
Reverse Engineering and Application Security

16.03.2026

Ruslan Rakhmetov, Security Vision


Having covered the obfuscation of various objects in two previous publications, we touched on the topic of reverse engineering – the study and analysis of various products and programs. In this article, we'll cover hardware and software reverse engineering in more detail, its goals and stages, decompilers, disassemblers, and debuggers, as well as how reverse engineering is used in cybersecurity.

 

Reverse engineering is the process of opening and analyzing a specific object to understand how it is constructed and how it works. The publication "Reverse Engineering and Design Recovery: A Taxonomy" gives the following definition: reverse engineering is the process of systematically studying system samples to discover system components and their relationships, describe the system at specific levels of abstraction, and develop a set of specifications. Generally, reverse engineers do not have access to detailed information about the object being studied, such as design documentation, electrical schematics, or program source code. Reverse engineering, like obfuscation, can be applied to both software and hardware. In the case of hardware, the principles of reverse engineering can be applied in manufacturing, mechanical engineering, automotive, aerospace, shipbuilding, and other industries that produce structurally complex physical objects.


I. Objects of hardware reverse engineering can include various complex devices (engines, turbines, compressors, instruments, automobiles, and aircraft), microelectronic devices (microcircuits, microcontrollers, processors), electronics, and household appliances. The goals of hardware reverse engineering can be:


  • Recreating a copy of the object under study: Developing a new complex product is a resource-intensive task, so tackling it from scratch is often irrational and cost-ineffective. Creating a copy of a product without documentation and schematics requires studying the original device: disassembling it, understanding its structure and operating principles, studying the component relationships and the materials used, creating a model of the device and documentation. If multiple copies need to be recreated on an industrial scale, it will also require launching a production line.


  • Improving the performance of the studied product: By thoroughly studying the device's operation and internals, as well as its performance under real-world conditions, engineers can suggest ways to improve the product. For example, replacing the material of the most heavily loaded components with a more wear-resistant one, redistributing the device's own weight, increasing performance, or expanding the device's operating temperature range.


  • Recreation of documentation, electrical circuit diagrams, functional and structural diagrams, creation of a 3D model of the device: to ensure the production of a similar or improved product, components and spare parts for the product, a complete set of documentation, drawings and models, chemical formulas of materials, and a description of the production process conditions will be required.


  • Ensuring interoperability between different products that are either no longer supported by the manufacturer or were not originally designed to interact with third-party systems: Some manufacturers do not build in interfaces or functional elements to ensure the product integrates with other devices, so reverse engineering can be used to modify the original system to provide such capabilities.


  • Ensuring the functionality of an obsolete product whose support has been discontinued by the manufacturer, including due to a transition to other models, the manufacturer's bankruptcy, or its acquisition by another vendor: consumers may face a situation where a device they purchased in good faith is no longer supported by the manufacturer, making it impossible to obtain original spare parts or have it repaired at an authorized center. In such cases, reverse engineering can help replicate the manufacturer's production process and create the necessary parts and components, at least by hand.


  • Competitive analysis: a detailed study of the operation of competitors' systems and technologies in order to understand the real capabilities of a competing product, identify its weaknesses, and find ways to improve one's own solutions.


  • Industrial espionage: When it is impossible to legally obtain information about a product (such as the inability to purchase or lease it), certain actors may employ industrial espionage methods that violate certain legal provisions (e.g., regulations on the protection of trade secrets and intellectual property, and in some cases, requirements for the protection of state and official secrets). In addition to competitors and private companies, foreign intelligence agencies may also be interested in certain developments. Industrial espionage may involve methods such as the theft of the product of interest and/or its documentation and drawings, the capture of a product on the battlefield, the interception of a prototype or its components within the supply chain, the targeted infiltration of an insider or the recruitment of disloyal employees of the manufacturer of the product of interest, the study of production facilities and the digital footprint of the developer, and cyberattacks using spyware, remote access Trojans, and unauthorized remote connections using stolen accounts.


  • Verifying the conformity of the characteristics of a real product sample with design calculations: Having received a finished sample or a sample of products from an established production facility, the manufacturer or customer can use reverse engineering to verify that the properties of the real object correspond to what was planned and funded.


  • Conducting a functional cost analysis: To reduce production costs, the manufacturer reverse engineers a used product to identify opportunities to reduce unnecessary production costs while maintaining consumer properties – for example, replacing one type of material with another and increasing the strength of individual components and elements of the product may be rational.


  • Improving product properties: A manufacturer may reverse engineer a used product to improve its performance – for example, analyzing a device that failed prematurely may lead to a strengthened design and changes to the materials used.


  • Efficient use of all available functionality: Some manufacturers, for the purposes of product positioning or increasing sales in a certain segment, artificially limit the functionality of their products. For example, the difference between two devices at different prices may be only in different firmware versions or in the artificially disabled functionality of the cheaper product. Enthusiasts who want to extract the maximum functionality from a legally purchased device begin to study its components and firmware, often simultaneously eliminating visible flaws or defects intentionally introduced by the manufacturer (the effect of "planned obsolescence" or "programmed obsolescence" of products). The first enthusiastic hackers were researchers and analysts first, and crackers second, so they sought to thoroughly understand the technologies and devices used, reverse engineering them.


  • Security: Reverse engineering allows us not only to understand the operating principle of a product but also to protect it from external influences – for example, by securing weak components, adding additional protection to sensitive parts of the housing, or modifying the material to improve impact resistance. Furthermore, by conducting a controlled break-in or damage attempt, we can determine whether the device should be used under real-world conditions to protect important assets – for example, a practice attempt at breaking a lock ourselves can demonstrate whether it should be installed on a front door.


The stages of hardware reverse engineering include:


1. Obtaining an object: the methods may be either entirely legal (good faith acquisition, lease, gratuitous receipt for academic purposes) or illegal (theft, interception, receipt under a false pretext with the participation of fictitious persons, etc.).


2. Disassembling the object into its component parts: removing the body, protective elements, attachments, etc., cleaning the components.


3. Analysis: obtaining information about the linear dimensions of an object (geometry measurement) using measuring instruments and coordinate measuring machines, determining the composition of the material using elemental analysis methods (spectroscopy, spectrometry, chromatography), studying the product using electron microscopes and industrial computed tomography scanners (to analyze the internal structure of the product without destroying or decapsulating it), and analyzing the principles and features of the device's operation.


4. Documentation: recording the analysis results obtained in the previous stage, creating a CAD/3D model using 3D scanners, generating diagrams and drawings of the product, creating a specification and description of the device’s operation.


5. Creation of a prototype (sample) of the replicated product, comparison of its characteristics with the properties of the original, revision of models and documentation if necessary.

 

II. Objects of software reverse engineering can include individual files (of arbitrary formats), software, drivers, communication protocols, operating systems, and device firmware (microprograms). The goals of software reverse engineering include:


  • Ensuring functionality: if an object (program, OS) is no longer supported by the manufacturer (the support period has expired, the vendor has left the market), then reverse engineering becomes almost the only way to continue its effective use, which allows for the correction of emerging errors and ensures compatibility with newer environments (software, hardware).


  • Ensuring interaction with third-party objects: Developers often fail to ensure or support the functional compatibility of their solutions with other systems – this could include both the software environment (software and business systems) and various security solutions. To effectively use a software product, users must resort to reverse engineering methods, which allows them to discover hidden API endpoints and methods, understand the structure of the program's saved files, discover data export capabilities, study the program's network protocols, and then implement integration with the target system.


  • Competitive analysis: By legally obtaining a software asset, researchers can study the operation of a competing solution – this raises legal issues, which we will discuss below.


  • Industrial espionage: the study of a software object can be carried out after unauthorized acquisition of the product and in violation of legal requirements. This type of activity is also used by dishonest competitors, intelligence agencies, and various APT groups and cyberspies, who gain access to software samples through various means (e.g., cyberattacks, supply chain attacks, bribery or blackmail of employees, or insider infiltration) and then study them either to copy them in violation of licenses, or to hack or remotely control them.


  • Malware development: Large cybercriminal clusters and APT groups invest significant resources in reverse engineering software to discover vulnerabilities and develop exploits. Exploits for popular software can cost tens or hundreds of thousands of dollars, and identifying a vulnerability (or a chain of vulnerabilities) and developing an exploit for proprietary software (e.g., for industrial control systems or cyber-physical systems) is so labor-intensive that it can only be performed by intelligence agencies and pro-government hacker groups. Some information security vendors operate in this "gray zone", professionally reverse engineering vulnerabilities and developing exploits for them, which they then sell as a software package – for example, Pegasus from NSO Group, Hermit from RCS Lab, Predator from Cytrox, Graphite from Paragon Solutions, the products of Memento Labs (formerly Hacking Team), and some others.


  • Software cracking: Historically, software companies relied not only on technical measures to protect their products from unauthorized copying or use in violation of license restrictions, but also on organizational measures, including various legal provisions on intellectual property and copyright protection. Western players entering new markets were not always able to protect their interests legally, as in the 1990s and early 2000s the legislation of many countries was unprepared to deal with copyright and software license violations, partly due to the low level of digitalization of the economy. Due to this legal uncertainty and the limited financial resources of users in developing countries, demand arose for bypassing licensing restrictions by hacking software security features using various "cracks", "keygens", "serial keys" and "emulators". To bypass software restrictions, enthusiastic researchers ("crackers") used reverse engineering techniques on obtained samples of programs and computer games. In the simplest case, this allowed them to find in the executable file the algorithm that verifies the serial number entered by the user for a legally purchased copy of the program and either change the program's executable file to a "patched" one (in which the verification is not performed) or create a key generator (which produces keys that pass the verification). Software manufacturers subsequently improved their protection methods: adding a link to the original CD, supplying licenses on USB tokens, enabling online license verification and binding key activation to hardware, etc. Software crackers, meanwhile, united into warez groups and focused on bypassing licensing restrictions not for consumer software and games, but for expensive business systems. While this type of computer piracy has virtually disappeared, reverse engineering of user software continues to be used, for example, to gain root access on the latest smartphone models and to bypass anti-cheat restrictions in computer games.


  • Identifying and fixing vulnerabilities: Information security researchers (bug hunters) study software to find various vulnerabilities and then report their findings to vendors. However, not all vendors promptly release updates, and users of unsupported and outdated products, or of software from vendors that have left the market, risk never receiving a patch. In such cases, enthusiasts and some vendors release patches for vulnerable software after reverse engineering it.


  • Cybersecurity audit and ensuring compatibility with security solutions: To effectively protect a software product, it's essential to understand how it works. Typically, software developers collaborate with cybersecurity companies to conduct information security audits to ensure compatibility and proper operation of information security tools with the products being protected. However, in the absence of constructive dialogue, information security companies use reverse engineering methods to understand the software, verify its security, identify vulnerabilities, and develop protective functionality.


  • Developing protective measures and solutions: Reverse engineering is used in cybersecurity to analyze malware, exploits, and hacking tools, enabling understanding of their operation and the creation of signatures, behavioral indicators, indicators of compromise, and attack indicators for successful malware detection by security solutions. Reverse engineering allows for a "peek" into the malware and understanding its actions, the vulnerabilities it exploits, the external resources it interacts with, the additional modules it loads, and the specific tasks it performs (data theft, encryption, espionage, covert remote access, etc.). In some cases, an information security analyst can identify the cybercriminal group behind a particular malware sample and use the resulting information for cyber threat analysis using a Threat Intelligence Platform (TIP).


The stages of software reverse engineering include:


1. Obtaining an object: in the case of malware, analysts obtain a sample of the malware from sandboxes, honeypot / honeynet solutions, and TDP/DDP class systems (Threat Deception Platform / Distributed Deception Platform), from a network traffic dump, from quarantined network and host information security systems, or from the memory or disk of the attacked device using forensic tools. If reverse engineering of non-public software is required, competitive analysis and industrial espionage tools are used.


2. Non-invasive analysis: program operation can be studied using indirect indicators – by monitoring the network and program environment (OS system calls, running processes, memory management, used libraries, modified file objects, the registry, DCOM objects, and environment variables). For example, using a sniffer, you can examine the network traffic of a device with the program being analyzed installed and understand which external and local network resources it uses, as well as examine the device's data exchange with peripherals (e.g., USB devices).


3. Dynamic analysis: Analyzing a program using a debugger allows you to study its behavior after launch. Setting breakpoints, tracing, and working with memory and CPU registers in a debugger not only helps identify program errors but also helps understand its operating principles during reverse engineering. Popular debuggers include OllyDbg, GDB, LLDB, x64dbg, WinDbg, and the outdated but once extremely popular SoftICE. However, it's important to note that most protected programs and malware detect when launched under a debugger and either stop functioning normally or terminate prematurely.


4. Static analysis: Disassembly and decompilation methods are used for a deep analysis of program structure. A disassembler translates the machine code of a binary file into low-level assembly code, i.e., a list of data and instructions for the processor. However, the difficulty of understanding the resulting code is extremely high. Examples of disassemblers include IDA Pro, Binary Ninja, Ghidra, Hiew, Radare2. A decompiler translates the machine code of a binary file into human-readable code in a high-level language (such as C or Java), reducing the difficulty of understanding the code. However, the code will be far from the original due to the specifics of compilers, optimizers, and obfuscators. Examples of decompilers include ILSpy, dotPeek, uncompyle6, and JEB decompiler.


5. Documentation: Having understood the structure and logic of the program, the analyst records the findings and saves the created projects and reports in the tools used (debugger, disassembler, decompiler).


6. Application: If a malicious object was analyzed for detection by security solutions, the analyst creates signatures, behavioral indicators, and indicators of compromise/attack. If the goal was to develop a patch or security update, the knowledge gained in the previous stages will allow for the release of a new version of the program with fixed bugs and vulnerabilities or the updating of the installation by other means. If the task involved modifying the program, the file resulting from the necessary adjustments is saved and used instead of the original.
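As an added illustration of the static-analysis stage (step 4) above, and not code from the article or from Security Vision, here is a toy linear-sweep x86-64 disassembler in Python: it decodes a constructed prologue/epilogue byte sequence into assembly text, showing how the REX, opcode and ModRM bytes map to mnemonics and registers. Real disassemblers such as those named above handle the full instruction set and recover control flow; this one deliberately covers only a few register-direct encodings.

```python
"""Toy linear-sweep x86-64 disassembler (added illustration, not code from the article).
Only register-direct forms of a few common opcodes are decoded; anything else raises ValueError."""
import struct

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RM_R = {0x01: "add", 0x09: "or", 0x21: "and", 0x29: "sub", 0x31: "xor",   # "op r/m, r" forms,
        0x39: "cmp", 0x85: "test", 0x89: "mov"}                            # a ModRM byte follows
GROUP1 = {0: "add", 1: "or", 4: "and", 5: "sub", 6: "xor", 7: "cmp"}      # /digit of opcode 0x83


def _modrm(byte, regs):
    """Split a ModRM byte into (reg, rm) names; only mod == 3 (register operands) is supported."""
    mod, reg, rm = byte >> 6, (byte >> 3) & 7, byte & 7
    if mod != 3:
        raise ValueError("memory operands are not supported by this toy decoder")
    return regs[reg], regs[rm]


def decode_one(code, ip, base=0):
    """Decode the instruction at offset ip; return (length, text)."""
    start = ip
    rex = code[ip] if code[ip] & 0xF0 == 0x40 else 0   # REX prefix (0x40-0x4F), if present
    ip += 1 if rex else 0
    regs = REGS64 if rex & 0x08 else REGS32            # REX.W selects 64-bit operand size
    op = code[ip]
    ip += 1
    if 0x50 <= op <= 0x57:                             # push r64
        text = f"push {REGS64[op - 0x50]}"
    elif 0x58 <= op <= 0x5F:                           # pop r64
        text = f"pop {REGS64[op - 0x58]}"
    elif op in RM_R:                                   # e.g. 48 89 E5 = mov rbp, rsp; 31 C0 = xor eax, eax
        reg, rm = _modrm(code[ip], regs)
        ip += 1
        text = f"{RM_R[op]} {rm}, {reg}"
    elif op == 0x83:                                   # group 1 with imm8, e.g. 48 83 EC 10 = sub rsp, 0x10
        digit = (code[ip] >> 3) & 7                    # here the ModRM "reg" field selects the operation
        _, rm = _modrm(code[ip], regs)
        imm = struct.unpack_from("<b", code, ip + 1)[0]
        ip += 2
        text = f"{GROUP1[digit]} {rm}, {imm:#x}"
    elif 0xB8 <= op <= 0xBF:                           # mov r32, imm32
        imm = struct.unpack_from("<I", code, ip)[0]
        ip += 4
        text = f"mov {REGS32[op - 0xB8]}, {imm:#x}"
    elif op in (0xE8, 0xE9):                           # call/jmp rel32, relative to the next instruction
        rel = struct.unpack_from("<i", code, ip)[0]
        ip += 4
        text = f"{'call' if op == 0xE8 else 'jmp'} {base + ip + rel:#x}"
    elif op == 0xC3:
        text = "ret"
    else:
        raise ValueError(f"unsupported opcode {op:#x} at offset {start:#x}")
    return ip - start, text


def disassemble(code, base=0):
    """Linear sweep from the first byte; returns [(address, hex bytes, text), ...]."""
    listing, ip = [], 0
    while ip < len(code):
        length, text = decode_one(code, ip, base)
        listing.append((base + ip, code[ip:ip + length].hex(), text))
        ip += length
    return listing


# Constructed sample: a small prologue/epilogue as a compiler might emit it (not a real binary).
SAMPLE = bytes.fromhex("55 4889e5 4883ec10 31c0 e805000000 5dc3".replace(" ", ""))

if __name__ == "__main__":
    for addr, raw, text in disassemble(SAMPLE, base=0x1000):
        print(f"{addr:#06x}  {raw:<12} {text}")
```

Linear sweep is the simplest strategy and is easily misled by data mixed into code, which is one reason the tools listed above also follow control flow when they build a listing.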

 

In conclusion, let's consider the legal aspects of reverse engineering. Reverse engineering, in the context of intellectual property protection, refers to the process of extracting know-how or knowledge from a product. This practice has traditionally been considered legally acceptable and viewed as scientific research of legally sold and purchased products, as opposed to the theft of trade secrets through industrial cyberespionage, bribery, and so on. With technological advances, new regulations have emerged prohibiting hacking or circumventing protective measures. For example, software licenses may include prohibitions on reverse engineering, decompilation, and disassembly. However, in the European Union, Directive 2009/24/EC explicitly prohibits restrictions on the analysis and study of software by legitimate users. In Russia, the rights of software users are regulated by Article 1280 of the Civil Code of the Russian Federation, which states that the legitimate owner of a program may, without the consent of the copyright holder and without payment of additional compensation, decompile the software, but only to ensure compatibility and interoperability with other programs. Organizational measures for protecting the source code and logic of a program may include the application of legislative norms on the protection of trade secrets (know-how) (Article 1465 of the Civil Code of the Russian Federation) and on the state registration of a program with Rospatent (Article 1262 of the Civil Code of the Russian Federation) by the developer company.