From e2bc3a9e99a89fcc01252921af07cbdd77b74443 Mon Sep 17 00:00:00 2001 From: Erik Date: Sat, 16 May 2026 12:47:12 +0200 Subject: [PATCH] docs(CLAUDE.md): document Ghidra MCP + WireMCP availability Adds a 'MCP servers (live tooling)' section after the cdb retail debugger. Ghidra MCP (LaurieWired v1.4 HTTP) on :8081 serving patchmem.gpr provides live decomp lookups by address/name/xref without dumping acclient_2013_pseudo_c.txt into context. WireMCP (stdio, Node, tshark wrapper) enables loopback capture against 127.0.0.1:9000 for ACE wire-protocol cross-checks (0xF61C, 0xF74A, 0xF7DE parsing). Both extend the static-decomp + cdb workflow with live introspection. Co-Authored-By: Claude Opus 4.7 (1M context) --- CLAUDE.md | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/CLAUDE.md b/CLAUDE.md index f32642b..b57414f 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -500,6 +500,66 @@ This toolchain was used to settle the L.5 steep-roof investigation: `set_collide` rate per minute. See commit history around 2026-04-30 for the trace data and the decisions it drove. +## MCP servers (live tooling) + +Two MCP servers extend the static decomp + cdb workflow with live +introspection. **Ghidra MCP** requires Ghidra to be running with a +CodeBrowser open in the target project; **WireMCP** auto-loads at +Claude Code startup. + +### Ghidra MCP (LaurieWired v1.4, HTTP) + +Starts an HTTP server on **port 8080** (or **8081** if 8080 is +taken — first-open-wins) when a CodeBrowser tool opens a program. +Currently serving **`patchmem.gpr`** — the 2013 v11.4186 build with +full PDB applied, same source as `docs/research/named-retail/`. Use +this when grep'ing `acclient_2013_pseudo_c.txt` returns too much +noise and you want the decomp for one specific function or address +without dumping the whole file into context. + +Probe: `curl http://127.0.0.1:8081/methods?limit=3` + +Useful endpoints (GET unless noted): + +- `/methods?limit=N` — function names +- `/list_functions?limit=N` — `Name at HHHHHHHH` lines +- `/decompile_function?address=0xHHHHHHHH` — decompiled C for one function +- `/function_xrefs?name=...` — callers / callees +- `/classes`, `/namespaces`, `/strings` +- POST `/rename_function_by_address`, POST `/set_decompiler_comment` + +NO endpoints for: signature setting, namespace setting, script +execution, save-project. Those still require Ghidra's GUI or +`analyzeHeadless`. Full endpoint catalog + Ghidra project layout in +`memory/reference_ghidra_projects.md`. + +### WireMCP (stdio, Node, user-scope) + +Wraps `tshark` at `C:\Program Files\Wireshark\tshark.exe` +(auto-detected via the Windows fallback path in `WireMCP/index.js`). +Direct fit for ACE wire-protocol work — capture loopback +(`127.0.0.1:9000`) to cross-check inbound message parsing (`0xF61C` +movement, `0xF74A` pickup despawn, `0xF7DE` chat, etc.) 
against the +actual bytes, or diff ACE's outbound vs. the holtburger reference. +Replaces ad-hoc Wireshark sessions in the conversation. + +Tools exposed: + +- `capture_packets` — short live capture on an interface, returns JSON +- `get_summary_stats` — protocol hierarchy stats +- `get_conversations` — TCP/UDP conversation table +- `analyze_pcap` — parse a saved `.pcap` file +- `check_threats`, `check_ip_threats` — URLhaus / threat-feed lookups +- `extract_credentials` — grep for creds across protocols (rarely relevant) + +Installed at `C:\Users\erikn\source\repos\WireMCP\` (clone of +`0xKoda/WireMCP`). Registered via `claude mcp add wiremcp --scope user`. + +**When NOT to use WireMCP:** decoding the AC packet *format* — that +lives in `holtburger`, ACE, and `Chorizite.ACProtocol`. WireMCP shows +you the bytes on the wire; the reference repos tell you what they +mean. + ## Subagent policy Subagents are the primary tool for saving parent-context and keeping one
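Review bot: the Ghidra MCP section says the server lands on port 8080, or 8081 when 8080 is taken ("first-open-wins"), but the probe and the commit message hardcode 8081, so a reader with a fresh Ghidra session will probe the wrong port; state that the port depends on which CodeBrowser opened first and give the probe for both, e.g. `curl http://127.0.0.1:8080/methods?limit=3` and then the `:8081` variant. In the same section, `POST /rename_function_by_address` and `POST /set_decompiler_comment` mutate the open project over plain HTTP, and the text never says whether the listener is loopback-only or carries any authentication; a one-line note on the bind address, plus a reminder that such renames are not persisted because there is no save-project endpoint (as the "NO endpoints for" paragraph already implies), would avoid surprises. In the WireMCP section, `check_threats` / `check_ip_threats` send observed indicators to an external feed (URLhaus) and `extract_credentials` will surface login traffic from a loopback capture straight into the conversation; worth a sentence that captures of `127.0.0.1:9000` may contain account credentials and should not be pasted wholesale into context. Also, `C:\Users\erikn\source\repos\WireMCP\` is a user-specific absolute path in a committed file; prefer a placeholder or a path relative to the clone location.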