
Ida Reverse
Operate IDA Pro through the idapro MCP tool suite so an agent can survey binaries, list functions, and drive reverse-engineering sessions from PowerShell scripts.
Overview
IDA Reverse is an agent skill most often used in Ship security (also Operate monitoring) that documents 72 idapro MCP tools and PowerShell flows to open binaries and survey them in IDA Pro.
Install
npx skills add https://github.com/zhaoxuya520/reverse-skill --skill ida-reverse
What is this skill?
- Documents 72 idapro_* MCP tools grouped by workflow: startup, sessions, survey, functions, and deeper analysis
- PowerShell helpers start.ps1, open.ps1 with OK:72 readiness signal and session_id binding
- survey_binary with minimal, standard, and full detail_level for architecture, imports, and hot xrefs
- Session management via idalib_list, switch, close, save, health, and server_warmup
- open.ps1 supports TimeoutSeconds and NoAutoAnalysis for large binaries
- 72 MCP tools documented for server idapro
- survey_binary supports 3 detail_level options: minimal, standard, full
Adoption & trust: 1 install on skills.sh; 1.3k GitHub stars; trending (+100% hot-view momentum).
What problem does it solve?
You need to reverse or audit a binary with IDA but cannot keep 70+ MCP tool names, session rules, and open flags straight in chat.
Who is it for?
Advanced solo builders or indie security researchers automating IDA Pro via MCP on Windows with existing licenses and target executables.
Skip if: Beginners seeking source-level debugging only, teams without IDA Pro, or builders who cannot run PowerShell and local IDA workers.
When should I use this skill?
You are automating IDA Pro analysis via the idapro MCP HTTP server and need tool names, session steps, or open.ps1 parameters.
What do I get? / Deliverables
You get a structured survey and function listing workflow—start server, open target, survey_binary, list_funcs—with session hygiene and save paths spelled out.
- Running idapro session with survey_binary overview
- Paginated function lists with optional name filters
- Saved IDA database via idalib_save when analysis pauses
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Binary review and malware-style analysis map to Ship security work before you trust unknown executables in production or release pipelines. Reverse engineering and IDA session control are application security and audit activities, not greenfield feature coding.
Where it fits
Survey an unfamiliar installer before it ships in your Electron updater channel.
Cross-check hot xref functions flagged during a dependency vendor binary audit.
Attach IDA to a crash dump executable to locate crypto or network import clusters quickly.
Estimate analysis cost on a large sys file using open.ps1 with NoAutoAnalysis before committing calendar time.
How it compares
This is an IDA MCP procedural catalog, not a generic static-analysis linter or a cloud-only malware sandbox.
Common Questions / FAQ
Who is ida-reverse for?
Experienced builders and reverse engineers who want Claude or Cursor to call idapro_* tools with correct session and survey_binary sequencing.
When should I use ida-reverse?
During Ship security reviews of suspicious binaries, before release signing decisions, and in Operate when investigating unexpected production executables or drivers.
Is ida-reverse safe to install?
It drives powerful local disassembly and file access; review the Security Audits panel on this page and only analyze binaries you are authorized to handle.
SKILL.md - Ida Reverse
# IDA Pro MCP Tool Quick Reference

> 72 MCP tools grouped by function, with common parameters and typical usage.
> Server name: `idapro`, tool prefix: `idapro_*`, runs in HTTP mode.

---

## Startup and Session Management

### Starting the server

```powershell
# Start the MCP HTTP server (silent, in the background)
powershell -File "scripts/start.ps1"
# Prints OK:72 when ready

# Open the target file (bypasses schema validation)
powershell -File "scripts/open.ps1" -Path "C:\target.exe"
# Prints OK:filename:session_id

# Large files / GUI programs: add a timeout
powershell -File "scripts/open.ps1" -Path "C:\big.exe" -TimeoutSeconds 600

# Skip auto-analysis (fast open)
powershell -File "scripts/open.ps1" -Path "C:\huge.sys" -NoAutoAnalysis
```

### Session tools

| Tool | Purpose | Example |
|------|------|------|
| `idapro_idalib_list()` | List all sessions | — |
| `idapro_idalib_current()` | Currently bound session | — |
| `idapro_idalib_switch(session_id)` | Switch session | When comparing multiple files |
| `idapro_idalib_close(session_id)` | Close session | Release resources |
| `idapro_idalib_save(path)` | Save database | Save analysis progress |
| `idapro_idalib_health(session_id)` | Check worker status | Diagnose hangs |
| `idapro_server_health()` | Server health check | — |
| `idapro_server_warmup()` | Warm up subsystems | Before first use |

---

## Step 1: Global Overview

### survey_binary — quick overview

```
idapro_survey_binary(detail_level="minimal")
```

Returns:
- Architecture (x86/x64/ARM/MIPS)
- Entry point
- Total number of functions
- String statistics
- Segment information
- Import categories (crypto/network/file I/O/registry)
- Hot functions with high xref counts

**detail_level options**:
- `"minimal"` — quick overview (recommended first choice)
- `"standard"` — more detail
- `"full"` — complete information

### Function list

```
# List all functions (paginated)
idapro_list_funcs(queries=[{"offset": 0, "limit": 50}])

# Filter by name
idapro_list_funcs(queries=[{"filter": "crypt", "offset": 0, "limit": 20}])
idapro_list_funcs(queries=[{"filter": "main", "offset": 0, "limit": 10}])
```

### Unified query

```
# Query imported functions
idapro_entity_query(kind="imports", filter="Create")

# Query strings
idapro_entity_query(kind="strings", filter="http")

# Query all named symbols
idapro_entity_query(kind="names", filter="")
```

---

## Decompilation and Disassembly

### Decompile (pseudocode)

```
# By function name
idapro_decompile(addr="main")
idapro_decompile(addr="sub_140001000")

# By address
idapro_decompile(addr="0x140001000")
```

### Disassemble

```
# Default instruction count
idapro_disasm(addr="main")

# Specify the number of instructions
idapro_disasm(addr="0x401000", max_instructions=100)
```

### Comprehensive analysis (recommended)

```
# One call returns: pseudocode + strings + constants + callers + callees + basic blocks
idapro_analyze_function(addr="main", include_asm=false)

# Include assembly
idapro_analyze_function(addr="sub_401000", include_asm=true)
```

### Function profile

```
# Batch-fetch function metrics (size, block count, xref count)
idapro_func_profile(queries=["main", "sub_401000", "sub_402000"])
```

---

## Cross-References and Call Graph

### Who references the target

```
# See who calls a function
idapro_xrefs_to(addrs=["sub_401000"])

# See who references a string / data item
idapro_xrefs_to(addrs=["0x404000"])

# Batch query
idapro_xrefs_to(addrs=["CreateFileW", "ReadFile", "WriteFile"])
```

### Advanced xref query

```
# Specify direction and type
idapro_xref_query(addr="0x401000", direction="to")    # who references me
idapro_xref_query(addr="0x401000", direction="from")  # whom I reference
```

### Callee list

```
idapro_callees(addrs=["main"])
```

### Call graph

```
# Starting from main, depth 3
idapro_callgraph(roots=["main"], max_depth=3)

# Multiple roots
idapro_callgraph(roots=["sub_401000", "sub_402000"], max_depth=2)
```

### Data-flow tracing

```
# Backward: where does this value come from
idapro_trace_data_flow(addr="0x401050", direction="backward", max_depth=5)

# Forward: where does this value go
idapro_trace_data_flow(addr="0x401050", direction="forward", max_depth=5)
```

---

## Search

### String search (regex)

```
# Search for URLs
idapro_find_regex(pattern="https?://", limit=20)

# Search for file paths
idapro_find_regex(pattern="C:\\\\", limit=20)

# Search for error messages
idapro_find_regex(pattern="error|fail|invalid", limit=30)

# Search for key/password-related strings
idapro_find_regex(pattern="key|password|secret|token", limit=20)
```

### Disassembly text search

```
# Search the disassembly listing
idapro_search_text(pattern="call sub_")
idapro_search_text(pattern="xor eax, eax")
```

### Byte pattern search

```
# Exact bytes
idapro_find_bytes(patterns=["48 8B 05"], limit=10)

# With wildcards
idapro_find_bytes(patterns=["48 89 ?? 24 ??"], limit=10)

# Multiple patterns
idapro_find_bytes(patterns=["CC CC CC CC", "90 90 90 90"], limit=5)
```

### Advanced search

```
# Search for immediates
idapro_find(type="immediate", targets=["0xDEADBEEF"])

# Search for string references
idapro_find(type="string", targets=["password"])
```

---

## Memory and Data Reading

### Read raw bytes

```
idapro_get_bytes(addrs=[{"addr": "0x401000", "size": 64}])
```

### Read strings

```
idapro_get_string(addrs=["0x404000", "0x404100"])
```

#
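The startup flow in SKILL.md (run `start.ps1`, wait for `OK:72`, run `open.ps1`, read `OK:filename:session_id`) is easy to get wrong from an agent script: a missing or mismatched readiness line should stop the run before any `idapro_*` call is issued, and the session id has to be captured rather than eyeballed. The wrapper below is an added example, not code from the reverse-skill project; it assumes the output formats stated in SKILL.md, and the `scripts` directory default, the function names, and the dot-source guard are this example's own choices.

```powershell
# Added example, not code from the reverse-skill project. It wraps the
# start.ps1 / open.ps1 flow from SKILL.md and turns the printed "OK:..."
# signals into checked values an agent script can rely on.
# Assumptions not on the page: the $ScriptDir default, the function names,
# and that only the last "OK:" line of a script's output is significant.
Set-StrictMode -Version Latest

function Get-OkLine {
    # Return the last line of $Text that starts with "OK:", or $null.
    param([string]$Text)
    $lines = $Text -split "`r?`n" | Where-Object { $_.Trim() -match '^OK:' }
    if ($lines) { return ($lines | Select-Object -Last 1).Trim() }
    return $null
}

function Start-IdaServer {
    param([string]$ScriptDir = 'scripts', [int]$ExpectedTools = 72)
    # start.ps1 prints OK:72 once the HTTP server and its 72 tools are ready (per SKILL.md)
    $out = & powershell -File (Join-Path $ScriptDir 'start.ps1') 2>&1 | Out-String
    $ok = Get-OkLine $out
    if (-not $ok) { throw "start.ps1 did not report readiness (exit $LASTEXITCODE). Output:`n$out" }
    $count = [int]($ok -replace '^OK:', '')
    if ($count -ne $ExpectedTools) {
        # A mismatch usually means a stale or partially loaded server: stop before issuing tool calls.
        throw "Server reported $count tools, expected $ExpectedTools"
    }
    return $count
}

function Open-IdaTarget {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ScriptDir = 'scripts',
        [int]$TimeoutSeconds = 300,
        [switch]$NoAutoAnalysis
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Target not found: $Path" }
    # Same parameters SKILL.md passes to open.ps1; TimeoutSeconds matters for large or GUI binaries.
    $psArgs = @('-File', (Join-Path $ScriptDir 'open.ps1'), '-Path', $Path, '-TimeoutSeconds', $TimeoutSeconds)
    if ($NoAutoAnalysis) { $psArgs += '-NoAutoAnalysis' }
    $out = & powershell @psArgs 2>&1 | Out-String
    # open.ps1 prints OK:filename:session_id on success (per SKILL.md)
    $ok = Get-OkLine $out
    if (-not $ok) { throw "open.ps1 failed for $Path (exit $LASTEXITCODE). Output:`n$out" }
    # Split into at most three fields so a session_id containing ':' survives intact
    $parts = $ok -split ':', 3
    if ($parts.Count -ne 3 -or -not $parts[2]) { throw "Unexpected open.ps1 output: $ok" }
    return [pscustomobject]@{
        File         = $parts[1]
        SessionId    = $parts[2]
        AutoAnalysis = -not $NoAutoAnalysis.IsPresent
    }
}

# Usage (runs only when executed directly, not when dot-sourced): open a large
# driver with a long timeout and without auto-analysis, then bind the session id.
if ($MyInvocation.InvocationName -ne '.') {
    $tools = Start-IdaServer
    $session = Open-IdaTarget -Path 'C:\huge.sys' -TimeoutSeconds 600 -NoAutoAnalysis
    Write-Host "Ready with $tools tools; session $($session.SessionId) bound to $($session.File)"
    # Subsequent idapro_* calls (idapro_survey_binary, idapro_list_funcs, ...) use $session.SessionId.
}
```

The tool-count check is the part worth keeping even if you strip the rest: a server that answers with fewer than 72 tools is the usual symptom of a stale or partially initialised worker, and it is cheaper to fail here than to debug odd `idapro_*` errors later. Because the returned object carries `AutoAnalysis`, a later step can decide whether a `survey_binary` result is trustworthy or whether auto-analysis still needs to be triggered for the session.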