ida-no-mcp-decompiler-exporter
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseIDA NO MCP Decompiler Exporter
IDA NO MCP Decompiler Exporter
Skill by ara.so — MCP Skills collection.
IDA-NO-MCP is a plugin for IDA Pro that exports decompiled code, disassembly, strings, imports, exports, and memory dumps into AI-friendly formats. Instead of complex MCP integrations, it generates organized source files that can be directly analyzed by AI IDEs like Cursor or Claude Code.
由ara.so开发的Skill——属于MCP Skills合集。
IDA-NO-MCP是一款IDA Pro插件,可将反编译代码、汇编代码、字符串、导入表、导出表以及内存转储导出为AI易处理的格式。无需复杂的MCP集成,它就能生成结构化的源文件,可直接被Cursor或Claude Code等AI IDE分析。
What It Does
功能介绍
- Exports decompiled C code: Each function as a separate file with metadata (address, callers, callees)
.c - Automatic fallback: Falls back to disassembly () when decompilation fails
.asm - Memory dumps: Exports all memory segments as hexdump files (1MB chunks)
- Metadata extraction: Strings, imports, exports tables
- Smart filtering: Skips library functions and invalid functions automatically
- Detailed logging: Tracks successes, fallbacks, failures, and skipped functions
- 导出反编译C代码:每个函数作为单独的文件,附带元数据(地址、调用者、被调用者)
.c - 自动降级处理:反编译失败时自动切换为导出汇编代码()
.asm - 内存转储:将所有内存段导出为十六进制转储文件(按1MB分块)
- 元数据提取:提取字符串、导入表、导出表
- 智能过滤:自动跳过库函数与无效函数
- 详细日志:记录成功导出、降级处理、导出失败及跳过的函数
Installation
安装方法
Plugin Mode (Recommended)
插件模式(推荐)
-
Copyto your IDA plugins directory:
INP.py- Windows:
%APPDATA%\Hex-Rays\IDA Pro\plugins\ - Linux/macOS:
~/.idapro/plugins/
- Windows:
-
Restart IDA Pro
-
Use the plugin:
- Shortcut: (quick export)
Ctrl-Shift-E - Menu: →
Edit→PluginsExport for AI
- Shortcut:
-
将复制到IDA插件目录:
INP.py- Windows:
%APPDATA%\Hex-Rays\IDA Pro\plugins\ - Linux/macOS:
~/.idapro/plugins/
- Windows:
-
重启IDA Pro
-
使用插件:
- 快捷键:(快速导出)
Ctrl-Shift-E - 菜单路径:→
Edit→PluginsExport for AI
- 快捷键:
Script Mode
脚本模式
Run directly from IDA's script window () or via command line:
INP.pyAlt-F7python
undefined直接从IDA脚本窗口()或命令行运行:
Alt-F7INP.pypython
undefinedFrom IDA script window
From IDA script window
execfile('/path/to/INP.py')
undefinedexecfile('/path/to/INP.py')
undefinedOutput Structure
输出结构
After export, the IDB directory contains:
your_binary.idb/
├── decompile/ # Decompiled C code (.c files)
├── disassembly/ # Fallback assembly (.asm files)
├── memory/ # Memory dumps (hexdump format)
├── strings.txt # All strings with addresses
├── imports.txt # Import table
├── exports.txt # Export table
├── disassembly_fallback.txt # List of fallback functions
├── decompile_failed.txt # Complete failures
└── decompile_skipped.txt # Skipped library/invalid functions导出完成后,IDB目录将包含以下内容:
your_binary.idb/
├── decompile/ # 反编译C代码(.c文件)
├── disassembly/ # 降级导出的汇编代码(.asm文件)
├── memory/ # 内存转储(十六进制格式)
├── strings.txt # 带地址的所有字符串
├── imports.txt # 导入表
├── exports.txt # 导出表
├── disassembly_fallback.txt # 降级处理的函数列表
├── decompile_failed.txt # 完全导出失败的函数
└── decompile_skipped.txt # 跳过的库/无效函数Function Export Format
函数导出格式
Each exported function includes metadata headers:
c
/*
* func-name: sub_401000
* func-address: 0x401000
* export-type: decompile
* callers: 0x402000, 0x403000
* callees: 0x404000, 0x405000
*/
__int64 __fastcall sub_401000(__int64 a1, int a2)
{
// Decompiled code here
return result;
}For disassembly fallback ( files):
.asmasm
/*
* func-name: sub_401000
* func-address: 0x401000
* export-type: disassembly
* callers: 0x402000, 0x403000
* callees: 0x404000, 0x405000
*/
sub_401000 proc near
push rbp
mov rbp, rsp
; ... assembly code
ret
sub_401000 endp每个导出的函数都包含元数据头部:
c
/*
* func-name: sub_401000
* func-address: 0x401000
* export-type: decompile
* callers: 0x402000, 0x403000
* callees: 0x404000, 0x405000
*/
__int64 __fastcall sub_401000(__int64 a1, int a2)
{
// Decompiled code here
return result;
}对于降级导出的汇编代码(文件):
.asmasm
/*
* func-name: sub_401000
* func-address: 0x401000
* export-type: disassembly
* callers: 0x402000, 0x403000
* callees: 0x404000, 0x405000
*/
sub_401000 proc near
push rbp
mov rbp, rsp
; ... assembly code
ret
sub_401000 endpKey Plugin Components
插件核心组件
Core Export Logic
核心导出逻辑
python
import idaapi
import idc
import idautils
import ida_hexrays
import ida_funcs
import os
def export_decompiled_code(func_ea):
"""Export decompiled code for a function"""
try:
# Get function name
func_name = idc.get_func_name(func_ea)
# Get callers and callees
callers = [hex(xref.frm) for xref in idautils.XrefsTo(func_ea, 0)]
callees = []
for item_ea in idautils.FuncItems(func_ea):
for xref in idautils.XrefsFrom(item_ea, 0):
if xref.type in [ida_xref.fl_CN, ida_xref.fl_CF]:
callees.append(hex(xref.to))
# Try decompilation
cfunc = idaapi.decompile(func_ea)
if cfunc:
decompiled = str(cfunc)
# Build metadata header
header = f"""/*
* func-name: {func_name}
* func-address: {hex(func_ea)}
* export-type: decompile
* callers: {', '.join(callers) if callers else 'none'}
* callees: {', '.join(callees) if callees else 'none'}
*/
"""
return header + decompiled
except Exception as e:
print(f"Decompilation failed for {hex(func_ea)}: {e}")
return Nonepython
import idaapi
import idc
import idautils
import ida_hexrays
import ida_funcs
import os
def export_decompiled_code(func_ea):
"""Export decompiled code for a function"""
try:
# Get function name
func_name = idc.get_func_name(func_ea)
# Get callers and callees
callers = [hex(xref.frm) for xref in idautils.XrefsTo(func_ea, 0)]
callees = []
for item_ea in idautils.FuncItems(func_ea):
for xref in idautils.XrefsFrom(item_ea, 0):
if xref.type in [ida_xref.fl_CN, ida_xref.fl_CF]:
callees.append(hex(xref.to))
# Try decompilation
cfunc = idaapi.decompile(func_ea)
if cfunc:
decompiled = str(cfunc)
# Build metadata header
header = f"""/*
* func-name: {func_name}
* func-address: {hex(func_ea)}
* export-type: decompile
* callers: {', '.join(callers) if callers else 'none'}
* callees: {', '.join(callees) if callees else 'none'}
*/
"""
return header + decompiled
except Exception as e:
print(f"Decompilation failed for {hex(func_ea)}: {e}")
return NoneMemory Export
内存导出
python
def export_memory_segment(seg_ea, output_dir):
"""Export memory segment as hexdump"""
seg = idaapi.getseg(seg_ea)
if not seg:
return
seg_start = seg.start_ea
seg_end = seg.end_ea
seg_size = seg_end - seg_start
max_size = 1024 * 1024 # 1MB chunks
chunk_num = 0
while seg_start < seg_end:
chunk_end = min(seg_start + max_size, seg_end)
filename = f"{hex(seg_start)}--{hex(chunk_end)}.txt"
with open(os.path.join(output_dir, filename), 'w') as f:
addr = seg_start
while addr < chunk_end:
# Read 16 bytes per line
line_bytes = []
ascii_chars = []
for i in range(16):
if addr + i >= chunk_end:
break
byte = idc.get_wide_byte(addr + i)
line_bytes.append(f"{byte:02X}")
ascii_chars.append(chr(byte) if 32 <= byte <= 126 else '.')
# Format: ADDRESS | HEX BYTES | ASCII
hex_part = ' '.join(line_bytes).ljust(48)
ascii_part = ''.join(ascii_chars)
f.write(f"{hex(addr)} | {hex_part} | {ascii_part}\n")
addr += 16
seg_start = chunk_end
chunk_num += 1python
def export_memory_segment(seg_ea, output_dir):
"""Export memory segment as hexdump"""
seg = idaapi.getseg(seg_ea)
if not seg:
return
seg_start = seg.start_ea
seg_end = seg.end_ea
seg_size = seg_end - seg_start
max_size = 1024 * 1024 # 1MB chunks
chunk_num = 0
while seg_start < seg_end:
chunk_end = min(seg_start + max_size, seg_end)
filename = f"{hex(seg_start)}--{hex(chunk_end)}.txt"
with open(os.path.join(output_dir, filename), 'w') as f:
addr = seg_start
while addr < chunk_end:
# Read 16 bytes per line
line_bytes = []
ascii_chars = []
for i in range(16):
if addr + i >= chunk_end:
break
byte = idc.get_wide_byte(addr + i)
line_bytes.append(f"{byte:02X}")
ascii_chars.append(chr(byte) if 32 <= byte <= 126 else '.')
# Format: ADDRESS | HEX BYTES | ASCII
hex_part = ' '.join(line_bytes).ljust(48)
ascii_part = ''.join(ascii_chars)
f.write(f"{hex(addr)} | {hex_part} | {ascii_part}\n")
addr += 16
seg_start = chunk_end
chunk_num += 1String Extraction
字符串提取
python
def export_strings(output_file):
"""Export all strings with metadata"""
with open(output_file, 'w', encoding='utf-8') as f:
strings = idautils.Strings()
for s in strings:
# Format: address, length, type, content
str_type = {
0: "ASCII",
1: "UTF-16LE",
2: "UTF-32LE"
}.get(s.strtype, "UNKNOWN")
f.write(f"{hex(s.ea)} | len={s.length} | {str_type} | {str(s)}\n")python
def export_strings(output_file):
"""Export all strings with metadata"""
with open(output_file, 'w', encoding='utf-8') as f:
strings = idautils.Strings()
for s in strings:
# Format: address, length, type, content
str_type = {
0: "ASCII",
1: "UTF-16LE",
2: "UTF-32LE"
}.get(s.strtype, "UNKNOWN")
f.write(f"{hex(s.ea)} | len={s.length} | {str_type} | {str(s)}\n")Common Usage Patterns
常见使用场景
Analyzing Exported Code with AI
用AI分析导出的代码
After exporting, open the IDB directory in your AI IDE:
- Context-aware analysis: AI can read all files and understand function relationships via caller/callee metadata
.c - Vulnerability hunting: Ask AI to find buffer overflows, use-after-free, etc.
- Crypto detection: Identify cryptographic functions and constants
- Protocol analysis: Understand network protocol parsing logic
导出完成后,在AI IDE中打开IDB目录:
- 上下文感知分析:AI可读取所有文件,并通过调用者/被调用者元数据理解函数关系
.c - 漏洞挖掘:让AI查找缓冲区溢出、释放后使用等漏洞
- 加密算法识别:识别加密函数与常量
- 协议分析:理解网络协议解析逻辑
Adding Extra Context
添加额外上下文
Create additional directories alongside exports:
your_binary.idb/
├── decompile/ # Auto-generated
├── docs/ # Your reverse engineering notes
├── codes/ # Frida scripts, exploits, tools
└── apk/ # APK decompilation (for Android)AI tools will index all content for comprehensive analysis.
在导出目录旁创建额外目录:
your_binary.idb/
├── decompile/ # 自动生成
├── docs/ # 你的逆向工程笔记
├── codes/ # Frida脚本、漏洞利用工具
└── apk/ # APK反编译内容(针对Android)AI工具会索引所有内容,进行全面分析。
Programmatic Integration
程序化集成
python
undefinedpython
undefinedRun export from IDA Python script
Run export from IDA Python script
import INP
import INP
Trigger export programmatically
Trigger export programmatically
INP.main() # Runs the full export process
INP.main() # Runs the full export process
Or customize export paths
Or customize export paths
output_dir = "/custom/path/output"
INP.export_all(output_dir)
undefinedoutput_dir = "/custom/path/output"
INP.export_all(output_dir)
undefinedConfiguration
配置说明
The plugin works out-of-the-box with defaults but can be customized by editing :
INP.pypython
undefined插件默认即可使用,也可通过编辑自定义配置:
INP.pypython
undefinedSkip library functions (default: True)
Skip library functions (default: True)
SKIP_LIB_FUNCS = True
SKIP_LIB_FUNCS = True
Maximum memory chunk size in bytes
Maximum memory chunk size in bytes
MAX_CHUNK_SIZE = 1024 * 1024 # 1MB
MAX_CHUNK_SIZE = 1024 * 1024 # 1MB
Progress reporting interval
Progress reporting interval
PROGRESS_INTERVAL = 100 # Report every 100 functions
PROGRESS_INTERVAL = 100 # Report every 100 functions
Export types to include
Export types to include
EXPORT_DECOMPILE = True
EXPORT_DISASM_FALLBACK = True
EXPORT_MEMORY = True
EXPORT_STRINGS = True
EXPORT_IMPORTS = True
EXPORT_EXPORTS = True
undefinedEXPORT_DECOMPILE = True
EXPORT_DISASM_FALLBACK = True
EXPORT_MEMORY = True
EXPORT_STRINGS = True
EXPORT_IMPORTS = True
EXPORT_EXPORTS = True
undefinedTroubleshooting
故障排查
Plugin doesn't appear in menu
插件未出现在菜单中
- Verify is in the correct plugins directory
INP.py - Check IDA output window for Python errors
- Ensure IDA has Hex-Rays Decompiler installed (for decompilation feature)
- 确认已放入正确的插件目录
INP.py - 检查IDA输出窗口的Python错误信息
- 确保IDA已安装Hex-Rays Decompiler(反编译功能依赖此组件)
Decompilation fails for all functions
所有函数反编译失败
- Check if Hex-Rays Decompiler is licensed and active
- Some architectures may not support decompilation (will auto-fallback to disassembly)
- Check for specific error messages
decompile_failed.txt
- 检查Hex-Rays Decompiler是否已授权并激活
- 部分架构可能不支持反编译(会自动降级为汇编导出)
- 查看获取具体错误信息
decompile_failed.txt
Out of memory during export
导出时内存不足
- Large binaries may need chunked processing
- Reduce in the script
MAX_CHUNK_SIZE - Export specific function ranges instead of entire binary
- 大型二进制文件可能需要分块处理
- 减小脚本中的值
MAX_CHUNK_SIZE - 导出特定函数范围而非整个二进制文件
Special characters in function names
函数名称包含特殊字符
The plugin automatically sanitizes filenames:
- Replaces with underscores
/\:*?"<>| - Appends address suffix for duplicate names (e.g., )
main_401000.c
插件会自动清理文件名:
- 将替换为下划线
/\:*?"<>| - 重名函数会添加地址后缀(例如:)
main_401000.c
Missing callers/callees data
调用者/被调用者数据缺失
- Ensure IDA has completed auto-analysis (Wait for "AU: idle" in status bar)
- Run "Reanalyze program" from Edit menu if needed
- Check if functions are properly recognized (Edit → Functions → Reanalyze program)
- 确保IDA已完成自动分析(等待状态栏显示"AU: idle")
- 若需要,从Edit菜单运行"Reanalyze program"
- 检查函数是否被正确识别(Edit → Functions → Reanalyze program)
Integration with AI Workflows
AI工作流集成
Example: Finding vulnerabilities
示例:漏洞查找
bash
undefinedbash
undefinedAfter export, ask AI in your IDE:
After export, ask AI in your IDE:
"Analyze all functions in decompile/ for buffer overflow vulnerabilities"
"Find all memcpy/strcpy calls and check bounds validation"
undefined"Analyze all functions in decompile/ for buffer overflow vulnerabilities"
"Find all memcpy/strcpy calls and check bounds validation"
undefinedExample: Understanding malware behavior
示例:恶意软件行为分析
bash
"Trace the execution flow starting from entry point at 0x401000"
"Identify anti-debugging checks and obfuscation techniques"
"Extract C2 communication URLs from strings.txt and related functions"bash
"Trace the execution flow starting from entry point at 0x401000"
"Identify anti-debugging checks and obfuscation techniques"
"Extract C2 communication URLs from strings.txt and related functions"Example: Protocol reverse engineering
示例:协议逆向工程
bash
"Find packet parsing functions using imports.txt and decompiled code"
"Document the binary protocol structure based on recv/send call patterns"bash
"Find packet parsing functions using imports.txt and decompiled code"
"Document the binary protocol structure based on recv/send call patterns"Advanced Tips
进阶技巧
- Incremental analysis: Export once, iterate with AI on specific function subsets
- Version control: Commit exports to track understanding evolution
- Cross-reference: Combine with dynamic analysis (Frida logs, traces)
- Custom scripts: Write Python scripts that parse the exported metadata for automated analysis
- 增量分析:导出一次后,针对特定函数子集与AI迭代分析
- 版本控制:将导出内容提交到版本库,跟踪理解过程的演变
- 交叉引用:结合动态分析结果(Frida日志、跟踪数据)
- 自定义脚本:编写Python脚本解析导出的元数据,实现自动化分析