vulnerable-secret

Vulnerable Secret Extraction

Overview

This skill provides a systematic methodology for extracting secrets (flags, keys, passwords) from protected or obfuscated binary executables. It emphasizes methodical analysis, proper verification of findings, and avoiding common pitfalls in binary reverse engineering.

Systematic Analysis Workflow

Follow these phases in order for reliable results:

Phase 1: Initial Reconnaissance

Gather basic information about the target before deeper analysis:
  1. File type identification - Determine binary format (ELF, PE, Mach-O); the same line also reports the architecture, static vs dynamic linking, and whether the symbols were stripped
    bash
    file <binary>
  2. Check permissions and attributes
    bash
    ls -la <binary>
  3. Identify architecture, endianness and linking
    bash
    readelf -h <binary>  # For ELF binaries: Class (32/64-bit), Data (byte order), Machine, Type and Entry point
    The Data field matters later: multi-byte keys and values must be read in the target's byte order, not the analysis host's. Do not run ldd on an untrusted binary to learn its libraries, since ldd may execute the target's dynamic loader; readelf -d lists the NEEDED entries without executing anything (a statically linked binary has no dynamic section at all).
  4. List sections and segments
    bash
    readelf -S <binary>  # Section headers
    readelf -l <binary>  # Program headers

Phase 2: Symbol and String Analysis

Extract human-readable information:
  1. Dump strings - Look for embedded text, error messages, and potential secrets
    bash
    strings <binary>
    strings -a -t x <binary>  # -a scans the whole file, not only the loaded sections; -t x prints each string's file offset in hex, which ties it to a data section and to the code that references it
    A secret that is XOR-encoded or packed does not show up here; an uninformative strings dump is itself a sign that Phases 3 and 4 are needed.
  2. Check symbol table - Identify function names and exported symbols
    bash
    nm <binary>  # Reports "no symbols" on a stripped binary; nm -D still lists the dynamic (imported) symbols, which survive stripping
    readelf -s <binary>
  3. Look for dangerous functions - Identify potential vulnerabilities
    • gets, strcpy, sprintf - Buffer overflow candidates
    • system, exec* - Command injection points
    • ptrace - Anti-debugging protection
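The triage in step 3 can be done on the symbol dump itself rather than by eye. The following is an added example written for this page, not code from the original skill: it parses the text that readelf -s (or readelf --dyn-syms) prints, keeps the FUNC symbols that are undefined (Ndx UND, i.e. resolved from a library), and buckets them into the three categories above. The function sets are the page's list extended with the usual libc neighbours (strcat, popen, the exec family); SAMPLE_DUMP is a constructed readelf listing for an imaginary binary, not real output.

```python
"""Triage a readelf symbol dump for the dangerous functions listed above.

Added example for this page (not part of the original skill). SAMPLE_DUMP is
constructed to look like `readelf -s` output for a small dynamically linked
x86-64 binary; it is not a dump of any real file.
"""
import re
from collections import defaultdict

# Categories from the page, extended with the usual libc neighbours.
DANGEROUS = {
    "buffer-overflow": {"gets", "strcpy", "strcat", "sprintf", "vsprintf", "scanf"},
    "command-execution": {"system", "popen", "execl", "execlp", "execle",
                          "execv", "execvp", "execvpe", "execve"},
    "anti-debugging": {"ptrace"},
}

# One symbol-table row:  Num: Value Size Type Bind Vis Ndx Name
_ROW = re.compile(
    r"^\s*\d+:\s+[0-9a-fA-F]+\s+\d+\s+(?P<type>\S+)\s+\S+\s+\S+\s+"
    r"(?P<ndx>\S+)\s+(?P<name>\S+)"
)


def imported_functions(readelf_output: str) -> set[str]:
    """Names of FUNC symbols with Ndx == UND, i.e. functions resolved from a shared library."""
    found = set()
    for line in readelf_output.splitlines():
        m = _ROW.match(line)
        if not m or m.group("type") != "FUNC" or m.group("ndx") != "UND":
            continue
        # Strip the glibc version suffix: gets@GLIBC_2.2.5 -> gets
        found.add(m.group("name").split("@", 1)[0])
    return found


def triage(readelf_output: str) -> dict[str, list[str]]:
    """Map category -> sorted dangerous imports present in the dump (empty categories omitted)."""
    imports = imported_functions(readelf_output)
    hits = defaultdict(list)
    for category, names in DANGEROUS.items():
        for name in sorted(imports & names):
            hits[category].append(name)
    return dict(hits)


# Constructed sample, shaped like `readelf -s` on a dynamically linked binary.
SAMPLE_DUMP = """\
Symbol table '.dynsym' contains 9 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND gets@GLIBC_2.2.5 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND ptrace@GLIBC_2.2.5 (2)
     4: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND system@GLIBC_2.2.5 (2)
     6: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.34 (3)
     7: 0000000000004010     8 OBJECT  GLOBAL DEFAULT   26 stdout@GLIBC_2.2.5 (2)
     8: 0000000000001189   412 FUNC    GLOBAL DEFAULT   16 check_password
"""

if __name__ == "__main__":
    for category, names in triage(SAMPLE_DUMP).items():
        print(f"{category}: {', '.join(names)}")
```

Feed it the real dump with `triage(open("syms.txt").read())` after `readelf -s <binary> > syms.txt`; locally defined functions such as check_password are deliberately left out, since the question at this step is which library routines the binary calls.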

Phase 3: Disassembly and Code Analysis

Examine the actual code:
  1. Disassemble key functions
    bash
    objdump -d <binary>
    objdump -d -M intel <binary>  # Intel syntax
    Add --start-address=<addr> --stop-address=<addr> to dump only the range of interest instead of re-reading the whole listing.
  2. Focus on specific areas:
    • main function entry point (in a stripped x86-64 glibc binary, main is the address _start loads into rdi just before calling __libc_start_main)
    • Functions referencing interesting strings (the offsets from strings -t x appear as lea/mov operands; for rip-relative references objdump prints the target address and symbol as a trailing comment)
    • Data sections containing potential encoded secrets (.rodata and .data; a fixed-size blob of non-printable bytes sitting next to plain strings is a candidate)
  3. Identify encoding schemes - Look for:
    • XOR operations with constant keys: an xor whose source is an immediate, or a byte loaded from a key buffer, inside a loop over the data (xor reg,reg is only the compiler's zeroing idiom)
    • Base64 encoding patterns: the 64-character alphabet in .rodata, or a loop that consumes 3 bytes and emits 4 using shifts by 2, 4 and 6 and masks of 0x3f
    • Custom obfuscation routines: rotates, adds or subtracts of constants, table lookups, or several of these chained; note their order, since the decoder must undo them in reverse
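Spotting the XOR-with-constant pattern can be automated over the objdump text. The scanner below is an added example for this page, not code from the original skill: it reads objdump -d output in either syntax (Intel via -M intel, or the default AT&T), keeps the xor instructions whose source operand is an immediate, skips xor reg,reg, and infers the key width from the destination operand so the decoder knows how many key bytes to expect. SAMPLE_INTEL and SAMPLE_ATT are constructed listings of an imaginary decode loop; the addresses and byte encodings are illustrative, not taken from a real binary.

```python
"""Scan objdump output for XOR-with-constant key candidates.

Added example for this page (not from the original skill). The SAMPLE_*
listings are constructed to look like `objdump -d` output; addresses and
instruction encodings are illustrative only.
"""
import re

# Intel syntax line:  "  401141:\t34 42                \txor    al,0x42"
_INTEL = re.compile(
    r"^\s*(?P<addr>[0-9a-f]+):\s+(?:[0-9a-f]{2}\s+)+"
    r"xor\s+(?P<dst>.+?),(?P<imm>0x[0-9a-f]+)\s*$"
)
# AT&T syntax line:   "  401141:\t34 42                \txor    $0x42,%al"
_ATT = re.compile(
    r"^\s*(?P<addr>[0-9a-f]+):\s+(?:[0-9a-f]{2}\s+)+"
    r"xor(?P<suffix>[bwlq]?)\s+\$(?P<imm>0x[0-9a-f]+),(?P<dst>.+?)\s*$"
)
_SUFFIX_WIDTH = {"b": 1, "w": 2, "l": 4, "q": 8}   # AT&T operand-size suffixes
_REG_WIDTH = {"b": 1, "w": 2, "d": 4}              # r8b / r8w / r8d sub-registers


def operand_width(dst: str) -> int:
    """Bytes written by the xor: from the PTR size in Intel syntax, else from the register name."""
    d = dst.strip().lstrip("%").lower()
    for size, width in (("byte", 1), ("word", 2), ("dword", 4), ("qword", 8)):
        if d.startswith(size + " ptr"):
            return width
    if d.startswith("r"):                                   # rax..r15, r8b/r8w/r8d
        if d[1:].isdigit():
            return 8
        if d[1:-1].isdigit():
            return _REG_WIDTH.get(d[-1], 8)
        return 8
    if d.startswith("e"):                                   # eax..edi
        return 4
    if d.endswith(("l", "h")):                              # al, ah, sil, dil, ...
        return 1
    return 2                                                # ax, bx, si, di, ...


def xor_key_candidates(listing: str) -> list[tuple[int, str, int, int]]:
    """(address, destination operand, immediate, key width in bytes) per xor-with-immediate."""
    out = []
    for line in listing.splitlines():
        m = _INTEL.match(line) or _ATT.match(line)
        if not m:
            continue
        dst, imm = m.group("dst").strip(), int(m.group("imm"), 16)
        suffix = m.groupdict().get("suffix") or ""
        width = _SUFFIX_WIDTH[suffix] if suffix else operand_width(dst)
        out.append((int(m.group("addr"), 16), dst, imm, width))
    return out


# Constructed: a byte-wise decode loop plus a dword-wise xor, Intel syntax.
SAMPLE_INTEL = """\
0000000000401136 <decode>:
  401136:\t31 d2                \txor    edx,edx
  401138:\t48 39 f2             \tcmp    rdx,rsi
  40113b:\t73 0e                \tjae    40114b <decode+0x15>
  40113d:\t0f b6 04 17          \tmovzx  eax,BYTE PTR [rdi+rdx*1]
  401141:\t34 42                \txor    al,0x42
  401143:\t88 04 17             \tmov    BYTE PTR [rdi+rdx*1],al
  401146:\t48 ff c2             \tinc    rdx
  401149:\teb ed                \tjmp    401138 <decode+0x2>
  40114b:\tc3                   \tret
  40114c:\t81 34 97 ef be ad de \txor    DWORD PTR [rdi+rdx*4],0xdeadbeef
  401153:\tc3                   \tret
"""

# Constructed: the same three xor instructions as objdump prints them in AT&T syntax.
SAMPLE_ATT = """\
  401141:\t34 42                \txor    $0x42,%al
  40114c:\t81 34 97 ef be ad de \txorl   $0xdeadbeef,(%rdi,%rdx,4)
  401136:\t31 d2                \txor    %edx,%edx
"""

if __name__ == "__main__":
    for addr, dst, imm, width in xor_key_candidates(SAMPLE_INTEL):
        print(f"{addr:#x}: xor {dst} with {imm:#x} ({width}-byte key)")
```

The zeroing idiom at 401136 is dropped in both syntaxes; the two real candidates come back with their width, which is the input the next phase needs when turning an immediate into key bytes. A key that is loaded from a buffer rather than an immediate will not be found this way and still has to be read from the referenced data.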

Phase 4: Data Extraction and Decoding

Extract and decode hidden data:
  1. Extract raw data sections
    bash
    objcopy -O binary --only-section=.rodata <binary> rodata.bin
    hexdump -C rodata.bin
    objdump -s -j .rodata prints the same bytes with their virtual addresses as offsets, which is easier to match against addresses seen in the disassembly.
  2. Common decoding operations:
    • XOR decoding: Identify the key from disassembly, apply to encoded data; a key longer than one byte repeats, so byte i is XORed with key[i mod len(key)]
    • Base64: Look for character set patterns; a non-standard alphabet in .rodata means the data must be translated to the standard alphabet before a normal decoder accepts it
    • Custom algorithms: Trace through disassembly to understand transformation, then apply the inverse of each step in reverse order
  3. Python decoding template:
    python
    # XOR decoding template: HEXDATA is the encoded bytes, KEYHEX the key bytes in the order they sit in memory
    encoded = bytes.fromhex('HEXDATA')
    key = bytes.fromhex('KEYHEX')  # one byte or more; a multi-byte key repeats
    decoded = bytes(b ^ key[i % len(key)] for i, b in enumerate(encoded))
    print(decoded.decode('utf-8', errors='replace'))  # 'replace' keeps a wrong key visible as garbage instead of silently dropping bytes
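The template above is the bare operation; the following added example (written for this page, not code from the original skill) carries the whole of Phase 4 and the output check from the Verification Strategies section through in one piece: it turns hexdump -C text back into bytes (offsets and the ASCII gutter dropped, which is the hex-formatting pitfall), applies a repeating-key XOR with a key taken from the disassembly, judges the result against the expected FLAG{...} format and a printable-byte ratio, and, only as a cross-check on the disassembly-derived key, recovers a single-byte key from the data itself. Both hexdumps and both keys are constructed for this example.

```python
"""Decode a XOR-obfuscated secret extracted from .rodata and check the result.

Added example for this page (not from the original skill). DUMP_TWO_BYTE and
DUMP_ONE_BYTE are constructed `hexdump -C` listings; the keys are invented.
"""
import re
import string

FLAG_RE = re.compile(rb"FLAG\{[^}]{1,64}\}")
_PRINTABLE = set(string.printable.encode())


def hexdump_to_bytes(dump: str) -> bytes:
    """Parse `hexdump -C` lines: offset, up to 16 hex bytes, |ascii| column.

    The offset and the ASCII gutter are dropped. The `*` line hexdump emits for
    repeated rows is skipped, not expanded, so use `hexdump -Cv` for data with
    long runs of identical bytes.
    """
    out = bytearray()
    for line in dump.splitlines():
        line = line.split("|", 1)[0]            # drop the ASCII column
        fields = line.split()
        if not fields or fields[0] == "*":
            continue
        out.extend(bytes.fromhex("".join(fields[1:])))   # fields[0] is the offset
    return bytes(out)


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; a one-byte key is the degenerate case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    return sum(b in _PRINTABLE for b in data) / max(len(data), 1)


def recover(dump: str, key: bytes) -> tuple[bytes, bool]:
    """Decode with the key read off the disassembly; the flag says whether the output is plausible."""
    plain = xor_decode(hexdump_to_bytes(dump), key)
    ok = bool(FLAG_RE.search(plain)) and printable_ratio(plain) > 0.9
    return plain, ok


def brute_force_single_byte(data: bytes, expect=FLAG_RE) -> list[tuple[int, bytes]]:
    """Every single-byte key under which the decoded data contains the expected format.

    A data-pattern guess only; the key must still be confirmed in the disassembly.
    """
    hits = []
    for k in range(256):
        plain = xor_decode(data, bytes([k]))
        if expect.search(plain):
            hits.append((k, plain))
    return hits


# Constructed: 8 bytes hidden with the two-byte key 13 37 (memory order).
DUMP_TWO_BYTE = """\
00000000  55 7b 52 70 68 05 71 4a                           |U{Rph.qJ|
00000008
"""

# Constructed: 9 bytes under an unknown single-byte key, for the cross-check.
DUMP_ONE_BYTE = """\
00000000  04 0e 03 05 39 3a 72 30 3f                        |....9:r0?|
00000009
"""

if __name__ == "__main__":
    print(recover(DUMP_TWO_BYTE, b"\x13\x37"))      # key in memory order: plausible
    print(recover(DUMP_TWO_BYTE, b"\x37\x13"))      # bytes swapped: garbage, flagged
    print(brute_force_single_byte(hexdump_to_bytes(DUMP_ONE_BYTE)))
```

The swapped-key call is the point of the plausibility flag: the output is still mostly printable, so a quick look can pass it, but the missing FLAG{...} and the non-printable byte reject it. If the brute force returns more than one key, the data does not pin the key down and only the disassembly can.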

Phase 5: Dynamic Analysis (When Safe)

If static analysis is insufficient:
  1. Check for anti-debugging:
    • ptrace calls (a process can have only one tracer, so ptrace(PTRACE_TRACEME) failing tells the binary a debugger is already attached)
    • Timing checks (rdtsc or clock_gettime deltas that grow too large under single-stepping)
    • Environment detection (LD_PRELOAD in the environment, TracerPid in /proc/self/status, the parent process name)
  2. Bypass techniques:
    • LD_PRELOAD to override functions: a shared object that defines ptrace and returns 0 works only when the binary resolves ptrace through libc; a static binary or a raw syscall instruction is unaffected and has to be patched instead
    • Patching binary to skip checks: turn the conditional jump after the check into a nop or an unconditional jump to the not-debugged path
    • Using debugger scripts: break on the check and flip its result (in gdb, catch syscall ptrace and set the return register on syscall exit)
  3. Run with monitoring, in a disposable VM or container, since the binary is untrusted:
    bash
    strace -f -o strace.log <binary>
    ltrace -f -o ltrace.log <binary>
    Both tracers attach with ptrace, so a binary that checks for ptrace sees them exactly as it sees a debugger.

Verification Strategies

Always verify findings before concluding:
  1. Cross-reference disassembly - Ensure the decoding logic matches what the code does (same key bytes, same order, same length; not a key guessed from data patterns alone)
  2. Validate decoded output - Check that results are plausible (readable text, expected format); a wrong XOR key usually leaves a noticeable share of non-printable bytes
  3. Test edge cases - Verify handling of:
    • Partial data (does the decoded length match the size the code actually reads?)
    • Incorrect keys (a nearby key value, or the same key bytes in the other order, must not also give readable output; if they do, the key is not yet pinned down)
    • Malformed input
  4. Document the derivation - Record which specific instructions or data led to conclusions

Common Pitfalls

Analysis Mistakes

  1. Incomplete disassembly review - When output is truncated, explicitly request additional sections rather than making assumptions about unseen code
  2. Jumping to conclusions - Avoid assuming encoding schemes without seeing the actual instructions that implement them
  3. Ignoring vulnerability hints - If function names or flag content suggest an attack vector (e.g., "buffer_overflow" in the flag), explore that path even if static analysis succeeds

Implementation Errors

  1. Hex string formatting - Ensure hex strings have no spaces or invalid characters before decoding
  2. Key identification - Verify the XOR key or encoding parameter from actual disassembly, not from data patterns alone
  3. Endianness issues - Consider byte order when extracting multi-byte values
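Errors 2 and 3 above meet in one common case: the key is read off the disassembly as an immediate (say xor DWORD PTR [rdi+rdx*4],0xdeadbeef), but the decode loop applies it in memory order, which on a little-endian target is ef be ad de, not de ad be ef. The following added example (for this page, not code from the original skill) packs an immediate into its memory image for a given width and byte order, decodes a constructed blob both ways to show that the wrong order yields near-plausible garbage, and reads a multi-byte value out of a data section in the target's byte order. ENCODED is constructed; the 0xdeadbeef key is the one from the sentence above.

```python
"""Immediate-to-memory-order key bytes, and multi-byte reads in the target's byte order.

Added example for this page (not from the original skill). ENCODED is a
constructed .rodata blob; the key 0xdeadbeef is illustrative.
"""
import struct

WIDTH_FMT = {1: "B", 2: "H", 4: "I", 8: "Q"}


def key_bytes(imm: int, width: int, little_endian: bool = True) -> bytes:
    """Memory image of a `width`-byte immediate: the bytes the decode loop actually applies."""
    prefix = "<" if little_endian else ">"
    return struct.pack(prefix + WIDTH_FMT[width], imm)


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR over the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_with_immediate(data: bytes, imm: int, width: int, little_endian: bool = True) -> bytes:
    """Decode with the key as it sits in memory on the target, not as it is printed."""
    return xor_decode(data, key_bytes(imm, width, little_endian))


def read_word(data: bytes, offset: int, width: int, little_endian: bool = True) -> int:
    """Read a `width`-byte integer (a length, pointer or key stored in .data) in the target's byte order."""
    prefix = "<" if little_endian else ">"
    return struct.unpack_from(prefix + WIDTH_FMT[width], data, offset)[0]


# Constructed: 8 bytes that a `xor DWORD PTR [...],0xdeadbeef` loop on x86-64 produced from an 8-byte string.
ENCODED = bytes.fromhex("a9f2ec9994d2c8a3")

if __name__ == "__main__":
    print(decode_with_immediate(ENCODED, 0xDEADBEEF, 4))              # little-endian key image: correct
    print(decode_with_immediate(ENCODED, 0xDEADBEEF, 4, False))       # printed order: mostly printable garbage
    print(hex(read_word(b"\xef\xbe\xad\xde", 0, 4)))                  # the same 4 bytes read back as 0xdeadbeef
```

The wrong-order output is the dangerous case the page warns about: seven of its eight bytes are printable, so only the format check or a byte-by-byte comparison with the disassembly exposes it. The same WIDTH_FMT prefix logic applies to reading any multi-byte field out of rodata.bin, and the Data field reported by readelf -h in Phase 1 decides which prefix to use.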

Workflow Inefficiencies

  1. Repeated tool calls - Combine related checks (file type + permissions + sections) when possible
  2. Excessive verification - Once content is confirmed written, avoid redundant reads
  3. Missing tool output - If disassembly is truncated, request specific address ranges rather than re-running the entire dump

Decision Tree

Start
  ├─► Run file identification
  │     └─► Is it an executable? ─No─► Check if packed/obfuscated
  │                │
  │               Yes
  │                │
  ├─► Extract strings
  │     └─► Found readable secret? ─Yes─► Verify and extract
  │                │
  │               No
  │                │
  ├─► Check for dangerous functions
  │     └─► Found gets/strcpy? ─Yes─► Consider buffer overflow
  │                │
  │               No/Also
  │                │
  ├─► Disassemble and analyze
  │     └─► Found encoding logic? ─Yes─► Extract key and decode
  │                │
  │               No
  │                │
  ├─► Check for anti-debugging
  │     └─► Present? ─Yes─► Bypass or use static analysis
  │                │
  │               No
  │                │
  └─► Dynamic analysis with tracing

Output Requirements

When extracting secrets:
  1. Verify the output format matches expected patterns (e.g., FLAG{...}, key format)
  2. Save to the correct location as specified in task requirements
  3. Confirm file was written successfully before concluding