Binary Analysis Patterns

Master binary analysis patterns including disassembly, decompilation, control flow analysis…

A reference catalog of patterns for analyzing compiled binaries: disassembly, decompilation, control-flow analysis, and code-pattern recognition across x86-64, ARM64, and ARM32. It maps real assembly to its source-level meaning (calling conventions, loops, switch jump tables, struct access, type recovery) and ties observed behavior to threat frameworks. It turns opaque executables into understood program logic.

$15 one-time
Add to a kit →

Prices include 20% VAT. · Forged on real agency work · one-time, no lock-in

  • Type Skill
  • Category Security
  • Delivery Email · instant
  • License One-time

Inside the run · no black box

See the actual work before you buy it.

An unknown executable gives up its secrets in a fixed order. Starting from import tables and strings, the skill works seven stages deep until renamed symbols and documented behavior replace raw disassembly.

  1. Initial triage: file type, architecture, calling convention (System V vs Microsoft x64 vs ARM64) and the import/export tables, because imports like CreateRemoteThread or VirtualAllocEx already point to injection behavior before a single instruction is read.
  2. String analysis next: interesting strings, error messages and URLs are extracted, and every hit like "password" gets its cross references followed so the functions touching it move to the front of the queue.
  3. Function identification and control flow mapping: entry points, prologues/epilogues, then loops, conditionals and switch patterns (jump table vs sequential compare) are reconstructed, applying Occam's razor: assume standard compiler output before suspecting obfuscation.
  4. Data structure recovery: array indexing patterns, struct field offsets and linked list traversals are read back from the addressing math, and type recovery uses the instructions themselves (movzx vs movsx decides unsigned vs signed, not guesswork).
  5. Algorithm identification: optimizer artifacts are translated back (lea chains as multiplication, sar sequences as division), crypto and hashing routines are spotted, and behaviors are mapped to MITRE ATT&CK technique IDs.
  6. Documentation as the closing gate: renamed symbols, applied types and comments in Ghidra or IDA, with Python scripting to auto-flag dangerous calls like strcpy, sprintf and gets across the whole binary.
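
As an added example (not part of the skill's own files), a small Python pass over a constructed x86-64 disassembly excerpt that applies three of the stages above: movzx/movsx type recovery, lea/sar optimizer-artifact translation, and flagging of unsafe libc calls and injection-related imports. The disassembly text, regexes and function names are assumptions made for illustration.

```python
import re
# Constructed x86-64 disassembly (Intel syntax) for illustration; not from a real binary.
DISASM = """\
movzx eax, byte ptr [rbx]
movsx ecx, word ptr [rbx+2]
lea rax, [rax+rax*4]
lea rdx, [rax+rax*2]
sar esi, 3
call strcpy
call VirtualAllocEx
call CreateRemoteThread
"""

DANGEROUS_CALLS = {"strcpy", "sprintf", "gets"}                  # unsafe libc calls to flag
INJECTION_IMPORTS = {"VirtualAllocEx", "CreateRemoteThread"}     # ATT&CK T1055 (Process Injection)
WIDTH = {"byte": 8, "word": 16, "dword": 32}
EXTEND = re.compile(r"(movzx|movsx)\s+(\w+),\s*(byte|word|dword) ptr")
LEA_MUL = re.compile(r"lea\s+(\w+),\s*\[(\w+)\+\2\*(\d)\]")  # lea d,[s+s*k] => d = s*(k+1)
SAR = re.compile(r"sar\s+(\w+),\s*(\d+)")                    # sar r,n => signed r / 2**n (floor)
CALL = re.compile(r"call\s+(\w+)")

def recover_types(lines):
    """movzx marks the loaded value unsigned, movsx signed; the ptr size gives its width."""
    types = {}
    for m in filter(None, map(EXTEND.match, lines)):
        sign = "unsigned" if m.group(1) == "movzx" else "signed"
        types[m.group(2)] = f"{sign} {WIDTH[m.group(3)]}-bit"
    return types

def translate_optimizer(lines):
    """Rewrite lea chains and sar shifts as the multiplication/division they came from."""
    out = []
    for line in lines:
        if m := LEA_MUL.match(line):
            out.append(f"{m.group(1)} = {m.group(2)} * {int(m.group(3)) + 1}")
        elif m := SAR.match(line):
            out.append(f"{m.group(1)} = {m.group(1)} / {2 ** int(m.group(2))} (signed)")
    return out

def flag_calls(lines):
    """Bucket call targets: unsafe libc calls for review, injection imports for triage."""
    targets = [m.group(1) for m in filter(None, map(CALL.match, lines))]
    return {"dangerous": [t for t in targets if t in DANGEROUS_CALLS],
            "injection": [t for t in targets if t in INJECTION_IMPORTS]}

def analyze(disasm):
    lines = [ln.strip() for ln in disasm.splitlines() if ln.strip()]
    return {"types": recover_types(lines), "arith": translate_optimizer(lines),
            "calls": flag_calls(lines)}
```

Running `analyze(DISASM)` on the constructed excerpt yields the recovered types, the translated arithmetic and the two call buckets in one dictionary.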

Use cases · what happens when you plug it in

One power source. 6 lines out.

binary-analysis-patterns · core

core active · 6 lines

  1. Reverse-engineering an executable whose source is unavailable
  2. Recognizing function prologues, calling conventions, and stack frames in disassembly
  3. Reconstructing loops, switch statements, arrays, structs, and linked lists from assembly
  4. Recovering variable types from byte-width and sign-extension instruction patterns
  5. Mapping a binary's imports and strings to known attacker techniques during malware triage
  6. Detecting anti-analysis tricks like anti-debug checks and packed sections

Benefits · what you walk away with

Yours to keep.

Your forge

  1. Faster comprehension of unknown binaries by recognizing standard compiler output instead of guessing
  2. Reliable malware triage that links binary artifacts to attack stages and known techniques
  3. Fewer dead ends, because optimizer artifacts and anti-analysis blind spots are anticipated
  4. Repeatable analysis through a defined triage-to-documentation workflow

subscriptions expire · deeds don't

What's included · the full manifest

Everything in the box.

Pick a piece up. Watch it work.

x86-64, ARM64, and ARM32 calling-convention and prologue/epilogue references

part 01 of 06 · in the box

6 parts · one working system · ships instantly by email

Who it's for

This wasn't forged for everyone.

  • Not for you if you'd rather rent a tool than own one.
  • Not for you if you want someone else to run your stack.
  • Not for you if you're happy guessing.

Still here? Good.

Reverse engineers, malware analysts, and security researchers who need to understand compiled code and perform static binary analysis with discipline.

then this was forged for you.

Works with

Universal by design: these run in any AI. Delivered in the open Agent Skills + MCP format (native in Claude); ChatGPT, Gemini, Cursor and Copilot adapt the same files their own way.

  • Claude: native format
  • ChatGPT: adapts via open standards
  • Gemini: adapts via open standards
  • Cursor: adapts via open standards
  • Copilot: adapts via open standards

Questions · still in the air

Catch what's on your mind.


  1. Does this only cover x86, or ARM too?

    It spans x86-64, ARM64, and ARM32, so mobile and embedded ARM binaries are in scope, not just desktop x86. The calling-convention and stack-frame patterns are mapped per architecture.

  2. Modern decompilers already spit out C. What does reading patterns add on top of that?

    Decompiler output is an approximation: it guesses at structs, loops, and switch tables and often gets them subtly wrong. Recognizing prologues, jump tables, and struct access yourself lets you correct those guesses instead of trusting a noisy reconstruction.

  3. Will it get me through a packed or heavily obfuscated binary?

    No, this is static source-level reconstruction, not unpacking. When the binary fights back with anti-debugging or obfuscation, that's a separate problem; this assumes you can already read the disassembly.

  4. How is it delivered?

    By email right after purchase: ready to run, downloaded instantly, no setup wait.

  5. One-time or subscription?

    A one-time purchase; no subscription or hidden fees. VAT (20%) is included.

  6. Can I get a refund?

    As a digital product, it can’t be refunded once downloaded. That’s why we show exactly what’s inside and who it’s for, right here.