Skill

tracealyzer

Traces x64dbg execution into or over calls for N steps or until condition, logs full instruction trace, and analyzes it for debugging flows.

developer-tools

npx claudepluginhub dariushoule/x64dbg-skills

Tool Access

This skill is limited to using the following tools:

mcp__x64dbg__get_debugger_statusmcp__x64dbg__pausemcp__x64dbg__trace_intomcp__x64dbg__trace_overmcp__x64dbg__eval_expressionmcp__x64dbg__get_symbolmcp__x64dbg__disassemblemcp__x64dbg__get_all_registersmcp__x64dbg__set_commentmcp__x64dbg__set_labelReadBash

Preview

Trace debuggee execution — stepping into or over calls — for a specified number of instructions or until a condition is met. The full instruction log is captured to a file and then analyzed.

SKILL.md

Similar Skills

vuln-hunter

Hunts vulnerabilities in x64dbg debuggees: analyzes imports/exports, triages I/O attack surfaces, tests bugs like overflows/wraps, generates PoCs.

3 files39 tools

x64dbg-skills

trace-writes

Traces code reading or writing to a memory address via hardware watchpoints, breakpoint logs, and disassembly. For debugging memory access or reverse engineering x86 binaries.

arc-probe

debugger

Manages IDA Pro debugger operations: CRUD breakpoints with conditions, patch/revert bytes, maintain patch inventories for binary analysis.

1 file4 tools

idasql

Stats

Stars76

Forks9

Last CommitFeb 12, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

tracealyzer

Trace debuggee execution — stepping into or over calls — for a specified number of instructions or until a condition is met. The full instruction log is captured to a file and then analyzed.

Instructions

Follow these steps exactly:

1. Verify debugger connection

Call mcp__x64dbg__get_debugger_status to confirm the debugger is connected and a debuggee is loaded and paused. If it is running, call mcp__x64dbg__pause. If no debuggee is loaded, tell the user and stop.

2. Gather trace parameters

Ask the user for the following if not already provided:

Trace mode: trace into calls or trace over calls (default: over)
Stop condition — one of:
- A maximum number of instructions (e.g. 1000)
- An x64dbg expression that stops when true (e.g. cip == 0x7FF6A0001000, rax != 0)
- Both (whichever triggers first)

If the user provides a symbol or address for the stop condition, resolve it with mcp__x64dbg__eval_expression and build the break_condition expression (e.g. cip == <resolved_addr>).

When the user only specifies a step count N and no explicit break condition, use break_condition 0 (never true — the trace runs until max_steps is hit).

3. Capture starting context

Call mcp__x64dbg__get_all_registers and mcp__x64dbg__disassemble at the current instruction pointer to record the starting state. Note the starting address.

4. Run the trace

Prepare the output log path: ./traces/trace_<timestamp>.log (create the traces directory if it doesn't exist via Bash).

Call the appropriate trace tool (mcp__x64dbg__trace_into or mcp__x64dbg__trace_over) with:

Parameter	Value
`break_condition`	The user's condition, or `0` if only a step count was given
`max_steps`	The user's step count, or `50000` if only a condition was given
`log_text`	`{p:cip} {i:cip}
`log_file`	The output log path from above
`wait_timeout`	Scale with max_steps — use `max(60, max_steps // 500)` seconds

5. Read and analyze the trace log

Read the trace log file. The log contains one line per executed instruction in the format:

<address> <disassembly> | Label=<label> Comment=<comment>

Ignore when Labels or Comments say [Formatting Error], it just means there is no label or comment at that instruction.

Analyze the trace and present a summary to the user:

Trace overview: total instructions executed, start address → end address, trace mode used
Execution flow: describe the high-level behavior — what the code did, which functions were called, loops observed, and notable control-flow patterns
Hot spots: addresses or regions that appear most frequently (loops, repeated calls)
Key observations: interesting register manipulations, memory accesses, syscalls, API calls, string operations, or anything else that stands out

Use mcp__x64dbg__get_symbol to resolve notable addresses to symbol names where possible.

If the trace log is very large (>2000 lines), read it in chunks and summarize progressively.

6. Follow-up actions

After presenting the summary, ask the user if they would like any follow-up actions such as:

Annotate: add comments/labels in x64dbg at key addresses using mcp__x64dbg__set_comment / mcp__x64dbg__set_label
Deeper analysis: re-trace a specific sub-region, or focus on a particular function
Deobfuscation: identify and explain obfuscated patterns found in the trace
Export: the trace log is already saved to disk at the path from step 4