Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From x64dbg-skills
Decompiles x64dbg-debugged binary functions to C-like pseudocode using angr. Specify address/symbol or uses current RIP/EIP.
How this skill is triggered — by the user, by Claude, or both
Slash command
/x64dbg-skills:decompileThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Decompile a function from the debugged binary into C-like pseudocode using angr.
Decompile a function from the debugged binary into C-like pseudocode using angr.
If no address is specified, decompiles the function containing the current instruction pointer. Accepts an address or symbol name as an argument.
Follow these steps exactly:
Run pip show angr via Bash. If angr is not installed, tell the user:
angr is not installed. Install it with
pip install angr(requires Python >= 3.10). Note: angr is a large package (~500MB+).
Then stop.
Call mcp__x64dbg__get_debugger_status to confirm the debugger is connected and paused. If not debugging, tell the user and stop.
If the user provided an address or symbol as an argument:
mcp__x64dbg__eval_expressionIf no argument was provided:
mcp__x64dbg__get_register (register rip for 64-bit, eip for 32-bit)Call this resolved value target_addr.
Use mcp__x64dbg__eval_expression to evaluate:
mod.path(target_addr) — to get the on-disk path of the module containing the addressmod.base(target_addr) — to get the module's base addressCompute the RVA: target_addr - module_base
If mod.path fails, the address may not belong to a loaded module. Tell the user and stop.
Execute:
python "${CLAUDE_PLUGIN_ROOT}\skills\decompile\decompile.py" --binary "<module_path>" --address <rva_hex>
Where:
<module_path> is the on-disk path from step 4<rva_hex> is the RVA in hex (e.g. 0x1060)The script may take 10-30 seconds for large binaries (CFG generation is the bottleneck). Use a timeout of at least 120 seconds.
The script outputs decompiled C pseudocode to stdout and status messages to stderr.
Present the decompiled code to the user in a ```c code block. If the script failed, relay the error message from stderr (e.g., function not found, decompilation failed) and suggest nearby functions if listed.
npx claudepluginhub dariushoule/x64dbg-skillsDecompiles binary functions to C-like pseudocode using VulHunt tools. Analyze function logic, control flow, or prepare for code pattern matching.
Decompile functions using ghidrasql queries to inspect pseudocode, local variables, parameters, and ctree AST patterns.
Decompiles and analyzes IDA Pro functions with Hex-Rays for pseudocode, ctree AST, local variables, labels, and decompiler-driven cleanup in reverse engineering.