re-vtil
Lifts machine code to VTIL intermediate language and emits pseudo-C for VM handler characterization. Complements concrete execution tools with static IL analysis.
MCP server for VTIL-Core (Virtual-machine Translation Intermediate Language, MIT). The "lift, optimize, emit pseudo-C" trio for VM handler characterization.
Why
The other RE-AI MCP servers handle byte-level binary analysis (re-lief, re-rizin, re-triton). They tell you what a handler does in machine code, but not what it means in a higher-level IL.
re-vtil fills that gap. You give it a function's machine code, it lifts to VTIL's IL, you run optimization passes, and you get a pseudo-C reading. The use case is the encrypted-VM handler characterization in re-encrypted-vm-tamper — once you know which bytes are a handler, re-vtil tells you what those bytes mean.
Architecture
The Python MCP server is a thin wrapper around a C++ vtil-cli helper built by install.sh from the vendored VTIL-Core source tree:
Claude Code (MCP stdio)
│
▼
re-vtil server (Python, this directory)
│ subprocess.run(...)
▼
vtil-cli (C++ single binary, built from src/re_vtil/cpp/VtilCli/)
│
└─ VTIL-Core (vendored as a git submodule)
The subprocess boundary is intentional: VTIL is a heavy C++ library with no first-class Python bindings. Process isolation is robust: the Python server always loads, falling back to degraded mode if the C++ helper is missing.
Tools
| Tool | What it does |
|---|---|
| check_vtil | Health check — return VTIL version + supported archs |
| lift_handler | Lift machine code (base64) at a given base address to VTIL IL |
| optimize | Run VTIL optimization passes (dead-store-elim, branch-folding, mem-dep) |
| emit_pseudo_c | Emit a C-like pseudocode reading of an IL tree |
Install
./install.sh builds vtil-cli via cmake --build against the vendored VTIL-Core source tree, then copies the binary to servers/re-vtil/bin/.
To build standalone (requires VTIL-Core source + cmake):
cd servers/re-vtil/src/re_vtil/cpp/VtilCli
cmake -B build -S .
cmake --build build --config Release
cp build/vtil-cli ../../../../bin/
To run:
re-vtil # stdio transport (default for MCP)
python -m re_vtil # equivalent
Requirements
- VTIL-Core source tree (vendored as a submodule under src/re_vtil/cpp/)
- CMake ≥ 3.16
- A C++20 compiler (gcc-10+, clang-12+, MSVC 2019+)
- capstone + z3 (the C++ helper links against the same deps as re-triton)
Degraded mode
If vtil-cli is not built, every tool returns {"status": "WARN", "error": "vtil-cli not built; run install.sh", ...}. The Python MCP server itself always loads so Claude Code can surface the install hint.
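The subprocess boundary and degraded-mode behaviour described above, as an added example that is not re-vtil's own code. Only the WARN payload and the bin/ location come from this README; the `lift` subcommand, the `--base` flag, the "ERROR" and "OK" statuses, JSON output on stdout, and the size and time limits are assumptions.

```python
import base64, binascii, json, subprocess
from pathlib import Path

VTIL_CLI = Path("servers/re-vtil/bin/vtil-cli")  # where install.sh copies the binary
MAX_CODE_BYTES = 64 * 1024  # assumed cap on handler size
TIMEOUT_S = 30              # assumed per-call time budget


def _fail(status, error, **extra):
    return {"status": status, "error": error, **extra}


def lift_handler(code_b64, base_address, cli=VTIL_CLI):
    """Validate the request, then run vtil-cli across the process boundary."""
    if not Path(cli).is_file():
        # Degraded mode: the payload the README documents for a missing helper.
        return _fail("WARN", "vtil-cli not built; run install.sh")
    try:
        code = base64.b64decode(code_b64, validate=True)
    except (binascii.Error, ValueError, TypeError):
        return _fail("ERROR", "code is not valid base64")
    if not 0 < len(code) <= MAX_CODE_BYTES:
        return _fail("ERROR", "code length out of range")
    if not isinstance(base_address, int) or not 0 <= base_address < 2**64:
        return _fail("ERROR", "base address out of range")
    # Hypothetical CLI syntax. argv is a list (no shell), and the untrusted
    # bytes travel on stdin rather than in the command line.
    argv = [str(cli), "lift", "--base", hex(base_address)]
    try:
        proc = subprocess.run(argv, input=code, capture_output=True,
                              timeout=TIMEOUT_S, check=False)
    except subprocess.TimeoutExpired:
        return _fail("ERROR", "vtil-cli timed out")
    except OSError as exc:
        return _fail("ERROR", f"vtil-cli failed to start: {exc}")
    if proc.returncode != 0:
        # A crash in the C++ helper stays a structured error in the server.
        return _fail("ERROR", "vtil-cli exited with an error",
                     returncode=proc.returncode,
                     stderr=proc.stderr.decode(errors="replace")[:500])
    try:
        return {"status": "OK", "il": json.loads(proc.stdout)}
    except json.JSONDecodeError:
        return _fail("ERROR", "vtil-cli returned non-JSON output")
```

The timeout and the length cap matter because the helper parses untrusted machine code from protected binaries; a hang or crash in the lifter then surfaces as one failed tool call instead of taking the MCP server down.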
Pairing with re-triton
re-triton handles concrete + symbolic execution (Triton lifts to its own AST, evaluates with a concrete or symbolic state). re-vtil handles static IL (VTIL lifts to its own IL, runs IR-level optimization, emits pseudo-C). The two are complementary:
- Use re-triton.solve_constraint for "what input reaches this branch?"
- Use re-vtil.lift_handler + optimize + emit_pseudo_c for "what does this handler do in the abstract?"
For the encrypted-VM bytecode family: re-triton.emulate_function runs the encrypted handler under concrete inputs (decryption stub triggers, handler dispatches); re-vtil.lift_handler lifts the decrypted handler body to VTIL IL for the static read.