indirect calls, switch tables, dataflow, CI

Author: Night1099

.claude/CLAUDE.md

@@ -5,6 +5,7 @@
 **Never run static analysis tools directly.** Delegate to a `static-analyzer` subagent. Only exceptions — run these inline:
 - `sigdb.py identify` / `fingerprint` (single-function ID, <5s)
 - `context.py assemble` / `postprocess` (context gathering, <5s)
+- `dataflow.py --constants` / `--slice` (single-function analysis, <5s)
 - `readmem.py` (single typed read from PE, <5s)
 - `asi_patcher.py build` (build step, not analysis)
 - `pyghidra_backend.py status` (project existence check, <1s)
@@ -75,5 +76,5 @@ Each file reads as if it was always designed this way. Comments guide the next d
 
 - **Tool catalog, decision guide, and caveats**: @.claude/rules/tool-catalog.md
 - **Subagent workflow and delegation rules**: @.claude/rules/subagent-workflow.md
-- **Project workspace and knowledge base format**: @.claude/rules/project-workspace.md
-- **DX9 FFP proxy porting for RTX Remix**: @.claude/rules/dx9-ffp-port.md
+- **DX9 FFP proxy porting for RTX Remix**: `/dx9-ffp-port` skill
+- **Frida-based dynamic analysis**: `/dynamic-analysis` skill

.claude/rules/subagent-workflow.md

@@ -41,6 +41,7 @@ When analyzing a binary for the first time (no existing or sparsely populated `p
 | Single function ID (`sigdb.py identify`, `fingerprint`) | Main agent -- fast (<5s) |
 | Context assembly (`context.py assemble`) | Main agent -- fast (<5s) |
 | Decompiler postprocess (`context.py postprocess`) | Main agent -- instant |
+| Dataflow: constants + backward slice (`dataflow.py`) | Main agent -- fast (<5s) |
 | File editing, patch specs, builds | Main agent — directly |
 | KB updates from subagent findings | `static-analyzer` writes to `kb.h`; main agent may refine |
 
@@ -82,15 +83,17 @@ For deep analysis tasks (finding subsystems, mapping call chains, understanding
 ## Examples
 
 **"Disable culling in game.exe"**
-1. Spawn `static-analyzer` #1 (r2ghidra): find `SetRenderState` calls with `D3DRS_CULLMODE`, string search for "cull", xrefs to render state functions. Uses `--backend pdg --types kb.h`. Writes to `findings_r2.md`.
+1. Spawn `static-analyzer` #1 (r2ghidra): find `SetRenderState` calls with `D3DRS_CULLMODE`, string search for "cull", xrefs --indirect to find vtable call sites. Uses `--backend pdg --types kb.h`. Writes to `findings_r2.md`.
 2. Spawn `static-analyzer` #2 (pyghidra): same search strategy but decompile with `pyghidra_backend.py decompile`. Writes to `findings.md`.
 3. Immediately tell the user: "Please launch the game — I'll need to attach with livetools to patch culling at runtime once I find the addresses"
-4. When both return, merge findings and use `livetools` to verify and patch: `mem write` to NOP the cull-enable instruction or force `D3DRS_CULLMODE` to `D3DCULL_NONE`
+4. While waiting, run `dataflow.py --constants` on any known render functions to see what cull mode constants flow in (e.g., `eax = 0x2` = D3DCULL_CW)
+5. When both return, merge findings and use `livetools` to verify and patch: `mem write` to NOP the cull-enable instruction or force `D3DRS_CULLMODE` to `D3DCULL_NONE`
 
 **"What does function 0x401000 do?"**
-1. Spawn `static-analyzer`: decompile with `--types kb.h`, get callgraph, xrefs
-2. Tell the user: "Static analysis is running. Want me to also trace this function live to see actual register values and call frequency?"
-3. If yes, attach with `livetools trace 0x401000 --count 20 --read`
+1. Spawn `static-analyzer`: decompile with `--types kb.h`, get callgraph --indirect, xrefs
+2. Run `dataflow.py 0x401000 --constants` inline — see what constants flow through
+3. Tell the user: "Static analysis is running. Want me to also trace this function live to see actual register values and call frequency?"
+4. If yes, attach with `livetools trace 0x401000 --count 20 --read`
 
 **"Find who writes to address 0x7A0000"**
 1. Spawn `static-analyzer`: `datarefs.py` for static references

.claude/rules/tool-catalog.md

@@ -23,15 +23,20 @@ These are fast (<5s) and allowed inline:
 - "Get full context before reasoning about a function" → `python -m retools.context assemble $B $VA --project $P`
 - "Clean up decompiler output with known names" → pipe through `python -m retools.context postprocess`
 - "Read a typed value from the PE file" → `python -m retools.readmem $B $VA $TYPE`
+- "What constant flows into this register?" → `python -m retools.dataflow $B $VA --constants`
+- "Trace where this value comes from" → `python -m retools.dataflow $B $VA --slice TARGET_VA:REG`
 - "Build an ASI patch DLL" → `python -m retools.asi_patcher build spec.json`
 
 ### Delegate to `static-analyzer` subagent
 
 Everything else. Tell the subagent WHAT you need, not HOW to run it — it has the full tool catalog.
 
-- "What does this function do?" → decompile + callgraph + xrefs
+- "What does this function do?" → decompile + callgraph + xrefs + dataflow --constants
 - "Who calls this function?" → xrefs or callgraph --up
-- "What does this function call?" → callgraph --down
+- "What does this function call?" → callgraph --down (add --indirect for vtable calls)
+- "Who calls this virtual method?" → xrefs --indirect + filter by vtable slot offset
+- "What constant reaches this call?" → dataflow --constants or --slice VA:REG
+- "Resolve a switch/jump table" → cfg (auto-resolves MSVC switch patterns)
 - "Find a string and who uses it" → string search with xrefs
 - "Where is this global read/written?" → datarefs
 - "Where is struct field +0x54 used?" → structrefs
@@ -69,9 +74,10 @@ Everything else. Tell the subagent WHAT you need, not HOW to run it — it has t
 | `pyghidra_backend.py decompile $B $VA --project $P` | Decompile via saved Ghidra project | `pyghidra_backend.py decompile game.exe 0x401000 --project patches/MyGame` |
 | `pyghidra_backend.py status $B --project $P` | Check if Ghidra project exists | `pyghidra_backend.py status game.exe --project patches/MyGame` |
 | `funcinfo.py $B $VA` | Find function start/end, rets, calling convention, callees | `funcinfo.py binary.exe 0x401000` |
-| `cfg.py $B $VA` | Control flow graph (basic blocks + edges, text or mermaid) | `cfg.py binary.exe 0x401000 --format mermaid` |
-| `callgraph.py $B $VA` | Caller/callee tree (multi-level, --up/--down N) | `callgraph.py binary.exe 0x401000 --up 3` |
-| `xrefs.py $B $VA` | Find all calls/jumps TO an address | `xrefs.py binary.exe 0x401000 -t call` |
+| `cfg.py $B $VA` | Control flow graph (basic blocks + edges, text or mermaid). Resolves MSVC switch/jump tables automatically. `--switch-details` shows table info | `cfg.py binary.exe 0x401000 --format mermaid` |
+| `callgraph.py $B $VA` | Caller/callee tree (multi-level, --up/--down N). `--indirect` adds vtable/fptr calls to --down trees | `callgraph.py binary.exe 0x401000 --down 2 --indirect` |
+| `xrefs.py $B $VA` | Find all calls/jumps TO an address. `--indirect` also scans for `call [reg+offset]`, `call [reg]`, `call [addr]` | `xrefs.py binary.exe 0x401000 --indirect` |
+| `dataflow.py $B $VA` | Forward constant propagation (`--constants`) or backward register slice (`--slice VA:REG`) within a function | `dataflow.py binary.exe 0x401000 --constants` |
 | `datarefs.py $B $VA` | Find instructions that reference a global address (mem deref + `--imm` for push/mov constants) | `datarefs.py binary.exe 0x7A0000 --imm` |
 | `structrefs.py $B $OFF` | Find all `[reg+offset]` accesses (struct field usage) | `structrefs.py binary.exe 0x54 --base esi` |
 | `structrefs.py $B --aggregate` | Reconstruct C struct from all field accesses in a function | `structrefs.py binary.exe --aggregate --fn 0x401000 --base esi` |
@@ -92,7 +98,7 @@ Everything else. Tell the subagent WHAT you need, not HOW to run it — it has t
 | `sigdb.py scan $B` | Bulk signature scan against DB | `sigdb.py scan game.exe` |
 | `sigdb.py identify $B $VA` | Single function signature lookup (multi-tier) | `sigdb.py identify game.exe 0x401200` |
 | `sigdb.py fingerprint $B` | Identify compiler version (Rich header + markers + imports) | `sigdb.py fingerprint game.exe` |
-| `context.py assemble $B $VA --project $P` | Gather full analysis context for a function | `context.py assemble game.exe 0x401500 --project Warband` |
+| `context.py assemble $B $VA --project $P` | Gather full analysis context for a function. Includes forward constant propagation by default (`--no-dataflow` to skip) | `context.py assemble game.exe 0x401500 --project Warband` |
 | `context.py postprocess $B $VA --project $P` | Mechanically rename/annotate decompiler output (pipe) | `decompiler.py ... \| context.py postprocess ...` |
 | `sigdb.py build $MANIFEST` | Build/extend signature DB from manifest | `sigdb.py build sources.json` |
 | `sigdb.py pull` | Download signature DB from HuggingFace | `sigdb.py pull` or `sigdb.py pull --sources` |

.cursor/rules/subagent-workflow.mdc

@@ -42,6 +42,7 @@ When analyzing a binary for the first time (no existing or sparsely populated `p
 | Single function ID (`sigdb.py identify`, `fingerprint`) | Main agent -- fast (<5s) |
 | Context assembly (`context.py assemble`) | Main agent -- fast (<5s) |
 | Decompiler postprocess (`context.py postprocess`) | Main agent -- instant |
+| Dataflow: constants + backward slice (`dataflow.py`) | Main agent -- fast (<5s) |
 | File editing, patch specs, builds | Main agent — directly |
 | KB updates from subagent findings | `static-analyzer` writes to `kb.h`; main agent may refine |
 
@@ -83,15 +84,17 @@ For deep analysis tasks (finding subsystems, mapping call chains, understanding
 ## Examples
 
 **"Disable culling in game.exe"**
-1. Spawn `static-analyzer` #1 (r2ghidra): find `SetRenderState` calls with `D3DRS_CULLMODE`, string search for "cull", xrefs to render state functions. Uses `--backend pdg --types kb.h`. Writes to `findings_r2.md`.
+1. Spawn `static-analyzer` #1 (r2ghidra): find `SetRenderState` calls with `D3DRS_CULLMODE`, string search for "cull", xrefs --indirect to find vtable call sites. Uses `--backend pdg --types kb.h`. Writes to `findings_r2.md`.
 2. Spawn `static-analyzer` #2 (pyghidra): same search strategy but decompile with `pyghidra_backend.py decompile`. Writes to `findings.md`.
 3. Immediately tell the user: "Please launch the game — I'll need to attach with livetools to patch culling at runtime once I find the addresses"
-4. When both return, merge findings and use `livetools` to verify and patch: `mem write` to NOP the cull-enable instruction or force `D3DRS_CULLMODE` to `D3DCULL_NONE`
+4. While waiting, run `dataflow.py --constants` on any known render functions to see what cull mode constants flow in (e.g., `eax = 0x2` = D3DCULL_CW)
+5. When both return, merge findings and use `livetools` to verify and patch: `mem write` to NOP the cull-enable instruction or force `D3DRS_CULLMODE` to `D3DCULL_NONE`
 
 **"What does function 0x401000 do?"**
-1. Spawn `static-analyzer`: decompile with `--types kb.h`, get callgraph, xrefs
-2. Tell the user: "Static analysis is running. Want me to also trace this function live to see actual register values and call frequency?"
-3. If yes, attach with `livetools trace 0x401000 --count 20 --read`
+1. Spawn `static-analyzer`: decompile with `--types kb.h`, get callgraph --indirect, xrefs
+2. Run `dataflow.py 0x401000 --constants` inline — see what constants flow through
+3. Tell the user: "Static analysis is running. Want me to also trace this function live to see actual register values and call frequency?"
+4. If yes, attach with `livetools trace 0x401000 --count 20 --read`
 
 **"Find who writes to address 0x7A0000"**
 1. Spawn `static-analyzer`: `datarefs.py` for static references

.cursor/rules/tool-catalog.mdc

@@ -24,15 +24,20 @@ These are fast (<5s) and allowed inline:
 - "Get full context before reasoning about a function" → `python -m retools.context assemble $B $VA --project $P`
 - "Clean up decompiler output with known names" → pipe through `python -m retools.context postprocess`
 - "Read a typed value from the PE file" → `python -m retools.readmem $B $VA $TYPE`
+- "What constant flows into this register?" → `python -m retools.dataflow $B $VA --constants`
+- "Trace where this value comes from" → `python -m retools.dataflow $B $VA --slice TARGET_VA:REG`
 - "Build an ASI patch DLL" → `python -m retools.asi_patcher build spec.json`
 
 ### Delegate to `static-analyzer` subagent
 
 Everything else. Tell the subagent WHAT you need, not HOW to run it — it has the full tool catalog.
 
-- "What does this function do?" → decompile + callgraph + xrefs
+- "What does this function do?" → decompile + callgraph + xrefs + dataflow --constants
 - "Who calls this function?" → xrefs or callgraph --up
-- "What does this function call?" → callgraph --down
+- "What does this function call?" → callgraph --down (add --indirect for vtable calls)
+- "Who calls this virtual method?" → xrefs --indirect + filter by vtable slot offset
+- "What constant reaches this call?" → dataflow --constants or --slice VA:REG
+- "Resolve a switch/jump table" → cfg (auto-resolves MSVC switch patterns)
 - "Find a string and who uses it" → string search with xrefs
 - "Where is this global read/written?" → datarefs
 - "Where is struct field +0x54 used?" → structrefs
@@ -70,9 +75,10 @@ Everything else. Tell the subagent WHAT you need, not HOW to run it — it has t
 | `pyghidra_backend.py decompile $B $VA --project $P` | Decompile via saved Ghidra project | `pyghidra_backend.py decompile game.exe 0x401000 --project patches/MyGame` |
 | `pyghidra_backend.py status $B --project $P` | Check if Ghidra project exists | `pyghidra_backend.py status game.exe --project patches/MyGame` |
 | `funcinfo.py $B $VA` | Find function start/end, rets, calling convention, callees | `funcinfo.py binary.exe 0x401000` |
-| `cfg.py $B $VA` | Control flow graph (basic blocks + edges, text or mermaid) | `cfg.py binary.exe 0x401000 --format mermaid` |
-| `callgraph.py $B $VA` | Caller/callee tree (multi-level, --up/--down N) | `callgraph.py binary.exe 0x401000 --up 3` |
-| `xrefs.py $B $VA` | Find all calls/jumps TO an address | `xrefs.py binary.exe 0x401000 -t call` |
+| `cfg.py $B $VA` | Control flow graph (basic blocks + edges, text or mermaid). Resolves MSVC switch/jump tables automatically. `--switch-details` shows table info | `cfg.py binary.exe 0x401000 --format mermaid` |
+| `callgraph.py $B $VA` | Caller/callee tree (multi-level, --up/--down N). `--indirect` adds vtable/fptr calls to --down trees | `callgraph.py binary.exe 0x401000 --down 2 --indirect` |
+| `xrefs.py $B $VA` | Find all calls/jumps TO an address. `--indirect` also scans for `call [reg+offset]`, `call [reg]`, `call [addr]` | `xrefs.py binary.exe 0x401000 --indirect` |
+| `dataflow.py $B $VA` | Forward constant propagation (`--constants`) or backward register slice (`--slice VA:REG`) within a function | `dataflow.py binary.exe 0x401000 --constants` |
 | `datarefs.py $B $VA` | Find instructions that reference a global address (mem deref + `--imm` for push/mov constants) | `datarefs.py binary.exe 0x7A0000 --imm` |
 | `structrefs.py $B $OFF` | Find all `[reg+offset]` accesses (struct field usage) | `structrefs.py binary.exe 0x54 --base esi` |
 | `structrefs.py $B --aggregate` | Reconstruct C struct from all field accesses in a function | `structrefs.py binary.exe --aggregate --fn 0x401000 --base esi` |
@@ -93,7 +99,7 @@ Everything else. Tell the subagent WHAT you need, not HOW to run it — it has t
 | `sigdb.py scan $B` | Bulk signature scan against DB | `sigdb.py scan game.exe` |
 | `sigdb.py identify $B $VA` | Single function signature lookup (multi-tier) | `sigdb.py identify game.exe 0x401200` |
 | `sigdb.py fingerprint $B` | Identify compiler version (Rich header + markers + imports) | `sigdb.py fingerprint game.exe` |
-| `context.py assemble $B $VA --project $P` | Gather full analysis context for a function | `context.py assemble game.exe 0x401500 --project Warband` |
+| `context.py assemble $B $VA --project $P` | Gather full analysis context for a function. Includes forward constant propagation by default (`--no-dataflow` to skip) | `context.py assemble game.exe 0x401500 --project Warband` |
 | `context.py postprocess $B $VA --project $P` | Mechanically rename/annotate decompiler output (pipe) | `decompiler.py ... \| context.py postprocess ...` |
 | `sigdb.py build $MANIFEST` | Build/extend signature DB from manifest | `sigdb.py build sources.json` |
 | `sigdb.py pull` | Download signature DB from HuggingFace | `sigdb.py pull` or `sigdb.py pull --sources` |

.github/copilot-instructions.md

@@ -18,7 +18,8 @@ Run `python verify_install.py` from the repo root before first use. If pyghidra/
 **Never run static analysis tools (`retools`) directly in sequence.** Delegate to the `static-analyzer` agent for all offline analysis. Exceptions — run these inline (all <5s):
 
 - `sigdb.py identify` / `fingerprint` — single-function ID or compiler detection
-- `context.py assemble` / `postprocess` — context gathering and decompiler annotation
+- `context.py assemble` / `postprocess` — context gathering and decompiler annotation (assemble now includes forward constant propagation by default; `--no-dataflow` to skip)
+- `dataflow.py --constants` / `--slice` — single-function constant propagation or backward register trace
 - `readmem.py` — single typed read from a PE file
 - `asi_patcher.py build` — build step, not analysis
 - `pyghidra_backend.py status` — project existence check (<1s)

.github/workflows/ci.yml

@@ -0,0 +1,24 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.12"]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: pip install -r requirements.txt pytest
+      - name: Run tests
+        run: pytest tests/ -v --tb=short