[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-c57919a2-1c3d-4928-8cfb-adb19ccf39ce":3,"$fRWv0CBF50_qQ-JrB0ZkPAXMR_uZJEn6n9pE0evmvNCw":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"c57919a2-1c3d-4928-8cfb-adb19ccf39ce","binary-analysis-patterns","综合分析编译二进制文件、理解汇编代码和重构程序逻辑的模式和技术。","cat_life_career","mod_other","sickn33,other","---\nname: binary-analysis-patterns\ndescription: \"Comprehensive patterns and techniques for analyzing compiled binaries, understanding assembly code, and reconstructing program logic.\"\nrisk: unknown\nsource: community\ndate_added: \"2026-02-27\"\n---\n\n# Binary Analysis Patterns\n\nComprehensive patterns and techniques for analyzing compiled binaries, understanding assembly code, and reconstructing program logic.\n\n## Use this skill when\n\n- Working on binary analysis patterns tasks or workflows\n- Needing guidance, best practices, or checklists for binary analysis patterns\n\n## Do not use this skill when\n\n- The task is unrelated to binary analysis patterns\n- You need a different domain or tool outside this scope\n\n## Instructions\n\n- Clarify goals, constraints, and required inputs.\n- Apply relevant best practices and validate outcomes.\n- Provide actionable steps and verification.\n- If detailed examples are required, open `resources\u002Fimplementation-playbook.md`.\n\n## Disassembly Fundamentals\n\n### x86-64 Instruction Patterns\n\n#### Function Prologue\u002FEpilogue\n```asm\n; Standard prologue\npush rbp           ; Save base pointer\nmov rbp, rsp       ; Set up stack frame\nsub rsp, 0x20      ; Allocate local variables\n\n; Leaf function (no calls)\n; May skip frame pointer setup\nsub rsp, 0x18      ; Just allocate locals\n\n; Standard epilogue\nmov rsp, rbp       ; Restore stack pointer\npop rbp   
         ; Restore base pointer\nret\n\n; Leave instruction (equivalent)\nleave              ; mov rsp, rbp; pop rbp\nret\n```\n\n#### Calling Conventions\n\n**System V AMD64 (Linux, macOS)**\n```asm\n; Arguments: RDI, RSI, RDX, RCX, R8, R9, then stack\n; Return: RAX (and RDX for 128-bit)\n; Caller-saved: RAX, RCX, RDX, RSI, RDI, R8-R11\n; Callee-saved: RBX, RBP, R12-R15\n\n; Example: func(a, b, c, d, e, f, g)\nmov rdi, [a]       ; 1st arg\nmov rsi, [b]       ; 2nd arg\nmov rdx, [c]       ; 3rd arg\nmov rcx, [d]       ; 4th arg\nmov r8, [e]        ; 5th arg\nmov r9, [f]        ; 6th arg\npush qword [g]     ; 7th arg on stack (push needs an operand size for memory)\ncall func\n```\n\n**Microsoft x64 (Windows)**\n```asm\n; Arguments: RCX, RDX, R8, R9, then stack\n; Shadow space: 32 bytes reserved on stack\n; Return: RAX\n\n; Example: func(a, b, c, d, e)\nsub rsp, 0x28      ; Shadow space + alignment\nmov rcx, [a]       ; 1st arg\nmov rdx, [b]       ; 2nd arg\nmov r8, [c]        ; 3rd arg\nmov r9, [d]        ; 4th arg\nmov rax, [e]       ; 5th arg: x86 has no memory-to-memory mov, so go via a register\nmov [rsp+0x20], rax ; 5th arg on stack, just above the 32-byte shadow space\ncall func\nadd rsp, 0x28\n```\n\n### ARM Assembly Patterns\n\n#### ARM64 (AArch64) Calling Convention\n```asm\n; Arguments: X0-X7\n; Return: X0 (and X1 for 128-bit)\n; Frame pointer: X29\n; Link register: X30\n\n; Function prologue\nstp x29, x30, [sp, #-16]!  ; Save FP and LR\nmov x29, sp                 ; Set frame pointer\n\n; Function epilogue\nldp x29, x30, [sp], #16    ; Restore FP and LR\nret\n```\n\n#### ARM32 Calling Convention\n```asm\n; Arguments: R0-R3, then stack\n; Return: R0 (and R1 for 64-bit)\n; Link register: LR (R14)\n\n; Function prologue\npush {fp, lr}\nadd fp, sp, #4\n\n; Function epilogue\npop {fp, pc}    ; Return by popping PC\n```\n\n## Control Flow Patterns\n\n### Conditional Branches\n\n```asm\n; if (a == b)\ncmp eax, ebx\njne skip_block\n; ... if body ...\nskip_block:\n\n; if (a \u003C b) - signed\ncmp eax, ebx\njge skip_block    ; Jump if greater or equal\n; ... 
if body ...\nskip_block:\n\n; if (a \u003C b) - unsigned\ncmp eax, ebx\njae skip_block    ; Jump if above or equal\n; ... if body ...\nskip_block:\n```\n\n### Loop Patterns\n\n```asm\n; for (int i = 0; i \u003C n; i++)\nxor ecx, ecx           ; i = 0\nloop_start:\ncmp ecx, [n]           ; i \u003C n\njge loop_end\n; ... loop body ...\ninc ecx                ; i++\njmp loop_start\nloop_end:\n\n; while (condition)\njmp loop_check\nloop_body:\n; ... body ...\nloop_check:\ncmp eax, ebx\njl loop_body\n\n; do-while\nloop_body:\n; ... body ...\ncmp eax, ebx\njl loop_body\n```\n\n### Switch Statement Patterns\n\n```asm\n; Jump table pattern\nmov eax, [switch_var]\ncmp eax, max_case\nja default_case        ; Unsigned compare also rejects negative values\njmp [jump_table + eax*8]\n\n; Sequential comparison (small switch)\ncmp eax, 1\nje case_1\ncmp eax, 2\nje case_2\ncmp eax, 3\nje case_3\njmp default_case\n```\n\n## Data Structure Patterns\n\n### Array Access\n\n```asm\n; array[i] - 4-byte elements\nmov eax, [rbx + rcx*4]        ; rbx=base, rcx=index\n\n; array[i] - 8-byte elements\nmov rax, [rbx + rcx*8]\n\n; Multi-dimensional array[i][j]\n; arr[i][j] = base + (i * cols + j) * element_size\nmov eax, [i]           ; eax = i\nimul eax, [cols]       ; eax = i * cols\nadd eax, [j]           ; eax = i * cols + j\nmov edx, [rbx + rax*4] ; 4-byte elements, rbx=base\n```\n\n### Structure Access\n\n```c\nstruct Example {\n    int a;      \u002F\u002F offset 0\n    char b;     \u002F\u002F offset 4\n    \u002F\u002F padding  \u002F\u002F offset 5-7\n    long c;     \u002F\u002F offset 8\n    short d;    \u002F\u002F offset 16\n};\n```\n\n```asm\n; Accessing struct fields\nmov rdi, [struct_ptr]\nmov eax, [rdi]         ; s->a (offset 0)\nmovzx eax, byte [rdi+4] ; s->b (offset 4)\nmov rax, [rdi+8]       ; s->c (offset 8)\nmovzx eax, word [rdi+16] ; s->d (offset 16)\n```\n\n### Linked List Traversal\n\n```asm\n; while (node != NULL)\nlist_loop:\ntest rdi, rdi          ; node == NULL?\njz list_done\n; ... 
process node ...\nmov rdi, [rdi+8]       ; node = node->next (assuming next at offset 8)\njmp list_loop\nlist_done:\n```\n\n## Common Code Patterns\n\n### String Operations\n\n```asm\n; strlen pattern\nxor ecx, ecx\nstrlen_loop:\ncmp byte [rdi + rcx], 0\nje strlen_done\ninc ecx\njmp strlen_loop\nstrlen_done:\n; ecx contains length\n\n; strcpy pattern\nstrcpy_loop:\nmov al, [rsi]\nmov [rdi], al\ntest al, al\njz strcpy_done\ninc rsi\ninc rdi\njmp strcpy_loop\nstrcpy_done:\n\n; memcpy using rep movsb\nmov rdi, dest\nmov rsi, src\nmov rcx, count\nrep movsb\n```\n\n### Arithmetic Patterns\n\n```asm\n; Multiplication by constant\n; x * 3\nlea eax, [rax + rax*2]\n\n; x * 5\nlea eax, [rax + rax*4]\n\n; x * 10\nlea eax, [rax + rax*4]  ; x * 5\nadd eax, eax            ; * 2\n\n; Division by power of 2 (signed)\nmov eax, [x]\ncdq                     ; Sign extend to EDX:EAX\nand edx, 7              ; For divide by 8\nadd eax, edx            ; Adjust for negative\nsar eax, 3              ; Arithmetic shift right\n\n; Modulo power of 2\nand eax, 7              ; x % 8\n```\n\n### Bit Manipulation\n\n```asm\n; Test specific bit\ntest eax, 0x80          ; Test bit 7\njnz bit_set\n\n; Set bit\nor eax, 0x10            ; Set bit 4\n\n; Clear bit\nand eax, ~0x10          ; Clear bit 4\n\n; Toggle bit\nxor eax, 0x10           ; Toggle bit 4\n\n; Count leading zeros\nbsr eax, ecx            ; Bit scan reverse\nxor eax, 31             ; Convert to leading zeros\n\n; Population count (popcnt)\npopcnt eax, ecx         ; Count set bits\n```\n\n## Decompilation Patterns\n\n### Variable Recovery\n\n```asm\n; Local variable at rbp-8\nmov qword [rbp-8], rax  ; Store to local\nmov rax, [rbp-8]        ; Load from local\n\n; Stack-allocated array\nlea rax, [rbp-0x40]     ; Array starts at rbp-0x40\nmov [rax], edx          ; array[0] = value\nmov [rax+4], ecx        ; array[1] = value\n```\n\n### Function Signature Recovery\n\n```asm\n; Identify parameters by register usage\nfunc:\n    ; rdi used 
as first param (System V)\n    mov [rbp-8], rdi    ; Save param to local\n    ; rsi used as second param\n    mov [rbp-16], rsi\n    ; Identify return by RAX at end\n    mov rax, [result]\n    ret\n```\n\n### Type Recovery\n\n```asm\n; 1-byte operations suggest char\u002Fbool\nmovzx eax, byte [rdi]   ; Zero-extend byte\nmovsx eax, byte [rdi]   ; Sign-extend byte\n\n; 2-byte operations suggest short\nmovzx eax, word [rdi]\nmovsx eax, word [rdi]\n\n; 4-byte operations suggest int\u002Ffloat\nmov eax, [rdi]\nmovss xmm0, [rdi]       ; Float\n\n; 8-byte operations suggest long\u002Fdouble\u002Fpointer\nmov rax, [rdi]\nmovsd xmm0, [rdi]       ; Double\n```\n\n## Ghidra Analysis Tips\n\n### Improving Decompilation\n\n```java\n\u002F\u002F In Ghidra scripting\n\u002F\u002F Fix function signature\nFunction func = getFunctionAt(toAddr(0x401000));\nfunc.setReturnType(IntegerDataType.dataType, SourceType.USER_DEFINED);\n\n\u002F\u002F Create structure type\nStructureDataType struct = new StructureDataType(\"MyStruct\", 0);\nstruct.add(IntegerDataType.dataType, \"field_a\", null);\nstruct.add(PointerDataType.dataType, \"next\", null);\n\n\u002F\u002F Apply to memory\ncreateData(toAddr(0x601000), struct);\n```\n\n### Pattern Matching Scripts\n\n```python\n# Find all calls to dangerous functions\nfor func in currentProgram.getFunctionManager().getFunctions(True):\n    for ref in getReferencesTo(func.getEntryPoint()):\n        if func.getName() in [\"strcpy\", \"sprintf\", \"gets\"]:\n            print(f\"Dangerous call at {ref.getFromAddress()}\")\n```\n\n## IDA Pro Patterns\n\n### IDAPython Analysis\n\n```python\nimport idaapi\nimport idautils\nimport idc\n\n# Find all function calls\ndef find_calls(func_name):\n    for func_ea in idautils.Functions():\n        for head in idautils.Heads(func_ea, idc.find_func_end(func_ea)):\n            if idc.print_insn_mnem(head) == \"call\":\n                target = idc.get_operand_value(head, 0)\n                if 
idc.get_func_name(target) == func_name:\n                    print(f\"Call to {func_name} at {hex(head)}\")\n\n# Rename functions based on strings\ndef auto_rename():\n    for s in idautils.Strings():\n        for xref in idautils.XrefsTo(s.ea):\n            func = idaapi.get_func(xref.frm)\n            if func and \"sub_\" in idc.get_func_name(func.start_ea):\n                # Use string as hint for naming\n                pass\n```\n\n## Best Practices\n\n### Analysis Workflow\n\n1. **Initial triage**: File type, architecture, imports\u002Fexports\n2. **String analysis**: Identify interesting strings, error messages\n3. **Function identification**: Entry points, exports, cross-references\n4. **Control flow mapping**: Understand program structure\n5. **Data structure recovery**: Identify structs, arrays, globals\n6. **Algorithm identification**: Crypto, hashing, compression\n7. **Documentation**: Comments, renamed symbols, type definitions\n\n### Common Pitfalls\n\n- **Optimizer artifacts**: Code may not match source structure\n- **Inline functions**: Functions may be expanded inline\n- **Tail call optimization**: `jmp` instead of `call` + `ret`\n- **Dead code**: Unreachable code from optimization\n- **Position-independent code**: RIP-relative addressing\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,67,754,"2026-05-16 13:08:46",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"其他","other","mdi-page-next-outline","其他类型Skill",5,"2026-05-16 
12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"职场发展","career","mdi-briefcase-outline","面试准备、简历优化、职业规划",4,575,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"3bbaf436-fae6-4321-b212-7974c2a76a99","1.0.0","binary-analysis-patterns.zip",4202,"uploads\u002Fskills\u002Fc57919a2-1c3d-4928-8cfb-adb19ccf39ce\u002Fbinary-analysis-patterns.zip","c49eba3c667ced9aaf67f405cd832476fad6aac94df5c5a08cdd10527039b303","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":10164}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]