---
name: pyghidra-ghidra-ops
description: MCP-only Python-backed Ghidra scripting workflow for Crusader edits and queries; use when live MCP Python/script capabilities are needed and never for the offline local CLI toolkit
---

# PyGhidra Ghidra Ops

Use this skill when the live Ghidra MCP session needs Python-backed inspection or scripted edits. Do not use the offline local PyGhidra CLI from this workspace.

## Use Cases

- Run live MCP readonly Python-backed inspection when decompiler or xref work needs scripted help.
- Run live MCP write-capable scripted edits for small verified rename, comment, function-boundary, or datatype batches.
- Keep scripted Ghidra work inside the active GUI-backed MCP session so project locks do not matter.

## Workspace Defaults

- Active authority: the live Ghidra MCP session
- Default target unless stated otherwise: `CRUSADER.EXE`
- Python-backed operations must run through MCP endpoints exposed by the active Ghidra session

## Constraints

- Stay conservative. Use the same rename and batch-size rules as the main Ghidra workflow.
- Prefer one focused plan or 1-5 direct edits at a time.
- Never fall back to the offline/local CLI path from this workspace.
- If MCP cannot do the needed Python-backed operation, document the gap in `ghidra_mcp_wishlist.md` rather than using the local toolkit.
- Keep `crusader_decompilation_notes.md` updated after verified repair batches.

For 16-bit NE decompiler failures after prototype edits or function recreation, inspect direct callees before assuming the caller frame is corrupt. In this repo a broken caller (`1420:1499`) was only fixed after repairing a shared callee (`1000:42e2`) whose pointer-return prototype had decompiled with a hidden `__return_storage_ptr__` and poisoned the caller stack model.
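
An added example (not part of this repo's tooling) of the callee-first triage described above: given decompiler text for a caller's direct callees, it lists the callees whose signature shows the hidden `__return_storage_ptr__`. The input dictionaries, the callee `1000:4310` and the decompiled text are constructed samples; fetching them from the live MCP session is assumed and not shown.

```python
import re

# Name Ghidra's decompiler gives the hidden return-storage auto-parameter.
HIDDEN_RET = "__return_storage_ptr__"
_SEG_OFF = re.compile(r"^([0-9a-fA-F]{1,4}):([0-9a-fA-F]{1,4})$")


def normalize_address(text):
    """Canonical key for an `SSSS:OOOO` string or a plain integer such as 0x75a90."""
    text = text.strip()
    match = _SEG_OFF.match(text)
    if match:
        return "%04x:%04x" % (int(match.group(1), 16), int(match.group(2), 16))
    return hex(int(text, 0))  # raises ValueError for anything else


def suspect_callees(caller, call_edges, decompiled):
    """Direct callees of `caller` whose decompiled signature has the hidden pointer.

    call_edges: {caller address: [callee address, ...]}
    decompiled: {function address: decompiled C text}
    Both shapes are assumptions made for this example.
    """
    edges = {normalize_address(k): v for k, v in call_edges.items()}
    texts = {normalize_address(k): v for k, v in decompiled.items()}
    suspects = []
    for callee in edges.get(normalize_address(caller), []):
        key = normalize_address(callee)
        # Look only at the prototype line(s), i.e. the text before the body.
        signature = texts.get(key, "").split("{", 1)[0]
        if HIDDEN_RET in signature and key not in suspects:
            suspects.append(key)
    return suspects


# Constructed sample data: one shared callee is listed twice in mixed case.
SAMPLE_EDGES = {"1420:1499": ["1000:42e2", "1000:4310", "1000:42E2"]}
SAMPLE_DECOMPILED = {
    "1000:42e2": "undefined2 * FUN_1000_42e2(undefined2 *__return_storage_ptr__,"
                 "int param_1)\n{\n  return __return_storage_ptr__;\n}\n",
    "1000:4310": "void FUN_1000_4310(int param_1)\n{\n  return;\n}\n",
}

if __name__ == "__main__":
    for addr in suspect_callees("1420:1499", SAMPLE_EDGES, SAMPLE_DECOMPILED):
        print("repair callee prototype first:", addr)
```
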

## MCP Usage Pattern

- Prefer standard MCP endpoints first for decompilation, disassembly, xrefs, renames, comments, function creation/deletion, and datatype work.
- Use live MCP Python/script endpoints only when the ordinary endpoint surface cannot express the needed operation.
- Keep script batches small and evidence-driven, just like ordinary MCP edit plans.
- When a live MCP Python/script batch succeeds, treat that as the canonical workflow; do not duplicate it through the local CLI.

## Implementation Notes

- Address strings still accept raw `SSSS:OOOO` form or plain integers such as `0x75a90` when the underlying MCP endpoint supports them.
- Keep the active-program context in mind; if the wrong Ghidra tab is active, fix that through the live MCP workflow rather than opening a second offline project handle.
- If a missing live endpoint or script capability blocks work, update `ghidra_mcp_wishlist.md` so the gap stays visible instead of reintroducing the local CLI fallback.