Labsco
president-xd logo

Reverse Engineering MCP

β˜… 62

from president-xd

Production grade MCP for Reverse Engineering (includes almost all necessary tools)

πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedFreeAdvanced setup

revula

Production-grade MCP server for universal reverse engineering automation.

Connect Claude Desktop, MCP-compatible IDEs, or custom tooling to a broad reverse engineering backend through the Model Context Protocol.


Table of Contents


Features

Static Analysis (8 tools)

  • Binary Parsing: PE/ELF/Mach-O via LIEF with hash computation and suspicious indicator detection
  • Disassembly: Multi-backend support including Capstone (always available), radare2, and objdump for x86/x64/ARM/MIPS/RISC-V
  • String Extraction: FLOSS integration, regex fallback, 17 classifier patterns (URLs, IPs, crypto, registry keys)
  • Entropy Analysis: Shannon entropy with sliding window, per-section analysis, and packing detection
  • Symbol Extraction: DWARF, PDB, LIEF universal; function prologue scanning for stripped binaries
  • YARA Scanning: Inline rules, file/directory rules, and community rules support
  • Capa Integration: ATT&CK mapping, MBC behaviors, capability enumeration
  • Decompilation: Ghidra (headless), RetDec, Binary Ninja with caching

Dynamic Analysis (29 tools)

  • GDB Adapter: Full GDB/MI protocol with breakpoints, stepping, registers, memory, backtrace, and heap inspection
  • LLDB Adapter: Native SB API integration for macOS/Linux debugging
  • Frida Adapter: Spawn/attach, script injection, function interception, memory scan/dump, and RPC exports
  • Code Coverage: DynamoRIO drcov, Frida Stalker block tracing, and coverage analysis

Android RE (24 tools)

  • APK Parsing: Manifest extraction, permission analysis, component enumeration, and resource inspection
  • DEX Analysis: Class/method listing, bytecode stats, and string extraction
  • Decompilation: jadx/apktool integration, smali disassembly/assembly/patching
  • Native Binary Analysis: ARM/AArch64 .so analysis with JNI detection
  • Device Interaction: ADB bridge with 12 actions (logcat, install, shell, dumpsys, screenshot)
  • Frida for Android: Root bypass, crypto hooking, SSL pinning bypass, API tracing, and memory dump
  • Traffic Interception: tcpdump/mitmproxy integration with SSL key extraction
  • Repack and Sign: APK rebuild with smali patches, zipalign + apksigner
  • Security Scanners: MobSF, Quark-Engine, Semgrep, and manifest vulnerability detection

Cross-Platform RE Tools (7 tools)

  • Rizin/r2: Automated analysis with 13 actions and binary diffing
  • GDB Enhanced: Heap analysis, ROP gadget finding, exploit helpers (pattern create/find, checksec)
  • QEMU: User-mode emulation (4 actions) and full system emulation (5 actions)

Exploit Development (11 tools)

  • ROP Chain Builder: Multi-architecture gadget finding (x86/x64/ARM/ARM64) with semantic classification, automatic chain generation for execve/mprotect/syscalls, bad-char avoidance, and pwntools script generation
  • Heap Exploitation: Malloc chunk analysis, bin classification (tcache/fastbin/smallbin/largebin), fake chunk generation, safe-linking encode/decode for glibc 2.32+, and technique templates (House of Force, Tcache Poisoning, Fastbin Dup, Unsafe Unlink)
  • Libc Database: Symbol/offset extraction, libc identification from leaked addresses, ASLR defeat helpers (base calculation, GOT-to-libc, PLT-to-GOT), and one-gadget RCE finder
  • Shellcode: Generation, encoding, bad-char analysis, extraction, and emulation testing
  • Format String: Offset calculation, write payload generation, GOT overwrite, and address leaking

Anti-Analysis (2 tools)

  • Detection: Scan for anti-debug, anti-VM, anti-tamper, and packing indicators
  • Bypass Generation: Frida/GDB/patch/LD_PRELOAD scripts for ptrace, IsDebuggerPresent, timing, and VM checks

Malware Analysis (4 tools)

  • Triage: Multi-hash, IoC extraction, suspicious import scoring, and risk assessment
  • Sandbox Queries: VirusTotal, Hybrid Analysis, and MalwareBazaar API integration
  • YARA Generation: Auto-generate YARA rules from binary artifacts
  • Config Extraction: C2 URLs, IPs, domains, encryption keys, and mutexes

Firmware RE (3 tools)

  • Extraction: binwalk scan/extract, entropy analysis, and filesystem identification
  • Vulnerability Scanning: Hardcoded credentials, known CVEs, unsafe functions, and weak crypto
  • Base Address Detection: String reference analysis for firmware base address recovery

Protocol RE (3 tools)

  • PCAP Analysis: tshark-based with 8 actions (summary, flows, DNS, HTTP, TLS, filter, export, IoC)
  • Protocol Dissection: Binary structure inference, field boundary detection, and pattern analysis
  • Protocol Fuzzing: Mutation-based, boundary testing, field-specific, and template fuzzing

Unpacking (4 tools)

  • Packer Detection: UPX, Themida, VMProtect, ASPack, PECompact, MPRESS, and more
  • UPX Unpacking: Static unpacking with automatic backup
  • Dynamic Unpacking: Frida-based memory dump with OEP detection
  • PE Rebuild: Fix section alignments, imports, and entry point after memory dump

Deobfuscation (3 tools)

  • String Deobfuscation: XOR brute force, ROT variants, Base64, RC4, and stack string reconstruction
  • Control Flow Flattening Detection: OLLVM-style CFF pattern identification
  • Opaque Predicate Detection: Always-true/false branch identification

Symbolic Execution (4 tools)

  • angr Integration: Path exploration, constraint solving, CFG generation, and vulnerability scanning
  • Triton DSE: Dynamic symbolic execution with concrete and symbolic state

Binary Format Specializations (4 tools)

  • APK/DEX: Android analysis including manifest, permissions, native libs, and DEX parsing
  • .NET IL: Assembly metadata, type/method listing, and IL disassembly
  • Java Class: Class file parsing, javap integration, and bytecode disassembly
  • WebAssembly: WASM section parsing, import/export extraction, and disassembly

Utilities (8 tools)

  • Hex Tools: Hexdump, pattern search (IDA-style wildcards), and binary diff
  • Crypto: Hashing (MD5/SHA/TLSH/ssdeep), XOR analysis, and crypto constant scanning
  • Patching: Binary patching with backup and NOP-sled support
  • Network: PCAP analysis with protocol stats, DNS extraction, and C2 beacon detection

Admin (2 tools)

  • Server Status: Version, tool count, cache stats, rate limit stats, and available tools
  • Cache Management: View stats, clear cache, and invalidate specific entries

Tool Availability

revula degrades gracefully. Tools that depend on missing backends return clear error messages instead of crashing. Here is what each category needs:

CategoryAlways AvailableNeeds External ToolNeeds Python Module
StaticPE/ELF parsing, entropy, stringsobjdump, radare2, ghidra, retdec, floss, capacapstone βœ“, lief βœ“, pefile βœ“, yara βœ“
Dynamicgdb, lldbfrida
AndroidAPK manifest/DEX parsing (via zipfile)jadx, apktool, adb, zipalign, apksigner, tcpdumpfrida, quark-engine
Platformrizin, radare2, gdb, qemu-user, qemu-system-*r2pipe, binaryninja
ExploitROP chain builder, heap analysis, libc database, format string helperscapstone βœ“, pwntools, keystone-engine
Anti-AnalysisPattern scanning (via lief + capstone)
MalwareFile hashing, IoC extraction, risk scoringyara βœ“, ssdeep, tlsh
Firmwarebinwalk, sasquatch
ProtocolBinary protocol dissection, fuzzingtsharkscapy
UnpackingPacker signature detectionupxfrida
DeobfuscationXOR/ROT/Base64 deobfuscationcapstone βœ“
Symbolicangr, triton (source-build only; tool auto-enables when installed)
Binary Formatsaapt, javap, monodis, wasm2wat
UtilitiesHex dump, binary diff, patchingtsharkscapy, ssdeep, tlsh

βœ“ = included in core dependencies (always installed).

Installing Optional Dependencies

Copy & paste β€” that's it
# Frida (dynamic instrumentation)
pip install frida frida-tools

# angr (symbolic execution, large install ~2 GB)
pip install angr

# radare2 bindings
pip install r2pipe

# Fuzzy hashing
pip install ssdeep tlsh

# Network analysis
pip install scapy

# Everything at once
pip install -e ".[full]"

Installing External Tools (Debian/Ubuntu/Kali)

Copy & paste β€” that's it
# Core analysis/tooling from distro repos
sudo apt install gdb binutils binwalk checksec apksigner mono-utils mono-devel ruby-full llvm-19

# Android RE
sudo apt install apktool jadx android-sdk adb zipalign

# Network
sudo apt install tshark

# For full optional toolchain coverage (radare2/rizin/upx/drrun/msfvenom/retdec/diec/cfr),
# use the maintained installer:
bash scripts/install/install_all.sh

Architecture

Copy & paste β€” that's it
src/revula/                     # 19,400+ LOC across 63 Python files
β”œβ”€β”€ __init__.py                 # Version (__version__ = "0.1.0")
β”œβ”€β”€ config.py                   # Tool detection, TOML config, env var loading
β”œβ”€β”€ sandbox.py                  # Secure subprocess execution, path validation
β”œβ”€β”€ session.py                  # Session lifecycle manager (debuggers, Frida)
β”œβ”€β”€ server.py                   # MCP server entrypoint (stdio transport)
β”œβ”€β”€ cache.py                    # LRU result cache with TTL
β”œβ”€β”€ rate_limit.py               # Token-bucket rate limiter
└── tools/
    β”œβ”€β”€ __init__.py             # Tool registry + @register_tool decorator
    β”œβ”€β”€ static/                 # 8 files: PE/ELF, disasm, strings, entropy, symbols, YARA, capa, decompile
    β”œβ”€β”€ dynamic/                # 4 files: GDB, LLDB, Frida, coverage
    β”œβ”€β”€ android/                # 9 files: APK, DEX, decompile, native, device, frida, traffic, repack, scanners
    β”œβ”€β”€ platform/               # 3 files: Rizin, GDB-enhanced, QEMU
    β”œβ”€β”€ exploit/                # 5 files: ROP builder, heap exploitation, libc database, shellcode, format strings
    β”œβ”€β”€ antianalysis/           # 1 file:  anti-debug/VM detection and bypass generation
    β”œβ”€β”€ malware/                # 1 file:  triage, sandbox queries, YARA gen, config extraction
    β”œβ”€β”€ firmware/               # 1 file:  extraction, vuln scanning, base address detection
    β”œβ”€β”€ protocol/               # 1 file:  PCAP analysis, protocol dissection, fuzzing
    β”œβ”€β”€ deobfuscation/          # 1 file:  string deobfuscation, CFF, opaque predicates
    β”œβ”€β”€ unpacking/              # 1 file:  packer detection, UPX, dynamic unpack, PE rebuild
    β”œβ”€β”€ symbolic/               # 1 file:  angr + Triton
    β”œβ”€β”€ binary_formats/         # 1 file:  .NET, Java, WASM
    β”œβ”€β”€ utils/                  # 4 files: hex, crypto, patching, network
    └── admin/                  # 1 file:  server status, cache management

How It Works

  1. Startup. server.py loads config.py, which probes the system for external tools (via shutil.which) and Python modules (via importlib.util.find_spec). Results are cached in a ServerConfig singleton.

  2. Tool Registration. Each tool file uses @TOOL_REGISTRY.register() to declare its name, description, input/output schemas, annotations, and async handler. Tools self-register on import.

  3. Request Dispatch. When a tools/call request arrives, the server resolves namespaced aliases, validates arguments (Pydantic-first with JSON Schema fallback), checks rate limits, checks cache eligibility, dispatches the handler, and returns protocol-level isError metadata.

  4. Subprocess Execution. All external tool invocations go through sandbox.safe_subprocess(), which enforces shell=False, sets RLIMIT_AS and RLIMIT_CPU, validates paths, and captures stdout/stderr.

  5. Result Caching. Deterministic operations (disassembly, parsing) are cached with a configurable TTL. Mutating operations (patching, Frida injection) bypass the cache automatically.

  6. Session Management. Long-lived debugger and Frida sessions are tracked by SessionManager, with automatic cleanup after 30 minutes of idle time.

Infrastructure Components

ComponentPurposeKey Detail
ResultCacheAvoid redundant subprocess callsLRU, 256 entries, 10-minute TTL
RateLimiterPrevent resource exhaustionToken-bucket with config/env overrides
ToolRegistryDecorator-based tool dispatchAnnotations + strict schema hardening + structured errors
SessionManagerDebugger/Frida persistenceAuto-cleanup after 30 min idle
sandbox.pySecure execution layershell=False, RLIMIT enforcement, path validation

Security Model

revula operates on the principle that user-supplied arguments are untrusted. The following hardening measures are applied:

Subprocess Isolation

  • No shell=True: Every subprocess call uses shell=False with explicit argument lists. This is enforced by a CI test (test_no_shell_true) that scans every source file.
  • No eval() / exec(): No dynamic code evaluation of user input.
  • No f-string injection: User-supplied values are never interpolated into python3 -c code strings. Values are passed via sys.argv, stdin, or environment variables. Enforced by test_no_fstring_in_subprocess_python_code.
  • JavaScript escaping: All user-controlled values interpolated into Frida JavaScript strings pass through _js_escape(), which escapes backslashes, quotes, newlines, and other injection vectors.
  • Resource limits: Every subprocess gets RLIMIT_AS (512 MB default) and RLIMIT_CPU (60 s default) via resource.setrlimit().
  • Timeout enforcement: asyncio.wait_for() wraps all subprocess calls.

Path Validation

  • Fail-closed: validate_path() rejects all paths when no allowed_dirs are configured (falls back to get_config().security.allowed_dirs). It does not silently pass.
  • Traversal blocked: .. components are rejected after os.path.realpath() resolution.
  • Absolute paths required: Relative paths are rejected.
  • Validated everywhere: All file-accepting tool handlers call validate_path() before any file I/O.

Frida Hardening

  • Script size limit: Frida scripts are capped at 1 MB to prevent memory exhaustion.
  • Memory dump limit: Memory dumps are capped at 100 MB.
  • JS injection prevention: Class names, method names, module names, and other user-supplied values are escaped before interpolation into JavaScript templates.

Temporary Files

  • No tempfile.mktemp(): All temporary files use tempfile.NamedTemporaryFile() or tempfile.mkdtemp() to prevent TOCTOU race conditions.
  • No hardcoded /tmp paths: All temporary paths use the tempfile module.

Rate Limiting & Caching

  • Global limit: 120 requests per minute (configurable).
  • Per-tool limit: 30 requests per minute (configurable).
  • Result cache policy: fail-closed explicit opt-in per tool (cacheable=True); mutating/stateful tools are never cached by default.
  • Session TTL: Idle sessions auto-cleaned after 30 minutes.

Testing

Copy & paste β€” that's it
# Run full test suite
python -m pytest tests/ --timeout=30

# With coverage
python -m pytest tests/ --cov=revula --cov-report=html --timeout=30

# Verbose output
python -m pytest tests/ -v --timeout=30

# Specific test suites
python -m pytest tests/test_infra.py -v      # Cache, rate limiter, sessions
python -m pytest tests/test_core.py -v       # Config, sandbox, tool registry
python -m pytest tests/test_static.py -v     # Static analysis tools
python -m pytest tests/test_android.py -v    # Android module tests
python -m pytest tests/test_exploit.py -v    # ROP, heap, libc tools (32 tests)
python -m pytest tests/test_tools_new.py -v  # Exploit, malware, firmware, protocol, etc.
python -m pytest tests/test_security.py -v   # Security invariant tests

# Using the test runner script
bash scripts/test/run_tests.sh

Test Categories

SuiteTestsCovers
test_infra.pyCache, rate limiter, session managerInfrastructure correctness
test_core.pyConfig loading, sandbox, tool registryCore module behavior
test_static.pyEntropy, hex, crypto, strings, symbolsStatic analysis tools
test_android.pyAPK parse, DEX, device, Frida AndroidAndroid module tests
test_tools_new.pyExploit, malware, firmware, protocol, antianalysis, platform, deobfuscation, symbolic, unpacking, binary formatsAll remaining tool categories
test_security.pyshell=True scan, injection scan, mktemp scan, hardcoded /tmp scan, path validation, JS escaping, shellcode validationSecurity regression tests

Security Tests

The TestVulnerabilityHardeningV3 suite in test_security.py enforces:

  • No f-string code injection: Scans all source files for "-c" arguments containing f-strings.
  • No tempfile.mktemp(): Prevents TOCTOU race conditions.
  • No hardcoded /tmp/ paths: Enforces use of the tempfile module.
  • Fail-closed path validation: Verifies validate_path() rejects paths when allowed_dirs is empty.
  • Frida JS escaping: Verifies _js_escape() blocks injection payloads.
  • Shellcode hex validation: Verifies non-hex input is rejected, not passed to subprocess.

Scripts & Automation

Primary automation scripts live in scripts/:

Installation

ScriptPurpose
scripts/install/install_all.shMaster installer: Python check, deps, external tools, config
scripts/install/install_verify.shPost-install verification: checks all dependencies and paths

Setup

ScriptPurpose
scripts/setup/setup_ide.pyUniversal IDE/client configurator for Claude Desktop, VS Code, Cursor, Windsurf, Zed, and Continue
scripts/setup/setup_claude_desktop.pyClaude Desktop-specific auto-configurator (legacy, still functional)
scripts/setup/setup_config_toml.pyInteractive config.toml generator
scripts/setup/setup_android_device.shPrepare an Android device for RE (root, frida-server, certs)

Testing & Development

ScriptPurpose
scripts/test/run_tests.shRun full test suite with coverage
scripts/test/validate_install.pyComprehensive installation validator
scripts/dev/add_tool.pyScaffold a new tool module (creates file, registers, adds test)
scripts/dev/lint_and_type.shRun ruff + mypy
scripts/utils/download_frida_server.pyDownload frida-server for a target architecture

Docker

ScriptPurpose
scripts/docker/test.shAutomated Docker build and stdio-oriented smoke checks
scripts/docker/validate.shDocker configuration validation

Contributing

Adding a New Tool

Use the scaffold generator:

Copy & paste β€” that's it
python scripts/dev/add_tool.py

This creates the tool file, registers it in the category __init__.py, and generates a test stub.

Code Quality

Copy & paste β€” that's it
# Lint and type-check
bash scripts/dev/lint_and_type.sh

# Run full test suite
python -m pytest tests/ --timeout=30 -q

# Validate install
python scripts/test/validate_install.py

Guidelines

  • Every tool handler is async and returns list[dict] (MCP content blocks).
  • All subprocess calls go through sandbox.safe_subprocess().
  • All file paths must be validated via sandbox.validate_path().
  • No shell=True, no eval(), no f-string interpolation into subprocess code.
  • Every new tool needs at least one test.

License

Released under the GNU General Public License. See LICENSE for details.