
reverse-engineering skill


This skill analyzes and reverse engineers binaries using MCP servers to identify functions, decompile code, and reveal vulnerabilities.

npx playbooks add skill plurigrid/asi --skill reverse-engineering


Files (1)
SKILL.md
12.3 KB
---
name: reverse-engineering
description: Reverse Engineering Skill
version: 1.0.0
---

# Reverse Engineering Skill

Binary analysis and reverse engineering via MCP servers for Ghidra, IDA Pro, radare2, and angr.

## Trigger Conditions

- User asks to analyze binaries, disassemble code, decompile functions
- Questions about malware analysis, vulnerability research, CTF challenges
- Binary diffing, patch analysis, firmware extraction
- Symbol recovery, function identification, control flow analysis

## MCP Servers

### 1. GhidrAssistMCP (Ghidra - Free)
**Repository**: https://github.com/jtang613/GhidrAssistMCP  
**Stars**: High activity  
**Transport**: HTTP/SSE on port 8080

**Installation**:
```bash
# Download from releases page
# In Ghidra: File → Install Extensions → Add Extension
# Enable: File → Configure → Configure Plugins → GhidrAssistMCP
```

**31 Built-in Tools**:
| Category | Tools |
|----------|-------|
| Program Analysis | `get_program_info`, `list_functions`, `list_data`, `list_strings`, `list_imports`, `list_exports`, `list_segments` |
| Function Analysis | `get_function_info`, `decompile_function`, `disassemble_function`, `function_xrefs`, `search_functions` |
| Navigation | `get_current_address`, `xrefs_to`, `xrefs_from`, `get_current_function` |
| Modification | `rename_function`, `rename_variable`, `set_function_prototype`, `set_local_variable_type`, `set_disassembly_comment` |
| Advanced | `auto_create_struct` |

### 2. LaurieWired/GhidraMCP (Popular Alternative)
**Repository**: https://github.com/LaurieWired/GhidraMCP  
**Transport**: Python bridge to Ghidra

### 3. IDA Pro MCP Servers

**mrexodia/ida-pro-mcp** (Most active):
```bash
git clone https://github.com/mrexodia/ida-pro-mcp
cd ida-pro-mcp
pip install -e .
```

**MxIris-Reverse-Engineering/ida-mcp-server** (473 stars):
```bash
git clone https://github.com/MxIris-Reverse-Engineering/ida-mcp-server
```

**fdrechsler/mcp-server-idapro**:
```bash
git clone https://github.com/fdrechsler/mcp-server-idapro
```

### 4. radare2-mcp (Official)
**Repository**: https://github.com/radareorg/radare2-mcp  
**Transport**: stdio

```bash
# Install radare2 first
brew install radare2  # macOS
# or: apt install radare2  # Linux

git clone https://github.com/radareorg/radare2-mcp
cd radare2-mcp
pip install -e .
```

**MCP Config**:
```json
{
  "mcpServers": {
    "radare2": {
      "command": "r2-mcp",
      "args": []
    }
  }
}
```

### 5. rand-tech/pcm (Multi-tool)
**Repository**: https://github.com/rand-tech/pcm  
MCP for reverse engineering combining multiple backends.

## Workflows

### Basic Binary Analysis
```
1. Load binary into Ghidra/IDA
2. Start MCP server
3. Query: "List all functions" → list_functions
4. Query: "Decompile main" → decompile_function
5. Query: "Find xrefs to this address" → xrefs_to
```

### Malware Analysis Pattern
```
1. get_program_info → Architecture, compiler, entry point
2. list_imports → Suspicious API calls (CreateRemoteThread, VirtualAlloc)
3. list_strings → C2 URLs, encryption keys, debug strings
4. search_functions "crypt" → Find encryption routines
5. decompile_function → Understand algorithm
6. auto_create_struct → Recover data structures
```

### Vulnerability Research
```
1. list_functions → Function list with sizes
2. search_functions "parse|read|copy" → Input handlers
3. decompile_function → Find buffer operations
4. xrefs_to → Trace data flow
5. set_decompiler_comment → Annotate findings
```

### CTF Binary Exploitation
```
1. get_program_info → Check protections (PIE, RELRO, canary)
2. list_functions → Find win/flag functions
3. decompile_function → Understand vulnerability
4. xrefs_from → Control flow analysis
5. list_segments → Memory layout for ROP
```

## CLI Quick Reference

### radare2 Commands
```bash
r2 binary                    # Open binary
aaa                          # Analyze all
afl                          # List functions
pdf @ main                   # Disassemble function
pdc @ main                   # Pseudo-C decompile (built-in); use pdg @ main for r2ghidra
axt @ addr                   # Xrefs to
axf @ addr                   # Xrefs from
iz                           # List strings
ii                           # List imports
```

### Ghidra Headless
```bash
analyzeHeadless /tmp/project ProjectName \
  -import binary.exe \
  -postScript ExportDecompilation.java \
  -deleteProject
```

## Resources

- [Awesome Reverse Engineering](https://github.com/wtsxDev/reverse-engineering)
- [CTF Wiki - Reverse](https://ctf-wiki.org/reverse/)
- [Ghidra Scripting](https://ghidra.re/ghidra_docs/api/)
- [radare2 Book](https://book.rada.re/)

## r2con Speaker Repositories

Key repositories from r2con 2016-2025 speakers for process tree and binary analysis:

### Core radare2 Team
| Speaker | Handle | Repository | Specialty |
|---------|--------|------------|-----------|
| Sergi Alvarez | pancake | [github.com/trufae](https://github.com/trufae) | radare2 creator, r2pipe |
| Anton Kochkov | xvilka | [github.com/XVilka](https://github.com/XVilka) | UEFI, radeco decompiler |
| Florian Märkl | thestr4ng3r | [github.com/thestr4ng3r](https://github.com/thestr4ng3r) | Cutter/Rizin founder |
| condret | condret | [github.com/condret](https://github.com/condret) | ESIL core, SIOL I/O |
| wargio | wargio | [github.com/wargio](https://github.com/wargio) | GSoC mentor |
| maijin | maijin | [github.com/maijin](https://github.com/maijin) | r2 book maintainer |

### ESIL & Symbolic Execution
| Speaker | Handle | Repository | Specialty |
|---------|--------|------------|-----------|
| Chase Kanipe | alkalinesec | [github.com/alkalinesec](https://github.com/alkalinesec) | ESILSolve symbolic exec |
| Sylvain Pelissier | Pelissier_S | N/A | ESIL side-channel simulation |
| Abel Valero | skuater | [github.com/skuater](https://github.com/skuater) | r2wars, ESIL plugins |
| Gerardo García | killabytenow | [github.com/killabytenow](https://github.com/killabytenow) | ESIL limits |

### Frida Integration (r2frida)
| Speaker | Handle | Repository | Specialty |
|---------|--------|------------|-----------|
| Ole André Ravnås | oleavr | [github.com/oleavr](https://github.com/oleavr) | Frida creator, NowSecure |
| Giovanni Rocca | iGio90 | [github.com/iGio90](https://github.com/iGio90) | Dwarf debugger |
| Grant Douglas | hexploitable | [github.com/hexploitable](https://github.com/hexploitable) | r2frida mobile |
| Alex Soler | as0ler | N/A | r2frida Kung Fu, r2env |

### Malware & Security Analysis
| Speaker | Handle | Repository | Specialty |
|---------|--------|------------|-----------|
| Axelle Apvrille | cryptax | [github.com/cryptax](https://github.com/cryptax) | Malware, r2ai, droidlysis |
| Tim Blazytko | mr_phrazer | [github.com/mrphrazer](https://github.com/mrphrazer) | MBA deobfuscation, msynth |
| Julien Voisin | jvoisin | [github.com/jvoisin](https://github.com/jvoisin) | Security tooling |
| cmatthewbrooks | cmatthewbrooks | N/A | Windows malware |

### Signatures & Similarity
| Speaker | Handle | Repository | Specialty |
|---------|--------|------------|-----------|
| Barton Rhodes | bmorphism | [github.com/bmorphism](https://github.com/bmorphism) | r2 Zignatures (2020) |
| swoops | swoops | [github.com/swoops](https://github.com/swoops) | libc_zignatures, dr_pebber |
| Fernando Dominguez | FernandoDoming | [github.com/FernandoDoming](https://github.com/FernandoDoming) | diaphora similarity |

### Mobile Security (OWASP MSTG)
| Speaker | Handle | Repository | Specialty |
|---------|--------|------------|-----------|
| Carlos Holguera | cpholguera | [github.com/cpholguera](https://github.com/cpholguera) | OWASP MSTG co-author |
| Eduardo Novella | enovella | [github.com/enovella](https://github.com/enovella) | NowSecure, r2frida |
| Francesco Tamagni | mrmacete | [github.com/mrmacete](https://github.com/mrmacete) | NowSecure iOS |

### Decompilation & Analysis
| Speaker | Handle | Repository | Specialty |
|---------|--------|------------|-----------|
| Ahmed Abd El Mawgood | oddcoder | [github.com/oddcoder](https://github.com/oddcoder) | RAIR (Radare In Rust) |
| Antide Petit | xarkes | [github.com/xarkes](https://github.com/xarkes) | Cutter development |
| Arnau Gamez | arnaugamez | [github.com/arnaugamez](https://github.com/arnaugamez) | Side-channel attacks |

### Key Tool Repositories
```bash
# radare2 ecosystem
git clone https://github.com/radareorg/radare2      # Core framework
git clone https://github.com/radareorg/r2ghidra     # Ghidra decompiler
git clone https://github.com/radareorg/radare2-mcp  # MCP server
git clone https://github.com/radareorg/esil-rs      # ESIL in Rust

# Rizin fork (Cutter backend)
git clone https://github.com/rizinorg/rizin         # Rizin framework
git clone https://github.com/rizinorg/cutter        # GUI
git clone https://github.com/rizinorg/rz-ghidra     # Ghidra integration

# Frida ecosystem
git clone https://github.com/frida/frida-core       # Core library
git clone https://github.com/frida/frida-gum        # Instrumentation
git clone https://github.com/frida/cryptoshark      # Code tracer

# Speaker tools
git clone https://github.com/swoops/libc_zignatures # libc signatures
git clone https://github.com/swoops/dr_pebber       # Fake TEB/PEB for ESIL
git clone https://github.com/mrphrazer/msynth       # MBA simplification
git clone https://github.com/cryptax/droidlysis     # Android analysis
git clone https://github.com/iGio90/Dwarf           # Frida debugger
git clone https://github.com/condret/r2premium      # r2 premium features
```

### Process Tree Analysis Perspectives

Each speaker brings a unique analysis perspective:

| Speaker | Focus | Process Tree Approach |
|---------|-------|----------------------|
| **pancake** | Core r2 | `r2 -d pid://PID` attach, sandbox escape surfaces |
| **xvilka** | UEFI/radeco | Chromium shmem handles, decompile GPU process |
| **condret** | ESIL | Each PID as ESIL context, trace IPC parsing |
| **Pelissier_S** | Side-channel | Timing oracles in `--time-ticks-*` params |
| **alkalinesec** | ESILSolve | Symbolic exec on sandbox constraints |
| **iGio90** | r2frida | `frida -U -n 'process'` + r2 integration |
| **thestr4ng3r** | Cutter | GUI attach, graph shader pipeline |
| **cryptax** | Malware | Persistence via flox-watchdog, LOLbins |
| **bmorphism** | Zignatures | `zg` signature generation across renderer variants |
| **swoops** | dr_pebber | Fake PEB structures for Windows emulation |
| **mr_phrazer** | Deobfuscation | MBA expressions in obfuscated binaries |

## Example Session

```
User: Analyze this binary for buffer overflow vulnerabilities

Agent:
1. Starting GhidraMCP server...
2. Loading binary and auto-analyzing...
3. [list_functions] Found 47 functions
4. [search_functions "strcpy|sprintf|gets"] Found 3 dangerous calls:
   - sub_401234: uses strcpy with stack buffer
   - sub_401456: sprintf without bounds
5. [decompile_function "sub_401234"] 
   
   void vuln_func(char *input) {
       char buffer[64];
       strcpy(buffer, input);  // VULNERABLE: no bounds check
       ...
   }

6. [xrefs_to "sub_401234"] Called from main+0x45
7. Vulnerability confirmed: Stack buffer overflow in sub_401234
```

---

## End-of-Skill Interface

## Integration with Gay.jl Colors

Assign deterministic colors to binary analysis domains:

```julia
using Gay

# Trit classification for RE tools
GHIDRA_TRIT = 0      # ZERO - foundational analysis
IDA_TRIT = 1         # PLUS - commercial/advanced  
RADARE2_TRIT = -1    # MINUS - lightweight/CLI

# Color functions by complexity
function color_function(cyclomatic_complexity::Int, seed::UInt64)
    Gay.color_at(cyclomatic_complexity, seed)
end

# Color control flow graph nodes
function color_cfg_node(block_id::Int, func_seed::UInt64)
    Gay.color_at(block_id, func_seed)
end
```

## Related Skills

- `effective-topos`: radare2 integration
- `mcp-tripartite`: Binary analysis trit (-1 MINUS)
- `binsec`: Symbolic execution tutorials
- `gay-mcp`: Deterministic coloring for CFG visualization

## SDF Interleaving

This skill connects to **Software Design for Flexibility** (Hanson & Sussman, 2021):

### Primary Chapter: 3. Variations on an Arithmetic Theme

**Concepts**: generic arithmetic, coercion, symbolic, numeric

### GF(3) Balanced Triad

```
reverse-engineering (−) + SDF.Ch3 (○) + [balancer] (+) = 0
```

**Skill Trit**: -1 (MINUS - verification)

### Secondary Chapters

- Ch10: Adventure Game Example
- Ch4: Pattern Matching
- Ch7: Propagators

### Connection Pattern

Generic arithmetic crosses type boundaries. This skill handles heterogeneous data.

Overview

This skill provides a practical reverse engineering toolkit that orchestrates MCP servers for Ghidra, IDA Pro, radare2, and angr to analyze binaries, recover symbols, and decompile functions. It focuses on automation-friendly workflows for vulnerability research, malware analysis, firmware extraction, and CTF tasks. The skill exposes common operations like listing functions, decompiling routines, searching for dangerous APIs, and creating or annotating structures.

How this skill works

The skill communicates with MCP servers running in analysis backends (Ghidra, IDA, radare2, multi-tool bridges) to run inspection and modification commands remotely. It issues queries such as list_functions, decompile_function, xrefs_to, and list_imports, then aggregates results to surface relevant findings (suspicious APIs, cross-references, protection flags). It can also drive headless analysis, run radare2 CLI commands, and apply automated struct recovery and renaming to speed triage.
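The aggregation step described here, and the first steps of the Malware Analysis, Vulnerability Research and CTF workflow patterns above, as an added example that is not part of the skill's own files: it runs offline over constructed JSON shaped like radare2's `ij`, `iij` and `aflj` output (the key names are assumed from radare2's JSON format; the suspicious-API names and the `parse|read|copy` pattern are the ones the workflow sections use).

```python
import json
import re

# Constructed sample data, shaped like radare2's `ij` (program info), `iij`
# (imports) and `aflj` (function list) JSON. Not captured from a real binary;
# the key names are an assumption about radare2's JSON output.
SAMPLE_INFO = json.dumps({"bin": {"arch": "x86", "bits": 64, "canary": False,
                                  "nx": True, "pic": False, "relro": "partial"}})
SAMPLE_IMPORTS = json.dumps([
    {"name": "strcpy", "plt": 4198400},
    {"name": "VirtualAlloc", "plt": 4198416},
    {"name": "CreateRemoteThread", "plt": 4198432},
    {"name": "puts", "plt": 4198448},
])
SAMPLE_FUNCS = json.dumps([
    {"name": "main", "offset": 4198656, "size": 120},
    {"name": "parse_header", "offset": 4198912, "size": 344},
    {"name": "copy_payload", "offset": 4199424, "size": 88},
    {"name": "print_banner", "offset": 4199680, "size": 40},
])

# APIs flagged by the malware pattern (injection/allocation) and the example
# session (unbounded C string functions).
SUSPICIOUS_IMPORTS = {"CreateRemoteThread", "VirtualAlloc", "strcpy", "sprintf", "gets"}
# Name pattern from the vulnerability-research workflow's search_functions step.
INPUT_HANDLER_RE = re.compile(r"parse|read|copy", re.IGNORECASE)


def check_protections(info_json):
    """CTF step 1: return the mitigations a binary is missing (PIE, RELRO, canary, NX)."""
    b = json.loads(info_json)["bin"]
    missing = []
    if not b.get("canary"):
        missing.append("canary")
    if not b.get("nx"):
        missing.append("nx")
    if not b.get("pic"):
        missing.append("pie")
    if b.get("relro") != "full":
        missing.append("full-relro")
    return missing


def flag_imports(imports_json):
    """Malware step 2: suspicious imports, sorted for stable reporting."""
    return sorted(i["name"] for i in json.loads(imports_json) if i["name"] in SUSPICIOUS_IMPORTS)


def input_handlers(funcs_json):
    """VR step 2: candidate input handlers, largest first (more parsing logic to review)."""
    hits = [f for f in json.loads(funcs_json) if INPUT_HANDLER_RE.search(f["name"])]
    return [f["name"] for f in sorted(hits, key=lambda f: f["size"], reverse=True)]


def triage(info_json, imports_json, funcs_json):
    """Aggregate the three scans into one triage summary for the agent to act on."""
    return {"missing_protections": check_protections(info_json),
            "suspicious_imports": flag_imports(imports_json),
            "input_handlers": input_handlers(funcs_json)}
```

In a live session the three JSON strings come from the radare2 MCP server or `r2pipe` (`ij`, `iij`, `aflj`) instead of the constructed constants, and `triage()` decides which functions get `decompile_function` and `xrefs_to` next.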

When to use it

  • Triage unknown binaries to find entry points, imports, and strings.
  • Confirm and reproduce vulnerabilities by decompiling and tracing xrefs.
  • Analyze malware to locate C2 endpoints, obfuscated routines, or persistence logic.
  • Solve CTF reverse challenges: find flag functions, check protections, build ROP chains.
  • Perform firmware extraction and symbol recovery across multiple backends.

Best practices

  • Start with get_program_info to capture architecture, compiler and protection flags before deeper analysis.
  • Automate noisy searches (strings, imports, dangerous APIs) to narrow candidate functions quickly.
  • Use xrefs_to/xrefs_from to trace data flow rather than relying solely on decompiled output.
  • Keep annotations and decompiler comments in the project to preserve triage context.
  • Cross-validate findings across tools (Ghidra, IDA, radare2) to reduce false positives.

Example use cases

  • Malware triage: list_imports, list_strings, search_functions for obfuscation or encryption routines.
  • Vulnerability research: search for parse|read|copy handlers, decompile suspected functions, trace callers.
  • CTF workflow: check PIE/RELRO/canary, find win_or_flag functions, inspect segments for ROP gadgets.
  • Firmware analysis: extract segments, recover structures with auto_create_struct, identify hardware IO routines.
  • Binary diffing and patch review: list_functions and function_xrefs to locate changed code paths.

FAQ

Which backends are supported and how do they differ?

Supported backends include Ghidra (free, rich decompiler), IDA Pro (commercial, advanced features), radare2 (CLI-focused), and multi-tool MCPs. Choose based on available licenses, desired automation, and target format.

How do I start an automated analysis session?

Load the binary into your chosen tool, start its MCP server, run get_program_info then automated scans (list_functions, list_strings, list_imports), and then target decompilation and xref queries for candidate functions.