Relyze - Interactive Binary Disassembler & Diff Cheatsheet
Relyze is a commercial interactive disassembler, decompiler, and binary-diffing platform for native software, supporting x86, x64, ARM32, and ARM64. It analyzes PE/ELF binaries into functions and control-flow graphs, provides a decompiler to recover higher-level pseudocode, and includes a strong binary diff engine for comparing two versions of a binary — invaluable for patch analysis and tracking malware variants. It is extensible through a Ruby plugin/scripting framework. A free non-commercial edition is available.
Installation
| Step | Notes |
|---|
| Download | Get the installer from the official site (Windows) |
| Editions | Free (non-commercial) and Professional |
| First run | Configure the decompiler and analysis options |
| Plugins | Ruby scripting available out of the box |
Analysis Workflow
| Action | Description |
|---|
| Open a file | Analyze a PE or ELF binary into functions/CFG |
| Functions view | Browse discovered functions |
| Graph view | Control-flow graph of the selected function |
| Decompiler | Recover C-like pseudocode for a function |
| Strings | List referenced strings and their xrefs |
| Imports/Exports | Inspect the import/export tables |
| Cross-references | Jump to where a function/data is used |
Navigation Essentials
| Task | How |
|---|
| Rename a symbol | Select and rename (propagates to xrefs) |
| Comment | Annotate instructions/functions |
| Follow a call | Double-click a call target |
| Go to address | Address navigation box |
| Switch view | Toggle disassembly / graph / decompiler |
Binary Diffing
Relyze’s diff engine matches functions between two binaries and classifies them as identical, changed, added, or removed — the core workflow for analyzing a security patch or comparing malware samples.
| Task | How |
|---|
| Start a diff | Open binary A, then diff against binary B |
| Matched functions | Review functions paired across the two builds |
| Changed functions | Focus on functions whose code differs |
| Added/removed | See what the patch introduced or deleted |
| Port annotations | Carry names/comments from one build to the next |
Patch analysis pattern: diff the pre-patch and post-patch binaries, focus on the small set of changed functions, and study what the vendor fixed to understand the underlying vulnerability.
Ruby Scripting
Relyze exposes its analysis model to Ruby for automation.
# Conceptual: iterate functions and flag large ones
model = Relyze::Engine.instance.active_model
model.functions.each do |func|
if func.instructions.length > 500
puts "Large function at #{func.address.to_s(16)}"
end
end
| Use | Example |
|---|
| Bulk renaming | Apply naming heuristics across functions |
| Custom analysis | Detect patterns (crypto constants, gadgets) |
| Export data | Dump functions/strings to a file |
| Automate diffing | Script comparisons across many samples |
Common Workflows
| Goal | Approach |
|---|
| Understand a security patch | Diff pre/post binaries → study changed functions |
| Triage a native sample | Strings + imports → decompile suspicious functions |
| Track malware variants | Diff new sample against a known family member |
| Recover logic | Use the decompiler + rename/comment to rebuild intent |
Relyze vs Other Disassemblers
| Aspect | Relyze | IDA Pro | Ghidra | Binary Ninja |
|---|
| Decompiler | Yes | Yes (Hex-Rays) | Yes | Yes |
| Binary diff | Built-in | Add-on (BinDiff) | Plugins | Plugins |
| Scripting | Ruby | Python/IDC | Java/Python | Python |
| Cost | Free + Pro | Commercial | Free | Commercial |
Resources
