
Today, IDA turns thirty years old. In commemoration of the anniversary we’ll describe the beginnings and major milestones of the epic journey.

Background

In the early 1990s, DOS was the most popular OS for PCs, which were mostly 8086-based with the occasional 80286 (the 80386 was still very expensive). A typical PC had at most 1MB of RAM, leaving little space for intensive tasks. However, the software development industry was growing quickly and there was a need for debugging and diagnostic tools. Aside from debuggers, disassemblers were mostly batch-based (non-interactive). The most popular (and expensive) one was Sourcer by V Communications. It had limited interactivity in that it accepted a “definition file” with a list of starting disassembly points, possible function names and segmentation info. After each change to the definition file, the disassembly of the whole file had to be redone from scratch, which could take a long time on the machines available at the time. Most of the runtime data was kept in memory (at most 640KB in DOS), so it could fail on big files.

There were some debuggers which could be used for disassembly, but they did not really offer RE features such as custom names or comments, so deep RE was often done in a text editor or by marking up printouts.

IDA offered a new paradigm. It could disassemble a file piece by piece, loading only the fragment which the user was looking at, and did not need to load the whole file into memory. Renaming and commenting were done “just in time” instead of redoing the whole disassembly on every change. The database saved all changes so the work could be performed incrementally over time. However, it took time for this approach to be appreciated by the users.

Ilfak Guilfanov (from IDA 2.05 history file, circa 1994?):

First idea about IDA was born in the fall of 1990. It took half a year to screw up enough courage and to start implementing it. In the beginning of 1991, in January, first code line was written. In April 1991 the first program was fully disassembled with IDA. IDA grew up and new ideas appeared. I wanted to create a built-in C-style language to control analysis of the program, to add more processors, to disassemble object files, to handle UNIX COFF files, to add more intelligence to IDA etc…

Alas, all of this was not implemented. In July 1991 I stopped working at IDA almost completely, working at IDA only for fun. It was time to learn more about other computers, networks and other nice things. Today I would implement something based on client-server architecture with network support (I have a crazy idea about X-windows implementation) working under various operating systems – but I won’t. Enough for the moment. I really think that disassemblers and all the stuff like this are becoming obsolete. People work with GUIs, write in C++ (IDA is written in C++ too, about 40000 lines); they adore VisualBasic and they debug in source codes. Today’s programmer even doesn’t know assembler language – and doesn’t need to know it.

But…

I hope that this product will be a help for you. If so, I’m glad. Hope, there are some people who need a tool like this. And if there is a need to add a new processor type to IDA (the same was with Intel 8085), I can do it fast enough.

As we all know, disassemblers have not (yet?) become obsolete. Most of the planned features did eventually get added to IDA, not least thanks to the users who supported IDA during the early years and spread the word about it, but also thanks to early distributors and supporters such as DataRescue.

Pierre Vandevenne (DataRescue CEO), 2003:

When I discovered IDA, it was $30. I knew how to recognize a good deal and walked to my bank in the middle of the night to drop the wire order in their mailbox (pre-internet age stuff). Very very few, an unbelievably small number of people, did the same thing at that time.

[…]

Version 2.05 (which is the one I registered) was developed by Ilfak.

We started distributing, supporting the development and advertising version 3.05 (which essentially was very close to 2.05). Then Ilfak joined our company, moved to Belgium and the GUI version saw the light of the day.

By 2008, the first commercial decompiler had been released, IDA’s development had moved to a separate company, and the first commercial plugins for IDA had appeared. By now it is evident that binary analysis is far from a dying field, and we hope that IDA will stay around to celebrate more anniversaries. And of course, we don’t plan to stop innovating.

The complete timeline

Late 1990
development starts
(one of the core source files mentions being created on 25-Oct-1990)
1991
IDA 0.1 (The program banner says “May 20” but it seems the actual release happened a day later)

Archive

ida01.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
    24708  18-02-91 18:55   COMPRESS.EXE
    11451  21-05-91 22:21   COMTYPES.DOC
    76048  21-05-91 22:24   IDA.EXE
    57344  21-05-91 22:23   IDA.INT
     3581  06-05-91 17:36   IDAE.DOC
     3795  06-05-91 16:22   IDAR.DOC
     5976  27-05-91 18:17   README
    25080  18-02-91 19:07   REPAIR.EXE
 --------                   -------
   207983                   8 files
 
May 22: Windows 3.0 released by Microsoft
September 17: Linux release announcement by Linus Torvalds
1993
IDA 1.8 (16/09/93)
  • Turbo Vision instead of custom UI
1994
IDA 2.0
  • IDC scripting language added
  • start of shareware distribution (mainly via FidoNet and BBS, some FTPs)
  • support for additional processors (8080, 8085, Z80)
  • support for the NE file format (16-bit Windows and later OS/2)
1994
“Reverse Compilation Techniques” thesis by Cristina Cifuentes, dcc decompiler
1995
August 15: Windows 95 released
1999
IDA 3.84 (07/03/99)
  • Plugins support added in the SDK
IDA 4.0 (21/09/99)
  • Windows GUI version (text mode listing only). First appearance of now-classic IDA icon.
IDA Pro by Ilfak Guilfanov
2000
IDA 4.10 (19/06/2000)
  • Type System (standard function prototypes)
  • PIT (parameter identification and tracking)
2001
IDA 4.17 (22/03/2001)
  • Graphs and flowcharts using Wingraph
 
experiments with microcode
2002
April: Boomerang decompiler development starts http://boomerang.sourceforge.net/2004.php
June: Desquirr decompiler plug-in released http://desquirr.sourceforge.net/
2003

January: user-contributed Windows PE debugger plugin (Idbg)

IDA 4.5 (12/02/03)
  • Integrated debugger
IDA Win32 debugger
IDA 4.6 (27/10/03)
  • 64-bit address space support; AMD64 disassembly
 
May: first decompiler results on a real life trojan http://www.datarescue.com/laboratory/vd2.htm

2004
IDA 4.7 (30/08/04)
  • support for fragmented (chunked) functions
  • Linux console version
  • remote cross-platform debugging
IDAPython 0.5.0 (07/08/04) released by Gergely Erdelyi

 
September: IDAPython presented at the Virus Bulletin conference
2005
IDA 4.8 (15/03/05)
  • 64-bit remote debugger
 
Hex-Rays SA is registered.
Ilfak starts posting on hexblog.com
December 14: WMF vulnerability zero day attack
December 31: Ilfak’s unofficial vulnerability hotfix becomes very popular
2006
IDA 5.0 (03/06)
  • the built-in graph view
2007
IDA 5.1 Hex-Rays decompiler beta testing opens (11/05/07)
Hex-Rays Decompiler 1.0 (17/09/07) released
Hex-Rays Decompiler SDK (25/10/07) released

 
August 8: www.hex-rays.com opens
2008

January 1: Hex-Rays SA takes over development of IDA

IDA 5.3
  • Multithreaded debugging
  • iPhone, Symbian debuggers
IDAPython 1.0.0 released
  • development moves to Google Code
2009
IDA 5.4
  • Bochs, GDB, WinDbg debuggers
  • IDAPython included with IDA
IDA 5.5
  • dockable windows
  • arrival of the now classic IDA layout with the functions list to the left of disassembly
IDA 5.6
  • IDAPython support for Linux and Mac
  • 64-bit Linux and Mac debuggers
  • ARM Linux remote debugger
  • Appcall feature
2010
IDA 5.7
  • Scripted plugins and processor modules
  • ARM decompiler
IDA 6.0
  • cross-platform Qt based GUI version for Windows, Linux & Mac
2011
Bug bounty program opens. First submissions and fixes for 6.0 and 5.7
2012
IDA 6.3
  • source-level debugging
2013
IDA 6.4
  • ARM64 disassembly
2014
IDA 6.6
  • x64 decompiler
IDA 6.7
  • Python bindings for the decompiler SDK
2015
IDA 6.9
  • ARM64 decompiler
  • ARM64 Android debugger
2016
IDA 6.95
  • iPhone debugger using official Apple debugserver
  • PPC decompiler
2017
IDA 7.0
  • IDA is a native 64-bit executable for all platforms
2018
IDA 7.1
  • decompiler microcode API opened
IDA 7.2
2019
IDA 7.3
  • PPC64 decompiler
  • UNDO feature
IDA 7.4
  • Python 3 support
2020
IDA 7.5
  • folder views
  • MIPS decompiler
2021
IDA 7.6
  • native ARM64 macOS build

See also detailed IDA changelists
