From YobiWiki


IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment.

  • Official page
  • Windows, Linux, Mac OS X
  • x86-32, x86-64, ARM and many others
  • ELF, Java bytecode, Dalvik, ARM,...
  • disassembler, some debugger


PIN Tracer


Adapted from

# multilib toolchain: needed to build the 32-bit (ia32) pintool on a 64-bit host
apt-get install gcc-multilib g++-multilib
pushd pin-2.13-61206-gcc.4.4.7-linux/ia32/runtime
ln -s
pushd pin-2.13-61206-gcc.4.4.7-linux/intel64/runtime
ln -s
# the IDA pintool is built inside the PIN kit's tools tree
mkdir pin-2.13-61206-gcc.4.4.7-linux/source/tools/@idapin66
cd pin-2.13-61206-gcc.4.4.7-linux/source/tools/@idapin66
# extract the idapin66 tool sources here
7z x
# build both the 64-bit (ia32e) and the 32-bit (ia32) pintool
make TARGET=ia32e
make TARGET=ia32


In IDA select "PIN Tracer" and configure it.

  • Path to PIN: pin-2.13-61206-gcc.4.4.7-linux/pin
  • Path to tool: pin-2.13-61206-gcc.4.4.7-linux/source/tools/@idapin66/

See PIN tutorial


Based on idapython (shipped with IDA Pro)

Install for ida 6.5

Some plugins require PySide as well.
To install it on Linux for IDA Pro, see Hexblog, but let's install it locally into the IDA directory instead of under /
Download PySide 2011/12/30 for IDAPython 1.5+, Python 2.7 (2.6) and Qt 4.8.4 (IDA 6.5), Linux version

tar xvfz os_package_pyside_python27_package.tgz -C /path/to/ida

Install for ida 6.6

PySide is now also part of IDA Pro, nothing to do anymore :)


IDA Pro can natively patch code/data in its DB, but not in the original file; to apply the patches to the file itself you can do:

See also plugins Fentanyl and idapatcher here below
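One way to get the database patches into the original file is IDA's own .dif export (File > Produce file > Create DIF file), whose text lists one "offset: old new" byte pair per patched byte. The applier below is an added example, not code from this page, from IDA or from the plugins above; the sample binary and .dif text are constructed for the example. It refuses to write when the original byte does not match what the .dif expects, which catches patching the wrong build of a file.

```python
"""Apply an IDA Pro .dif patch export to a copy of the original binary.

Added example (not from the YobiWiki page or from Hex-Rays). The .dif
layout handled here is the one IDA writes: a banner line, a blank line,
the original file name, then one "OFFSET: OLD NEW" line per patched byte,
all in hex. SAMPLE_BIN and SAMPLE_DIF are constructed test data.
"""
import re
from typing import List, Tuple

# IDA writes 8-digit offsets for small files; accept any width so larger
# (64-bit) file offsets also parse.
DIF_LINE = re.compile(r"^([0-9A-Fa-f]+):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")

Patch = Tuple[int, int, int]  # (file offset, expected old byte, new byte)


def parse_dif(text: str) -> Tuple[str, List[Patch]]:
    """Return (original file name, list of patches) from .dif text."""
    name = None
    patches: List[Patch] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("This difference file"):
            continue  # blank line or IDA's banner
        m = DIF_LINE.match(line)
        if m:
            off, old, new = (int(g, 16) for g in m.groups())
            patches.append((off, old, new))
        elif name is None:
            name = line  # first non-banner, non-patch line is the file name
        else:
            raise ValueError(f"unrecognised .dif line: {raw!r}")
    if name is None:
        raise ValueError("no file name found in .dif")
    return name, patches


def apply_dif(data: bytes, patches: List[Patch]) -> bytes:
    """Apply patches to data; fail before writing anything if it does not match."""
    buf = bytearray(data)
    for off, old, new in patches:
        if off >= len(buf):
            raise ValueError(f"offset {off:#x} is beyond the end of the file")
        if buf[off] != old:
            raise ValueError(
                f"byte at {off:#x} is {buf[off]:#04x} but .dif expects {old:#04x}: "
                "wrong file or wrong version"
            )
    for off, _old, new in patches:
        buf[off] = new
    return bytes(buf)


def patch_file(dif_path: str, in_path: str, out_path: str) -> int:
    """Read a .dif and a binary from disk, write the patched copy, return patch count."""
    with open(dif_path, "r", encoding="ascii", errors="replace") as f:
        _name, patches = parse_dif(f.read())
    with open(in_path, "rb") as f:
        patched = apply_dif(f.read(), patches)
    with open(out_path, "wb") as f:
        f.write(patched)
    return len(patches)


# Constructed sample: 16 NOPs, then je +5 / cmp eax,ecx / jne +2 / nop / ret.
SAMPLE_BIN = bytes.fromhex("90" * 16 + "7405" + "3bc1" + "7502" + "90" + "c3")

# Constructed .dif turning both conditional jumps into unconditional jmp (EB),
# the same edit Fentanyl's "Make jump unconditional" performs in the DB.
SAMPLE_DIF = """This difference file is created by The Interactive Disassembler

sample.bin
00000010: 74 EB
00000014: 75 EB
"""


def demo() -> bytes:
    """Parse SAMPLE_DIF and apply it to SAMPLE_BIN."""
    _name, patches = parse_dif(SAMPLE_DIF)
    return apply_dif(SAMPLE_BIN, patches)


if __name__ == "__main__":
    print(demo().hex())
```

The two-pass check in apply_dif (verify every expected byte, then write) means a mismatch anywhere leaves the output untouched rather than half-patched.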




Make available in ida-6.6/plugins/

  • View->Open subviews->Patches


Easy patching!
See also here

File > Script file > Fentanyl/
Alt-N      Convert instructions to nops
Alt-X      Nop all xrefs to this function
Alt-J      Invert conditional jump
Alt-P      Patch instruction
Alt-Z      Undo modification (Won't always work. Should still be careful editing.)
Alt-Y      Redo modification (Won't always work. Should still be careful editing.)
Alt-S      Save file
Alt-C      Find Code Caves
Ctrl-Alt-F Make jump unconditional
Ctrl-Alt-N Neuter the binary (remove calls to fork, setuid, setgid, getpwnam, set groups, and chdir)


The most powerful (and most expensive) IDA Pro plugin is the Hex-Rays decompiler

  • x86 and ARM
  • decompiler

Limitations specific to ARM:

  • floating point instructions are not supported
  • VFP/SIMD/Neon/... instructions are not supported
  • functions having an argument that is passed partly in registers and partly on the stack are not supported (e.g. int64 passed in R3 and on the stack)



Decompile small functions in IDA


Mainly for Thumb right now

IDA Pro ARM debugger

Supports ARM code debugging via JTAG or software emulators

Garts: Get all referenced text strings

aka A Better String Viewer

File > Script file >

IDA toolbag

  • Under Linux put toolbag content under ~/.idapro
>>> import toolbag


Some bridges between IDA and Miasm:


A program diffing plugin, working with IDA 6.7 and 6.8
Doc here (pdf)
When running the script I got this issue about importing md5.
To solve it I had to manually install libssl0.9.8:i386 from an old Debian repo.
As a bonus, it exports IDA DBs in SQLite format.


What Would Capstone Decode - IDA plugin that implements a Capstone powered IDA view

To sort


IDA Pro has some debugging capabilities too.
Local debugging: win32, windbg
Remote debugging:

gdbserver --multi <client_ip>:<port> # default IDA port: 23946

Then on IDA: select Remote GDB debugger, paths should be paths on the gdbserver host.

  • Debugger / options / Stop on process entry point
  • Compatible with lib preloading, cf below
  • from 6.4, can make use of Intel PIN tools for diff debugging, see tutorial (pdf)