reversingnotes

Notes on staring at an unfamiliar binary

A short field guide to the first ten minutes with a binary you've never seen, before you reach for the disassembler.

Before opening anything heavy, there’s a cheap triage pass worth doing. None of this is novel — it’s just the order I try to remember to follow.

Start with the boring questions

What is this file, really? Not what the extension claims:

file ./sample
sha256sum ./sample          # so you can talk about "the same binary" later
strings -n 8 ./sample | less # cheap intel: URLs, paths, error messages

strings alone often answers half your questions — hardcoded paths, library names, format strings, the occasional embarrassing debug message.

Then the shape of it

# Linux ELF
readelf -h ./sample          # header: arch, entry point, type
readelf -d ./sample          # dynamic section: what it links against

The libraries it links against tell you roughly what the program can do. A binary that pulls in no networking functions probably isn’t phoning home, no matter what the README claims.
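As an added example (not from the original post), here is the same triage pass done in pure Python for a box that has no binutils: it hashes the file, pulls printable runs of at least eight bytes the way strings -n 8 does, decodes the ELF identification and header fields that readelf -h prints, and sorts the strings into the URL / path / other buckets worth eyeballing first. The SAMPLE bytes, the classify helper and the example.invalid URL are constructed for the demonstration; the machine and type tables are a small subset of the ELF spec.

```python
"""Cheap ELF triage in pure Python.

Example code added for illustration (not from the post). It answers the
same questions `sha256sum`, `strings -n 8` and `readelf -h` answer.
"""
import hashlib
import re
import struct

ELF_MAGIC = b"\x7fELF"
# Subset of e_machine / e_type values from the ELF specification
MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64", 0xF3: "RISC-V"}
TYPES = {1: "REL (relocatable)", 2: "EXEC (executable)", 3: "DYN (shared object / PIE)", 4: "CORE"}


def sha256(data: bytes) -> str:
    """Hash so you can talk about 'the same binary' later."""
    return hashlib.sha256(data).hexdigest()


def strings(data: bytes, min_len: int = 8) -> list:
    """Printable ASCII runs of at least min_len bytes, like `strings -n`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify(found: list) -> dict:
    """Hypothetical helper: bucket strings into the kinds worth reading first."""
    out = {"urls": [], "paths": [], "other": []}
    for s in found:
        if s.startswith(("http://", "https://")):
            out["urls"].append(s)
        elif s.startswith("/"):
            out["paths"].append(s)
        else:
            out["other"].append(s)
    return out


def elf_header(data: bytes) -> dict:
    """Parse the e_ident and header fields that `readelf -h` prints."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file (magic mismatch)")
    ei_class, ei_data = data[4], data[5]
    is64 = ei_class == 2
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version, e_entry follow the 16-byte e_ident;
    # only e_entry changes width between ELF32 and ELF64.
    fmt = endian + ("HHIQ" if is64 else "HHII")
    e_type, e_machine, _version, e_entry = struct.unpack_from(fmt, data, 16)
    return {
        "class": "ELF64" if is64 else "ELF32",
        "endian": "little" if ei_data == 1 else "big",
        "type": TYPES.get(e_type, f"unknown ({e_type})"),
        "machine": MACHINES.get(e_machine, f"unknown ({e_machine:#x})"),
        "entry": e_entry,
    }


def triage(data: bytes) -> dict:
    """The whole boring-questions pass in one call."""
    found = strings(data)
    return {"sha256": sha256(data), "header": elf_header(data),
            "strings": found, "buckets": classify(found)}


# Constructed sample: a 64-byte ELF64 header (little-endian, x86-64, ET_DYN,
# entry 0x1040) followed by bytes that mimic what strings finds in .rodata.
SAMPLE = (
    ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8          # e_ident (16 bytes)
    + struct.pack("<HHIQQQIHHHHHH",
                  3, 0x3E, 1, 0x1040,    # e_type, e_machine, e_version, e_entry
                  64, 0, 0,              # e_phoff, e_shoff, e_flags
                  64, 56, 0, 64, 0, 0)   # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    + b"\x00/etc/ld.so.cache\x00https://example.invalid/update\x00ok\x00"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it on a real file with triage(open(path, "rb").read()). This stops at the header: the dynamic section the post queries with readelf -d (the NEEDED libraries) is not parsed here, and the individual imported functions live in the dynamic symbol table, which readelf --dyn-syms or nm -D will list.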

Only then, the disassembler

By the time you open Ghidra or your tool of choice, you already have a hypothesis to test rather than a blank wall to climb. That’s the whole point of the triage pass — it turns “reverse this” into “confirm or kill this specific guess.”

I’ll go deeper on the disassembly step in a later post. For now this is the checklist I keep forgetting and re-learning.