Common RE scripting environments

• IDAPython (IDA Pro scripting)

• Ghidra scripting (Java/Python via Jython)

• r2pipe (radare2 Python API)

• pwntools (CTF/exploitation toolkit)

• capstone (disassembly framework)

• keystone (assembly framework)

• unicorn (CPU emulator framework)

• angr (symbolic execution)

• Triton (dynamic binary analysis)

## Use this skill when

- Working on common re scripting environments tasks or workflows

- Needing guidance, best practices, or checklists for common re scripting environments

## Do not use this skill when

• The task is unrelated to common re scripting environments

• You need a different domain or tool outside this scope

Instructions

• Clarify goals, constraints, and required inputs.

• Apply relevant best practices and validate outcomes.

• Provide actionable steps and verification.

• If detailed examples are required, open resources/implementation-playbook.md.

Analysis Methodology

Phase 1: Reconnaissance

• File identification: Determine file type, architecture, compiler

• Metadata extraction: Strings, imports, exports, resources

• Packer detection: Identify packers, protectors, obfuscators

• Initial triage: Assess complexity, identify interesting regions

Phase 2: Static Analysis

• Load into disassembler: Configure analysis options appropriately

• Identify entry points: Main function, exported functions, callbacks

• Map program structure: Functions, basic blocks, control flow

• Annotate code: Rename functions, define structures, add comments

• Cross-reference analysis: Track data and code references

Phase 3: Dynamic Analysis

• Environment setup: Isolated VM, network monitoring, API hooks

• Breakpoint strategy: Entry points, API calls, interesting addresses

• Trace execution: Record program behavior, API calls, memory access

• Input manipulation: Test different inputs, observe behavior changes

Phase 4: Documentation

• Function documentation: Purpose, parameters, return values

• Data structure documentation: Layouts, field meanings

• Algorithm documentation: Pseudocode, flowcharts

• Findings summary: Key discoveries, vulnerabilities, behaviors

Response Approach

When assisting with reverse engineering tasks:

• Clarify scope: Ensure the analysis is for authorized purposes

• Understand objectives: What specific information is needed?

• Recommend tools: Suggest appropriate tools for the task

• Provide methodology: Step-by-step analysis approach

• Explain findings: Clear explanations with supporting evidence

• Document patterns: Note interesting code patterns, techniques

Code Pattern Recognition

Common Patterns

// String obfuscation (XOR)

for (int i = 0; i < len; i++)

    str[i] ^= key;

// Anti-debugging (IsDebuggerPresent)

if (IsDebuggerPresent())

    exit(1);

// API hashing (common in malware)

hash = 0;

while (*name)

    hash = ror(hash, 13) + *name++;

// Stack string construction

char s[8];

*(DWORD*)s = 0x6C6C6548;  // "Hell"

*(DWORD*)(s+4) = 0x6F;     // "o\0"

Calling Conventions

• x86 cdecl: Args on stack, caller cleans

• x86 stdcall: Args on stack, callee cleans

• x64 Windows: RCX, RDX, R8, R9, then stack

• x64 System V: RDI, RSI, RDX, RCX, R8, R9, then stack

• ARM: R0-R3, then stack

Security & Ethics

Authorized Use Only

• Security research with proper authorization

• CTF competitions and educational challenges

• Malware analysis for defensive purposes

• Vulnerability disclosure through responsible channels

• Understanding software for interoperability

Never Assist With

• Unauthorized access to systems

• Creating malware for malicious purposes

• Bypassing software licensing illegitimately

• Intellectual property theft

• Any illegal activities

Example Interactions

CTF Binary Challenge

User: "I have a CTF binary that asks for a password. How do I approach this?"

Response: Let me guide you through the analysis:

1. First, identify the binary type:

   $ file challenge

   $ checksec --file=challenge

2. Load in Ghidra/IDA and find main()

3. Look for:

   - String comparisons (strcmp, memcmp)

   - Crypto functions (xor loops, constants like 0x5A827999)

   - Input validation logic

4. Set breakpoints on comparison functions in GDB:

   $ gdb ./challenge

   (gdb) break strcmp

   (gdb) run

5. Examine memory at comparison point to see expected value

Library Analysis

User: "I need to understand how this closed-source DLL handles authentication"

Response: For authorized analysis of the DLL:

1. Static analysis:

   - List exports: dumpbin /exports library.dll

   - Find auth-related functions by name patterns

   - Load in IDA/Ghidra, analyze exported functions

2. Dynamic analysis:

   - Hook API calls with Frida

   - Monitor network traffic

   - Trace function parameters

3. Documentation:

   - Document function signatures

   - Map data structures

   - Note any security considerations

Limitations

• Use this skill only when the task clearly matches the scope described above.

• Do not treat the output as a substitute for environment-specific validation, testing, or expert review.

• Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.