Binary Analysis Patterns

Master reverse engineering with comprehensive binary analysis patterns

✨ The solution you've been looking for

Verified
Tested and verified by our team
25450 Stars

Master binary analysis patterns including disassembly, decompilation, control flow analysis, and code pattern recognition. Use when analyzing executables, understanding compiled code, or performing static analysis on binaries.

reverse-engineering binary-analysis disassembly decompilation malware-analysis security-research debugging assembly
Repository

See It In Action

Interactive preview & real-world examples

Live Demo
Skill Demo Animation

AI Conversation Simulator

See how users interact with this skill

User Prompt

Help me analyze this binary - I need to understand the function prologue at 0x401000 and identify what calling convention it uses

Skill Processing

Analyzing request...

Agent Response

Detailed analysis of assembly patterns, calling conventions, and potential malicious behaviors with security implications

Quick Start (3 Steps)

Get up and running in minutes

1

Install

claude-code skill install binary-analysis-patterns

claude-code skill install binary-analysis-patterns
2

Config

3

First Trigger

@binary-analysis-patterns help

Commands

CommandDescriptionRequired Args
@binary-analysis-patterns malware-analysisAnalyze suspicious executables to understand their behavior and identify threatsNone
@binary-analysis-patterns legacy-code-reverse-engineeringReconstruct source logic from compiled binaries when source code is unavailableNone
@binary-analysis-patterns vulnerability-researchIdentify potential security vulnerabilities through static binary analysisNone

Typical Use Cases

Malware Analysis

Analyze suspicious executables to understand their behavior and identify threats

Legacy Code Reverse Engineering

Reconstruct source logic from compiled binaries when source code is unavailable

Vulnerability Research

Identify potential security vulnerabilities through static binary analysis

Overview

Binary Analysis Patterns

Comprehensive patterns and techniques for analyzing compiled binaries, understanding assembly code, and reconstructing program logic.

Disassembly Fundamentals

x86-64 Instruction Patterns

Function Prologue/Epilogue

 1; Standard prologue
 2push rbp           ; Save base pointer
 3mov rbp, rsp       ; Set up stack frame
 4sub rsp, 0x20      ; Allocate local variables
 5
 6; Leaf function (no calls)
 7; May skip frame pointer setup
 8sub rsp, 0x18      ; Just allocate locals
 9
10; Standard epilogue
11mov rsp, rbp       ; Restore stack pointer
12pop rbp            ; Restore base pointer
13ret
14
15; Leave instruction (equivalent)
16leave              ; mov rsp, rbp; pop rbp
17ret

Calling Conventions

System V AMD64 (Linux, macOS)

 1; Arguments: RDI, RSI, RDX, RCX, R8, R9, then stack
 2; Return: RAX (and RDX for 128-bit)
 3; Caller-saved: RAX, RCX, RDX, RSI, RDI, R8-R11
 4; Callee-saved: RBX, RBP, R12-R15
 5
 6; Example: func(a, b, c, d, e, f, g)
 7mov rdi, [a]       ; 1st arg
 8mov rsi, [b]       ; 2nd arg
 9mov rdx, [c]       ; 3rd arg
10mov rcx, [d]       ; 4th arg
11mov r8, [e]        ; 5th arg
12mov r9, [f]        ; 6th arg
13push [g]           ; 7th arg on stack
14call func

Microsoft x64 (Windows)

 1; Arguments: RCX, RDX, R8, R9, then stack
 2; Shadow space: 32 bytes reserved on stack
 3; Return: RAX
 4
 5; Example: func(a, b, c, d, e)
 6sub rsp, 0x28      ; Shadow space + alignment
 7mov rcx, [a]       ; 1st arg
 8mov rdx, [b]       ; 2nd arg
 9mov r8, [c]        ; 3rd arg
10mov r9, [d]        ; 4th arg
11mov [rsp+0x20], [e] ; 5th arg on stack
12call func
13add rsp, 0x28

ARM Assembly Patterns

ARM64 (AArch64) Calling Convention

 1; Arguments: X0-X7
 2; Return: X0 (and X1 for 128-bit)
 3; Frame pointer: X29
 4; Link register: X30
 5
 6; Function prologue
 7stp x29, x30, [sp, #-16]!  ; Save FP and LR
 8mov x29, sp                 ; Set frame pointer
 9
10; Function epilogue
11ldp x29, x30, [sp], #16    ; Restore FP and LR
12ret

ARM32 Calling Convention

 1; Arguments: R0-R3, then stack
 2; Return: R0 (and R1 for 64-bit)
 3; Link register: LR (R14)
 4
 5; Function prologue
 6push {fp, lr}
 7add fp, sp, #4
 8
 9; Function epilogue
10pop {fp, pc}    ; Return by popping PC

Control Flow Patterns

Conditional Branches

 1; if (a == b)
 2cmp eax, ebx
 3jne skip_block
 4; ... if body ...
 5skip_block:
 6
 7; if (a < b) - signed
 8cmp eax, ebx
 9jge skip_block    ; Jump if greater or equal
10; ... if body ...
11skip_block:
12
13; if (a < b) - unsigned
14cmp eax, ebx
15jae skip_block    ; Jump if above or equal
16; ... if body ...
17skip_block:

Loop Patterns

 1; for (int i = 0; i < n; i++)
 2xor ecx, ecx           ; i = 0
 3loop_start:
 4cmp ecx, [n]           ; i < n
 5jge loop_end
 6; ... loop body ...
 7inc ecx                ; i++
 8jmp loop_start
 9loop_end:
10
11; while (condition)
12jmp loop_check
13loop_body:
14; ... body ...
15loop_check:
16cmp eax, ebx
17jl loop_body
18
19; do-while
20loop_body:
21; ... body ...
22cmp eax, ebx
23jl loop_body

Switch Statement Patterns

 1; Jump table pattern
 2mov eax, [switch_var]
 3cmp eax, max_case
 4ja default_case
 5jmp [jump_table + eax*8]
 6
 7; Sequential comparison (small switch)
 8cmp eax, 1
 9je case_1
10cmp eax, 2
11je case_2
12cmp eax, 3
13je case_3
14jmp default_case

Data Structure Patterns

Array Access

 1; array[i] - 4-byte elements
 2mov eax, [rbx + rcx*4]        ; rbx=base, rcx=index
 3
 4; array[i] - 8-byte elements
 5mov rax, [rbx + rcx*8]
 6
 7; Multi-dimensional array[i][j]
 8; arr[i][j] = base + (i * cols + j) * element_size
 9imul eax, [cols]
10add eax, [j]
11mov edx, [rbx + rax*4]

Structure Access

1struct Example {
2    int a;      // offset 0
3    char b;     // offset 4
4    // padding  // offset 5-7
5    long c;     // offset 8
6    short d;    // offset 16
7};

1; Accessing struct fields
2mov rdi, [struct_ptr]
3mov eax, [rdi]         ; s->a (offset 0)
4movzx eax, byte [rdi+4] ; s->b (offset 4)
5mov rax, [rdi+8]       ; s->c (offset 8)
6movzx eax, word [rdi+16] ; s->d (offset 16)

Linked List Traversal

1; while (node != NULL)
2list_loop:
3test rdi, rdi          ; node == NULL?
4jz list_done
5; ... process node ...
6mov rdi, [rdi+8]       ; node = node->next (assuming next at offset 8)
7jmp list_loop
8list_done:

Common Code Patterns

String Operations

 1; strlen pattern
 2xor ecx, ecx
 3strlen_loop:
 4cmp byte [rdi + rcx], 0
 5je strlen_done
 6inc ecx
 7jmp strlen_loop
 8strlen_done:
 9; ecx contains length
10
11; strcpy pattern
12strcpy_loop:
13mov al, [rsi]
14mov [rdi], al
15test al, al
16jz strcpy_done
17inc rsi
18inc rdi
19jmp strcpy_loop
20strcpy_done:
21
22; memcpy using rep movsb
23mov rdi, dest
24mov rsi, src
25mov rcx, count
26rep movsb

Arithmetic Patterns

 1; Multiplication by constant
 2; x * 3
 3lea eax, [rax + rax*2]
 4
 5; x * 5
 6lea eax, [rax + rax*4]
 7
 8; x * 10
 9lea eax, [rax + rax*4]  ; x * 5
10add eax, eax            ; * 2
11
12; Division by power of 2 (signed)
13mov eax, [x]
14cdq                     ; Sign extend to EDX:EAX
15and edx, 7              ; For divide by 8
16add eax, edx            ; Adjust for negative
17sar eax, 3              ; Arithmetic shift right
18
19; Modulo power of 2
20and eax, 7              ; x % 8

Bit Manipulation

 1; Test specific bit
 2test eax, 0x80          ; Test bit 7
 3jnz bit_set
 4
 5; Set bit
 6or eax, 0x10            ; Set bit 4
 7
 8; Clear bit
 9and eax, ~0x10          ; Clear bit 4
10
11; Toggle bit
12xor eax, 0x10           ; Toggle bit 4
13
14; Count leading zeros
15bsr eax, ecx            ; Bit scan reverse
16xor eax, 31             ; Convert to leading zeros
17
18; Population count (popcnt)
19popcnt eax, ecx         ; Count set bits

Decompilation Patterns

Variable Recovery

1; Local variable at rbp-8
2mov qword [rbp-8], rax  ; Store to local
3mov rax, [rbp-8]        ; Load from local
4
5; Stack-allocated array
6lea rax, [rbp-0x40]     ; Array starts at rbp-0x40
7mov [rax], edx          ; array[0] = value
8mov [rax+4], ecx        ; array[1] = value

Function Signature Recovery

1; Identify parameters by register usage
2func:
3    ; rdi used as first param (System V)
4    mov [rbp-8], rdi    ; Save param to local
5    ; rsi used as second param
6    mov [rbp-16], rsi
7    ; Identify return by RAX at end
8    mov rax, [result]
9    ret

Type Recovery

 1; 1-byte operations suggest char/bool
 2movzx eax, byte [rdi]   ; Zero-extend byte
 3movsx eax, byte [rdi]   ; Sign-extend byte
 4
 5; 2-byte operations suggest short
 6movzx eax, word [rdi]
 7movsx eax, word [rdi]
 8
 9; 4-byte operations suggest int/float
10mov eax, [rdi]
11movss xmm0, [rdi]       ; Float
12
13; 8-byte operations suggest long/double/pointer
14mov rax, [rdi]
15movsd xmm0, [rdi]       ; Double

Ghidra Analysis Tips

Improving Decompilation

 1// In Ghidra scripting
 2// Fix function signature
 3Function func = getFunctionAt(toAddr(0x401000));
 4func.setReturnType(IntegerDataType.dataType, SourceType.USER_DEFINED);
 5
 6// Create structure type
 7StructureDataType struct = new StructureDataType("MyStruct", 0);
 8struct.add(IntegerDataType.dataType, "field_a", null);
 9struct.add(PointerDataType.dataType, "next", null);
10
11// Apply to memory
12createData(toAddr(0x601000), struct);

Pattern Matching Scripts

1# Find all calls to dangerous functions
2for func in currentProgram.getFunctionManager().getFunctions(True):
3    for ref in getReferencesTo(func.getEntryPoint()):
4        if func.getName() in ["strcpy", "sprintf", "gets"]:
5            print(f"Dangerous call at {ref.getFromAddress()}")

IDA Pro Patterns

IDAPython Analysis

 1import idaapi
 2import idautils
 3import idc
 4
 5# Find all function calls
 6def find_calls(func_name):
 7    for func_ea in idautils.Functions():
 8        for head in idautils.Heads(func_ea, idc.find_func_end(func_ea)):
 9            if idc.print_insn_mnem(head) == "call":
10                target = idc.get_operand_value(head, 0)
11                if idc.get_func_name(target) == func_name:
12                    print(f"Call to {func_name} at {hex(head)}")
13
14# Rename functions based on strings
15def auto_rename():
16    for s in idautils.Strings():
17        for xref in idautils.XrefsTo(s.ea):
18            func = idaapi.get_func(xref.frm)
19            if func and "sub_" in idc.get_func_name(func.start_ea):
20                # Use string as hint for naming
21                pass

Best Practices

Analysis Workflow

  1. Initial triage: File type, architecture, imports/exports
  2. String analysis: Identify interesting strings, error messages
  3. Function identification: Entry points, exports, cross-references
  4. Control flow mapping: Understand program structure
  5. Data structure recovery: Identify structs, arrays, globals
  6. Algorithm identification: Crypto, hashing, compression
  7. Documentation: Comments, renamed symbols, type definitions

Common Pitfalls

  • Optimizer artifacts: Code may not match source structure
  • Inline functions: Functions may be expanded inline
  • Tail call optimization: jmp instead of call + ret
  • Dead code: Unreachable code from optimization
  • Position-independent code: RIP-relative addressing

What Users Are Saying

Real feedback from the community

Environment Matrix

Dependencies

Disassembler (IDA Pro, Ghidra, or Radare2)
Hex editor
Debugger (GDB, x64dbg, or WinDbg)

Framework Support

IDA Pro ✓ (recommended) Ghidra ✓ (recommended) Radare2 ✓ Binary Ninja ✓

Context Window

Token Usage ~10K-20K tokens for comprehensive binary analysis sessions

Security & Privacy

Information

Author
wshobson
Updated
2026-01-30
Category
debugging

Related Skills

Binary Analysis Patterns

Master binary analysis patterns including disassembly, decompilation, control flow analysis, and …

View Details →

Anti Reversing Techniques

Understand anti-reversing, obfuscation, and protection techniques encountered during software …

View Details →

Anti Reversing Techniques

Understand anti-reversing, obfuscation, and protection techniques encountered during software …

View Details →