Content
# IDA Pro MCP Plugin
[](https://opensource.org/licenses/MIT)
[](https://www.python.org/downloads/)
[](https://www.hex-rays.com/products/ida/)
## 1. Project Overview
IDA Pro MCP (Modding and Code Analysis Plugin) is a powerful IDA Pro plugin designed to provide rich code analysis, automation, and modification capabilities, helping reverse engineers and security researchers perform binary analysis more efficiently. This plugin implements the standard MCP protocol and supports interaction with various MCP clients.
This project is based on mrexodia/ida-pro-mcp ( https://github.com/mrexodia/ida-pro-mcp )
secondary development enhancement, retaining the original core functions and diy extending some functions by itself.
It is highly recommended that you download the original project. My original intention was to add some trace functions and optimize some operations for my own use based on the original project, but the original project is updating too fast and too powerful. If I want to update, either the function is far inferior, or it is basically a copy. .
### 1.1 Core Value
- **Automated Analysis Process**: Reduce repetitive work and improve analysis efficiency
- **Enhanced Function and Variable Analysis**: Provide deeper code insights
- **Batch Processing Capabilities**: Support large-scale code modification and analysis
- **Dynamic Analysis Assistance**: Generate Frida and Angr scripts to assist dynamic analysis
- **Obfuscation Detection**: Identify common code obfuscation techniques
- **Algorithm Recognition**: Automatically identify common encryption algorithms and hash functions
- **Standard MCP Protocol Compatibility**: Support interaction with various MCP clients
### 1.2 Technology Stack
| Technology/Dependency | Version Requirements | Purpose |
| --------------------- | -------------------- | ------------------------ |
| Python | >= 3.11 | Plugin development language |
| IDA Pro | >= 7.5 | Host environment |
| mcp | >= 1.6.0 | MCP protocol support |
| pydantic | >= 2.0.0 | Data validation and serialization |
| fastmcp | Latest version | MCP server implementation |
| frida-tools | Optional | Dynamic analysis support |
| angr | Optional | Symbolic execution support |
## 2. Directory Structure
```
ida-pro-mcp/
├── src/
│ └── ida_pro_mcp/
│ ├── __init__.py # Plugin entry
│ ├── idalib_server.py # IDA library server
│ ├── mcp-plugin.py # Main plugin file
│ ├── mcp_config.json # Plugin configuration
│ ├── script_utils.py # Script generation helper module
│ ├── server.py # MCP server
│ └── server_generated.py # Automatically generated server code
├── .gitignore # Git ignore configuration
├── CONTRIBUTING.md # Contribution guide
├── README.md # Project documentation
├── ida-plugin.json # IDA plugin configuration
├── pyproject.toml # Project configuration file
├── requirements.txt # Dependency list
├── test_script_utils.py # Test script
└── uv.lock # Dependency lock file
```
## 3. Core Functions
### 3.1 Batch Processing Functions
- **Batch Rename Functions**: Batch rename functions based on naming rules or patterns
- **Batch Add Comments**: Automatically add descriptive comments to functions and variables
- **Batch Set Variable Types**: Automatically set local variable types based on analysis results
- **Batch Set Function Prototypes**: Uniformly set the parameters and return types of functions
### 3.2 Obfuscation Detection Function
- **Control Flow Flattening Detection**: Identify control flow obfuscation
- **String Encryption Detection**: Detect string encryption and dynamic decryption patterns
- **Anti-Debugging Detection**: Identify common anti-debugging techniques
- **Dead Code Detection**: Discover useless code blocks
### 3.3 Algorithm Recognition Function
Automatically identify common encryption algorithms, hash functions, and encoding methods:
- **Encryption Algorithms**: AES, DES, RC4, TEA, XOR, etc.
- **Hash Functions**: MD5, SHA1, SHA256, CRC32, etc.
- **Encoding Methods**: Base64, Base32, Base58, Base85, Rot13, etc.
- **Compression Algorithms**: zlib, LZMA, etc.
- **Random Number Generation**: Mersenne Twister, etc.
### 3.4 Dynamic Analysis Assistance Function
- **Generate Angr Symbolic Execution Scripts**: Assist in symbolic execution and brute-forcing
- **Generate Frida Dynamic Analysis Scripts**: Support function Hook, memory monitoring, and string monitoring
- **Script Saving and Running**: Conveniently save and execute generated analysis scripts
- **Windows Platform Compatibility Optimization**: Especially optimized for use in Windows environments
### 3.5 Call Graph Analysis
Generate function call relationship diagrams, supporting visual display:
- Generate adjacency list format call graph
- Generate Mermaid format call graph, supporting visualization
- Recursive depth can be specified
### 3.6 script_utils Module
Provide a script generation auxiliary function library, including:
- **Address Detection**: Verify hexadecimal address format
- **Target Expression Generation**: Generate Frida expressions based on target types
- **Script Content Construction**: Generate standardized script templates
- **Environment Management**: Generate script environments based on application types
## 4. Installation Steps
### 4.1 System Requirements
- IDA Pro 7.5+ (supports Python 3.8+)
- Python 3.11 or higher
- Supports Windows, macOS, and Linux operating systems
### 4.2 Installation Method
#### Manual Installation
1. Clone or download the project code:
```bash
git clone https://github.com/namename333/idapromcp_333.git
cd idapromcp_333
```
2. Install dependencies:
```bash
pip install -e .
# Install additional dynamic analysis tools (recommended)
pip install angr frida-tools
```
3. Install the IDA plugin:
```bash
# Windows example
ida-pro-mcp --install
```
### 4.3 Verify Installation
1. Start IDA Pro
2. Start the MCP server in the following ways:
- Menu: `Edit -> Plugins -> MCP`
- Shortcut key: `Ctrl-Alt-M`
3. After the server starts, it will listen for JSON-RPC requests on port 13337
4. Use the following command to test the connection:
```python
import requests
import json
url = "http://localhost:13337/mcp"
headers = {"Content-Type": "application/json"}
payload = {
"jsonrpc": "2.0",
"method": "check_connection",
"params": [],
"id": 1
}
response = requests.post(url, data=json.dumps(payload), headers=headers)
print(response.json())
```
## 5. Usage Guide
### 5.1 Basic Usage
The MCP plugin provides an API through the JSON-RPC protocol, and you can interact with it using any tool or programming language that supports HTTP requests. Here is a basic request example:
```python
import requests
import json
url = "http://localhost:13337/jsonrpc"
headers = {"Content-Type": "application/json"}
payload = {
"jsonrpc": "2.0",
"method": "get_function",
"params": ["0x401000"],
"id": 1
}
response = requests.post(url, data=json.dumps(payload), headers=headers)
result = response.json()
print(result)
```
### 5.2 Script Generation Example
#### 5.2.1 Generate Frida Hook Script
```python
# Generate function Hook script
hook_script = ida_pro_mcp.generate_frida_script(
target="main", # Target function name
script_type="hook", # Script type is hook
options={
"app_type": "native", # Application type is native binary
"log_args": True, # Record function arguments
"log_return": True, # Record return value
"detailed_log": False # Concise log output
}
)
```
#### 5.2.2 Generate Memory Monitoring Script
```python
# Generate memory monitoring script
memory_script = ida_pro_mcp.generate_frida_script(
target="0x12345678", # Memory address to be monitored
script_type="memory_dump", # Script type is memory monitoring
options={
"size": 1024, # Monitoring memory size (bytes)
"interval": 100, # Monitoring interval (milliseconds)
"compare_before_after": True # Compare memory changes before and after
}
)
```
#### 5.2.3 Generate String Monitoring Script
```python
# Generate string monitoring script
string_script = ida_pro_mcp.generate_frida_script(
target="", # No specific target function required
script_type="string_hook", # Script type is string monitoring
options={
"string_functions": True, # Hook common string functions
"address_monitor": "0x10000000", # Monitor specific memory area
"capture_callstack": True # Capture call stack
}
)
```
## 6. API Documentation
### 6.1 Metadata and Basic Information Acquisition
#### `get_metadata()`
**Function**: Get the metadata information of the current IDB file
**Return**: A dictionary containing metadata
```python
{
"file_path": "", # File path
"file_size": 0, # File size (bytes)
"arch": "", # Architecture information
"bits": 0, # Number of bits (32/64)
"compiler": "" # Compiler information (if identifiable)
}
```
### 6.2 Function and Variable Analysis
#### `get_function(function_address)`
**Function**: Get detailed information about a function
**Parameters**:
- `function_address`: Function address (string format)
**Return**: A dictionary containing function information
```python
{
"name": "", # Function name
"address": "", # Function address
"size": 0, # Function size (bytes)
"prototype": "", # Function prototype
"is_imported": False, # Whether it is an imported function
"is_thunk": False, # Whether it is a thunk function
"callers": [], # List of functions that call this function
"callees": [] # List of functions called by this function
}
```
#### `list_functions()`
**Function**: List all functions in the database
**Return**: A list of function information (each element has the same format as `get_function` return)
### 6.3 Disassembly and Decompilation
#### `decompile_function(function_address)`
**Function**: Decompile a function and get pseudo-code
**Parameters**:
- `function_address`: Function address
**Return**: Pseudo-code string obtained by decompilation
#### `disassemble_function(function_address)`
**Function**: Get assembly code information of a function
**Parameters**:
- `function_address`: Function address
**Return**: A dictionary containing assembly code information
```python
{
"address": "", # Function address
"name": "", # Function name
"instructions": [ # Instruction list
{
"address": "", # Instruction address
"mnem": "", # Instruction mnemonic
"op_str": "", # Operand string
"bytes": "" # Instruction bytecode
}
# ...more instructions
]
}
```
### 6.4 Call Graph Analysis
#### `get_function_call_graph(start_address, depth=3, mermaid=False)`
**Function**: Generate a function call graph
**Parameters**:
- `start_address`: Starting function address
- `depth`: Recursive depth (default 3)
- `mermaid`: Whether to return the chart definition in mermaid format (default False)
**Return**: A dictionary containing call graph information
```python
{
"graph": {}, # Adjacency list or mermaid string
"nodes": [], # Node list (function address)
"edges": [] # Edge list (call relationship)
}
```
**Implementation Principle**:
The call graph analysis function traverses the function call relationship through depth-first search (DFS) to generate a call relationship graph between functions.
**Workflow**:
1. **Parse Start Address**: Convert the input address string to an integer
2. **Initialize Data Structures**: Create access set, node set, and edge set
3. **Depth-First Traversal**:
- Starting from the starting function, get all called functions
- Record call relationships (edges) and functions (nodes)
- Recursively process the called functions until the specified depth is reached or all functions are visited
4. **Generate Results**: Return the adjacency list or mermaid format call graph according to the parameters
**Core Implementation Code**:
```python
visited = set()
edges = set()
nodes = set()
def dfs(addr, d):
if d < 0 or addr in visited:
return
visited.add(addr)
func = idaapi.get_func(parse_address(addr))
if not func:
return
nodes.add(addr)
for ref in idautils.CodeRefsFrom(func.start_ea, 1):
callee_func = idaapi.get_func(ref)
if callee_func:
callee_addr = hex(callee_func.start_ea)
edges.add((addr, callee_addr))
dfs(callee_addr, d-1)
dfs(start_address, depth)
```
### 6.5 Obfuscation Detection
#### `detect_obfuscation(function_address)`
**Function**: Detect common obfuscation patterns
**Parameters**:
- `function_address`: Function address to detect obfuscation
**Return**: A dictionary containing obfuscation detection results
```python
{
"flattening": False, # Whether control flow flattening exists
"string_encryption": False, # Whether string encryption exists
"anti_debug": False, # Whether anti-debugging techniques exist
"dead_code": False, # Whether dead code exists
"details": "" # Detailed information
}
```
**Implementation Principle**:
The obfuscation detection function identifies common obfuscation techniques by analyzing the control flow, code structure, and characteristic patterns of functions.
**Detection Method**:
- **Control Flow Flattening Detection**: Analyze the control flow graph of the function to detect abnormal branch structures
- **String Encryption Detection**: Identify patterns and characteristics of dynamically decrypted strings
- **Anti-Debugging Detection**: Find common anti-debugging instructions and API calls
- **Dead Code Detection**: Identify non-executable code blocks
**Workflow**:
1. **Get Function Information**: Get basic information and decompiled code of the target function
2. **Control Flow Analysis**: Generate and analyze the control flow graph of the function
3. **Feature Matching**: Match known obfuscation patterns and features
4. **Statistical Analysis**: Analyze code complexity, number of branches, instruction distribution, and other statistical features
5. **Result Generation**: Return detection results and detailed information
**Core Implementation Logic**:
```python
# Analyze control flow graph
flowchart = ida_gdl.FlowChart(func)
branch_count = sum(len(list(block.succs())) for block in flowchart)
# Analyze decompiled code
code = decompile_function(function_address)
# Detect control flow flattening
flattening = branch_count > 100 # Example threshold detection
# Detect string encryption
string_encryption = "memcpy" in code and "xor" in code # Example feature matching
```
# Detect Anti-Debugging
anti_debug = any(kw in code for kw in ["IsDebuggerPresent", "CheckRemoteDebuggerPresent"])
```
### 6.6 Algorithm Identification
#### `get_algorithm_signature(function_address)`
**Function**: Automatically identify common algorithms
**Parameters**:
- `function_address`: The function address to identify the algorithm
**Returns**: A dictionary containing the algorithm identification results
```python
{
"algorithm": "unknown", # The identified algorithm name (separated by commas if multiple)
"confidence": 0.0 # Confidence level (0.0-1.0)
}
```
**Implementation Principle**:
The algorithm identification function identifies common encryption algorithms, hash functions, and encoding methods by analyzing the function's instruction sequence, constant features, and pattern matching.
**Identification Method**:
- **Feature Matching**: Match the instruction sequence and constant features of known algorithms
- **Algorithm Signature**: Match using predefined algorithm signatures
- **Statistical Analysis**: Analyze the function's instruction distribution, operand features, etc.
**Workflow**:
1. **Get Function Information**: Get the decompiled code and instruction sequence of the target function
2. **Feature Extraction**: Extract the function's instruction features, constants, operands, etc.
3. **Pattern Matching**: Match with predefined algorithm patterns
4. **Confidence Calculation**: Calculate the confidence level of the identification result
5. **Result Generation**: Return the identification result and confidence level
**Core Implementation Logic**:
```python
# Predefined algorithm features
algorithm_patterns = {
"MD5": ["0x67452301", "0xefcdab89", "0x98badcfe", "0x10325476"],
"SHA1": ["0x67452301", "0xefcdab89", "0x98badcfe", "0x10325476", "0xc3d2e1f0"],
"AES": ["sbox", "0x63", "0x7c", "0x77", "0x7b"],
"RC4": ["swap", "xor", "key"],
"Base64": ["A-Za-z0-9+/", "padding", "encode", "decode"]
}
# Match algorithm features
max_confidence = 0.0
best_algorithm = "unknown"
for algo, patterns in algorithm_patterns.items():
matched = 0
total = len(patterns)
for pattern in patterns:
if pattern in code:
matched += 1
confidence = matched / total
if confidence > max_confidence:
max_confidence = confidence
best_algorithm = algo
```
### 6.7 Dynamic Analysis Assistance
#### `generate_frida_script(target, script_type, options=None)`
**Function**: Generate a Frida dynamic analysis script
**Parameters**:
- `target`: Target function name or address
- `script_type`: Script type ('hook', 'memory_dump', 'string_hook')
- `options`: Optional configuration parameters
**Returns**: The generated JavaScript script code
#### `save_generated_script(script_content, script_type, file_name=None)`
**Function**: Save the generated script to a file
**Parameters**:
- `script_content`: Script content
- `script_type`: Script type ('angr' or 'frida')
- `file_name`: File name to save (optional, defaults to a timestamped file name)
**Returns**: Save result information, including file path and running command prompt
## 7. Typical Workflow
### 7.1 Basic Analysis Process
1. Load the binary file into IDA Pro
2. Start the MCP plugin server (Ctrl-Alt-M)
3. Use `get_metadata()` to get basic information
4. Use `list_functions()` to browse all functions
5. Use `get_function()` to analyze specific functions in depth
6. Use `decompile_function()` to get pseudo-code
7. Use `detect_obfuscation()` to detect obfuscation
8. Use `get_algorithm_signature()` to identify algorithms
### 7.2 Dynamic Analysis Process
1. Determine the target function to analyze
2. Use `generate_frida_script()` to generate a Hook script
3. Use `save_generated_script()` to save the script
4. Use `run_external_script()` to run the script and observe the results
5. Analyze the output results and adjust the script parameters
### 7.3 Batch Processing Process
1. Select the set of functions to be processed
2. Use `batch_rename_functions()` to unify naming conventions
3. Use `batch_set_local_variable_types()` to set variable types
4. Use `batch_set_function_prototypes()` to standardize function prototypes
5. Use `batch_add_comments()` to add descriptive comments
## 8. Advanced Usage
### 8.1 Analyzing with Call Graphs
1. Use `get_function_call_graph()` to generate a call graph
2. Analyze the call relationships of key functions
3. Identify the core components and data flow of the program
4. Use Mermaid to render the call graph and visualize the analysis results
### 8.2 Debugger Control
The MCP plugin provides basic debugger control functions that can be used to automate the debugging process:
- `dbg_continue_process()`: Continue process execution
- `dbg_run_to(address)`: Run to the specified address
- `dbg_set_breakpoint(address)`: Set a breakpoint
- `dbg_remove_breakpoint(address)`: Remove a breakpoint
### 8.3 Custom Script Generation
By extending the `script_utils.py` module, you can customize the script generation logic to meet specific analysis needs:
```python
# Example: Extend script_utils.py to add a custom script generation function
def _generate_custom_script(target, options):
# Custom script generation logic
pass
```
## 9. Troubleshooting
### 9.1 Common Issues
| Issue | Possible Cause | Solution |
| --------------------- | ----------------------------------- | --------------------------------------------- |
| Plugin loading failed | Incorrect plugin directory structure | Check that the plugin files are correctly placed in the IDA Pro plugin directory |
| Server failed to start | Port 13337 is already in use | Modify the port settings in `mcp-plugin.py` |
| Python version mismatch | The Python version used by IDA Pro is lower than 3.11 | Upgrade IDA Pro or use a compatible Python version |
| Dependency error | Missing required dependency packages | Re-run `pip install -r requirements.txt` |
| script_utils module error | The script_utils_path in the configuration file is incorrect | Check the script_utils_path configuration in config.json |
| Frida script generation failed | The target function name or address is invalid | Make sure the provided target is valid |
### 9.2 Logs and Debugging
- The MCP plugin outputs logs with the [MCP] prefix to the IDA console
- Checking these logs can help troubleshoot problems
- You can adjust the log level by modifying the log_level in `server.py`
## 10. Contribution Guide
We welcome community contributions! If you would like to contribute to the IDA Pro MCP plugin, please refer to the following guide:
### 10.1 Development Environment Setup
1. Clone the project repository
2. Install development dependencies: `pip install -r requirements.txt`
3. Install development tools: `pip install pytest black isort`
4. Run tests: `python test_script_utils.py`
### 10.2 Code Style
- Follow the PEP 8 code style
- Use Black for code formatting
- Use isort for import sorting
- Add docstrings to all functions
- Write unit tests
### 10.3 Submission Process
1. Fork the project repository
2. Create a new branch
3. Submit your changes
4. Run tests to ensure all tests pass
5. Create a Pull Request
### 10.4 Report Issues
If you find any issues or have suggestions, please report them in GitHub Issues:
https://github.com/namename333/idapromcp_333/issues
## 11. Version History
### v2.0 (Latest)
- **Added script_utils module** - Provides a script generation helper function library
- **Optimized Frida script generation** - Refactored the generate_frida_script function
- **Enhanced error handling** - Added comprehensive exception handling and fallback mechanisms
- **Improved installation script** - Supports more platforms and IDA versions
- **Added logging** - Optimized the logging system for easy debugging and troubleshooting
- **Extended feature support** - Enhanced support for Java applications, Windows platforms, and different architectures
### v1.x
- Initial version
- Basic MCP protocol support
- Core functionality implementation
## 12. License
This project is licensed under the MIT License, see the [LICENSE](LICENSE) file for details.
## 13. Contact Information
### Developers
- **name** - Developer (QQ: 1559820232)
- **grand** - Developer (QQ: 3527424707)
- **Britney** - Developer (QQ: 2855057900)
### Project Links
- GitHub Repository: https://github.com/namename333/idapromcp_333
- Original Project: https://github.com/mrexodia/ida-pro-mcp
## 14. Acknowledgments
- Thanks to mrexodia for providing the original IDA Pro MCP plugin
- Thanks to all the developers and users who contributed to this project
