Skill

decompile

Decompiles x64dbg-debugged binary functions to C-like pseudocode using angr. Specify address/symbol or uses current RIP/EIP.

Python

Bash

developer-tools

security

npx claudepluginhub dariushoule/x64dbg-skills

Tool Access

This skill is limited to using the following tools:

mcp__x64dbg__get_debugger_statusmcp__x64dbg__get_registermcp__x64dbg__eval_expressionmcp__x64dbg__get_symbolBashRead

Preview

Decompile a function from the debugged binary into C-like pseudocode using angr.

Supporting Assets

decompile.py

SKILL.md

Similar Skills

decompiler

Decompiles binary functions to C-like pseudocode using VulHunt tools. Analyze function logic, control flow, or prepare for code pattern matching.

vulhunt

decompiler

Decompiles and analyzes IDA Pro functions with Hex-Rays for pseudocode, ctree AST, local variables, labels, and decompiler-driven cleanup in reverse engineering.

4 files4 tools

idasql

rev-symbol - Symbol Recovery

Restores function symbols and names from IDA-NO-MCP decompiled C code by analyzing strings, constants (MD5, CRC32, AES), code patterns, and cross-references to callers/callees/imports.

reverse-engineering

Stats

Stars76

Forks9

Last CommitFeb 12, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

decompile

Decompile a function from the debugged binary into C-like pseudocode using angr.

If no address is specified, decompiles the function containing the current instruction pointer. Accepts an address or symbol name as an argument.

Instructions

Follow these steps exactly:

1. Check prerequisites

Run pip show angr via Bash. If angr is not installed, tell the user:

angr is not installed. Install it with pip install angr (requires Python >= 3.10). Note: angr is a large package (~500MB+).

Then stop.

2. Verify debugger connection

Call mcp__x64dbg__get_debugger_status to confirm the debugger is connected and paused. If not debugging, tell the user and stop.

3. Determine target function address

If the user provided an address or symbol as an argument:

If it looks like a hex address, use it directly
If it looks like a symbol name, resolve it via mcp__x64dbg__eval_expression

If no argument was provided:

Get the current instruction pointer via mcp__x64dbg__get_register (register rip for 64-bit, eip for 32-bit)
Use the current RIP/EIP value as the target address

Call this resolved value target_addr.

4. Resolve module path and compute RVA

Use mcp__x64dbg__eval_expression to evaluate:

mod.path(target_addr) — to get the on-disk path of the module containing the address
mod.base(target_addr) — to get the module's base address

Compute the RVA: target_addr - module_base

If mod.path fails, the address may not belong to a loaded module. Tell the user and stop.

5. Run the decompile script

Execute:

python "${CLAUDE_PLUGIN_ROOT}\skills\decompile\decompile.py" --binary "<module_path>" --address <rva_hex>

Where:

<module_path> is the on-disk path from step 4
<rva_hex> is the RVA in hex (e.g. 0x1060)

The script may take 10-30 seconds for large binaries (CFG generation is the bottleneck). Use a timeout of at least 120 seconds.

6. Present results

The script outputs decompiled C pseudocode to stdout and status messages to stderr.

Present the decompiled code to the user in a ```c code block. If the script failed, relay the error message from stderr (e.g., function not found, decompilation failed) and suggest nearby functions if listed.