| name | reverse-engineering |
| description | Use when reverse-engineering a binary or firmware — static triage + decompilation (Ghidra/IDA/Binary Ninja), dynamic instrumentation (GDB/Frida 17/angr), anti-reversing & packer bypass, OLLVM/VM deobfuscation, UEFI/BIOS RE & Secure Boot research, patch-diffing for n-days |
| metadata | {"type":"offensive","phase":"analysis","tools":"ghidra, ida, binary-ninja, radare2, rizin, gdb-gef, frida, x64dbg, x96dbg, triton, angr, unicorn, capstone, scyllahide, titanhide, novmp, bindiff, diaphora, ghidriff, binwalk, uefitool, chipsec, kaitai-struct","mitre":"TA0042"} |
| kill_chain | {"phase":["weaponize","exploit"],"step":[2,4],"attck_tactics":["TA0042","TA0002","TA0005"],"attck_techniques":["T1027","T1027.002","T1027.007","T1027.009","T1027.013","T1620","T1140","T1622","T1497","T1497.001","T1497.003","T1542.001","T1542.003","T1592.002","T1203","T1518.001"]} |
| depends_on | ["recon-osint"] |
| feeds_into | ["exploit-development","malware-analysis","vulnerability-analysis","mobile-pentest","windows-mitigations"] |
| inputs | ["binary_samples","firmware_images","packed_malware","patched_binaries","pcap_captures","unknown_file_formats"] |
| outputs | ["disassembly_report","decompiled_source","vulnerability_details","unpacked_payload","deobfuscated_code","protocol_specs","nday_root_cause","ioc_list"] |
| references | ["references/static-triage-decompilation.md","references/dynamic-instrumentation.md","references/anti-reversing-bypass.md","references/deobfuscation.md","references/firmware-uefi.md","references/patch-diffing-protocol.md","references/rr-time-travel.md","references/coverage-reachability.md"] |
| scripts | ["scripts/triage.py","scripts/frida_universal.js","scripts/antidebug_unhook.py","scripts/string_decrypt_emu.py","scripts/deflatten_triton.py","scripts/uefi_triage.py","scripts/patchdiff_fetch.py","scripts/proto_infer.py","scripts/rr_root_cause.sh","scripts/cve_diff.py"] |