plurigrid/asi
Overview
This skill provides a practical reverse engineering toolkit that orchestrates MCP servers for Ghidra, IDA Pro, radare2, and angr to analyze binaries, recover symbols, and decompile functions. It focuses on automation-friendly workflows for vulnerability research, malware analysis, firmware extraction, and CTF tasks. The skill exposes common operations like listing functions, decompiling routines, searching for dangerous APIs, and creating or annotating structures.
How this skill works
The skill communicates with MCP servers running in analysis backends (Ghidra, IDA, radare2, multi-tool bridges) to run inspection and modification commands remotely. It issues queries such as list_functions, decompile_function, xrefs_to, and list_imports, then aggregates results to surface relevant findings (suspicious APIs, cross-references, protection flags). It can also drive headless analysis, run radare2 CLI commands, and apply automated struct recovery and renaming to speed triage.
When to use it
- Triage unknown binaries to find entry points, imports, and strings.
- Confirm and reproduce vulnerabilities by decompiling and tracing xrefs.
- Analyze malware to locate C2 endpoints, obfuscated routines, or persistence logic.
- Solve CTF reverse challenges: find flag functions, check protections, build ROP chains.
- Perform firmware extraction and symbol recovery across multiple backends.
Best practices
- Start with get_program_info to capture architecture, compiler and protection flags before deeper analysis.
- Automate noisy searches (strings, imports, dangerous APIs) to narrow candidate functions quickly.
- Use xrefs_to/xrefs_from to trace data flow rather than relying solely on decompiled output.
- Keep annotations and decompiler comments in the project to preserve triage context.
- Cross-validate findings across tools (Ghidra, IDA, radare2) to reduce false positives.
Example use cases
- Malware triage: list_imports, list_strings, search_functions for obfuscation or encryption routines.
- Vulnerability research: search for parse|read|copy handlers, decompile suspected functions, trace callers.
- CTF workflow: check PIE/RELRO/canary, find win_or_flag functions, inspect segments for ROP gadgets.
- Firmware analysis: extract segments, recover structures with auto_create_struct, identify hardware IO routines.
- Binary diffing and patch review: list_functions and function_xrefs to locate changed code paths.
FAQ
Supported backends include Ghidra (free, rich decompiler), IDA Pro (commercial, advanced features), radare2 (CLI-focused), and multi-tool MCPs. Choose based on available licenses, desired automation, and target format.
How do I start an automated analysis session?
Load the binary into your chosen tool, start its MCP server, run get_program_info then automated scans (list_functions, list_strings, list_imports), and then target decompilation and xref queries for candidate functions.
3 skills
This skill analyzes and reverse engineers binaries using MCP servers to identify functions, decompile code, and reveal vulnerabilities.
This skill helps you create logos, icons, diagrams, and slide decks from the command line and Slidev, saving design time.
This skill helps you create, read, edit, and analyze spreadsheets using formulas and formatting to optimize data workflows.