MCP server by Torebtr
IDA Pro MCP Multi
Multi-instance IDA Pro MCP Server — simultaneous reverse engineering across multiple binaries with LLM-powered binary diffing, symbol porting, and patch discovery.
English
What is this?
IDA Pro MCP Multi is an enhanced fork of mrexodia/ida-pro-mcp that enables simultaneous analysis of multiple binaries through a single MCP (Model Context Protocol) connection. Connect Claude Code (or any MCP client) to two or more IDA Pro instances at once, and let the LLM cross-reference between them.
Why?
Reverse engineers frequently compare binary versions to:
- Port symbols & names from an older, symbolicated build to a newer, stripped one
- Discover patches between versions to understand what was fixed (or broken)
- Reproduce vulnerabilities by identifying the exact code changes in a security patch
- Diff malware variants to track evolution
Traditional BinDiff tools require manual inspection. With MCP Multi, Claude reads both binaries simultaneously and reasons about their differences in natural language.
Quick Start
```bash
# 1. Install
git clone https://github.com/Torebtr/ida-pro-mcp-multi.git
cd ida-pro-mcp-multi
pip install -e .

# 2. Install IDA plugin + configure Claude Code
python -m ida_pro_mcp --install claude-code

# 3. Open IDA #1 -> load binary v1 -> Ctrl+Alt+M
# 4. Open IDA #2 -> load binary v2 -> Ctrl+Alt+M
# 5. Restart Claude Code
```
In Claude Code:
```
# Enter multi-instance mode
multi_select(aliases=[
    {"alias":"sym","host":"127.0.0.1","port":13337},
    {"alias":"nosym","host":"127.0.0.1","port":13338}
])

# Use prefixed tools to target a specific instance
sym__decompile(addr="main")
nosym__decompile(addr="0x401000")

# Cross-instance analysis
multi_match_function(source_alias="sym", target_alias="nosym", addrs=["main"])
multi_port_names(source_alias="sym", target_alias="nosym", dry_run=False)
multi_diff_function(addr_a="main", addr_b="0x401000", alias_a="sym", alias_b="nosym")
multi_find_new_or_changed(reference_alias="sym", target_alias="nosym")
```
Multi-Instance Tools
| Tool | Description |
|------|-------------|
| multi_select(aliases, primary?) | Register 2+ IDA instances and activate multi-instance mode |
| multi_list_instances() | List registered aliases with reachability status |
| multi_match_function(source_alias, target_alias, addrs) | Match functions across instances by byte-level signatures |
| multi_port_names(source_alias, target_alias, addrs?, dry_run) | Copy function names from symbolicated to stripped binary |
| multi_diff_function(addr_a, addr_b, alias_a, alias_b) | Side-by-side decompilation diff between two instances |
| multi_find_new_or_changed(reference_alias, target_alias) | Find functions that are new or modified between versions |
After multi_select, all standard IDA tools are also available with <alias>__ prefix (e.g., sym__decompile, nosym__list_funcs), in addition to the unprefixed versions which route to the primary instance.
Architecture
```
Claude Code (stdio)
    |
    v
server.py (MCP proxy with multi-instance dispatch)
    |
    +-- tools/list  -> fetches & prefixes tools from each instance (parallel)
    +-- tools/call  -> <alias>__<tool> routes to specific instance
    |
    +-- multi/manager.py -> per-session state (alias -> host:port)
    +-- multi/router.py  -> dispatch interception + parallel tool fetching
    +-- multi/tools.py   -> cross-instance analysis tools
    |
    +--> IDA #1 (127.0.0.1:13337)  <- auto-discovered
    +--> IDA #2 (127.0.0.1:13338)  <- auto-discovered
```
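The routing rule described above (`<alias>__<tool>` goes to the named instance, unprefixed names go to the primary) is written out below as an added example. It is not code from this project's `multi/manager.py` or `multi/router.py`; the `Instance` and `Registry` names, the loopback-only host check, and defaulting the primary to the first alias are assumptions.

```python
# Added illustration; Instance, Registry and resolve are hypothetical names.
import ipaddress
from dataclasses import dataclass

SEP = "__"  # separator the README shows between alias and tool name


@dataclass(frozen=True)
class Instance:
    host: str
    port: int


class Registry:
    """Per-session alias -> host:port map with one primary instance."""

    def __init__(self, aliases, primary=None):
        if len(aliases) < 2:
            raise ValueError("multi-instance mode needs 2+ instances")
        self.instances = {}
        for entry in aliases:
            alias, host, port = entry["alias"], entry["host"], int(entry["port"])
            # An alias containing the separator would make "a__b__tool" ambiguous.
            if not alias.isidentifier() or SEP in alias:
                raise ValueError(f"bad alias: {alias!r}")
            if alias in self.instances:
                raise ValueError(f"duplicate alias: {alias!r}")
            # Assumption: only loopback IDA instances are accepted, as in the README.
            if not ipaddress.ip_address(host).is_loopback:
                raise ValueError(f"non-loopback host refused: {host}")
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port: {port}")
            self.instances[alias] = Instance(host, port)
        # Assumption: when no primary is given, the first alias becomes primary.
        self.primary = primary or aliases[0]["alias"]
        if self.primary not in self.instances:
            raise ValueError(f"unknown primary: {self.primary!r}")

    def resolve(self, tool_name):
        """Return (Instance, bare_tool_name) for a tools/call name."""
        alias, sep, bare = tool_name.partition(SEP)
        if sep and alias in self.instances and bare:
            return self.instances[alias], bare
        # Unprefixed names (and unknown prefixes, by assumption) go to the primary unchanged.
        return self.instances[self.primary], tool_name
```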
Requirements
- Python 3.11+
- IDA Pro 8.3+ (9.0 recommended)
- IDA Free is not supported
Backward Compatibility
This fork is fully backward compatible with upstream ida-pro-mcp. If you never call multi_select, the server behaves exactly like the original -- single-instance mode with select_instance for switching.
Typical Workflows
Symbol Porting:
```
multi_select(aliases=[
    {"alias":"old","host":"127.0.0.1","port":13337},
    {"alias":"new","host":"127.0.0.1","port":13338}
])

# Preview first (no modifications)
multi_port_names(source_alias="old", target_alias="new", dry_run=True)

# Apply
multi_port_names(source_alias="old", target_alias="new", dry_run=False)
```
Patch Diffing:
```
# Find all changed functions
multi_find_new_or_changed(reference_alias="old", target_alias="new")

# Compare specific functions
multi_diff_function(addr_a="sub_1000", addr_b="0x401000", alias_a="old", alias_b="new")
```
Three-Way Diff:
```
multi_select(aliases=[
    {"alias":"v1","host":"127.0.0.1","port":13337},
    {"alias":"v2","host":"127.0.0.1","port":13338},
    {"alias":"v3","host":"127.0.0.1","port":13339}
])

v1__decompile(addr="main")
v2__decompile(addr="0x401000")
v3__decompile(addr="0x402000")

multi_diff_function(addr_a="main", addr_b="0x401000", alias_a="v1", alias_b="v2")
multi_diff_function(addr_a="0x401000", addr_b="0x402000", alias_a="v2", alias_b="v3")
```
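Chinese
What is this?
IDA Pro MCP Multi is an enhanced fork of mrexodia/ida-pro-mcp that supports analyzing multiple binaries simultaneously through a single MCP (Model Context Protocol) connection. Connect Claude Code (or any MCP client) to two or more IDA Pro instances at the same time and let the LLM reason across them.
What problem does it solve?
Reverse engineers often need to compare multiple versions of the same program:
- Port symbols: carry function names and comments from an older version that has a symbol table over to a newer version without symbols
- Discover patches: find the code differences between versions and understand what was fixed
- Reproduce vulnerabilities: locate the vulnerability by identifying the specific code changes in a security patch
- Track malware variants: analyze how malware evolves
Traditional BinDiff tools require manual one-by-one comparison. With MCP Multi, Claude can read both binaries at the same time and reason about their differences in natural language.
Quick Start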
```bash
# 1. Install
git clone https://github.com/Torebtr/ida-pro-mcp-multi.git
cd ida-pro-mcp-multi
pip install -e .

# 2. Install IDA plugin + configure Claude Code
python -m ida_pro_mcp --install claude-code

# 3. Open IDA #1 -> load binary v1 (with symbols) -> Ctrl+Alt+M
# 4. Open IDA #2 -> load binary v2 (without symbols) -> Ctrl+Alt+M
# 5. Restart Claude Code
```
In Claude Code, enter:
```
# Enter multi-instance mode
multi_select(aliases=[
    {"alias":"sym","host":"127.0.0.1","port":13337},
    {"alias":"nosym","host":"127.0.0.1","port":13338}
])

# Use prefixed tools to target a specific instance
sym__decompile(addr="main")
nosym__decompile(addr="0x401000")

# Cross-instance analysis
multi_match_function(source_alias="sym", target_alias="nosym", addrs=["main"])
multi_port_names(source_alias="sym", target_alias="nosym", dry_run=False)
multi_diff_function(addr_a="main", addr_b="0x401000", alias_a="sym", alias_b="nosym")
multi_find_new_or_changed(reference_alias="sym", target_alias="nosym")
```
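Multi-Instance Tools
| Tool | Description |
|------|-------------|
| multi_select(aliases, primary?) | Register 2 or more IDA instances and activate multi-instance mode |
| multi_list_instances() | List registered aliases and their connection status |
| multi_match_function(source_alias, target_alias, addrs) | Match functions across instances using byte-level signatures |
| multi_port_names(source_alias, target_alias, addrs?, dry_run) | Port function names from the version with symbols to the version without symbols |
| multi_diff_function(addr_a, addr_b, alias_a, alias_b) | Compare the decompiled code of the same function in two instances side by side |
| multi_find_new_or_changed(reference_alias, target_alias) | Find functions that are new or modified between versions |
After running multi_select, all standard IDA tools are also available in <alias>__ prefixed form (e.g., sym__decompile, nosym__list_funcs); unprefixed tools route to the primary instance.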
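Architecture
```
Claude Code (stdio)
    |
    v
server.py (MCP proxy + multi-instance dispatch)
    |
    +-- tools/list  -> fetches the tool list from each instance in parallel and adds prefixes
    +-- tools/call  -> <alias>__<tool name> routes to the specified instance
    |
    +-- multi/manager.py -> session-level state management (alias -> host:port)
    +-- multi/router.py  -> dispatch interception + parallel tool fetching
    +-- multi/tools.py   -> cross-instance analysis tools
    |
    +--> IDA #1 (127.0.0.1:13337)  <- auto-discovered
    +--> IDA #2 (127.0.0.1:13338)  <- auto-discovered
```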
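Requirements
- Python 3.11+
- IDA Pro 8.3+ (9.0 recommended)
- IDA Free is not supported
Backward Compatibility
This fork is fully backward compatible with upstream ida-pro-mcp. If multi_select is never called, the server behaves exactly like the original: single-instance mode, using select_instance to switch instances.
Typical Workflows
Scenario 1: Symbol Porting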
```
multi_select(aliases=[
    {"alias":"old","host":"127.0.0.1","port":13337},
    {"alias":"new","host":"127.0.0.1","port":13338}
])

# Preview first, without making any modifications
multi_port_names(source_alias="old", target_alias="new", dry_run=True)

# Apply once confirmed correct
multi_port_names(source_alias="old", target_alias="new", dry_run=False)
```
Scenario 2: Patch Diff Analysis
```
# Find all functions that changed in the new version
multi_find_new_or_changed(reference_alias="old", target_alias="new")

# Compare the functions of interest one by one
multi_diff_function(addr_a="sub_1000", addr_b="0x401000", alias_a="old", alias_b="new")
```
Scenario 3: Three-Way Comparison
```
multi_select(aliases=[
    {"alias":"v1","host":"127.0.0.1","port":13337},
    {"alias":"v2","host":"127.0.0.1","port":13338},
    {"alias":"v3","host":"127.0.0.1","port":13339}
])

# Track how a function evolves across the three versions
v1__decompile(addr="main")
v2__decompile(addr="0x401000")
v3__decompile(addr="0x402000")

multi_diff_function(addr_a="main", addr_b="0x401000", alias_a="v1", alias_b="v2")
multi_diff_function(addr_a="0x401000", addr_b="0x402000", alias_a="v2", alias_b="v3")
```
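Acknowledgments
Built on mrexodia/ida-pro-mcp by the original authors Duncan Ogilvie (mrexodia), can1357, and contributors.
The multi-instance extension is built specifically for cross-binary analysis workflows.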
License: MIT