IDA: What's new in 7.00 (hex-rays.com)
125 points by beltex on Sept 14, 2017 | hide | past | favorite | 52 comments



A quick overview of what makes IDA cool for those unfamiliar with it:

* It has one of the best decompilers available

* It supports a ridiculous number of platforms

* I trust its disassembler (especially for mainstream languages) more than almost any other disassembler

* Demangling of Swift names is a nice quality of life improvement, Swift moves fast and is hard to keep up with

* Still the best disassembler and machine code reversing tool out there

If you can't afford IDA (it is very expensive), there are a lot of great alternatives:

* Hopper (mac only). Its disassembler is not so great; it gets confused and fails to find code in Swift apps pretty often. It is still generally good, and with some encouragement you can get it to do a competent job.

* radare2. Works on a lot of more esoteric processors. Great for when working on small firmwares from less common processors. Not so great at big files. Slow. Very powerful regardless. Open source.

* ImmunityDbg still works for Win

* Other tools, just search.

The more time you spend looking at disassembled machine code the more valuable IDA gets. But you really have to do a lot of RCE. Most people first getting into RCE really think they need IDA when they haven't even cracked the docs for their target environment yet or lack fundamental knowledge about how CPUs work, which holds them back far more than a second class disassembler ever has.


You'd be remiss if you don't mention Binary Ninja[1]. A relative newcomer that's already extremely capable, has great scripting support and is under very active development.

[1] https://binary.ninja/


Forgot about them! Folks are really liking it. Affordable too. I have not had time to play with it yet.


> I trust its disassembler (especially for mainstream languages) more than almost any other disassembler

Might I suggest Christopher Domas' Black Hat talk "Breaking the x86 ISA", along the way of which he demonstrates the limitations of all disassemblers out there, including IDA's :)

Talk: https://youtu.be/KrksBdWcZgQ

Slides: https://www.blackhat.com/docs/us-17/thursday/us-17-Domas-Bre...

Paper: https://www.blackhat.com/docs/us-17/thursday/us-17-Domas-Bre...


> Hopper (mac only).

Hopper supports Linux since V3 :)

* https://www.hopperapp.com

* https://twitter.com/bSr43/status/851832213066973185


If you're looking for a GUI for radare2, https://github.com/hteso/iaito has worked well for me so far. Despite the warnings about it being highly unstable, I spent 4 hours in it reversing an ARM binary and it worked perfectly fine.


It isn't as powerful as IDA but x64dbg is a free and open source debugger for Windows and a good goto for hobbyists imho - https://x64dbg.com


x64dbg is great. It has enough features (such as visual charts) to make debugging much easier than on a classic debugger. That said, it makes mistakes and is not nearly as bulletproof as IDA.



Hopper on the Mac is very nice and affordable; it saved me several times when I needed to understand undocumented features in some plugins...


I feel like they kind of lose money on IDA by not marketing some sort of hobby version. I offered the guy $100 to purchase a legit version of IDA for personal educational use and he declined (go figure). I am just a university student.


Between IDA Pro 5.0 (full functionality, legally free), IDA eval 7.0 (limited functionality, legally free), and IDA 6.8 (haxxed), the students are pretty well covered. I'd imagine Ilfak doesn't mind if you pirate it as a student, but giving you a 7.0 full binary is more about operational security than anything else. This is illustrated by the fact that you can literally go to buy IDA + HR for full retail at 5k and be denied a license if you're not affiliated with a reputable organization.

The reason why it's so difficult to get a pro license (even if you want to pay for it legally) is because one leak of the most current version and enterprise sales drop by about ~50%[1]. So, theoretically, if Ilfak were to give you that $100 most-recent copy and you were to share it with the wrong people, the losses are way more than just what he lost on your sale. The legitimate corporate sales go down ~50%[1] the second a leak hits.

I'm not in rev-eng professionally, but I grew up (read: pirated it at 15) with it back when SoftICE and IDA were the only options on the market. Eventually I needed a license to side-step some legitimate licensed software for a client whose business depended on a dongle from a now defunct company. Since IDA is what I already knew, it's what I purchased. The time I would have spent learning another platform (there are lovely open source alternatives on the market now) would have exceeded the price of the software by quite a bit. For people who use IDA professionally, 1k a seat (5k w/ HR) is more than reasonable, especially with the whole ecosystem of plugins that exist around it[2].

But the times, they are a'changin. Now with all of the competitors on the market, kids are growing up not pirating SoftICE and IDA but alternatives. 5 years down the line, when those kids have purchase influence and go to their manager with a request ("this is what I grew up with... I need a __ license"), IDA is going to have a real problem[4].

====

[1] Ilfak delineated the whole business model and decrease in sales as a result of leaks with real numbers on reddit. This was 3-4 years ago (maybe more, god I'm getting old) so I might be off by the 50%. I'm sure it's more than 1/3rd. This interestingly enough is why you see a version bump as soon as a leak shows up. Maybe purchasing departments are less likely to authorize a 5k license if the most recent version is on piratebay? Not sure how that gets past legal and whoever is in charge of license compliance, but it happens. Pure speculation: When you bump a pirated 6.8 to a non-pirated 6.9, the engineer/manager can "legitimize" the purchase by telling purchasing "I need 6.9 and can't steal it - now, cut the purchase order, or it'll be your name coming up when we have a meeting as to why we lost Client Foo".

[2] The reason I keep paying for maintenance fees is because the extensive number of community-made/maintained plugins makes IDA basically like emacs. Powerful base-software, but when you get all your scripts setup with things like DIE[3] you can't imagine working in another setting.

[3] https://github.com/ynvb/DIE This alone is worth the cost of the base $1k IMO. Sidenote: The plugin contest was the greatest marketing idea ever. Get people to develop (or release the tools they've already developed for themselves to the public domain) extensible software that adds significant value to your software in exchange for a $1k? Absolutely brilliant.

[4] https://i.imgur.com/Qb7GSCL.png Here's a comment I made about a year ago when we saw Binary Ninja/Radare2/etc all coming of age.


A couple of years back I learned how to use IDA in a binary and malware analysis class. If you happen to study in The Netherlands, the VU University Amsterdam is where that class is at!

I'm fuzzy on my memory, but man! This was so much cooler and better than disassembling stuff on the commandline! The cool things about IDA that I found out were:

- its scripting language (we used Python)

- its ability to show loops and branches by drawing arrows to other pieces of assembly (it's a special view you can use)

- really good search and code labeling features: if you change one register name somewhere, then that's propagated to where that register is used in the rest of the relevant code

- the ability to patch programs: you can overwrite processor instructions; mostly I used instruction 90, which is the nop instruction (meaning: no operation).

These features are not unique to IDA, but from a beginner perspective: I thought they were awesome! We used some kind of demo version for IDA.


Has anyone with IDA Pro had luck with mcsema (or anything similar)?

The idea of taking arbitrary x86/amd64 binaries and converting them to LLVM IR is a concept that fascinates me and I've always been curious what the optimization paths would be -- if you took a go binary output, converted it to LLVM IR, and then compiled with an optimizing LLVM pass how does the result compare, for instance.


McSema developer here. We have a few success stories with it, including lifting, instrumenting, and recompiling Apache web server. It has also been used for symbolic execution of various programs. We at Trail of Bits are working on version 2 of McSema (currently in the use_remill_semantics branch) and we hope to have that released in the coming months.


the prices are still kinda ridiculous for hobbyists. i realize those might not be the main customers.


It's expensive, but it probably doesn't cost nearly enough. IDA is the Microsoft Word of software reverse engineering, and its low price relative to the bill rates of people who actually use it is a boat anchor for the entire reversing market. It's difficult to charge more than IDA charges for new products. Since the market for reversing products is always going to involve a relatively small number of people doing very high-value work, it's hard to build a sustainable business in it.

Now that IDA has very serious competition, from Binja and Hopper, it's unlikely that problem is going to resolve itself in the long term.


Disagree, most people who use IDA professionally only use it occasionally, when the job calls for it. I know many security professionals who only end up using it a few times a year, but when they need it they need it. Full time reverse engineers are the exception, but they are not the majority of IDA users. For everyone else, it's typically one of many pieces of expensive software.

Though it's unclear if we are discussing sticker shock over IDA Pro or over IDA Pro + Hex Rays decompilers, because there is a pretty huge increase in cost as you start needing those.


It's expected that hobbyists will pirate it.


I have no first hand knowledge, but it is my understanding based on what others have told me that IDA Pro is actually kind of difficult to crack and pirate.

I don't know how true this is, but it makes logical sense - the developers of a reverse-engineering tool are likely far more clever at anti-piracy mitigations than your average programmer.


with a certain regularity ida pro versions leak, because companies who purchased ida pro get hacked. sometimes these ida pro versions are only available to a select few (the hacking crew, their friends etc.) but sometimes even those versions get leaked.


Wow, you could not be more wrong on that. They've gone to greater lengths than any other vendor I can think of to prevent piracy and punish those who do.


I would be afraid to use a pirated version of this. Certainly the authors are experts in cracking and countermeasures. They could do sneaky stuff like pretending to work and then breaking later, or silently produce wrong output.

I heard a rumor that the cracked version calls home with your identity and blacklists you for life. Don't think it is true though. (Edit: I think what they do is they embed your key into saved files, and if a key leaks, blacklist it such that later versions cannot open them.)


If a database was created using an instance of IDA that was running on a known blacklisted key you'll get a "Sorry, you can't open this database because it was created using a pirated version of IDA" message, and if you try to open a database that's missing the license info you'll get a "Database is corrupt." message. It's still pretty easy to patch out these messages and open the databases anyways though.

There's also a map [1] on the old IDA website showing geolocated IPs of users that tried to request updates using pirated keys.

[1] http://www.datarescue.com/idabase/


It's my understanding that people who have previously pirated it are blacklisted from ever using the sw legally, thereby potentially making it impossible to get a job in the industry.


How do you even enforce such a policy? And who the hell is IDA run by? The Soup Nazi?


Pretty much. They took a run at us about 10 years ago. I wrote a sort of semi-popular blog post about figuring out what crypto an app uses by looking for constants for particular crypto algorithms using IDA, and they looked me up in their license database and freaked out publicly because I wasn't registered. We privately pointed out that we were using a letter-coded license on behalf of a client, and they called us liars because they could only think of a few clients they had with such a licensing arrangement (obviously, we weren't in a position to tell them which client it was).

This is, again, for a simple mention of IDA in a public blog post.

After Ilfak left DataRescue to do Hex-rays, his Hex-rays IDA pages kept the one blacklisting the dude they had caught pirating.

Amusingly, the DataRescue IDA page is basically only about piracy now:

http://www.datarescue.com/idabase/

Whatever the "expectation" about piracy there is for IDA, it seems safe to say the IDA people themselves don't share it.
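The technique the comment above refers to, identifying which crypto algorithms a binary uses by searching for the algorithms' published constants, as an added example that is not from the post or from any IDA plugin. It scans a raw byte buffer the way an analyst would scan a loaded segment; the constants are the real values from FIPS 180-4, FIPS 197 and RFC 1321, and the sample buffer is constructed inline.

```python
"""Locate well-known crypto constants in a binary blob (FindCrypt-style)."""
import struct

# SHA-256 initial hash state H0..H7 (FIPS 180-4, section 5.3.3)
SHA256_IV = (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
             0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19)
# MD5 initial state A, B, C, D (RFC 1321)
MD5_IV = (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476)
# First 16 bytes of the AES forward S-box (FIPS 197, figure 7)
AES_SBOX_HEAD = bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")

# Compilers store the word-sized constants in the target's endianness,
# so each word table is searched in both little- and big-endian layouts.
SIGNATURES = {
    "SHA-256 initial state (LE)": struct.pack("<8I", *SHA256_IV),
    "SHA-256 initial state (BE)": struct.pack(">8I", *SHA256_IV),
    "MD5 initial state (LE)": struct.pack("<4I", *MD5_IV),
    "MD5 initial state (BE)": struct.pack(">4I", *MD5_IV),
    "AES S-box": AES_SBOX_HEAD,  # byte table, endianness-independent
}


def find_crypto_constants(data):
    """Return [(signature name, offset), ...] sorted by offset."""
    hits = []
    for name, sig in SIGNATURES.items():
        start = 0
        while True:
            off = data.find(sig, start)
            if off < 0:
                break
            hits.append((name, off))
            start = off + 1  # keep scanning for further copies
    return sorted(hits, key=lambda h: h[1])


# Constructed sample "segment": 16 bytes of NOP padding, the SHA-256 state
# stored little-endian at 0x10, 16 bytes of INT3 filler, then the AES S-box
# head at 0x40, followed by zero padding.
SAMPLE = (b"\x90" * 16
          + struct.pack("<8I", *SHA256_IV)
          + b"\xcc" * 16
          + AES_SBOX_HEAD
          + b"\x00" * 8)

if __name__ == "__main__":
    for name, off in find_crypto_constants(SAMPLE):
        print(f"{off:#06x}  {name}")
```

The same scan applied to a file's sections points the analyst at the hashing or cipher routine before any manual disassembly, which is what the blog post mentioned above used IDA for.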


That's fascinating. I'd lumped IDA in with e.g. Photoshop. Was wrong.

Did they ever retract their public freaking out?


They're very difficult to deal with. Renewing my license which was in my name, but at a company I didn't actively work with, was a pain. Even though I had a valid email address at the company in question (part owner). They wanted the company to verify I was allowed to pay them to buy the product. Took over a week IIRC for me to give them money.

Then, if you lose your downloads (in my case, corrupted file) and your contract expires, you're out of luck. Since they make a separate EXE for each customer, they don't provide any way of getting the software once your support contract ends. Seems silly, considering pirated copies are readily obtainable.

But, they're the best so they can act like this and get away with it.


It's not people who have previously pirated it - it's people who have intentionally leaked their copy to crackers.


What's your source on this? And what's preventing users from simply deleting the files/formatting their OS/getting a new e-mail?


Second paragraph of Hex-Ray's stance on piracy https://books.google.com/books?id=3nPAM3AZ1foC&pg=PA32&lpg=P...


If I'm reading this right, the blacklist only applies to people who leak their legally purchased copies, not everyone who's ever used a pirated copy.


From every what? It's hard for me to imagine a company caring about such a thing; this seems like something the courts handle just fine.


that would seem to be an extremely stupid way of converting hobbyists into paying commercial users


Especially since there is no way I'm buying this as a hobbyist. I'd like to have it, but I don't need it and can't afford it - so I either pirate it or won't use it.

If I got access, by pirating, or having a free / subsidized / university version, I might be able to develop my skills such that I can use this professionally, and would certainly be able to buy a license (and ongoing support).

But like this, the only way I could "get into" IDA Pro is by using it at a company where they bought a license.

Also, the developers should really release a new demo/evaluation version, supporting 64 bit.


> But like this, the only way I could "get into" IDA Pro is by using it at a company where they bought a license.

Or use the older, free version, which would be enough to develop some skills and become familiar with the general operation of the program.


If someone else has a better idea of how to legally become familiar with the program without paying $739 for a Starter Edition license, I'd like to hear it.


You might try pleading directly to the devs—it worked for me before I got a job (I was still in high school).


If true, that would also scare me from using it legally. What if a glitch (perhaps due to a failing memory chip, or a bug on a modified kernel) makes it think I'm using a pirated version?


That's a crappy model; I'd pay for it if it were available.

Especially on my preferred platform. (Linux)


The Starter Edition license is $739, and is available on Linux. I've heard that it can take some work to get them to agree to sell you a copy (liability concerns, or something)


Ilfak, hire someone to proofread the release notes!


what is this used for?


Reverse engineering. Basically, if you want to take a compiled binary apart to figure out how it works, IDA is the best tool that there is for that job.


besides curiosity .. and maybe learning

what are the common business usages for this, who uses this daily to do his work .. if this use case exists at all

for this price, i imagine there must be a very dedicated niche who needs this, who is this niche


>, who is this niche

Programmers working at antivirus companies analyzing malware would be an example. See page 2 of the pdf:

https://www.hex-rays.com/products/ida/ida-executive.pdf


I use a similar application to reverse binaries of proprietary software we legally purchase and use. The vendor is sometimes unable or unwilling to document how something actually works or how something could work if it was configured in a certain way.


Malware analysis, binary patching, research, bounty hunting, developing cheats, etc etc etc. There are a lot of use cases.


Industrial espionage.


cracking software - like removing dongles, finding valid registration keys, removing server checks etc


Game cheating - analysing sign up process, updating game parameter, retrieving secret key



