SKILL.md
rev-symbol - Symbol Recovery
Analyze function code characteristics to recover/identify function symbols and names.
Pre-check
Determine which IDA access method is available:
Option A — IDA Pro MCP (preferred if connected):
Check if the IDA Pro MCP server is connected (look for an active ida-pro or equivalent MCP connection). If connected, you can query IDA directly via MCP tools — no exported files needed. Proceed with the analysis using MCP.
Option B — IDA-NO-MCP exported data:
If MCP is not connected, check if IDA-NO-MCP exported data exists in the current directory:
- Check if
decompile/directory exists
- Check if there are
.cfiles inside
If neither MCP nor exported data is available, prompt the user:
No IDA access method detected. Choose one of the following:
Option A — IDA Pro MCP (recommended):
Connect the IDA Pro MCP server so Claude can query IDA directly.
Option B — IDA-NO-MCP export:
1. Download plugin: https://github.com/P4nda0s/IDA-NO-MCP
2. Copy INP.py to IDA plugins directory
3. Press Ctrl-Shift-E in IDA to export
4. Open the exported directory with Claude CodeExport Directory Structure
./
├── decompile/ # Decompiled C code directory
│ ├── 0x401000.c # One file per function, named by hex address
│ ├── 0x401234.c
│ └── ...
├── decompile_failed.txt # Failed decompilation list
├── decompile_skipped.txt # Skipped functions list
├── strings.txt # String table (address, length, type, content)
├── imports.txt # Import table (address:function_name)
├── exports.txt # Export table (address:function_name)
└── memory/ # Memory hexdump (1MB chunks)Function File Format (decompile/*.c)
Each .c file contains function metadata comments and decompiled code:
/*
* func-name: sub_401000
* func-address: 0x401000
* callers: 0x402000, 0x403000 // List of functions that call this function
* callees: 0x404000, 0x405000 // List of functions called by this function
*/
int __fastcall sub_401000(int a1, int a2)
{
// Decompiled code...
}Symbol Recovery Steps
Step 1: Analyze Internal Characteristics
Carefully examine the target function for:
- String constants: Strings used in the function may reveal its purpose
- Numeric constants / Magic Numbers:
- MD5:
0x67452301,0xEFCDAB89,0x98BADCFE,0x10325476
- CRC32:
0xEDB88320
- Base64 charset:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
- AES S-Box:
0x63, 0x7C, 0x77, 0x7B...
- Zlib:
0x78,0x9C(compression header)
- other constants/magic numbers...
- Code structure: Loop patterns, bitwise operations, specific algorithm flows
If you can identify a known algorithm through constants/structure, tell the user directly.
Step 2: Analyze Cross-References
Analyze Callees (called functions):
-
Read functions in the callees list
-
For each callee, check if its address exists in imports.txt
-
Recognize call patterns even when symbols are missing:
Paired function patterns (identify by matching call pairs):
// malloc/free, new/delete, alloc/dealloc
xx = sub_A(0x100); // alloc: takes size, returns pointer
...
sub_B(xx); // free: takes the same pointer
// mutex_lock/mutex_unlock, pthread_mutex_lock/unlock
sub_A(lock_ptr); // lock
... // critical section
sub_B(lock_ptr); // unlock (same lock object)
// open/close, fopen/fclose, CreateFile/CloseHandle
fd = sub_A("/path", 0); // open: path + flags, returns handle
...
sub_B(fd); // close: takes the handle
// pthread_create/pthread_join
sub_A(&tid, 0, func, arg); // create: out param, attr, func, arg
...
sub_B(tid, &ret); // join: tid, out param
**Argument pattern recognition:**
// socket(AF_INET, SOCK_STREAM, 0) - fixed constants
sub_XXX(2, 1, 0); // socket: domain=2, type=1, protocol=0
// connect/bind(sockfd, addr, addrlen)
sub_XXX(fd, &var, 16); // addr struct, len=16 for IPv4
// memcpy/memmove(dst, src, size)
sub_XXX(dst, src, n); // 3 params: dst, src, count
// memset(ptr, value, size)
sub_XXX(ptr, 0, 0x100); // 3 params: ptr, byte value, count
// read/write(fd, buf, count)
ret = sub_XXX(fd, buf, n); // returns bytes read/written
// strcmp/strncmp(s1, s2) or (s1, s2, n)
if (sub_XXX(s1, s2) == 0) // returns 0 on equal
**Return value patterns:**
// file/socket operations: -1 on error
if ((fd = sub_XXX(...)) == -1) goto error;
// allocation: NULL on failure
if (!(ptr = sub_XXX(size))) goto error;
// success/error: 0 = success
if (sub_XXX(...) != 0) goto error;
// strlen: returns size_t
len = sub_XXX(str);
sub_YYY(dst, src, len); // len used in memcpy
**Analyze Callers (calling functions):**
- Read functions in the callers list
- If a caller has a symbol (check exports.txt), infer the callee's purpose from context
- Recursive check: trace up the call chain until you find a function with a symbol
- Analyze how the return value is used by callers
### Step 3: Information Gathering and Search
Collect the following information:
- Strings in the function (check `strings.txt` for addresses used in the function)
- Magic Numbers / constants
- Known imports called (cross-reference callees with `imports.txt`)
- Caller/callee symbols from `exports.txt`
- Paired function patterns identified
Based on collected information:
-
First attempt local reasoning based on:
- Function signature (number and types of parameters)
- Paired call patterns (alloc/free, lock/unlock)
- Known imports in the call chain
- Code structure similarity to known algorithms
-
If uncertain, use **Web Search** to search:
- Search Magic Numbers: `0x67452301 0xEFCDAB89 algorithm`
- Search code patterns: `rotate left xor constant algorithm`
- Search unique strings found in the function
- Search parameter patterns: `function(int, int, 0) socket`
## Output Format
Symbol Recovery Analysis: <function_address>
Function Characteristics
- Strings: <list discovered strings>
- Constants: <list key constants>
- Called imports: <list>
Cross-Reference Analysis
- Callers: <callers and their symbols>
- Callees: <callees and their symbols>
Inference Result
- Suggested symbol name: <suggested_name>
- Confidence: High / Medium / Low
- Reasoning: <explain why this name is suggested>
Similar Open Source Implementation
- <if similar open source code is found, provide link>