competition-reverse-pwn

Competition Reverse Pwn

Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill for binary-heavy challenges where the decisive path runs through artifacts, decoded layers, process behavior, crash state, or exploit primitives.
Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

  1. Preserve the original artifact before unpacking, patching, or instrumenting.
  2. Start with passive triage: type, headers, sections, imports, strings, entropy, resources.
  3. Decide whether the path is reverse-first, DFIR-first, or exploit-first.
  4. Tie every claim to an observable boundary: decode edge, persistence edge, crash edge, or leak edge.
  5. Reproduce the artifact or primitive from a clean baseline.

Workflow

1. Reverse Or Forensic Triage

  • Separate loader, payload, config, and post-decode behavior.
  • Correlate files, memory, logs, registry, services, tasks, IPC, and PCAPs as one graph.
  • Keep decoded or dumped artifacts separate from the pristine sample.
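The following Python script is an added example (it is not part of this skill or of references/reverse-pwn.md) that carries Quick Start steps 1 and 2 and the separation rule in the bullet above through in code: it writes the pristine sample read-only into its own directory, creates separate directories for decoded, dumped and instrumented outputs, and records passive triage facts (type from magic bytes, SHA-256, printable strings, per-window entropy, ELF identification bytes) to a triage.json. The sample bytes, the directory names and the 7.0 bits-per-byte threshold for flagging a window as a candidate packed or encrypted layer are constructed assumptions, not values from the page.

```python
import hashlib
import json
import math
import os
import re
import struct
import tempfile
from collections import Counter

# Constructed sample (not a real binary): an ELF64 little-endian identification
# block, a few readable strings, a uniform byte block standing in for a packed
# or encrypted region, and zero padding.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"CTF{constructed_example}\x00"
    + b"libc.so.6\x00"
    + bytes((i * 131 + 7) % 256 for i in range(1024))
    + b"\x00" * 256
)

MAGICS = [(b"\x7fELF", "ELF"), (b"MZ", "PE"), (b"PK\x03\x04", "ZIP"), (b"%PDF", "PDF")]


def identify(data: bytes) -> str:
    """Passive type detection from leading magic bytes only; nothing is executed."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_windows(data: bytes, window: int = 256) -> list:
    """(offset, entropy) per fixed-size window; jumps mark decode edges to look at."""
    return [(off, round(shannon_entropy(data[off:off + window]), 2))
            for off in range(0, len(data), window)]


def extract_strings(data: bytes, min_len: int = 6) -> list:
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def elf_ident(data: bytes) -> dict:
    """Header facts that cost nothing to read: class, byte order, OS ABI."""
    cls, byte_order, _version, osabi = struct.unpack_from("<BBBB", data, 4)
    return {"class": {1: "ELF32", 2: "ELF64"}.get(cls, "?"),
            "endian": {1: "little", 2: "big"}.get(byte_order, "?"),
            "osabi": osabi}


def triage_record(data: bytes, high: float = 7.0) -> dict:
    """Pure passive triage: hash, size, type, strings, entropy map, ELF ident."""
    record = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "type": identify(data),
        "strings": extract_strings(data),
        "entropy_windows": entropy_windows(data),
    }
    # Windows at or above `high` bits/byte (assumed threshold) are candidates
    # for packed or encrypted layers: the decode edge to investigate next.
    record["high_entropy_offsets"] = [off for off, e in record["entropy_windows"] if e >= high]
    if record["type"] == "ELF":
        record["elf"] = elf_ident(data)
    return record


def preserve_and_triage(data: bytes, workdir: str, high: float = 7.0) -> dict:
    """Write the pristine sample read-only, then record triage facts beside it.

    Decoded, dumped and instrumented outputs get their own directories so no
    later step can overwrite the original (directory names are assumptions).
    """
    for sub in ("original", "decoded", "dumped", "instrumented"):
        os.makedirs(os.path.join(workdir, sub), exist_ok=True)
    original = os.path.join(workdir, "original", "sample.bin")
    with open(original, "wb") as fh:
        fh.write(data)
    os.chmod(original, 0o444)  # read-only: later tools must copy, not edit

    record = triage_record(data, high)
    record["original_path"] = original
    with open(os.path.join(workdir, "triage.json"), "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def run_demo() -> dict:
    """Run the whole flow on the constructed sample in a fresh temp directory."""
    return preserve_and_triage(SAMPLE, tempfile.mkdtemp(prefix="triage-"))


if __name__ == "__main__":
    rec = run_demo()
    print(json.dumps({k: v for k, v in rec.items() if k != "entropy_windows"}, indent=2))
```

The entropy map is the cheapest signal for deciding whether the path is reverse-first (a high-entropy region behind a small loader usually means a decode layer to peel) and for naming the decode edge that later claims must be tied to; the read-only original plus separate output directories is what lets a later dump be compared back to a known hash.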

2. Native And Exploit Path

  • Map mitigations, loader behavior, libc or runtime, syscall and IPC surfaces, and protocol framing.
  • Record the primitive, controllable bytes, leak source, target object, and final artifact separately.
  • Compare host, libc, loader, and framing differences before doubting the primitive.
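As an added example (not the skill's own code and not from references/reverse-pwn.md), the script below shows the mapping of mitigations from the first bullet done from the program headers of an ELF64 image, the way checksec-style tools derive it: PIE from e_type, NX from the PT_GNU_STACK flags, RELRO presence from PT_GNU_RELRO, and any PT_LOAD segment that is both writable and executable. The two ELF images are header-only stubs the script constructs itself, not real challenge binaries; the ELF constants and structure layouts are from the ELF specification. For an image without a PT_GNU_STACK header it returns no NX verdict (None) rather than guessing, because the kernel default then decides, and it reports RELRO only as present or absent, since full versus partial needs the dynamic section (DT_BIND_NOW) that these stubs do not carry.

```python
import struct

# ELF constants (ELF specification)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes


def build_elf64(e_type: int, phdrs: list) -> bytes:
    """Construct a header-only ELF64 image (no code) for demonstration purposes."""
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9     # ELF64, little-endian, SYSV
    hdr = EHDR.pack(ident, e_type, 62, 1, 0x1000, EHDR.size, 0, 0,
                    EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)  # e_machine 62 = x86-64
    body = b"".join(PHDR.pack(p_type, p_flags, 0, 0, 0, 0, 0, 0x1000)
                    for p_type, p_flags in phdrs)
    return hdr + body


def program_headers(data: bytes) -> tuple:
    """Return (e_type, [(p_type, p_flags), ...]) from an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian image")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(data, e_phoff + i * e_phentsize)[:2]
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def map_mitigations(data: bytes) -> dict:
    """Derive the mitigation picture a checksec-style tool reports from program headers."""
    e_type, phdrs = program_headers(data)
    types = {p_type for p_type, _ in phdrs}
    stack_flags = [flags for p_type, flags in phdrs if p_type == PT_GNU_STACK]
    if stack_flags:
        nx = not (stack_flags[0] & PF_X)
    else:
        nx = None  # no PT_GNU_STACK: the kernel default decides, so record "unknown"
    wx = sum(1 for p_type, flags in phdrs
             if p_type == PT_LOAD and flags & PF_W and flags & PF_X)
    return {
        "pie": e_type == ET_DYN,        # ET_DYN executables load at a randomized base
        "nx": nx,
        # PT_GNU_RELRO only shows RELRO is present; full vs partial needs the
        # dynamic section (DT_BIND_NOW / DF_BIND_NOW), absent from these stubs.
        "relro": "present" if PT_GNU_RELRO in types else "none",
        "dynamic": PT_DYNAMIC in types,
        "wx_load_segments": wx,          # writable and executable: a red flag
    }


# Constructed images: a hardened PIE layout and a weak static-style layout.
HARDENED = build_elf64(ET_DYN, [
    (PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W), (PT_DYNAMIC, PF_R | PF_W),
    (PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R),
])
WEAK = build_elf64(ET_EXEC, [(PT_LOAD, PF_R | PF_W | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
NO_STACK_HEADER = build_elf64(ET_EXEC, [(PT_LOAD, PF_R | PF_X)])

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("weak", WEAK), ("no-stack-header", NO_STACK_HEADER)):
        print(name, map_mitigations(image))
```

Running the same parse over the challenge binary and over the libc and loader actually shipped with it gives the fields that the third bullet says to diff before doubting a primitive; a verdict of None is kept as None in that record rather than being rounded to a yes or no.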

Read This Reference

  • Load references/reverse-pwn.md for triage order, exploit evidence expectations, and common failure modes.
  • If the task is specifically about staged payload boundaries, config blobs, beacon parameters, or decoded IOC fields, prefer $competition-malware-config.
  • If the task is specifically about firmware partitions, boot chains, extracted filesystems, or update-package trust boundaries, prefer $competition-firmware-layout.
  • If the task is specifically about upload parsing, previews, archive extraction, converters, or deserialization chains, prefer $competition-file-parser-chain.
  • If the task is specifically about source maps, emitted bundles, chunk registries, or reconstructing hidden runtime structure from served frontend assets, prefer $competition-bundle-sourcemap-recovery.
  • If the task is specifically about container-to-host boundary crossing, kernel exploit preconditions, namespace or cgroup crossover, or escape primitive verification, prefer $competition-kernel-container-escape.
  • If the task is specifically about reconstructing protocols, streams, or transferred artifacts from packet captures, prefer $competition-pcap-protocol.
  • If the task is specifically about a custom binary or text protocol where replay state, message order, or checksum logic is the real blocker, prefer $competition-custom-protocol-replay.
  • If the task is specifically about reconstructing chronology across EVTX, PCAP, registry, mail, or disk artifacts, prefer $competition-forensic-timeline.

What To Preserve

  • Offsets, hashes, section names, imports, config blobs, mutexes, registry keys
  • Crash offsets, registers, heap or stack shape, leak addresses, and protocol steps
  • Original, decoded, dumped, and instrumented artifacts as separate files