Listen to this Post

Introduction:
The cybersecurity industry is drowning in tool fragmentation. When an AI agent encounters an APK file, it doesn’t know whether to reach for jadx, Frida, or IDA — so it guesses, wastes cycles, and often gets it wrong. The reverse-skill project, authored by ZhaoXu and championed by security researcher Mohit Soni (CRTO, OSCP, OSWP, CRTP), solves this with an AI-powered routing engine that dynamically directs agents to the right toolchain for any reverse engineering or penetration testing task. This isn’t just another GitHub repo — it’s a self-evolving knowledge base that turns AI coding clients into disciplined, methodical security practitioners.
Learning Objectives:
- Understand the architecture of AI-powered skill routing and how it eliminates guesswork in reverse engineering workflows.
- Master the installation and bootstrap process for the reverse-skill package across Kali Linux, Ubuntu, macOS, and Windows.
- Learn to navigate the routing matrix to correctly dispatch APK, binary, JavaScript, firmware, and CTF tasks to the appropriate toolchains.
- Execute platform-specific deployment scripts and verify toolchain dependencies (JDK, Node.js 22.12+, Python 3.x).
- Implement the self-evolving feedback loop that captures experience and prevents repeated mistakes.
1. The Core Philosophy: Route First, Execute Second
The fundamental problem reverse-skill addresses is that AI agents (Claude Code, Codex CLI, Cursor, Cline, etc.) lack situational awareness. When presented with a binary, they often hallucinate commands or default to generic analysis. Reverse-skill imposes a strict routing protocol: user task → RULES.md → Skill Router → target Skill → tools/MCP/scripts → report + knowledge沉淀.
Before any tool is invoked, the agent must read `RULES.md` and consult the routing matrix (skills/routing.md). This matrix maps tasks by three dimensions: target type (APK, ELF, JS, PCAP), user intent (decompile, dynamic hook, network capture), and available toolchain. Only after a match is confirmed does the agent enter the designated skill directory and read its `SKILL.md` for execution. This protocol prevents the all-too-common pattern of “do first, route later” — a habit that wastes time and produces unreliable results.
Step‑by‑step guide:
1. Clone the repository:
git clone https://github.com/zhaoxuya520/reverse-skill.git cd reverse-skill
2. For AI agents only: Read `README_AI.md` immediately. This file contains the bootstrap instructions that the agent must execute.
3. Generate the local tool index (this file is gitignored and does not exist in the cloned repo):
– Linux/macOS/Kali: `bash skills/scripts/refresh-tool-index.sh`
– Windows: `powershell -ExecutionPolicy Bypass -File skills/scripts/refresh-tool-index.ps1`
– Kali-specific: `bash kali/scripts/refresh-tool-index.sh`
This step produces `skills/tool-index.md` and skills/tool-index.json, which are critical for routing.
4. Let the AI detect your platform and follow the appropriate deployment document:
– Kali Linux → `kali/README-kali.md`
– Ubuntu/Debian → `docs/platforms/linux.md`
– macOS → `docs/platforms/macos.md`
– Windows → continue with `README_AI.md`
5. Run the bootstrap entry (preferred for Bash-capable systems):
bash skills/scripts/bootstrap-reverse.sh
This checks toolchains, configures MCP services, and sets up script entry points.
6. The AI then reads RULES.md, executes the CRITICAL immediate-action block, and proceeds to the appropriate skill.
- The Routing Matrix: Your Map Through the Reverse Engineering Jungle
The routing matrix is the brain of reverse-skill. It categorizes targets and directs the agent to the correct skill module. Below is a condensed version of the matrix:
| Target Type | Recommended Entry | Alternative |
|-|-|-|
| APK / Android app | `apk-reverse/` — jadx decompile + apktool unpack | If core is in .so → `ida-reverse/` or `radare2/` |
| Binary (exe/dll/so/elf) | `ida-reverse/` — IDA Pro decompile | `radare2/` — CLI analysis, or GDB/Unicorn |
| JavaScript / Web frontend | `js-reverse/` — 5-stage workflow | anything-analyzer MCP browser tools, or jshookmcp CDP/Hook |
| HTTP capture / request replay | anything-analyzer MCP (port 23816) | js-reverse/, jshookmcp, or `competition-web-runtime/` |
| Firmware / IoT | `reverse-engineering/platforms.md` — binwalk/ARM/MIPS | Ghidra headless |
| WASM / Python bytecode | `reverse-engineering/languages.md` | Check specific language section |
| .NET / C (ConfuserEx/SmartAssembly) | `dotnet-reverse/SKILL.md` — dnSpyEx + de4dot | IL2CPP/NativeAOT → `reverse-engineering/` |
| macOS / iOS | `reverse-engineering/platforms.md` — Mach-O/ObjC/Swift | `mobile-reverse/` for iOS-specific |
| Game (Unity) | `reverse-engineering/` — engine reverse, anti-cheat, IL2CPP/Mono | `ida-reverse/` deep analysis |
| Malware / virus sample | `reverse-engineering/` — YARA/sandbox/behavior analysis | `ida-reverse/` deep analysis |
| OLLVM-obfuscated binary | `reverse-engineering/references/ollvm-deobfuscation.md` | obpo-plugin / d810-1g / ollvm-unflattener / angr |
| Cryptography / encryption | `reverse-engineering/patterns.md` — crypto patterns | `js-reverse/` (if frontend crypto) |
Step‑by‑step guide to using the matrix:
- Identify the target type — Is it an APK? An ELF binary? A JavaScript encrypted parameter?
- Determine the user intent — Decompilation? Dynamic hooking? Network capture? Protocol reverse?
- Check available toolchain — Does the local machine have IDA Pro? radare2? Ghidra? Frida?
- Consult `skills/routing.md` — Match all three dimensions before proceeding.
- If no match exists, propose a new skill rather than force-fitting an inappropriate one.
- For cross-module tasks, combine skills per the “Path Crossing” section of the routing document.
3. Platform Deployment: Kali, Ubuntu, macOS, and Windows
Reverse-skill is platform-aware. The AI automatically detects the operating system and follows the appropriate deployment path. Here’s what each platform requires:
Prerequisites (all platforms):
- Java / JDK — for jadx and apktool
- Node.js 22.12+ — for JS toolchain and MCP services
- Python 3.x — for Frida and辅助 scripts
- An AI coding client — Claude Code, Codex CLI, Cursor, etc.
Kali Linux:
Kali is the preferred platform for offensive security. The deployment document is at kali/README-kali.md. The bootstrap script:
bash kali/scripts/bootstrap-reverse.sh
And the index refresh:
bash kali/scripts/refresh-tool-index.sh
Ubuntu/Debian:
Generic Linux deployment is covered in docs/platforms/linux.md. Use the common scripts:
bash skills/scripts/bootstrap-reverse.sh bash skills/scripts/refresh-tool-index.sh
macOS:
Darwin-based systems use docs/platforms/macos.md. The same Bash scripts apply:
bash skills/scripts/bootstrap-reverse.sh bash skills/scripts/refresh-tool-index.sh
Windows:
Windows requires PowerShell. The deployment is handled within README_AI.md. Key commands:
powershell -ExecutionPolicy Bypass -File skills/scripts/refresh-tool-index.ps1
Step‑by‑step platform deployment:
- Detect OS — The AI reads `/etc/os-release` (Linux) or `uname -s` (macOS) or `$env:OS` (Windows).
- Read the corresponding platform document — This ensures toolchain paths, MCP configurations, and script entry points are correct.
- Run the bootstrap script — This checks dependencies and sets up the environment.
- Verify toolchain — Ensure jadx, apktool, Frida, Node.js, and Python are accessible.
- Proceed to RULES.md — The AI now enters the routing phase.
-
The Self-Evolving Knowledge Base: Why This Project Matters
Reverse-skill isn’t static. It’s designed to evolve with each engagement. The project’s tagline — “破暗而行,逆水为舟” (breaking through darkness, sailing against the current) — reflects its commitment to continuous improvement.
Why this project exists:
- AI agents face APK, ELF, JS, and PCAP files without knowing which tool to use (jadx, Frida, or IDA).
- Tool paths, MCP services, and script entry points are scattered across different machines, making migration difficult.
- The same problems are re-solved from scratch each time, with no reusable经验.
Reverse-skill solves these by:
- AI-powered routing — The agent consults a structured matrix before acting.
- On-demand toolchain bootstrapping — The system checks and configures tools dynamically.
- Self-evolving knowledge base — Each engagement produces a report and沉淀 (accumulated experience) that feeds back into the system.
Step‑by‑step guide to contributing and evolving:
- After completing a task, the agent generates a report.
- Identify patterns — Was the routing correct? Were there missing tools?
- Update the routing matrix — Propose new entries or refine existing ones.
- Add new skills — If a new tool or technique is discovered, create a new skill directory with a
SKILL.md. - Submit a pull request — The community benefits from your experience.
-
Toolchain Deep Dive: IDA Pro, radare2, Ghidra, and Beyond
The technical stack of reverse-skill is anchored in industry-standard reverse engineering tools:
- IDA Pro — The gold standard for binary decompilation. Used for deep analysis of ELF, PE, and Mach-O binaries.
- radare2 — A CLI-based alternative for those who prefer terminal workflows or lack IDA licenses.
- Ghidra — The NSA’s open-source reverse engineering framework, particularly useful for headless analysis.
But the toolchain extends far beyond these three:
- jadx and apktool — For Android APK decompilation and unpacking.
- Frida — For dynamic instrumentation and hooking.
- dnSpyEx and de4dot — For .NET reverse engineering and deobfuscation.
- anything-analyzer MCP — For HTTP capture and request replay (port 23816).
- binwalk — For firmware analysis and extraction.
- YARA — For malware pattern matching.
Step‑by‑step guide to verifying and using the toolchain:
1. Check JDK installation:
java -version
2. Check Node.js version (must be 22.12+):
node -v
3. Check Python:
python3 --version
4. Verify jadx:
jadx --version
5. Verify apktool:
apktool --version
6. Verify Frida:
frida --version
7. If any tool is missing, install it via the platform’s package manager (apt, brew, or manual download).
6. MCP Integration: Bridging AI and Local Tools
Reverse-skill leverages the Model Context Protocol (MCP) to connect AI agents with local tools and services. The `anything-analyzer` MCP server runs on port 23816 and handles HTTP capture, request replay, and browser sampling. The `jshookmcp` provides CDP (Chrome DevTools Protocol) and hooking capabilities for JavaScript reverse engineering.
Step‑by‑step guide to MCP configuration:
- Ensure Node.js 22.12+ is installed — MCP services are Node-based.
- Navigate to the MCP configuration directory (typically within the skill’s folder).
3. Start the MCP server (example for anything-analyzer):
npx anything-analyzer --port 23816
4. Verify the server is running — Check that the port is listening:
netstat -tulpn | grep 23816 Linux netstat -an | findstr 23816 Windows
5. Configure the AI client to connect to the MCP server — This varies by client (Claude Code, Cursor, etc.).
6. Test with a sample request — Capture an HTTP request and replay it through the MCP.
7. CTF and Competition Workloads: The Sandbox Orchestrator
Reverse-skill includes a dedicated CTF module: `CTF-Sandbox-Orchestrator/` with over 40 sub-skills. This is designed for capture-the-flag competitions and penetration testing challenges. The orchestrator provides a structured environment for:
– Binary exploitation
– Web application security
– Cryptography challenges
– Forensics
– Reverse engineering puzzles
Step‑by‑step guide to using the CTF module:
1. Navigate to the CTF directory:
cd CTF-Sandbox-Orchestrator/
2. List available sub-skills:
ls -la
3. Read the SKILL.md of the relevant sub-skill for instructions.
4. Execute the provided scripts — Each sub-skill includes tooling and automation.
5. Document your approach — This feeds back into the knowledge base.
What Undercode Say:
- Key Takeaway 1: Reverse-skill transforms AI agents from guessing machines into disciplined security practitioners by enforcing a “route-first, execute-second” protocol. This eliminates the most common failure mode in AI-assisted reverse engineering.
-
Key Takeaway 2: The self-evolving knowledge base is the project’s killer feature. Every engagement produces a report that can be fed back into the system, ensuring that the same mistakes are never repeated and that the toolchain improves over time.
Analysis: The reverse-skill project represents a paradigm shift in how AI interacts with security tooling. Rather than treating AI as a replacement for human expertise, it positions AI as an orchestrator that follows established methodologies. The routing matrix is particularly powerful — it’s essentially a decision tree that encodes years of reverse engineering wisdom into a machine-readable format. For organizations that rely on AI coding clients for security tasks, adopting reverse-skill could reduce analysis time by 50-70% and dramatically improve accuracy. However, the project’s success depends on community contributions; without active maintenance of the routing matrix and skill modules, it will stagnate. The use of MCP for local tool integration is forward-thinking, as it aligns with the broader industry trend toward standardized AI-tool interfaces.
Prediction:
- +1 The reverse-skill model will be adopted by major security vendors within 18 months, leading to integrated AI routing engines in commercial penetration testing platforms.
- +1 Community-driven skill modules will proliferate, creating a de facto standard for AI-assisted reverse engineering that rivals OWASP in scope.
- -1 Without sustained maintenance, the routing matrix will become outdated as new obfuscation techniques and tools emerge, reducing its effectiveness over time.
- +1 The project’s emphasis on self-evolution will inspire similar initiatives in other domains, such as cloud security hardening and API security testing.
- -1 Adoption may be hindered by the learning curve — security teams must invest time in understanding the routing matrix and customizing it for their specific toolchains.
- +1 MCP integration will accelerate as more AI clients adopt the protocol, making reverse-skill a blueprint for future AI-tool interactions.
- +1 The CTF orchestrator will become a go-to resource for security training, bridging the gap between theoretical knowledge and practical application.
- -1 Proprietary tools like IDA Pro may limit adoption in cost-sensitive environments, though alternatives like Ghidra and radare2 mitigate this.
- +1 The project’s open-source nature and community-driven evolution will ensure it remains relevant, provided the maintainers can sustain momentum.
- +1 In the long term, reverse-skill could evolve into a fully autonomous security agent that not only routes tasks but also executes complex multi-step engagements with minimal human oversight.
▶️ Related Video (88% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: 0xfrost Reverse – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


