CTF逆向工程实战指南：工具、反分析技术与二进制模式解析

ctf-reverse by ljagiello/ctf-skills

774 周安装量

694 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-reverse

开发安全

🇨🇳中文介绍

CTF 逆向工程

逆向工程挑战快速参考。详细技术请参阅支持文件。

额外资源

tools.md - 静态分析工具（GDB、Ghidra、radare2、IDA、Binary Ninja、dogbolt.org、使用 Capstone 的 RISC-V、Unicorn 模拟、Python 字节码、WASM、Android APK、.NET、加壳二进制文件）
tools-dynamic.md （包含针对 movfuscated 二进制文件的 Intel Pin 指令计数侧信道）- 动态分析工具：Frida（挂钩、反调试绕过、内存扫描、Android/iOS）、angr 符号执行（路径探索、约束、CFG）、lldb（macOS/LLVM 调试器）、x64dbg（Windows）、Qiling（支持操作系统的跨平台模拟）、Triton（动态符号执行）
tools-advanced.md - 高级工具：VMProtect/Themida 分析、二进制差异比较（BinDiff、Diaphora）、反混淆框架（D-810、GOOMBA、Miasm）、Rizin/Cutter、RetDec、高级 GDB（Python 脚本、条件断点、观察点、使用 rr 进行反向调试、pwndbg/GEF）、高级 Ghidra 脚本、补丁（Binary Ninja API、LIEF）
anti-analysis.md - 全面的反分析：Linux 反调试（ptrace、/proc、计时、信号、直接系统调用）、Windows 反调试（PEB、NtQueryInformationProcess、堆标志、TLS 回调、硬件/软件断点检测、基于异常、线程隐藏）、反虚拟机/沙箱（CPUID、MAC、计时、特征、资源）、反 DBI（Frida 检测/绕过）、代码完整性/自哈希、反反汇编（不透明谓词、垃圾字节）、MBA 识别/简化、绕过策略
patterns.md - 基础二进制模式：自定义虚拟机、反调试、nanomites、自修改代码、XOR 密码、混合模式加载器、LLVM 混淆、S-box/密钥流、SECCOMP/BPF、异常处理程序、内存转储、逐字节转换、x86-64 陷阱、基于信号的探索、恶意软件反分析、多阶段 shellcode、计时侧信道、使用诱饵 + 信号处理程序的 MBA 多线程反调试
patterns-ctf.md - 竞赛特定模式（第一部分）：隐藏的模拟器操作码、LD_PRELOAD 密钥提取、SPN 静态提取、图像 XOR 平滑度、逐字节密码、数学收敛位图、Windows PE XOR 位图 OCR、两阶段 RC4+VM 加载器、GBA ROM 中间相遇、Sprague-Grundy 博弈论、内核模块迷宫求解、多线程虚拟机通道、通过字符串差异比较检测后门共享库、带有 RC4 扁平二进制文件的自定义 binfmt 内核模块、哈希解析导入 / 无导入勒索软件、用于反分析的 ELF 节头损坏
patterns-ctf-2.md - 竞赛特定模式（第二部分）：多层自解密暴力破解、嵌入式 ZIP+XOR 许可证、栈字符串反混淆、前缀哈希暴力破解、用于整数验证的 CVP/LLL 格、决策树函数混淆、GLSL 着色器虚拟机、GF(2^8) 高斯消元法、Z3 单行 Python 电路、滑动窗口人口计数、通过 ioctl 的键盘 LED 摩尔斯电码

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

问题解决工作流

从字符串提取开始 - 许多简单挑战包含明文 flag
尝试 ltrace/strace - 动态分析通常无需逆向即可揭示 flag
尝试 Frida 挂钩 - 挂钩 strcmp/memcmp 以捕获期望值，无需逆向
尝试 angr - 符号执行可自动解决许多 flag 检查器
尝试 Qiling - 模拟异架构二进制文件或绕过繁重的反调试，不留痕迹
在修改执行流程之前映射控制流
通过脚本（r2pipe、Frida、angr、Python）自动化手动流程
通过比较反编译器输出（使用 dogbolt.org 进行并排比较）验证假设

快速制胜（先尝试这些！）

# 明文 flag 提取
strings binary | grep -E "flag\{|CTF\{|pico"
strings binary | grep -iE "flag|secret|password"
rabin2 -z binary | grep -i "flag"

# 动态分析 - 通常直接捕获 flag
ltrace ./binary
strace -f -s 500 ./binary

# 十六进制转储搜索
xxd binary | grep -i flag

# 使用测试输入运行
./binary AAAA
echo "test" | ./binary

file binary           # 类型，架构
checksec --file=binary # 安全特性（用于 pwn）
chmod +x binary       # 设为可执行

关键洞察： 让程序计算答案，然后转储它。在最终比较处中断（b *main+OFFSET），输入任何长度正确的输入，然后使用 x/s $rsi 转储计算出的 flag。

模式： 在真实检查之前有多个虚假目标。

查找序列中的多个比较目标
检查不同的成功消息
追踪哪个比较是最后被检查的

解决方案： 在最终比较处设置断点，而不是在较早的比较处。

PIE 二进制文件随机化基地址。使用相对断点：

gdb ./binary
start                    # 强制 PIE 基地址解析
b *main+0xca            # 相对于 main
run

比较方向（关键！）

transform(flag) == stored_target - 反转变换
transform(stored_target) == flag - Flag 就是变换后的数据！

模式 2 解决方案： 不要反转 - 直接对存储的目标应用变换。

与单字节 XOR - 尝试所有 256 个值
与已知明文 XOR（flag{、CTF{）
使用硬编码密钥的 RC4
自定义排列 + XOR
与位置索引 XOR（^ i 或 ^ (i & 0xff)）并与重复密钥分层

# Radare2
r2 -d ./binary     # 调试模式
aaa                # 分析
afl                # 列出函数
pdf @ main         # 反汇编 main

# Ghidra（无头模式）
analyzeHeadless project/ tmp -import binary -postScript script.py

# IDA
ida64 binary       # 在 IDA64 中打开

二进制文件类型

使用 marshal.load() + dis.dis() 反汇编。头部：8 字节（2.x）、12（3.0-3.6）、16（3.7+）。参见 languages.md。

wasm2c checker.wasm -o checker.c
gcc -O3 checker.c wasm-rt-impl.c -o checker

# WASM 修补（游戏挑战）：
wasm2wat main.wasm -o main.wat    # 二进制 → 文本
# 编辑 WAT：翻转比较，更改常量
wat2wasm main.wat -o patched.wasm # 文本 → 二进制

WASM 游戏修补（Tac Tic Toe, Pragyan 2026）： 如果证明生成与移动质量无关，则修补 minimax（将 i64.lt_s 翻转为 i64.gt_s，更改 bestScore 符号）以使 AI 表现糟糕，同时证明保持有效。调用 /ctf-misc 获取完整的游戏修补模式（games-and-vms）。

apktool d app.apk -o decoded/ 用于资源；jadx app.apk 用于 Java 反编译。检查 decoded/res/values/strings.xml 中的 flag。参见 tools.md。

Flutter APK（Dart AOT）

如果存在 lib/arm64-v8a/libapp.so + libflutter.so，使用 Blutter：python3 blutter.py path/to/app/lib/arm64-v8a out_dir。输出重建的 Dart 符号 + Frida 脚本。参见 tools.md。

dnSpy - 调试 + 反编译
ILSpy - 反编译器

upx -d packed -o unpacked

如果解包失败，首先检查 UPX 元数据：验证 UPX 节名称、头部字段和版本标记是否完整。如果元数据看起来被篡改或不确定，请查看 GitHub 上的 UPX 源代码以识别可能的修改点。

Tauri 打包的桌面应用

Tauri 将 Brotli 压缩的前端资源嵌入可执行文件中。查找 index.html 的交叉引用以定位资源索引表，转储 blob，Brotli 解压缩。参考：tauri-codegen/src/embedded_assets.rs。

IsDebuggerPresent() / PEB.BeingDebugged / NtQueryInformationProcess（Windows）
ptrace(PTRACE_TRACEME) / /proc/self/status TracerPid（Linux）
TLS 回调（在 main 之前运行 — 检查 PE TLS 目录）
计时检查（rdtsc、clock_gettime、GetTickCount）
硬件断点检测（通过 GetThreadContext 的 DR0-DR3）
INT3 扫描 / 代码自哈希（.text 节的 CRC）
基于信号：SIGTRAP 处理程序、SIGALRM 超时、用于真实逻辑的 SIGSEGV
Frida/DBI 检测：/proc/self/maps 扫描、端口 27042、内联钩子检查

绕过：在检查处设置断点，修改寄存器以绕过条件。pwntools 补丁：elf.asm(elf.symbols.ptrace, 'ret') 将函数替换为立即返回。参见 patterns.md。

有关全面的反分析技术和绕过方法（30 多种方法及代码），请参阅 anti-analysis.md。

S-Box / 密钥流模式

Xorshift32： 位移 13, 17, 5 Xorshift64： 位移 12, 25, 27 魔法常量： 0x2545f4914f6cdd1d、0x9e3779b97f4a7c15

自定义虚拟机分析

识别结构：寄存器、内存、指令指针
反转 executeIns 以获取操作码含义
编写将操作码映射到助记符的反汇编器
通常比完全反转更容易进行暴力破解
查找通过命令行参数加载的字节码文件

参见 patterns.md 了解虚拟机工作流、操作码表和状态机 BFS。

顺序密钥链暴力破解： 当虚拟机以小数据块（例如，3 字节 = 2^24 个候选）验证输入，且每个块的输出密钥馈送到下一个块时，使用 OpenMP 并行化顺序暴力破解每个块。使用 gcc -O3 -march=native -fopenmp 编译求解器。参见 patterns-ctf-2.md。

Python 字节码逆向工程

带有交错奇偶表的 XOR flag 检查器很常见。参见 languages.md 了解字节码分析技巧和逆向模式。

基于信号的二进制探索

二进制文件使用 UNIX 信号作为二叉树导航；通过 LD_PRELOAD 挂钩 sigaction，通过发送信号进行 DFS。参见 patterns.md。

通过修补绕过恶意软件反分析

翻转 JNZ/JZ（0x75/0x74），更改休眠值，在 Ghidra 中修补环境检查（Ctrl+Shift+G）。参见 patterns.md。

objdump -s -j .rodata binary | less
# 在比较指令附近查找
# 大小与 flag 长度匹配

符号扩展和 32 位截断的陷阱。参见 patterns.md 了解详情和代码示例。

迭代求解器模式

每个位置尝试每个字节（0-255），与期望输出匹配。统一变换捷径： 如果一个输入字节只改变一个输出字节，则构建 0..255 映射然后反转。参见 patterns.md 了解完整实现。

Unicorn 模拟（复杂状态）

from unicorn import * -- 映射段，设置栈，挂钩以跟踪。混合模式陷阱： 64 位存根通过 retf 跳转到 32 位需要切换到 UC_MODE_32 并复制 GPRs + EFLAGS + XMM 寄存器。参见 tools.md。

多阶段 Shellcode 加载器

嵌套的 shellcode 带有 XOR 解码循环；在 call rax 处中断，使用 set $rax=0 绕过 ptrace，从 mov 指令中提取 flag。参见 patterns.md。

计时侧信道攻击

验证时间随每个正确字符而变化；测量每个候选的经过时间以逐字节恢复 flag。参见 patterns.md。

Godot 游戏资源提取

使用 KeyDot 从可执行文件中提取加密密钥，然后使用 gdsdecomp 提取 .pck 包。参见 languages-platforms.md。

Roblox 场景文件分析

查询 Asset Delivery API 获取版本历史；解析 .rbxlbin 块（INST/PROP/PRNT）以跨版本差异比较脚本源代码。参见 languages-platforms.md。

未剥离二进制信息泄露

模式（不良操作安全）： 调试信息和文件路径泄露作者身份。

strings binary | grep "/home/"    # 主目录路径
strings binary | grep "/Users/"   # macOS 路径
file binary                       # 检查是否已剥离
readelf -S binary | grep debug    # 调试节是否存在？

自定义混淆函数逆向工程

二进制文件使用运行状态每次混淆输入 2 个字节；从 .rodata 提取目标，编写逆函数。参见 patterns.md。

Rust serde_json 模式恢复

反汇编 serde Visitor 实现以恢复预期的 JSON 模式；按顺序的字段名揭示 flag。参见 languages-platforms.md。

基于位置的变换逆向工程

二进制文件添加/减去位置索引；通过撤销每个索引的偏移量来反转。参见 patterns.md。

十六进制编码字符串比较

输入转换为十六进制，与常量比较。使用 xxd -r -p 解码。参见 patterns.md。

嵌入式 ZIP + XOR 许可证解密

二进制文件在 .rodata 中具有命名符号（EMBEDDED_ZIP、ENCRYPTED_MESSAGE）→ 提取包含许可证的 ZIP，将加密消息与许可证字节进行 XOR 以恢复 flag。无需执行。参见 patterns-ctf-2.md。

栈字符串反混淆（.rodata XOR 块）

二进制文件 mmap .rodata 块，XOR 反混淆，并使用它来验证输入。使用 pyelftools 重新实现验证循环以提取块。查找 0x9E3779B9、0x85EBCA6B 常量和 rol32()。参见 patterns-ctf-2.md。

前缀哈希暴力破解

二进制文件独立哈希每个前缀。通过匹配前缀哈希逐个恢复字符。参见 patterns-ctf-2.md。

模式： 二进制文件通过牛顿法收敛（例如，z^3-1=0）对坐标对进行分类。通过/失败结果的网格渲染 ASCII 艺术 flag。关键：二进制文件是分类器，而不是检查器 — 反转数学并可视化。参见 patterns-ctf.md。

RISC-V 二进制分析

静态链接、已剥离的 RISC-V ELF。使用带有 CS_MODE_RISCVC | CS_MODE_RISCV64 的 Capstone 处理混合压缩指令。使用 qemu-riscv64 模拟。注意假 flag 和带有增量密钥的 XOR 解密。参见 tools.md。

Sprague-Grundy 博弈论二进制

游戏二进制文件玩有界 Nim，使用 PRNG 进行必败位置移动。识别游戏框架（Grundy 值 = 堆数 % (k+1)，XOR 决定位置），通过用户输入反馈跟踪 PRNG 状态演变。参见 patterns-ctf.md。

内核模块迷宫求解

Rust 内核模块通过设备 ioctl 实现迷宫。动态枚举命令，构建带有诱饵避免的 DFS 求解器，部署为最小静态二进制文件（原始系统调用，无 libc）。参见 patterns-ctf.md。

带通道的多线程虚拟机

具有 16+ 个线程通过 futex 通道通信的自定义虚拟机。跨线程边界跟踪数据流，从 GDB 提取常量，注意反转的有效性逻辑，通过 BFS 状态空间搜索解决。参见 patterns-ctf.md。

用于约束整数验证的 CVP/LLL 格（HTB ShadowLabyrinth）

二进制文件通过矩阵乘法验证 flag，使用 64 位系数；解必须是可打印的 ASCII。在 SageMath 中使用 LLL 约简 + CVP 在约束范围内找到最近的格点。两阶段模式：阶段 1 恢复 AES 密钥，阶段 2 使用另一个线性系统（模 2^32）解密自定义虚拟机字节码。参见 patterns-ctf-2.md。

决策树函数混淆（HTB WonderSMS）

约 200+ 个自动生成的函数通过多项式比较路由输入。通过 Ghidra 无头模式脚本提取，而不是手动反转每个函数。来自已知输出格式的约束传播通过算术约束级联。参见 patterns-ctf-2.md。

Android JNI RegisterNatives 混淆（HTB WonderSMS）

JNI_OnLoad 中的 RegisterNatives 隐藏了哪个 C++ 函数处理每个 Java 本地方法（没有标准的 Java_com_pkg_Class_method 符号）。通过跟踪 JNI_OnLoad → RegisterNatives → fnPtr 找到真正的处理程序。使用来自 APK 的 x86_64 .so 以获得最佳的 Ghidra 反编译。参见 languages-platforms.md。

多层自解密二进制

N 层二进制文件，其中每一层使用用户提供的密钥字节 + SHA-NI 解密下一层。使用预言机（正确密钥 → 具有预期模式的有效代码）。使用每个候选 fork 的 COW 隔离进行 JIT 执行以提高速度。参见 patterns-ctf-2.md。

带有自修改代码的 GLSL 着色器虚拟机

模式： WebGL2 片段着色器在 256x256 RGBA 纹理（程序内存 + VRAM）上实现图灵完备虚拟机。自修改代码（STORE 操作码）修补绘图指令。GPU 并行性导致写入冲突 — 在 Python 中顺序模拟以恢复完整输出。参见 patterns-ctf-2.md。

用于 Flag 恢复的 GF(2^8) 高斯消元法

模式： 二进制文件在 GF(2^8) 上使用 AES 多项式（0x11b）执行高斯消元法。矩阵 + 增广向量在 .rodata 中；解向量就是 flag。在反汇编中查找常量 0x1b。加法是 XOR，乘法使用多项式约简。参见 patterns-ctf-2.md。

用于单行 Python 布尔电路的 Z3

模式： 单行 Python（2000+ 分号）带有海象运算符链，通过布尔电路将 flag 验证为大端整数。混淆的 XOR (a | b) & ~(a & b)。按分号分割，符号化翻译到 Z3，在一秒内解决。参见 patterns-ctf-2.md。

滑动窗口人口计数差分传播

模式： 二进制文件通过每个 16 位滑动窗口位置的期望人口计数来验证输入。人口计数差异创建递推关系：bit[i+16] = bit[i] + (data[i+1] - data[i])。暴力破解约 4000-8000 个有效的初始 16 位窗口；每个窗口确定整个位序列。参见 patterns-ctf-2.md。

Ruby/Perl 多语言约束满足

模式： 单个文件在 Ruby 和 Perl 中均有效，每种语言对密钥施加不同的约束。利用 =begin/=end（Ruby 块注释）与 =begin/=cut（Perl POD）在每个解释器中运行不同的代码。交集两种语言的约束以恢复唯一密钥。参见 languages-platforms.md。

Verilog/硬件逆向工程

模式： 用于状态机的 Verilog HDL 源代码，其隐藏条件受移位寄存器历史门控。分析 always @(posedge clk) 块和 case 语句以找到正确的输入序列。参见 languages-platforms.md。

带有 RC4 扁平二进制文件的自定义 binfmt 内核模块（BSidesSF 2026）

模式： 内核模块为加密的扁平二进制文件注册 binfmt 处理程序。反转 .ko 以找到 RC4 密钥（在 movabs 立即数中），解密扁平二进制文件，从模块的 vm_mmap 调用中按固定虚拟地址导入。参见 patterns-ctf.md。

哈希解析导入 / 无导入勒索软件（BSidesSF 2026）

模式： 具有零可见导入的二进制文件在运行时通过符号名哈希解析 API。跳过哈希反转 — 在 Docker 中通过 LD_PRELOAD 挂钩 OpenSSL 函数以直接捕获 AES 密钥。参见 patterns-ctf.md。

用于反分析的 ELF 节头损坏（BSidesSF 2026）

模式： 损坏的节头导致分析工具崩溃，但程序头完好无损，因此二进制文件正常运行。将 e_shoff 修补为零或使用 readelf -l（仅程序头）。Flag 隐藏在损坏的节之后，带有魔法标记 + XOR。参见 patterns-ctf.md。

Brainfuck 逐字符静态分析（BSidesSF 2026）

模式： 验证输入的 BF 程序具有 ,（读取字符）后跟 + 操作，其计数 = 期望的 ASCII 值。提取每个输入位置的增量计数以在不执行的情况下恢复期望输入。参见 languages.md。

通过读取计数预言机的 Brainfuck 侧信道（BSidesSF 2026）

模式： BF 输入验证器在字符正确时读取更多字节。计算每个候选的 , 操作次数 — 最高读取计数 = 正确字节。逐字符恢复。参见 languages.md。

Brainfuck 比较惯用法检测（BSidesSF 2026）

模式： 编译的 BF 使用固定的惯用法进行相等性检查（<[-<->] +<[>-<[-]]>[-<+>]）。检测解释器以检测模式并提取比较操作数（期望的 flag 字节）。参见 languages.md。

后门共享库检测

二进制文件在 GDB 中工作但在正常运行时失败（suid）？检查 ldd 是否有非标准 libc 路径，然后对可疑库与系统库进行 strings | diff 以查找注入的代码/密码。参见 patterns-ctf.md。

Go 二进制逆向工程

具有 go.buildid 的大型静态二进制文件？使用 GoReSym 恢复函数名（即使在已剥离的二进制文件上也有效）。Go 字符串是 {ptr, len} 对 — 不以空字符结尾。查找 main.main、runtime.gopanic、通道操作（runtime.chansend1/chanrecv1）。使用 Ghidra golang-loader 插件以获得

🇺🇸English

CTF Reverse Engineering

Quick reference for RE challenges. For detailed techniques, see supporting files.

Additional Resources

tools.md - Static analysis tools (GDB, Ghidra, radare2, IDA, Binary Ninja, dogbolt.org, RISC-V with Capstone, Unicorn emulation, Python bytecode, WASM, Android APK, .NET, packed binaries)
tools-dynamic.md (includes Intel Pin instruction-counting side channel for movfuscated binaries) - Dynamic analysis tools: Frida (hooking, anti-debug bypass, memory scanning, Android/iOS), angr symbolic execution (path exploration, constraints, CFG), lldb (macOS/LLVM debugger), x64dbg (Windows), Qiling (cross-platform emulation with OS support), Triton (dynamic symbolic execution)
tools-advanced.md - Advanced tools: VMProtect/Themida analysis, binary diffing (BinDiff, Diaphora), deobfuscation frameworks (D-810, GOOMBA, Miasm), Rizin/Cutter, RetDec, advanced GDB (Python scripting, conditional breakpoints, watchpoints, reverse debugging with rr, pwndbg/GEF), advanced Ghidra scripting, patching (Binary Ninja API, LIEF)
anti-analysis.md - Comprehensive anti-analysis: Linux anti-debug (ptrace, /proc, timing, signals, direct syscalls), Windows anti-debug (PEB, NtQueryInformationProcess, heap flags, TLS callbacks, HW/SW breakpoint detection, exception-based, thread hiding), anti-VM/sandbox (CPUID, MAC, timing, artifacts, resources), anti-DBI (Frida detection/bypass), code integrity/self-hashing, anti-disassembly (opaque predicates, junk bytes), MBA identification/simplification, bypass strategies
patterns.md - Foundational binary patterns: custom VMs, anti-debugging, nanomites, self-modifying code, XOR ciphers, mixed-mode stagers, LLVM obfuscation, S-box/keystream, SECCOMP/BPF, exception handlers, memory dumps, byte-wise transforms, x86-64 gotchas, signal-based exploration, malware anti-analysis, multi-stage shellcode, timing side-channel, multi-thread anti-debug with decoy + signal handler MBA
patterns-ctf.md - Competition-specific patterns (Part 1): hidden emulator opcodes, LD_PRELOAD key extraction, SPN static extraction, image XOR smoothness, byte-at-a-time cipher, mathematical convergence bitmap, Windows PE XOR bitmap OCR, two-stage RC4+VM loaders, GBA ROM meet-in-the-middle, Sprague-Grundy game theory, kernel module maze solving, multi-threaded VM channels, backdoored shared library detection via string diffing, custom binfmt kernel module with RC4 flat binaries, hash-resolved imports / no-import ransomware, ELF section header corruption for anti-analysis
patterns-ctf-2.md - Competition-specific patterns (Part 2): multi-layer self-decrypting brute-force, embedded ZIP+XOR license, stack string deobfuscation, prefix hash brute-force, CVP/LLL lattice for integer validation, decision tree function obfuscation, GLSL shader VM, GF(2^8) Gaussian elimination, Z3 single-line Python circuit, sliding window popcount, keyboard LED Morse code via ioctl
languages.md - Language-specific: Python bytecode & opcode remapping, Python version-specific bytecode, Pyarmor static unpack, DOS stubs, Unity IL2CPP, HarmonyOS HAP/ABC, Brainfuck/esolangs (+ BF character-by-character static analysis, BF side-channel read count oracle, BF comparison idiom detection), UEFI, transpilation to C, code coverage side-channel, OPAL functional reversing, non-bijective substitution
languages-platforms.md - Platform/framework-specific: Roblox place file analysis, Godot game asset extraction, Rust serde_json schema recovery, Android JNI RegisterNatives obfuscation, Frida Firebase Cloud Functions bypass, Verilog/hardware RE, prefix-by-prefix hash reversal, Ruby/Perl polyglot constraint satisfaction, Electron ASAR extraction + native binary analysis, Node.js npm runtime introspection
languages-compiled.md - Go binary reversing (GoReSym, goroutines, memory layout, channel ops, embed.FS, Go binary UUID patching for C2 enumeration), Rust binary reversing (demangling, Option/Result, Vec, panic strings), Swift binary reversing (demangling, protocol witness tables), Kotlin/JVM (coroutine state machines), C++ (vtable reconstruction, RTTI, STL patterns)
platforms.md - Platform-specific RE: macOS/iOS (Mach-O, code signing, Objective-C runtime, Swift, dyld, jailbreak bypass), embedded/IoT firmware (binwalk, UART/JTAG/SPI extraction, ARM/MIPS/AArch64, RTOS), kernel drivers (Linux .ko, eBPF, Windows .sys), game engines (Unreal Engine, Unity, anti-cheat, Lua), automotive CAN bus, RISC-V advanced, ARM64/AArch64 reversing and exploitation (calling convention, ROP gadgets, qemu-aarch64-static emulation)

Problem-Solving Workflow

Start with strings extraction - many easy challenges have plaintext flags
Try ltrace/strace - dynamic analysis often reveals flags without reversing
Try Frida hooking - hook strcmp/memcmp to capture expected values without reversing
Try angr - symbolic execution solves many flag-checkers automatically
Try Qiling - emulate foreign-arch binaries or bypass heavy anti-debug without artifacts
Map control flow before modifying execution
Automate manual processes via scripting (r2pipe, Frida, angr, Python)
Validate assumptions by comparing decompiler outputs (dogbolt.org for side-by-side)

Quick Wins (Try First!)

# Plaintext flag extraction
strings binary | grep -E "flag\{|CTF\{|pico"
strings binary | grep -iE "flag|secret|password"
rabin2 -z binary | grep -i "flag"

# Dynamic analysis - often captures flag directly
ltrace ./binary
strace -f -s 500 ./binary

# Hex dump search
xxd binary | grep -i flag

# Run with test inputs
./binary AAAA
echo "test" | ./binary

Initial Analysis

file binary           # Type, architecture
checksec --file=binary # Security features (for pwn)
chmod +x binary       # Make executable

Memory Dumping Strategy

Key insight: Let the program compute the answer, then dump it. Break at final comparison (b *main+OFFSET), enter any input of correct length, then x/s $rsi to dump computed flag.

Decoy Flag Detection

Pattern: Multiple fake targets before real check.

Identification:

Look for multiple comparison targets in sequence
Check for different success messages
Trace which comparison is checked LAST

Solution: Set breakpoint at FINAL comparison, not earlier ones.

GDB PIE Debugging

PIE binaries randomize base address. Use relative breakpoints:

gdb ./binary
start                    # Forces PIE base resolution
b *main+0xca            # Relative to main
run

Comparison Direction (Critical!)

Two patterns:

transform(flag) == stored_target - Reverse the transform
transform(stored_target) == flag - Flag IS the transformed data!

Pattern 2 solution: Don't reverse - just apply transform to stored target.

Common Encryption Patterns

XOR with single byte - try all 256 values
XOR with known plaintext (flag{, CTF{)
RC4 with hardcoded key
Custom permutation + XOR
XOR with position index (^ i or ^ (i & 0xff)) layered with a repeating key

Quick Tool Reference

# Radare2
r2 -d ./binary     # Debug mode
aaa                # Analyze
afl                # List functions
pdf @ main         # Disassemble main

# Ghidra (headless)
analyzeHeadless project/ tmp -import binary -postScript script.py

# IDA
ida64 binary       # Open in IDA64

Binary Types

Python .pyc

Disassemble with marshal.load() + dis.dis(). Header: 8 bytes (2.x), 12 (3.0-3.6), 16 (3.7+). See languages.md.

WASM

wasm2c checker.wasm -o checker.c
gcc -O3 checker.c wasm-rt-impl.c -o checker

# WASM patching (game challenges):
wasm2wat main.wasm -o main.wat    # Binary → text
# Edit WAT: flip comparisons, change constants
wat2wasm main.wat -o patched.wasm # Text → binary

WASM game patching (Tac Tic Toe, Pragyan 2026): If proof generation is independent of move quality, patch minimax (flip i64.lt_s → i64.gt_s, change bestScore sign) to make AI play badly while proofs remain valid. Invoke /ctf-misc for full game patching patterns (games-and-vms).

Android APK

apktool d app.apk -o decoded/ for resources; jadx app.apk for Java decompilation. Check decoded/res/values/strings.xml for flags. See tools.md.

Flutter APK (Dart AOT)

If lib/arm64-v8a/libapp.so + libflutter.so present, use Blutter: python3 blutter.py path/to/app/lib/arm64-v8a out_dir. Outputs reconstructed Dart symbols + Frida script. See tools.md.

.NET

dnSpy - debugging + decompilation
ILSpy - decompiler

Packed (UPX)

upx -d packed -o unpacked

If unpacking fails, inspect UPX metadata first: verify UPX section names, header fields, and version markers are intact. If metadata looks tampered or uncertain, review UPX source on GitHub to identify likely modification points.

Tauri Packed Desktop Apps

Tauri embeds Brotli-compressed frontend assets in the executable. Find index.html xrefs to locate asset index table, dump blobs, Brotli decompress. Reference: tauri-codegen/src/embedded_assets.rs.

Anti-Debugging Bypass

Common checks:

IsDebuggerPresent() / PEB.BeingDebugged / NtQueryInformationProcess (Windows)
ptrace(PTRACE_TRACEME) / /proc/self/status TracerPid (Linux)
TLS callbacks (run before main — check PE TLS Directory)
Timing checks (rdtsc, clock_gettime, GetTickCount)
Hardware breakpoint detection (DR0-DR3 via GetThreadContext)
INT3 scanning / code self-hashing (CRC over .text section)
Signal-based: SIGTRAP handler, SIGALRM timeout, SIGSEGV for real logic
Frida/DBI detection: /proc/self/maps scan, port 27042, inline hook checks

Bypass: Set breakpoint at check, modify register to bypass conditional. pwntools patch: elf.asm(elf.symbols.ptrace, 'ret') to replace function with immediate return. See patterns.md.

For comprehensive anti-analysis techniques and bypasses (30+ methods with code), see anti-analysis.md.

S-Box / Keystream Patterns

Xorshift32: Shifts 13, 17, 5 Xorshift64: Shifts 12, 25, 27 Magic constants: 0x2545f4914f6cdd1d, 0x9e3779b97f4a7c15

Custom VM Analysis

Identify structure: registers, memory, IP
Reverse executeIns for opcode meanings
Write disassembler mapping opcodes to mnemonics
Often easier to bruteforce than fully reverse
Look for the bytecode file loaded via command-line arg

See patterns.md for VM workflow, opcode tables, and state machine BFS.

Sequential key-chain brute-force: When a VM validates input in small blocks (e.g., 3 bytes = 2^24 candidates) with each block's output key feeding the next, brute-force each block sequentially with OpenMP parallelization. Compile solver with gcc -O3 -march=native -fopenmp. See patterns-ctf-2.md.

Python Bytecode Reversing

XOR flag checkers with interleaved even/odd tables are common. See languages.md for bytecode analysis tips and reversing patterns.

Signal-Based Binary Exploration

Binary uses UNIX signals as binary tree navigation; hook sigaction via LD_PRELOAD, DFS by sending signals. See patterns.md.

Malware Anti-Analysis Bypass via Patching

Flip JNZ/JZ (0x75/0x74), change sleep values, patch environment checks in Ghidra (Ctrl+Shift+G). See patterns.md.

Expected Values Tables

Locating:

objdump -s -j .rodata binary | less
# Look near comparison instructions
# Size matches flag length

x86-64 Gotchas

Sign extension and 32-bit truncation pitfalls. See patterns.md for details and code examples.

Iterative Solver Pattern

Try each byte (0-255) per position, match against expected output. Uniform transform shortcut: if one input byte only changes one output byte, build 0..255 mapping then invert. See patterns.md for full implementation.

Unicorn Emulation (Complex State)

from unicorn import * -- map segments, set up stack, hook to trace. Mixed-mode pitfall: 64-bit stub jumping to 32-bit via retf requires switching to UC_MODE_32 and copying GPRs + EFLAGS + XMM regs. See tools.md.

Multi-Stage Shellcode Loaders

Nested shellcode with XOR decode loops; break at call rax, bypass ptrace with set $rax=0, extract flag from mov instructions. See patterns.md.

Timing Side-Channel Attack

Validation time varies per correct character; measure elapsed time per candidate to recover flag byte-by-byte. See patterns.md.

Godot Game Asset Extraction

Use KeyDot to extract encryption key from executable, then gdsdecomp to extract .pck package. See languages-platforms.md.

Roblox Place File Analysis

Query Asset Delivery API for version history; parse .rbxlbin chunks (INST/PROP/PRNT) to diff script sources across versions. See languages-platforms.md.

Unstripped Binary Information Leaks

Pattern (Bad Opsec): Debug info and file paths leak author identity.

Quick checks:

strings binary | grep "/home/"    # Home directory paths
strings binary | grep "/Users/"   # macOS paths
file binary                       # Check if stripped
readelf -S binary | grep debug    # Debug sections present?

Custom Mangle Function Reversing

Binary mangles input 2 bytes at a time with running state; extract target from .rodata, write inverse function. See patterns.md.

Rust serde_json Schema Recovery

Disassemble serde Visitor implementations to recover expected JSON schema; field names in order reveal flag. See languages-platforms.md.

Position-Based Transformation Reversing

Binary adds/subtracts position index; reverse by undoing per-index offset. See patterns.md.

Hex-Encoded String Comparison

Input converted to hex, compared against constant. Decode with xxd -r -p. See patterns.md.

Embedded ZIP + XOR License Decryption

Binary with named symbols (EMBEDDED_ZIP, ENCRYPTED_MESSAGE) in .rodata → extract ZIP containing license, XOR encrypted message with license bytes to recover flag. No execution needed. See patterns-ctf-2.md.

Stack String Deobfuscation (.rodata XOR Blob)

Binary mmaps .rodata blob, XOR-deobfuscates, uses it to validate input. Reimplement verification loop with pyelftools to extract blob. Look for 0x9E3779B9, 0x85EBCA6B constants and rol32(). See patterns-ctf-2.md.

Prefix Hash Brute-Force

Binary hashes every prefix independently. Recover one character at a time by matching prefix hashes. See patterns-ctf-2.md.

Mathematical Convergence Bitmap

Pattern: Binary classifies coordinate pairs by Newton's method convergence (e.g., z^3-1=0). Grid of pass/fail results renders ASCII art flag. Key: the binary is a classifier, not a checker — reverse the math and visualize. See patterns-ctf.md.

RISC-V Binary Analysis

Statically linked, stripped RISC-V ELF. Use Capstone with CS_MODE_RISCVC | CS_MODE_RISCV64 for mixed compressed instructions. Emulate with qemu-riscv64. Watch for fake flags and XOR decryption with incremental keys. See tools.md.

Sprague-Grundy Game Theory Binary

Game binary plays bounded Nim with PRNG for losing-position moves. Identify game framework (Grundy values = pile % (k+1), XOR determines position), track PRNG state evolution through user input feedback. See patterns-ctf.md.

Kernel Module Maze Solving

Rust kernel module implements maze via device ioctls. Enumerate commands dynamically, build DFS solver with decoy avoidance, deploy as minimal static binary (raw syscalls, no libc). See patterns-ctf.md.

Multi-Threaded VM with Channels

Custom VM with 16+ threads communicating via futex channels. Trace data flow across thread boundaries, extract constants from GDB, watch for inverted validity logic, solve via BFS state space search. See patterns-ctf.md.

CVP/LLL Lattice for Constrained Integer Validation (HTB ShadowLabyrinth)

Binary validates flag via matrix multiplication with 64-bit coefficients; solutions must be printable ASCII. Use LLL reduction + CVP in SageMath to find nearest lattice point in the constrained range. Two-phase pattern: Phase 1 recovers AES key, Phase 2 decrypts custom VM bytecode with another linear system (mod 2^32). See patterns-ctf-2.md.

Decision Tree Function Obfuscation (HTB WonderSMS)

~200+ auto-generated functions routing input through polynomial comparisons. Script extraction via Ghidra headless rather than reversing each function manually. Constraint propagation from known output format cascades through arithmetic constraints. See patterns-ctf-2.md.

Android JNI RegisterNatives Obfuscation (HTB WonderSMS)

RegisterNatives in JNI_OnLoad hides which C++ function handles each Java native method (no standard Java_com_pkg_Class_method symbol). Find the real handler by tracing JNI_OnLoad → RegisterNatives → fnPtr. Use x86_64 .so from APK for best Ghidra decompilation. See languages-platforms.md.

Multi-Layer Self-Decrypting Binary

N-layer binary where each layer decrypts the next using user-provided key bytes + SHA-NI. Use oracle (correct key → valid code with expected pattern). JIT execution with fork-per-candidate COW isolation for speed. See patterns-ctf-2.md.

GLSL Shader VM with Self-Modifying Code

Pattern: WebGL2 fragment shader implements Turing-complete VM on a 256x256 RGBA texture (program memory + VRAM). Self-modifying code (STORE opcode) patches drawing instructions. GPU parallelism causes write conflicts — emulate sequentially in Python to recover full output. See patterns-ctf-2.md.

GF(2^8) Gaussian Elimination for Flag Recovery

Pattern: Binary performs Gaussian elimination over GF(2^8) with the AES polynomial (0x11b). Matrix + augmentation vector in .rodata; solution vector is the flag. Look for constant 0x1b in disassembly. Addition is XOR, multiplication uses polynomial reduction. See patterns-ctf-2.md.

Z3 for Single-Line Python Boolean Circuit

Pattern: Single-line Python (2000+ semicolons) with walrus operator chains validates flag as big-endian integer via boolean circuit. Obfuscated XOR (a | b) & ~(a & b). Split on semicolons, translate to Z3 symbolically, solve in under a second. See patterns-ctf-2.md.

Sliding Window Popcount Differential Propagation

Pattern: Binary validates input via expected popcount for each position of a 16-bit sliding window. Popcount differences create a recurrence: bit[i+16] = bit[i] + (data[i+1] - data[i]). Brute-force ~4000-8000 valid initial 16-bit windows; each determines the entire bit sequence. See patterns-ctf-2.md.

Ruby/Perl Polyglot Constraint Satisfaction

Pattern: Single file valid in both Ruby and Perl, each imposing different constraints on a key. Exploits =begin/=end (Ruby block comment) vs =begin/=cut (Perl POD) to run different code per interpreter. Intersect constraints from both languages to recover the unique key. See languages-platforms.md.

Verilog/Hardware RE

Pattern: Verilog HDL source for state machines with hidden conditions gated on shift register history. Analyze always @(posedge clk) blocks and case statements to find correct input sequences. See languages-platforms.md.

Custom binfmt Kernel Module with RC4 Flat Binaries (BSidesSF 2026)

Pattern: Kernel module registers binfmt handler for encrypted flat binaries. Reverse the .ko to find RC4 key (in movabs immediates), decrypt the flat binary, import at the fixed virtual address from the module's vm_mmap call. See patterns-ctf.md.

Hash-Resolved Imports / No-Import Ransomware (BSidesSF 2026)

Pattern: Binary with zero visible imports resolves APIs via symbol name hashing at runtime. Skip the hash reversing — hook OpenSSL functions via LD_PRELOAD in Docker to capture AES keys directly. See patterns-ctf.md.

ELF Section Header Corruption for Anti-Analysis (BSidesSF 2026)

Pattern: Corrupted section headers crash analysis tools but program headers are intact so binary runs normally. Patch e_shoff to zero or use readelf -l (program headers only). Flag hidden after corrupted sections with magic marker + XOR. See patterns-ctf.md.

Brainfuck Character-by-Character Static Analysis (BSidesSF 2026)

Pattern: BF programs validating input have , (read char) followed by + operations whose count = expected ASCII value. Extract increment counts per input position to recover expected input without execution. See languages.md.

Brainfuck Side-Channel via Read Count Oracle (BSidesSF 2026)

Pattern: BF input validators read more bytes when a character is correct. Count , operations per candidate — highest read count = correct byte. Character-by-character recovery. See languages.md.

Brainfuck Comparison Idiom Detection (BSidesSF 2026)

Pattern: Compiled BF uses fixed idioms for equality checks (<[-<->] +<[>-<[-]]>[-<+>]). Instrument interpreter to detect patterns and extract comparison operands (expected flag bytes). See languages.md.

Backdoored Shared Library Detection

Binary works in GDB but fails when run normally (suid)? Check ldd for non-standard libc paths, then strings | diff the suspicious vs. system library to find injected code/passwords. See patterns-ctf.md.

Go Binary Reversing

Large static binary with go.buildid? Use GoReSym to recover function names (works even on stripped binaries). Go strings are {ptr, len} pairs — not null-terminated. Look for main.main, runtime.gopanic, channel ops (runtime.chansend1/chanrecv1). Use Ghidra golang-loader plugin for best results. See languages-compiled.md.

Go Binary UUID Patching for C2 Enumeration (BSidesSF 2026)

Pattern: Go C2 client with UUID from -ldflags -X. Binary-patch UUID bytes (same length), register with C2, enumerate clients/files via API. See languages-compiled.md.

Rust Binary Reversing

Binary with core::panicking strings and _ZN mangled symbols? Use rustfilt for demangling. Panic messages contain source paths and line numbers — strings binary | grep "panicked" is the fastest approach. Option/Result enums use discriminant byte (0=None/Err, 1=Some/Ok). See languages-compiled.md.

Frida Dynamic Instrumentation

Hook runtime functions without modifying binary. frida -f ./binary -l hook.js to spawn with instrumentation. Hook strcmp/memcmp to capture expected values, bypass anti-debug by replacing ptrace return value, scan memory for flag patterns, replace validation functions. See tools-dynamic.md.

Frida Firebase Cloud Functions Bypass (BSidesSF 2026)

Pattern: Android app validates via Firebase Cloud Functions. Post-login Frida hook constructs valid payload (UID + value + timestamp) and calls Cloud Function directly, bypassing QR/payment validation. See languages-platforms.md.

angr Symbolic Execution

Automatic path exploration to find inputs satisfying constraints. Load binary with angr.Project, set find/avoid addresses, call simgr.explore(). Constrain input to printable ASCII and known prefix for faster solving. Hook expensive functions (crypto, I/O) to prevent path explosion. See tools-dynamic.md.

Qiling Emulation

Cross-platform binary emulation with OS-level support (syscalls, filesystem). Emulate Linux/Windows/ARM/MIPS binaries on any host. No debugger artifacts — bypasses all anti-debug by default. Hook syscalls and addresses with Python API. See tools-dynamic.md.

VMProtect / Themida Analysis

VMProtect virtualizes code into custom bytecode. Identify VM entry (pushad-like), find handler table (large indirect jump), trace handlers dynamically. For CTF, focus on tracing operations on input rather than full devirtualization. Themida: dump at OEP with ScyllaHide + Scylla. See tools-advanced.md.

Binary Diffing

BinDiff and Diaphora compare two binaries to highlight changes. Essential when challenge provides patched/original versions. Export from IDA/Ghidra, diff to find vulnerability or hidden functionality. See tools-advanced.md.

Advanced GDB (pwndbg, rr)

pwndbg: context, vmmap, search -s "flag{", telescope $rsp. GEF alternative. Reverse debugging with rr record/rr replay — step backward through execution. Python scripting for brute-force and automated tracing. See tools-advanced.md.

macOS / iOS Reversing

Mach-O binaries: otool -l for load commands, class-dump for Objective-C headers. Swift: swift demangle for symbols. iOS apps: decrypt FairPlay DRM with frida-ios-dump, bypass jailbreak detection with Frida hooks. Re-sign patched binaries with codesign -f -s -. See platforms.md.

Embedded / IoT Firmware RE

binwalk -Me firmware.bin for recursive extraction. Hardware: UART/JTAG/SPI flash for firmware dumps. Filesystems: SquashFS (unsquashfs), JFFS2, UBI. Emulate with QEMU: qemu-arm -L /usr/arm-linux-gnueabihf/ ./binary. See platforms.md.

Kernel Driver Reversing

Linux .ko: find ioctl handler via file_operations struct, trace copy_from_user/copy_to_user. Debug with QEMU+GDB (-s -S). eBPF: bpftool prog dump xlated. Windows .sys: find DriverEntry → IoCreateDevice → IRP handlers. See platforms.md.

Game Engine Reversing

Unreal: extract .pak with UnrealPakTool, reverse Blueprint bytecode with FModel. Unity Mono: decompile Assembly-CSharp.dll with dnSpy. Anti-cheat (EAC, BattlEye, VAC): identify system, bypass specific check. Lua games: luadec/unluac for bytecode. See platforms.md.

Swift / Kotlin Binary Reversing

Swift: swift demangle symbols, protocol witness tables for dispatch, __swift5_* sections. Kotlin/JVM: coroutines compile to state machines in invokeSuspend, jadx with Kotlin mode for best decompilation. Kotlin/Native: LLVM backend, looks like C++ in disassembly. See languages-compiled.md.

Weekly Installs

697

Repository

ljagiello/ctf-skills

GitHub Stars

664

First Seen

Feb 1, 2026

Security Audits

Gen Agent Trust HubWarn SocketWarn SnykWarn

Installed on

codex679

opencode677

github-copilot665

gemini-cli664

cursor662

amp659

React 组合模式指南：Vercel 组件架构最佳实践，提升代码可维护性

103,800 周安装