Say "yes" to IDA Pro MCP but not always
ida-export-mcp
IDA Pro plugin that exports decompiled code into AI-optimised chunk files, designed to work alongside ida-pro-mcp for a two-layer reverse engineering workflow.
English | 中文
Preface (Written by Humen, Translated by ChatGPT)
-
This project originated from a weekend when I was experimenting with automated reverse engineering in IDA and found the user experience of ida-pro-mcp and IDA-NO-MCP somewhat awkward. In short, ida-pro-mcp requires invoking tools for almost everything, while ida-no-mcp invokes nothing at all. As a result, it often ends up dumping hundreds of megabytes of memory, and each function is placed into a separate file.
-
The main body of this project was completed by Claude Code during Sunday lunch; I was only responsible for testing (Currently only tested on IDA 8.3). If you find it useful, it means my idea was good. If you find it inconvenient to use, then Claude is entirely to blame [doge].
-
When writing this project, I told Claude Code it could refer to ida-pro-mcp and ida-no-mcp. Judging from the actual results, it seems to have mainly referenced ida-no-mcp.
-
The name comes from the fact that I’m bad at naming things, so I just borrowed some popularity.
-
Pull requests are welcome. Alternatively, if someone thinks the functionality is decent and wants to merge it into another, more well-known project, that’s also perfectly fine.
Background
Two common approaches to AI-assisted reverse engineering each have drawbacks:
| Approach | Problem | | ---------------------------------------------- | ------------------------------------------------------------------------------------------- | | Dump everything to files (e.g. ida-no-mcp) | One file per function → thousands of files; raw memory dumps waste tokens; AI loses context | | MCP only (e.g. ida-pro-mcp) | Every piece of information requires a tool call → slow, high latency for broad analysis |
ida-export-mcp combines both: bulk-export the parts AI handles well (decompiled C, symbol tables), skip the parts it doesn't (raw memory), and leave real-time queries to MCP.
How It Works
┌─────────────────────────────────────────────────────────┐
│ Phase 1 — Static (this plugin) │
│ One-time export → AI reads files like source code │
│ │
│ CLAUDE.md / INDEX.md / SUMMARY.md │
│ strings.txt / imports.txt / exports.txt │
│ decompile/chunk_001.c … chunk_NNN.c │
└─────────────────────────────────────────────────────────┘
+
┌─────────────────────────────────────────────────────────┐
│ Phase 2 — Live (ida-pro-mcp) │
│ On-demand queries when static files aren't enough │
│ │
│ disasm() get_bytes() xrefs_to() │
│ infer_types() rename() set_comments() … │
└─────────────────────────────────────────────────────────┘
Key design decisions
- No memory hexdump — raw bytes are token-heavy and rarely useful at the source level; use
get_bytes()via MCP when needed - Chunked output — all functions packed into a small number of
~400 KBfiles (not one file per function), dramatically reducing AI tool calls - Precise line numbers — each chunk file has a
MINI-INDEXat the top mapping every function name/address to its exact line number; computed analytically before writing (no second pass) INDEX.md— single navigation file: every function → chunk file + line numberSUMMARY.md— binary overview: architecture, segments, imports grouped by module, exports, MCP tool referenceCLAUDE.md— auto-generated per binary; loaded automatically by Claude Code on startup- Resume support — re-running the export skips existing chunk files and recovers line maps from their MINI-INDEX
Output Structure
export-for-ai/
├── CLAUDE.md ← auto-loaded by Claude Code; binary snapshot + workflow guide
├── INDEX.md ← master navigation: all functions → chunk file + line number
├── SUMMARY.md ← binary overview + MCP tool reference table
├── strings.txt ← all string literals (address | length | type | content)
├── imports.txt ← imports grouped by module/DLL
├── exports.txt ← export table
├── decompile/
│ ├── chunk_001.c ← ~400 KB of decompiled C, with MINI-INDEX at top
│ ├── chunk_002.c
│ └── ...
├── decompile_failed.txt ← functions that could not be decompiled
└── decompile_skipped.txt ← library / invalid functions
Chunk file format
// =========================================================================
// CHUNK 003/012 | Functions: 84 | ~380 KB
// Binary: target.exe
// =========================================================================
// MINI-INDEX (function name -> line number in this file):
// [0x405000] parse_config -> line 8
// [0x405890] handle_request -> line 97
// ...
// =========================================================================
/* func: parse_config | addr: 0x405000
* callers (2): main(0x401000), reload_cfg(0x406200)
* callees (4): malloc, strcpy, sub_405500(0x405500), fopen
*/
char *parse_config(const char *path) {
...
}
Installation
-
Copy
plugin.pyand theexporter/directory into your IDA plugins folder:| Platform | Path | | ------------- | ------------------------------------- | | Windows |
%APPDATA%\Hex-Rays\IDA Pro\plugins\| | Linux / macOS |~/.idapro/plugins/| -
Restart IDA Pro.
No additional dependencies — uses only IDA's bundled Python.
Usage
Interactive
- Hotkey:
Ctrl-Shift-H - Menu:
Edit → Plugins → IDA-YES-MCP Export for AI
IDA will ask whether auto-analysis has finished (skip the wait if the IDB is already fully analysed), then confirm the output directory.
Batch / headless
idat64 -A -S"plugin.py /path/to/output 1" target.exe
# ^ 1 = skip auto-analysis wait
Tuning chunk size
Edit CHUNK_SIZE in plugin.py:
CHUNK_SIZE = 400 * 1024 # default: 400 KB per chunk
| Binary size | Suggested value |
| -------------------- | ---------------------- |
| < 500 functions | 200 * 1024 |
| 500 – 5000 functions | 400 * 1024 ← default |
| > 5000 functions | 600 * 1024 |
Recommended AI Workflow
1. cd export-for-ai && claude # CLAUDE.md loads automatically
2. Read SUMMARY.md # architecture, imports, exports
3. Grep strings.txt for keywords # find entry points by string
4. Read INDEX.md # locate functions → chunk + line
5. Read decompile/chunk_NNN.c # analyse decompiled C code
↓ when static files aren't enough ↓
6. MCP: disasm / get_bytes / xrefs_to # raw bytes, disassembly, xrefs
7. MCP: infer_types / rename # refine types, rename symbols
8. MCP: decompile # re-decompile with new names/types
Requirements
- IDA Pro 8.3+ with Hex-Rays decompiler (IDA Free is not supported)
- Python 3.x (bundled with IDA)
- For live MCP queries: ida-pro-mcp running alongside
Related Projects
- ida-pro-mcp — the MCP server this plugin is designed to complement
- ida-no-mcp — the original dump-everything approach that inspired this project
中文
IDA Pro 插件,将反编译代码导出为 AI 优化的分块文件,配合 ida-pro-mcp 实现双层逆向工程工作流。
写在前面(Written By Humen)
-
本工程来源于某个周末我尝试IDA自动化逆向时使用ida-pro-mcp和ida-no-mcp时比较别扭的使用体验,简单来说ida-pro-mcp什么都要调工具,ida-no-mcp什么都不调,所以动辄要dump几百MB的内存,而且每个函数都放到一个文件里
-
本工程的主体是在周日的午饭时我让Claude Code完成的,我只负责测试(目前只在IDA8.3上测试过)。如果你觉得好用说明我想法好,如果你觉得难用Claude全责 [doge]
-
撰写本工程时,我跟Claude Code说可以参考ida-pro-mcp和ida-no-mcp,从实际效果来看应该主要参考的是ida-no-mcp
-
这名字是因为我不会起名所以直接蹭个热度吧
-
欢迎PR,或者如果有人觉得功能还行合到其他更知名的项目里也没问题
项目介绍(Written By AI)
背景
AI 辅助逆向工程的两种常见方案各有缺陷:
| 方案 | 问题 | | --------------------------- | ---------------------------------------------- | | 全量文件导出(如 ida-no-mcp) | 每个函数一个文件 → 数千个文件;内存 dump 浪费大量 token;AI 容易丢失上下文 | | 纯 MCP 方案(如 ida-pro-mcp) | 每次获取信息都需要工具调用 → 速度慢,广泛分析时延迟高 |
ida-export-mcp 结合两者优点:批量导出 AI 擅长处理的内容(反编译 C 代码、符号表),跳过不适合的内容(原始内存),实时查询交给 MCP。
工作原理
┌─────────────────────────────────────────────────────────┐
│ 第一层 — 静态导出(本插件) │
│ 一次性导出 → AI 像读源码一样分析 │
│ │
│ CLAUDE.md / INDEX.md / SUMMARY.md │
│ strings.txt / imports.txt / exports.txt │
│ decompile/chunk_001.c … chunk_NNN.c │
└─────────────────────────────────────────────────────────┘
+
┌─────────────────────────────────────────────────────────┐
│ 第二层 — 实时查询(ida-pro-mcp) │
│ 静态文件不够用时按需调用 │
│ │
│ disasm() get_bytes() xrefs_to() │
│ infer_types() rename() set_comments() … │
└─────────────────────────────────────────────────────────┘
核心设计
- 不导出内存 dump — 原始字节 token 消耗大且在源码层面价值低;需要时通过 MCP 的
get_bytes()按需查询 - 分块输出 — 所有函数打包进少量
~400 KB文件(而非每函数一个文件),大幅减少 AI 工具调用次数 - 精确行号 — 每个 chunk 文件头部有
MINI-INDEX,将函数名/地址映射到文件内精确行号,写文件前解析计算(无二次扫描) INDEX.md— 单一导航文件:所有函数 → chunk 文件 + 行号SUMMARY.md— 二进制概览:架构、段表、按模块分组的导入表、导出表、MCP 工具参考CLAUDE.md— 每次导出自动生成,包含当前二进制的快照和工作流指南,Claude Code 启动时自动加载- 断点续传 — 重新导出时跳过已存在的 chunk 文件,从其 MINI-INDEX 恢复行号映射
输出结构
export-for-ai/
├── CLAUDE.md ← Claude Code 自动加载;二进制快照 + 工作流指南
├── INDEX.md ← 主导航:所有函数 → chunk 文件 + 行号
├── SUMMARY.md ← 二进制概览 + MCP 工具参考表
├── strings.txt ← 所有字符串(地址 | 长度 | 类型 | 内容)
├── imports.txt ← 按模块/DLL 分组的导入表
├── exports.txt ← 导出表
├── decompile/
│ ├── chunk_001.c ← ~400 KB 反编译 C 代码,头部含 MINI-INDEX
│ ├── chunk_002.c
│ └── ...
├── decompile_failed.txt ← 反编译失败的函数
└── decompile_skipped.txt ← 库函数 / 无效函数(已跳过)
安装
-
将
plugin.py和exporter/目录复制到 IDA plugins 目录:| 平台 | 路径 | | ------------- | ------------------------------------- | | Windows |
%APPDATA%\Hex-Rays\IDA Pro\plugins\| | Linux / macOS |~/.idapro/plugins/| -
重启 IDA Pro。
无额外依赖,仅使用 IDA 内置 Python。
使用方法
交互模式
- 热键:
Ctrl-Shift-H - 菜单:
Edit → Plugins → IDA-YES-MCP Export for AI
IDA 会询问自动分析是否已完成(IDB 已完整分析时选"是"跳过等待),然后确认输出目录。
批处理 / 无头模式
idat64 -A -S"plugin.py /path/to/output 1" target.exe
# ^ 1 = 跳过自动分析等待
调整分块大小
编辑 plugin.py 中的 CHUNK_SIZE:
CHUNK_SIZE = 400 * 1024 # 默认:每个 chunk 400 KB
| 二进制规模 | 建议值 |
| -------------- | ---------------- |
| < 500 个函数 | 200 * 1024 |
| 500 – 5000 个函数 | 400 * 1024(默认) |
| > 5000 个函数 | 600 * 1024 |
推荐 AI 分析流程
1. cd export-for-ai && claude # CLAUDE.md 自动加载
2. 读 SUMMARY.md # 了解架构、导入、导出
3. grep strings.txt 关键词 # 通过字符串定位入口
4. 读 INDEX.md # 找到目标函数 → chunk + 行号
5. 读 decompile/chunk_NNN.c # 分析反编译 C 代码
↓ 静态文件不够用时 ↓
6. MCP: disasm / get_bytes / xrefs_to # 原始字节、反汇编、交叉引用
7. MCP: infer_types / rename # 推断类型、重命名符号
8. MCP: decompile # 用新名称/类型重新反编译
环境要求
- IDA Pro 8.3+,带 Hex-Rays 反编译器(不支持 IDA Free)
- Python 3.x(IDA 内置)
- 实时 MCP 查询需要:ida-pro-mcp 同时运行
相关项目
- ida-pro-mcp — 本插件配套的 MCP 服务端
- ida-no-mcp — 启发本项目的原始全量导出方案