|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 28.07.2020

IDA Pro basics


Here you can find some of the most useful commands and shortcuts for IDA Pro.

navigation


g           goto symbol/location
Enter       step into selected location
ESC         go back
Ctrl+Enter  go forward
Numpad-/+   enter/leave proximity view
Ctrl+x/j    show xrefs to/from
Ctrl+l      search by label/name

searching


Alt+i       search immediate value
Ctrl+i      next immediate value
Alt+t       search text
Ctrl+t      next text
Alt+b       search bytes (use '?' for wildcards)
Ctrl+b      next bytes

strings


Shift+F12   show strings

Right click and open Setup... do choose which string types should be searched for.

renaming


functions

n           rename function/variable/argument
y           edit function signature
p           define function
e           set function end
Alt+p       change function characteristics (e.g. noreturn)

data interpretation

h, q, r     display operand as decimal/hex/string
_           toggle signed/unsigned
o           interpret operand as data/memory location
c, a, t     interpret as code/ascii string/struct
Alt+a       select string style (e.g. 'unicode')
d           interpret as raw data/data carousel
*           create array
u           undefine

comments

:           local comment
;           repeatable comment

graph view


w           zoom to fit window
1           zoom to 100%

grouping nodes

Hold Ctrl to select multiple nodes in graph view. Then use the context menu to group them. Afterwards you can hide/collapse all groups from the context menu to improve readability.

display settings


To temporarily change the configuration the menu inside IDA Pro can be used.

Options->General 
    Line prefixes
    Number of Opcode bytes 8
    Instruction Intendation 10

Global settings can be changed in the config files IDA.CFG, IDATUI.CFG or IDAGUI.CFG.

IDA.CFG

OPCODE_BYTES            = 8
GRAPH_SHOW_LINEPREFIXES     = YES

IDAGUI.CFG

Depending on your filename policy it could be helpful to set the default file filter to all file types.

DEFAULT_FILE_FILTER = { ALL KNOWN IDB EXE DLL DRV OBJLIB JAVA NET DRV_NETWARE GEOS EXE_FLEX EXE_RT11 ARM EPOC SPSX EXE_PALM EXE_XBOX EXE_N64 EXE_SDC HEX MAS SBN RAW_BIN ROM_BIN DUMP_BIN }

finding call paths with proximity view


In proximity view you can try to find a path between different functions. Use the context menus to Collapse children, Collapse parents and Add node by name to reduce the view to the functions you are interested in. Then use Find path and Paths -> Func_A => Func_B -> Details to show a list.

debug dll export with ida


Select the Windows Debugger in IDAs drop-down menu. Then configure the Debugger -> Process options... as follows

Application C:\Windows\System\rundll32.exe (or SysWOW64 resp.)
Input File <dll>
Directory <directory>
Parameters <dll>,<export>

ida python


You can find information about the python API in the hex rays documentation or the source code on github.

IDA Pro supports both Python2 and Python3. To switch the language version create an empty file called use_python2.

echo '' >  'C:\Program Files\IDA Pro 7.5\python\use_python2'
del 'C:\Program Files\IDA Pro 7.5\python\use_python2'

debugging with ida


remote gdb debugger

gdbserver --once 0.0.0.0:23946 ./my_app < <(echo -e "input\n")

Select Remote GDB debugger in IDA Pro and set the correct ip address in Debugger -> Process options...

Alternatively there are some debugging server binaries in the dbgsrv folder of IDA Pro.

binary diffing


bindiff

The bindiff plugin can be downloaded from zynamics.com. Make sure to give it the correct IDA Pro installation path during installation.

To run it press Ctrl + 6 and select the IDA database to diff against. In the new Matched Functions tab you can select View flow graphs from the context menu for a graphical view.

diaphora

A free alternative is diaphora. Just run the diaphora.py from a file you want to diff and create a sqlite database from it. Then run the script again from the other file to diff and select that database.

To show differences select the function you are interested in in the Partial matches tab and select Diff assembly from the context menu.