Crusader_Decomp/.github/skills/pyghidra-ghidra-ops/SKILL.md
2026-04-12 14:45:08 +02:00

---
name: pyghidra-ghidra-ops
description: MCP-only Python-backed Ghidra scripting workflow for Crusader edits and queries; use when live MCP Python/script capabilities are needed and never for the offline local CLI toolkit
---

PyGhidra Ghidra Ops

Use this skill when the live Ghidra MCP session needs Python-backed inspection or scripted edits. Do not use the offline local PyGhidra CLI from this workspace.

Use Cases

  • Run live MCP readonly Python-backed inspection when decompiler or xref work needs scripted help.
  • Run live MCP write-capable scripted edits for small verified rename, comment, function-boundary, or datatype batches.
  • Keep scripted Ghidra work inside the active GUI-backed MCP session so project locks do not matter.

Workspace Defaults

  • Active authority: the live Ghidra MCP session
  • Default target unless stated otherwise: CRUSADER.EXE
  • Python-backed operations must run through MCP endpoints exposed by the active Ghidra session

Constraints

  • Stay conservative. Use the same rename and batch-size rules as the main Ghidra workflow.
  • Prefer one focused plan or 1-5 direct edits at a time.
  • Never fall back to the offline/local CLI path from this workspace.
  • If MCP cannot do the needed Python-backed operation, document the gap in ghidra_mcp_wishlist.md rather than using the local toolkit.
  • Keep crusader_decompilation_notes.md updated after verified repair batches.

For 16-bit NE decompiler failures after prototype edits or function recreation, inspect direct callees before assuming the caller frame is corrupt. In this repo a broken caller (1420:1499) was only fixed after repairing a shared callee (1000:42e2) whose pointer-return prototype had decompiled with a hidden __return_storage_ptr__ and poisoned the caller stack model.
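As an added read-only example (not code from the Crusader_Decomp repo), the callee check described above written for the live MCP Python endpoint: it walks a caller's direct callees and flags the prototype shapes that can poison the caller's stack model. It assumes the endpoint exposes the usual GhidraScript globals toAddr, getFunctionAt and monitor; the stand-in classes at the bottom are constructed so the check can be exercised offline.

```python
def suspect_callees(caller, monitor=None):
    """Direct callees whose prototype can poison the caller's stack model:
    a forced-indirect return (the hidden __return_storage_ptr__ seen on the
    1000:42e2 callee) or custom variable storage. Sorted by entry point."""
    findings = []
    for callee in caller.getCalledFunctions(monitor):
        reasons = []
        if callee.getReturn().isForcedIndirect():
            reasons.append("forced-indirect return (hidden __return_storage_ptr__)")
        if callee.hasCustomVariableStorage():
            reasons.append("custom variable storage")
        if reasons:
            findings.append((callee.getName(), str(callee.getEntryPoint()), "; ".join(reasons)))
    return sorted(findings, key=lambda f: f[1])


def report(caller_addr):
    """Live-session entry point; assumes the MCP Python endpoint exposes the
    GhidraScript globals toAddr/getFunctionAt/monitor (an assumption)."""
    caller = getFunctionAt(toAddr(caller_addr))
    hits = suspect_callees(caller, monitor) if caller is not None else []
    for name, entry, reason in hits:
        print("%s @ %s: %s" % (name, entry, reason))
    return hits


# Constructed stand-ins for the small Function/Parameter surface used above,
# so the check can be exercised offline; they are not Ghidra objects.
class _Ret(object):
    def __init__(self, forced): self.forced = forced
    def isForcedIndirect(self): return self.forced


class _Func(object):
    def __init__(self, name, entry, forced=False, custom=False, callees=()):
        self.name, self.entry, self.forced, self.custom = name, entry, forced, custom
        self.callees = list(callees)
    def getCalledFunctions(self, monitor): return set(self.callees)
    def getReturn(self): return _Ret(self.forced)
    def hasCustomVariableStorage(self): return self.custom
    def getName(self): return self.name
    def getEntryPoint(self): return self.entry


def demo():
    """Mirror the note above: caller 1420:1499 calls the shared callee 1000:42e2."""
    shared = _Func("FUN_1000_42e2", "1000:42e2", forced=True)
    clean = _Func("FUN_1000_0100", "1000:0100")  # constructed clean callee
    caller = _Func("FUN_1420_1499", "1420:1499", callees=[shared, clean])
    return suspect_callees(caller)
```

In the live session, call report("1420:1499") and repair the flagged callee's prototype first, then re-decompile the caller.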

MCP Usage Pattern

  • Prefer standard MCP endpoints first for decompilation, disassembly, xrefs, renames, comments, function creation/deletion, and datatype work.
  • Use live MCP Python/script endpoints only when the ordinary endpoint surface cannot express the needed operation.
  • Keep script batches small and evidence-driven, just like ordinary MCP edit plans.
  • When a live MCP Python/script batch succeeds, treat that as the canonical workflow; do not duplicate it through the local CLI.

Implementation Notes

  • Address strings still accept raw SSSS:OOOO form or plain integers such as 0x75a90 when the underlying MCP endpoint supports them.
  • Keep the active-program context in mind; if the wrong Ghidra tab is active, fix that through the live MCP workflow rather than opening a second offline project handle.
  • If a missing live endpoint or script capability blocks work, update ghidra_mcp_wishlist.md so the gap stays visible instead of reintroducing the local CLI fallback.