IDA Pro is a programmable, interactive, multi-processor disassembler combined with a local and remote debugger and augmented by a complete plugin programming environment.
IDA Pro is in many ways unique. Its interactivity allows you to improve disassemblies in real time. Its multi-processor support is unmatched. Yet, two of our technologies are truly unique, have never been implemented under any form in any real-life disassemblers and, more importantly, are incredible time savers.
IDA Pro is a disassembler.
As a disassembler, IDA Pro explores binary programs, for which source code isn't always available, to create maps of their execution. The real interest of a disassembler is that it shows the instructions that are actually executed by the processor in a symbolic representation called assembly language. If the friendly screen saver you have just installed is spying on your e-banking session or logging your e-mails, a disassembler can reveal it. However, assembly language is hard to make sense of.
That's why advanced techniques have been implemented in IDA Pro to make that code more readable, in some cases quite close to the original source code that produced the binary program. The map of the program's code can then be postprocessed for further investigations. Some people have used it as the root of a genomic classification of viruses (digital genome mapping, advanced malware analysis).
IDA Pro is a debugger.
But, in real life, things aren't always simple. Hostile code usually does not cooperate with the analyst. Viruses, worms and trojans are often armoured and obfuscated. More powerful tools are required.
The debugger in IDA Pro complements the static analysis capabilities of the disassembler: by allowing the analyst to single-step through the code being investigated, the debugger often bypasses the obfuscation and helps obtain data that the more powerful static disassembler will be able to process in depth. IDA Pro can be used as a local and as a remote debugger on the 80x86 (typically Windows/Linux) and the ARM platform (typically Windows CE PDAs). Remote debuggers are very useful when one wants to safely dissect potentially harmful programs.
IDA Pro is interactive.
Because no computer can currently beat the human brain when it comes to exploring the unknown, IDA Pro is fully interactive. In sharp contrast with its predecessors, IDA always allows the human analyst to override its decisions or to provide hints. Interactivity culminates in a built-in programming language and an open plugin architecture.
IDA Pro is programmable.
IDA Pro contains a complete development environment that consists of a very powerful macro-like language that can be used to automate simple to medium-complexity tasks. For more advanced tasks, our open plugin architecture puts no limits on what external developers can do to enhance IDA Pro's functionality. One could, for example, extend IDA Pro with an MP3 player and make malware sing. However, we suspect our governmental customers are involved in more serious projects.
Here are some key features of "IDA Pro":
· disassembler modules for a large number of processors. Our free SDK even allows you to roll your own custom disassembler.
· full interactivity and extendability:
  · direct, through keyboard interaction
  · through an internal programming language
  · through external plugins (unlimited power: our debuggers are plugins)
· as close as possible to the high-level source code
· FLIRT technology (Fast Library Identification and Recognition Technology)
· type system and parameter tracking and identification
· code graphing
Limitations:
· it only supports the 80x86 and ARM families; IDA Pro supports a large number of other processors.
· it will only load files in the PE/ELF/Mach-O formats. The full version of IDA Pro will accept virtually any file, from Atmel ROMs to iPhone executables. See our disassembly gallery for information about the additional processors, operating systems and file formats we support.
· the only compiler signatures included are the ones that can be used to produce Windows 32 PE files; the only type information included is for Visual C++ 6 and Borland C++ Builder.
· The MS Windows version contains a demo version of the ARM/Windows CE debugger.
· The MS Windows version contains a demo version of the Bochs debugger. Please note that the full version supports the Bochs debugger on all platforms (see the debugger tutorial).
· you will not be able to save your work; it will time out after some use; it will not disassemble itself.
What's New in This Release:
· 6812: support an alternative memory layout for paged segments, which allows the use of short offsets inside the segment
· ARM: added a switch pattern that uses BX to jump to case labels
· ARM: display the optional operand of the MRC/MCR instructions, as preferred by the ARM documentation
· ARM: support another variation of GCC Thumb-2 switches
· PPC: added SPE (Signal Processing Engine) instructions, including floating-point and vector FP
· PPC: trace stack pointer for 64-bit code
· SuperH: added SH-4a instructions
· SuperH: display immediates loaded from literal pool in the instruction itself
· SuperH: trace stack pointer and create stack variables
· TMS320C54x: added register definitions for TI Calypso chipset (thanks to Sylvain Munaut)
· TMS320C54x: better handling of multi-section files (thanks to Sylvain Munaut)
FILE FORMATS:
· Added loader for HP-UX core files (non-ELF), provided by Avi Cohen Stuart
· ELF: added support for more IA64 relocations
· LE: added support for bound DOS/4G executables
KERNEL:
· kernel: improved database loading and saving times (new crc32 algorithm)
· Configurable plugins can specify which platform they can operate on in plugins.cfg
· demangler: demangle GCC local names (_ZLxxx)
· FLIRT: added parser for Mach-O object files (pmacho)
· 'volatile' keyword is automatically removed from function return types
IDC & SDK:
· IDAPython: added auto completion support
· IDC: added ItemHead()
· IDC: added Exec() to execute IDC statement(s)
· SDK: added idb events for segment name/class modifications
· SDK: get_many_bytes_ex() to retrieve bytes and information about initialized and uninitialized bytes from the database
USER INTERFACE:
· it is now possible to jump to a structure cross-reference (default hotkey: Ctrl-X in the structures window)
· Added "Save to file" to save the trace window contents
· added a checkbox for sparse segments to the 'create segment' dialog box
· multiple segments can be selected and moved using the segments window
DEBUGGER:
· debugger: added support for virtual modules (user-defined modules can be added from api)
· debugger: non-integer register values can be displayed as hints
BUGFIXES:
· BUGFIX: 'analyze module' was failing on modules with unknown size; now it tries to estimate it
· BUGFIX: -B switch fails to generate ASM files if idb path contains the '.' character
· BUGFIX: a structure with pointers to functions with non-empty argument names was incorrectly converted to a local type
· BUGFIX: adding a segment could erroneously delete a selector (if the start address of the new segment was equal to the start address of an existing segment and the selector was used only by that segment and the selector of the new segment was equal to the selector of the existing segment)
· BUGFIX: after attaching to a linux process the names of the main process module were not available
· BUGFIX: arm relative-mode elf files were loaded incorrectly (thumb was not used when required)
· BUGFIX: ARM: LDMFD SP (no writeback) was incorrectly decoded as POP in Thumb-2 mode
· BUGFIX: binary search could return a result outside of the search region
· BUGFIX: Bochs could crash in some cases when setting a bp at data locations
· BUGFIX: bochs direct commands were not working under linux
· BUGFIX: calc_bare_name() could not handle gcc mangled names with '.' prefix
· BUGFIX: command line arguments with backslashes were parsed incorrectly under MS Windows: backslashes were escaped even without quotes
· BUGFIX: dummy_name_ea() was failing for dword_xxx dummy names
· BUGFIX: GDB debugger: resolved incompatibility with VMWare 7.x GDB stub
· BUGFIX: global IDC variables of object type would crash IDA if they were present at exit time; now we get rid of them when we close the database
· BUGFIX: GUI: chooser window may be improperly resized if moved from a low resolution screen to a higher resolution screen
· BUGFIX: IDA could crash if an unsuccessful search backwards was done while the debugger was active
· BUGFIX: IDA could crash when trying to display custom data items bigger than 16 bytes in size on big-endian processors
· BUGFIX: IDA could endlessly loop on some x86 files
· BUGFIX: if a search was performed within a selected text, the screen was not redrawn correctly
· BUGFIX: if full stack analysis was turned off and a pdb file was loaded at the idb creation time, the decompiler would interr
· BUGFIX: it was not possible to create 64-bit segments from UI for PowerPC
· BUGFIX: kernel: user-defined offsets with non-zero bases were not adjusted properly during rebasing
· BUGFIX: linux debugger was processing 'detach from process' command not quite correctly
· BUGFIX: MIPS: basic block boundaries were determined incorrectly for MIPS16 code (MIPS16 branches do not have a delay slot)
· BUGFIX: modal recent script box would crash if no script was selected
· BUGFIX: moving the vertical scrollbar thumb in the disassembly listing was not handled correctly for 64-bit programs
· BUGFIX: MS DOS: rebasing EXE files was not properly adjusting relocations
· BUGFIX: PE loader: a bad load config directory can cause an infinite loop
· BUGFIX: qvector's insert/erase methods were moving vector elements incorrectly
· BUGFIX: replacing a type that comes from a til file might lead to a crash (if there were no defined local types yet)
· BUGFIX: script processor module could crash if 'codestart' and 'retcodes' fields were used under Linux/MAC
· BUGFIX: the 'switch debugger' command was available only when a disassembly window had focus
· BUGFIX: the disassembly text that was copied to the clipboard could contain odd characters at the beginning in some cases
· BUGFIX: the help subsystem of the text version was using memory allocation functions incorrectly
· BUGFIX: UI: indexes printed for array of structures were incorrect
· BUGFIX: UI: it was not possible to set the type of a structure member ('Y' key) if the cursor was on an undefined area in the disassembly view.
· BUGFIX: Windbg plugin now forbids starting a process in non-invasive mode. Only non-invasive attach is supported.