Reversecore MCP
AI-Powered Reverse Engineering & Security Analysis via Model Context Protocol
Enterprise-grade integrated static & dynamic analysis server — speak natural language, get expert-level reverse engineering, vulnerability triage, malware analysis, and forensics.
Table of Contents
- What is Reversecore MCP?
- Architecture
- Tool Catalog (50+ Tools)
- Guided Analysis Prompts
- Quick Start
- Connect to Your AI Client
- Configuration
- Security Model
- Development
- Project Structure
- Contributing
- License
What is Reversecore MCP?
Reversecore MCP is an enterprise-grade Model Context Protocol server that transforms AI assistants like Claude and Cursor into expert-level security research workstations.
It goes far beyond binary disassembly. Reversecore MCP integrates 50+ analysis tools spanning:
- 🔬 Static analysis — disassembly, decompilation, binary parsing
- 💥 Dynamic triage — GDB crash parsing, exploitability assessment
- 🦠 Malware analysis — capability detection, IOC extraction, threat hunting
- 🧬 Vulnerability research — symbolic execution, fuzzing, ROP gadget detection
- 🔏 SAST — source code auditing for Python, C, and C++
- 🕵️ Digital forensics — memory, disk, network, and artifact analysis
- 📊 Reporting — MITRE ATT&CK-mapped structured reports
Instead of learning complex tools by hand, you simply describe what you want in natural language:
"Decompile the main function of this malware sample, extract all network IOCs,
map the behavior to MITRE ATT&CK, and generate a triage report."
↓
Reversecore MCP automatically invokes r2_decompile → extract_iocs → add_session_mitre → create_analysis_report, returning structured analyst-grade output.
Architecture
AI Client (Claude / Cursor / any MCP-compatible client)
│ MCP Protocol (stdio or HTTP/SSE)
▼
┌──────────────────────────────────────────────────────┐
│ FastMCP Server │
│ 50+ registered tools · Async │
│ Python 3.10–3.12 │
├────────────────────┬─────────────────────────────────┤
│ Guided Prompts │ Dynamic Resources │
│ (5 expert modes) │ (workspace, metrics, health) │
├────────────────────┴─────────────────────────────────┤
│ Core Infrastructure │
│ Config · Security · Validators · Exception Hierarchy│
│ R2 Pool · Metrics · Memory (SQLite) · Task Queue │
│ MITRE Mapper · Evidence Engine · Resilience Layer │
├──────────────────────────────────────────────────────┤
│ Analysis Engines │
│ Radare2 + r2ghidra │ YARA · LIEF · Capstone │
│ CAPA (Mandiant) │ angr (Symbolic Execution) │
│ Volatility3 · Scapy │ DIE · Qiling · Binwalk │
└──────────────────────────────────────────────────────┘
Core Infrastructure Modules
| Module | Purpose |
|---|---|
core/config.py |
Centralized environment-aware configuration |
core/security.py |
Input sanitization & path validation |
core/validators.py |
File & binary path validators |
core/r2_pool.py |
Thread-safe Radare2 connection pool |
core/r2_helpers.py |
Structured Radare2 output utilities |
core/metrics.py |
Per-tool execution times & error rates |
core/memory.py |
Async SQLite AI memory store |
core/mitre_mapper.py |
MITRE ATT&CK technique mapping engine |
core/evidence.py |
Evidence classification (OBSERVED/INFERRED/POSSIBLE) |
core/resilience.py |
Retry, circuit-breaker, timeout patterns |
core/task_queue.py |
Background task queue (Redis + arq) |
core/extension_registry.py |
Plugin/extension registration system |
core/sast/ |
Python AST scanner + C/C++ regex scanner |
Tool Catalog
Reversecore MCP exposes 50+ tools across 7 categories. Every tool returns a structured
ToolResultwithstatus,content, and optionalerrorfields.
🔍 Static Analysis
| Tool | Backend | Description |
|---|---|---|
run_file |
file CLI |
File type, architecture, and compiler fingerprinting |
run_strings |
strings CLI |
ASCII/Unicode string extraction with configurable min-length and limits |
run_binwalk |
Binwalk | Firmware deep-scan: embedded signatures, filesystems, compressed blobs |
parse_binary_with_lief |
LIEF | Full PE / ELF / Mach-O header, section, import/export, and TLS parsing |
detect_compiler_and_packer |
DIE (diec) |
Compiler, linker, packer, and protector detection via Detect It Easy |
run_capa |
CAPA (Mandiant FLARE) | High-level capability detection — "encrypts data", "creates persistence", etc. |
audit_source_code |
AST + Regex SAST | Python AST scanner + C/C++ regex scanner for dangerous patterns |
⚙️ Disassembly & Decompilation
| Tool | Backend | Description |
|---|---|---|
run_radare2 |
r2pipe | Raw Radare2 command execution with connection pooling |
Radare2_disassemble |
Radare2 | Function disassembly with full auto-analysis (aaa) |
r2_decompile |
r2ghidra | High-quality C decompilation (Ghidra engine embedded in r2, no JVM) |
r2_recover_structures |
r2ghidra + SQLite | Auto-recover C structs and persist to annotation database |
r2_analyze_function |
Radare2 | Deep single-function analysis with type inference and variable tracking |
r2_get_call_graph |
Radare2 | Call graph extraction for a given function address |
r2_simulate_patch |
Radare2 | Preview binary patch effects before applying to disk |
r2_session |
Radare2 | Stateful multi-command analysis sessions |
disassemble_with_capstone |
Capstone | Multi-arch disassembly: x86/x64, ARM, MIPS, PPC, SPARC |
🔗 Cross-Reference & Binary Annotation
| Tool | Backend | Description |
|---|---|---|
analyze_xrefs |
Radare2 | Track function calls, data references, and control flow |
r2_read_memory |
Radare2 | Read raw bytes from a given virtual address |
r2_list_structures |
SQLite | List all annotated C structs from the persistent annotation DB |
r2_create_structure |
SQLite | Create and persist a new struct annotation |
r2_add_bookmark |
SQLite | Annotate an address with a persistent comment |
r2_list_bookmarks |
SQLite | List all address bookmarks across the workspace |
r2_list_types |
Radare2 | List all known types in the current binary analysis |
🧬 Dynamic & Symbolic Analysis
| Tool | Backend | Description |
|---|---|---|
emulate_machine_code |
Radare2 ESIL | Register/memory-traced code emulation without running the binary |
verify_path_and_get_args |
angr | Symbolic execution — prove path reachability and compute concrete inputs |
generate_fuzzing_harness |
Qiling + AFL++ | Auto-generate a Qiling-based fuzzing harness targeting a specific function |
diff_binaries |
Radare2 | Semantic binary diff to track patch changes between versions |
match_libraries |
Radare2 | Identify statically linked libraries by function fingerprint matching |
🦠 Malware Analysis & Threat Detection
| Tool | Backend | Description |
|---|---|---|
dormant_detector |
Radare2 + heuristics | Find hidden backdoors, orphan functions, time-bombs, and logic bombs |
extract_iocs |
Regex + LIEF | Extract IPs, URLs, domains, hashes, registry keys, crypto addresses |
run_yara |
YARA | YARA rule scanning with custom rule files and built-in rulesets |
adaptive_vaccine |
YARA + Radare2 | Generate detection YARA rules + binary patches to neutralize a threat |
vulnerability_hunter |
Radare2 + analysis | Detect dangerous API patterns (strcpy, sprintf) and ROP gadget chains |
📝 Session Tracking & Report Generation
| Tool | Description |
|---|---|
start_analysis_session |
Start a timed analysis session with unique session ID |
add_session_ioc |
Collect and tag IOCs during a live session |
add_session_mitre |
Document MITRE ATT&CK technique IDs during analysis |
end_analysis_session |
Finalize session: computes duration, locks IOC/ATT&CK lists |
create_analysis_report |
Render session report in 4 modes: full / triage / ioc_summary / executive |
generate_malware_submission |
One-shot standardized JSON submission report |
send_report_email |
Deliver rendered report via SMTP |
🕵️ Digital Forensics
| Tool | Backend | Description |
|---|---|---|
analyze_memory_dump |
Volatility3 | Full memory forensics: process list, network connections, injected code, handle |