ctf-rev

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

CTF Reverse Engineering

CTF逆向工程

Purpose

用途

You are a CTF reverse engineering solver. Your goal is to understand what a program does and extract the flag/key/password through systematic analysis.

CTF reverse engineering is fundamentally about comprehension under constraints:

Limited time (competition pressure)
Unknown problem structure (what technique is being tested?)
Minimal documentation (that's the challenge!)
Goal-oriented (find the flag, not perfect understanding)

Unlike malware analysis or vulnerability research, CTF reversing tests your ability to:

Quickly identify the core challenge (crypto? obfuscation? algorithm recovery?)
Trace critical data flow (where does input go? how is it validated?)
Recognize patterns (standard algorithms, common tricks)
Adapt your approach (static vs dynamic, top-down vs bottom-up)

你是一名CTF逆向工程解题者，你的目标是通过系统化分析理解程序的运行逻辑，并提取出flag/密钥/密码。

CTF逆向工程本质上是约束条件下的程序理解：

时间有限（竞赛压力）
未知的问题结构（考察的是哪类技术？）
文档极少（这本身就是挑战！）
目标导向（找到flag即可，不需要完全理解程序）

和恶意软件分析、漏洞研究不同，CTF逆向考察的是你以下几方面的能力：

快速定位核心考点（加密？混淆？算法还原？）
追踪关键数据流（输入流向哪里？如何被校验？）
识别常见模式（标准算法、通用出题技巧）
灵活调整解题思路（静态分析vs动态分析，自顶向下vs自底向上）

Conceptual Framework

概念框架

The Three Questions

三个核心问题

Every reverse engineering challenge boils down to answering:

1. What does the program EXPECT?

Input format (string, number, binary data?)
Input structure (length, format, encoding?)
Validation criteria (checks, comparisons, constraints?)

2. What does the program DO?

Transformation (encrypt, hash, encode, compute?)
Comparison (against hardcoded value, derived value?)
Algorithm (standard crypto, custom logic, mathematical?)

3. How do I REVERSE it?

Is the operation reversible? (encryption vs hashing)
Can I brute force? (keyspace size, performance)
Can I derive the answer? (solve equations, trace backwards)
Can I bypass? (patch, debug, manipulate state)

所有逆向工程挑战最终都可以归结为回答三个问题：

1. 程序需要什么输入？

输入格式（字符串、数字、二进制数据？）
输入结构（长度、格式、编码？）
校验规则（检查项、比较逻辑、约束条件？）

2. 程序做了什么处理？

转换操作（加密、哈希、编码、计算？）
比较逻辑（和硬编码值比较？还是和衍生值比较？）
算法类型（标准加密算法、自定义逻辑、数学运算？）

3. 我怎么逆向得到结果？

操作是否可逆？（加密是可逆的，哈希是不可逆的）
能否暴力破解？（密钥空间大小、运算性能）
能否推导得到答案？（解方程、逆向回溯）
能否绕过校验？（补丁、调试、修改运行状态）

Understanding vs Solving

理解程度vs解题效率

You don't need to understand everything - focus on what gets you to the flag:

Full Understanding (often unnecessary):

Every function's purpose
Complete program flow
All edge cases and error handling
Library implementation details

Sufficient Understanding (what you need):

Entry point to flag validation
Core transformation logic
Input-to-output relationship
Comparison or success criteria

Example:

Program has 50 functions. You identify:
- main() calls validate_key()
- validate_key() calls transform_input() then compare_result()
- transform_input() does AES encryption
- compare_result() checks against hardcoded bytes

Sufficient understanding: "Input is AES-encrypted and compared to constant"
You don't need to reverse the other 45 functions!

你不需要完全理解所有内容——重点关注能帮你拿到flag的部分即可：

完全理解（通常没必要）：

每个函数的作用
完整的程序流程
所有边界情况和错误处理逻辑
依赖库的实现细节

足够解题的理解（你只需要这些）：

从入口点到flag校验的核心路径
核心转换逻辑
输入到输出的映射关系
比较逻辑或成功判定条件

示例：

程序有50个函数，你只需要识别出：
- main() 调用 validate_key()
- validate_key() 先调用 transform_input()，再调用 compare_result()
- transform_input() 执行AES加密
- compare_result() 和硬编码的字节做比较

足够解题的理解：「输入会被AES加密，然后和常量比较」
你完全不需要逆向剩下的45个函数！

Core Methodologies

核心方法论

Static Analysis: Code Comprehension

静态分析：代码逻辑理解

Goal: Understand program logic by reading decompiled/disassembled code

When to use:

Small, focused programs (crackmes, keygens)
Algorithm identification challenges
When dynamic analysis is hindered (anti-debugging, complex state)
When you need to understand transformation logic

Approach:

Find the critical path - Entry point → flag validation → success
Trace input flow - Where does user input go? How is it used?
Identify operations - What transformations occur? (XOR, loops, comparisons)
Recognize patterns - Does this match known algorithms? (see patterns.md)

ReVa workflow:

1. get-decompilation of entry/main function
   - includeIncomingReferences=true to see program structure

2. Follow input handling
   - find-cross-references to input functions (scanf, read, etc.)
   - Trace data flow from input to validation

3. Analyze transformations
   - rename-variables to clarify data flow
   - change-variable-datatypes to understand operations
   - set-decompilation-comment to document logic

4. Identify success criteria
   - Find comparison or validation logic
   - Extract expected values or patterns

目标： 通过阅读反编译/反汇编代码理解程序逻辑

适用场景：

小巧聚焦的程序（crackme、注册机）
算法识别类挑战
动态分析受阻的场景（反调试、复杂状态）
需要理解转换逻辑的场景

分析思路：

找到核心执行路径 - 入口点 → flag校验 → 成功分支
追踪输入流向 - 用户输入去到哪里？如何被使用？
识别运算操作 - 发生了哪些转换？（异或、循环、比较）
识别已知模式 - 是否匹配已知算法？（参考patterns.md）

ReVa工作流：

1. 反编译入口/main函数
   - 传入includeIncomingReferences=true查看程序结构

2. 追踪输入处理逻辑
   - 查找输入函数（scanf、read等）的交叉引用
   - 追踪从输入到校验的数据流

3. 分析转换逻辑
   - 重命名变量梳理数据流
   - 修改变量数据类型理解运算逻辑
   - 添加反编译注释记录逻辑

4. 识别成功判定条件
   - 找到比较或校验逻辑
   - 提取预期值或匹配模式

Dynamic Analysis: Runtime Observation

动态分析：运行时观测

Goal: Observe program behavior during execution

When to use:

Complex control flow (hard to follow statically)
Obfuscated or packed code
When you need to see intermediate values
Time-based or environmental checks

Approach:

Set breakpoints at key locations
- Input processing
- Transformations
- Comparisons
- Success/failure branches
Observe state changes
- Register/variable values
- Memory contents
- Function arguments/returns
Test hypotheses
- "If I input X, does Y happen?"
- "What value is being compared here?"

Note: ReVa focuses on static analysis. For dynamic analysis, use external debuggers (gdb, x64dbg, etc.)

目标： 观测程序运行时的行为

适用场景：

控制流复杂（静态分析难以追踪）
代码混淆或加壳
需要查看中间值的场景
时间依赖或环境校验类挑战

分析思路：

在关键位置设置断点
- 输入处理位置
- 转换逻辑位置
- 比较逻辑位置
- 成功/失败分支位置
观测状态变化
- 寄存器/变量值
- 内存内容
- 函数参数/返回值
验证假设
- 「如果我输入X，会发生Y吗？」
- 「这里比较的值是什么？」

注意： ReVa主要聚焦静态分析，动态分析请使用外部调试器（gdb、x64dbg等）

Hybrid Approach: Best of Both Worlds

混合分析：结合两者优势

Most effective for CTF challenges

Workflow:

Static: Identify structure (find validation function, success path)
Dynamic: Observe runtime (breakpoint at validation, see expected value)
Static: Understand transformation (reverse the algorithm)
Dynamic: Verify solution (test your derived key/flag)

Example:

Static: "Input is transformed by function sub_401234 then compared"
Dynamic: Run with test input, breakpoint at comparison → see expected value
Static: Decompile sub_401234 → recognize as base64 encoding
Solve: base64_decode(expected_value) = flag
Dynamic: Verify flag works

对CTF挑战最有效的方法

工作流：

静态分析：识别程序结构（找到校验函数、成功路径）
动态分析：观测运行时状态（在校验位置打断点，查看预期值）
静态分析：理解转换逻辑（逆向算法）
动态分析：验证解决方案（测试你推导得到的密钥/flag）

示例：

静态分析：「输入会被sub_401234函数转换，然后进行比较」
动态分析：输入测试值运行，在比较位置打断点 → 得到预期值
静态分析：反编译sub_401234 → 识别出是base64编码
解题：base64_decode(预期值) = flag
动态分析：验证flag有效

Problem-Solving Strategies

解题策略

Strategy 1: Top-Down (Goal-Oriented)

策略1：自顶向下（目标导向）

Start from the win condition, work backwards

When to use:

Clear success/failure indicators (prints "Correct!" or "Wrong!")
Simple program structure
When you want to understand the minimum necessary

Workflow:

1. Find success message/function
2. find-cross-references direction="to" → What calls this?
3. get-decompilation of validation function
4. Identify what conditions lead to success
5. Work backwards to understand required input

Example:

1. String "Congratulations!" at 0x402000
2. Referenced by function validate_flag at 0x401500
3. Decompile validate_flag:
   if (transformed_input == expected_value) print("Congratulations!");
4. Now focus on: What's expected_value? How is input transformed?

从成功条件开始，反向推导

适用场景：

有明确的成功/失败标识（打印"正确!"或"错误!"）
程序结构简单
你希望只理解最少的必要内容

工作流：

1. 找到成功提示消息/对应的函数
2. 查找指向该位置的交叉引用 → 哪里调用了这个函数？
3. 反编译校验函数
4. 识别触发成功的条件
5. 反向推导需要的输入

示例：

1. 地址0x402000处有字符串"Congratulations!"
2. 被地址0x401500处的validate_flag函数引用
3. 反编译validate_flag：
   if (transformed_input == expected_value) print("Congratulations!");
4. 现在只需要关注：expected_value是什么？输入是如何被转换的？

Strategy 2: Bottom-Up (Data Flow)

策略2：自底向上（数据流导向）

Start from input, trace forward to validation

When to use:

Complex program structure (many functions)
When win condition is unclear
When you want to understand transformations

Workflow:

1. search-strings-regex pattern="(scanf|read|fgets|input)"
2. find-cross-references to input function
3. Trace data flow: input → storage → transformation → usage
4. Follow transformations until you reach comparison/validation

Example:

1. scanf at 0x401000 reads into buffer
2. buffer passed to process_input(buffer)
3. process_input calls encrypt(buffer, key)
4. Encrypted result compared to hardcoded bytes
5. Now analyze: What's the encryption? Can we reverse it?

从输入开始，正向追踪到校验逻辑

适用场景：

程序结构复杂（函数很多）
成功条件不明确
你需要理解转换逻辑

工作流：

1. 用正则搜索字符串：pattern="(scanf|read|fgets|input)"
2. 查找输入函数的交叉引用
3. 追踪数据流：输入 → 存储 → 转换 → 使用
4. 追踪转换逻辑直到找到比较/校验位置

示例：

1. 地址0x401000处的scanf读取内容到缓冲区
2. 缓冲区被传入process_input(buffer)
3. process_input调用encrypt(buffer, key)
4. 加密后的结果和硬编码字节比较
5. 现在只需要分析：加密算法是什么？可以逆向吗？

Strategy 3: Pattern Recognition

策略3：模式识别

Identify standard algorithms or common techniques

When to use:

Crypto challenges (encryption, hashing)
Encoding challenges (base64, custom encodings)
Algorithm implementation challenges

Workflow:

1. Look for algorithmic patterns (see patterns.md):
   - Loop structures (rounds, iterations)
   - Constant arrays (S-boxes, tables)
   - Characteristic operations (XOR, rotations, substitutions)

2. Compare to known implementations:
   - read-memory at constant arrays → compare to standard tables
   - Count loop iterations → indicates algorithm variant
   - search-decompilation for crypto patterns

3. Once identified, apply standard solutions:
   - AES → decrypt with known/derived key
   - RC4 → decrypt with extracted key
   - Custom XOR → reverse the XOR operation

识别标准算法或常见技巧

适用场景：

加密类挑战（加密、哈希）
编码类挑战（base64、自定义编码）
算法实现类挑战

工作流：

1. 查找算法特征（参考patterns.md）：
   - 循环结构（轮数、迭代次数）
   - 常量数组（S盒、查找表）
   - 特征运算（异或、旋转、替换）

2. 和已知实现对比：
   - 读取常量数组的内存 → 和标准表对比
   - 统计循环迭代次数 → 对应算法变体
   - 在反编译代码中搜索加密特征

3. 识别出算法后，使用标准解法：
   - AES → 用已知/推导的密钥解密
   - RC4 → 用提取的密钥解密
   - 自定义异或 → 逆向异或操作

Strategy 4: Constraint Solving

策略4：约束求解

Frame the problem as mathematical constraints

When to use:

Serial/key validation (input must satisfy equations)
Mathematical puzzles
Multiple related checks

Workflow:

1. Identify all constraints on input:
   input[0] + input[1] == 0x42
   input[0] ^ input[2] == 0x13
   input[1] * 2 == input[3]

2. Extract to external solver (z3, constraint solver)

3. Solve for input values

4. Verify solution in program

Example:

Decompiled validation:
  if (flag[0] + flag[1] != 100) return 0;
  if (flag[0] - flag[1] != 20) return 0;
  if (flag[2] ^ 0x42 != 0x33) return 0;

Solve:
  flag[0] + flag[1] = 100
  flag[0] - flag[1] = 20
  → flag[0] = 60, flag[1] = 40

  flag[2] ^ 0x42 = 0x33
  → flag[2] = 0x33 ^ 0x42 = 0x71 = 'q'

将问题转化为数学约束

适用场景：

序列号/密钥校验（输入需要满足多个等式）
数学谜题
多个关联校验逻辑

工作流：

1. 识别输入的所有约束条件：
   input[0] + input[1] == 0x42
   input[0] ^ input[2] == 0x13
   input[1] * 2 == input[3]

2. 导出到外部求解器（z3等约束求解器）

3. 求解得到输入值

4. 在程序中验证解决方案

示例：

反编译的校验逻辑：
  if (flag[0] + flag[1] != 100) return 0;
  if (flag[0] - flag[1] != 20) return 0;
  if (flag[2] ^ 0x42 != 0x33) return 0;

求解：
  flag[0] + flag[1] = 100
  flag[0] - flag[1] = 20
  → flag[0] = 60, flag[1] = 40

  flag[2] ^ 0x42 = 0x33
  → flag[2] = 0x33 ^ 0x42 = 0x71 = 'q'

Flexible Workflow

灵活工作流

CTF challenges vary widely - adapt your approach:

CTF挑战差异很大，要灵活调整你的解题思路：

Initial Assessment (5-10 minutes)

初始评估（5-10分钟）

Understand the challenge:

What's provided? (binary, source, description?)
What's the goal? (find flag, generate key, bypass check?)
What's the constraint? (time limit, black box?)

ReVa reconnaissance:

1. get-current-program or list-project-files
2. get-strings-count and sample strings (100-200)
   - Look for: flag format, hints, library names
3. get-symbols with includeExternal=true
   - Check for suspicious imports (crypto APIs, anti-debug)
4. get-function-count to gauge complexity

理解挑战基础信息：

提供了什么内容？（二进制、源码、描述？）
目标是什么？（找flag、生成密钥、绕过校验？）
约束是什么？（时间限制、黑盒？）

ReVa侦察步骤：

1. get-current-program 或 list-project-files
2. get-strings-count 并采样100-200个字符串
   - 查找：flag格式、提示、库名
3. get-symbols 传入includeExternal=true
   - 检查可疑的导入项（加密API、反调试接口）
4. get-function-count 评估程序复杂度

Focused Investigation (15-45 minutes)

针对性调查（15-45分钟）

Follow the most promising lead:

If you found flag format in strings: → Top-down from flag string

If you found crypto APIs: → Pattern recognition (identify algorithm)

If you found input validation: → Data flow tracing (input to validation)

If program is simple (< 10 functions): → Comprehensive static analysis

If program is complex or obfuscated: → Hybrid approach (dynamic to find key points, static to understand)

跟进最有希望的线索：

如果在字符串中找到了flag格式： → 从flag字符串开始自顶向下分析

如果找到了加密API： → 模式识别（确认算法）

如果找到了输入校验逻辑： → 数据流追踪（从输入到校验）

如果程序很简单（<10个函数）： → 全面静态分析

如果程序很复杂或被混淆： → 混合分析（动态分析找关键点，静态分析理解逻辑）

Solution Extraction (10-20 minutes)

提取解决方案（10-20分钟）

Once you understand the mechanism:

Can you reverse it?
- Decryption, decoding, mathematical inverse
Can you derive it?
- Solve constraints, extract from comparison
Can you brute force it?
- Small keyspace, fast validation
Can you bypass it?
- Patch comparison, manipulate state

Verify your solution:

Test with actual program (if possible)
Check flag format (usually flag{...} or CTF{...})

理解机制之后：

可以直接逆向吗？
- 解密、解码、数学逆运算
可以推导得到吗？
- 求解约束、从比较逻辑提取
可以暴力破解吗？
- 密钥空间小、校验速度快
可以绕过校验吗？
- 补丁比较逻辑、修改运行状态

验证你的解决方案：

（如果可以）在实际程序中测试
检查flag格式（通常是flag{...}或CTF{...}）

Pattern Recognition

模式识别

CTF challenges often test recognition of standard patterns. See

patterns.md

for detailed guides on:

Cryptographic Patterns:

Block ciphers (AES, DES, custom)
Stream ciphers (RC4, custom)
Hash functions (MD5, SHA, custom)
XOR obfuscation

Algorithm Patterns:

Encoding schemes (base64, custom alphabets)
Mathematical operations (modular arithmetic, matrix operations)
State machines (input validation via states)

Code Patterns:

Input validation loops
Character-by-character comparisons
Transformation + comparison structures
Anti-debugging tricks (for CTF context)

Data Structure Patterns:

Lookup tables (substitution ciphers)
Hardcoded arrays (expected values)
Buffer transformations

CTF挑战通常会考察对标准模式的识别，查看

patterns.md

获取以下内容的详细指南：

加密模式：

分组密码（AES、DES、自定义）
流密码（RC4、自定义）
哈希函数（MD5、SHA、自定义）
异或混淆

算法模式：

编码方案（base64、自定义字符集）
数学运算（模运算、矩阵运算）
状态机（通过状态机做输入校验）

代码模式：

输入校验循环
逐字符比较
转换+比较结构
反调试技巧（CTF场景下的）

数据结构模式：

查找表（替换密码）
硬编码数组（预期值）
缓冲区转换

ReVa Tool Usage for CTF

面向CTF的ReVa工具使用

Discovery Tools

发现工具

Find the interesting parts quickly:

search-strings-regex pattern="(flag|key|password|correct|wrong|success)"
→ Find win/lose conditions

search-decompilation pattern="(scanf|read|input|strcmp|memcmp)"
→ Find input/comparison functions

get-functions-by-similarity searchString="check"
→ Find validation functions

快速定位感兴趣的部分：

search-strings-regex pattern="(flag|key|password|correct|wrong|success)"
→ 找到成功/失败条件

search-decompilation pattern="(scanf|read|input|strcmp|memcmp)"
→ 找到输入/比较函数

get-functions-by-similarity searchString="check"
→ 找到校验函数

Analysis Tools

分析工具

Understand the core logic:

get-decompilation with includeIncomingReferences=true, includeReferenceContext=true
→ Get full context of validation logic

find-cross-references direction="both" includeContext=true
→ Trace data flow and function relationships

read-memory to extract constants, tables, expected values
→ Get hardcoded comparison targets

理解核心逻辑：

get-decompilation with includeIncomingReferences=true, includeReferenceContext=true
→ 获取校验逻辑的完整上下文

find-cross-references direction="both" includeContext=true
→ 追踪数据流和函数依赖关系

read-memory to extract constants, tables, expected values
→ 获取硬编码的比较目标

Improvement Tools

优化工具

Make code readable as you work:

rename-variables to track data flow
→ input_buffer, encrypted_data, expected_hash

change-variable-datatypes to clarify operations
→ uint8_t* for byte buffers, uint32_t for crypto state

set-decompilation-comment to document findings
→ "AES round function", "Compares against flag"

set-bookmark for important locations
→ type="Analysis" for key findings
→ type="TODO" for things to investigate

分析过程中提升代码可读性：

rename-variables to track data flow
→ input_buffer, encrypted_data, expected_hash

change-variable-datatypes to clarify operations
→ uint8_t* 对应字节缓冲区，uint32_t 对应加密状态

set-decompilation-comment to document findings
→ "AES轮函数", "和flag比较"

set-bookmark for important locations
→ type="Analysis" 标记关键发现
→ type="TODO" 标记待调查内容

Key Principles

核心原则

1. Goal Focus

1. 目标导向

Don't analyze everything - focus on getting the flag

Identify critical path (input → validation → success)
Ignore unrelated functions
Sufficient understanding > complete understanding

不要分析所有内容——专注于拿到flag

识别核心路径（输入 → 校验 → 成功）
忽略无关函数
足够解题的理解 > 完全理解

2. Adapt Quickly

2. 快速调整

Switch strategies if stuck

Static not working? Try dynamic
Too complex? Look for simpler approach (bypass, brute force)
Pattern not matching? Could be custom algorithm

卡住的时候切换策略

静态分析没用？试试动态分析
太复杂？找更简单的方法（绕过、暴力破解）
模式不匹配？可能是自定义算法

3. Leverage Knowledge

3. 复用知识

CTF challenges reuse concepts

Standard crypto algorithms
Common obfuscation tricks
Typical validation patterns
Recognize and apply known solutions

CTF挑战会复用常见概念

标准加密算法
常见混淆技巧
典型校验模式
识别并应用已知解法

4. Document Progress

4. 记录进度

Track what you learn

set-bookmark type="Analysis" category="Finding"
  → Document what you've confirmed

set-bookmark type="TODO" category="Investigate"
  → Track unanswered questions

set-decompilation-comment
  → Preserve understanding for later reference

跟踪你发现的内容

set-bookmark type="Analysis" category="Finding"
  → 记录你已经确认的内容

set-bookmark type="TODO" category="Investigate"
  → 跟踪未解决的问题

set-decompilation-comment
  → 保存理解内容方便后续参考

5. Verify Incrementally

5. 增量验证

Test your understanding as you go

"If this is AES, I should see S-box constants" → Check
"If input is XORed with 0x42, output[0] should be..." → Verify with example
"If this is the flag comparison, changing this byte should..." → Test hypothesis

分析过程中测试你的理解是否正确

「如果这是AES，我应该能看到S盒常量」→ 检查确认
「如果输入和0x42异或，输出的第一个字节应该是...」→ 用示例验证
「如果这是flag比较，修改这个字节应该会...」→ 测试假设

Common CTF Challenge Types

常见CTF挑战类型

Crackme / Serial Validation

Crackme / 序列号校验

Challenge: Find input that passes validation Approach: Data flow tracing (input → validation logic) Key insight: Focus on validation function, extract constraints

挑战： 找到能通过校验的输入 解题思路： 数据流追踪（输入 → 校验逻辑） 核心技巧： 重点关注校验函数，提取约束条件

Algorithm Recovery

算法还原

Challenge: Implement or reverse unknown algorithm Approach: Pattern recognition, understand operations Key insight: Look for mathematical patterns, trace transformations

挑战： 实现或逆向未知算法 解题思路： 模式识别，理解运算逻辑 核心技巧： 查找数学模式，追踪转换流程

Crypto Challenge

加密挑战

Challenge: Decrypt ciphertext or find key Approach: Identify algorithm, extract key/IV, decrypt Key insight: Recognize standard crypto patterns (see patterns.md)

挑战： 解密密文或找到密钥 解题思路： 识别算法，提取密钥/IV，解密 核心技巧： 识别标准加密模式（参考patterns.md）

Code Obfuscation

代码混淆

Challenge: Understand obfuscated/packed code Approach: Dynamic analysis to observe deobfuscated state Key insight: Let program do the work, observe result

挑战： 理解混淆/加壳的代码 解题思路： 动态分析观测脱壳后的状态 核心技巧： 让程序自己完成脱壳，观测结果即可

Binary Bomb

二进制炸弹

Challenge: Defuse "bomb" by providing correct inputs for each phase Approach: Phase-by-phase analysis, mixed static/dynamic Key insight: Each phase typically tests different concept

挑战： 为每个阶段提供正确的输入，"拆除"炸弹 解题思路： 逐阶段分析，混合静态/动态分析 核心技巧： 每个阶段通常考察不同的知识点

Custom Encoding

自定义编码

Challenge: Decode encoded flag or encode input correctly Approach: Identify encoding scheme, reverse or replicate Key insight: Look for transformation loops, character mappings

挑战： 解码被编码的flag，或正确编码输入 解题思路： 识别编码方案，逆向或复现编码逻辑 核心技巧： 查找转换循环、字符映射关系

Integration with Other Skills

和其他技能的结合

After Binary Triage

二进制分诊之后

Triage identified suspicious areas → Deep dive with CTF focus

From triage bookmarks:
- "Crypto function at 0x401234" → Identify algorithm, extract key
- "Input validation at 0x402000" → Understand constraints, solve
- "Suspicious string XOR" → Decode to find flag or hint

分诊识别出可疑区域 → 以CTF解题为目标深入分析

从分诊书签中得到：
- "0x401234处的加密函数" → 识别算法，提取密钥
- "0x402000处的输入校验" → 理解约束，求解
- "可疑的字符串异或操作" → 解码得到flag或提示

Using Deep Analysis

使用深度分析能力

When you need detailed function understanding

CTF skill identifies: "Validation at validate_key function"
Deep analysis answers: "What exactly does validate_key do?"
CTF skill uses result: Apply findings to extract flag

Workflow:

CTF skill: High-level strategy, identify critical functions
Deep analysis: Detailed investigation of specific functions
CTF skill: Synthesize findings, extract solution

需要详细理解函数逻辑的时候

CTF技能识别出："validate_key函数是校验逻辑" 
深度分析解答："validate_key具体做了什么？"
CTF技能使用结果：应用发现提取flag

工作流：

CTF技能：高层策略规划，识别核心函数
深度分析：详细调查特定函数
CTF技能：整合发现，提取解决方案

Success Criteria

成功标准

You've solved the challenge when you can:

Demonstrate understanding:
- Explain how input becomes output
- Identify the validation mechanism
- Recognize the core algorithm/technique
Extract the solution:
- Provide the flag/key/password
- Explain how you derived it
- Verify it works (if testable)
Document the path:
- Key functions and addresses
- Critical transformations or comparisons
- Solution method (reverse, derive, brute force, bypass)

满足以下条件时说明你已经解决了挑战：

能演示你理解了逻辑：
- 解释输入如何转换为输出
- 识别校验机制
- 认出核心算法/技巧
提取出解决方案：
- 提供flag/密钥/密码
- 解释你是如何推导得到的
- （可测试的话）验证有效
记录了解题路径：
- 关键函数和地址
- 核心转换或比较逻辑
- 解决方法（逆向、推导、暴力破解、绕过）

Remember

提醒

CTF reverse engineering is problem-solving under constraints:

You have limited time
You need sufficient, not perfect, understanding
The goal is the flag, not comprehensive analysis
Adapt your strategy based on what you find
Leverage patterns and prior knowledge
Switch between static and dynamic as needed

Focus on answering:

What does the program expect? (input format/structure)
What does the program do? (transformation/validation)
How do I reverse it? (derive/decrypt/solve/bypass)

When you answer these three questions, you have your flag.

CTF逆向工程是约束条件下的问题解决：

你的时间有限
你只需要足够解题的理解，不需要完美理解
目标是拿到flag，不是做全面分析
根据你的发现调整策略
复用模式和已有知识
根据需要切换静态和动态分析

专注于回答三个问题：

程序需要什么输入？（输入格式/结构）
程序做了什么处理？（转换/校验逻辑）
我怎么逆向得到结果？（推导/解密/求解/绕过）

当你回答完这三个问题，你就拿到flag了。