The IDA Pro Book

An anonymous reader writes "After attending DEFCON in August and seeing the overwhelming interest in this book, I was eager to dive into The IDA Pro Book by Chris Eagle. Chris Eagle's team, School of Root, won the 'Capture the Flag' event at DEFCON this year and Chris gave a presentation on CollabREate, a tool that integrates with IDA Pro to allow collaboration in reverse engineering (RE). All of that — together with the fact that the book sold out — screamed that this book should quickly make it to the top of my list." This review originally appeared on The Ethical Hacker Network.
The IDA Pro Book
Author: Chris Eagle
Pages: 640
Publisher: No Starch Press
Rating: 9/10
Reviewer: Ryan Linn
ISBN: 1593271786
Summary: An information-packed guide to IDA
Once I had the book in hand, the cover alone offered some insight into what was to come. The quote on the front of the book is an endorsement from the creator of IDA Pro. The image on the front is a throwback to the Operation game by Milton Bradley, which reminds me of how I felt when I got started doing reverse engineering. I am not a professional reverse engineer or malware analyst; however, my coding background and my current position as a security professional at SAS afford me the opportunity to dabble. This puts me in the perfect middle ground of being able to understand the material as well as assess its ability to teach.

The IDA Pro Book is broken up into a number of different "Parts," each with several chapters and its own goal. Even if the content appears to be beyond your level of knowledge in a certain area, I highly recommend that you keep reading. It is also worth pointing out that the book is 640 pages, so it lends itself more to being a reference guide than a book read straight through from cover to cover.

I should also mention at this point that the book is about the 5.x tree of IDA Pro, not the freeware version. There is a demo that you can download from the IDA Pro website if you aren't able to purchase the full version right away. In addition, there is a reference at the back discussing how the freeware version differs from the commercial version, so as long as you are OK with those restrictions while you are learning, this book should still be very handy.

One of the most important sections of Chris' book is found in "Introduction to IDA." The author discusses disassembly and the challenges that go with it, the tools involved in reverse engineering and disassembly, and a general breakdown of how these tools approach the binaries they analyze. He also references other tools that are handy alongside IDA Pro and outlines how they fit into the reverse engineering process. Finally, IDA Pro licensing and installation are discussed, and the base information that you will need for the rest of your IDA Pro adventure is laid out.

Once the basics of RE have been covered, the author addresses the fundamentals of using IDA Pro. Unlike some other books, this book does a great job of letting you know where you should be looking when it lays out a block of assembly code, and the references are well laid out as well. "Part II: Basic IDA Usage" progresses logically and eases you into the interface. It does a great job of helping you figure out what all the new windows are doing and how to get to the information that IDA Pro is providing. The content moves from basic skills, such as finding the disassembly, to manipulating the disassembly to be more meaningful, and then to optimizing the disassembly process. It shows you how to navigate the code and how to incorporate other knowledge you have about the binary you are disassembling, such as which headers or libraries might have been used, in order to obtain the most useful disassembly possible.

"Part III: Advanced IDA Usage" gets deeper into using IDA Pro, including using Fast Library Identification and Recognition Technology (FLIRT) signatures and custom files in order to squeeze the most information possible out of a binary before analysis. You also get a glimpse into the pieces of the application that can be modified only through config files. It concludes by explaining the patching capabilities of IDA Pro and discussing what the limitations and expectations should be. This Part provides insight into creating your own signatures for custom libraries that might not be covered by the signatures shipped with IDA Pro, so, as you start working on real-life applications, you can tailor IDA Pro to recognize libraries that you frequently encounter.

After the basics of using the application have been covered, the author explains how to extend the capabilities of IDA Pro in Part IV. He discusses in depth the scripting engine and how to build plug-ins and modules. Throughout this Part, numerous examples are given of how scripting and plug-ins fit into the application. Short, detailed examples illustrate how to accomplish tasks that would be useful for a reverse engineer, such as listing out function information. The beginning of this Part was great. As a beginning reverse engineer, I was able to clearly see how this information would apply. For the material that was beyond my current knowledge level, it was easy to see that as my knowledge progresses I would be back to revisit it.

The fifth Part is full of goodies focusing on real-world applications of IDA Pro. It goes into the different types of binaries that you might encounter while doing reverse engineering, and into two large areas where IDA Pro is used: obfuscated code analysis and vulnerability analysis. After reading this Part, you should have some handy scripts and a series of applications and plug-ins to aid in your RE adventures. The author discusses a number of those plug-ins in depth, including ones that add Python and Ruby bindings. At the end of this Part, I hadn't learned an incredible amount more about IDA Pro itself; however, I definitely knew more about how to approach the problems I might encounter and how to extend IDA Pro's capabilities in order to tackle real-world tasks.

The final Part of the book is on the IDA Debugger. The debugging features of IDA Pro were an afterthought and aren't the primary focus of IDA Pro. Chris Eagle goes into what to expect from the debugger, how it's used, and finally how to integrate the information obtained from the debugger into the overall RE process. He concludes with a discussion of how to automate debugging tasks with scripts and plug-ins, and discusses some of the real-world problems that people might encounter, such as dealing with UPX packing that has been modified. This Part also goes into remote debugging, where the binary runs on one machine and is controlled from the IDA GUI on another. Knowing this is especially useful if you are doing analysis across multiple platforms, since the Windows GUI is the only non-console GUI among the IDA Pro supported platforms.

Chris Eagle's The IDA Pro Book provides a significantly better understanding not just of IDA Pro itself, but of the entire RE process. There are little gems scattered throughout the book that bring in real-life experience and knowledge that you don't always get from other books on the use of an application. Although it is impossible to absorb everything in this book in one pass due to its size, it helped greatly in overcoming some of the initial hurdles of understanding a highly technical topic. As I continue down my reverse engineering path, I'm confident that I will use this book repeatedly as a reference.

If you are interested in getting deep into the assembly and figuring out what applications are doing when you don't have the source, then I would highly recommend this book to get you started with IDA Pro; it won't turn you into a reverse engineering expert, but it certainly will provide you with a major tool that will help you along the way.

You can purchase The IDA Pro Book from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Comments:
  • Good book (Score:1, Informative)

    by Anonymous Coward
    But my binding did break after a week.
    • Re: (Score:3, Informative)

      This is not the first book about IDA Pro. However, this is the first book I recommend to anyone using IDA Pro because of the following points: * Comprehensive: it describes all major IDA features by starting at the beginning and going all the way to the end. Experienced users may be tempted to skip the first few chapters; resist this temptation and you will discover something new (I did :) * Accurate: it is very difficult to be detailed and precise when describing such a complex product. Chris does
    • by gnick ( 1211984 ) on Wednesday October 29, 2008 @12:59PM (#25557435) Homepage

      That was part of the design.

      Your binding didn't break - It was disassembled.

  • I can never get Tator Tots(tm) right.
  • by kwabbles ( 259554 ) on Wednesday October 29, 2008 @01:03PM (#25557479)

    Will this b00k teach me to cr4ck Call of Duty 4?

    • No. It will teach you how to reverse engineer stuff using the IDA Pro interactive disassembler.

      Cracking DRM/copy protection/etc., is an art and a skill that may involve using reverse engineering techniques, but definitely requires a certain unique perspective.

  • by MarkusQ ( 450076 ) on Wednesday October 29, 2008 @01:04PM (#25557505) Journal

    Since the review doesn't really make it clear, IDA is a disassembler [wikipedia.org]. It allows you to take an executable for which you don't have source and construct a (generally partial) representation of what a program that would have produced that executable would look like. It can't of course give you back the actual source code (comments, variable names, etc. being lost forever) but it gives you a much, much better idea of what's going on than a hex dump would.

    --MarkusQ

    • by whitehatnetizen ( 997645 ) on Wednesday October 29, 2008 @01:12PM (#25557637)
      Note that there is a distinction between disassembler and decompiler - you seem to be describing it as a decompiler, which it is not. It is similar in function to OllyDbg, although quite superior in its analysis of the file due to its in-built libraries etc. The graphical representation of the program flow is my favorite part - it saves a huge amount of time when reversing (for me anyway).
      • by MarkusQ ( 450076 ) on Wednesday October 29, 2008 @01:40PM (#25558057) Journal

        Note that there is a distinction between disassembler and decompiler - you seem to be describing it as a decompiler, which it is not.

        *laugh* I think what's really going on is that I bounce between levels so much that I don't really honor the distinction. Asm, HLA, LLL, HLA, scripting languages, TILs, SPILs, DSLs, it all kind of blurs together if you step away from it just a short distance. Not that I don't see such distinctions, just that I don't always see them in the traditional places. For instance, I see a much bigger divide between pairs like Haskell v. C or SQL v. Prolog than I do between C and Assembly.

        But yes, I see your point, for people who aren't comfortable reading Assembly and expect it to give them C++ or something the distinction would be important. Effectively, the choice of source language is one of the things that gets lost along with procedure names, module structure, and the like. You may be able to infer it but IDA isn't going to hand it to you and there is no certainty you'll be correct.

        --MarkusQ

      • Re: (Score:3, Informative)

        by AndrewHowe ( 60826 )

        I read and re-read MarkusQ's comment and he isn't describing IDA Pro as a decompiler at all, in fact he's explicitly saying "It can't of course give you back the actual source code".
        The decompiler is called Hex-Rays, it's built on top of IDA Pro and is available from the same guys at hex-rays.com. (Not advertising, just a long time happy IDA Pro customer).

      • Re: (Score:3, Informative)

        by camcorder ( 759720 )
        Better note that with the Hex-Rays plugin [hex-rays.com] decompiler functionality can be added to IDA Pro.
    • Re: (Score:3, Funny)

      by fm6 ( 162816 )

      Since the review doesn't really make it clear...

      Someday, Slashdot editors and contributors that the first thing you do when talking about something is make it clear what you're talking about. That will also be the day I go to skiing in Hell.

  • by cafn8ed ( 264155 )

    It sure would be nice if "IDA" were defined somewhere in the lead blurb. It would have been almost as nice if it were defined anywhere in the full review text. Wikipedia says IDA can stand for many things [wikipedia.org]. It's likely that the book is about the Interactive Disassembler [wikipedia.org], but I may be wrong.

    • Here it is:

      http://www.hex-rays.com/idapro/ [hex-rays.com]

    • It sure would be nice if "IDA" were defined somewhere in the lead blurb.

      And I suppose you don't have a collection of Star War/Trek toys either?? Or never played D&D - do you know what D&D is even?? Really, I don't know what brings you to slashdot. Please turn in your nerd card at the door as you leave. kthx.

      • by Jack9 ( 11421 )

        Never heard of IDA myself. Typing DnD, D&D, DandD, D and D...etc brings up Dungeons and Dragons. Typing IDA into Google doesn't come up with the disassembler. So we can determine that I have not been living under a rock, I've just been using Google. What a dolt?

        • since the review is titled "The IDA Pro Book," i typed "IDA Pro" into Wikipedia, and was immediately redirected to this page [wikipedia.org].

          yes, it would have been more convenient if they'd said that IDA was a disassembler in the summary, but Wikipedia gave me a much better description of the application than the summary could have. and it isn't exactly hard to look something up on Wikipedia (if you type in the correct name).

    • by McNally ( 105243 )

      It sure would be nice if "IDA" were defined somewhere in the lead blurb.

      But in a sense you must be the target market for this product. 'Cause here you are reverse-engineering the book review..

    • if you don't know what IDA Pro is, then move along. There is nothing for you to see here.

  • Original posting (Score:4, Informative)

    by whitehatnetizen ( 997645 ) on Wednesday October 29, 2008 @01:07PM (#25557555)
    Originally posted here: http://www.ethicalhacker.net/content/view/210/2/ [ethicalhacker.net]
  • Ida Red (Score:2, Insightful)

    by Urger ( 817972 )
    Lights in the parlor, fires in the grate,
    Clock on the mantle says it's a'gettin' late,
    Curtains on the window, snowy white,
    The parlor's pleasant on Sunday night.

    Chorus:
    Ida Red, Ida Red, I'm a plumb fool 'bout Ida Red,

    Lamp on the table, picture on the wall,
    There's a pretty sofa and that's not all,
    If I'm not mistaken and I'm sure I'm right,
    They's somebody else in the parlor tonight.

    Repeat chorus:

    Chicken in the bread pan peckin' out dough,
    Granny will-ya dog bite, no chile no,
    Hurr
  • This is nice educated review of the book. There are a lot of guide books out there that over complicate instruction and this appears to focus on both new and experienced users.
  • 640 pages (Score:4, Funny)

    by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Wednesday October 29, 2008 @01:19PM (#25557741) Homepage
    should be enough for anyone.
  • Excellent book (Score:4, Informative)

    by Peter Bortas ( 130 ) on Wednesday October 29, 2008 @01:21PM (#25557797)

    This is the only good book on IDA there is. There are several other books on RE that bring up IDA, but never dive into any interesting details. That includes the book "Reverse Engineering Code with IDA Pro" which does a passable job of introducing you to RE, but doesn't tell you much about IDA that you couldn't get from spending an evening with it just experimenting.

    So, to anyone interested in IDA: This is the book you should buy. Now. With express delivery.

    • Would you make the same recommendation to someone whose primary interest isn't x86 disassembly? IDA Pro supports disassembly of executables for a lot of other architectures.

      • Yes, I would make this recommendation _especially_ if you are interested in other things than x86. None of the other books goes into details on how to make processor modules.

        The examples in all parts of the book where assembler examples are used are x86, but in contrast to other RE books it doesn't try to teach you to disassemble x86. It shows how to use the tool in a general manner.

  • by Anonymous Coward

    Who has a crack for ida? The full version! Anyone got a pdf of the book yet? With TOC, index. All code in binary form. Come on! Chop! Chop! I'm waiting here!

  • I'm weaning myself off an addiction to esoteric info in compsci to deepen a few areas. This would be great to learn how things work, but what are you going to build with it? I'm not so keen on learning for its sake these days. What is the reader going to build? I think just taking the work of others and stealing it to sell it is a bit feeble. Is there a constructive use here beyond knowledge for knowledge's sake?
    • Start slow. Avoid reverse engineering code as your first task. Get yourself a hex editor and try to decipher a file format, say GIF, by making a series of files with slightly different properties and examining them for the differences in the hex editor. You should be able to find the header structure and width and height parameters easily, other parameters will be harder to find. When you are confident, try to make a GIF yourself from scratch in the hex editor. Congratulations, you have reverse-engineered a
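The differential approach the comment above describes (make near-identical files, see which bytes move, then write the parser), as an added example that is not part of the original thread or of the book: this Python 3 script constructs minimal GIF89a files that differ only in their logical screen size, diffs them to locate the width and height fields, and then parses those fields back out, including the packed flags byte that the comment counts among the harder parameters. The sample files are constructed inline from the fixed bytes of the well-known 1x1 transparent GIF; the function names are this example's own.

```python
"""Reverse-engineering a file format by differential analysis.

Added example for this thread, not from the book or the page: build a few
near-identical GIF files, diff them to see which bytes move with which
property, then write a parser for the fields you have identified.
"""
import struct

GIF_SIGNATURE = b"GIF89a"

# Fixed tail shared by every constructed sample (the bytes of the well-known
# 1x1 transparent GIF): a 2-entry global colour table (black, white), a graphic
# control extension marking colour 0 transparent, a 1x1 image descriptor at
# (0,0) and the smallest valid LZW stream, then the trailer.  Keeping the image
# itself 1x1 means only the logical screen size in the header varies.
_GLOBAL_COLOUR_TABLE = bytes([0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF])
_GRAPHIC_CONTROL_EXT = bytes([0x21, 0xF9, 0x04, 0x01, 0x00, 0x00, 0x00, 0x00])
_IMAGE_DESCRIPTOR = bytes([0x2C, 0, 0, 0, 0, 1, 0, 1, 0, 0x00])
_IMAGE_DATA = bytes([0x02, 0x02, 0x44, 0x01, 0x00])
_TRAILER = b"\x3B"


def make_gif(width: int, height: int) -> bytes:
    """Constructed sample input: a valid GIF89a whose logical screen is
    width x height pixels.  Both fields are little-endian unsigned 16-bit."""
    if not (0 < width < 0x10000 and 0 < height < 0x10000):
        raise ValueError("GIF dimensions must fit in 16 bits")
    # Logical screen descriptor: width, height, packed flags, background
    # colour index, pixel aspect ratio.  0x80 = global colour table present,
    # size bits 000 -> 2^(0+1) = 2 entries.
    screen = struct.pack("<HHBBB", width, height, 0x80, 0, 0)
    return (GIF_SIGNATURE + screen + _GLOBAL_COLOUR_TABLE + _GRAPHIC_CONTROL_EXT
            + _IMAGE_DESCRIPTOR + _IMAGE_DATA + _TRAILER)


def diff_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two equal-length samples differ: the hex-editor
    comparison the comment describes, done programmatically."""
    if len(a) != len(b):
        raise ValueError("samples must be the same length to compare byte-for-byte")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def locate_dimension_fields() -> dict:
    """Vary one property at a time and record which bytes change.  770 is
    0x0302, so both bytes of a 16-bit field move and the field width becomes
    visible, which a change from 1 to 2 would not reveal."""
    base = make_gif(1, 1)
    return {
        "width": diff_offsets(base, make_gif(770, 1)),
        "height": diff_offsets(base, make_gif(1, 770)),
    }


def parse_gif_header(data: bytes) -> dict:
    """Parse the fields located above plus the packed flags byte.  Rejects
    anything too short or lacking the GIF signature."""
    if len(data) < 13 or data[:3] != b"GIF":
        raise ValueError("not a GIF")
    sig, width, height, packed, _bg, _aspect = struct.unpack_from("<6sHHBBB", data, 0)
    has_gct = bool(packed & 0x80)          # bit 7: global colour table follows
    gct_entries = 2 ** ((packed & 0x07) + 1) if has_gct else 0  # bits 0-2: size
    return {
        "version": sig[3:].decode("ascii"),
        "width": width,
        "height": height,
        "has_gct": has_gct,
        "gct_entries": gct_entries,
    }


if __name__ == "__main__":
    print("fields found by diffing:", locate_dimension_fields())
    print("parsed back:", parse_gif_header(make_gif(640, 480)))
```

The diff of the 1x1 file against a 770x1 file changes offsets 6 and 7, and against a 1x770 file offsets 8 and 9, which is how you learn that each dimension is a two-byte little-endian field right after the six-byte signature without reading a spec. The same one-property-at-a-time technique applies to any undocumented format; what changes is only how you construct the samples.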

  • by LMacG ( 118321 )

    "An anonymous reader writes "

    [...]

    "Read below for the rest of Ryan's review. "

  • Sounds good, except that the cost of IDA Pro puts me off. I think I'll stick with OllyDbg; now what that needs is a "how to" book!
  • objdump (Score:3, Interesting)

    by savuporo ( 658486 ) on Wednesday October 29, 2008 @02:36PM (#25558951)

    meh, objdump -dCS, nm -C, readelf and binutils in general get the job done for me more often than not, and across various CPU architectures. for free.

  • While browsing IDA Pro product
    pages at http://www.hex-rays.com/idapro/idadown.htm [hex-rays.com]
    I noticed that there are downloads for two libraries that IDA seems to use:

    Linux TVision port for the IDA Interface - source code (updated 20/11/2007)

    This download is password protected, but seems it is a copy of
    Linux TVision - http://tvision.sourceforge.net/ [sourceforge.net] which is under GPL.

    Another, more obvious problem of theirs is:

    Wingraph v 1.03: source code the Wingraph we use and modified (GPL).
    (updated 25/08/2004)

    Which

    • WinGraph is used as a separate binary to view the graphs, so I don't think that's a problem. Don't know about TVision though.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      The version of tvision to which you point is not the version that IDA utilizes. Tvision was developed and released by Borland. It has been ported and modified by a number of different people over the years. IDA uses it as a shared library component. Hex-rays releases the tvision source code to anyone who purchases IDA, i.e. to anyone who they distribute tvision to, which is their obligation under the GPL. I believe they also distribute the source to wingraph32.

    • by PingXao ( 153057 )

      Nobody cares about that stuff. Only the BusyBox project seems to take any notice when their licensing terms are violated. GPL Violations is swamped with a backlog of complaints.

  • by kmahan ( 80459 ) on Wednesday October 29, 2008 @03:12PM (#25559493)

    I used to use IDAPro a lot -- but then they went to the new pricing model which increased the cost dramatically. So while it is a great product it really isn't affordable for people that don't have a corporate expense account.

    • AFAIR, they still have the basic version for free.

      • by kmahan ( 80459 )

        The problem I have is that the eval version only has x86 and ARM support. I'm more interested in using it for 68k.

        • It lacks 64-bit support as well, iirc; I think only the Advanced version has that.

          Mind you IDA Pro is cheap, compared to the price of the Hex-Rays Decompiler...

    • Re: (Score:3, Informative)

      by tlhIngan ( 30335 )

      I used to use IDAPro a lot -- but then they went to the new pricing model which increased the cost dramatically. So while it is a great product it really isn't affordable for people that don't have a corporate expense account.

      That, and when I was checking it out, they only sold to established companies - you couldn't buy it even if you wanted to... which is probably why it cost so much. I'd go with the free version, but that had a number of limitations.

      It appears the only way to actually get full IDA Pro is

  • Why does this have an Idaho tag?
  • This is a well-distributed application (v5.3) on bittorrent. And you wonder which disassembler they used to fix it hehe :-P I've used it myself and it's amazing how many different processors are supported and the plugins that are made for them. A few I know of are the C decompiler plugin and the BinDiff plugin (helpful if you are interested in finding the main changes between an original and cracked app.) But of course you have to have enough free cash to buy the product and plugins because no one here woul
    • by nawcom ( 941663 )
      I've also used it to check out the code in a lot of Apple's closed source drivers - so it's extremely compatible with many different object formats.
