
Rev Symbol
Recover likely function names and symbols from decompiled binaries using IDA Pro MCP live queries or IDA-NO-MCP exported decompile trees.
Install
npx skills add https://github.com/p4nda0s/reverse-skills --skill rev-symbol
What is this skill?
- Dual access path: IDA Pro MCP when connected, otherwise IDA-NO-MCP `decompile/` export layout
- Pre-check gate prompts users when neither MCP nor exported `.c` files exist
- One decompiled file per function, address-named like `0x401000.c`
- Focuses on pattern, string, constant, and xref-driven symbol restoration
- Documents INP.py plugin install and Ctrl-Shift-E export steps for offline mode
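
Added example (not the skill's or the plugin's own code): a Python pass over an IDA-NO-MCP style export that flags well-known algorithm constants and resolves callees against `imports.txt`, using the header fields and the `address:function_name` format shown in SKILL.md on this page. The signature table, the suggested labels and the sample files built in `demo()` are constructed for illustration; literals are folded to 32 bits because a decompiler can print the same word as signed decimal or with a `u` suffix.

```python
import re
import tempfile
from pathlib import Path

# Candidate labels per constant set (this example's table, not the skill's).
# MD5 and MD4 share four init words; SHA-1 and RIPEMD-160 add a fifth word.
MD_INIT = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476}
SIGNATURES = [  # most specific first, so SHA-1 is not reported as MD5
    ("sha1_or_ripemd160_init", MD_INIT | {0xC3D2E1F0}),
    ("md5_or_md4_init", MD_INIT),
    ("crc32_reflected_poly", {0xEDB88320}),
]
# Hex or decimal literals, optional sign, optional u/l suffix.
NUM = re.compile(r"(?<![\w.])-?(?:0x[0-9a-fA-F]+|[1-9]\d*)(?=[uUlL]*\b)")
FIELD = re.compile(r"^\s*\*\s*(func-name|callees):(.*)$", re.M)

def load_imports(path):
    """Parse imports.txt lines of the form address:function_name."""
    pairs = (ln.partition(":") for ln in Path(path).read_text().splitlines())
    return {int(a, 16): n.strip() for a, sep, n in pairs if sep}

def analyze(c_file, imports):
    header, _, body = Path(c_file).read_text(errors="replace").partition("*/")
    meta = dict(FIELD.findall(header))
    # Scan only the body so header addresses are not mistaken for constants.
    consts = {int(tok, 0) & 0xFFFFFFFF for tok in NUM.findall(body)}
    guess = next((name for name, sig in SIGNATURES if sig <= consts), None)
    callees = [int(a, 16) for a in re.findall(r"0x[0-9a-fA-F]+", meta.get("callees", ""))]
    return {"name": meta.get("func-name", "").strip(), "guess": guess,
            "imports": [imports[a] for a in callees if a in imports]}

def demo():
    """Run against a constructed two-function export in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "decompile").mkdir()
        (root / "imports.txt").write_text("0x404000:memcpy\n")
        hdr = "/*\n * func-name: sub_%X\n * func-address: 0x%X\n * callees: 0x404000, 0x405000\n */\n"
        (root / "decompile/0x401000.c").write_text(hdr % (0x401000, 0x401000) +
            "void sub_401000(int *s) { s[0] = 0x67452301; s[1] = -271733879;\n"
            "  s[2] = 0x98BADCFEu; s[3] = 271733878; s[4] = 0xC3D2E1F0; }\n")
        (root / "decompile/0x401234.c").write_text(hdr % (0x401234, 0x401234) +
            "int sub_401234(int c) { return (c >> 1) ^ 0xEDB88320; }\n")
        imports = load_imports(root / "imports.txt")
        return {p.name: analyze(p, imports) for p in sorted(root.glob("decompile/*.c"))}

if __name__ == "__main__":
    for fname, result in demo().items():
        print(fname, result)
```

A constant hit is a naming hint, not proof: the labels stay ambiguous on purpose where several algorithms share the same words.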
Adoption & trust: 665 installs on skills.sh; 1.3k GitHub stars; 2/3 security scanners passed (skills.sh audits).
Journey fit
Symbol recovery supports pre-release or post-release security review and malware analysis, which Prism groups under Ship security rather than greenfield Build UI. The workflow analyzes decompiled C and cross-references—classic application security and reverse-engineering review work.
Common Questions / FAQ
Is Rev Symbol safe to install?
skills.sh reports 2 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md
# rev-symbol - Symbol Recovery

Analyze function code characteristics to recover/identify function symbols and names.

## Pre-check

**Determine which IDA access method is available:**

**Option A — IDA Pro MCP (preferred if connected):**
Check if the IDA Pro MCP server is connected (look for an active `ida-pro` or equivalent MCP connection). If connected, you can query IDA directly via MCP tools — no exported files needed. Proceed with the analysis using MCP.

**Option B — IDA-NO-MCP exported data:**
If MCP is not connected, check if IDA-NO-MCP exported data exists in the current directory:

1. Check if `decompile/` directory exists
2. Check if there are `.c` files inside

If neither MCP nor exported data is available, prompt the user:

```
No IDA access method detected. Choose one of the following:

Option A — IDA Pro MCP (recommended):
  Connect the IDA Pro MCP server so Claude can query IDA directly.

Option B — IDA-NO-MCP export:
  1. Download plugin: https://github.com/P4nda0s/IDA-NO-MCP
  2. Copy INP.py to IDA plugins directory
  3. Press Ctrl-Shift-E in IDA to export
  4. Open the exported directory with Claude Code
```

---

## Export Directory Structure

```
./
├── decompile/              # Decompiled C code directory
│   ├── 0x401000.c          # One file per function, named by hex address
│   ├── 0x401234.c
│   └── ...
├── decompile_failed.txt    # Failed decompilation list
├── decompile_skipped.txt   # Skipped functions list
├── strings.txt             # String table (address, length, type, content)
├── imports.txt             # Import table (address:function_name)
├── exports.txt             # Export table (address:function_name)
└── memory/                 # Memory hexdump (1MB chunks)
```

## Function File Format (decompile/*.c)

Each `.c` file contains function metadata comments and decompiled code:

```c
/*
 * func-name: sub_401000
 * func-address: 0x401000
 * callers: 0x402000, 0x403000  // List of functions that call this function
 * callees: 0x404000, 0x405000  // List of functions called by this function
 */

int __fastcall sub_401000(int a1, int a2)
{
    // Decompiled code...
}
```

---

## Symbol Recovery Steps

### Step 1: Analyze Internal Characteristics

Carefully examine the target function for:

- **String constants**: Strings used in the function may reveal its purpose
- **Numeric constants / Magic Numbers**:
  - MD5: `0x67452301`, `0xEFCDAB89`, `0x98BADCFE`, `0x10325476`
  - CRC32: `0xEDB88320`
  - Base64 charset: `ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/`
  - AES S-Box: `0x63, 0x7C, 0x77, 0x7B...`
  - Zlib: `0x78`, `0x9C` (compression header)
  - other constants/magic numbers...
- **Code structure**: Loop patterns, bitwise operations, specific algorithm flows

If you can identify a known algorithm through constants/structure, tell the user directly.

### Step 2: Analyze Cross-References

**Analyze Callees (called functions):**

- Read functions in the callees list
- For each callee, check if its address exists in `imports.txt`
- Recognize call patterns even when symbols are missing:

**Paired function patterns (identify by matching call pairs):**

```c
// malloc/free, new/delete, alloc/dealloc
xx = sub_A(0x100);           // alloc: takes size, returns pointer
...
sub_B(xx);                   // free: takes the same pointer

// mutex_lock/mutex_unlock, pthread_mutex_lock/unlock
sub_A(lock_ptr);             // lock
...                          // critical section
sub_B(lock_ptr);             // unlock (same lock object)

// open/close, fopen/fclose, CreateFile/CloseHandle
fd = sub_A("/path", 0);      // open: path + flags, returns handle
...
sub_B(fd);                   // close: takes the handle

// pthread_create/pthread_join
sub_A(&tid, 0, func, arg);   // create: out param, attr, func, arg
...
sub_B(tid, &ret);