Binary Analysis Patterns

1---
2name: binary-analysis-patterns
3description: Master binary analysis patterns including disassembly, decompilation, control flow analysis, and code pattern recognition. Use when analyzing executables, understanding compiled code, or performing static analysis on binaries.
4---
5 
6# Binary Analysis Patterns
7 
8Comprehensive patterns and techniques for analyzing compiled binaries, understanding assembly code, and reconstructing program logic.
9 
10## Use this skill when
11 
12- Working on binary analysis patterns tasks or workflows
13- Needing guidance, best practices, or checklists for binary analysis patterns
14 
15## Do not use this skill when
16 
17- The task is unrelated to binary analysis patterns
18- You need a different domain or tool outside this scope
19 
20## Instructions
21 
22- Clarify goals, constraints, and required inputs.
23- Apply relevant best practices and validate outcomes.
24- Provide actionable steps and verification.
25- If detailed examples are required, open `resources/implementation-playbook.md`.
26 
27## Disassembly Fundamentals
28 
29### x86-64 Instruction Patterns
30 
31#### Function Prologue/Epilogue
32```asm
33; Standard prologue
34push rbp           ; Save base pointer
35mov rbp, rsp       ; Set up stack frame
36sub rsp, 0x20      ; Allocate local variables
37 
38; Leaf function (no calls)
39; May skip frame pointer setup
40sub rsp, 0x18      ; Just allocate locals
41 
42; Standard epilogue
43mov rsp, rbp       ; Restore stack pointer
44pop rbp            ; Restore base pointer
45ret
46 
47; Leave instruction (equivalent)
48leave              ; mov rsp, rbp; pop rbp
49ret
50```
51 
52#### Calling Conventions
53 
54**System V AMD64 (Linux, macOS)**
55```asm
56; Arguments: RDI, RSI, RDX, RCX, R8, R9, then stack
57; Return: RAX (and RDX for 128-bit)
58; Caller-saved: RAX, RCX, RDX, RSI, RDI, R8-R11
59; Callee-saved: RBX, RBP, R12-R15
60 
61; Example: func(a, b, c, d, e, f, g)
62mov rdi, [a]       ; 1st arg
63mov rsi, [b]       ; 2nd arg
64mov rdx, [c]       ; 3rd arg
65mov rcx, [d]       ; 4th arg
66mov r8, [e]        ; 5th arg
67mov r9, [f]        ; 6th arg
68push [g]           ; 7th arg on stack
69call func
70```
71 
72**Microsoft x64 (Windows)**
73```asm
74; Arguments: RCX, RDX, R8, R9, then stack
75; Shadow space: 32 bytes reserved on stack
76; Return: RAX
77 
78; Example: func(a, b, c, d, e)
79sub rsp, 0x28      ; Shadow space + alignment
80mov rcx, [a]       ; 1st arg
81mov rdx, [b]       ; 2nd arg
82mov r8, [c]        ; 3rd arg
83mov r9, [d]        ; 4th arg
84mov [rsp+0x20], [e] ; 5th arg on stack
85call func
86add rsp, 0x28
87```
88 
89### ARM Assembly Patterns
90 
91#### ARM64 (AArch64) Calling Convention
92```asm
93; Arguments: X0-X7
94; Return: X0 (and X1 for 128-bit)
95; Frame pointer: X29
96; Link register: X30
97 
98; Function prologue
99stp x29, x30, [sp, #-16]!  ; Save FP and LR
100mov x29, sp                 ; Set frame pointer
101 
102; Function epilogue
103ldp x29, x30, [sp], #16    ; Restore FP and LR
104ret
105```
106 
107#### ARM32 Calling Convention
108```asm
109; Arguments: R0-R3, then stack
110; Return: R0 (and R1 for 64-bit)
111; Link register: LR (R14)
112 
113; Function prologue
114push {fp, lr}
115add fp, sp, #4
116 
117; Function epilogue
118pop {fp, pc}    ; Return by popping PC
119```
120 
121## Control Flow Patterns
122 
123### Conditional Branches
124 
125```asm
126; if (a == b)
127cmp eax, ebx
128jne skip_block
129; ... if body ...
130skip_block:
131 
132; if (a < b) - signed
133cmp eax, ebx
134jge skip_block    ; Jump if greater or equal
135; ... if body ...
136skip_block:
137 
138; if (a < b) - unsigned
139cmp eax, ebx
140jae skip_block    ; Jump if above or equal
141; ... if body ...
142skip_block:
143```
144 
145### Loop Patterns
146 
147```asm
148; for (int i = 0; i < n; i++)
149xor ecx, ecx           ; i = 0
150loop_start:
151cmp ecx, [n]           ; i < n
152jge loop_end
153; ... loop body ...
154inc ecx                ; i++
155jmp loop_start
156loop_end:
157 
158; while (condition)
159jmp loop_check
160loop_body:
161; ... body ...
162loop_check:
163cmp eax, ebx
164jl loop_body
165 
166; do-while
167loop_body:
168; ... body ...
169cmp eax, ebx
170jl loop_body
171```
172 
173### Switch Statement Patterns
174 
175```asm
176; Jump table pattern
177mov eax, [switch_var]
178cmp eax, max_case
179ja default_case
180jmp [jump_table + eax*8]
181 
182; Sequential comparison (small switch)
183cmp eax, 1
184je case_1
185cmp eax, 2
186je case_2
187cmp eax, 3
188je case_3
189jmp default_case
190```
191 
192## Data Structure Patterns
193 
194### Array Access
195 
196```asm
197; array[i] - 4-byte elements
198mov eax, [rbx + rcx*4]        ; rbx=base, rcx=index
199 
200; array[i] - 8-byte elements
201mov rax, [rbx + rcx*8]
202 
203; Multi-dimensional array[i][j]
204; arr[i][j] = base + (i * cols + j) * element_size
205imul eax, [cols]
206add eax, [j]
207mov edx, [rbx + rax*4]
208```
209 
210### Structure Access
211 
212```c
213struct Example {
214    int a;      // offset 0
215    char b;     // offset 4
216    // padding  // offset 5-7
217    long c;     // offset 8
218    short d;    // offset 16
219};
220```
221 
222```asm
223; Accessing struct fields
224mov rdi, [struct_ptr]
225mov eax, [rdi]         ; s->a (offset 0)
226movzx eax, byte [rdi+4] ; s->b (offset 4)
227mov rax, [rdi+8]       ; s->c (offset 8)
228movzx eax, word [rdi+16] ; s->d (offset 16)
229```
230 
231### Linked List Traversal
232 
233```asm
234; while (node != NULL)
235list_loop:
236test rdi, rdi          ; node == NULL?
237jz list_done
238; ... process node ...
239mov rdi, [rdi+8]       ; node = node->next (assuming next at offset 8)
240jmp list_loop
241list_done:
242```
243 
244## Common Code Patterns
245 
246### String Operations
247 
248```asm
249; strlen pattern
250xor ecx, ecx
251strlen_loop:
252cmp byte [rdi + rcx], 0
253je strlen_done
254inc ecx
255jmp strlen_loop
256strlen_done:
257; ecx contains length
258 
259; strcpy pattern
260strcpy_loop:
261mov al, [rsi]
262mov [rdi], al
263test al, al
264jz strcpy_done
265inc rsi
266inc rdi
267jmp strcpy_loop
268strcpy_done:
269 
270; memcpy using rep movsb
271mov rdi, dest
272mov rsi, src
273mov rcx, count
274rep movsb
275```
276 
277### Arithmetic Patterns
278 
279```asm
280; Multiplication by constant
281; x * 3
282lea eax, [rax + rax*2]
283 
284; x * 5
285lea eax, [rax + rax*4]
286 
287; x * 10
288lea eax, [rax + rax*4]  ; x * 5
289add eax, eax            ; * 2
290 
291; Division by power of 2 (signed)
292mov eax, [x]
293cdq                     ; Sign extend to EDX:EAX
294and edx, 7              ; For divide by 8
295add eax, edx            ; Adjust for negative
296sar eax, 3              ; Arithmetic shift right
297 
298; Modulo power of 2
299and eax, 7              ; x % 8
300```
301 
302### Bit Manipulation
303 
304```asm
305; Test specific bit
306test eax, 0x80          ; Test bit 7
307jnz bit_set
308 
309; Set bit
310or eax, 0x10            ; Set bit 4
311 
312; Clear bit
313and eax, ~0x10          ; Clear bit 4
314 
315; Toggle bit
316xor eax, 0x10           ; Toggle bit 4
317 
318; Count leading zeros
319bsr eax, ecx            ; Bit scan reverse
320xor eax, 31             ; Convert to leading zeros
321 
322; Population count (popcnt)
323popcnt eax, ecx         ; Count set bits
324```
325 
326## Decompilation Patterns
327 
328### Variable Recovery
329 
330```asm
331; Local variable at rbp-8
332mov qword [rbp-8], rax  ; Store to local
333mov rax, [rbp-8]        ; Load from local
334 
335; Stack-allocated array
336lea rax, [rbp-0x40]     ; Array starts at rbp-0x40
337mov [rax], edx          ; array[0] = value
338mov [rax+4], ecx        ; array[1] = value
339```
340 
341### Function Signature Recovery
342 
343```asm
344; Identify parameters by register usage
345func:
346    ; rdi used as first param (System V)
347    mov [rbp-8], rdi    ; Save param to local
348    ; rsi used as second param
349    mov [rbp-16], rsi
350    ; Identify return by RAX at end
351    mov rax, [result]
352    ret
353```
354 
355### Type Recovery
356 
357```asm
358; 1-byte operations suggest char/bool
359movzx eax, byte [rdi]   ; Zero-extend byte
360movsx eax, byte [rdi]   ; Sign-extend byte
361 
362; 2-byte operations suggest short
363movzx eax, word [rdi]
364movsx eax, word [rdi]
365 
366; 4-byte operations suggest int/float
367mov eax, [rdi]
368movss xmm0, [rdi]       ; Float
369 
370; 8-byte operations suggest long/double/pointer
371mov rax, [rdi]
372movsd xmm0, [rdi]       ; Double
373```
374 
375## Ghidra Analysis Tips
376 
377### Improving Decompilation
378 
379```java
380// In Ghidra scripting
381// Fix function signature
382Function func = getFunctionAt(toAddr(0x401000));
383func.setReturnType(IntegerDataType.dataType, SourceType.USER_DEFINED);
384 
385// Create structure type
386StructureDataType struct = new StructureDataType("MyStruct", 0);
387struct.add(IntegerDataType.dataType, "field_a", null);
388struct.add(PointerDataType.dataType, "next", null);
389 
390// Apply to memory
391createData(toAddr(0x601000), struct);
392```
393 
394### Pattern Matching Scripts
395 
396```python
397# Find all calls to dangerous functions
398for func in currentProgram.getFunctionManager().getFunctions(True):
399    for ref in getReferencesTo(func.getEntryPoint()):
400        if func.getName() in ["strcpy", "sprintf", "gets"]:
401            print(f"Dangerous call at {ref.getFromAddress()}")
402```
403 
404## IDA Pro Patterns
405 
406### IDAPython Analysis
407 
408```python
409import idaapi
410import idautils
411import idc
412 
413# Find all function calls
414def find_calls(func_name):
415    for func_ea in idautils.Functions():
416        for head in idautils.Heads(func_ea, idc.find_func_end(func_ea)):
417            if idc.print_insn_mnem(head) == "call":
418                target = idc.get_operand_value(head, 0)
419                if idc.get_func_name(target) == func_name:
420                    print(f"Call to {func_name} at {hex(head)}")
421 
422# Rename functions based on strings
423def auto_rename():
424    for s in idautils.Strings():
425        for xref in idautils.XrefsTo(s.ea):
426            func = idaapi.get_func(xref.frm)
427            if func and "sub_" in idc.get_func_name(func.start_ea):
428                # Use string as hint for naming
429                pass
430```
431 
432## Best Practices
433 
434### Analysis Workflow
435 
4361. **Initial triage**: File type, architecture, imports/exports
4372. **String analysis**: Identify interesting strings, error messages
4383. **Function identification**: Entry points, exports, cross-references
4394. **Control flow mapping**: Understand program structure
4405. **Data structure recovery**: Identify structs, arrays, globals
4416. **Algorithm identification**: Crypto, hashing, compression
4427. **Documentation**: Comments, renamed symbols, type definitions
443 
444### Common Pitfalls
445 
446- **Optimizer artifacts**: Code may not match source structure
447- **Inline functions**: Functions may be expanded inline
448- **Tail call optimization**: `jmp` instead of `call` + `ret`
449- **Dead code**: Unreachable code from optimization
450- **Position-independent code**: RIP-relative addressing
451