It's expensive, but it probably doesn't cost nearly enough. IDA is the Microsoft Word of software reverse engineering, and its low price relative to the bill rates of people who actually use it is a boat anchor for the entire reversing market. It's difficult to charge more than IDA charges for new products. Since the market for reversing products is always going to involve a relatively small number of people doing very high-value work, it's hard to build a sustainable business in it.
Now that IDA has very serious competition, from Binja and Hopper, it's unlikely that problem is going to resolve itself in the long term.
Disagree, most people who use IDA professionally only use it occasionally, when the job calls for it. I know many security professionals who only end up using it a few times a year, but when they need it they need it. Full time reverse engineers are the exception, but they are not the majority of IDA users. For everyone else, it's typically one of many pieces of expensive software.
Though it's unclear if we are discussing sticker shock over IDA Pro or over IDA Pro + Hex Rays decompilers, because there is a pretty huge increase in cost as you start needing those.
I have no first hand knowledge, but it is my understanding based on what others have told me that IDA Pro is actually kind of difficult to crack and pirate.
I don't know how true this is, but it makes logical sense - the developers of a reverse-engineering tool are likely far more clever at anti-piracy mitigations than your average programmer.
with a certain regularity ida pro versions leak, because companies who purchased ida pro get hacked. sometimes these ida pro versions are only available to a select few (the hacking crew, their friends etc.) but sometimes even those versions get leaked.
Wow, you could not be more wrong on that. They've gone to greater lengths than any other vendor I can think of to prevent piracy and punish those who do.
I would be afraid to use a pirated version of this. Certainly the authors are experts in cracking and countermeasures. They could do sneaky stuff like pretending to work and then breaking later, or silently produce wrong output.
I heard a rumor that the cracked version calls home with your identity and blacklists you for life. Don't think it is true though. (Edit: I think what they do is they embed your key into saved files, and if a key leaks, blacklist it such that later versions cannot open them.)
If a database was created using an instance of IDA that was running on a known blacklisted key you'll get a "Sorry, you can't open this database because it was created using a pirated version of IDA" message, and if you try to open a database that's missing the license info you'll get a "Database is corrupt." message. It's still pretty easy to patch out these messages and open the databases anyways though.
There's also a map [1] on the old IDA website showing geolocated IPs of users that tried to request updates using pirated keys.
It's my understanding that people who have previously pirated it are blacklisted from every using the sw legally thereby potentially making it impossible to get a job in the industry.
Pretty much. They took a run at us about 10 years ago. I wrote a sort of semi-popular blog post about figuring out what crypto an app uses by looking for constants for particular crypto algorithms using IDA, and they looked me up in their license database and freaked out publicly because I wasn't registered. We privately pointed out that we were using a letter-coded license on behalf of a client, and they called us liars because they could only think of a few clients they had with such a licensing arrangement (obviously, we weren't in a position to tell them which client it was).
This is, again, for a simple mention of IDA in a public blog post.
After Ilfak left DataRescue to do Hex-rays, his Hex-rays IDA pages kept the one blacklisting the dude they had caught pirating.
Amusingly, the DataRescue IDA page is basically only about piracy now:
They're very difficult to deal with. Renewing my license which was in my name, but at a company I didn't actively work with, was a pain. Even though I had a valid email address at the company in question (part owner). They wanted the company to verify I was allowed to pay them to buy the product. Took over a week IIRC for me to give them money.
Then, if you lose your downloads (in my case, corrupted file) and your contract expires, you're out of luck. Since they make a separate EXE for each customer, they don't provide any way of getting the software once your support contract ends. Seems silly, considering pirated copies are readily obtainable.
But, they're the best so they can act like this and get away with it.
Especially since there is no way I'm buying this as a hobbyist. I'd like to have it, but I don't need it and can't afford it - so I either pirate it or won't use it.
If I got access, by pirating, or having a free / subsidized / university version, I might be able to develop my skills such that I can use this professionally, and would certainly be able to buy a license (and ongoing support).
But like this, the only way I could "get into" IDA Pro is by using it at a company where the bought a license.
Also, the developers should really release a new demo/evaluation version, supporting 64 bit.
If someone else has a better idea of how to legally become familiar with the program without paying $739 for a Starter Edition license, I'd like to hear it.
If true, that would also scare me from using it legally. What if a glitch (perhaps due to a failing memory chip, or a bug on a modified kernel) makes it think I'm using a pirated version?
The Starter Edition license is $739, and is available on Linux. I've heard that it can take some work to get them to agree to sell you a copy (liability concerns, or something)
