Reverse Engineering Skill
Binary analysis and reverse engineering via MCP servers for Ghidra, IDA Pro, radare2, and angr.
Trigger Conditions
- User asks to analyze binaries, disassemble code, decompile functions
- Questions about malware analysis, vulnerability research, CTF challenges
- Binary diffing, patch analysis, firmware extraction
- Symbol recovery, function identification, control flow analysis
MCP Servers
1. GhidrAssistMCP (Ghidra - Free)
Repository: https://github.com/jtang613/GhidrAssistMCP
Stars: High activity
Transport: HTTP/SSE on port 8080
Installation:
# Download from releases page
# In Ghidra: File → Install Extensions → Add Extension
# Enable: File → Configure → Configure Plugins → GhidrAssistMCP
31 Built-in Tools:
| Category | Tools |
|----------|-------|
| Program Analysis | get_program_info, list_functions, list_data, list_strings, list_imports, list_exports, list_segments |
| Function Analysis | get_function_info, decompile_function, disassemble_function, function_xrefs, search_functions |
| Navigation | get_current_address, xrefs_to, xrefs_from, get_current_function |
| Modification | rename_function, rename_variable, set_function_prototype, set_local_variable_type, set_disassembly_comment |
| Advanced | auto_create_struct |
2. LaurieWired/GhidraMCP (Popular Alternative)
Repository: https://github.com/LaurieWired/GhidraMCP
Transport: Python bridge to Ghidra
3. IDA Pro MCP Servers
mrexodia/ida-pro-mcp (Most active):
git clone https://github.com/mrexodia/ida-pro-mcp
cd ida-pro-mcp
pip install -e .
MxIris-Reverse-Engineering/ida-mcp-server (473 stars):
git clone https://github.com/MxIris-Reverse-Engineering/ida-mcp-server
fdrechsler/mcp-server-idapro:
git clone https://github.com/fdrechsler/mcp-server-idapro
4. radare2-mcp (Official)
Repository: https://github.com/radareorg/radare2-mcp
Transport: stdio
# Install radare2 first
brew install radare2 # macOS
# or: apt install radare2 # Linux
git clone https://github.com/radareorg/radare2-mcp
cd radare2-mcp
pip install -e .
MCP Config:
{
"mcpServers": {
"radare2": {
"command": "r2-mcp",
"args": []
}
}
}
5. rand-tech/pcm (Multi-tool)
Repository: https://github.com/rand-tech/pcm
MCP for reverse engineering combining multiple backends.
Workflows
Basic Binary Analysis
1. Load binary into Ghidra/IDA
2. Start MCP server
3. Query: "List all functions" → list_functions
4. Query: "Decompile main" → decompile_function
5. Query: "Find xrefs to this address" → xrefs_to
Malware Analysis Pattern
1. get_program_info → Architecture, compiler, entry point
2. list_imports → Suspicious API calls (CreateRemoteThread, VirtualAlloc)
3. list_strings → C2 URLs, encryption keys, debug strings
4. search_functions "crypt" → Find encryption routines
5. decompile_function → Understand algorithm
6. auto_create_struct → Recover data structures
Vulnerability Research
1. list_functions → Function list with sizes
2. search_functions "parse|read|copy" → Input handlers
3. decompile_function → Find buffer operations
4. xrefs_to → Trace data flow
5. set_decompiler_comment → Annotate findings
CTF Binary Exploitation
1. get_program_info → Check protections (PIE, RELRO, canary)
2. list_functions → Find win/flag functions
3. decompile_function → Understand vulnerability
4. xrefs_from → Control flow analysis
5. list_segments → Memory layout for ROP
CLI Quick Reference
radare2 Commands
r2 binary # Open binary
aaa # Analyze all
afl # List functions
pdf @ main # Disassemble function
pdc @ main # Decompile (r2ghidra)
axt @ addr # Xrefs to
axf @ addr # Xrefs from
iz # List strings
ii # List imports
Ghidra Headless
analyzeHeadless /tmp/project ProjectName \
-import binary.exe \
-postScript ExportDecompilation.java \
-deleteProject
Resources
r2con Speaker Repositories
Key repositories from r2con 2016-2025 speakers for process tree and binary analysis:
Core radare2 Team
| Speaker | Handle | Repository | Specialty | |---------|--------|------------|-----------| | Sergi Alvarez | pancake | github.com/trufae | radare2 creator, r2pipe | | Anton Kochkov | xvilka | github.com/XVilka | UEFI, radeco decompiler | | Florian Märkl | thestr4ng3r | github.com/thestr4ng3r | Cutter/Rizin founder | | condret | condret | github.com/condret | ESIL core, SIOL I/O | | wargio | wargio | github.com/wargio | GSoC mentor | | maijin | maijin | github.com/maijin | r2 book maintainer |
ESIL & Symbolic Execution
| Speaker | Handle | Repository | Specialty | |---------|--------|------------|-----------| | Chase Kanipe | alkalinesec | github.com/alkalinesec | ESILSolve symbolic exec | | Sylvain Pelissier | Pelissier_S | N/A | ESIL side-channel simulation | | Abel Valero | skuater | github.com/skuater | r2wars, ESIL plugins | | Gerardo García | killabytenow | github.com/killabytenow | ESIL limits |
Frida Integration (r2frida)
| Speaker | Handle | Repository | Specialty | |---------|--------|------------|-----------| | Ole André Ravnås | oleavr | github.com/oleavr | Frida creator, NowSecure | | Giovanni Rocca | iGio90 | github.com/iGio90 | Dwarf debugger | | Grant Douglas | hexploitable | github.com/hexploitable | r2frida mobile | | Alex Soler | as0ler | N/A | r2frida Kung Fu, r2env |
Malware & Security Analysis
| Speaker | Handle | Repository | Specialty | |---------|--------|------------|-----------| | Axelle Apvrille | cryptax | github.com/cryptax | Malware, r2ai, droidlysis | | Tim Blazytko | mr_phrazer | github.com/mrphrazer | MBA deobfuscation, msynth | | Julien Voisin | jvoisin | github.com/jvoisin | Security tooling | | cmatthewbrooks | cmatthewbrooks | N/A | Windows malware |
Signatures & Similarity
| Speaker | Handle | Repository | Specialty | |---------|--------|------------|-----------| | Barton Rhodes | bmorphism | github.com/bmorphism | r2 Zignatures (2020) | | swoops | swoops | github.com/swoops | libc_zignatures, dr_pebber | | Fernando Dominguez | FernandoDoming | github.com/FernandoDoming | diaphora similarity |
Mobile Security (OWASP MSTG)
| Speaker | Handle | Repository | Specialty | |---------|--------|------------|-----------| | Carlos Holguera | cpholguera | github.com/cpholguera | OWASP MSTG co-author | | Eduardo Novella | enovella | github.com/enovella | NowSecure, r2frida | | Francesco Tamagni | mrmacete | github.com/mrmacete | NowSecure iOS |
Decompilation & Analysis
| Speaker | Handle | Repository | Specialty | |---------|--------|------------|-----------| | Ahmed Abd El Mawgood | oddcoder | github.com/oddcoder | RAIR (Radare In Rust) | | Antide Petit | xarkes | github.com/xarkes | Cutter development | | Arnau Gamez | arnaugamez | github.com/arnaugamez | Side-channel attacks |
Key Tool Repositories
# radare2 ecosystem
git clone https://github.com/radareorg/radare2 # Core framework
git clone https://github.com/radareorg/r2ghidra # Ghidra decompiler
git clone https://github.com/radareorg/radare2-mcp # MCP server
git clone https://github.com/radareorg/esil-rs # ESIL in Rust
# Rizin fork (Cutter backend)
git clone https://github.com/rizinorg/rizin # Rizin framework
git clone https://github.com/rizinorg/cutter # GUI
git clone https://github.com/rizinorg/rz-ghidra # Ghidra integration
# Frida ecosystem
git clone https://github.com/frida/frida-core # Core library
git clone https://github.com/frida/frida-gum # Instrumentation
git clone https://github.com/frida/cryptoshark # Code tracer
# Speaker tools
git clone https://github.com/swoops/libc_zignatures # libc signatures
git clone https://github.com/swoops/dr_pebber # Fake TEB/PEB for ESIL
git clone https://github.com/mrphrazer/msynth # MBA simplification
git clone https://github.com/cryptax/droidlysis # Android analysis
git clone https://github.com/iGio90/Dwarf # Frida debugger
git clone https://github.com/condret/r2premium # r2 premium features
Process Tree Analysis Perspectives
Each speaker brings unique analysis perspective:
| Speaker | Focus | Process Tree Approach |
|---------|-------|----------------------|
| pancake | Core r2 | r2 -d pid://PID attach, sandbox escape surfaces |
| xvilka | UEFI/radeco | Chromium shmem handles, decompile GPU process |
| condret | ESIL | Each PID as ESIL context, trace IPC parsing |
| Pelissier_S | Side-channel | Timing oracles in --time-ticks-* params |
| alkalinesec | ESILSolve | Symbolic exec on sandbox constraints |
| iGio90 | r2frida | frida -U -n 'process' + r2 integration |
| thestr4ng3r | Cutter | GUI attach, graph shader pipeline |
| cryptax | Malware | Persistence via flox-watchdog, LOLbins |
| bmorphism | Zignatures | zg signature generation across renderer variants |
| swoops | dr_pebber | Fake PEB structures for Windows emulation |
| mr_phrazer | Deobfuscation | MBA expressions in obfuscated binaries |
Example Session
User: Analyze this binary for buffer overflow vulnerabilities
Agent:
1. Starting GhidraMCP server...
2. Loading binary and auto-analyzing...
3. [list_functions] Found 47 functions
4. [search_functions "strcpy|sprintf|gets"] Found 3 dangerous calls:
- sub_401234: uses strcpy with stack buffer
- sub_401456: sprintf without bounds
5. [decompile_function "sub_401234"]
void vuln_func(char *input) {
char buffer[64];
strcpy(buffer, input); // VULNERABLE: no bounds check
...
}
6. [xrefs_to "sub_401234"] Called from main+0x45
7. Vulnerability confirmed: Stack buffer overflow in sub_401234
End-of-Skill Interface
Integration with Gay.jl Colors
Assign deterministic colors to binary analysis domains:
using Gay
# Trit classification for RE tools
GHIDRA_TRIT = 0 # ZERO - foundational analysis
IDA_TRIT = 1 # PLUS - commercial/advanced
RADARE2_TRIT = -1 # MINUS - lightweight/CLI
# Color functions by complexity
function color_function(cyclomatic_complexity::Int, seed::UInt64)
Gay.color_at(cyclomatic_complexity, seed)
end
# Color control flow graph nodes
function color_cfg_node(block_id::Int, func_seed::UInt64)
Gay.color_at(block_id, func_seed)
end
Related Skills
effective-topos: radare2 integrationmcp-tripartite: Binary analysis trit (-1 MINUS)binsec: Symbolic execution tutorialsgay-mcp: Deterministic coloring for CFG visualization