
Rev Idapython
Generate IDAPython and IDALib snippets for headless or interactive reverse-engineering workflows on binaries in IDA.
Overview
rev-idapython is an agent skill most often used in Ship (also Build integrations) that supplies IDAPython and IDALib script patterns for IDA-based binary reverse engineering.
Install
npx skills add https://github.com/p4nda0s/reverse-skills --skill rev-idapython
What is this skill?
- Reference snippets for IDAPython inside the IDA GUI and for IDALib headless mode (IDA 9.0+), which runs without opening the GUI
- Registers, debug memory, local IDB patches, disassembly traversal, and Hex-Rays decompiler API patterns
- Function, block, and instruction navigation plus batch binary processing hooks
- Breakpoint and image-base helpers for live debug sessions
- Obfuscation-focused workflows called out in the skill activation triggers
Adoption & trust: 620 installs on skills.sh; 1.3k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You need to automate IDA analysis or headless IDALib runs but keep mistyping IDC/IDA API calls or mixing debug versus IDB memory operations.
Who is it for?
Indie security researchers, malware triage analysts, and builders maintaining custom IDA automation without re-reading the SDK docs each session.
Skip if: Teams with no IDA license, purely source-level debugging in VS Code, or beginners who have never opened an IDB.
When should I use this skill?
User needs IDAPython scripts in IDA, IDALib headless analysis, IDB operations, debug memory/registers, function/instruction traversal, Hex-Rays API, obfuscation work, or batch binary processing.
What do I get? / Deliverables
Your agent emits vetted IDAPython/IDALib snippets for registers, memory, disassembly, decompiler, and breakpoints so you can run them in IDA or batch headless pipelines.
- IDAPython or IDALib code blocks ready for Script Command or headless execution
- Patterns for register, memory, disassembly, and decompiler operations
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Ship/Security because the skill is invoked when hardening understanding of unknown binaries, malware, or licensed software before release or incident response—not during greenfield product UI work. Security subphase matches reverse engineering, obfuscation handling, and decompiler API work that inform vulnerability assessment and binary integrity checks.
Where it fits
Decompile a suspicious DLL with Hex-Rays patterns before signing a release build.
Scaffold an IDALib headless job that exports function lists into your CI artifact store.
Attach breakpoints and dump registers when investigating a production crash dump mapped to a VA.
How it compares
Use as an in-agent API cheat sheet for IDA scripting, not as a generic Ghidra or radare2 skill pack.
Common Questions / FAQ
Who is rev-idapython for?
Solo builders and small teams who already use IDA Pro and want their AI coding agent to draft correct IDAPython or IDALib automation for binaries, decompilation, and debug sessions.
When should I use rev-idapython?
During Ship security review when analyzing unknown binaries, in Operate incident triage for malware samples, and in Build integrations when wiring headless IDALib batch jobs—whenever SKILL.md triggers mention IDB work, Hex-Rays, registers, or obfuscation.
Is rev-idapython safe to install?
It is read-only reference material for script generation; review the Security Audits panel on this Prism page before trusting any third-party skill in a regulated environment.
SKILL.md
# rev-idapython - IDAPython / IDALib Script Reference

IDAPython script snippets for IDA interactive use and IDALib headless analysis. Use as reference when generating IDAPython code.

- **IDAPython**: scripts run inside IDA GUI (Script Command, plugin, or IDC console)
- **IDALib**: headless mode introduced in IDA 9.0 — run analysis scripts without opening the IDA GUI

---

## Common API

### Register Operations

```python
idc.get_reg_value('rax')
idaapi.set_reg_val("rax", 1234)
```

### Debug Memory Operations

```python
idc.read_dbg_byte(addr)
idc.read_dbg_memory(addr, size)
idc.read_dbg_dword(addr)
idc.read_dbg_qword(addr)
idc.patch_dbg_byte(addr, val)

idc.add_bpt(0x409437)    # add breakpoint
idaapi.get_imagebase()   # get image base address
```

### Local Memory Operations (modifies IDB database)

```python
idc.get_qword(addr)
idc.patch_qword(addr, val)
idc.patch_dword(addr, val)
idc.patch_word(addr, val)
idc.patch_byte(addr, val)
idc.get_db_byte(addr)
idc.get_bytes(addr, size)
idaapi.get_dword(addr)
idc.get_strlit_contents  # read string literal
```

### Disassembly

```python
idc.GetDisasm(addr)        # get disassembly text
idc.next_head(ea)          # get next instruction address
idc.create_insn(addr)      # c, Make Code
ida_bytes.create_strlit    # create string, same as 'A' key
ida_funcs.add_func(addr)   # p, create function
idc.del_items(addr)        # U, undefine
```

### Address Conversion

```python
idc.get_name_ea(0, '_sub_6051')  # get address by function name
```

### Function Operations

```python
ida_funcs.get_func(ea)  # get function descriptor

# enumerate all functions
for func in idautils.Functions():
    print("0x%x, %s" % (func, idc.get_func_name(func)))
```

---

## Code Snippets

### Byte Pattern Search

```python
import ida_bytes
import ida_idaapi
import ida_funcs
import idc

# find_bytes_list("90 90 90 90 90")
# find_bytes_list("55 ??")
# returns list of matching addresses
def find_bytes_list(bytes_pattern):
    ea = -1
    result = []
    while True:
        ea = idc.find_bytes(bytes_pattern, ea + 1)
        if ea == ida_idaapi.BADADDR:
            break
        result.append(ea)
    return result
```

### Appcall - Call Debuggee Functions

```python
import ida_idd

# test check_passwd(char *passwd) -> int
passwd = ida_idd.Appcall.byref("MyFirstGuess")
res = ida_idd.Appcall.check_passwd(passwd)
if res.value == 0:
    print("Good passwd !")
else:
    print("Bad passwd...")
```

```python
from ida_idd import Appcall

# Explicitly create the buffer as a byref object
s_in = Appcall.byref("SomeEncryptedBuffer")
# Buffers are always returned byref
s_out = Appcall.buffer(" ", SizeOfBuffer)
# Call the debuggee
Appcall.decrypt_buffer(s_in, s_out, SizeOfBuffer)
# Print the result
print("decrypted=", s_out.value)
```

```python
from ida_idd import Appcall

loadlib = Appcall.proto("kernel32_LoadLibraryA", "int __stdcall loadlib(const char *fn);")
hmod = loadlib("dll_to_inject.dll")

getlasterror = Appcall.proto("kernel32_GetLastError", "DWORD __stdcall GetLastError();")
print("lasterror=", getlasterror())

getcmdline = Appcall.proto("kernel32_GetCommandLineA", "const char *__stdcall getcmdline();")
print("command line:", getcmdline())
```

### Cross References

```python
for ref in idautils.XrefsTo(ea):
    print(hex(ref.frm))

# shorthand
[ref.frm for ref in idautils.XrefsTo(start_ea)]
```

### Basic Block Traversal

```python
fn = 0x4800
f_blocks = idaapi.FlowChart(idaapi.get_func(fn), flags=idaapi.FC_PREDS)
for block in f_blocks:
    print(hex(block.start_ea))
```

```python
# successor blocks
for succ in block.succs():
    print he