X64dbg MCP Server

x64dbg MCP Server

Drive x64dbg with your AI. Talk to Claude, Cursor, Windsurf, Cline, or any MCP client in plain English and it sets breakpoints, reads memory, disassembles, traces, dumps PEs, and bypasses anti-debug — live, inside the debugger.

23 mega-tools over 153 REST endpoints, fully typed with Zod. A C++ plugin runs inside x64dbg; a tiny TypeScript server bridges it to your client over stdio. Everything stays on 127.0.0.1 — nothing leaves your machine.

Latest — v2.3.0

• Hardened & crash-proof. A malformed HTTP request can no longer crash x64dbg; the plugin server drains connections cleanly on stop and ships an optional auth token (CORS is locked down).
• Real data from more tools. imports/exports, symbols search/list, patches list, and strings now return actual parsed results instead of pointing you at a GUI view.
• Live trace status. New /api/trace/status (+ tracing status) reports whether a trace is running, and the exception/trace tools now honor every parameter they accept.
• Plus the v2.2.x fixes: x32dbg loads on current snapshots, and requests no longer time out on long operations.

Download the v2.3.0 plugins →

---

What it looks like

"Set a breakpoint on CreateFileW and run the program"
"Disassemble the current function and explain what it does"
"Search for 48 8B ?? 48 85 C0 in the main module and disassemble the hits"
"Hide the debugger and bypass the anti-debug checks"
"Trace into the VM dispatcher and log every instruction to a file"
"Dump the main module to disk and fix the import table"

Real use: tracing VMProtect'd code, finding anti-cheat scanner threads, decoding XOR'd class names, mapping detection logic — all by asking, no manual scripting.

Install

1 · Plugin (inside x64dbg)

Download x64dbg_mcp.dp64 / .dp32 from the latest release and drop them in:

x64dbg/x64/plugins/x64dbg_mcp.dp64    ← 64-bit targets
x64dbg/x32/plugins/x64dbg_mcp.dp32    ← 32-bit targets

…or build + install it yourself (auto-detects your x64dbg — no path editing):

.\build.ps1 -Install

Start x64dbg; the log shows [MCP] x64dbg MCP Server started on 127.0.0.1:27042.

2 · Server (your AI client)

No install — just point your client at npx. Claude Code:

{
  "mcpServers": {
    "x64dbg": {
      "type": "stdio",
      "command": "cmd",
      "args": ["/c", "npx", "-y", "x64dbg-mcp-server"]
    }
  }
}

Claude Desktop / Cursor / Windsurf / Cline use the same block without the cmd /c wrapper: { "command": "npx", "args": ["-y", "x64dbg-mcp-server"] }. Full per-client paths are in the reference.

3 · Go

Open a target in x64dbg and start talking to your assistant.

Tools at a glance

23 action-based tools spanning the whole debugger:

• Control — run/step/pause, raw commands, scripts, expression eval
• CPU & memory — registers (incl. AVX-512), read/write/alloc/protect, memory map
• Stack — call stack, SEH chain, return addresses
• Code analysis — disassemble, assemble, xrefs, basic blocks, CFG, loops
• Breakpoints & tracing — software/hardware/memory/conditional/logging, batch, trace logs
• Symbols & search — labels, comments, bookmarks, AOB pattern + string scan
• Process & system — threads/TEB, handles, TCP, PEB, anti-debug hide
• Patching & dumping — byte patches, PE dump, IAT fix, patch export

Every tool, action, and endpoint is documented in docs/REFERENCE.md.

Links

• Full reference — tools, architecture, build, config, troubleshooting
• npm: x64dbg-mcp-server
• Releases — prebuilt plugin DLLs
• x64dbg — the debugger

Security

The plugin binds to 127.0.0.1 only; the server talks pure stdio. All traffic stays on localhost — no remote access, no telemetry, no data leaves your machine. For defense against other local processes, set a token in the plugin's Settings and pass it via X64DBG_MCP_TOKEN — every request must then carry it.

Author

bromo — GitHub. Built with Claude Code. MIT.