Reverse engineering skills for Claude Code. Designed for IDA-NO-MCP, this plugin exports decompiled results from IDA for analysis. Benefits security teams and reverse engineers. Integrates with IDA-NO-MCP and Claude Code.
```bash
git clone https://github.com/P4nda0s/reverse-skills.git
```

Reverse-skills is a comprehensive skill collection for reverse engineering and binary analysis, built to work with IDA-NO-MCP and 40+ AI programming tools. It includes eight specialized skills covering function symbol analysis, data structure reconstruction, dynamic instrumentation with Frida, code emulation via Unicorn, DEX dumping from Android apps, Unity IL2CPP symbol extraction, IDAPython scripting reference, and iOS app decryption. The skills enable security teams and reverse engineers to automate decompiled result analysis, generate dynamic instrumentation scripts, and extract symbols across multiple platforms. Setup is straightforward via npm with the command `npx skills add P4nda0s/reverse-skills`, and the collection supports updating and selective removal of individual skills.
1. **Export Decompiled Code**: Use IDA-NO-MCP to export decompiled pseudocode for your target binary. Run `ida -A -S"ida_no_mcp_export.py" target_binary` in your terminal.
2. **Load Output**: Paste the exported pseudocode into your AI tool (e.g., Claude Code) or save it as a `.c` file for analysis.
3. **Specify Analysis Focus**: Provide the AI with clear targets (e.g., function names, address ranges) and patterns to check (e.g., buffer overflows, hardcoded keys).
4. **Review Results**: Use the AI's output to prioritize fixes. Cross-reference with IDA's graph view for visual confirmation of control flow issues.
5. **Iterate**: Refine the analysis by adjusting the exported code or AI prompts based on initial findings.

**Tips**:
- For large binaries, export only relevant functions to reduce noise.
- Use the AI's output to generate patches or test cases (e.g., fuzzing inputs for buffer overflows).
- Combine with dynamic analysis tools (e.g., Valgrind) to confirm static findings.
Analyzing decompiled functions to identify symbols and reconstruct data structures
Generating Frida instrumentation scripts for dynamic binary analysis on Android and iOS
Dumping and decrypting applications (DEX files, IL2CPP binaries, encrypted iOS apps) for security research
Emulating and debugging code segments using Unicorn engine for isolated execution analysis
```bash
git clone https://github.com/P4nda0s/reverse-skills
```

1. Copy the install command above and run it in your terminal.
2. Launch Claude Code, Cursor, or your preferred AI coding agent.
3. Use the prompt template or examples below to test the skill.
4. Adapt the skill to your specific use case and workflow.
Use IDA-NO-MCP to export decompiled code from [TARGET_BINARY] with [SPECIFIC_FUNCTION_NAME] or [ADDRESS_RANGE]. Analyze the decompiled output for [SECURITY_PATTERNS] (e.g., buffer overflows, hardcoded credentials) or [LOGIC_FLAWS]. Provide a breakdown of critical vulnerabilities, suggested patches, and potential exploit paths. Include pseudocode snippets where relevant.
After analyzing the decompiled output of `libauth.so` (address range 0x400000-0x405000) using IDA-NO-MCP, the following critical issues were identified:
1. **Buffer Overflow in `authenticate_user()`**
   - **Location**: Function at 0x401234
   - **Issue**: Unbounded `strcpy()` into a 64-byte stack buffer from user-controlled input (parameter `username`).
   - **Exploit Path**: Attacker can craft a 256-byte username to overwrite the return address, redirecting execution to shellcode in the heap.
   - **Pseudocode**:
     ```c
     void authenticate_user(char *username) {
         char local_buf[64];           // Stack buffer
         strcpy(local_buf, username);  // No bounds checking
         // ... rest of auth logic
     }
     ```
   - **Patch**: Replace `strcpy()` with `strncpy(local_buf, username, sizeof(local_buf)-1)` and add a null terminator.
2. **Hardcoded AES Key**
   - **Location**: Global variable at 0x403000
   - **Issue**: AES-256 key is hardcoded as `0xdeadbeefcafebabe...` in plaintext.
   - **Risk**: A compromised binary exposes the key, allowing decryption of sensitive data in transit.
   - **Mitigation**: Fetch the key from a secure key management system (e.g., AWS KMS) at runtime.
3. **Race Condition in `file_write()`**
   - **Location**: Function at 0x402560
   - **Issue**: No file locking mechanism when writing to `/tmp/auth.log`.
   - **Exploit Path**: Symlink attack allows overwriting arbitrary files (e.g., `/etc/passwd`).
   - **Patch**: Use `flock()` or the `O_EXCL` flag when opening files.
**Recommendations**:
- Prioritize patching the buffer overflow (CVSS 9.8) and hardcoded key (CVSS 7.5).
- Deploy static analysis tools (e.g., CodeQL) in CI/CD to catch similar issues early.
- Conduct a threat modeling exercise to identify additional attack surfaces.
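As an added example (not code from the reverse-skills project or from the sample output above), the patch proposed for finding 1 carried through in C: a bounded copy with an explicit terminator, plus a truncation flag so the caller can reject over-long usernames instead of silently accepting a clipped one. The names `copy_username_bounded`, `authenticate_user_fixed` and `USERNAME_BUF` are assumed.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_BUF 64   /* same 64-byte stack buffer as the decompiled function */

/* Bounded copy as described in the patch: strncpy() with one byte reserved,
 * then an explicit NUL so a long input can never leave dst unterminated.
 * Returns 1 when src was truncated, 0 when it fit, -1 on bad arguments. */
int copy_username_bounded(char *dst, size_t dst_len, const char *src) {
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    strncpy(dst, src, dst_len - 1);   /* copies at most dst_len-1 bytes */
    dst[dst_len - 1] = '\0';          /* the "add null terminator" step */
    return strlen(src) >= dst_len ? 1 : 0;
}

/* Hypothetical hardened counterpart of the page's authenticate_user().
 * Returns 0 on success, -1 when the username does not fit (rejected, not clipped). */
int authenticate_user_fixed(const char *username) {
    char local_buf[USERNAME_BUF];
    if (copy_username_bounded(local_buf, sizeof(local_buf), username) != 0)
        return -1;
    /* ... rest of auth logic would operate on local_buf here ... */
    return 0;
}

int main(void) {
    char probe[256];                          /* constructed 255-byte input */
    memset(probe, 'A', sizeof(probe) - 1);
    probe[sizeof(probe) - 1] = '\0';
    printf("short name: %d\n", authenticate_user_fixed("alice"));   /* 0 */
    printf("long name:  %d\n", authenticate_user_fixed(probe));     /* -1 */
    return 0;
}
```

A 63-character username still fits (63 bytes plus the terminator); the 64th character is the first one that trips the truncation flag.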