From offensive-claude
Reverse-engineers binaries and firmware via static triage, decompilation (Ghidra/IDA/Binary Ninja), dynamic instrumentation (GDB/Frida/angr), anti-reversing bypass, OLLVM/VM deobfuscation, UEFI/BIOS RE, and patch-diffing for n-days.
How this skill is triggered — by the user, by Claude, or both
Slash command
/offensive-claude:reverse-engineeringThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
- Triaging an unknown compiled binary (ELF/PE/Mach-O) or stripped/obfuscated sample for vulns or capability.
references/anti-reversing-bypass.mdreferences/coverage-reachability.mdreferences/deobfuscation.mdreferences/dynamic-instrumentation.mdreferences/firmware-uefi.mdreferences/patch-diffing-protocol.mdreferences/rr-time-travel.mdreferences/static-triage-decompilation.mdscripts/antidebug_unhook.pyscripts/cve_diff.pyscripts/deflatten_triton.pyscripts/frida_universal.jsscripts/ghidra/DecompileToC.javascripts/patchdiff_fetch.pyscripts/proto_infer.pyscripts/rr_root_cause.shscripts/string_decrypt_emu.pyscripts/triage.pyscripts/uefi_triage.py| Technique | ATT&CK | CWE | Reference | Script |
|---|---|---|---|---|
| Binary triage (format/arch/mitigations/strings/imports) | T1592.002, T1518.001 | CWE-1395 | references/static-triage-decompilation.md | scripts/triage.py |
| Headless decompilation (Ghidra 11.4 / r2 / IDA) | T1592.002 | CWE-noinfo | references/static-triage-decompilation.md | scripts/triage.py |
| AI/MCP-assisted RE (Sidekick / GhidrAssistMCP / LLM4Decompile) | T1592.002 | CWE-noinfo | references/static-triage-decompilation.md | - |
| Dynamic debugging (GDB/GEF, x64dbg, conditional bps) | T1622 | CWE-noinfo | references/dynamic-instrumentation.md | - |
| Frida 17 instrumentation + SSL-pin/JNI hooking | T1622, T1562.001 | CWE-noinfo | references/dynamic-instrumentation.md | scripts/frida_universal.js |
| Symbolic / concolic execution (angr, Triton) | T1480.001 | CWE-noinfo | references/dynamic-instrumentation.md | scripts/deflatten_triton.py |
| Anti-debug detection & bypass (PEB/ptrace/HW-bp/timing) | T1622, T1497.001 | CWE-noinfo | references/anti-reversing-bypass.md | scripts/antidebug_unhook.py |
| Anti-VM / sandbox-evasion neutralization | T1497, T1497.003 | CWE-noinfo | references/anti-reversing-bypass.md | scripts/antidebug_unhook.py |
| Packer unpack → OEP dump (UPX/runtime packers) | T1027.002, T1620 | CWE-noinfo | references/anti-reversing-bypass.md | scripts/antidebug_unhook.py |
| String / API-hash deobfuscation (Unicorn emulation) | T1027.013, T1140, T1027.007 | CWE-noinfo | references/deobfuscation.md | scripts/string_decrypt_emu.py |
| OLLVM control-flow-flattening de-flattening | T1027.009, T1027 | CWE-noinfo | references/deobfuscation.md | scripts/deflatten_triton.py |
| VM-protector devirtualization (VMProtect 3.x / Themida) | T1027.009 | CWE-noinfo | references/deobfuscation.md | scripts/deflatten_triton.py |
| Firmware extraction (binwalk/squashfs/QEMU emulation) | T1542.001 | CWE-1263 | references/firmware-uefi.md | scripts/uefi_triage.py |
| UEFI/BIOS RE + Secure Boot bypass research | T1542.001, T1542.003 | CWE-347 | references/firmware-uefi.md | scripts/uefi_triage.py |
| Patch diffing → n-day root cause (BinDiff/Diaphora/ghidriff) | T1203, T1592.002 | CWE-noinfo | references/patch-diffing-protocol.md | scripts/patchdiff_fetch.py |
| Protocol / file-format inference (Netzob/Kaitai) | T1592.002 | CWE-noinfo | references/patch-diffing-protocol.md | scripts/proto_infer.py |
# 0. Triage: format, arch, mitigations, packer entropy, strings, imports, capabilities → JSON
python3 scripts/triage.py ./sample -o out/triage.json
# 1. Headless decompile to C (Ghidra 11.4 analyzeHeadless wrapper inside triage.py --decompile)
python3 scripts/triage.py ./sample --decompile --ghidra "$GHIDRA_HOME" -o out/
# 2. If packed/protected → defeat anti-debug, dump OEP (run under x64dbg+ScyllaHide on Windows)
python3 scripts/antidebug_unhook.py --scan ./sample # enumerate anti-debug primitives first
# 3. Dynamic: attach Frida (Android/Linux/Win), universal SSL-unpin + native trace
frida -U -f com.target.app -l scripts/frida_universal.js --no-pause
# 4. Deobfuscate: emulate string decryptor over all xrefs; de-flatten OLLVM with Triton
python3 scripts/string_decrypt_emu.py ./sample --func 0x401500 --auto-xref -o out/strings.txt
python3 scripts/deflatten_triton.py ./sample --func 0x401abc -o out/cfg.dot
# 5. Firmware: carve + identify + map UEFI DXE/PEI attack surface, scan for PKfail/known hashes
python3 scripts/uefi_triage.py firmware.bin -o out/fw/
# 6. n-day: fetch pre/post-patch Windows binary from winbindex and diff
python3 scripts/patchdiff_fetch.py --pe afd.sys --kb-after KB5050000 -o out/diff/
# 7. Unknown protocol: infer fields/state machine from a pcap, emit Kaitai + Wireshark dissector
python3 scripts/proto_infer.py capture.pcap --port 4444 -o out/proto/
| Technique | Telemetry / IOC | Detection (Sigma/EDR) | OPSEC note |
|---|---|---|---|
| Static triage / decompile | None (offline on analyst box) | N/A — runs in lab | Analyze copies in an isolated, snapshotted VM; never on the target |
| Frida / dynamic hooking | frida-agent.so in /proc/self/maps, port 27042, gum-js-loop/gmain threads, ptrace on target | App-side RASP (Talsec/DeepID), frida-string scans, EDR userland hook tripwires | Rename agent, use gadget+-l script mode, embed gadget in APK to dodge port checks |
| Anti-debug bypass | Debug registers DR0-7 set, PEB.BeingDebugged flips, hooked Nt* prologues | Self-integrity checks, KiUserExceptionDispatcher checks, TitanHide-vs-malware arms race | Prefer kernel TitanHide/HyperHide for hardened packers; snapshot before each run |
| Packer/OEP dump | New RWX region, IAT rebuild, written dump.exe on disk | EDR RWX-alloc + tail-jump heuristics (lab only) | All in lab; dumped sample is for analysis, not redeployment |
| String/API-hash decrypt (Unicorn) | None on target (offline emulation) | N/A | Pure offline; safe — no sample execution of network/FS code |
| Firmware / SPI flash dump | Hardware: chip-clip on SPI; software: chipsec/flashrom reads | Boot Guard / measured boot (TPM PCRs), Binarly/CHIPSEC verifiers | Physical/authorized only; flashing back a modded image is destructive & loud |
| Secure Boot bypass research | New unsigned bootloader in ESP, MokList/dbx anomalies, unexpected bootmgfw hash | Measured boot PCR[0/2/4/7] drift, dbx revocation checks, ESET/Binarly scanners | Lab VMs / disposable hardware; document, never persist a real implant |
| Patch diffing | None on target (fetches public binaries) | N/A | Public Microsoft/distro binaries; n-day PoC stays in lab until disclosure/ROE |
| Protocol inference | Replays captured/crafted packets at the service | IDS on malformed/replayed frames; rate anomalies | Throttle active probes; prefer passive pcap when a live target is in scope |
analyzeHeadless + PyGhidra, r2/rizin & IDA decompile flows, and the 2025 AI/MCP-assisted layer (Binary Ninja Sidekick, GhidrAssistMCP, LLM4Decompile / SK²Decompile) with verification discipline.trace_proof artifact. Backed by scripts/rr_root_cause.sh (degrades gracefully where rr is absent). Runs in .devcontainer/.--coverage, run the witness, assert the line is not #####) and -finstrument-functions/rr/uftrace function traces; the coverage_proof/trace_proof the native-bug bar in validate_findings.py requires before [CONFIRMED].scripts/cve_diff.py — multi-source canonical fix-commit discovery (OSV/NVD/GitHub Advisories) with de-dup by (repo, sha) + OSV GIT-range fixed events, then a scope-gated, git_safe-hardened clone + git diff fix^..fix. Use it to locate the patch before BinDiff/ghidriff; chain into /engage.crash for root-cause + exploitability.npx claudepluginhub hypnguyen1209/offensive-claude --plugin offensive-claudeStatic-first analysis of compiled binaries (ELF/PE/Mach-O) and custom-VM bytecode for CTF and malware reverse engineering. Covers opcode inversion, callfuscation, MBA deobfuscation, and encrypted-handler decryption.
Assists with binary analysis, disassembly, firmware reverse engineering, and protocol RE. Helps read and interpret x86/ARM/MIPS assembly, decompiled output from Ghidra/IDA/radare2, and CTF binary challenges.
Provides a structured methodology for CTF reverse engineering challenges: triage, packing detection, decompiler selection, dynamic analysis, anti-debug bypass, custom VM disassembly, and symbolic execution.