back to blog

10 February 2026

project: RE MCP

RE MCP

reverse-engineeringmcpai-toolingangelscriptperceptionunreal-engine

Building an MCP Server for Reverse Engineering

Perception MCP Bridge — an MCP server that connects Claude to Perception, a native reverse engineering IDE. Perception handles the hard part: memory access, pattern scanning, disassembly, emulation. The MCP bridge exposes 70+ RE primitives so Claude can chain them autonomously.

Architecture

Two pieces connected via HTTP polling:

Perception side: AngelScript script that attaches to a target process and exposes its full toolset — memory read/write, pattern scanning, Zydis disassembly, Unicorn emulation, PE parsing, cross-reference analysis, value scanning. The script runs an HTTP server on port 13340 and manages worker threads for heavy operations so the polling stays responsive.

Node.js side: Express server that implements the MCP protocol. It translates tool calls into HTTP requests to the Perception script, handles timeouts smartly (2 min for reads, 5 min for scans), and streams results back. Try/catch guards on all scan and xref commands prevent crashes.

The Toolset

70+ tools across memory operations (read, write, alloc, free), scanning (pattern, string, pointer, value, bool ranges, watch for changes), disassembly (Zydis with full operands, function boundaries, assemble, resolve RIP), PE analysis (sections, exports, imports, headers, vtables), cross-references (who calls/references what), Unreal Engine helpers (resolve globals, read FName/FString/TArray/UObject, walk class hierarchy, enumerate actors, read transforms), Source 2 analysis (interfaces, schema dumps), emulation (Unicorn x86-64 with process-backed memory), hooking (IAT patches), and live overlay drawing (labels, boxes, lines, 3D world markers, address watches, struct visualizers).

Most of these are composed from a handful of primitives, so adding new tools is just writing a new command handler.

Real Examples

UE struct discovery: Ask Claude "find the player entity list" and it chains re_ue_resolve_globalsre_ue_find_actorsre_read_uobjectre_ue_dump_propsre_ue_read_fname to build a full struct map in ~2 minutes. Manual pointer chasing in ReClass would take an hour.

Pattern hunting: Ask "where does the game read health?" and Claude runs re_scan_value (find candidates), re_watch_range (monitor them), re_xrefs_to (find code), re_disassemble_function (analyze), then re_scan_patternre_scan_all_patterns to verify it's stable. Working signature in ~5 minutes.

Live overlay: Ask "draw all actors on my screen" and Claude resolves GWorld, enumerates actors, reads their transforms, and calls re_draw_world_marker for each one. Real-time visualization updating every frame, no game mod required.

Design Decisions

HTTP polling over WebSocket: WebSocket had localhost binding issues. Polling every 50ms is negligible latency, simpler error handling, no state management.

Flat parameters (p0..p5): Perception's HTTP handler doesn't parse JSON, so commands use positional parameters. Bridge maps them transparently.

Smart timeouts: Quick reads get 2 minutes, scans get 5 minutes automatically. Prevents timeouts on large module scans (200MB+ can take minutes).

Worker threads: Heavy scans happen on background threads so the poll loop stays responsive and results come back async.

Physical memory access: Perception uses page table translation, so you can write .text sections without VirtualProtect. No protection changes needed.

Game-agnostic: Tools expose raw primitives only. All game knowledge lives in the Claude conversation. Same codebase works with anything: UE games, CS2, custom engines, system services.

What Works

MCP maps perfectly to RE tools. Structured parameters, clear descriptions, predictable outputs. Claude just gets it without hand-holding.

Claude is weirdly good at pattern recognition in memory dumps. Spots vtable pointers, FName indices, padding, flag fields, inheritance chains. What takes hours in ReClass takes minutes here.

The tedium is gone. Typing addresses, converting hex, chasing pointers manually — the AI does all that. I focus on understanding what code does, not the mechanics.

Perception's iteration loop is tight. Edit script, click Execute, test live without restarting the game or losing your process attachment. The IDE has built-in memory viewing, disassembly overlays, pattern scanner. The MCP bridge is just orchestration on top of that.

Files: bridge/index.js (MCP server), source/main.as (Perception script).

This tool is built for security research and educational purposes. The MCP bridge provides raw access to process memory.

© 2026 sinister.codes · all rights reserved