A lot of times it is just poring over code looking for bugs that have already been found in other locations in the code.
For example. this is a use after free bug. You can statically analyze disassembled code to find places where this might be happenning, and then figure out how to exploit that instance of the bug.
For example. this is a use after free bug. You can statically analyze disassembled code to find places where this might be happenning, and then figure out how to exploit that instance of the bug.