Menu
Decompile a function to C-like pseudocode using angr
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
Scan a state snapshot's memory dumps with YARA signatures to detect packers, crypto constants, malware, and more
Capture a full debuggee state snapshot (all committed memory regions + processor state) to disk for offline analysis
Smart trace-based OEP finder for packed/protected PE executables. Traces through packer stubs using intelligent stepping, anti-debug evasion, and heuristic OEP detection, then captures a state snapshot at the original entry point.
Hunt for vulnerabilities in a running debuggee by analyzing imports/exports, triaging attack surface, and iteratively testing for bugs with PoC generation.
Load, unpack, and analyze shellcode in x64dbg. Use this skill when the user wants to analyze shellcode, load a shellcode blob into a debugger, unpack encoded/encrypted shellcode, or perform static/dynamic analysis of shellcode payloads.
Compare two state snapshots to identify register and memory changes between two points in time
| name | decompile |
| description | Decompile a function to C-like pseudocode using angr |
| allowed-tools | mcp__x64dbg__get_debugger_status, mcp__x64dbg__get_register, mcp__x64dbg__eval_expression, mcp__x64dbg__get_symbol, Bash, Read |
Decompile a function from the debugged binary into C-like pseudocode using angr.
If no address is specified, decompiles the function containing the current instruction pointer. Accepts an address or symbol name as an argument.
Follow these steps exactly:
Run pip show angr via Bash. If angr is not installed, tell the user:
angr is not installed. Install it with
pip install angr(requires Python >= 3.10). Note: angr is a large package (~500MB+).
Then stop.
Call mcp__x64dbg__get_debugger_status to confirm the debugger is connected and paused. If not debugging, tell the user and stop.
If the user provided an address or symbol as an argument:
mcp__x64dbg__eval_expressionIf no argument was provided:
mcp__x64dbg__get_register (register rip for 64-bit, eip for 32-bit)Call this resolved value target_addr.
Use mcp__x64dbg__eval_expression to evaluate:
mod.path(target_addr) — to get the on-disk path of the module containing the addressmod.base(target_addr) — to get the module's base addressCompute the RVA: target_addr - module_base
If mod.path fails, the address may not belong to a loaded module. Tell the user and stop.
Execute:
python "${CLAUDE_PLUGIN_ROOT}\skills\decompile\decompile.py" --binary "<module_path>" --address <rva_hex>
Where:
<module_path> is the on-disk path from step 4<rva_hex> is the RVA in hex (e.g. 0x1060)The script may take 10-30 seconds for large binaries (CFG generation is the bottleneck). Use a timeout of at least 120 seconds.
The script outputs decompiled C pseudocode to stdout and status messages to stderr.
Present the decompiled code to the user in a ```c code block. If the script failed, relay the error message from stderr (e.g., function not found, decompilation failed) and suggest nearby functions if listed.