If you've ever pasted a Hex-Rays decompilation into ChatGPT and asked "what does this function do?", you've probably seen the response: a paragraph of hedging, a polite refusal, maybe an offer to discuss "general principles of memory safety" instead. Same with Claude. Same with Gemini. The model itself almost certainly has the technical knowledge to answer — but a refusal layer in front of the model has decided your prompt is too risky.
The refusal layer is not the model
Mainstream chatbots run two separate components in series: the model that generates text, and a classifier that decides whether the generated text (or the user's input) crosses a policy line. The classifier is what flips the response from a real answer to "I'm sorry, but…". It triggers on keyword patterns (exploit, payload, bypass, anti-cheat, deobfuscate), on contextual signals (mention of specific products like EAC, BattlEye, Denuvo), and on outputs that pattern-match to operational instructions.
This classifier is tuned to over-refuse rather than under-refuse, because under-refusal is what makes the news. "AI refuses to help kid with chemistry homework" is an internal Slack message; "AI helps user generate working malware" is a Bloomberg story. The asymmetry of public-relations risk biases the classifier strongly toward false positives.
What this looks like in practice
Examples of prompts that mainstream chat AIs reliably refuse, even though every one of them is a legitimate RE question with a published-textbook answer:
- "Walk me through how Easy Anti-Cheat detects external memory reads." (refused — anti-cheat is in the keyword list)
- "Explain how this Obfuscator.io string-array decoder works." (refused — "obfuscator" + "decoder")
- "Identify the protection scheme from these strings and imports." (refused — "protection" + "bypass" cluster)
- "What's a working format-string exploit on a 64-bit binary with PIE?" (refused — "exploit" is a hard keyword)
- "Help me decompile and explain this WASM module." (refused — "decompile" near "WASM")
All five are answerable from public documentation, conference talks, blog posts, and textbooks. The model has read all of those. The refusal isn't a knowledge problem — it's a policy problem.
The pragmatic alternatives
If you actually need to do this work — and many people legitimately do, including malware analysts, pentesters, defensive engineers reverse-engineering threats, game-mod authors, security researchers, students learning the field — you have three options:
- Self-host an open-weight model. Models like Llama-3.1-70B or Qwen-2.5-72B will answer most RE questions when prompted directly. The cost: a GPU big enough to host a 70B model, or willingness to wait for slow CPU inference. The benefit: full control.
- Use a chat product without a refusal layer on top. There are a handful — Aether (this site), Venice, a couple of others. They route to commercially-licensed models that don't add the extra classifier. You give up the brand-name AI but you get direct answers.
- Jailbreak. Burns time, breaks every model update, occasionally trips account-suspension flags. Not a long-term solution.
Why we built Aether around this
Aether is option 2. We picked one strong base model (Aether Core, currently a 1M-context Venice-licensed model), wrote a system prompt that tells it to give direct technical answers without hedging, and we don't add a refusal classifier on top. The model still has its native trained behaviors — it won't generate CSAM or detailed weapons-of-mass-destruction instructions, those are in the model itself — but the everyday RE/security/dual-use questions that mainstream chatbots refuse get real, technical answers.
There's also an MCP server (`aether-mcp` on npm) that wires Aether into Claude Desktop, Cursor, Cline, and Zed. The pattern: stay in Claude for general chat, and when Claude refuses, the routing layer hands the prompt to Aether and shows you the answer in the same conversation tab.
Walk me through how Easy Anti-Cheat detects external memory reads. What signals does it actually monitor?Open this in Aether →
When does the refusal layer help anyone?
Honestly, very rarely. Determined bad actors have other options — open-weight models, dedicated leak forums, a stack of older techniques that don't need an AI at all. The refusal layer mostly affects the median user: a curious student, a working professional, a hobbyist learning RE. They're not going to commit a crime; they're going to bounce off the refusal and Google their way to the answer in fifteen minutes.
So the refusal mostly costs everyone a few minutes of their life and produces a worse experience for the legitimate use case, while doing nothing meaningful about the rare malicious use case. That's the case for the alternative architecture: trust the user, ship a model with calibrated native refusals (the actually-illegal stuff), and skip the corporate-policy classifier on top.
What to do next
If you're stuck on a real RE problem right now, the fastest path is: open Aether, paste the function or the disasm, and ask the question directly. The free tier (150 credits) is enough to feel out whether the answer quality matches your needs. If it does, the MCP server brings the same model into your existing IDE chat workflow. If it doesn't, no harm done — you've learned something about which AI front-end actually answers your specific kinds of questions.