Skip to content

REMnux/x64dbg-skills-opencode

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
.claude-plugin
.claude-plugin
 
 
commands
commands
 
 
skills
skills
 
 
.gitignore
.gitignore
 
 
CLAUDE.md
CLAUDE.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

x64dbg-skills

Claude Code plugin providing skills for x64dbg debugger automation.

REMnux / OpenCode fork. A fork of dariushoule/x64dbg-skills (MIT, by Darius Houle), adapted to run under OpenCode on REMnux driving a remote x64dbg on a separate Windows VM. The original Claude Code plugin (the skills/ directory) is preserved. See REMnux / OpenCode port below for what changed and how to install.

Skills

/state-snapshot

Captures a full debuggee state snapshot to disk for offline analysis:

  • All committed memory regions as raw binary files
  • Complete processor state (registers) as JSON

/state-diff

Compares two state snapshots to identify what changed between two points in time:

  • Register changes (instruction pointer advancement, stack movement, flags, etc.)
  • Memory region modifications (stack writes, heap mutations, code changes)
  • Synthesized narrative explaining what the program did between snapshots

/decompile

Decompiles a function to C-like pseudocode using angr:

  • Decompiles the function at the current instruction pointer if no address is specified
  • Accepts a specific address or symbol as an argument
  • Tries multiple decompiler strategies for best results
  • Suggests nearby functions if the specified address isn't a function entry

/yara-sigs

Scans snapshot memory dumps with YARA signatures from the x64dbg yarasigs database:

  • Automatically clones the yarasigs repo (including Yara-Rules and citizenlab submodules) on first use
  • Scan categories: packers & compilers, crypto constants, anti-debug / anti-VM, or all signatures
  • Builds on /state-snapshot — uses an existing snapshot or takes a fresh one
  • Reports matches grouped by rule with memory region addresses and metadata

/tracealyzer

Traces execution (into or over calls) for N steps or until a condition is met, then analyzes the recorded instruction log:

  • Configurable trace mode: step into calls or step over calls
  • Stop on a max instruction count, an x64dbg expression (e.g. cip == 0x401000), or both
  • Captures a full instruction log to traces/ with addresses, disassembly, labels, and comments
  • Summarizes execution flow, hot spots, API calls, loops, and notable patterns
  • Follow-up actions: annotate key addresses in x64dbg, deeper sub-region analysis, deobfuscation

/shellcode-analyzer

Loads, unpacks, and analyzes raw shellcode blobs in x64dbg:

  • Launches x64dbg with timeout.exe as a sacrificial process (supports 32-bit and 64-bit)
  • Allocates memory, writes shellcode, and redirects execution with optional NOP sled
  • Unpacking — identifies and executes decoder stubs (XOR loops, decompression routines, self-modifying code)
  • Static analysis — disassembly, YARA scanning (/yara-sigs), annotates key addresses with comments and labels
  • Dynamic analysis — steps through import resolvers, inspects decoded payloads/strings/C2 configs
  • Produces annotated shellcode in x64dbg and optional markdown reports

/find-oep

Smart trace-based OEP finder for packed/protected PE executables:

  • Traces through packer stubs using intelligent stepping, anti-debug evasion, and heuristic detection (section transitions, stack restoration, compiler entry patterns, IAT population)
  • Handles common packers (UPX, ASPack, MPRESS, PECompact, Themida, VMProtect, Enigma) and unknown/custom packers
  • Detects and evades anti-debug techniques: PEB flags, timing checks, hardware BP detection, exception tricks, self-checksums
  • Leverages /yara-sigs for packer identification and /state-snapshot for memory capture at OEP
  • Leaves the debugger paused at the OEP with a state snapshot for downstream analysis or PE reconstruction

/vuln-hunter

Hunts for vulnerabilities in a running debuggee through systematic analysis:

  • Reconnaissance — enumerates imports/exports, categorizes I/O functions by attack context (network, file, registry, etc.), and finds cross-references to dangerous sinks
  • Triage — ranks code paths by attacker reachability and sink severity, presents a prioritized attack surface map
  • Bug hunting — iteratively analyzes target functions for buffer overflows, integer wraps, format strings, logic flaws; generates test inputs and observes behavior under the debugger
  • PoC development — builds proof-of-concept Python scripts that demonstrate impact (crash, info leak, code execution)
  • Leverages /decompile for complex functions and /tracealyzer for execution tracing
  • Produces annotated targets in x64dbg and optional markdown vulnerability reports

Prerequisites

  • x64dbg and x64dbg Automate installed
  • x64dbg MCP server configured in Claude Code
  • Python 3 with the x64dbg_automate pip package installed: 
    pip install x64dbg_automate[mcp] --upgrade
  • For the /decompile skill: angr (Python >= 3.10): 
    pip install angr
  • For the /yara-sigs skill: yara-python and Git: 
    pip install yara-python
  • For the /vuln-hunter skill: LIEF for static PE analysis: 
    pip install lief

Installation

Add the marketplace and install the plugin:

/plugin marketplace add dariushoule/x64dbg-skills
/plugin install x64dbg-skills

Updating

To update to the latest version:

/plugin install x64dbg-skills

Usage

A decent guide that gives good ideas on how to use these skills: Cooking with x64dbg and MCP

REMnux / OpenCode port

OpenCode cannot load Claude Code plugins, so this fork adds OpenCode command files alongside the original skills and ships them on REMnux.

What this fork adds

  • commands/x64dbg-*.md: the eight skills ported to OpenCode custom commands (invoked as /x64dbg-tracealyzer, /x64dbg-find-oep, and so on). The original skills/ plugin is left intact for Claude Code users.
  • A reworked skills/state-snapshot/state_snapshot.py. Upstream attaches to a local x64dbg by PID. This version connects to a remote x64dbg over the network with X64DbgClient.connect_remote(host, req_port, pub_port), so OpenCode on REMnux can pull a Windows debuggee's memory onto the REMnux host for offline analysis. The capture logic is unchanged.

Architecture

OpenCode runs on REMnux and drives x64dbg on a separate Windows VM through the x64dbg-automate-mcp stdio MCP server (Remote mode, ports 27066/27067). Live debugger work such as snapshots, tracing, and stepping happens over the network. Every offline analyzer (decompile, yara, diff, import enumeration) then runs on REMnux against the captured dumps or the sample on disk.

Install on REMnux

These commands ship with REMnux through the x64dbg-automate-mcp salt-states package. It installs the dependencies into /opt/x64dbg-automate-mcp-deps, lays this repo down at /opt/x64dbg-skills-opencode, drops the command files into ~/.config/opencode/commands/, and registers the x64dbg MCP server in OpenCode. The server ships disabled by default, since it only does anything once a remote Windows x64dbg VM is wired up.

Credit

All analytical content and the helper scripts are the work of Darius Houle in the original x64dbg-skills. This fork adapts only the packaging and the snapshot connection for REMnux. Licensed MIT, same as upstream.

License

MIT

About

Claude Code plugin providing skills for x64dbg debugger automation

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • Python 100.0%