Post-run follow-up to the 2026-06-06-r01 stress test (Output/2026-06-06-r01/gap-analysis.md). The C1 catalog refactor split 'activation' into 'ue-component-activation' and 'license-activation'; ANTI-TAMPER-TAXONOMY.md's Pattern B fire rule was still reading 'activation.count' which now points to the (much smaller) license-activation bucket. The 615 false-positive hits in P3R.exe's UE component vocabulary no longer trip the Pattern B threshold of 50 strings. CHANGELOG.md [2.5.1] entry: full release notes for the Cycle 2 post-run follow-up (14 tool-bug fixes + 6 catalog refactors + 1 new leak category + 1 KSY backport, no new MCP servers, no new skills). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
# RE-AI

A Claude Code plugin that turns Claude into a reverse-engineering workstation.

RE-AI is not an agent — Claude Code is the agent. RE-AI ships 18 skills (prompt-instruction markdown, listed below) and 15 MCP servers (standalone JSON-RPC tool processes) that plug into Claude Code and give it deep binary-analysis capabilities.
## Encrypted-VM bytecode families

The plugin's anti-tamper / DRM coverage is categorical: the catalog in `data/drm-indicators.yaml::pattern_indicators.mappings` describes the observable patterns an analyst sees in a binary's section table, import set and string table, and maps them to a category of protection. Vendor attribution is deliberately left to the user, who supplies it from their own context; see `ANTI-TAMPER-TAXONOMY.md` for the inference chain.
The two encrypted-VM bytecode target families the plugin currently covers:
| Family | Section set | Encrypted body | Other markers |
|---|---|---|---|
| Unity IL2CPP target | `.xtls` / `.didata` / `.ecode` / `.xdata` / `.xpdata` / `.udata` / `.00cfg` | `.xtls` (highest entropy, 7.85+ bits/byte) | `GameAssembly.dll` + `global-metadata.dat` pairing |
| Proprietary-engine target | `.arch` / `.link` / `.xcode` / `.xtext` / `.sbss` | `.rodata` (huge, 7.5+ bits/byte entropy, 100x+ the `.text` size) | no `GameAssembly.dll`; small `.text` (real native code) |
The catalog also carries the historical patterns (encrypted-VM bytecode in its alternative-dispatcher variant, WinLicense-family variant and CISC-dispatch variant) and the publisher telemetry pipeline leak pattern category.
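The section-table half of the family table above, as an added example that is not RE-AI's own `re-drm-fingerprint` or `re-encrypted-vm-tamper` code: the section-name sets and the thresholds (7.85+ bits/byte for `.xtls`; 7.5+ bits/byte and 100x+ the `.text` size for `.rodata`) are the ones in the table, while the `Section` type, the evidence scoring, the two-signal minimum and the three constructed section tables are this example's own. It goes one step beyond the table by also deriving a section's entropy from raw bytes, which is what you would do with the `.xtls` or `.rodata` contents pulled out of a real PE with LIEF.

```python
"""Section-table heuristic for the two encrypted-VM bytecode families.

Added example, not RE-AI's code. Thresholds and section-name sets come from
the README family table; everything else (scoring, data structures, samples)
is this example's own. In practice the Section list comes from a PE parser
such as LIEF; here the section tables are constructed by hand.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    size: int        # raw size in bytes
    entropy: float   # Shannon entropy of the raw bytes, 0.0 .. 8.0 bits/byte

    @classmethod
    def from_bytes(cls, name: str, data: bytes) -> "Section":
        return cls(name, len(data), shannon_entropy(data))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely (encrypted or compressed)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Section-name sets from the README family table.
UNITY_IL2CPP_SECTIONS = {".xtls", ".didata", ".ecode", ".xdata", ".xpdata", ".udata", ".00cfg"}
PROPRIETARY_ENGINE_SECTIONS = {".arch", ".link", ".xcode", ".xtext", ".sbss"}
UNITY_FAMILY = "Unity IL2CPP target"
PROPRIETARY_FAMILY = "Proprietary-engine target"


def _unity_evidence(by_name: dict[str, Section], has_gameassembly: bool) -> list[str]:
    ev = []
    if UNITY_IL2CPP_SECTIONS <= set(by_name):
        ev.append("full Unity section set present")
    xtls = by_name.get(".xtls")
    if xtls is not None and xtls.entropy >= 7.85:
        ev.append(f".xtls entropy {xtls.entropy:.2f} >= 7.85 (encrypted body)")
    if has_gameassembly:
        ev.append("GameAssembly.dll + global-metadata.dat beside the target")
    return ev


def _proprietary_evidence(by_name: dict[str, Section], has_gameassembly: bool) -> list[str]:
    if has_gameassembly:          # this family is defined by the absence of the Unity pairing
        return []
    ev = []
    if PROPRIETARY_ENGINE_SECTIONS <= set(by_name):
        ev.append("full proprietary-engine section set present")
    rodata, text = by_name.get(".rodata"), by_name.get(".text")
    if rodata and text and text.size > 0 and rodata.entropy >= 7.5 and rodata.size >= 100 * text.size:
        ev.append(f".rodata entropy {rodata.entropy:.2f} >= 7.5 and {rodata.size // text.size}x .text (encrypted body)")
    return ev


def classify_family(sections: list[Section], has_gameassembly: bool) -> dict:
    """Pick the family with the most evidence. At least two independent signals are
    required, so one high-entropy section in an ordinary binary is not a match."""
    by_name = {s.name: s for s in sections}
    candidates = {
        UNITY_FAMILY: _unity_evidence(by_name, has_gameassembly),
        PROPRIETARY_FAMILY: _proprietary_evidence(by_name, has_gameassembly),
    }
    best = max(candidates, key=lambda k: len(candidates[k]))
    if len(candidates[best]) < 2:
        return {"family": None, "score": 0, "evidence": [], "candidates": candidates}
    return {"family": best, "score": len(candidates[best]),
            "evidence": candidates[best], "candidates": candidates}


# Constructed section tables (not real binaries), sized like the two families.
UNITY_LIKE = [
    Section(".text", 0x180000, 6.2), Section(".rdata", 0x40000, 5.1),
    Section(".xtls", 0x3000000, 7.93), Section(".didata", 0x1000, 3.2),
    Section(".ecode", 0x20000, 6.5), Section(".xdata", 0x8000, 4.0),
    Section(".xpdata", 0x8000, 4.1), Section(".udata", 0x2000, 2.8),
    Section(".00cfg", 0x200, 0.9),
]
PROPRIETARY_LIKE = [
    Section(".text", 0x6000, 6.0), Section(".rodata", 0x6000 * 180, 7.81),
    Section(".arch", 0x400, 3.0), Section(".link", 0x800, 3.5),
    Section(".xcode", 0x10000, 6.3), Section(".xtext", 0x4000, 5.9),
    Section(".sbss", 0x100, 0.0),
]
PLAIN_LIKE = [Section(".text", 0x20000, 6.1), Section(".rdata", 0x8000, 4.9),
              Section(".data", 0x3000, 2.7)]

if __name__ == "__main__":
    for label, table, ga in (("unity", UNITY_LIKE, True),
                             ("proprietary", PROPRIETARY_LIKE, False),
                             ("plain", PLAIN_LIKE, False)):
        r = classify_family(table, has_gameassembly=ga)
        print(f"{label:12} -> {r['family']} (score {r['score']}): {r['evidence']}")
```

The two-signal minimum is the practical caveat: `.rodata` at 7.5+ bits/byte on its own is also what a large compressed resource blob looks like, so the size ratio and the section-name set have to agree before the family is called.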
The `re-drm-fingerprint` and `re-encrypted-vm-tamper` skills both consume this catalog. The first produces a per-pattern confidence score; the second produces a per-family characterization (section table, dispatcher disassembly, lazy-decrypt-stub detection). For runtime traces of the encrypted body decrypting, escalate to `re-vm-reverse` (Wine + `re-winedbg`).
## What you get

### Skills (loaded into Claude's prompt context)
| Skill | Use when… |
|---|---|
| `re-static-triage` | You're handed an unknown binary and want a first-pass report. |
| `re-decompile` | You want a function in C-like pseudocode. |
| `re-api-reverse` | You captured HTTP traffic and want to reconstruct the REST API. |
| `re-format-decode` | You have a custom binary blob (firmware, save file, `.DAT`) and want to understand its format. |
| `re-dynamic-analysis` | You want to step through code in GDB + GEF. |
| `re-symbolic-exec` | You want to solve for inputs that reach a particular branch. |
| `re-malware-triage` | You want a safe static-only malware analysis report. |
| `re-vuln-research` | You're hunting for bugs in a binary. |
| `re-report` | You want a final Markdown report aggregating the prior work. |
| `re-vm-reverse` | You're analyzing a custom bytecode VM (encrypted-VM bytecode interpreter, packed interpreter, custom-VM-pack pattern). |
| `re-mba-deobfuscate` | You see MBA-rewritten (mixed boolean-arithmetic) code and want to recover the original form. |
| `re-drm-fingerprint` | You want to know whether a binary is DRM-protected and what kind. |
| `re-il2cpp-decompile` | You're handed a Unity game binary (`GameAssembly.dll` + `global-metadata.dat`) and want to recover the C# class/method/field structure. |
| `re-dotnet-analysis` | You're handed a .NET-style launcher / mod loader (empty imphash, `mscoree.dll` entry stub) and want a class graph + C# decompile. |
| `re-leak-scan` | You want to find Sentry DSNs, Logstash URLs, Confluence links, Google Drive docs, AWS keys and Slack tokens in a binary's string table. |
| `re-telemetry-extract` | You want to extract publisher telemetry endpoints AND actively verify each is live (HTTP probe). |
| `re-encrypted-vm-tamper` | You want to characterize a binary's encrypted-VM bytecode family + lazy-decrypt stub. |
| `re-archive-author` | You're reverse-engineering a custom binary archive format and want to author a `.ksy` for it. |
### MCP servers (tool-providing processes)
| Server | Wraps | Requires |
|---|---|---|
| `re-rizin` | rizin CLI (`rz-bin`, `rz-asm`, `pdc`) | system `rizin` |
| `re-capa` | capa (Mandiant) | `pip install flare-capa` |
| `re-lief` | LIEF library (in-process) | `pip install lief` |
| `re-llm-decompile` | LLM4Decompile / Ollama / vLLM over HTTP | a running OpenAI-compatible endpoint |
| `re-mitm2swagger` | mitmproxy + mitmproxy2swagger | `pip install mitmproxy mitmproxy2swagger` |
| `re-kaitai` | kaitai-struct-compiler | system `kaitai-struct-compiler` |
| `re-gdb` | GDB + GEF | system `gdb` |
| `re-triton` | Triton library (in-process) | `pip install triton` |
| `re-il2cpp` | Unity `global-metadata.dat` reader (pure Python, mmap-based) | none |
| `re-winedbg` | Wine + winedbg + gdb (headless Windows `.exe` debugging from Linux/macOS) | system `wine` + `winedbg` |
| `re-dotnet` | .NET 10 CLI (System.Reflection.Metadata) + ilspycmd for C# decompilation | .NET 10 SDK |
| `re-leak-scan` | Pure-Python regex catalog for telemetry pipeline leaks | none |
| `re-vtil` | VTIL-Core C++ helper (lift / optimize / emit pseudo-C for VM handlers) | C++20 compiler + cmake + VTIL-Core source |
| `re-speakeasy` | Mandiant Speakeasy Windows API emulator | `pip install speakeasy-emulator` |
| `re-angr` | angr symbolic execution + CFG + reaching-definitions | `pip install angr` (heavy) |
## Requirements

- Python 3.11+ (the plugin uses modern type syntax and FastMCP)
- `uv` (the plugin's preferred runner; install with `pip install uv` if missing)
- Optional system tools: `rizin`, `gdb`, `kaitai-struct-compiler`. The plugin is useful even with some of these missing; see the Degraded mode paragraph under Platform support below.
## Install

### Linux / macOS

```bash
git clone https://github.com/yourname/re-ai.git
cd re-ai
./install.sh
```

### Windows

```bat
git clone https://github.com/yourname/re-ai.git
cd re-ai
install.bat
```
The installer is idempotent and prints a green/yellow/red table of what it managed to install. Missing optional tools are reported as warnings, not errors.
## Verify

After install:

```bash
./verify.sh   # POSIX
verify.bat    # Windows
```

Then in Claude Code:

```bash
claude --plugin-dir /path/to/re-ai
```
Inside Claude Code, run `/mcp` to confirm the 15 servers are listed. Then try:

- "Analyze /usr/bin/ls" should trigger `re-lief`, `re-rizin` and `re-capa` in parallel and summarize.
- "Decompile main in /usr/bin/ls" should pull a function list and ask `re-llm-decompile` for pseudocode.
- "Capture HTTP traffic to example.com" should start a `re-mitm2swagger` capture.
## Companion data

The plugin ships a `data/` directory with reference material the skills read directly:
| File | Used by |
|---|---|
| `data/drm-indicators.yaml` | `re-vm-reverse`, `re-mba-deobfuscate`, `re-drm-fingerprint` (KUSER offsets, PEB fields, HWID-vector API catalog, section heuristics, VM dispatcher patterns, MBA identities, anti-debug catalog, pattern indicators for the encrypted-VM / VM-pack / legacy disc-protection categories) |
| `data/ksy/unityfs.ksy` | `re-format-decode` (starter Kaitai Struct spec for UnityFS asset bundle headers) |
## Quickstart examples
| Goal | Skill | MCP servers used |
|---|---|---|
| "What is this binary?" | `re-static-triage` | `re-lief`, `re-rizin`, `re-capa` |
| "What does main do in /bin/ls?" | `re-decompile` | `re-rizin`, `re-llm-decompile` |
| "Reverse the API at api.example.com" | `re-api-reverse` | `re-mitm2swagger` |
| "Decode this firmware blob" | `re-format-decode` | `re-lief`, `re-kaitai` |
| "Step through this in a debugger" | `re-dynamic-analysis` | `re-gdb` |
| "Find input that triggers branch X" | `re-symbolic-exec` | `re-triton` |
| "Is this sample malicious?" | `re-malware-triage` | `re-capa`, `re-lief`, `re-rizin` |
| "Audit this for vulns" | `re-vuln-research` | all of the above |
| "Write up the findings" | `re-report` | (aggregates prior outputs) |
| "What C# classes are in this Unity game?" | `re-il2cpp-decompile` | `re-il2cpp`, `re-rizin` |
## Platform support
| Server | Linux | macOS | Windows | Notes |
|---|---|---|---|---|
| `re-lief` | ✅ | ✅ | ✅ | Pure Python |
| `re-llm-decompile` | ✅ | ✅ | ✅ | HTTP only |
| `re-rizin` | ✅ | ✅ | ✅ | System `rizin` |
| `re-capa` | ✅ | ✅ | ✅ | pip-only |
| `re-mitm2swagger` | ✅ | ✅ | ✅ | pip-only |
| `re-kaitai` | ✅ | ✅ | ✅ | System compiler |
| `re-gdb` | ✅ | ✅ | ⚠️ | Windows gdb is rough; prefer WSL |
| `re-triton` | ✅ | ✅ | ⚠️ | Best-effort on Windows |

The table covers the eight original servers; the requirements column of the MCP server table above is the reference for the newer ones (`re-il2cpp`, `re-winedbg`, `re-dotnet`, `re-leak-scan`, `re-vtil`, `re-speakeasy`, `re-angr`).

Degraded mode: every server exposes a `check_<name>()` tool. A server whose underlying dependency is missing reports that cleanly from `check_<name>()` rather than crashing at startup or on first use. The `re-lief`, `re-llm-decompile`, `re-il2cpp` and `re-leak-scan` servers have no system dependencies and are always available.
## Architecture

See `docs/ARCHITECTURE.md` for plugin design, the skill frontmatter convention, and the MCP server pattern.
## Adding a new MCP server

- Create `servers/<name>/pyproject.toml` and `servers/<name>/src/<name>/{__init__,__main__,server}.py`.
- The server module exposes a `FastMCP("<name>")` instance and a `main()` that calls `mcp.run(transport="stdio")`.
- Add the server to `.mcp.json` at the repo root.
- Add an entry to `install.sh` / `install.bat` (Python deps and any system-tool install).
- Add a check function `check_<name>()` and update `scripts/check_deps.py`.
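A `server.py` that follows the steps above, as an added example rather than a server that ships with RE-AI. `re-strings` is a hypothetical server name, the wrapped tool is the binutils/LLVM `strings` program, and the tool signatures are this example's own. The two contract points the page states are kept: a `FastMCP("<name>")` instance and a `main()` that calls `mcp.run(transport="stdio")`. The FastMCP import is deferred into `build_server()` so the tool functions stay importable and testable without the MCP runtime, and the pure-Python fallback is what "degraded mode" means in practice: `check_re_strings()` reports the missing dependency and `extract_strings()` still returns a result.

```python
"""Hypothetical `re-strings` MCP server: wraps `strings`, degrades to pure Python.

Added example, not one of RE-AI's servers. Server name, tool signatures and
fallback logic are this example's own; the FastMCP instance + main() +
mcp.run(transport="stdio") contract is the one the README states.
"""
from __future__ import annotations

import re
import shutil
import subprocess
import sys

SERVER_NAME = "re-strings"   # hypothetical; package dir would be servers/re-strings/src/re_strings/
TOOL = "strings"


def check_re_strings() -> dict:
    """Degraded-mode contract: never raise; say what is missing and how to fix it."""
    path = shutil.which(TOOL)
    return {
        "server": SERVER_NAME,
        "ok": path is not None,
        "tool": TOOL,
        "path": path,
        "python": sys.version.split()[0],
        "hint": None if path else "install binutils (Linux) or Xcode CLT (macOS); "
                                  "pure-Python fallback is active meanwhile",
    }


def pure_python_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Fallback extractor: runs of printable 7-bit ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(data)]


def extract_strings(path: str, min_len: int = 6, max_results: int = 10_000) -> dict:
    """Printable ASCII runs from a file: system `strings -a -n N` when present, else fallback.

    Returns which backend produced the result so the skill can say so in its report.
    """
    if shutil.which(TOOL):
        proc = subprocess.run([TOOL, "-a", "-n", str(min_len), path],
                              capture_output=True, text=True, errors="replace", check=False)
        lines = proc.stdout.splitlines()
        backend = "system strings"
    else:
        with open(path, "rb") as fh:
            lines = pure_python_strings(fh.read(), min_len)
        backend = "pure-python fallback"
    return {"backend": backend, "count": len(lines),
            "truncated": len(lines) > max_results, "strings": lines[:max_results]}


def build_server():
    """Create the FastMCP("<name>") instance and register the tools.

    Imported lazily: the runtime is only needed to serve, not to test the tools.
    """
    from mcp.server.fastmcp import FastMCP
    mcp = FastMCP(SERVER_NAME)
    mcp.tool()(check_re_strings)
    mcp.tool()(extract_strings)
    return mcp


def main() -> None:
    build_server().run(transport="stdio")


if __name__ == "__main__":
    main()
```

The matching `.mcp.json` entry would launch this module with `uv` from `servers/re-strings` (the exact `command`/`args` are an assumption; copy whatever the existing entries in the repo use), and `scripts/check_deps.py` would import `check_re_strings` and colour its row by the `ok` field, which is what lets the installer print a warning instead of an error for a missing `strings`.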
## Migrating from v1

RE-AI v1 was a FastAPI + React + SQLite + ChromaDB app with its own agent loop. v2 replaces it entirely. See `CHANGELOG.md` and the migration notes in `docs/MIGRATION_FROM_V1.md`.
## License

MIT — see `LICENSE`.