‹ 首页

reverse-engineering-binary-analysis

@masriyan · 收录于 1 周前

Binary analysis, assembly interpretation, disassembly, decompilation, firmware RE, and protocol reverse engineering

适合你,如果需要分析二进制文件或逆向工程来理解软件行为

/ 下载安装
reverse-engineering-binary-analysis.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add masriyan/claude-code-cybersecurity-skill/reverse-engineering-binary-analysis
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- masriyan/claude-code-cybersecurity-skill/reverse-engineering-binary-analysis
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify masriyan/claude-code-cybersecurity-skill/reverse-engineering-binary-analysis
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
160GitHub stars
~2.7K最小装载
~5.1K含声明引用
~5.2K文本包总量
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · MIT · 2c864e3

Reverse Engineering & Binary Analysis

Purpose

Enable Claude to assist with reverse engineering tasks including binary analysis, assembly interpretation, decompilation, firmware reverse engineering, and protocol analysis. Claude directly reads and interprets disassembled code, identifies patterns, reconstructs logic, and helps navigate complex binaries using RE tool output.


Activation Triggers

This skill activates when the user asks about:

  • Analyzing an ELF, PE (exe/dll), Mach-O, or raw binary
  • Interpreting x86, x64, ARM, MIPS, or RISC-V assembly code
  • Reverse engineering firmware from embedded/IoT devices
  • Reverse engineering a network protocol
  • Using Ghidra, IDA Pro, radare2, or Binary Ninja output
  • Identifying what a binary or function does
  • Finding vulnerabilities in disassembly
  • CTF binary challenges (pwn, reversing categories)
  • Anti-debugging or anti-analysis technique identification
  • Unpacking or deobfuscating binaries

Prerequisites
pip install capstone pyelftools pefile lief

Recommended RE tools:

  • Ghidra — NSA open-source RE framework (free)
  • radare2 / Cutter — Open-source RE framework
  • Binary Ninja — Commercial RE platform with scripting
  • IDA Pro / Free — Industry standard disassembler
  • GDB + GEF/PEDA/pwndbg — Dynamic debugging
  • Binwalk — Firmware extraction and analysis
  • strings, file, objdump, readelf — Standard Linux utilities

Core Capabilities
1. Initial Binary Triage

When the user provides a binary or asks what a file is:

Run these commands and share output with Claude for analysis:

# File type identification
file suspicious_binary

# Strings extraction (often reveals C2, keys, paths)
strings -a suspicious_binary | grep -E "(http|/etc|password|key|secret|flag)"

# ELF analysis
readelf -a suspicious_binary
objdump -d suspicious_binary | head -100

# PE analysis
python scripts/binary_analyzer.py --file malware.exe --strings --imports

# Entropy analysis (high entropy = packed/encrypted)
python scripts/binary_analyzer.py --file binary --entropy

Binary Triage Checklist:

[ ] File type and format (magic bytes): ELF / PE / Mach-O / raw
[ ] Target architecture: x86 / x64 / ARM32 / ARM64 / MIPS / RISC-V
[ ] Endianness: little-endian / big-endian
[ ] Linking type: statically linked / dynamically linked
[ ] Security features: PIE / ASLR / NX/DEP / Stack Canary / RELRO
[ ] Packing detected: UPX / Themida / custom (high entropy sections)
[ ] Compiler identified: GCC / MSVC / Clang / Rust / Go
[ ] Interesting strings: URLs, IPs, credentials, file paths
[ ] Import/Export table: suspicious API calls
[ ] Entry point and sections mapping

Security feature detection:

# Linux: checksec (from pwntools)
checksec --file=./binary

# Or check manually:
readelf -l binary | grep GNU_STACK    # NX bit
readelf -d binary | grep RELRO        # RELRO
2. Assembly Code Interpretation

When the user pastes disassembled code or Ghidra decompilation:

Claude will:

  1. Identify the architecture from instruction syntax
  2. Trace execution flow from the provided entry point
  3. Identify function calls (call/bl/jal instructions)
  4. Reconstruct high-level logic from the assembly
  5. Annotate each block with a comment explaining its purpose
  6. Flag security-relevant patterns

Common x86-64 Patterns:

| Pattern | Instructions | Meaning | |---------|--------------|---------| | Function prologue | push rbp; mov rbp, rsp; sub rsp, N | Stack frame setup | | Function epilogue | leave; ret or pop rbp; ret | Stack frame teardown | | Local variable | mov [rbp-N], rax | Store value on stack | | Loop counter | cmp rax, N; jl/jge loop_top | Loop with counter | | Buffer on stack | sub rsp, 0x100 | 256-byte local buffer | | String copy | rep movsb | Memory copy | | Memset | rep stosb | Memory zero/fill | | Switch-case | Indirect jump: jmp [rax*8 + table] | Jump table | | System call (Linux) | mov rax, N; syscall | Direct system call | | Printf/format string | lea rdi, [rip+str]; call printf@plt | Print statement | | Heap allocation | call malloc / call operator new | Dynamic memory |

Common ARM64 Patterns: | Pattern | Instructions | Meaning | |---------|--------------|---------| | Function prologue | stp x29, x30, [sp, #-N]! | Save frame pointer & LR | | Return | ret (uses x30) | Return from function | | Load/store pair | ldp/stp | Load/store two registers | | Branch + link | bl func | Call function | | Conditional branch | b.eq / b.ne / b.lt | Conditional jump | | System call | svc #0 | System call |

Crypto constant detection:

# Common crypto constants to watch for:
AES_SBOX = bytes.fromhex("637c777bf26b6fc5...") # AES SubBytes table
SHA256_K = [0x428a2f98, 0x71374491, ...]         # SHA-256 round constants
RC4_INIT_PATTERN                                   # Sequential 0x00-0xFF
3. Firmware Reverse Engineering

When the user asks to analyze embedded firmware:

# Step 1: Identify firmware format
file firmware.bin
binwalk firmware.bin

# Step 2: Extract filesystem
binwalk -e firmware.bin
# Extracts to _firmware.bin.extracted/

# Step 3: Analyze extracted filesystem
ls -la _firmware.bin.extracted/
find . -name "*.cgi" -o -name "passwd" -o -name "shadow" -o -name "*.conf"

# Step 4: Find sensitive data
grep -r "password\|admin\|secret\|key" . --include="*.conf" --include="*.xml"

# Step 5: Find binary entry points
file _firmware.bin.extracted/bin/*
strings -a httpd | grep -E "(password|auth|key)"

Firmware Analysis Checklist:

[ ] Identify firmware packaging format (SquashFS, JFFS2, CPIO, raw)
[ ] Extract filesystem using binwalk -e
[ ] Identify target OS and RTOS (Linux, VxWorks, ThreadX, FreeRTOS)
[ ] Find hardcoded credentials in /etc/passwd, config files, binaries
[ ] Identify web interface binaries (httpd, lighttpd, uhttpd)
[ ] Check for debug interfaces (JTAG, UART, SSH enabled)
[ ] Identify update mechanism and signing verification
[ ] Search for private keys, certificates, API keys
[ ] Check for command injection in shell scripts and CGI handlers
[ ] Map memory layout from linker scripts or binary headers
4. Protocol Reverse Engineering

When the user wants to reverse engineer a protocol:

Given captured traffic or binary data:

  1. Frame structure analysis — Look for:
  2. Magic bytes or sync patterns (fixed byte sequences at start)
  3. Length fields (2 or 4 bytes, often at offset 2-4)
  4. Message type/command identifier (1-2 bytes)
  5. Checksum/CRC (last 1-4 bytes)
  6. Padding patterns (0x00 or 0xFF fills)
  1. Field type identification: ``` Common field patterns:
  2. 4 bytes, big-endian, values 0-65535 → likely length or port
  3. 16 bytes uniform random → UUID or AES key
  4. Null-terminated variable sequence → ASCII string
  5. Fixed 4 bytes: 0xDEADBEEF, 0xCAFEBABE → magic number ```
  1. Command-response mapping — Analyze pairs to find:
  2. Request: specific type byte → Response: matching acknowledgment
  3. Error responses: common error code patterns
  1. State machine construction: ``` [INIT] → send magic handshake → [AUTH] → send credentials → [CONNECTED] → send commands → [DATA] → receive data → [IDLE] ```
  1. Generate parser code: ```python import struct

MAGIC = b"\xDE\xAD\xBE\xEF"

def parse_packet(data: bytes) -> dict: if not data.startswith(MAGIC): raise ValueError("Invalid magic bytes")

msg_type, length = struct.unpack(">HH", data[4:8]) payload = data[8:8 + length] checksum = struct.unpack(">H", data[8 + length:8 + length + 2])[0]

return { "type": msg_type, "length": length, "payload": payload, "checksum": checksum } ```

5. Anti-Reversing Technique Identification & Bypass

When the user encounters anti-analysis measures:

| Technique | Indicators | Bypass | |-----------|-----------|--------| | UPX packing | UPX! string, high entropy | upx -d binary | | Anti-debug: IsDebuggerPresent | API call in imports | Patch: NOP or force return 0 | | Anti-debug: ptrace check | ptrace(PTRACE_TRACEME) | GDB: catch syscall ptrace + return 1 | | Timing checks | RDTSC, GetTickCount loops | Patch jumps or NOP timing checks | | VM detection | Check for VMware registry/files | Run on bare metal or patch | | String encryption | No readable strings, XOR loops | Find decryption routine, set breakpoint after | | Control flow flattening | Switch dispatch with state machine | Trace execution to map real CFG | | Code virtualization | Custom VM interpreter | Analyze VM bytecode semantics | | Self-modifying code | WriteProcessMemory, VirtualProtect | Set breakpoint at write target |

Ghidra scripting for automation:

// Ghidra script: find all XOR loops (common string decryption)
FunctionManager fm = currentProgram.getFunctionManager();
for (Function f : fm.getFunctions(true)) {
    // Analyze function for XOR instructions
    // Flag functions with XOR + loop patterns
}
6. CTF Binary Challenges

When the user is working on a CTF challenge (pwn/rev category):

Quick CTF triage:

# Check protections
checksec --file=./challenge

# Find win functions, hidden strings
strings ./challenge | grep -i "flag\|win\|cat\|/bin"
objdump -d ./challenge | grep -A2 "win\|backdoor\|system"

# Run with strace to see syscalls
strace ./challenge < /dev/null 2>&1 | head -50

# Dynamic analysis with pwndbg
gdb ./challenge
# In GDB:
# info functions       → list all functions
# disas main           → disassemble main
# b *0x401234          → breakpoint at address
# r < input.txt        → run with input

Common CTF patterns:

  • gets() / scanf("%s") without bounds → stack buffer overflow
  • printf(user_input) without format string → format string vulnerability
  • strcmp(input, flag) → timing attack or direct comparison
  • Custom cipher with key → find key, XOR to decrypt
  • VM-based challenge → trace bytecode execution to find flag check

Output Standards

When analyzing binaries, Claude produces:

  • File summary: type, arch, security features
  • Function list: key functions and their purpose
  • Annotated disassembly: line-by-line explanation
  • Vulnerability assessment: security issues found in the code
  • Pseudocode reconstruction: high-level equivalent of the assembly

Script Reference
binary_analyzer.py
# Full static analysis
python scripts/binary_analyzer.py --file suspicious.elf --output analysis.json

# Extract strings and imports only
python scripts/binary_analyzer.py --file malware.exe --strings --imports

# Entropy analysis (detect packing/encryption)
python scripts/binary_analyzer.py --file firmware.bin --entropy

Skill Integration

| Condition | Adjacent Skill | |-----------|---------------| | Sample needs dynamic behavioral analysis | → Skill 05 (Malware Analysis) | | Vulnerability found → develop exploit | → Skill 03 (Exploit Development) | | Extract IOCs from analysis | → Skill 06 (Threat Hunting) | | Create detection from findings | → Skill 15 (Blue Team Defense) |


References

v3.0 Enhancements (2026 Update)

Faster, more capable RE workflow:

  • AI-assisted decompilation — use Claude to annotate Ghidra/IDA decompiler output: rename variables, recover structs, infer function purpose, and summarize control flow. Treat AI naming as hypotheses to verify, not ground truth.
  • Ghidra headless automation — script bulk analysis (analyzeHeadless) with post-scripts for cross-binary IOC and string extraction.
  • Emulation-first triage — Qiling/Unicorn to run snippets and resolve dynamic strings/config without a full debugger; angr for symbolic exploration of CTF-style logic.
  • Go / Rust / Nim binaries — apply language-specific recovery (Go: gopclntab function/string recovery; Rust: demangling, panic-string pivots) since stripped modern binaries dominate.
  • eBPF & kernel objects — recognize eBPF bytecode and kernel modules used for stealth.
  • Firmwarebinwalk extraction → filesystem mount → emulate with FirmAE/QEMU; locate hardcoded creds, update mechanisms, and crypto keys.

Precision rule: record load address/base, architecture, calling convention, and compiler/toolchain in every analysis so offsets are reproducible.

按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。