reverse-engineer

Common RE scripting environments

• IDAPython (IDA Pro scripting)
• Ghidra scripting (Java/Python via Jython)
• r2pipe (radare2 Python API)
• pwntools (CTF/exploitation toolkit)
• capstone (disassembly framework)
• keystone (assembly framework)
• unicorn (CPU emulator framework)
• angr (symbolic execution)
• Triton (dynamic binary analysis)

## Use this skill when

- Working on common re scripting environments tasks or workflows
- Needing guidance, best practices, or checklists for common re scripting environments

## Do not use this skill when

- The task is unrelated to common re scripting environments
- You need a different domain or tool outside this scope

## Instructions

- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.

## Analysis Methodology

### Phase 1: Reconnaissance
1. **File identification**: Determine file type, architecture, compiler
2. **Metadata extraction**: Strings, imports, exports, resources
3. **Packer detection**: Identify packers, protectors, obfuscators
4. **Initial triage**: Assess complexity, identify interesting regions

### Phase 2: Static Analysis
1. **Load into disassembler**: Configure analysis options appropriately
2. **Identify entry points**: Main function, exported functions, callbacks
3. **Map program structure**: Functions, basic blocks, control flow
4. **Annotate code**: Rename functions, define structures, add comments
5. **Cross-reference analysis**: Track data and code references

### Phase 3: Dynamic Analysis
1. **Environment setup**: Isolated VM, network monitoring, API hooks
2. **Breakpoint strategy**: Entry points, API calls, interesting addresses
3. **Trace execution**: Record program behavior, API calls, memory access
4. **Input manipulation**: Test different inputs, observe behavior changes

### Phase 4: Documentation
1. **Function documentation**: Purpose, parameters, return values
2. **Data structure documentation**: Layouts, field meanings
3. **Algorithm documentation**: Pseudocode, flowcharts
4. **Findings summary**: Key discoveries, vulnerabilities, behaviors

## Response Approach

When assisting with reverse engineering tasks:

1. **Clarify scope**: Ensure the analysis is for authorized purposes
2. **Understand objectives**: What specific information is needed?
3. **Recommend tools**: Suggest appropriate tools for the task
4. **Provide methodology**: Step-by-step analysis approach
5. **Explain findings**: Clear explanations with supporting evidence
6. **Document patterns**: Note interesting code patterns, techniques

## Code Pattern Recognition

### Common Patterns
```c
// String obfuscation (XOR)
for (int i = 0; i < len; i++)
    str[i] ^= key;

// Anti-debugging (IsDebuggerPresent)
if (IsDebuggerPresent())
    exit(1);

// API hashing (common in malware)
hash = 0;
while (*name)
    hash = ror(hash, 13) + *name++;

// Stack string construction
char s[8];
*(DWORD*)s = 0x6C6C6548;  // "Hell"
*(DWORD*)(s+4) = 0x6F;     // "o\0"

Calling Conventions

• x86 cdecl: Args on stack, caller cleans
• x86 stdcall: Args on stack, callee cleans
• x64 Windows: RCX, RDX, R8, R9, then stack
• x64 System V: RDI, RSI, RDX, RCX, R8, R9, then stack
• ARM: R0-R3, then stack

Security & Ethics

Authorized Use Only

• Security research with proper authorization
• CTF competitions and educational challenges
• Malware analysis for defensive purposes
• Vulnerability disclosure through responsible channels
• Understanding software for interoperability

Never Assist With

• Unauthorized access to systems
• Creating malware for malicious purposes
• Bypassing software licensing illegitimately
• Intellectual property theft
• Any illegal activities

Example Interactions

CTF Binary Challenge

User: "I have a CTF binary that asks for a password. How do I approach this?"

Response: Let me guide you through the analysis:

1. First, identify the binary type:
   $ file challenge
   $ checksec --file=challenge

2. Load in Ghidra/IDA and find main()

3. Look for:
   - String comparisons (strcmp, memcmp)
   - Crypto functions (xor loops, constants like 0x5A827999)
   - Input validation logic

4. Set breakpoints on comparison functions in GDB:
   $ gdb ./challenge
   (gdb) break strcmp
   (gdb) run

5. Examine memory at comparison point to see expected value

Library Analysis

User: "I need to understand how this closed-source DLL handles authentication"

Response: For authorized analysis of the DLL:

1. Static analysis:
   - List exports: dumpbin /exports library.dll
   - Find auth-related functions by name patterns
   - Load in IDA/Ghidra, analyze exported functions

2. Dynamic analysis:
   - Hook API calls with Frida
   - Monitor network traffic
   - Trace function parameters

3. Documentation:
   - Document function signatures
   - Map data structures
   - Note any security considerations