{"passport":{"unfragile":{"@version":"1.0","version":"2026-05","artifact":{"id":"hn-46882389","slug":"ghidra-mcp-server-110-tools-for-ai-assisted-revers","name":"Ghidra MCP Server – 110 tools for AI-assisted reverse engineering","type":"mcp","url":"https://github.com/bethington/ghidra-mcp","page_url":"https://unfragile.ai/ghidra-mcp-server-110-tools-for-ai-assisted-revers","categories":["mcp-servers"],"tags":["hackernews","show-hn"],"pricing":{"model":"open_source","free":true,"starting_price":null},"status":"active","verified":false},"capabilities":[{"id":"hn-46882389__cap_0","uri":"capability://code.generation.editing.binary.function.analysis.and.annotation.via.llm.assisted.disassembly","name":"binary function analysis and annotation via llm-assisted disassembly","description":"Leverages Ghidra's native disassembly engine to extract function boundaries, control flow graphs, and decompiled pseudocode, then pipes structured representations to LLMs for semantic analysis and naming. Uses Ghidra's Java API to traverse the program database (PDB), extract function signatures, and apply AI-generated annotations back to the binary without manual re-analysis.","intents":["I want to understand what an unknown function does by having an AI analyze its disassembly and decompilation","I need to rename hundreds of obfuscated functions with meaningful names based on their behavior","I want to generate docstrings and type hints for reverse-engineered functions automatically"],"best_for":["reverse engineers analyzing malware or closed-source binaries","security researchers automating function classification at scale","teams migrating from manual RE to AI-assisted workflows"],"limitations":["Accuracy depends on Ghidra's decompilation quality — optimized or stripped binaries may produce incomplete pseudocode","LLM context window limits analysis to functions under ~4KB of disassembly; larger functions require chunking","No built-in handling of architecture-specific calling conventions beyond Ghidra's native support"],"requires":["Ghidra 10.0+","Python 3.8+ with MCP client library","API key for Claude, GPT-4, or compatible LLM","Binary file in format supported by Ghidra (ELF, PE, Mach-O, etc.)"],"input_types":["binary executable","disassembly text","function address or name"],"output_types":["function annotations","renamed symbols","generated docstrings","structured JSON metadata"],"categories":["code-generation-editing","reverse-engineering"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"hn-46882389__cap_1","uri":"capability://data.processing.analysis.cross.reference.graph.traversal.and.data.flow.tracing","name":"cross-reference graph traversal and data-flow tracing","description":"Exposes Ghidra's reference graph (xrefs) as queryable MCP tools, allowing LLMs to trace data flow, call chains, and memory access patterns across the binary. Implements depth-limited graph traversal to prevent explosion, with support for filtering by reference type (read, write, call, flow) and scope (function-local, module-wide, global).","intents":["I want to trace where a specific variable or memory location is read and written throughout the binary","I need to find all callers of a function and understand the call chain context","I want to identify data dependencies between functions to understand program logic flow"],"best_for":["vulnerability researchers tracing taint flow through binaries","malware analysts understanding command-and-control communication patterns","developers decompiling legacy code to extract business logic"],"limitations":["Graph traversal is limited to statically-resolvable references; indirect calls via function pointers may be missed","Performance degrades on large binaries (>10MB) without depth limits; default max depth is 5 levels","No support for inter-procedural data-flow analysis (IPDA) — only local reference tracking"],"requires":["Ghidra 10.0+","Binary must be analyzed in Ghidra with reference analysis enabled","MCP server running with access to Ghidra project database"],"input_types":["function address","variable name","memory address","reference type filter"],"output_types":["reference graph JSON","call chain list","data-flow trace","cross-reference summary"],"categories":["data-processing-analysis","reverse-engineering"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"hn-46882389__cap_10","uri":"capability://planning.reasoning.interactive.llm.guided.reverse.engineering.with.multi.turn.context","name":"interactive llm-guided reverse engineering with multi-turn context","description":"Maintains conversation context across multiple analysis queries, allowing LLMs to build understanding incrementally. Implements context management to track analyzed functions, inferred types, and previous findings, enabling coherent multi-turn analysis workflows without redundant re-analysis.","intents":["I want to have a conversation with an AI about a binary, asking follow-up questions","I need to build understanding incrementally, with each query building on previous findings","I want the AI to remember what we've analyzed and avoid re-analyzing the same code"],"best_for":["reverse engineers conducting exploratory analysis","security researchers investigating complex binaries","teams using AI as an interactive analysis partner"],"limitations":["Context window is limited by LLM token limits; very large analyses may exceed context","No persistent context storage; context is lost between server restarts","Context management overhead increases latency with each turn"],"requires":["Ghidra 10.0+","MCP client with multi-turn conversation support","LLM with sufficient context window (8K+ tokens recommended)"],"input_types":["natural language query","follow-up question","analysis directive"],"output_types":["analysis response","findings summary","next steps recommendation","context state"],"categories":["planning-reasoning","reverse-engineering"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"hn-46882389__cap_11","uri":"capability://code.generation.editing.architecture.and.calling.convention.detection.with.function.signature.inference","name":"architecture and calling convention detection with function signature inference","description":"Detects binary architecture (x86, ARM, MIPS, etc.) and calling convention (cdecl, stdcall, fastcall, etc.) using Ghidra's analysis, then infers function signatures based on parameter passing patterns. Generates type-safe function prototypes suitable for re-implementation or API documentation.","intents":["I want to understand the calling convention used by a binary","I need to infer function signatures for external API calls","I want to generate C headers for reverse-engineered functions"],"best_for":["developers porting code across architectures","researchers documenting binary APIs","teams reconstructing source code from binaries"],"limitations":["Signature inference is heuristic-based; complex or variadic functions may be inferred incorrectly","Calling convention detection assumes standard conventions; custom or obfuscated conventions may be misidentified","No support for C++ name mangling or exception handling conventions"],"requires":["Ghidra 10.0+","Binary must be analyzed with architecture detection enabled","Function must have sufficient parameter passing patterns for inference"],"input_types":["function address","architecture hint","calling convention hint"],"output_types":["architecture identifier","calling convention name","function signature","C header declaration"],"categories":["code-generation-editing","reverse-engineering"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"hn-46882389__cap_12","uri":"capability://safety.moderation.obfuscation.detection.and.deobfuscation.assistance","name":"obfuscation detection and deobfuscation assistance","description":"Detects common obfuscation techniques (control flow flattening, dead code injection, string encryption, etc.) using pattern matching and heuristics. Provides deobfuscation hints and assists LLMs in understanding obfuscated code by highlighting suspicious patterns and suggesting analysis strategies.","intents":["I want to detect if a binary is obfuscated and identify the obfuscation technique","I need help understanding obfuscated control flow","I want to identify and remove dead code injected by obfuscators"],"best_for":["malware analysts dealing with obfuscated samples","security researchers studying obfuscation techniques","teams automating obfuscation detection in binaries"],"limitations":["Obfuscation detection is pattern-based; novel or sophisticated techniques may be missed","Deobfuscation is limited to pattern-based hints; automatic deobfuscation is not supported","False positives possible; legitimate code patterns may be flagged as obfuscation"],"requires":["Ghidra 10.0+","Binary must be analyzed with control flow analysis enabled","Obfuscation pattern database (built-in or custom)"],"input_types":["binary file","function address","obfuscation pattern set"],"output_types":["obfuscation detection report","technique identification","deobfuscation hints","suspicious code regions"],"categories":["safety-moderation","reverse-engineering"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"hn-46882389__cap_2","uri":"capability://code.generation.editing.decompilation.to.pseudocode.extraction.with.language.specific.formatting","name":"decompilation-to-pseudocode extraction with language-specific formatting","description":"Wraps Ghidra's decompiler to extract high-level pseudocode for functions, with options to format output as C, Python, or pseudo-assembly for different analysis contexts. Handles decompiler failures gracefully by falling back to raw disassembly, and caches decompilation results to avoid redundant computation.","intents":["I want to see a function's logic in readable pseudocode form to understand its purpose","I need to convert decompiled code to Python-like syntax for easier LLM comprehension","I want to compare decompilation output across multiple binaries or architectures"],"best_for":["security analysts reading decompiled code for vulnerability assessment","researchers comparing decompilation quality across tools","teams building automated code-to-documentation pipelines"],"limitations":["Decompilation quality varies by architecture and optimization level; stripped binaries often produce less readable output","Pseudocode formatting is lossy — some low-level details (register allocation, exact memory layout) are abstracted away","Caching is in-memory only; no persistent cache across server restarts"],"requires":["Ghidra 10.0+","Function must be successfully analyzed by Ghidra's decompiler","Sufficient memory for decompilation (typically 512MB+ for large binaries)"],"input_types":["function address","function name","output format preference"],"output_types":["pseudocode string","formatted code block","decompilation metadata (confidence, errors)"],"categories":["code-generation-editing","reverse-engineering"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"hn-46882389__cap_3","uri":"capability://data.processing.analysis.memory.layout.and.data.structure.inference.from.binary","name":"memory layout and data structure inference from binary","description":"Analyzes Ghidra's type inference engine and data-type definitions to extract inferred struct layouts, class hierarchies, and memory organization. Reconstructs data structures from memory access patterns and type annotations, exposing them as queryable JSON schemas for LLM-driven reverse engineering of complex data types.","intents":["I want to understand the memory layout of a C++ class or struct used in a binary","I need to identify and document all data structures used by a function","I want to extract type information to help reconstruct source code from a binary"],"best_for":["C++ reverse engineers reconstructing class hierarchies","malware analysts understanding data exfiltration formats","teams recovering source-level type information from stripped binaries"],"limitations":["Type inference is heuristic-based; complex or obfuscated types may be inferred incorrectly","No support for C++ RTTI (Run-Time Type Information) extraction beyond what Ghidra's type inference provides","Struct field offsets are approximate if alignment or padding is non-standard"],"requires":["Ghidra 10.0+","Binary with debug symbols or sufficient type hints for inference","Type inference analysis enabled in Ghidra project"],"input_types":["struct/class name","memory address","function address (to infer local types)"],"output_types":["struct definition JSON","field offset table","type hierarchy graph","memory layout diagram"],"categories":["data-processing-analysis","reverse-engineering"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"hn-46882389__cap_4","uri":"capability://search.retrieval.string.and.constant.extraction.with.context.and.usage.analysis","name":"string and constant extraction with context and usage analysis","description":"Scans the binary for embedded strings, numeric constants, and immediate values, then correlates them with their usage sites (function calls, memory writes, comparisons). Returns structured data including string encoding (ASCII, UTF-16, etc.), cross-references, and inferred purpose based on context.","intents":["I want to find all hardcoded strings in a binary and understand where they're used","I need to identify magic numbers or constants and trace their usage patterns","I want to extract error messages, URLs, or configuration strings for analysis"],"best_for":["malware analysts extracting C2 URLs and command strings","security researchers identifying hardcoded credentials or API keys","teams analyzing binary behavior through string artifacts"],"limitations":["String detection relies on heuristics (null-termination, printable characters); obfuscated or encrypted strings will be missed","Encoding detection is limited to common formats (ASCII, UTF-16); custom encodings require manual analysis","Context analysis is limited to immediate usage sites; indirect references via string tables may be missed"],"requires":["Ghidra 10.0+","String analysis enabled in Ghidra project","Binary must be loaded with proper memory mapping"],"input_types":["string pattern (regex or literal)","constant value","address range"],"output_types":["string list with metadata","usage cross-reference list","constant value table","encoded string analysis"],"categories":["search-retrieval","reverse-engineering"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"hn-46882389__cap_5","uri":"capability://data.processing.analysis.symbol.and.import.export.table.analysis.with.semantic.linking","name":"symbol and import/export table analysis with semantic linking","description":"Parses Ghidra's symbol table, import/export tables, and relocation records to extract function and variable symbols with their addresses, types, and external dependencies. Links symbols to their definitions and usage sites, enabling LLM-driven analysis of API surfaces and external dependencies.","intents":["I want to identify all external library functions called by a binary and understand their purpose","I need to extract the public API surface of a shared library or DLL","I want to trace how external functions are used throughout the binary"],"best_for":["binary compatibility researchers analyzing API usage patterns","security analysts identifying dangerous library functions","teams documenting external dependencies in reverse-engineered code"],"limitations":["Symbol information is only available if present in the binary (not stripped); stripped binaries require heuristic recovery","Import/export tables may be obfuscated or redirected through trampolines; direct symbol resolution may fail","No support for lazy binding or runtime symbol resolution analysis"],"requires":["Ghidra 10.0+","Binary with symbol table (or symbol recovery enabled)","Import/export table parsing enabled"],"input_types":["symbol name or pattern","library name","address range"],"output_types":["symbol table JSON","import/export list","symbol usage graph","API surface definition"],"categories":["data-processing-analysis","reverse-engineering"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"hn-46882389__cap_6","uri":"capability://data.processing.analysis.control.flow.graph.cfg.extraction.and.visualization.for.llm.analysis","name":"control flow graph (cfg) extraction and visualization for llm analysis","description":"Extracts Ghidra's control flow graph for functions as structured JSON, including basic blocks, edges (conditional/unconditional), and loop detection. Supports multiple visualization formats (DOT, JSON, adjacency list) and provides metrics (cyclomatic complexity, loop nesting depth) to help LLMs understand program structure.","intents":["I want to understand the control flow of a function to identify branches and loops","I need to analyze the complexity of a function's logic before attempting decompilation","I want to identify unreachable code or dead branches in a binary"],"best_for":["vulnerability researchers analyzing branch conditions for logic flaws","malware analysts understanding obfuscated control flow","teams measuring code complexity for prioritization"],"limitations":["CFG extraction assumes linear disassembly; indirect jumps and computed branches may create incomplete graphs","Loop detection uses heuristics (back edges); complex control flow may be misclassified","Visualization formats are static; no interactive exploration support"],"requires":["Ghidra 10.0+","Function must be successfully disassembled","Flow analysis enabled in Ghidra project"],"input_types":["function address","function name","visualization format preference"],"output_types":["CFG JSON","DOT graph format","complexity metrics","loop analysis"],"categories":["data-processing-analysis","reverse-engineering"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"hn-46882389__cap_7","uri":"capability://automation.workflow.batch.binary.analysis.and.report.generation","name":"batch binary analysis and report generation","description":"Orchestrates analysis of multiple binaries in parallel, aggregating results into comprehensive reports with cross-binary comparisons. Uses MCP's async capabilities to manage long-running analyses, with progress tracking and result caching to avoid redundant work.","intents":["I want to analyze a set of malware samples and generate a comparative report","I need to extract common patterns across multiple versions of a binary","I want to automate analysis of a large corpus of binaries for research"],"best_for":["malware researchers analyzing sample families","security teams conducting bulk binary audits","researchers building datasets from multiple binaries"],"limitations":["Parallel analysis is limited by available system resources; large batches may require queuing","Result caching is in-memory; no persistent cache across server restarts","Cross-binary comparison requires manual aggregation; no built-in diff or similarity analysis"],"requires":["Ghidra 10.0+","Sufficient disk space for multiple binary projects","MCP server with async task support"],"input_types":["binary file list","analysis configuration","report format preference"],"output_types":["analysis report JSON","comparison matrix","aggregated metrics","cross-binary findings"],"categories":["automation-workflow","reverse-engineering"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"hn-46882389__cap_8","uri":"capability://search.retrieval.semantic.search.across.binary.code.and.metadata","name":"semantic search across binary code and metadata","description":"Implements semantic search using embeddings or keyword matching to find functions, strings, and code patterns matching natural language queries. Integrates with LLM embeddings to enable queries like 'find functions that handle network communication' or 'locate crypto operations'.","intents":["I want to find all functions related to cryptography without knowing their names","I need to locate network communication code in a binary","I want to search for functions matching a specific behavior description"],"best_for":["malware analysts searching for specific behaviors across large binaries","security researchers identifying vulnerability patterns","teams building automated code classification systems"],"limitations":["Semantic search accuracy depends on embedding quality; may produce false positives/negatives","Keyword-based search is limited to exact or regex matches; fuzzy matching not supported","No support for cross-binary semantic search without pre-computing embeddings"],"requires":["Ghidra 10.0+","Embedding model (local or API-based) for semantic search","Binary must be analyzed with function extraction enabled"],"input_types":["natural language query","keyword pattern","embedding vector"],"output_types":["matching functions list","relevance scores","code snippets","metadata summary"],"categories":["search-retrieval","reverse-engineering"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"hn-46882389__cap_9","uri":"capability://safety.moderation.vulnerability.pattern.detection.and.annotation","name":"vulnerability pattern detection and annotation","description":"Implements pattern matching for known vulnerability signatures (buffer overflows, use-after-free, integer overflows, etc.) using Ghidra's analysis results. Annotates detected patterns with severity, affected functions, and remediation suggestions, enabling LLM-driven vulnerability assessment.","intents":["I want to automatically detect potential vulnerabilities in a binary","I need to identify functions with unsafe memory operations","I want to prioritize security analysis based on detected risk patterns"],"best_for":["security auditors screening binaries for known vulnerability classes","vulnerability researchers building detection datasets","teams automating security assessment workflows"],"limitations":["Pattern detection is signature-based; zero-day or novel vulnerabilities will be missed","False positive rate varies by pattern; manual verification required for high-confidence findings","No support for context-aware vulnerability analysis (e.g., whether a buffer overflow is exploitable)"],"requires":["Ghidra 10.0+","Vulnerability pattern database (built-in or custom)","Binary must be analyzed with data-flow analysis enabled"],"input_types":["binary file","vulnerability pattern set","severity threshold"],"output_types":["vulnerability list","annotated functions","risk assessment report","remediation suggestions"],"categories":["safety-moderation","reverse-engineering"],"confidence":0.5,"matches":0,"success_rate":0}],"trust":{"score":49,"verified":false,"data_access_risk":"high","permissions":["Ghidra 10.0+","Python 3.8+ with MCP client library","API key for Claude, GPT-4, or compatible LLM","Binary file in format supported by Ghidra (ELF, PE, Mach-O, etc.)","Binary must be analyzed in Ghidra with reference analysis enabled","MCP server running with access to Ghidra project database","MCP client with multi-turn conversation support","LLM with sufficient context window (8K+ tokens recommended)","Binary must be analyzed with architecture detection enabled","Function must have sufficient parameter passing patterns for inference"],"failure_modes":["Accuracy depends on Ghidra's decompilation quality — optimized or stripped binaries may produce incomplete pseudocode","LLM context window limits analysis to functions under ~4KB of disassembly; larger functions require chunking","No built-in handling of architecture-specific calling conventions beyond Ghidra's native support","Graph traversal is limited to statically-resolvable references; indirect calls via function pointers may be missed","Performance degrades on large binaries (>10MB) without depth limits; default max depth is 5 levels","No support for inter-procedural data-flow analysis (IPDA) — only local reference tracking","Context window is limited by LLM token limits; very large analyses may exceed context","No persistent context storage; context is lost between server restarts","Context management overhead increases latency with each turn","Signature inference is heuristic-based; complex or variadic functions may be inferred incorrectly","builder identity is not verified yet","no observed match outcomes yet"],"rank_breakdown":{"adoption":0.82,"quality":0.35,"ecosystem":0.46,"match_graph":0.25,"freshness":0.6,"weights":{"adoption":0.25,"quality":0.25,"ecosystem":0.15,"match_graph":0.23,"freshness":0.12}},"observed_outcomes":{"matches":0,"success_rate":0,"avg_confidence":0,"top_intents":[],"last_matched_at":null},"maintenance":{"status":"active","updated_at":"2026-06-17T09:51:04.691Z","last_scraped_at":"2026-05-04T08:10:01.171Z","last_commit":null},"community":{"stars":null,"forks":null,"weekly_downloads":null,"model_downloads":null,"model_likes":null}},"distribution":{"claim_url":"https://unfragile.ai/submit?claim=ghidra-mcp-server-110-tools-for-ai-assisted-revers","compare_url":"https://unfragile.ai/compare?artifact=ghidra-mcp-server-110-tools-for-ai-assisted-revers"}},"signature":"uu/5N40ay4Cm7RwNtIZMWK9crzVxgiydOFDM41am3GGle/cYJ4Cy5Gxr1tykDUHUSHaDcvJ3sancb1NlqgXsCQ==","signedAt":"2026-06-21T01:53:48.052Z","signedBy":"unfragile.ai","version":1},"_links":{"self":"https://unfragile.ai/api/v1/passport/ghidra-mcp-server-110-tools-for-ai-assisted-revers","artifact":"https://unfragile.ai/ghidra-mcp-server-110-tools-for-ai-assisted-revers","verify":"https://unfragile.ai/api/v1/verify?slug=ghidra-mcp-server-110-tools-for-ai-assisted-revers","publicKey":"https://unfragile.ai/api/v1/trust-passport-public-key","spec":"https://unfragile.ai/trust","schema":"https://unfragile.ai/schema.json","docs":"https://unfragile.ai/docs"}}