps).
    • Deprecated by Apple.
    • Many newer libraries and APIs are 64-bit only.

    64-bit macOS (10.7+)

    Memory Layout

    • Full support for 64-bit processes and system libraries.
    • As of macOS Catalina, 32-bit apps are no longer supported.
    • Uses Mach-O 64 binary format.
    • System frameworks (AppKit, Cocoa) all require 64-bit compliance.

    Features

    • ASLR, SIP (System Integrity Protection), DEP, sandboxing.
    • Robust thread/process control via launchd, Activity Monitor, or ps.
    • Uses dyld for dynamic library loading (like Linux’s ld.so).

    Tools & Commands

    • Activity Monitor (GUI)
    • ps, top, htop (CLI)
    • launchctl – for managing services/processes
    • dtruss, fs_usage, vmmap, sample – debugging tools
    • /proc/ is not present; uses sysctl, /usr/bin/stat, and other BSD-style tools.

  • Reverse Engineering Roadmap

    Prerequisites (Foundational Knowledge)

    Operating Systems & Computer Architecture

    • Learn how OS works: processes, memory, system calls, file systems
    • Study computer architecture (x86/x86_64/ARM):
      • Registers, flags, stack, heap
    • Recommended:
      • “Computer Systems: A Programmer’s Perspective”
      • “Operating Systems: Three Easy Pieces”

    Programming Skills

    • C and C++ (you’ll need this to understand compiled binaries)
    • Assembly Language:
      • x86 and x86-64 at minimum
      • ARM if you’re interested in mobile/IoT RE
    • Scripting: Python (for automating RE tasks)

    Introduction to Reverse Engineering

    Learn Basic RE Concepts:

    • What is disassembly, decompilation?
    • Static vs Dynamic Analysis
    • Understanding binary formats: PE (Windows), ELF (Linux), Mach-O (macOS)

    Tools:

    • IDA Free / Ghidra / Binary Ninja (Disassemblers & Decompilers)
    • x64dbg / OllyDbg / WinDbg (Windows Debuggers)
    • radare2 / GDB / pwndbg (Linux Debuggers)
    • Cutter (GUI frontend for radare2)

    Static Analysis Skills

    • Learn to read and interpret disassembled code
    • Recognize standard library functions (e.g., strcmp, printf)
    • Understand control flow graphs (CFGs), function prologues/epilogues

    Focus Areas:

    • String references
    • API calls
    • Code obfuscation techniques

    Dynamic Analysis Skills

    • Set breakpoints, step through code
    • Modify registers, memory at runtime
    • Trace system/API calls (e.g., with Procmon, strace, ltrace)
    • Use frida, Valgrind, or unicorn for advanced instrumentation

    Software Modifying

    • Learn how to:
      • Bypass checks or popup dialogs
      • Modify control flow in binaries
      • Patch binaries (with tools like Hiew, LordPE, or 010 Editor)
    • Understand:
      • Software protection mechanisms (packing, obfuscation)
      • Anti-debugging techniques and how to bypass them