
HexCore Binary Analysis

Skill for binary analysis with HexCore tools integrated into the editor

Install

mkdir -p .claude/skills/hexcore-binary-analysis && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/14853" && unzip -o skill.zip -d .claude/skills/hexcore-binary-analysis && rm skill.zip

Installs to .claude/skills/hexcore-binary-analysis

Activation

This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.

Skill for binary analysis with HexCore tools integrated into the editor
75 chars, no explicit “when” trigger

About this skill

HexCore Binary Analysis Skill — v3.7.1

Overview

HexCore is a VS Code fork for reverse engineering and binary analysis (HikariSystem HexCore). It includes 20+ extensions with 6 native engines (Capstone, Unicorn, Remill, LLVM MC, better-sqlite3, Helix) and a full automation pipeline with conditional branching.

Current version: v3.7.1 "Dynamic Intelligence + Pipeline Branching" (2026-03-14)
Engine versions: capstone 1.3.2 | unicorn 1.2.1 | llvm-mc 1.0.0 | better-sqlite3 2.0.0 | remill 0.1.2 | helix 0.5.0
Deprecated: hexcore-rellic (superseded by Helix MLIR; removal planned for v3.8.0)


Extensions

Native Engines (no VS Code commands — pure API)

Engine | Version | Purpose | Architectures
hexcore-capstone | 1.3.2 | Disassembly | x86, x64, ARM, ARM64, MIPS, PPC, SPARC, M68K, RISC-V
hexcore-unicorn | 1.2.1 | CPU emulation | x86, x64, ARM, ARM64, MIPS, SPARC, PPC, RISC-V
hexcore-remill | 0.1.2 | LLVM IR lifting | x86, x64, ARM64 only
hexcore-llvm-mc | 1.0.0 | Assembly/encoding | x86, x64, ARM, ARM64, MIPS, RISC-V, PPC, SPARC
hexcore-better-sqlite3 | 2.0.0 | SQLite database | N/A
hexcore-helix | 0.5.0 | MLIR decompiler (IR → pseudo-C) | x86, x64
hexcore-rellic | | Rellic decompiler (DEPRECATED, removal in v3.8.0) | x86, x64

Disassembler (hexcore-disassembler v1.5.0)

Professional disassembler with Capstone engine, ELF/PE parsing, CFG, xrefs, patching, the pipeline runner, and advanced analysis (junk filtering, VM detection, PRNG detection).

Headless commands (pipeline-safe):

  • hexcore.disasm.analyzeAll — Deep analysis (prolog scan + xrefs). New args: filterJunk, detectVM, detectPRNG
  • hexcore.disasm.buildFormula — Symbolic expression extraction (x86/x64 only)
  • hexcore.disasm.checkConstants — Validate numeric annotations
  • hexcore.disasm.searchStringHeadless — Search string references
  • hexcore.disasm.exportASMHeadless — Export assembly to file
  • hexcore.disasm.disassembleAtHeadless — Disassemble N instructions at address. New args: filterJunk
  • hexcore.disasm.liftToIR — Lift to LLVM IR (Remill, x86/x64/ARM64)
  • hexcore.disasm.dumpAndDisassemble — Dump emulation memory + disassemble in one step (v3.7.1)
  • hexcore.pipeline.runJob — Run automation job (now with onResult conditional branching)
  • hexcore.pipeline.listCapabilities — Export capability map
  • hexcore.pipeline.validateJob — Preflight validation
  • hexcore.pipeline.validateWorkspace — Batch validation
  • hexcore.pipeline.createPresetJob — Generate job from preset
  • hexcore.pipeline.saveJobAsProfile — Save job as profile
  • hexcore.pipeline.doctor — Diagnose health

Analysis features (v3.7.1):

  • filterJunkInstructions() — Detect and remove 7 junk patterns (callfuscation, nop sleds, identity ops)
  • detectVM() — VM obfuscation heuristics (dispatcher, handler tables, operand stacks)
  • detectPRNG() — Static PRNG pattern detection (srand/rand call sites, seed extraction)
  • loadBuffer() — Accept raw buffer for disassembly without file on disk (runtime memory)
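What a junk filter of this kind does is easiest to see on a listing. The following is an added example written for this page, not HexCore's filterJunkInstructions(): it classifies Capstone-style instruction records with seven patterns that are this example's own guess at what "callfuscation, nop sleds, identity ops" cover, and the sample listing is constructed.

```javascript
// Added example, not HexCore code: a junk-instruction filter over
// Capstone-style records { address, size, mnemonic, op_str }. The seven
// patterns are an assumption about what "callfuscation, nop sleds,
// identity ops" cover; they are not HexCore's own list.

const ZERO_IMM = /^(0|0x0+)$/;                        // how Capstone prints a zero immediate
const ARITH_WITH_ZERO = new Set(['add', 'sub', 'or', 'xor']);

// Returns a reason string when `insn` (possibly together with its successor
// `next`) is junk, or null when it must be kept.
function classifyJunk(insn, next) {
  const ops = insn.op_str ? insn.op_str.split(',').map(s => s.trim()) : [];
  const [a, b] = ops;
  const fallthrough = insn.address + insn.size;

  if (insn.mnemonic === 'nop') return 'nop';                          // 1: nop / member of a nop sled
  if (ops.length === 2 && a === b) {
    if (insn.mnemonic === 'mov')  return 'identity-mov';               // 2: mov eax, eax
    if (insn.mnemonic === 'xchg') return 'identity-xchg';              // 3: xchg rbx, rbx
  }
  if (insn.mnemonic === 'lea' && ops.length === 2 && b === `[${a}]`)
    return 'identity-lea';                                             // 4: lea rax, [rax]
  if (ARITH_WITH_ZERO.has(insn.mnemonic) && ops.length === 2 && ZERO_IMM.test(b))
    return 'identity-arith';                                           // 5: add rax, 0 (still writes EFLAGS, see note)
  if (insn.mnemonic === 'call' && next && next.mnemonic === 'pop' &&
      parseInt(a, 16) === fallthrough)
    return 'callfuscation';                                            // 6: call $+5 ; pop reg (PC fetch, no real call)
  if (insn.mnemonic === 'jmp' && ops.length === 1 && parseInt(a, 16) === fallthrough)
    return 'jmp-next';                                                 // 7: jmp to the next instruction
  return null;
}

// Splits a listing into { kept, removed }; each removed record carries its reason.
function filterJunkInstructions(insns) {
  const kept = [], removed = [];
  for (let i = 0; i < insns.length; i++) {
    const insn = insns[i];
    const reason = classifyJunk(insn, insns[i + 1]);
    if (reason === null) { kept.push(insn); continue; }
    removed.push({ ...insn, reason });
    if (reason === 'callfuscation') removed.push({ ...insns[++i], reason }); // drop the pop too
  }
  return { kept, removed };
}

// Constructed sample listing (x64), in the form Capstone would print it.
const SAMPLE = [
  { address: 0x401000, size: 1, mnemonic: 'push', op_str: 'rbp' },
  { address: 0x401001, size: 1, mnemonic: 'nop',  op_str: '' },
  { address: 0x401002, size: 1, mnemonic: 'nop',  op_str: '' },
  { address: 0x401003, size: 2, mnemonic: 'mov',  op_str: 'eax, eax' },
  { address: 0x401005, size: 4, mnemonic: 'add',  op_str: 'rax, 0' },
  { address: 0x401009, size: 2, mnemonic: 'xor',  op_str: 'eax, eax' },  // real zeroing, must stay
  { address: 0x40100b, size: 5, mnemonic: 'call', op_str: '0x401010' },  // call $+5 ...
  { address: 0x401010, size: 1, mnemonic: 'pop',  op_str: 'rbx' },       // ... pop rbx = get PC
  { address: 0x401011, size: 2, mnemonic: 'mov',  op_str: 'edi, eax' },
  { address: 0x401013, size: 5, mnemonic: 'call', op_str: '0x401100' },  // real call
  { address: 0x401018, size: 1, mnemonic: 'ret',  op_str: '' },
];

if (typeof require !== 'undefined' && require.main === module) {
  const { kept, removed } = filterJunkInstructions(SAMPLE);
  for (const r of removed) console.log(`- ${r.address.toString(16)} ${r.mnemonic} ${r.op_str}  [${r.reason}]`);
  for (const k of kept)    console.log(`+ ${k.address.toString(16)} ${k.mnemonic} ${k.op_str}`);
}
```

Two things to watch when dropping "identity" arithmetic: `xor reg, reg` is a real zeroing idiom and is kept, and `add reg, 0` still updates EFLAGS, so removing it is only safe when no later conditional branch reads those flags; a production filter should check flag liveness before dropping pattern 5.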

Interactive commands (need UI):

  • hexcore.disasm.openFile, analyzeFile, goToAddress, findXrefs, addComment, renameFunction, showCFG, searchString, exportASM, patchInstruction, nopInstruction, assemble, assembleMultiple, savePatchedFile, setSyntax, showLlvmVersion, nativeStatus

Experimental:

  • hexcore.disasm.liftToIR — Lift to LLVM IR (requires Remill, x86/x64/ARM64 only)

Architecture auto-detection: Reads ELF e_machine / PE Machine headers. Supports x86, x64, ARM, ARM64, MIPS. Defaults to x64 for raw files.
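The header fields that drive this auto-detection are small enough to show in full. The block below is an added example, not HexCore's detector: it reads ELF e_machine and PE IMAGE_FILE_HEADER.Machine, falls back to x64 for raw input as the page describes, and builds its own minimal headers as constructed test input. Reporting an ELF/PE with an unlisted machine id as 'unsupported' instead of silently assuming x64 is this example's choice.

```javascript
// Added example, not HexCore code: architecture auto-detection from the
// ELF e_machine field and the PE IMAGE_FILE_HEADER.Machine field, with the
// x64 fallback for raw (headerless) input. Treating an unlisted machine id
// as 'unsupported' is this example's choice.

const ELF_MACHINES = { 3: 'x86', 62: 'x64', 40: 'arm', 183: 'arm64', 8: 'mips' };
const PE_MACHINES  = { 0x14c: 'x86', 0x8664: 'x64', 0x1c0: 'arm', 0x1c4: 'arm', 0xaa64: 'arm64', 0x166: 'mips' };

function detectArch(buf) {
  // ELF: magic 7f 45 4c 46; EI_DATA at offset 5 (1 = little, 2 = big endian);
  // e_machine is a 2-byte field at offset 18 in both ELF32 and ELF64 headers.
  if (buf.length >= 20 && buf.readUInt32BE(0) === 0x7f454c46) {
    const machine = buf[5] === 2 ? buf.readUInt16BE(18) : buf.readUInt16LE(18);
    return { format: 'elf', machine, arch: ELF_MACHINES[machine] ?? 'unsupported' };
  }
  // PE: 'MZ' at 0, e_lfanew (4 bytes LE) at 0x3c, 'PE\0\0' there, then Machine (2 bytes LE).
  if (buf.length >= 0x40 && buf[0] === 0x4d && buf[1] === 0x5a) {
    const off = buf.readUInt32LE(0x3c);
    if (off + 6 <= buf.length && buf.readUInt32LE(off) === 0x00004550) {
      const machine = buf.readUInt16LE(off + 4);
      return { format: 'pe', machine, arch: PE_MACHINES[machine] ?? 'unsupported' };
    }
  }
  // Raw bytes (shellcode, a memory dump): nothing to read, assume x64.
  return { format: 'raw', machine: null, arch: 'x64' };
}

// Constructed minimal headers: just the bytes the detector reads.
function elfHeader(machine, bigEndian = false) {
  const b = Buffer.alloc(64);
  b.write('\x7fELF', 0, 'latin1');
  b[4] = 2;                          // ELFCLASS64 (e_machine sits at 18 for ELF32 too)
  b[5] = bigEndian ? 2 : 1;          // EI_DATA
  if (bigEndian) b.writeUInt16BE(machine, 18); else b.writeUInt16LE(machine, 18);
  return b;
}
function peHeader(machine) {
  const b = Buffer.alloc(0x100);
  b.write('MZ', 0, 'latin1');
  b.writeUInt32LE(0x80, 0x3c);       // e_lfanew
  b.write('PE\0\0', 0x80, 'latin1');
  b.writeUInt16LE(machine, 0x84);    // IMAGE_FILE_HEADER.Machine
  return b;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, buf] of [
    ['elf x64', elfHeader(62)], ['elf mips be', elfHeader(8, true)],
    ['pe arm64', peHeader(0xaa64)], ['raw', Buffer.from([0x31, 0xc0, 0xc3])],
  ]) console.log(name.padEnd(12), detectArch(buf));
}
```

Note that the bounds checks matter on real samples: a truncated or deliberately malformed e_lfanew is a common way for a packer to upset naive PE parsers, so the detector refuses to read past the buffer and simply reports the file as raw.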

Debugger (hexcore-debugger v2.2.0)

Emulation-based debugger using Unicorn engine with PE/ELF loading, API hooking, syscall handling, API call tracing, faithful PRNG emulation, side-channel analysis, and breakpoint auto-snapshots.

Process isolation and Smart Sync: x64 ELF and ARM64 ELF emulation run in dedicated child processes (x64ElfWorker.js, arm64Worker.js) so that Unicorn heap corruption cannot crash the VS Code extension host. The worker communicates with the host via JSON-RPC over IPC. Before any API hook (for example __printf_chk, getline or puts) is evaluated, Smart Sync copies heap memory (such as dynamically allocated strings) from the worker to the host, so hooks always see the current heap contents; this matters for obfuscated VMs (for example current HTB CTF challenges) that assemble their strings at runtime. PE emulation and the other architectures run in-process.

Headless commands (pipeline-safe):

  • hexcore.debug.emulateFullHeadlessUnified — single-shot emulation (load → configure → run → collect → dispose). New v3.7.1 args: permissiveMemoryMapping, prngMode, prngSeed, collectSideChannels, memoryDumps, breakpointConfigs (with autoSnapshot). Aliases: hexcore.debug.emulate.full, hexcore.debug.run
  • hexcore.debug.writeMemoryHeadless — Write data to emulation memory
  • hexcore.debug.setRegisterHeadless — Set CPU register value
  • hexcore.debug.setStdinHeadless — Set STDIN buffer for emulation
  • hexcore.debug.disposeHeadless — Dispose emulation session (idempotent)
  • hexcore.debug.snapshotHeadless — Save emulation snapshot
  • hexcore.debug.restoreSnapshotHeadless — Restore emulation snapshot
  • hexcore.debug.exportTraceHeadless — Export API/libc call trace as JSON

v3.7.1 Emulation Features:

  • Permissive Memory Mapping — permissiveMemoryMapping: true maps all segments with RWX permissions, allowing self-modifying VMs to jump to .rodata/.data without UC_ERR_FETCH_PROT. Caveat: with every segment RWX, a fetch or write that the real loader would have trapped on goes unreported, so use it only after the default mapping has failed.
  • PRNG Modes — prngMode: 'glibc' (344-state TYPE_3 algorithm), 'msvcrt' (LCG: seed * 214013 + 2531011), 'stub' (returns 0, default). Faithful implementations that match native rand() sequences for any seed; pass prngSeed to reproduce a specific run.
  • Memory Dumps — memoryDumps: [{ address, size, trigger: 'breakpoint'|'end' }] captures arbitrary memory ranges during emulation
  • Breakpoint Auto-Snapshots — breakpointConfigs: [{ address, autoSnapshot: true, dumpRanges? }] automatically captures registers, stack, and optional memory ranges at breakpoints, then continues execution
  • Side-Channel Analysis — collectSideChannels: true installs instrumentation hooks to collect instruction counts per basic block, memory access patterns, and branch statistics
  • Runtime Memory Disassembly — dumpAndDisassemble(address, size) combines memory reading and Capstone disassembly in one operation for analyzing runtime-decrypted code
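The two PRNG modes above, and the "seed extraction" that detectPRNG() performs statically, are easier to trust once you can reproduce the sequences yourself. The block below is an added example written for this page, not HexCore's code: stand-alone implementations of the glibc TYPE_3 generator and the msvcrt LCG following the published algorithms, a 'stub' mode, and a brute-force seed search that this example adds to show how a seed can be recovered from a handful of observed rand() values (for instance a time()-seeded CTF binary).

```javascript
// Added example, not HexCore code: stand-alone versions of the three PRNG
// modes so emulator output can be checked against a native run, plus a
// brute-force seed search that is this example's addition.

// glibc rand(): 31-word additive feedback generator (random_r TYPE_3). After
// seeding, the first 344 outputs are discarded (the "344-state" above); each
// output is (uint32)r >> 1.
function* glibcRand(seed) {
  seed |= 0;                        // glibc stores the seed as int32_t
  if (seed === 0) seed = 1;         // glibc maps srand(0) to srand(1)
  const r = new Int32Array(34);     // ring buffer: only the last 34 words are needed
  r[0] = seed;
  for (let i = 1; i < 31; i++) {    // Park-Miller seeding; 16807 * |r| < 2^46 is exact in a double
    let v = (16807 * r[i - 1]) % 2147483647;
    if (v < 0) v += 2147483647;     // same fix-up as the C code for negative seeds
    r[i] = v;
  }
  for (let i = 31; i < 34; i++) r[i] = r[i - 31];
  for (let i = 34; ; i++) {
    const v = (r[(i - 31) % 34] + r[(i - 3) % 34]) | 0;   // wraps like C int32 addition
    r[i % 34] = v;
    if (i >= 344) yield v >>> 1;
  }
}

// msvcrt rand(): seed = seed * 214013 + 2531011 (mod 2^32); return (seed >> 16) & 0x7fff
function* msvcrtRand(seed) {
  let s = seed >>> 0;
  for (;;) {
    s = (Math.imul(s, 214013) + 2531011) >>> 0;
    yield (s >>> 16) & 0x7fff;
  }
}

function* stubRand() { for (;;) yield 0; }   // 'stub' mode: rand() always returns 0

const PRNG_MODES = { glibc: glibcRand, msvcrt: msvcrtRand, stub: stubRand };

// First n rand() values for a mode and seed.
function randSequence(mode, seed, n) {
  const gen = PRNG_MODES[mode](seed);
  return Array.from({ length: n }, () => gen.next().value);
}

// Seed extraction: find a seed in [0, maxSeed] that reproduces rand() values
// observed in a trace. Cheap for msvcrt (one multiply per output); glibc costs
// about 350 steps per candidate, so bound the range (e.g. a known time() window).
function recoverSeed(mode, observed, maxSeed) {
  for (let seed = 0; seed <= maxSeed; seed++) {
    const gen = PRNG_MODES[mode](seed);
    let ok = true;
    for (const want of observed) {
      if (gen.next().value !== want) { ok = false; break; }
    }
    if (ok) return seed;
  }
  return null;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('glibc  srand(1):', randSequence('glibc', 1, 5));
  console.log('msvcrt srand(1):', randSequence('msvcrt', 1, 5));
  const observed = randSequence('msvcrt', 1337, 4);
  console.log('recovered msvcrt seed:', recoverSeed('msvcrt', observed, 1 << 16));
}
```

Four msvcrt outputs carry 60 bits, so a recovered seed almost always equals the original; for glibc, matching three outputs over a small time window is likewise enough in practice. Both generators here are the classic algorithms and will disagree with a binary statically linked against a different libc.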

Interactive commands (need UI):

  • hexcore.debug.emulate — Start emulation (auto-detect arch)
  • hexcore.debug.emulateWithArch — Start with manual arch selection
  • hexcore.debug.emulationStep — Step one instruction
  • hexcore.debug.emulationContinue — Continue to breakpoint/end
  • hexcore.debug.emulationBreakpoint — Set breakpoint
  • hexcore.debug.emulationReadMemory — Read memory region
  • hexcore.debug.setStdin — Set STDIN buffer for ELF emulation
  • hexcore.debug.saveSnapshot — Save emulation snapshot
  • hexcore.debug.restoreSnapshot — Restore snapshot
  • hexcore.debug.unicornStatus — Show Unicorn status

Internal engine capabilities (programmatic, not exposed as headless commands):

  • PE loading with import resolution and Windows API hooks
  • ELF loading with PLT stubs and Linux API hooks (libc emulation)
  • Linux syscall handler (x86/x64: int 0x80, syscall instruction; ARM64: SVC #0)
  • Architecture auto-detection from ELF/PE headers
  • Deterministic ELF continue (250K instruction budget)
  • STDIN buffer injection for scanf/read emulation
  • Snapshot save/restore via Unicorn context
  • x64 ELF worker process isolation with Smart Sync (prevents host heap corruption & guarantees dynamic string visibility)
  • ARM64 ELF worker process isolation (same pattern)

Architecture support in debugger:

Feature | x86 | x64 | ARM64 | ARM | MIPS
Unicorn init | Yes | Yes | Yes | Yes | Yes
Register read/write | Yes | Yes | Yes | No | No
ELF loading | Yes | Yes | Yes | No | No
PE loading | Yes | Yes | No | No | No
Stack initialization | Yes | Yes | Yes | No | No
Syscall handler | Yes | Yes | Yes | No | No
API hooks (Linux) | Yes | Yes | Yes | No | No
API hooks (Windows) | Yes | Yes | No | No | No
Worker process isolation | No | Yes (ELF) | Yes | No | No

Other Extensions

Extension | Version | Headless | Commands
hexcore-peanalyzer | | Yes | peanalyzer.analyze, peanalyzer.analyzeActive
hexcore-elfanalyzer | 1.0.0 | Yes | elfanalyzer.analyze, elfanalyzer.analyzeActive
hexcore-hexviewer | | Yes | hexview.dumpHeadless, hexview.searchHeadless, openHexView, goToOffset, searchHex, copyAsHex, copyAsC, copyAsPython, addBookmark, applyTemplate, toggleEdit
hexcore-strings | | Yes | strings.extract, strings.extractAdvanced (now with multi-byte XOR, rolling XOR, increment XOR)
hexcore-entropy | | Yes | entropy.analyze
hexcore-filetype | | Yes | filetype.detect
hexcore-hashcalc | | Yes | hashcalc.calculate, hashcalc.quick, hashcalc.verify
hexcore-base64 | | Yes | base64.decodeHeadless, base64.decode
hexcore-yara | | Partial | yara.scan (headless), yara.updateRules (headless), rest interactive
hexcore-ioc | | Yes | ioc.extract, ioc.extractActive
hexcore-minidump | | Yes | minidump.parse, minidump.threads, minidump.modules, minidump.memory
hexcore-report-composer | 1.0.0 | Yes | pipeline.composeReport (aggregates reports into unified Markdown)
hexcore-common | | N/A | Utility library (formatBytes, loadNativeModule, etc.)
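The XOR variants listed for strings.extractAdvanced are worth seeing in code, since the key schedule decides whether a brute-force scan can find anything at all. The block below is an added example for this page, not HexCore's extractor: the three schedules are defined as this example assumes them (the page only names them), the scanner brute-forces single-byte and increment keys over a constructed buffer, and the sample strings are constructed.

```javascript
// Added example, not HexCore's strings.extractAdvanced: recovering XOR-obfuscated
// strings under three key schedules. The schedule definitions are this
// example's assumption; the page only names them:
//   repeat     p[i] = c[i] ^ key[i % key.length]     multi-byte repeating key
//   increment  p[i] = c[i] ^ ((key0 + i) & 0xff)      key steps by one per byte
//   rolling    p[i] = c[i] ^ (i ? c[i-1] : key0)      previous cipher byte is the key

function xorDecode(buf, scheme, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) {
    let k;
    if (scheme === 'repeat') k = key[i % key.length];
    else if (scheme === 'increment') k = (key + i) & 0xff;
    else if (scheme === 'rolling') k = i ? buf[i - 1] : key;
    else throw new Error(`unknown scheme ${scheme}`);
    out[i] = buf[i] ^ k;
  }
  return out;
}

// repeat and increment are involutions; rolling must chain on the cipher text.
function xorEncode(buf, scheme, key) {
  if (scheme !== 'rolling') return xorDecode(buf, scheme, key);
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ (i ? out[i - 1] : key);
  return out;
}

// Brute-force every single-byte (repeat) key and every increment start key,
// plus rolling, and report printable runs of at least minLen. Runs of one
// repeated character are dropped: zero padding XOR k decodes to "kkkk..."
// under every single-byte key and would flood the output.
function scanXorStrings(buf, minLen = 8) {
  const candidates = [];
  for (let k = 1; k < 256; k++) candidates.push(['repeat', Buffer.from([k])]);
  for (let k = 0; k < 256; k++) candidates.push(['increment', k]);
  candidates.push(['rolling', 0]);
  const run = new RegExp(`[\\x20-\\x7e]{${minLen},}`, 'g');
  const hits = [];
  for (const [scheme, key] of candidates) {
    const text = xorDecode(buf, scheme, key).toString('latin1');
    for (const m of text.matchAll(run)) {
      if (/^(.)\1*$/.test(m[0])) continue;
      const offset = m.index;
      const keyAtOffset = scheme === 'repeat' ? key[0]
                        : scheme === 'increment' ? (key + offset) & 0xff
                        : (offset ? buf[offset - 1] : key);
      hits.push({ scheme, keyAtOffset, offset, string: m[0] });
    }
  }
  return hits;
}

// Constructed sample: 0xff padding, a URL under increment XOR starting at 0x41,
// more padding, a User-Agent under single-byte XOR 0x5a, trailing padding.
const URL = 'http://example.test/gate.php';
const UA  = 'User-Agent: Mozilla/5.0';
const PAD = Buffer.alloc(8, 0xff);
const SAMPLE = Buffer.concat([
  Buffer.alloc(16, 0xff),
  xorEncode(Buffer.from(URL, 'latin1'), 'increment', 0x41),
  PAD,
  xorEncode(Buffer.from(UA, 'latin1'), 'repeat', Buffer.from([0x5a])),
  PAD,
]);

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of scanXorStrings(SAMPLE)) {
    console.log(`${h.scheme.padEnd(9)} key=0x${h.keyAtOffset.toString(16)} @${h.offset}: ${h.string}`);
  }
}
```

Multi-byte repeating keys are deliberately not brute-forced here; their key space grows as 256^n, so in practice the key is taken from the decryption routine (or from a known-plaintext guess such as a leading "http") and passed to xorDecode directly. Expect a few chance hits from other keys on real data; the reported key and offset let you discard them quickly.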

Pipeline Automation

Creating Jobs

  1. From preset: Run hexcore.pipeline.createPresetJob — c

Content truncated.
