PluginBench
Skill
Fail
Audit score 45

rev-symbol

p4nda0s/reverse-skills

How to install rev-symbol

npx skills add https://github.com/p4nda0s/reverse-skills --skill rev-symbol
Claude Code
Cursor
Windsurf
Cline
Full instructions (SKILL.md)

Source of truth, from p4nda0s/reverse-skills.


name: rev-symbol description: Restore function symbols by analyzing code patterns, strings, constants, and cross-references

rev-symbol - Symbol Recovery

Analyze function code characteristics to recover/identify function symbols and names.

Pre-check

Determine which IDA access method is available:

Option A — IDA Pro MCP (preferred if connected): Check if the IDA Pro MCP server is connected (look for an active ida-pro or equivalent MCP connection). If connected, you can query IDA directly via MCP tools — no exported files needed. Proceed with the analysis using MCP.

Option B — IDA-NO-MCP exported data: If MCP is not connected, check if IDA-NO-MCP exported data exists in the current directory:

  1. Check if decompile/ directory exists
  2. Check if there are .c files inside

If neither MCP nor exported data is available, prompt the user:

No IDA access method detected. Choose one of the following:

Option A — IDA Pro MCP (recommended):
  Connect the IDA Pro MCP server so Claude can query IDA directly.

Option B — IDA-NO-MCP export:
  1. Download plugin: https://github.com/P4nda0s/IDA-NO-MCP
  2. Copy INP.py to IDA plugins directory
  3. Press Ctrl-Shift-E in IDA to export
  4. Open the exported directory with Claude Code

Export Directory Structure

./
├── decompile/              # Decompiled C code directory
│   ├── 0x401000.c          # One file per function, named by hex address
│   ├── 0x401234.c
│   └── ...
├── decompile_failed.txt    # Failed decompilation list
├── decompile_skipped.txt   # Skipped functions list
├── strings.txt             # String table (address, length, type, content)
├── imports.txt             # Import table (address:function_name)
├── exports.txt             # Export table (address:function_name)
└── memory/                 # Memory hexdump (1MB chunks)

Function File Format (decompile/*.c)

Each .c file contains function metadata comments and decompiled code:

/*
 * func-name: sub_401000
 * func-address: 0x401000
 * callers: 0x402000, 0x403000    // List of functions that call this function
 * callees: 0x404000, 0x405000    // List of functions called by this function
 */

int __fastcall sub_401000(int a1, int a2)
{
    // Decompiled code...
}

Symbol Recovery Steps

Step 1: Analyze Internal Characteristics

Carefully examine the target function for:

  • String constants: Strings used in the function may reveal its purpose
  • Numeric constants / Magic Numbers:
    • MD5: 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    • CRC32: 0xEDB88320
    • Base64 charset: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
    • AES S-Box: 0x63, 0x7C, 0x77, 0x7B...
    • Zlib: 0x78, 0x9C (compression header)
    • other constants/magic numbers...
  • Code structure: Loop patterns, bitwise operations, specific algorithm flows

If you can identify a known algorithm through constants/structure, tell the user directly.

Step 2: Analyze Cross-References

Analyze Callees (called functions):

  • Read functions in the callees list

  • For each callee, check if its address exists in imports.txt

  • Recognize call patterns even when symbols are missing:

    Paired function patterns (identify by matching call pairs):

    // malloc/free, new/delete, alloc/dealloc
    xx = sub_A(0x100);        // alloc: takes size, returns pointer
    ...
    sub_B(xx);                // free: takes the same pointer
    
    // mutex_lock/mutex_unlock, pthread_mutex_lock/unlock
    sub_A(lock_ptr);          // lock
    ...                       // critical section
    sub_B(lock_ptr);          // unlock (same lock object)
    
    // open/close, fopen/fclose, CreateFile/CloseHandle
    fd = sub_A("/path", 0);   // open: path + flags, returns handle
    ...
    sub_B(fd);                // close: takes the handle
    
    // pthread_create/pthread_join
    sub_A(&tid, 0, func, arg); // create: out param, attr, func, arg
    ...
    sub_B(tid, &ret);          // join: tid, out param
    
    
    **Argument pattern recognition:**
    ```c
    // socket(AF_INET, SOCK_STREAM, 0) - fixed constants
    sub_XXX(2, 1, 0);         // socket: domain=2, type=1, protocol=0
    
    // connect/bind(sockfd, addr, addrlen)
    sub_XXX(fd, &var, 16);   // addr struct, len=16 for IPv4
    
    // memcpy/memmove(dst, src, size)
    sub_XXX(dst, src, n);     // 3 params: dst, src, count
    
    // memset(ptr, value, size)
    sub_XXX(ptr, 0, 0x100);   // 3 params: ptr, byte value, count
    
    // read/write(fd, buf, count)
    ret = sub_XXX(fd, buf, n); // returns bytes read/written
    
    // strcmp/strncmp(s1, s2) or (s1, s2, n)
    if (sub_XXX(s1, s2) == 0)  // returns 0 on equal
    

    Return value patterns:

    // file/socket operations: -1 on error
    if ((fd = sub_XXX(...)) == -1) goto error;
    
    // allocation: NULL on failure
    if (!(ptr = sub_XXX(size))) goto error;
    
    // success/error: 0 = success
    if (sub_XXX(...) != 0) goto error;
    
    // strlen: returns size_t
    len = sub_XXX(str);
    sub_YYY(dst, src, len);   // len used in memcpy
    

Analyze Callers (calling functions):

  • Read functions in the callers list
  • If a caller has a symbol (check exports.txt), infer the callee's purpose from context
  • Recursive check: trace up the call chain until you find a function with a symbol
  • Analyze how the return value is used by callers

Step 3: Information Gathering and Search

Collect the following information:

  • Strings in the function (check strings.txt for addresses used in the function)
  • Magic Numbers / constants
  • Known imports called (cross-reference callees with imports.txt)
  • Caller/callee symbols from exports.txt
  • Paired function patterns identified

Based on collected information:

  1. First attempt local reasoning based on:

    • Function signature (number and types of parameters)
    • Paired call patterns (alloc/free, lock/unlock)
    • Known imports in the call chain
    • Code structure similarity to known algorithms
  2. If uncertain, use Web Search to search:

    • Search Magic Numbers: 0x67452301 0xEFCDAB89 algorithm
    • Search code patterns: rotate left xor constant algorithm
    • Search unique strings found in the function
    • Search parameter patterns: function(int, int, 0) socket

Output Format

## Symbol Recovery Analysis: <function_address>

### Function Characteristics
- Strings: <list discovered strings>
- Constants: <list key constants>
- Called imports: <list>

### Cross-Reference Analysis
- Callers: <callers and their symbols>
- Callees: <callees and their symbols>

### Inference Result
- **Suggested symbol name**: <suggested_name>
- **Confidence**: High / Medium / Low
- **Reasoning**: <explain why this name is suggested>

### Similar Open Source Implementation
- <if similar open source code is found, provide link>

Related skills

More from p4nda0s/reverse-skills and the wider catalog.

RE

rev-frida

p4nda0s/reverse-skills

Generate Frida hook scripts using modern Frida API. Activate when the user wants to write Frida scripts, hook functions at runtime, trace calls or arguments or return values, intercept native or ObjC or Java methods, dump memory or exports, or handle native module load timing for Android and other targets.

1.1k installs
RE

rev-struct

p4nda0s/reverse-skills

Reconstruct data structures by analyzing memory access patterns across functions

982 installsAudited
RE

rev-dex-dumper

p4nda0s/reverse-skills

Dump DEX files from a running Android app for unpacking/deobfuscation. Activate when the user wants to unpack an Android APK, dump DEX from memory, extract decrypted DEX files, or defeat class-loading packing.

940 installs
RE

rev-idapython

p4nda0s/reverse-skills

IDAPython and IDALib script reference for reverse engineering. Activate when the user needs to write IDAPython scripts in IDA, use IDALib for headless analysis, operate on IDB databases, debug with IDA, manipulate memory/registers, traverse functions/blocks/instructions, work with Hex-Rays decompiler API, handle obfuscation, or batch-process binaries.

927 installs
RE

rev-unicorn-debug

p4nda0s/reverse-skills

Debug and emulate specific code fragments or functions using the Unicorn engine. Activate when the user wants to emulate a function with Unicorn, trace binary execution without running the full program, decrypt or decode data by emulating the algorithm, or bypass environment dependencies (JNI, syscalls, libc) during emulation.

926 installs
RE

rev-u3d-dump

p4nda0s/reverse-skills

Dump Unity IL2CPP symbols from iOS/Android builds. Extract method names, addresses, and type info from IL2CPP binaries and global-metadata.dat, then generate IDA/Ghidra import scripts.

881 installs