Skill

state-diff

Compares debuggee state snapshots to diff registers and memory, analyzes changes (e.g., stack growth, flag updates), and narrates program behavior between snapshots.

Python

Bash

developer-tools

npx claudepluginhub dariushoule/x64dbg-skills

Tool Access

This skill is limited to using the following tools:

BashRead

Preview

Compare two debuggee state snapshots and produce a detailed change analysis — which registers changed, which memory regions were modified, and what the changes mean.

Supporting Assets

state_diff.py

SKILL.md

Similar Skills

function-diff

Compares function disassembly between binary sessions: generates byte signatures to relocate functions after updates, disassembles, and reports changes. Useful for tracking patches.

arc-probe

differential-session-runner

Runs or continues differential debugging sessions between implementations, traces, captures, or outputs. Records artifact identities, commands, mismatches, findings, validation, and next probes in durable session logs.

4 tools

harness-engineering

state-snapshot

Captures full x64dbg debuggee state snapshot—all committed memory regions as binaries + processor state as JSON—to disk for offline analysis.

1 file6 tools

x64dbg-skills

Stats

Stars76

Forks9

Last CommitFeb 12, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

state-diff

Compare two debuggee state snapshots and produce a detailed change analysis — which registers changed, which memory regions were modified, and what the changes mean.

Instructions

Follow these steps exactly:

1. Identify snapshots

List the available snapshots:

dir "${CLAUDE_PLUGIN_ROOT}\snapshots"

If there are fewer than two snapshots, tell the user they need at least two snapshots (captured via /state-snapshot) and stop.

If the user specified two snapshot paths, use those directly. Otherwise, present the available snapshots and ask the user to pick the before (earlier) and after (later) snapshots.

2. Run the diff script

Execute the diff engine:

python "${CLAUDE_PLUGIN_ROOT}\skills\state-diff\state_diff.py" --before <before_snapshot_dir> --after <after_snapshot_dir>

The script writes diff_report.json into the after-snapshot directory by default. If the user specified a custom output path, pass --output <path>.

3. Read the report

Use Read to load the generated diff_report.json.

4. Analyze and reason

Interpret the diff report for the user:

Register changes: Explain what each changed register suggests. For example:
- RIP/EIP advanced → instructions were executed
- RSP/ESP changed → stack grew or shrank (function calls, local variables)
- RAX/EAX changed → likely a return value or computation result
- Flag changes → comparison or arithmetic results
Memory changes: Explain what modified regions likely represent:
- Stack region modifications → local variables written, function arguments pushed
- Heap regions → dynamic allocations or object mutations
- Image/module regions → self-modifying code or relocations
- Look at the actual byte patterns for clues (string data, pointers, counters)
Synthesize a narrative: Combine register and memory observations into a coherent explanation of what the program did between the two snapshots. For example: "The program called function X, which allocated Y bytes on the stack and wrote a string to a heap buffer."

Present the analysis in a clear, structured format with the raw evidence (hex values, addresses) supporting each conclusion.