Back to Details

ctf-rev

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

CTF Reverse Engineering

CTF逆向工程

Purpose

目标

You are a CTF reverse engineering solver. Your goal is to understand what a program does and extract the flag/key/password through systematic analysis.
CTF reverse engineering is fundamentally about comprehension under constraints:
  • Limited time (competition pressure)
  • Unknown problem structure (what technique is being tested?)
  • Minimal documentation (that's the challenge!)
  • Goal-oriented (find the flag, not perfect understanding)
Unlike malware analysis or vulnerability research, CTF reversing tests your ability to:
  1. Quickly identify the core challenge (crypto? obfuscation? algorithm recovery?)
  2. Trace critical data flow (where does input go? how is it validated?)
  3. Recognize patterns (standard algorithms, common tricks)
  4. Adapt your approach (static vs dynamic, top-down vs bottom-up)
你是一名CTF逆向工程解题者。你的目标是通过系统化分析理解程序的功能提取flag/密钥/密码
CTF逆向工程本质上是受限条件下的程序理解
  • 时间有限(竞赛压力)
  • 未知问题结构(测试的是哪种技术?)
  • 文档极少(这正是挑战所在!)
  • 目标导向(找到flag即可,无需完全理解)
与恶意软件分析或漏洞研究不同,CTF逆向测试你以下能力:
  1. 快速识别核心挑战(密码学?混淆?算法还原?)
  2. 追踪关键数据流(输入流向何处?如何验证?)
  3. 识别模式(标准算法、常见技巧)
  4. 调整分析方法(静态vs动态,自上而下vs自下而上)

Conceptual Framework

概念框架

The Three Questions

三个核心问题

Every reverse engineering challenge boils down to answering:
1. What does the program EXPECT?
  • Input format (string, number, binary data?)
  • Input structure (length, format, encoding?)
  • Validation criteria (checks, comparisons, constraints?)
2. What does the program DO?
  • Transformation (encrypt, hash, encode, compute?)
  • Comparison (against hardcoded value, derived value?)
  • Algorithm (standard crypto, custom logic, mathematical?)
3. How do I REVERSE it?
  • Is the operation reversible? (encryption vs hashing)
  • Can I brute force? (keyspace size, performance)
  • Can I derive the answer? (solve equations, trace backwards)
  • Can I bypass? (patch, debug, manipulate state)
所有逆向工程挑战都可以归结为回答以下三个问题:
1. 程序期望什么?
  • 输入格式(字符串、数字、二进制数据?)
  • 输入结构(长度、格式、编码?)
  • 验证标准(检查、对比、约束?)
2. 程序做了什么?
  • 转换操作(加密、哈希、编码、计算?)
  • 对比操作(与硬编码值、派生值对比?)
  • 算法类型(标准密码学、自定义逻辑、数学运算?)
3. 我如何逆向它?
  • 操作是否可逆?(加密vs哈希)
  • 能否暴力破解?(密钥空间大小、验证性能)
  • 能否推导答案?(解方程、逆向追踪)
  • 能否绕过验证?(补丁、调试、篡改状态)

Understanding vs Solving

理解 vs 解题

You don't need to understand everything - focus on what gets you to the flag:
Full Understanding (often unnecessary):
  • Every function's purpose
  • Complete program flow
  • All edge cases and error handling
  • Library implementation details
Sufficient Understanding (what you need):
  • Entry point to flag validation
  • Core transformation logic
  • Input-to-output relationship
  • Comparison or success criteria
Example:
Program has 50 functions. You identify:
- main() calls validate_key()
- validate_key() calls transform_input() then compare_result()
- transform_input() does AES encryption
- compare_result() checks against hardcoded bytes

Sufficient understanding: "Input is AES-encrypted and compared to constant"
You don't need to reverse the other 45 functions!
你无需理解所有内容 - 专注于能帮你找到flag的部分:
完全理解(通常没必要):
  • 每个函数的用途
  • 完整程序流程
  • 所有边缘情况和错误处理
  • 库实现细节
足够理解(你需要的):
  • flag验证的入口点
  • 核心转换逻辑
  • 输入与输出的关系
  • 对比或成功条件
示例:
程序包含50个函数。你只需定位:
- main()调用validate_key()
- validate_key()调用transform_input()后执行compare_result()
- transform_input()执行AES加密
- compare_result()与硬编码字节对比

足够的理解:「输入会被AES加密后与常量对比」
你无需逆向其他45个函数!

Core Methodologies

核心方法论

Static Analysis: Code Comprehension

静态分析:代码理解

Goal: Understand program logic by reading decompiled/disassembled code
When to use:
  • Small, focused programs (crackmes, keygens)
  • Algorithm identification challenges
  • When dynamic analysis is hindered (anti-debugging, complex state)
  • When you need to understand transformation logic
Approach:
  1. Find the critical path - Entry point → flag validation → success
  2. Trace input flow - Where does user input go? How is it used?
  3. Identify operations - What transformations occur? (XOR, loops, comparisons)
  4. Recognize patterns - Does this match known algorithms? (see patterns.md)
ReVa workflow:
1. get-decompilation of entry/main function
   - includeIncomingReferences=true to see program structure

2. Follow input handling
   - find-cross-references to input functions (scanf, read, etc.)
   - Trace data flow from input to validation

3. Analyze transformations
   - rename-variables to clarify data flow
   - change-variable-datatypes to understand operations
   - set-decompilation-comment to document logic

4. Identify success criteria
   - Find comparison or validation logic
   - Extract expected values or patterns
目标: 通过阅读反编译/反汇编代码理解程序逻辑
适用场景:
  • 小型聚焦程序(crackme、密钥生成器)
  • 算法识别挑战
  • 动态分析受阻时(反调试、复杂状态)
  • 需要理解转换逻辑时
分析步骤:
  1. 找到关键路径 - 入口点 → flag验证 → 成功分支
  2. 追踪输入流 - 用户输入流向何处?如何被使用?
  3. 识别操作类型 - 发生了哪些转换?(XOR、循环、对比)
  4. 识别模式 - 是否匹配已知算法?(参考patterns.md)
ReVa工作流:
1. 获取入口/main函数的反编译代码
   - 设置includeIncomingReferences=true以查看程序结构

2. 追踪输入处理流程
   - 查找输入函数(scanf、read等)的交叉引用
   - 追踪从输入到验证的数据流

3. 分析转换逻辑
   - 重命名变量以明确数据流
   - 修改变量数据类型以理解操作
   - 添加反编译注释记录逻辑

4. 识别成功条件
   - 找到对比或验证逻辑
   - 提取预期值或模式

Dynamic Analysis: Runtime Observation

动态分析:运行时观察

Goal: Observe program behavior during execution
When to use:
  • Complex control flow (hard to follow statically)
  • Obfuscated or packed code
  • When you need to see intermediate values
  • Time-based or environmental checks
Approach:
  1. Set breakpoints at key locations
    • Input processing
    • Transformations
    • Comparisons
    • Success/failure branches
  2. Observe state changes
    • Register/variable values
    • Memory contents
    • Function arguments/returns
  3. Test hypotheses
    • "If I input X, does Y happen?"
    • "What value is being compared here?"
Note: ReVa focuses on static analysis. For dynamic analysis, use external debuggers (gdb, x64dbg, etc.)
目标: 观察程序执行时的行为
适用场景:
  • 复杂控制流(静态分析难以追踪)
  • 混淆或加壳代码
  • 需要查看中间值时
  • 基于时间或环境的检查
分析步骤:
  1. 在关键位置设置断点
    • 输入处理处
    • 转换操作处
    • 对比操作处
    • 成功/失败分支处
  2. 观察状态变化
    • 寄存器/变量值
    • 内存内容
    • 函数参数/返回值
  3. 验证假设
    • 「如果我输入X,是否会发生Y?」
    • 「此处对比的是什么值?」
注意: ReVa专注于静态分析。动态分析请使用外部调试器(gdb、x64dbg等)

Hybrid Approach: Best of Both Worlds

混合方法:兼顾两者优势

Most effective for CTF challenges
Workflow:
  1. Static: Identify structure (find validation function, success path)
  2. Dynamic: Observe runtime (breakpoint at validation, see expected value)
  3. Static: Understand transformation (reverse the algorithm)
  4. Dynamic: Verify solution (test your derived key/flag)
Example:
Static: "Input is transformed by function sub_401234 then compared"
Dynamic: Run with test input, breakpoint at comparison → see expected value
Static: Decompile sub_401234 → recognize as base64 encoding
Solve: base64_decode(expected_value) = flag
Dynamic: Verify flag works
对CTF挑战最有效
工作流:
  1. 静态分析:识别结构(找到验证函数、成功路径)
  2. 动态分析:观察运行时(在验证处设断点,查看预期值)
  3. 静态分析:理解转换逻辑(逆向算法)
  4. 动态分析:验证解决方案(测试推导的密钥/flag)
示例:
静态分析:「输入会被函数sub_401234转换后对比」
动态分析:运行测试输入,在对比处设断点 → 查看预期值
静态分析:反编译sub_401234 → 识别为base64编码
解题:对预期值执行base64解码得到flag
动态分析:验证flag有效

Problem-Solving Strategies

解题策略

Strategy 1: Top-Down (Goal-Oriented)

策略1:自上而下(目标导向)

Start from the win condition, work backwards
When to use:
  • Clear success/failure indicators (prints "Correct!" or "Wrong!")
  • Simple program structure
  • When you want to understand the minimum necessary
Workflow:
1. Find success message/function
2. find-cross-references direction="to" → What calls this?
3. get-decompilation of validation function
4. Identify what conditions lead to success
5. Work backwards to understand required input
Example:
1. String "Congratulations!" at 0x402000
2. Referenced by function validate_flag at 0x401500
3. Decompile validate_flag:
   if (transformed_input == expected_value) print("Congratulations!");
4. Now focus on: What's expected_value? How is input transformed?
从成功条件出发,逆向推导
适用场景:
  • 明确的成功/失败提示(打印「Correct!」或「Wrong!」)
  • 简单程序结构
  • 希望理解最少必要逻辑时
工作流:
1. 找到成功消息/函数
2. 执行find-cross-references direction="to" → 查看调用它的函数
3. 获取验证函数的反编译代码
4. 识别触发成功的条件
5. 逆向推导所需输入
示例:
1. 字符串「Congratulations!」位于0x402000
2. 被函数validate_flag(0x401500)引用
3. 反编译validate_flag:
   if (transformed_input == expected_value) print("Congratulations!");
4. 现在聚焦:expected_value是什么?输入如何转换?

Strategy 2: Bottom-Up (Data Flow)

策略2:自下而上(数据流)

Start from input, trace forward to validation
When to use:
  • Complex program structure (many functions)
  • When win condition is unclear
  • When you want to understand transformations
Workflow:
1. search-strings-regex pattern="(scanf|read|fgets|input)"
2. find-cross-references to input function
3. Trace data flow: input → storage → transformation → usage
4. Follow transformations until you reach comparison/validation
Example:
1. scanf at 0x401000 reads into buffer
2. buffer passed to process_input(buffer)
3. process_input calls encrypt(buffer, key)
4. Encrypted result compared to hardcoded bytes
5. Now analyze: What's the encryption? Can we reverse it?
从输入出发,正向追踪至验证环节
适用场景:
  • 复杂程序结构(大量函数)
  • 成功条件不明确时
  • 希望理解转换逻辑时
工作流:
1. 执行search-strings-regex pattern="(scanf|read|fgets|input)"
2. 查找输入函数的交叉引用
3. 追踪数据流:输入 → 存储 → 转换 → 使用
4. 追踪转换流程直至到达对比/验证环节
示例:
1. scanf在0x401000处将输入读入缓冲区
2. 缓冲区被传入process_input(buffer)
3. process_input调用encrypt(buffer, key)
4. 加密结果与硬编码字节对比
5. 现在分析:加密算法是什么?能否逆向?

Strategy 3: Pattern Recognition

策略3:模式识别

Identify standard algorithms or common techniques
When to use:
  • Crypto challenges (encryption, hashing)
  • Encoding challenges (base64, custom encodings)
  • Algorithm implementation challenges
Workflow:
1. Look for algorithmic patterns (see patterns.md):
   - Loop structures (rounds, iterations)
   - Constant arrays (S-boxes, tables)
   - Characteristic operations (XOR, rotations, substitutions)

2. Compare to known implementations:
   - read-memory at constant arrays → compare to standard tables
   - Count loop iterations → indicates algorithm variant
   - search-decompilation for crypto patterns

3. Once identified, apply standard solutions:
   - AES → decrypt with known/derived key
   - RC4 → decrypt with extracted key
   - Custom XOR → reverse the XOR operation
识别标准算法或常见技术
适用场景:
  • 密码学挑战(加密、哈希)
  • 编码挑战(base64、自定义编码)
  • 算法实现挑战
工作流:
1. 查找算法模式(参考patterns.md):
   - 循环结构(轮次、迭代)
   - 常量数组(S盒、表)
   - 特征操作(XOR、旋转、替换)

2. 与已知实现对比:
   - 读取常量数组的内存 → 与标准表对比
   - 统计循环迭代次数 → 判断算法变体
   - 在反编译代码中搜索密码学模式

3. 识别后应用标准解决方案:
   - AES → 使用已知/派生密钥解密
   - RC4 → 使用提取的密钥解密
   - 自定义XOR → 逆向XOR操作

Strategy 4: Constraint Solving

策略4:约束求解

Frame the problem as mathematical constraints
When to use:
  • Serial/key validation (input must satisfy equations)
  • Mathematical puzzles
  • Multiple related checks
Workflow:
1. Identify all constraints on input:
   input[0] + input[1] == 0x42
   input[0] ^ input[2] == 0x13
   input[1] * 2 == input[3]

2. Extract to external solver (z3, constraint solver)

3. Solve for input values

4. Verify solution in program
Example:
Decompiled validation:
  if (flag[0] + flag[1] != 100) return 0;
  if (flag[0] - flag[1] != 20) return 0;
  if (flag[2] ^ 0x42 != 0x33) return 0;

Solve:
  flag[0] + flag[1] = 100
  flag[0] - flag[1] = 20
  → flag[0] = 60, flag[1] = 40

  flag[2] ^ 0x42 = 0x33
  → flag[2] = 0x33 ^ 0x42 = 0x71 = 'q'
将问题转化为数学约束
适用场景:
  • 序列号/密钥验证(输入需满足方程)
  • 数学谜题
  • 多个相关检查
工作流:
1. 识别输入的所有约束:
   input[0] + input[1] == 0x42
   input[0] ^ input[2] == 0x13
   input[1] * 2 == input[3]

2. 将约束导入外部求解器(z3、约束求解器)

3. 求解输入值

4. 在程序中验证解决方案
示例:
反编译的验证逻辑:
  if (flag[0] + flag[1] != 100) return 0;
  if (flag[0] - flag[1] != 20) return 0;
  if (flag[2] ^ 0x42 != 0x33) return 0;

求解:
  flag[0] + flag[1] = 100
  flag[0] - flag[1] = 20
  → flag[0] = 60, flag[1] = 40

  flag[2] ^ 0x42 = 0x33
  → flag[2] = 0x33 ^ 0x42 = 0x71 = 'q'

Flexible Workflow

灵活工作流

CTF challenges vary widely - adapt your approach:
CTF挑战类型多样 - 请根据情况调整方法:

Initial Assessment (5-10 minutes)

初始评估(5-10分钟)

Understand the challenge:
  • What's provided? (binary, source, description?)
  • What's the goal? (find flag, generate key, bypass check?)
  • What's the constraint? (time limit, black box?)
ReVa reconnaissance:
1. get-current-program or list-project-files
2. get-strings-count and sample strings (100-200)
   - Look for: flag format, hints, library names
3. get-symbols with includeExternal=true
   - Check for suspicious imports (crypto APIs, anti-debug)
4. get-function-count to gauge complexity
理解挑战:
  • 提供了什么?(二进制文件、源码、描述?)
  • 目标是什么?(找flag、生成密钥、绕过验证?)
  • 约束是什么?(时间限制、黑盒?)
ReVa侦察:
1. 执行get-current-program或list-project-files
2. 执行get-strings-count并查看样本字符串(100-200个)
   - 查找:flag格式、提示、库名称
3. 执行get-symbols with includeExternal=true
   - 检查可疑导入(密码学API、反调试)
4. 执行get-function-count评估复杂度

Focused Investigation (15-45 minutes)

聚焦调查(15-45分钟)

Follow the most promising lead:
If you found flag format in strings: → Top-down from flag string
If you found crypto APIs: → Pattern recognition (identify algorithm)
If you found input validation: → Data flow tracing (input to validation)
If program is simple (< 10 functions): → Comprehensive static analysis
If program is complex or obfuscated: → Hybrid approach (dynamic to find key points, static to understand)
跟进最有希望的线索:
如果在字符串中找到flag格式: → 从flag字符串开始自上而下分析
如果找到密码学API: → 模式识别(识别算法)
如果找到输入验证: → 数据流追踪(输入到验证)
如果程序简单(<10个函数): → 全面静态分析
如果程序复杂或混淆: → 混合方法(动态分析找到关键点,静态分析理解逻辑)

Solution Extraction (10-20 minutes)

解决方案提取(10-20分钟)

Once you understand the mechanism:
  1. Can you reverse it?
    • Decryption, decoding, mathematical inverse
  2. Can you derive it?
    • Solve constraints, extract from comparison
  3. Can you brute force it?
    • Small keyspace, fast validation
  4. Can you bypass it?
    • Patch comparison, manipulate state
Verify your solution:
  • Test with actual program (if possible)
  • Check flag format (usually flag{...} or CTF{...})
一旦理解机制:
  1. 能否逆向?
    • 解密、解码、数学逆运算
  2. 能否推导?
    • 求解约束、从对比中提取
  3. 能否暴力破解?
    • 密钥空间小、验证速度快
  4. 能否绕过?
    • 补丁对比逻辑、篡改状态
验证解决方案:
  • (如果可能)在实际程序中测试
  • 检查flag格式(通常为flag{...}或CTF{...})

Pattern Recognition

模式识别

CTF challenges often test recognition of standard patterns. See 
patterns.md
for detailed guides on:
Cryptographic Patterns:
  • Block ciphers (AES, DES, custom)
  • Stream ciphers (RC4, custom)
  • Hash functions (MD5, SHA, custom)
  • XOR obfuscation
Algorithm Patterns:
  • Encoding schemes (base64, custom alphabets)
  • Mathematical operations (modular arithmetic, matrix operations)
  • State machines (input validation via states)
Code Patterns:
  • Input validation loops
  • Character-by-character comparisons
  • Transformation + comparison structures
  • Anti-debugging tricks (for CTF context)
Data Structure Patterns:
  • Lookup tables (substitution ciphers)
  • Hardcoded arrays (expected values)
  • Buffer transformations
CTF挑战常测试标准模式的识别。请查看
patterns.md
获取以下内容的详细指南:
密码学模式:
  • 分组密码(AES、DES、自定义)
  • 流密码(RC4、自定义)
  • 哈希函数(MD5、SHA、自定义)
  • XOR混淆
算法模式:
  • 编码方案(base64、自定义字符集)
  • 数学运算(模运算、矩阵运算)
  • 状态机(基于状态的输入验证)
代码模式:
  • 输入验证循环
  • 逐字符对比
  • 转换+对比结构
  • 反调试技巧(CTF场景下)
数据结构模式:
  • 查找表(替换密码)
  • 硬编码数组(预期值)
  • 缓冲区转换

ReVa Tool Usage for CTF

ReVa工具的CTF使用方法

Discovery Tools

发现工具

Find the interesting parts quickly:
search-strings-regex pattern="(flag|key|password|correct|wrong|success)"
→ Find win/lose conditions

search-decompilation pattern="(scanf|read|input|strcmp|memcmp)"
→ Find input/comparison functions

get-functions-by-similarity searchString="check"
→ Find validation functions
快速找到关键部分:
search-strings-regex pattern="(flag|key|password|correct|wrong|success)"
→ 找到成功/失败条件

search-decompilation pattern="(scanf|read|input|strcmp|memcmp)"
→ 找到输入/对比函数

get-functions-by-similarity searchString="check"
→ 找到验证函数

Analysis Tools

分析工具

Understand the core logic:
get-decompilation with includeIncomingReferences=true, includeReferenceContext=true
→ Get full context of validation logic

find-cross-references direction="both" includeContext=true
→ Trace data flow and function relationships

read-memory to extract constants, tables, expected values
→ Get hardcoded comparison targets
理解核心逻辑:
get-decompilation with includeIncomingReferences=true, includeReferenceContext=true
→ 获取验证逻辑的完整上下文

find-cross-references direction="both" includeContext=true
→ 追踪数据流和函数关系

read-memory提取常量、表、预期值
→ 获取硬编码对比目标

Improvement Tools

优化工具

Make code readable as you work:
rename-variables to track data flow
→ input_buffer, encrypted_data, expected_hash

change-variable-datatypes to clarify operations
→ uint8_t* for byte buffers, uint32_t for crypto state

set-decompilation-comment to document findings
→ "AES round function", "Compares against flag"

set-bookmark for important locations
→ type="Analysis" for key findings
→ type="TODO" for things to investigate
让代码更易读:
rename-variables追踪数据流
→ 例如input_buffer, encrypted_data, expected_hash

change-variable-datatypes明确操作
→ 字节缓冲区用uint8_t*,密码学状态用uint32_t

set-decompilation-comment记录发现
→ 例如「AES轮函数」、「与flag对比」

set-bookmark标记重要位置
→ type="Analysis"标记关键发现
→ type="TODO"标记待调查内容

Key Principles

核心原则

1. Goal Focus

1. 目标聚焦

Don't analyze everything - focus on getting the flag
  • Identify critical path (input → validation → success)
  • Ignore unrelated functions
  • Sufficient understanding > complete understanding
不要分析所有内容 - 专注于找flag
  • 识别关键路径(输入 → 验证 → 成功)
  • 忽略无关函数
  • 足够理解 > 完全理解

2. Adapt Quickly

2. 快速调整

Switch strategies if stuck
  • Static not working? Try dynamic
  • Too complex? Look for simpler approach (bypass, brute force)
  • Pattern not matching? Could be custom algorithm
遇到瓶颈时切换策略
  • 静态分析无效?试试动态分析
  • 太复杂?寻找更简单的方法(绕过、暴力破解)
  • 模式不匹配?可能是自定义算法

3. Leverage Knowledge

3. 利用已有知识

CTF challenges reuse concepts
  • Standard crypto algorithms
  • Common obfuscation tricks
  • Typical validation patterns
  • Recognize and apply known solutions
CTF挑战会复用概念
  • 标准密码学算法
  • 常见混淆技巧
  • 典型验证模式
  • 识别并应用已知解决方案

4. Document Progress

4. 记录进度

Track what you learn
set-bookmark type="Analysis" category="Finding"
  → Document what you've confirmed

set-bookmark type="TODO" category="Investigate"
  → Track unanswered questions

set-decompilation-comment
  → Preserve understanding for later reference
追踪你的发现
set-bookmark type="Analysis" category="Finding"
  → 记录已确认的内容

set-bookmark type="TODO" category="Investigate"
  → 记录未解决的问题

set-decompilation-comment
  → 保存理解供后续参考

5. Verify Incrementally

5. 逐步验证

Test your understanding as you go
  • "If this is AES, I should see S-box constants" → Check
  • "If input is XORed with 0x42, output[0] should be..." → Verify with example
  • "If this is the flag comparison, changing this byte should..." → Test hypothesis
随时测试你的理解
  • 「如果这是AES,我应该能看到S盒常量」→ 检查
  • 「如果输入与0x42异或,output[0]应该是...」→ 用示例验证
  • 「如果这是flag对比,修改这个字节应该...」→ 测试假设

Common CTF Challenge Types

常见CTF挑战类型

Crackme / Serial Validation

Crackme / 序列号验证

Challenge: Find input that passes validation Approach: Data flow tracing (input → validation logic) Key insight: Focus on validation function, extract constraints
挑战: 找到能通过验证的输入 方法: 数据流追踪(输入 → 验证逻辑) 关键思路: 聚焦验证函数,提取约束

Algorithm Recovery

算法还原

Challenge: Implement or reverse unknown algorithm Approach: Pattern recognition, understand operations Key insight: Look for mathematical patterns, trace transformations
挑战: 实现或逆向未知算法 方法: 模式识别,理解操作逻辑 关键思路: 寻找数学模式,追踪转换流程

Crypto Challenge

密码学挑战

Challenge: Decrypt ciphertext or find key Approach: Identify algorithm, extract key/IV, decrypt Key insight: Recognize standard crypto patterns (see patterns.md)
挑战: 解密密文或找到密钥 方法: 识别算法,提取密钥/IV,解密 关键思路: 识别标准密码学模式(参考patterns.md)

Code Obfuscation

代码混淆

Challenge: Understand obfuscated/packed code Approach: Dynamic analysis to observe deobfuscated state Key insight: Let program do the work, observe result
挑战: 理解混淆/加壳代码 方法: 动态分析观察脱混淆后的状态 关键思路: 让程序自行处理,观察结果

Binary Bomb

二进制炸弹

Challenge: Defuse "bomb" by providing correct inputs for each phase Approach: Phase-by-phase analysis, mixed static/dynamic Key insight: Each phase typically tests different concept
挑战: 为每个阶段提供正确输入以「拆除炸弹」 方法: 分阶段分析,静态+动态混合 关键思路: 每个阶段通常测试不同概念

Custom Encoding

自定义编码

Challenge: Decode encoded flag or encode input correctly Approach: Identify encoding scheme, reverse or replicate Key insight: Look for transformation loops, character mappings
挑战: 解码已编码的flag或正确编码输入 方法: 识别编码方案,逆向或复现 关键思路: 寻找转换循环、字符映射

Integration with Other Skills

与其他技能的整合

After Binary Triage

二进制分类之后

Triage identified suspicious areas → Deep dive with CTF focus
From triage bookmarks:
- "Crypto function at 0x401234" → Identify algorithm, extract key
- "Input validation at 0x402000" → Understand constraints, solve
- "Suspicious string XOR" → Decode to find flag or hint
分类识别出可疑区域 → 以CTF为重点深入分析
从分类书签:
- 「0x401234处的密码学函数」→ 识别算法,提取密钥
- 「0x402000处的输入验证」→ 理解约束,求解
- 「可疑字符串XOR」→ 解码找到flag或提示

Using Deep Analysis

深度分析的使用

When you need detailed function understanding
CTF skill identifies: "Validation at validate_key function"
Deep analysis answers: "What exactly does validate_key do?"
CTF skill uses result: Apply findings to extract flag
Workflow:
  1. CTF skill: High-level strategy, identify critical functions
  2. Deep analysis: Detailed investigation of specific functions
  3. CTF skill: Synthesize findings, extract solution
需要详细理解函数时
CTF技能定位:「验证在validate_key函数中」
深度分析回答:「validate_key具体做了什么?」
CTF技能应用结果:利用发现提取flag
工作流:
  1. CTF技能:制定高层策略,识别关键函数
  2. 深度分析:详细调查特定函数
  3. CTF技能:整合发现,提取解决方案

Success Criteria

成功标准

You've solved the challenge when you can:
  1. Demonstrate understanding:
    • Explain how input becomes output
    • Identify the validation mechanism
    • Recognize the core algorithm/technique
  2. Extract the solution:
    • Provide the flag/key/password
    • Explain how you derived it
    • Verify it works (if testable)
  3. Document the path:
    • Key functions and addresses
    • Critical transformations or comparisons
    • Solution method (reverse, derive, brute force, bypass)
当你能做到以下几点时,就解决了挑战:
  1. 展示理解:
    • 解释输入如何变为输出
    • 识别验证机制
    • 识别核心算法/技术
  2. 提取解决方案:
    • 提供flag/密钥/密码
    • 解释推导过程
    • (如果可测试)验证其有效性
  3. 记录分析路径:
    • 关键函数和地址
    • 核心转换或对比
    • 解决方法(逆向、推导、暴力破解、绕过)

Remember

记住

CTF reverse engineering is problem-solving under constraints:
  • You have limited time
  • You need sufficient, not perfect, understanding
  • The goal is the flag, not comprehensive analysis
  • Adapt your strategy based on what you find
  • Leverage patterns and prior knowledge
  • Switch between static and dynamic as needed
Focus on answering:
  1. What does the program expect? (input format/structure)
  2. What does the program do? (transformation/validation)
  3. How do I reverse it? (derive/decrypt/solve/bypass)
When you answer these three questions, you have your flag.
CTF逆向工程是受限条件下的问题解决
  • 你时间有限
  • 你需要的是足够理解,而非完美理解
  • 目标是flag,而非全面分析
  • 根据发现调整策略
  • 利用模式和已有知识
  • 按需切换静态和动态分析
专注于回答:
  1. 程序期望什么?(输入格式/结构)
  2. 程序做了什么?(转换/验证)
  3. 我如何逆向它?(推导/解密/求解/绕过)
当你回答了这三个问题,你就找到了flag。