Agent skill

binary-re:static-analysis

Use when analyzing binary structure, disassembling code, or decompiling functions. Deep static analysis via radare2 (r2) and Ghidra headless - function enumeration, cross-references (xrefs), decompilation, control flow graphs. Keywords - "disassemble", "decompile", "what does this function do", "find functions", "analyze code", "r2", "ghidra", "pdg", "afl"

View SKILL.md on GitHub Repository
Stars 36
Forks 1

Install this agent skill to your Project

npx add-skill https://github.com/2389-research/claude-plugins/tree/main/binary-re/skills/static-analysis

SKILL.md

Static Analysis (Phases 2-3)

Purpose

Understand binary structure and logic without execution. Map functions, trace data flow, decompile critical code.

When to Use

  • After triage has established architecture and ABI
  • To understand specific functions identified as interesting
  • When dynamic analysis is impractical or risky
  • To build hypotheses before dynamic verification

Pre-Analysis: Compare Known I/O First

CRITICAL: Before diving into disassembly, check if known inputs/outputs exist.

⚠️ REQUIRES HUMAN APPROVAL - Get explicit approval before any execution, even for I/O comparison.

bash
# SAFE: Use emulation for cross-arch binaries (after human approval)
# ARM32:
qemu-arm -L /usr/arm-linux-gnueabihf -- ./binary < input.txt > actual.txt

# ARM64:
qemu-aarch64 -L /usr/aarch64-linux-gnu -- ./binary < input.txt > actual.txt

# Docker-based (macOS/cross-arch - see dynamic-analysis Option D):
docker run --rm --platform linux/arm/v7 -v ~/samples:/work:ro \
  arm32v7/debian:bullseye-slim sh -c '/work/binary < /work/input.txt' > actual.txt

# x86-64 native (still requires approval):
./binary < input.txt > actual.txt

# Compare outputs:
diff expected.txt actual.txt
cmp -l expected.txt actual.txt | head -20  # Byte-level differences

# Record findings:
# - Where does output first diverge?
# - Does file size match? (logic bug vs truncation)
# - What pattern appears in corruption?

This step often reveals the bug category before any code analysis.

Two-Stage Approach

Stage 1 (Light): Function enumeration, strings, imports - fast, broad coverage Stage 2 (Deep): Targeted decompilation, CFG analysis - slow, focused

Stage 1: Light Analysis (radare2)

Analysis Depth Selection

Binary Size Command Tradeoff
< 500KB aaa Full analysis, may be slow
500KB - 5MB aa; aac Functions + all call targets
> 5MB aa + targeted af @addr Fast, manual depth control

Session Setup

bash
# Launch r2 with controlled analysis
r2 -q0 -e scr.color=false -e anal.timeout=120 -e anal.maxsize=67108864 binary

# Inside r2 (choose based on binary size):
aa       # Basic analysis
aac      # Also analyze all call targets (recommended for most binaries)

Critical settings:

  • anal.timeout=120 - Prevent runaway analysis
  • anal.maxsize=67108864 - 64MB max function size
  • Use aa; aac for medium binaries, aaa only for small ones

Handling Unanalyzed Call Targets

If axtj returns empty for known imports:

bash
# The import may be called indirectly or analysis was too shallow
# Option 1: Deeper analysis
aac   # Analyze all calls

# Option 2: Manually create function at call target
af @0x8048abc

# Option 3: Search for references to import address
axtj @sym.imp.connect

Function Enumeration

bash
# All functions as JSON
aflj

# Filter by name pattern
aflj~main
aflj~init
aflj~network
aflj~send
aflj~recv

# Function count
afl~?

Cross-Reference Analysis

bash
# Who calls this function?
axtj @sym.imp.connect

# What does this function call?
axfj @sym.main

# Data references to address
axtj @0x12345

String-Function Correlation

bash
# Find which function contains a string
izj~api.vendor.com
# Note the vaddr, then find containing function
afi @0xVADDR

# Or search and map
"/j api"    # Search for string
axtj @@hit* # Xrefs to all hits

Import/Export Mapping

bash
# Imports with addresses
iij

# Exports with addresses
iEj

# Symbols (if not stripped)
isj

Quick Disassembly

bash
# Disassemble function as JSON
pdfj @sym.main

# Disassemble N instructions from address
pdj 20 @0x8400

# Print function summary
afi @sym.main

Stage 2: Deep Analysis

r2ghidra Availability Check

Before attempting decompilation, verify r2ghidra is installed:

bash
# Check if r2ghidra is available
r2 -qc 'pdg?' - 2>/dev/null | grep -q Usage && echo "r2ghidra OK" || echo "SKIP: r2ghidra not installed"

# If missing, install with:
r2pm -ci r2ghidra

If r2ghidra unavailable: Rely on disassembly (pdf) and cross-reference analysis (axt/axf).

Targeted Decompilation (r2ghidra)

bash
# Decompile specific function
pdgj @sym.target_function

# Or named function
pdgj @sym.main

Ghidra Headless (Large Binaries)

For complex functions or when r2ghidra struggles:

bash
# Create analysis project and run script
analyzeHeadless /tmp/ghidra_proj proj \
  -import binary \
  -overwrite \
  -processor ARM:LE:32:v7 \
  -postScript ExportDecompilation.java sym.target_function \
  -deleteProject

Processor strings:

  • ARM 32-bit: ARM:LE:32:v7 or ARM:LE:32:Cortex
  • ARM 64-bit: AARCH64:LE:64:v8A
  • x86_64: x86:LE:64:default
  • MIPS LE: MIPS:LE:32:default
  • MIPS BE: MIPS:BE:32:default

Control Flow Analysis

bash
# Basic blocks in function
afbj @sym.main

# Function call graph (dot format)
agCd @sym.main > callgraph.dot

# Control flow graph
agfd @sym.main > cfg.dot

Data Structure Recovery

bash
# Analyze local variables
afvj @sym.main

# Stack frame layout
afvd @sym.main

# Global data references
adrj

Analysis Patterns

Pattern: Network Function Tracing

bash
# Find all network-related calls
axtj @sym.imp.socket
axtj @sym.imp.connect
axtj @sym.imp.send
axtj @sym.imp.recv
axtj @sym.imp.SSL_read
axtj @sym.imp.SSL_write

# Trace caller chain
for func in $(aflj | jq -r '.[].name'); do
  axfj @$func | grep -q "socket\|connect" && echo $func
done

Pattern: Configuration File Analysis

bash
# Find file operations
axtj @sym.imp.open
axtj @sym.imp.fopen

# Trace string arguments
"/j /etc"
"/j .conf"
"/j .json"

# Check what functions reference these paths

Pattern: Crypto Identification

bash
# Common crypto imports
axtj @sym.imp.EVP_EncryptInit
axtj @sym.imp.AES_encrypt
axtj @sym.imp.SHA256

# Hardcoded keys (check strings near crypto calls)
izj | jq '.strings[] | select(.length == 16 or .length == 32)'

r2 JSON Commands Reference

Command Output Use Case
aflj Functions list Map code structure
axtj @addr Xrefs TO address Who uses this?
axfj @addr Xrefs FROM address What does it call?
pdfj @addr Disassembly Understand instructions
pdgj @addr Decompilation Pseudo-C output
afbj @addr Basic blocks Control flow
izj Data strings Configuration, URLs
iij Imports External dependencies
iEj Exports Public interface
afvj @addr Local variables Stack analysis

Output Format

Record analysis findings as structured facts:

json
{
  "functions_analyzed": [
    {
      "name": "sub_8400",
      "address": "0x8400",
      "size": 256,
      "calls": ["socket", "connect", "send"],
      "called_by": ["main", "init_network"],
      "strings_referenced": ["api.vendor.com"],
      "hypothesis": "network_initialization"
    }
  ],
  "call_graph": {
    "main": ["init_config", "init_network", "main_loop"],
    "init_network": ["sub_8400", "SSL_CTX_new"]
  },
  "data_flow": [
    {
      "source": "config_file_read",
      "through": ["parse_config", "extract_url"],
      "sink": "connect_to_server"
    }
  ]
}

Knowledge Journaling

After static analysis, record findings for episodic memory:

[BINARY-RE:static] {filename} (sha256: {hash})

Functions analyzed: {count}
Decompilation performed: {yes|no}

Key functions:
  FACT: Function at {addr} calls {imports} (source: r2 axfj)
  FACT: Function at {addr} references string "{string}" (source: r2 axtj)
  FACT: Function {name} appears to {purpose} (source: decompilation)

Cross-references:
  FACT: {caller} calls {callee} (source: r2 axtj)

HYPOTHESIS UPDATE: {refined theory} (confidence: {new_value})
  Supporting: {fact_ids}
  Contradicting: {fact_ids}

New questions:
  QUESTION: {discovered unknown}

Answered questions:
  RESOLVED: {question} → {answer}

Example Journal Entry

[BINARY-RE:static] thermostat_daemon (sha256: a1b2c3d4...)

Functions analyzed: 47
Decompilation performed: yes (function 0x8400)

Key functions:
  FACT: Function 0x8400 calls curl_easy_perform, curl_easy_setopt (source: r2 axfj)
  FACT: Function 0x8400 references string "api.thermco.com/telemetry" (source: r2 axtj)
  FACT: Function 0x9200 parses JSON using jsmn library (source: decompilation)
  FACT: Function 0x10800 is main loop, calls 0x8400 after sleep(30) (source: r2 pdf)

Cross-references:
  FACT: main calls init_config (0x9000) then main_loop (0x10800) (source: r2 axtj)
  FACT: main_loop calls send_telemetry (0x8400) in loop (source: r2 pdf)

HYPOTHESIS UPDATE: Telemetry client sending to api.thermco.com every 30 seconds (confidence: 0.85)
  Supporting: URL string, curl imports, sleep(30) in loop
  Contradicting: none

New questions:
  QUESTION: What data fields are included in telemetry payload?
  QUESTION: Is there any authentication/API key?

Answered questions:
  RESOLVED: "What endpoint?" → api.thermco.com/telemetry via HTTPS

Decision Points

After static analysis:

  1. Identified critical functions? → Ready for dynamic verification
  2. Unclear behavior? → Try dynamic analysis for runtime observation
  3. Crypto detected? → Document key handling, note for security review
  4. Anti-analysis patterns? → Consider Unicorn snippet emulation

Next Steps

binary-re-dynamic-analysis to verify hypotheses with runtime observation → binary-re-synthesis if sufficient understanding reached

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

2389-research/claude-plugins

css-development

This skill should be used when working with CSS, creating components, styling elements, refactoring styles, or reviewing CSS code. Triggers on "CSS", "styles", "Tailwind", "dark mode", "component styling", "semantic class", "@apply", "stylesheet". Routes to specialized sub-skills for creation, validation, or refactoring.

36 1
Explore
2389-research/claude-plugins

css-development:create-component

This skill should be used when creating new styled components or adding new CSS classes. Triggers on "create component", "new button", "new card", "add styles", "style component", "build UI element". Guides semantic naming, Tailwind composition, dark mode support, and test coverage.

36 1
Explore
2389-research/claude-plugins

css-development:refactor

This skill should be used when refactoring existing CSS from inline styles or utility classes to semantic patterns. Triggers on "refactor CSS", "extract styles", "consolidate CSS", "convert inline", "clean up styles", "migrate to semantic". Transforms to semantic classes with dark mode and tests.

36 1
Explore
2389-research/claude-plugins

css-development:validate

This skill should be used when reviewing or auditing existing CSS code for consistency with established patterns. Triggers on "review CSS", "audit styles", "check CSS", "validate stylesheet", "CSS review". Checks semantic naming, dark mode coverage, Tailwind usage, and test coverage.

36 1
Explore
2389-research/claude-plugins

ceo-personal-os

This skill should be used when building a personal productivity or operating system for a CEO, founder, or executive. Triggers on "personal OS", "annual review", "life planning", "goal setting system", "Bill Campbell", "Trillion Dollar Coach", "startup failure patterns", "Good to Great", "Level 5 Leadership", "Buy Back Your Time", "E-Myth", "Customer Development", "Steve Blank", "Small Is Beautiful", "Schumacher", "human-scale", "subsidiarity", "Buddhist economics", "permanence".

36 1
Explore
2389-research/claude-plugins

gtm-partner

Strategic go-to-market partner that recommends channels, validates strategy with the user, and generates only the assets that matter. Use when a user has a validated business idea and needs tailored GTM strategy, not generic marketing assets.

36 1
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results