reverse-engineering_skill

This skill analyzes and reverse engineers binaries using MCP servers to identify functions, decompile code, and reveal vulnerabilities.
  • HTML

6

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill plurigrid/asi --skill reverse-engineering

  • SKILL.md12.3 KB

Overview

This skill provides a practical reverse engineering toolkit that orchestrates MCP servers for Ghidra, IDA Pro, radare2, and angr to analyze binaries, recover symbols, and decompile functions. It focuses on automation-friendly workflows for vulnerability research, malware analysis, firmware extraction, and CTF tasks. The skill exposes common operations like listing functions, decompiling routines, searching for dangerous APIs, and creating or annotating structures.

How this skill works

The skill communicates with MCP servers running in analysis backends (Ghidra, IDA, radare2, multi-tool bridges) to run inspection and modification commands remotely. It issues queries such as list_functions, decompile_function, xrefs_to, and list_imports, then aggregates results to surface relevant findings (suspicious APIs, cross-references, protection flags). It can also drive headless analysis, run radare2 CLI commands, and apply automated struct recovery and renaming to speed triage.

When to use it

  • Triage unknown binaries to find entry points, imports, and strings.
  • Confirm and reproduce vulnerabilities by decompiling and tracing xrefs.
  • Analyze malware to locate C2 endpoints, obfuscated routines, or persistence logic.
  • Solve CTF reverse challenges: find flag functions, check protections, build ROP chains.
  • Perform firmware extraction and symbol recovery across multiple backends.

Best practices

  • Start with get_program_info to capture architecture, compiler and protection flags before deeper analysis.
  • Automate noisy searches (strings, imports, dangerous APIs) to narrow candidate functions quickly.
  • Use xrefs_to/xrefs_from to trace data flow rather than relying solely on decompiled output.
  • Keep annotations and decompiler comments in the project to preserve triage context.
  • Cross-validate findings across tools (Ghidra, IDA, radare2) to reduce false positives.

Example use cases

  • Malware triage: list_imports, list_strings, search_functions for obfuscation or encryption routines.
  • Vulnerability research: search for parse|read|copy handlers, decompile suspected functions, trace callers.
  • CTF workflow: check PIE/RELRO/canary, find win_or_flag functions, inspect segments for ROP gadgets.
  • Firmware analysis: extract segments, recover structures with auto_create_struct, identify hardware IO routines.
  • Binary diffing and patch review: list_functions and function_xrefs to locate changed code paths.

FAQ

Supported backends include Ghidra (free, rich decompiler), IDA Pro (commercial, advanced features), radare2 (CLI-focused), and multi-tool MCPs. Choose based on available licenses, desired automation, and target format.

How do I start an automated analysis session?

Load the binary into your chosen tool, start its MCP server, run get_program_info then automated scans (list_functions, list_strings, list_imports), and then target decompilation and xref queries for candidate functions.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational