
CTF Reverse Engineering

Binary analysis and reverse engineering for CTF

CTF Reverse Engineering Cheat Sheet

Quick reference for reversing challenges in CTFs.


Initial Analysis

File Info

BASH
file binary                   # Arch, bitness, static/dynamic, stripped or not
strings binary | grep -i flag
strings binary | grep -i password

# Check for packed/obfuscated: a packed binary has very few strings, and UPX leaves "UPX!" in the file
upx -d binary  # Unpack UPX

ELF Analysis

BASH
readelf -h binary     # Headers
readelf -S binary     # Sections
readelf -s binary     # Symbols
checksec binary       # Security features

Static Analysis

Ghidra

TEXT
1. Import binary
2. Auto-analyze
3. Find main() in Symbol Tree
4. Check Functions for interesting names
5. Look for strings in Defined Strings

IDA Free

TEXT
1. Open binary
2. F5 for decompile
3. X for cross-references
4. N to rename variables

radare2

BASH
r2 -A binary          # Analyze
afl                   # List functions
pdf @ main            # Disassemble main
axt @ sym.func        # Cross refs to function
iz                    # Strings in data sections (izz: whole binary)

objdump

BASH
objdump -d binary           # Disassemble
objdump -d -M intel binary  # Intel syntax
objdump -t binary           # Symbols

Dynamic Analysis

GDB

BASH
gdb ./binary

# Commands
r                    # Run
b main               # Breakpoint at main
b *0x401234          # Breakpoint at address
c                    # Continue
ni                   # Next instruction
si                   # Step into
x/s 0x401234         # Examine as string
x/10wx $rsp          # Examine 10 4-byte words at RSP (x/10gx for 8-byte qwords on x86-64)
info registers       # Show registers

GDB with pwndbg/gef

BASH
# Better interface
vmmap                # Memory mapping
heap                 # Heap info
telescope            # Smart memory view

ltrace/strace

BASH
ltrace ./binary      # Library calls (dynamically linked binaries only; -s 256 shows long strings)
strace ./binary      # System calls

Common Patterns

Password Check

C
// Look for strcmp, strncmp, memcmp applied to user input
if (strcmp(input, "secret") == 0) {
    printf("Correct!");
}

// XOR password: the expected bytes are stored XOR'd with a key, so
// password[i] = encrypted[i] ^ key[i] recovers them (XOR is its own inverse).
// Parentheses matter: in C, != binds tighter than ^.
for (i = 0; i < len; i++) {
    if ((input[i] ^ key[i]) != encrypted[i]) fail();
}

Anti-Debug

C
// ptrace check: a process can be traced only once, so PTRACE_TRACEME
// returns -1 when a debugger is already attached
if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) exit(1);

// Bypass: patch the comparison/jump, or LD_PRELOAD a shared object whose
// ptrace() returns 0; in gdb, `catch syscall ptrace` and set $rax = 0 on return

Obfuscated Strings

BASH
# XOR'd strings - find the XOR key
# Look for loops that modify data byte by byte right before it is printed or compared
# Check initialized data sections (.data/.rodata) for blobs with no readable text
# Known plaintext helps: flag format (e.g. "flag{") XOR'd with the ciphertext gives the key bytes
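Both XOR patterns above (the XOR'd password check and XOR'd string constants) reduce to the same arithmetic, so the following added example covers both; it is not code from the original cheat sheet. The key, encrypted password and data blob are constructed sample values, not taken from any real challenge. It recovers the password when the key is known, brute-forces a single-byte key by looking for the flag format, and derives key bytes from known plaintext.

```python
from itertools import cycle


def xor_bytes(data, key):
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_password(encrypted, key):
    """The check passes when input[i] ^ key[i] == encrypted[i], so the
    accepted input is encrypted[i] ^ key[i]."""
    return xor_bytes(encrypted, key)


def brute_single_byte_xor(blob, marker=b"flag{"):
    """Try every single-byte key; keep the ones whose plaintext contains marker."""
    hits = []
    for k in range(256):
        plain = xor_bytes(blob, bytes([k]))
        if marker in plain:
            hits.append((k, plain))
    return hits


def known_plaintext_key(cipher, known_plain):
    """Key bytes for the positions where the plaintext is known (e.g. the flag prefix).
    For a repeating key this yields the first len(known_plain) key bytes."""
    return bytes(c ^ p for c, p in zip(cipher, known_plain))


# Constructed sample data (assumption: values as they would be pulled from .data/.rodata).
KEY = b"CTF!"                                                     # repeating key
ENCRYPTED = b"\x30\x67\x25\x53\x70\x20\x19\x51\x34"               # "s3cr3t_pw" ^ KEY
BLOB = bytes([0x3c, 0x36, 0x3b, 0x3d, 0x21, 0x22, 0x6a, 0x28,    # a flag string
              0x05, 0x6b, 0x29, 0x05, 0x34, 0x6a, 0x2e, 0x05,    # XOR'd with one
              0x39, 0x28, 0x23, 0x2a, 0x2e, 0x6a, 0x27])         # unknown byte

if __name__ == "__main__":
    print("password:", recover_password(ENCRYPTED, KEY))
    for k, plain in brute_single_byte_xor(BLOB):
        print(f"key 0x{k:02x}:", plain)
    print("key from known plaintext:", known_plaintext_key(BLOB, b"flag{"))
```

In a real target, pull `ENCRYPTED` and `BLOB` from the initialized data section (the addresses the decoding loop reads from), and when no flag format is known, rank candidate keys by how much of the output is printable instead of matching a marker.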

Python Reversing

pyc Decompile

BASH
# Python bytecode: uncompyle6/decompyle3 handle versions up to 3.8, pycdc handles newer ones
uncompyle6 program.pyc
pycdc program.pyc

Analyze

BASH
# python -m dis compiles *source*; it does not read .pyc files
python -m dis program.py
# For a .pyc: skip the 16-byte header (Python 3.7+), marshal.loads the rest, then dis.dis() the code object
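When no decompiler supports the target's Python version, the bytecode can still be read directly. The following is an added example, not code from the original page: it compiles a small constructed crackme to a .pyc with the standard library, parses the .pyc header, and then pulls string constants and a disassembly out of the code object. It assumes the .pyc was produced by the same interpreter version it runs under, which it checks via the magic number.

```python
import dis
import importlib.util
import io
import marshal
import os
import py_compile
import struct
import tempfile

PYC_HEADER_LEN = 16  # Python 3.7+: magic(4) | flags(4) | mtime+size or source hash(8)
                     # (12 bytes on 3.3-3.6, 8 bytes before that)

# Constructed crackme source, not a real challenge.
SAMPLE_SOURCE = '''\
def check(pw):
    return pw == "s3cr3t"

if __name__ == "__main__":
    print("Correct!" if check(input("password: ")) else "Wrong")
'''


def load_pyc(path):
    """Return (module code object, hash_based) from a .pyc produced by this interpreter."""
    with open(path, "rb") as f:
        data = f.read()
    magic = data[:4]
    if magic != importlib.util.MAGIC_NUMBER:
        raise ValueError(
            f"pyc magic {magic.hex()} != this interpreter's "
            f"{importlib.util.MAGIC_NUMBER.hex()}: use the matching Python version (or pycdc)")
    flags = struct.unpack_from("<I", data, 4)[0]
    hash_based = flags & 1        # PEP 552: bit 0 set => hash-based, same header length
    return marshal.loads(data[PYC_HEADER_LEN:]), hash_based


def string_constants(code):
    """str/bytes constants from a code object and every nested function's code object."""
    found = []
    for const in code.co_consts:
        if isinstance(const, (str, bytes)):
            found.append(const)
        elif hasattr(const, "co_consts"):      # nested code object (function, lambda, class body)
            found.extend(string_constants(const))
    return found


def disassemble(code):
    """Full text listing; dis.dis recurses into nested code objects by default."""
    buf = io.StringIO()
    dis.dis(code, file=buf)
    return buf.getvalue()


def analyze_sample():
    """Compile the sample to a .pyc in a temp dir and analyze it as a black box."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "crackme.py")
        with open(src, "w") as f:
            f.write(SAMPLE_SOURCE)
        pyc = py_compile.compile(src, cfile=os.path.join(tmp, "crackme.pyc"), doraise=True)
        code, _hash_based = load_pyc(pyc)
        return string_constants(code), disassemble(code)


if __name__ == "__main__":
    consts, listing = analyze_sample()
    print("string constants:", consts)
    print(listing)
```

The `COMPARE_OP` right after a `LOAD_CONST` of the password string is the pattern to look for in the listing; in a real .pyc, replace `analyze_sample` with `load_pyc("program.pyc")` run under the interpreter version that matches the magic.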

.NET/Java

.NET

BASH
# Decompile with dnSpy or ILSpy
dnSpy.exe program.exe
# Can also modify and save

Java

BASH
# JAR files
jar tf program.jar           # List contents
jd-gui program.jar          # Decompile

Quick Wins

BASH
# Check for obvious strings
strings binary | grep -iE "flag|password|secret|key"

# Check for Base64
strings binary | grep -E "^[A-Za-z0-9+/]{20,}={0,2}$"

# Run with ltrace
ltrace ./binary 2>&1 | grep -i strcmp

# Patch binary
# In GDB: set {char}0x401234 = 0x90 (NOP) - changes process memory only;
# start gdb with --write to patch the file, or write the byte at that address's file offset
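Making a patch persist means translating the virtual address seen in gdb or objdump into a file offset, which the ELF program headers provide. The following added example (not from the original page) builds a constructed minimal ELF64 with one PT_LOAD segment, maps a VA to its file offset, and NOPs out a conditional jump while checking that the expected bytes are there first. Addresses and instruction bytes are made up for the demonstration; for a PIE binary subtract the load base shown by `vmmap` before calling `va_to_offset`.

```python
import struct

ELF64_EHDR = "<16sHHIQQQIHHHHHH"   # 64-byte ELF header
ELF64_PHDR = "<IIQQQQQQ"          # 56-byte program header
PT_LOAD = 1


def build_sample_elf():
    """Constructed sample: header, one R+X PT_LOAD segment, padding, a few bytes of code."""
    base, code_off = 0x400000, 0x80
    code = (
        b"\x31\xc0"              # 0x400080  xor eax, eax
        b"\x85\xc0"              # 0x400082  test eax, eax
        b"\x75\x05"              # 0x400084  jne +5        <- the "wrong password" branch
        b"\xb8\x01\x00\x00\x00"  # 0x400086  mov eax, 1
        b"\xc3"                  # 0x40008b  ret
    )
    size = code_off + len(code)
    ehdr = struct.pack(
        ELF64_EHDR,
        b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7,  # ELF64, little-endian, SYSV ABI
        2, 0x3e, 1,            # ET_EXEC, EM_X86_64, EV_CURRENT
        base + code_off,       # e_entry
        64, 0, 0,              # e_phoff, e_shoff, e_flags
        64, 56, 1, 64, 0, 0)   # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack(ELF64_PHDR, PT_LOAD, 5, 0, base, base, size, size, 0x1000)
    blob = ehdr + phdr
    return blob + b"\x00" * (code_off - len(blob)) + code


def load_segments(data):
    """(p_vaddr, p_offset, p_filesz) for every PT_LOAD segment of a little-endian ELF64."""
    fields = struct.unpack_from(ELF64_EHDR, data, 0)
    ident, e_phoff, e_phentsize, e_phnum = fields[0], fields[5], fields[9], fields[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    segs = []
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = \
            struct.unpack_from(ELF64_PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_vaddr, p_offset, p_filesz))
    return segs


def va_to_offset(data, va):
    """Map a virtual address to its file offset via the PT_LOAD segment that contains it."""
    for p_vaddr, p_offset, p_filesz in load_segments(data):
        if p_vaddr <= va < p_vaddr + p_filesz:   # p_filesz, not p_memsz: .bss has no file bytes
            return va - p_vaddr + p_offset
    raise ValueError(f"0x{va:x} is not backed by file bytes in any PT_LOAD segment")


def patch_bytes(data, va, new, expect=None):
    """Return (patched copy, old bytes); `expect` guards against patching the wrong spot."""
    off = va_to_offset(data, va)
    old = data[off:off + len(new)]
    if expect is not None and old != expect:
        raise ValueError(f"bytes at 0x{va:x} are {old.hex()}, expected {expect.hex()}")
    return data[:off] + new + data[off + len(new):], old


if __name__ == "__main__":
    elf = build_sample_elf()
    patched, old = patch_bytes(elf, 0x400084, b"\x90\x90", expect=b"\x75\x05")  # jne -> nop; nop
    print(f"patched {old.hex()} -> {patched[0x84:0x86].hex()} at file offset 0x{va_to_offset(elf, 0x400084):x}")
    with open("patched.bin", "wb") as f:
        f.write(patched)
```

For a real target, read the file into `data` instead of calling `build_sample_elf`, keep the patch the same length as the instruction bytes it replaces (pad with `0x90`), and re-run `checksec`/`file` afterwards to confirm nothing else shifted.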

Useful Tools

Tool              Purpose
Ghidra            Free decompiler
IDA Free          Disassembler
radare2/Cutter    CLI/GUI analysis
GDB + pwndbg      Dynamic analysis
Binary Ninja      Commercial decompiler
dnSpy             .NET decompiler
jadx              Android/Java decompiler