Repository inventory

cyberkaida/reverse-engineering-assistant

Skills indexed from this repository, with install-style signals scoped to the repo.
4 skills · 2K GitHub stars · 0 weekly installs · Java

Overview

This skill performs focused, depth-first reverse engineering investigations to answer concrete questions about binary behavior. It iteratively analyzes code, makes small, evidence-based improvements to the Ghidra database, and returns findings with precise evidence and follow-up threads. Use it after a triage pass or when you need a targeted deep dive into suspicious areas.

How this skill works

The skill runs an investigation loop: gather decompilation and data context, analyze operations and references, make incremental database edits (renames, types, comments), then re-verify and follow promising threads. Each claim is tied to concrete evidence: addresses, code snippets, and rationale. The loop repeats until the question is answered or clear next tasks are produced.

When to use it

  • After binary-triage highlights suspicious functions or strings
  • When you need to answer "What does this function do?" or verify whether it uses cryptography
  • To locate potential C2 addresses or network behavior in a binary
  • When callers or types are unclear and need precise fixing
  • When you want evidence-backed conclusions with documented assumptions

Best practices

  • Limit each iteration to a few tool calls and focused goals to avoid scope creep
  • Prioritize low-cost, high-impact edits: variable renames, then type fixes, then prototypes
  • Always attach addresses and short decompilation snippets to every claim
  • Document assumptions explicitly, give confidence ratings, and set bookmarks for follow-ups
  • Return actionable unanswered threads with starting points and priorities

Example use cases

  • Determine whether sub_401234 implements AES and where its key comes from
  • Trace an obfuscated string to the network connect call to identify C2
  • Fix parameter and local types in a function that mis-decompiles into many casts
  • Follow data flow from a suspicious API call to find what data is exfiltrated
  • Validate whether a routine uses standard crypto primitives or custom obfuscation

Built by VeilStrat. © 2026 VeilStrat. All rights reserved.