Common targets
Malware analysis
Understand what a suspicious binary does: C2 communication, persistence mechanisms, evasion tricks.
CTF challenges
Find hidden flags by reversing licence checks, custom crypto, obfuscated logic, or game mechanics.
Vulnerability research
Identify unsafe functions, integer overflows, or logic flaws in closed-source software.
Interoperability
Understand proprietary protocols or file formats to build compatible tooling.
Reversing methodology
Static overview
Run file, strings, and checksec first. Identify the architecture, format (ELF/PE/Mach-O), packing (UPX, custom), and enabled mitigations.
Disassembly / decompilation
Load the binary into Ghidra, IDA, or Binary Ninja. Rename functions and variables as you understand them. Start from main or any well-known entry point.
Dynamic analysis
Run the binary under GDB, x64dbg, or Frida. Set breakpoints on interesting functions, inspect registers and memory at key points, and trace system calls with strace/ltrace.
Focus on interesting logic
Follow string references, xrefs to crypto constants (S-boxes, magic numbers like 0x61C88647), network functions, or comparison instructions that look like key or flag checks.
Key concepts
Calling conventions
Understanding how arguments are passed is essential to reading disassembly:

| Convention | Arguments | Return value | Used on |
|---|---|---|---|
| x86 cdecl | Stack (right-to-left) | EAX | Linux/Windows 32-bit |
| x86-64 System V | RDI, RSI, RDX, RCX, R8, R9 | RAX | Linux/macOS 64-bit |
| x86-64 Windows | RCX, RDX, R8, R9 | RAX | Windows 64-bit |
| ARM64 (AAPCS64) | X0–X7 | X0 | Linux/macOS ARM64 |
Recognising common patterns
- String comparisons: look for strcmp, memcmp, or XOR loops near conditional jumps.
- Crypto constants: AES S-box starts with 0x63, SHA-256 uses specific round constants, RC4 has a 256-byte key-scheduling loop.
- Anti-debug: IsDebuggerPresent, PTRACE_TRACEME self-check, timing checks with RDTSC, or exception-based tricks.
- Packers: a short first section that allocates RWX memory, writes data into it, and jumps; the payload is unpacked at runtime.
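A small static triage scanner, added here as an example and not part of the original cheat sheet, that looks for the crypto constants listed above (AES S-box prefix, SHA-256 round constants, the TEA delta and its negation) and the anti-debug, locale-guard and emulator-fingerprint API names the page mentions. The sample blob at the bottom is constructed so the scanner can be run without a real binary; point it at a file to triage one.

```python
"""Added static triage helper: find crypto constants and anti-analysis API names."""
import struct
import sys
from typing import Dict, List

# Signatures from the page: first eight AES S-box bytes (0x63 ...), the first four
# SHA-256 round constants (contiguous K table), and the TEA/XTEA delta 0x9E3779B9
# together with 0x61C88647, its two's-complement negation.
AES_SBOX_PREFIX = bytes.fromhex("637c777bf26b6fc5")
SHA256_K_PREFIX = [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5]
TEA_DELTAS = [0x9E3779B9, 0x61C88647]
# Import/export names from the anti-analysis section; a hit is a lead to examine
# in the disassembler, not proof of malicious behaviour.
ANTI_ANALYSIS_NAMES = [
    "IsDebuggerPresent", "GetKeyboardLayout", "GetLocaleInfoA", "GetLocaleInfoW",
    "MpVmp32Entry", "VFS_Open", "ThrdMgr_GetCurrentThreadHandle",
]

def _signatures() -> Dict[str, List[bytes]]:
    """Name -> byte patterns; 32-bit constants in both byte orders (x86 stores
    immediates little-endian, data tables on other targets may be big-endian)."""
    sigs: Dict[str, List[bytes]] = {"AES S-box": [AES_SBOX_PREFIX]}
    sigs["SHA-256 K"] = [b"".join(struct.pack(o, v) for v in SHA256_K_PREFIX)
                         for o in ("<I", ">I")]
    sigs["TEA delta"] = [struct.pack(o, v) for v in TEA_DELTAS for o in ("<I", ">I")]
    for name in ANTI_ANALYSIS_NAMES:
        sigs["API " + name] = [name.encode("ascii")]
    return sigs

def scan(data: bytes) -> Dict[str, List[int]]:
    """Return {signature name: sorted byte offsets} for every pattern present."""
    hits: Dict[str, List[int]] = {}
    for name, patterns in _signatures().items():
        for pat in patterns:
            off = data.find(pat)
            while off != -1:
                hits.setdefault(name, []).append(off)
                off = data.find(pat, off + 1)
    return {name: sorted(offs) for name, offs in hits.items()}

# Constructed sample blob (not a real binary): padding, S-box prefix, a TEA delta
# immediate, an import name string, and a big-endian K table.
SAMPLE = (b"\x00" * 16 + AES_SBOX_PREFIX + b"\x90" * 8 + struct.pack("<I", 0x61C88647)
          + b"IsDebuggerPresent\x00" + b"".join(struct.pack(">I", v) for v in SHA256_K_PREFIX))

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, offs in scan(blob).items():
        print(f"{name:34s} {', '.join(hex(o) for o in offs)}")
```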
Anti-analysis techniques in malware
Real-world malware uses many tricks to hinder analysis:
Locale / keyboard guards
Many stealers abort execution on specific locales or keyboard layouts (commonly CIS countries) to avoid running on researcher machines. The API chain is GetKeyboardLayout → GetLocaleInfoA/W → compare against a block-list.
Emulator fingerprinting
Malware scans for Defender’s emulator exports (MpVmp32Entry, VFS_Open, ThrdMgr_GetCurrentThreadHandle, etc.). If found, it sleeps for 10–30 minutes before continuing.
Argument gatekeeping
A CLI switch (e.g., /i:--type=renderer mimicking Chromium) must be present or the loader exits immediately, preventing sandbox auto-execution.
Process hollowing (RunPE)
Legitimate processes (RegAsm.exe, MSBuild.exe) are launched suspended, their image unmapped, and a malicious PE written in their place. The payload never touches disk in plain form.
Language-specific tips
.NET
Use dnSpy or ILSpy to decompile MSIL back to C#. For debugging, enable DebuggableAttribute in the assembly and attach dnSpy to the IIS/process.
Quick tool reference
| Tool | Category | Notes |
|---|---|---|
| Ghidra | Disassembler / decompiler | Free, scriptable, great for large binaries |
| IDA Pro / Free | Disassembler / decompiler | Industry standard; free version covers x86/x64 |
| Binary Ninja | Disassembler / decompiler | Strong API, good for automation |
| x64dbg / x32dbg | Debugger (Windows) | Plugin ecosystem, ScyllaHide for anti-anti-debug |
| GDB + pwndbg/GEF | Debugger (Linux) | Heap-aware, ROP-aware |
| Frida | Dynamic instrumentation | Inject JS hooks into any process, cross-platform |
| radare2 / Cutter | Multi-tool | CLI + GUI; good for shellcode analysis |
| Detect-It-Easy (DIE) | Packer/compiler ID | Recognises packers, compilers, protectors |