From arc-probe
Locates functions in target processes by string references, RTTI patterns, behavior via hardware breakpoints, or disassembly. Useful for reverse engineering without symbols.
npx claudepluginhub vzco/arc-probe --plugin arc-probe
This skill uses the workspace's default tool permissions.
Locate a function in the target process by its behavior or string references.
description (required): Natural language description of the function to find (e.g., "the function that handles player damage", "where the chat message is processed")
module (optional): Module to search in (narrows the search)
Identify search strategy based on the description:
String-based search (most common path):
a. Think about what strings the function might reference (error messages, log output, format strings, UI text)
b. Call probe_pattern_scan or probe_find_value (experimental) with type "string" to find the string in the module's data section
c. Note the string's address
d. Search for LEA instructions that reference the string address:
48 8D ?? ?? ?? ?? ?? (LEA reg, [rip+disp32]) or 4C 8D ?? ?? ?? ?? ??
e. For each reference found, disassemble the surrounding code with probe_disassemble
f. Walk backwards to find the function prologue (push rbp / sub rsp pattern)
RTTI-based search (for known class methods):
a. Pattern scan for the class name string .?AV<ClassName>@@
b. Find the TypeDescriptor, then the Complete Object Locator, then the vtable
c. Dump the vtable to enumerate virtual functions
d. Disassemble each vtable entry to find the target method
Behavior-based search (for data-touching functions):
a. Identify what memory address the function reads or writes
b. Set a hardware breakpoint on that address: probe_hwbp_set with type "w" or "rw"
c. Trigger the behavior in the application
d. Read the breakpoint registers to get the RIP of the writing instruction
e. Disassemble the function containing that instruction
Validate the result:
a. Disassemble the full function with probe_disassemble_function
b. Check that it references the expected strings, calls expected APIs, or touches expected data
c. Generate a signature with probe_generate_signature for future reference
d. Test the signature with probe_test_signature to confirm it's unique
Report:
Function: <description>
Address: 0x7FF612345678
Module: target.dll + 0x5678
Size: ~0x1A0 bytes
Signature: 48 89 5C 24 08 57 48 83 EC 20 48 8B D9 E8 ?? ?? ?? ??
References: "error message string" at +0x42
Calls: SubFunction at 0x7FF612346000
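Step d of the string-based search, written out as an added example (not arc-probe's own code): the wildcard patterns 48 8D ?? ?? ?? ?? ?? and 4C 8D ?? ?? ?? ?? ?? also match LEAs that are not RIP-relative, so each candidate needs a ModRM check and its disp32 resolved against the string address. The function name, addresses and byte buffer are constructed for illustration.

```python
import struct

# REX.W prefixes from the page's patterns: 48 (rax..rdi) and 4C (r8..r15).
LEA_PREFIXES = (0x48, 0x4C)
LEA_LEN = 7  # REX + opcode 8D + ModRM + disp32


def find_rip_relative_lea(code: bytes, code_va: int, target_va: int) -> list[int]:
    """Return addresses of `LEA reg, [rip+disp32]` that resolve to target_va."""
    hits = []
    for off in range(len(code) - LEA_LEN + 1):
        if code[off] not in LEA_PREFIXES or code[off + 1] != 0x8D:
            continue
        # RIP-relative addressing is mod == 00 and r/m == 101. Other ModRM
        # values satisfy the wildcard pattern but are not string references.
        if code[off + 2] & 0xC7 != 0x05:
            continue
        (disp,) = struct.unpack_from("<i", code, off + 3)  # signed disp32
        # disp32 is relative to the address of the NEXT instruction.
        if code_va + off + LEA_LEN + disp == target_va:
            hits.append(code_va + off)
    return hits


def _lea(prefix: int, modrm: int, insn_va: int, target_va: int) -> bytes:
    """Encode a RIP-relative LEA at insn_va pointing to target_va (sample data only)."""
    disp = target_va - (insn_va + LEA_LEN)
    return bytes([prefix, 0x8D, modrm]) + struct.pack("<i", disp)


# Constructed sample: all addresses and bytes are made up for this example.
BASE = 0x140001000   # address of the code buffer
STR_A = 0x140003000  # string located after the code (positive disp32)
STR_B = 0x140000F00  # string located before the code (negative disp32)
SAMPLE = (
    bytes.fromhex("4883EC28")             # sub rsp, 0x28
    + _lea(0x48, 0x0D, BASE + 4, STR_A)   # lea rcx, [rip+disp32]
    + bytes.fromhex("488D442420")         # lea rax, [rsp+0x20], not RIP-relative
    + _lea(0x4C, 0x05, BASE + 16, STR_B)  # lea r8, [rip+disp32]
    + bytes.fromhex("C3")                 # ret
)

if __name__ == "__main__":
    for name, va in (("STR_A", STR_A), ("STR_B", STR_B)):
        refs = find_rip_relative_lea(SAMPLE, BASE, va)
        print(name, [hex(r) for r in refs])
```

Each returned address is a starting point for step e (disassemble around it) and step f (walk back to the prologue).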