ClaudeWave
Skill · 72 repo stars · updated 11 days ago

Reverse Engineering & Binary Analysis

Binary analysis, assembly interpretation, disassembly, decompilation, firmware RE, and protocol reverse engineering

Install in Claude Code

git clone --depth 1 https://github.com/Masriyan/Claude-Code-CyberSecurity-Skill /tmp/reverse-engineering-binary-analysis && cp -r /tmp/reverse-engineering-binary-analysis/skills/04-reverse-engineering ~/.claude/skills/reverse-engineering-binary-analysis
Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Reverse Engineering & Binary Analysis

## Purpose

Enable Claude to assist with reverse engineering tasks including binary analysis, assembly interpretation, decompilation, firmware reverse engineering, and protocol analysis. Claude directly reads and interprets disassembled code, identifies patterns, reconstructs logic, and helps navigate complex binaries using RE tool output.

---

## Activation Triggers

This skill activates when the user asks about:
- Analyzing an ELF, PE (exe/dll), Mach-O, or raw binary
- Interpreting x86, x64, ARM, MIPS, or RISC-V assembly code
- Reverse engineering firmware from embedded/IoT devices
- Reverse engineering a network protocol
- Using Ghidra, IDA Pro, radare2, or Binary Ninja output
- Identifying what a binary or function does
- Finding vulnerabilities in disassembly
- CTF binary challenges (pwn, reversing categories)
- Anti-debugging or anti-analysis technique identification
- Unpacking or deobfuscating binaries

---

## Prerequisites

```bash
pip install capstone pyelftools pefile lief
```

**Recommended RE tools:**
- `Ghidra` — NSA open-source RE framework (free)
- `radare2` / `Cutter` — Open-source RE framework
- `Binary Ninja` — Commercial RE platform with scripting
- `IDA Pro / Free` — Industry standard disassembler
- `GDB + GEF/PEDA/pwndbg` — Dynamic debugging
- `Binwalk` — Firmware extraction and analysis
- `strings, file, objdump, readelf` — Standard Linux utilities

---

## Core Capabilities

### 1. Initial Binary Triage

**When the user provides a binary or asks what a file is:**

Run these commands and share output with Claude for analysis:

```bash
# File type identification (format, architecture, endianness, static/dynamic, stripped or not)
file suspicious_binary

# Strings extraction (often reveals C2, keys, paths); add -el to also catch UTF-16 strings, common in PE files
strings -a suspicious_binary | grep -iE "(http|/etc|password|key|secret|flag)"

# ELF analysis
readelf -a suspicious_binary
objdump -d suspicious_binary | head -100

# PE analysis
python scripts/binary_analyzer.py --file malware.exe --strings --imports

# Entropy analysis (sections close to 8 bits/byte are packed or encrypted)
python scripts/binary_analyzer.py --file binary --entropy
```

**Binary Triage Checklist:**
```
[ ] File type and format (magic bytes): ELF / PE / Mach-O / raw
[ ] Target architecture: x86 / x64 / ARM32 / ARM64 / MIPS / RISC-V
[ ] Endianness: little-endian / big-endian
[ ] Linking type: statically linked / dynamically linked
[ ] Security features: PIE (needed for ASLR of the image) / NX/DEP / Stack Canary / RELRO
[ ] Packing detected: UPX / Themida / custom (high entropy sections)
[ ] Compiler identified: GCC / MSVC / Clang / Rust / Go
[ ] Interesting strings: URLs, IPs, credentials, file paths
[ ] Import/Export table: suspicious API calls
[ ] Entry point and sections mapping
```

**Security feature detection:**
```bash
# Linux: checksec.sh, or `pwn checksec ./binary` from pwntools
checksec --file=./binary

# Or check manually:
readelf -l binary | grep GNU_STACK    # NX: flags "RW " (no E) mean a non-executable stack
readelf -l binary | grep GNU_RELRO    # RELRO segment present = at least partial RELRO
readelf -d binary | grep BIND_NOW     # BIND_NOW together with GNU_RELRO = full RELRO
```
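The checklist above can be filled in without external tools. The following is an added example, not code from the skill or from the `binary_analyzer.py` script it references: a pure-Python ELF header and program-header parser that reports format, architecture, endianness, linking, PIE, NX, the RELRO segment and the `__stack_chk_fail` canary heuristic, plus Shannon entropy of the whole file. The `build_sample_elf` helper constructs a minimal synthetic ELF (headers only, no code) so the script runs offline; its x86-64 and MIPS samples are constructed values, not taken from any real binary.

```python
"""Added example: answer the ELF triage checklist in pure Python (no pyelftools needed)."""
import math
import struct
from collections import Counter

ELF_MAGIC = b"\x7fELF"
MACHINES = {3: "x86", 8: "MIPS", 40: "ARM32", 62: "x86-64", 183: "ARM64", 243: "RISC-V"}
E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO = 3, 0x6474E551, 0x6474E552
PF_X = 1  # segment flag: executable


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compiled code sits around 5-6.5, packed/encrypted data near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_elf(blob: bytes) -> dict:
    """Parse the ELF header and program headers; every key maps to a checklist item."""
    if blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    is64 = blob[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if blob[5] == 1 else ">"       # EI_DATA:  1 = little-endian, 2 = big-endian
    hdr_fmt = end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    (e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, *_rest) = struct.unpack_from(hdr_fmt, blob, 16)

    has_interp = has_relro = False
    stack_flags = None                       # no PT_GNU_STACK => executable stack on most loaders
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(end + "I", blob, off)[0]
        # p_flags directly follows p_type in ELF64 but is the 7th field (offset 24) in ELF32
        p_flags = struct.unpack_from(end + "I", blob, off + (4 if is64 else 24))[0]
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True

    return {
        "format": "ELF64" if is64 else "ELF32",
        "arch": MACHINES.get(e_machine, f"unknown({e_machine})"),
        "endian": "little" if end == "<" else "big",
        "type": E_TYPES.get(e_type, str(e_type)),
        "entry": e_entry,
        "linking": "dynamic" if has_interp else "static",
        # ET_DYN with PT_INTERP is a PIE executable; ET_DYN without one is a shared object
        "pie": e_type == 3 and has_interp,
        "nx": stack_flags is not None and not stack_flags & PF_X,
        # GNU_RELRO alone is partial RELRO; full RELRO additionally needs DT_FLAGS BIND_NOW
        "relro": "partial-or-full" if has_relro else "none",
        "canary": b"__stack_chk_fail" in blob,   # same symbol heuristic checksec uses
        "entropy": round(shannon_entropy(blob), 2),
    }


def build_sample_elf(is64=True, big_endian=False, machine=62, e_type=3,
                     interp=True, relro=True, stack_flags=6, canary=True) -> bytes:
    """Constructed sample (not a real binary): minimal ELF with just the headers triage reads."""
    end = ">" if big_endian else "<"
    ident = ELF_MAGIC + bytes([2 if is64 else 1, 2 if big_endian else 1, 1, 0, 0]) + b"\0" * 7
    if is64:
        phentsize, hdr_fmt, ph_fmt = 56, "HHIQQQIHHHHHH", "IIQQQQQQ"
        hdr = struct.pack(end + hdr_fmt, e_type, machine, 1, 0x1040, 64, 0, 0, 64, phentsize, 3, 64, 0, 0)
    else:
        phentsize, hdr_fmt, ph_fmt = 32, "HHIIIIIHHHHHH", "IIIIIIII"
        hdr = struct.pack(end + hdr_fmt, e_type, machine, 1, 0x400000, 52, 0, 0, 52, phentsize, 3, 40, 0, 0)
    segments = [(PT_INTERP if interp else 1, 4),      # 1 = PT_LOAD stands in for an absent segment
                (PT_GNU_STACK, stack_flags),
                (PT_GNU_RELRO if relro else 1, 4)]
    phdrs = b"".join(
        struct.pack(end + ph_fmt, t, f, 0, 0, 0, 0, 0, 0) if is64   # ELF64: type, flags, off, vaddr, paddr, filesz, memsz, align
        else struct.pack(end + ph_fmt, t, 0, 0, 0, 0, 0, f, 0)      # ELF32: type, off, vaddr, paddr, filesz, memsz, flags, align
        for t, f in segments)
    return ident + hdr + phdrs + (b"__stack_chk_fail\0" if canary else b"")


if __name__ == "__main__":
    for k, v in triage_elf(build_sample_elf()).items():
        print(f"{k:>8}: {v}")
```

Point `triage_elf` at `open(path, "rb").read()` for a real file. The RELRO answer is deliberately coarse: telling partial from full RELRO needs the dynamic section (`DT_FLAGS BIND_NOW`), which this header-only pass does not read.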

### 2. Assembly Code Interpretation

**When the user pastes disassembled code or Ghidra decompilation:**

Claude will:
1. Identify the architecture from instruction syntax
2. Trace execution flow from the provided entry point
3. Identify function calls (call/bl/jal instructions)
4. Reconstruct high-level logic from the assembly
5. Annotate each block with a comment explaining its purpose
6. Flag security-relevant patterns

**Common x86-64 Patterns:**

| Pattern | Instructions | Meaning |
|---------|--------------|---------|
| Function prologue | `push rbp; mov rbp, rsp; sub rsp, N` | Stack frame setup |
| Function epilogue | `leave; ret` or `pop rbp; ret` | Stack frame teardown |
| Local variable | `mov [rbp-N], rax` | Store value on stack |
| Loop counter | `cmp rax, N; jl/jge loop_top` | Loop with counter |
| Buffer on stack | `sub rsp, 0x100` | 256-byte frame (a buffer plus other locals; compare against how much a later copy can write) |
| String copy | `rep movsb` | Inlined memcpy/strcpy-style copy (check the rcx length against the destination size) |
| Memset | `rep stosb` | Memory zero/fill |
| Switch-case | Indirect jump: `jmp [rax*8 + table]` | Jump table (check that the index was bounds-checked first) |
| System call (Linux) | `mov rax, N; syscall` | Direct system call, number N in rax |
| Printf/format string | `lea rdi, [rip+str]; call printf@plt` | Print statement (if rdi is not a literal but comes from input, it is a format-string bug) |
| Heap allocation | `call malloc` / `call operator new` | Dynamic memory |

**Common ARM64 Patterns:**
| Pattern | Instructions | Meaning |
|---------|--------------|---------|
| Function prologue | `stp x29, x30, [sp, #-N]!` | Save frame pointer & LR |
| Return | `ret` (uses x30) | Return from function |
| Load/store pair | `ldp/stp` | Load/store two registers |
| Branch + link | `bl func` | Call function |
| Conditional branch | `b.eq / b.ne / b.lt` | Conditional jump |
| System call | `svc #0` | System call (number in x8, arguments in x0-x5) |

**Crypto constant detection:**
```python
# Common crypto constants to watch for (prefixes shown; the full tables are longer):
AES_SBOX_PREFIX = bytes.fromhex("637c777bf26b6fc5")   # first 8 bytes of the 256-byte AES SubBytes table
SHA256_K_PREFIX = [0x428a2f98, 0x71374491]            # first two of the 64 SHA-256 round constants
RC4_IDENTITY    = bytes(range(256))                   # RC4 KSA starts from S[i] = i (0x00..0xff)
```
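A concrete form of the constant hunt above, as an added example that is not the skill's own code: scan a binary blob for well-known table prefixes and round constants, packing word constants in both byte orders so the same scanner works on little-endian x86/ARM binaries and big-endian MIPS firmware. The sample blob is constructed inline; the constant values are the published ones for AES, SHA-256, MD5, SHA-1, CRC-32 and TEA/XTEA.

```python
"""Added example: locate well-known crypto constants in a binary blob."""
from __future__ import annotations
import struct
import sys

# Byte tables appear verbatim in .rodata regardless of endianness; a 16-byte prefix identifies them.
BYTE_SIGNATURES = {
    "AES forward S-box": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),   # S[0..15]
    "AES inverse S-box": bytes.fromhex("52096ad53036a538bf40a39e81f3d7fb"),   # InvS[0..15]
    "RC4 identity S (precomputed)": bytes(range(256)),  # KSA is usually a loop, so absence proves nothing
}
# Word tables and immediates are stored in the target's byte order, so each is packed both ways.
WORD_SIGNATURES = {
    "SHA-256 K[0..3]":    [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5],
    "SHA-256 IV":         [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A],
    "MD5/SHA-1 IV":       [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "MD5 T[1..4]":        [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE],
    "SHA-1 K[0] (immediate)": [0x5A827999],   # single words also match immediates inside code
    "CRC-32 table[1..3]": [0x77073096, 0xEE0E612C, 0x990951BA],
    "TEA/XTEA delta":     [0x9E3779B9],
}


def _find_all(hay: bytes, needle: bytes):
    """Yield every (possibly overlapping) offset of needle in hay."""
    i = hay.find(needle)
    while i != -1:
        yield i
        i = hay.find(needle, i + 1)


def find_crypto_constants(blob: bytes) -> list[tuple[str, int, str]]:
    """Return (name, file_offset, encoding) for each signature occurrence, sorted by offset."""
    hits = []
    for name, sig in BYTE_SIGNATURES.items():
        hits += [(name, off, "bytes") for off in _find_all(blob, sig)]
    for name, words in WORD_SIGNATURES.items():
        for end, label in (("<", "le32"), (">", "be32")):
            sig = struct.pack(f"{end}{len(words)}I", *words)
            hits += [(name, off, label) for off in _find_all(blob, sig)]
    return sorted(hits, key=lambda h: h[1])


def guess_algorithms(hits) -> set[str]:
    """Collapse hits to algorithm families for a one-line triage summary."""
    return {name.split()[0] for name, _, _ in hits}


def build_sample_blob() -> bytes:
    """Constructed sample (not a real binary): NOP padding, SHA-256 K as LE words, AES S-box prefix."""
    sha_k = struct.pack("<4I", *WORD_SIGNATURES["SHA-256 K[0..3]"])
    return b"\x90" * 0x40 + sha_k + b"\xcc" * 0x10 + BYTE_SIGNATURES["AES forward S-box"] + b"\x00" * 0x20


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    for name, off, enc in find_crypto_constants(data):
        print(f"0x{off:08x}  {enc:5}  {name}")
    print("families:", ", ".join(sorted(guess_algorithms(find_crypto_constants(data)))))
```

Offsets are file offsets; map them to virtual addresses through the section or segment table before jumping to them in a disassembler. Compilers sometimes generate a table at runtime instead of storing it, so a miss is weak evidence while a hit is strong.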

### 3. Firmware Reverse Engineering

**When the user asks to analyze embedded firmware:**

```bash
# Step 1: Identify firmware format
file firmware.bin
binwalk firmware.bin

# Step 2: Extract filesystem
binwalk -e firmware.bin
# Extracts to _firmware.bin.extracted/ (the root filesystem usually lands in a subdirectory such as squashfs-root/)
cd _firmware.bin.extracted/

# Step 3: Analyze extracted filesystem
ls -la
find . -name "*.cgi" -o -name "passwd" -o -name "shadow" -o -name "*.conf"

# Step 4: Find sensitive data
grep -ri "password\|admin\|secret\|key" . --include="*.conf" --include="*.xml"

# Step 5: Find binary entry points (adjust the path to where the rootfs landed)
file bin/*
strings -a bin/httpd | grep -iE "(password|auth|key)"
```
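Steps 3 to 5 above come down to walking the extracted root and inspecting a few well-known places. As an added example, not the skill's own code, the following Python performs that audit: it parses `passwd`/`shadow` for empty password fields, hashes stored in a world-readable `passwd`, and extra UID-0 accounts; flags embedded PEM private keys; and flags credential-looking settings in config files. It runs against a small constructed root filesystem written to a temporary directory; the file names and contents (including the hash string) are made up for the demo and come from no real device.

```python
"""Added example: audit an extracted firmware root for hardcoded credentials and keys."""
from __future__ import annotations
import re
import tempfile
from pathlib import Path

PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
# key = value / key: value lines whose key smells like a credential (heuristic; expect some noise)
CRED_LINE_RE = re.compile(
    r"^\s*([\w.-]*(?:pass|pwd|secret|token|psk|passphrase)[\w.-]*)\s*[=:]\s*(\S+)", re.I | re.M)
CONFIG_EXTS = {".conf", ".cfg", ".ini", ".xml", ".json", ".sh"}
LOCKED = {"x", "*", "!", "!!"}   # password field values meaning "see shadow" or "account locked"


def hash_type(pw: str) -> str:
    """Identify the crypt(3) scheme so the report says what a cracker would be up against."""
    for prefix, name in (("$1$", "md5crypt"), ("$5$", "sha256crypt"), ("$6$", "sha512crypt"),
                         ("$2", "bcrypt"), ("$y$", "yescrypt")):
        if pw.startswith(prefix):
            return name
    return "DES-crypt" if len(pw) == 13 else "unknown"


def audit_passwd_like(text: str, is_passwd: bool) -> list[tuple[str, str]]:
    """passwd lines: user:pw:uid:gid:gecos:home:shell   shadow lines: user:hash:lastchg:..."""
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            out.append((user, "empty password field (login without password)"))
        elif pw not in LOCKED and not pw.startswith("!"):
            where = "world-readable passwd" if is_passwd else "shadow"
            out.append((user, f"{hash_type(pw)} hash stored in {where}"))
        if is_passwd and len(fields) >= 3 and fields[2] == "0" and user != "root":
            out.append((user, "extra UID 0 account"))
    return out


def audit_firmware_root(root: Path) -> list[tuple[str, str]]:
    """Walk the extracted filesystem and return (relative_path, finding) pairs."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if path.name in ("passwd", "shadow"):
            for user, issue in audit_passwd_like(data.decode(errors="replace"), path.name == "passwd"):
                findings.append((rel, f"{user}: {issue}"))
        if PEM_KEY_RE.search(data):
            findings.append((rel, "embedded private key"))
        if path.suffix in CONFIG_EXTS:
            for m in CRED_LINE_RE.finditer(data.decode(errors="replace")):
                findings.append((rel, f"credential-looking setting '{m.group(1)}'"))
    return findings


def build_sample_root(root: Path) -> None:
    """Constructed sample rootfs (made-up contents, not from any real device)."""
    files = {
        "etc/passwd": ("root:$1$saltsalt$0123456789abcdefghijkl:0:0:root:/root:/bin/sh\n"
                       "admin::0:0:admin:/:/bin/sh\n"
                       "daemon:x:1:1:daemon:/:/bin/false\n"),
        "etc/ssh/host_key.pem": ("-----BEGIN RSA PRIVATE KEY-----\n"
                                 "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
                                 "-----END RSA PRIVATE KEY-----\n"),
        "etc/config/wifi.conf": "ssid=lab\nwpa_passphrase=changeme123\nchannel=6\n",
        "etc/init.d/rcS": "#!/bin/sh\nmount -a\n/usr/sbin/httpd &\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)


def run_demo() -> list[tuple[str, str]]:
    """Build the constructed rootfs in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_root(root)
        return audit_firmware_root(root)


if __name__ == "__main__":
    for rel, finding in run_demo():
        print(f"{rel:28} {finding}")
```

Run `audit_firmware_root(Path("squashfs-root"))` (or wherever binwalk put the rootfs) on a real extraction. The credential regex is a triage aid: every hit still has to be read in context, and real devices often keep credentials in binaries or NVRAM defaults that this file-level pass does not see.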

**Firmware Analysis Checklist:**
```
[ ] Identify firmware packaging format (SquashFS, JFFS2, CPIO, raw)
[ ] Extract filesystem using binwalk -e
[ ] Identify target OS or RTOS (Linux, VxWorks, ThreadX, FreeRTOS)
[ ] Find hardcoded credentials in /etc/passwd, config files, binaries
[ ] Identify web interface binaries (httpd, lighttpd, uhttpd)
[ ] Check for debug interfaces (JTAG, UART, SSH enabled)
[ ] Identify