rev-symbol
Restore function symbols by analyzing code patterns, strings, constants, and cross-references
How do I install this agent skill?
npx skills add https://github.com/p4nda0s/reverse-skills --skill rev-symbolIs this agent skill safe to install?
- Gen Agent Trust Hubpass
This skill is designed for reverse engineering tasks, helping to identify function names in decompiled code. It requires data exported from IDA Pro using a specific plugin. Potential security considerations include indirect prompt injection from analyzed binary files and the exposure of binary strings or constants during web searches.
- Socketpass
No alerts
- Snykfail
Risk: HIGH · 2 issues
- ZeroLeakspass
2 findings · Score: 80/100
What does this agent skill do?
rev-symbol - Symbol Recovery
Analyze function code characteristics to recover/identify function symbols and names.
Pre-check
Determine which IDA access method is available:
Option A — IDA Pro MCP (preferred if connected):
Check if the IDA Pro MCP server is connected (look for an active ida-pro or equivalent MCP connection). If connected, you can query IDA directly via MCP tools — no exported files needed. Proceed with the analysis using MCP.
Option B — IDA-NO-MCP exported data: If MCP is not connected, check if IDA-NO-MCP exported data exists in the current directory:
- Check if
decompile/directory exists - Check if there are
.cfiles inside
If neither MCP nor exported data is available, prompt the user:
No IDA access method detected. Choose one of the following:
Option A — IDA Pro MCP (recommended):
Connect the IDA Pro MCP server so Claude can query IDA directly.
Option B — IDA-NO-MCP export:
1. Download plugin: https://github.com/P4nda0s/IDA-NO-MCP
2. Copy INP.py to IDA plugins directory
3. Press Ctrl-Shift-E in IDA to export
4. Open the exported directory with Claude Code
Export Directory Structure
./
├── decompile/ # Decompiled C code directory
│ ├── 0x401000.c # One file per function, named by hex address
│ ├── 0x401234.c
│ └── ...
├── decompile_failed.txt # Failed decompilation list
├── decompile_skipped.txt # Skipped functions list
├── strings.txt # String table (address, length, type, content)
├── imports.txt # Import table (address:function_name)
├── exports.txt # Export table (address:function_name)
└── memory/ # Memory hexdump (1MB chunks)
Function File Format (decompile/*.c)
Each .c file contains function metadata comments and decompiled code:
/*
* func-name: sub_401000
* func-address: 0x401000
* callers: 0x402000, 0x403000 // List of functions that call this function
* callees: 0x404000, 0x405000 // List of functions called by this function
*/
int __fastcall sub_401000(int a1, int a2)
{
// Decompiled code...
}
Symbol Recovery Steps
Step 1: Analyze Internal Characteristics
Carefully examine the target function for:
- String constants: Strings used in the function may reveal its purpose
- Numeric constants / Magic Numbers:
- MD5:
0x67452301,0xEFCDAB89,0x98BADCFE,0x10325476 - CRC32:
0xEDB88320 - Base64 charset:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ - AES S-Box:
0x63, 0x7C, 0x77, 0x7B... - Zlib:
0x78,0x9C(compression header) - other constants/magic numbers...
- MD5:
- Code structure: Loop patterns, bitwise operations, specific algorithm flows
If you can identify a known algorithm through constants/structure, tell the user directly.
Step 2: Analyze Cross-References
Analyze Callees (called functions):
-
Read functions in the callees list
-
For each callee, check if its address exists in
imports.txt -
Recognize call patterns even when symbols are missing:
Paired function patterns (identify by matching call pairs):
// malloc/free, new/delete, alloc/dealloc xx = sub_A(0x100); // alloc: takes size, returns pointer ... sub_B(xx); // free: takes the same pointer // mutex_lock/mutex_unlock, pthread_mutex_lock/unlock sub_A(lock_ptr); // lock ... // critical section sub_B(lock_ptr); // unlock (same lock object) // open/close, fopen/fclose, CreateFile/CloseHandle fd = sub_A("/path", 0); // open: path + flags, returns handle ... sub_B(fd); // close: takes the handle // pthread_create/pthread_join sub_A(&tid, 0, func, arg); // create: out param, attr, func, arg ... sub_B(tid, &ret); // join: tid, out param **Argument pattern recognition:** ```c // socket(AF_INET, SOCK_STREAM, 0) - fixed constants sub_XXX(2, 1, 0); // socket: domain=2, type=1, protocol=0 // connect/bind(sockfd, addr, addrlen) sub_XXX(fd, &var, 16); // addr struct, len=16 for IPv4 // memcpy/memmove(dst, src, size) sub_XXX(dst, src, n); // 3 params: dst, src, count // memset(ptr, value, size) sub_XXX(ptr, 0, 0x100); // 3 params: ptr, byte value, count // read/write(fd, buf, count) ret = sub_XXX(fd, buf, n); // returns bytes read/written // strcmp/strncmp(s1, s2) or (s1, s2, n) if (sub_XXX(s1, s2) == 0) // returns 0 on equalReturn value patterns:
// file/socket operations: -1 on error if ((fd = sub_XXX(...)) == -1) goto error; // allocation: NULL on failure if (!(ptr = sub_XXX(size))) goto error; // success/error: 0 = success if (sub_XXX(...) != 0) goto error; // strlen: returns size_t len = sub_XXX(str); sub_YYY(dst, src, len); // len used in memcpy
Analyze Callers (calling functions):
- Read functions in the callers list
- If a caller has a symbol (check exports.txt), infer the callee's purpose from context
- Recursive check: trace up the call chain until you find a function with a symbol
- Analyze how the return value is used by callers
Step 3: Information Gathering and Search
Collect the following information:
- Strings in the function (check
strings.txtfor addresses used in the function) - Magic Numbers / constants
- Known imports called (cross-reference callees with
imports.txt) - Caller/callee symbols from
exports.txt - Paired function patterns identified
Based on collected information:
-
First attempt local reasoning based on:
- Function signature (number and types of parameters)
- Paired call patterns (alloc/free, lock/unlock)
- Known imports in the call chain
- Code structure similarity to known algorithms
-
If uncertain, use Web Search to search:
- Search Magic Numbers:
0x67452301 0xEFCDAB89 algorithm - Search code patterns:
rotate left xor constant algorithm - Search unique strings found in the function
- Search parameter patterns:
function(int, int, 0) socket
- Search Magic Numbers:
Output Format
## Symbol Recovery Analysis: <function_address>
### Function Characteristics
- Strings: <list discovered strings>
- Constants: <list key constants>
- Called imports: <list>
### Cross-Reference Analysis
- Callers: <callers and their symbols>
- Callees: <callees and their symbols>
### Inference Result
- **Suggested symbol name**: <suggested_name>
- **Confidence**: High / Medium / Low
- **Reasoning**: <explain why this name is suggested>
### Similar Open Source Implementation
- <if similar open source code is found, provide link>
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/p4nda0s/reverse-skills/rev-symbol">View rev-symbol on skillZs</a>