Binary Reverse Engineering
Purpose
Comprehensive guide for binary reverse engineering. This skill provides the overall methodology, philosophy, and reference material. Related skills handle specific phases:
Related Skills
| Skill | Purpose | Trigger Keywords |
|---|---|---|
binary-re:triage | Fast fingerprinting | "what is this binary", "identify", "file type" |
binary-re:static-analysis | r2 + Ghidra analysis | "disassemble", "decompile", "functions" |
binary-re:dynamic-analysis | QEMU + GDB + Frida | "run", "execute", "debug", "trace" |
binary-re:synthesis | Report generation | "summarize", "report", "document findings" |
binary-re:tool-setup | Install tools | "install", "setup", "tool not found" |
Note: Each skill auto-detects based on keywords. You don't need to explicitly route - just ask what you need.
Pre-Flight Verification
Before beginning any analysis, verify tooling availability:
Core Tools (Required)
bash1rabin2 -v # Should show version 2r2 -v # Should show version
Decompilation (Optional)
bash1# Check r2ghidra availability 2r2 -qc 'pdg?' - 2>/dev/null | grep -q Usage && echo "r2ghidra OK" || echo "r2ghidra missing - install with: r2pm -ci r2ghidra"
Dynamic Analysis Platform Check
| Host Platform | Method | Setup Required |
|---|---|---|
| Linux x86_64 | Native QEMU | apt install qemu-user |
| macOS (any) | Docker + binfmt | See binary-re-tool-setup skill |
| Windows | WSL2 | Use Linux method inside WSL |
If dynamic tools unavailable: Proceed with static-only analysis, note reduced confidence in synthesis phase.
Fallback Tooling (No r2/Ghidra)
When radare2 or Ghidra aren't available, use standard binutils/LLVM tools:
bash1# Metadata (replaces rabin2 -I) 2readelf -h binary # ELF header 3readelf -d binary # Dynamic section (dependencies) 4file binary # Quick identification 5 6# Imports/Exports (replaces rabin2 -i/-E) 7readelf -Ws binary | grep -E "FUNC|OBJECT" | awk '{print $8}' 8nm -D binary 2>/dev/null # Dynamic symbols 9 10# Strings (replaces rabin2 -zz) 11strings -a -n 8 binary | grep -Ei 'http|ftp|/etc|/var|error|pass|key|token|api' 12 13# Disassembly (replaces r2 pdf) 14objdump -d -M intel binary | head -500 15# Or LLVM (better cross-arch support): 16llvm-objdump -d --no-show-raw-insn binary | head -500 17 18# Dependencies (replaces rabin2 -l) 19ldd binary 2>/dev/null || readelf -d binary | grep NEEDED
Limitations of fallback approach:
- No cross-references (axt/axf) - must trace manually
- No decompilation - assembly only
- No function boundary detection - raw disassembly
- Reduced accuracy for stripped binaries
Philosophy
The LLM drives analysis; the human provides context.
Human provides:
- Platform info (device type, OS, hardware)
- Suspected purpose (what the binary might do)
- Constraints (no network, isolated env, etc.)
LLM executes:
- Tool selection and invocation
- Hypothesis formation from evidence
- Experiment design
- Knowledge synthesis
The Agentic Loop
┌─────────────────────────────────────────────────┐
│ HYPOTHESIS-DRIVEN ANALYSIS │
├─────────────────────────────────────────────────┤
│ │
│ 0. I/O SANITY → Compare known inputs/outputs │
│ 1. OBSERVE → Gather facts via tools │
│ 2. HYPOTHESIZE → Form theories from facts │
│ 3. PLAN → Design experiments to test theories │
│ 4. EXECUTE → Run tools (gate risky ops) │
│ 5. RECORD → Capture observations │
│ 6. UPDATE → Confirm/refute hypotheses │
│ 7. LOOP → Until understanding sufficient │
│ │
└─────────────────────────────────────────────────┘
Step 0: Compare Known I/O First (CRITICAL)
Before diving into code analysis, always check if known inputs/outputs exist.
This step prevents hours of wasted analysis by establishing ground truth first.
⚠️ REQUIRES HUMAN APPROVAL - Even for I/O comparison, get explicit approval before execution.
bash1# SAFE: Use emulation for cross-arch binaries (after human approval) 2# ARM32 example: 3qemu-arm -L /usr/arm-linux-gnueabihf -- ./binary input.txt > actual_output.txt 4 5# x86-64 native (still requires approval): 6./binary input.txt > actual_output.txt 7 8# Docker-based (macOS - safest option): 9docker run --rm --platform linux/arm/v7 -v ~/samples:/work:ro \ 10 arm32v7/debian:bullseye-slim /work/binary /work/input.txt > actual_output.txt 11 12# Compare outputs: 13diff expected_output.txt actual_output.txt 14cmp -l expected_output.txt actual_output.txt | head -20 # Byte-level 15 16# Document the delta: 17# - Where does output first diverge? 18# - What pattern appears in the corruption? 19# - Does file size match (logic bug) or differ (truncation)?
Record as FACT:
FACT: Output differs at byte {N}, expected "{X}" got "{Y}" (source: diff/cmp)
FACT: File sizes match/differ by {N} bytes (source: ls -l)
This single step often reveals the bug category before any disassembly.
Knowledge Model
Throughout analysis, maintain structured knowledge via episodic memory:
FACTS: Verified observations with tool attribution
HYPOTHESES: Theories with confidence and evidence
QUESTIONS: Open unknowns blocking progress
EXPERIMENTS: Planned tool invocations
OBSERVATIONS: Results from experiments
DECISIONS: Human-approved choices with rationale
Episodic Memory Integration
Knowledge persists across sessions via episodic memory. Use consistent tagging:
[BINARY-RE:{phase}] {artifact_name} (sha256: {hash})
FACT: {observation} (source: {tool})
HYPOTHESIS: {theory} (confidence: {0.0-1.0})
QUESTION: {unknown}
DECISION: {choice} (rationale: {why})
Starting analysis: Search episodic memory for artifact hash first
After each phase: Findings are automatically captured in conversation
Resuming: Search [BINARY-RE] {artifact_name} to restore context
Human-in-the-Loop Triggers
ALWAYS ask human before:
- Executing the binary - Even under QEMU, confirm sandbox
- Network operations - Prevent unintended phone-home
- Conflicting evidence - Resolve contradictory findings
- Privileged operations - Device access, root actions
- Major direction changes - Significant analysis pivots
Session Management
Starting New Analysis
1. Compute artifact hash: sha256sum binary
2. Search episodic memory: "[BINARY-RE] sha256:{hash}"
3. If previous analysis found:
→ "Found previous analysis from {date}. Resume or start fresh?"
4. If resuming: Load facts/hypotheses, continue from last phase
5. If fresh: Begin with triage phase
Resuming Interrupted Analysis
User: "Continue analyzing that thermostat binary"
Claude:
1. Invoke episodic-memory:search-conversations
Query: "[BINARY-RE] thermostat"
2. Retrieve previous session findings
3. Summarize: "Last session identified ARM32/musl, found network
functions. We were about to run dynamic analysis."
4. Continue from that phase
Searching Past Analyses
User: "Have we analyzed any ARM binaries with hardcoded passwords?"
Claude:
1. Search: "[BINARY-RE] FACT: hardcoded" or "[BINARY-RE] ARM"
2. Return matching artifacts and findings
Standard Analysis Flow
For typical unknown binary analysis:
1. Triage (binary-re-triage)
└─ Architecture, ABI, dependencies, capabilities
2. Static Analysis (binary-re-static-analysis)
└─ Functions, strings, xrefs, decompilation
3. Dynamic Analysis (binary-re-dynamic-analysis) - if safe
└─ Syscalls, network, file access
4. Synthesis (binary-re-synthesis)
└─ Structured report with evidence
Quick Reference
Essential Commands
bash1# Fast triage 2rabin2 -I binary # Metadata 3rabin2 -l binary # Dependencies 4rabin2 -zz binary # Strings 5 6# Static analysis 7r2 -q -c 'aa; aflj' binary # Functions 8r2 -q -c 'izj' binary # Strings 9 10# Dynamic (ARM example) 11qemu-arm -L /usr/arm-linux-gnueabihf -strace ./binary
Architecture Detection
| Indicator | Architecture | QEMU Binary | Ghidra Processor |
|---|---|---|---|
e_machine=EM_386 (3) | x86 32-bit | qemu-i386 or Docker --platform linux/i386 | x86:LE:32:default |
e_machine=EM_ARM (40) | ARM 32-bit | qemu-arm or Docker --platform linux/arm/v7 | ARM:LE:32:v7 |
e_machine=EM_AARCH64 (183) | ARM 64-bit | qemu-aarch64 or Docker --platform linux/arm64 | AARCH64:LE:64:v8A |
e_machine=EM_X86_64 (62) | x86-64 | Native or Docker --platform linux/amd64 | x86:LE:64:default |
e_machine=EM_MIPS (8) | MIPS 32 LE | qemu-mipsel | MIPS:LE:32:default |
e_machine=EM_MIPS (8) BE | MIPS 32 BE | qemu-mips | MIPS:BE:32:default |
e_machine=EM_RISCV (243) | RISC-V 64 | qemu-riscv64 | RISCV:LE:64:RV64I |
e_machine=EM_RISCV (243) 32 | RISC-V 32 | qemu-riscv32 | RISCV:LE:32:RV32I |
Libc Detection
| Interpreter | Libc |
|---|---|
ld-linux-armhf.so.3 | glibc (ARM hard-float) |
ld-musl-arm.so.1 | musl |
ld-uClibc.so.0 | uClibc |
Error Recovery
| Situation | Action |
|---|---|
| Tool not found | Use binary-re-tool-setup skill |
| Wrong architecture | Re-run triage, verify file output |
| QEMU fails | Try Qiling, Unicorn, or on-device |
| Analysis timeout | Reduce scope, use aa not aaa |
| Conflicting evidence | Ask human, document both interpretations |
Documentation
See companion docs:
docs/r2-commands.md- Complete r2 reference for LLMsdocs/ghidra-headless.md- Ghidra scripting guidedocs/arch-adapters.md- Per-architecture quirksdocs/python-bytecode-re.md- Python .pyc/marshal obfuscation patterns
Integration
Works with other plugins:
- remote-system-maintenance: Extract binaries from devices via SSH
- fresh-eyes-review: Validate conclusions before documenting
- scenario-testing: Create reproducible analysis environments
