
ctf-revlisted

Use when solving a CTF reverse engineering challenge — stripped binaries, packed binaries, anti-debug, custom VMs, .NET/Java decomp, Android dex, obfuscated JS, ELF/PE/Mach-O analysis. Provides workflow and tool ordering from the reversing module. Triggers on "ctf rev", "reversing", "reverse engineer", "decompile", "stripped binary".
26zl/cybersec-toolkit · ★ 6 · AI & Automation · score 73
Install: claude install-skill 26zl/cybersec-toolkit
# CTF reverse engineering methodology

## 1. Triage

```bash
file ./bin
strings ./bin | head -50
strings ./bin | grep -i "flag\|ctf{\|password\|key"
xxd ./bin | head -20   # magic bytes
checksec --file=./bin  # protections
```

## 2. Detect packing

```bash
# Entropy check (>7.5 = packed/encrypted)
ent ./bin
# or: python3 -c "from collections import Counter; ..."

# UPX / known packers
upx -t ./bin   # tests + identifies UPX
detect-it-easy-cli ./bin
diec ./bin
```

If UPX-packed: `upx -d ./bin -o unpacked`. For custom packers: dump from memory after the unpacking stub runs (gdb / x64dbg).

## 3. Pick the decompiler

| Binary type | Best tool |
| --- | --- |
| ELF / PE / Mach-O | Ghidra (registry), IDA (commercial), Binary Ninja |
| Stripped ELF | Ghidra + recover symbols via FunctionID / Lumen |
| .NET (DLL/EXE) | `dnSpyEx`, `ilspycmd`, `dotPeek` |
| Java JAR | `jadx`, `cfr`, `procyon` |
| Java class | `javap -c -p` |
| Android APK | `jadx-gui`, `apktool d` then `jadx` on dex |
| iOS / Mach-O | Hopper, Ghidra |
| Go binary | `redress`, `GoReSym`, Ghidra + Go plugin |
| Rust | Ghidra + `rustfilt` for symbols |
| WASM | `wabt` (`wasm-decompile`), `wasmer` for run |
| Python `.pyc` | `uncompyle6`, `decompyle3`, `pycdc` |
| PyInstaller .exe | `pyinstxtractor` then `pycdc` on .pyc |
| Compiled Lua | `unluac`, `luadec` |

## 4. Dynamic analysis

```bash
# Trace
ltrace ./bin
strace ./bin
strace -f -e trace=read,write,open ./bin

# Debug
```
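The entropy check from step 2 written out in full, as an added example that is not part of the skill's own files: it computes Shannon entropy for the whole file and per 256-byte window, because a packed payload sitting between a plain loader stub and zero padding can drag the whole-file figure under the 7.5 rule of thumb while the windows still light up. The sample "binary" is constructed inline; `PACKED_THRESHOLD`, `WINDOW` and the function names are assumptions of this example.

```python
"""Added example: Shannon-entropy packing check for the triage step (not from the skill)."""
import math
import sys
from collections import Counter

PACKED_THRESHOLD = 7.5  # bits per byte; the page's rule of thumb for packed/encrypted data
WINDOW = 256            # constructed choice: one window per 256-byte slice


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte, 0.0 (constant) .. 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(data).values()))


def is_likely_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """Whole-file verdict, the same figure `ent ./bin` reports."""
    return shannon_entropy(data) > threshold


def windowed_entropy(data: bytes, window: int = WINDOW) -> list[tuple[int, float]]:
    """(offset, entropy) for each fixed-size window, so a packed blob can be located
    even when header, stub and padding pull the whole-file figure below threshold."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def packed_regions(data: bytes, window: int = WINDOW,
                   threshold: float = PACKED_THRESHOLD) -> list[int]:
    """Offsets of the windows whose entropy exceeds the threshold."""
    return [off for off, e in windowed_entropy(data, window) if e > threshold]


# Constructed stand-in for a packed binary: 512 zero bytes of "header", a 4 KiB
# "compressed payload" with a perfectly uniform byte distribution, 512 bytes of padding.
SAMPLE_BINARY = bytes(512) + bytes(range(256)) * 16 + bytes(512)

if __name__ == "__main__":
    # Pass a file path to analyse a real binary; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    print(f"whole-file entropy: {shannon_entropy(blob):.3f}  packed? {is_likely_packed(blob)}")
    for off, e in windowed_entropy(blob):
        mark = "<-- above threshold" if e > PACKED_THRESHOLD else ""
        print(f"  0x{off:06x}  {e:5.3f} {mark}")
```

On the constructed sample the whole-file figure lands near 7.10, so the single-number check says "not packed", while the sixteen windows from offset 0x200 onward read 8.0.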