- Home
- Skills
- Cyberkaida
- Reverse Engineering Assistant
- Deep Analysis
deep-analysis_skill
- Java
510
GitHub Stars
3
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill cyberkaida/reverse-engineering-assistant --skill deep-analysis- examples.md18.9 KB
- patterns.md17.3 KB
- SKILL.md19.9 KB
Overview
This skill performs focused, depth-first reverse engineering investigations to answer concrete questions about binary behavior. It iteratively analyzes code, makes small, evidence-based improvements to the Ghidra database, and returns findings with precise evidence and follow-up threads. Use it after a triage pass or when you need a targeted deep dive into suspicious areas.
How this skill works
The skill runs an investigation loop: gather decompilation and data context, analyze operations and references, make incremental database edits (renames, types, comments), then re-verify and follow promising threads. Each claim is tied to concrete evidence: addresses, code snippets, and rationale. The loop repeats until the question is answered or clear next tasks are produced.
When to use it
- After binary-triage highlights suspicious functions or strings
- When you need to know "What does this function do?" or verify use of crypto
- To locate potential C2 addresses or network behavior in a binary
- When callers or types are unclear and need precise fixing
- When you want evidence-backed conclusions with documented assumptions
Best practices
- Limit each iteration to a few tool calls and focused goals to avoid scope creep
- Prioritize low-cost, high-impact edits: variable renames, then type fixes, then prototypes
- Always attach addresses and short decompilation snippets to every claim
- Document assumptions explicitly, give confidence ratings, and set bookmarks for follow-ups
- Return actionable unanswered threads with starting points and priorities
Example use cases
- Determine if sub_401234 implements AES and where the key comes from
- Trace an obfuscated string to the network connect call to identify C2
- Fix parameter and local types in a function that mis-decompiles into many casts
- Follow data flow from a suspicious API call to find what data is exfiltrated
- Validate whether a routine uses standard crypto primitives or custom obfuscation