Ghidra
Ghidra Ghidra is the NSA's open-source powerhouse for disassembling and decompiling binaries across architectures, with scripting in Java/Python for automated analysis of malware or firmware. Load your ELF/PE file, auto-analyze with function graphing, and dive into decompiled C-like pseudocode for reverse engineering workflows. GitHub-hosted and extensible, it's the free alternative to IDA for solo researchers cracking complex executables.
Explore →Radare2
Radare2 Radare2 is the modular reverse engineering framework with a built-in disassembler for ARM, x86, MIPS, and more, letting you script r2pipe integrations for batch analysis or live debugging. Cut into binaries with rizin for disassembly views, annotate with comments, and export graphs for reports—all from a single CLI powerhouse. Open-source and scriptable, it's the versatile vice for pentesters dissecting firmware or packed malware.
Explore →Cutter
Cutter Cutter is the Qt-based GUI frontend to Radare2, transforming raw disassembly into interactive graphs and decompiler views for easier navigation of complex binaries. Load your sample, set breakpoints, and script analyses with Python—all while enjoying a modern interface that speeds up reverse tasks. Open-source and user-friendly, it's the visual vanguard for individuals bridging CLI power with graphical insights.
Explore →Capstone
Capstone Capstone is the lightweight disassembly engine that powers tools like Ghidra, supporting 10+ arches with bindings in Python/C++/Go for embedding in custom rev scripts. Disassemble chunks or full binaries with detail levels, feeding outputs to your analyzers for instruction-level hunts. Open-source and bindable, it's the engine block for devs building tailored disassemblers without reinventing the wheel.
Explore →RetDec
RetDec RetDec is the retargetable decompiler that goes beyond disassembly to generate C-like code from binaries, handling obfuscated or stripped executables with control flow recovery. Upload or CLI-process your PE/ELF, tweaking options for variable renaming or type inference in outputs. Open-source from Avast, it's the code resurrector for reverse engineers breathing life into dead assembly.
Explore →angr
angr angr is the binary analysis framework with a disassembly backend for symbolic execution and path exploration, uncovering hidden behaviors in packed or anti-debug samples. Script state explorations in Python to solve CTFs or trace data flows, integrating with CLE for loader magic. Open-source and symbolic, it's the pathfinder for researchers navigating disassembly mazes with logic.
Explore →BinDiff
BinDiff BinDiff is the binary diffing plugin for Ghidra/IDA that aligns disassemblies of similar files, highlighting code changes or malware variants with graph matching. Load pairs of binaries, run diffs, and explore matched functions for evolution tracking. Open-source from Google, it's the comparator for analysts spotting mutations in family trees of malicious code.
Explore →QBDI
QBDI QBDI is the dynamic binary instrumentation engine with disassembly hooks for tracing and modifying execution in user-space binaries across arches. Bind it in C++/Python to inject breakpoints or log instructions during runtime rev, perfect for unpacking or hook analysis. Open-source and runtime-ready, it's the live dissector for pentesters probing behaviors beyond static views.
Explore →Rekall
Rekall Rekall is the advanced memory forensics tool with disassembly capabilities for analyzing dumps, extracting code artifacts and reconstructing execution from volatile state. Query profiles for arch-specific disasm, scripting hunts for injected modules or hooks. Open-source from Google, it's the RAM reviver for examiners disassembling malware from memory shadows.
Explore →BAP