IDA-MCP

wiki deepwiki

IDA-MCP (FastMCP + Multi-instance Coordinator)

• Each IDA instance starts a FastMCP server (/mcp)

• The first instance occupies 127.0.0.1:11337 as the coordinator, maintaining a memory registry and supporting tool forwarding

• Subsequent instances automatically register with the coordinator; no need to share files or manually configure ports

• Unified access / aggregation of instance tools via a process-based proxy (MCP clients can start it via command/args)

The tool philosophy is to minimize operations. Most IDEs do not support an excessive number of tools. Too many tools can lead to tool invocation failures and reduced accuracy.

Related MCP server: IDA Pro MCP Server

Current Tools

Plugin Built-in (server.py)

reverse-tools

• check_connection – Quick health check of plugin and coordinator (ok/count)

• list_instances – Returns raw list of registered instances

• list_functions(offset, count) – List functions with pagination (name, start_ea, end_ea)

• get_function_by_name(name) – Get start/end address of a single function by exact name match

• get_function_by_address(address) – Get function information via address (start or internal)

• convert_number(text, size) – Number conversion (decimal/hex/binary ↔ multiple representations, specified bit width)

• list_globals_filter(offset, count, filter?) – Paginated + fuzzy (substring) filtered global symbols list (excluding functions)

• list_globals(offset, count) – Paginated list of all global symbols (excluding functions)

• list_strings_filter(offset, count, filter?) – Paginated + fuzzy filtered strings list

• list_strings(offset, count) – Paginated list of all strings

• list_local_types() – List all Local Types (ordinal + truncated decl)

• decompile_function(address) – Decompile function (requires Hex-Rays)

• disassemble_function(start_address) – Output function disassembly (instructions/comments)

• get_xrefs_to(address) – Get cross-references to an address

• get_xrefs_to_field(struct_name, field_name) – Heuristically get instruction locations referencing struct fields

• set_comment(address, comment) – Set/clear address comment (syncs to pseudocode)

• rename_local_variable(function_address, old_name, new_name) – Rename function local variable (Hex-Rays)

• rename_global_variable(old_name, new_name) – Rename global variable

• set_global_variable_type(variable_name, new_type) – Set global variable type

• rename_function(function_address, new_name) – Rename function

• set_function_prototype(function_address, prototype) – Set function prototype

• set_local_variable_type(function_address, variable_name, new_type) – Set local variable type (Hex-Rays)

• declare_c_type(c_declaration) – Parse and declare/update a local type (struct/union/enum/typedef)

• get_entry_points() – Get all entry points (ordinal + address + name)

• get_metadata() - Get basic metadata of specified or current instance (hash/arch/bits etc.)

• linear_disassemble(start_address, size) - Linear disassembly of size instructions from specified address

• read_memory_bytes(memory_address, size) – Read memory bytes from specified address (1-4096 bytes)

dbg-tools

• dbg_get_registers() – Get current values of all registers

• dbg_get_call_stack() – Get current call stack

• dbg_list_breakpoints() – List all breakpoints

• dbg_start_process() – Start debugging (if not already started)

• dbg_exit_process() – Terminate debug process

• dbg_continue_process() – Continue execution (Resume)

• dbg_run_to(address) – Run to specified address

• dbg_set_breakpoint(address) – Set breakpoint

• dbg_delete_breakpoint(address) – Delete breakpoint (idempotent)

• dbg_enable_breakpoint(address, enable) – Enable/disable breakpoint (creates if doesn't exist and enabling)

• dbg_step_into() – Step into instruction (single step)

• dbg_step_over() – Step over instruction (call)

Directory Structure

Startup Steps

1. Copy ida_mcp.py + ida_mcp folder to IDA's plugins/.

2. Open target binary, wait for analysis to complete.

3. Trigger plugin via menu / shortcut: First launch will:

   • Select free port (starting from 8765) to run SSE service http://127.0.0.1:<port>/mcp/

   • If 11337 is free → start coordinator; otherwise register with existing coordinator

4. Trigger plugin again = stop and unregister instance.

Proxy Usage

Replace command and args in mcp.json, then copy it to claude client's mcp tool configuration file or other MCP client configuration files.

claude / cherry studio / cursor client example:

For claude, directly add the above configuration to the claude_desktop_config.json file in the installation directory.

cherry studio supports quick creation of mcp tools, import directly from json, then paste the above configuration example.

For cursor, simply import via model tools.

vscode mcp configuration example:

⚠️Note: Using vscode coploit may result in your account being banned.

1. Permanent addition: Set copilot to Agent mode, click Configure Tools -> Configure Toolset -> Enter toolset name -> Enter toolset filename -> OK -> Then directly paste the above configuration example.

2. Temporary addition: Create .vscode folder in project directory, create mcp.json file inside it, paste the above configuration file.

3. copilot also scans claude client configuration files and cursor configuration files.

Dependencies

Need to install using IDA's Python environment:

Future Plans

Add UI interface, support internal model calls, add multi-agent A2A automated reverse engineering functionality after langchain officially updates to 1.0.0.