VYPR
research · Published Jun 18, 2026 · 1 source

Cisco Talos Shows How to Turn vbdec Into an AI-Ready Reverse Engineering Tool via COM Object Model

Cisco Talos demonstrates a technique to make the VB6 disassembler vbdec AI-accessible by exposing its internal COM object model, enabling local agentic reverse engineering without modifying the tool.

Cisco Talos has published a detailed blog post demonstrating how to turn the VB6 disassembler vbdec into an AI-ready reverse engineering tool by exposing its internal data through a live COM object model. The technique allows AI agents, such as Anthropic's Claude Code, to query and automate analysis of VB6 binaries without modifying the core application. By leveraging Windows' Running Object Table (ROT), vbdec registers its parsed project objects, making them accessible to external scripts. This approach enables deep inspection of VB6 file format internals, including P-code and object tables, through iterative scripting.

The core of the technique lies in vbdec's ability to register its central CVBProject object and main form in the ROT under monikers like "vbdec.vbp" and "vbdec.frmMain" when remote scripting is enabled. Any process can then look up these objects and receive a reference to the running instance. From a script, a single line of code—Set o = GetObject("vbdec.vbp")—grants access to the entire parsed project: every form, class, module, declared API, P-code body, control, and string, presented as a navigable object graph. This effectively turns the disassembler into a persistent data server that can be queried repeatedly across multiple agent sessions.
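The binding step described above can be checked before any analysis script runs. The following is an added example, not code from Talos or vbdec: a preflight script that tries both monikers named in the article and fails cleanly when vbdec is not running or remote scripting is not enabled. The file name preflight.vbs is an assumption, and no vbdec member names are used.

```vbscript
' Added example: preflight check for vbdec's Running Object Table entries.
' Run with: cscript //nologo preflight.vbs   (file name is hypothetical)
' Only the two monikers come from the article; everything else is standard
' VBScript / Windows Script Host.
Option Explicit

Dim monikers, moniker, obj, failures
monikers = Array("vbdec.vbp", "vbdec.frmMain")
failures = 0

For Each moniker In monikers
    Set obj = Nothing

    ' GetObject raises a runtime error when the moniker is not in the ROT,
    ' so trap it locally instead of letting the script abort.
    On Error Resume Next
    Set obj = GetObject(moniker)

    If Err.Number <> 0 Then
        WScript.Echo "FAIL " & moniker & " (0x" & Hex(Err.Number) & "): " & Err.Description
        failures = failures + 1
        Err.Clear
    ElseIf obj Is Nothing Then
        WScript.Echo "FAIL " & moniker & ": lookup returned no object"
        failures = failures + 1
    Else
        ' TypeName reports the class of the live instance we bound to.
        WScript.Echo "OK   " & moniker & " -> " & TypeName(obj)
    End If
    On Error GoTo 0
Next

If failures > 0 Then
    WScript.Echo "vbdec is not reachable: start it, load a binary, and enable remote scripting."
    WScript.Quit 1   ' non-zero exit lets a calling agent or batch file stop here
End If

WScript.Quit 0
```

A non-zero exit code gives the agent an unambiguous signal to stop rather than iterate on scripts that cannot bind.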

To bridge the gap between the live model and the AI agent, vbdec now includes an AI agent support package. This consists of an operator briefing file (_claude_vbdec_ai_instructions.txt) that tells the agent what vbdec is, how to bind to the ROT, and how the object model is shaped. Additionally, a proto folder contains 90 auto-generated class definitions covering every public class and form vbdec exposes. The agent treats these as the authoritative reference for member names and types, enabling it to navigate the object graph accurately.

The third piece is the local agent itself. In the blog, Talos used Claude Code, run locally on the workstation. The user opens a terminal, points the AI at the briefing and prototypes, and describes what they would like analyzed. Claude Code then runs multiple .vbs files with cscript and explores the data through iterations. There is no preselected AI integration embedded in vbdec, no upload of the analyst's binary, and no glue to be maintained as a separate codebase. The agent and disassembler share a machine and file system; analysis occurs locally, with only model inference requests leaving the workstation.

Talos demonstrated the technique with two examples tested against a P-code version of PDFStreamDumper. In the first, the analyst named a function and asked for a source code reconstruction. The agent pulled the P-code, walked the VB-VM opcode stream, mapped each construct to its VB6 equivalent, and produced a source-level equivalent with inline comments. The reconstruction was not byte-identical, but the control flow was substantially recovered, with the AI even going into subfunctions on its own to determine their purpose and assign reasonable names. In the second example, the analyst asked for a call graph of a function as a Graphviz DOT file. The agent walked each CCodeBody.Disasm, picked out call opcodes, and emitted the DOT graph with depth tracking.

This approach represents a new working mode for reverse engineering tools. By exposing structured data rather than adding predefined AI features, users can extend a tool's capabilities through prompts, turning new analyses into workflows instead of product feature requests. The application becomes both an interactive viewer and a persistent data server, enabling local data to be parsed once and queried repeatedly across multiple agent sessions while keeping analyst-controlled data local. Whatever capability the agent adds next extends vbdec without any new code in the tool itself, and users are free to select whichever model they prefer.

Synthesized by Vypr AI