pi: generic-ize ghidra skill (drop game-specific examples)

2026-05-04 20:30:07 -04:00
parent feae0f8002
commit 05b2741ec0
1 changed files with 29 additions and 30 deletions
--- a/home/progs/pi.nix
+++ b/home/progs/pi.nix
@@ -152,7 +152,8 @@ in
    # OMP discovers servers from this file at startup. The ghidra entry below
    # spawns pyghidra-mcp on stdio when the agent invokes any of its tools.
    ".omp/agent/mcp.json".text = builtins.toJSON {
-      "$schema" = "https://raw.githubusercontent.com/can1357/oh-my-pi/main/packages/coding-agent/src/config/mcp-schema.json";
+      "$schema" =
+        "https://raw.githubusercontent.com/can1357/oh-my-pi/main/packages/coding-agent/src/config/mcp-schema.json";
      mcpServers = {
        ghidra = {
          command = lib.getExe pyghidra-mcp;
@@ -297,57 +298,55 @@ in
      A headless MCP server is configured at `mcpServers.ghidra` in
      `~/.omp/agent/mcp.json` and binds Ghidra's analysis engine to MCP tools
      you can call directly. The Ghidra install lives at
-      `${pkgs.ghidra}/lib/ghidra`; pyghidra-mcp picks it up via the
+      `''${pkgs.ghidra}/lib/ghidra`; pyghidra-mcp picks it up via the
      GHIDRA_INSTALL_DIR env var that's wired into the binary's wrapper.

      ## When to use this

-      - Static analysis of any compiled binary you have on disk (or extract
-        from a game install, container image, firmware dump, etc.).
-      - Finding the decision logic behind a runtime behavior. E.g. where in
-        F1 23's executable the adaptive-trigger code lives and what params
-        it passes.
-      - Extracting embedded tuning tables from `.rdata`/`.data` sections.
-      - Discovering which Sony / Steam / Windows HID APIs a game calls.
+      - Static analysis of any compiled binary you have on disk.
+      - Finding the decision logic behind an observed runtime behavior, when
+        the source isn't available.
+      - Extracting embedded tables/constants from `.rdata`/`.data` sections.
+      - Discovering which APIs (libc, OS, vendor SDKs) a binary imports and
+        where it calls them.
+      - Recovering structures, function signatures, and type information
+        from a stripped binary.

      ## Workflow

      The first invocation imports a binary into a fresh Ghidra project and
      runs auto-analysis (10-90 minutes depending on size). Subsequent calls
-      are fast.
+      hit the cached project and are fast.

-      Typical exploration sequence for a stripped C++ game binary:
+      Typical exploration sequence for a stripped binary:

-      1. `list_strings(filter="DualSense")` (or other relevant substring) to
-         find string literals; Codemasters/Ubisoft typically don't strip these.
-      2. `list_imports()` filtered for HID / Sony / Steam APIs to find the
-         haptic call surface.
-      3. `get_xrefs_to(<address-of-string-or-import>)` to surface call sites.
+      1. `list_strings(filter="<substring>")` to find string literals
+         related to the behavior you're investigating.
+      2. `list_imports()` filtered for the API surface you care about
+         (e.g. HID, networking, crypto) to find call sites.
+      3. `get_xrefs_to(<address-of-string-or-import>)` to surface every
+         function that touches the symbol.
      4. `decompile_function_by_address(<addr>)` to read C-pseudocode.
      5. `set_decompiler_comment` and `rename_function` as you identify
         components, so the database remembers your findings across calls.

      ## Loading a binary

-      Drop the binary somewhere readable (don't commit to git — license + size)
-      and pass the absolute path to pyghidra-mcp's import tool:
-
-      ```
-      /tmp/games/f1_23/F1_23_dx12.exe
-      /tmp/games/cyberpunk/Cyberpunk2077.exe
-      ```
-
-      Auto-analysis runs once per binary; the project database persists in
+      Drop the binary somewhere readable (don't commit to git — size + often
+      proprietary) and pass the absolute path to pyghidra-mcp's import tool.
+      Auto-analysis runs once; the project database persists in
      `~/.cache/pyghidra-mcp/` so re-invocations are fast.

      ## What this is NOT for

-      - Dynamic capture — use usbmon + Wireshark for live HID traffic.
-      - PS5 binaries — encrypted, out of scope.
-      - Decoding live network traffic — separate tooling.
+      - Dynamic / runtime analysis — use a debugger, usbmon/strace, or a
+        protocol sniffer for that.
+      - Encrypted/DRM-protected binaries — out of scope without the keys.
+      - Network-traffic decoding on the wire — separate tooling.

-      Reverse engineering for interoperability is permitted under DMCA §1201(f)
-      and analogous EU provisions. Don't share decrypted/cracked binaries.
+      Reverse engineering for interoperability, security research, and
+      bug-fix purposes is permitted under DMCA §1201(f) and analogous EU
+      provisions. Don't share decrypted or cracked binaries.
    '';

  };