Exécutez n'importe quel Skill dans Manus
en un clic

Exécutez n'importe quel Skill dans Manus en un clic

Commencer

$pwd:

rev-symbol

Name: Rev Symbol
Author: P4nda0s

// Restore function symbols by analyzing code patterns, strings, constants, and cross-references

Exécuter dans Manus

$ git log --oneline --stat

stars:1 171

forks:158

updated:21 avril 2026 à 07:46

SKILL.md

readonly

name	rev-symbol
description	Restore function symbols by analyzing code patterns, strings, constants, and cross-references

rev-symbol - Symbol Recovery

Analyze function code characteristics to recover/identify function symbols and names.

Pre-check

Determine which IDA access method is available:

Option A — IDA Pro MCP (preferred if connected): Check if the IDA Pro MCP server is connected (look for an active ida-pro or equivalent MCP connection). If connected, you can query IDA directly via MCP tools — no exported files needed. Proceed with the analysis using MCP.

Option B — IDA-NO-MCP exported data: If MCP is not connected, check if IDA-NO-MCP exported data exists in the current directory:

Check if decompile/ directory exists
Check if there are .c files inside

If neither MCP nor exported data is available, prompt the user:

No IDA access method detected. Choose one of the following:

Option A — IDA Pro MCP (recommended):
  Connect the IDA Pro MCP server so Claude can query IDA directly.

Option B — IDA-NO-MCP export:
  1. Download plugin: https://github.com/P4nda0s/IDA-NO-MCP
  2. Copy INP.py to IDA plugins directory
  3. Press Ctrl-Shift-E in IDA to export
  4. Open the exported directory with Claude Code

Export Directory Structure

./
├── decompile/              # Decompiled C code directory
│   ├── 0x401000.c          # One file per function, named by hex address
│   ├── 0x401234.c
│   └── ...
├── decompile_failed.txt    # Failed decompilation list
├── decompile_skipped.txt   # Skipped functions list
├── strings.txt             # String table (address, length, type, content)
├── imports.txt             # Import table (address:function_name)
├── exports.txt             # Export table (address:function_name)
└── memory/                 # Memory hexdump (1MB chunks)

Function File Format (decompile/*.c)

Each .c file contains function metadata comments and decompiled code:

/*
 * func-name: sub_401000
 * func-address: 0x401000
 * callers: 0x402000, 0x403000    // List of functions that call this function
 * callees: 0x404000, 0x405000    // List of functions called by this function
 */

int __fastcall sub_401000(int a1, int a2)
{
    // Decompiled code...
}

Symbol Recovery Steps

Step 1: Analyze Internal Characteristics

Carefully examine the target function for:

String constants: Strings used in the function may reveal its purpose
Numeric constants / Magic Numbers:
- MD5: 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
- CRC32: 0xEDB88320
- Base64 charset: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
- AES S-Box: 0x63, 0x7C, 0x77, 0x7B...
- Zlib: 0x78, 0x9C (compression header)
- other constants/magic numbers...
Code structure: Loop patterns, bitwise operations, specific algorithm flows

If you can identify a known algorithm through constants/structure, tell the user directly.

Step 2: Analyze Cross-References

Analyze Callees (called functions):

Read functions in the callees list
For each callee, check if its address exists in imports.txt

Recognize call patterns even when symbols are missing:

Paired function patterns (identify by matching call pairs):

// malloc/free, new/delete, alloc/dealloc
xx = sub_A(0x100);        // alloc: takes size, returns pointer
...
sub_B(xx);                // free: takes the same pointer

// mutex_lock/mutex_unlock, pthread_mutex_lock/unlock
sub_A(lock_ptr);          // lock
...                       // critical section
sub_B(lock_ptr);          // unlock (same lock object)

// open/close, fopen/fclose, CreateFile/CloseHandle
fd = sub_A("/path", 0);   // open: path + flags, returns handle
...
sub_B(fd);                // close: takes the handle

// pthread_create/pthread_join
sub_A(&tid, 0, func, arg); // create: out param, attr, func, arg
...
sub_B(tid, &ret);          // join: tid, out param


**Argument pattern recognition:**
```c
// socket(AF_INET, SOCK_STREAM, 0) - fixed constants
sub_XXX(2, 1, 0);         // socket: domain=2, type=1, protocol=0

// connect/bind(sockfd, addr, addrlen)
sub_XXX(fd, &var, 16);   // addr struct, len=16 for IPv4

// memcpy/memmove(dst, src, size)
sub_XXX(dst, src, n);     // 3 params: dst, src, count

// memset(ptr, value, size)
sub_XXX(ptr, 0, 0x100);   // 3 params: ptr, byte value, count

// read/write(fd, buf, count)
ret = sub_XXX(fd, buf, n); // returns bytes read/written

// strcmp/strncmp(s1, s2) or (s1, s2, n)
if (sub_XXX(s1, s2) == 0)  // returns 0 on equal

Return value patterns:

// file/socket operations: -1 on error
if ((fd = sub_XXX(...)) == -1) goto error;

// allocation: NULL on failure
if (!(ptr = sub_XXX(size))) goto error;

// success/error: 0 = success
if (sub_XXX(...) != 0) goto error;

// strlen: returns size_t
len = sub_XXX(str);
sub_YYY(dst, src, len);   // len used in memcpy

Analyze Callers (calling functions):

Read functions in the callers list
If a caller has a symbol (check exports.txt), infer the callee's purpose from context
Recursive check: trace up the call chain until you find a function with a symbol
Analyze how the return value is used by callers

Step 3: Information Gathering and Search

Collect the following information:

Strings in the function (check strings.txt for addresses used in the function)
Magic Numbers / constants
Known imports called (cross-reference callees with imports.txt)
Caller/callee symbols from exports.txt
Paired function patterns identified

Based on collected information:

First attempt local reasoning based on:
- Function signature (number and types of parameters)
- Paired call patterns (alloc/free, lock/unlock)
- Known imports in the call chain
- Code structure similarity to known algorithms
If uncertain, use Web Search to search:
- Search Magic Numbers: 0x67452301 0xEFCDAB89 algorithm
- Search code patterns: rotate left xor constant algorithm
- Search unique strings found in the function
- Search parameter patterns: function(int, int, 0) socket

Output Format

## Symbol Recovery Analysis: <function_address>

### Function Characteristics
- Strings: <list discovered strings>
- Constants: <list key constants>
- Called imports: <list>

### Cross-Reference Analysis
- Callers: <callers and their symbols>
- Callees: <callees and their symbols>

### Inference Result
- **Suggested symbol name**: <suggested_name>
- **Confidence**: High / Medium / Low
- **Reasoning**: <explain why this name is suggested>

### Similar Open Source Implementation
- <if similar open source code is found, provide link>

related-skills.json

même dépôt

rev-ios-dump.md

from "P4nda0s/reverse-skills"

Dump decrypted iOS app binaries (砸壳) from jailbroken devices using frida-ios-dump. Activate when the user wants to decrypt an iOS app, dump an IPA from a device, or extract a decrypted Mach-O binary for reverse engineering.

2026-05-061.2k

rev-struct.md

from "P4nda0s/reverse-skills"

Reconstruct data structures by analyzing memory access patterns across functions

2026-04-211.2k

rev-frida.md

from "P4nda0s/reverse-skills"

Generate Frida hook scripts using modern Frida API. Activate when the user wants to write Frida scripts, hook functions at runtime, trace calls or arguments or return values, intercept native or ObjC or Java methods, dump memory or exports, or handle native module load timing for Android and other targets.

2026-04-201.2k

rev-idapython.md

from "P4nda0s/reverse-skills"

IDAPython and IDALib script reference for reverse engineering. Activate when the user needs to write IDAPython scripts in IDA, use IDALib for headless analysis, operate on IDB databases, debug with IDA, manipulate memory/registers, traverse functions/blocks/instructions, work with Hex-Rays decompiler API, handle obfuscation, or batch-process binaries.

2026-04-131.2k

rev-u3d-dump.md

from "P4nda0s/reverse-skills"

Dump Unity IL2CPP symbols from iOS/Android builds. Extract method names, addresses, and type info from IL2CPP binaries and global-metadata.dat, then generate IDA/Ghidra import scripts.

2026-04-121.2k

rev-dex-dumper.md

from "P4nda0s/reverse-skills"

Dump DEX files from a running Android app for unpacking/deobfuscation. Activate when the user wants to unpack an Android APK, dump DEX from memory, extract decrypted DEX files, or defeat class-loading packing.

2026-04-121.2k

package.json

"author": "P4nda0s"

"repository": "P4nda0s/reverse-skills"

Ouvrir le dépôt GitHub Voir les dépôts du créateur

$ install --global

$ download --local

Exécuter dans Manus

$ useful --forSOC

Analystes en sécurité de l'informationProfessions informatiques et mathématiques15-1212L4

name	rev-symbol
description	Restore function symbols by analyzing code patterns, strings, constants, and cross-references

rev-symbol - Symbol Recovery

Analyze function code characteristics to recover/identify function symbols and names.

Pre-check

Determine which IDA access method is available:

Option B — IDA-NO-MCP exported data: If MCP is not connected, check if IDA-NO-MCP exported data exists in the current directory:

Check if decompile/ directory exists
Check if there are .c files inside

If neither MCP nor exported data is available, prompt the user:

No IDA access method detected. Choose one of the following:

Option A — IDA Pro MCP (recommended):
  Connect the IDA Pro MCP server so Claude can query IDA directly.

Option B — IDA-NO-MCP export:
  1. Download plugin: https://github.com/P4nda0s/IDA-NO-MCP
  2. Copy INP.py to IDA plugins directory
  3. Press Ctrl-Shift-E in IDA to export
  4. Open the exported directory with Claude Code

Export Directory Structure

./
├── decompile/              # Decompiled C code directory
│   ├── 0x401000.c          # One file per function, named by hex address
│   ├── 0x401234.c
│   └── ...
├── decompile_failed.txt    # Failed decompilation list
├── decompile_skipped.txt   # Skipped functions list
├── strings.txt             # String table (address, length, type, content)
├── imports.txt             # Import table (address:function_name)
├── exports.txt             # Export table (address:function_name)
└── memory/                 # Memory hexdump (1MB chunks)

Function File Format (decompile/*.c)

Each .c file contains function metadata comments and decompiled code:

/*
 * func-name: sub_401000
 * func-address: 0x401000
 * callers: 0x402000, 0x403000    // List of functions that call this function
 * callees: 0x404000, 0x405000    // List of functions called by this function
 */

int __fastcall sub_401000(int a1, int a2)
{
    // Decompiled code...
}

Symbol Recovery Steps

Step 1: Analyze Internal Characteristics

Carefully examine the target function for:

String constants: Strings used in the function may reveal its purpose
Numeric constants / Magic Numbers:
- MD5: 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
- CRC32: 0xEDB88320
- Base64 charset: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
- AES S-Box: 0x63, 0x7C, 0x77, 0x7B...
- Zlib: 0x78, 0x9C (compression header)
- other constants/magic numbers...
Code structure: Loop patterns, bitwise operations, specific algorithm flows

If you can identify a known algorithm through constants/structure, tell the user directly.

Step 2: Analyze Cross-References

Analyze Callees (called functions):

Read functions in the callees list
For each callee, check if its address exists in imports.txt

Recognize call patterns even when symbols are missing:

Paired function patterns (identify by matching call pairs):

// malloc/free, new/delete, alloc/dealloc
xx = sub_A(0x100);        // alloc: takes size, returns pointer
...
sub_B(xx);                // free: takes the same pointer

// mutex_lock/mutex_unlock, pthread_mutex_lock/unlock
sub_A(lock_ptr);          // lock
...                       // critical section
sub_B(lock_ptr);          // unlock (same lock object)

// open/close, fopen/fclose, CreateFile/CloseHandle
fd = sub_A("/path", 0);   // open: path + flags, returns handle
...
sub_B(fd);                // close: takes the handle

// pthread_create/pthread_join
sub_A(&tid, 0, func, arg); // create: out param, attr, func, arg
...
sub_B(tid, &ret);          // join: tid, out param


**Argument pattern recognition:**
```c
// socket(AF_INET, SOCK_STREAM, 0) - fixed constants
sub_XXX(2, 1, 0);         // socket: domain=2, type=1, protocol=0

// connect/bind(sockfd, addr, addrlen)
sub_XXX(fd, &var, 16);   // addr struct, len=16 for IPv4

// memcpy/memmove(dst, src, size)
sub_XXX(dst, src, n);     // 3 params: dst, src, count

// memset(ptr, value, size)
sub_XXX(ptr, 0, 0x100);   // 3 params: ptr, byte value, count

// read/write(fd, buf, count)
ret = sub_XXX(fd, buf, n); // returns bytes read/written

// strcmp/strncmp(s1, s2) or (s1, s2, n)
if (sub_XXX(s1, s2) == 0)  // returns 0 on equal

Return value patterns:

// file/socket operations: -1 on error
if ((fd = sub_XXX(...)) == -1) goto error;

// allocation: NULL on failure
if (!(ptr = sub_XXX(size))) goto error;

// success/error: 0 = success
if (sub_XXX(...) != 0) goto error;

// strlen: returns size_t
len = sub_XXX(str);
sub_YYY(dst, src, len);   // len used in memcpy

Analyze Callers (calling functions):

Read functions in the callers list
If a caller has a symbol (check exports.txt), infer the callee's purpose from context
Recursive check: trace up the call chain until you find a function with a symbol
Analyze how the return value is used by callers

Step 3: Information Gathering and Search

Collect the following information:

Strings in the function (check strings.txt for addresses used in the function)
Magic Numbers / constants
Known imports called (cross-reference callees with imports.txt)
Caller/callee symbols from exports.txt
Paired function patterns identified

Based on collected information:

First attempt local reasoning based on:
- Function signature (number and types of parameters)
- Paired call patterns (alloc/free, lock/unlock)
- Known imports in the call chain
- Code structure similarity to known algorithms
If uncertain, use Web Search to search:
- Search Magic Numbers: 0x67452301 0xEFCDAB89 algorithm
- Search code patterns: rotate left xor constant algorithm
- Search unique strings found in the function
- Search parameter patterns: function(int, int, 0) socket

Output Format

## Symbol Recovery Analysis: <function_address>

### Function Characteristics
- Strings: <list discovered strings>
- Constants: <list key constants>
- Called imports: <list>

### Cross-Reference Analysis
- Callers: <callers and their symbols>
- Callees: <callees and their symbols>

### Inference Result
- **Suggested symbol name**: <suggested_name>
- **Confidence**: High / Medium / Low
- **Reasoning**: <explain why this name is suggested>

### Similar Open Source Implementation
- <if similar open source code is found, provide link>

rev-symbol

rev-symbol - Symbol Recovery

Pre-check

Export Directory Structure

Function File Format (decompile/*.c)

Symbol Recovery Steps

Step 1: Analyze Internal Characteristics

Step 2: Analyze Cross-References

Step 3: Information Gathering and Search

Output Format

Plus depuis ce dépôt

Plus depuis ce dépôt

rev-symbol - Symbol Recovery

Pre-check

Export Directory Structure

Function File Format (decompile/*.c)

Symbol Recovery Steps

Step 1: Analyze Internal Characteristics

Step 2: Analyze Cross-References

Step 3: Information Gathering and Search

Output Format