Giulio Zausa

9 tools to help you reverse engineer games and more

Over the last few years I have spent some time analyzing software and games, to enable new cheats, find unused areas, rip assets, or just for fun.

Reverse engineering games requires a lot of patience and knowledge, and unfortunately there is not much information about it on the web. To shed some light on this dark art, in this post I'm sharing some of the tools that I commonly use to understand the inner workings of games.

Extracting texture, animations and 3D models from an old MS-DOS game

Some of the tools I talk about are native to macOS, since it is my platform of choice, but I try to provide some alternatives for Windows and Linux as well.

Hex editor: Hex Fiend

Reading an EXE file in HexFiend

Maybe the most important tool you'll ever need is a hex editor. When dealing with executables or unknown binary files it lets you read the raw bytes exactly as the computer sees them, and patch them too. Hex Fiend is a simple but powerful tool: it can interpret and edit bytes in various formats, such as integers and floats of different sizes and endianness, helping you understand unknown file formats and data structures. It also supports scripting in Tcl to decode files into arrays and structs.
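To make the hex-editor workflow concrete, here is a small Python script added for this post (it is not part of Hex Fiend and not a real game format): it renders a hexdump, decodes the bytes at an offset under every interpretation a data inspector would offer, decodes a whole header the way a template would, and applies a patch. The 16-byte SAMPLE and its "MAP1" layout (magic, two uint32 dimensions, a float32 scale) are constructed for illustration.

```python
import struct

# Constructed 16-byte sample, not a real game format: a 4-byte magic, two
# little-endian uint32 dimensions and a little-endian float32 scale factor.
SAMPLE = bytes.fromhex("4d415031" "10000000" "20000000" "0000803f")

# struct codes for every interpretation a hex editor's data inspector would offer
VIEWS = {
    "u8": "B", "i8": "b",
    "u16le": "<H", "u16be": ">H", "i16le": "<h",
    "u32le": "<I", "u32be": ">I", "i32le": "<i",
    "f32le": "<f", "f32be": ">f",
    "u64le": "<Q", "f64le": "<d",
}


def hexdump(data, width=16):
    """Return hex-editor style lines: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{text}|")
    return lines


def inspect(data, offset):
    """Decode the bytes at `offset` under every view that fits in the buffer."""
    views = {}
    for name, fmt in VIEWS.items():
        if offset + struct.calcsize(fmt) <= len(data):
            views[name] = struct.unpack_from(fmt, data, offset)[0]
    return views


def parse_header(data):
    """Decode the whole (hypothetical) header in one go, like a Hex Fiend template would."""
    magic, width, height, scale = struct.unpack_from("<4sIIf", data, 0)
    if magic != b"MAP1":
        raise ValueError(f"bad magic {magic!r}")
    return {"magic": magic, "width": width, "height": height, "scale": scale}


def patch(data, offset, fmt, value):
    """Return a copy of `data` with `value` packed at `offset` (a hex-editor edit)."""
    buf = bytearray(data)
    struct.pack_into(fmt, buf, offset, value)
    return bytes(buf)


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    print(inspect(SAMPLE, 4))        # u32le == 16 is the plausible reading
    print(parse_header(SAMPLE))
    print(parse_header(patch(SAMPLE, 4, "<I", 64)))
```

Looking at inspect(SAMPLE, 4) side by side is the whole trick of a data inspector: the same four bytes read as 16 little-endian, 268435456 big-endian and a denormal float, and only one of those is a plausible width.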

Alternatives

Debugger/memory editor: Bit Slicer

The debugger, memory viewer and finder in BitSlicer

Sometimes statically analyzing file formats and executables is not enough to figure out what is going on: you need to see the actual program in action. Or perhaps you want to edit the contents of memory to see what changes, or to apply some cheats. Bit Slicer has you covered: it features a memory viewer, a debugger and a powerful memory search tool.

Its memory search tool can be used, for example, to find player variables in a game: search for a known value (say, the health shown on screen) or for an unknown one, perform an action in the game that changes it, and use the comparison modifiers (such as increased, decreased, changed or unchanged against the previous result) to narrow the candidates down until a single address remains.
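The narrowing loop above is a simple algorithm, so here it is spelled out in Python as an added example (this is not Bit Slicer's code and the "process memory" is a constructed 256-byte snapshot with a hypothetical layout: a decoy constant at 0x10, health at 0x40, ammo at 0x80 and score at 0xC0). It shows both a known-value search and an unknown-value search, which is the one you need when the variable is not displayed as a plain number.

```python
import struct

WORD = "<I"  # 32-bit little-endian integer, the usual layout of a counter on x86


def scan_known(mem, value, fmt=WORD, align=4):
    """First pass of a 'known value' search: every aligned address holding `value`."""
    size = struct.calcsize(fmt)
    return [a for a in range(0, len(mem) - size + 1, align)
            if struct.unpack_from(fmt, mem, a)[0] == value]


def scan_unknown(mem, fmt=WORD, align=4):
    """First pass of an 'unknown value' search: keep every aligned address."""
    return list(range(0, len(mem) - struct.calcsize(fmt) + 1, align))


COMPARE = {
    "increased": lambda old, new: new > old,
    "decreased": lambda old, new: new < old,
    "changed":   lambda old, new: new != old,
    "unchanged": lambda old, new: new == old,
}


def narrow(candidates, old_mem, new_mem, how, fmt=WORD):
    """Keep the candidates whose value between two snapshots satisfies `how`."""
    keep = COMPARE[how]
    return [a for a in candidates
            if keep(struct.unpack_from(fmt, old_mem, a)[0],
                    struct.unpack_from(fmt, new_mem, a)[0])]


def make_snapshot(health, ammo, score):
    """Constructed stand-in for a process memory dump: deterministic filler plus
    a few 'game variables' at fixed addresses (hypothetical layout)."""
    mem = bytearray(range(256))
    struct.pack_into(WORD, mem, 0x10, 100)   # decoy constant equal to the starting health
    struct.pack_into(WORD, mem, 0x40, health)
    struct.pack_into(WORD, mem, 0x80, ammo)
    struct.pack_into(WORD, mem, 0xC0, score)
    return bytes(mem)


def find_health():
    """Known-value search: health is shown on screen, so start from its value."""
    snap1 = make_snapshot(health=100, ammo=100, score=0)
    hits = scan_known(snap1, 100)                         # health, ammo and the decoy all match
    snap2 = make_snapshot(health=80, ammo=100, score=0)   # take damage in the game
    hits = narrow(hits, snap1, snap2, "decreased")        # ammo and the decoy drop out
    snap3 = make_snapshot(health=80, ammo=70, score=0)    # fire a few shots
    hits = narrow(hits, snap2, snap3, "unchanged")        # confirm: health did not move
    return hits


def find_score():
    """Unknown-value search: start from every address and let gameplay filter it."""
    snap1 = make_snapshot(health=100, ammo=100, score=0)
    hits = scan_unknown(snap1)
    snap2 = make_snapshot(health=80, ammo=100, score=0)   # take damage: score unchanged
    hits = narrow(hits, snap1, snap2, "unchanged")
    snap3 = make_snapshot(health=80, ammo=70, score=250)  # kill something: score goes up
    hits = narrow(hits, snap2, snap3, "increased")
    return hits


if __name__ == "__main__":
    print("health at", [hex(a) for a in find_health()])   # ['0x40']
    print("score at", [hex(a) for a in find_score()])     # ['0xc0']
```

The decoy at 0x10 is the realistic part: a first scan for "100" in a real process returns thousands of hits, and only an action that changes the variable you care about while leaving the rest alone separates them.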

In some cases the memory viewer can even be used to look into emulators. I had success, for example, using it to look into DOSBox memory, which is much easier than using the actual DOSBox debugger.

Alternatives

Disassembler/decompiler: Ghidra

Decompiling an executable with Ghidra

When statically analyzing executables a disassembler is an essential tool, since it lets you read the program's assembly code and see what happens at every address. Ghidra goes even further, providing a debugger and a decompiler that shows each function as pseudo-C. And it's free and open source!

Alternatives

Syscall monitor: Instruments

Instruments recording filesystem events

Sometimes it is not necessary to delve into a full disassembly to understand what a program is doing: monitoring the syscalls it makes and the files it opens is often enough to make interesting findings. Instruments is the official macOS profiler and analyzer, and it can also record filesystem activity and syscalls.
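Whatever tool records the trace, the useful part is reading it: which data files were opened, where the program looked for files that did not exist (that is where configs, mods and save games are expected), and what it wrote. As an added example, not from the post, here is a Python filter over constructed strace-style lines (the Linux alternative to Instruments; the `openat(...) = fd` line format is assumed and the paths are invented).

```python
import re
from typing import NamedTuple, Optional

# Constructed strace-style lines (the format of `strace -f -e trace=file` is assumed;
# the paths are invented). On macOS the same facts come from Instruments' file activity.
TRACE = r'''openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/user/.config/game/settings.ini", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/opt/game/data/levels.pak", O_RDONLY) = 4
openat(AT_FDCWD, "/opt/game/data/levels.pak", O_RDONLY) = 5
openat(AT_FDCWD, "/home/user/.game/save1.dat", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 6
read(4, "PAK\0\x10\x00\x00\x00"..., 8) = 8
'''

# name(args) = ret [ERRNO ...]; the greedy args group backtracks to the last ") = <int>"
SYSCALL_RE = re.compile(r'^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<err>E[A-Z]+))?')
OPEN_ARGS_RE = re.compile(r'"(?P<path>[^"]*)",\s*(?P<flags>[A-Z_|]+)')


class Open(NamedTuple):
    path: str
    flags: tuple
    ret: int
    err: Optional[str]


def file_opens(trace):
    """Every open/openat call in the trace, with its flags and result."""
    opens = []
    for line in trace.splitlines():
        m = SYSCALL_RE.match(line)
        if not m or m.group("name") not in ("open", "openat"):
            continue
        a = OPEN_ARGS_RE.search(m.group("args"))
        if not a:
            continue
        opens.append(Open(a.group("path"), tuple(a.group("flags").split("|")),
                          int(m.group("ret")), m.group("err")))
    return opens


def missing_files(trace):
    """Failed opens: where the program looked for configs, mods, saves or libraries it did not find."""
    return [o.path for o in file_opens(trace) if o.err == "ENOENT"]


def read_files(trace):
    """Files successfully opened for reading (data archives, level files, ...)."""
    return sorted({o.path for o in file_opens(trace)
                   if o.ret >= 0 and not ({"O_WRONLY", "O_RDWR"} & set(o.flags))})


def written_files(trace):
    """Files opened for writing: save games, caches, logs."""
    return sorted({o.path for o in file_opens(trace)
                   if o.ret >= 0 and {"O_WRONLY", "O_RDWR"} & set(o.flags)})


if __name__ == "__main__":
    print("read:   ", read_files(TRACE))
    print("written:", written_files(TRACE))
    print("missing:", missing_files(TRACE))
```

The ENOENT list is usually the most interesting output: a missing settings.ini tells you that dropping a file at that path will be read by the game, without touching the binary at all.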

Alternatives

Image Viewer: RAW pixels viewer

Decoding a raw image file with RAW pixels viewer

A hex editor can be used to understand data structures and numerical data, but when it comes to images you need something able to show you the pixels as they should look. RAW pixels viewer is an online tool that does exactly that, and it has been a big help every time I faced an unknown bitmap file in a game, such as textures and heightmaps. Its interface lets you select several pixel formats, bit depths and the image width, to help you find the correct encoding.
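The guessing game the viewer helps with (which pixel format, and which width) can also be done offline. The following Python is an added example, not code from RAW pixels viewer: it lists the widths that tile a file exactly, decodes a headerless bitmap in a handful of common formats, and wraps the result in a PPM so any image viewer opens it. The 4x2 RGB565 texture is constructed for the example.

```python
import struct


def _rgb565(v):
    """Expand a packed 5-6-5 value to 8-bit channels, replicating the top bits
    so that full-scale 0x1F/0x3F become 255 rather than 248/252."""
    r, g, b = (v >> 11) & 0x1F, (v >> 5) & 0x3F, v & 0x1F
    return ((r << 3) | (r >> 2), (g << 2) | (g >> 4), (b << 3) | (b >> 2), 255)


# pixel format -> (bytes per pixel, decoder from those bytes to an (r, g, b, a) tuple)
FORMATS = {
    "gray8":    (1, lambda p: (p[0], p[0], p[0], 255)),
    "rgb565le": (2, lambda p: _rgb565(struct.unpack("<H", p)[0])),
    "rgb565be": (2, lambda p: _rgb565(struct.unpack(">H", p)[0])),
    "rgb888":   (3, lambda p: (p[0], p[1], p[2], 255)),
    "bgr888":   (3, lambda p: (p[2], p[1], p[0], 255)),
    "rgba8888": (4, lambda p: (p[0], p[1], p[2], p[3])),
    "bgra8888": (4, lambda p: (p[2], p[1], p[0], p[3])),
}


def candidate_widths(nbytes, fmt, max_width=4096):
    """Widths that tile the file exactly; try these first when the size is unknown."""
    bpp = FORMATS[fmt][0]
    if nbytes % bpp:
        return []  # not a whole number of pixels in this format: wrong format or a header
    npix = nbytes // bpp
    return [w for w in range(1, min(npix, max_width) + 1) if npix % w == 0]


def decode(data, fmt, width, offset=0):
    """Decode a headerless bitmap into rows of (r, g, b, a); a trailing partial row is dropped."""
    bpp, conv = FORMATS[fmt]
    stride = width * bpp
    body = data[offset:]
    rows = []
    for y in range(len(body) // stride):
        row = body[y * stride:(y + 1) * stride]
        rows.append([conv(row[x * bpp:(x + 1) * bpp]) for x in range(width)])
    return rows


def to_ppm(rows):
    """Wrap decoded rows in a binary PPM (P6) header so any image viewer opens it."""
    height, width = len(rows), len(rows[0])
    return f"P6 {width} {height} 255\n".encode() + b"".join(
        bytes(px[:3]) for row in rows for px in row)


# Constructed 4x2 RGB565 texture: red, green, blue, white / black, mid-gray, red, black
SAMPLE = struct.pack("<8H", 0xF800, 0x07E0, 0x001F, 0xFFFF, 0x0000, 0x8410, 0xF800, 0x0000)

if __name__ == "__main__":
    print(candidate_widths(len(SAMPLE), "rgb565le"))   # [1, 2, 4, 8]
    for row in decode(SAMPLE, "rgb565le", 4):
        print(row)
    with open("texture.ppm", "wb") as f:   # hypothetical output path
        f.write(to_ppm(decode(SAMPLE, "rgb565le", 4)))
```

When a width is wrong the picture shears into diagonal stripes, and when the format is wrong the colours are off but the shapes are right; the `offset` parameter is for skipping a header once you have worked out its size in the hex editor.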

Raw Audio Player: Audacity

Audacity provides options to import different RAW audio formats

When ripping audio files you may face an unknown file format. Especially in old software, it may just be raw PCM data with no header. To read such files you can try the "Import Raw Data" feature of Audacity, which interprets the file as headerless PCM audio and lets you pick the encoding, byte order, channel count and sample rate by hand.

I had success using this tool to rip audio from some old DOS and console games, and even samples from synthesizer ROMs.
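Choosing the encoding by ear works, but there is a quick objective check: real audio changes slowly from one sample to the next, while the wrong bit depth or byte order turns it into noise. The Python below is an added example (not Audacity's code) that scores the candidate encodings that way and then wraps the raw PCM in a WAV header with the standard library, so the file plays anywhere. The 440 Hz test tone is constructed; the sample rate still has to come from you, since no amount of byte-swapping reveals it.

```python
import io
import math
import struct
import wave

# Candidate sample encodings, as struct codes (what Audacity's import dialog asks you to choose)
ENCODINGS = {"s16le": "<h", "s16be": ">h", "u8": "B", "s8": "b"}


def samples(raw, encoding):
    """Interpret the raw bytes as a flat tuple of samples under one encoding."""
    code = ENCODINGS[encoding]
    size = struct.calcsize(code)
    n = len(raw) // size
    return struct.unpack(code[:-1] + str(n) + code[-1], raw[:n * size])


def roughness(raw, encoding):
    """Mean absolute step between consecutive samples, normalised to full scale."""
    s = samples(raw, encoding)
    full_scale = 2 ** (8 * struct.calcsize(ENCODINGS[encoding]))
    return sum(abs(b - a) for a, b in zip(s, s[1:])) / (len(s) - 1) / full_scale


def guess_encoding(raw):
    """Pick the candidate encoding that makes the data look most like audio."""
    return min(ENCODINGS, key=lambda enc: roughness(raw, enc))


def wrap_as_wav(raw, rate, channels, encoding):
    """Prepend a RIFF/WAVE header. WAV stores 8-bit as unsigned and 16-bit as
    signed little-endian, so the other encodings are converted first."""
    s = samples(raw, encoding)
    if encoding == "s8":
        pcm, width = bytes(v + 128 for v in s), 1
    elif encoding == "u8":
        pcm, width = raw, 1
    else:
        pcm, width = struct.pack(f"<{len(s)}h", *s), 2
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(channels)
        w.setsampwidth(width)
        w.setframerate(rate)
        w.writeframes(pcm)
    return buf.getvalue()


def wav_info(wav_bytes):
    """(channels, sample width, rate, frames) as read back from a WAV file."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as r:
        return r.getnchannels(), r.getsampwidth(), r.getframerate(), r.getnframes()


# Constructed input: 0.1 s of a 440 Hz tone, 16-bit signed little-endian mono at 8 kHz
SAMPLE = struct.pack("<800h", *(int(10000 * math.sin(2 * math.pi * 440 * i / 8000))
                                for i in range(800)))

if __name__ == "__main__":
    for enc in ENCODINGS:
        print(f"{enc:6} roughness {roughness(SAMPLE, enc):.3f}")
    best = guess_encoding(SAMPLE)                        # s16le
    with open("ripped.wav", "wb") as f:                  # hypothetical output path
        f.write(wrap_as_wav(SAMPLE, 8000, 1, best))
```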

Command line tools

Python

One of the most popular languages with an interactive command-line interface, Python is an essential tool in the reverse engineer's arsenal. Whether used as a simple interactive calculator or to build a full utility for converting file formats, its simplicity and libraries will prove very powerful.

Need to fill a file with the same byte many times? Type this in a terminal:

python3 -c "print('FF'*1024)" | pbcopy

and paste the result into the hex editor (pbcopy is the macOS clipboard command; on Linux, xclip does the same job).

File

Why identify unknown files by hand when there is a utility to do it? The file command, available on most Unix-like systems, uses a set of heuristics to determine common file types, such as checking for keywords and magic numbers. It may not recognize an unknown 3D file format, but it may save you some time when the file is actually a simple tar with the wrong extension.
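Two details of how file works are worth seeing in code, so here is an added Python example (not libmagic, whose database is far larger than the handful of constructed entries below): the magic number is not always at offset 0 (tar puts "ustar" at byte 257, which is why a renamed tar is still recognised), and when nothing matches, the byte entropy tells you whether you are looking at plain structured data or at something compressed or encrypted that needs to be unpacked first.

```python
import math

# Constructed magic table: (offset, bytes, description). libmagic's real database is far larger;
# the point is that the signature is not always at offset 0 (tar: "ustar" at 257).
MAGIC = [
    (0,   b"MZ",                 "DOS/Windows executable"),
    (0,   b"\x7fELF",            "ELF executable"),
    (0,   b"\xcf\xfa\xed\xfe",   "Mach-O 64-bit executable"),
    (0,   b"\x89PNG\r\n\x1a\n",  "PNG image"),
    (0,   b"RIFF",               "RIFF container (WAV, AVI, WebP)"),
    (0,   b"PK\x03\x04",         "Zip archive"),
    (0,   b"\x1f\x8b",           "gzip compressed data"),
    (257, b"ustar",              "POSIX tar archive"),
]


def identify(data):
    """First magic entry that matches at its own offset, or None."""
    for offset, magic, description in MAGIC:
        if data[offset:offset + len(magic)] == magic:
            return description
    return None


def entropy(data):
    """Shannon entropy in bits per byte: close to 8 means compressed or encrypted,
    low values mean plain structured data worth opening in a hex editor."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data):
    """What `file` would tell you, plus an entropy hint when the magic is unknown."""
    known = identify(data)
    if known:
        return known
    h = entropy(data)
    kind = "probably compressed or encrypted" if h > 7.5 else "probably plain structured data"
    return f"unknown ({h:.2f} bits/byte, {kind})"


def make_tar_header(name):
    """Constructed minimal tar header: a 512-byte block with the entry name at 0
    and the "ustar" magic at offset 257, nothing else filled in."""
    block = bytearray(512)
    block[0:len(name)] = name.encode()
    block[257:263] = b"ustar\x00"
    return bytes(block)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "->", triage(f.read(4096)))
```

Reading only the first few kilobytes is enough for the magic check but skews the entropy figure for files with a large plain header; for the entropy hint on a big unknown file, feed it the whole thing.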

Strings

A common first step when analyzing unknown binary files and executables is looking for human-readable strings. This can be very useful to understand what is going on, especially with debug messages and file paths. The strings utility, commonly available on Linux and macOS, makes this task very easy: given a binary file as its first argument, it prints every run of printable characters it finds (at least four characters long by default).

Running the strings command on the iTerm binary reveals some interesting info
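Two things the plain strings invocation misses are the offset of each hit (needed to find it again in the hex editor or disassembler) and UTF-16 strings, which is how Windows binaries store most of their text and which show up as nothing but single letters in a default ASCII scan. The Python below is an added example, not the strings utility itself: it finds both kinds with their offsets and tags the obvious paths and format strings. The SAMPLE binary is constructed.

```python
import re


def find_strings(data, min_len=4):
    """Return (offset, kind, text) for every printable run of at least min_len
    characters, in ASCII and in UTF-16LE (what `strings -t x` and `strings -e l` show)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


def classify(text):
    """Rough triage of a string: file path, format/debug message, or other."""
    if text.startswith(("/", "\\", "C:")) or re.search(r"\.[A-Za-z0-9]{1,4}$", text):
        return "path"
    if "%" in text:
        return "format"
    return "other"


def dump(data, min_len=4):
    """Lines in the style of `strings -t x`, with the kind and a triage tag added."""
    return [f"{off:x} {kind:<8} {classify(text):<7} {text}"
            for off, kind, text in find_strings(data, min_len)]


# Constructed "binary": a fake ELF magic, non-printable filler, an assertion message,
# a data path, a UTF-16LE menu label, a too-short "ab" and some junk bytes.
SAMPLE = (b"\x7fELF" + bytes([0x00, 0x01, 0xff, 0x90]) * 8
          + b"Assertion failed: %s:%d\x00"
          + b"/usr/share/game/data/levels.pak\x00" + b"\x00" * 4
          + "Save Game".encode("utf-16-le") + b"\x00\x00"
          + b"ab\x00" + bytes([0xde, 0xad, 0xbe, 0xef]))

if __name__ == "__main__":
    print("\n".join(dump(SAMPLE)))
```

Lowering min_len surfaces more real strings but also far more junk (three printable bytes in a row occur constantly in code and tables), which is why four is the default worth keeping for a first pass.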