Category: Reverse Engineering

  • General Tools Used for Disassembly

    Disassembly converts the machine code of a binary executable back into assembly language. Decompilation goes one step further and reconstructs C-like (or Java) source from the same code; several of the tools below do both, and this guide uses "disassemble" loosely for either. Both are static techniques used in reverse engineering, debugging, security auditing, and malware analysis. Below is a detailed guide on how to disassemble executables on different platforms.

    GENERAL TOOLS USED FOR DISASSEMBLY

    Tool                     Description
    IDA Pro / IDA Free       Interactive disassembler (Windows/Linux/macOS)
    Ghidra                   NSA's reverse engineering suite with decompiler (cross-platform)
    Radare2 / Cutter         Open-source framework (radare2) with a GUI front end (Cutter)
    objdump                  GNU binutils disassembler (Linux; on macOS via Homebrew binutils, or use Xcode's llvm-objdump)
    Hopper                   GUI disassembler and decompiler (macOS/Linux)
    Binary Ninja             Commercial, scripting-friendly disassembler
    Jadx / Bytecode Viewer   Java/Android decompilation tools

    HOW TO DISASSEMBLE A WINDOWS .exe FILE

    Tools:

    • IDA Free / IDA Pro
    • Ghidra
    • x64dbg (for debugging)
    • objdump (via MinGW or WSL)
    • PEiD / Detect It Easy (for checking packers)

    Steps:

    1. Identify Architecture:
      • Use PE-bear, Detect It Easy (die.exe) or file (in Git Bash or WSL) to check whether the binary is 32-bit (PE32, Machine 0x14c) or 64-bit (PE32+, Machine 0x8664). dumpbin /headers from Visual Studio shows the same fields.
      • Check for a packer at the same time (Detect It Easy, PEiD). A packed executable has to be unpacked, or dumped from memory with x64dbg once it has unpacked itself, before static disassembly shows anything beyond the unpacking stub.
    2. Disassemble with IDA:
      • Load the .exe in IDA.
      • It auto-detects 32-bit vs 64-bit and shows disassembly.
      • Can analyze code/data segments, imports/exports, functions.
    3. Alternative: Ghidra:
      • Import the .exe. Ghidra reads the architecture from the PE header, so accept the suggested language (x86:LE:32 or x86:LE:64) unless the header has been tampered with.
      • Let it analyze and decompile.
      • Provides both assembly and C-like decompiled view.
    4. With objdump (requires a binutils build with PE targets, which MinGW's objdump and most Linux distribution builds include; -d disassembles only executable sections):
    objdump -d somefile.exe > disassembly.txt

    HOW TO DISASSEMBLE A LINUX EXECUTABLE

    Tools:

    • objdump (binutils)
    • gdb (debugger)
    • radare2 / Cutter
    • Ghidra
    • IDA Free

    Check Architecture:

    file ./binaryfile

    Disassemble with objdump:

    objdump reads the target from the ELF header, so an ELF file needs no -m flag. Prefer -d (executable sections only) over -D, which also disassembles data sections and prints meaningless instructions for them. Add -M intel if you want Intel rather than AT&T syntax:

    objdump -d ./binaryfile > disasm.txt

    The -m values below are for headerless raw code (for example an extracted shellcode blob), where objdump cannot detect the architecture and -b binary is required:

    • For 32-bit:
    objdump -b binary -m i386 -D ./binaryfile > disasm.txt
    • For 64-bit:
    objdump -b binary -m i386:x86-64 -D ./binaryfile > disasm.txt

    With radare2:

    r2 -A ./binaryfile     # -A runs full analysis (aaa) on load
    # then inside the r2 shell:
    > pdf @ main    # disassemble the function at 'main' (requires symbols; stripped binaries need entry0 or an address)

    HOW TO DISASSEMBLE A MAC OS EXECUTABLE

    Tools:

    • otool (Apple's equivalent of objdump; Xcode's command line tools also ship llvm-objdump)
    • Hopper Disassembler
    • Ghidra
    • IDA
    • Radare2

    Check Binary Type:

    file ./MyApp

    Use otool (-t selects the __TEXT,__text section, -V prints symbolic disassembly):

    otool -tV ./MyApp > disasm.txt # Disassemble text section

    With Hopper:

    • Load binary, choose architecture.
    • View disassembled or decompiled output.

    Universal Binaries (Fat Binaries):

    A universal binary packs one complete Mach-O per architecture (today usually x86_64 and arm64) behind a fat header. Disassemblers prompt for the slice to load, and otool accepts -arch arm64 to pick one directly; to work on a single slice as a plain Mach-O, extract it with lipo:

    lipo -info ./MyApp
    # Extract a single architecture:
    lipo -thin x86_64 ./MyApp -output MyApp64
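    The architecture checks in the three sections above (PE-bear or file on Windows, file on Linux and macOS, lipo -info for fat binaries) all read the same few header fields. The following Python script is an added example, not part of the original page or of any tool it lists: it reads those fields directly from the first bytes of a file and reports format, bitness and machine type for PE, ELF, Mach-O and fat Mach-O, and tells a fat header apart from a Java .class file, which shares the 0xCAFEBABE magic. The sample inputs are constructed header fragments rather than real executables, and the fat-versus-class cut-off is this script's own heuristic.

```python
import struct

# Machine/CPU identifiers from the PE, ELF and Mach-O specifications (subset).
PE_MACHINE = {0x014C: "x86", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
ELF_MACHINE = {3: "x86", 62: "x86-64", 40: "ARM", 183: "AArch64", 243: "RISC-V"}
MACHO_CPU = {7: "x86", 0x01000007: "x86-64", 12: "ARM", 0x0100000C: "ARM64"}


def identify(data: bytes) -> dict:
    """Classify an executable from its leading bytes; roughly what `file` reports."""
    try:
        return _identify(data)
    except (struct.error, IndexError):
        return {"format": "truncated"}


def _identify(data: bytes) -> dict:
    if data[:2] == b"MZ":
        # PE: the DOS stub stores e_lfanew at 0x3c -> "PE\0\0", COFF header, optional header.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return {"format": "MZ (DOS executable, no PE header)"}
        machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
        # The optional header follows the 20-byte COFF header; its magic says PE32 vs PE32+.
        opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
        bits = {0x10B: 32, 0x20B: 64}.get(opt_magic)
        return {"format": "PE", "bits": bits, "arch": PE_MACHINE.get(machine, hex(machine))}

    if data[:4] == b"\x7fELF":
        bits = {1: 32, 2: 64}.get(data[4])          # EI_CLASS
        endian = "<" if data[5] == 1 else ">"        # EI_DATA
        machine = struct.unpack_from(endian + "H", data, 18)[0]
        return {"format": "ELF", "bits": bits, "arch": ELF_MACHINE.get(machine, hex(machine))}

    for endian in ("<", ">"):                        # Mach-O in either byte order
        magic = struct.unpack_from(endian + "I", data, 0)[0]
        if magic in (0xFEEDFACE, 0xFEEDFACF):
            cputype = struct.unpack_from(endian + "I", data, 4)[0]
            bits = 64 if magic == 0xFEEDFACF else 32
            return {"format": "Mach-O", "bits": bits, "arch": MACHO_CPU.get(cputype, hex(cputype))}

    if data[:4] == b"\xca\xfe\xba\xbe":
        # Fat Mach-O and Java class files share this magic. A fat header's nfat_arch is a
        # small slice count; in a class file the same u32 is minor<<16 | major with major >= 45.
        # The cut-off of 30 is a heuristic of this script, not part of either specification.
        nfat = struct.unpack_from(">I", data, 4)[0]
        if nfat < 30:
            slices = []
            for n in range(nfat):                    # each fat_arch record is 20 bytes
                cputype = struct.unpack_from(">I", data, 8 + 20 * n)[0]
                slices.append(MACHO_CPU.get(cputype, hex(cputype)))
            return {"format": "Mach-O fat", "slices": slices}
        major = struct.unpack_from(">H", data, 6)[0]
        return {"format": "Java class", "major": major}

    return {"format": "unknown"}


def _pe(machine: int, opt_magic: int) -> bytes:
    """Constructed minimal PE header (not a runnable executable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the stub
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", opt_magic)


def _elf(ei_class: int, machine: int) -> bytes:
    """Constructed ELF e_ident + e_type/e_machine, zero-padded to a 64-byte header."""
    hdr = b"\x7fELF" + bytes([ei_class, 1, 1]) + b"\0" * 9 + struct.pack("<HH", 2, machine)
    return hdr.ljust(64, b"\0")


SAMPLES = {  # constructed header fragments used as offline input
    "win64.exe": _pe(0x8664, 0x20B),
    "win32.exe": _pe(0x014C, 0x10B),
    "linux_arm64": _elf(2, 183),
    "macos_arm64": struct.pack("<II", 0xFEEDFACF, 0x0100000C).ljust(32, b"\0"),
    "universal": struct.pack(">II", 0xCAFEBABE, 2)
                 + struct.pack(">IIIII", 0x01000007, 3, 0x4000, 0x1000, 14)
                 + struct.pack(">IIIII", 0x0100000C, 0, 0x8000, 0x1000, 14),
    "Foo.class": struct.pack(">IHH", 0xCAFEBABE, 0, 61),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} {identify(blob)}")
```

    On a real file call identify(open(path, "rb").read(64 * 1024)); a machine value missing from the tables comes back as a hex string instead of being misreported, which is the behaviour you want when a sample has a deliberately corrupted header.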

    HOW TO DISASSEMBLE AN ANDROID APPLICATION (.apk)

    An APK is a ZIP archive containing Dalvik bytecode (classes.dex, classes2.dex, ...) compiled from the Java/Kotlin source, the binary AndroidManifest.xml, resources, and optionally native libraries under lib/<abi>/. The original source is not shipped, so "decompiling" an APK means turning DEX back into Java.

    Tools:

    • Jadx – decompile .dex to Java.
    • apktool – disassemble Smali code.
    • Ghidra – for native .so libraries inside APK.
    • Frida – dynamic analysis.

    Steps:

    1. Unpack APK:
    unzip app.apk -d unpacked_apk/
    2. Convert DEX to Smali (Disassemble):
    apktool d app.apk
    # Output goes to app/ by default; look inside app/smali/
    3. Decompile to Java (Optional):
    jadx-gui app.apk
    4. Disassemble Native .so files:
    # These are ARM/ARM64 ELF objects. A host objdump built only for x86 does not know the target,
    # so use llvm-objdump (all targets built in) or a cross binutils such as arm-linux-gnueabihf-objdump.
    llvm-objdump -d unpacked_apk/lib/armeabi-v7a/libnative.so > native_disasm.txt
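    The following Python script is an added example, not code from the page or from apktool/Jadx. It performs the triage that steps 1 and 4 imply: it opens the APK as a zip, records the DEX files with their format version, and for every lib/<abi>/*.so reads e_machine from the ELF header to pick the right disassembler, flagging libraries whose real architecture does not match their ABI directory or that are not ELF at all (a mismatch is worth a second look, since the ABI directory is chosen by whoever packaged the APK). The APK is constructed in memory from stub headers, and the GNU cross-binutils prefixes are assumed Debian/Ubuntu package naming.

```python
import io
import struct
import zipfile

ELF_MACHINE = {3: "x86", 62: "x86-64", 40: "ARM", 183: "AArch64"}
# e_machine expected for each ABI directory that Android's packaging rules define.
ABI_MACHINE = {"armeabi-v7a": 40, "arm64-v8a": 183, "x86": 3, "x86_64": 62}
# GNU cross-binutils prefixes as packaged on Debian/Ubuntu (assumed naming; adjust per distro).
# llvm-objdump needs no prefix because it carries every target.
GNU_PREFIX = {40: "arm-linux-gnueabihf-", 183: "aarch64-linux-gnu-", 3: "", 62: ""}


def elf_machine(blob: bytes):
    """e_machine from an ELF header, honouring EI_DATA; None if the blob is not ELF."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    endian = "<" if blob[5] == 1 else ">"
    return struct.unpack_from(endian + "H", blob, 18)[0]


def inventory_apk(apk: bytes) -> dict:
    """Walk the APK zip and report DEX files and native libraries with their real arch."""
    report = {"dex": [], "native": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if name.endswith(".dex"):
                head = z.read(name)[:8]                 # "dex\n035\0": magic + format version
                version = head[4:7].decode() if head.startswith(b"dex\n") else None
                report["dex"].append({"path": name, "version": version})
            elif name.startswith("lib/") and name.endswith(".so"):
                abi = name.split("/")[1]
                machine = elf_machine(z.read(name))
                entry = {"path": name, "abi": abi, "arch": ELF_MACHINE.get(machine, machine)}
                if machine is None:
                    entry["cmd"] = None
                    report["suspicious"].append(f"{name}: not an ELF file")
                else:
                    entry["cmd"] = f"{GNU_PREFIX.get(machine, '')}objdump -d {name}"
                    if ABI_MACHINE.get(abi) != machine:
                        report["suspicious"].append(f"{name}: {entry['arch']} ELF in {abi} directory")
                report["native"].append(entry)
    return report


def _elf(ei_class: int, machine: int) -> bytes:
    """Constructed ELF header stub (not loadable): e_ident + e_type=ET_DYN/e_machine, zero padded."""
    hdr = b"\x7fELF" + bytes([ei_class, 1, 1]) + b"\0" * 9 + struct.pack("<HH", 3, machine)
    return hdr.ljust(64, b"\0")


def build_sample_apk() -> bytes:
    """Constructed in-memory APK: one DEX, a correct arm64 lib, and two libraries that should alarm you."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")                   # binary XML stub
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 104)
        z.writestr("lib/arm64-v8a/libnative.so", _elf(2, 183))
        z.writestr("lib/x86/libnative.so", _elf(2, 183))                         # arm64 code mislabeled as x86
        z.writestr("lib/armeabi-v7a/libhelper.so", b"PK\x03\x04" + b"\0" * 60)   # a zip, not an ELF
    return buf.getvalue()


if __name__ == "__main__":
    for key, rows in inventory_apk(build_sample_apk()).items():
        print(key)
        for row in rows:
            print("   ", row)
```

    For a real APK pass open("app.apk", "rb").read(); the reported cmd strings are the GNU cross-objdump invocation for each library, and an entry with cmd None is something to open in a hex editor before anything else.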

    HOW TO DISASSEMBLE A .JAR (Java Application)

    Tools:

    • JD-GUI – GUI decompiler.
    • Jadx
    • CFR, Fernflower, Procyon – Java decompilers.
    • javap – disassembler built into JDK.

    Steps:

    1. List classes:
    jar tf app.jar
    2. Disassemble with javap (bytecode listing; -p includes private members):
    javap -c -p -cp app.jar com.example.MyClass
    # or extract first (jar xf app.jar) and pass the file path: javap -c -p com/example/MyClass.class
    3. Decompile to Java (Optional):
    • Open in JD-GUI or Jadx for readable Java code.
    • CFR is distributed as a jar, so run it through java:
    java -jar cfr.jar MyClass.class > MyClass.java
    # whole archive: java -jar cfr.jar app.jar --outputdir src/
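    The javap and CFR steps above show a class's full bytecode and source. Before reaching for them it is often enough to know which classes, methods and string literals a .class file references, and all of that lives in its constant pool. The following Python script is an added example, not part of the page or of the JDK tools: it parses the constant pool and the this/super class indices and returns that triage summary. The input is a constructed class file with no methods or attributes, built inline so the example runs offline.

```python
import struct

# Payload size of the fixed-length constant-pool entries, by tag (JVM spec, section 4.4).
# CONSTANT_Utf8 (tag 1) is variable-length and handled separately.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(data: bytes):
    """Return (major_version, pool, offset_after_pool); pool[i] is (tag, payload bytes or str)."""
    magic, _minor, major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool = [None] * count                # index 0 is unused, as in the spec
    off, i = 10, 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == 1:                     # Utf8: u2 length + modified-UTF-8 bytes
            length = struct.unpack_from(">H", data, off)[0]
            pool[i] = (1, data[off + 2:off + 2 + length].decode("utf-8", "replace"))
            off += 2 + length
        elif tag in _FIXED:
            pool[i] = (tag, data[off:off + _FIXED[tag]])
            off += _FIXED[tag]
            if tag in (5, 6):            # Long/Double occupy two pool slots
                i += 1
        else:
            raise ValueError(f"unknown constant pool tag {tag} at index {i}")
        i += 1
    return major, pool, off


def summarize_class(data: bytes) -> dict:
    """Triage view of a .class: own/super name, referenced classes, string literals, method refs."""
    major, pool, off = parse_constant_pool(data)
    _access, this_idx, super_idx = struct.unpack_from(">HHH", data, off)

    def utf(i):
        return pool[i][1]

    def cls(i):                          # CONSTANT_Class -> name_index -> Utf8
        return utf(struct.unpack(">H", pool[i][1])[0])

    out = {"major": major, "this": cls(this_idx), "super": cls(super_idx),
           "classes": [], "strings": [], "methodrefs": []}
    for entry in pool:
        if entry is None:
            continue
        tag, body = entry
        if tag == 7:
            out["classes"].append(utf(struct.unpack(">H", body)[0]))
        elif tag == 8:
            out["strings"].append(utf(struct.unpack(">H", body)[0]))
        elif tag in (10, 11):            # Methodref / InterfaceMethodref -> class.name(descriptor)
            c, nat = struct.unpack(">HH", body)
            n, d = struct.unpack(">HH", pool[nat][1])
            out["methodrefs"].append(f"{cls(c)}.{utf(n)}{utf(d)}")
    return out


def _utf8(s: str) -> bytes:
    b = s.encode()
    return struct.pack(">BH", 1, len(b)) + b


def build_sample_class() -> bytes:
    """Constructed class file (no methods or attributes) whose pool references Runtime.exec."""
    cp = [
        _utf8("com/example/MyClass"),                       # 1
        struct.pack(">BH", 7, 1),                           # 2  Class -> #1
        _utf8("java/lang/Object"),                          # 3
        struct.pack(">BH", 7, 3),                           # 4  Class -> #3
        _utf8("java/lang/Runtime"),                         # 5
        struct.pack(">BH", 7, 5),                           # 6  Class -> #5
        _utf8("exec"),                                      # 7
        _utf8("(Ljava/lang/String;)Ljava/lang/Process;"),  # 8
        struct.pack(">BHH", 12, 7, 8),                      # 9  NameAndType -> #7, #8
        struct.pack(">BHH", 10, 6, 9),                      # 10 Methodref -> #6, #9
        _utf8("/bin/sh -c id"),                             # 11
        struct.pack(">BH", 8, 11),                          # 12 String -> #11
    ]
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 61, len(cp) + 1)  # major 61 = Java 17
    trailer = struct.pack(">HHHHHHH", 0x0021, 2, 4, 0, 0, 0, 0)    # access, this, super, four zero counts
    return header + b"".join(cp) + trailer


if __name__ == "__main__":
    for key, value in summarize_class(build_sample_class()).items():
        print(f"{key:10} {value}")
```

    Feed it real classes straight from the archive with zipfile.ZipFile("app.jar").read("com/example/MyClass.class"); a methodrefs entry such as java/lang/Runtime.exec is the kind of hit that decides which class gets the full javap or CFR treatment.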