CTF Reverse Engineering

Quick reference for RE challenges. For detailed techniques, see supporting files.

Prerequisites

Python packages (all platforms):
CODEBLOCK0

Linux (apt):
CODEBLOCK1

macOS (Homebrew):
CODEBLOCK2

radare2 plugins:
CODEBLOCK3

Manual install:

- pwndbg — Linux: GitHub, macOS: INLINECODE0

Additional Resources

- tools.md - Static analysis tools (GDB, Ghidra, radare2, IDA, Binary Ninja, dogbolt.org, RISC-V with Capstone, Unicorn emulation, Python bytecode, WASM, Android APK, .NET, packed binaries)
tools-dynamic.md (includes Intel Pin instruction-counting side channel for movfuscated binaries, opcode-only trace reconstruction) - Dynamic analysis tools: Frida (hooking, anti-debug bypass, memory scanning, Android/iOS), angr symbolic execution (path exploration, constraints, CFG), lldb (macOS/LLVM debugger), x64dbg (Windows), Qiling (cross-platform emulation with OS support), Triton (dynamic symbolic execution)
tools-advanced.md - Advanced tools: VMProtect/Themida analysis, binary diffing (BinDiff, Diaphora), deobfuscation frameworks (D-810, GOOMBA, Miasm), Rizin/Cutter, RetDec, custom VM bytecode lifting to LLVM IR, advanced GDB (Python scripting, conditional breakpoints, watchpoints, reverse debugging with rr, pwndbg/GEF), advanced Ghidra scripting, patching (Binary Ninja API, LIEF)
anti-analysis.md - Comprehensive anti-analysis: Linux anti-debug (ptrace, /proc, timing, signals, direct syscalls), Windows anti-debug (PEB, NtQueryInformationProcess, heap flags, TLS callbacks, HW/SW breakpoint detection, exception-based, thread hiding), anti-VM/sandbox (CPUID, MAC, timing, artifacts, resources), anti-DBI (Frida detection/bypass), code integrity/self-hashing, anti-disassembly (opaque predicates, junk bytes), MBA identification/simplification, SIGFPE signal handler side-channel via strace counting, bypass strategies
patterns.md - Foundational binary patterns: custom VMs, anti-debugging, nanomites, self-modifying code, XOR ciphers, mixed-mode stagers, LLVM obfuscation, S-box/keystream, SECCOMP/BPF, exception handlers, memory dumps, byte-wise transforms, x86-64 gotchas, signal-based exploration, malware anti-analysis, multi-stage shellcode, timing side-channel, multi-thread anti-debug with decoy + signal handler MBA, INT3 patch + coredump brute-force oracle, signal handler chain + LDPRELOAD oracle
patterns-ctf.md - Competition-specific patterns (Part 1): hidden emulator opcodes, LDPRELOAD key extraction, SPN static extraction, image XOR smoothness, byte-at-a-time cipher, mathematical convergence bitmap, Windows PE XOR bitmap OCR, two-stage RC4+VM loaders, GBA ROM meet-in-the-middle, Sprague-Grundy game theory, kernel module maze solving, multi-threaded VM channels, backdoored shared library detection via string diffing, custom binfmt kernel module with RC4 flat binaries, hash-resolved imports / no-import ransomware, ELF section header corruption for anti-analysis
patterns-ctf-2.md - Competition-specific patterns (Part 2): multi-layer self-decrypting brute-force, embedded ZIP+XOR license, stack string deobfuscation, prefix hash brute-force, CVP/LLL lattice for integer validation, decision tree function obfuscation, GF(2^8) Gaussian elimination, ROP chain obfuscation analysis (ROPfuscation)
patterns-ctf-3.md - Competition-specific patterns (Part 3): Z3 single-line Python circuit, sliding window popcount, keyboard LED Morse code via ioctl, C++ destructor-hidden validation, syscall side-effect memory corruption, MFC dialog event handlers, VM sequential key-chain brute-force, Burrows-Wheeler transform inversion, OpenType font ligature exploitation, GLSL shader VM with self-modifying code, instruction counter as cryptographic state, batch crackme automation via objdump, fork+pipe+dead branch anti-analysis
languages.md - Language-specific: Python bytecode & opcode remapping, Python version-specific bytecode, Pyarmor static unpack, DOS stubs, Unity IL2CPP, HarmonyOS HAP/ABC, Brainfuck/esolangs (+ BF character-by-character static analysis, BF side-channel read count oracle, BF comparison idiom detection), UEFI, transpilation to C, code coverage side-channel, OPAL functional reversing, non-bijective substitution, FRACTRAN program inversion
languages-platforms.md - Platform/framework-specific: Roblox place file analysis, Godot game asset extraction, Rust serdejson schema recovery, Android JNI RegisterNatives obfuscation, Android DEX runtime bytecode patching via /proc/self/maps, Frida Firebase Cloud Functions bypass, Verilog/hardware RE, prefix-by-prefix hash reversal, Ruby/Perl polyglot constraint satisfaction, Electron ASAR extraction + native binary analysis, Node.js npm runtime introspection
languages-compiled.md - Go binary reversing (GoReSym, goroutines, memory layout, channel ops, embed.FS, Go binary UUID patching for C2 enumeration), Rust binary reversing (demangling, Option/Result, Vec, panic strings), Swift binary reversing (demangling, protocol witness tables), Kotlin/JVM (coroutine state machines), C++ (vtable reconstruction, RTTI, STL patterns)
platforms.md - Platform-specific RE: macOS/iOS (Mach-O, code signing, Objective-C runtime, Swift, dyld, jailbreak bypass), embedded/IoT firmware (binwalk, UART/JTAG/SPI extraction, ARM/MIPS, RTOS), kernel drivers (Linux .ko, eBPF, Windows .sys), game engines (Unreal Engine, Unity, anti-cheat, Lua), automotive CAN bus
platforms-hardware.md - Hardware and advanced architecture RE: HD44780 LCD controller GPIO reconstruction, RISC-V advanced (custom extensions, privileged modes, debugging), ARM64/AArch64 reversing and exploitation (calling convention, ROP gadgets, qemu-aarch64-static emulation)

When to Pivot

- If you already understand the binary and now need heap, ROP, or kernel exploitation, switch to /ctf-pwn.
If the challenge is really about recovering deleted files, PCAP data, or disk artifacts, switch to /ctf-forensics.
If the target is a web app and you are only reversing a small client-side helper script, switch to /ctf-web.
If the binary implements a machine learning model and the challenge is about model attacks or adversarial inputs, switch to /ctf-ai-ml.
If the reversed binary's core logic is a cryptographic algorithm or math problem, switch to /ctf-crypto.
If the binary is a real malware sample with C2, packing, or evasion behavior, switch to /ctf-malware.
If the challenge is a toy VM, encoding puzzle, or pyjail rather than a real binary, switch to /ctf-misc.

Problem-Solving Workflow

1. Start with strings extraction - many easy challenges have plaintext flags
Try ltrace/strace - dynamic analysis often reveals flags without reversing
Try Frida hooking - hook strcmp/memcmp to capture expected values without reversing
Try angr - symbolic execution solves many flag-checkers automatically
Try Qiling - emulate foreign-arch binaries or bypass heavy anti-debug without artifacts
Map control flow before modifying execution
Automate manual processes via scripting (r2pipe, Frida, angr, Python)
Validate assumptions by comparing decompiler outputs (dogbolt.org for side-by-side)

Quick Wins (Try First!)

CODEBLOCK4

Initial Analysis

CODEBLOCK5

Memory Dumping Strategy

Key insight: Let the program compute the answer, then dump it. Break at final comparison (b *main+OFFSET), enter any input of correct length, then x/s $rsi to dump computed flag.

Decoy Flag Detection

Pattern: Multiple fake targets before real check. Look for multiple comparison targets in sequence with different success messages. Set breakpoint at FINAL comparison, not earlier ones.

GDB PIE Debugging

PIE binaries randomize base address. Use relative breakpoints:
CODEBLOCK6

Comparison Direction (Critical!)

Two patterns: (1) transform(flag) == stored_target — reverse the transform. (2) transform(stored_target) == flag — flag IS the transformed data, just apply transform to stored target.

Common Encryption Patterns

- XOR with single byte - try all 256 values
XOR with known plaintext (flag{, CTF{)
RC4 with hardcoded key
Custom permutation + XOR
XOR with position index (^ i or ^ (i & 0xff)) layered with a repeating key

Quick Tool Reference

CODEBLOCK7

Binary Types

Python .pyc
Disassemble with marshal.load() + dis.dis(). Header: 8 bytes (2.x), 12 (3.0-3.6), 16 (3.7+). See languages.md.
WASM
CODEBLOCK8
WASM game patching (Tac Tic Toe, Pragyan 2026): If proof generation is independent of move quality, patch minimax (flip i64.lt_s → i64.gt_s, change bestScore sign) to make AI play badly while proofs remain valid. Invoke /ctf-misc for full game patching patterns (games-and-vms).

Android APK
apktool d app.apk -o decoded/ for resources; jadx app.apk for Java decompilation. Check decoded/res/values/strings.xml for flags. See tools.md.
Flutter APK (Dart AOT)
If lib/arm64-v8a/libapp.so + libflutter.so present, use Blutter: python3 blutter.py path/to/app/lib/arm64-v8a out_dir. Outputs reconstructed Dart symbols + Frida script. See tools.md.
.NET

- dnSpy - debugging + decompilation
ILSpy - decompiler

Packed (UPX)

upx -d packed -o unpacked
If unpacking fails, inspect UPX metadata first: verify UPX section names, header fields, and version markers are intact. If metadata looks tampered or uncertain, review UPX source on GitHub to identify likely modification points.
Tauri Packed Desktop Apps
Tauri embeds Brotli-compressed frontend assets in the executable. Find index.html xrefs to locate asset index table, dump blobs, Brotli decompress. Reference: tauri-codegen/src/embedded_assets.rs.
Anti-Debugging Bypass

Common checks:

- IsDebuggerPresent() / PEB.BeingDebugged / NtQueryInformationProcess (Windows)
INLINECODE30 / /proc/self/status TracerPid (Linux)
TLS callbacks (run before main — check PE TLS Directory)
Timing checks (rdtsc, clock_gettime, GetTickCount)
Hardware breakpoint detection (DR0-DR3 via GetThreadContext)
INT3 scanning / code self-hashing (CRC over .text section)
Signal-based: SIGTRAP handler, SIGALRM timeout, SIGSEGV for real logic
Frida/DBI detection: /proc/self/maps scan, port 27042, inline hook checks

Bypass: Set breakpoint at check, modify register to bypass conditional.
pwntools patch: elf.asm(elf.symbols.ptrace, 'ret') to replace function with immediate return. See patterns.md.

For comprehensive anti-analysis techniques and bypasses (30+ methods with code), see anti-analysis.md.

S-Box / Keystream Patterns

Xorshift32: Shifts 13, 17, 5
Xorshift64: Shifts 12, 25, 27
Magic constants: 0x2545f4914f6cdd1d, INLINECODE38

Custom VM Analysis

1. Identify structure: registers, memory, IP
Reverse executeIns for opcode meanings
Write disassembler mapping opcodes to mnemonics
Often easier to bruteforce than fully reverse
Look for the bytecode file loaded via command-line arg

See patterns.md for VM workflow, opcode tables, and state machine BFS.

Sequential key-chain brute-force: When a VM validates input in small blocks (e.g., 3 bytes = 2^24 candidates) with each block's output key feeding the next, brute-force each block sequentially with OpenMP parallelization. Compile solver with gcc -O3 -march=native -fopenmp. See patterns-ctf-3.md.

Python Bytecode Reversing

XOR flag checkers with interleaved even/odd tables are common. See languages.md for bytecode analysis tips and reversing patterns.

Signal-Based Binary Exploration

Binary uses UNIX signals as binary tree navigation; hook sigaction via LD_PRELOAD, DFS by sending signals. See patterns.md.

Malware Anti-Analysis Bypass via Patching

Flip JNZ/JZ (0x75/0x74), change sleep values, patch environment checks in Ghidra (Ctrl+Shift+G). See patterns.md.

Expected Values Tables

Locate with objdump -s -j .rodata binary | less — look near comparison instructions, size matches flag length.

x86-64 Gotchas

Sign extension and 32-bit truncation pitfalls. See patterns.md for details and code examples.

Iterative Solver Pattern

Try each byte (0-255) per position, match against expected output. Uniform transform shortcut: if one input byte only changes one output byte, build 0..255 mapping then invert. See patterns.md for full implementation.

Unicorn Emulation (Complex State)

INLINECODE47 -- map segments, set up stack, hook to trace. Mixed-mode pitfall: 64-bit stub jumping to 32-bit via retf requires switching to UCMODE32 and copying GPRs + EFLAGS + XMM regs. See tools.md.

Multi-Stage Shellcode Loaders

Nested shellcode with XOR decode loops; break at call rax, bypass ptrace with set $rax=0, extract flag from mov instructions. See patterns.md.

Timing Side-Channel Attack

Validation time varies per correct character; measure elapsed time per candidate to recover flag byte-by-byte. See patterns.md.

Godot Game Asset Extraction

Use KeyDot to extract encryption key from executable, then gdsdecomp to extract .pck package. See languages-platforms.md.

Roblox Place File Analysis

Query Asset Delivery API for version history; parse .rbxlbin chunks (INST/PROP/PRNT) to diff script sources across versions. See languages-platforms.md.

Unstripped Binary Information Leaks

Pattern: Debug info and file paths leak author identity. Quick checks: strings binary | grep "/home/" (home dirs), file binary (stripped?), readelf -S binary | grep debug (debug sections).

Custom Mangle Function Reversing

Binary mangles input 2 bytes at a time with running state; extract target from .rodata, write inverse function. See patterns.md.

Rust serde_json Schema Recovery

Disassemble serde Visitor implementations to recover expected JSON schema; field names in order reveal flag. See languages-platforms.md.

Position-Based Transformation Reversing

Binary adds/subtracts position index; reverse by undoing per-index offset. See patterns.md.

Hex-Encoded String Comparison

Input converted to hex, compared against constant. Decode with xxd -r -p. See patterns.md.

Embedded ZIP + XOR License Decryption

Binary with named symbols (EMBEDDED_ZIP, ENCRYPTED_MESSAGE) in .rodata → extract ZIP containing license, XOR encrypted message with license bytes to recover flag. No execution needed. See patterns-ctf-2.md.

Stack String Deobfuscation (.rodata XOR Blob)

Binary mmaps .rodata blob, XOR-deobfuscates, uses it to validate input. Reimplement verification loop with pyelftools to extract blob. Look for 0x9E3779B9, 0x85EBCA6B constants and rol32(). See patterns-ctf-2.md.

Prefix Hash Brute-Force

Binary hashes every prefix independently. Recover one character at a time by matching prefix hashes. See patterns-ctf-2.md.

Mathematical Convergence Bitmap

Pattern: Binary classifies coordinate pairs by Newton's method convergence (e.g., z^3-1=0). Grid of pass/fail results renders ASCII art flag. Key: the binary is a classifier, not a checker — reverse the math and visualize. See patterns-ctf.md.

RISC-V Binary Analysis

Statically linked, stripped RISC-V ELF. Use Capstone with CS_MODE_RISCVC | CS_MODE_RISCV64 for mixed compressed instructions. Emulate with qemu-riscv64. Watch for fake flags and XOR decryption with incremental keys. See tools.md.

Sprague-Grundy Game Theory Binary

Game binary plays bounded Nim with PRNG for losing-position moves. Identify game framework (Grundy values = pile % (k+1), XOR determines position), track PRNG state evolution through user input feedback. See patterns-ctf.md.

Kernel Module Maze Solving

Rust kernel module implements maze via device ioctls. Enumerate commands dynamically, build DFS solver with decoy avoidance, deploy as minimal static binary (raw syscalls, no libc). See patterns-ctf.md.

Multi-Threaded VM with Channels

Custom VM with 16+ threads communicating via futex channels. Trace data flow across thread boundaries, extract constants from GDB, watch for inverted validity logic, solve via BFS state space search. See patterns-ctf.md.

CVP/LLL Lattice for Constrained Integer Validation (HTB ShadowLabyrinth)

Binary validates flag via matrix multiplication with 64-bit coefficients; solutions must be printable ASCII. Use LLL reduction + CVP in SageMath to find nearest lattice point in the constrained range. Two-phase pattern: Phase 1 recovers AES key, Phase 2 decrypts custom VM bytecode with another linear system (mod 2^32). See patterns-ctf-2.md.

Decision Tree Function Obfuscation (HTB WonderSMS)

~200+ auto-generated functions routing input through polynomial comparisons. Script extraction via Ghidra headless rather than reversing each function manually. Constraint propagation from known output format cascades through arithmetic constraints. See patterns-ctf-2.md.

Android JNI RegisterNatives Obfuscation (HTB WonderSMS)

INLINECODE68 in JNI_OnLoad hides which C++ function handles each Java native method (no standard Java_com_pkg_Class_method symbol). Find the real handler by tracing JNI_OnLoad → RegisterNatives → fnPtr. Use x8664 .so from APK for best Ghidra decompilation. See languages-platforms.md.

Multi-Layer Self-Decrypting Binary

N-layer binary where each layer decrypts the next using user-provided key bytes + SHA-NI. Use oracle (correct key → valid code with expected pattern). JIT execution with fork-per-candidate COW isolation for speed. See patterns-ctf-2.md.

GLSL Shader VM with Self-Modifying Code

Pattern: WebGL2 fragment shader implements Turing-complete VM on a 256x256 RGBA texture (program memory + VRAM). Self-modifying code (STORE opcode) patches drawing instructions. GPU parallelism causes write conflicts — emulate sequentially in Python to recover full output. See patterns-ctf-3.md.

GF(2^8) Gaussian Elimination for Flag Recovery

Pattern: Binary performs Gaussian elimination over GF(2^8) with the AES polynomial (0x11b). Matrix + augmentation vector in .rodata; solution vector is the flag. Look for constant 0x1b in disassembly. Addition is XOR, multiplication uses polynomial reduction. See patterns-ctf-2.md.

Z3 for Single-Line Python Boolean Circuit

Pattern: Single-line Python (2000+ semicolons) with walrus operator chains validates flag as big-endian integer via boolean circuit. Obfuscated XOR (a | b) & ~(a & b). Split on semicolons, translate to Z3 symbolically, solve in under a second. See patterns-ctf-3.md.

Sliding Window Popcount Differential Propagation

Pattern: Binary validates input via expected popcount for each position of a 16-bit sliding window. Popcount differences create a recurrence: bit[i+16] = bit[i] + (data[i+1] - data[i]). Brute-force ~4000-8000 valid initial 16-bit windows; each determines the entire bit sequence. See patterns-ctf-3.md.

Ruby/Perl Polyglot Constraint Satisfaction

Pattern: Single file valid in both Ruby and Perl, each imposing different constraints on a key. Exploits =begin/=end (Ruby block comment) vs =begin/=cut (Perl POD) to run different code per interpreter. Intersect constraints from both languages to recover the unique key. See languages-platforms.md.

Verilog/Hardware RE

Pattern: Verilog HDL source for state machines with hidden conditions gated on shift register history. Analyze always @(posedge clk) blocks and case statements to find correct input sequences. See languages-platforms.md.

Custom binfmt Kernel Module with RC4 Flat Binaries (BSidesSF 2026)

Pattern: Kernel module registers binfmt handler for encrypted flat binaries. Reverse the .ko to find RC4 key (in movabs immediates), decrypt the flat binary, import at the fixed virtual address from the module's vm_mmap call. See patterns-ctf.md.

Hash-Resolved Imports / No-Import Ransomware (BSidesSF 2026)

Pattern: Binary with zero visible imports resolves APIs via symbol name hashing at runtime. Skip the hash reversing — hook OpenSSL functions via LD_PRELOAD in Docker to capture AES keys directly. See patterns-ctf.md.

ELF Section Header Corruption for Anti-Analysis (BSidesSF 2026)

Pattern: Corrupted section headers crash analysis tools but program headers are intact so binary runs normally. Patch e_shoff to zero or use readelf -l (program headers only). Flag hidden after corrupted sections with magic marker + XOR. See patterns-ctf.md.

Brainfuck Character-by-Character Static Analysis (BSidesSF 2026)

Pattern: BF programs validating input have , (read char) followed by + operations whose count = expected ASCII value. Extract increment counts per input position to recover expected input without execution. See languages.md.

Brainfuck Side-Channel via Read Count Oracle (BSidesSF 2026)

Pattern: BF input validators read more bytes when a character is correct. Count , operations per candidate — highest read count = correct byte. Character-by-character recovery. See languages.md.

Brainfuck Comparison Idiom Detection (BSidesSF 2026)

Pattern: Compiled BF uses fixed idioms for equality checks (<[-<->] +<[>-<[-]]>[-<+>]). Instrument interpreter to detect patterns and extract comparison operands (expected flag bytes). See languages.md.

Backdoored Shared Library Detection

Binary works in GDB but fails when run normally (suid)? Check ldd for non-standard libc paths, then strings | diff the suspicious vs. system library to find injected code/passwords. See patterns-ctf.md.

Go Binary Reversing

Large static binary with go.buildid? Use GoReSym to recover function names (works even on stripped binaries). Go strings are {ptr, len} pairs — not null-terminated. Look for main.main, runtime.gopanic, channel ops (runtime.chansend1/chanrecv1). Use Ghidra golang-loader plugin for best results. See languages-compiled.md.

Go Binary UUID Patching for C2 Enumeration (BSidesSF 2026)

Pattern: Go C2 client with UUID from -ldflags -X. Binary-patch UUID bytes (same length), register with C2, enumerate clients/files via API. See languages-compiled.md.

D Language Binary Reversing

D language binaries have unique symbol mangling (not C++ style). Template-heavy, many function variants. Look for _D prefix in symbols. See languages-compiled.md.

Rust Binary Reversing

Binary with core::panicking strings and _ZN mangled symbols? Use rustfilt for demangling. Panic messages contain source paths and line numbers — strings binary | grep "panicked" is the fastest approach. Option/Result enums use discriminant byte (0=None/Err, 1=Some/Ok). See languages-compiled.md.

Frida Dynamic Instrumentation

Hook runtime functions without modifying binary. frida -f ./binary -l hook.js to spawn with instrumentation. Hook strcmp/memcmp to capture expected values, bypass anti-debug by replacing ptrace return value, scan memory for flag patterns, replace validation functions. See tools-dynamic.md.

Frida Firebase Cloud Functions Bypass (BSidesSF 2026)

Pattern: Android app validates via Firebase Cloud Functions. Post-login Frida hook constructs valid payload (UID + value + timestamp) and calls Cloud Function directly, bypassing QR/payment validation. See languages-platforms.md.

angr Symbolic Execution

Automatic path exploration to find inputs satisfying constraints. Load binary with angr.Project, set find/avoid addresses, call simgr.explore(). Constrain input to printable ASCII and known prefix for faster solving. Hook expensive functions (crypto, I/O) to prevent path explosion. See tools-dynamic.md.

Qiling Emulation

Cross-platform binary emulation with OS-level support (syscalls, filesystem). Emulate Linux/Windows/ARM/MIPS binaries on any host. No debugger artifacts — bypasses all anti-debug by default. Hook syscalls and addresses with Python API. See tools-dynamic.md.

VMProtect / Themida Analysis

VMProtect virtualizes code into custom bytecode. Identify VM entry (pushad-like), find handler table (large indirect jump), trace handlers dynamically. For CTF, focus on tracing operations on input rather than full devirtualization. Themida: dump at OEP with ScyllaHide + Scylla. See tools-advanced.md.

Binary Diffing

BinDiff and Diaphora compare two binaries to highlight changes. Essential when challenge provides patched/original versions. Export from IDA/Ghidra, diff to find vulnerability or hidden functionality. See tools-advanced.md.

Advanced GDB (pwndbg, rr)

pwndbg: context, vmmap, search -s "flag{", telescope $rsp. GEF alternative. Reverse debugging with rr record/rr replay — step backward through execution. Python scripting for brute-force and automated tracing. See tools-advanced.md.

macOS / iOS Reversing

Mach-O binaries: otool -l for load commands, class-dump for Objective-C headers. Swift: swift demangle for symbols. iOS apps: decrypt FairPlay DRM with frida-ios-dump, bypass jailbreak detection with Frida hooks. Re-sign patched binaries with codesign -f -s -. See platforms.md.

Embedded / IoT Firmware RE

INLINECODE125 for recursive extraction. Hardware: UART/JTAG/SPI flash for firmware dumps. Filesystems: SquashFS (unsquashfs), JFFS2, UBI. Emulate with QEMU: qemu-arm -L /usr/arm-linux-gnueabihf/ ./binary. See platforms.md.

Kernel Driver Reversing

Linux .ko: find ioctl handler via file_operations struct, trace copy_from_user/copy_to_user. Debug with QEMU+GDB (-s -S). eBPF: bpftool prog dump xlated. Windows .sys: find DriverEntry → IoCreateDevice → IRP handlers. See platforms.md.

Game Engine Reversing

Unreal: extract .pak with UnrealPakTool, reverse Blueprint bytecode with FModel. Unity Mono: decompile Assembly-CSharp.dll with dnSpy. Anti-cheat (EAC, BattlEye, VAC): identify system, bypass specific check. Lua games: luadec/unluac for bytecode. See platforms.md.

Swift / Kotlin Binary Reversing

Swift: swift demangle symbols, protocol witness tables for dispatch, __swift5_* sections. Kotlin/JVM: coroutines compile to state machines in invokeSuspend, jadx with Kotlin mode for best decompilation. Kotlin/Native: LLVM backend, looks like C++ in disassembly. See languages-compiled.md.

INT3 Patch + Coredump Brute-Force Oracle (Pwn2Win 2016)

Patch 0xCC (INT3) after transform output, enable core dumps, brute-force each input character by extracting computed state from coredump via strings. Avoids full reverse of transformation. See patterns.md.

Signal Handler Chain + LD_PRELOAD Oracle (Nuit du Hack 2016)

Binary uses signal handler chains for per-character password validation. Hook signal() via LDPRELOAD -- the call to install the next handler confirms the current character is correct. See patterns.md.

Font Ligature Exploitation (Hack The Vote 2016)

Custom OpenType font maps multi-character ligature sequences to single glyphs; reverse the GSUB table to decode hidden messages. See patterns-ctf-3.md.

Instruction Counter as Cryptographic State (MetaCTF Flash 2026)

Pattern: Hand-written assembly uses a dedicated register (e.g., r12) as an instruction counter incremented after nearly every instruction. The counter feeds into XOR/ROL/multiply transformations on input bytes, making transformation path-dependent. Byte-by-byte brute force with Unicorn emulation recovers the flag. See patterns-ctf-3.md.

Burrows-Wheeler Transform Inversion (ASIS CTF Finals 2016)

Invert BWT without terminator character by trying all possible row indices. Standard bwtool or manual column-sorting reconstruction. See patterns-ctf-3.md.

FRACTRAN Program Inversion (Boston Key Party 2016)

Esoteric language using iterated fraction multiplication. Invert by swapping numerator/denominator in fraction table, run output backward. I/O encoded as prime factorization exponents. See languages.md.

Opcode-Only Trace Reconstruction (0CTF 2016)

Execution traces with only opcodes (no data) still leak info through branch decisions. Sorting algorithm comparisons reveal element ordering. Reconstruct by deduplicating trace, splitting into basic blocks. See tools-dynamic.md.

Thread Race Signed Integer Overflow (Codegate 2017)

Game binary with thread-unsafe skill lock. Race between skill selection and damage calculation; cdqe sign-extends 0xFFFFFFFF to -1 (signed), causing HP overflow on subtraction. See patterns-ctf-3.md.

ESP32/Xtensa Firmware Reversing (Insomni'hack 2017)

No IDA support — use radare2 + ESP-IDF ROM linker script (esp32.rom.ld) for symbol resolution. Cross-reference with public ESP-IDF HTTP server examples to identify app logic. See patterns-ctf-3.md.

Custom VM Bytecode Lifting to LLVM IR (Google CTF 2017)

Transpile custom VM bytecode to LLVM IR, then use opt -O3 to simplify (inlining, constant folding, dead code elimination). Reduces 1300 lines to ~150 lines, revealing the underlying algorithm. See tools-advanced.md.

SIGFPE Signal Handler Side-Channel (PlaidCTF 2017)

SIGFPE signal handlers create implicit control flow invisible to static analysis. Count SIGFPE signals via strace -e signal=SIGFPE per candidate character -- correct characters produce more signals. See anti-analysis.md.

Batch Crackme Automation via objdump (DEF CON 2017)

Mass crackme challenges (100s of binaries) with identical structure: script objdump to extract CMP immediates and add/sub arithmetic sequences, then reverse-compute keys algebraically without execution. See patterns-ctf-3.md.

Android DEX Runtime Bytecode Patching (Google CTF 2017)

Native JNI library patches Dalvik bytecode in memory via /proc/self/maps + mprotect + XOR. Static APK analysis alone is insufficient -- extract XOR key and offsets from the native .so to reconstruct the runtime DEX. See languages-platforms.md.

Fork + Pipe + Dead Branch Anti-Analysis (RCTF 2017)

Fork/pipe IPC where parent writes data and exits, child reads and continues. Real validation hidden in a dead branch (always-false comparison). strace reveals the fork/pipe pattern; patch the comparison constant to reach hidden code. See patterns-ctf-3.md.

CTF 逆向工程

逆向工程挑战快速参考。详细技术请参见支持文件。

前置条件

Python 包（所有平台）：
bash
pip install frida-tools angr qiling uncompyle6 capstone lief z3-solver

对于 Python 3.9+ 字节码：从源码构建 pycdc

git clone https://github.com/zrax/pycdc && cd pycdc && cmake . && make

Linux (apt)：
bash
apt install gdb radare2 binutils strace ltrace apktool upx

macOS (Homebrew)：
bash
brew install gdb radare2 binutils apktool upx ghidra

radare2 插件：
bash
r2pm -ci r2ghidra # radare2 原生 Ghidra 反编译器

手动安装：

- pwndbg — Linux：GitHub，macOS：brew install pwndbg/tap/pwndbg-gdb

附加资源

- tools.md - 静态分析工具（GDB、Ghidra、radare2、IDA、Binary Ninja、dogbolt.org、带 Capstone 的 RISC-V、Unicorn 仿真、Python 字节码、WASM、Android APK、.NET、加壳二进制文件）
tools-dynamic.md（包括用于 movfuscated 二进制文件的 Intel Pin 指令计数侧信道、仅操作码的迹线重建）- 动态分析工具：Frida（钩子、反调试绕过、内存扫描、Android/iOS）、angr 符号执行（路径探索、约束、CFG）、lldb（macOS/LLVM 调试器）、x64dbg（Windows）、Qiling（带操作系统支持的跨平台仿真）、Triton（动态符号执行）
tools-advanced.md - 高级工具：VMProtect/Themida 分析、二进制差异比较（BinDiff、Diaphora）、反混淆框架（D-810、GOOMBA、Miasm）、Rizin/Cutter、RetDec、自定义 VM 字节码提升到 LLVM IR、高级 GDB（Python 脚本、条件断点、监视点、使用 rr 的反向调试、pwndbg/GEF）、高级 Ghidra 脚本、补丁（Binary Ninja API、LIEF）
anti-analysis.md - 全面的反分析：Linux 反调试（ptrace、/proc、计时、信号、直接系统调用）、Windows 反调试（PEB、NtQueryInformationProcess、堆标志、TLS 回调、HW/SW 断点检测、基于异常的、线程隐藏）、反 VM/沙箱（CPUID、MAC、计时、工件、资源）、反 DBI（Frida 检测/绕过）、代码完整性/自哈希、反反汇编（不透明谓词、垃圾字节）、MBA 识别/简化、通过 strace 计数的 SIGFPE 信号处理器侧信道、绕过策略
patterns.md - 基础二进制模式：自定义虚拟机、反调试、纳米点、自修改代码、XOR 密码、混合模式分段加载器、LLVM 混淆、S 盒/密钥流、SECCOMP/BPF、异常处理器、内存转储、逐字节变换、x86-64 陷阱、基于信号的探索、恶意软件反分析、多阶段 shellcode、计时侧信道、带诱饵 + 信号处理器 MBA 的多线程反调试、INT3 补丁 + 核心转储暴力破解预言机、信号处理器链 + LDPRELOAD 预言机
patterns-ctf.md - 竞赛特定模式（第 1 部分）：隐藏仿真器操作码、LDPRELOAD 密钥提取、SPN 静态提取、图像 XOR 平滑度、逐字节密码、数学收敛位图、Windows PE XOR 位图 OCR、两阶段 RC4+VM 加载器、GBA ROM 中间相遇、Sprague-Grundy 博弈论、内核模块迷宫求解、多线程 VM 通道、通过字符串差异比较的后门共享库检测、带 RC4 扁平二进制文件的自定义 binfmt 内核模块、哈希解析导入/无导入勒索软件、用于反分析的 ELF 节头损坏
patterns-ctf-2.md - 竞赛特定模式（第 2 部分）：多层自解密暴力破解、嵌入式 ZIP+XOR 许可证、栈字符串反混淆、前缀哈希暴力破解、用于整数验证的 CVP/LLL 格、决策树函数混淆、GF(2^8) 高斯消元、ROP 链混淆分析（ROPfuscation）
patterns-ctf-3.md - 竞赛特定模式（第 3 部分）：Z3 单行 Python 电路、滑动窗口 popcount、通过 ioctl 的键盘 LED 摩尔斯电码、C++ 析构函数隐藏验证、系统调用副作用内存损坏、MFC 对话框事件处理器、VM 顺序密钥链暴力破解、Burrows-Wheeler 变换逆变换、OpenType 字体连字利用、带自修改代码的 GLSL 着色器 VM、作为密码状态的指令计数器、通过 objdump 的批量 crackme 自动化、fork+pipe+死分支反分析
languages.md - 语言特定：Python 字节码和操作码重映射、Python 版本特定字节码、Pyarmor 静态解包、DOS 存根、Unity IL2CPP、HarmonyOS HAP/ABC、Brainfuck/深奥语言（+ BF 逐字符静态分析、BF 侧信道读取计数预言机、BF 比较惯用语检测）、UEFI、转译为 C、代码覆盖率侧信道、OPAL 函数式逆向、非双射替换、FRACTRAN 程序逆运算
languages-platforms.md - 平台/框架特定：Roblox 场所文件分析、Godot 游戏资源提取、Rust serdejson 模式恢复、Android JNI RegisterNatives 混淆、通过 /proc/self/maps 的 Android DEX 运行时字节码补丁、Frida Firebase Cloud Functions 绕过、Verilog/硬件逆向工程、逐前缀哈希反转、Ruby/Perl 多语言约束满足、Electron ASAR 提取 + 原生二进制分析、Node.js npm 运行时内省
languages-compiled.md - Go 二进制逆向（GoReSym、goroutine、内存布局、通道操作、embed.FS、用于 C2 枚举的 Go 二进制 UUID 补丁）、Rust 二进制逆向（名称还原、Option/Result、Vec、panic 字符串）、Swift 二进制逆向（名称还原、协议见证表）、Kotlin/JVM（协程状态机）、C++（vtable 重建、RTTI、STL 模式）
platforms.md - 平台特定逆向工程：macOS/iOS（Mach-O、代码签名、Objective-C 运行时、Swift、dyld、越狱绕过）、嵌入式/IoT 固件（binwalk、UART/JTAG/SPI 提取、ARM/MIPS、RTOS）、内核驱动（Linux .ko、eBPF、Windows .sys）、游戏引擎（Unreal Engine、Unity、反作弊、Lua）、汽车 CAN 总线
platforms-hardware.md - 硬件和高级架构逆向工程：HD44780 LCD 控制器 GPIO 重建、RISC-V 高级（自定义扩展、特权模式、调试）、ARM64/AArch64 逆向和利用（调用约定、ROP gadgets、qemu-aarch64-static 仿真）

何时切换

- 如果你已经理解二进制文件，现在需要堆、ROP 或内核利用，请切换到 /ctf-pwn。
如果挑战实际上是关于恢复已删除文件、PCAP 数据或磁盘工件，请切换到 /ctf-forensics。
如果目标是 Web 应用程序，而你只是在逆向一个小的客户端辅助脚本，请切换到 /ctf-web。
如果二进制文件实现了机器学习模型，而挑战是关于模型攻击或对抗性输入，请切换到 /ctf-ai-ml。
如果逆向二进制文件的核心逻辑是加密算法或数学问题，请切换到 /ctf-crypto。
如果二进制文件是带有 C2、加壳或规避行为的真实恶意软件样本，请切换到 /ctf-malware。
如果挑战是一个玩具 VM、编码谜题或 pyjail，而不是真正的二进制文件，请切换到 /ctf-misc。

问题解决工作流

1. 从字符串提取开始 - 许多简单挑战都有明文标志
尝试 ltrace/strace - 动态分析通常无需逆向即可揭示标志
尝试 Frida 钩子 - 钩子

ctf-reverseCTF逆向分析

ctf-reverse

CTF Reverse Engineering

Prerequisites

Additional Resources

When to Pivot

Problem-Solving Workflow

Quick Wins (Try First!)

Initial Analysis

Memory Dumping Strategy

Decoy Flag Detection

GDB PIE Debugging

Comparison Direction (Critical!)

Common Encryption Patterns

Quick Tool Reference

Binary Types

Python .pyc

WASM

Android APK

Flutter APK (Dart AOT)

.NET

Packed (UPX)

Tauri Packed Desktop Apps

Anti-Debugging Bypass

S-Box / Keystream Patterns

Custom VM Analysis

Python Bytecode Reversing

Signal-Based Binary Exploration

Malware Anti-Analysis Bypass via Patching

Expected Values Tables

x86-64 Gotchas

Iterative Solver Pattern

Unicorn Emulation (Complex State)

Multi-Stage Shellcode Loaders

Timing Side-Channel Attack

Godot Game Asset Extraction

Roblox Place File Analysis

Unstripped Binary Information Leaks

Custom Mangle Function Reversing

Rust serde_json Schema Recovery

Position-Based Transformation Reversing

Hex-Encoded String Comparison

Embedded ZIP + XOR License Decryption

Stack String Deobfuscation (.rodata XOR Blob)

Prefix Hash Brute-Force

Mathematical Convergence Bitmap

RISC-V Binary Analysis

Sprague-Grundy Game Theory Binary

Kernel Module Maze Solving

Multi-Threaded VM with Channels

CVP/LLL Lattice for Constrained Integer Validation (HTB ShadowLabyrinth)

Decision Tree Function Obfuscation (HTB WonderSMS)

Android JNI RegisterNatives Obfuscation (HTB WonderSMS)

Multi-Layer Self-Decrypting Binary

GLSL Shader VM with Self-Modifying Code

GF(2^8) Gaussian Elimination for Flag Recovery

Z3 for Single-Line Python Boolean Circuit

Sliding Window Popcount Differential Propagation

Ruby/Perl Polyglot Constraint Satisfaction

Verilog/Hardware RE

Custom binfmt Kernel Module with RC4 Flat Binaries (BSidesSF 2026)

Hash-Resolved Imports / No-Import Ransomware (BSidesSF 2026)

ELF Section Header Corruption for Anti-Analysis (BSidesSF 2026)

Brainfuck Character-by-Character Static Analysis (BSidesSF 2026)

Brainfuck Side-Channel via Read Count Oracle (BSidesSF 2026)

Brainfuck Comparison Idiom Detection (BSidesSF 2026)

Backdoored Shared Library Detection

Go Binary Reversing

Go Binary UUID Patching for C2 Enumeration (BSidesSF 2026)

D Language Binary Reversing

Rust Binary Reversing

Frida Dynamic Instrumentation

Frida Firebase Cloud Functions Bypass (BSidesSF 2026)

angr Symbolic Execution

Qiling Emulation

VMProtect / Themida Analysis

Binary Diffing

Advanced GDB (pwndbg, rr)

macOS / iOS Reversing

Embedded / IoT Firmware RE