IDA Pro and IDA Free are industry-standard disassemblers for reverse engineering binaries across architectures. This guide covers navigation, analysis, IDAPython scripting, and debugging.
Installation
Windows
```shell
# Download IDA Pro from hex-rays.com or use the free version
# IDA Free from: https://hex-rays.com/ida-free/
# Extract and run ida.exe or ida64.exe
```
macOS
```shell
# Download the IDA Pro DMG from hex-rays.com
# Mount the DMG and copy IDA Pro to Applications
open IDA\ Pro\ v8.x.dmg
cp -r IDA\ Pro.app /Applications/
```
Linux
```shell
# Download the IDA Linux package
tar -xzf ida-8.x-linux.tar.gz
cd ida-8.x
./install.sh
```
Basic Navigation
Keyboard Shortcuts
| Shortcut | Action |
|---|---|
| G | Go to address |
| Ctrl+G | Go to file offset |
| Space | Cycle between disassembly/graph/hex view |
| T | Jump to function |
| F5 | Decompile (Pro only) |
| N | Rename symbol/variable |
| Y | Set/view data type |
| D | Convert data to defined type |
| C | Convert to code |
| X | Show cross-references to address |
| Ctrl+X | Show cross-references from address |
| ; | Add comment |
| : (colon) | Add repeatable comment |
| Q | Exit IDA |
Navigation Commands
```shell
# Using the command line
ida.exe -B binary_file               # Batch mode: analyse, save the database and exit (no GUI)
ida.exe -A binary_file               # Autonomous mode: analyse without showing interactive dialogs
ida.exe -S"script.py" binary_file    # Run an IDAPython script once the file is loaded
ida64.exe -pmetapc binary_file       # Specify the processor module (here "metapc" = x86/x64)
ida.exe -Telf binary_file            # Specify the input file type (loader)
ida.exe -t binary_file               # Load the file into a temporary database
```
Disassembly Analysis
Code Navigation
- Click on addresses to jump to them
- Follow cross-references with the X key
- View function graphs (Graph view)
- Trace imported/exported symbols
- View strings (View > Open Subviews > Strings)
Function Analysis
- Function names appear in the Functions window (View > Open Subviews > Functions)
- Create a function: place the cursor at its first instruction and press P
- View function boundaries (blue blocks in graph view)
- Analyze recursion and call chains
- Check the stack frame layout (F5 in Pro, or View > Function frame)
Setting Data Types
| Task | Method |
|---|---|
| Convert to bytes | Select data, press D |
| Convert to word | Select data, press W |
| Convert to dword | Select data, press D, then confirm |
| Define struct | Y key, select struct type |
| Create array | Y key, array type option |
| Set function signature | Edit > Function signature, or press Y in Pro |
IDAPython Scripting
Basic Script Examples
```python
# List all functions
import idautils, idc
for func_ea in idautils.Functions():
    func_name = idc.get_func_name(func_ea)
    func_size = idc.find_func_end(func_ea) - func_ea
    print(f"{hex(func_ea)}: {func_name} (size: {func_size})")
```

```python
# Rename all functions matching a pattern
import idautils, idc
for func_ea in idautils.Functions():
    func_name = idc.get_func_name(func_ea)
    if func_name.startswith("sub_"):
        new_name = f"func_{func_ea:x}"
        idc.set_name(func_ea, new_name)
```

```python
# Find all string references
import idautils
for s in idautils.Strings():            # s.ea is the address, str(s) the contents
    xrefs = list(idautils.XrefsTo(s.ea))
    print(f"String '{s}' at {hex(s.ea)}: {len(xrefs)} refs")
```

```python
# Patch bytes in the database (File > Patch program > Apply patches to input file writes them out)
import idc
idc.patch_byte(0x401000, 0x90)    # NOP (x86)
idc.patch_word(0x401000, 0x9090)  # Two NOPs

# Create a comment at an address (third argument 1 = repeatable comment, 0 = regular)
idc.set_cmt(0x401000, "Entry point", 1)
```

```python
# Get the instruction at an address
import idaapi, idc
addr = 0x401000
insn = idaapi.insn_t()
if idaapi.decode_insn(insn, addr):   # returns the instruction length, 0 on failure
    print(f"Instruction: {idc.print_insn_mnem(addr)} ({insn.size} bytes)")
```

```python
# Find all calls to a specific function
import idautils, idc
target = idc.get_name_ea_simple("malloc")
for caller_ea in idautils.CodeRefsTo(target, 0):   # flow=0 skips fall-through references
    print(f"Call from {hex(caller_ea)}")
```
Debugging Script
```python
import idaapi, idautils, idc

def analyze_function(func_name):
    """Analyze a function: print its location, size and the code it calls or jumps to"""
    func_ea = idc.get_name_ea_simple(func_name)
    if func_ea == idaapi.BADADDR:
        print(f"Function {func_name} not found")
        return
    func_end = idc.find_func_end(func_ea)
    print(f"Function: {func_name} at {hex(func_ea)}")
    print(f"Size: {func_end - func_ea} bytes")
    # List outgoing code references from every instruction in the function,
    # skipping fall-through (flow=0) and jumps that stay inside the function
    for ea in idautils.FuncItems(func_ea):
        for target in idautils.CodeRefsFrom(ea, 0):
            if not (func_ea <= target < func_end):
                print(f"  Call at {hex(ea)} -> {hex(target)} ({idc.get_name(target)})")

analyze_function("main")
```
Interactive Debugging
Setting Breakpoints
In IDA Pro debugger:
- Click on instruction, press F2 to set breakpoint
- View > Breakpoints window to manage
- Conditional breakpoints: right-click breakpoint, edit condition
Debugger Commands
| Action | Method |
|---|---|
| Start debugging | Debugger > Start process |
| Attach to process | Debugger > Attach to process |
| Step over | F10 |
| Step into | F11 |
| Continue | F9 |
| Stop debugging | Debugger > Terminate process |
| View registers | View > Open Subviews > Registers |
| View stack | View > Open Subviews > Stack |
| View memory | View > Open Subviews > Hex dump |
Analysis Features
Searching
| Search Type | Key |
|---|---|
| Search for bytes | Ctrl+H (hex patterns) |
| Search for text | Ctrl+F |
| Search for functions | Ctrl+P |
| Search for undefined code | Search > Dangerous bytes |
Code Patterns
Recognize common patterns:
- Stack canaries (GS)
- VTable references
- API imports and calls
- String references
- Constant pools
Cross-References
X key shows all references to current address:
- Code xrefs (calls, jumps)
- Data xrefs (memory read/write)
- Filter by type (code, data, read, write)
Program Segments
Viewing Segments
View > Open Subviews > Segments
Shows memory layout:
- .text (code)
- .data (initialized data)
- .bss (uninitialized data)
- Permissions (read, write, execute)
Segment Operations
- Click segment to jump there
- Right-click to edit segment properties
- Define new segments for remapped memory
- Set segment permissions for analysis
Dealing with Common Issues
Anti-Analysis Techniques
Packed binaries:
- Use external unpackers (upx -d, etc.)
- Or trace to OEP (Original Entry Point)
- Set up manual breakpoints and analyze
Obfuscated code:
- Look for string decoding routines
- Trace execution flow
- Use dynamic debugging
- Check cross-references
Virtualized code:
- Analyze virtual machine dispatcher
- Map VM instructions to native
- Use symbolic execution tools
Symbol Recovery
```shell
# Ways to recover symbols in an IDA database
# Load DWARF debug info (if present)
# Apply FLIRT signatures (File > Load file > FLIRT signature file; Shift+F5 opens the Signatures window)
# Import types from .h files (File > Load file > Parse C header file)
```
Advanced Workflows
Vulnerability Analysis
1. Identify dangerous functions:
- strcpy, sprintf, gets, scanf, etc
- Use Ctrl+F to find by name
- Check cross-references
2. Trace input flow:
- Start from entry (main)
- Follow argv processing
- Check if input reaches dangerous function
3. Check bounds checking:
- Look for length validation before copy
- Verify buffer size vs input size
- Check for integer overflows
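The IDAPython section and the three steps above combine naturally into a call-site triage script. The following is an added example, not code from the page or from Hex-Rays: `collect_from_ida()` walks every function with idautils and records call/jump targets (it only runs inside IDA), while `normalise()` and `triage()` are pure Python, so the ranking logic can be exercised offline on the constructed `SAMPLE` list. The dangerous-function table and the alias prefixes are assumptions chosen for illustration.

```python
"""Dangerous-function call-site triage for IDAPython (added example, not the page's code)."""
import collections

# Callees that warrant a manual bounds-check review, with the reason to look at them.
# Assumption: this table is illustrative, extend it for the target's libc/CRT.
DANGEROUS = {
    "strcpy": "no length bound", "strcat": "no length bound", "sprintf": "no length bound",
    "gets": "no length bound", "scanf": "unbounded %s conversions",
    "memcpy": "check length argument", "strncpy": "check length argument",
}

def normalise(name):
    """Map import/thunk aliases (__imp__strcpy, _strcpy, j_gets, memcpy_0) to the bare name."""
    for prefix in ("__imp__", "__imp_", "j_", "_"):   # assumed common prefixes, first match wins
        if name.startswith(prefix) and name[len(prefix):]:
            name = name[len(prefix):]
            break
    if name[-1:].isdigit() and "_" in name:           # strip IDA's duplicate suffix, e.g. memcpy_0
        name = name.rsplit("_", 1)[0]
    return name

def triage(callsites):
    """callsites: iterable of (caller_function_name, callee_name, callsite_ea).
    Returns {caller: [(bare_callee, ea, reason), ...]} containing dangerous callees only."""
    hits = collections.defaultdict(list)
    for caller, callee, ea in callsites:
        base = normalise(callee)
        if base in DANGEROUS:
            hits[caller].append((base, ea, DANGEROUS[base]))
    return dict(hits)

def collect_from_ida():
    """Record every non-flow code reference (call or tail jump) from every function.
    Runs only inside IDA; the IDAPython modules are imported lazily for that reason."""
    import idautils, idc
    callsites = []
    for func_ea in idautils.Functions():
        caller = idc.get_func_name(func_ea)
        for ea in idautils.FuncItems(func_ea):
            for target in idautils.CodeRefsFrom(ea, 0):   # flow=0 skips fall-through refs
                callsites.append((caller, idc.get_name(target), ea))
    return callsites

# Constructed sample standing in for collect_from_ida() output, so the logic runs offline.
SAMPLE = [("main", "strcpy", 0x401010), ("main", "__imp_sprintf", 0x401020),
          ("parse", "_strncpy", 0x402000), ("parse", "puts", 0x402010),
          ("helper", "j_gets", 0x403000), ("helper", "memcpy_0", 0x403010)]

if __name__ == "__main__":   # inside IDA: run the real collector and report per caller
    for caller, hits in triage(collect_from_ida()).items():
        for callee, ea, reason in hits:
            print(f"{caller}: {callee} at {hex(ea)} [{reason}]")
```

Each reported call site is a starting point for step 3: open it with G, walk the arguments backwards, and confirm whether a length check precedes the copy.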
Malware Analysis Workflow
1. Initial scan (Strings):
- Look for URLs, IP addresses, commands
- Check for encryption keys, certificates
- View > Strings (or Shift+F7)
2. Analyze imports:
- Identify suspicious APIs (CreateRemoteThread, etc.)
- View all imported DLLs
3. Find entry point:
- Follow main/_main or entry point
- Identify initialization code
4. Track C&C communication:
- Find socket/network functions
- Trace argument passing
- Extract URLs/IPs
5. Identify malicious behavior:
- File operations (registry, filesystem)
- Process injection/creation
- Network connections
Supported File Formats
IDA supports:
- PE (Windows executables)
- ELF (Linux, Unix, Android)
- Mach-O (macOS, iOS)
- WebAssembly (.wasm)
- COFF, OMF
- Custom loaders
Loading Custom Loaders
- Locate the loaders/ directory inside the IDA Pro installation
- Place custom .py loaders there
- IDA discovers them automatically
- Select the loader in the File > Load file dialog
Tips and Best Practices
- Use meaningful names for variables and functions (N key)
- Add comments to document complex logic (; key)
- Use structures and types (Y key) for clarity
- Save work frequently (Ctrl+S saves .idb database)
- Use graph view to understand control flow
- Export findings: File > Produce file > various formats
- Color-code related functions/data for organization
- Use filters in windows to reduce clutter
Resources
- Hex-Rays official documentation: https://hex-rays.com/
- IDA Python API docs (idapython.com)
- ReversingLabs tutorials
- RPISEC training materials
Last updated: 2026-03-30