Introduction
Static analysis is the art of understanding a program without running it. It’s the first step in any reverse engineering workflow and often reveals enough to understand what a binary does.
Essential Tools
Disassemblers
| Tool | Platform | Notes |
|---|---|---|
| Ghidra | Cross-platform | Free, decompiler included |
| IDA Pro | Cross-platform | Industry standard, expensive |
| Binary Ninja | Cross-platform | Modern API, mid-range price |
| radare2 | Cross-platform | CLI-based, scriptable |
File Analysis
| |
Reading Assembly
The key skill is reading disassembly output. Here’s a simple example:
| |
Common Patterns
- Function prologue:
push rbp; mov rbp, rsp— sets up stack frame - Conditional jumps:
cmp+je/jne/jl/jg— if/else logic - Loops: backward
jmpwith a counter check - Syscalls:
mov eax, <nr>; syscall— direct kernel calls
Practical Workflow
- Identify the binary type (ELF, PE, Mach-O)
- Check mitigations (NX, PIE, RELRO, canaries)
- Map the structure — find
main(), key functions - Trace data flow — follow inputs through the program
- Annotate — rename functions, add comments in your disassembler
Next Steps
In the next post, we’ll cover dynamic analysis — using debuggers and tracing tools to observe a binary at runtime.