AI-powered binary reverse engineering assistant.
Ghidra extracts ground truth. Claude reasons over it. You get named functions, identified vulnerabilities, testable hypotheses, and a structured report in minutes.
Static analysis runs first and produces ground truth. The LLM only sees verified facts. No hallucinated function names or addresses.
Tell REeve what you want to find in plain English. It builds a task dependency graph from your goal and executes only the passes that are relevant. No wasted compute on irrelevant analysis steps.
Every fact extracted from the binary lands in a queryable KnowledgeGraph with confidence scores, source provenance, and dirty-flag propagation. The LLM reads from this graph, not from raw bytes.
Haiku for fast classification. Sonnet for function naming and hypothesis formation. Opus for global synthesis and report generation. Each task is routed to the cheapest model capable of handling it.
Every analysis run produces an Obsidian-compatible vault: one note per function, component, and hypothesis. Notes have YAML frontmatter, [[wikilinks]] to callees and callers, tags, and embedded decompilation.
REeve runs Ghidra in-process via PyGhidra with no subprocess overhead. Decompilation, xrefs, imports, strings, and binary metadata are all extracted through the same Ghidra instance.
Reports export as Markdown, HTML, JSON (one key per section), or plain text. Every analysis session is saved to a JSON file containing the full function list, hypotheses, and report for later use.
Actual output from a CTF heap-exploitation binary. 76 functions. Under $0.05.
$ reeve analyze ./binary \
--goal "identify what it does and how to exploit it" \
--kb
Session b29c1b20
Functions : 76 total · 75 named · 16 resolved via signatures
Components: 2 Hypotheses: 2
Cost : $0.041
[✓] resolve_imports 22 imports resolved
[✓] build_call_graph 76 functions, 143 edges
[✓] match_signatures 16 stdlib matches
[✓] analyze_strings 31 strings categorized
[✓] infer_types 14 type annotations
[✓] cluster_components 2 components
[✓] analyze_function 75 functions named
[✓] form_hypothesis 2 hypotheses formed
[✓] global_synthesis done
[✓] generate_report 2,847 chars
Report saved -> ./binary.report.md
Knowledge base -> ./binary_kb/ (55 notes)Existing AI-RE tools pick one of two bad tradeoffs. REeve avoids both.
| REeve | Fixed pipelines (Kong) | Reactive LLM loops (Rikugan) | |
|---|---|---|---|
| Goal-driven task selection | |||
| Ground truth before LLM | |||
| No hallucinated addresses | |||
| Hypothesis formation + testing | |||
| Evidence-scored KnowledgeGraph | |||
| Obsidian knowledge base output | |||
| Multi-format report export | |||
| Cost tracking per model |
export JAVA_HOME=/path/to/jdk-21 export GHIDRA_INSTALL_DIR=/path/to/ghidra_PUBLIC export ANTHROPIC_API_KEY=sk-ant-...
git clone https://github.com/Kunull/REeve cd REeve && pip install -e .
reeve analyze ./binary \ --goal "identify vulnerabilities" \ --kb
REeve is fully open source under the MIT license. Pull requests, issues, and new host bridge implementations are welcome.