ctf-reverse

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

CTF Reverse Engineering

CTF逆向工程

Quick reference for RE challenges. For detailed techniques, see supporting files.

RE（逆向工程）挑战速查手册。如需详细技术内容，请参阅配套文件。

Additional Resources

额外资源

tools.md - Static analysis tools (GDB, Ghidra, radare2, IDA, Binary Ninja, dogbolt.org, RISC-V with Capstone, Unicorn emulation, Python bytecode, WASM, Android APK, .NET, packed binaries)
tools-dynamic.md (includes Intel Pin instruction-counting side channel for movfuscated binaries) - Dynamic analysis tools: Frida (hooking, anti-debug bypass, memory scanning, Android/iOS), angr symbolic execution (path exploration, constraints, CFG), lldb (macOS/LLVM debugger), x64dbg (Windows), Qiling (cross-platform emulation with OS support), Triton (dynamic symbolic execution)
tools-advanced.md - Advanced tools: VMProtect/Themida analysis, binary diffing (BinDiff, Diaphora), deobfuscation frameworks (D-810, GOOMBA, Miasm), Rizin/Cutter, RetDec, advanced GDB (Python scripting, conditional breakpoints, watchpoints, reverse debugging with rr, pwndbg/GEF), advanced Ghidra scripting, patching (Binary Ninja API, LIEF)
ebpf-analysis.md - eBPF program analysis: structure/opcodes, identifying eBPF in challenges, bpftool disassembly, map data extraction, verifier constraints, extracting eBPF from binaries/PCAP, bpftrace dynamic analysis, CTF patterns (flag in map, eBPF as VM, seccomp filter bypass)
js-engine-re.md - JS engine & LLVM obfuscation: V8 object layout/tagged pointers/bytecode disassembly, SpiderMonkey shapes, JIT spray recognition, LLVM control flow flattening (D-810/angr deobfuscation), bogus control flow (Miasm), instruction substitution (sympy), JS AST deobfuscation (babel), eval/Function hook, V8 snapshot flag extraction, Wasm+JS combined challenges
anti-analysis.md - Comprehensive anti-analysis: Linux anti-debug (ptrace, /proc, timing, signals, direct syscalls), Windows anti-debug (PEB, NtQueryInformationProcess, heap flags, TLS callbacks, HW/SW breakpoint detection, exception-based, thread hiding), anti-VM/sandbox (CPUID, MAC, timing, artifacts, resources), anti-DBI (Frida detection/bypass), code integrity/self-hashing, anti-disassembly (opaque predicates, junk bytes), MBA identification/simplification, bypass strategies
patterns.md - Foundational binary patterns: custom VMs, anti-debugging, nanomites, self-modifying code, XOR ciphers, mixed-mode stagers, LLVM obfuscation, S-box/keystream, SECCOMP/BPF, exception handlers, memory dumps, byte-wise transforms, x86-64 gotchas, signal-based exploration, malware anti-analysis, multi-stage shellcode, timing side-channel, multi-thread anti-debug with decoy + signal handler MBA
patterns-ctf.md - Competition-specific patterns (Part 1): hidden emulator opcodes, LD_PRELOAD key extraction, SPN static extraction, image XOR smoothness, byte-at-a-time cipher, mathematical convergence bitmap, Windows PE XOR bitmap OCR, two-stage RC4+VM loaders, GBA ROM meet-in-the-middle, Sprague-Grundy game theory, kernel module maze solving, multi-threaded VM channels, backdoored shared library detection via string diffing
patterns-ctf-2.md - Competition-specific patterns (Part 2): multi-layer self-decrypting brute-force, embedded ZIP+XOR license, stack string deobfuscation, prefix hash brute-force, CVP/LLL lattice for integer validation, decision tree function obfuscation, GLSL shader VM, GF(2^8) Gaussian elimination, Z3 single-line Python circuit, sliding window popcount, keyboard LED Morse code via ioctl
languages.md - Language/platform-specific: Python bytecode & opcode remapping, Python version-specific bytecode, Pyarmor static unpack, DOS stubs, Unity IL2CPP, HarmonyOS HAP/ABC, Brainfuck/esolangs, UEFI, transpilation to C, code coverage side-channel, OPAL functional reversing, non-bijective substitution, Roblox place file analysis, Godot game asset extraction, Rust serde_json schema recovery, Verilog/hardware RE, Android JNI RegisterNatives, Ruby/Perl polyglot, Electron ASAR extraction + native binary analysis, Node.js npm runtime introspection
languages-compiled.md - Go binary reversing (GoReSym, goroutines, memory layout, channel ops, embed.FS), Rust binary reversing (demangling, Option/Result, Vec, panic strings), Swift binary reversing (demangling, protocol witness tables), Kotlin/JVM (coroutine state machines), C++ (vtable reconstruction, RTTI, STL patterns)
platforms.md - Platform-specific RE: macOS/iOS (Mach-O, code signing, Objective-C runtime, Swift, dyld, jailbreak bypass), embedded/IoT firmware (binwalk, UART/JTAG/SPI extraction, ARM/MIPS, RTOS), kernel drivers (Linux .ko, eBPF, Windows .sys), game engines (Unreal Engine, Unity, anti-cheat, Lua), automotive CAN bus, RISC-V advanced

tools.md - 静态分析工具（GDB、Ghidra、radare2、IDA、Binary Ninja、dogbolt.org、搭配Capstone的RISC-V分析、Unicorn仿真、Python字节码、WASM、Android APK、.NET、加壳二进制文件）
tools-dynamic.md（包含针对movfuscated二进制文件的Intel Pin指令计数侧信道分析）- 动态分析工具：Frida（挂钩、反调试绕过、内存扫描、Android/iOS分析）、angr符号执行（路径探索、约束分析、CFG生成）、lldb（macOS/LLVM调试器）、x64dbg（Windows平台）、Qiling（带系统支持的跨平台仿真）、Triton（动态符号执行）
tools-advanced.md - 高级工具：VMProtect/Themida分析、二进制对比（BinDiff、Diaphora）、反混淆框架（D-810、GOOMBA、Miasm）、Rizin/Cutter、RetDec、高级GDB（Python脚本、条件断点、观察点、基于rr的逆向调试、pwndbg/GEF插件）、高级Ghidra脚本、二进制补丁（Binary Ninja API、LIEF）
ebpf-analysis.md - eBPF程序分析：结构/操作码、识别挑战中的eBPF、bpftool反汇编、映射数据提取、验证器约束、从二进制文件/PCAP中提取eBPF、bpftrace动态分析、CTF常见模式（映射中的flag、作为VM的eBPF、seccomp过滤器绕过）
js-engine-re.md - JS引擎与LLVM混淆：V8对象布局/标记指针/字节码反汇编、SpiderMonkey形状识别、JIT喷射识别、LLVM控制流平坦化（D-810/angr反混淆）、虚假控制流（Miasm）、指令替换（sympy）、JS AST反混淆（babel）、eval/Function挂钩、V8快照flag提取、Wasm+JS混合挑战分析
anti-analysis.md - 全面反分析技术：Linux反调试（ptrace、/proc文件系统、计时检查、信号、直接系统调用）、Windows反调试（PEB、NtQueryInformationProcess、堆标志、TLS回调、硬件/软件断点检测、基于异常的检测、线程隐藏）、反VM/沙箱（CPUID、MAC地址、计时检查、 artifacts检测、资源检查）、反DBI（Frida检测与绕过）、代码完整性/自哈希、反汇编（不透明谓词、垃圾字节）、MBA识别与简化、绕过策略
patterns.md - 基础二进制模式：自定义VM、反调试、纳米断点、自修改代码、XOR加密、混合模式加载器、LLVM混淆、S盒/密钥流、SECCOMP/BPF、异常处理程序、内存转储、逐字节变换、x86-64陷阱、基于信号的探索、恶意软件反分析、多阶段Shellcode、计时侧信道、带诱饵+信号处理程序MBA的多线程反调试
patterns-ctf.md - 竞赛专属模式（第一部分）：隐藏的仿真器操作码、LD_PRELOAD密钥提取、SPN静态提取、图像XOR平滑度检测、逐字节加密、数学收敛位图、Windows PE XOR位图OCR、两阶段RC4+VM加载器、GBA ROM中间相遇攻击、Sprague-Grundy博弈论、内核模块迷宫求解、多线程VM信道、基于字符串对比的后门共享库检测
patterns-ctf-2.md - 竞赛专属模式（第二部分）：多层自解密暴力破解、嵌入式ZIP+XOR许可证、栈字符串反混淆、前缀哈希暴力破解、用于整数验证的CVP/LLL格基、决策树函数混淆、GLSL着色器VM、GF(2^8)高斯消元、基于Z3的单行Python电路、滑动窗口汉明权重、通过ioctl实现的键盘LED摩尔斯电码
languages.md - 特定语言/平台分析：Python字节码与操作码重映射、特定Python版本的字节码、Pyarmor静态脱壳、DOS存根、Unity IL2CPP、鸿蒙OS HAP/ABC、Brainfuck/小众编程语言、UEFI、转译为C语言、代码覆盖率侧信道、OPAL函数逆向、非双射替换、Roblox场景文件分析、Godot游戏资源提取、Rust serde_json Schema恢复、Verilog/硬件逆向、Android JNI RegisterNatives、Ruby/Perl多语言文件、Electron ASAR提取+原生二进制分析、Node.js npm运行时自省
languages-compiled.md - 编译型语言二进制逆向：Go二进制逆向（GoReSym、goroutines、内存布局、信道操作、embed.FS）、Rust二进制逆向（符号还原、Option/Result、Vec、panic字符串）、Swift二进制逆向（符号还原、协议见证表）、Kotlin/JVM（协程状态机）、C++（虚表重建、RTTI、STL模式）
platforms.md - 特定平台逆向：macOS/iOS（Mach-O、代码签名、Objective-C运行时、Swift、dyld、越狱绕过）、嵌入式/IoT固件（binwalk、UART/JTAG/SPI提取、ARM/MIPS、RTOS）、内核驱动（Linux .ko、eBPF、Windows .sys）、游戏引擎（Unreal Engine、Unity、反作弊、Lua）、汽车CAN总线、高级RISC-V分析

Output Size Rules

输出大小规则

CRITICAL: Never print large data directly to the conversation. Always write to a file first.

bash

undefined

重要提示：切勿直接在对话中打印大量数据。务必先写入文件。

bash

undefined

BAD — causes token limit errors:

错误示例——会触发令牌限制错误：

strings binary | grep -A2 base64 # may output megabytes cat large_output.txt # may exceed 32k tokens

strings binary | grep -A2 base64 # 可能输出数兆字节内容 cat large_output.txt # 可能超过32k令牌限制

GOOD — write to file, then read selectively:

正确示例——先写入文件，再选择性读取：

strings binary > /tmp/strings_out.txt wc -l /tmp/strings_out.txt # check size first grep -i 'base64|flag|key|pass' /tmp/strings_out.txt | head -50

strings binary > /tmp/strings_out.txt wc -l /tmp/strings_out.txt # 先检查大小 grep -i 'base64|flag|key|pass' /tmp/strings_out.txt | head -50

Extracting embedded base64 — always write decoded result to file:

提取嵌入式base64——始终将解码结果写入文件：

strings binary | grep -E '^[A-Za-z0-9+/]{40,}={0,2}$' > /tmp/b64_candidates.txt wc -l /tmp/b64_candidates.txt

Then decode each candidate to file:

然后将每个候选内容解码到文件：

head -1 /tmp/b64_candidates.txt | base64 -d > /tmp/decoded_1.bin file /tmp/decoded_1.bin # identify what it is

head -1 /tmp/b64_candidates.txt | base64 -d > /tmp/decoded_1.bin file /tmp/decoded_1.bin # 识别文件类型

For Python bytecode / large blobs:

处理Python字节码/大 blob：

base64 -d /tmp/b64_candidates.txt > /tmp/payload.bin file /tmp/payload.bin # check type before reading python3 -c "import dis,marshal; dis.dis(marshal.loads(open('/tmp/payload.bin','rb').read()[16:]))" \

/tmp/disasm.txt 2>&1 wc -l /tmp/disasm.txt grep -i 'flag|key|pass|LOAD_CONST' /tmp/disasm.txt | head -30


**Rule: if output might exceed 200 lines, pipe to a file. Read with grep/head/tail.**

base64 -d /tmp/b64_candidates.txt > /tmp/payload.bin file /tmp/payload.bin # 读取前先检查类型 python3 -c "import dis,marshal; dis.dis(marshal.loads(open('/tmp/payload.bin','rb').read()[16:]))" \

/tmp/disasm.txt 2>&1 wc -l /tmp/disasm.txt grep -i 'flag|key|pass|LOAD_CONST' /tmp/disasm.txt | head -30


**规则：如果输出可能超过200行，请先通过管道写入文件。使用grep/head/tail选择性读取。**

Problem-Solving Workflow

问题解决流程

Start with strings extraction - many easy challenges have plaintext flags
Try ltrace/strace - dynamic analysis often reveals flags without reversing
Try Frida hooking - hook strcmp/memcmp to capture expected values without reversing
Try angr - symbolic execution solves many flag-checkers automatically
Try Qiling - emulate foreign-arch binaries or bypass heavy anti-debug without artifacts
Map control flow before modifying execution
Automate manual processes via scripting (r2pipe, Frida, angr, Python)
Validate assumptions by comparing decompiler outputs (dogbolt.org for side-by-side)

先提取字符串 - 许多简单挑战的flag是明文形式
尝试ltrace/strace - 动态分析通常无需逆向即可获取flag
尝试Frida挂钩 - 挂钩strcmp/memcmp以捕获预期值，无需逆向
尝试angr - 符号执行可自动解决许多flag验证程序
尝试Qiling - 仿真异架构二进制文件，或无痕迹绕过重度反调试
修改执行流程前先映射控制流
通过脚本自动化手动流程（r2pipe、Frida、angr、Python）
通过对比反编译器输出验证假设（使用dogbolt.org进行并排对比）

Quick Wins (Try First!)

快速尝试技巧（优先尝试！）

bash

undefined

bash

undefined

Plaintext flag extraction

提取明文flag

strings binary | grep -E "flag{|CTF{|pico" strings binary | grep -iE "flag|secret|password" rabin2 -z binary | grep -i "flag"

Dynamic analysis - often captures flag directly

动态分析——通常可直接捕获flag

ltrace ./binary strace -f -s 500 ./binary

Hex dump search

十六进制转储搜索

xxd binary | grep -i flag

Run with test inputs

使用测试输入运行程序

./binary AAAA echo "test" | ./binary

undefined

./binary AAAA echo "test" | ./binary

undefined

Initial Analysis

初始分析

bash

file binary           # Type, architecture
checksec --file=binary # Security features (for pwn)
chmod +x binary       # Make executable

bash

file binary           # 查看文件类型、架构
checksec --file=binary # 查看安全特性（用于pwn题）
chmod +x binary       # 设置为可执行

Memory Dumping Strategy

内存转储策略

Key insight: Let the program compute the answer, then dump it. Break at final comparison (

b *main+OFFSET

), enter any input of correct length, then

x/s $rsi

to dump computed flag.

核心思路：让程序计算出答案，然后转储出来。在最终比较处设置断点（
b *main+OFFSET
），输入任意长度正确的内容，然后使用
x/s $rsi
转储计算出的flag。

Decoy Flag Detection

诱饵Flag检测

Pattern: Multiple fake targets before real check.

Identification:

Look for multiple comparison targets in sequence
Check for different success messages
Trace which comparison is checked LAST

Solution: Set breakpoint at FINAL comparison, not earlier ones.

模式：在真正的检查点之前存在多个假目标。

识别方法：

查找连续的多个比较目标
检查是否有不同的成功提示信息
追踪最后被检查的比较操作

解决方案：在最后一个比较处设置断点，而非较早的比较。

GDB PIE Debugging

GDB PIE调试

PIE binaries randomize base address. Use relative breakpoints:

bash

gdb ./binary
start                    # Forces PIE base resolution
b *main+0xca            # Relative to main
run

PIE二进制文件会随机化基地址。使用相对断点：

bash

gdb ./binary
start                    # 强制解析PIE基地址
b *main+0xca            # 相对于main的偏移
run

Comparison Direction (Critical!)

比较方向（至关重要！）

Two patterns:

```
transform(flag) == stored_target
```
- Reverse the transform
```
transform(stored_target) == flag
```
- Flag IS the transformed data!

Pattern 2 solution: Don't reverse - just apply transform to stored target.

两种模式：

```
transform(flag) == stored_target
```
- 逆向变换过程
```
transform(stored_target) == flag
```
- Flag就是变换后的目标数据！

模式2解决方案：无需逆向——直接对存储的目标应用变换即可。

Common Encryption Patterns

常见加密模式

XOR with single byte - try all 256 values
XOR with known plaintext (
```
flag{
```
,
```
CTF{
```
)
RC4 with hardcoded key
Custom permutation + XOR
XOR with position index (
```
^ i
```
or
```
^ (i & 0xff)
```
) layered with a repeating key

单字节XOR - 尝试所有256个可能值
已知明文XOR（
```
flag{
```
、
```
CTF{
```
）
硬编码密钥的RC4
自定义置换+XOR
与位置索引异或（
```
^ i
```
或
```
^ (i & 0xff)
```
）并结合重复密钥

Quick Tool Reference

快速工具参考

bash

undefined

bash

undefined

Radare2

r2 -d ./binary # Debug mode aaa # Analyze afl # List functions pdf @ main # Disassemble main

r2 -d ./binary # 调试模式 aaa # 开始分析 afl # 列出函数 pdf @ main # 反汇编main函数

Ghidra (headless)

Ghidra（无头模式）

analyzeHeadless project/ tmp -import binary -postScript script.py

IDA

ida64 binary # Open in IDA64

undefined

ida64 binary # 用IDA64打开

undefined

Binary Types

二进制文件类型

Python .pyc

Disassemble with

marshal.load()

dis.dis()

. Header: 8 bytes (2.x), 12 (3.0-3.6), 16 (3.7+). See languages.md.

使用

marshal.load()

dis.dis()

进行反汇编。头部：8字节（2.x版本）、12字节（3.0-3.6版本）、16字节（3.7+版本）。详情请参阅languages.md。

WASM

bash

wasm2c checker.wasm -o checker.c
gcc -O3 checker.c wasm-rt-impl.c -o checker

bash

wasm2c checker.wasm -o checker.c
gcc -O3 checker.c wasm-rt-impl.c -o checker

WASM patching (game challenges):

WASM补丁（游戏挑战）：

wasm2wat main.wasm -o main.wat # Binary → text

wasm2wat main.wasm -o main.wat # 二进制转文本

Edit WAT: flip comparisons, change constants

编辑WAT：翻转比较操作，修改常量

wat2wasm main.wat -o patched.wasm # Text → binary


**WASM game patching (Tac Tic Toe, Pragyan 2026):** If proof generation is independent of move quality, patch minimax (flip `i64.lt_s` → `i64.gt_s`, change bestScore sign) to make AI play badly while proofs remain valid. Invoke `/ctf-misc` for full game patching patterns (games-and-vms).

wat2wasm main.wat -o patched.wasm # 文本转二进制


**WASM游戏补丁（井字棋，Pragyan 2026）：**如果证明生成与走棋质量无关，可修补minimax算法（将`i64.lt_s`改为`i64.gt_s`，修改bestSign符号），使AI表现糟糕但仍能生成有效证明。如需完整游戏补丁模式，请参考`/ctf-misc`（游戏与VM）。

Android APK

apktool d app.apk -o decoded/

for resources;

jadx app.apk

for Java decompilation. Check

decoded/res/values/strings.xml

for flags. See tools.md.

使用

apktool d app.apk -o decoded/

提取资源；使用

jadx app.apk

进行Java反编译。检查

decoded/res/values/strings.xml

寻找flag。详情请参阅tools.md。

Flutter APK (Dart AOT)

Flutter APK（Dart AOT）

lib/arm64-v8a/libapp.so

libflutter.so

present, use Blutter:

python3 blutter.py path/to/app/lib/arm64-v8a out_dir

. Outputs reconstructed Dart symbols + Frida script. See tools.md.

如果存在

lib/arm64-v8a/libapp.so

libflutter.so

，请使用Blutter：

python3 blutter.py path/to/app/lib/arm64-v8a out_dir

。输出重构后的Dart符号+Frida脚本。详情请参阅tools.md。

.NET

dnSpy - debugging + decompilation
ILSpy - decompiler

dnSpy - 调试+反编译
ILSpy - 反编译器

Packed (UPX)

加壳（UPX）

bash

upx -d packed -o unpacked

If unpacking fails, inspect UPX metadata first: verify UPX section names, header fields, and version markers are intact. If metadata looks tampered or uncertain, review UPX source on GitHub to identify likely modification points.

bash

upx -d packed -o unpacked

如果脱壳失败，请先检查UPX元数据：验证UPX节名称、头字段和版本标记是否完整。如果元数据看起来被篡改或不确定，请查看GitHub上的UPX源码以识别可能的修改点。

Tauri Packed Desktop Apps

Tauri加壳桌面应用

Tauri embeds Brotli-compressed frontend assets in the executable. Find

index.html

xrefs to locate asset index table, dump blobs, Brotli decompress. Reference:

tauri-codegen/src/embedded_assets.rs

Tauri将Brotli压缩的前端资源嵌入可执行文件中。查找

index.html

的交叉引用以定位资源索引表，转储blob，然后进行Brotli解压。参考：

tauri-codegen/src/embedded_assets.rs

。

Anti-Debugging Bypass

反调试绕过

Common checks:

```
IsDebuggerPresent()
```
/ PEB.BeingDebugged / NtQueryInformationProcess (Windows)
```
ptrace(PTRACE_TRACEME)
```
/
```
/proc/self/status
```
TracerPid (Linux)
TLS callbacks (run before main — check PE TLS Directory)
Timing checks (
```
rdtsc
```
,
```
clock_gettime
```
,
```
GetTickCount
```
)
Hardware breakpoint detection (DR0-DR3 via GetThreadContext)
INT3 scanning / code self-hashing (CRC over .text section)
Signal-based: SIGTRAP handler, SIGALRM timeout, SIGSEGV for real logic
Frida/DBI detection:
```
/proc/self/maps
```
scan, port 27042, inline hook checks

Bypass: Set breakpoint at check, modify register to bypass conditional. pwntools patch:

elf.asm(elf.symbols.ptrace, 'ret')

to replace function with immediate return. See patterns.md.

For comprehensive anti-analysis techniques and bypasses (30+ methods with code), see anti-analysis.md.

常见检查项：

```
IsDebuggerPresent()
```
/ PEB.BeingDebugged / NtQueryInformationProcess（Windows）
```
ptrace(PTRACE_TRACEME)
```
/
```
/proc/self/status
```
中的TracerPid（Linux）
TLS回调（在main之前运行——检查PE TLS目录）
计时检查（
```
rdtsc
```
、
```
clock_gettime
```
、
```
GetTickCount
```
）
硬件断点检测（通过GetThreadContext检查DR0-DR3）
INT3扫描/代码自哈希（对.text节进行CRC校验）
基于信号的检测：SIGTRAP处理程序、SIGALRM超时、用于实际逻辑的SIGSEGV
Frida/DBI检测：扫描
```
/proc/self/maps
```
、端口27042、内联挂钩检查

绕过方法：在检查点设置断点，修改寄存器值以绕过条件判断。使用pwntools补丁：

elf.asm(elf.symbols.ptrace, 'ret')

将函数替换为直接返回。详情请参阅patterns.md。

如需全面的反分析技术与绕过方法（30+种带代码的方法），请参阅anti-analysis.md。

S-Box / Keystream Patterns

S盒/密钥流模式

Xorshift32: Shifts 13, 17, 5 Xorshift64: Shifts 12, 25, 27 Magic constants:

0x2545f4914f6cdd1d

0x9e3779b97f4a7c15

**Xorshift32：**移位13、17、5位 **Xorshift64：**移位12、25、27位 魔术常量：

0x2545f4914f6cdd1d

、

0x9e3779b97f4a7c15

Custom VM Analysis

自定义VM分析

Identify structure: registers, memory, IP
Reverse
```
executeIns
```
for opcode meanings
Write disassembler mapping opcodes to mnemonics
Often easier to bruteforce than fully reverse
Look for the bytecode file loaded via command-line arg

See patterns.md for VM workflow, opcode tables, and state machine BFS.

识别结构：寄存器、内存、指令指针（IP）
逆向
```
executeIns
```
以理解操作码含义
编写反汇编器，将操作码映射为助记符
通常暴力破解比完全逆向更简单
查找通过命令行参数加载的字节码文件

详情请参阅patterns.md中的VM工作流、操作码表和状态机BFS。

Python Bytecode Reversing

Python字节码逆向

XOR flag checkers with interleaved even/odd tables are common. See languages.md for bytecode analysis tips and reversing patterns.

带交错奇偶表的XOR flag验证程序很常见。详情请参阅languages.md中的字节码分析技巧和逆向模式。

Signal-Based Binary Exploration

基于信号的二进制探索

Binary uses UNIX signals as binary tree navigation; hook

sigaction

via

LD_PRELOAD

, DFS by sending signals. See patterns.md.

二进制文件使用UNIX信号作为二叉树导航；通过

LD_PRELOAD

挂钩

sigaction

，发送信号进行DFS探索。详情请参阅patterns.md。

Malware Anti-Analysis Bypass via Patching

通过补丁绕过恶意软件反分析

Flip

JNZ

JZ

(0x75/0x74), change sleep values, patch environment checks in Ghidra (

Ctrl+Shift+G

). See patterns.md.

翻转

JNZ

JZ

（0x75/0x74），修改睡眠值，在Ghidra中补丁环境检查（

Ctrl+Shift+G

）。详情请参阅patterns.md。

Expected Values Tables

预期值表

Locating:

bash

objdump -s -j .rodata binary | less

定位方法：

bash

objdump -s -j .rodata binary | less

Look near comparison instructions

在比较指令附近查找

Size matches flag length

大小与flag长度匹配

undefined

undefined

x86-64 Gotchas

x86-64陷阱

Sign extension and 32-bit truncation pitfalls. See patterns.md for details and code examples.

符号扩展和32位截断陷阱。详情请参阅patterns.md中的细节和代码示例。

Iterative Solver Pattern

迭代求解器模式

Try each byte (0-255) per position, match against expected output. Uniform transform shortcut: if one input byte only changes one output byte, build 0..255 mapping then invert. See patterns.md for full implementation.

对每个位置尝试每个字节（0-255），与预期输出匹配。**统一变换捷径：**如果一个输入字节只改变一个输出字节，则构建0..255的映射表然后反转。详情请参阅patterns.md中的完整实现。

Unicorn Emulation (Complex State)

Unicorn仿真（复杂状态）

from unicorn import *

-- map segments, set up stack, hook to trace. Mixed-mode pitfall: 64-bit stub jumping to 32-bit via

retf

requires switching to UC_MODE_32 and copying GPRs + EFLAGS + XMM regs. See tools.md.

from unicorn import *

—— 映射段、设置栈、挂钩以追踪。**混合模式陷阱：**64位存根通过

retf

跳转到32位代码时，需要切换到UC_MODE_32并复制GPRs + EFLAGS + XMM寄存器。详情请参阅tools.md。

Multi-Stage Shellcode Loaders

多阶段Shellcode加载器

Nested shellcode with XOR decode loops; break at

call rax

, bypass ptrace with

set $rax=0

, extract flag from

mov

instructions. See patterns.md.

嵌套的Shellcode带有XOR解码循环；在

call rax

处设置断点，通过

set $rax=0

绕过ptrace，从

mov

指令中提取flag。详情请参阅patterns.md。

Timing Side-Channel Attack

计时侧信道攻击

Validation time varies per correct character; measure elapsed time per candidate to recover flag byte-by-byte. See patterns.md.

验证时间随正确字符的不同而变化；测量每个候选字符的耗时以逐字节恢复flag。详情请参阅patterns.md。

Godot Game Asset Extraction

Godot游戏资源提取

Use KeyDot to extract encryption key from executable, then gdsdecomp to extract .pck package. See languages.md.

使用KeyDot从可执行文件中提取加密密钥，然后使用gdsdecomp提取.pck包。详情请参阅languages.md。

Roblox Place File Analysis

Roblox场景文件分析

Query Asset Delivery API for version history; parse

.rbxlbin

chunks (INST/PROP/PRNT) to diff script sources across versions. See languages.md.

查询资产交付API获取版本历史；解析

.rbxlbin

块（INST/PROP/PRNT）以对比不同版本的脚本源码。详情请参阅languages.md。

Unstripped Binary Information Leaks

未剥离二进制文件信息泄露

Pattern (Bad Opsec): Debug info and file paths leak author identity.

Quick checks:

bash

strings binary | grep "/home/"    # Home directory paths
strings binary | grep "/Users/"   # macOS paths
file binary                       # Check if stripped
readelf -S binary | grep debug    # Debug sections present?

**模式（糟糕的操作安全）：**调试信息和文件路径会泄露作者身份。

快速检查：

bash

strings binary | grep "/home/"    # 主目录路径
strings binary | grep "/Users/"   # macOS路径
file binary                       # 检查是否已剥离调试信息
readelf -S binary | grep debug    # 是否存在调试节？

Custom Mangle Function Reversing

自定义混淆函数逆向

Binary mangles input 2 bytes at a time with running state; extract target from

.rodata

, write inverse function. See patterns.md.

二进制文件每次处理2个输入字节并维护运行状态；从

.rodata

中提取目标值，编写逆函数。详情请参阅patterns.md。

Rust serde_json Schema Recovery

Rust serde_json Schema恢复

Disassemble serde

Visitor

implementations to recover expected JSON schema; field names in order reveal flag. See languages.md.

反汇编serde的

Visitor

实现以恢复预期的JSON Schema；字段顺序可揭示flag。详情请参阅languages.md。

Position-Based Transformation Reversing

基于位置的变换逆向

Binary adds/subtracts position index; reverse by undoing per-index offset. See patterns.md.

二进制文件会添加/减去位置索引；通过撤销每个索引的偏移来逆向。详情请参阅patterns.md。

Hex-Encoded String Comparison

十六进制编码字符串比较

Input converted to hex, compared against constant. Decode with

xxd -r -p

. See patterns.md.

输入被转换为十六进制，然后与常量比较。使用

xxd -r -p

解码。详情请参阅patterns.md。

Embedded ZIP + XOR License Decryption

嵌入式ZIP + XOR许可证解密

Binary with named symbols (

EMBEDDED_ZIP

ENCRYPTED_MESSAGE

) in

.rodata

→ extract ZIP containing license, XOR encrypted message with license bytes to recover flag. No execution needed. See patterns-ctf-2.md.

二进制文件的

.rodata

中包含命名符号（

EMBEDDED_ZIP

、

ENCRYPTED_MESSAGE

）→ 提取包含许可证的ZIP，使用许可证字节对加密消息进行XOR以恢复flag。无需执行程序。详情请参阅patterns-ctf-2.md。

Stack String Deobfuscation (.rodata XOR Blob)

栈字符串反混淆（.rodata XOR Blob）

Binary mmaps

.rodata

blob, XOR-deobfuscates, uses it to validate input. Reimplement verification loop with pyelftools to extract blob. Look for

0x9E3779B9

0x85EBCA6B

constants and

rol32()

. See patterns-ctf-2.md.

二进制文件映射

.rodata

blob，进行XOR反混淆，然后用它来验证输入。使用pyelftools重新实现验证循环以提取blob。查找

0x9E3779B9

、

0x85EBCA6B

常量和

rol32()

函数。详情请参阅patterns-ctf-2.md。

Prefix Hash Brute-Force

前缀哈希暴力破解

Binary hashes every prefix independently. Recover one character at a time by matching prefix hashes. See patterns-ctf-2.md.

二进制文件对每个前缀独立进行哈希。通过匹配前缀哈希逐字符恢复flag。详情请参阅patterns-ctf-2.md。

Mathematical Convergence Bitmap

数学收敛位图

Pattern: Binary classifies coordinate pairs by Newton's method convergence (e.g., z^3-1=0). Grid of pass/fail results renders ASCII art flag. Key: the binary is a classifier, not a checker — reverse the math and visualize. See patterns-ctf.md.

**模式：**二进制文件通过牛顿法收敛性对坐标对进行分类（例如z^3-1=0）。通过网格的通过/失败结果生成ASCII艺术flag。关键：该二进制文件是分类器，而非验证器——逆向数学逻辑并可视化。详情请参阅patterns-ctf.md。

RISC-V Binary Analysis

RISC-V二进制分析

Statically linked, stripped RISC-V ELF. Use Capstone with

CS_MODE_RISCVC | CS_MODE_RISCV64

for mixed compressed instructions. Emulate with

qemu-riscv64

. Watch for fake flags and XOR decryption with incremental keys. See tools.md.

静态链接、剥离调试信息的RISC-V ELF文件。使用Capstone并设置

CS_MODE_RISCVC | CS_MODE_RISCV64

以处理混合压缩指令。使用

qemu-riscv64

进行仿真。注意假flag和使用递增密钥的XOR解密。详情请参阅tools.md。

Sprague-Grundy Game Theory Binary

Sprague-Grundy博弈论二进制文件

Game binary plays bounded Nim with PRNG for losing-position moves. Identify game framework (Grundy values = pile % (k+1), XOR determines position), track PRNG state evolution through user input feedback. See patterns-ctf.md.

游戏二进制文件使用PRNG进行有界Nim游戏的必败位置移动。识别游戏框架（Grundy值 = 堆大小 % (k+1)，异或决定位置），通过用户输入反馈追踪PRNG状态演变。详情请参阅patterns-ctf.md。

Kernel Module Maze Solving

内核模块迷宫求解

Rust kernel module implements maze via device ioctls. Enumerate commands dynamically, build DFS solver with decoy avoidance, deploy as minimal static binary (raw syscalls, no libc). See patterns-ctf.md.

Rust内核模块通过设备ioctl实现迷宫。动态枚举命令，构建带诱饵规避的DFS求解器，部署为最小静态二进制文件（直接系统调用，无libc）。详情请参阅patterns-ctf.md。

Multi-Threaded VM with Channels

带信道的多线程VM

Custom VM with 16+ threads communicating via futex channels. Trace data flow across thread boundaries, extract constants from GDB, watch for inverted validity logic, solve via BFS state space search. See patterns-ctf.md.

自定义VM包含16+个通过futex信道通信的线程。追踪跨线程边界的数据流，从GDB中提取常量，注意反转的有效性逻辑，通过BFS状态空间搜索求解。详情请参阅patterns-ctf.md。

CVP/LLL Lattice for Constrained Integer Validation (HTB ShadowLabyrinth)

用于约束整数验证的CVP/LLL格基（HTB ShadowLabyrinth）

Binary validates flag via matrix multiplication with 64-bit coefficients; solutions must be printable ASCII. Use LLL reduction + CVP in SageMath to find nearest lattice point in the constrained range. Two-phase pattern: Phase 1 recovers AES key, Phase 2 decrypts custom VM bytecode with another linear system (mod 2^32). See patterns-ctf-2.md.

二进制文件通过64位系数的矩阵乘法验证flag；解必须是可打印的ASCII字符。使用SageMath中的LLL约简+CVP以找到约束范围内的最近格点。两阶段模式：第一阶段恢复AES密钥，第二阶段用另一个线性系统（模2^32）解密自定义VM字节码。详情请参阅patterns-ctf-2.md。

Decision Tree Function Obfuscation (HTB WonderSMS)

决策树函数混淆（HTB WonderSMS）

~200+ auto-generated functions routing input through polynomial comparisons. Script extraction via Ghidra headless rather than reversing each function manually. Constraint propagation from known output format cascades through arithmetic constraints. See patterns-ctf-2.md.

约200+个自动生成的函数通过多项式比较路由输入。通过Ghidra无头模式脚本提取，而非手动逆向每个函数。从已知输出格式进行约束传播，通过算术约束级联求解。详情请参阅patterns-ctf-2.md。

Android JNI RegisterNatives Obfuscation (HTB WonderSMS)

Android JNI RegisterNatives混淆（HTB WonderSMS）

RegisterNatives

JNI_OnLoad

hides which C++ function handles each Java native method (no standard

Java_com_pkg_Class_method

symbol). Find the real handler by tracing

JNI_OnLoad

→

RegisterNatives

→

fnPtr

. Use x86_64

.so

from APK for best Ghidra decompilation. See languages.md.

JNI_OnLoad

中的

RegisterNatives

隐藏了哪个C++函数处理每个Java原生方法（无标准

Java_com_pkg_Class_method

符号）。通过追踪

JNI_OnLoad

→

RegisterNatives

→

fnPtr

找到真实处理函数。使用APK中的x86_64

.so

文件以获得最佳Ghidra反编译效果。详情请参阅languages.md。

Multi-Layer Self-Decrypting Binary

多层自解密二进制文件

N-layer binary where each layer decrypts the next using user-provided key bytes + SHA-NI. Use oracle (correct key → valid code with expected pattern). JIT execution with fork-per-candidate COW isolation for speed. See patterns-ctf-2.md.

N层二进制文件，每层使用用户提供的密钥字节+SHA-NI解密下一层。使用 oracle（正确密钥→生成带有预期模式的有效代码）。使用fork-per-candidate COW隔离进行JIT执行以提高速度。详情请参阅patterns-ctf-2.md。

GLSL Shader VM with Self-Modifying Code

带自修改代码的GLSL着色器VM

Pattern: WebGL2 fragment shader implements Turing-complete VM on a 256x256 RGBA texture (program memory + VRAM). Self-modifying code (STORE opcode) patches drawing instructions. GPU parallelism causes write conflicts — emulate sequentially in Python to recover full output. See patterns-ctf-2.md.

**模式：**WebGL2片段着色器在256x256 RGBA纹理（程序内存+VRAM）上实现图灵完备VM。自修改代码（STORE操作码）会修补绘制指令。GPU并行性会导致写入冲突——在Python中顺序仿真以恢复完整输出。详情请参阅patterns-ctf-2.md。

GF(2^8) Gaussian Elimination for Flag Recovery

用于flag恢复的GF(2^8)高斯消元

Pattern: Binary performs Gaussian elimination over GF(2^8) with the AES polynomial (0x11b). Matrix + augmentation vector in

.rodata

; solution vector is the flag. Look for constant

0x1b

in disassembly. Addition is XOR, multiplication uses polynomial reduction. See patterns-ctf-2.md.

**模式：**二进制文件使用AES多项式（0x11b）在GF(2^8)上执行高斯消元。矩阵+增广向量位于

.rodata

中；解向量就是flag。在反汇编中查找常量

0x1b

。加法为XOR，乘法使用多项式约简。详情请参阅patterns-ctf-2.md。

Z3 for Single-Line Python Boolean Circuit

基于Z3的单行Python布尔电路

Pattern: Single-line Python (2000+ semicolons) with walrus operator chains validates flag as big-endian integer via boolean circuit. Obfuscated XOR

(a | b) & ~(a & b)

. Split on semicolons, translate to Z3 symbolically, solve in under a second. See patterns-ctf-2.md.

**模式：**单行Python代码（2000+个分号）使用海象运算符链将flag作为大端整数通过布尔电路验证。混淆的XOR

(a | b) & ~(a & b)

。按分号拆分，转换为Z3符号表达式，可在1秒内求解。详情请参阅patterns-ctf-2.md。

Sliding Window Popcount Differential Propagation

滑动窗口汉明权重差分传播

Pattern: Binary validates input via expected popcount for each position of a 16-bit sliding window. Popcount differences create a recurrence:

bit[i+16] = bit[i] + (data[i+1] - data[i])

. Brute-force ~4000-8000 valid initial 16-bit windows; each determines the entire bit sequence. See patterns-ctf-2.md.

**模式：**二进制文件通过16位滑动窗口每个位置的预期汉明权重验证输入。汉明权重差异形成递推关系：

bit[i+16] = bit[i] + (data[i+1] - data[i])

。暴力破解约4000-8000个有效的初始16位窗口；每个窗口可确定整个位序列。详情请参阅patterns-ctf-2.md。

Ruby/Perl Polyglot Constraint Satisfaction

Ruby/Perl多语言文件约束满足

Pattern: Single file valid in both Ruby and Perl, each imposing different constraints on a key. Exploits

=begin

=end

(Ruby block comment) vs

=begin

=cut

(Perl POD) to run different code per interpreter. Intersect constraints from both languages to recover the unique key. See languages.md.

**模式：**单个文件同时在Ruby和Perl中有效，每种语言对密钥施加不同约束。利用

=begin

=end

（Ruby块注释）与

=begin

=cut

（Perl POD）的差异，使不同解释器运行不同代码。求两种语言约束的交集以恢复唯一密钥。详情请参阅languages.md。

Verilog/Hardware RE

Verilog/硬件逆向

Pattern: Verilog HDL source for state machines with hidden conditions gated on shift register history. Analyze

always @(posedge clk)

blocks and

case

statements to find correct input sequences. See languages.md.

**模式：**Verilog HDL源码实现的状态机，其隐藏条件由移位寄存器历史控制。分析

always @(posedge clk)

块和

case

语句以找到正确的输入序列。详情请参阅languages.md。

Backdoored Shared Library Detection

后门共享库检测

Binary works in GDB but fails when run normally (suid)? Check

ldd

for non-standard libc paths, then

strings | diff

the suspicious vs. system library to find injected code/passwords. See patterns-ctf.md.

二进制文件在GDB中运行正常，但正常运行时失败（suid）？检查

ldd

是否存在非标准libc路径，然后使用

strings | diff

对比可疑库与系统库以找到注入的代码/密码。详情请参阅patterns-ctf.md。

Go Binary Reversing

Go二进制逆向

Large static binary with

go.buildid

? Use GoReSym to recover function names (works even on stripped binaries). Go strings are

{ptr, len}

pairs — not null-terminated. Look for

main.main

runtime.gopanic

, channel ops (

runtime.chansend1

chanrecv1

). Use Ghidra golang-loader plugin for best results. See languages-compiled.md.

带有

go.buildid

的大型静态二进制文件？使用GoReSym恢复函数名（即使是剥离调试信息的二进制文件也有效）。Go字符串是

{ptr, len}

对——不是以空字符结尾。查找

main.main

、

runtime.gopanic

、信道操作（

runtime.chansend1

chanrecv1

）。使用Ghidra的golang-loader插件可获得最佳效果。详情请参阅languages-compiled.md。

Rust Binary Reversing

Rust二进制逆向

Binary with

core::panicking

strings and

_ZN

mangled symbols? Use

rustfilt

for demangling. Panic messages contain source paths and line numbers —

strings binary | grep "panicked"

is the fastest approach. Option/Result enums use discriminant byte (0=None/Err, 1=Some/Ok). See languages-compiled.md.

带有

core::panicking

字符串和

_ZN

混淆符号的二进制文件？使用

rustfilt

进行符号还原。Panic消息包含源码路径和行号——

strings binary | grep "panicked"

是最快的方法。Option/Result枚举使用判别字节（0=None/Err，1=Some/Ok）。详情请参阅languages-compiled.md。

Frida Dynamic Instrumentation

Frida动态插桩

Hook runtime functions without modifying binary.

frida -f ./binary -l hook.js

to spawn with instrumentation. Hook

strcmp

memcmp

to capture expected values, bypass anti-debug by replacing

ptrace

return value, scan memory for flag patterns, replace validation functions. See tools-dynamic.md.

无需修改二进制文件即可挂钩运行时函数。使用

frida -f ./binary -l hook.js

启动并插桩。挂钩

strcmp

memcmp

以捕获预期值，通过替换

ptrace

返回值绕过反调试，扫描内存中的flag模式，替换验证函数。详情请参阅tools-dynamic.md。

angr Symbolic Execution

angr符号执行

Automatic path exploration to find inputs satisfying constraints. Load binary with

angr.Project

, set find/avoid addresses, call

simgr.explore()

. Constrain input to printable ASCII and known prefix for faster solving. Hook expensive functions (crypto, I/O) to prevent path explosion. See tools-dynamic.md.

自动路径探索以找到满足约束的输入。使用

angr.Project

加载二进制文件，设置查找/避免地址，调用

simgr.explore()

。将输入约束为可打印ASCII和已知前缀以加快求解速度。挂钩耗时函数（加密、I/O）以防止路径爆炸。详情请参阅tools-dynamic.md。

Qiling Emulation

Qiling仿真

Cross-platform binary emulation with OS-level support (syscalls, filesystem). Emulate Linux/Windows/ARM/MIPS binaries on any host. No debugger artifacts — bypasses all anti-debug by default. Hook syscalls and addresses with Python API. See tools-dynamic.md.

带系统级支持（系统调用、文件系统）的跨平台二进制仿真。可在任意主机上仿真Linux/Windows/ARM/MIPS二进制文件。无调试器痕迹——默认绕过所有反调试。使用Python API挂钩系统调用和地址。详情请参阅tools-dynamic.md。

VMProtect / Themida Analysis

VMProtect / Themida分析

VMProtect virtualizes code into custom bytecode. Identify VM entry (pushad-like), find handler table (large indirect jump), trace handlers dynamically. For CTF, focus on tracing operations on input rather than full devirtualization. Themida: dump at OEP with ScyllaHide + Scylla. See tools-advanced.md.

VMProtect将代码虚拟化为自定义字节码识别VM入口（类似pushad的操作），找到处理程序表（大型间接跳转），动态追踪处理程序。对于CTF，重点追踪对输入的操作，而非完全反虚拟化。Themida：使用ScyllaHide + Scylla在OEP处转储。详情请参阅tools-advanced.md。

Binary Diffing

二进制对比

BinDiff and Diaphora compare two binaries to highlight changes. Essential when challenge provides patched/original versions. Export from IDA/Ghidra, diff to find vulnerability or hidden functionality. See tools-advanced.md.

BinDiff和Diaphora对比两个二进制文件以突出变化。当挑战提供补丁版/原版文件时必不可少。从IDA/Ghidra导出，对比以找到漏洞或隐藏功能。详情请参阅tools-advanced.md。

Advanced GDB (pwndbg, rr)

高级GDB（pwndbg、rr）

pwndbg:

context

vmmap

search -s "flag{"

telescope $rsp

. GEF alternative. Reverse debugging with

rr record

rr replay

— step backward through execution. Python scripting for brute-force and automated tracing. See tools-advanced.md.

pwndbg：

context

、

vmmap

、

search -s "flag{"

、

telescope $rsp

。GEF的替代工具。使用

rr record

rr replay

进行逆向调试——可回溯执行流程。使用Python脚本进行暴力破解和自动追踪。详情请参阅tools-advanced.md。

macOS / iOS Reversing

macOS / iOS逆向

Mach-O binaries:

otool -l

for load commands,

class-dump

for Objective-C headers. Swift:

swift demangle

for symbols. iOS apps: decrypt FairPlay DRM with frida-ios-dump, bypass jailbreak detection with Frida hooks. Re-sign patched binaries with

codesign -f -s -

. See platforms.md.

Mach-O二进制文件：使用

otool -l

查看加载命令，使用

class-dump

提取Objective-C头文件。Swift：使用

swift demangle

还原符号。iOS应用：使用frida-ios-dump解密FairPlay DRM，使用Frida挂钩绕过越狱检测。使用

codesign -f -s -

重新签名补丁后的二进制文件。详情请参阅platforms.md。

Embedded / IoT Firmware RE

嵌入式 / IoT固件逆向

binwalk -Me firmware.bin

for recursive extraction. Hardware: UART/JTAG/SPI flash for firmware dumps. Filesystems: SquashFS (

unsquashfs

), JFFS2, UBI. Emulate with QEMU:

qemu-arm -L /usr/arm-linux-gnueabihf/ ./binary

. See platforms.md.

使用

binwalk -Me firmware.bin

进行递归提取。硬件层面：通过UART/JTAG/SPI闪存转储固件。文件系统：SquashFS（

unsquashfs

）、JFFS2、UBI。使用QEMU仿真：

qemu-arm -L /usr/arm-linux-gnueabihf/ ./binary

。详情请参阅platforms.md。

Kernel Driver Reversing

内核驱动逆向

Linux

.ko

: find ioctl handler via

file_operations

struct, trace

copy_from_user

copy_to_user

. Debug with QEMU+GDB (

-s -S

). eBPF:

bpftool prog dump xlated

. Windows

.sys

: find

DriverEntry

→

IoCreateDevice

→ IRP handlers. See platforms.md.

Linux

.ko

：通过

file_operations

结构体找到ioctl处理程序，追踪

copy_from_user

copy_to_user

。使用QEMU+GDB调试（

-s -S

）。eBPF：

bpftool prog dump xlated

。Windows

.sys

：找到

DriverEntry

→

IoCreateDevice

→ IRP处理程序。详情请参阅platforms.md。

Game Engine Reversing

游戏引擎逆向

Unreal: extract .pak with UnrealPakTool, reverse Blueprint bytecode with FModel. Unity Mono: decompile Assembly-CSharp.dll with dnSpy. Anti-cheat (EAC, BattlEye, VAC): identify system, bypass specific check. Lua games:

luadec

unluac

for bytecode. See platforms.md.

Unreal：使用UnrealPakTool提取.pak文件，使用FModel逆向Blueprint字节码。Unity Mono：使用dnSpy反编译Assembly-CSharp.dll。反作弊（EAC、BattlEye、VAC）：识别系统，绕过特定检查。Lua游戏：使用

luadec

unluac

处理字节码。详情请参阅platforms.md。

Swift / Kotlin Binary Reversing

Swift / Kotlin二进制逆向

Swift:

swift demangle

symbols, protocol witness tables for dispatch,

__swift5_*

sections. Kotlin/JVM: coroutines compile to state machines in

invokeSuspend

jadx

with Kotlin mode for best decompilation. Kotlin/Native: LLVM backend, looks like C++ in disassembly. See languages-compiled.md.

Swift：使用

swift demangle

还原符号，使用协议见证表进行调度，查找

__swift5_*

节。Kotlin/JVM：协程编译为

invokeSuspend

中的状态机，使用Kotlin模式的jadx可获得最佳反编译效果。Kotlin/Native：LLVM后端，反汇编后类似C++。详情请参阅languages-compiled.md。