
Turning any disassembler into an AI agent backend with a COM object

blog.talosintelligence.com · @threat_watch · 4 hours ago · Developer Tools · 6 comments

vbdec's live COM object model lets local agents query analyzed binaries directly, collapsing feature requests into one-line prompts.

Tags: vbdec, talos intelligence, claude code, com object model, reverse engineering, ai agents

The architectural move that collapses every user feature request into "ask the agent" is publishing an analysis tool's internal object model through a live COM interface. vbdec does exactly that, and the result is a disassembler that works as both a GUI and a persistent data server for local AI agents.

The recipe: three pieces that turn a GUI into a service

vbdec registers its central CVBProject object and main form in the Windows Running Object Table (ROT) under monikers vbdec.vbp and vbdec.frmMain. Any process can grab a reference to the running instance with a single VBScript line: Set o = GetObject("vbdec.vbp"). That variable now exposes the entire parsed project - forms, classes, P-code bodies, strings, controls - as a navigable object graph.

Talos paired this with an operator briefing (_claude_vbdec_ai_instructions.txt) and a proto folder containing 90 auto-generated class definitions. Point Claude Code at these text files, describe what you want analyzed, and the agent writes and runs multiple .vbs scripts with cscript, exploring the data iteratively. No preselected AI integration, no binary uploads, no glue code to maintain. Only the model inference requests leave the workstation; the binary stays local.

What the analyst actually does: decompile, graph, dump

Tested against a P-code version of PDFStreamDumper, the agent decompiled a named function by walking the VB-VM opcode stream and producing a source-level reconstruction with inline comments. Control flow was substantially recovered. The AI even went into subfunctions on its own, determined their purpose, and assigned reasonable names.

Building a call graph as a Graphviz DOT file took a single prompt. The agent walked each CCodeBody.Disasm, picked out call opcodes (ImpAdCallI2, VCallHresult, LateMemCall), and emitted the graph with depth tracking. Then the agent enumerated every function in the binary and dumped stats to a SQLite database: address, size, module, instruction count, callees, external API calls. For PDFStreamDumper the result was a database of 600+ rows. Now a query such as SELECT display_name FROM functions WHERE api_calls LIKE '%RtlMoveMemory%' replaces clicking through the GUI.
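The call-graph step above, as an added Python example that is not code from the Talos post or from vbdec: it assumes the disassembly text has already been exported from each CCodeBody.Disasm, in a constructed line layout (address, opcode, optional bracketed target) that may differ from vbdec's real output, picks out the three call opcodes named in the post, separates internal callees from external API imports, and emits DOT with breadth-first depth tracking.

```python
import re

# Constructed sample disassembly for three P-code bodies, keyed by function
# name. The line layout (address, opcode, optional [target]) is an assumption
# made for this example; real CCodeBody.Disasm text from vbdec may differ.
DISASM = {
    "Form1.cmdDump_Click": ['0000 LitStr "sample.pdf"',
                            "0005 ImpAdCallI2 [Module1.OpenStream]",
                            "000A VCallHresult [Form1.ParseObjects]",
                            "000F ExitProcHresult"],
    "Module1.OpenStream": ["0000 ImpAdCallI2 [kernel32.CreateFileA]",
                           "0005 ImpAdCallI2 [kernel32.RtlMoveMemory]",
                           "000A ExitProc"],
    "Form1.ParseObjects": ["0000 LateMemCall [Module1.OpenStream]",
                           "0005 ExitProcHresult"],
}
CALL_OPCODES = {"ImpAdCallI2", "VCallHresult", "LateMemCall"}  # call opcodes named in the post
LINE_RE = re.compile(r"^\w+\s+(\w+)(?:\s+\[([^\]]+)\])?")

def build_graph(disasm):
    """name -> (internal callees, external API calls, instruction count)."""
    graph = {}
    for name, lines in disasm.items():
        callees, apis = [], []
        for line in lines:
            m = LINE_RE.match(line)
            if m and m.group(1) in CALL_OPCODES and m.group(2):
                # A target that is itself a function in the binary is a callee; anything else is an import.
                (callees if m.group(2) in disasm else apis).append(m.group(2))
        graph[name] = (callees, apis, len(lines))
    return graph

def depths(graph, root):
    """Breadth-first call depth of every function reachable from root."""
    seen, queue = {root: 0}, [root]
    for cur in queue:  # appending while iterating extends the BFS frontier
        for callee in graph[cur][0]:
            if callee not in seen:
                seen[callee] = seen[cur] + 1
                queue.append(callee)
    return seen

def to_dot(graph, root):
    """Graphviz DOT for the call graph under root, with the depth in each node label."""
    d = depths(graph, root)
    out = ["digraph calls {"] + [f'  "{n}" [label="{n}\\ndepth {k}"];' for n, k in d.items()]
    out += [f'  "{c}" -> "{t}";' for c in d for t in graph[c][0]]
    return "\n".join(out + ["}"])
```

Pipe the returned DOT into dot -Tsvg to render it; the apis list per function is what the agent later loaded into the api_calls column.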

Talos also scaled this beyond single analyses. The agent built a complete opcode reference database for MSVBVM60.dll (1,165 dispatch slots) by coordinating vbdec over ROT with the idalib MCP server to read runtime handler functions. The result includes operand decoding, handler-verified semantics, alias relationships, corpus statistics, and written descriptions. Built in hours, not weeks.

Why this pattern generalizes beyond VB6

The contract between agent and tool is text files on a file system. Any analysis tool that publishes its internal model to the ROT and ships a briefing with prototypes becomes a substrate for local agentic automation. The interactive GUI stays for exploration; the agent handles everything that benefits from being repeatable, exhaustive, or fast. Plugin development used to be the answer - now the answer is publishing the model and handing the keys to the user.

Sensitive binaries never leave the analyst's machine. No API key baked into the product, no service that can be discontinued. The agent is whichever one the analyst already has. The disassembler stops being a place you look at a binary and becomes a service you ask questions of.


Source: Scripting the disassembler: Local agentic reverse engineering through vbdec's live COM object model
Domain: blog.talosintelligence.com
