Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/mrexodia/ida-pro-mcp/llms.txt

Use this file to discover all available pages before exploring further.

The debugger tools let you start and control a live process, inspect CPU registers and memory, set breakpoints, and capture call stacks — all without leaving your MCP client. Because these operations interact with a running process and can modify state in irreversible ways, they are an extension that is hidden from the MCP tool list by default.
Debugger tools are marked unsafe and are excluded from the default tool list. They can terminate processes, overwrite live memory, and cause irreversible side effects. Use them deliberately and avoid automating sequences of writes or control-flow changes without explicit user confirmation.

Enabling the debugger extension

Add the ext=dbg query parameter to the MCP endpoint URL before connecting your client: 
http://127.0.0.1:13337/mcp?ext=dbg
Once connected, all dbg_* tools and py_eval appear in the tool list alongside the standard IDA tools.

Control tools

These tools manage the debugger lifecycle. The process must be suspended before you can inspect registers or memory; use dbg_continue or the step tools to advance execution.

dbg_start

Start a debugger session for the current target. IDA must already have a debugger selected (Debugger → Select debugger) and a target configured (executable path, arguments, remote host, etc.). 
dbg_start() → DebugControlResult
If the call fails, stop and ask the user to configure the debugger and dismiss any pending IDA dialogs (for example, “matching executable names”) before retrying. Do not retry in a tight loop.
started
boolean
Present and true when the debugger started successfully.
running
boolean
Present when the process is executing.
suspended
boolean
Present when the process is suspended and registers are readable.
ip
string
Instruction pointer as a hex string, available when suspended.
state
string
One of not_running, running, or suspended.

dbg_status

Return the current debugger lifecycle state without changing it. 
dbg_status() → DebugControlResult

dbg_exit

Terminate the active debugger session. 
dbg_exit() → DebugControlResult
Returns { exited: true, state: "not_running" } on success.

dbg_continue

Resume execution from a suspended state. 
dbg_continue() → DebugControlResult
Requires the process to be suspended. Returns { continued: true, state: "running" } on success.

dbg_run_to

Run until the process reaches a specific address, then suspend.
addr
string
required
Target address as a hex or decimal string (e.g., "0x401000" or "main").
dbg_run_to(addr) → DebugControlResult

dbg_step_into

Execute one instruction, stepping into any call. 
dbg_step_into() → DebugControlResult

dbg_step_over

Execute one instruction, stepping over any call. 
dbg_step_over() → DebugControlResult

Breakpoint tools

dbg_bps

List all current breakpoints with their address, enabled status, condition expression, and condition language. 
dbg_bps() → list[Breakpoint]
addr
string
Breakpoint address as a hex string.
enabled
boolean
Whether the breakpoint is currently active.
condition
string | null
Conditional expression, or null for unconditional breakpoints.
language
string | null
Condition language ("IDC", "Python", or null).

dbg_add_bp

Add software breakpoints at one or more addresses.
addrs
string | string[]
required
One address or a list of addresses (hex or decimal).
dbg_add_bp(addrs) → list[BreakpointResult]
Each result contains addr and either ok: true or an error string.

dbg_delete_bp

Delete breakpoints at one or more addresses.
addrs
string | string[]
required
One address or a list of addresses to remove.
dbg_delete_bp(addrs) → list[BreakpointResult]

dbg_toggle_bp

Enable or disable existing breakpoints in batch.
items
BreakpointOp | BreakpointOp[]
required
One or more objects with addr (string) and enabled (boolean).
# Example: disable a breakpoint at 0x401000
dbg_toggle_bp([{"addr": "0x401000", "enabled": False}])

Register tools

All register tools require the process to be suspended. Integer register values are returned as hex strings; floating-point and vector values are returned as hex byte strings.

dbg_regs

Return the full register set for the current thread. 
dbg_regs() → ThreadRegisters
thread_id
number
Thread ID.
registers
RegisterValue[]

dbg_regs_all

Return full register sets for all threads. 
dbg_regs_all() → list[ThreadRegisters]

dbg_regs_remote

Return full register sets for specific thread IDs.
tids
number | number[]
required
One thread ID or a list of thread IDs.
dbg_regs_remote(tids) → list[ThreadRegistersResult]

dbg_gpregs

Return only the general-purpose registers (RAX/EAX, RBX/EBX, RCX/ECX, RDX/EDX, RSI/ESI, RDI/EDI, RBP/EBP, RSP/ESP, RIP/EIP, R8–R15) for the current thread. 
dbg_gpregs() → ThreadRegisters

dbg_gpregs_remote

Return general-purpose registers for specific thread IDs.
tids
number | number[]
required
One thread ID or a list of thread IDs.
dbg_gpregs_remote(tids) → list[ThreadRegistersResult]

dbg_regs_named

Return only the named registers for the current thread.
register_names
string
required
Comma-separated register names, e.g. "RAX, RBX, RIP".
dbg_regs_named(register_names) → ThreadRegisters

dbg_regs_named_remote

Return specific named registers for a given thread ID.
thread_id
number
required
Target thread ID.
register_names
string
required
Comma-separated register names, e.g. "RAX, RSP, RIP".
dbg_regs_named_remote(thread_id, register_names) → ThreadRegisters

Stack and memory tools

dbg_stacktrace

Return the current call stack with module and symbol information. 
dbg_stacktrace() → list[StackFrameInfo]
addr
string
Frame return address as a hex string.
module
string
Module filename containing the address, or "<unknown>".
symbol
string
Nearest symbol name, or "<unnamed>".

dbg_read

Read raw bytes from one or more regions of debuggee memory. The process does not need to be suspended; memory can be read while running.
regions
MemoryRead | MemoryRead[]
required
One or more objects with addr (string) and size (number) fields.
dbg_read([{"addr": "0x7ff800001000", "size": 64}])
addr
string | null
Address that was read.
size
number
Number of bytes successfully read.
data
string | null
Hex-encoded bytes, or null on failure.
error
string | null
Error message if the read failed, otherwise null.

dbg_write

Write bytes to one or more regions of debuggee memory.
regions
MemoryPatch | MemoryPatch[]
required
One or more objects with addr (string) and data (hex string) fields.
dbg_write([{"addr": "0x401234", "data": "9090"}])  # NOP two bytes
dbg_write modifies live process memory. Changes are not saved to the IDB and cannot be undone while the process is running.

Python execution

py_eval

Execute arbitrary Python code in the IDA context and return the result, stdout, and stderr. This tool is available whenever the server is running — it does not require the debugger extension, but it is classified as unsafe.
code
string
required
Python source code to execute.
py_eval(code) → PythonExecResult
The evaluation follows Jupyter-style semantics: if the last statement is an expression, its value is captured as result. All IDA SDK modules (idaapi, idc, idautils, ida_dbg, ida_hexrays, etc.) are pre-imported in the execution context.
result
string
String representation of the last expression, or the result variable if set explicitly.
stdout
string
Captured standard output from print() calls.
stderr
string
Captured standard error, including tracebacks on exception.
# Returns {"result": "0x401000", "stdout": "", "stderr": ""}
py_eval("hex(idaapi.get_imagebase())")
For large scripts that would be unwieldy as inline code, use py_exec_file(file_path) instead. It runs the entire file with a shared globals dict so top-level definitions are visible everywhere in the script.

Build docs developers (and LLMs) love

Get started for freeTalk to us