IDA Pro Guide
Overview
IDA Pro is by far the industry standard tool for reverse engineering (and not just of malicious code). The commercial version includes support for a large number of processors, easy analysis of shellcode, and many other features.
Starting IDA Pro
To start IDA Pro, double-click the icon on your desktop. After accepting the user agreement, you will be presented with the quick start menu. If you want to open a file right away, click New. Otherwise click Go to get to an empty IDA Pro screen.

Opening a File
To open a file in IDA Pro, click File > Open and navigate to the file you want to open. Once you do this, you'll be presented with a dialog of loading options. A description of these options can be found online and is beyond the scope of this course. For now just go with the defaults by clicking Ok.
The Main IDA Display
The IDA Pro display is broken up into several areas. The window on the left lists the functions IDA found, and you can jump to any one of them by double-clicking it.

The windows on the right show different views, depending on the tab you click. By default the disassembly view (IDA View) is shown. To display the imported functions, click on the Imports tab.
Jumping to an Address
To jump (go) to an address in IDA Pro, press the G key. In the pop-up, enter the address and click Ok.

Going Back
To go back to a previous address in IDA press the Esc key.
Renaming
To rename something, left-click on it and press N.
The pop up will ask you for a new name, and will give you several options. The more commonly used ones are:
- An input box to rename the address
- A checkbox if this name is local only to a given function
- A checkbox if the name should be included in the global names list
- A checkbox to automatically append a suffix if the name already exists
Once you've entered the new name (and selected any options) click Ok.

When you want to rename a variable, the pop-up doesn't have any options. Just enter the new name for the variable and click Ok.
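The same three actions (the G jump dialog, the N rename dialog with its checkboxes, and the Imports tab) can be driven from IDA's built-in Python scripting. The script below is an added example, not part of this guide or of IDA's own documentation; it assumes IDA 7.x IDAPython with the ida_kernwin, ida_name and ida_nalt modules, that the jump helper treats bare digits as hexadecimal (IDA's dialog also accepts symbol names and expressions, which this helper does not), and that the SN_* fallback values match IDA's name.hpp (they are only used when the script runs outside IDA).

```python
"""IDAPython helpers mirroring the GUI actions: G (jump), N (rename), Imports tab."""
try:
    import ida_kernwin
    import ida_name
    import ida_nalt
    IN_IDA = True
except ImportError:  # running outside IDA, e.g. when unit testing the pure helpers
    IN_IDA = False

# Flag values as defined in IDA's name.hpp (assumed); used only when ida_name is unavailable.
SN_NOLIST = ida_name.SN_NOLIST if IN_IDA else 0x80   # do not add the name to the Names list
SN_LOCAL = ida_name.SN_LOCAL if IN_IDA else 0x200    # name is local to the containing function
SN_FORCE = ida_name.SN_FORCE if IN_IDA else 0x800    # append a numeric suffix if the name exists


def parse_address(text):
    """Parse the text typed into the 'Jump to address' box (G key).

    Bare digits are treated as hexadecimal and a 0x prefix is also accepted.
    Raises ValueError on anything that is not a hex number.
    """
    s = text.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    if not s or any(c not in "0123456789abcdef" for c in s):
        raise ValueError("not a hexadecimal address: %r" % text)
    return int(s, 16)


def name_flags(local=False, in_names_list=True, auto_suffix=False):
    """Translate the three rename-dialog checkboxes into ida_name.set_name() flags."""
    flags = 0
    if local:
        flags |= SN_LOCAL
    if not in_names_list:
        flags |= SN_NOLIST
    if auto_suffix:
        flags |= SN_FORCE
    return flags


def jump_to(text):
    """Equivalent of pressing G and typing an address; returns True on success."""
    return ida_kernwin.jumpto(parse_address(text))


def rename(ea, new_name, local=False, in_names_list=True, auto_suffix=False):
    """Equivalent of pressing N on an address and filling in the dialog."""
    return ida_name.set_name(ea, new_name, name_flags(local, in_names_list, auto_suffix))


def list_imports():
    """Collect what the Imports tab shows as (module, address, name, ordinal) tuples."""
    found = []
    for i in range(ida_nalt.get_import_module_qty()):
        module = ida_nalt.get_import_module_name(i)

        def visitor(ea, name, ordinal, module=module):
            found.append((module, ea, name, ordinal))
            return True  # keep enumerating this module's imports

        ida_nalt.enum_import_names(i, visitor)
    return found


if __name__ == "__main__" and IN_IDA:
    # Run via File > Script file inside IDA: print the Imports tab contents.
    for module, ea, name, ordinal in list_imports():
        print("%s!%s @ %#x" % (module, name or ("ordinal %d" % ordinal), ea))
```

Run it from File > Script file inside IDA to dump the imports; outside IDA only the pure helpers (parse_address, name_flags) work, which is enough to unit test the checkbox-to-flag mapping before using it on a real database.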

Saving Your Work
IDA Pro stores its work in an IDA Pro database file, ending in .idb or .i64.
To save your work click File > Save (or File > Save as) or press Ctrl+W.
Database Files
Once IDA Pro has analyzed a file, all it needs is the database file (unless you want to run the program through a debugger). While usually not done in practice, you can delete the original executable if you'd like.
Closing a Database
When you exit IDA, open a new file, or close the database, you will be prompted on what to do.

By default IDA Pro will save and compress the database. If you don't want to save the file, tick the DON'T SAVE the database checkbox at the bottom. Once you've selected what you want, click Ok.