From cybersec-toolkit
Provides a structured methodology for CTF reverse engineering challenges: triage, packing detection, decompiler selection, dynamic analysis, anti-debug bypass, custom VM disassembly, and symbolic execution.
Install:

```bash
npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit
```

Slash command: `/cybersec-toolkit:ctf-rev`

Summaries Claude sees in its skill listing (used to decide when to auto-load the skill):

- Static-first analysis of compiled binaries (ELF/PE/Mach-O) and custom-VM bytecode for CTF and malware reverse engineering. Covers opcode inversion, callfuscation, MBA deobfuscation, and encrypted-handler decryption.
- Solves CTF reverse engineering challenges using systematic analysis to extract flags, keys, or passwords from crackmes, binary bombs, key validators, and obfuscated code.
- Guides binary reverse engineering with disassembly, decompilation, static/dynamic analysis using IDA Pro, Ghidra, radare2, x64dbg, and scripting via IDAPython, r2pipe, pwntools.
```bash
# Triage
file ./bin
strings ./bin | head -50
strings ./bin | grep -i "flag\|ctf{\|password\|key"
xxd ./bin | head -20          # magic bytes
checksec --file=./bin         # protections

# Entropy check (>7.5 bits/byte = packed/encrypted)
ent ./bin                     # or: python3 -c "from collections import Counter; ..."

# UPX / known packers
upx -t ./bin                  # tests + identifies UPX
detect-it-easy-cli ./bin
diec ./bin
```

If UPX-packed: `upx -d ./bin -o unpacked`. For custom packers: let the unpacking stub run under a debugger (gdb / x64dbg), then dump the unpacked image from process memory.
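A worked version of the entropy check above, added here as an example; it is not the skill's own `python3 -c` one-liner, which the page elides. It computes whole-file Shannon entropy and a per-window scan, because a packer stub plus low-entropy padding often pulls the whole-file figure under 7.5 while the packed payload windows sit near 8. The sample bytes are constructed inline (a repeated x86-64 prologue pattern followed by seeded PRNG output standing in for compressed data); the 4096-byte window and the command-line handling are my choices.

```python
"""Entropy triage for a binary: whole-file and per-window Shannon entropy.
Added example; the sample data below is constructed, not a real binary."""
import math
import random
import sys
from collections import Counter

PACKED_THRESHOLD = 7.5  # bits per byte; the >7.5 rule of thumb from the triage list
WINDOW = 4096           # assumed window size; one page is a reasonable default


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty/constant, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data, window=WINDOW):
    """(offset, entropy) for each consecutive window of the input."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def triage(data, window=WINDOW, threshold=PACKED_THRESHOLD):
    """Overall entropy plus the offsets of windows above the threshold.
    A stub plus payload can average below 7.5 overall while the payload
    windows themselves are ~7.9, so both figures are reported."""
    overall = shannon_entropy(data)
    hot = [off for off, e in window_entropies(data, window) if e > threshold]
    return overall, hot


def constructed_sample():
    """Stand-in for a packed binary: 4096 bytes of a repeated x86-64 prologue
    pattern (low entropy) followed by 4096 bytes of seeded PRNG output
    (high entropy, standing in for compressed/encrypted payload)."""
    code_like = bytes.fromhex("55 48 89 e5 48 83 ec 10 c7 45 fc 00 00 00 00 c3") * 256
    rng = random.Random(1337)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return code_like + packed


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    overall, hot = triage(data)
    print(f"overall entropy: {overall:.3f} bits/byte")
    for off, e in window_entropies(data):
        mark = "  <-- packed/encrypted?" if e > PACKED_THRESHOLD else ""
        print(f"  {off:#08x}: {e:.3f}{mark}")
    if hot:
        print("high-entropy windows at:", ", ".join(hex(o) for o in hot))
    else:
        print("no high-entropy windows")
```

Run it as `python3 entropy.py ./bin`; with no argument it scans the constructed sample. A high overall figure is enough to suspect a packer, but the per-window view is what tells you where the payload starts, which is the offset you want when dumping after the stub runs.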
| Binary type | Best tool |
|---|---|
| ELF / PE / Mach-O | Ghidra (registry), IDA (commercial), Binary Ninja |
| Stripped ELF | Ghidra + recover symbols via FunctionID / Lumen |
| .NET (DLL/EXE) | dnSpyEx, ilspycmd, dotPeek |
| Java JAR | jadx, cfr, procyon |
| Java class | javap -c -p |
| Android APK | jadx-gui, apktool d then jadx on dex |
| iOS / Mach-O | Hopper, Ghidra |
| Go binary | redress, GoReSym, Ghidra + Go plugin |
| Rust | Ghidra + rustfilt for symbols |
| WASM | wabt (wasm-decompile), wasmer for run |
| Python .pyc | uncompyle6, decompyle3, pycdc |
| PyInstaller .exe | pyinstxtractor then pycdc on .pyc |
| Compiled Lua | unluac, luadec |
```bash
# Trace
ltrace ./bin
strace ./bin
strace -f -e trace=read,write,open,openat ./bin   # modern libc opens files via openat, so trace both

# Debugger
gdb-multiarch ./bin
# pwndbg or gef extensions are loaded by default

# Fault injection / branch flipping
gdb> set $eax = 1   # change return value to bypass check ($rax on x86-64)
```
For Android: frida for runtime instrumentation, objection on top.
Common checks:

- `ptrace(PTRACE_TRACEME)` returns -1 if the process is already being debugged → patch the check with nops
- `/proc/self/status` `TracerPid:` check (non-zero means traced) → LD_PRELOAD a fake or patch it
- `IsDebuggerPresent()` (Windows) → patch the call site

Tooling: ScyllaHide (Windows), gdb scripts to auto-bypass, frida to hook.
If you see a big switch dispatcher reading a "bytecode" buffer, you are looking at a custom VM. This is common in harder rev challenges. Don't fight the VM, disassemble it: recover the opcode table from the handlers, write a disassembler for its bytecode, and analyse the program it runs instead of the interpreter.
For challenges where the input feeds a boolean check that is complex but pure (no I/O or side effects):

- angr: Python symbolic execution. Find the path to the "win" basic block.
- manticore: alternative.
- z3 directly: when constraints are explicit (e.g., `input[i] ^ key[i] == ...`). The pwntools venv has z3-solver already.
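One block serving both the custom-VM section above and the explicit-constraint case here, added as an example and not part of the skill: a toy accumulator VM with a five-opcode handler table (constructed; a real challenge's table comes from reading the dispatcher's handlers in the decompiler), a linear-sweep disassembler, an emulator to confirm a candidate input, and a solver that lifts each LOAD..CMP chain and inverts it op by op from the CMP target (opcode inversion). Every op here is a per-byte bijection, so direct inversion suffices; when a chain is not invertible (bytes mixed together, MBA, lossy ops), the same lifted chain is what you hand to z3 as constraints instead. The bytecode and the key it accepts are constructed for this example.

```python
"""Toy bytecode VM: disassemble, emulate, and invert the check.
Constructed for this example; opcode table, bytecode and key are not
taken from any real challenge."""

# Handler table as it would be recovered from the dispatcher's switch:
# opcode -> (mnemonic, operand byte count). 8-bit accumulator machine.
OPS = {
    0x01: ("LOAD", 1),   # acc = input[operand]
    0x02: ("XOR",  1),   # acc ^= operand
    0x03: ("ADD",  1),   # acc = (acc + operand) & 0xff
    0x04: ("ROL",  1),   # acc = rotate-left-8(acc, operand)
    0x05: ("CMP",  1),   # fail unless acc == operand
    0xFF: ("HALT", 0),
}

# Constructed bytecode: one LOAD ... CMP chain per input byte, then HALT.
BYTECODE = bytes.fromhex(
    "01 00 02 5a 03 11 04 03 05 c9 "
    "01 01 02 3c 03 21 04 04 05 03 "
    "01 02 03 0a 04 07 05 40 "
    "01 03 02 44 03 99 05 10 "
    "01 04 04 02 02 7f 05 fb "
    "ff"
)


def rol8(v, n):
    n &= 7
    return ((v << n) | (v >> (8 - n))) & 0xff


def ror8(v, n):
    n &= 7
    return ((v >> n) | (v << (8 - n))) & 0xff


def disassemble(code):
    """Linear sweep over the bytecode: [(offset, mnemonic, operands)]."""
    pc, listing = 0, []
    while pc < len(code):
        op = code[pc]
        if op not in OPS:
            raise ValueError(f"unknown opcode {op:#04x} at {pc:#06x}")
        name, nargs = OPS[op]
        args = list(code[pc + 1:pc + 1 + nargs])
        listing.append((pc, name, args))
        pc += 1 + nargs
        if name == "HALT":
            break
    return listing


def emulate(code, inp):
    """Run the VM on a candidate input; True iff every CMP passes."""
    acc = 0
    for _, name, args in disassemble(code):
        if name == "LOAD":
            acc = inp[args[0]]
        elif name == "XOR":
            acc ^= args[0]
        elif name == "ADD":
            acc = (acc + args[0]) & 0xff
        elif name == "ROL":
            acc = rol8(acc, args[0])
        elif name == "CMP" and acc != args[0]:
            return False
    return True


def lift_chains(listing):
    """Group instructions into (input index, [(op, imm), ...], CMP target)."""
    chains, ops, idx = [], [], None
    for _, name, args in listing:
        if name == "LOAD":
            ops, idx = [], args[0]
        elif name == "CMP":
            chains.append((idx, ops, args[0]))
        elif name in ("XOR", "ADD", "ROL"):
            ops.append((name, args[0]))
    return chains


# Each transform is a bijection on a byte, so its inverse is exact.
INVERSE = {
    "XOR": lambda v, k: v ^ k,
    "ADD": lambda v, k: (v - k) & 0xff,
    "ROL": ror8,
}


def solve(code):
    """Opcode inversion: walk each chain backwards from its CMP target."""
    chains = lift_chains(disassemble(code))
    key = bytearray(max(idx for idx, _, _ in chains) + 1)
    for idx, ops, target in chains:
        v = target
        for name, imm in reversed(ops):
            v = INVERSE[name](v, imm)
        key[idx] = v
    return bytes(key)


if __name__ == "__main__":
    for off, name, args in disassemble(BYTECODE):
        print(f"{off:04x}: {name:<5}" + " ".join(f"{a:#04x}" for a in args))
    key = solve(BYTECODE)
    print("recovered:", key, "accepted:", emulate(BYTECODE, key))
```

The disassembly listing is the artifact worth keeping for the writeup; once it reads as a per-byte chain, the solver is a few lines. Replace `INVERSE` with z3 `BitVec` expressions when a real VM's handlers are not individually invertible.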
- main, focus there
- strings, objdump, readelf: use the tools
- radare2 or Ghidra's patch instructions
- Use the writeup-template skill. Include the key reverse-engineered algorithm or VM disassembly.