Use this skill to reconstruct command flow, transport assumptions, message boundaries, field candidates, and encode/decode behavior from reverse-engineering evidence.
Use this skill when the analysis already has some strings, handler candidates, or decompiled code and the next goal is to reconstruct the wire protocol or command model.
Before reconstructing fields, gather at least:
If ida-pro-mcp is connected, the minimum MCP pass is:
- find_regex for command words, verbs, framing strings, and JSON tags
- xrefs_to on those strings or constants
- decompile the decode, dispatch, and encode candidates
- callgraph from the receive path or top dispatcher
- export_funcs when local diffing or field extraction is needed
Produce:
Look for:
Try to isolate:
Do not infer a full protocol from only one function. Prefer at least one path on each side of dispatch.
For each command or message candidate, record:
Useful CLI pivots:
strings -a -n 4 sample.bin | rg -i 'json|msgpack|protobuf|grpc|http|ws|opcode|cmd|type|action|version|nonce|iv'
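The same triage can be scripted so that string hits carry offsets (for xrefs) and so that a framing hypothesis can be falsified rather than assumed. The block below is an added example, not part of this skill or of any tool it references: the binary blob, the captured stream, and the length-prefix framing it checks are all constructed for illustration, and the keyword list mirrors the rg pattern above. It does three things: extracts printable strings and keeps those matching protocol keywords; splits a stream under a stated length-prefix hypothesis and returns None when the stream does not divide cleanly; and compares equal-length message bodies byte by byte to mark constant runs (magic, version, flags candidates) versus variable runs (nonce, counter, opcode candidates).

```python
import re
import struct

# --- Constructed sample inputs (not from any real binary or capture) ----------

# Fake binary blob with embedded ASCII strings resembling protocol keywords.
SAMPLE_BIN = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 8          # header noise, no 4+ char run
    + b"cmd_exec\x00" + b"\x90\x90\x90"
    + b'{"type":"beacon","nonce":""}\x00'
    + b"\x12\x13" + b"version\x00" + b"\xff" * 4
    + b"opcode\x00" + b"\x01\x02" + b"sleep_ms\x00"
    + b"unrelated text here\x00"
)

# Fake stream of three frames. Assumed framing (a hypothesis, not a known
# format): u16 big-endian length of the body, then body = opcode + payload.
FRAME_BODIES = [
    b"\x02\x01\xde\xad\xbe\xef\x00",
    b"\x02\x01\x13\x37\x00\x01\x00",
    b"\x02\x01\xca\xfe\xf0\x0d\x00",
]
SAMPLE_STREAM = b"".join(struct.pack(">H", len(b)) + b for b in FRAME_BODIES)

# Same keyword set as the rg pivot above.
KEYWORDS = re.compile(
    rb"json|msgpack|protobuf|grpc|http|ws|opcode|cmd|type|action|version|nonce|iv",
    re.I,
)


def extract_strings(data, min_len=4):
    """(offset, bytes) for printable ASCII runs, like `strings -a -n <min_len>`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group()) for m in re.finditer(pattern, data)]


def protocol_string_candidates(data, min_len=4):
    """Strings containing protocol keywords, with offsets to feed into xrefs."""
    out = []
    for off, s in extract_strings(data, min_len):
        hits = sorted({k.decode().lower() for k in KEYWORDS.findall(s)})
        if hits:
            out.append((off, s.decode("ascii"), hits))
    return out


def split_frames(stream, length_fmt=">H", length_includes_header=False):
    """Split under a length-prefix hypothesis; None if the stream does not divide."""
    frames = []
    pos = 0
    hdr = struct.calcsize(length_fmt)
    while pos < len(stream):
        if pos + hdr > len(stream):
            return None                     # truncated header: hypothesis fails
        (length,) = struct.unpack_from(length_fmt, stream, pos)
        body_len = length - hdr if length_includes_header else length
        start, end = pos + hdr, pos + hdr + body_len
        if body_len < 0 or end > len(stream):
            return None                     # length overruns stream: fails
        frames.append(stream[start:end])
        pos = end
    return frames


def field_candidates(bodies):
    """Runs of (start, end, kind) over equal-length bodies; kind is
    'constant' when every body has the same byte there, else 'variable'."""
    if not bodies or len({len(b) for b in bodies}) != 1:
        return None
    n = len(bodies[0])
    kinds = ["constant" if len({b[i] for b in bodies}) == 1 else "variable"
             for i in range(n)]
    runs, start = [], 0
    for i in range(1, n + 1):
        if i == n or kinds[i] != kinds[start]:
            runs.append((start, i, kinds[start]))
            start = i
    return runs


if __name__ == "__main__":
    for off, s, hits in protocol_string_candidates(SAMPLE_BIN):
        print(f"0x{off:04x} {s!r} -> {hits}")
    bodies = split_frames(SAMPLE_STREAM)
    print("frames under >H hypothesis:", bodies)
    print("frames under <H hypothesis:", split_frames(SAMPLE_STREAM, "<H"))
    print("field candidates:", field_candidates(bodies))
```

The byte-position comparison is the differential step that turns several captured messages into field candidates to record per command: constant runs at the front are the first place to look for magic or version bytes, and a variable run of fixed width is a nonce or counter candidate to confirm against the encode routine.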
Summarize:
If protocol evidence now supports operator pivots, hand off to reverse-operator-attribution.
If the recovered control plane is mature enough for containment or takedown planning, hand off to reverse-botnet-dismantling.
[2-5 sentences]