How to install rev-symbol
npx skills add https://github.com/p4nda0s/reverse-skills --skill rev-symbolFull instructions (SKILL.md)
Source of truth, from p4nda0s/reverse-skills.
name: rev-symbol description: Restore function symbols by analyzing code patterns, strings, constants, and cross-references
rev-symbol - Symbol Recovery
Analyze function code characteristics to recover/identify function symbols and names.
Pre-check
Determine which IDA access method is available:
Option A — IDA Pro MCP (preferred if connected):
Check if the IDA Pro MCP server is connected (look for an active ida-pro or equivalent MCP connection). If connected, you can query IDA directly via MCP tools — no exported files needed. Proceed with the analysis using MCP.
Option B — IDA-NO-MCP exported data: If MCP is not connected, check if IDA-NO-MCP exported data exists in the current directory:
- Check if
decompile/directory exists - Check if there are
.cfiles inside
If neither MCP nor exported data is available, prompt the user:
No IDA access method detected. Choose one of the following:
Option A — IDA Pro MCP (recommended):
Connect the IDA Pro MCP server so Claude can query IDA directly.
Option B — IDA-NO-MCP export:
1. Download plugin: https://github.com/P4nda0s/IDA-NO-MCP
2. Copy INP.py to IDA plugins directory
3. Press Ctrl-Shift-E in IDA to export
4. Open the exported directory with Claude Code
Export Directory Structure
./
├── decompile/ # Decompiled C code directory
│ ├── 0x401000.c # One file per function, named by hex address
│ ├── 0x401234.c
│ └── ...
├── decompile_failed.txt # Failed decompilation list
├── decompile_skipped.txt # Skipped functions list
├── strings.txt # String table (address, length, type, content)
├── imports.txt # Import table (address:function_name)
├── exports.txt # Export table (address:function_name)
└── memory/ # Memory hexdump (1MB chunks)
Function File Format (decompile/*.c)
Each .c file contains function metadata comments and decompiled code:
/*
* func-name: sub_401000
* func-address: 0x401000
* callers: 0x402000, 0x403000 // List of functions that call this function
* callees: 0x404000, 0x405000 // List of functions called by this function
*/
int __fastcall sub_401000(int a1, int a2)
{
// Decompiled code...
}
Symbol Recovery Steps
Step 1: Analyze Internal Characteristics
Carefully examine the target function for:
- String constants: Strings used in the function may reveal its purpose
- Numeric constants / Magic Numbers:
- MD5:
0x67452301,0xEFCDAB89,0x98BADCFE,0x10325476 - CRC32:
0xEDB88320 - Base64 charset:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ - AES S-Box:
0x63, 0x7C, 0x77, 0x7B... - Zlib:
0x78,0x9C(compression header) - other constants/magic numbers...
- MD5:
- Code structure: Loop patterns, bitwise operations, specific algorithm flows
If you can identify a known algorithm through constants/structure, tell the user directly.
Step 2: Analyze Cross-References
Analyze Callees (called functions):
-
Read functions in the callees list
-
For each callee, check if its address exists in
imports.txt -
Recognize call patterns even when symbols are missing:
Paired function patterns (identify by matching call pairs):
// malloc/free, new/delete, alloc/dealloc xx = sub_A(0x100); // alloc: takes size, returns pointer ... sub_B(xx); // free: takes the same pointer // mutex_lock/mutex_unlock, pthread_mutex_lock/unlock sub_A(lock_ptr); // lock ... // critical section sub_B(lock_ptr); // unlock (same lock object) // open/close, fopen/fclose, CreateFile/CloseHandle fd = sub_A("/path", 0); // open: path + flags, returns handle ... sub_B(fd); // close: takes the handle // pthread_create/pthread_join sub_A(&tid, 0, func, arg); // create: out param, attr, func, arg ... sub_B(tid, &ret); // join: tid, out param **Argument pattern recognition:** ```c // socket(AF_INET, SOCK_STREAM, 0) - fixed constants sub_XXX(2, 1, 0); // socket: domain=2, type=1, protocol=0 // connect/bind(sockfd, addr, addrlen) sub_XXX(fd, &var, 16); // addr struct, len=16 for IPv4 // memcpy/memmove(dst, src, size) sub_XXX(dst, src, n); // 3 params: dst, src, count // memset(ptr, value, size) sub_XXX(ptr, 0, 0x100); // 3 params: ptr, byte value, count // read/write(fd, buf, count) ret = sub_XXX(fd, buf, n); // returns bytes read/written // strcmp/strncmp(s1, s2) or (s1, s2, n) if (sub_XXX(s1, s2) == 0) // returns 0 on equalReturn value patterns:
// file/socket operations: -1 on error if ((fd = sub_XXX(...)) == -1) goto error; // allocation: NULL on failure if (!(ptr = sub_XXX(size))) goto error; // success/error: 0 = success if (sub_XXX(...) != 0) goto error; // strlen: returns size_t len = sub_XXX(str); sub_YYY(dst, src, len); // len used in memcpy
Analyze Callers (calling functions):
- Read functions in the callers list
- If a caller has a symbol (check exports.txt), infer the callee's purpose from context
- Recursive check: trace up the call chain until you find a function with a symbol
- Analyze how the return value is used by callers
Step 3: Information Gathering and Search
Collect the following information:
- Strings in the function (check
strings.txtfor addresses used in the function) - Magic Numbers / constants
- Known imports called (cross-reference callees with
imports.txt) - Caller/callee symbols from
exports.txt - Paired function patterns identified
Based on collected information:
-
First attempt local reasoning based on:
- Function signature (number and types of parameters)
- Paired call patterns (alloc/free, lock/unlock)
- Known imports in the call chain
- Code structure similarity to known algorithms
-
If uncertain, use Web Search to search:
- Search Magic Numbers:
0x67452301 0xEFCDAB89 algorithm - Search code patterns:
rotate left xor constant algorithm - Search unique strings found in the function
- Search parameter patterns:
function(int, int, 0) socket
- Search Magic Numbers:
Output Format
## Symbol Recovery Analysis: <function_address>
### Function Characteristics
- Strings: <list discovered strings>
- Constants: <list key constants>
- Called imports: <list>
### Cross-Reference Analysis
- Callers: <callers and their symbols>
- Callees: <callees and their symbols>
### Inference Result
- **Suggested symbol name**: <suggested_name>
- **Confidence**: High / Medium / Low
- **Reasoning**: <explain why this name is suggested>
### Similar Open Source Implementation
- <if similar open source code is found, provide link>
Related skills
More from p4nda0s/reverse-skills and the wider catalog.
rev-frida
Generate Frida hook scripts using modern Frida API. Activate when the user wants to write Frida scripts, hook functions at runtime, trace calls or arguments or return values, intercept native or ObjC or Java methods, dump memory or exports, or handle native module load timing for Android and other targets.
rev-struct
Reconstruct data structures by analyzing memory access patterns across functions
rev-dex-dumper
Dump DEX files from a running Android app for unpacking/deobfuscation. Activate when the user wants to unpack an Android APK, dump DEX from memory, extract decrypted DEX files, or defeat class-loading packing.
rev-idapython
IDAPython and IDALib script reference for reverse engineering. Activate when the user needs to write IDAPython scripts in IDA, use IDALib for headless analysis, operate on IDB databases, debug with IDA, manipulate memory/registers, traverse functions/blocks/instructions, work with Hex-Rays decompiler API, handle obfuscation, or batch-process binaries.
rev-unicorn-debug
Debug and emulate specific code fragments or functions using the Unicorn engine. Activate when the user wants to emulate a function with Unicorn, trace binary execution without running the full program, decrypt or decode data by emulating the algorithm, or bypass environment dependencies (JNI, syscalls, libc) during emulation.
rev-u3d-dump
Dump Unity IL2CPP symbols from iOS/Android builds. Extract method names, addresses, and type info from IL2CPP binaries and global-metadata.dat, then generate IDA/Ghidra import scripts.