DEV Community

Cover image for How I Explain Ghidra Output With AI
Dominik Michelitsch
Dominik Michelitsch

Posted on

How I Explain Ghidra Output With AI

#security #ai #assembly #discuss

A practical, experience-driven walkthrough of how I use AI to reason about reverse‑engineering output — not blindly trust it.

Why I Started Doing This

If you’ve ever opened a fresh binary in Ghidra, you know the feeling.

You’re staring at thousands of functions named FUN_00401a90, control flow that looks almost familiar, and a decompiler that’s clearly trying its best — yet somehow leaves you with more questions than answers.

When I first got serious about reverse engineering, I thought the hard part was learning assembly.

It wasn’t.

The real challenge is building a mental model of what the program is actually doing:

  • Which functions matter?
  • What is data vs. control logic?
  • Where does state live?
  • Which paths are real, and which are compiler noise?

That part takes time.

And that’s exactly where AI — used correctly — turned out to be useful.

Not as an oracle.
Not as an automated reverser.
But as a tool for explaining what I’m already looking at.

What AI Is Not Doing Here

Let’s clear this up early.

AI is not reversing binaries for me.

It does not:

  • Discover vulnerabilities automatically
  • Understand compiler artifacts magically
  • Know which functions are important
  • Replace static or dynamic analysis

If you paste raw Ghidra output into an AI and ask “what does this program do?”, you’re asking the wrong question.

That’s how people end up with confident nonsense.

The value comes from something much narrower — and much more controlled.

The Actual Problem: Cognitive Load

Reverse engineering is cognitively expensive.

At any given moment, you’re juggling:

  • Decompiled C‑like code that isn’t really C
  • Assembly that only sometimes aligns with the decompiler
  • Cross‑references, call graphs, and data flow
  • Compiler optimizations actively working against readability

What slows people down isn’t lack of knowledge.

It’s mental bandwidth.

You spend half your time just keeping context in your head.

This is where AI helps — not by deciding things for you, but by acting as an external reasoning surface.

My Core Workflow (High Level)

My tooling hasn’t changed much:

  • Ghidra for static analysis
  • A debugger when needed
  • Notes, diagrams, scratch files

What has changed is how I process intermediate understanding.

The loop looks like this:

  1. Identify a function or region I care about
  2. Shrink it to the smallest meaningful chunk
  3. Ask AI to explain what I’m seeing, not what it “is”
  4. Validate that explanation against reality
  5. Iterate

Step 2 is where most of the quality comes from.

Step 1: Shrink the Problem Aggressively

A common mistake is pasting entire functions into AI.

That’s a losing game.

Decompiler output is noisy:

  • Stack canaries
  • Error paths
  • Calling‑convention glue
  • Compiler‑generated helpers

Before AI ever sees anything, I manually:

  • Remove obvious boilerplate
  • Isolate the main logic path
  • Rename variables roughly based on usage

By the time AI is involved, the problem is already human‑sized.

This step alone improves results dramatically.

Step 2: Ask for Explanation, Not Authority

I never ask:

“What does this function do?”

Instead, I ask:

  • “Explain this control flow in plain English.”
  • “What state transitions are happening here?”
  • “What assumptions does this code make about its inputs?”
  • “Which parts look compiler‑generated vs. intentional?”

These questions force descriptive output, not declarative claims.

AI is far better at restating structure than discovering truth.

Step 3: Treat Every Answer as a Hypothesis

Every AI explanation is a hypothesis.

Nothing more.

If the model says:

“This function appears to validate input before dispatching to handlers.”

My next step is verification:

  • Where are those handlers?
  • What happens on failure paths?
  • Is the control flow actually enforcing anything?

AI gives me a candidate mental model.
I decide whether it survives contact with reality.

Where AI Is Surprisingly Good

Used carefully, AI excels at:

  • Explaining convoluted control flow
  • Summarizing repetitive patterns
  • Translating low‑level logic into higher‑level intent
  • Spotting symmetry across similar functions

It’s especially helpful for:

  • State machines
  • Serialization / deserialization logic
  • Protocol handling
  • Large switch‑driven dispatchers

These are areas where human attention degrades quickly.

Where AI Is Actively Dangerous

There are clear failure modes.

AI is bad at:

  • Precise calling‑convention reasoning
  • Undefined behavior
  • Distinguishing code from data without context
  • Inline or hand‑written assembly

The most dangerous failure mode is false confidence.

If you don’t already understand the code somewhat, you won’t know when the explanation is wrong.

That’s why AI cannot be your first step.

A Concrete (Conceptual) Example

Imagine a function that:

  • Parses a buffer
  • Updates internal state
  • Conditionally dispatches handlers

Ghidra may flatten this into unreadable output.

My process:

  • Identify buffer offsets
  • Tentatively rename fields
  • Collapse obvious bounds checks

Then I ask:

“Explain how this function transforms input buffer fields into internal state. Ignore error handling.”

The answer often tells me whether I’m looking at:

  • A parser
  • A dispatcher
  • A validator

That classification alone saves time.

AI as a Documentation Partner

Another underused angle: documentation.

As I reverse something, I keep notes.

I’ll ask AI to:

  • Rephrase rough observations
  • Structure findings
  • Surface missing assumptions

This improves the quality of my documentation without outsourcing understanding.

Why This Still Requires Real Skill

This workflow only works if:

  • You understand assembly
  • You understand compilers
  • You know what not to trust

AI doesn’t remove the need for expertise.

It rewards it.

People without fundamentals get faster at being wrong.
People with fundamentals get faster at being precise.

The Mental Model That Works

I think of AI as:

A junior analyst who is very good at explaining things — and very bad at knowing when it’s wrong.

That framing keeps expectations grounded.

I decide.
It explains.
I verify.

Final Thoughts

Reverse engineering has always been about patience, discipline, and systems thinking.

AI doesn’t change that.

What it does change is the cost of iteration.

Used carefully, it lets you:

  • Externalize mental load
  • Explore hypotheses faster
  • Maintain momentum without cutting corners

Used poorly, it gives you the illusion of understanding.

The difference isn’t the tool.

It’s how you think.

If this was useful, I’ll follow up with posts on AI during dynamic analysis, documenting RE work, and where I draw hard boundaries with agentic tools.

Top comments (0)