A modern reverse engineering platform built from scratch with AI-powered natural language queries.
- Multi-format support: ELF, PE, Mach-O
- Multi-architecture: x86, x86_64, ARM32, ARM64, MIPS
- Natural language queries: Ask questions in plain English
- Pattern detection: Crypto, network, anti-debug, anti-VM
- Function detection: Symbol-based and heuristic detection
- AI Integration: Ollama/LLM integration for intelligent analysis
- Two interfaces: CLI and GUI
# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source "$HOME/.cargo/env"
# Install Ollama (for AI features)
curl -fsSL https://ollama.com/install.sh | sh
ollama pull mistral
git clone https://github.com/iotwizz/re-ai.git
cd re-ai
cargo build --release
./target/release/re-ai-gui
GUI Features:
- Overview Tab: Binary summary, sections, pattern summary
- Disassembly Tab: Interactive disassembly with address navigation
- Functions Tab: Detected functions list
- Strings Tab: Found strings in binary
- Patterns Tab: Crypto, network, anti-debug, anti-VM detection
- Query Tab: Rule-based natural language queries
- AI Tab: Ollama integration for intelligent analysis
# Load and analyze a binary
./target/release/re-ai load --file /bin/ls
# Get binary info
./target/release/re-ai info --file /bin/ls
# Disassemble at address
./target/release/re-ai disasm --file /bin/ls --address 0x401000 --count 50
# Interactive query session
./target/release/re-ai query --file /bin/ls
The GUI includes AI-powered analysis via Ollama:
- Install Ollama:
  curl -fsSL https://ollama.com/install.sh | sh
- Pull a model:
  ollama pull mistral (or llama3, codellama)
- Open the GUI and go to the AI Tab
- Click Connect to detect Ollama
- Select your model
- "Summarize this binary and its main functionality"
- "Analyze for security vulnerabilities"
- "What cryptographic algorithms are used?"
- "Find anti-debugging techniques"
- "Is this malware?"
The AI receives:
- File format and architecture
- Entry point
- Function count and imports
- Detected patterns (crypto, network, anti-debug counts)
- String references
| Query | Result |
|---|---|
| find crypto functions | Lists cryptographic imports and patterns |
| find network operations | Lists networking imports and patterns |
| show strings | Lists strings in binary |
| show functions | Lists detected functions |
| what is at 0x401000 | Shows function/symbol at address |
| find suspicious patterns | Lists anti-debug, anti-VM patterns |
| overview | Shows binary summary |
| explain function sub_401000 | Provides function details |
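
The rule-based queries in the table above can be pictured as a small intent classifier that pulls out the address or function name and orders its keyword rules so overlapping words resolve correctly. This is an added example, not re-ai's own code; `Intent`, `parse_addr`, `classify` and the keyword rules are assumptions derived from the sample queries.

```rust
// Added example, not re-ai's code: Intent, parse_addr and classify are hypothetical names.
#[derive(Debug, PartialEq)]
enum Intent {
    FindCrypto, FindNetwork, FindSuspicious,
    ShowStrings, ShowFunctions, Overview,
    AddressLookup(u64),
    ExplainFunction(String),
    Unknown,
}

// Accept only a well-formed 0x-prefixed hex token that fits in 64 bits.
fn parse_addr(tok: &str) -> Option<u64> {
    let t = tok.trim_end_matches(|c: char| c == '?' || c == '.');
    let hex = t.strip_prefix("0x").or_else(|| t.strip_prefix("0X"))?;
    if hex.is_empty() || !hex.bytes().all(|b| b.is_ascii_hexdigit()) { return None; }
    u64::from_str_radix(hex, 16).ok()
}

fn classify(query: &str) -> Intent {
    let toks: Vec<&str> = query.split_whitespace().collect();
    let has = |w: &str| toks.iter().any(|t| t.eq_ignore_ascii_case(w));
    // Parameterised intents first. The symbol name keeps its original case.
    if has("explain") {
        if let Some(i) = toks.iter().position(|t| t.eq_ignore_ascii_case("function")) {
            return match toks.get(i + 1) {
                Some(name) => Intent::ExplainFunction((*name).to_string()),
                None => Intent::Unknown,
            };
        }
    }
    if let Some(addr) = toks.iter().find_map(|t| parse_addr(t)) {
        return Intent::AddressLookup(addr);
    }
    // Keyword rules, most specific first: "find crypto functions" is not a ShowFunctions query.
    if has("crypto") { return Intent::FindCrypto; }
    if has("network") { return Intent::FindNetwork; }
    if has("suspicious") { return Intent::FindSuspicious; }
    if has("strings") { return Intent::ShowStrings; }
    if has("functions") { return Intent::ShowFunctions; }
    if has("overview") { return Intent::Overview; }
    Intent::Unknown
}

fn main() {
    for q in ["find crypto functions", "what is at 0x401000", "explain function sub_401000"] {
        println!("{:?} -> {:?}", q, classify(q));
    }
}
```

Malformed or oversized addresses such as `0xZZ` fall through to `Unknown` instead of being passed on to the analysis layer.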
┌─────────────────────────────────────────────────────────────┐
│                       User Interface                        │
│  (CLI + GUI with tabs: Overview, Disasm, Functions, etc.)   │
└─────────────────────────────────────────────────────────────┘
                               │
                               ▼
┌─────────────────────────────────────────────────────────────┐
│                Natural Language Query Engine                │
│  - Intent classification                                    │
│  - Pattern matching                                         │
│  - Result ranking                                           │
└─────────────────────────────────────────────────────────────┘
                               │
                               ▼
┌─────────────────────────────────────────────────────────────┐
│                         AI/ML Layer                         │
│  - Local LLM (Ollama)                                       │
│  - Query intent classification                              │
│  - Result explanation                                       │
└─────────────────────────────────────────────────────────────┘
                               │
                               ▼
┌─────────────────────────────────────────────────────────────┐
│                       Analysis Engine                       │
│  - Function detection                                       │
│  - Pattern matching (50+ patterns)                          │
│  - Control flow analysis                                    │
└─────────────────────────────────────────────────────────────┘
                               │
                               ▼
┌─────────────────────────────────────────────────────────────┐
│                   Binary Processing Layer                   │
│  - Format parsers (ELF, PE, Mach-O via goblin)              │
│  - Disassembler (Capstone)                                  │
│  - String extraction                                        │
└─────────────────────────────────────────────────────────────┘
re-ai/
├── Cargo.toml
├── README.md
└── src/
    ├── main.rs            # CLI entry point
    ├── gui_main.rs        # GUI entry point
    ├── binary/            # Binary parsing
    │   ├── mod.rs
    │   └── parser.rs
    ├── disasm/            # Disassembly engine
    │   ├── mod.rs
    │   └── engine.rs
    ├── analysis/          # Analysis modules
    │   ├── mod.rs
    │   ├── functions.rs
    │   ├── patterns.rs
    │   └── cfg.rs
    ├── ai/                # AI integration
    │   ├── mod.rs
    │   ├── llm.rs
    │   └── queries.rs
    ├── ir/                # Intermediate representation
    │   ├── mod.rs
    │   └── representation.rs
    ├── cli/               # CLI commands
    │   ├── mod.rs
    │   └── commands.rs
    └── utils/             # Utilities
        └── mod.rs
Built-in detection for:
| Category | Patterns |
|---|---|
| Crypto | AES, DES, RSA, MD5, SHA, OpenSSL APIs, Windows CryptoAPI |
| Network | Socket APIs, HTTP, DNS, cURL, WinINet |
| FileSystem | File I/O, directory enumeration |
| Anti-Debug | IsDebuggerPresent, timing checks, debugger detection |
| Anti-VM | CPUID checks, VMware/VBox/QEMU detection |
| Process | Process creation, injection, memory manipulation |
Default: http://localhost:11434
Change in GUI at AI Tab → Ollama Endpoint field.
- mistral (recommended) - Fast, good for general analysis
- llama3 - Larger, more detailed responses
- codellama - Better for code understanding
- deepseek-coder - Good for reverse engineering
- Phase 1: Core binary parsing and disassembly
- Phase 1: Function detection
- Phase 1: Pattern matching
- Phase 2: CFG construction
- Phase 3: Natural language queries (rule-based)
- Phase 3: LLM integration (Ollama)
- Phase 4: GUI application
- Phase 5: Decompiler (IR → pseudocode)
- Phase 5: Cross-reference browser
- Phase 5: Hex view
- Phase 5: Plugin system
Contributions welcome! Areas of interest:
- Additional binary format parsers
- New pattern libraries
- LLM prompt engineering
- GUI improvements
- Test coverage
MIT License - see LICENSE file.

