reverse-engineering

Reverse Engineering Skill

16 stars

Best use case

reverse-engineering is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Reverse Engineering Skill

Teams using reverse-engineering should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/reverse-engineering/SKILL.md --create-dirs "https://raw.githubusercontent.com/plurigrid/asi/main/plugins/asi/skills/reverse-engineering/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/reverse-engineering/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How reverse-engineering Compares

Feature / Agent	reverse-engineering	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Reverse Engineering Skill

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Reverse Engineering Skill

Binary analysis and reverse engineering via MCP servers for Ghidra, IDA Pro, radare2, and angr.

## Trigger Conditions

- User asks to analyze binaries, disassemble code, decompile functions
- Questions about malware analysis, vulnerability research, CTF challenges
- Binary diffing, patch analysis, firmware extraction
- Symbol recovery, function identification, control flow analysis

## MCP Servers

### 1. GhidrAssistMCP (Ghidra - Free)
**Repository**: https://github.com/jtang613/GhidrAssistMCP  
**Stars**: High activity  
**Transport**: HTTP/SSE on port 8080

**Installation**:
```bash
# Download from releases page
# In Ghidra: File → Install Extensions → Add Extension
# Enable: File → Configure → Configure Plugins → GhidrAssistMCP
```

**31 Built-in Tools**:
| Category | Tools |
|----------|-------|
| Program Analysis | `get_program_info`, `list_functions`, `list_data`, `list_strings`, `list_imports`, `list_exports`, `list_segments` |
| Function Analysis | `get_function_info`, `decompile_function`, `disassemble_function`, `function_xrefs`, `search_functions` |
| Navigation | `get_current_address`, `xrefs_to`, `xrefs_from`, `get_current_function` |
| Modification | `rename_function`, `rename_variable`, `set_function_prototype`, `set_local_variable_type`, `set_disassembly_comment` |
| Advanced | `auto_create_struct` |

### 2. LaurieWired/GhidraMCP (Popular Alternative)
**Repository**: https://github.com/LaurieWired/GhidraMCP  
**Transport**: Python bridge to Ghidra

### 3. IDA Pro MCP Servers

**mrexodia/ida-pro-mcp** (Most active):
```bash
git clone https://github.com/mrexodia/ida-pro-mcp
cd ida-pro-mcp
pip install -e .
```

**MxIris-Reverse-Engineering/ida-mcp-server** (473 stars):
```bash
git clone https://github.com/MxIris-Reverse-Engineering/ida-mcp-server
```

**fdrechsler/mcp-server-idapro**:
```bash
git clone https://github.com/fdrechsler/mcp-server-idapro
```

### 4. radare2-mcp (Official)
**Repository**: https://github.com/radareorg/radare2-mcp  
**Transport**: stdio

```bash
# Install radare2 first
brew install radare2  # macOS
# or: apt install radare2  # Linux

git clone https://github.com/radareorg/radare2-mcp
cd radare2-mcp
pip install -e .
```

**MCP Config**:
```json
{
  "mcpServers": {
    "radare2": {
      "command": "r2-mcp",
      "args": []
    }
  }
}
```

### 5. rand-tech/pcm (Multi-tool)
**Repository**: https://github.com/rand-tech/pcm  
MCP for reverse engineering combining multiple backends.

## Workflows

### Basic Binary Analysis
```
1. Load binary into Ghidra/IDA
2. Start MCP server
3. Query: "List all functions" → list_functions
4. Query: "Decompile main" → decompile_function
5. Query: "Find xrefs to this address" → xrefs_to
```

### Malware Analysis Pattern
```
1. get_program_info → Architecture, compiler, entry point
2. list_imports → Suspicious API calls (CreateRemoteThread, VirtualAlloc)
3. list_strings → C2 URLs, encryption keys, debug strings
4. search_functions "crypt" → Find encryption routines
5. decompile_function → Understand algorithm
6. auto_create_struct → Recover data structures
```

### Vulnerability Research
```
1. list_functions → Function list with sizes
2. search_functions "parse|read|copy" → Input handlers
3. decompile_function → Find buffer operations
4. xrefs_to → Trace data flow
5. set_decompiler_comment → Annotate findings
```

### CTF Binary Exploitation
```
1. get_program_info → Check protections (PIE, RELRO, canary)
2. list_functions → Find win/flag functions
3. decompile_function → Understand vulnerability
4. xrefs_from → Control flow analysis
5. list_segments → Memory layout for ROP
```

## CLI Quick Reference

### radare2 Commands
```bash
r2 binary                    # Open binary
aaa                          # Analyze all
afl                          # List functions
pdf @ main                   # Disassemble function
pdc @ main                   # Decompile (r2ghidra)
axt @ addr                   # Xrefs to
axf @ addr                   # Xrefs from
iz                           # List strings
ii                           # List imports
```

### Ghidra Headless
```bash
analyzeHeadless /tmp/project ProjectName \
  -import binary.exe \
  -postScript ExportDecompilation.java \
  -deleteProject
```

## Resources

- [Awesome Reverse Engineering](https://github.com/wtsxDev/reverse-engineering)
- [CTF Wiki - Reverse](https://ctf-wiki.org/reverse/)
- [Ghidra Scripting](https://ghidra.re/ghidra_docs/api/)
- [radare2 Book](https://book.rada.re/)

## r2con Speaker Repositories

Key repositories from r2con 2016-2025 speakers for process tree and binary analysis:

### Core radare2 Team
| Speaker | Handle | Repository | Specialty |
|---------|--------|------------|-----------|
| Sergi Alvarez | pancake | [github.com/trufae](https://github.com/trufae) | radare2 creator, r2pipe |
| Anton Kochkov | xvilka | [github.com/XVilka](https://github.com/XVilka) | UEFI, radeco decompiler |
| Florian Märkl | thestr4ng3r | [github.com/thestr4ng3r](https://github.com/thestr4ng3r) | Cutter/Rizin founder |
| condret | condret | [github.com/condret](https://github.com/condret) | ESIL core, SIOL I/O |
| wargio | wargio | [github.com/wargio](https://github.com/wargio) | GSoC mentor |
| maijin | maijin | [github.com/maijin](https://github.com/maijin) | r2 book maintainer |

### ESIL & Symbolic Execution
| Speaker | Handle | Repository | Specialty |
|---------|--------|------------|-----------|
| Chase Kanipe | alkalinesec | [github.com/alkalinesec](https://github.com/alkalinesec) | ESILSolve symbolic exec |
| Sylvain Pelissier | Pelissier_S | N/A | ESIL side-channel simulation |
| Abel Valero | skuater | [github.com/skuater](https://github.com/skuater) | r2wars, ESIL plugins |
| Gerardo García | killabytenow | [github.com/killabytenow](https://github.com/killabytenow) | ESIL limits |

### Frida Integration (r2frida)
| Speaker | Handle | Repository | Specialty |
|---------|--------|------------|-----------|
| Ole André Ravnås | oleavr | [github.com/oleavr](https://github.com/oleavr) | Frida creator, NowSecure |
| Giovanni Rocca | iGio90 | [github.com/iGio90](https://github.com/iGio90) | Dwarf debugger |
| Grant Douglas | hexploitable | [github.com/hexploitable](https://github.com/hexploitable) | r2frida mobile |
| Alex Soler | as0ler | N/A | r2frida Kung Fu, r2env |

### Malware & Security Analysis
| Speaker | Handle | Repository | Specialty |
|---------|--------|------------|-----------|
| Axelle Apvrille | cryptax | [github.com/cryptax](https://github.com/cryptax) | Malware, r2ai, droidlysis |
| Tim Blazytko | mr_phrazer | [github.com/mrphrazer](https://github.com/mrphrazer) | MBA deobfuscation, msynth |
| Julien Voisin | jvoisin | [github.com/jvoisin](https://github.com/jvoisin) | Security tooling |
| cmatthewbrooks | cmatthewbrooks | N/A | Windows malware |

### Signatures & Similarity
| Speaker | Handle | Repository | Specialty |
|---------|--------|------------|-----------|
| Barton Rhodes | bmorphism | [github.com/bmorphism](https://github.com/bmorphism) | r2 Zignatures (2020) |
| swoops | swoops | [github.com/swoops](https://github.com/swoops) | libc_zignatures, dr_pebber |
| Fernando Dominguez | FernandoDoming | [github.com/FernandoDoming](https://github.com/FernandoDoming) | diaphora similarity |

### Mobile Security (OWASP MSTG)
| Speaker | Handle | Repository | Specialty |
|---------|--------|------------|-----------|
| Carlos Holguera | cpholguera | [github.com/cpholguera](https://github.com/cpholguera) | OWASP MSTG co-author |
| Eduardo Novella | enovella | [github.com/enovella](https://github.com/enovella) | NowSecure, r2frida |
| Francesco Tamagni | mrmacete | [github.com/mrmacete](https://github.com/mrmacete) | NowSecure iOS |

### Decompilation & Analysis
| Speaker | Handle | Repository | Specialty |
|---------|--------|------------|-----------|
| Ahmed Abd El Mawgood | oddcoder | [github.com/oddcoder](https://github.com/oddcoder) | RAIR (Radare In Rust) |
| Antide Petit | xarkes | [github.com/xarkes](https://github.com/xarkes) | Cutter development |
| Arnau Gamez | arnaugamez | [github.com/arnaugamez](https://github.com/arnaugamez) | Side-channel attacks |

### Key Tool Repositories
```bash
# radare2 ecosystem
git clone https://github.com/radareorg/radare2      # Core framework
git clone https://github.com/radareorg/r2ghidra     # Ghidra decompiler
git clone https://github.com/radareorg/radare2-mcp  # MCP server
git clone https://github.com/radareorg/esil-rs      # ESIL in Rust

# Rizin fork (Cutter backend)
git clone https://github.com/rizinorg/rizin         # Rizin framework
git clone https://github.com/rizinorg/cutter        # GUI
git clone https://github.com/rizinorg/rz-ghidra     # Ghidra integration

# Frida ecosystem
git clone https://github.com/frida/frida-core       # Core library
git clone https://github.com/frida/frida-gum        # Instrumentation
git clone https://github.com/frida/cryptoshark      # Code tracer

# Speaker tools
git clone https://github.com/swoops/libc_zignatures # libc signatures
git clone https://github.com/swoops/dr_pebber       # Fake TEB/PEB for ESIL
git clone https://github.com/mrphrazer/msynth       # MBA simplification
git clone https://github.com/cryptax/droidlysis     # Android analysis
git clone https://github.com/iGio90/Dwarf           # Frida debugger
git clone https://github.com/condret/r2premium      # r2 premium features
```

### Process Tree Analysis Perspectives

Each speaker brings unique analysis perspective:

| Speaker | Focus | Process Tree Approach |
|---------|-------|----------------------|
| **pancake** | Core r2 | `r2 -d pid://PID` attach, sandbox escape surfaces |
| **xvilka** | UEFI/radeco | Chromium shmem handles, decompile GPU process |
| **condret** | ESIL | Each PID as ESIL context, trace IPC parsing |
| **Pelissier_S** | Side-channel | Timing oracles in `--time-ticks-*` params |
| **alkalinesec** | ESILSolve | Symbolic exec on sandbox constraints |
| **iGio90** | r2frida | `frida -U -n 'process'` + r2 integration |
| **thestr4ng3r** | Cutter | GUI attach, graph shader pipeline |
| **cryptax** | Malware | Persistence via flox-watchdog, LOLbins |
| **bmorphism** | Zignatures | `zg` signature generation across renderer variants |
| **swoops** | dr_pebber | Fake PEB structures for Windows emulation |
| **mr_phrazer** | Deobfuscation | MBA expressions in obfuscated binaries |

## Example Session

```
User: Analyze this binary for buffer overflow vulnerabilities

Agent:
1. Starting GhidraMCP server...
2. Loading binary and auto-analyzing...
3. [list_functions] Found 47 functions
4. [search_functions "strcpy|sprintf|gets"] Found 3 dangerous calls:
   - sub_401234: uses strcpy with stack buffer
   - sub_401456: sprintf without bounds
5. [decompile_function "sub_401234"] 
   
   void vuln_func(char *input) {
       char buffer[64];
       strcpy(buffer, input);  // VULNERABLE: no bounds check
       ...
   }

6. [xrefs_to "sub_401234"] Called from main+0x45
7. Vulnerability confirmed: Stack buffer overflow in sub_401234
```

---

## End-of-Skill Interface

## Integration with Gay.jl Colors

Assign deterministic colors to binary analysis domains:

```julia
using Gay

# Trit classification for RE tools
GHIDRA_TRIT = 0      # ZERO - foundational analysis
IDA_TRIT = 1         # PLUS - commercial/advanced  
RADARE2_TRIT = -1    # MINUS - lightweight/CLI

# Color functions by complexity
function color_function(cyclomatic_complexity::Int, seed::UInt64)
    Gay.color_at(cyclomatic_complexity, seed)
end

# Color control flow graph nodes
function color_cfg_node(block_id::Int, func_seed::UInt64)
    Gay.color_at(block_id, func_seed)
end
```

## Related Skills

- `effective-topos`: radare2 integration
- `mcp-tripartite`: Binary analysis trit (-1 MINUS)
- `binsec`: Symbolic execution tutorials
- `gay-mcp`: Deterministic coloring for CFG visualization

Related Skills

reverse-engineering-rust-malware

from plurigrid/asi

Reverse engineer Rust-compiled malware using IDA Pro and Ghidra with techniques for handling non-null-terminated strings, crate dependency extraction, and Rust-specific control flow analysis.

reverse-engineering-ransomware-encryption-routine

from plurigrid/asi

Reverse engineer ransomware encryption routines to identify cryptographic algorithms, key generation flaws, and potential decryption opportunities using static and dynamic analysis.

reverse-engineering-malware-with-ghidra

from plurigrid/asi

Reverse engineers malware binaries using NSA's Ghidra disassembler and decompiler to understand internal logic, cryptographic routines, C2 protocols, and evasion techniques at the assembly and pseudo-C level. Activates for requests involving malware reverse engineering, disassembly analysis, decompilation, binary analysis, or understanding malware internals.

reverse-engineering-ios-app-with-frida

from plurigrid/asi

Reverse engineers iOS applications using Frida dynamic instrumentation to understand internal logic, extract encryption keys, bypass security controls, and discover hidden functionality without source code access. Use when performing authorized iOS penetration testing, analyzing proprietary protocols, understanding obfuscated logic, or extracting runtime secrets from iOS binaries. Activates for requests involving iOS reverse engineering, Frida iOS hooking, Objective-C/Swift method tracing, or iOS binary analysis.

reverse-engineering-dotnet-malware-with-dnspy

from plurigrid/asi

Reverse engineers .NET malware using dnSpy decompiler and debugger to analyze C#/VB.NET source code, identify obfuscation techniques, extract configurations, and understand malicious functionality including stealers, RATs, and loaders. Activates for requests involving .NET malware analysis, C# malware decompilation, managed code reverse engineering, or .NET obfuscation analysis.

reverse-engineering-android-malware-with-jadx

from plurigrid/asi

Reverse engineers malicious Android APK files using JADX decompiler to analyze Java/Kotlin source code, identify malicious functionality including data theft, C2 communication, privilege escalation, and overlay attacks. Examines manifest permissions, receivers, services, and native libraries. Activates for requests involving Android malware analysis, APK reverse engineering, mobile malware investigation, or Android threat analysis.

reverse-derivative-validator

from plurigrid/asi

Triadic skill (validation)

reverse-derivative-generator

from plurigrid/asi

Triadic skill (generation)

reverse-derivative-coordinator

from plurigrid/asi

Triadic skill (coordination)

protocol-reverse-engineering

from plurigrid/asi

Master network protocol reverse engineering including packet analysis, protocol dissection, and custom protocol documentation. Use when analyzing network traffic, understanding proprietary protocols, or debugging network communication.

mermaid-reverse-attempt

from plurigrid/asi

Mermaid URL codec - encodes/decodes #base64: (amp CLI) and #pako: (mermaid.live) formats

implementing-security-chaos-engineering

from plurigrid/asi

Implements security chaos engineering experiments that deliberately disable or degrade security controls to verify detection and response capabilities. Tests WAF bypass, firewall rule removal, log pipeline disruption, and EDR disablement scenarios using boto3 and subprocess. Use when validating SOC detection coverage and resilience.