Skip to content

kirkderp/rbinr2

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
.github/workflows
.github/workflows
 
 
crates
crates
 
 
.gitignore
.gitignore
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
rust-toolchain.toml
rust-toolchain.toml
 
 

Repository files navigation

rbinr2

License Rust radare2

MCP server for radare2-based binary analysis.

rbinr2 manages persistent r2pipe sessions, runs radare2 analysis on binaries, and exposes 39 tools as named Model Context Protocol tools over stdio.

Tools

Session Management

  • r2_open / r2_close / r2_sessions -- open/close/list persistent r2 sessions

Metadata & Discovery

  • r2_metadata -- mode-driven view: info, headers, version_info, entry_points, sections, relocations, resources, libraries, imports, exports, symbols, strings, or functions (with name filtering and pagination)
  • r2_classes -- list classes or inspect one class with methods/fields
  • r2_vtables -- bounded native vtable discovery with pagination
  • r2_types -- type-system views, function signatures, struct/enum lists, and type casts
  • r2_imports_grouped -- imports grouped by semantic usage with calling functions
  • r2_plugins -- installed r2 asm, analysis, binary, hash, and decompiler capabilities
  • r2_flags -- flags, demangled names, and flagspaces with pagination
  • r2_lookup_address -- resolve an address to flags, symbols, enclosing function
  • r2_address_info -- r2 address classification metadata from aij
  • r2_calculate -- evaluate a math expression (?v), returns hex/decimal/binary

Disassembly & Decompilation

  • r2_disassemble -- bounded instruction window (json or text); function mode available
  • r2_opcodes -- structured opcode-analysis rows from aoj
  • r2_decompile -- pseudocode via an installed r2 decompiler plugin (code or meta mode)
  • r2_function_view -- mode-driven: analyze, info, signature, vars, profile, strings, constants, callees, refs, or cfg
  • r2_graph -- native r2 graph exports for CFGs, callgraphs, imports, refs, xrefs, and data refs

Bytes & Extraction

  • r2_get_bytes -- raw hex bytes from an address
  • r2_extract_bytes -- bounded byte range with SHA256, previews, section mapping, and optional write-out
  • r2_block_hash -- bounded ph hash or entropy value at an address
  • r2_pointer_scan -- bounded pointer/reference-like memory scan from pxrj
  • r2_string_at -- decode strings at an address as auto/ascii/utf16/utf32/pascal

Search

  • r2_find -- unified search across functions (glob), strings, imports, or bytes (hex)
  • r2_semantic_search -- opcode-type, disasm-text, wide-string, value, reference, ROP, or hex search
  • r2_find_xrefs -- search and immediately resolve cross-references to each hit

Cross-References & Flow

  • r2_xrefs -- cross-references to or from an address
  • r2_global_xrefs -- paginated global xref inventory
  • r2_trace_data_flow -- BFS over xrefs (forward/backward) with configurable depth
  • r2_var_xrefs -- function variable read/write xrefs

ESIL Analysis

  • r2_esil_accesses -- register and memory access summaries (instructions, bytes, block, or function scope)

Advanced Analysis

  • r2_security -- checksec-style hardening fields and per-section entropy
  • r2_value_trace -- trace a seeded register value through a disassembly window
  • r2_path_digest -- macro path digest over a function or raw address range
  • r2_artifact_summary -- decode branch artifacts (strings, callsites, unsupported branches)
  • r2_field_xrefs -- map raw memory field references with symbolic tracking
  • r2_jump_table_slices -- summarize computed jump-table targets
  • r2_windows_driver_dispatch -- recover DRIVER_OBJECT dispatch and notify callback anchors

Power-User

  • r2_cmd -- run a single radare2 query command with guarded output

Requirements

  • radare2 5.9+ on PATH
  • Rust stable toolchain
  • Optional for r2_decompile mode=code: r2ghidra (r2pm -ci r2ghidra) or r2dec (r2pm -ci r2dec). Without a decompiler plugin, use mode=meta for compact pdgj metadata.

Quick Start

cargo build --workspace
cargo test --workspace

# Run the MCP server
RBM_CACHE_DIR=./cache cargo run -p rbm-server

The server speaks the MCP protocol over stdio. Configure your MCP client to use it as a stdio subprocess:

{
  "mcpServers": {
    "rbinr2": {
      "command": "/path/to/rbinr2",
      "args": [],
      "env": {
        "RBM_CACHE_DIR": "/path/to/cache"
      }
    }
  }
}

Configuration

Variable Default Description
RBM_CACHE_DIR ./rbinr2-cache Cache root (relative CWD)
RBM_R2_OPEN_TIMEOUT 120 r2 session open timeout (seconds)
RBM_TOOL_TIMEOUT_SECS 30 per-tool r2 command timeout (seconds)

Architecture

MCP Client
  -> stdio JSON-RPC
  -> rbinr2 server
  -> persistent r2pipe session per binary
  -> r2 commands with JSON projection

Binaries are opened once and cached in a per-binary r2pipe session. Subsequent queries reuse the open session, enabling sub-second response times for most operations after initial analysis.

Project Structure

crates/
  rbm-core/      Cache paths, config, environment, error types
  rbm-r2/        r2pipe session management and r2 command wrappers
  rbm-server/    MCP server binary (rbinr2)

License

MIT - see LICENSE.

About

MCP server for radare2-based binary analysis

Topics

mcp malware-analysis radare2 reverse-engineering-tools

Resources

Readme

License

MIT license
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Contributors

Languages