mirror of
https://github.com/Heretek-AI/RE-AI.git
synced 2026-07-01 01:37:55 -04:00
895514bd93
Post-run follow-up to the 2026-06-06-r01 stress test (Output/2026-06-06-r01/gap-analysis.md). The C1 catalog refactor split 'activation' into 'ue-component-activation' and 'license-activation'; ANTI-TAMPER-TAXONOMY.md's Pattern B fire rule was still reading 'activation.count' which now points to the (much smaller) license-activation bucket. The 615 false-positive hits in P3R.exe's UE component vocabulary no longer trip the Pattern B threshold of 50 strings. CHANGELOG.md [2.5.1] entry: full release notes for the Cycle 2 post-run follow-up (14 tool-bug fixes + 6 catalog refactors + 1 new leak category + 1 KSY backport, no new MCP servers, no new skills). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
27 KiB
27 KiB
Changelog
All notable changes to RE-AI will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[2.5.1] - 2026-06-06
Cycle 2 — post-run follow-up to the 2026-06-06-r01 multi-target
stress test (Output/2026-06-06-r01/cross-target.md,
Output/2026-06-06-r01/gap-analysis.md). 14 tool-bug fixes + 6
catalog refactors + 1 new leak category + 1 KSY backport. No new
MCP servers added; no new skills added.
Fixed
re-winedbg.start_winedbg_gdbserver— dropped the unused_pick_free_port-based TCP-port path; switchedstdinfromDEVNULLtoPIPEso Wine 11.0's stdio-based gdbserver works. The peeked port is still reported in the response for diagnostic purposes. (servers/re-winedbg/src/re_winedbg/winedbg.py)re-gdb.gdb_mi.GDBSession._drain— replaced thegetattr(..., "set_blocking", None) or .setblockingchain with a pair ofgetattr(default=None)probes; the prior form raisedAttributeErroron Python 3.14 wheresetblockingis gone. (servers/re-gdb/src/re_gdb/gdb_mi.py)re-capa._run_capa— default timeout bumped from 300s to 900s with auto-scaling by file size (900s for >= 10 MB inputs); resolves the default-rules-path lookup so the bundled rules are passed via--ruleseven when the caller passesrules="". (servers/re-capa/src/re_capa/capa_runner.py)re-capa.find_interesting— new heuristic: a namespace is "interesting" iff it has >= min_score rules AND at least one rule in that namespace has an ATT&CK or MBC mapping. The prior version returned 0 hits on every binary because the namespace threshold was too coarse.re-rizin.search_bytes— added_sanitize_hex_pattern()that strips spaces, normalizes case, and removes non-hex chars before passing to rizin's/x. The prior form silently returned 0 matches for0F 31(the canonical RDTSC anti-debug probe) and0F 84(the universal JE rel32). Verified: 6 RDTSC hits inCore/Activation64.dll, 196K JE-rel32 hits in the proprietary-engine main exe.re-rizin.analyze_function— added_auto_timeout_s(path, base=600): 600s base, +60s per 100 MB above 100 MB, cap at 1800s. The prior 120s default timed out on every binary > 300 MB.re-rizin.disassemble_function— replaced thef"s {function}"seek command with multiple flag-resolution paths beforepdf @ <addr>. The prior form returned 0 instructions forentry0on stripped binaries (the function name doesn't resolve to a flag until afteraaa, andauto_level=1only runsaa).re-lief.get_authenticode— added_safe_str()that decodes LIEF 0.17.x'sbytesissuer/serial_numbertostr(UTF-8 with latin-1 fallback) so the dict is JSON-encodable. The prior form raisedTypeError: Object of type bytes is not JSON serializableon 4/4 binaries × 3 targets = 12 errors.re-llm-decompile.get_model— default changed fromllm4decompile(not in the user's Ollama registry) todeepseek-v4-flash:cloud(the cloud model the user has available). The auto-fallback tollama3.2:3bproduced HTTP 500 on decompile prompts.re-llm-decompile._pick_fallback_model— fidelity-aware preference list: code-specialized models first (deepseek-coder,qwen2.5-coder,codellama,codeqwen,starcoder,wizardcoder), then larger / coder-flavored chat models, then general purpose.re-triton._probe_arch_enum+_make_triton_context— probetriton.ARCH(Quarkslab 0.x) and fall back totriton.CPU/triton.cpus(Quarkslab 1.x). Replacetriton.TritonContext(arch)withgetattr(triton, "TritonContext", triton.Triton)(arch)for the same 0.x / 1.x compatibility. The prior form returnedsupported_archs: []and raisedAttributeError: module 'triton' has no attribute 'TritonContext'.re-kaitai.parse_with_format— aftercompile_format: callimportlib.invalidate_caches(), pop the cached entry fromsys.modules, then re-import. The prior form returned stale results on a second call with the sameksy_pathbecause Python's import cache held the first-parse module.data/ksy/unityfs.ksy— file-header layout corrected: insertedbundle_format_versionstrz +file_sizes8, deleted the phantomplatform/has_directory_info/reservedfields, removed thehas_directory_infoparam coercion on the innerbundle_headersub-type. Fixedcompressed_block_info.uncompressed_sizefroms8tou4(per the upstreamAssetStudio/UABEreferences; the 8-byte read was walking intoflagsandnum_blocks).data/ksy/unityfs.ksy—endian: lewas wrong; the on-disk Addressables bundle has00 00 00 07at offset 8 (version=7 BE), not07 00 00 00(version=117M LE). Changed toendian: be. (The 2026-06-06-r01 plan instructed the opposite based on speculation; the live file is the source of truth and it is big-endian.)data/ksy/unity_addressables.ksy— the Cycle 2 plan instructed flipping this file'sendian: be → lebased on the same wrong assumption. Reverted — the originalendian: bewas correct. Also fixedcompressed_block_info.uncompressed_size: s8 → u4.
Changed
- C1 —
data/drm-indicators.yaml::string_categories.activationsplit intoactivation(kept for backward-compat) +ue-component-activation(Unity component-lifecycle noise) +license-activation(the real license-gate vocabulary).ANTI-TAMPER-TAXONOMY.md::Pattern Bnow referenceslicense-activation.count(wasactivation.count). 615 false-positive hits inP3R.exeare now suppressed. - C2 —
fingerprintsplit intocustom-fingerprint(high-signal HW-fingerprint literals) +windows-com-api-name(standard COM / typelib property names; 48 FPs inP3R.exeare now suppressed). - C3 —
telemetry_leakgetsexclude_keywords:forasian/Asian/Asia/albanian/Albanian/width/Width/East_Asian_Width/Caucasian_Albanian/stasianwidth/sesasianwidth. 13 Unicode-UCD FPs inP3R.exeare now suppressed. - C4 —
hwid(seeded fromhwid_apis.high_signal) getsexclude_keywords:forcl /Zi /Fd,ossl_static.pdb,/Fdopenssl. 1 OpenSSL-static-link FP inP3R.exeis now suppressed. - C5 —
obfuscationgetsexclude_keywords:for__TBB_/tbb::/tbb::task/TBB_internal/C:\ci\builds\/C:/ci/builds//C:\BuildBot\//ci/builds/. 41 TBB / CI-build FPs intbb12.dllare now suppressed. - C6 —
anti_debug_indicators.checks[].confirmation:field added; enumstring_only/import_only/requires_disasm/requires_xref. The 4 byte-pattern checks (RDTSC, INT 2D, INT 3, exception-hooking decoy) are nowrequires_disasmso the string-table presence of "RDTSC" alone no longer fires the bucket. The exception-hooking and scattered-bit register storage checks arerequires_disasmandrequires_xrefrespectively. Pending: the consumer-sidere-drm-fingerprintchange to consultconfirmation:is deferred to a follow-up (the catalog now has the metadata; the consumer wiring is a small change). - L1 — new
publisher-internal-diagnostic-hostnameleak detector added toservers/re-leak-scan/src/re_leak_scan/ patterns.py. The pattern matches an internal-TLD anchor (.internal,.corp,.lan,.local,.intra,.private,.home.arpa) + a diagnostic-product stem (jenkins, jira, grafana, prometheus, kibana, splunk, sentry, bitbucket, gerrit, artifactory, nexus, sonarqube, vault, consul, etcd, datadog, newrelic, pagerduty) to keep the false-positive rate low (the publicjenkins.iodoes not match). Discovered in target-B'spers.exe::PASystemInfoScanner.SenderInfomation(a .NET WPF class that does a DNS lookup of a publisher-internal.ioTLD staging relay and conditionally sends the un-hashed machine fingerprint to it). Risk: HIGH. servers/re-lief/src/re_lief/categorizers.py— addedload_excludes()(returns{category_name: [exclude, ...]})categorize()now honors the exclude list. Backward- compatible: existing call sites that don't addexclude_keywords:to their YAML entries see no behavior change. New YAML schema fields:exclude_keywords:(per category, optional) andconfirmation:(peranti_debug_indicators.checks[]entry, optional).
[2.5.0] - 2026-06-05
Added
re-lief.categorize_strings— new MCP tool. Superset ofextract_strings(same{ascii, utf16le, totals, truncated}shape for backward compatibility) plus aby_categoryblock bucketing the strings into 11 keyword categories (anti_debug,hwid,crypto,network,registry,process,file,fingerprint,activation,obfuscation,misc). Theanti_debugandhwidcategories inherit their keyword lists fromdata/drm-indicators.yaml::anti_debug_indicators.checks[].nameandhwid_apis.high_signal[].apivia aseed_from:YAML pointer — when the catalog is updated, the categorizer picks the new keywords up on next MCP-server reload. Other categories have their keyword lists inline in the YAML under the newstring_categories:section. Newskip_sectionsparameter for memory-bound runs on >100 MB Unity IL2CPP binaries.data/drm-indicators.yaml::string_categories— new section with 11 categories and theseed_from:/seed_field:schema extension that lets a category inherit from another catalog list. This is the first consumer of the catalog inre-lief(the prior consumers were all in the skills); the YAML remains the single source of truth for both the indicator set and the keyword set.servers/re-lief/src/re_lief/categorizers.py— new module that loads the catalog (with a small pre-processor to neutralize the regex-literal\.Xstrings the catalog has used for plain-text LLM consumption), resolvesseed_from:pointers via dotted-path walking, and exposescategorize(matches, categories, samples_per_category)for the parser. Cached vialru_cache; restart the MCP server to pick up YAML edits.tests/test_re_lief_categorize_strings.py— new soft-skip smoke test that asserts the result shape, theseed_from:inheritance works, and the bundled sample (Input/<target-A>/Core/Activation64.dll) populatescrypto/network/anti_debug/hwid/activationas expected. Mirrors thetest_re_lief_imports.pysoft-skip pattern.ANTI-TAMPER-TAXONOMY.md— new "Recognizing the patterns in arbitrary binaries" section — documents Pattern A (encrypted-VM bytecode interpreter + the.ecodelazy-decrypt stub + the late-bound export tail + 7-section-name co-occurrence) and Pattern B (hardware-fingerprinting routine in a third-party launcher activation library with ordinal-only exports + WinHTTP + OpenSSL + HWID-vector APIs) in vendor-neutral category terms. No vendor / publisher / game / PDB-path literals. The "How to detect the patterns" subsection ties the patterns to the newre-lief.categorize_stringstool'sby_categoryoutput.
Changed
servers/re-lief/src/re_lief/parsers.py::extract_strings_for_binaryis now a thin wrapper around the newcategorize_strings(passescategories=[],include_misc=False,max_per_category=200). Output shape is unchanged; no caller-side migration required.- 5 skills (
re-static-triage,re-malware-triage,re-drm-fingerprint,re-vm-reverse,re-format-decode) had their manual-grep step replaced with a call tore-lief.categorize_strings. No new workflow steps were added — the categorizer is the string scan. re-static-triagedescription gains "categorize the strings" in the trigger-phrase list (frontmatter is still under the 200-char cap and well above the 40-char floor).servers/re-lief/README.mdgets acategorize_stringsrow and a "Categorization vocabulary" paragraph explaining theseed_from:pointer and the catalog-as-source-of-truth invariant.
Vendor neutrality
- All 11 category names (
anti_debug,hwid,crypto,network,registry,process,file,fingerprint,activation,obfuscation,misc) are generic and pass thetests/test_no_vendor_leakage.pygrep. Thestring_categorieskeywords (1,000+ substrings indata/drm-indicators.yaml) are all from generic Windows API names, OpenSSL source paths, and standard protocol substrings — no vendor or PDB literal appears. The newANTI-TAMPER-TAXONOMY.mdsection uses only category names ("encrypted-VM bytecode interpreter", "hardware-fingerprinting routine", "third-party launcher activation library") and the observable composition that defines them.
[2.4.0] - 2026-06-05
Added
- 10th MCP server:
re-winedbg— drives the winedbg gdbserver (a debugger shim that ships with Wine) plus a GDB client subprocess, so a Linux or macOS host can attach to a Windows.exeand observe its behavior at runtime. Reusesre-gdb'sGDBSessionfor the gdb-client side; each session gets its ownWINEPREFIXunder~/.cache/re-ai-wine/<session>/(the global~/.wineis never touched). 19 vendor-neutral tools. re-winedbg.gef_trace_breakpoint— server-sidecommands N; silent; printf "<fmt>", $<reg>; continue; endwith a hit counter and a structured{hits: [{n, regs}], truncated: bool}return. Replaces the manual GDB-command workaround inre-vm-reverseStage 4 (line 67 of the v1 skill explicitly called for this tool).install.shwine + winedbg install path — best-effort install ofwine+winedbgon apt / dnf / brew hosts. Opt-out viaRE_AI_SKIP_WINE=1. Always a warning, never a fatal error (mirrors the existing 5-minute install-script design — missing optional tools never block the install).install.bat— new wine / winedbg discovery block; warns the user thatre-winedbgrequires WSL on Windows hosts.scripts/check_deps.py::check_wine()— new dependency row in the install report.tests/test_re_winedbg.py— soft-skip tests forcheck_winedbg, the GDB-CLI parsers (parse_sharedlibrary,parse_registers,parse_stopped), thewineserver_killsafety guard, and a behaviourallaunch_under_winesmoke test (skipped withoutRE_AI_WIN32_FIXTURE).- Skill
re-dynamic-analysisextended with a "Windows .exe on Linux (via Wine + winedbg)" section walking throughcheck_winedbg→start_winedbg_gdbserver→attach_winedbg_gdbserver→set_breakpoint(with RVA + symbol + absolute forms) →continue_execution/step_*/read_registers/read_memory/info_modules→gef_trace_breakpoint→write_memory→end_session. Frontmatter unchanged (description is still 318 chars, well above the 40-char floor). - Skill
re-vm-reverseStage 4 updated to usere-winedbg.gef_trace_breakpointon Windows targets; the v1 manualstep_countloop is retained as the Linux-ELF fallback path. The "Limitations" bullet at the old line 139 is updated to match. tests/test_plugin_manifest.py::test_mcp_json_includes_re_winedbg— new manifest test (mirrorstest_mcp_json_includes_re_il2cpp).tests/test_servers_import.py— newre-winedbgrow in the parametrized expected-tools list (19 tools).verify.shandverify.bat— updated inline assertion fromlen(d)==9tolen(d)==10and added"re-winedbg" in dto the check. The opening echo / print now reads "10 servers with the 8 originals + re-il2cpp + re-winedbg".
Changed
- The MCP-server count is now 10 (was 9). The "8 originals + re-il2cpp" invariant in
verify.sh/verify.batis updated to "8 originals + re-il2cpp + re-winedbg". - Bumped
.claude-plugin/plugin.jsonand rootpyproject.tomlto2.4.0. - Bumped
servers/re-winedbg/pyproject.tomlto0.1.0. install.shfinal-echo /install.batfinal-echo — "9 servers" → "10 servers".
Vendor neutrality
- The new server's tool names, docstrings, README, and skill extensions are vendor-neutral: no commercial anti-tamper product, publisher, or game title appears in any shipped file. The
winedbg/wine/wineserver/WINEPREFIX/WINEDBG_PATH/WINE_PATH/WINESERVER_PATH/re-winedbgstrings are tool / env-var / server-slug identifiers, not commercial names.tests/test_no_vendor_leakage.pycontinues to pass.
[2.3.0] - 2026-06-04
Added
re-il2cpp.get_assembly_types(metadata_path, image_name)— new MCP tool that walks the typeDef range owned by a single IL2CPP image. Enumerates the publisher'sAssembly-CSharp.dll(or any other assembly) end-to-end and returns the same shape asget_type_definitionsbut scoped to one image. Returns all 2,697Assembly-CSharp.dlltypes that the string-table scan inlist_classescan't surface.data/ksy/unity_raw.ksy— new KSY for the Unity raw asset bundle format (thelevel*andsharedassets*files in this target use this format, not UnityFS).skills/re-il2cpp-static-triage/SKILL.md— new condensed 30-second triage skill focused on the recoverable class graph; explicitly does NOT promise to read function bodies. Complements the longerre-il2cpp-decompileskill.unityfs.ksydirectory-block parsing (v0.2 of the spec) —bundle_header.directory,directory_entry, and per-block records (compressed_block_info.blocks) added. The synthetic-parse test exercises the full file → bundle_header → compressed_block_info → blocks → directory → entries chain.- Behavioral test coverage for re-capa, re-lief, re-triton, and re-kaitai (4 new
tests/test_re_*.pyfiles).pytest tests/: 36 passed / 11 skipped (the +1 is the synthetic-parse test, which skips on hosts withoutkaitaistruct). docs/the-il2cpp-game-binary-triage.md— refreshed end-to-end smoke test report of every MCP server + key skill against the bundled Unity IL2CPP sample. Confirms the IL2CPP class-graph recovery pipeline (re-il2cpp), binary header / section / import analysis (re-lief + re-rizin), capa capability detection (re-capa), and asset-bundle format handling (re-kaitai).
Fixed
servers/re-capa/ships withoutsigs/capa.sig; every real call fails until the sig is dropped into both.venv-re-ai/lib/python3.11/site-packages/sigs/andservers/re-capa/.venv/lib/python3.11/site-packages/sigs/.install.shnow downloads the sig from mandiant/capa into both venvs.data/ksy/unityfs.ksyis uncompilable: everystrzfield neededencoding: UTF-8; thebundle_headercall site needed a bool coercion; the magic field needed a YAML\0escape. All fixed; the spec now compiles cleanly against kaitai 0.10.servers/re-triton/pyproject.tomlpinnedtriton>=0.6, which resolved to the Triton GPU compiler (PyPI) instead of the binary-analysis framework the plugin needs. Repinned to the correct source-build URL.install.shpulls the source build. (The GPU-compiler / Quarkslab-Triton name collision is also defended inservers/re-triton/src/re_triton/server.py— a missing Quarkslab Triton now returns a structured{"status": "ERROR", "error": "triton_unavailable", ...}per-tool instead of crashing the MCP server.)re-capa.find_interestingandre-capa.extract_mbcdid not pass therulesargument through todetect_capabilities. Now accepted and forwarded.re-lief.get_imports_exportson stripped binaries returned blanknamefields (the LIEF import loop was one level too shallow). Now walks the innerimp.entriesloop, so per-function names are recovered.unityfs.ksydeclaredendian: bebut real UnityFS is little-endian. Switched toendian: le; the synthetic-parse test uses LE encoding.re-kaitai.list_known_formatsused a hard-coded tuple of names that drifted out of sync with what kaitaistruct actually ships. Now globs the package directory.re-il2cpp.list_classeswith empty namespace did not surfaceAssembly-CSharp.dlltypes (the publisher's game code is in the root namespace). The newget_assembly_types(image_name)tool fills the gap.
[2.0.0] - 2026-06-04
Changed
- Complete rewrite as a Claude Code plugin (skills + MCP servers). The v1 FastAPI + React + SQLite + ChromaDB + WebSocket agent loop architecture has been removed entirely. Claude Code is the agent now.
- Cross-platform packaging: Linux (apt/brew) and Windows (winget/scoop) installers with parallel Python and system-tool provisioning.
Added
- 8 MCP servers:
re-rizin,re-capa,re-lief,re-llm-decompile,re-mitm2swagger,re-kaitai,re-gdb,re-triton. - 12 skills:
re-static-triage,re-decompile,re-api-reverse,re-format-decode,re-dynamic-analysis,re-symbolic-exec,re-malware-triage,re-vuln-research,re-report, plusre-vm-reverse,re-mba-deobfuscate,re-drm-fingerprintfor anti-tamper / VM-pack analysis. data/drm-indicators.yamlcompanion data file with KUSER offsets, PEB fields, HWID-vector API catalog, section heuristics, VM dispatcher patterns, MBA identity catalog, anti-debug catalog, and pattern indicators (vendor-neutral) for the encrypted-VM / VM-pack / legacy disc-protection categories.- Plugin manifest at
.claude-plugin/plugin.jsonand MCP registry at.mcp.jsonwith${CLAUDE_PLUGIN_ROOT}resolution. install.sh/install.bat(idempotent, all warnings non-fatal) andverify.sh/verify.batsmoke tests.scripts/check_deps.pydependency report.- Test suite: manifest, frontmatter, server import, and smoke tests for every MCP server.
Decisions
- Sogen (momo5502/sogen) NOT added as an MCP server. License is GPL-2.0 which conflicts with the MIT plugin; setup cost (hundreds-of-MB emulation root) is non-trivial; the methodology from the third-party anti-tamper analysis post is achievable with existing servers (re-rizin + re-triton + re-gdb). If demand materializes, isolate as GPL-2.0 in
servers/experimental/re-sogen/. - No vendor-specific anti-tamper skill was created. The post's methodology is packaged as three generic skills (re-vm-reverse, re-mba-deobfuscate, re-drm-fingerprint) that apply to VM-based and anti-tamper-protected binaries generally, so they remain useful as new protection schemes appear.
Removed
backend/(FastAPI + custom agent loop + tool registry + RAG + planning engine)frontend/(React 19 + Vite 8 SPA)tests/(old pytest suite that tested the deleted backend)dev.batandstart.bat(Windows-only batch files)re-ai.db*(SQLite working-tree residue).chroma/and.test_chroma*(ChromaDB working-tree residue)- All v1
skills/*.mdfiles (content absorbed into v2 skills and docs)
Migrated (content preserved)
- The 5-step static analysis workflow and indicator-triage table from
skills/static_analysis_workflow.mdare absorbed intoskills/re-static-triage/SKILL.md. - The pefile + capstone analysis code from
backend/analysis/native.pyis ported and generalized to LIEF inservers/re-lief/. - The pefile caveats and capstone arch/mode mapping from
skills/pefile.mdandskills/capstone.mdare moved todocs/MCP_SERVERS.md(planned for v1).
[2.2.0] - 2026-06-04
Added
re-il2cppwalks all 7 binary tables inglobal-metadata.dat:typeDefinitions,methods,fields,parameters,properties,events,images. 7 new tools exposed:get_type_definitions,get_methods,get_fields,get_parameters,get_properties,get_events,get_images. Tools return structured records with parent, type index, token, member counts — the same data that Il2CppDumper produces, but as JSON via MCP.re-il2cpp.resolve_method_rvaresolves aNamespace.ClassName.MethodNameFQN to its GameAssembly.dll RVA by parsing the runtime registration structures. For non-stripped builds it returns the function RVA directly; for stripped builds (the default for shipped Unity games) it returns the structured data plus the IL2CPP mangled name to use withre-rizin.search_bytes. Requirespip install re-il2cpp[rva](LIEF is an optional dep).re-il2cppsub-version detection for v24 (24.1, 24.2, 24.4) via the same tree Il2CppDumper uses (Metadata.cs:67-83).re-il2cpplief>=0.16,<0.18declared as an optionalrvaextra — the table-walk tools work without LIEF; only the RVA resolver needs it.- 9 new soft tests in
tests/test_re_il2cpp_check.pycovering each new tool against the bundled Unity IL2CPP sample (one of which soft-skips if LIEF is not installed). - Bumped
.claude-plugin/plugin.jsonand rootpyproject.tomlto2.2.0. Bumpedservers/re-il2cpp/pyproject.tomlto0.2.0.
Changed
re-il2cpp-decompileskill updated: Step 4 recommends the newget_type_definitionsfor structured class graphs; Step 5 adds the typedget_methods/get_fields/get_parametersflow; Step 6 usesresolve_method_rvaas the primary path withre-rizin.search_bytesdemoted to a fallback for stripped binaries; the Limitations section drops the "does not walk" bullet and adds the "type_index not fully resolved" caveat.re-il2cppis still 9 MCP servers / 13 skills (this is a feature add, not a count change).
[2.1.0] - 2026-06-04
Added
- 9th MCP server:
re-il2cpp— pure-Python mmap-based reader for Unityglobal-metadata.dat(versions 24-29). Exposescheck_il2cpp,list_strings,search_strings,list_namespaces,list_classes. No system dependencies; safe in degraded mode. - 13th skill:
re-il2cpp-decompile— orchestratesre-il2cpp+re-rizinto triage a Unity IL2CPP game, recover C# class/method/field names, and cross-reference GameAssembly.dll RVAs. data/ksy/unityfs.ksy— starter Kaitai Struct spec for UnityFS asset bundle header (used byre-format-decode).tests/test_re_il2cpp_check.py— 3 soft smoke tests against the bundled Unity IL2CPPglobal-metadata.dat; tests skip when the sample is absent.docs/ARCHITECTURE.mddiagram updated to reflect 13 SKILL.md files and 9 MCP servers.
Changed
- Bumped
.claude-plugin/plugin.jsonandpyproject.tomlto2.1.0. - Updated version counts and component indexes across
README.md,docs/SKILLS.md,docs/MCP_SERVERS.md,docs/ARCHITECTURE.md,docs/MIGRATION_FROM_V1.md,docs/TROUBLESHOOTING.md,verify.sh, andverify.batto 9 MCP servers / 13 skills. - Fixed
verify.shandverify.batstale inline assertion (len(d)==8) — they now check themcpServerskey, require the 8 originals to be a subset, and requirere-il2cppto be present.
Known limitations
re-il2cppreads only the string table ofglobal-metadata.dat; walking the binarytypeDefinitions/methods/fieldstables is left for a future enhancement.re-il2cppsupports metadata versions 24-29 (Unity 2019.4 - 2022.3 LTS). Unity 6 / metadata v30+ uses a different on-disk format.
[1.x] - 2024 to 2026-06-04
Legacy v1 release history (FastAPI + React + SQLite + ChromaDB architecture) — not preserved in this repository.