---
name: pyghidra-ghidra-ops
description: MCP-only Python-backed Ghidra scripting workflow for Crusader edits and queries; use when live MCP Python/script capabilities are needed and never for the offline local CLI toolkit
---

# PyGhidra Ghidra Ops

Use this skill when the live Ghidra MCP session needs Python-backed inspection or scripted edits. Do not use the offline local PyGhidra CLI from this workspace.

## Use Cases

- Run live MCP readonly Python-backed inspection when decompiler or xref work needs scripted help.
- Run live MCP write-capable scripted edits for small verified rename, comment, function-boundary, or datatype batches.
- Keep scripted Ghidra work inside the active GUI-backed MCP session so project locks do not matter.

## Workspace Defaults

- Active authority: the live Ghidra MCP session
- Default target unless stated otherwise: `CRUSADER.EXE`
- Python-backed operations must run through MCP endpoints exposed by the active Ghidra session

## Constraints

- Stay conservative. Use the same rename and batch-size rules as the main Ghidra workflow.
- Prefer one focused plan or 1-5 direct edits at a time.
- Never fall back to the offline/local CLI path from this workspace.
- If MCP cannot do the needed Python-backed operation, document the gap in `ghidra_mcp_wishlist.md` rather than using the local toolkit.
- Keep `crusader_decompilation_notes.md` updated after verified repair batches.

For 16-bit NE decompiler failures after prototype edits or function recreation, inspect direct callees before assuming the caller frame is corrupt. In this repo a broken caller (`1420:1499`) was only fixed after repairing a shared callee (`1000:42e2`) whose pointer-return prototype had decompiled with a hidden `__return_storage_ptr__` and poisoned the caller stack model.

## MCP Usage Pattern

- Prefer standard MCP endpoints first for decompilation, disassembly, xrefs, renames, comments, function creation/deletion, and datatype work.
- Use live MCP Python/script endpoints only when the ordinary endpoint surface cannot express the needed operation.
- Keep script batches small and evidence-driven, just like ordinary MCP edit plans.
- When a live MCP Python/script batch succeeds, treat that as the canonical workflow; do not duplicate it through the local CLI.

## Implementation Notes

- Address strings still accept raw `SSSS:OOOO` form or plain integers such as `0x75a90` when the underlying MCP endpoint supports them.
- Keep the active-program context in mind; if the wrong Ghidra tab is active, fix that through the live MCP workflow rather than opening a second offline project handle.
- If a missing live endpoint or script capability blocks work, update `ghidra_mcp_wishlist.md` so the gap stays visible instead of reintroducing the local CLI fallback.
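
The callee-first check described under Constraints for 16-bit NE decompiler failures, as an added example that is not part of this skill or the project's tooling: it scans decompiler text already fetched for a caller's direct callees and lists those whose prototype carries the hidden `__return_storage_ptr__` parameter. The function names, the input mapping, and the sample decompiler text are assumptions constructed for illustration; keys use the `SSSS:OOOO` or plain-integer address forms.

```python
import re

# Parameter name that shows up in a decompiled prototype when the return
# value is modelled as hidden caller-provided storage.
HIDDEN_RET = "__return_storage_ptr__"
SEG_OFF = re.compile(r"^([0-9a-fA-F]{1,4}):([0-9a-fA-F]{1,4})$")


def normalize_address(addr):
    """Accept 'SSSS:OOOO' or a plain integer / integer string; return one key form."""
    if isinstance(addr, int):
        return hex(addr)
    m = SEG_OFF.match(addr.strip())
    if m:
        return "%04x:%04x" % (int(m.group(1), 16), int(m.group(2), 16))
    return hex(int(addr.strip(), 0))


def prototype_of(c_text):
    """Everything before the first '{' is the decompiled prototype."""
    return c_text.split("{", 1)[0]


def suspect_callees(callees):
    """callees maps address -> decompiled C text (hypothetical input shape).

    Returns the normalized addresses whose *prototype* carries the hidden
    return-storage parameter; a mention only in the body is not flagged.
    """
    hits = [normalize_address(addr) for addr, c_text in callees.items()
            if HIDDEN_RET in prototype_of(c_text)]
    return sorted(hits)


# Constructed sample text for hypothetical direct callees of one caller.
SAMPLE_CALLEES = {
    "1000:42E2": "char * FUN_1000_42e2(char *__return_storage_ptr__,int param_1)\n"
                 "{\n  return __return_storage_ptr__;\n}\n",
    "1000:4310": "void FUN_1000_4310(int param_1)\n{\n  return;\n}\n",
    # Name appears only in the body here, so the prototype check skips it.
    0x75a90: "int sample_fn(void)\n{\n  char *__return_storage_ptr__;\n  return 0;\n}\n",
}

if __name__ == "__main__":
    for addr in suspect_callees(SAMPLE_CALLEES):
        print("inspect callee prototype before the caller frame:", addr)
```
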