Agent skill

vulnerable-secret

Guidance for extracting secrets from protected or obfuscated binaries through systematic static and dynamic analysis. This skill should be used when tasks involve reverse engineering executables, extracting hidden flags or keys, analyzing binary protections, or decoding obfuscated data within compiled programs.

View SKILL.md on GitHub Repository
Stars 163
Forks 31

Install this agent skill to your Project

npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/development/vulnerable-secret-letta-ai-skills

SKILL.md

Vulnerable Secret Extraction

Overview

This skill provides a systematic methodology for extracting secrets (flags, keys, passwords) from protected or obfuscated binary executables. It emphasizes methodical analysis, proper verification of findings, and avoiding common pitfalls in binary reverse engineering.

Systematic Analysis Workflow

Follow these phases in order for reliable results:

Phase 1: Initial Reconnaissance

Gather basic information about the target before deeper analysis:

  1. File type identification - Determine binary format (ELF, PE, Mach-O)

    bash
    file <binary>

  2. Check permissions and attributes

    bash
    ls -la <binary>

  3. Identify architecture and linking

    bash
    readelf -h <binary>  # For ELF binaries

  4. List sections and segments

    bash
    readelf -S <binary>  # Section headers
readelf -l <binary>  # Program headers

Phase 2: Symbol and String Analysis

Extract human-readable information:

  1. Dump strings - Look for embedded text, error messages, and potential secrets

    bash
    strings <binary>
strings -a <binary>  # All sections

  2. Check symbol table - Identify function names and exported symbols

    bash
    nm <binary>
readelf -s <binary>

  3. Look for dangerous functions - Identify potential vulnerabilities

    • gets, strcpy, sprintf - Buffer overflow candidates
    • system, exec* - Command injection points
    • ptrace - Anti-debugging protection

Phase 3: Disassembly and Code Analysis

Examine the actual code:

  1. Disassemble key functions

    bash
    objdump -d <binary>
objdump -d -M intel <binary>  # Intel syntax

  2. Focus on specific areas:

    • main function entry point
    • Functions referencing interesting strings
    • Data sections containing potential encoded secrets

  3. Identify encoding schemes - Look for:

    • XOR operations with constant keys
    • Base64 encoding patterns
    • Custom obfuscation routines

Phase 4: Data Extraction and Decoding

Extract and decode hidden data:

  1. Extract raw data sections

    bash
    objcopy -O binary --only-section=.rodata <binary> rodata.bin
hexdump -C <binary>

  2. Common decoding operations:

    • XOR decoding: Identify the key from disassembly, apply to encoded data
    • Base64: Look for character set patterns
    • Custom algorithms: Trace through disassembly to understand transformation

  3. Python decoding template:

    python
    # XOR decoding example
encoded = bytes.fromhex('HEXDATA')
key = 0xKEY
decoded = bytes([b ^ key for b in encoded])
print(decoded.decode('utf-8', errors='ignore'))

Phase 5: Dynamic Analysis (When Safe)

If static analysis is insufficient:

  1. Check for anti-debugging:

    • ptrace calls
    • Timing checks
    • Environment detection

  2. Bypass techniques:

    • LD_PRELOAD to override functions
    • Patching binary to skip checks
    • Using debugger scripts

  3. Run with monitoring:

    bash
    strace <binary>
ltrace <binary>

Verification Strategies

Always verify findings before concluding:

  1. Cross-reference disassembly - Ensure the decoding logic matches what the code does

  2. Validate decoded output - Check that results are plausible (readable text, expected format)

  3. Test edge cases - Verify handling of:

    • Partial data
    • Incorrect keys
    • Malformed input

  4. Document the derivation - Record which specific instructions or data led to conclusions

Common Pitfalls

Analysis Mistakes

  1. Incomplete disassembly review - When output is truncated, explicitly request additional sections rather than making assumptions about unseen code

  2. Jumping to conclusions - Avoid assuming encoding schemes without seeing the actual instructions that implement them

  3. Ignoring vulnerability hints - If function names or flag content suggest an attack vector (e.g., "buffer_overflow" in the flag), explore that path even if static analysis succeeds

Implementation Errors

  1. Hex string formatting - Ensure hex strings have no spaces or invalid characters before decoding

  2. Key identification - Verify the XOR key or encoding parameter from actual disassembly, not from data patterns alone

  3. Endianness issues - Consider byte order when extracting multi-byte values

Workflow Inefficiencies

  1. Repeated tool calls - Combine related checks (file type + permissions + sections) when possible

  2. Excessive verification - Once content is confirmed written, avoid redundant reads

  3. Missing tool output - If disassembly is truncated, request specific address ranges rather than re-running the entire dump

Decision Tree

Start
  │
  ├─► Run file identification
  │     └─► Is it an executable? ─No─► Check if packed/obfuscated
  │                │
  │               Yes
  │                │
  ├─► Extract strings
  │     └─► Found readable secret? ─Yes─► Verify and extract
  │                │
  │               No
  │                │
  ├─► Check for dangerous functions
  │     └─► Found gets/strcpy? ─Yes─► Consider buffer overflow
  │                │
  │               No/Also
  │                │
  ├─► Disassemble and analyze
  │     └─► Found encoding logic? ─Yes─► Extract key and decode
  │                │
  │               No
  │                │
  ├─► Check for anti-debugging
  │     └─► Present? ─Yes─► Bypass or use static analysis
  │                │
  │               No
  │                │
  └─► Dynamic analysis with tracing

Output Requirements

When extracting secrets:

  1. Verify the output format matches expected patterns (e.g., FLAG{...}, key format)
  2. Save to the correct location as specified in task requirements
  3. Confirm file was written successfully before concluding

Didn't find tool you were looking for?

Be as detailed as possible for better results