--- name: investigate-module description: Master orchestration — full end-to-end investigation of an unknown module using all ARC Probe capabilities together (strings, RTTI, functions, xrefs, structs, bookmarks, GUI bridge) argument-hint: --- # /probe:investigate-module Full end-to-end investigation of an unknown module. This is the "master orchestration" skill — it ties together reconnaissance, string scanning, RTTI class discovery, cross-reference analysis, structure mapping, and GUI visualization into a single coherent workflow. Use this when you're dropped into a process and need to understand what a module does from scratch. By the end, you'll have named functions, mapped classes, bookmarked key addresses, and populated the GUI with all findings. **Key principle:** Use probe commands to GET data, use store commands to VISUALIZE it in the GUI. The bridge returns `{"ok":true,"data":null}` for store mutations (fire-and-forget). For actual data, use `{"action":"probe","command":"..."}` which returns the probe's JSON response. ## Arguments - `module` (required): Module name (e.g., "client.dll", "engine2.dll", "target.exe") ## Phase 1: Reconnaissance **Goal:** Understand the module's footprint — size, sections, API surface, dependencies. ### 1.1 Find and verify the module ``` probe.exe "modules list" ``` Find the target module. Record: - **Base address** - **Size** - **Full path** If the module is not found: - Try case variations (`Client.dll` vs `client.dll`) - Try with/without extension - The module may not be loaded yet (game on menu screen, DLL lazy-loaded) - Report available modules and stop ### 1.2 Get PE structure overview ``` probe.exe "modules info " probe.exe "pe sections " ``` Record the sections — this tells you where code vs data lives: - `.text` — executable code (functions live here) - `.rdata` — read-only data (strings, vtables, RTTI metadata) - `.data` — writable globals - `.pdata` — exception/unwind data (function boundaries) Note the `.text` section size — this is the total code area. The ratio of `.text` to `.rdata` tells you how code-heavy vs data-heavy the module is. ### 1.3 Analyze the export table ``` probe.exe "pe exports " ``` Exports are the module's public API. Group by naming pattern: - `CreateInterface` — Source 2 interface factory (critical entry point) - `DllMain` / `DllEntryPoint` — initialization - `Init*`, `Create*`, `Register*` — initialization functions - `Get*`, `Find*`, `Lookup*` — accessor functions - `Process*`, `Handle*`, `On*` — event handlers - `Shutdown*`, `Destroy*`, `Release*` — cleanup If exports are present, bookmark the most important ones immediately: ```bash curl -s -X POST http://localhost:9996 -H "Content-Type: application/json" -d '{ "action":"batch","actions":[ {"action":"activity","status":"working","message":"Phase 1: Reconnaissance..."}, {"action":"store","store":"bookmarks","method":"addBookmark","args":["0x","export: CreateInterface","blue",""]}, {"action":"store","store":"bookmarks","method":"addBookmark","args":["0x","export: DllMain","blue",""]} ] }' ``` ### 1.4 Analyze the import table ``` probe.exe "pe imports " ``` Imports reveal what the module CAN DO. Group by DLL: | Import DLL | Reveals | |---|---| | `kernel32.dll` | File I/O, memory, threading, process management | | `user32.dll` | Window management, input handling, message pumps | | `ws2_32.dll` / `winhttp.dll` | Networking (sockets, HTTP) | | `d3d11.dll` / `dxgi.dll` | Graphics rendering | | `ntdll.dll` | Low-level OS functions, syscalls | | `advapi32.dll` | Registry, security, services | | `crypt32.dll` / `bcrypt.dll` | Cryptography | | `ole32.dll` / `oleaut32.dll` | COM, OLE automation | This gives you a capability profile of the module before diving into code. ### 1.5 Discover all functions and populate GUI ``` probe.exe "functions discover --limit 5000" ``` Then populate the GUI Functions tab: ```bash curl -s -X POST http://localhost:9996 -H "Content-Type: application/json" -d '{ "action":"batch","actions":[ {"action":"store","store":"functions","method":"discoverFunctions","args":[""]}, {"action":"navigate","tab":"functions"} ] }' ``` Record: - Total function count (from `.pdata`) - Named function count (exports + RTTI) - Unnamed function count (these will be identified in later phases) **Decision point:** Module size determines the depth of subsequent phases. | Module Size | Approach | |---|---| | Small (<1 MB) | Full analysis — scan everything, trace every string, map every class | | Medium (1-20 MB) | Targeted analysis — scan strings/RTTI, trace top 10-20 strings | | Large (>20 MB) | Focused analysis — search for specific strings/classes, skip full scans | ## Phase 2: String Discovery **Goal:** Find all printable strings and identify which ones reveal function purpose. ### 2.1 Scan for strings ``` probe.exe "strings scan " ``` Populate the GUI Strings sub-tab: ```bash curl -s -X POST http://localhost:9996 -H "Content-Type: application/json" -d '{ "action":"batch","actions":[ {"action":"activity","status":"working","message":"Phase 2: Scanning strings..."}, {"action":"store","store":"strings","method":"scanStrings","args":[""]} ] }' ``` ### 2.2 Categorize interesting strings Scan the results for high-value patterns: | Pattern | Why It Matters | Example | |---|---|---| | `"ClassName::MethodName"` | Direct function identification (assert/debug strings) | `"CBaseEntity::TakeDamage"` | | `"Failed..."`, `"Error..."`, `"Invalid..."` | Error handling functions | `"Failed to initialize %s"` | | `"[TAG] ..."`, `"DEBUG: ..."` | Logging infrastructure | `"[NET] Connection lost"` | | `"%s"`, `"%d"`, `"%f"` | Format strings reveal parameter types | `"Player %s (id=%d) spawned"` | | `".cfg"`, `".json"`, `".xml"` | File loading/parsing functions | `"configs/game.json"` | | `"http://"`, `"ws://"` | Network endpoints | `"http://api.example.com"` | | UI text (buttons, labels) | UI handler functions | `"Start Game"`, `"Settings"` | | SQL queries | Database access | `"SELECT * FROM players"` | | Registry paths | Configuration storage | `"SOFTWARE\\Company\\App"` | ### 2.3 Trace key strings to functions For the 5-10 most interesting strings, find what code references them: ``` probe.exe "strings find " ``` Note the string address, then find code references: ``` probe.exe "strings xref " ``` Each xref gives you a code address (LEA instruction) inside a function. Disassemble around it: ``` probe.exe "disasm 15" ``` Identify the enclosing function (look for prologue above the xref). The string context reveals the function's purpose: - `lea rcx, "CBaseEntity::TakeDamage"` then `call AssertFailed` --> this IS `CBaseEntity::TakeDamage` - `lea rcx, "Failed to connect to %s"` then `call LogError` --> this is a network connection function - `lea rcx, "HP: %d / %d"` then `call DrawText` --> this is a health bar renderer ### 2.4 Bookmark interesting strings ```bash curl -s -X POST http://localhost:9996 -H "Content-Type: application/json" -d '{ "action":"batch","actions":[ {"action":"store","store":"bookmarks","method":"addBookmark","args":["0x","str: \"CBaseEntity::TakeDamage\"","green",""]}, {"action":"store","store":"bookmarks","method":"addBookmark","args":["0x","str: \"Failed to connect\"","green",""]}, {"action":"store","store":"label","method":"setLabel","args":["0x","CBaseEntity::TakeDamage (from assert string)"]}, {"action":"store","store":"label","method":"setLabel","args":["0x","NetworkConnect (refs: \"Failed to connect\")"]}, {"action":"store","store":"functions","method":"setFunctionName","args":["0x","CBaseEntity::TakeDamage"]}, {"action":"store","store":"functions","method":"setFunctionName","args":["0x","NetworkConnect"]} ] }' ``` **Color convention for bookmarks:** - `"blue"` — functions, exports, entry points - `"green"` — data, strings, constants - `"orange"` — user-discovered / interesting / needs review - `"red"` — dangerous / write targets / hooks ## Phase 3: RTTI Class Discovery **Goal:** Map all C++ classes with virtual functions, understand inheritance hierarchies, and identify key classes. ### 3.1 Scan for RTTI classes ``` probe.exe "rtti scan " ``` Populate the GUI Classes sub-tab: ```bash curl -s -X POST http://localhost:9996 -H "Content-Type: application/json" -d '{ "action":"batch","actions":[ {"action":"activity","status":"working","message":"Phase 3: Scanning RTTI classes..."}, {"action":"store","store":"rtti","method":"scanModule","args":[""]} ] }' ``` ### 3.2 Categorize classes by role Group the discovered classes by naming patterns: | Pattern | Role | Priority | |---|---|---| | `*Manager`, `*System` | Singleton managers — central control points | High | | `*Controller`, `*Handler` | Event/input processing | High | | `*Factory`, `*Builder` | Object creation | Medium | | `*Component` | Component-based architecture pieces | Medium | | `C_*`, `CBase*` | Game entity classes | High (for games) | | `I*` (prefix) | Interface/abstract base classes | Medium | | `*Renderer`, `*View` | Visual/UI classes | Medium | | `*Cache`, `*Pool` | Resource management | Low | | `*Listener`, `*Observer` | Event observation | Low | ### 3.3 Explore key class hierarchies For the 3-5 most important classes (Managers, Controllers, main entity types): ``` probe.exe "rtti hierarchy " ``` Load the hierarchy into the GUI: ```bash curl -s -X POST http://localhost:9996 -H "Content-Type: application/json" \ -d '{"action":"store","store":"rtti","method":"loadHierarchy","args":["",""]}' ``` ### 3.4 Map vtables for key classes For each important class: ``` probe.exe "rtti vtable " ``` Load the vtable into the GUI: ```bash curl -s -X POST http://localhost:9996 -H "Content-Type: application/json" \ -d '{"action":"store","store":"rtti","method":"loadVtable","args":["",""]}' ``` ### 3.5 Analyze vtable entries For each vtable, categorize entries by disassembling the first few instructions: ``` probe.exe "disasm 8" ``` Recognize these patterns: - **Destructor** (index 0-1): complex function with `call operator_delete` - **Getter**: `mov eax, [rcx+0x??]; ret` — reveals a struct field at that offset - **Setter**: `mov [rcx+0x??], edx; ret` — reveals a writable field - **Boolean getter**: `movzx eax, byte ptr [rcx+0x??]; ret` - **Type check**: `xor eax, eax; ret` (returns false) or `mov eax, 1; ret` (returns true) - **Thunk**: `jmp ` — follow the jump - **Pure virtual**: `int3` or `call __purecall` — abstract, must be overridden Name functions based on vtable position + class name: ```bash curl -s -X POST http://localhost:9996 -H "Content-Type: application/json" -d '{ "action":"batch","actions":[ {"action":"store","store":"bookmarks","method":"addBookmark","args":["0x","vtable: ","blue",""]}, {"action":"store","store":"functions","method":"setFunctionName","args":["0x","::~"]}, {"action":"store","store":"functions","method":"setFunctionName","args":["0x","::GetHealth (getter +0x354)"]}, {"action":"store","store":"functions","method":"setFunctionName","args":["0x","::IsAlive (bool +0x103)"]}, {"action":"store","store":"label","method":"setLabel","args":["0x","vtable: "]} ] }' ``` ### 3.6 Build a field map from getters/setters Compile all getter/setter findings into a field map per class: ``` Known fields for ClassName: +0x000 pointer vtable +0x103 bool IsAlive (vf[5]) +0x330 pointer GameSceneNode* (vf[18]) +0x350 int32 MaxHealth (vf[22]) +0x354 int32 Health (vf[23]) +0x3F3 uint8 TeamNum (vf[31]) ``` This field map feeds directly into Phase 5 (Structure Mapping). ## Phase 4: Cross-Reference Analysis **Goal:** Build a call graph understanding by tracing connections between discovered functions. ### 4.1 Pick key functions to analyze From Phases 2-3, you should have a list of named functions. Prioritize: 1. Functions found via string references (Phase 2) — you know their purpose 2. Large vtable entries from important classes (Phase 3) — core logic 3. Exported functions (Phase 1) — the module's public API ### 4.2 Full disassembly of each key function ``` probe.exe "disasm func " ``` For each function, note: - **Size** (instruction count, byte length) - **Complexity** (branches, loops, nested calls) - **String references** (LEA instructions pointing to .rdata) - **CALL instructions** (callees) - **Field accesses** (`[rcx+offset]` patterns) ### 4.3 Find callers (who calls this function) ``` probe.exe "xref scan --type CALL --limit 20" ``` Load xrefs into the GUI: ```bash curl -s -X POST http://localhost:9996 -H "Content-Type: application/json" \ -d '{"action":"store","store":"xrefs","method":"loadXrefs","args":["0x"]}' ``` If zero callers found: - The function may be called **indirectly** via function pointer or vtable - Try `--type CALL,MOV` to catch indirect references - Try scanning other modules - The function may only be called from JIT-compiled code ### 4.4 Find callees (what this function calls) ``` probe.exe "xref scan --callees --limit 30" ``` For interesting callees, quick-identify them: ``` probe.exe "disasm 5" ``` Look for getters, known API functions, or functions with string references. ### 4.5 Build the call graph Connect the findings into a graph: ``` GameWorld::SpawnEntity -> CEntitySystem::InitEntity (refs: "Failed to initialize entity") -> EntityValidator::Check -> CBaseEntity::SetupFields -> FieldParser::ParseJSON (refs: "configs/entities.json") -> CBaseEntity::Activate -> CBaseEntity::TakeDamage (refs: assert string) ``` ### 4.6 Label call graph in GUI ```bash curl -s -X POST http://localhost:9996 -H "Content-Type: application/json" -d '{ "action":"batch","actions":[ {"action":"activity","status":"working","message":"Phase 4: Labeling call graph..."}, {"action":"store","store":"functions","method":"setFunctionName","args":["0x","GameWorld::SpawnEntity"]}, {"action":"store","store":"functions","method":"setFunctionComment","args":["0x","Caller of InitEntity. 3 callees."]}, {"action":"store","store":"functions","method":"setFunctionName","args":["0x","CEntitySystem::InitEntity"]}, {"action":"store","store":"functions","method":"setFunctionComment","args":["0x","Refs: \"Failed to initialize entity\". Called by SpawnEntity."]}, {"action":"store","store":"label","method":"setLabel","args":["0x","GameWorld::SpawnEntity"]}, {"action":"store","store":"label","method":"setLabel","args":["0x","CEntitySystem::InitEntity"]}, {"action":"activity","status":"idle","message":"Phase 4 complete"} ] }' ``` Limit batch size to ~50 entries per request. ## Phase 5: Structure Mapping **Goal:** For classes with interesting data, map their struct layout and create interactive structs in the GUI. ### 5.1 Find live instances To create a struct in the GUI, you need a base address — a live instance of the class. Several approaches: **From a known pointer:** If earlier phases revealed a global pointer to a manager/system object: ``` probe.exe "read_ptr " ``` **From vtable pattern scan:** Search for the vtable pointer (first 8 bytes of every instance): ``` probe.exe "pattern " ``` Convert the vtable address to little-endian bytes. For `0x7FFB1A2B3C40`: ``` probe.exe "pattern 40 3C 2B 1A FB 7F 00 00" ``` **From known entity system:** If the target is a game, use entity list traversal. **From breakpoints:** Set a breakpoint on a constructor or getter, trigger it, read RCX: ``` probe.exe "bp set " # ... trigger the object creation ... probe.exe "bp log 0" # RCX from the log = this pointer = object instance probe.exe "bp remove 0" ``` ### 5.2 Hex dump the instance ``` probe.exe "dump 256" ``` Look for: - **Pointer-like values** — 8-byte aligned, in the `0x7FF...` range (code) or `0x000...` high range (heap) - **Small integers** — health, team, state values - **Float values** — positions, angles, scales - **Zero regions** — padding or uninitialized fields - **String pointers** — follow them with `read_string` ### 5.3 Validate fields with typed reads For each candidate field: ``` probe.exe "read_ptr " probe.exe "read_int " probe.exe "read_float " probe.exe "read_string " ``` Cross-reference with the field map from Phase 3.6 — the getter/setter offsets should match. ### 5.4 Create struct in GUI ```bash curl -s -X POST http://localhost:9996 -H "Content-Type: application/json" -d '{ "action":"batch","actions":[ {"action":"activity","status":"working","message":"Phase 5: Building struct ..."}, {"action":"store","store":"struct","method":"createStruct","args":["","0x",1024]}, {"action":"store","store":"struct","method":"addField","args":["",0,"pointer","vtable"]}, {"action":"store","store":"struct","method":"addField","args":["",16,"pointer","m_pUnknown (+0x10)"]}, {"action":"store","store":"struct","method":"addField","args":["",259,"bool","m_bIsAlive (+0x103)"]}, {"action":"store","store":"struct","method":"addField","args":["",816,"pointer","m_pGameSceneNode (+0x330)"]}, {"action":"store","store":"struct","method":"addField","args":["",848,"int32","m_iMaxHealth (+0x350)"]}, {"action":"store","store":"struct","method":"addField","args":["",852,"int32","m_iHealth (+0x354)"]}, {"action":"store","store":"struct","method":"addField","args":["",860,"int32","m_lifeState (+0x35C)"]}, {"action":"store","store":"struct","method":"addField","args":["",1011,"uint8","m_iTeamNum (+0x3F3)"]}, {"action":"navigate","tab":"structs"}, {"action":"activity","status":"idle","message":"Struct created with N fields"} ] }' ``` **Important:** `addField` offsets are in **decimal**, not hex. Convert: `0x103 = 259`, `0x330 = 816`, `0x354 = 852`, etc. ### 5.5 Follow pointer fields For each pointer field in the struct, read where it points and recursively explore: ``` probe.exe "read_ptr " probe.exe "dump 128" probe.exe "rtti resolve " ``` If RTTI resolves, you know the pointed-to class. Create a child struct if it's interesting. ### 5.6 Label addresses ```bash curl -s -X POST http://localhost:9996 -H "Content-Type: application/json" -d '{ "action":"batch","actions":[ {"action":"store","store":"label","method":"setLabel","args":["0x","instance: "]}, {"action":"store","store":"label","method":"setLabel","args":["0x","instance: GameSceneNode (owned by )"]}, {"action":"store","store":"bookmarks","method":"addBookmark","args":["0x","live instance: ","orange",""]} ] }' ``` ## Phase 6: Documentation and Summary **Goal:** Bookmark all key findings, name all discovered functions, and produce a comprehensive report. ### 6.1 Final bookmarking pass Ensure all key addresses are bookmarked with consistent color coding: ```bash curl -s -X POST http://localhost:9996 -H "Content-Type: application/json" -d '{ "action":"batch","actions":[ {"action":"activity","status":"working","message":"Phase 6: Documenting findings..."}, {"action":"store","store":"bookmarks","method":"addBookmark","args":["0x","export: CreateInterface","blue",""]}, {"action":"store","store":"bookmarks","method":"addBookmark","args":["0x","vtable: CEntitySystem","blue",""]}, {"action":"store","store":"bookmarks","method":"addBookmark","args":["0x","fn: CEntitySystem::InitEntity","blue",""]}, {"action":"store","store":"bookmarks","method":"addBookmark","args":["0x","str: \"Failed to initialize\"","green",""]}, {"action":"store","store":"bookmarks","method":"addBookmark","args":["0x","obj: CEntitySystem instance","orange",""]}, {"action":"store","store":"bookmarks","method":"addBookmark","args":["0x","CAUTION: hooked function","red",""]}, {"action":"activity","status":"idle","message":"Investigation complete"} ] }' ``` ### 6.2 Generate signatures for key functions For each important discovered function: ``` probe.exe "sig 32 " ``` Test uniqueness: ``` probe.exe "pattern " ``` If not unique (>1 match), try longer: ``` probe.exe "sig 64 " ``` Record signatures so functions can be re-found after binary updates. ### 6.3 Comment functions with context ```bash curl -s -X POST http://localhost:9996 -H "Content-Type: application/json" -d '{ "action":"batch","actions":[ {"action":"store","store":"functions","method":"setFunctionComment","args":["0x","Initializes entity system. Refs: \"Failed to initialize\". Called by GameWorld::SpawnEntity. Sig: 48 89 5C 24 08 57 48 83 EC 20..."]}, {"action":"store","store":"functions","method":"setFunctionComment","args":["0x","Health getter. Returns [rcx+0x354]. vtable[23] of C_BaseEntity."]} ] }' ``` ### 6.4 Final report Present a comprehensive structured summary: ``` Module Investigation: client.dll ================================= Base: 0x7FFB0A8D0000 Size: 0x3E00000 (62 MB) Path: C:\Program Files\Steam\steamapps\common\Game\bin\win64\client.dll Sections: .text 0x001000 0x2800000 (40 MB code) .rdata 0x2801000 0x0F00000 (15 MB read-only data) .data 0x3701000 0x0100000 (1 MB writable data) .pdata 0x3801000 0x0300000 (3 MB exception data) Capability Profile (from imports): - Networking (ws2_32.dll) — socket-based communication - Graphics (d3d11.dll) — rendering - File I/O (kernel32.dll) — file loading - Threading (kernel32.dll) — multi-threaded Functions: 98,432 total (.pdata) 47 exports (public API) 2,841 RTTI virtual functions across 412 classes 37 functions named via string references ~95,000 unnamed functions Key Exports: 0x7FFB0A8D1000 CreateInterface 0x7FFB0A8D2000 DllMain Top Classes (RTTI): CEntitySystem (31 vtable entries) - manages entity lifecycle - vtable: 0x7FFB0C8D4000 C_BaseEntity (42 vtable entries) - base class for all game entities - inheritance: C_BaseEntity <- CEntityInstance - vtable: 0x7FFB0C8D5000 - field map: +0x330 pGameSceneNode, +0x354 health, +0x3F3 team C_BasePlayerPawn (89 vtable entries) - player character - inheritance: <- C_BaseEntity <- CEntityInstance - vtable: 0x7FFB0C8D6000 Key Functions (from string + xref analysis): 0x7FFB0B1A4500 CBaseEntity::TakeDamage — refs assert string, sig: 48 89 5C... 0x7FFB0B2E7800 CEntitySystem::InitEntity — refs "Failed to initialize", sig: 40 53 48... 0x7FFB0B3C1200 NetworkConnect — refs "Connecting to %s:%d", sig: 48 89 74... Structs Created: C_BaseEntity at 0x055EA1C28000 — 8 fields mapped (+0x0 vtable, +0x330 scene node, +0x354 health, ...) CEntitySystem at 0x055EA2D10000 — 5 fields mapped Signatures (for binary update resilience): CBaseEntity::TakeDamage 48 89 5C 24 08 57 48 83 EC 20 48 8B D9 E8 ?? ?? ?? ?? CEntitySystem::InitEntity 40 53 48 83 EC 20 48 8B D9 48 8B 49 08 ?? ?? ?? ?? NetworkConnect 48 89 74 24 10 57 48 83 EC 30 48 8B FA ?? ?? ?? ?? Open Questions: - Function at 0x7FFB0B4A0000 (large, ~0x800 bytes, no string refs) — needs hwbp tracing - Unknown class "CSecretManager" — no instances found, constructor not identified - Import of ws2_32!connect but no visible connection string — may use encrypted config ``` ## Adapting to Module Size ### Small modules (<1 MB) Fully analyzable. Do everything: - `functions discover` with no limit - `strings scan` produces a manageable list - Trace EVERY interesting string to its function - Map EVERY RTTI class hierarchy and vtable - Disassemble the top 20 functions fully - Create structs for all discovered classes ### Medium modules (1-20 MB) Targeted analysis: - `functions discover --limit 5000` - `strings scan` then focus on the most interesting 20-30 strings - RTTI scan all classes but only deep-dive the top 5-10 - Xref analysis on the top 10 functions - Create structs only for classes where you found live instances ### Large modules (>20 MB) Focused analysis — don't try to catalog everything: - Skip full `functions discover` with pdata (use `--exports --rtti` only) - Use `strings find ` instead of `strings scan` (full scan takes too long) - Use `rtti find ` to search for specific classes - Limit xref scans — scanning a 40MB .text section takes several seconds per scan - Focus on one subsystem at a time ## Decision Trees ### "I found a string but no xrefs" ``` strings xref returned 0 results? | +-- Try broader xref: xref scan --type LEA,MOV --limit 20 | | | +-- Found results? --> Analyze those code locations | +-- Still nothing? | | | +-- Is the string in .data (writable)? | | | | | +-- Yes: Runtime-constructed string. Set hwbp on the string address | | | to catch what writes it: hwbp set r 8 | | +-- No (.rdata): The reference may be via a pointer table. | | Pattern scan for the address bytes in .rdata | | | +-- The string may be in a different module. Try without module filter. ``` ### "I found an RTTI class but no instances" ``` rtti vtable found, but pattern scan for vtable bytes returns 0? | +-- Object may be heap-allocated (pattern scan only covers loaded modules) | --> Set breakpoint on the constructor (find via vtable[0] destructor cross-refs) | --> Trigger object creation, read RCX from bp log | +-- Class may be abstract (pure virtual entries in vtable) | --> Look for derived classes: rtti find | --> Search for instances of derived classes instead | +-- Class may not be instantiated yet --> Try again after triggering more application behavior ``` ### "I found a function but don't know what it does" ``` No string references? No RTTI context? | +-- Check callers: xref scan --type CALL | | | +-- Found callers? --> Analyze the callers (they may have strings) | +-- No callers? --> Likely called indirectly (vtable or function pointer) | --> Check if the address appears in any vtable: rtti scan | +-- Check callees: xref scan --callees | | | +-- Callees have strings? --> The function's purpose relates to its callees | +-- Callees are all system API? --> Function is a wrapper/utility | +-- Set a breakpoint and observe: bp set | --> Trigger various actions in the application | --> bp log to see when it fires and with what arguments | +-- Hardware breakpoint on data it accesses: --> Find a field offset from the disassembly ([rcx+0x??]) --> hwbp set w 4 --> See what triggers the write ``` ## Example: Full Batch for Phase 1+2+3 Setup This single batch populates the GUI with all three discovery scans at once: ```bash curl -s -X POST http://localhost:9996 -H "Content-Type: application/json" -d '{ "action":"batch","actions":[ {"action":"activity","status":"working","message":"Investigating : discovering functions, strings, classes..."}, {"action":"store","store":"functions","method":"discoverFunctions","args":[""]}, {"action":"store","store":"strings","method":"scanStrings","args":[""]}, {"action":"store","store":"rtti","method":"scanModule","args":[""]}, {"action":"navigate","tab":"functions"}, {"action":"activity","status":"idle","message":"Discovery complete — review Functions tab"} ] }' ``` After this batch completes, the GUI has all three tabs populated and ready for interactive exploration. The LLM can then proceed with targeted analysis in Phases 2-5 based on what was discovered. ## Tips - **Start broad, narrow down.** Phase 1 gives you the big picture. Each subsequent phase drills deeper into specific areas of interest. - **Strings are your best friend.** In an unknown binary, string references are the most reliable and fastest way to understand function purpose. Always prioritize string analysis. - **RTTI class names are the second-best friend.** They reveal the module's object model and class hierarchy without any disassembly. - **Exports + imports = capability profile.** Before reading a single instruction, you can understand what a module does from its API surface and dependencies. - **Cross-reference analysis connects the dots.** Individual functions are points; xrefs are the lines that connect them into a graph. The graph reveals the system architecture. - **Label as you go.** Every address you understand should be labeled immediately. Don't wait until the end — you'll forget what you discovered. - **Use the GUI as your notebook.** Structs, bookmarks, labels, and function names all persist in the GUI session. Populate them continuously. - **Generate signatures for everything important.** Binary updates break addresses but not signatures. A good signature survives months of patches. - **Don't get lost in the weeds.** Large modules have tens of thousands of functions. You don't need to understand them all. Focus on the subsystem relevant to the user's goal. - **Use batch commands aggressively.** One batch with 30 label commands is better than 30 individual curl calls. Limit to ~50 actions per batch. - **After this skill, use targeted skills for deep dives.** Once the module map is built, use `/probe:analyze-function` for specific functions, `/probe:discover-class` for specific classes, `/probe:map-struct` for specific data structures, and `/probe:trace-writes` for dynamic analysis.