Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/mrexodia/ida-pro-mcp/llms.txt

Use this file to discover all available pages before exploring further.

The analysis tools are the core of AI-assisted reverse engineering. They give you decompiled pseudocode, annotated disassembly, cross-reference graphs, call hierarchies, and basic-block control flow — individually or in bulk. All tools that accept multiple addresses take either a comma-separated string or a JSON array.

decompile

Decompiles a single function using Hex-Rays and returns pseudocode with optional per-line address markers. When Hex-Rays is unavailable or the function cannot be decompiled, the error field is set and code is null.
addr
string
required
Function address (hex) or name (e.g. "main", "0x401000").
include_addresses
boolean
default:"true"
Append /*0xNNNN*/ address markers to each pseudocode line. Set to false to reduce token usage.
Returns: DecompileResult
addr
string
required
The input address/name as provided.
code
string | null
required
Decompiled pseudocode, or null on failure.
refs
array
Named references (globals, strings, functions) found in the pseudocode ctree. Each entry has addr, name, and optionally string.
error
string
Present when decompilation fails.
result = mcp.call_tool("decompile", {"addr": "main"})
if result["code"]:
    print(result["code"])
else:
    print("Failed:", result["error"])
Run server_warmup with init_hexrays=True before calling decompile to avoid transient initialisation failures.

disasm

Disassembles a function or a raw address range and returns structured output including arguments, return type, stack frame variables, and per-instruction labels, comments, and references. Supports offset/count pagination for very large functions.
addr
string
required
Function address or name to disassemble.
max_instructions
integer
default:"5000"
Maximum number of instructions to return per call. Hard-capped at 50 000.
offset
integer
default:"0"
Skip the first N instructions (for pagination).
include_total
boolean
default:"false"
Compute the total instruction count for the function (adds latency for large functions).
Returns: DisasmResult
addr
string
required
Input address as provided.
asm
object | null
required
A DisassemblyFunction record (see below), or null on error.
instruction_count
integer
required
Number of instructions returned in this page.
total_instructions
integer | null
Total instruction count if include_total was true.
cursor
object
required
Pagination cursor: {"next": N} when more instructions remain, {"done": true} at the end.
error
string
Present when disassembly fails.
DisassemblyFunction fields:
name
string
required
Function name.
start_ea
string
required
Start address in hex.
segment
string
Segment name.
return_type
string
Return type string from type information.
arguments
array
List of {name, type} argument records.
stack_frame
array
List of {name, offset, size, type} stack frame variables.
lines
array
required
Instruction lines, each with addr, instruction, and optional label, comments, and refs.
result = mcp.call_tool("disasm", {"addr": "0x401000"})
asm = result["asm"]
print(asm["name"], asm["return_type"])
for line in asm["lines"]:
    print(line["addr"], line["instruction"])

xrefs_to

Returns all cross-references pointing to one or more addresses or named symbols. Results are capped per target; when the cap is reached more is set to true.
addrs
string | list[string]
required
Addresses or names to look up (e.g. "0x11a9", "check_pw", ["main", "0x401000"]).
limit
integer
default:"100"
Maximum cross-references per address. Hard-capped at 1 000.
Returns: list[XrefsToResult]
addr
string
required
Input address/name.
xrefs
array | null
required
List of Xref records: {addr, type, fn}. type is "code" or "data". fn is the enclosing Function or null.
more
boolean
true when more cross-references exist beyond the limit.
error
string
Present on failure.
results = mcp.call_tool("xrefs_to", {"addrs": ["check_password", "0x401000"]})
for r in results:
    for xref in r["xrefs"] or []:
        print(f"{xref['type']} ref from {xref['addr']}")
    if r.get("more"):
        print("(truncated)")

xref_query

Structured cross-reference queries with direction, type, deduplication, sorting, and pagination. More capable than xrefs_to when you need to filter or page through large xref sets.
queries
XrefQuery | list[XrefQuery]
required
One or more query objects.
Returns: list[XrefQueryResult] — each result has target, resolved_addr, direction, xref_type, data (list of XrefQueryRow), next_offset, total, and optional error. 
results = mcp.call_tool("xref_query", {
    "queries": [{"addr": "main", "direction": "from", "xref_type": "code"}]
})
for row in results[0]["data"]:
    print(row["to"], row["type"])

xrefs_to_field

Returns cross-references to a specific field within a named structure. Useful for finding all code that accesses a particular struct member.
queries
StructFieldQuery | list[StructFieldQuery]
required
One or more {struct, field} query objects.
Returns: list[StructFieldXrefsResult] — each result has struct, field, xrefs (list of Xref), and optional error. 
results = mcp.call_tool("xrefs_to_field", {
    "queries": [{"struct": "FILE", "field": "_ptr"}]
})
for xref in results[0]["xrefs"]:
    print(xref["addr"], xref["type"])

callees

Returns the unique set of functions called by one or more functions. Each result is capped by limit; more is set when additional callees exist.
addrs
string | list[string]
required
Function addresses or names (e.g. "main", ["0x1234", "sub_5678"]).
limit
integer
default:"200"
Maximum callees per function. Hard-capped at 500.
Returns: list[CalleesResult]
addr
string
required
Input address.
callees
array | null
required
List of {addr, name, type} records. type is "internal" or "external".
more
boolean
true when results were capped.
error
string
Present on failure.
results = mcp.call_tool("callees", {"addrs": "main"})
for callee in results[0]["callees"] or []:
    print(callee["name"], callee["type"])

basic_blocks

Returns the control-flow graph (CFG) basic blocks for one or more functions, including successor and predecessor addresses for each block.
addrs
string | list[string]
required
Function addresses or names.
max_blocks
integer
default:"1000"
Maximum blocks per function per page. Hard-capped at 10 000.
offset
integer
default:"0"
Pagination offset (blocks to skip).
Returns: list[BasicBlocksResult]
addr
string
required
Input address.
blocks
array
required
List of BasicBlock records: {start, end, size, type, successors, predecessors}.
count
integer
required
Number of blocks returned.
total_blocks
integer
required
Total blocks in the function.
cursor
object
required
{"next": N} when more blocks remain, {"done": true} at the end.
error
string
Present on failure.
results = mcp.call_tool("basic_blocks", {"addrs": "main"})
r = results[0]
print(f"{r['total_blocks']} blocks total")
for bb in r["blocks"]:
    print(f"  {bb['start']}{bb['end']}: succs={bb['successors']}")

callgraph

Builds a bounded call graph starting from one or more root functions. The graph is returned as a flat node+edge list; traversal stops when any configured limit is reached.
roots
string | list[string]
required
Root function addresses to start traversal from.
max_depth
integer
default:"5"
Maximum call depth from each root.
max_nodes
integer
default:"1000"
Maximum total nodes. Hard-capped at 100 000.
max_edges
integer
default:"5000"
Maximum total edges. Hard-capped at 200 000.
max_edges_per_func
integer
default:"200"
Maximum edges emitted from any single function. Hard-capped at 5 000.
Returns: list[CallGraphResult]
root
string
required
The root address as provided.
nodes
array
required
List of {addr, name, depth} node records.
edges
array
required
List of {from, to, type} edge records. type is always "call".
max_depth
integer
required
The effective depth limit used.
truncated
boolean
required
true when a node, edge, or per-function limit was hit.
limit_reason
string | null
"nodes", "edges", or null when truncated.
result = mcp.call_tool("callgraph", {"roots": "main", "max_depth": 3})[0]
print(f"{len(result['nodes'])} nodes, {len(result['edges'])} edges")
for edge in result["edges"]:
    print(edge["from"], "->", edge["to"])
For large programs, set max_depth to 2–3 and increase it only when you need deeper coverage. Use max_edges_per_func to tame highly connected dispatch functions.

analyze_function

Compact single-function analysis: pseudocode, strings, constants, callers, callees, cross-references, and basic-block summary — all in one call.
addr
string
required
Function address or name.
include_asm
boolean
default:"false"
Include full disassembly text. Omit when you only need the pseudocode to save tokens.
Returns: AnalyzeFunctionResult — a single dict with addr, name, prototype, size, decompiled, assembly, strings, constants, callees, callers, xrefs, comments, basic_blocks, and error. 
result = mcp.call_tool("analyze_function", {"addr": "main"})
print(result["prototype"])
print(result["decompiled"])
print("Strings:", result["strings"])

analyze_batch

Comprehensive per-function analysis with individually selectable sections. Each query in the batch can enable or disable decompilation, disassembly, cross-references, callers, callees, strings, constants, and basic blocks independently.
queries
AnalyzeBatchQuery | list[AnalyzeBatchQuery]
required
One or more analysis requests.
Returns: list[AnalyzeBatchResult] — each result has target, addr, name, analysis (an AnalyzeBatchDetails object), and optional error. 
results = mcp.call_tool("analyze_batch", {
    "queries": [
        {"addr": "main", "include_decompile": True, "include_disasm": False},
        {"addr": "sub_401234", "include_decompile": False, "include_disasm": True},
    ]
})
for r in results:
    if r["error"]:
        print(r["target"], "ERROR:", r["error"])
    else:
        print(r["name"], r["analysis"]["prototype"])

func_profile

Lightweight function profiling that returns summary metrics — instruction count, basic block count, caller/callee counts, string/constant counts — without performing decompilation. Supports batch queries and pagination across the entire function database.
queries
FuncProfileQuery | list[FuncProfileQuery]
required
One or more profiling queries.
Returns: list[FuncProfileResult] — each result has target, data (list of FuncProfileItem), next_offset, and optional error. 
# Top 10 most complex functions by instruction count
results = mcp.call_tool("func_profile", {
    "queries": [{"sort_by": "size", "descending": True, "count": 10}]
})
for fn in results[0]["data"]:
    print(fn["name"], fn["instruction_count"], fn["basic_block_count"])

export_funcs

Exports one or more functions in a structured format suitable for further processing or documentation.
addrs
string | list[string]
required
Function addresses or names to export.
format
string
default:"json"
Export format:
  • "json" — full record with address, name, prototype, size, assembly, pseudocode, comments, and cross-references.
  • "c_header" — a C header file string with all function prototypes.
  • "prototypes" — a list of {name, prototype} pairs.
Returns: Depends on format:
  • json{format: "json", functions: [...]} where each function has addr, name, prototype, size, comments, asm, code, xrefs.
  • c_header{format: "c_header", content: "// Auto-generated...\nfunc1(...);\n..."}.
  • prototypes{format: "prototypes", functions: [{name, prototype}, ...]}.
# Export a C header for all public functions
header = mcp.call_tool("export_funcs", {
    "addrs": ["main", "sub_401234", "parse_input"],
    "format": "c_header",
})
print(header["content"])

Build docs developers (and LLMs) love

Get started for freeTalk to us