Binary Analysis Tools for exploring and reverse engineering binary files, firmware, and unknown data. Quick Reference Tool Purpose Install strings Extract printable text from binaries Built-in (binutils) binwalk Firmware analysis, file extraction pip install binwalk or cargo install binwalk hexdump Hex/ASCII dump Built-in xxd Hex dump with reverse capability Built-in (vim) file Identify file type Built-in strings - Extract Text from Binaries Find human-readable strings embedded in binary files.

Basic usage - find all printable strings (min 4 chars)

strings binary_file

Set minimum string length

strings -n 10 binary_file

Only strings >= 10 chars

Show file offset of each string

strings -t x binary_file

Hex offset

strings -t d binary_file

Decimal offset

Search for specific patterns

strings binary_file | grep -i password strings binary_file | grep -E 'https?://' strings binary_file | grep -i api_key

Wide character strings (UTF-16)

strings -e l binary_file

Little-endian 16-bit

strings -e b binary_file

Big-endian 16-bit

strings -e L binary_file

Little-endian 32-bit

Scan entire file (not just initialized data sections)

strings -a binary_file Common discoveries with strings: Hardcoded credentials, API keys URLs and endpoints Error messages (hints at functionality) Library versions Debug symbols and function names Configuration paths binwalk - Firmware Analysis Identify and extract embedded files, analyze entropy, find hidden data.

Signature scan - identify embedded files/data

binwalk firmware.bin

Extract all identified files

binwalk -e firmware.bin

Extract to _firmware.bin.extracted/

binwalk --extract firmware.bin

Same as -e

Recursive extraction (extract files within extracted files)

binwalk -Me firmware.bin

Entropy analysis - find compressed/encrypted regions

binwalk -E firmware.bin

Generate entropy graph

binwalk --entropy firmware.bin

Opcode analysis - identify CPU architecture

binwalk -A firmware.bin binwalk --opcodes firmware.bin

Raw byte extraction at offset

binwalk --dd = 'type:extension' firmware.bin

Specific signature types

binwalk --signature firmware.bin

File signatures only

binwalk --raw = '\x1f\x8b' firmware.bin

Search for gzip magic bytes

binwalk output interpretation: DECIMAL HEXADECIMAL DESCRIPTION

0 0x0 TRX firmware header 28 0x1C LZMA compressed data 1835008 0x1C0000 Squashfs filesystem, little endian hexdump / xxd - Raw Hex Analysis

Hex + ASCII dump

hexdump -C binary_file xxd binary_file

Dump specific byte range

xxd -s 0x100 -l 256 binary_file

256 bytes starting at offset 0x100

Just hex, no ASCII

hexdump -v -e '/1 "%02x "' binary_file

Create hex dump that can be reversed

xxd binary_file

hex.txt xxd -r hex.txt

reconstructed_binary

Find specific bytes

xxd binary_file | grep "504b"

Look for PK (ZIP signature)

file - Identify File Types

Basic identification

file unknown_file file -i unknown_file

MIME type

Check multiple files

file *

Follow symlinks

file -L symlink Common Analysis Workflows Unknown Binary Exploration

1. Identify file type

file mystery_file

2. Check for embedded files

binwalk mystery_file

3. Extract strings

strings -n 8 mystery_file | head -100

4. Look at hex header

xxd mystery_file | head -20

5. Check entropy (compressed/encrypted?)

binwalk -E mystery_file Firmware Analysis

1. Initial scan

binwalk firmware.bin

2. Extract everything

binwalk -Me firmware.bin

3. Explore extracted filesystem

find _firmware.bin.extracted -type f -name "*.conf" find _firmware.bin.extracted -type f -name "passwd"

4. Search for secrets

grep -r "password" _firmware.bin.extracted/ strings -n 10 firmware.bin | grep -i -E "(pass|key|secret|token)" Finding Hidden Data

Check for data after end of file

binwalk -E file.jpg

Entropy spike at end = appended data

Look for embedded archives

binwalk file.jpg | grep -E "(Zip|RAR|7z|gzip)"

Extract with offset

dd

if

=

file.jpg

of

=

hidden.zip

bs

=

1

skip

=

12345

File Signatures (Magic Bytes)

Signature

Hex

File Type

PK

50 4B 03 04

ZIP archive

Rar!

52 61 72 21

RAR archive

7z

37 7A BC AF

7-Zip

ELF

7F 45 4C 46

Linux executable

MZ

4D 5A

Windows executable

PNG

89 50 4E 47

PNG image

JFIF

FF D8 FF E0

JPEG image

sqsh

73 71 73 68

SquashFS

hsqs

68 73 71 73

SquashFS (LE)

Tips

Start with entropy

High entropy = compressed or encrypted

Look for strings first

Often reveals purpose quickly

Check file headers

First 16 bytes often identify format

Use recursive extraction

Firmware often has nested archives
Save offsets: Note interesting locations for targeted extraction

安装

Basic usage - find all printable strings (min 4 chars)

Set minimum string length

Only strings >= 10 chars

Show file offset of each string

Hex offset

Decimal offset

Search for specific patterns

Wide character strings (UTF-16)

Little-endian 16-bit

Big-endian 16-bit

Little-endian 32-bit

Scan entire file (not just initialized data sections)

Signature scan - identify embedded files/data

Extract all identified files

Extract to _firmware.bin.extracted/

Same as -e

Recursive extraction (extract files within extracted files)

Entropy analysis - find compressed/encrypted regions

Generate entropy graph

Opcode analysis - identify CPU architecture

Raw byte extraction at offset

Specific signature types

File signatures only

Search for gzip magic bytes

Hex + ASCII dump

Dump specific byte range

256 bytes starting at offset 0x100

Just hex, no ASCII

Create hex dump that can be reversed

Find specific bytes

Look for PK (ZIP signature)

Basic identification

MIME type

Check multiple files

Follow symlinks

1. Identify file type

2. Check for embedded files

3. Extract strings

4. Look at hex header

5. Check entropy (compressed/encrypted?)

1. Initial scan

2. Extract everything

3. Explore extracted filesystem

4. Search for secrets

Check for data after end of file

Entropy spike at end = appended data

Look for embedded archives

Extract with offset