One of the most wonderful instruments I ever used is IDA – interactive disassembler. If your job is connected with reversing, then IDA is a “must have” instrument.
It really helps saving a lot of time when there is a need to understand the logics implemented in 3rd party code. Since you don’t have the source code, the only thing in this case you can do is to use “debugger + disassembler” pair to clear things …
This also is a way for me to analyze different problematic situations that I meet during my work and my free time. A lot of questions from newsgroups tend me to start disassembling different windows components. I used to do that with wininet.dll, advapi32.dll, kernel.dll, ntdll.dll, ntoskrnl.exe and other modules.
There is a brilliant set of features in IDA which I really like:
– Graph representation
When you disassemble the binary, IDA forms a logical graph that can be viewed and easily navigated. Here is what I see in disassembly of my ntoskrnl.exe:
You can easily navigate through the nodes of graph, analyze the code of procedures and the interconnection between the different nodes. However, there is another possibility to view the graph. It allows you to see the nodes in a bit different manner, stretch them, etc:
– Comments and names for procedures
You can put your comments right in the disassembly. It helps in cases when you analyze a huge piece of code. You just put your comments in the code and next time you look at it everything becomes clear.
Also, you can rename procedures. IDA generates names for subroutines in the following way:
INIT:006166F5 E8 BB 9E FF FF call sub_6105B5
Clicking on the procedure name and choosing “rename” option allows renaming ‘sub_6105B5’ into whatever you want.
You can see the references to objects. A typical example: you have a procedure named ‘A’ and you want to see the code that invokes A. So, in A you see the XREFs string, which allows you to go to the place where A is invoked. Here is the screenshot:
As you can see, if you hover the ‘CODE XREF: start+59’ string the window appears that shows you code that invokes A.
IDA searches for occurrence of strings in module and form the table of strings. It allows to search the string declaration and the XREF’s to strings … Thus you can easily locate code which uses the strings.
You can search for specific byte, range of bytes.
– Flexibility and extensibility
IDA supports plugins. So you can easily create your own plugin that unpacks ‘on fly’ encrypted binary for example. A big amount of features of IDA is implemented as plugns. For example, graph view plugin, symbols plugin, etc.
There is so called IDA SDK – a set of instruments which allows developing extensions for IDA.
This list can be continued, because I listed only a few features of IDA …
The most interesting is that IDA was written by Russian (!) student (!) of Moscow State University – Ilfak Guilfanov. Here is an interview with him (in russian): http://www.fcenter.ru/online.shtml?articles/software/interview/6704
I can only thank him for such a great tool!