binary-analysis-patterns

by wshobson

binary-analysis-patterns is a reverse-engineering skill for interpreting x86-64 disassembly, calling conventions, stack frames, and control flow to support faster binary review and Security Audit work.

Stars32.6k

Favorites0

Comments0

AddedMar 30, 2026

CategorySecurity Audit

Install Command

npx skills add wshobson/agents --skill binary-analysis-patterns

Curation Score

This skill scores 68/100, which means it is acceptable to list for directory users who want a reusable reference for static binary analysis patterns, but they should expect a knowledge-heavy guide rather than a tightly operational skill with stepwise execution support.

68/100

Strengths

Frontmatter gives a clear trigger: use for analyzing executables, understanding compiled code, or static analysis on binaries.
Substantive SKILL.md content covers concrete reverse-engineering topics such as disassembly, calling conventions, control-flow and code-pattern recognition, with code examples.
Well-structured document with multiple headings and code fences makes it easier to scan than a generic prompt when interpreting compiled code patterns.

Cautions

No support files, references, or tooling guidance, so agents may still need guesswork about which binary-analysis tools to use and in what order.
Content appears primarily reference-oriented rather than a strict workflow, with limited explicit constraints or decision rules for edge cases.

Reverse Engineering Security Systems Programming Cli Developer Audience

Overview

Overview of binary-analysis-patterns skill

What the binary-analysis-patterns skill is for

The binary-analysis-patterns skill is a pattern library for reading compiled code: common x86-64 instruction shapes, calling conventions, stack frame layouts, control-flow structures, and recognizable compiler-generated sequences. It is most useful when you already have disassembly or decompiler output and need to turn low-level instructions into a plausible explanation of program behavior.

Best fit users and jobs-to-be-done

This skill fits security engineers, reverse engineers, malware analysts, CTF players, and developers doing a security audit on native binaries. The real job is not “explain assembly” in the abstract. It is to identify what a function is doing, spot suspicious or vulnerable logic, reconstruct arguments and returns, and move from raw instructions to an audit-ready narrative faster than with a generic prompt.

What makes this skill different from an ordinary prompt

A normal prompt often gives shallow summaries of assembly. The binary-analysis-patterns skill is stronger when you need consistent interpretation of recurring structures such as:

function prologue and epilogue patterns
System V AMD64 vs Microsoft x64 calling conventions
loop, branch, and switch-like control flow
stack variable usage and frame reconstruction
compiler idioms that look confusing if read literally

That makes it better for structured binary review than asking a model to “analyze this assembly” with no framework.

What matters before you install

This is a text-first guidance skill, not an automated disassembler, debugger, or signature engine. It does not replace tools like objdump, Ghidra, IDA, radare2, or Binary Ninja; it helps you reason about the output from those tools. If you need automated extraction from binaries, the skill alone is not enough. If you already have snippets, function listings, CFG notes, or decompiler pseudocode, it becomes much more useful.

When binary-analysis-patterns is a strong choice

Use binary-analysis-patterns when you want a reusable interpretation aid for:

triaging unfamiliar functions quickly
validating decompiler guesses against assembly
mapping register usage to function arguments
recognizing likely library wrappers and boilerplate
documenting findings for a security audit

How to Use binary-analysis-patterns skill

Install binary-analysis-patterns skill

Install it from the wshobson/agents repository:

npx skills add https://github.com/wshobson/agents --skill binary-analysis-patterns

Because this skill lives at plugins/reverse-engineering/skills/binary-analysis-patterns, install expectations are simple: there are no extra helper scripts or reference packs to configure.

Read this file first

Start with:

SKILL.md

This skill is concentrated in a single file, so there is little repo archaeology required. Read the headings first to understand its coverage, then use it as a checklist while reviewing your own disassembly.

What input the skill needs to work well

The binary-analysis-patterns skill performs best when you provide concrete binary-analysis artifacts, such as:

assembly for one function at a time
decompiler pseudocode plus the matching assembly
target platform and ABI if known
symbol names, if partial symbols exist
your current hypothesis, for example “I think this is argument parsing”
the security question you care about, such as bounds checks or auth logic

Weak input:

“Analyze this binary.”

Strong input:

“Analyze this x86-64 function from a Linux ELF. Assume System V AMD64. Identify the arguments, local variables, likely return value, and whether the control flow suggests input validation or unsafe memory handling.”

Turn a rough goal into a good prompt

A good binary-analysis-patterns usage prompt usually includes five parts:

architecture and OS convention
function scope
output format
audit question
uncertainty handling

Example:

Use the binary-analysis-patterns skill on the following x86-64 disassembly from a Linux ELF.
Assume System V AMD64 unless the code contradicts it.
For this single function:
1. identify probable parameters and return value
2. describe the stack frame and local variables
3. summarize each branch and loop
4. call out any patterns consistent with parsing, copying, comparison, or allocation
5. note where confidence is low and what extra context would confirm the interpretation

This is better than a generic request because it forces ABI-aware reasoning and a useful output structure.

Suggested workflow for Security Audit

For binary-analysis-patterns for Security Audit, use a narrow, repeatable workflow:

export one suspicious function from your RE tool
identify platform and likely calling convention
ask for frame reconstruction and control-flow summary
ask a second pass focused on security-relevant operations
compare the result against adjacent caller/callee functions

This works especially well for authentication logic, parsers, deserializers, string handling, and wrapper functions around sensitive APIs.

Use the skill to identify calling conventions early

One of the fastest ways to improve output quality is to tell the model whether the function follows System V AMD64 or Microsoft x64. Many interpretation errors come from wrong assumptions about where arguments live.

Useful prompt addition:

“This is from Windows x64; treat RCX, RDX, R8, and R9 as early arguments and account for shadow space.”

Without that context, argument mapping and stack interpretation can drift quickly.

Feed assembly in function-sized chunks

Do not paste hundreds of unrelated instructions and expect a clean result. The skill is most reliable on one function or one small control-flow region at a time. If the binary is stripped and messy, start with:

function entry
all call sites in that function
branch targets
return path

Then expand only after you have a stable hypothesis.

Pair assembly with decompiler output when possible

A practical binary-analysis-patterns guide approach is to provide both low-level and high-level views. Decompiler output is faster to summarize, but assembly reveals where the decompiler may be wrong about:

signed vs unsigned comparisons
stack variable boundaries
indirect calls
tail calls
optimized-out frame pointers

Prompt pattern:

“Use the decompiler output as a hypothesis, but validate it against the assembly before concluding.”

Ask for pattern recognition, not just translation

The skill is more valuable when you ask it to classify code shapes, not merely paraphrase instructions. Good questions include:

“Is this a counted loop, sentinel loop, or state machine?”
“Does this prologue suggest a normal frame, leaf function, or optimized omission?”
“Do these compare-and-branch blocks look like bounds checks or command dispatch?”

That is where binary-analysis-patterns usage starts to outperform ordinary prompting.

Practical output formats that save time

Request one of these formats depending on your task:

audit notes: issue-oriented bullets with confidence
reverse-engineering notes: argument list, locals, CFG summary
decompiler validation: “likely correct / likely wrong / ambiguous”
triage format: “purpose, evidence, open questions”

For adoption decisions, this matters: the skill is strongest when it feeds a human review workflow, not when used as a black-box final answer generator.

binary-analysis-patterns skill FAQ

Is binary-analysis-patterns good for beginners?

Yes, if you already know very basic assembly concepts and want help recognizing recurring patterns. It is less suitable as a first-ever introduction to reverse engineering because it assumes you can provide relevant disassembly and understand why architecture and ABI details matter.

Does binary-analysis-patterns install any analysis tools?

No. The binary-analysis-patterns install step adds the skill guidance, not a disassembler or debugger. You still need your own tooling to extract assembly, pseudocode, symbols, or CFG context.

When should I use this instead of a normal LLM prompt?

Use binary-analysis-patterns skill when you want more disciplined interpretation of low-level code structure. If your task is “summarize this source file,” a normal prompt is enough. If your task is “reconstruct what this stripped function does and whether it validates input safely,” the skill is the better fit.

Is it limited to x86-64?

The visible emphasis is x86-64, especially calling conventions and function structure. If your target is ARM, MIPS, or WebAssembly, this skill may still help with general reasoning, but it is not the best specialized fit.

Is binary-analysis-patterns useful for malware analysis?

Yes, especially for initial triage of suspicious routines, unpacking helpers, string decoding logic, and API wrapper functions. But it is not a full malware workflow. You still need sandboxing, dynamic analysis, and threat-context tooling outside the skill.

When is binary-analysis-patterns not a good fit?

Skip it if you need:

automated binary extraction or scanning
exploit generation
dynamic instrumentation
architecture-specific depth outside its covered patterns
turnkey vulnerability detection without human review

It is a reasoning aid, not a replacement for a reverse-engineering toolchain.

How to Improve binary-analysis-patterns skill

Give stronger context than “analyze this”

The biggest quality jump comes from specifying:

binary format: ELF, PE, Mach-O
platform: Linux, Windows, macOS
architecture: x86-64 if known
function boundary
your audit objective

For example:

“Use binary-analysis-patterns to review this PE x64 function for credential checks and unsafe buffer handling.”

That is much better than a broad request because it narrows both the ABI and the threat model.

Mark uncertainties and known anchors

If you know one call target, one string reference, or one imported API, include it. Even a single anchor can transform the interpretation of surrounding blocks.

Examples:

“This function calls memcmp shortly before the final branch.”
“Cross-references suggest this is reached from the login handler.”
“Decompiler labels one local as a 256-byte stack buffer.”

These anchors reduce hallucinated narratives.

Split analysis into two passes

To improve binary-analysis-patterns results, run it in two passes:

structural pass: arguments, stack frame, loops, branches, calls
semantic pass: likely purpose, security implications, missing evidence

This avoids mixing uncertain semantics into basic reconstruction too early.

Ask the model to show evidence for each claim

A common failure mode is overconfident interpretation. Reduce that by requiring instruction-level support.

Prompt addition:

“For every major conclusion, cite the instruction sequence or register behavior that supports it.”

That makes it easier to verify whether the skill is truly reading patterns or merely guessing from superficial cues.

Correct the calling convention explicitly when outputs drift

If the first answer mislabels arguments or locals, do not start over with the same input. Tell it exactly what to fix:

“Re-run using Microsoft x64, not System V AMD64.”
“Assume frame-pointer omission and infer locals from rsp offsets.”
“Treat this indirect call as a possible vtable dispatch.”

Small corrections often recover the analysis quickly.

Focus the improvement loop on audit questions

When iterating, ask narrower follow-ups instead of repeating the entire task. Good examples:

“Which branch is the actual authentication decision?”
“Where is length validation performed before the copy?”
“Are any stack writes indexed by untrusted input?”
“Does this loop terminate on length or sentinel value?”

This is the fastest way to turn binary-analysis-patterns for Security Audit into actionable review notes.

Compare adjacent functions to refine confidence

If the first output is plausible but thin, provide one caller or one callee. Many binary patterns become clearer when you can see:

argument preparation at the call site
cleanup behavior after return
repeated helper wrappers
shared error-handling paths

That context often distinguishes business logic from boilerplate.

Use the skill as a hypothesis engine, not final ground truth

The best way to improve binary-analysis-patterns skill results is to treat its output as a structured hypothesis to validate in your RE tool. Check branch conditions, stack offsets, and imported calls before turning conclusions into findings. That workflow is where the skill adds the most value: faster interpretation with less guesswork, while keeping the human analyst in control.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

security-threat-model

by openai

Repository-grounded security-threat-model skill for AppSec threat modeling. It maps trust boundaries, assets, attacker goals, abuse paths, and mitigations into a concise Markdown threat model. Use it when you need security-threat-model for Threat Modeling on a specific repo or path, not a generic architecture review or code check.

Threat Modeling

Favorites 0GitHub 0

solana-vulnerability-scanner

by trailofbits

solana-vulnerability-scanner is a focused Solana security audit skill for native Rust and Anchor programs. It helps review CPI logic, PDA validation, signer and ownership checks, and sysvar spoofing to catch six critical Solana-specific vulnerabilities before deployment.

Security Audit

Favorites 0GitHub 4.9k

azure-ai-contentsafety-ts

by microsoft

azure-ai-contentsafety-ts helps analyze text and images for harmful content with Azure AI Content Safety in TypeScript. Use this skill for moderation workflows, blocklists, and security audit checks for hate, violence, sexual content, and self-harm. It also covers Azure endpoint and auth setup.

Security Audit

Favorites 0GitHub 2.3k

sharp-edges

by trailofbits

The sharp-edges skill helps you find APIs, configs, and interfaces where the easy path leads to insecure use. Use it to review authentication flows, cryptographic wrappers, dangerous defaults, null or zero semantics, and misuse-prone design choices. It is a strong fit for sharp-edges for Security Audit work when you need concrete footguns, not generic security guesses.

Security Audit

Favorites 0GitHub 5k

security-review

by affaan-m

Use the security-review skill to review auth, user input, secrets, APIs, payments, uploads, and other sensitive flows. It provides a practical security-review guide with clear pass/fail checks, risky-pattern examples, and a focused process for catching common issues before release.

Security Audit

Favorites 0GitHub 156.3k

django-security

by affaan-m

django-security is a practical guide for hardening Django apps with authentication, authorization, CSRF, XSS, SQL injection prevention, secure cookies, and production settings. It helps developers and reviewers run a focused Security Audit, quickly spot risky config, and apply concrete fixes before deployment.

Security Audit

Favorites 0GitHub 156.1k

exploiting-insecure-data-storage-in-mobile

by mukul975

The exploiting-insecure-data-storage-in-mobile skill helps assess and extract evidence from insecure local storage in Android and iOS apps. It covers SharedPreferences, SQLite databases, plist files, world-readable files, backup exposure, and weak keychain/keystore handling for mobile pentesting and Security Audit workflows.

Security Audit

Favorites 0GitHub 6.2k

detecting-s3-data-exfiltration-attempts

by mukul975

detecting-s3-data-exfiltration-attempts helps investigate possible AWS S3 data theft by correlating CloudTrail S3 data events, GuardDuty findings, Amazon Macie alerts, and S3 access patterns. Use this detecting-s3-data-exfiltration-attempts skill for Security Audit, incident response, and suspicious bulk-download analysis.

Security Audit

Favorites 0GitHub 6.2k

building-incident-response-playbook

by mukul975

building-incident-response-playbook helps security teams create reusable incident response playbooks with step-by-step phases, decision trees, escalation criteria, RACI ownership, and SOAR-ready structure. It is designed for incident response procedure documentation, incident triage workflows, and audit-friendly operational response plans.

Incident Triage

Favorites 0GitHub 6.1k

building-patch-tuesday-response-process

by mukul975

building-patch-tuesday-response-process helps teams build a repeatable Microsoft Patch Tuesday process to triage advisories, rank risk, test patches, approve rollout, and track compliance. Useful for security operations, vulnerability management, and building-patch-tuesday-response-process for Project Management.

Project Management

Favorites 0GitHub 6.1k

ossfuzz

by trailofbits

Learn the ossfuzz skill for continuous fuzzing setup, project enrollment, harness planning, and build workflow review. This guide helps security engineers and maintainers assess readiness, spot build blockers, and prepare a practical path from source tree to OSS-Fuzz or private fuzzing infrastructure.

Security Audit

Favorites 0GitHub 5k

codeql

by trailofbits

The codeql skill helps you run CodeQL with fewer blind spots during a security audit. It focuses on database quality, suite selection, data extensions, and SARIF review so you can use codeql usage more reliably across supported languages. Use it for repeatable codeql guide steps when analyzing real repositories.

Security Audit

Favorites 0GitHub 5k

semgrep-rule-creator

by trailofbits

semgrep-rule-creator creates production-quality Semgrep rules for security vulnerabilities, bug patterns, taint-flow detections, and coding standards. Use the semgrep-rule-creator skill for Security Audit work when you need precise rules, test cases, and validation instead of a generic draft.

Security Audit

Favorites 0GitHub 5k

insecure-defaults

by trailofbits

The insecure-defaults skill helps spot fail-open configuration patterns that let software run with unsafe settings instead of stopping. Use it for a Security Audit of production code, deployment configs, and secret-handling logic to catch weak auth, hardcoded secrets, and permissive defaults.

Security Audit

Favorites 0GitHub 5k

constant-time-analysis

by trailofbits

constant-time-analysis is a security-audit skill for finding timing side-channel risks in cryptographic code before they become exploitable bugs. Use it to review secret-dependent math, branches, comparisons, and compiled output when checking C, C++, Go, Rust, Swift, Java, Kotlin, PHP, JavaScript, TypeScript, Python, or Ruby.

Security Audit

Favorites 0GitHub 5k

secure-workflow-guide

by trailofbits

secure-workflow-guide guides a 5-step Solidity security workflow: Slither triage, feature-specific checks, visual inspection, security-property notes, and manual review. It is built for smart contract teams, auditors, and builders who want a repeatable secure-workflow-guide guide before deployment or release.

Security Audit

Favorites 0GitHub 4.9k