analyze
Analyze binary files to extract disassembly, headers, strings, and metadata for reverse engineering and debugging purposes.
Instructions
Static binary analysis tool for reverse engineering and debugging. Operations: disassemble (x86/x64/ARM/ARM64 disassembly), pe_info (PE header/sections/imports/exports), elf_info (ELF header/sections/symbols), macho_info (Mach-O header/segments/symbols), strings (extract printable strings from binary), hexdump (hex+ASCII view), pattern_search (hex byte pattern with ?? wildcards), entropy (Shannon entropy per section), bin_diff (two-file byte comparison), resource_info (PE resources and version info), imphash (PE import hash for malware classification), rich_header (PE build tool fingerprint), overlay_detect (detect appended data after last section), dwarf_info (debug symbol info). Pure Go implementation — no external tools needed. Supports x86, x64, ARM, ARM64. For runtime debugging, use the debug tool instead.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| operation | Yes | Operation: disassemble, pe_info, elf_info, macho_info, strings, hexdump, pattern_search, entropy, bin_diff, resource_info, imphash, rich_header, overlay_detect, dwarf_info | |
| file_path | Yes | Absolute path to the binary file | |
| offset | No | Byte offset to start from | 0 |
| count | No | Number of instructions (disassemble). Max: 200 | 50 |
| mode | No | CPU mode: 32 or 64 | 64 |
| base_addr | No | Base address for display (hex string, e.g. '0x140001000') | 0x0 |
| arch | No | CPU architecture: x86 or arm. For disassemble | x86 |
| min_length | No | Minimum string length for strings operation | 4 |
| max_results | No | Maximum number of results for strings. Max: 2000 | 500 |
| encoding | No | String encoding to search for: ascii or utf8 | ascii |
| length | No | Number of bytes for hexdump. Max: 4096 | 256 |
| section | No | Filter by section name (e.g. '.text', '.rdata'). Empty = show all | |
| rva | No | RVA to convert to file offset (hex string, e.g. '0x36A20'). For pe_info only | |
| pattern | No | Hex byte pattern with ?? wildcards (e.g. '4D 5A ?? ?? 50 45'). For pattern_search | |
| file_path_b | No | Absolute path to the second file for bin_diff comparison | |
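
The `pattern` syntax used by pattern_search can be read as a value/mask match, shown here in Go. This is an added example, not the tool's own implementation; the function names `parsePattern` and `searchPattern` and the sample bytes are assumptions made for illustration.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// parsePattern turns "4D 5A ?? ?? 50 45" into value/mask bytes; ?? gets mask 0x00.
func parsePattern(s string) (val, mask []byte, err error) {
	for _, tok := range strings.Fields(s) {
		if tok == "??" {
			val, mask = append(val, 0x00), append(mask, 0x00)
			continue
		}
		b, derr := hex.DecodeString(tok)
		if derr != nil || len(b) != 1 {
			return nil, nil, fmt.Errorf("bad token %q: want two hex digits or ??", tok)
		}
		val, mask = append(val, b[0]), append(mask, 0xFF)
	}
	if len(val) == 0 {
		return nil, nil, fmt.Errorf("empty pattern")
	}
	return val, mask, nil
}

// searchPattern lists every match offset; an empty pattern yields no hits.
func searchPattern(data, val, mask []byte) []int {
	var hits []int
next:
	for i := 0; len(val) > 0 && i+len(val) <= len(data); i++ {
		for j := range val {
			if data[i+j]&mask[j] != val[j] {
				continue next
			}
		}
		hits = append(hits, i)
	}
	return hits
}

func main() {
	// Constructed sample: one match at offset 1, then a near miss ending 50 44.
	data := []byte("\x00MZ\x90\x00PEMZ\x01\x02PD")
	val, mask, err := parsePattern("4D 5A ?? ?? 50 45")
	fmt.Println(searchPattern(data, val, mask), err)
}
```

Rejecting tokens that are not exactly two hex digits or `??` keeps a mistyped pattern from silently matching something else.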