Mastodawn

pyghidra-mcp v0.2.0 is out with new --gui mode. 👀

Your local LLM drives a real Ghidra CodeBrowser, not a plugin.

New blog post shows firmware RE of the CVE-2024-3273 RCE chain with Gemma4.

https://clearbluejar.github.io/posts/pyghidra-mcp-meets-ghidra-gui-drive-project-wide-re-with-local-ai/

pyghidra-mcp Meets Ghidra GUI: Drive Project-Wide RE with Local AI

pyghidra-mcp v0.2.0 ships a GUI-backed mode that lets a local LLM drive a live Ghidra CodeBrowser at full project scope. Renames, plate comments, and cross-binary pivots land in real time, with every edit tagged in Ghidra’s undo history while the session is alive.

clearbluejar

clearbluejar Feb 4

Rick O Feb 4

I've been actively avoiding using generative AI tools. After a recent conversation with some friends about their positive experiences with AI tools, I walked away feeling a bit grumpy. After some reflection, I came to the realization that I was afraid of AI tools. But then after writing down all the reasons I was afraid of AI tools, I discovered I'm actually afraid of something else.

https://www.richardosgood.com/posts/am-i-afraid-of-ai/

Am I Afraid of AI?

Am I Afraid of AI?I'm not afraid AI is going to take over the world and enslave us all. But recently I realized that I'm afraid to use AI tools. And I'm simultaneously afraid I'm missing the boat. I h…

Am I Afraid of AI?

clearbluejar Feb 3

Patch diffing + RCA for clfs.sys can take awhile.

I gave the diff + binary to a local LLM.

It mapped the UAF path, race condition, all IOCTLs in <20 min

LLMs don't replace the work, they are momentum.

New blog post following the UAF trail of CVE-2025-29824:

https://clearbluejar.github.io/posts/how-llms-feed-your-re-habit-following-the-uaf-trail-in-clfs/

How LLMs Feed Your RE Habit: Following the Use-After-Free Trail in CLFS

Dive into how LLMs and pyghidra-mcp accelerate reverse engineering by tracing a UAF vulnerability in CLFS through a patch diff.

clearbluejar

clearbluejar Aug 19, 2025

Clément Labro Aug 19, 2025

🆕 PrivescCheck update!

New features:
- NTLM downgrade detection - Base
- Named Kernel device DACL check - Extended
- DPAPI enumeration rewritten (similar to WinPEAS implementation) - Extended
- BIOS install/update date check - Audit
- ClickOnce trust prompt behavior check - Audit

Note that PrivescCheck remains my main project. As such it is the only one I actively maintain (feature dev, bug fixing). :)

clearbluejar Aug 19, 2025

new blog post, new tool 👀

Unlock project-wide, multi-binary analysis with pyghidra-mcp, a headless Ghidra MCP server for automated, LLM-assisted reverse engineering.

https://clearbluejar.github.io/posts/pyghidra-mcp-headless-ghidra-mcp-server-for-project-wide-multi-binary-analysis/

pyghidra-mcp: Headless Ghidra MCP Server for Project-Wide, Multi-Binary Analysis

Unlock project-wide, multi-binary analysis with pyghidra-mcp, a headless Ghidra MCP server for automated, LLM-assisted reverse engineering.

clearbluejar

clearbluejar Aug 17, 2025

Been testing local LLM tool calling with openai/gpt-oss-20b (even at 4-bit) using pyghidra-mcp. It made 22 tool calls in a one-shot run to analyze multiple binaries and traced the call chain from user-mode through kernelbase.dll to the final syscall in ntdll! 🤯

clearbluejar Aug 14, 2025

📢 Incoming release: pyghidra‑mcp

🛠️ Meet your new RE best friend. Harness frontier models or a local gpt-oss-20b llm brain to power Ghidra multi‑binary, project‑wide analysis. You’ll be slicing through code like butter 🧈😆

ETA: imminent. Keep your shells warm 🔥🐙⚡🐉

clearbluejar May 6, 2025

New blog post! 🚀 Learn how to leverage a Ghidra AI assisted workflow by integrating local LLMs using GhidraMCP, Ollama, and OpenWebUI.

Supercharging Ghidra: Using Local LLMs with GhidraMCP via Ollama and OpenWeb-UI

Reverse engineering binaries often resembles digital archaeology: excavating layers of compiled code, interpreting obscured logic, and painstakingly naming countless functions and variables. While…

Medium

clearbluejar Apr 28, 2025

New #ghidriff release! v0.9.0

- Set custom analysis options
- Set custom base address (bootloaders, etc)

https://github.com/clearbluejar/ghidriff/releases/tag/v0.9.0

Release v0.9.0 - Program Options Support · clearbluejar/ghidriff

What's Changed Use hash tables for FullName:Param matching in SimpleDiff by @v-p-b in #107 Support custom base address + program options by @clearbluejar in #113 New Contributors @v-p-b made the...

GitHub

clearbluejar Apr 14, 2025

Recon Apr 14, 2025

Recon CFP ends in less than 2 weeks on April 28. Prices for the training and conference increase on May 1st. Register now to save with early bird price. We have already announced a few talks and workshops, and more videos from last year have been released. https://recon.cx #reverseengineering #cybersecurity #offensivesecurity #hardwarehacking @hackingump1 @mr_phrazer @nicolodev @SinSinology @hunterbr72 @clearbluejar @phLaul @oryair1999 @hookgab @TheQueenofELF @So11Deo6loria @i0n1c @pedrib1337 @MalachiJonesPhD @Pat_Ventuzelo @KB_Intel @pinkflawd @Reverse_Tactics @OnlyTheDuck @t0nvi @drch40s @BrunoPujos @mhoste1 @andreyknvl @texplained_RE @jsmnsr @pulsoid @SpecterDev @richinseattle @yarden_shafir @aionescu @hackerschoice @SinSinology @sergeybratus @SpecterOps @oryair1999 @phLaul @trailofbits @HexRaysSA @nostarch

REcon - Home

REcon # Montreal Security Conference # Reverse Engineering Training

twitter	https://twitter.com/clearbluejar
blog	https://clearbluejar.github.io/