원클릭으로 Manus에서 모든 스킬 실행

시작하기

$pwd:

decompile

Name: Decompile
Author: dariushoule

// Decompile a function to C-like pseudocode using angr

Manus에서 실행

$ git log --oneline --stat

stars:175

forks:14

updated:2026년 2월 12일 21:30

파일 탐색기

2 개 파일

SKILL.md

readonly

name	decompile
description	Decompile a function to C-like pseudocode using angr
allowed-tools	mcp__x64dbg__get_debugger_status, mcp__x64dbg__get_register, mcp__x64dbg__eval_expression, mcp__x64dbg__get_symbol, Bash, Read

decompile

Decompile a function from the debugged binary into C-like pseudocode using angr.

If no address is specified, decompiles the function containing the current instruction pointer. Accepts an address or symbol name as an argument.

Instructions

Follow these steps exactly:

1. Check prerequisites

Run pip show angr via Bash. If angr is not installed, tell the user:

angr is not installed. Install it with pip install angr (requires Python >= 3.10). Note: angr is a large package (~500MB+).

Then stop.

2. Verify debugger connection

Call mcp__x64dbg__get_debugger_status to confirm the debugger is connected and paused. If not debugging, tell the user and stop.

3. Determine target function address

If the user provided an address or symbol as an argument:

If it looks like a hex address, use it directly
If it looks like a symbol name, resolve it via mcp__x64dbg__eval_expression

If no argument was provided:

Get the current instruction pointer via mcp__x64dbg__get_register (register rip for 64-bit, eip for 32-bit)
Use the current RIP/EIP value as the target address

Call this resolved value target_addr.

4. Resolve module path and compute RVA

Use mcp__x64dbg__eval_expression to evaluate:

mod.path(target_addr) — to get the on-disk path of the module containing the address
mod.base(target_addr) — to get the module's base address

Compute the RVA: target_addr - module_base

If mod.path fails, the address may not belong to a loaded module. Tell the user and stop.

5. Run the decompile script

Execute:

python "${CLAUDE_PLUGIN_ROOT}\skills\decompile\decompile.py" --binary "<module_path>" --address <rva_hex>

Where:

<module_path> is the on-disk path from step 4
<rva_hex> is the RVA in hex (e.g. 0x1060)

The script may take 10-30 seconds for large binaries (CFG generation is the bottleneck). Use a timeout of at least 120 seconds.

6. Present results

The script outputs decompiled C pseudocode to stdout and status messages to stderr.

Present the decompiled code to the user in a ```c code block. If the script failed, relay the error message from stderr (e.g., function not found, decompilation failed) and suggest nearby functions if listed.

related-skills.json

같은 저장소

yara-sigs.md

from "dariushoule/x64dbg-skills"

Scan a state snapshot's memory dumps with YARA signatures to detect packers, crypto constants, malware, and more

2026-03-13175

state-snapshot.md

from "dariushoule/x64dbg-skills"

Capture a full debuggee state snapshot (all committed memory regions + processor state) to disk for offline analysis

2026-03-13175

find-oep.md

from "dariushoule/x64dbg-skills"

Smart trace-based OEP finder for packed/protected PE executables. Traces through packer stubs using intelligent stepping, anti-debug evasion, and heuristic OEP detection, then captures a state snapshot at the original entry point.

2026-03-11175

vuln-hunter.md

from "dariushoule/x64dbg-skills"

Hunt for vulnerabilities in a running debuggee by analyzing imports/exports, triaging attack surface, and iteratively testing for bugs with PoC generation.

2026-03-11175

shellcode-analyzer.md

from "dariushoule/x64dbg-skills"

Load, unpack, and analyze shellcode in x64dbg. Use this skill when the user wants to analyze shellcode, load a shellcode blob into a debugger, unpack encoded/encrypted shellcode, or perform static/dynamic analysis of shellcode payloads.

2026-03-05175

state-diff.md

from "dariushoule/x64dbg-skills"

Compare two state snapshots to identify register and memory changes between two points in time

2026-02-12175

package.json

"author": "dariushoule"

"repository": "dariushoule/x64dbg-skills"

GitHub 저장소 열기 Creator 저장소 보기

$ install --global

$ download --local

Manus에서 실행

$ useful --forSOC

기타 컴퓨터 관련 직업컴퓨터 및 수학직15-1299L4

name	decompile
description	Decompile a function to C-like pseudocode using angr
allowed-tools	mcp__x64dbg__get_debugger_status, mcp__x64dbg__get_register, mcp__x64dbg__eval_expression, mcp__x64dbg__get_symbol, Bash, Read

decompile

Decompile a function from the debugged binary into C-like pseudocode using angr.

If no address is specified, decompiles the function containing the current instruction pointer. Accepts an address or symbol name as an argument.

Instructions

Follow these steps exactly:

1. Check prerequisites

Run pip show angr via Bash. If angr is not installed, tell the user:

angr is not installed. Install it with pip install angr (requires Python >= 3.10). Note: angr is a large package (~500MB+).

Then stop.

2. Verify debugger connection

Call mcp__x64dbg__get_debugger_status to confirm the debugger is connected and paused. If not debugging, tell the user and stop.

3. Determine target function address

If the user provided an address or symbol as an argument:

If it looks like a hex address, use it directly
If it looks like a symbol name, resolve it via mcp__x64dbg__eval_expression

If no argument was provided:

Get the current instruction pointer via mcp__x64dbg__get_register (register rip for 64-bit, eip for 32-bit)
Use the current RIP/EIP value as the target address

Call this resolved value target_addr.

4. Resolve module path and compute RVA

Use mcp__x64dbg__eval_expression to evaluate:

mod.path(target_addr) — to get the on-disk path of the module containing the address
mod.base(target_addr) — to get the module's base address

Compute the RVA: target_addr - module_base

If mod.path fails, the address may not belong to a loaded module. Tell the user and stop.

5. Run the decompile script

Execute:

python "${CLAUDE_PLUGIN_ROOT}\skills\decompile\decompile.py" --binary "<module_path>" --address <rva_hex>

Where:

<module_path> is the on-disk path from step 4
<rva_hex> is the RVA in hex (e.g. 0x1060)

The script may take 10-30 seconds for large binaries (CFG generation is the bottleneck). Use a timeout of at least 120 seconds.

6. Present results

The script outputs decompiled C pseudocode to stdout and status messages to stderr.

decompile

decompile

Instructions

1. Check prerequisites

2. Verify debugger connection

3. Determine target function address

4. Resolve module path and compute RVA

5. Run the decompile script

6. Present results

이 저장소의 다른 Skills

이 저장소의 다른 Skills

decompile

Instructions

1. Check prerequisites

2. Verify debugger connection

3. Determine target function address

4. Resolve module path and compute RVA

5. Run the decompile script

6. Present results