Analyzing source code and other reversing tips

Code flow/Call Graphs

Understand from SciTools is pretty good, and you can try out all of its features using their trial license.

Want to generate a flow chart diagram from code? Try Visustin v8.

Code flows can be tricky to follow when a project has a complex build process, such as a large set of macro definitions that change what actually gets compiled. If you can obtain a compiled binary, your best option might be to put it through a disassembler like Radare2, IDA Pro, Binary Ninja, or Hopper.

Code browser

I was surprised how useful OpenGrok ended up being. It can take a while to start when it first indexes the files.

The tool starts a web server that lets you easily search and jump around your code.

You can install using this docker image.

Eclipse Photon c/c++

I've been using Eclipse for reading the Linux kernel and really like it. Out of the box you get indexing for code jumping. If a function jump has multiple possible targets, as with architecture-dependent code, a dialog window pops up for you to select one.

Searching is also really useful.

Tip: Large projects require a bigger memory allocation for Eclipse. Refer to the Eclipse settings for how to raise it.

Eclox (Eclipse plugin)

Combines Doxygen, Graphviz, and Mscgen.

Very quick and easy to get started.

Can generate call graphs, among other things.

Static analysis

Clang static analyzer. A Debian package is available for install, and it can be integrated into the build process. Output is in HTML format and defaults to /tmp.

afl (American Fuzzy Lop). A Debian package is available for a quick install.

First you instrument the target during the compile phase. The first line builds a native binary; the next two install the 32-bit toolchain support and build a 32-bit variant, which is useful when the bug only reproduces in a 32-bit build.

$ afl-gcc ./bug.c -o ./bug
$ sudo apt-get install g++-multilib libc6-dev-i386
$ afl-gcc ./bug.c -m32 -o ./bug

Make sure you provide seed inputs for the fuzzing stage; the afl source tree ships a testcases folder you can start from.

Then you start fuzzing, pointing afl-fuzz at the seed directory and an output directory:

$ afl-fuzz -o /tmp -i ./inputs ./bug
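The same instrument-then-fuzz workflow wrapped in a small POSIX shell script, with the pre-flight checks that most often stop a first run: a missing or empty seed directory, and a core_pattern that pipes crashes to a handler so afl-fuzz never sees them. This is an added example, not code from the original post or from the afl project; TARGET_SRC, INPUT_DIR, OUT_DIR and the helper function names are assumptions, and bug.c is a placeholder target.

```shell
#!/bin/sh
# Added example (not from the original post): the afl workflow wrapped in
# functions with pre-flight checks. Variable and function names are assumed.
TARGET_SRC="${TARGET_SRC:-./bug.c}"      # placeholder target source
INPUT_DIR="${INPUT_DIR:-./inputs}"       # seed corpus directory
OUT_DIR="${OUT_DIR:-/tmp/afl-out}"       # afl-fuzz output directory

# afl-fuzz needs at least one non-empty seed file; a missing or empty
# directory is the most common reason a first run stops immediately.
check_inputs() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -s "$f" ] && return 0
    done
    return 1
}

# On Linux, afl-fuzz refuses to start when core dumps are piped to an
# external handler (core_pattern beginning with '|'), because the crash
# would be consumed by that handler instead of being reported to the fuzzer.
core_pattern_ok() {
    pat="$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo core)"
    case "$pat" in
        '|'*) return 1 ;;
        *)    return 0 ;;
    esac
}

# Build an instrumented binary with afl-gcc. Pass -m32 as the third
# argument for the 32-bit variant (needs the multilib packages from the notes).
build_instrumented() {
    src="$1"; out="$2"; arch_flag="${3:-}"
    command -v afl-gcc >/dev/null 2>&1 || { echo "afl-gcc not installed" >&2; return 1; }
    # $arch_flag is intentionally unquoted so an empty value adds no argument.
    afl-gcc "$src" $arch_flag -o "$out"
}

# Run the checks, build, and hand off to afl-fuzz.
run_fuzz() {
    check_inputs "$INPUT_DIR" || { echo "no seed inputs in $INPUT_DIR" >&2; return 1; }
    core_pattern_ok || { echo "core_pattern pipes crashes to a handler; set it to 'core' first" >&2; return 1; }
    build_instrumented "$TARGET_SRC" ./bug || return 1
    afl-fuzz -i "$INPUT_DIR" -o "$OUT_DIR" ./bug
}

# Constructed seed corpus: two small files so the seed check passes.
make_seed_corpus() {
    mkdir -p "$1"
    printf 'hello\n' > "$1/seed1"
    printf 'AAAA\n'  > "$1/seed2"
}

# Only start fuzzing when invoked as: sh fuzz.sh go
if [ "${1:-}" = "go" ]; then
    make_seed_corpus "$INPUT_DIR"
    run_fuzz
fi
```

The seed and core_pattern checks run before anything is compiled, so a misconfigured machine fails fast with a message instead of after a slow instrumented build; the fuzzing call itself only runs when the script is explicitly told to.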

Trail of Bits CTF guide

The Eclox plugin was discovered after finding this blog –