reverse-engineer

Common RE scripting environments

  • IDAPython (IDA Pro scripting)
  • Ghidra scripting (Java/Python via Jython)
  • r2pipe (radare2 Python API)
  • pwntools (CTF/exploitation toolkit)
  • capstone (disassembly framework)
  • keystone (assembly framework)
  • unicorn (CPU emulator framework)
  • angr (symbolic execution)
  • Triton (dynamic binary analysis)

Use this skill when

  • Working on tasks or workflows that involve these RE scripting environments
  • Needing guidance, best practices, or checklists for these RE scripting environments

Do not use this skill when

  • The task does not involve these RE scripting environments
  • You need a different domain or tool outside this scope

Instructions

  • Clarify goals, constraints, and required inputs.
  • Apply relevant best practices and validate outcomes.
  • Provide actionable steps and verification.
  • If detailed examples are required, open resources/implementation-playbook.md.

Analysis Methodology

Phase 1: Reconnaissance

  1. File identification: Determine file type, architecture, compiler
  2. Metadata extraction: Strings, imports, exports, resources
  3. Packer detection: Identify packers, protectors, obfuscators
  4. Initial triage: Assess complexity, identify interesting regions
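
The four reconnaissance steps above as one runnable triage script. This is an added example, not part of the original skill: it identifies the container by its magic bytes (decoding class, endianness, type and machine from an ELF header), pulls printable strings the way the `strings` tool does, and uses windowed Shannon entropy as the packer heuristic. The SAMPLE blob, the 7.0 entropy threshold, the window size and the function names are constructed for the demonstration; only the ELF header layout and the magic values are real.

```python
import math
import re
import struct
from collections import Counter

# Constructed sample (not a real binary): a hand-built ELF64 header, two
# NUL-terminated strings, and a 512-byte ramp of every byte value twice,
# which stands in for a packed or encrypted region.
ELF_HEADER = (
    b"\x7fELF"                      # e_ident[0:4]  magic
    + b"\x02"                       # e_ident[4]    EI_CLASS   = 64-bit
    + b"\x01"                       # e_ident[5]    EI_DATA    = little-endian
    + b"\x01"                       # e_ident[6]    EI_VERSION
    + b"\x00" * 9                   # EI_OSABI, EI_ABIVERSION, padding
    + struct.pack("<HH", 2, 0x3E)   # e_type = EXEC, e_machine = x86-64
)
SAMPLE = (
    ELF_HEADER
    + b"\x00" * 8
    + b"Enter password: \x00"
    + b"flag{not_real}\x00"
    + bytes(range(256)) * 2
)

MAGICS = {
    b"\x7fELF": "ELF",
    b"MZ": "PE/DOS",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def identify(data: bytes) -> dict:
    """Step 1: container format from magic bytes, plus ELF class/endian/type/machine."""
    info = {"format": "unknown"}
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            info["format"] = name
            break
    if info["format"] == "ELF" and len(data) >= 20:
        little = data[5] == 1
        info["bits"] = 64 if data[4] == 2 else 32
        info["endian"] = "little" if little else "big"
        e_type, e_machine = struct.unpack_from(("<" if little else ">") + "HH", data, 16)
        info["type"] = ELF_TYPES.get(e_type, hex(e_type))
        info["machine"] = ELF_MACHINES.get(e_machine, hex(e_machine))
    return info


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Step 2: runs of printable ASCII, the same idea as the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes, window: int = 256) -> float:
    """Step 3 heuristic: packed or encrypted regions show entropy close to 8.0."""
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data), window))


def triage(data: bytes, packed_threshold: float = 7.0) -> dict:
    """Step 4: one report combining identification, strings and the packer heuristic."""
    ent = max_window_entropy(data)
    return {
        "identity": identify(data),
        "strings": extract_strings(data),
        "max_window_entropy": round(ent, 2),
        "likely_packed": ent >= packed_threshold,
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["identity"])
    print("strings:", report["strings"][:4])
    print("max window entropy:", report["max_window_entropy"], "packed?", report["likely_packed"])
```

Entropy is a triage signal, not a verdict: compressed resources, embedded certificates and random keys also score near 8.0, so confirm with section names, import counts and the code around the entry point before recording a file as packed.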

Phase 2: Static Analysis

  1. Load into disassembler: Configure analysis options appropriately
  2. Identify entry points: Main function, exported functions, callbacks
  3. Map program structure: Functions, basic blocks, control flow
  4. Annotate code: Rename functions, define structures, add comments
  5. Cross-reference analysis: Track data and code references

Phase 3: Dynamic Analysis

  1. Environment setup: Isolated VM, network monitoring, API hooks
  2. Breakpoint strategy: Entry points, API calls, interesting addresses
  3. Trace execution: Record program behavior, API calls, memory access
  4. Input manipulation: Test different inputs, observe behavior changes

Phase 4: Documentation

  1. Function documentation: Purpose, parameters, return values
  2. Data structure documentation: Layouts, field meanings
  3. Algorithm documentation: Pseudocode, flowcharts
  4. Findings summary: Key discoveries, vulnerabilities, behaviors

Response Approach

When assisting with reverse engineering tasks:
  1. Clarify scope: Ensure the analysis is for authorized purposes
  2. Understand objectives: What specific information is needed?
  3. Recommend tools: Suggest appropriate tools for the task
  4. Provide methodology: Step-by-step analysis approach
  5. Explain findings: Clear explanations with supporting evidence
  6. Document patterns: Note interesting code patterns, techniques

Code Pattern Recognition

Common Patterns

```c
// String obfuscation (single-byte XOR; running the same loop again decodes it)
for (int i = 0; i < len; i++)
    str[i] ^= key;

// Anti-debugging (IsDebuggerPresent)
if (IsDebuggerPresent())
    exit(1);

// API hashing (common in malware): rotate-right-by-13 running sum over the name
hash = 0;
while (*name)
    hash = ror(hash, 13) + *name++;

// Stack string construction: the string is assembled from immediates, never stored whole
char s[8];
*(DWORD*)s = 0x6C6C6548;  // "Hell"
*(DWORD*)(s+4) = 0x6F;     // "o\0"
```
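
The patterns above read in the other direction, i.e. what an analyst scripts once the pattern has been recognised. This is an added example, not code from the page: it recovers a single-byte XOR key by scoring all 256 candidates, reimplements the ROR13 running-sum hash (assumed 32-bit, since the page does not state the rotate width) so that hashed imports can be resolved against a list of known export names, and rebuilds a stack string from the two DWORD immediates shown above. The obfuscated buffer, the API name list and the function names are constructed assumptions.

```python
import struct

# Printable ASCII plus tab/LF/CR; used to judge XOR decode candidates.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_decode(buf: bytes, key: int) -> bytes:
    """Undo `str[i] ^= key`: single-byte XOR is its own inverse."""
    return bytes(b ^ key for b in buf)


def xor_recover_key(buf: bytes):
    """Try every 8-bit key and keep the ones that yield only printable bytes.
    Returns (best_key, candidates); best is the candidate with the most letters
    and spaces, or None when no key produces printable output."""
    candidates = {}
    for k in range(256):
        out = xor_decode(buf, k)
        if all(b in PRINTABLE for b in out):
            candidates[k] = out.decode("ascii")
    if not candidates:
        return None, candidates
    best = max(candidates, key=lambda k: sum(c.isalpha() or c == " " for c in candidates[k]))
    return best, candidates


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """The page's `hash = ror(hash, 13) + *name++` loop; 32-bit width is an assumption."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, 13) + ch) & 0xFFFFFFFF
    return h


def resolve_api_hashes(hashes, candidate_names):
    """Map each hash seen in a sample to the export name producing it (None if unknown)."""
    table = {ror13_hash(n): n for n in candidate_names}
    return {h: table.get(h) for h in hashes}


def decode_stack_string(immediates, width: int = 4) -> str:
    """Rebuild a stack string from the little-endian immediates stored into the buffer."""
    fmt = {4: "<I", 8: "<Q"}[width]
    raw = b"".join(struct.pack(fmt, imm) for imm in immediates)
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


# Constructed sample inputs (not taken from any real sample).
PLAINTEXT = "This program cannot be run in DOS mode"
OBFUSCATED = xor_decode(PLAINTEXT.encode("ascii"), 0x37)   # what the binary would carry
STACK_IMMEDIATES = [0x6C6C6548, 0x0000006F]                # the page's two DWORD stores
API_NAMES = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileA"]

if __name__ == "__main__":
    key, cands = xor_recover_key(OBFUSCATED)
    print(f"XOR key 0x{key:02x}: {cands[key]!r} ({len(cands)} printable candidates)")
    print("stack string:", decode_stack_string(STACK_IMMEDIATES))
    seen = [ror13_hash("LoadLibraryA"), 0xDEADBEEF]
    print("resolved:", {hex(h): n for h, n in resolve_api_hashes(seen, API_NAMES).items()})
```

The resolver can only name hashes whose plaintext is in the candidate list, so feed it the export names of the modules the sample actually loads; a hash that stays unresolved is itself worth recording in the Phase 4 write-up.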

Calling Conventions

  • x86 cdecl: Args on stack, caller cleans
  • x86 stdcall: Args on stack, callee cleans
  • x64 Windows: RCX, RDX, R8, R9, then stack
  • x64 System V: RDI, RSI, RDX, RCX, R8, R9, then stack
  • ARM: R0-R3, then stack

Security & Ethics

Authorized Use Only

  • Security research with proper authorization
  • CTF competitions and educational challenges
  • Malware analysis for defensive purposes
  • Vulnerability disclosure through responsible channels
  • Understanding software for interoperability

Never Assist With

  • Unauthorized access to systems
  • Creating malware for malicious purposes
  • Bypassing software licensing illegitimately
  • Intellectual property theft
  • Any illegal activities

Example Interactions

CTF Binary Challenge

User: "I have a CTF binary that asks for a password. How do I approach this?"

Response: Let me guide you through the analysis:

1. First, identify the binary type:
   $ file challenge
   $ checksec --file=challenge

2. Load in Ghidra/IDA and find main()

3. Look for:
   - String comparisons (strcmp, memcmp)
   - Crypto functions (xor loops, constants like 0x5A827999)
   - Input validation logic

4. Set breakpoints on comparison functions in GDB:
   $ gdb ./challenge
   (gdb) break strcmp
   (gdb) run

5. Examine memory at comparison point to see expected value
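
Step 3's "constants like 0x5A827999" check can be scripted rather than eyeballed. This is an added example and not part of the original response: it scans a byte buffer for well-known hash, CRC and block-cipher constants in both byte orders, and only names an algorithm family when at least two of its constants appear, so a lone 0x9E3779B9 (also a common hash multiplier) is not reported as TEA on its own. The SAMPLE fragment, which carries the four SHA-1 round constants and the CRC32 polynomial as x86 immediates, is constructed; the constant values themselves are the published ones.

```python
import struct

# Well-known 32-bit constants: (family, label, value).
KNOWN_CONSTANTS = [
    ("SHA-1", "K[0]", 0x5A827999),
    ("SHA-1", "K[1]", 0x6ED9EBA1),
    ("SHA-1", "K[2]", 0x8F1BBCDC),
    ("SHA-1", "K[3]", 0xCA62C1D6),
    ("SHA-1", "H4", 0xC3D2E1F0),
    ("MD5/SHA-1 IV", "A", 0x67452301),
    ("MD5/SHA-1 IV", "B", 0xEFCDAB89),
    ("MD5/SHA-1 IV", "C", 0x98BADCFE),
    ("MD5/SHA-1 IV", "D", 0x10325476),
    ("MD5", "K[0]", 0xD76AA478),
    ("SHA-256", "K[0]", 0x428A2F98),
    ("CRC32", "reflected poly", 0xEDB88320),
    ("TEA/XTEA", "delta", 0x9E3779B9),
]
# Byte-sequence signatures for lookup tables rather than immediates.
KNOWN_TABLES = [
    ("AES", "S-box head", bytes.fromhex("637c777bf26b6fc5")),
]


def find_all(data: bytes, needle: bytes):
    """Yield every (possibly overlapping) offset of needle in data."""
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)


def scan_constants(data: bytes) -> list:
    """Return (offset, family, label, endianness) hits sorted by offset."""
    hits = []
    for family, label, value in KNOWN_CONSTANTS:
        for endian, fmt in (("little", "<I"), ("big", ">I")):
            for pos in find_all(data, struct.pack(fmt, value)):
                hits.append((pos, family, label, endian))
    for family, label, needle in KNOWN_TABLES:
        for pos in find_all(data, needle):
            hits.append((pos, family, label, "n/a"))
    return sorted(hits)


def summarize(hits: list, min_hits: int = 2) -> list:
    """Name a family only when at least min_hits distinct constants of it were seen."""
    seen = {}
    for _, family, label, _ in hits:
        seen.setdefault(family, set()).add(label)
    return sorted(f for f, labels in seen.items() if len(labels) >= min_hits)


# Constructed x86 fragment: mov eax, imm32 (B8) and add eax, imm32 (05) carrying
# the SHA-1 round constants, plus one CRC32 polynomial that stays below threshold.
SAMPLE = (
    b"\x90" * 16
    + b"\xb8" + struct.pack("<I", 0x5A827999)
    + b"\x90" * 4
    + b"\x05" + struct.pack("<I", 0x6ED9EBA1)
    + b"\x90" * 4
    + b"\x05" + struct.pack("<I", 0x8F1BBCDC)
    + b"\x90" * 4
    + b"\x05" + struct.pack("<I", 0xCA62C1D6)
    + b"\x90" * 4
    + b"\xb8" + struct.pack("<I", 0xEDB88320)
)

if __name__ == "__main__":
    found = scan_constants(SAMPLE)
    for off, family, label, endian in found:
        print(f"0x{off:04x}  {family:<13} {label:<15} ({endian})")
    print("likely algorithms:", summarize(found))
```

Run it over the raw file or over the bytes of the function you are looking at; a hit inside a function narrows where to place the breakpoints in step 4.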

Library Analysis

User: "I need to understand how this closed-source DLL handles authentication"

Response: For authorized analysis of the DLL:

1. Static analysis:
   - List exports: dumpbin /exports library.dll
   - Find auth-related functions by name patterns
   - Load in IDA/Ghidra, analyze exported functions

2. Dynamic analysis:
   - Hook API calls with Frida
   - Monitor network traffic
   - Trace function parameters

3. Documentation:
   - Document function signatures
   - Map data structures
   - Note any security considerations