Reverse Engineering

1

Select Reverse Engineering from Home Screen

Click ⚙️ Reverse Engineering. Upload your binary or enter the path on disk.
2

Claude Runs Full RE Pipeline

Phase 1: Security posture — checksec: NX, ASLR, PIE, stack canary, RELRO Phase 2: Architecture — file, readelf: arch, bitness, endianness, OS Phase 3: Strings analysis — extract credentials, URLs, debug strings, crypto Phase 4: Symbol analysis — imported libs, exported functions, syscalls Phase 5: Ghidra decompile — decompile all functions to C pseudocode Phase 6: Pattern matching — find: strcpy, gets, sprintf, system(), eval Phase 7: Symbolic exec — angr: buffer overflows, null derefs, format strings Phase 8: AI analysis — Claude reviews decompiled code (anonymized) Phase 9: Report — findings with CWE mapping and PoC
3

Review in the RE Dashboard

The RE Dashboard shows: binary header (arch, security flags), function list with complexity scores, decompiled C pseudocode viewer, and the Findings panel. Click any function to view its decompiled code with vulnerability annotations.
4

Generate Binary Security Report

Reports → RE Report includes: binary posture (checksec summary), findings by category, AI narrative analysis, decompiled function excerpts showing vulnerabilities, and remediation guidance.

⏱️ Automated analysis: 15–60 minutes. Ghidra decompilation of large binaries can take up to 30 minutes.

1

Upload Binary and Receive Security Posture Check

Proposal: "Run checksec on the binary — identify security mitigations" → [Approve] → NX: enabled | ASLR: disabled | PIE: disabled | Canary: disabled | RELRO: partial → ⚠ PIE and canary disabled — exploitable buffer overflows likely
2

Approve Analysis Phases Sequentially

Proposal: "Extract strings — look for credentials, keys, hardcoded URLs" → [Approve] → Found: "admin:P@ssw0rd123", "DEBUG_MODE=1", AWS key prefix Proposal: "Decompile with Ghidra headless — focus on network-handling functions" → [Approve] → 247 functions decompiled — 3 flagged as high-risk Proposal: "Run angr symbolic execution on get_user_input() — check for buffer overflow" → [Approve] → Buffer overflow confirmed: 512-byte stack buffer, no bounds check

⏱️ Typical duration: 2–5 hours with active approval and manual review of decompiled code.

1

Initial Binary Assessment

file binary # type, arch, stripped/not checksec --file=binary # security mitigations readelf -h binary # ELF header strings -a binary | head -100 # quick string scan
2

String and Symbol Analysis

strings -a binary | grep -E "(password|secret|key|token|admin|debug|http)" nm -D binary 2>/dev/null | grep -E "(gets|strcpy|sprintf|system|exec)" objdump -d binary | grep -A5 "call.*gets\|call.*strcpy"
3

radare2 Analysis

r2 -A binary # auto-analyze # In r2 shell: afl # list all functions pdf @main # disassemble main pdf @sym.handle_request # disassemble specific function axt @sym.gets # find all callers of gets() /R pop rdi # search for ROP gadgets
4

Ghidra Decompilation

analyzeHeadless /tmp/proj MyProj \ -import ./binary \ -postScript DecompileAll.py \ -scriptPath /opt/phantomyerra/config/ghidra_scripts/ # View output cat /tmp/proj/MyProj.rep/decompiled/*.c | less
5

angr Symbolic Execution

python3 << 'EOF' import angr proj = angr.Project('./binary', auto_load_libs=False) state = proj.factory.entry_state() simgr = proj.factory.simulation_manager(state) simgr.explore(find=0x401234, avoid=0x401567) # find vuln, avoid safe path if simgr.found: print(simgr.found[0].posix.dumps(0)) # print stdin that reaches vuln EOF

⏱️ Duration: 1 day (simple binary) to 2 weeks (complex proprietary software with obfuscation).

Common Issues