The Interactive Disassembler (IDA) is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems. It can also be used as a debugger for Windows PE, Mac OS X Mach-O, and Linux ELF executables. A decompiler plug-in, which generates a high level, C source code-like representation of the analysed program, is available at extra cost.
IDA is used widely in software reverse engineering, including for malware analysis and software vulnerability research. IDA's decompiler is one of the most popular and widely used decompilation frameworks, and IDA has been called the "de-facto industry standard" for program disassembly and static binary analysis.
History
Ilfak Guilfanov began working on IDA in 1990, and initially distributed it as a shareware application. In 1996, the Belgian company DataRescue took over the development of IDA and began to sell it as a commercial product, under the name IDA Pro.
Initial versions of IDA did not have a graphical user interface (GUI), and ran as an extended DOS, OS/2, or Windows console application. In 1999, DataRescue released the first version of IDA Pro with a GUI, IDA Pro 4.0.
In 2005, Guilfanov founded Hex-Rays to pursue the development of the Hex-Rays Decompiler IDA extension. In January 2008, Hex-Rays assumed the development and support of DataRescue's IDA Pro.
In 2022, Hex-Rays was acquired by a group of investors led by Smartfin, a European venture capital and private equity investor. Co-investors in the acquisition included a Belgian public holding company and the Walloon public investment firm Regional Investment Company of Wallonia (SRIW).
Features
IDA disassembles a compiled program back into an assembly language representation. In addition to performing basic disassembly, IDA also automatically annotates disassembled programs with information about:
* cross-references between code and data in the program
* function locations, function stack frames, and function calling conventions
* reconstructed data types
However, the nature of disassembly precludes total accuracy, and a great deal of human intervention is necessarily required; IDA has interactive functionality to aid in improving the disassembly. A typical IDA user will begin with an automatically generated disassembly listing and then convert sections from code to data and vice versa, rename, annotate, and otherwise add information to the listing, until its functionality becomes clear.
Scripting
"IDC scripts" make it possible to extend the operation of the disassembler. Some helpful scripts are provided, which can serve as the basis for user-written scripts. Most frequently, scripts are used for additional modification of the generated listing. For example, external symbol tables can be loaded so that the listing uses the function names of the original source code.
Users have created plugins that allow other common scripting languages to be used instead of, or in addition to, IDC. IdaRUB supports Ruby and IDAPython adds support for Python. As of version 5.4, IDAPython (dependent on Python 2.5) comes preinstalled with IDA Pro.
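As an added example (not from the article and not one of Hex-Rays' own scripts), the following IDAPython script does what the paragraph describes: it parses an external symbol table and applies the original function names to the database, while refusing to overwrite names that were not auto-generated. The nm-style input format, the sample symbol lines and the collision policy are assumptions made here; the idc.set_name / idc.get_name calls are assumed to be available when the script runs inside IDA, and outside IDA the same logic runs against a simulated database.

```python
"""Load an external symbol table into an IDA database via IDAPython.

Added example, not part of the original article or of Hex-Rays' own
scripts. The symbol-table format (one "address type name" line per
symbol, as printed by `nm -n`) and the sample lines below are
constructed for illustration; the IDAPython calls idc.set_name and
idc.get_name are assumed to exist when run inside IDA.
"""
import re

# Constructed sample: address, nm symbol type, name. Undefined ('U')
# entries carry no address and are skipped by the parser.
SAMPLE_SYMBOLS = """\
0000000000401000 T main
0000000000401040 T parse_header
0000000000401100 t helper_static
0000000000404000 D g_config
                 U printf
"""

# nm prints code symbols as T/t and data as D/d/B/b/R/r; accept those.
_LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+([TtDdBbRr])\s+(\S+)\s*$")

# Prefixes IDA uses for names it generated itself; these are safe to replace.
_AUTO_NAME_RE = re.compile(r"^(sub|loc|unk|byte|word|dword|qword|off)_")


def parse_symbol_table(text):
    """Return {address: name} for every defined symbol in nm-style text."""
    symbols = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # undefined symbols or malformed lines have no address
        symbols[int(m.group(1), 16)] = m.group(3)
    return symbols


def sanitize_name(name):
    """IDA rejects characters outside [A-Za-z0-9_]; map them to '_'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)


def apply_names(symbols, set_name, existing_name):
    """Apply names through injected callbacks so the logic runs outside IDA.

    set_name(ea, name) -> bool and existing_name(ea) -> str mirror
    idc.set_name and idc.get_name. Returns (renamed, skipped) counts.
    Names that were not auto-generated (e.g. imported from debug info
    or typed in by the analyst) are never overwritten.
    """
    renamed = skipped = 0
    for ea in sorted(symbols):
        current = existing_name(ea)
        if current and not _AUTO_NAME_RE.match(current):
            skipped += 1
            continue
        if set_name(ea, sanitize_name(symbols[ea])):
            renamed += 1
        else:
            skipped += 1
    return renamed, skipped


def main():
    symbols = parse_symbol_table(SAMPLE_SYMBOLS)
    try:
        import idc  # only importable inside IDA (assumed API, see docstring)

        def set_name(ea, name):
            return bool(idc.set_name(ea, name, idc.SN_CHECK | idc.SN_NOWARN))

        def existing(ea):
            return idc.get_name(ea) or ""
    except ImportError:
        # Outside IDA: simulate a database where analysis auto-named everything.
        db = {}

        def set_name(ea, name):
            db[ea] = name
            return True

        def existing(ea):
            return db.get(ea, "sub_%X" % ea)
    print("renamed/skipped:", apply_names(symbols, set_name, existing))


if __name__ == "__main__":
    main()
```

Inside IDA the script is run from File > Script file; outside IDA it exercises the same parsing and policy against an in-memory stand-in, which is how a practitioner can unit-test a renaming script before pointing it at a real database.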
Debugging
IDA Pro supports a number of debuggers, including:
* Remote Windows, Linux, and Mac applications (provided by Hex-Rays) allow running an executable in its native environment (presumably using a virtual machine for malware)
* GNU Debugger (gdb) is supported on Linux and OS X, as well as the native Windows debugger
* A Bochs plugin is provided for debugging simple applications (i.e., damaged UPX or mpress compacted executables)
* An Intel PIN-based debugger
* A trace replayer
Versions
The latest full version of IDA Pro is available via paid annual subscription (version 9.0sp1 as of December 2024), while a less capable version (limited to x86), named IDA Free, is available for download free of cost.
Supported systems/processors/compilers
* System hosts
** Windows x86 and ARM
** Linux x86
** x86
* Recognized executable file formats
** COFF and derivatives, including Win32/64/generic PE
** ELF and derivatives (generic)
** Mach-O (Mach)
** NLM (NetWare)
** LC/LE/LX (OS/2 2.x+ and various DOS extenders)
** NE (OS/2 1.x, Win16, and various DOS extenders)
** MZ (MS-DOS)
** OMF and derivatives (generic)
** AIM (generic)
** raw binary, such as a ROM image or a COM file
* Instruction sets
** Intel 80x86 family
** ARM architecture
** Motorola 68k and H8
** Zilog Z80
** MOS 6502
** Intel i860
** DEC Alpha
** Analog Devices ADSP218x
** Angstrem KR1878
** Atmel AVR series
** DEC series PDP11
** Fujitsu F2MC16L/F2MC16LX
** Fujitsu FR 32-bit Family
** Hitachi SH3/SH3B/SH4/SH4B
** Hitachi H8: h8300/h8300a/h8s300/h8500
** Intel 196 series: 80196/80196NP
** Intel 51 series: 8051/80251b/80251s/80930b/80930s
** Intel i960 series
** Intel Itanium (ia64) series
** Java virtual machine
** MIPS: mipsb/mipsl/mipsr/mipsrl/r5900b/r5900l
** Microchip PIC: PIC12Cxx/PIC16Cxx/PIC18Cxx
** MSIL
** Mitsubishi 7700 Family: m7700/m7750
** Mitsubishi m32/m32rx
** Mitsubishi m740
** Mitsubishi m7900
** Motorola DSP 5600x Family: dsp561xx/dsp5663xx/dsp566xx/dsp56k
** Motorola ColdFire
** Motorola HCS12
** NEC 78K0/78K0S
** PA-RISC
** PowerPC
** Xenon PowerPC Family
** SGS-Thomson ST20/ST20c4/ST7
** SPARC Family
** Samsung SAM8
** Siemens C166
** TMS320Cxxx series
* Compiler/libraries (for automatic library function recognition)
** Borland C++ 5.x for DOS/Windows
** Borland C++ 3.1
** Borland C Builder v4 for DOS/Windows
** GNU C++ for Cygwin
** Microsoft C
** Microsoft QuickC
** Microsoft Visual C++
** Watcom C/C++ (16/32 bit) for DOS/OS2
** ARM C v1.2
** GNU C++ for Unix/common
Logo
IDA Pro's logo is a cropped image of Françoise d'Aubigné, Marquise de Maintenon. The logo image is similar to a miniature painting of Françoise d'Aubigné attributed to a painter in the circle of Pierre Mignard.
The original greyscale version of the logo was introduced in September 1999, with the release of IDA 4.0.
Ilfak Guilfanov has stated that the logo is not a depiction of Saint Ida of Louvain.
See also
* Binary Ninja
* Cheat Engine
* Ghidra
* JEB
* Radare2
External links
* IDA plug-ins and scripts, Open Reverse Code Engineering (OpenRCE): http://www.openrce.org