reverse-engineering-deep-analysis

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

LIBRARY-FIRST PROTOCOL (MANDATORY)

库优先协议（强制要求）

Before writing ANY code, you MUST check:

编写任何代码之前，你必须检查：

Step 1: Library Catalog

步骤1：库目录

Location:
```
.claude/library/catalog.json
```
If match >70%: REUSE or ADAPT

位置：
```
.claude/library/catalog.json
```
如果匹配度>70%：复用或适配现有内容

Step 2: Patterns Guide

步骤2：模式指南

Location:

.claude/docs/inventories/LIBRARY-PATTERNS-GUIDE.md

If pattern exists: FOLLOW documented approach

位置：

.claude/docs/inventories/LIBRARY-PATTERNS-GUIDE.md

如果存在对应模式：遵循文档记录的实现方案

Step 3: Existing Projects

步骤3：现有项目

Location:
```
D:\Projects\*
```
If found: EXTRACT and adapt

位置：
```
D:\Projects\*
```
如果找到相关内容：提取并适配

Decision Matrix

决策矩阵

Match	Action
Library >90%	REUSE directly
Library 70-90%	ADAPT minimally
Pattern exists	FOLLOW pattern
In project	EXTRACT
No match	BUILD (add to library after)

匹配度	操作
库匹配>90%	直接复用
库匹配70-90%	最小化适配
存在对应模式	遵循模式
存在于项目中	提取适配
无匹配	新建（完成后添加到库中）

When to Use This Skill

何时使用本技能

Use this skill when analyzing malware samples, reverse engineering binaries for security research, conducting vulnerability assessments, extracting IOCs from suspicious files, validating software for supply chain security, or performing CTF challenges and binary exploitation research.

当你需要分析恶意软件样本、为安全研究逆向二进制文件、开展漏洞评估、从可疑文件中提取IOC、验证软件供应链安全、完成CTF挑战或二进制漏洞利用研究时，可使用本技能。

When NOT to Use This Skill

何时不应使用本技能

Do NOT use for unauthorized reverse engineering of commercial software, analyzing binaries on production systems, reversing software without legal authorization, violating terms of service or EULAs, or analyzing malware outside isolated environments. Avoid for simple string extraction (use basic tools instead).

不要将本技能用于未经授权的商业软件逆向、在生产系统上分析二进制文件、未获得法律授权的软件逆向、违反服务条款或最终用户许可协议，或在隔离环境之外分析恶意软件。简单字符串提取场景不要使用本技能（改用基础工具即可）。

Success Criteria

成功标准

All security-relevant behaviors identified (network, file, registry, process activity)
Malicious indicators extracted with confidence scores (IOCs, C2 domains, encryption keys)
Vulnerabilities documented with CVE mapping where applicable
Analysis completed within sandbox environment (VM/container with snapshots)
Findings validated through multiple analysis methods (static + dynamic + symbolic)
Complete IOC report generated (STIX/MISP format for threat intelligence sharing)
Zero false positives in vulnerability assessments
Exploitation proof-of-concept created (if vulnerability research)

识别所有与安全相关的行为（网络、文件、注册表、进程活动）
提取带置信度评分的恶意指标（IOC、C2域名、加密密钥）
记录漏洞并在适用时关联对应CVE
所有分析在沙箱环境内完成（带快照的VM/容器）
通过多种分析方法验证结果（静态+动态+符号执行）
生成完整的IOC报告（支持STIX/MISP格式用于威胁情报共享）
漏洞评估零误报
生成漏洞利用概念验证（如果是漏洞研究场景）

Edge Cases & Challenges

边缘情况与挑战

Anti-analysis techniques (debugger detection, VM detection, timing checks)
Obfuscated or packed binaries requiring unpacking
Multi-stage malware with encrypted payloads
Kernel-mode rootkits requiring specialized analysis
Symbolic execution state explosion (>10,000 paths)
Binary analysis timeout on complex programs (>24 hours)
False positives from legitimate software behavior
Encrypted network traffic requiring SSL interception

反分析技术（调试器检测、VM检测、时序检查）
需要脱壳的混淆或加壳二进制文件
带加密 payload 的多阶段恶意软件
需要专用分析工具的内核模式rootkit
符号执行状态爆炸（路径数>10000）
复杂程序二进制分析超时（>24小时）
合法软件行为导致的误报
需要SSL拦截的加密网络流量

Guardrails (CRITICAL SECURITY RULES)

防护规则（关键安全条例）

NEVER execute unknown binaries on host systems (ONLY in isolated VM/sandbox)
NEVER analyze malware without proper containment (air-gapped lab preferred)
NEVER reverse engineer software without legal authorization
NEVER share extracted credentials or encryption keys publicly
NEVER bypass licensing mechanisms for unauthorized use
ALWAYS use sandboxed environments with network monitoring
ALWAYS take VM snapshots before executing suspicious binaries
ALWAYS validate findings through multiple analysis methods
ALWAYS document analysis methodology with timestamps
ALWAYS assume binaries are malicious until proven safe
ALWAYS use network isolation to prevent malware communication
ALWAYS sanitize IOCs before sharing (redact internal IP addresses)

永远不要在主机系统上执行未知二进制文件（仅允许在隔离的VM/沙箱中运行）
永远不要在没有适当 containment 的情况下分析恶意软件（优先使用气隙隔离实验室）
永远不要逆向未获得法律授权的软件
永远不要公开分享提取到的凭证或加密密钥
永远不要为了未授权使用绕过许可机制
始终使用带网络监控的沙箱环境
执行可疑二进制文件前始终拍摄VM快照
始终通过多种分析方法验证结果
始终记录分析方法并附带时间戳
始终默认二进制文件是恶意的，直到证明其安全
始终使用网络隔离阻止恶意软件通信
分享IOC前始终做脱敏处理（隐去内部IP地址）

Evidence-Based Validation

基于证据的验证

All reverse engineering findings MUST be validated through:

Multi-method analysis - Static + dynamic + symbolic execution confirm same behavior
Sandbox validation - Execute in isolated environment, capture all activity
Network monitoring - Packet capture validates network-based findings
Memory forensics - Validate runtime secrets through memory dumps
Behavioral correlation - Cross-reference with known malware signatures (YARA, ClamAV)
Reproducibility - Second analyst can replicate findings from analysis artifacts

所有逆向工程结果必须通过以下方式验证：

多方法分析 - 静态+动态+符号执行确认相同行为
沙箱验证 - 在隔离环境中执行，捕获所有活动
网络监控 - 数据包捕获验证基于网络的结果
内存取证 - 通过内存转储验证运行时密钥
行为关联 - 与已知恶意软件特征（YARA、ClamAV）交叉比对
可复现性 - 第二名分析人员可以通过分析工件复现结果

Reverse Engineering: Deep Analysis

逆向工程：深度分析

What This Skill Does

本技能功能

Performs deep reverse engineering through runtime execution and symbolic exploration:

Level 3 (≤1 hr): Dynamic analysis - Execute in sandbox with GDB, capture memory/secrets, trace syscalls
Level 4 (2-6 hrs): Symbolic execution - Use Angr/Z3 to synthesize inputs that reach target states

Decision Gate: After Level 3, evaluates if symbolic execution needed to reach unexplored paths.

Timebox: 3-7 hours total

通过运行时执行和符号探索执行深度逆向工程：

等级3（≤1小时）：动态分析 - 在沙箱中用GDB执行，捕获内存/密钥，跟踪系统调用
等级4（2-6小时）：符号执行 - 使用Angr/Z3合成能到达目标状态的输入

决策门：完成等级3分析后，评估是否需要符号执行来探索未覆盖路径。 时间限制：总计3-7小时

Prerequisites

前置条件

Level 3 Tools

等级3工具

GDB with GEF or Pwndbg extensions
strace/ltrace - System/library call tracing
Sandbox environment - Isolated execution (firejail, Docker, or custom)

GDB 搭配 GEF 或 Pwndbg 扩展
strace/ltrace - 系统/库调用追踪
沙箱环境 - 隔离执行环境（firejail、Docker或自定义环境）

Level 4 Tools

等级4工具

Angr - Symbolic execution framework (Python)
Z3 - SMT solver
Python 3.9+ - For Angr scripts

Angr - 符号执行框架（Python）
Z3 - SMT求解器
Python 3.9+ - 运行Angr脚本

MCP Servers

MCP服务器

```
sandbox-validator
```
- Safe binary execution
```
memory-mcp
```
- Store runtime findings
```
sequential-thinking
```
- Path exploration decisions
```
graph-analyst
```
- Visualize execution paths

```
sandbox-validator
```
- 安全的二进制执行环境
```
memory-mcp
```
- 存储运行时分析结果
```
sequential-thinking
```
- 路径探索决策
```
graph-analyst
```
- 执行路径可视化

⚠️ CRITICAL SECURITY WARNING

⚠️ 关键安全警告

NEVER execute unknown binaries on your host system!

All dynamic analysis, debugging, and symbolic execution MUST be performed in:

Isolated VM (VMware/VirtualBox with snapshots for rollback)
Docker container with security policies (
```
--security-opt
```
,
```
--cap-drop=ALL
```
)
E2B sandbox via sandbox-configurator skill with network monitoring
Dedicated malware analysis lab (air-gapped if handling APTs)

Consequences of unsafe execution:

Malware infection with kernel-level rootkits
Memory corruption and system instability
Data exfiltration via covert channels
Supply chain attacks via trojanized builds
Complete system compromise

Safe Practices:

Always use sandboxed environments with snapshots
Monitor syscalls and network activity during execution
Use GDB/Angr in isolated containers only
Never attach debuggers to binaries on production systems
Validate all inputs before symbolic execution
Assume all binaries are malicious until proven safe through static analysis

永远不要在主机系统上执行未知二进制文件！

所有动态分析、调试和符号执行必须在以下环境中执行：

隔离VM（VMware/VirtualBox，带回滚快照）
配置安全策略的Docker容器（
```
--security-opt
```
、
```
--cap-drop=ALL
```
）
由sandbox-configurator技能配置的带网络监控的E2B沙箱
专用恶意软件分析实验室（处理APT时优先气隙隔离）

不安全执行的后果：

内核级rootkit恶意软件感染
内存损坏和系统不稳定
通过隐蔽信道的数据泄露
木马化构建导致的供应链攻击
系统完全被攻陷

安全实践：

始终使用带快照的沙箱环境
执行期间监控系统调用和网络活动
仅在隔离容器中使用GDB/Angr
永远不要在生产系统上的二进制文件附加调试器
符号执行前验证所有输入
始终默认二进制文件是恶意的，直到静态分析证明其安全

Quick Start

快速开始

bash

undefined

bash

undefined

1. Full deep analysis (Levels 3+4)

1. 完整深度分析（等级3+4）

/re:deep crackme.exe

2. Dynamic analysis only (Level 3)

2. 仅动态分析（等级3）

/re:dynamic server.bin --args "--port 8080"

3. Symbolic execution only (Level 4)

3. 仅符号执行（等级4）

/re:symbolic challenge.exe --target-addr 0x401337

---

/re:symbolic challenge.exe --target-addr 0x401337

---

Level 3: Dynamic Analysis (≤1 hour)

等级3：动态分析（≤1小时）

Step 1: Safe Execution in Sandbox

步骤1：沙箱中安全执行

bash

/re:dynamic binary.exe --args "test input" --sandbox true

Sandboxing:

Filesystem isolation (read-only /usr, /bin)
Network disabled or monitored
Process limits (CPU, memory, time)
Prevents malware escape

bash

/re:dynamic binary.exe --args "test input" --sandbox true

沙箱特性：

文件系统隔离（/usr、/bin只读）
网络禁用或受监控
进程限制（CPU、内存、时间）
防止恶意软件逃逸

Step 2: Retrieve Static Analysis Context

步骤2：获取静态分析上下文

Before executing, the skill automatically retrieves Level 2 findings:

javascript

// Check memory-mcp for static analysis results
const staticFindings = await mcp__memory-mcp__vector_search({
  query: binary_hash,
  filter: {category: "reverse-engineering", re_level: 2}
})

// Extract critical functions and suggested breakpoints
const breakpoints = staticFindings.critical_functions.map(f => f.address)
// Example: ["0x401234", "0x401567", "0x4018ab"]

执行前，本技能会自动获取等级2的分析结果：

javascript

// 从memory-mcp查询静态分析结果
const staticFindings = await mcp__memory-mcp__vector_search({
  query: binary_hash,
  filter: {category: "reverse-engineering", re_level: 2}
})

// 提取关键函数和建议断点
const breakpoints = staticFindings.critical_functions.map(f => f.address)
// 示例：["0x401234", "0x401567", "0x4018ab"]

Step 3: GDB Session with Auto-Loaded Breakpoints

步骤3：自动加载断点的GDB会话

Automatically loads breakpoints from Level 2 static analysis:

gdb

undefined

自动加载等级2静态分析得到的断点：

gdb

undefined

Auto-generated from static analysis

由静态分析自动生成

break *0x401234 # check_password function break *0x401567 # validate_license function break *0x4018ab # decrypt_config function

Run with test input

使用测试输入运行

run --flag "test_input_from_user"


**GDB Session Commands** (executed automatically):

```gdb

run --flag "test_input_from_user"


**GDB会话命令**（自动执行）：

```gdb

At each breakpoint:

每个断点触发时执行：

1. Dump all registers

1. 导出所有寄存器

info registers

2. Dump stack (100 bytes)

2. 导出栈（100字节）

x/100x $rsp

3. Dump heap allocations (if applicable)

3. 导出堆分配（如果适用）

info proc mappings x/100x [heap_address]

4. Search for secrets in memory

4. 内存中搜索密钥

find 0x600000, 0x700000, "password" find 0x600000, 0x700000, "admin"

5. Dump interesting strings from registers

5. 导出寄存器中的敏感字符串

x/s $rdi # First argument (often string pointer) x/s $rsi # Second argument

undefined

x/s $rdi # 第一个参数（通常是字符串指针） x/s $rsi # 第二个参数

undefined

Step 4: Capture Runtime State

步骤4：捕获运行时状态

At each breakpoint, the skill captures:

Register State:

RAX: 0x0000000000401337
RBX: 0x0000000000000000
RCX: 0x00007fffffffe010  → "user_input_here"
RDX: 0x0000000000000010
RSI: 0x00007fffffffe020  → "expected_password"
RDI: 0x00007fffffffe030  → buffer
RBP: 0x00007fffffffe100
RSP: 0x00007fffffffe0e0
RIP: 0x0000000000401234  → check_password

Stack Dump (saved to

re-project/dbg/0x401234-stack.bin

0x7fffffffe0e0: 0x0000000000401337  0x0000000000000000
0x7fffffffe0f0: 0x00007fffffffe200  0x0000000000000001

Memory Secrets (extracted automatically):

Found at 0x601000: "admin:SecretP@ss123"
Found at 0x601020: "license_key=ABC-DEF-GHI-JKL"
Found at 0x601040: "api_token=eyJhbGciOiJIUzI1NiIs..."

Syscall Trace (via strace):

bash

undefined

每个断点触发时，本技能会捕获：

寄存器状态：

RAX: 0x0000000000401337
RBX: 0x0000000000000000
RCX: 0x00007fffffffe010  → "user_input_here"
RDX: 0x0000000000000010
RSI: 0x00007fffffffe020  → "expected_password"
RDI: 0x00007fffffffe030  → buffer
RBP: 0x00007fffffffe100
RSP: 0x00007fffffffe0e0
RIP: 0x0000000000401234  → check_password

栈转储（保存到

re-project/dbg/0x401234-stack.bin

）：

0x7fffffffe0e0: 0x0000000000401337  0x0000000000000000
0x7fffffffe0f0: 0x00007fffffffe200  0x0000000000000001

内存密钥（自动提取）：

Found at 0x601000: "admin:SecretP@ss123"
Found at 0x601020: "license_key=ABC-DEF-GHI-JKL"
Found at 0x601040: "api_token=eyJhbGciOiJIUzI1NiIs..."

系统调用追踪（通过strace）：

bash

undefined

Automatically executed in parallel

自动并行执行

strace -o re-project/dbg/syscalls.log ./binary.exe --flag test


**Output**:

open("/etc/config.ini", O_RDONLY) = 3 read(3, "password=admin123\n", 1024) = 18 socket(AF_INET, SOCK_STREAM, 0) = 4 connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.168.1.100")}, 16) = 0 send(4, "POST /api/login HTTP/1.1\r\n...", 256, 0) = 256

undefined

strace -o re-project/dbg/syscalls.log ./binary.exe --flag test


**输出**：

undefined

Step 5: Output Structure

步骤5：输出结构

re-project/dbg/
├── gdb-session.log          # Full GDB transcript
├── breakpoints.txt          # List of breakpoints set
├── memory-dumps/
│   ├── 0x401234-registers.txt
│   ├── 0x401234-stack.bin
│   ├── 0x401567-registers.txt
│   ├── 0x401567-stack.bin
│   └── 0x4018ab-heap.bin
├── syscalls.log             # strace output
├── libcalls.log             # ltrace output
└── runtime-secrets.txt      # Extracted passwords, keys, tokens

re-project/dbg/
├── gdb-session.log          # 完整GDB会话记录
├── breakpoints.txt          # 设置的断点列表
├── memory-dumps/
│   ├── 0x401234-registers.txt
│   ├── 0x401234-stack.bin
│   ├── 0x401567-registers.txt
│   ├── 0x401567-stack.bin
│   └── 0x4018ab-heap.bin
├── syscalls.log             # strace输出
├── libcalls.log             # ltrace输出
└── runtime-secrets.txt      # 提取的密码、密钥、token

Step 6: Decision Gate - Escalate to Level 4?

步骤6：决策门 - 是否升级到等级4？

javascript

// Automatically evaluated via sequential-thinking MCP
const decision = await mcp__sequential-thinking__evaluate({
  question: "Should we proceed to symbolic execution (Level 4)?",
  factors: [
    `Branches explored: ${explored_branches}/${total_branches}`,
    `Unreachable code found: ${unreachable_functions.length > 0}`,
    `User's question answered: ${findings_sufficient}`,
    `Input-dependent paths: ${symbolic_paths_needed}`
  ]
})

// Example evaluation:
// - Explored 12/20 branches (60% coverage)
// - Found 3 unreachable functions (possible anti-debug)
// - User wants to reach "win" function at 0x401337 (NOT YET REACHED)
// - Input-dependent path detected (password check with strcmp)
// DECISION: ESCALATE TO LEVEL 4

javascript

// 通过sequential-thinking MCP自动评估
const decision = await mcp__sequential-thinking__evaluate({
  question: "Should we proceed to symbolic execution (Level 4)?",
  factors: [
    `Branches explored: ${explored_branches}/${total_branches}`,
    `Unreachable code found: ${unreachable_functions.length > 0}`,
    `User's question answered: ${findings_sufficient}`,
    `Input-dependent paths: ${symbolic_paths_needed}`
  ]
})

// 评估示例：
// - 已探索12/20个分支（覆盖率60%）
// - 发现3个不可达函数（可能是反调试逻辑）
// - 用户想要到达0x401337处的"win"函数（尚未到达）
// - 检测到输入依赖路径（使用strcmp的密码校验）
// 决策：升级到等级4

Level 4: Symbolic Execution (2-6 hours)

等级4：符号执行（2-6小时）

Step 1: Define Target State from Dynamic Analysis

步骤1：从动态分析结果定义目标状态

python

undefined

python

undefined

From Level 3: Couldn't reach "win" function at 0x401337 with manual inputs

来自等级3：手动输入无法到达0x401337处的"win"函数

target_addr = 0x401337 # Goal: Find input that reaches this

target_addr = 0x401337 # 目标：找到能到达该地址的输入

From Level 3: These functions lead to failure/exit

来自等级3：这些函数会导致失败/退出

avoid_addrs = [ 0x401400, # fail_message function 0x401500, # bad_password function 0x401600 # exit_program function ]

undefined

avoid_addrs = [ 0x401400, # fail_message function 0x401500, # bad_password function 0x401600 # exit_program function ]

undefined

Step 2: Launch Symbolic Exploration

步骤2：启动符号探索

bash

/re:symbolic binary.exe \
  --target-addr 0x401337 \
  --avoid-addrs 0x401400,0x401500,0x401600 \
  --max-states 1000 \
  --timeout 7200

What Happens Under the Hood:

python

import angr
import claripy

bash

/re:symbolic binary.exe \
  --target-addr 0x401337 \
  --avoid-addrs 0x401400,0x401500,0x401600 \
  --max-states 1000 \
  --timeout 7200

内部执行逻辑：

python

import angr
import claripy

Step 2.1: Load binary into Angr project

步骤2.1：将二进制文件加载到Angr项目

project = angr.Project('./binary.exe', auto_load_libs=False)

Step 2.2: Create symbolic input

步骤2.2：创建符号输入

Assume input is 32-byte flag

假设输入是32字节的flag

flag_length = 32 flag = claripy.BVS('flag', flag_length * 8)

Step 2.3: Create entry state with symbolic stdin

步骤2.3：创建带符号标准输入的入口状态

state = project.factory.entry_state( stdin=flag, add_options={angr.options.LAZY_SOLVES} )

Step 2.4: Add constraints - printable ASCII only

步骤2.4：添加约束 - 仅允许可打印ASCII字符

for byte in flag.chop(8): state.add_constraints(byte >= 0x20) # Printable ASCII start state.add_constraints(byte <= 0x7e) # Printable ASCII end

for byte in flag.chop(8): state.add_constraints(byte >= 0x20) # 可打印ASCII起始 state.add_constraints(byte <= 0x7e) # 可打印ASCII结束

Step 2.5: Create simulation manager

步骤2.5：创建仿真管理器

simgr = project.factory.simulation_manager(state)

Step 2.6: Explore paths (DFS strategy)

步骤2.6：探索路径（DFS策略）

simgr.explore( find=0x401337, # Target address avoid=[0x401400, 0x401500, 0x401600], # Avoid addresses num_find=1, # Stop after finding first solution max_states=1000 # Prevent state explosion )

simgr.explore( find=0x401337, # 目标地址 avoid=[0x401400, 0x401500, 0x401600], # 规避地址 num_find=1, # 找到第一个解后停止 max_states=1000 # 防止状态爆炸 )

Step 2.7: Check if solution found

步骤2.7：检查是否找到解

if simgr.found: # Extract concrete input solution_state = simgr.found[0] solution = solution_state.solver.eval(flag, cast_to=bytes) print(f"Solution: {solution.decode()}")

# Save solution
with open('re-project/sym/solutions/solution-1.txt', 'wb') as f:
    f.write(solution)

else: print("No solution found within constraints")

undefined

if simgr.found: # 提取具体输入 solution_state = simgr.found[0] solution = solution_state.solver.eval(flag, cast_to=bytes) print(f"Solution: {solution.decode()}")

# 保存解
with open('re-project/sym/solutions/solution-1.txt', 'wb') as f:
    f.write(solution)

else: print("No solution found within constraints")

undefined

Step 3: Advanced Symbolic Techniques

步骤3：高级符号执行技术

Technique 1: Hook Library Functions

技术1：Hook库函数

python

undefined

python

undefined

Replace complex library functions with symbolic summaries

用符号摘要替换复杂库函数

import angr

Hook strcmp to return symbolic value

Hook strcmp返回符号比较结果

class StrCmpHook(angr.SimProcedure): def run(self, s1, s2): # Return symbolic comparison result s1_str = self.state.memory.load(s1, 32) s2_str = self.state.memory.load(s2, 32) return s1_str == s2_str

project.hook_symbol('strcmp', StrCmpHook())

undefined

class StrCmpHook(angr.SimProcedure): def run(self, s1, s2): # 返回符号比较结果 s1_str = self.state.memory.load(s1, 32) s2_str = self.state.memory.load(s2, 32) return s1_str == s2_str

project.hook_symbol('strcmp', StrCmpHook())

undefined

Technique 2: State Merging for Complex Paths

技术2：复杂路径的状态合并

python

undefined

python

undefined

Merge states at loop entry to prevent explosion

在循环入口合并状态防止爆炸

simgr.use_technique(angr.exploration_techniques.Veritesting())

Alternative: Manual state merging

替代方案：手动状态合并

while simgr.active: simgr.step() if len(simgr.active) > 50: # Merge similar states simgr.merge()

undefined

while simgr.active: simgr.step() if len(simgr.active) > 50: # 合并相似状态 simgr.merge()

undefined

Technique 3: Constraint Simplification

技术3：约束简化

python

undefined

python

undefined

Add intermediate constraints to guide exploration

添加中间约束引导探索

state.add_constraints( flag[0:4] == b'FLAG' # Known prefix from hints )

state.add_constraints( flag[0:4] == b'FLAG' # 从提示得知的前缀 )

This reduces search space dramatically

大幅减少搜索空间

Without: 256^32 possibilities

无约束：256^32种可能

With: 256^28 possibilities (4 bytes fixed)

有约束：256^28种可能（4字节固定）

undefined

undefined

Step 4: Validate Solution

步骤4：验证解

bash

undefined

bash

undefined

Test synthesized input

测试合成的输入

echo "FLAG_synthesized_solution_here" | ./binary.exe

Expected output:

预期输出：

"Success! You reached the target state."

"Congratulations! Flag: CTF{...}"


**Validation Steps**:
1. Run binary with synthesized input
2. Verify execution reaches target address (0x401337)
3. Check output matches expected success message
4. Store validated solution in memory-mcp


**验证步骤**：
1. 使用合成输入运行二进制文件
2. 确认执行到达目标地址（0x401337）
3. 检查输出匹配预期的成功消息
4. 将验证通过的解存储到memory-mcp

Step 5: Output Structure

步骤5：输出结构

re-project/sym/
├── angr-script.py           # Reproducible Angr script
├── solutions/
│   ├── solution-1.txt       # First valid solution
│   ├── solution-2.txt       # Alternative solution (if --find-all)
│   └── solution-3.txt
├── constraints/
│   ├── path-1.smt2          # Z3 constraints for path 1
│   ├── path-2.smt2
│   └── simplified.smt2      # Simplified constraint set
├── validation.log           # Validation test results
└── exploration-metrics.json # States explored, time taken, coverage

exploration-metrics.json:

json

{
  "total_states": 847,
  "found_states": 3,
  "avoided_states": 124,
  "deadended_states": 720,
  "execution_time_sec": 3245,
  "coverage_percent": 78.5,
  "memory_usage_mb": 2847,
  "solutions_found": 3
}

re-project/sym/
├── angr-script.py           # 可复现的Angr脚本
├── solutions/
│   ├── solution-1.txt       # 第一个有效解
│   ├── solution-2.txt       # 替代解（如果使用--find-all）
│   └── solution-3.txt
├── constraints/
│   ├── path-1.smt2          # 路径1的Z3约束
│   ├── path-2.smt2
│   └── simplified.smt2      # 简化后的约束集
├── validation.log           # 验证测试结果
└── exploration-metrics.json # 探索的状态数、耗时、覆盖率

exploration-metrics.json：

json

{
  "total_states": 847,
  "found_states": 3,
  "avoided_states": 124,
  "deadended_states": 720,
  "execution_time_sec": 3245,
  "coverage_percent": 78.5,
  "memory_usage_mb": 2847,
  "solutions_found": 3
}

Advanced Options

高级选项

Custom Breakpoints (Dynamic Analysis)

自定义断点（动态分析）

bash

undefined

bash

undefined

Set breakpoints at crypto functions

在加密函数处设置断点

/re:dynamic binary.exe --breakpoints AES_encrypt,RSA_sign,MD5_update

Set breakpoints at specific addresses

在指定地址设置断点

/re:dynamic binary.exe --breakpoints 0x401000,0x402000,0x403000

Conditional breakpoints (GDB syntax)

条件断点（GDB语法）

/re:dynamic binary.exe --breakpoints "0x401234 if $rdi == 0x601000"


**Advanced GDB Scripting**:

```python

/re:dynamic binary.exe --breakpoints "0x401234 if $rdi == 0x601000"


**高级GDB脚本**：

```python

Custom GDB Python script (auto-loaded if found)

自定义GDB Python脚本（存在时自动加载）

re-project/gdb-script.py

import gdb

class PasswordBreakpoint(gdb.Breakpoint): def init(self, location): super().init(location)

def stop(self):
    # Extract password from RDI register
    rdi = gdb.parse_and_eval('$rdi')
    password = gdb.execute(f'x/s {rdi}', to_string=True)

    # Log to file
    with open('passwords.log', 'a') as f:
        f.write(f"{password}\n")

    # Continue execution
    return False

import gdb

class PasswordBreakpoint(gdb.Breakpoint): def init(self, location): super().init(location)

def stop(self):
    # 从RDI寄存器提取密码
    rdi = gdb.parse_and_eval('$rdi')
    password = gdb.execute(f'x/s {rdi}', to_string=True)

    # 记录到文件
    with open('passwords.log', 'a') as f:
        f.write(f"{password}\n")

    # 继续执行
    return False

Set custom breakpoint

设置自定义断点

PasswordBreakpoint("check_password")

undefined

PasswordBreakpoint("check_password")

undefined

Symbolic Exploration Strategies

符号探索策略

Strategy 1: Find ALL Solutions

策略1：查找所有解

bash

undefined

bash

undefined

Exhaustive search (may take hours)

穷尽搜索（可能耗时数小时）

/re:symbolic binary.exe
--target-addr 0x401337
--find-all true
--max-solutions 10
--timeout 14400


```python

/re:symbolic binary.exe
--target-addr 0x401337
--find-all true
--max-solutions 10
--timeout 14400


```python

In Angr script

在Angr脚本中

simgr.explore( find=0x401337, avoid=avoid_addrs, num_find=10 # Find up to 10 solutions )

simgr.explore( find=0x401337, avoid=avoid_addrs, num_find=10 # 最多找10个解 )

Process all found solutions

处理所有找到的解

for idx, state in enumerate(simgr.found): solution = state.solver.eval(flag, cast_to=bytes) with open(f'solution-{idx+1}.txt', 'wb') as f: f.write(solution)

undefined

for idx, state in enumerate(simgr.found): solution = state.solver.eval(flag, cast_to=bytes) with open(f'solution-{idx+1}.txt', 'wb') as f: f.write(solution)

undefined

Strategy 2: Limit State Explosion

策略2：限制状态爆炸

bash

undefined

bash

undefined

Aggressive pruning

激进剪枝

/re:symbolic binary.exe
--max-states 100
--avoid-addrs 0x401400,0x401500,0x401600
--strategy dfs # Depth-first search (memory efficient)


```python

/re:symbolic binary.exe
--max-states 100
--avoid-addrs 0x401400,0x401500,0x401600
--strategy dfs # 深度优先搜索（内存高效）


```python

Use Veritesting to merge paths

使用Veritesting合并路径

simgr.use_technique(angr.exploration_techniques.Veritesting())

Drop states if too many active

活跃状态过多时丢弃部分状态

simgr.use_technique(angr.exploration_techniques.LengthLimiter(max_length=100))

Prioritize states closer to target

优先探索更接近目标的状态

simgr.use_technique(angr.exploration_techniques.Explorer( find=0x401337, avoid=avoid_addrs, num_find=1 ))

undefined

simgr.use_technique(angr.exploration_techniques.Explorer( find=0x401337, avoid=avoid_addrs, num_find=1 ))

undefined

Strategy 3: Under-Constrained Symbolic Execution

策略3：欠约束符号执行

python

undefined

python

undefined

Start from target address and work backwards

从目标地址反向探索

project = angr.Project('./binary.exe')

Create state at target address (not entry point)

在目标地址创建状态（而非入口点）

state = project.factory.blank_state(addr=0x401337)

Make all memory symbolic

将所有内存设为符号

state.options.add(angr.options.SYMBION_SYNC_CLE)

Explore backwards to find required input

反向探索找到所需输入

simgr = project.factory.simulation_manager(state) simgr.explore(find=project.entry)

This finds inputs that MUST lead to target

该方法会找到必然能到达目标的输入

undefined

undefined

Memory Dump Analysis

内存转储分析

bash

undefined

bash

undefined

Dump specific memory regions

导出指定内存区域

/re:dynamic binary.exe
--dump-regions heap,stack,data
--dump-at-breakpoints 0x401234,0x401567


**Custom Memory Analysis**:

```python

/re:dynamic binary.exe
--dump-regions heap,stack,data
--dump-at-breakpoints 0x401234,0x401567


**自定义内存分析**：

```python

GDB Python script for heap analysis

用于堆分析的GDB Python脚本

import gdb

def analyze_heap(): # Get heap boundaries mappings = gdb.execute('info proc mappings', to_string=True) heap_start = extract_heap_start(mappings) heap_end = extract_heap_end(mappings)

# Scan for interesting patterns
for addr in range(heap_start, heap_end, 8):
    value = gdb.execute(f'x/g {addr}', to_string=True)

    # Check if value looks like a pointer
    if is_valid_pointer(value):
        gdb.execute(f'x/s {value}')  # Dereference as string

analyze_heap()

---

import gdb

def analyze_heap(): # 获取堆边界 mappings = gdb.execute('info proc mappings', to_string=True) heap_start = extract_heap_start(mappings) heap_end = extract_heap_end(mappings)

# 扫描感兴趣的模式
for addr in range(heap_start, heap_end, 8):
    value = gdb.execute(f'x/g {addr}', to_string=True)

    # 检查值是否看起来像指针
    if is_valid_pointer(value):
        gdb.execute(f'x/s {value}')  # 解引用为字符串

analyze_heap()

---

Comprehensive Workflow Examples

完整工作流示例

Workflow 1: Malware Analysis with Runtime Secrets

工作流1：提取运行时密钥的恶意软件分析

Scenario: Analyze malware sample to extract C2 server URL and encryption keys

Phase 1: Dynamic Analysis (Level 3)

bash

undefined

场景：分析恶意软件样本，提取C2服务器URL和加密密钥

阶段1：动态分析（等级3）

bash

undefined

Step 1: Safe sandbox execution

步骤1：沙箱中安全执行

/re:dynamic malware.exe --sandbox true --network-monitor true

Step 2: GDB session auto-starts with breakpoints from static analysis

步骤2：GDB会话自动启动，加载静态分析得到的断点

Breakpoints at: decrypt_config, connect_to_c2, send_beacon

断点位置：decrypt_config, connect_to_c2, send_beacon

Step 3: At decrypt_config breakpoint (0x401234)

步骤3：触发decrypt_config断点（0x401234）

(gdb) info registers RAX: 0x0000000000601000 → encrypted_buffer RDI: 0x0000000000601100 → decryption_key

(gdb) x/s 0x601100 0x601100: "hardcoded_AES_key_12345"

(gdb) info registers RAX: 0x0000000000601000 → encrypted_buffer RDI: 0x0000000000601100 → decryption_key

(gdb) x/s 0x601100 0x601100: "hardcoded_AES_key_12345"

Step 4: Continue to connect_to_c2 breakpoint (0x401567)

步骤4：继续执行到connect_to_c2断点（0x401567）

(gdb) continue

(gdb) x/s $rdi 0x601200: "http://malicious-c2.tk:8443/beacon"

(gdb) continue

(gdb) x/s $rdi 0x601200: "http://malicious-c2.tk:8443/beacon"

Step 5: Extract all findings

步骤5：提取所有结果

Runtime Secrets Found:

AES Key: "hardcoded_AES_key_12345"
C2 URL: "http://malicious-c2.tk:8443/beacon"
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"


**Phase 2: Decision Gate**

```javascript
// Automatically evaluated
QUESTION: "Proceed to symbolic execution?"
FACTORS:
- All critical functions reached ✅
- Secrets extracted (AES key, C2 URL) ✅
- User's question answered (extract IOCs) ✅
- No unreachable paths requiring symbolic execution ❌
DECISION: STOP AT LEVEL 3 (sufficient findings)

Output: Malware analysis complete in 45 minutes with full IOC extraction.

发现的运行时密钥：

AES密钥："hardcoded_AES_key_12345"
C2 URL："http://malicious-c2.tk:8443/beacon"
User-Agent："Mozilla/5.0 (Windows NT 10.0; Win64; x64)"


**阶段2：决策门**

```javascript
// 自动评估
问题："是否继续执行符号执行？"
因素：
- 已到达所有关键函数 ✅
- 已提取密钥（AES密钥、C2 URL） ✅
- 已回答用户问题（提取IOC） ✅
- 无需要符号执行的不可达路径 ❌
决策：停留在等级3（结果足够）

输出：恶意软件分析在45分钟内完成，成功提取所有IOC。

Workflow 2: CTF Challenge - Reversing License Check

工作流2：CTF挑战 - 逆向许可证校验

Scenario: Find valid license key to unlock "premium features" in binary

Phase 1: Dynamic Analysis (Level 3)

bash

undefined

场景：找到有效许可证密钥，解锁二进制文件的“高级功能”

阶段1：动态分析（等级3）

bash

undefined

Step 1: Test with invalid key

步骤1：使用无效密钥测试

/re:dynamic challenge.exe --args "--license AAAA-BBBB-CCCC-DDDD"

Output: "Invalid license key"

输出："Invalid license key"

Step 2: GDB reveals license check at 0x401234

步骤2：GDB显示许可证校验位于0x401234

(gdb) break *0x401234 (gdb) run --license AAAA-BBBB-CCCC-DDDD

Step 3: Examine comparison

步骤3：检查比较逻辑

(gdb) x/s $rdi 0x7fffffffe010: "AAAA-BBBB-CCCC-DDDD" # User input

(gdb) x/s $rsi 0x601000: [encrypted data, not readable]

(gdb) x/s $rdi 0x7fffffffe010: "AAAA-BBBB-CCCC-DDDD" # 用户输入

(gdb) x/s $rsi 0x601000: [encrypted data, not readable]

Observation: License key is compared against encrypted/hashed value

观察：许可证密钥与加密/哈希值比较

Cannot extract valid key directly from memory

无法直接从内存提取有效密钥


**Phase 2: Decision Gate**

```javascript
QUESTION: "Proceed to symbolic execution?"
FACTORS:
- License check function found ✅
- Valid key NOT extractable from memory ✅
- Comparison is complex (encryption/hashing) ✅
- User wants valid license key ✅
DECISION: ESCALATE TO LEVEL 4 (symbolic execution required)

Phase 3: Symbolic Execution (Level 4)

bash

undefined


**阶段2：决策门**

```javascript
问题："是否继续执行符号执行？"
因素：
- 已找到许可证校验函数 ✅
- 无法从内存提取有效密钥 ✅
- 比较逻辑复杂（加密/哈希） ✅
- 用户需要有效许可证密钥 ✅
决策：升级到等级4（需要符号执行）

阶段3：符号执行（等级4）

bash

undefined

Launch Angr symbolic execution

启动Angr符号执行

/re:symbolic challenge.exe
--target-addr 0x401337 \ # "Premium features unlocked" message --avoid-addrs 0x401400 \ # "Invalid license" path --input-format "FLAG-XXXX-XXXX-XXXX"
--max-states 500


**Angr Script** (auto-generated):

```python
import angr
import claripy

project = angr.Project('./challenge.exe', auto_load_libs=False)

/re:symbolic challenge.exe
--target-addr 0x401337 \ # "高级功能已解锁"消息位置 --avoid-addrs 0x401400 \ # "许可证无效"路径 --input-format "FLAG-XXXX-XXXX-XXXX"
--max-states 500


**Angr脚本**（自动生成）：

```python
import angr
import claripy

project = angr.Project('./challenge.exe', auto_load_libs=False)

License key format: FLAG-XXXX-XXXX-XXXX (19 chars)

许可证密钥格式：FLAG-XXXX-XXXX-XXXX（19个字符）

license_key = claripy.BVS('license', 19 * 8)

Create entry state with symbolic license as argv[2]

创建入口状态，将符号许可证作为argv[2]

state = project.factory.entry_state(args=['./challenge.exe', '--license', license_key])

Constrain to valid format: FLAG-XXXX-XXXX-XXXX

约束为有效格式：FLAG-XXXX-XXXX-XXXX

for i in range(19): if i in [0, 1, 2, 3]: # "FLAG" state.add_constraints(license_key.get_byte(i) == ord("FLAG"[i])) elif i in [4, 9, 14]: # Dashes state.add_constraints(license_key.get_byte(i) == ord('-')) else: # X = uppercase letters or digits byte = license_key.get_byte(i) state.add_constraints( claripy.Or( claripy.And(byte >= ord('A'), byte <= ord('Z')), claripy.And(byte >= ord('0'), byte <= ord('9')) ) )

for i in range(19): if i in [0, 1, 2, 3]: # "FLAG" state.add_constraints(license_key.get_byte(i) == ord("FLAG"[i])) elif i in [4, 9, 14]: # 短横线 state.add_constraints(license_key.get_byte(i) == ord('-')) else: # X = 大写字母或数字 byte = license_key.get_byte(i) state.add_constraints( claripy.Or( claripy.And(byte >= ord('A'), byte <= ord('Z')), claripy.And(byte >= ord('0'), byte <= ord('9')) ) )

Explore

探索

simgr = project.factory.simulation_manager(state) simgr.explore(find=0x401337, avoid=0x401400)

if simgr.found: solution = simgr.found[0].solver.eval(license_key, cast_to=bytes) print(f"Valid License: {solution.decode()}") # Output: "FLAG-A7B2-C9D4-E1F6"


**Validation**:

```bash
$ ./challenge.exe --license FLAG-A7B2-C9D4-E1F6
Premium features unlocked!
Congratulations! Here is your flag: CTF{symbolic_execution_wins}

Output: Challenge solved in 3.5 hours total (45min dynamic + 3hr symbolic).

simgr = project.factory.simulation_manager(state) simgr.explore(find=0x401337, avoid=0x401400)

if simgr.found: solution = simgr.found[0].solver.eval(license_key, cast_to=bytes) print(f"Valid License: {solution.decode()}") # 输出："FLAG-A7B2-C9D4-E1F6"


**验证**：

```bash
$ ./challenge.exe --license FLAG-A7B2-C9D4-E1F6
Premium features unlocked!
Congratulations! Here is your flag: CTF{symbolic_execution_wins}

输出：挑战总计耗时3.5小时解决（45分钟动态分析+3小时符号执行）。

Workflow 3: Vulnerability Research - Buffer Overflow

工作流3：漏洞研究 - 缓冲区溢出

Scenario: Find exploitable buffer overflow in server binary

Phase 1: Dynamic Analysis (Level 3)

bash

undefined

场景：在服务器二进制文件中找到可利用的缓冲区溢出

阶段1：动态分析（等级3）

bash

undefined

Step 1: Launch server in sandbox

步骤1：在沙箱中启动服务器

/re:dynamic server.bin --args "--port 8080" --sandbox true

Step 2: Fuzz with large inputs

步骤2：用大输入进行fuzz

echo "A"*1000 | nc localhost 8080

GDB catches segfault

GDB捕获段错误

Program received signal SIGSEGV, Segmentation fault. 0x4141414141414141 in ?? ()

Step 3: Analyze crash

步骤3：分析崩溃

(gdb) info registers RIP: 0x4141414141414141 # Overwritten return address RSP: 0x7fffffffe100 RBP: 0x4141414141414141

(gdb) x/100x $rsp

(gdb) info registers RIP: 0x4141414141414141 # 返回地址被覆盖 RSP: 0x7fffffffe100 RBP: 0x4141414141414141

(gdb) x/100x $rsp

Shows stack completely overwritten with 'A' (0x41)

显示栈完全被'A'（0x41）覆盖

Step 4: Find offset to return address

步骤4：找到返回地址的偏移

Use pattern_create and pattern_offset from GEF/Pwndbg

使用GEF/Pwndbg的pattern_create和pattern_offset

(gdb) pattern create 1000 (gdb) run

Crash at offset 512

崩溃时偏移为512

Confirmed: Buffer overflow at offset 512, control of RIP

确认：偏移512处存在缓冲区溢出，可控制RIP


**Phase 2: Decision Gate**

```javascript
QUESTION: "Proceed to symbolic execution?"
FACTORS:
- Buffer overflow confirmed ✅
- Offset to RIP known (512 bytes) ✅
- Exploitation demonstrated ✅
- User's goal: find vulnerability ✅ (COMPLETE)
DECISION: STOP AT LEVEL 3 (vulnerability found)

Output: Vulnerability research complete in 30 minutes.


**阶段2：决策门**

```javascript
问题："是否继续执行符号执行？"
因素：
- 已确认缓冲区溢出 ✅
- 已知RIP偏移（512字节） ✅
- 已证明可利用 ✅
- 用户目标：找到漏洞 ✅（已完成）
决策：停留在等级3（已找到漏洞）

输出：漏洞研究在30分钟内完成。

Troubleshooting

故障排查

Issue 1: Sandbox Blocks Execution

问题1：沙箱阻止执行

Symptoms: Binary fails to run with "Permission denied" or syscall blocked errors

Cause: Sandbox too restrictive, blocking necessary syscalls

Solution 1: Whitelist necessary syscalls

bash

undefined

症状：二进制文件运行失败，提示“Permission denied”或系统调用被阻止错误

原因：沙箱限制过严，阻止了必要的系统调用

解决方案1：将必要的系统调用加入白名单

bash

undefined

Check which syscalls are blocked

检查哪些系统调用被阻止

strace ./binary.exe 2>&1 | grep "Operation not permitted"

Create custom seccomp profile

创建自定义seccomp配置文件

cat > sandbox-profile.json <<EOF { "defaultAction": "SCMP_ACT_ERRNO", "syscalls": [ {"names": ["read", "write", "open", "close"], "action": "SCMP_ACT_ALLOW"}, {"names": ["socket", "connect"], "action": "SCMP_ACT_ALLOW"} ] } EOF

Use custom profile

使用自定义配置

/re:dynamic binary.exe --sandbox-profile sandbox-profile.json


**Solution 2**: Use less restrictive sandbox

```bash

/re:dynamic binary.exe --sandbox-profile sandbox-profile.json


**解决方案2：使用限制更少的沙箱**

```bash

Disable network isolation only (allow file access)

仅禁用网络隔离（允许文件访问）

/re:dynamic server.bin --sandbox true --allow-network true

Or use Docker instead of seccomp

或者使用Docker替代seccomp

docker run --rm -v $(pwd):/work -it ubuntu:20.04 /work/binary.exe

---

docker run --rm -v $(pwd):/work -it ubuntu:20.04 /work/binary.exe

---

Issue 2: GDB Fails to Attach

问题2：GDB无法附加进程

Symptoms: "ptrace: Operation not permitted" or GDB won't start

Cause: System security settings prevent ptrace

Solution 1: Temporarily allow ptrace (Linux)

bash

undefined

症状：提示“ptrace: Operation not permitted”或GDB无法启动

原因：系统安全设置阻止ptrace

解决方案1：临时允许ptrace（Linux）

bash

undefined

Check current setting

检查当前设置

cat /proc/sys/kernel/yama/ptrace_scope

1 = restricted, 0 = unrestricted

1 = 受限，0 = 不受限

Temporarily allow (requires sudo)

临时允许（需要sudo）

echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope

Rerun analysis

重新运行分析

/re:dynamic binary.exe


**Solution 2**: Run GDB with sudo

```bash
sudo /re:dynamic binary.exe

Solution 3: Use container (bypass host restrictions)

bash

docker run --cap-add=SYS_PTRACE --rm -it ubuntu:20.04 bash

/re:dynamic binary.exe


**解决方案2：用sudo运行GDB**

```bash
sudo /re:dynamic binary.exe

解决方案3：使用容器（绕过主机限制）

bash

docker run --cap-add=SYS_PTRACE --rm -it ubuntu:20.04 bash

Inside container:

容器内执行：

apt update && apt install gdb gdb ./binary.exe

---

apt update && apt install gdb gdb ./binary.exe

---

Issue 3: Angr State Explosion

问题3：Angr状态爆炸

Symptoms: Symbolic execution runs out of memory or times out with thousands of active states

Cause: Binary has too many branches, creating exponential state explosion

Solution 1: Add more avoid states

bash

undefined

症状：符号执行内存不足或超时，同时存在数千个活跃状态

原因：二进制文件分支过多，导致指数级状态爆炸

解决方案1：添加更多规避状态

bash

undefined

Find all "failure" functions from static analysis

从静态分析中找到所有“失败”函数

/re:static binary.exe --list-functions | grep -i "fail|error|exit"

Add all failure addresses to avoid list

将所有失败地址加入规避列表

/re:symbolic binary.exe
--target-addr 0x401337
--avoid-addrs 0x401400,0x401500,0x401600,0x401700,0x401800
--max-states 100


**Solution 2**: Use Veritesting (merge states automatically)

```python

/re:symbolic binary.exe
--target-addr 0x401337
--avoid-addrs 0x401400,0x401500,0x401600,0x401700,0x401800
--max-states 100


**解决方案2：使用Veritesting（自动合并状态）**

```python

In custom Angr script

在自定义Angr脚本中

simgr.use_technique(angr.exploration_techniques.Veritesting())

This merges similar states, reducing explosion by 10-100x

该方法会合并相似状态，减少10-100倍的状态爆炸


**Solution 3**: Start from intermediate address (skip unimportant code)

```python


**解决方案3：从中间地址开始执行（跳过不重要的代码）**

```python

Skip initialization code, start at license check function

跳过初始化代码，从许可证校验函数开始

state = project.factory.blank_state(addr=0x401234)

Set up expected register/memory state (from Level 3 analysis)

设置预期的寄存器/内存状态（来自等级3分析）

state.regs.rdi = state.solver.BVS('input', 32*8)

Explore from this point only

仅从该点开始探索

simgr = project.factory.simulation_manager(state) simgr.explore(find=0x401337)

---

simgr = project.factory.simulation_manager(state) simgr.explore(find=0x401337)

---

Issue 4: Memory Dumps Too Large

问题4：内存转储过大

Symptoms: GDB dumps gigabytes of memory, fills disk space

Cause: Dumping entire address space instead of targeted regions

Solution 1: Target specific memory regions from vmmap

gdb

undefined

症状：GDB导出数GB的内存，占满磁盘空间

原因：导出了整个地址空间，而非目标区域

解决方案1：从vmmap中导出指定内存区域

gdb

undefined

Check memory mappings

检查内存映射

(gdb) info proc mappings

Example output:

示例输出：

0x400000-0x600000 r-xp /path/binary.exe (code)

0x400000-0x600000 r-xp /path/binary.exe (代码段)

0x600000-0x700000 rw-p /path/binary.exe (data)

0x600000-0x700000 rw-p /path/binary.exe (数据段)

0x7ffff7a0d000-0x7ffff7bcd000 r-xp /lib/libc.so (library)

0x7ffff7a0d000-0x7ffff7bcd000 r-xp /lib/libc.so (库文件)

Dump ONLY data section (where secrets likely are)

仅导出数据段（密钥大概率存在此处）

(gdb) dump binary memory data-section.bin 0x600000 0x700000

Dump ONLY stack (where local variables are)

仅导出栈（局部变量存在此处）

(gdb) dump binary memory stack.bin $rsp-0x1000 $rsp+0x1000


**Solution 2**: Use selective breakpoint dumps

```bash

(gdb) dump binary memory stack.bin $rsp-0x1000 $rsp+0x1000


**解决方案2：使用选择性断点导出**

```bash

Only dump memory at specific breakpoints, not every instruction

仅在指定断点处导出内存，而非每条指令都导出

/re:dynamic binary.exe
--breakpoints 0x401234,0x401567
--dump-at-breakpoints true
--dump-regions stack,heap

---

/re:dynamic binary.exe
--breakpoints 0x401234,0x401567
--dump-at-breakpoints true
--dump-regions stack,heap

---

Issue 5: Symbolic Execution Timeout

问题5：符号执行超时

Symptoms: Angr runs for hours without finding solution

Cause: Constraint solver (Z3) stuck on complex constraints

Solution 1: Increase timeout and simplify constraints

bash

/re:symbolic binary.exe \
  --timeout 14400 \  # 4 hours
  --max-states 200 \
  --simplify-constraints true

Solution 2: Use incremental solving

python

undefined

症状：Angr运行数小时未找到解

原因：约束求解器（Z3）卡在复杂约束上

解决方案1：增加超时时间并简化约束

bash

/re:symbolic binary.exe \
  --timeout 14400 \  # 4小时
  --max-states 200 \
  --simplify-constraints true

解决方案2：使用增量求解

python

undefined

Add constraints incrementally instead of all at once

增量添加约束，而非一次性添加所有约束

state.solver.add(constraint1) if state.satisfiable(): state.solver.add(constraint2) if state.satisfiable(): state.solver.add(constraint3)


**Solution 3**: Use faster solver (CVC4 or Boolector)

```python
import angr
import claripy

state.solver.add(constraint1) if state.satisfiable(): state.solver.add(constraint2) if state.satisfiable(): state.solver.add(constraint3)


**解决方案3：使用更快的求解器（CVC4或Boolector）**

```python
import angr
import claripy

Use faster solver backend

使用更快的求解器后端

claripy.backends.backend_manager.backends._eager_backends = [ claripy.backends.BackendConcrete, claripy.backends.BackendZ3 # Replace with BackendCVC4 ]

---

claripy.backends.backend_manager.backends._eager_backends = [ claripy.backends.BackendConcrete, claripy.backends.BackendZ3 # 替换为BackendCVC4 ]

---

Performance Optimization

性能优化

Speed Up Dynamic Analysis (Level 3)

加速动态分析（等级3）

Optimization 1: Parallel Syscall Tracing

优化1：并行系统调用追踪

bash

undefined

bash

undefined

Run strace and ltrace in parallel

并行运行strace和ltrace

(strace -o syscalls.log ./binary.exe &) (ltrace -o libcalls.log ./binary.exe &) wait

undefined

(strace -o syscalls.log ./binary.exe &) (ltrace -o libcalls.log ./binary.exe &) wait

undefined

Optimization 2: GDB Scripting for Automation

优化2：GDB脚本自动化

python

undefined

python

undefined

GDB Python script for automatic analysis

用于自动分析的GDB Python脚本

re-project/auto-analyze.py

import gdb

breakpoints = [0x401234, 0x401567, 0x4018ab]

for bp_addr in breakpoints: gdb.Breakpoint(f"*{bp_addr}")

import gdb

breakpoints = [0x401234, 0x401567, 0x4018ab]

for bp_addr in breakpoints: gdb.Breakpoint(f"*{bp_addr}")

Run until first breakpoint

运行到第一个断点

gdb.execute('run')

.gdb.execute('run')

At each breakpoint, dump and continue

每个断点处导出状态后继续执行

for i in range(len(breakpoints)): # Dump state regs = gdb.execute('info registers', to_string=True) stack = gdb.execute('x/100x $rsp', to_string=True)

with open(f'bp-{i}-state.txt', 'w') as f:
    f.write(f"Registers:\n{regs}\nStack:\n{stack}\n")

# Continue
if i < len(breakpoints) - 1:
    gdb.execute('continue')


**Usage**:

```bash
gdb -x auto-analyze.py ./binary.exe

for i in range(len(breakpoints)): # 导出状态 regs = gdb.execute('info registers', to_string=True) stack = gdb.execute('x/100x $rsp', to_string=True)

with open(f'bp-{i}-state.txt', 'w') as f:
    f.write(f"Registers:\n{regs}\nStack:\n{stack}\n")

# 继续执行
if i < len(breakpoints) - 1:
    gdb.execute('continue')


**用法**：

```bash
gdb -x auto-analyze.py ./binary.exe

Optimization 3: Selective Memory Dumping

优化3：选择性内存导出

bash

undefined

bash

undefined

Only dump memory if interesting patterns found

仅在发现感兴趣的模式时导出内存

/re:dynamic binary.exe
--dump-on-pattern "password|secret|key|token"
--dump-regions heap

---

/re:dynamic binary.exe
--dump-on-pattern "password|secret|key|token"
--dump-regions heap

---

Speed Up Symbolic Execution (Level 4)

加速符号执行（等级4）

Optimization 1: Use Faster Exploration Strategy

优化1：使用更快的探索策略

python

undefined

python

undefined

DFS is memory-efficient but may explore wrong paths

DFS内存高效，但可能探索错误路径

simgr.use_technique(angr.exploration_techniques.DFS())

BFS finds shortest path but uses more memory

BFS能找到最短路径，但内存占用更高

simgr.use_technique(angr.exploration_techniques.BFS())

Hybrid: BFS until 100 states, then switch to DFS

混合模式：BFS到100个状态，之后切换为DFS

simgr.use_technique(angr.exploration_techniques.Explorer( find=0x401337, num_find=1 ))

undefined

simgr.use_technique(angr.exploration_techniques.Explorer( find=0x401337, num_find=1 ))

undefined

Optimization 2: Pre-Constrain Input Space

优化2：预先约束输入空间

python

undefined

python

undefined

If you know input must start with "FLAG"

如果你知道输入必须以"FLAG"开头

for i, char in enumerate("FLAG"): state.add_constraints(flag.get_byte(i) == ord(char))

This reduces search space from 256^32 to 256^28

该操作将搜索空间从256^32减少到256^28

undefined

undefined

Optimization 3: Hook Complex Functions

优化3：Hook复杂函数

python

undefined

python

undefined

Replace slow library functions with fast symbolic summaries

用快速符号摘要替换慢速库函数

project.hook_symbol('strlen', angr.SIM_PROCEDURES['libc']'strlen') project.hook_symbol('strcmp', angr.SIM_PROCEDURES['libc']'strcmp') project.hook_symbol('memcpy', angr.SIM_PROCEDURES['libc']'memcpy')

These are much faster than symbolically executing the actual implementations

这些实现比符号执行实际的库函数快得多

undefined

undefined

Optimization 4: Parallelize Exploration

优化4：并行化探索

python

undefined

python

undefined

Split state space across multiple cores

将状态空间拆分到多个核心

from multiprocessing import Pool

def explore_from_state(state): simgr = project.factory.simulation_manager(state) simgr.explore(find=0x401337, avoid=avoid_addrs) return simgr.found

from multiprocessing import Pool

def explore_from_state(state): simgr = project.factory.simulation_manager(state) simgr.explore(find=0x401337, avoid=avoid_addrs) return simgr.found

Split initial state into 4 copies with different constraints

将初始状态拆分为4个副本，添加不同约束

states = [state.copy() for _ in range(4)] states[0].add_constraints(flag[0] < 0x40) states[1].add_constraints(claripy.And(flag[0] >= 0x40, flag[0] < 0x60)) states[2].add_constraints(claripy.And(flag[0] >= 0x60, flag[0] < 0x80)) states[3].add_constraints(flag[0] >= 0x80)

Explore in parallel

并行探索

with Pool(4) as p: results = p.map(explore_from_state, states)

Collect solutions

收集解

for found_states in results: if found_states: print(found_states[0].solver.eval(flag, cast_to=bytes))

---

for found_states in results: if found_states: print(found_states[0].solver.eval(flag, cast_to=bytes))

---

Memory-MCP Integration

Memory-MCP集成

Storing Level 3 Findings

存储等级3结果

javascript

// After dynamic analysis completes
mcp__memory-mcp__memory_store({
  content: {
    binary_hash: "sha256:abc123...",
    re_level: 3,
    execution_summary: {
      breakpoints_hit: ["0x401234", "0x401567", "0x4018ab"],
      runtime_secrets: [
        {type: "password", value: "admin123", location: "0x601000"},
        {type: "api_key", value: "sk_live_...", location: "0x601020"}
      ],
      syscalls: ["open", "read", "socket", "connect", "send"],
      network_activity: [
        {proto: "HTTP", dest: "192.168.1.100:443", data: "POST /api/login"}
      ]
    },
    gdb_dumps: {
      registers: "re-project/dbg/memory-dumps/",
      stack: "re-project/dbg/memory-dumps/",
      heap: "re-project/dbg/memory-dumps/"
    }
  },
  metadata: {
    agent: "RE-Runtime-Tracer",
    category: "reverse-engineering",
    intent: "dynamic-analysis",
    layer: "long_term",
    project: `binary-analysis-${date}`,
    keywords: ["gdb", "dynamic", "runtime", "secrets"],
    re_level: 3,
    binary_hash: "sha256:abc123...",
    timestamp: new Date().toISOString()
  }
})

javascript

// 动态分析完成后执行
mcp__memory-mcp__memory_store({
  content: {
    binary_hash: "sha256:abc123...",
    re_level: 3,
    execution_summary: {
      breakpoints_hit: ["0x401234", "0x401567", "0x4018ab"],
      runtime_secrets: [
        {type: "password", value: "admin123", location: "0x601000"},
        {type: "api_key", value: "sk_live_...", location: "0x601020"}
      ],
      syscalls: ["open", "read", "socket", "connect", "send"],
      network_activity: [
        {proto: "HTTP", dest: "192.168.1.100:443", data: "POST /api/login"}
      ]
    },
    gdb_dumps: {
      registers: "re-project/dbg/memory-dumps/",
      stack: "re-project/dbg/memory-dumps/",
      heap: "re-project/dbg/memory-dumps/"
    }
  },
  metadata: {
    agent: "RE-Runtime-Tracer",
    category: "reverse-engineering",
    intent: "dynamic-analysis",
    layer: "long_term",
    project: `binary-analysis-${date}`,
    keywords: ["gdb", "dynamic", "runtime", "secrets"],
    re_level: 3,
    binary_hash: "sha256:abc123...",
    timestamp: new Date().toISOString()
  }
})

Storing Level 4 Findings

存储等级4结果

javascript

// After symbolic execution completes
mcp__memory-mcp__memory_store({
  content: {
    binary_hash: "sha256:abc123...",
    re_level: 4,
    symbolic_summary: {
      target_address: "0x401337",
      avoid_addresses: ["0x401400", "0x401500"],
      solutions_found: 3,
      solutions: [
        {input: "FLAG-A7B2-C9D4-E1F6", validated: true},
        {input: "FLAG-B8C3-D0E5-F2G7", validated: true},
        {input: "FLAG-C9D4-E1F6-G3H8", validated: true}
      ],
      exploration_metrics: {
        total_states: 847,
        execution_time_sec: 3245,
        coverage_percent: 78.5
      }
    },
    angr_script: "re-project/sym/angr-script.py",
    constraints: "re-project/sym/constraints/"
  },
  metadata: {
    agent: "RE-Symbolic-Solver",
    category: "reverse-engineering",
    intent: "symbolic-execution",
    layer: "long_term",
    project: `binary-analysis-${date}`,
    keywords: ["angr", "symbolic", "z3", "solver"],
    re_level: 4,
    binary_hash: "sha256:abc123...",
    timestamp: new Date().toISOString()
  }
})

javascript

// 符号执行完成后执行
mcp__memory-mcp__memory_store({
  content: {
    binary_hash: "sha256:abc123...",
    re_level: 4,
    symbolic_summary: {
      target_address: "0x401337",
      avoid_addresses: ["0x401400", "0x401500"],
      solutions_found: 3,
      solutions: [
        {input: "FLAG-A7B2-C9D4-E1F6", validated: true},
        {input: "FLAG-B8C3-D0E5-F2G7", validated: true},
        {input: "FLAG-C9D4-E1F6-G3H8", validated: true}
      ],
      exploration_metrics: {
        total_states: 847,
        execution_time_sec: 3245,
        coverage_percent: 78.5
      }
    },
    angr_script: "re-project/sym/angr-script.py",
    constraints: "re-project/sym/constraints/"
  },
  metadata: {
    agent: "RE-Symbolic-Solver",
    category: "reverse-engineering",
    intent: "symbolic-execution",
    layer: "long_term",
    project: `binary-analysis-${date}`,
    keywords: ["angr", "symbolic", "z3", "solver"],
    re_level: 4,
    binary_hash: "sha256:abc123...",
    timestamp: new Date().toISOString()
  }
})

Handoff Pattern: Level 3 → Level 4

交接模式：等级3 → 等级4

javascript

// Level 3 stores handoff data
mcp__memory-mcp__memory_store({
  key: `re-handoff/dynamic-to-symbolic/${binary_hash}`,
  value: {
    decision: "ESCALATE_TO_LEVEL_4",
    reason: "Target function unreachable with manual inputs",
    target_address: "0x401337",
    avoid_addresses: ["0x401400", "0x401500", "0x401600"],
    input_format: "FLAG-XXXX-XXXX-XXXX",
    breakpoint_findings: {
      "0x401234": {
        description: "License check function",
        comparison_type: "encrypted",
        extractable: false
      }
    }
  }
})

// Level 4 retrieves handoff data
const handoff = await mcp__memory-mcp__vector_search({
  query: `re-handoff/dynamic-to-symbolic/${binary_hash}`
})

// Use handoff data to configure Angr
const target = handoff.target_address
const avoid = handoff.avoid_addresses
const input_format = handoff.input_format

javascript

// 等级3存储交接数据
mcp__memory-mcp__memory_store({
  key: `re-handoff/dynamic-to-symbolic/${binary_hash}`,
  value: {
    decision: "ESCALATE_TO_LEVEL_4",
    reason: "Target function unreachable with manual inputs",
    target_address: "0x401337",
    avoid_addresses: ["0x401400", "0x401500", "0x401600"],
    input_format: "FLAG-XXXX-XXXX-XXXX",
    breakpoint_findings: {
      "0x401234": {
        description: "License check function",
        comparison_type: "encrypted",
        extractable: false
      }
    }
  }
})

// 等级4获取交接数据
const handoff = await mcp__memory-mcp__vector_search({
  query: `re-handoff/dynamic-to-symbolic/${binary_hash}`
})

// 使用交接数据配置Angr
const target = handoff.target_address
const avoid = handoff.avoid_addresses
const input_format = handoff.input_format

Agents & Commands

Agent与命令

Agents Invoked

调用的Agent

RE-Runtime-Tracer (Level 3)
- Specialist: Dynamic analysis with GDB/strace/ltrace
- Tools: GDB+GEF/Pwndbg, strace, ltrace, sandbox environments
- Output: Memory dumps, syscall traces, runtime secrets
RE-Symbolic-Solver (Level 4)
- Specialist: Symbolic execution with Angr/Z3
- Tools: Angr, Z3, Python symbolic execution frameworks
- Output: Synthesized inputs, constraint files, validated solutions
sandbox-validator (Level 3, automatic)
- Provides safe binary execution environment
- Prevents malware escape and system damage
graph-analyst (Level 4, automatic)
- Generates execution path visualizations
- Creates constraint dependency graphs

RE-Runtime-Tracer（等级3）
- 专长：使用GDB/strace/ltrace进行动态分析
- 工具：GDB+GEF/Pwndbg、strace、ltrace、沙箱环境
- 输出：内存转储、系统调用追踪、运行时密钥
RE-Symbolic-Solver（等级4）
- 专长：使用Angr/Z3进行符号执行
- 工具：Angr、Z3、Python符号执行框架
- 输出：合成输入、约束文件、验证通过的解
sandbox-validator（等级3，自动调用）
- 提供安全的二进制执行环境
- 防止恶意软件逃逸和系统损坏
graph-analyst（等级4，自动调用）
- 生成执行路径可视化
- 创建约束依赖图

Slash Commands

斜杠命令

```
/re:deep <binary>
```
- Full Level 3+4 analysis (this skill's primary command)
```
/re:dynamic <binary>
```
- Level 3 only (dynamic analysis)
```
/re:symbolic <binary>
```
- Level 4 only (symbolic execution)

```
/re:deep <binary>
```
- 完整等级3+4分析（本技能的主命令）
```
/re:dynamic <binary>
```
- 仅等级3分析（动态分析）
```
/re:symbolic <binary>
```
- 仅等级4分析（符号执行）

MCP Servers

MCP服务器

sandbox-validator: Safe binary execution with isolation
memory-mcp: Cross-session persistence, handoff coordination
sequential-thinking: Decision gate logic for escalation
graph-analyst: Visualization of execution paths and constraints

sandbox-validator：带隔离的安全二进制执行环境
memory-mcp：跨会话持久化、交接协调
sequential-thinking：升级决策门逻辑
graph-analyst：执行路径和约束可视化

Related Skills

Resources

资源

External Tools

外部工具

GDB - GNU Debugger
GEF - GDB Enhanced Features
Pwndbg - GDB plugin for exploit development
Angr - Binary analysis platform
Z3 - Microsoft SMT solver

GDB - GNU调试器
GEF - GDB增强功能扩展
Pwndbg - 用于漏洞利用开发的GDB插件
Angr - 二进制分析平台
Z3 - 微软SMT求解器

Learning Resources

学习资源

Angr Documentation - Complete Angr guide
Z3 Tutorial - Z3 Python bindings
GDB to LLDB Command Map - For macOS users
Practical Binary Analysis - Book

Angr文档 - 完整Angr指南
Z3教程 - Z3 Python绑定教程
GDB到LLDB命令映射 - 适用于macOS用户
实用二进制分析 - 书籍

Community

社区

Angr Slack - Official Angr community
r/ReverseEngineering - Subreddit
Binary Ninja Discord - Reverse engineering community

Created: 2025-11-01 RE Levels: 3-4 (Dynamic Analysis + Symbolic Execution) Timebox: 3-7 hours Agents: RE-Runtime-Tracer, RE-Symbolic-Solver Category: Security, Malware Analysis, CTF, Binary Exploitation Difficulty: Advanced

Angr Slack - 官方Angr社区
r/ReverseEngineering - Reddit子版块
Binary Ninja Discord - 逆向工程社区

创建时间：2025-11-01 RE等级：3-4（动态分析+符号执行）时间限制：3-7小时 Agent：RE-Runtime-Tracer、RE-Symbolic-Solver 分类：安全、恶意软件分析、CTF、二进制漏洞利用难度：高级

Core Principles

核心原则

Reverse Engineering: Deep Analysis operates on 3 fundamental principles:

逆向工程：深度分析基于3个基本原则运行：

Principle 1: Isolation-First Execution

原则1：隔离优先执行

Runtime analysis MUST occur in isolated environments to prevent malware escape and system compromise.

In practice:

Execute all binaries in snapshots VMs/containers with network monitoring
Use sandboxed debuggers (GDB in Docker, QEMU with snapshot mode)
Monitor syscalls, network traffic, and file operations during execution
Maintain air-gapped lab infrastructure for APT analysis

运行时分析必须在隔离环境中执行，防止恶意软件逃逸和系统被攻陷。

实践要求：

所有二进制文件在带网络监控的快照VM/容器中执行
使用沙箱化调试器（Docker中的GDB、带快照模式的QEMU）
执行期间监控系统调用、网络流量和文件操作
为APT分析维护气隙隔离的实验室基础设施

Principle 2: Multi-Method Validation

原则2：多方法验证

No single analysis technique provides complete truth - cross-validation prevents false positives.

In practice:

Static analysis findings must be confirmed by dynamic execution
Dynamic behavior must be reproducible across multiple runs
Symbolic execution results must validate against real execution paths
Memory dumps must correlate with network captures and syscall traces

没有任何单一分析技术能提供完整的真相 - 交叉验证可避免误报。

实践要求：

静态分析结果必须通过动态执行确认
动态行为必须在多次运行中可复现
符号执行结果必须针对真实执行路径验证
内存转储必须与网络捕获和系统调用轨迹关联

Principle 3: Progressive Escalation

原则3：渐进式升级

Start with lightweight methods, escalate only when necessary to minimize analysis time.

In practice:

Level 3 (dynamic) reveals 80% of malware behavior in under 1 hour
Escalate to Level 4 (symbolic) only when paths are unreachable manually
Use decision gates to avoid over-engineering simple analysis tasks
Cache findings in memory-mcp to prevent duplicate work

从轻量方法开始，仅在必要时升级，以最小化分析时间。

实践要求：

等级3（动态分析）可在1小时内揭示80%的恶意软件行为
仅当手动无法到达路径时升级到等级4（符号执行）
使用决策门避免对简单分析任务过度工程
将结果缓存到memory-mcp避免重复工作

Common Anti-Patterns

常见反模式

Anti-Pattern	Problem	Solution
Executing malware on host system	Complete system compromise, data exfiltration, ransomware deployment	ALWAYS use isolated VM with snapshots, network monitoring, and rollback capability
Skipping static analysis before dynamic	Waste time executing without understanding, miss packed binaries	Run Level 1-2 (strings + static) first to identify entry points and breakpoints
Over-relying on symbolic execution	State explosion, analysis timeout, resource exhaustion	Use symbolic execution only for input-dependent paths unreachable by manual fuzzing
Ignoring anti-analysis techniques	Debugger detection terminates analysis, VM detection changes behavior	Patch anti-debug checks, use stealthy debugging environments, monitor timing attacks
Not documenting methodology	Results not reproducible, findings challenged, legal issues	Timestamp all actions, save GDB transcripts, document tool versions and commands used

反模式	问题	解决方案
在主机系统上执行恶意软件	系统完全被攻陷、数据泄露、勒索软件部署	始终使用带快照、网络监控和回滚能力的隔离VM
动态分析前跳过静态分析	不了解程序逻辑就浪费时间执行，错过加壳二进制文件	先运行等级1-2（字符串+静态分析）识别入口点和断点
过度依赖符号执行	状态爆炸、分析超时、资源耗尽	仅对手动fuzz无法到达的输入依赖路径使用符号执行
忽略反分析技术	调试器检测导致分析终止，VM检测改变程序行为	补丁反调试检查，使用隐蔽调试环境，监控时序攻击
不记录分析方法	结果不可复现、结论被质疑、法律问题	为所有操作添加时间戳，保存GDB会话记录，记录工具版本和使用的命令

Conclusion

结论

Reverse Engineering: Deep Analysis represents the critical bridge between static code inspection and complete program comprehension. By combining runtime execution (Level 3) with symbolic path exploration (Level 4), this skill enables security researchers to extract secrets, validate vulnerabilities, and synthesize inputs that reach specific program states - capabilities essential for malware analysis, CTF challenges, and vulnerability research.

The skill's power lies in its automated decision gates and progressive escalation strategy. Rather than immediately jumping to resource-intensive symbolic execution, the skill starts with lightweight dynamic analysis using GDB and system call tracing. Only when manual execution fails to reach target states does it escalate to Angr-based symbolic execution, minimizing analysis time while maximizing findings.

Use this skill when you need to understand runtime behavior that static analysis cannot reveal: memory secrets, network communication patterns, or valid inputs for complex authentication schemes. The skill excels at extracting indicators of compromise from malware, finding valid license keys in crackmes, and generating proof-of-concept exploits for vulnerabilities. Combined with memory-mcp integration for cross-session persistence and handoff coordination with firmware analysis (Level 5), it forms a comprehensive reverse engineering workflow suitable for both academic research and production security operations.

逆向工程：深度分析是静态代码检查和完整程序理解之间的关键桥梁。通过结合运行时执行（等级3）和符号路径探索（等级4），本技能使安全研究人员能够提取密钥、验证漏洞、合成能到达特定程序状态的输入 - 这些能力对恶意软件分析、CTF挑战和漏洞研究至关重要。

本技能的优势在于其自动化决策门和渐进式升级策略。它不会直接跳到资源密集的符号执行，而是先使用GDB和系统调用追踪开展轻量动态分析。仅当手动执行无法到达目标状态时，才升级到基于Angr的符号执行，在最小化分析时间的同时最大化分析结果。

当你需要了解静态分析无法揭示的运行时行为时，可使用本技能：内存密钥、网络通信模式、复杂认证方案的有效输入。本技能擅长从恶意软件中提取妥协指标、在crackme中找到有效许可证密钥、生成漏洞的概念验证利用代码。结合用于跨会话持久化的memory-mcp集成，以及与固件分析（等级5）的交接协调，它构成了适用于学术研究和生产安全运营的完整逆向工程工作流。