Reverse Engineering
sol-azy provides a reverse engineering module tailored for Solana programs compiled to eBPF. It allows you to disassemble `.so` binaries, extract control flow, and track embedded immediate data.
This tooling is especially useful for:
- Security researchers auditing deployed programs
- Developers understanding bytecode behavior
- Anyone comparing compiled output to source logic
Features
- Disassembler: Converts raw bytecode into human-readable SBPF instructions plus Rust-like comparisons
- Control Flow Graph: Generates `.dot` files representing program structure
- Immediate Tracker: Resolves strings or data loaded from `.rodata`

Each of these features is accessible through the `reverse` CLI command.
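To make the three features above concrete, here is an added, self-contained toy that is not part of sol-azy's code base. It encodes a tiny SBPF-style program (constructed for this example), decodes the classic 8-byte eBPF slot format that pre-v3 SBPF shares (an assumption stated in the code), resolves `lddw` immediates against a constructed `.rodata` blob at a hypothetical load address, and splits the result into basic blocks emitted as a Graphviz `digraph`. Opcode values, the `RODATA_BASE` address, and the sample strings are assumptions chosen for illustration; sol-azy's real output formats differ.

```python
"""Toy SBPF decoder: disassembly, lddw immediate resolution, and a DOT control flow graph."""
import struct
from typing import List, Optional, Set, Tuple

# Constructed .rodata blob at a hypothetical virtual load address (not from a real program).
RODATA_BASE = 0x100001000
RODATA = b"Insufficient funds\x00Unauthorized\x00"

# Classic eBPF opcode bytes; assumption: pre-v3 SBPF uses the same encoding.
OPCODES = {0x07: "add64", 0xB7: "mov64", 0xBF: "mov64", 0x18: "lddw",
           0x15: "jeq", 0x05: "ja", 0x85: "call", 0x95: "exit"}
JUMPS = {"jeq", "ja"}


def encode(op: int, dst: int = 0, src: int = 0, off: int = 0, imm: int = 0) -> bytes:
    """Pack one 8-byte slot: opcode, src:dst nibbles, i16 offset, i32 immediate."""
    return struct.pack("<BBhi", op, (src << 4) | dst, off, imm)


def lddw(dst: int, value: int) -> bytes:
    """lddw spans two slots; the second slot carries the high 32 bits in its imm field."""
    lo = struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]
    hi = struct.unpack("<i", struct.pack("<I", (value >> 32) & 0xFFFFFFFF))[0]
    return encode(0x18, dst, 0, 0, lo) + encode(0x00, 0, 0, 0, hi)


def resolve_rodata(addr: int) -> Optional[str]:
    """Map a 64-bit immediate into .rodata and read the NUL-terminated string found there."""
    if RODATA_BASE <= addr < RODATA_BASE + len(RODATA):
        start = addr - RODATA_BASE
        end = RODATA.find(b"\x00", start)
        return RODATA[start:end if end != -1 else None].decode("ascii", "replace")
    return None


def disassemble(code: bytes) -> List[dict]:
    """Decode 8-byte slots; lddw consumes two slots and yields one 64-bit immediate."""
    insns, pc, slots = [], 0, len(code) // 8
    while pc < slots:
        op, regs, off, imm = struct.unpack_from("<BBhi", code, pc * 8)
        dst, src = regs & 0xF, regs >> 4
        name = OPCODES.get(op, f"op_{op:#04x}")
        insn = {"pc": pc, "op": name, "dst": dst, "src": src, "off": off,
                "imm": imm, "size": 1, "target": None, "rodata": None}
        if name == "lddw":
            _, _, _, hi = struct.unpack_from("<BBhi", code, (pc + 1) * 8)
            insn["imm"] = ((hi & 0xFFFFFFFF) << 32) | (imm & 0xFFFFFFFF)
            insn["size"] = 2
            insn["rodata"] = resolve_rodata(insn["imm"])  # immediate tracking step
            insn["text"] = f"lddw r{dst}, {insn['imm']:#x}"
        elif name in JUMPS:
            insn["target"] = pc + 1 + off  # offsets count slots, relative to the next slot
            insn["text"] = f"jeq r{dst}, {imm}, +{off}" if name == "jeq" else f"ja +{off}"
        elif name == "exit":
            insn["text"] = "exit"
        elif op == 0xBF:
            insn["text"] = f"mov64 r{dst}, r{src}"
        else:
            insn["text"] = f"{name} r{dst}, {imm}"
        insns.append(insn)
        pc += insn["size"]
    return insns


def basic_blocks(insns: List[dict]) -> Tuple[List[Tuple[int, List[dict]]], Set[Tuple[int, int]]]:
    """Split at leaders (entry, jump targets, slot after a jump/exit) and collect edges."""
    end_pc = max(i["pc"] + i["size"] for i in insns)
    leaders = {0}
    for i in insns:
        if i["op"] in JUMPS:
            leaders.update({i["target"], i["pc"] + i["size"]})
        elif i["op"] == "exit":
            leaders.add(i["pc"] + i["size"])
    starts = sorted(l for l in leaders if l < end_pc)
    blocks, edges = [], set()
    for idx, start in enumerate(starts):
        stop = starts[idx + 1] if idx + 1 < len(starts) else end_pc
        blocks.append((start, [i for i in insns if start <= i["pc"] < stop]))
    for idx, (start, body) in enumerate(blocks):
        last, fall = body[-1], (starts[idx + 1] if idx + 1 < len(starts) else None)
        if last["op"] == "exit":
            continue  # program terminates; no successor
        if last["op"] in JUMPS:
            edges.add((start, last["target"]))
        if last["op"] != "ja" and fall is not None:
            edges.add((start, fall))  # fallthrough edge (conditional jump or plain insn)
    return blocks, edges


def to_dot(blocks, edges) -> str:
    """Render blocks as Graphviz nodes; resolved .rodata strings are annotated inline."""
    lines = ["digraph cfg {", "  node [shape=box, fontname=monospace];"]
    for start, body in blocks:
        rows = [f"{i['pc']:>4}: {i['text']}" + (f"   ; rodata: {i['rodata']}" if i["rodata"] else "")
                for i in body]
        lines.append(f'  {start} [label="{chr(92)}l".join(rows) + chr(92) + "l"];'
                     if False else f'  {start} [label="' + "\\l".join(rows) + '\\l"];')
    lines += [f"  {s} -> {d};" for s, d in sorted(edges)] + ["}"]
    return "\n".join(lines)


# Constructed sample program (slot indices in comments).
PROGRAM = (
    encode(0xB7, dst=1, imm=5)           # 0: mov64 r1, 5
    + encode(0x15, dst=1, off=3, imm=5)  # 1: jeq r1, 5, +3  -> slot 5
    + lddw(1, RODATA_BASE)               # 2-3: lddw r1, &"Insufficient funds"
    + encode(0x95)                       # 4: exit
    + lddw(1, RODATA_BASE + 19)          # 5-6: lddw r1, &"Unauthorized"
    + encode(0x95)                       # 7: exit
)

if __name__ == "__main__":
    decoded = disassemble(PROGRAM)
    print(to_dot(*basic_blocks(decoded)))
```

Running the script prints a `digraph` with three boxes and two edges out of the entry block, which is the same shape of artifact that `cfg.dot` represents; the `rodata:` annotations on the two `lddw` rows are the toy equivalent of the immediate tracker's table.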
Input
The reverse engine operates on compiled Solana `.so` files, typically generated by:

```shell
anchor build
# or
cargo build-sbf
```

You pass the `.so` file using `--bytecodes-file`.
Output
Depending on the selected mode, sol-azy produces one or more of the following:
| File | Description |
|---|---|
| `disassembly.out` | Instruction-by-instruction disassembly |
| `immediate_data_table.out` | Extracted strings or data from RODATA |
| `cfg.dot` | Control flow graph (Graphviz-compatible) |

You can visualize `cfg.dot` with:

```shell
dot -Tpng cfg.dot -o cfg.png
```
Subsections
To dive deeper into how reverse analysis works in sol-azy:
Usage Example
```shell
cargo run -- reverse \
  --mode both \
  --out-dir ./out/ \
  --bytecodes-file ./bytecodes/program.so \
  --labeling
```
Compatibility
- Supports `.so` files compiled using Solana's official toolchain
- Compatible with both Anchor and native SBF programs
- Works on programs targeting `solana_rbpf` / `solana_sbpf`
Note
The reverse engineering core in sol-azy is based on the excellent open-source project sbpf-solana by Anza (anza-xyz). We have modified and extended its disassembly and control flow analysis logic to better fit sol-azy's needs, especially for static audits, immediate tracking, and custom export formats.