IDA Pro, Hex Rays Software

[Lexter]

Please, Log in or Register to view URLs content!

is one of the best and most popular reverse engineering software tools. It’s an interactive disassembler that has a built-in command language (

Please, Log in or Register to view URLs content!

) and supports a number of executable formats for various processors and operating systems. IDA Pro also has a great number of plugins that can extend the disassembler’s functionality even further.

The main advantage of IDA Pro is that it allows you to interactively change any element of the displayed data:

• Give names to functions, variables, data structures, etc.
• Change data representation (as numbers, strings in various encodings, data structures)
• Build diagrams and code flow graphs to simplify the understanding of disassembled code
• Use type information about function arguments and structure definitions from C++ so that arguments and variables are automatically named
• Automatically recognize and name standard library functions in assembler code
• And much more

Screenshot 1. IDA Pro interface
Aside from the disassembler itself, let’s also look closer at some IDA plugins.

Hex-Rays Decompiler​

This plugin can turn native processor code into a more readable, C-like version. The Hex-Rays Decompiler produces rather accurate C code comparable to that produced by a human reverse engineer. It correctly decompiles code produced by various C++ compilers, no matter the architecture. However, Hex-Rays Decompiler might have issues with processing complex assembler code, where the original code was specifically modified by adding the inline assembler or some manual optimization was made.

Lighthouse​

This plugin enables you to mark the execution path within the disassembler. As a result, you can understand which pieces of code are taking part in the execution and if they are involved in some algorithm or feature.

Basically, this plugin loads reports of code coverage tools into the IDA database and marks pieces of code depending on how many times they were executed. This makes it clear which part of the code is worth your attention while browsing the disassembly.

ClassInformer​

This plugin is intended to be used on binaries built by Visual Studio and searches for RTTI information stored in the data section of the executable file. RTTI information allows the plugin to find the class names and virtual methods of C++ classes and name them for the user. Also, ClassInformer can present you with a list of found classes.

BinDiff by zynamix​

This tool uses the IDA engine to compare binaries as assembler code instead of a stream of bytes. BinDiff can pinpoint differences in the code of two versions of the same program (down to changes in a specific function) as a list of instructions which were added, removed, or replaced. Changes can also be represented as code flow graphs.

IDA-Function-Tagger​

This plugin analyzes imported functions and functions that call them and then groups them by tags: cryptography-related, registry-related, network-related, etc. Such grouping makes it easier to find the part of the code responsible for specific operations.

ida-x86emu​

This plugin emulates the execution of disassembled code without the need to run the application under analysis in a debugger. Using this plugin, you can emulate the result of executing any piece of code without the risk of modifying something in the system. All you need to do is specify the start values of CPU registers. Then you can do a step-by-step execution.

 

[Xhing]

Great job! Can you make an advanced tutorial what means what and showing us these on crackme's or programs.

 

[hil3m]

thank you bro, it has been a successful and supported topic with pictures.

 

[ArronStone]

Good and helpful topic thx