Reverse Engineering Skill
```
/plugin marketplace add plurigrid/asi
/plugin install asi-skills@asi-skills
```
This skill inherits all available tools. When active, it can use any tool Claude has access to.
Binary analysis and reverse engineering via MCP servers for Ghidra, IDA Pro, radare2, and angr.
Repository: https://github.com/jtang613/GhidrAssistMCP
Stars: High activity
Transport: HTTP/SSE on port 8080
Installation:
```
# Download from releases page
# In Ghidra: File → Install Extensions → Add Extension
# Enable: File → Configure → Configure Plugins → GhidrAssistMCP
```
31 Built-in Tools:

| Category | Tools |
|---|---|
| Program Analysis | get_program_info, list_functions, list_data, list_strings, list_imports, list_exports, list_segments |
| Function Analysis | get_function_info, decompile_function, disassemble_function, function_xrefs, search_functions |
| Navigation | get_current_address, xrefs_to, xrefs_from, get_current_function |
| Modification | rename_function, rename_variable, set_function_prototype, set_local_variable_type, set_disassembly_comment |
| Advanced | auto_create_struct |
Repository: https://github.com/LaurieWired/GhidraMCP
Transport: Python bridge to Ghidra
mrexodia/ida-pro-mcp (Most active):
```sh
git clone https://github.com/mrexodia/ida-pro-mcp
cd ida-pro-mcp
pip install -e .
```
MxIris-Reverse-Engineering/ida-mcp-server (473 stars):
```sh
git clone https://github.com/MxIris-Reverse-Engineering/ida-mcp-server
```
fdrechsler/mcp-server-idapro:
```sh
git clone https://github.com/fdrechsler/mcp-server-idapro
```
Repository: https://github.com/radareorg/radare2-mcp
Transport: stdio
```sh
# Install radare2 first
brew install radare2        # macOS
# or: apt install radare2   # Linux
git clone https://github.com/radareorg/radare2-mcp
cd radare2-mcp
pip install -e .
```
MCP Config:
```json
{
  "mcpServers": {
    "radare2": {
      "command": "r2-mcp",
      "args": []
    }
  }
}
```
Repository: https://github.com/rand-tech/pcm
MCP for reverse engineering combining multiple backends.
1. Load binary into Ghidra/IDA
2. Start MCP server
3. Query: "List all functions" → list_functions
4. Query: "Decompile main" → decompile_function
5. Query: "Find xrefs to this address" → xrefs_to
1. get_program_info → Architecture, compiler, entry point
2. list_imports → Suspicious API calls (CreateRemoteThread, VirtualAlloc)
3. list_strings → C2 URLs, encryption keys, debug strings
4. search_functions "crypt" → Find encryption routines
5. decompile_function → Understand algorithm
6. auto_create_struct → Recover data structures
1. list_functions → Function list with sizes
2. search_functions "parse|read|copy" → Input handlers
3. decompile_function → Find buffer operations
4. xrefs_to → Trace data flow
5. set_decompiler_comment → Annotate findings
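As an added example (not code from this skill page or from any of the MCP servers listed), here is the triage logic an agent applies to what list_imports, list_strings and search_functions return in the malware-analysis and vulnerability-research workflows above. The sample tool outputs, the API watch-lists and the regexes are constructed assumptions; a live server returns real data in whatever shape it defines.

```python
import re

# Constructed sample of list_imports output ("DLL::symbol" entries) for a PE sample.
SAMPLE_IMPORTS = [
    "KERNEL32.dll::CreateRemoteThread",
    "KERNEL32.dll::VirtualAllocEx",
    "KERNEL32.dll::WriteProcessMemory",
    "MSVCRT.dll::strcpy",
    "MSVCRT.dll::sprintf",
    "MSVCRT.dll::snprintf",
    "WININET.dll::InternetOpenUrlA",
]
# Constructed sample of list_strings output (the URL is a placeholder, not a real IoC).
SAMPLE_STRINGS = [
    "http://example.invalid/gate.php",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "%s\\%s.exe",
    "debug: entering main loop",
]
# Constructed sample of list_functions names.
SAMPLE_FUNCTIONS = ["main", "parse_header", "ReadConfig", "sub_401234", "copy_buf", "crypt_init"]

# Remote-injection API trio: all three together is a much stronger signal than any one alone.
INJECTION_APIS = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory"}
# Unbounded copy/format routines: decompile their callers first in the vuln workflow.
UNBOUNDED_APIS = {"strcpy", "strcat", "sprintf", "vsprintf", "gets"}
URL_RE = re.compile(r"https?://[\w.-]+(?:/\S*)?", re.IGNORECASE)
RUNKEY_RE = re.compile(r"CurrentVersion\\Run", re.IGNORECASE)

def triage_imports(imports):
    """Split import names into (injection hits, unbounded-API hits), both sorted."""
    names = {entry.rsplit("::", 1)[-1] for entry in imports}
    return sorted(names & INJECTION_APIS), sorted(names & UNBOUNDED_APIS)

def triage_strings(strings):
    """Return (network endpoints, Run-key persistence strings) worth a closer look."""
    return ([s for s in strings if URL_RE.search(s)],
            [s for s in strings if RUNKEY_RE.search(s)])

def search_functions(names, pattern):
    """Local stand-in for the search_functions query: case-insensitive regex over names."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [n for n in names if rx.search(n)]

if __name__ == "__main__":
    print("imports:", triage_imports(SAMPLE_IMPORTS))
    print("strings:", triage_strings(SAMPLE_STRINGS))
    print("input handlers:", search_functions(SAMPLE_FUNCTIONS, "parse|read|copy"))
```

The hits from triage_imports and search_functions are exactly the functions to feed into decompile_function and xrefs_to next, which keeps the agent's expensive decompilation calls focused.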
1. get_program_info → Check protections (PIE, RELRO, canary)
2. list_functions → Find win/flag functions
3. decompile_function → Understand vulnerability
4. xrefs_from → Control flow analysis
5. list_segments → Memory layout for ROP
```sh
r2 binary     # Open binary
aaa           # Analyze all
afl           # List functions
pdf @ main    # Disassemble function
pdc @ main    # Pseudo-C decompile (built-in; r2ghidra uses pdg @ main)
axt @ addr    # Xrefs to
axf @ addr    # Xrefs from
iz            # List strings
ii            # List imports
```
```sh
analyzeHeadless /tmp/project ProjectName \
  -import binary.exe \
  -postScript ExportDecompilation.java \
  -deleteProject
```
Key repositories from r2con 2016-2025 speakers for process tree and binary analysis:

| Speaker | Handle | Repository | Specialty |
|---|---|---|---|
| Sergi Alvarez | pancake | github.com/trufae | radare2 creator, r2pipe |
| Anton Kochkov | xvilka | github.com/XVilka | UEFI, radeco decompiler |
| Florian Märkl | thestr4ng3r | github.com/thestr4ng3r | Cutter/Rizin founder |
| condret | condret | github.com/condret | ESIL core, SIOL I/O |
| wargio | wargio | github.com/wargio | GSoC mentor |
| maijin | maijin | github.com/maijin | r2 book maintainer |

| Speaker | Handle | Repository | Specialty |
|---|---|---|---|
| Chase Kanipe | alkalinesec | github.com/alkalinesec | ESILSolve symbolic exec |
| Sylvain Pelissier | Pelissier_S | N/A | ESIL side-channel simulation |
| Abel Valero | skuater | github.com/skuater | r2wars, ESIL plugins |
| Gerardo García | killabytenow | github.com/killabytenow | ESIL limits |

| Speaker | Handle | Repository | Specialty |
|---|---|---|---|
| Ole André Ravnås | oleavr | github.com/oleavr | Frida creator, NowSecure |
| Giovanni Rocca | iGio90 | github.com/iGio90 | Dwarf debugger |
| Grant Douglas | hexploitable | github.com/hexploitable | r2frida mobile |
| Alex Soler | as0ler | N/A | r2frida Kung Fu, r2env |

| Speaker | Handle | Repository | Specialty |
|---|---|---|---|
| Axelle Apvrille | cryptax | github.com/cryptax | Malware, r2ai, droidlysis |
| Tim Blazytko | mr_phrazer | github.com/mrphrazer | MBA deobfuscation, msynth |
| Julien Voisin | jvoisin | github.com/jvoisin | Security tooling |
| cmatthewbrooks | cmatthewbrooks | N/A | Windows malware |

| Speaker | Handle | Repository | Specialty |
|---|---|---|---|
| Barton Rhodes | bmorphism | github.com/bmorphism | r2 Zignatures (2020) |
| swoops | swoops | github.com/swoops | libc_zignatures, dr_pebber |
| Fernando Dominguez | FernandoDoming | github.com/FernandoDoming | diaphora similarity |

| Speaker | Handle | Repository | Specialty |
|---|---|---|---|
| Carlos Holguera | cpholguera | github.com/cpholguera | OWASP MSTG co-author |
| Eduardo Novella | enovella | github.com/enovella | NowSecure, r2frida |
| Francesco Tamagni | mrmacete | github.com/mrmacete | NowSecure iOS |

| Speaker | Handle | Repository | Specialty |
|---|---|---|---|
| Ahmed Abd El Mawgood | oddcoder | github.com/oddcoder | RAIR (Radare In Rust) |
| Antide Petit | xarkes | github.com/xarkes | Cutter development |
| Arnau Gamez | arnaugamez | github.com/arnaugamez | Side-channel attacks |
```sh
# radare2 ecosystem
git clone https://github.com/radareorg/radare2        # Core framework
git clone https://github.com/radareorg/r2ghidra       # Ghidra decompiler
git clone https://github.com/radareorg/radare2-mcp    # MCP server
git clone https://github.com/radareorg/esil-rs        # ESIL in Rust

# Rizin fork (Cutter backend)
git clone https://github.com/rizinorg/rizin           # Rizin framework
git clone https://github.com/rizinorg/cutter          # GUI
git clone https://github.com/rizinorg/rz-ghidra       # Ghidra integration

# Frida ecosystem
git clone https://github.com/frida/frida-core         # Core library
git clone https://github.com/frida/frida-gum          # Instrumentation
git clone https://github.com/frida/cryptoshark        # Code tracer

# Speaker tools
git clone https://github.com/swoops/libc_zignatures   # libc signatures
git clone https://github.com/swoops/dr_pebber         # Fake TEB/PEB for ESIL
git clone https://github.com/mrphrazer/msynth         # MBA simplification
git clone https://github.com/cryptax/droidlysis       # Android analysis
git clone https://github.com/iGio90/Dwarf             # Frida debugger
git clone https://github.com/condret/r2premium        # r2 premium features
```
Each speaker brings a unique analysis perspective:

| Speaker | Focus | Process Tree Approach |
|---|---|---|
| pancake | Core r2 | r2 -d pid://PID attach, sandbox escape surfaces |
| xvilka | UEFI/radeco | Chromium shmem handles, decompile GPU process |
| condret | ESIL | Each PID as ESIL context, trace IPC parsing |
| Pelissier_S | Side-channel | Timing oracles in --time-ticks-* params |
| alkalinesec | ESILSolve | Symbolic exec on sandbox constraints |
| iGio90 | r2frida | frida -U -n 'process' + r2 integration |
| thestr4ng3r | Cutter | GUI attach, graph shader pipeline |
| cryptax | Malware | Persistence via flox-watchdog, LOLbins |
| bmorphism | Zignatures | zg signature generation across renderer variants |
| swoops | dr_pebber | Fake PEB structures for Windows emulation |
| mr_phrazer | Deobfuscation | MBA expressions in obfuscated binaries |
User: Analyze this binary for buffer overflow vulnerabilities

Agent:
1. Starting GhidraMCP server...
2. Loading binary and auto-analyzing...
3. [list_functions] Found 47 functions
4. [search_functions "strcpy|sprintf|gets"] Found 3 dangerous calls:
   - sub_401234: uses strcpy with stack buffer
   - sub_401456: sprintf without bounds
5. [decompile_function "sub_401234"]
   ```c
   void vuln_func(char *input) {
       char buffer[64];
       strcpy(buffer, input); // VULNERABLE: no bounds check
       ...
   }
   ```
6. [xrefs_to "sub_401234"] Called from main+0x45
7. Vulnerability confirmed: Stack buffer overflow in sub_401234
Assign deterministic colors to binary analysis domains:
```julia
using Gay

# Trit classification for RE tools
GHIDRA_TRIT = 0     # ZERO  - foundational analysis
IDA_TRIT = 1        # PLUS  - commercial/advanced
RADARE2_TRIT = -1   # MINUS - lightweight/CLI

# Color functions by complexity
function color_function(cyclomatic_complexity::Int, seed::UInt64)
    Gay.color_at(cyclomatic_complexity, seed)
end

# Color control flow graph nodes
function color_cfg_node(block_id::Int, func_seed::UInt64)
    Gay.color_at(block_id, func_seed)
end
```
- effective-topos: radare2 integration
- mcp-tripartite: Binary analysis trit (-1 MINUS)
- binsec: Symbolic execution tutorials
- gay-mcp: Deterministic coloring for CFG visualization