State-of-the-art binary code analysis tools

Our flagship product IDA Pro is a popular yet sophisticated piece of software. We are often asked, what exactly is IDA used for? It’s a fair question, and it’s not so easy to answer. IDA has a very broad range of complex use cases that can’t be summarized with a catchy one-liner.

So rather than come up with a sales pitch to describe IDA, we decided to let our users do the talking. Below are samples from various security experts, malware analysts, and software engineers who used IDA to solve a critical problem in their workflow, and decided to publish their results. We collected a variety of links to such publications and grouped them into various subdivisions of the software industry. Hopefully this makes it easy to see exactly how IDA is applied toward real-world solutions in the field.

Digital Forensics

Challenge

Digital forensic investigations occur when a system is compromised by malicious software. In the event of a software-based attack, companies usually dispatch specialized Computer Emergency Response Teams (CERTs) to eliminate the threat, assess the extent of the damage, and understand how the attack was implemented in order to prevent similar incidents in the future. Such teams must collect digital evidence from computers, mobile devices, network appliances, and even distributed systems. Thus, they must be able to work with a large variety of binary code formats. In many cases the code is obfuscated with the goal of making the investigation harder and more time consuming. Forensic investigators need precise and versatile tools to help them with these tasks.

Approach

IDA Pro can analyze binary code that was collected during forensic investigation. It can handle virtually any code that runs on modern processors, and its functionality can be extended with custom scripts and plugins. This makes it especially useful when analyzing heavily obfuscated code. IDA has been relentlessly battle-tested in the field against real-world malware, which has made it the tool of choice for many CERT organizations.


Penetration Testing

Challenge

There is a strong incentive for software developers to attack their own software for the purpose of hardening its security. The general philosophy is that it is better to proactively find security flaws yourself, before someone else finds them and uses them maliciously against your clients. Security audits can be performed by specialized teams within a company or by third-party consultants, but they almost always require the precision of a tool like IDA.

Approach

It is possible to use IDA more offensively to detect exploitable vulnerabilities in mission-critical software. Usually this involves identifying the logic that is responsible for processing user input, then aggressively analyzing it for logical errors. Oftentimes it is easier to spot such errors when decompiling the software from the raw machine code, because the decompiled view is free of the biases and assumptions the programmer made when writing the original source code. Security auditors know what kinds of bugs to look for, and how harmful those bugs can be.


Intellectual Property

Challenge

Intellectual property is an essential asset of many companies. While intangible, quite often it represents the most significant property of a company. Intellectual property may be in many forms, including copyrights, patents, trademarks, and trade secrets. Any infringement or violation of IP rights is a severe threat to the very existence of many companies. For software IP, the task of finding and proving such violations represents a challenge. Our society needs not only manual but also automatic tools for this task.

Approach

IDA Pro perfectly fits the task because it can be used as a foundation to develop an automatic system to find copyright infringements, IP theft, and patent violations. Manual inspection remains available too.


Dynamic Analysis and Debugging

Challenge

Disassembling a computer program can reveal a great deal about its behavior, but there are many ways to limit the usefulness of the raw disassembly. Malware authors actively try to make their executable files appear harmless when being analyzed, then behave much differently when actually executing. Even well-engineered, non-malicious programs can malfunction at runtime due to unforeseen circumstances. Analysts and engineers depend on tools that allow them to observe the code while it is running. Often this is the only way to understand and fix the problem.

Approach

IDA Pro can debug applications on all major desktop platforms (Windows, Linux, Mac), mobile platforms (iPhone, Android), and emulators (QEMU, Bochs). Our debuggers can even handle lesser-known embedded systems based on MIPS or other processors. IDA Pro comes with ten different debuggers out of the box. Naturally, they are all configurable, programmable, and extensible.


Automotive Security

Challenge

Modern vehicles are rolling software ecosystems. They now rely on firmware running on microcontrollers rather than on pure hardware as in the past. Cars can contain over 70 electronic control units (ECUs), each with its own dedicated firmware. ECUs can be responsible for the engine, driving control, infotainment, navigation, and tracking systems, some of which may be connected to a cellular network. All this code has potential bugs, vulnerabilities, or hidden/unwanted functionality. So the notion of a “Smart Car” is a nice idea, but to some individuals “Smart” just means “Hackable”. The automotive industry must have visibility over the software that drives its vehicles (literally), despite its growing complexity. Overlooked flaws can have severe consequences.

Approach

IDA can serve as an entry point into a modern vehicle’s logical infrastructure. In many cases the original ECU firmware can be reverse-engineered, for example to determine how sensors are being read or how the engine is controlled. IDA is the best tool for this task since it supports all the major processor families used in ECUs. IDA makes it possible to build a gradual understanding of the firmware behavior even without complete documentation, source code, or debug symbols.


Interoperability

Challenge

Information is rarely produced and consumed strictly inside one application. Modern computers exchange information with other computers and store information on disk or in the cloud. Quite often the data format in use is undocumented, yet there may be a need to interact with the application or extract its data. For example, to extract data from obsolete software we need to know the format it used. Or, to take down a botnet, we may need to know its network protocol in order to send commands to the zombie computers it infected.

Approach

To deal with exotic file formats, IDA Pro can be easily extended with custom-crafted “loaders” that make the data available from within the UI. When it comes to reverse-engineering network protocols, one will typically pair IDA Pro with a packet capture tool (e.g., Wireshark). Analyzing the captured traffic and matching it against its usage in the client-side or server-side code speeds up discovery of the protocol considerably.
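The loader mechanism mentioned above, as an added example that is not part of this page or of Hex-Rays' own code: a minimal IDAPython loader for a hypothetical "TOY1" container format invented here (magic, load address, entry point, code length, then raw code). The header parser is kept separate from the IDA calls so the bounds checks can be exercised outside IDA, and the `MemoryInput` class is a constructed stand-in for IDA's `linput_t`. The IDA calls (`ida_segment.add_segm`, `ida_loader.file2base`, `ida_entry.add_entry`, `ida_idp.set_processor_type`) and the dictionary returned by `accept_file` assume the IDAPython API of IDA 7.x or later.

```python
"""Added example: a minimal IDAPython loader for a hypothetical "TOY1" format.

A loader parses untrusted input, so every size and address read from the file
is validated before it is used to create segments or copy bytes into the
database."""
import struct
from dataclasses import dataclass

# Hypothetical format layout (invented for this example):
#   offset 0   4 bytes  magic         b"TOY1"
#   offset 4   4 bytes  load address  little-endian u32
#   offset 8   4 bytes  entry point   little-endian u32, absolute address
#   offset 12  4 bytes  code length   little-endian u32
#   offset 16  ...      code bytes
MAGIC = b"TOY1"
HEADER_FMT = "<4sIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16
MAX_EA = 0xFFFFFFFF                        # 32-bit address space assumed

try:  # these modules exist only inside IDA; the parser below does not need them
    import ida_entry, ida_idp, ida_loader, ida_segment
    IN_IDA = True
except ImportError:
    IN_IDA = False


@dataclass(frozen=True)
class ToyHeader:
    load_addr: int
    entry: int
    code_len: int


def parse_header(head, file_size):
    """Decode and validate a TOY1 header given the total file size."""
    if len(head) < HEADER_LEN:
        raise ValueError("file too short for a TOY1 header")
    magic, load_addr, entry, code_len = struct.unpack_from(HEADER_FMT, head, 0)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if code_len == 0 or HEADER_LEN + code_len > file_size:
        raise ValueError("code length exceeds file size")
    if load_addr + code_len - 1 > MAX_EA:
        raise ValueError("segment wraps around the address space")
    if not (load_addr <= entry < load_addr + code_len):
        raise ValueError("entry point lies outside the code segment")
    return ToyHeader(load_addr, entry, code_len)


def build_image(load_addr, entry, code):
    """Build a TOY1 image; used here only to construct sample input."""
    return struct.pack(HEADER_FMT, MAGIC, load_addr, entry, len(code)) + code


class MemoryInput:
    """Constructed stand-in for IDA's linput_t, offering the three methods
    the loader uses, so accept_file() can be run outside IDA."""

    def __init__(self, data):
        self._data, self._pos = data, 0

    def size(self):
        return len(self._data)

    def seek(self, pos):
        self._pos = pos

    def read(self, n):
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk


# --- IDA loader entry points (IDA calls these when a file is opened) ---

def accept_file(li, filename):
    """Return a format description if the file is a valid TOY1 image, else 0."""
    li.seek(0)
    try:
        parse_header(li.read(HEADER_LEN), li.size())
    except ValueError:
        return 0
    return {"format": "Toy container (TOY1)", "processor": "metapc"}


def load_file(li, neflags, fmt):
    """Create the code segment, copy the bytes in, register the entry point."""
    li.seek(0)
    hdr = parse_header(li.read(HEADER_LEN), li.size())
    start, end = hdr.load_addr, hdr.load_addr + hdr.code_len
    ida_idp.set_processor_type("metapc", ida_idp.SETPROC_LOADER)
    ida_segment.add_segm(0, start, end, "CODE", "CODE")
    # copy the code bytes from file offset HEADER_LEN into [start, end)
    ida_loader.file2base(li, HEADER_LEN, start, end, ida_loader.FILEREG_PATCHABLE)
    ida_entry.add_entry(hdr.entry, hdr.entry, "start", 1)
    return 1
```

Dropped into IDA's `loaders` directory, the script is offered as a loader only when `accept_file` succeeds; a truncated file, an entry point outside the declared segment, or a segment that wraps the address space is rejected before any database state is created.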

Software Assessment

Challenge

The inner workings of non-malicious software are sometimes worth investigating. Analysts need to have a clear understanding of the software used daily (operating systems, drivers, third-party applications, etc). Normally the internal details of commercial software are not documented, but there are legitimate reasons to examine them.

Approach

IDA supports all major architectures used in desktop, mobile, and embedded devices. It can be used to disassemble binaries with or without debug info. Using built-in features like FLIRT and Lumina, well-known or library functions can be identified. Third-party add-ons like BinDiff or Diaphora allow finding differences between binary versions to identify changes, fixes, or even backdoors.

Education

Challenge

Reverse-engineering requires a fair amount of experience, training, and even intuition. But without the right tool, even the most skilled reverse engineer will spend a considerable amount of time performing the most tedious tasks, or even fail to spot the crucial bits of information.

Approach

IDA Pro is the perfect tool to teach binary analysis: it is fast, powerful yet easy to use, supports most processors and file formats out of the box, and is even available under free educational licenses for institutions. It is not surprising, then, to find IDA Pro being used all over the world by universities, online and offline classes, trainings, and seminars alike.