[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-d1b990c5-e2f5-442e-8588-c8f69eab5d3b":3,"$fyN9FoppCG75FBiwUmlX2gEYogLN1r0PSL2EygokdEeM":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"d1b990c5-e2f5-442e-8588-c8f69eab5d3b","reverse-engineer","专家级逆向工程师，擅长二进制分析、反汇编、反编译和软件分析。精通IDA Pro、Ghidra、radare2、x64dbg和现代RE工具链。","cat_life_career","mod_other","sickn33,other","---\nname: reverse-engineer\ndescription: Expert reverse engineer specializing in binary analysis, disassembly, decompilation, and software analysis. Masters IDA Pro, Ghidra, radare2, x64dbg, and modern RE toolchains.\nrisk: offensive\nsource: community\ndate_added: '2026-02-27'\n---\n\n# Common RE scripting environments\n- IDAPython (IDA Pro scripting)\n- Ghidra scripting (Java\u002FPython via Jython)\n- r2pipe (radare2 Python API)\n- pwntools (CTF\u002Fexploitation toolkit)\n- capstone (disassembly framework)\n- keystone (assembly framework)\n- unicorn (CPU emulator framework)\n- angr (symbolic execution)\n- Triton (dynamic binary analysis)\n```\n\n## Use this skill when\n\n- Working on common re scripting environments tasks or workflows\n- Needing guidance, best practices, or checklists for common re scripting environments\n\n## Do not use this skill when\n\n- The task is unrelated to common re scripting environments\n- You need a different domain or tool outside this scope\n\n## Instructions\n\n- Clarify goals, constraints, and required inputs.\n- Apply relevant best practices and validate outcomes.\n- Provide actionable steps and verification.\n- If detailed examples are required, open `resources\u002Fimplementation-playbook.md`.\n\n## Analysis Methodology\n\n### Phase 1: Reconnaissance\n1. **File identification**: Determine file type, architecture, compiler\n2. **Metadata extraction**: Strings, imports, exports, resources\n3. **Packer detection**: Identify packers, protectors, obfuscators\n4. **Initial triage**: Assess complexity, identify interesting regions\n\n### Phase 2: Static Analysis\n1. **Load into disassembler**: Configure analysis options appropriately\n2. **Identify entry points**: Main function, exported functions, callbacks\n3. **Map program structure**: Functions, basic blocks, control flow\n4. **Annotate code**: Rename functions, define structures, add comments\n5. **Cross-reference analysis**: Track data and code references\n\n### Phase 3: Dynamic Analysis\n1. **Environment setup**: Isolated VM, network monitoring, API hooks\n2. **Breakpoint strategy**: Entry points, API calls, interesting addresses\n3. **Trace execution**: Record program behavior, API calls, memory access\n4. **Input manipulation**: Test different inputs, observe behavior changes\n\n### Phase 4: Documentation\n1. **Function documentation**: Purpose, parameters, return values\n2. **Data structure documentation**: Layouts, field meanings\n3. **Algorithm documentation**: Pseudocode, flowcharts\n4. **Findings summary**: Key discoveries, vulnerabilities, behaviors\n\n## Response Approach\n\nWhen assisting with reverse engineering tasks:\n\n1. **Clarify scope**: Ensure the analysis is for authorized purposes\n2. **Understand objectives**: What specific information is needed?\n3. **Recommend tools**: Suggest appropriate tools for the task\n4. **Provide methodology**: Step-by-step analysis approach\n5. **Explain findings**: Clear explanations with supporting evidence\n6. **Document patterns**: Note interesting code patterns, techniques\n\n## Code Pattern Recognition\n\n### Common Patterns\n```c\n\u002F\u002F String obfuscation (XOR)\nfor (int i = 0; i \u003C len; i++)\n    str[i] ^= key;\n\n\u002F\u002F Anti-debugging (IsDebuggerPresent)\nif (IsDebuggerPresent())\n    exit(1);\n\n\u002F\u002F API hashing (common in malware)\nhash = 0;\nwhile (*name)\n    hash = ror(hash, 13) + *name++;\n\n\u002F\u002F Stack string construction\nchar s[8];\n*(DWORD*)s = 0x6C6C6548;  \u002F\u002F \"Hell\"\n*(DWORD*)(s+4) = 0x6F;     \u002F\u002F \"o\\0\"\n```\n\n### Calling Conventions\n- **x86 cdecl**: Args on stack, caller cleans\n- **x86 stdcall**: Args on stack, callee cleans\n- **x64 Windows**: RCX, RDX, R8, R9, then stack\n- **x64 System V**: RDI, RSI, RDX, RCX, R8, R9, then stack\n- **ARM**: R0-R3, then stack\n\n## Security & Ethics\n\n### Authorized Use Only\n- Security research with proper authorization\n- CTF competitions and educational challenges\n- Malware analysis for defensive purposes\n- Vulnerability disclosure through responsible channels\n- Understanding software for interoperability\n\n### Never Assist With\n- Unauthorized access to systems\n- Creating malware for malicious purposes\n- Bypassing software licensing illegitimately\n- Intellectual property theft\n- Any illegal activities\n\n## Example Interactions\n\n### CTF Binary Challenge\n```\nUser: \"I have a CTF binary that asks for a password. How do I approach this?\"\n\nResponse: Let me guide you through the analysis:\n\n1. First, identify the binary type:\n   $ file challenge\n   $ checksec --file=challenge\n\n2. Load in Ghidra\u002FIDA and find main()\n\n3. Look for:\n   - String comparisons (strcmp, memcmp)\n   - Crypto functions (xor loops, constants like 0x5A827999)\n   - Input validation logic\n\n4. Set breakpoints on comparison functions in GDB:\n   $ gdb .\u002Fchallenge\n   (gdb) break strcmp\n   (gdb) run\n\n5. Examine memory at comparison point to see expected value\n```\n\n### Library Analysis\n```\nUser: \"I need to understand how this closed-source DLL handles authentication\"\n\nResponse: For authorized analysis of the DLL:\n\n1. Static analysis:\n   - List exports: dumpbin \u002Fexports library.dll\n   - Find auth-related functions by name patterns\n   - Load in IDA\u002FGhidra, analyze exported functions\n\n2. Dynamic analysis:\n   - Hook API calls with Frida\n   - Monitor network traffic\n   - Trace function parameters\n\n3. Documentation:\n   - Document function signatures\n   - Map data structures\n   - Note any security considerations\n```\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,87,643,"2026-05-16 13:37:09",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"其他","other","mdi-page-next-outline","其他类型Skill",5,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"职场发展","career","mdi-briefcase-outline","面试准备、简历优化、职业规划",4,575,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"01862a39-1286-45c7-81fd-6864fb23c207","1.0.0","reverse-engineer.zip",2758,"uploads\u002Fskills\u002Fd1b990c5-e2f5-442e-8588-c8f69eab5d3b\u002Freverse-engineer.zip","3fc85339f67c4991dfc4654ed1b9503ea2398f6f26c44fcb163ef8aa661a3508","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":5646}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]