Last changed: 28.07.2020
IDA Pro basics
Here you can find some of the most useful commands and shortcuts for IDA Pro.
navigation
g goto symbol/location
Enter step into selected location
ESC go back
Ctrl+Enter go forward
Numpad-/+ enter/leave proximity view
Ctrl+x/j show xrefs to/from
Ctrl+l search by label/namesearching
Alt+i search immediate value
Ctrl+i next immediate value
Alt+t search text
Ctrl+t next text
Alt+b search bytes (use '?' for wildcards)
Ctrl+b next bytesstrings
Shift+F12 show stringsRight click and open Setup... do choose which string types should be searched
for.
renaming
functions
n rename function/variable/argument
y edit function signature
p define function
e set function end
Alt+p change function characteristics (e.g. noreturn)data interpretation
h, q, r display operand as decimal/hex/string
_ toggle signed/unsigned
o interpret operand as data/memory location
c, a, t interpret as code/ascii string/struct
Alt+a select string style (e.g. 'unicode')
d interpret as raw data/data carousel
* create array
u undefinecomments
: local comment
; repeatable commentgraph view
w zoom to fit window
1 zoom to 100%grouping nodes
Hold Ctrl to select multiple nodes in graph view. Then use the context menu
to group them. Afterwards you can hide/collapse all groups from the context
menu to improve readability.
display settings
To temporarily change the configuration the menu inside IDA Pro can be used.
Options->General
Line prefixes
Number of Opcode bytes 8
Instruction Intendation 10Global settings can be changed in the config files IDA.CFG, IDATUI.CFG or
IDAGUI.CFG.
IDA.CFG
OPCODE_BYTES = 8
GRAPH_SHOW_LINEPREFIXES = YESIDAGUI.CFG
Depending on your filename policy it could be helpful to set the default file filter to all file types.
DEFAULT_FILE_FILTER = { ALL KNOWN IDB EXE DLL DRV OBJLIB JAVA NET DRV_NETWARE GEOS EXE_FLEX EXE_RT11 ARM EPOC SPSX EXE_PALM EXE_XBOX EXE_N64 EXE_SDC HEX MAS SBN RAW_BIN ROM_BIN DUMP_BIN }finding call paths with proximity view
In proximity view you can try to find a path between different functions.
Use the context menus to Collapse children, Collapse parents and
Add node by name to reduce the view to the functions you are interested in.
Then use Find path and Paths -> Func_A => Func_B -> Details to show a
list.
debug dll export with ida
Select the Windows Debugger in IDAs drop-down menu. Then configure the
Debugger -> Process options... as follows
| Application | C:\Windows\System\rundll32.exe (or SysWOW64 resp.) |
| Input File | <dll> |
| Directory | <directory> |
| Parameters | <dll>,<export> |
ida python
You can find information about the python API in the hex rays documentation or the source code on github.
IDA Pro supports both Python2 and Python3. To switch the language version
create an empty file called use_python2.
echo '' > 'C:\Program Files\IDA Pro 7.5\python\use_python2'
del 'C:\Program Files\IDA Pro 7.5\python\use_python2'debugging with ida
remote gdb debugger
gdbserver --once 0.0.0.0:23946 ./my_app < <(echo -e "input\n")Select Remote GDB debugger in IDA Pro and set the correct ip address in
Debugger -> Process options...
Alternatively there are some debugging server binaries in the dbgsrv folder
of IDA Pro.
export database to x64dbg
The plugin x64dbgida can be used to convert the ida database into a database for x64dbg.
In x64dbg you can use File -> Import database to load the database.
binary diffing
bindiff
The bindiff plugin can be downloaded from
zynamics.com. Make sure to give it
the correct IDA Pro installation path during installation.
To run it press Ctrl + 6 and select the IDA database to diff against. In the
new Matched Functions tab you can select View flow graphs from the context
menu for a graphical view.
diaphora
A free alternative is diaphora.
Just run the diaphora.py from a file you want to diff and create a sqlite
database from it. Then run the script again from the other file to diff and
select that database.
To show differences select the function you are interested in in the Partial matches tab and select Diff assembly from the context menu.