/tracealyzer

Traces execution (into or over calls) for N steps or until a condition is met, then analyzes the recorded instruction log:

• Configurable trace mode: step into calls or step over calls
• Stop on a max instruction count, an x64dbg expression (e.g. cip == 0x401000), or both
• Captures a full instruction log to traces/ with addresses, disassembly, labels, and comments
• Summarizes execution flow, hot spots, API calls, loops, and notable patterns
• Follow-up actions: annotate key addresses in x64dbg, deeper sub-region analysis, deobfuscation

/shellcode-analyzer

Loads, unpacks, and analyzes raw shellcode blobs in x64dbg:

• Launches x64dbg with timeout.exe as a sacrificial process (supports 32-bit and 64-bit)
• Allocates memory, writes shellcode, and redirects execution with optional NOP sled
• Unpacking — identifies and executes decoder stubs (XOR loops, decompression routines, self-modifying code)
• Static analysis — disassembly, YARA scanning (/yara-sigs), annotates key addresses with comments and labels
• Dynamic analysis — steps through import resolvers, inspects decoded payloads/strings/C2 configs
• Produces annotated shellcode in x64dbg and optional markdown reports

/find-oep

Smart trace-based OEP finder for packed/protected PE executables:

• Traces through packer stubs using intelligent stepping, anti-debug evasion, and heuristic detection (section transitions, stack restoration, compiler entry patterns, IAT population)
• Handles common packers (UPX, ASPack, MPRESS, PECompact, Themida, VMProtect, Enigma) and unknown/custom packers
• Detects and evades anti-debug techniques: PEB flags, timing checks, hardware BP detection, exception tricks, self-checksums
• Leverages /yara-sigs for packer identification and /state-snapshot for memory capture at OEP
• Leaves the debugger paused at the OEP with a state snapshot for downstream analysis or PE reconstruction

/vuln-hunter

Hunts for vulnerabilities in a running debuggee through systematic analysis:

• Reconnaissance — enumerates imports/exports, categorizes I/O functions by attack context (network, file, registry, etc.), and finds cross-references to dangerous sinks
• Triage — ranks code paths by attacker reachability and sink severity, presents a prioritized attack surface map
• Bug hunting — iteratively analyzes target functions for buffer overflows, integer wraps, format strings, logic flaws; generates test inputs and observes behavior under the debugger
• PoC development — builds proof-of-concept Python scripts that demonstrate impact (crash, info leak, code execution)
• Leverages /decompile for complex functions and /tracealyzer for execution tracing
• Produces annotated targets in x64dbg and optional markdown vulnerability reports

Prerequisites

• x64dbg and x64dbg Automate installed
• x64dbg MCP server configured in Claude Code
• Python 3 with the x64dbg_automate pip package installed:

  pip install x64dbg_automate[mcp] --upgrade
  

• For the /decompile skill: angr (Python >= 3.10):

  pip install angr
  

• For the /yara-sigs skill: yara-python and Git:

  pip install yara-python
  

• For the /vuln-hunter skill: LIEF for static PE analysis:

  pip install lief
  

Installation

Add the marketplace and install the plugin:

/plugin marketplace add dariushoule/x64dbg-skills
/plugin install x64dbg-skills

Updating

To update to the latest version:

/plugin install x64dbg-skills

Usage

A decent guide that gives good ideas on how to use these skills: Cooking with x64dbg and MCP

License

MIT