Reverse Engineering Services
Decode binaries. Recover logic. Restore source code. Engagements include binary analysis, decompilation services, and related work — all under NDA.
Overview
Professional software reverse engineering services for binary analysis, decompilation, and source code recovery. Legacy systems and security research under NDA.
Engagements are scoped to a fixed deliverable list before kickoff and run under a written NDA. Daily lab notes and weekly written status keep the work auditable from your side at every step.
In the lab
Pair-review of decompiled output. Senior engineers, every step.
Software RE Lead
Anonymized pre-NDA
How we work
In both reverse engineering and custom development, we never thoughtlessly clone. We carry out improvements and adaptations to the customer's specific task, because the existing solution often cannot fully satisfy the customer's request. Reverse engineering surfaces the design intent; the engineering that follows decides what to keep, what to change, and what to engineer from scratch.
Engineering analysis
As part of both reverse engineering and custom development projects, we perform in-depth engineering analysis based on mathematical and physical modeling. Depending on project requirements this may include structural calculations, fluid dynamics, gas flow analysis, thermal processes, stress and load simulations, process modeling, and validation of engineering assumptions affecting system performance and operational reliability — used for design verification, technology assessment, process optimization, and validation of technical parameters for production and commercial deployment.
When you call us
Patterns we see across engagements. Each can stand alone or combine with adjacent capabilities.
Recover source-level logic and architecture from compiled binaries. Common on systems where the original toolchain, vendor, or developer is gone.
Inspect closed-source executables for vulnerabilities, embedded credentials, and unsafe behavior. Outputs feed responsible disclosure or internal hardening.
Reverse-engineer the parsers, codecs, and serialization logic embedded in shipping binaries to enable interoperability with downstream tooling.
Static and dynamic analysis of malicious executables under controlled conditions, with full IOC reports and behavior documentation.
Reconstruct maintainable source for legacy software in long-life platforms — defense, industrial, medical — where the alternative is a forced rewrite.
Document how a target binary defends itself, and how its protection scheme interacts with the rest of the system. Engagement scope strictly defined in writing.
Confirm what a target's binaries actually do versus what their architecture documentation claims. Confidential; results delivered only to the acquiring party.
Methodology
Vertical phasing — each step's deliverables agreed before kickoff, and not closed until you sign off.
Phase 01
Mutual NDA executed before any binaries, source, or technical materials change hands. Scope, deliverables, and legal basis (DMCA §1201(f), interoperability, security research) confirmed in writing.
Phase 02
Initial binary intake, architecture identification, packer / obfuscation profiling, and a written engagement plan with fixed scope.
Phase 03
Disassembly, decompilation, control-flow reconstruction, and symbol recovery using IDA Pro, Ghidra, and Binary Ninja.
Phase 04
Instrumented execution, debugger sessions, and trace capture where the static view is incomplete or actively obfuscated.
Phase 05
Annotated source, architecture diagrams, and reproducible build artifacts shipped on a rolling basis — not as a final scramble.
Phase 06
Behavioral parity testing against the original binary, with a written test plan and a signed attestation when required.
Tooling
Named tools, in production. We don't list anything we don't actually use.
Tool
IDA Pro
Production use — versioned per-engagement and pinned in our build.
Tool
Ghidra
Production use — versioned per-engagement and pinned in our build.
Tool
Binary Ninja
Production use — versioned per-engagement and pinned in our build.
Tool
Radare2
Production use — versioned per-engagement and pinned in our build.
Tool
x64dbg
Production use — versioned per-engagement and pinned in our build.
Tool
WinDbg
Production use — versioned per-engagement and pinned in our build.
Tool
OllyDbg
Production use — versioned per-engagement and pinned in our build.
Tool
Hex-Rays
Production use — versioned per-engagement and pinned in our build.
Tool
Frida
Production use — versioned per-engagement and pinned in our build.
Tool
Binary Analysis Platform (BAP)
Production use — versioned per-engagement and pinned in our build.
Tool
QEMU + Unicorn
Production use — versioned per-engagement and pinned in our build.
$ ghidra-server --import target.elf --auto-analyze
Loaded ELF (x86_64) · 12,841 functions identified
$ decomp --output target.c --rename-known --include-bookmarks
Wrote target.c · 287,000 LOC · 43 modules
$
Deliverables
Artifacts handed over at close-out. Each is reproducible and self-contained.
Sample deliverable
software-reverse-engineering · final report
rev.04 · pdf
Engagement summary
Findings
Our practice
Software reverse engineering is read-the-code work. Our practitioners spend most of their week inside other people's binaries — that's the depth that makes the deliverable defensible.
Decompiler in practice
Senior engineers run static and dynamic passes on every binary. No junior layers between you and the analysis.
Software RE Lead
Anonymized pre-NDA
Senior Reverse Engineer
Anonymized pre-NDA
Decompilation Specialist
Anonymized pre-NDA
Tooling Engineer
Anonymized pre-NDA
“Decompile the binary, recover the design intent, ship source your team can extend without us.”
Cross-industry
Sectors where this work is most often scoped. Cross-link to detailed industry pages for sector-specific context.
ECU, CAN, and aftermarket interoperability.
Software RE for automotiveSustainment for long-life platforms.
Software RE for aerospacePLC and legacy controller recovery.
Software RE for industrial & manufacturingAdversary research and product hardening.
Software RE for cybersecurityFirmware extraction and protocol mapping.
Software RE for iot & embeddedQuestions
Pulled from real client conversations. If yours isn't here, ask directly.
Software reverse engineering is legal in most jurisdictions when performed for interoperability, security research, error correction, or other lawful purposes. In the United States, DMCA Section 1201(f) provides an explicit interoperability carve-out. The EU Software Directive (2009/24/EC) Article 6 grants similar rights. We document the legal basis for every engagement in writing before work begins.
Yes — working from binaries alone is the core of our software reverse engineering services. We use IDA Pro, Ghidra, Binary Ninja, and dynamic instrumentation to recover source-level logic, identify data structures, and reconstruct architecture. Original source is helpful for cross-checking but not required.
Modern decompilers produce readable C-like output with recovered control flow. Variable names and comments are lost, so our work includes annotation, type inference, and structural cleanup. The result is reviewable source that engineers without reverse engineering training can work with.
Most engagements run between four and fourteen weeks. The first week is scoping and NDA execution; the last week is handover with a 30-day support window. Larger source-code-recovery programs run longer; we provide a fixed scope letter before any analysis begins.
Every engagement runs under mutual NDA. Materials are stored on encrypted-at-rest infrastructure under our sole control. When clean-room separation is required, the analysis team produces a written specification and a separate reconstruction team builds from spec only — never seeing the original artifact.
Yes, under defined research scope. We analyze malicious executables in isolated environments, document IOCs, capture network behavior, and report findings under a coordinated-disclosure framework where applicable. We do not develop or distribute offensive tooling.
Annotated source in your preferred language (C, C++, Rust, Go, Python), architecture diagrams in SVG and PDF, reproducible build artifacts with Dockerized toolchains where applicable, and a test harness demonstrating behavioral parity. Format negotiable during scoping.
Engagements start with a scoping phase under NDA. Project length and pricing depend on system complexity, source-code availability, and deliverable scope. We work fixed-bid for well-bounded scopes and time-and-materials for exploratory work. Specific rates are shared after intake.
Yes. We routinely work on x86, x86-64, ARM, AArch64, MIPS, PowerPC, RISC-V, SPARC, and various microcontroller targets. For uncommon embedded architectures we extend our toolchain rather than refusing the work.
Selected work
Engagements where this capability carried significant scope.
Case studies for this service available under NDA
Most of our work in this area is covered by mutual NDA. Request anonymized references during your inquiry — we share them with prospective clients after NDA execution.
More from us
Adjacent capabilities you may need on the same engagement.
Reverse Engineering
Extract, analyze, and document embedded firmware.
Explore Firmware REReverse Engineering
Vulnerability discovery. Code audits. Exploit research.
Explore Security ResearchDevelopment
Software for engineering systems — and the teams that operate them.
Explore Software DevelopmentEngage
All inquiries reviewed under NDA. We respond within two business days with a scoped engagement plan and fixed deliverables list.
Senior engineers · Anonymized pre-NDA
