LIBRARY-FIRST PROTOCOL (MANDATORY)

Before writing ANY code, you MUST check:

Step 1: Library Catalog

• Location: .claude/library/catalog.json

• If match >70%: REUSE or ADAPT

Step 2: Patterns Guide

• Location: .claude/docs/inventories/LIBRARY-PATTERNS-GUIDE.md

• If pattern exists: FOLLOW documented approach

Step 3: Existing Projects

• Location: D:\Projects*

• If found: EXTRACT and adapt

Decision Matrix

Match Action

Library >90% REUSE directly

Library 70-90% ADAPT minimally

Pattern exists FOLLOW pattern

In project EXTRACT

No match BUILD (add to library after)

When to Use This Skill

Use this skill when analyzing malware samples, reverse engineering binaries for security research, conducting vulnerability assessments, extracting IOCs from suspicious files, validating software for supply chain security, or performing CTF challenges and binary exploitation research.

When NOT to Use This Skill

Do NOT use for unauthorized reverse engineering of commercial software, analyzing binaries on production systems, reversing software without legal authorization, violating terms of service or EULAs, or analyzing malware outside isolated environments. Avoid for simple string extraction (use basic tools instead).

Success Criteria

• All security-relevant behaviors identified (network, file, registry, process activity)

• Malicious indicators extracted with confidence scores (IOCs, C2 domains, encryption keys)

• Vulnerabilities documented with CVE mapping where applicable

• Analysis completed within sandbox environment (VM/container with snapshots)

• Findings validated through multiple analysis methods (static + dynamic + symbolic)

• Complete IOC report generated (STIX/MISP format for threat intelligence sharing)

• Zero false positives in vulnerability assessments

• Exploitation proof-of-concept created (if vulnerability research)

Edge Cases & Challenges

• Anti-analysis techniques (debugger detection, VM detection, timing checks)

• Obfuscated or packed binaries requiring unpacking

• Multi-stage malware with encrypted payloads

• Kernel-mode rootkits requiring specialized analysis

• Symbolic execution state explosion (>10,000 paths)

• Binary analysis timeout on complex programs (>24 hours)

• False positives from legitimate software behavior

• Encrypted network traffic requiring SSL interception

Guardrails (CRITICAL SECURITY RULES)

• NEVER execute unknown binaries on host systems (ONLY in isolated VM/sandbox)

• NEVER analyze malware without proper containment (air-gapped lab preferred)

• NEVER reverse engineer software without legal authorization

• NEVER share extracted credentials or encryption keys publicly

• NEVER bypass licensing mechanisms for unauthorized use

• ALWAYS use sandboxed environments with network monitoring

• ALWAYS take VM snapshots before executing suspicious binaries

• ALWAYS validate findings through multiple analysis methods

• ALWAYS document analysis methodology with timestamps

• ALWAYS assume binaries are malicious until proven safe

• ALWAYS use network isolation to prevent malware communication

• ALWAYS sanitize IOCs before sharing (redact internal IP addresses)

Evidence-Based Validation

All reverse engineering findings MUST be validated through:

• Multi-method analysis - Static + dynamic + symbolic execution confirm same behavior

• Sandbox validation - Execute in isolated environment, capture all activity

• Network monitoring - Packet capture validates network-based findings

• Memory forensics - Validate runtime secrets through memory dumps

• Behavioral correlation - Cross-reference with known malware signatures (YARA, ClamAV)

• Reproducibility - Second analyst can replicate findings from analysis artifacts

Reverse Engineering: Deep Analysis

What This Skill Does

Performs deep reverse engineering through runtime execution and symbolic exploration:

• Level 3 (≤1 hr): Dynamic analysis - Execute in sandbox with GDB, capture memory/secrets, trace syscalls

• Level 4 (2-6 hrs): Symbolic execution - Use Angr/Z3 to synthesize inputs that reach target states

Decision Gate: After Level 3, evaluates if symbolic execution needed to reach unexplored paths.

Timebox: 3-7 hours total

Prerequisites

Level 3 Tools

• GDB with GEF or Pwndbg extensions

• strace/ltrace - System/library call tracing

• Sandbox environment - Isolated execution (firejail, Docker, or custom)

Level 4 Tools

• Angr - Symbolic execution framework (Python)

• Z3 - SMT solver

• Python 3.9+ - For Angr scripts

MCP Servers

• sandbox-validator

• Safe binary execution

• memory-mcp

• Store runtime findings

• sequential-thinking

• Path exploration decisions

• graph-analyst

• Visualize execution paths

⚠️ CRITICAL SECURITY WARNING

NEVER execute unknown binaries on your host system!

All dynamic analysis, debugging, and symbolic execution MUST be performed in:

• Isolated VM (VMware/VirtualBox with snapshots for rollback)

• Docker container with security policies (--security-opt , --cap-drop=ALL )

• E2B sandbox via sandbox-configurator skill with network monitoring

• Dedicated malware analysis lab (air-gapped if handling APTs)

Consequences of unsafe execution:

• Malware infection with kernel-level rootkits

• Memory corruption and system instability

• Data exfiltration via covert channels

• Supply chain attacks via trojanized builds

• Complete system compromise

Safe Practices:

• Always use sandboxed environments with snapshots

• Monitor syscalls and network activity during execution

• Use GDB/Angr in isolated containers only

• Never attach debuggers to binaries on production systems

• Validate all inputs before symbolic execution

• Assume all binaries are malicious until proven safe through static analysis

Quick Start

1. Full deep analysis (Levels 3+4)

/re:deep crackme.exe

2. Dynamic analysis only (Level 3)

/re:dynamic server.bin --args "--port 8080"

3. Symbolic execution only (Level 4)

/re:symbolic challenge.exe --target-addr 0x401337

Level 3: Dynamic Analysis (≤1 hour)

Step 1: Safe Execution in Sandbox

/re:dynamic binary.exe --args "test input" --sandbox true

Sandboxing:

• Filesystem isolation (read-only /usr, /bin)

• Network disabled or monitored

• Process limits (CPU, memory, time)

• Prevents malware escape

Step 2: Retrieve Static Analysis Context

Before executing, the skill automatically retrieves Level 2 findings:

// Check memory-mcp for static analysis results const staticFindings = await mcp__memory-mcp__vector_search({ query: binary_hash, filter: {category: "reverse-engineering", re_level: 2} })

// Extract critical functions and suggested breakpoints const breakpoints = staticFindings.critical_functions.map(f => f.address) // Example: ["0x401234", "0x401567", "0x4018ab"]

Step 3: GDB Session with Auto-Loaded Breakpoints

Automatically loads breakpoints from Level 2 static analysis:

Auto-generated from static analysis

break *0x401234 # check_password function break *0x401567 # validate_license function break *0x4018ab # decrypt_config function

Run with test input

run --flag "test_input_from_user"

GDB Session Commands (executed automatically):

At each breakpoint:

1. Dump all registers

info registers

2. Dump stack (100 bytes)

x/100x $rsp

3. Dump heap allocations (if applicable)

info proc mappings x/100x [heap_address]

4. Search for secrets in memory

find 0x600000, 0x700000, "password" find 0x600000, 0x700000, "admin"

5. Dump interesting strings from registers

x/s $rdi # First argument (often string pointer) x/s $rsi # Second argument

Step 4: Capture Runtime State

At each breakpoint, the skill captures:

Register State:

RAX: 0x0000000000401337 RBX: 0x0000000000000000 RCX: 0x00007fffffffe010 → "user_input_here" RDX: 0x0000000000000010 RSI: 0x00007fffffffe020 → "expected_password" RDI: 0x00007fffffffe030 → buffer RBP: 0x00007fffffffe100 RSP: 0x00007fffffffe0e0 RIP: 0x0000000000401234 → check_password

Stack Dump (saved to re-project/dbg/0x401234-stack.bin ):

0x7fffffffe0e0: 0x0000000000401337 0x0000000000000000 0x7fffffffe0f0: 0x00007fffffffe200 0x0000000000000001

Memory Secrets (extracted automatically):

Found at 0x601000: "admin:SecretP@ss123" Found at 0x601020: "license_key=ABC-DEF-GHI-JKL" Found at 0x601040: "api_token=eyJhbGciOiJIUzI1NiIs..."

Syscall Trace (via strace):

Automatically executed in parallel

strace -o re-project/dbg/syscalls.log ./binary.exe --flag test

Output:

open("/etc/config.ini", O_RDONLY) = 3 read(3, "password=admin123\n", 1024) = 18 socket(AF_INET, SOCK_STREAM, 0) = 4 connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.168.1.100")}, 16) = 0 send(4, "POST /api/login HTTP/1.1\r\n...", 256, 0) = 256

Step 5: Output Structure

re-project/dbg/ ├── gdb-session.log # Full GDB transcript ├── breakpoints.txt # List of breakpoints set ├── memory-dumps/ │ ├── 0x401234-registers.txt │ ├── 0x401234-stack.bin │ ├── 0x401567-registers.txt │ ├── 0x401567-stack.bin │ └── 0x4018ab-heap.bin ├── syscalls.log # strace output ├── libcalls.log # ltrace output └── runtime-secrets.txt # Extracted passwords, keys, tokens

Step 6: Decision Gate - Escalate to Level 4?

// Automatically evaluated via sequential-thinking MCP const decision = await mcp__sequential-thinking__evaluate({ question: "Should we proceed to symbolic execution (Level 4)?", factors: [ Branches explored: ${explored_branches}/${total_branches}, Unreachable code found: ${unreachable_functions.length > 0}, User's question answered: ${findings_sufficient}, Input-dependent paths: ${symbolic_paths_needed} ] })

// Example evaluation: // - Explored 12/20 branches (60% coverage) // - Found 3 unreachable functions (possible anti-debug) // - User wants to reach "win" function at 0x401337 (NOT YET REACHED) // - Input-dependent path detected (password check with strcmp) // DECISION: ESCALATE TO LEVEL 4

Level 4: Symbolic Execution (2-6 hours)

Step 1: Define Target State from Dynamic Analysis

From Level 3: Couldn't reach "win" function at 0x401337 with manual inputs

target_addr = 0x401337 # Goal: Find input that reaches this

From Level 3: These functions lead to failure/exit

avoid_addrs = [ 0x401400, # fail_message function 0x401500, # bad_password function 0x401600 # exit_program function ]

Step 2: Launch Symbolic Exploration

/re:symbolic binary.exe
--target-addr 0x401337
--avoid-addrs 0x401400,0x401500,0x401600
--max-states 1000
--timeout 7200

What Happens Under the Hood:

import angr import claripy

Step 2.1: Load binary into Angr project

project = angr.Project('./binary.exe', auto_load_libs=False)

Step 2.2: Create symbolic input

Assume input is 32-byte flag

flag_length = 32 flag = claripy.BVS('flag', flag_length * 8)

Step 2.3: Create entry state with symbolic stdin

state = project.factory.entry_state( stdin=flag, add_options={angr.options.LAZY_SOLVES} )

Step 2.4: Add constraints - printable ASCII only

for byte in flag.chop(8): state.add_constraints(byte >= 0x20) # Printable ASCII start state.add_constraints(byte <= 0x7e) # Printable ASCII end

Step 2.5: Create simulation manager

simgr = project.factory.simulation_manager(state)

Step 2.6: Explore paths (DFS strategy)

simgr.explore( find=0x401337, # Target address avoid=[0x401400, 0x401500, 0x401600], # Avoid addresses num_find=1, # Stop after finding first solution max_states=1000 # Prevent state explosion )

Step 2.7: Check if solution found

if simgr.found: # Extract concrete input solution_state = simgr.found[0] solution = solution_state.solver.eval(flag, cast_to=bytes) print(f"Solution: {solution.decode()}")

# Save solution
with open('re-project/sym/solutions/solution-1.txt', 'wb') as f:
    f.write(solution)

else: print("No solution found within constraints")

Step 3: Advanced Symbolic Techniques

Technique 1: Hook Library Functions

Replace complex library functions with symbolic summaries

import angr

Hook strcmp to return symbolic value

class StrCmpHook(angr.SimProcedure): def run(self, s1, s2): # Return symbolic comparison result s1_str = self.state.memory.load(s1, 32) s2_str = self.state.memory.load(s2, 32) return s1_str == s2_str

project.hook_symbol('strcmp', StrCmpHook())

Technique 2: State Merging for Complex Paths

Merge states at loop entry to prevent explosion

simgr.use_technique(angr.exploration_techniques.Veritesting())

Alternative: Manual state merging

while simgr.active: simgr.step() if len(simgr.active) > 50: # Merge similar states simgr.merge()

Technique 3: Constraint Simplification

Add intermediate constraints to guide exploration

state.add_constraints( flag[0:4] == b'FLAG' # Known prefix from hints )

This reduces search space dramatically

Without: 256^32 possibilities

With: 256^28 possibilities (4 bytes fixed)

Step 4: Validate Solution

Test synthesized input

echo "FLAG_synthesized_solution_here" | ./binary.exe

Expected output:

"Success! You reached the target state."

"Congratulations! Flag: CTF{...}"

Validation Steps:

• Run binary with synthesized input

• Verify execution reaches target address (0x401337)

• Check output matches expected success message

• Store validated solution in memory-mcp

Step 5: Output Structure

re-project/sym/ ├── angr-script.py # Reproducible Angr script ├── solutions/ │ ├── solution-1.txt # First valid solution │ ├── solution-2.txt # Alternative solution (if --find-all) │ └── solution-3.txt ├── constraints/ │ ├── path-1.smt2 # Z3 constraints for path 1 │ ├── path-2.smt2 │ └── simplified.smt2 # Simplified constraint set ├── validation.log # Validation test results └── exploration-metrics.json # States explored, time taken, coverage

exploration-metrics.json:

{ "total_states": 847, "found_states": 3, "avoided_states": 124, "deadended_states": 720, "execution_time_sec": 3245, "coverage_percent": 78.5, "memory_usage_mb": 2847, "solutions_found": 3 }

Advanced Options

Custom Breakpoints (Dynamic Analysis)

Set breakpoints at crypto functions

/re:dynamic binary.exe --breakpoints AES_encrypt,RSA_sign,MD5_update

Set breakpoints at specific addresses

/re:dynamic binary.exe --breakpoints 0x401000,0x402000,0x403000

Conditional breakpoints (GDB syntax)

/re:dynamic binary.exe --breakpoints "0x401234 if $rdi == 0x601000"

Advanced GDB Scripting:

Custom GDB Python script (auto-loaded if found)

re-project/gdb-script.py

import gdb

class PasswordBreakpoint(gdb.Breakpoint): def init(self, location): super().init(location)

def stop(self):
    # Extract password from RDI register
    rdi = gdb.parse_and_eval('$rdi')
    password = gdb.execute(f'x/s {rdi}', to_string=True)

    # Log to file
    with open('passwords.log', 'a') as f:
        f.write(f"{password}\n")

    # Continue execution
    return False

Set custom breakpoint

PasswordBreakpoint("check_password")

Symbolic Exploration Strategies

Strategy 1: Find ALL Solutions

Exhaustive search (may take hours)

/re:symbolic binary.exe
--target-addr 0x401337
--find-all true
--max-solutions 10
--timeout 14400

In Angr script

simgr.explore( find=0x401337, avoid=avoid_addrs, num_find=10 # Find up to 10 solutions )

Process all found solutions

for idx, state in enumerate(simgr.found): solution = state.solver.eval(flag, cast_to=bytes) with open(f'solution-{idx+1}.txt', 'wb') as f: f.write(solution)

Strategy 2: Limit State Explosion

Aggressive pruning

/re:symbolic binary.exe
--max-states 100
--avoid-addrs 0x401400,0x401500,0x401600
--strategy dfs # Depth-first search (memory efficient)

Use Veritesting to merge paths

simgr.use_technique(angr.exploration_techniques.Veritesting())

Drop states if too many active

simgr.use_technique(angr.exploration_techniques.LengthLimiter(max_length=100))

Prioritize states closer to target

simgr.use_technique(angr.exploration_techniques.Explorer( find=0x401337, avoid=avoid_addrs, num_find=1 ))

Strategy 3: Under-Constrained Symbolic Execution

Start from target address and work backwards

project = angr.Project('./binary.exe')

Create state at target address (not entry point)

state = project.factory.blank_state(addr=0x401337)

Make all memory symbolic

state.options.add(angr.options.SYMBION_SYNC_CLE)

Explore backwards to find required input

simgr = project.factory.simulation_manager(state) simgr.explore(find=project.entry)

This finds inputs that MUST lead to target

Memory Dump Analysis

Dump specific memory regions

/re:dynamic binary.exe
--dump-regions heap,stack,data
--dump-at-breakpoints 0x401234,0x401567

Custom Memory Analysis:

GDB Python script for heap analysis

import gdb

def analyze_heap(): # Get heap boundaries mappings = gdb.execute('info proc mappings', to_string=True) heap_start = extract_heap_start(mappings) heap_end = extract_heap_end(mappings)

# Scan for interesting patterns
for addr in range(heap_start, heap_end, 8):
    value = gdb.execute(f'x/g {addr}', to_string=True)

    # Check if value looks like a pointer
    if is_valid_pointer(value):
        gdb.execute(f'x/s {value}')  # Dereference as string

analyze_heap()

Comprehensive Workflow Examples

Workflow 1: Malware Analysis with Runtime Secrets

Scenario: Analyze malware sample to extract C2 server URL and encryption keys

Phase 1: Dynamic Analysis (Level 3)

Step 1: Safe sandbox execution

/re:dynamic malware.exe --sandbox true --network-monitor true

Step 2: GDB session auto-starts with breakpoints from static analysis

Breakpoints at: decrypt_config, connect_to_c2, send_beacon

Step 3: At decrypt_config breakpoint (0x401234)

(gdb) info registers RAX: 0x0000000000601000 → encrypted_buffer RDI: 0x0000000000601100 → decryption_key

(gdb) x/s 0x601100 0x601100: "hardcoded_AES_key_12345"

Step 4: Continue to connect_to_c2 breakpoint (0x401567)

(gdb) continue

(gdb) x/s $rdi 0x601200: "http://malicious-c2.tk:8443/beacon"

Step 5: Extract all findings

Runtime Secrets Found:

• AES Key: "hardcoded_AES_key_12345"
• C2 URL: "http://malicious-c2.tk:8443/beacon"
• User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

Phase 2: Decision Gate

// Automatically evaluated QUESTION: "Proceed to symbolic execution?" FACTORS:

• All critical functions reached ✅
• Secrets extracted (AES key, C2 URL) ✅
• User's question answered (extract IOCs) ✅
• No unreachable paths requiring symbolic execution ❌ DECISION: STOP AT LEVEL 3 (sufficient findings)

Output: Malware analysis complete in 45 minutes with full IOC extraction.

Workflow 2: CTF Challenge - Reversing License Check

Scenario: Find valid license key to unlock "premium features" in binary

Phase 1: Dynamic Analysis (Level 3)

Step 1: Test with invalid key

/re:dynamic challenge.exe --args "--license AAAA-BBBB-CCCC-DDDD"

Output: "Invalid license key"

Step 2: GDB reveals license check at 0x401234

(gdb) break *0x401234 (gdb) run --license AAAA-BBBB-CCCC-DDDD

Step 3: Examine comparison

(gdb) x/s $rdi 0x7fffffffe010: "AAAA-BBBB-CCCC-DDDD" # User input

(gdb) x/s $rsi 0x601000: [encrypted data, not readable]

Observation: License key is compared against encrypted/hashed value

Cannot extract valid key directly from memory

Phase 2: Decision Gate

QUESTION: "Proceed to symbolic execution?" FACTORS:

• License check function found ✅
• Valid key NOT extractable from memory ✅
• Comparison is complex (encryption/hashing) ✅
• User wants valid license key ✅ DECISION: ESCALATE TO LEVEL 4 (symbolic execution required)

Phase 3: Symbolic Execution (Level 4)

Launch Angr symbolic execution

/re:symbolic challenge.exe
--target-addr 0x401337 \ # "Premium features unlocked" message --avoid-addrs 0x401400 \ # "Invalid license" path --input-format "FLAG-XXXX-XXXX-XXXX"
--max-states 500

Angr Script (auto-generated):

import angr import claripy

project = angr.Project('./challenge.exe', auto_load_libs=False)

License key format: FLAG-XXXX-XXXX-XXXX (19 chars)

license_key = claripy.BVS('license', 19 * 8)

Create entry state with symbolic license as argv[2]

state = project.factory.entry_state(args=['./challenge.exe', '--license', license_key])

Constrain to valid format: FLAG-XXXX-XXXX-XXXX

for i in range(19): if i in [0, 1, 2, 3]: # "FLAG" state.add_constraints(license_key.get_byte(i) == ord("FLAG"[i])) elif i in [4, 9, 14]: # Dashes state.add_constraints(license_key.get_byte(i) == ord('-')) else: # X = uppercase letters or digits byte = license_key.get_byte(i) state.add_constraints( claripy.Or( claripy.And(byte >= ord('A'), byte <= ord('Z')), claripy.And(byte >= ord('0'), byte <= ord('9')) ) )

Explore

simgr = project.factory.simulation_manager(state) simgr.explore(find=0x401337, avoid=0x401400)

if simgr.found: solution = simgr.found[0].solver.eval(license_key, cast_to=bytes) print(f"Valid License: {solution.decode()}") # Output: "FLAG-A7B2-C9D4-E1F6"

Validation:

$ ./challenge.exe --license FLAG-A7B2-C9D4-E1F6 Premium features unlocked! Congratulations! Here is your flag: CTF{symbolic_execution_wins}

Output: Challenge solved in 3.5 hours total (45min dynamic + 3hr symbolic).

Workflow 3: Vulnerability Research - Buffer Overflow

Scenario: Find exploitable buffer overflow in server binary

Phase 1: Dynamic Analysis (Level 3)

Step 1: Launch server in sandbox

/re:dynamic server.bin --args "--port 8080" --sandbox true

Step 2: Fuzz with large inputs

echo "A"*1000 | nc localhost 8080

GDB catches segfault

Program received signal SIGSEGV, Segmentation fault. 0x4141414141414141 in ?? ()

Step 3: Analyze crash

(gdb) info registers RIP: 0x4141414141414141 # Overwritten return address RSP: 0x7fffffffe100 RBP: 0x4141414141414141

(gdb) x/100x $rsp

Shows stack completely overwritten with 'A' (0x41)

Step 4: Find offset to return address

Use pattern_create and pattern_offset from GEF/Pwndbg

(gdb) pattern create 1000 (gdb) run

Crash at offset 512

Confirmed: Buffer overflow at offset 512, control of RIP

Phase 2: Decision Gate

QUESTION: "Proceed to symbolic execution?" FACTORS:

• Buffer overflow confirmed ✅
• Offset to RIP known (512 bytes) ✅
• Exploitation demonstrated ✅
• User's goal: find vulnerability ✅ (COMPLETE) DECISION: STOP AT LEVEL 3 (vulnerability found)

Output: Vulnerability research complete in 30 minutes.

Troubleshooting

Issue 1: Sandbox Blocks Execution

Symptoms: Binary fails to run with "Permission denied" or syscall blocked errors

Cause: Sandbox too restrictive, blocking necessary syscalls

Solution 1: Whitelist necessary syscalls

Check which syscalls are blocked

strace ./binary.exe 2>&1 | grep "Operation not permitted"

Create custom seccomp profile

cat > sandbox-profile.json <<EOF { "defaultAction": "SCMP_ACT_ERRNO", "syscalls": [ {"names": ["read", "write", "open", "close"], "action": "SCMP_ACT_ALLOW"}, {"names": ["socket", "connect"], "action": "SCMP_ACT_ALLOW"} ] } EOF

Use custom profile

/re:dynamic binary.exe --sandbox-profile sandbox-profile.json

Solution 2: Use less restrictive sandbox

Disable network isolation only (allow file access)

/re:dynamic server.bin --sandbox true --allow-network true

Or use Docker instead of seccomp

docker run --rm -v $(pwd):/work -it ubuntu:20.04 /work/binary.exe

Issue 2: GDB Fails to Attach

Symptoms: "ptrace: Operation not permitted" or GDB won't start

Cause: System security settings prevent ptrace

Solution 1: Temporarily allow ptrace (Linux)

Check current setting

cat /proc/sys/kernel/yama/ptrace_scope

1 = restricted, 0 = unrestricted

Temporarily allow (requires sudo)

echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope

Rerun analysis

/re:dynamic binary.exe

Solution 2: Run GDB with sudo

sudo /re:dynamic binary.exe

Solution 3: Use container (bypass host restrictions)

docker run --cap-add=SYS_PTRACE --rm -it ubuntu:20.04 bash

Inside container:

apt update && apt install gdb gdb ./binary.exe

Issue 3: Angr State Explosion

Symptoms: Symbolic execution runs out of memory or times out with thousands of active states

Cause: Binary has too many branches, creating exponential state explosion

Solution 1: Add more avoid states

Find all "failure" functions from static analysis

/re:static binary.exe --list-functions | grep -i "fail|error|exit"

Add all failure addresses to avoid list

/re:symbolic binary.exe
--target-addr 0x401337
--avoid-addrs 0x401400,0x401500,0x401600,0x401700,0x401800
--max-states 100

Solution 2: Use Veritesting (merge states automatically)

In custom Angr script

simgr.use_technique(angr.exploration_techniques.Veritesting())

This merges similar states, reducing explosion by 10-100x

Solution 3: Start from intermediate address (skip unimportant code)

Skip initialization code, start at license check function

state = project.factory.blank_state(addr=0x401234)

Set up expected register/memory state (from Level 3 analysis)

state.regs.rdi = state.solver.BVS('input', 32*8)

Explore from this point only

simgr = project.factory.simulation_manager(state) simgr.explore(find=0x401337)

Issue 4: Memory Dumps Too Large

Symptoms: GDB dumps gigabytes of memory, fills disk space

Cause: Dumping entire address space instead of targeted regions

Solution 1: Target specific memory regions from vmmap

Check memory mappings

(gdb) info proc mappings

Example output:

0x400000-0x600000 r-xp /path/binary.exe (code)

0x600000-0x700000 rw-p /path/binary.exe (data)

0x7ffff7a0d000-0x7ffff7bcd000 r-xp /lib/libc.so (library)

Dump ONLY data section (where secrets likely are)

(gdb) dump binary memory data-section.bin 0x600000 0x700000

Dump ONLY stack (where local variables are)

(gdb) dump binary memory stack.bin $rsp-0x1000 $rsp+0x1000

Solution 2: Use selective breakpoint dumps

Only dump memory at specific breakpoints, not every instruction

/re:dynamic binary.exe
--breakpoints 0x401234,0x401567
--dump-at-breakpoints true
--dump-regions stack,heap

Issue 5: Symbolic Execution Timeout

Symptoms: Angr runs for hours without finding solution

Cause: Constraint solver (Z3) stuck on complex constraints

Solution 1: Increase timeout and simplify constraints

/re:symbolic binary.exe
--timeout 14400 \ # 4 hours --max-states 200
--simplify-constraints true

Solution 2: Use incremental solving

Add constraints incrementally instead of all at once

state.solver.add(constraint1) if state.satisfiable(): state.solver.add(constraint2) if state.satisfiable(): state.solver.add(constraint3)

Solution 3: Use faster solver (CVC4 or Boolector)

import angr import claripy

Use faster solver backend

claripy.backends.backend_manager.backends._eager_backends = [ claripy.backends.BackendConcrete, claripy.backends.BackendZ3 # Replace with BackendCVC4 ]

Performance Optimization

Speed Up Dynamic Analysis (Level 3)

Optimization 1: Parallel Syscall Tracing

Run strace and ltrace in parallel

(strace -o syscalls.log ./binary.exe &) (ltrace -o libcalls.log ./binary.exe &) wait

Optimization 2: GDB Scripting for Automation

GDB Python script for automatic analysis

re-project/auto-analyze.py

import gdb

breakpoints = [0x401234, 0x401567, 0x4018ab]

for bp_addr in breakpoints: gdb.Breakpoint(f"*{bp_addr}")

Run until first breakpoint

gdb.execute('run')

At each breakpoint, dump and continue

for i in range(len(breakpoints)): # Dump state regs = gdb.execute('info registers', to_string=True) stack = gdb.execute('x/100x $rsp', to_string=True)

with open(f'bp-{i}-state.txt', 'w') as f:
    f.write(f"Registers:\n{regs}\nStack:\n{stack}\n")

# Continue
if i < len(breakpoints) - 1:
    gdb.execute('continue')

Usage:

gdb -x auto-analyze.py ./binary.exe

Optimization 3: Selective Memory Dumping

Only dump memory if interesting patterns found

/re:dynamic binary.exe
--dump-on-pattern "password|secret|key|token"
--dump-regions heap

Speed Up Symbolic Execution (Level 4)

Optimization 1: Use Faster Exploration Strategy

DFS is memory-efficient but may explore wrong paths

simgr.use_technique(angr.exploration_techniques.DFS())

BFS finds shortest path but uses more memory

simgr.use_technique(angr.exploration_techniques.BFS())

Hybrid: BFS until 100 states, then switch to DFS

simgr.use_technique(angr.exploration_techniques.Explorer( find=0x401337, num_find=1 ))

Optimization 2: Pre-Constrain Input Space

If you know input must start with "FLAG"

for i, char in enumerate("FLAG"): state.add_constraints(flag.get_byte(i) == ord(char))

This reduces search space from 256^32 to 256^28

Optimization 3: Hook Complex Functions

Replace slow library functions with fast symbolic summaries

project.hook_symbol('strlen', angr.SIM_PROCEDURES['libc']'strlen') project.hook_symbol('strcmp', angr.SIM_PROCEDURES['libc']'strcmp') project.hook_symbol('memcpy', angr.SIM_PROCEDURES['libc']'memcpy')

These are much faster than symbolically executing the actual implementations

Optimization 4: Parallelize Exploration

Split state space across multiple cores

from multiprocessing import Pool

def explore_from_state(state): simgr = project.factory.simulation_manager(state) simgr.explore(find=0x401337, avoid=avoid_addrs) return simgr.found

Split initial state into 4 copies with different constraints

states = [state.copy() for _ in range(4)] states[0].add_constraints(flag[0] < 0x40) states[1].add_constraints(claripy.And(flag[0] >= 0x40, flag[0] < 0x60)) states[2].add_constraints(claripy.And(flag[0] >= 0x60, flag[0] < 0x80)) states[3].add_constraints(flag[0] >= 0x80)

Explore in parallel

with Pool(4) as p: results = p.map(explore_from_state, states)

Collect solutions

for found_states in results: if found_states: print(found_states[0].solver.eval(flag, cast_to=bytes))

Memory-MCP Integration

Storing Level 3 Findings

// After dynamic analysis completes mcp__memory-mcp__memory_store({ content: { binary_hash: "sha256:abc123...", re_level: 3, execution_summary: { breakpoints_hit: ["0x401234", "0x401567", "0x4018ab"], runtime_secrets: [ {type: "password", value: "admin123", location: "0x601000"}, {type: "api_key", value: "sk_live_...", location: "0x601020"} ], syscalls: ["open", "read", "socket", "connect", "send"], network_activity: [ {proto: "HTTP", dest: "192.168.1.100:443", data: "POST /api/login"} ] }, gdb_dumps: { registers: "re-project/dbg/memory-dumps/", stack: "re-project/dbg/memory-dumps/", heap: "re-project/dbg/memory-dumps/" } }, metadata: { agent: "RE-Runtime-Tracer", category: "reverse-engineering", intent: "dynamic-analysis", layer: "long_term", project: binary-analysis-${date}, keywords: ["gdb", "dynamic", "runtime", "secrets"], re_level: 3, binary_hash: "sha256:abc123...", timestamp: new Date().toISOString() } })

Storing Level 4 Findings

// After symbolic execution completes mcp__memory-mcp__memory_store({ content: { binary_hash: "sha256:abc123...", re_level: 4, symbolic_summary: { target_address: "0x401337", avoid_addresses: ["0x401400", "0x401500"], solutions_found: 3, solutions: [ {input: "FLAG-A7B2-C9D4-E1F6", validated: true}, {input: "FLAG-B8C3-D0E5-F2G7", validated: true}, {input: "FLAG-C9D4-E1F6-G3H8", validated: true} ], exploration_metrics: { total_states: 847, execution_time_sec: 3245, coverage_percent: 78.5 } }, angr_script: "re-project/sym/angr-script.py", constraints: "re-project/sym/constraints/" }, metadata: { agent: "RE-Symbolic-Solver", category: "reverse-engineering", intent: "symbolic-execution", layer: "long_term", project: binary-analysis-${date}, keywords: ["angr", "symbolic", "z3", "solver"], re_level: 4, binary_hash: "sha256:abc123...", timestamp: new Date().toISOString() } })

Handoff Pattern: Level 3 → Level 4

// Level 3 stores handoff data mcp__memory-mcp__memory_store({ key: re-handoff/dynamic-to-symbolic/${binary_hash}, value: { decision: "ESCALATE_TO_LEVEL_4", reason: "Target function unreachable with manual inputs", target_address: "0x401337", avoid_addresses: ["0x401400", "0x401500", "0x401600"], input_format: "FLAG-XXXX-XXXX-XXXX", breakpoint_findings: { "0x401234": { description: "License check function", comparison_type: "encrypted", extractable: false } } } })

// Level 4 retrieves handoff data const handoff = await mcp__memory-mcp__vector_search({ query: re-handoff/dynamic-to-symbolic/${binary_hash} })

// Use handoff data to configure Angr const target = handoff.target_address const avoid = handoff.avoid_addresses const input_format = handoff.input_format

Agents & Commands

Agents Invoked

RE-Runtime-Tracer (Level 3)

• Specialist: Dynamic analysis with GDB/strace/ltrace

• Tools: GDB+GEF/Pwndbg, strace, ltrace, sandbox environments

• Output: Memory dumps, syscall traces, runtime secrets

RE-Symbolic-Solver (Level 4)

• Specialist: Symbolic execution with Angr/Z3

• Tools: Angr, Z3, Python symbolic execution frameworks

• Output: Synthesized inputs, constraint files, validated solutions

sandbox-validator (Level 3, automatic)

• Provides safe binary execution environment

• Prevents malware escape and system damage

graph-analyst (Level 4, automatic)

• Generates execution path visualizations

• Creates constraint dependency graphs

Slash Commands

• /re:deep <binary>

• Full Level 3+4 analysis (this skill's primary command)

• /re:dynamic <binary>

• Level 3 only (dynamic analysis)

• /re:symbolic <binary>

• Level 4 only (symbolic execution)

MCP Servers

• sandbox-validator: Safe binary execution with isolation

• memory-mcp: Cross-session persistence, handoff coordination

• sequential-thinking: Decision gate logic for escalation

• graph-analyst: Visualization of execution paths and constraints

Related Skills

• Reverse Engineering: Quick Triage - Levels 1-2 (string + static)

• Reverse Engineering: Firmware - Level 5 (firmware extraction)

• Functionality Audit - Validate reverse-engineered logic

• Production Validator - Ensure analysis results are production-ready

Resources

External Tools

• GDB - GNU Debugger

• GEF - GDB Enhanced Features

• Pwndbg - GDB plugin for exploit development

• Angr - Binary analysis platform

• Z3 - Microsoft SMT solver

Learning Resources

• Angr Documentation - Complete Angr guide

• Z3 Tutorial - Z3 Python bindings

• GDB to LLDB Command Map - For macOS users

• Practical Binary Analysis - Book

Community

• Angr Slack - Official Angr community

• r/ReverseEngineering - Subreddit

• Binary Ninja Discord - Reverse engineering community

Created: 2025-11-01 RE Levels: 3-4 (Dynamic Analysis + Symbolic Execution) Timebox: 3-7 hours Agents: RE-Runtime-Tracer, RE-Symbolic-Solver Category: Security, Malware Analysis, CTF, Binary Exploitation Difficulty: Advanced

Core Principles

Reverse Engineering: Deep Analysis operates on 3 fundamental principles:

Principle 1: Isolation-First Execution

Runtime analysis MUST occur in isolated environments to prevent malware escape and system compromise.

In practice:

• Execute all binaries in snapshots VMs/containers with network monitoring

• Use sandboxed debuggers (GDB in Docker, QEMU with snapshot mode)

• Monitor syscalls, network traffic, and file operations during execution

• Maintain air-gapped lab infrastructure for APT analysis

Principle 2: Multi-Method Validation

No single analysis technique provides complete truth - cross-validation prevents false positives.

In practice:

• Static analysis findings must be confirmed by dynamic execution

• Dynamic behavior must be reproducible across multiple runs

• Symbolic execution results must validate against real execution paths

• Memory dumps must correlate with network captures and syscall traces

Principle 3: Progressive Escalation

Start with lightweight methods, escalate only when necessary to minimize analysis time.

In practice:

• Level 3 (dynamic) reveals 80% of malware behavior in under 1 hour

• Escalate to Level 4 (symbolic) only when paths are unreachable manually

• Use decision gates to avoid over-engineering simple analysis tasks

• Cache findings in memory-mcp to prevent duplicate work

Common Anti-Patterns

Anti-Pattern Problem Solution

Executing malware on host system Complete system compromise, data exfiltration, ransomware deployment ALWAYS use isolated VM with snapshots, network monitoring, and rollback capability

Skipping static analysis before dynamic Waste time executing without understanding, miss packed binaries Run Level 1-2 (strings + static) first to identify entry points and breakpoints

Over-relying on symbolic execution State explosion, analysis timeout, resource exhaustion Use symbolic execution only for input-dependent paths unreachable by manual fuzzing

Ignoring anti-analysis techniques Debugger detection terminates analysis, VM detection changes behavior Patch anti-debug checks, use stealthy debugging environments, monitor timing attacks

Not documenting methodology Results not reproducible, findings challenged, legal issues Timestamp all actions, save GDB transcripts, document tool versions and commands used

Conclusion

Reverse Engineering: Deep Analysis represents the critical bridge between static code inspection and complete program comprehension. By combining runtime execution (Level 3) with symbolic path exploration (Level 4), this skill enables security researchers to extract secrets, validate vulnerabilities, and synthesize inputs that reach specific program states - capabilities essential for malware analysis, CTF challenges, and vulnerability research.

The skill's power lies in its automated decision gates and progressive escalation strategy. Rather than immediately jumping to resource-intensive symbolic execution, the skill starts with lightweight dynamic analysis using GDB and system call tracing. Only when manual execution fails to reach target states does it escalate to Angr-based symbolic execution, minimizing analysis time while maximizing findings.

Use this skill when you need to understand runtime behavior that static analysis cannot reveal: memory secrets, network communication patterns, or valid inputs for complex authentication schemes. The skill excels at extracting indicators of compromise from malware, finding valid license keys in crackmes, and generating proof-of-concept exploits for vulnerabilities. Combined with memory-mcp integration for cross-session persistence and handoff coordination with firmware analysis (Level 5), it forms a comprehensive reverse engineering workflow suitable for both academic research and production security operations.