Binary Analysis
Tools for exploring and reverse engineering binary files, firmware, and unknown data.
When to Use This Skill
| Use this skill when... | Use rg-code-search instead when... |
|---|---|
| Identifying unknown or non-text file types (file, xxd) | Searching tracked source files for a regex |
| Extracting strings or symbols from compiled binaries / firmware | Auditing a repo's text-encoded files for hardcoded patterns |
| Inspecting raw hex layout of an ELF, Mach-O, or .bin blob | The input is human-readable code or markdown |
| Use this skill when... | Use jq-json-processing instead when... |
|---|---|
| Reverse-engineering an opaque binary format | The data is already structured JSON awaiting transformation |
| Hunting embedded files with binwalk -e | A field needs extraction from a parsed JSON payload |
Quick Reference
| Tool | Purpose | Install |
|------|---------|---------|
| strings | Extract printable text from binaries | Built-in (binutils) |
| binwalk | Firmware analysis, file extraction | pip install binwalk or cargo install binwalk |
| hexdump | Hex/ASCII dump | Built-in |
| xxd | Hex dump with reverse capability | Built-in (vim) |
| file | Identify file type | Built-in |
strings - Extract Text from Binaries
Find human-readable strings embedded in binary files.
# Basic usage - find all printable strings (min 4 chars)
strings binary_file
# Set minimum string length
strings -n 10 binary_file # Only strings >= 10 chars
# Show file offset of each string
strings -t x binary_file # Hex offset
strings -t d binary_file # Decimal offset
# Search for specific patterns
strings binary_file | grep -i password
strings binary_file | grep -E 'https?://'
strings binary_file | grep -i api_key
# Wide character strings (UTF-16)
strings -e l binary_file # Little-endian 16-bit
strings -e b binary_file # Big-endian 16-bit
strings -e L binary_file # Little-endian 32-bit
# Scan entire file (not just initialized data sections)
strings -a binary_file
Common discoveries with strings:
- Hardcoded credentials, API keys
- URLs and endpoints
- Error messages (hints at functionality)
- Library versions
- Debug symbols and function names
- Configuration paths
binwalk - Firmware Analysis
Identify and extract embedded files, analyze entropy, find hidden data.
# Signature scan - identify embedded files/data
binwalk firmware.bin
# Extract all identified files
binwalk -e firmware.bin # Extract to _firmware.bin.extracted/
binwalk --extract firmware.bin # Same as -e
# Recursive extraction (extract files within extracted files)
binwalk -Me firmware.bin
# Entropy analysis - find compressed/encrypted regions
binwalk -E firmware.bin # Generate entropy graph
binwalk --entropy firmware.bin
# Opcode analysis - identify CPU architecture
binwalk -A firmware.bin
binwalk --opcodes firmware.bin
# Raw byte extraction at offset
binwalk --dd='type:extension' firmware.bin
# Specific signature types
binwalk --signature firmware.bin # File signatures only
binwalk --raw='\\x1f\\x8b' firmware.bin # Search for gzip magic bytes
binwalk output interpretation:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 TRX firmware header
28 0x1C LZMA compressed data
1835008 0x1C0000 Squashfs filesystem, little endian
hexdump / xxd - Raw Hex Analysis
# Hex + ASCII dump
hexdump -C binary_file
xxd binary_file
# Dump specific byte range
xxd -s 0x100 -l 256 binary_file # 256 bytes starting at offset 0x100
# Just hex, no ASCII
hexdump -v -e '/1 "%02x "' binary_file
# Create hex dump that can be reversed
xxd binary_file > hex.txt
xxd -r hex.txt > reconstructed_binary
# Find specific bytes
xxd binary_file | grep "504b" # Look for PK (ZIP signature)
file - Identify File Types
# Basic identification
file unknown_file
file -i unknown_file # MIME type
# Check multiple files
file *
# Follow symlinks
file -L symlink
Common Analysis Workflows
Unknown Binary Exploration
# 1. Identify file type
file mystery_file
# 2. Check for embedded files
binwalk mystery_file
# 3. Extract strings
strings -n 8 mystery_file | head -100
# 4. Look at hex header
xxd mystery_file | head -20
# 5. Check entropy (compressed/encrypted?)
binwalk -E mystery_file
Firmware Analysis
# 1. Initial scan
binwalk firmware.bin
# 2. Extract everything
binwalk -Me firmware.bin
# 3. Explore extracted filesystem
find _firmware.bin.extracted -type f -name "*.conf"
find _firmware.bin.extracted -type f -name "passwd"
# 4. Search for secrets
grep -r "password" _firmware.bin.extracted/
strings -n 10 firmware.bin | grep -i -E "(pass|key|secret|token)"
Finding Hidden Data
# Check for data after end of file
binwalk -E file.jpg # Entropy spike at end = appended data
# Look for embedded archives
binwalk file.jpg | grep -E "(Zip|RAR|7z|gzip)"
# Extract with offset
dd if=file.jpg of=hidden.zip bs=1 skip=12345
File Signatures (Magic Bytes)
| Signature | Hex | File Type |
|-----------|-----|-----------|
| PK | 50 4B 03 04 | ZIP archive |
| Rar! | 52 61 72 21 | RAR archive |
| 7z | 37 7A BC AF | 7-Zip |
| ELF | 7F 45 4C 46 | Linux executable |
| MZ | 4D 5A | Windows executable |
| PNG | 89 50 4E 47 | PNG image |
| JFIF | FF D8 FF E0 | JPEG image |
| sqsh | 73 71 73 68 | SquashFS |
| hsqs | 68 73 71 73 | SquashFS (LE) |
Tips
- Start with entropy: High entropy = compressed or encrypted
- Look for strings first: Often reveals purpose quickly
- Check file headers: First 16 bytes often identify format
- Use recursive extraction: Firmware often has nested archives
- Save offsets: Note interesting locations for targeted extraction