{"slug": "show-hn-a-mcp-for-agents-to-reverse-engineer-binary-code", "title": "Show HN: A MCP for Agents to reverse engineer binary code", "summary": "REA, a new open-source tool, enables AI agents to reverse engineer binary code from apps without source code, allowing them to understand and recreate features. The tool provides 68 investigation tools and integrates with agents via CLI and MCP, running locally on Mac.", "body_md": "**English** · [简体中文](/morluto/rea/blob/main/README_zh.md) · [日本語](/morluto/rea/blob/main/README_ja.md) · [한국어](/morluto/rea/blob/main/README_ko.md) · [العربية](/morluto/rea/blob/main/README_ar.md)\n\n**See a feature you like. Understand how it works, down to the binary level.**\n\n[Quick start](#quick-start) · [Current status](#current-status) · [Investigation model](#the-investigation-model) · [68 tools](#68-tools-for-investigation) · [Roadmap](#roadmap) · [How it works](#how-it-works)\n\n`npm install --global rea-agents && rea setup`\n\nSee a feature in an app that you want in your own product? Give the app to your agent—even without its source code. With REA, the agent can investigate the feature, explain how it works, show its evidence, and build a version adapted to your stack and requirements.\n\nREA gives agents one consistent way to investigate software. Today that includes deep native analysis through Hopper, complete function dossiers, reproducible Evidence v2 records, and controlled process capture. The longer-term toolkit extends the same agent workflow to packaged apps, JavaScript bundles, websites, APIs, protocols, mobile artifacts, firmware, runtime behavior, and differences between versions.\n\nReverse engineering normally makes the operator choose a tool, learn its API, move evidence between programs, and decide what to inspect next. REA gives that work to the agent through commands, skills, structured results, and repeatable investigation workflows.\n\nInstall the REA skill:\n\n```\nnpx skills add morluto/rea\n```\n\nThen ask:\n\n```\nUse REA to understand how search works in the Notes app, show me the\nevidence, and build a similar feature for my project.\n```\n\nNotes is only an example. Name any app you want to understand, or ask the agent to start with an overview.\n\nDecompileOpen an app and recover readable code, strings, names, and other clues about how it works. |\nUnderstandFollow the code from one part of the app to another until the agent can explain how a feature actually works. |\nRecreateTurn what the agent learned into a feature for your own product, adapted to your stack, interface, and requirements. |\n\nREA shows how it reached its conclusions. It does not claim to recover original source code or automatically clone an application.\n\nBuilt for agents |\nAsk what an app does and let your agent inspect it instead of guessing. |\nCLI and MCP |\nRun the same reverse-engineering capabilities from your terminal or agent. |\nComplexity handled |\nREA installs and manages the reverse-engineering tools behind the scenes. |\nFrom insight to code |\nUnderstand a feature, then build your own version in the same coding session. |\nLocal by design |\nAnalysis runs on your Mac. REA does not upload the app to a hosted analysis service. |\nKeeps context |\nInvestigate several apps without starting over for every question. |\n\n```\nnpm install --global rea-agents\nrea setup\n```\n\nInstalling the CLI does not update Homebrew, Node.js, npm, Hopper, or agent configuration. `rea setup`\n\ndetects what is already present, prints every proposed change, and asks before applying it.\n\nREA detects Claude Code, Claude Desktop, Codex, Cursor, Gemini CLI, Windsurf, and Devin. Registrations are additive, backup-first, and read back after writing. You can safely rerun setup.\n\nAn optional curl wrapper installs the same CLI package and starts setup only when a terminal is available:\n\n```\ncurl -fsSL https://raw.githubusercontent.com/morluto/rea/main/install.sh | bash\n```\n\nPass installer options after `bash -s --`\n\n, for example `--dry-run`\n\n, `--no-setup`\n\n, or `--version 1.0.0`\n\n. The curl wrapper never installs prerequisites or configures integrations itself. See [Installation and setup](/morluto/rea/blob/main/docs/installation.md) for its exact mutation boundary.\n\n```\nnpx skills add morluto/rea\n```\n\nAsk your agent to set up REA. It will check your Mac, explain anything it needs to install, ask for approval, and guide you through system prompts. After setup, restart the agent if it asks you to load the full REA toolset.\n\nReview the setup plan, approve it if appropriate, then describe the app or feature you want to understand. Hopper can run in its free demo mode; if it shows a first-run prompt, choose the demo or enter an existing license.\n\n```\nnpx -y rea-agents setup\nnpx -y rea-agents doctor\nnpx -y rea-agents analyze /Applications/Notes.app\n```\n\nReview the setup plan before confirming it. Restart a configured agent so it loads REA.\n\n```\nnpm install --global rea-agents\nrea setup\nrea doctor\nrea analyze /Applications/Notes.app\n```\n\nUpdate that global installation in place:\n\n```\nrea upgrade\n```\n\nREA checks npm for the latest release and verifies that the running package is\nthe global installation it will replace. Source, local, and `npx`\n\ncopies report\nthe manual `npm install --global rea-agents@latest`\n\ncommand instead of updating\nan unrelated global package.\n\nChoose either the no-install commands or the global installation. You do not need both.\n\n- macOS 12 or newer\n- Ubuntu 24.04+, Fedora 41+, or 64-bit Arch Linux\n- Node.js 22.19+ or 24.11+ (including newer releases)\n- npm; REA does not require or install a particular npm version\n\nDeep binary analysis currently uses [Hopper](https://www.hopperapp.com/), a separate desktop application with its own license. Setup reuses an existing installation. If Hopper is missing, interactive setup proposes the official package and includes it in the confirmation plan. Unattended installation requires `rea setup --yes --install-hopper`\n\n.\n\nIf something is not working, run:\n\n```\nnpx -y rea-agents doctor\n```\n\n`rea doctor --json`\n\nis read-only and distinguishes unsupported hosts, missing dependencies, a missing local analysis engine, configuration drift, and healthy checks. Paid-license activation is optional: on Linux, REA runs the supported Hopper demo build on a private Xvfb display and selects Hopper's offered demo mode for each analysis session.\n\nOn macOS, approved setup downloads Hopper's official DMG, verifies it, and installs the app into `~/Applications`\n\nwithout Homebrew or administrator privileges. Hopper may show its demo or license prompt when first opened; no manual drag-and-drop is required.\n\nOn Ubuntu 24.04+, Fedora 41+, and 64-bit Arch Linux, approved setup downloads the pinned official Hopper 6.4.2 package, restricts downloads to Hopper's public origin, verifies the published size and checksum, and invokes `apt-get`\n\n, `dnf`\n\n, or `pacman`\n\nto install Hopper and the Xvfb, Python, X11, and XTEST packages used by demo sessions. When REA is not already running as root, `pkexec`\n\npresents the system authorization prompt. REA never invokes `sudo`\n\n. Demo sessions run on an isolated 1280×1024 Xvfb display. REA verifies the exact supported Hopper binary, its owned process ancestry, the expected dialog geometry, and bridge state before selecting `Try the Demo`\n\n; any mismatch fails closed.\n\nThe normal Linux launcher is `/opt/hopper/bin/Hopper`\n\n. If Hopper was installed elsewhere:\n\n```\nexport HOPPER_LAUNCHER_PATH=/absolute/path/to/Hopper\nrea doctor --json\n```\n\nIf doctor reports a missing analysis engine even though the file exists, inspect shared-library resolution with:\n\n```\nldd /opt/hopper/bin/Hopper | grep 'not found'\n```\n\nInstall the missing distribution packages and rerun `rea setup`\n\n. Linux demo automation requires `Xvfb`\n\n, Python 3, `libX11.so.6`\n\n, and `libXtst.so.6`\n\n; approved setup installs those direct runtime dependencies and does not interact with the user's desktop display. Hopper's free demo supports analysis with vendor-defined limits, and a paid license is optional. The curl installer places the `rea`\n\ncommand in `~/.local/bin`\n\non Linux; add that directory to future shell `PATH`\n\nvalues if it is not already present.\n\nREA defaults `HOPPER_LAUNCHER_PATH`\n\nto `/Applications/Hopper Disassembler.app/Contents/MacOS/hopper`\n\non macOS and `/opt/hopper/bin/Hopper`\n\non Linux. Explicit configuration always takes precedence.\n\nTo remove only REA-owned MCP registrations and the managed skill:\n\n```\nrea uninstall\nrea uninstall --purge-data # also removes only ~/.rea/cache and ~/.rea/state\n```\n\nUninstall preserves Hopper, Node.js, evidence, captures, external evidence roots, unrelated skills, and other MCP servers. It refuses malformed client configuration and never follows purge-data symlinks.\n\n| If you want to… | Use |\n|---|---|\n| Ask an agent to investigate an app and build a feature | Install the skill, then talk to your agent |\n| Inspect or decompile one part of an app from the Terminal | `rea analyze` or `rea decompile` |\n| Validate, canonicalize, or compare Evidence v2 bundles | `rea evidence-import` , `rea evidence-export` , or `rea compare` |\n| Run or resume a persistent two-version artifact analysis | `rea investigate-versions` |\n| Reuse immutable analysis results without relaunching a provider | Pass `--snapshot /approved/path/analysis.json` to a deep-analysis command |\n| Import source as historical reference | `rea import-reference-source` |\n| Capture or compare controlled process behavior | `rea capture-process` or `rea compare-process-captures` |\n\nFilesystem evidence commands and MCP file tools are disabled until the operator approves absolute roots:\n\n```\nexport REA_EVIDENCE_ROOTS_JSON='[\"/absolute/path/to/evidence\"]'\nexport REA_INVESTIGATION_INPUT_ROOTS_JSON='[\"/absolute/path/to/releases\"]'\nrea evidence-import /absolute/path/to/evidence/bundle.json\nrea evidence-export /absolute/path/to/evidence/bundle.json /absolute/path/to/evidence/canonical.json\nrea compare /absolute/path/to/evidence/left.json /absolute/path/to/evidence/right.json\nrea investigate-versions /absolute/path/to/releases/v1 /absolute/path/to/releases/v2 /absolute/path/to/evidence/releases.json --yes --workspace-name releases\n```\n\n`investigate-versions`\n\ninventories both versions, checkpoints their observed\nEvidence, derives an artifact comparison, and records a changed-behavior report.\nBoth input paths must resolve beneath `REA_INVESTIGATION_INPUT_ROOTS_JSON`\n\n;\nworkspace files remain independently restricted by `REA_EVIDENCE_ROOTS_JSON`\n\n.\nThe workspace uses deterministic content identities and monotonic CAS-linked\nrevisions, so the same request resumes an interrupted run or reuses a completed\nrun without replacing earlier investigations. It currently compares static\nartifact structure only; it does not execute either version, and its report\nkeeps every difference labeled as a behavior candidate. See\n[Persistent investigation workspaces](/morluto/rea/blob/main/docs/investigation-workspaces.md).\n\nHistorical source import requires a separate allowlist and never treats source as current behavioral authority:\n\n```\nexport REA_REFERENCE_ROOTS_JSON='[\"/absolute/path/to/source\"]'\nrea import-reference-source /absolute/path/to/source\n```\n\nExports never replace an existing file unless `--overwrite`\n\nis explicit. Imports are size/depth bounded, validate every Evidence v2 ID and manifest, and never execute bundle content.\n\nProvider-neutral analysis snapshots persist successful, immutable REA calls and their Evidence v2 records. They are exact caches rather than Hopper databases: REA reuses an entry only when the binary digest, format, architecture, operation parameters, loader arguments, and provider identity match. Custom Hopper loader overrides disable snapshots because their provider configuration cannot be replayed safely. Cursor-dependent and mutating calls are never cached. Snapshot files can contain proprietary analysis results and local paths, so REA keeps them local, writes them with owner-only permissions, and requires a separate approved root:\n\n```\nexport REA_ANALYSIS_SNAPSHOT_ROOTS_JSON='[\"/absolute/path/to/analysis\"]'\nrea analyze /absolute/path/to/app --snapshot /absolute/path/to/analysis/app.json\n# The same exact query can now be answered from the snapshot.\nrea analyze /absolute/path/to/app --snapshot /absolute/path/to/analysis/app.json\n```\n\nExact CLI evidence replays happen before any provider starts. In MCP sessions,\npass `snapshot_path`\n\nto `open_binary`\n\nto import a snapshot atomically while\nopening its matching target; MCP providers may still start before a cached call\nis replayed. Pass `snapshot_path`\n\nand, when required, `overwrite: true`\n\nto\n`close_binary`\n\nto save atomically before Hopper resources are released. If the\nsave fails, REA deliberately leaves the session open.\n\n```\nReverse engineer the Notes app. Find how offline search works, explain it,\nand build a version for my project using TypeScript and SQLite.\n```\n\nREA gives the agent a clear path from that request to working code:\n\n| Step | What the agent does | REA tools |\n|---|---|---|\n| 1 | Opens and identifies the binary | `open_binary` , `binary_overview` |\n| 2 | Finds likely offline-search clues | `search_strings` , `search_procedures` , `list_names` |\n| 3 | Connects those clues to executable code | `find_xrefs_to_name` , `xrefs` , `procedure_callers` |\n| 4 | Reconstructs the relevant control flow | `get_call_graph` , `procedure_callees` , `procedure_info` |\n| 5 | Decompiles the relevant routines | `procedure_pseudo_code` , `procedure_assembly` , `batch_decompile` |\n| 6 | Builds the feature in your project | code adapted to your stack, product, and requirements |\n\nREA handles the app analysis in steps 1–5. The agent performs step 6 with its normal file-editing and test tools, using what it learned about the app.\n\n- Investigate a feature you like and build a version tailored to your own product.\n- Explain how a feature works when its source code is unavailable.\n- Reconstruct an app's authentication, storage, update, or networking flow.\n- Recover enough structure to document an undocumented format or interface.\n- Trace a suspicious behavior from a string or symbol to the code that implements it.\n- Run, checkpoint, resume, and reuse a content-addressed artifact investigation across two versions.\n- Turn recovered behavior into product features, tests, migration notes, ports, or interoperable replacements.\n- Analyze Swift and Objective-C metadata without manually untangling every mangled symbol.\n- Leave names, comments, and bookmarks in Hopper so human and agent analysis reinforce each other.\n\n| Tool family | Count | Examples |\n|---|---|---|\n| Native inspection | 33 | procedures, pseudocode, assembly, strings, names, segments, callers, callees, xrefs, annotations |\n| Investigation workflows | 10 | `binary_overview` , `analyze_function` , `batch_decompile` , `trace_feature` , call graphs, Swift and Objective-C discovery |\n| Native macOS utilities | 5 | Mach-O metadata, code signatures, plists, architectures, Swift demangling; Hopper-free and provenance-bearing |\n| Artifact graph | 2 | deterministic directory, ZIP/APK/IPA, and ASAR inventory; explicitly selected extraction into an absent owned tree |\n| Workspace and observation | 18 | target lifecycle, Evidence v2 bundles, process/artifact/function comparison, evidence-linked residual-unknown lifecycle |\n\nThe public interface describes what the agent is trying to learn. Providers decide how to answer. macOS utilities handle common semantic inspection without launching Hopper; Hopper handles deeper native analysis; the process harness implements controlled behavioral capture.\n\nREA is already useful for native application investigation on macOS:\n\n- Open Mach-O, ELF, PE,\n`.app`\n\n, ZIP, APK, IPA, ASAR, plist, JavaScript, source-map, and Hopper database targets. - Traverse content-addressed artifact graphs without extraction; on macOS, read-only DMG traversal additionally requires\n`native_mount_approved: true`\n\nand`REA_ARTIFACT_NATIVE_MOUNT_ENABLED=true`\n\n. Materialize only approved occurrences into absent output roots. - Build bounded function dossiers with pseudocode, assembly, CFG edges, comments, calls, references, strings, and names.\n- Search and trace features across symbols, strings, metadata, references, and call paths.\n- Record every successful result as deterministic Evidence v2 with artifact and provider identity, confidence, authority, limitations, and locations.\n- Export and import evidence bundles across sessions.\n- Persist automatic cross-version artifact runs as canonical, lock-protected workspaces with tamper-evident revision commitments.\n- Capture approved PTY scenarios as Process Capture v4 Evidence, including committed run manifests, raw and rendered terminal frames, scripted interactions, descendant settlement, named filesystem checkpoints, deterministic command shims, and loopback HTTP/WebSocket exchanges.\n- Compare complete artifact inventories by stable path, content, metadata, and relations; incomplete evidence never implies equivalence.\n- Compare explicit function dossiers across text, calls, references, strings, and address-normalized CFG topology with per-facet unknowns.\n- Compare canonical Evidence bundles by exact membership, explicit observation pairs, and residual-unknown histories without turning omissions into behavioral absence.\n- Aggregate runtime comparisons into observed behavior changes while keeping static artifact/function differences labeled as candidates.\n- Build bounded, Evidence-cited direct call paths by exact address without treating missing dossiers as graph leaves.\n- Correlate exact static/runtime findings through explicit hypotheses without claiming causality from cochange.\n- Verify finite behavioral and structural reconstruction specifications with pass, fail, and unknown kept distinct.\n- Track residual unknowns through immutable CAS revisions, evidence-qualified resolution, contradictions, probes, and validated dependency relationships.\n- With explicit\n`unknown_registry_approved: true`\n\n, record bounded trace/capture residuals, typed provider unavailability, and capture disagreements automatically. - Start six\n[guided MCP workflows](/morluto/rea/blob/main/docs/mcp-prompts.md)with live, session-aware completion for documents, procedures, providers, evidence, captures, artifact IDs, and active unknowns.\n\nHopper is the first provider, not the boundary of the project. Some current workflows still require Hopper and macOS; every evidence record identifies the provider and limitations behind its result.\n\nREA is growing into a toolkit for understanding software across static artifacts and observed behavior. The next capability families are:\n\n**Artifact decomposition**— DMG, ASAR, ZIP, packages, universal-binary slices, application resources, embedded frameworks, mobile packages, and artifact graphs.**Web and Electron investigation**— Playwright/CDP capture of DOM, accessibility trees, screenshots, storage, console, IPC, HTTP, WebSocket, routes, and visual or structural differences.**Deterministic behavior harnesses**— stronger process-tree ownership, protocol fixtures, network policy, filesystem tracing, signals, reconnects, and cross-version comparison.**JavaScript and source recovery**— bundle indexing, AST/module reconstruction, source-map discovery, historical-source matching, and CodeDB-backed cross-references.**Runtime observation**— approval-gated LLDB, Frida, system logs, process and filesystem observers, and native API tracing.** More static-analysis providers**— native platform utilities first, followed by Ghidra, IDA/Hex-Rays, Binary Ninja, Rizin, LIEF, and other engines behind provider-neutral capabilities.**More targets and platforms**— Windows-native providers and ConPTY verification, Linux parity, websites and APIs, mobile artifacts, firmware, document formats, and other software-defined systems.**Differential reconstruction expansion**— add automatic function matching, protocol/UI comparison, controlled replay, residual-unknown planning, and reconstruction verification to persistent version runs.\n\nRoadmap items describe direction, not shipped support. New providers must produce the same evidence and safety metadata as existing capabilities before they become part of the public workflow. Once REA has multiple optional toolchains, setup can become capability-selective; the consent rules for that future work are recorded in the [installation roadmap](/morluto/rea/blob/main/docs/roadmap.md).\n\nSee the [static-analysis provider evaluation](/morluto/rea/blob/main/docs/provider-evaluation.md) for the current research matrix and admission gate.\n\nSetup currently configures Claude Desktop and Cursor automatically. Any agent that supports local MCP servers can use REA with the configuration below.\n\n```\n{\n  \"mcpServers\": {\n    \"rea\": {\n      \"command\": \"npx\",\n      \"args\": [\"-y\", \"rea-agents\", \"mcp\"]\n    }\n  }\n}\n```\n\nMCP clients that support prompts can also discover six ordered investigation\nworkflows through `prompts/list`\n\n. Their optional identifier arguments use the\ncurrent session for bounded `completion/complete`\n\nsuggestions; see\n[Guided MCP prompts and completion](/morluto/rea/blob/main/docs/mcp-prompts.md).\n\n``` php\nflowchart LR\n    Agent[\"Agent\"] --> REA[\"REA<br/>CLI + MCP\"]\n    Terminal --> REA\n    REA --> Workspace[\"Investigation workspace<br/>evidence + artifacts + captures\"]\n    Workspace --> Router[\"Capability router\"]\n    Router --> Hopper[\"Hopper provider\"]\n    Router --> Native[\"Native macOS provider\"]\n    Router --> Artifact[\"Artifact graph provider\"]\n    Router --> Process[\"Process capture provider\"]\n    Router -. roadmap .-> More[\"Browser, dynamic,<br/>and additional static providers\"]\n    Hopper --> Target[\"Target software\"]\n    Process --> Target\n    Native --> Target\n    Artifact --> Target\n```\n\nThe CLI and MCP server use the same application workflows and evidence contracts. A provider declares which capabilities it supports and the side effects those capabilities may have. Terminal commands are short-lived; an MCP session can retain an active target and evidence ledger across an investigation. Approved persistent workspaces keep canonical Evidence and resumable run checkpoints across both process and session lifetimes.\n\nThe agent workflow above is the easiest way to use REA. For a one-off overview from the Terminal:\n\n```\nnpx -y rea-agents analyze /Applications/Notes.app\nnpx -y rea-agents inspect /Applications/Notes.app\nnpx -y rea-agents inspect /Applications/Notes.app --detail detailed --limit 20\nnpx -y rea-agents search /Applications/Notes.app \"offline\"\nnpx -y rea-agents function /Applications/Notes.app 0x1000\nnpx -y rea-agents xrefs /Applications/Notes.app 0x1000\nnpx -y rea-agents trace /Applications/Notes.app \"offline\"\nnpx -y rea-agents compare /absolute/path/to/left-evidence.json /absolute/path/to/right-evidence.json\nnpx -y rea-agents investigate-versions /path/to/v1 /path/to/v2 /absolute/path/to/evidence/releases.json --yes\nnpx -y rea-agents capabilities\nnpx -y rea-agents providers\n```\n\nRun `npx -y rea-agents --help`\n\nfor direct decompilation, bounded search and\nother options. `analyze`\n\nand `inspect`\n\nshare the same overview workflow;\n`function`\n\n, `xrefs`\n\n, and `trace`\n\nreturn the same Evidence v2 envelopes as MCP.\n\nOr install the `rea`\n\ncommand globally:\n\n```\nnpm install --global rea-agents\nrea --help\nrea upgrade\nrea mcp\n```\n\nREA accepts a Mac `.app`\n\nfolder directly. If an agent cannot find an app by name, tell it where the app is installed.\n\n| Status | Meaning |\n|---|---|\n`0` |\nThe requested operation completed. Truthful unknowns, warnings, and bounded or truncated evidence remain successful results. |\n`1` |\nArguments, policy, permission, provider analysis, integrity checking, cancellation, timeout, setup, diagnostics, update, uninstall, output encoding, or output writing prevented completion. Structured output identifies the failure category when REA could encode it. |\n`128 + N` |\nThe process ended from signal `N` , where the shell or runtime preserves the conventional signal-derived status. |\n\n`setup`\n\nreturns `1`\n\nfor `planned`\n\n, `needs_confirmation`\n\n, or `needs_human`\n\nbecause configuration is not ready; rerun it after approval or remediation.\n`doctor`\n\nreturns `1`\n\nwhen any check is unhealthy. Output format, full envelopes,\nfilters, and token controls never change the operation status.\n\nWhen REA feeds a shell pipeline, enable `pipefail`\n\nso a downstream formatter\ncannot hide its failure:\n\n```\nset -o pipefail\nrea inventory-artifact ./app.asar --json | jq . > inventory.json\n```\n\nREA starts Hopper when needed; Hopper does not need to be running first. Hopper's launcher internally activates the application, so opening a target may bring Hopper to the foreground. REA asks macOS to start Hopper hidden and in the background when possible, but cannot guarantee that it will remain behind the current application.\n\nREA derives explicit format and architecture arguments to prevent common FAT and ARM selection dialogs. Other Hopper or macOS dialogs may still require a person. REA reports timeouts and remediation through CLI or MCP results instead of attempting to answer UI prompts.\n\nClosing a REA session shuts down its bridge and removes its private socket directory. It does not quit a Hopper application the user may be using.\n\nProcess capture is disabled by default. Enabling it requires\n`REA_PROCESS_CAPTURE_ENABLED=true`\n\n, approved executable and working roots in\n`REA_PROCESS_EXECUTABLE_ROOTS_JSON`\n\nand `REA_PROCESS_WORKING_ROOTS_JSON`\n\n, and an\nenvironment allowlist in `REA_PROCESS_ALLOWED_ENV_JSON`\n\n. Because the current PTY\nadapter uses host networking, it also requires\n`REA_PROCESS_ALLOW_EXTERNAL_NETWORK=true`\n\n.\n\nCapture a scenario or compare two saved Process Capture v4 Evidence records:\n\n```\nrea capture-process ./scenario.json > authority.json\nrea capture-process ./reconstruction.json > reconstruction.json\nrea compare-process-captures authority.json reconstruction.json\n```\n\nThe comparison reports each observed dimension separately and identifies the\nfirst terminal, interaction, exit, filesystem, protocol, process, or shim\ndivergence. See [Process Capture v4](/morluto/rea/blob/main/docs/process-capture.md) for scenario\nfields, command-shim replay, checkpoint triggers, limits, and safety behavior.\n\nIf the native PTY backend is unavailable, install Xcode command-line tools and\nrun `npm run rebuild:native`\n\n. Linux source builds require Python, `make`\n\n, and a\nC++ toolchain. Compatible packaged binaries do not require this rebuild.\n\nASAR inventory verifies Electron integrity metadata for both archive entries\nand `.asar.unpacked`\n\ncompanion files. Integrity failures identify the logical\npath, declared and calculated SHA-256 values, and whether the entry was\nunpacked; REA does not silently accept the mismatched artifact.\n\nREA does not provide a hosted analysis service. Hopper communication uses an authenticated private local socket. Dynamic capabilities are disabled by default and require both operator policy and explicit per-call approval. REA is not a security sandbox: providers and launched targets run with the current user's permissions, and each capability reports its side effects and limitations. Report vulnerabilities through the private process in [SECURITY.md](/morluto/rea/blob/main/SECURITY.md).\n\n**Does Hopper need to be running before I start REA?**\n\nNo. REA starts Hopper when an operation needs it. An already-running Hopper application is also supported.\n\n**Why did Hopper appear in front of my other windows?**\n\nHopper's launcher internally activates the application. REA requests background startup, but macOS and Hopper may still bring a window or dialog forward. See [Hopper application behavior](#hopper-application-behavior).\n\n**Does REA include Hopper?**\n\nNo. Setup can install Hopper for you, but Hopper remains separate software with its own license. REA supplies the CLI, MCP server, and workflows that make it usable by agents.\n\n**Does REA upload the app?**\n\nREA has no hosted analysis service. Current providers analyze artifacts and capture behavior locally. Your agent or model provider may have its own data policy, so review that separately.\n\n**Can REA recover the original source code?**\n\nNo decompiler can guarantee the original source. REA gives an agent pseudocode, assembly, symbols, strings, metadata, and relationships that it can use to explain or compatibly recreate observed behavior.\n\n**Which agents can use REA?**\n\nAny agent that can run a local MCP server can use the manual configuration. Setup currently detects and configures Claude Desktop and Cursor automatically.\n\nSee [CONTRIBUTING.md](/morluto/rea/blob/main/CONTRIBUTING.md) for setup, architecture, tests, and release instructions. Generated API documentation is available under [ docs/api](/morluto/rea/blob/main/docs/api/index.html).\n\n[npm](https://www.npmjs.com/package/rea-agents) · [Issues](https://github.com/morluto/rea/issues) · [Security](/morluto/rea/blob/main/SECURITY.md) · [Contributing](/morluto/rea/blob/main/CONTRIBUTING.md) · [Hopper](https://www.hopperapp.com/)", "url": "https://wpnews.pro/news/show-hn-a-mcp-for-agents-to-reverse-engineer-binary-code", "canonical_source": "https://github.com/morluto/rea", "published_at": "2026-07-14 03:00:01+00:00", "updated_at": "2026-07-14 03:18:39.822362+00:00", "lang": "en", "topics": ["ai-agents", "developer-tools"], "entities": ["REA", "Hopper", "Claude Code", "Claude Desktop", "Codex", "Cursor", "Gemini CLI", "Windsurf"], "alternates": {"html": "https://wpnews.pro/news/show-hn-a-mcp-for-agents-to-reverse-engineer-binary-code", "markdown": "https://wpnews.pro/news/show-hn-a-mcp-for-agents-to-reverse-engineer-binary-code.md", "text": "https://wpnews.pro/news/show-hn-a-mcp-for-agents-to-reverse-engineer-binary-code.txt", "jsonld": "https://wpnews.pro/news/show-hn-a-mcp-for-agents-to-reverse-engineer-binary-code.jsonld"}}