Skill

state-diff

Compares debuggee state snapshots to diff registers and memory, analyzes changes (e.g., stack growth, flag updates), and narrates program behavior between snapshots.

Python

Bash

developer-tools

Popularity

Stars

160

Forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/x64dbg-skills:state-diff

User invocable

Model invocable

Inline context

Default effort

Tool Access

This skill is limited to the following tools:

BashRead

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Compare two debuggee state snapshots and produce a detailed change analysis — which registers changed, which memory regions were modified, and what the changes mean.

Supporting Files

state_diff.py

SKILL.md

60 lines · ~594 tokens

Stats

LanguagePython

Stars160

Forks13

MaintenanceExcellent

Last CommitMar 13, 2026

Actions

View Source View Plugin View on GitHub View README

state-diff

Compare two debuggee state snapshots and produce a detailed change analysis — which registers changed, which memory regions were modified, and what the changes mean.

Instructions

Follow these steps exactly:

1. Identify snapshots

List the available snapshots:

dir "${CLAUDE_PLUGIN_ROOT}\snapshots"

If there are fewer than two snapshots, tell the user they need at least two snapshots (captured via /state-snapshot) and stop.

If the user specified two snapshot paths, use those directly. Otherwise, present the available snapshots and ask the user to pick the before (earlier) and after (later) snapshots.

2. Run the diff script

Execute the diff engine:

python "${CLAUDE_PLUGIN_ROOT}\skills\state-diff\state_diff.py" --before <before_snapshot_dir> --after <after_snapshot_dir>

The script writes diff_report.json into the after-snapshot directory by default. If the user specified a custom output path, pass --output <path>.

3. Read the report

Use Read to load the generated diff_report.json.

4. Analyze and reason

Interpret the diff report for the user:

Register changes: Explain what each changed register suggests. For example:
- RIP/EIP advanced → instructions were executed
- RSP/ESP changed → stack grew or shrank (function calls, local variables)
- RAX/EAX changed → likely a return value or computation result
- Flag changes → comparison or arithmetic results
Memory changes: Explain what modified regions likely represent:
- Stack region modifications → local variables written, function arguments pushed
- Heap regions → dynamic allocations or object mutations
- Image/module regions → self-modifying code or relocations
- Look at the actual byte patterns for clues (string data, pointers, counters)
Synthesize a narrative: Combine register and memory observations into a coherent explanation of what the program did between the two snapshots. For example: "The program called function X, which allocated Y bytes on the stack and wrote a string to a heap buffer."

Present the analysis in a clear, structured format with the raw evidence (hex values, addresses) supporting each conclusion.

state-diff

Popularity

Invocation

Tool Access

Context Preview

Supporting Files

SKILL.md

state-diff

Popularity

Invocation

Tool Access

Context Preview

Supporting Files

SKILL.md

state-diff

Instructions

1. Identify snapshots

2. Run the diff script

3. Read the report

4. Analyze and reason

Similar Skills

state-diff

Instructions

1. Identify snapshots

2. Run the diff script

3. Read the report

4. Analyze and reason

Similar Skills