CY 411 Reverse Software Engineering
Interactive Disassembler
The IDA Pro
Dr. Qasem Abu Al-Haija
Department of Cybersecurity
Faculty of Computer & Information Technology
Jordan University of Science and Technology
1 Dr. Qasem Abu Al-Haija Reverse Engineering
IDA Pro Introduction
• The Interactive Disassembler (IDA), by Hex-Rays.
– Free edition: https://hex-rays.com/ida-free/#download
• Extremely powerful disassembler (and, with the Hex-Rays add-on, decompiler).
• The disassembler of choice for:
– Malware analysts,
– Reverse engineers, and
– Vulnerability analysts.
IDA Pro Introduction
• Supports many executable file formats: Windows PE, Executable and
Linkable Format (ELF), Mach-O, raw binaries, and others.
• Disassembles an entire program and performs several analysis tasks,
such as:
– Function discovery, stack analysis, local-variable and parameter
identification, cross-referencing, library-code recognition (FLIRT), etc.
• Open-source alternatives: radare2, Ghidra.
IDA Pro Versions
• Two editions of IDA are available:
– The commercial, full-featured IDA Pro and the free IDA Free (an old,
stripped-down free release, version 5.0, is still found on the web).
– Both disassemble x86; the commercial version adds x64 and many other
processors, including the ARM cores used in cell phones and embedded
devices. (Recent IDA Free releases handle x64 as well.)
– Both ship with FLIRT signatures for common library code.
– FLIRT: Fast Library Identification and Recognition Technology.
– FLIRT matches the bytes of a disassembled function against signatures of
known library functions and labels it, so that library and compiler-supplied
code (the C runtime, for example) can be recognized and skipped during analysis.
Loading an Executable
• When you load an executable into IDA Pro:
– IDA Pro tries to recognize the file's format and processor architecture
from the file header.
– For example (Figure), the file is recognized as having the PE format
with Intel x86 architecture.
Loading an Executable
• When loading a file into IDA Pro (such as a PE file), the program maps
the file's sections into memory at their virtual addresses, as if the
operating system loader had loaded it; the addresses you see therefore
match what a debugger would show.
• To have IDA Pro disassemble the file as a raw binary (e.g. shellcode or a
firmware dump with no header), choose the Binary File option in the top box.
– In that case IDA knows neither the processor nor the load address, so you
must choose them yourself.
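The format and processor recognition described above, written out as an added example (not code from the slides or from IDA): it reads the DOS/PE headers and the ELF identification block the way IDA's loaders do, and falls back to "binary" when no loader matches. The sample headers are constructed by make_pe() and make_elf() and are not real programs; the machine-type tables are the documented winnt.h and elf.h values.

```python
"""Recognise a file's container format and CPU from its header, as IDA's
loader does when you open an executable. Added example, not IDA's own code:
the sample headers are constructed in make_pe()/make_elf() and are not real
programs."""
import struct

# IMAGE_FILE_HEADER.Machine (winnt.h) and ELF e_machine (elf.h) values
PE_MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}
ELF_MACHINES = {0x03: "x86", 0x3E: "x64", 0x28: "ARM", 0xB7: "ARM64"}
UNKNOWN = {"format": "binary", "arch": None, "bits": None, "endian": None}


def identify(data: bytes) -> dict:
    """Return format/arch/bits/endian, or 'binary' when no loader matches
    (IDA then offers the Binary File option and asks for the processor)."""
    # --- PE: 'MZ' stub, e_lfanew at 0x3C, then 'PE\0\0' + IMAGE_FILE_HEADER
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        # e_lfanew must point inside the file; a plain DOS .exe has no PE header
        if e_lfanew + 26 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]  # 0x10B PE32, 0x20B PE32+
            return {"format": "PE", "arch": PE_MACHINES.get(machine, hex(machine)),
                    "bits": 64 if opt_magic == 0x20B else 32, "endian": "little"}
        return {"format": "MZ", "arch": "x86", "bits": 16, "endian": "little"}
    # --- ELF: magic, EI_CLASS (1=32-bit, 2=64-bit), EI_DATA (1=LE, 2=BE), e_machine at 0x12
    if data[:4] == b"\x7fELF" and len(data) >= 0x14:
        fmt = "<H" if data[5] == 1 else ">H"
        machine = struct.unpack_from(fmt, data, 0x12)[0]
        return {"format": "ELF", "arch": ELF_MACHINES.get(machine, hex(machine)),
                "bits": 64 if data[4] == 2 else 32,
                "endian": "little" if data[5] == 1 else "big"}
    return dict(UNKNOWN)


def make_pe(machine: int, opt_magic: int) -> bytes:
    """Constructed minimal PE header: DOS stub, PE signature, file header, optional-header magic."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                            # e_lfanew
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x102)   # IMAGE_FILE_HEADER
    hdr += struct.pack("<H", opt_magic)
    return bytes(hdr)


def make_elf(ei_class: int, ei_data: int, machine: int) -> bytes:
    """Constructed minimal ELF identification block plus e_machine."""
    hdr = bytearray(0x40)
    hdr[:4] = b"\x7fELF"
    hdr[4], hdr[5], hdr[6] = ei_class, ei_data, 1                      # class, data, version
    struct.pack_into("<H" if ei_data == 1 else ">H", hdr, 0x12, machine)
    return bytes(hdr)


SAMPLES = {
    "pe_x86":    make_pe(0x014C, 0x10B),
    "pe_x64":    make_pe(0x8664, 0x20B),
    "elf_arm64": make_elf(2, 1, 0xB7),
    "elf_x86":   make_elf(1, 1, 0x03),
    "shellcode": bytes.fromhex("31c050682f2f7368682f62696e89e3"),   # raw x86 bytes, no header
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:10s} -> {identify(blob)}")
```

The e_lfanew bounds check matters in practice: a malformed or truncated header that points past the end of the file is a common reason a sample "loads as binary" instead of as PE.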
IDA Pro - Interface
• Graph and Text mode
• Spacebar switches between them
Graph Mode Interface
• Provides a control-flow graph of the current function to help you
understand how the program works: each box is a basic block, each arrow a
possible transfer of control.
• In graph mode, IDA Pro hides certain information by default, such as line
prefixes (addresses) and opcode bytes (the raw machine-code bytes of each
instruction).
– To show them, select Options → General, then tick Line prefixes and set
Number of opcode bytes to 6.
Default Graph Mode Display
Options, General
Better Graph Mode Display
Graph Mode: Notes
• The color and direction of the arrows help show
the program’s flow during analysis.
• The arrow’s color tells you whether the path is
based on a particular decision having been made:
– red if a conditional jump is not taken,
– green if the jump is taken, and
– blue for an unconditional jump.
• The arrow direction shows the program’s flow;
– upward arrows typically denote a loop situation.
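The graph-mode rules above (basic blocks, arrow colours, upward arrows for loops) as an added example, not code from the slides or from IDA: it splits a constructed x86 listing into basic blocks, labels each edge green (conditional jump taken), red (not taken) or blue (unconditional flow), and finds the back edges that IDA draws as upward arrows. The listing, its addresses and the instruction sizes are constructed for the example.

```python
"""Build the control-flow graph that IDA's graph view draws for one function
and colour its edges the way the arrows are coloured: green = conditional
jump taken, red = conditional jump not taken, blue = unconditional flow.
Back edges (the upward arrows) mark loops. Added example, not IDA code; the
listing below is a constructed x86 snippet, not IDA output."""

# (ea, size, mnemonic, branch target) for a small counted loop
LISTING = [
    (0x401000, 2, "xor",  None),       # xor  ecx, ecx
    (0x401002, 3, "cmp",  None),       # cmp  ecx, 0Ah         <- loop head
    (0x401005, 2, "jge",  0x40100F),   # jge  short exit
    (0x401007, 5, "call", 0x401020),   # call sub_401020      (not a CFG edge)
    (0x40100C, 1, "inc",  None),       # inc  ecx
    (0x40100D, 2, "jmp",  0x401002),   # jmp  short loop head  <- back edge
    (0x40100F, 1, "ret",  None),       # exit
]

COND_JUMPS = {"ja", "jae", "jb", "jbe", "jc", "je", "jg", "jge", "jl", "jle",
              "jna", "jnae", "jnb", "jnbe", "jnc", "jne", "jng", "jnge", "jnl",
              "jnle", "jno", "jnp", "jns", "jnz", "jo", "jp", "js", "jz",
              "jcxz", "jecxz", "loop", "loope", "loopne"}
RETURNS = {"ret", "retn", "retf"}


def build_cfg(listing):
    """Return (block_starts, edges); edges are (src_block, dst_block, colour)."""
    insns = sorted(listing)
    valid = {ea for ea, _, _, _ in insns}
    # Leaders: the entry, every jump target, and every instruction after a jump/ret
    leaders = {insns[0][0]}
    for ea, size, mnem, target in insns:
        if mnem in COND_JUMPS or mnem == "jmp":
            leaders.update({target, ea + size})
        elif mnem in RETURNS:
            leaders.add(ea + size)
    leaders &= valid                        # an address past the end is no block
    blocks = sorted(leaders)

    def block_of(ea):
        return max(b for b in blocks if b <= ea)

    edges = []
    for i, (ea, size, mnem, target) in enumerate(insns):
        nxt = ea + size
        if nxt not in leaders and i != len(insns) - 1:
            continue                        # not the last instruction of its block
        src = block_of(ea)
        if mnem in COND_JUMPS:
            edges.append((src, target, "green"))            # jump taken
            if nxt in leaders:
                edges.append((src, nxt, "red"))             # jump not taken
        elif mnem == "jmp":
            edges.append((src, target, "blue"))             # unconditional
        elif mnem not in RETURNS and nxt in leaders:
            edges.append((src, nxt, "blue"))                # plain fall-through
    return blocks, edges


def loop_edges(blocks, edges):
    """Back edges found by DFS from the entry block: the upward arrows that
    flag a loop in graph mode. A back edge's target is the loop head."""
    succ = {b: [] for b in blocks}
    for src, dst, _ in edges:
        succ[src].append(dst)
    back, state = [], {}                    # state: 1 = on DFS stack, 2 = done

    def dfs(b):
        state[b] = 1
        for d in succ[b]:
            if state.get(d) == 1:
                back.append((b, d))
            elif d not in state:
                dfs(d)
        state[b] = 2

    dfs(blocks[0])
    return back


if __name__ == "__main__":
    blocks, edges = build_cfg(LISTING)
    for src, dst, colour in edges:
        print(f"{src:#x} -> {dst:#x}  {colour}")
    for src, dst in loop_edges(blocks, edges):
        print(f"loop: {src:#x} jumps back to {dst:#x}")
```

Note that the call at 0x401007 produces no edge: a call is a cross-reference to another function, not a transfer within this function's graph, which is why IDA draws it as a plain instruction inside the block.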
Arrow Color Example
Highlighting
• Clicking a register, variable, or name highlights every other occurrence
of it in the current view (graph or text mode), which makes it easy to
follow a value through a function
Text Mode Interface
• Text Mode – the traditional view
– Use it to view data regions of a binary
Text Mode: Notes
• The left portion of the text-mode display is known as the arrows window
and shows the program's nonlinear flow:
– Solid lines mark unconditional jumps
– Dashed lines mark conditional jumps
– Arrows facing up indicate a loop
• Comments begin with a semicolon. IDA Pro adds some automatically, such as
the CODE XREF / DATA XREF comments; enabling Auto comments under
Options → General adds a short description of every instruction.
Options, General
Adds Comments to Each Instruction
Useful Windows for Analysis
Functions window
• Shows every function with its start address, segment, length, and flags.
• The most useful flag is L: a library function (recognized by FLIRT).
• The L flag saves time during analysis because you can identify and skip
these compiler- or runtime-supplied functions; the author's own code is in
the functions without it.
• The list is sortable: sorting by length points to the largest functions,
which usually hold the most important logic.
Names window
• Lists every address with a name, including:
– Functions, named code, named data, and strings.
Strings window
• Shows all strings IDA has identified.
– Default: shows only ASCII (C) strings of at least five characters.
– You can change this by right-clicking in the Strings window ➔ Setup,
where you can lower the minimum length and enable Unicode (UTF-16)
strings, which Windows binaries use heavily.
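What the Strings window does, as an added example (not IDA's code): scan a buffer for runs of printable characters with a minimum length, ASCII by default and UTF-16 as the option the Setup dialog exposes. The SAMPLE buffer is constructed for the example and mixes code bytes, C strings, a UTF-16 string and binary noise so that the length threshold and the encoding switch both matter.

```python
"""A minimal version of what IDA's Strings window does: scan a byte buffer
for runs of printable characters. Added example, not IDA code; SAMPLE is a
constructed buffer. IDA's default is C (ASCII) strings of at least 5
characters; the Setup dialog also lets you enable UTF-16 strings, which
Windows binaries use heavily, so that is implemented as an option."""
import string

# Printable ASCII minus control whitespace: what IDA's default string types accept
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def find_strings(data: bytes, min_len: int = 5, utf16: bool = False):
    """Return sorted (offset, encoding, text) for every run >= min_len characters."""
    found = []
    start = None
    for i, b in enumerate(data + b"\0"):          # sentinel flushes a trailing run
        if b in PRINTABLE:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                found.append((start, "ascii", data[start:i].decode("ascii")))
            start = None
    if utf16:                                      # ASCII char, NUL, ASCII char, NUL, ...
        i = 0
        while i + 1 < len(data):
            if data[i] in PRINTABLE and data[i + 1] == 0:
                j = i
                while j + 1 < len(data) and data[j] in PRINTABLE and data[j + 1] == 0:
                    j += 2
                if (j - i) // 2 >= min_len:
                    found.append((i, "utf16", data[i:j].decode("utf-16-le")))
                i = j
            else:
                i += 1
    return sorted(found)


# Constructed sample: a few code bytes, C strings, a UTF-16 string and binary noise
SAMPLE = (
    b"\x55\x8b\xec"                                   # push ebp; mov ebp, esp
    + b"<Hostname> <Port>\0"                          # C string at offset 3
    + b"\x90\x90" + b"cmd\0"                          # 'cmd' is too short for the default
    + b"\x00\x01" + b"ws2_32.dll\0" + b"\x90"         # C string at offset 29
    + "Software\\Run".encode("utf-16-le") + b"\0\0"   # UTF-16 string at offset 41
    + b"\xff\xfe" + b"127.0.0.1\0"                    # C string at offset 69
)

if __name__ == "__main__":
    for off, enc, text in find_strings(SAMPLE, utf16=True):
        print(f"{off:#06x}  {enc:5s}  {text!r}")
```

Lowering the minimum length to 3 makes "cmd" appear, at the price of many false hits in real binaries; that trade-off is exactly what the Setup dialog's minimum-length field controls.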
Imports & Exports
• Imports window
– Lists every function the file imports, grouped by library.
– Most useful when analyzing an EXE: the imported APIs (network, file,
registry, process) give a first idea of what the program can do.
• Exports window
– Lists every function the file exports.
– Most useful when analyzing a DLL.
Structures window
• Lists the layout of all active data structures.
• Hover to see a yellow pop-up window
Function Call
• In 32-bit code (cdecl/stdcall), parameters are pushed onto the stack,
right to left, immediately before the CALL
• CALL pushes the return address and transfers control to the function
• On x64 the first four (Windows) or six (Linux) arguments travel in
registers instead, so look at the mov instructions before the CALL rather
than at push instructions
Returning to the Default View
• Windows → Reset Desktop
– Restores GUI elements to their defaults
• Windows → Save Desktop
– Saves the current layout as a new view
IDA Pro - Navigation
Imports or Strings
• Double-click any entry to display it in the
disassembly window
Using Links
• Double-click any address in the disassembly
window to display that location
Using Links
• The Forward and Back buttons work like a Web browser's
Cross-References and Links
• Links are function names, locations, and offsets
• Double-clicking a link jumps to it; selecting a name and pressing [x]
lists everywhere that name is referenced, so you can jump around from
there
Common types of links
• Sub (subroutine) links point to the start of functions, such as printf
and sub_4010A0.
• Loc (location) links point to jump destinations, such as loc_40107E and
loc_401097.
• Offset links point to an address in memory, typically data such as a
string (e.g. offset aHostnamePort).
Navigation Band
• Color-coded linear view of the loaded binary's address space
– Light blue is library code (recognized by FLIRT signatures)
– Red is compiler-generated code
– Dark blue is user-written code
– Pink is for imports
– Gray is for defined data
– Brown is for undefined data
• Focus your analysis on the dark-blue region: that is the author's own
code, while library and compiler-generated code can usually be skipped.
Navigation Band
Jump to Location
• The [g] key lets you jump to a specific
address or named location
– ex. sub_401730 or printf
Searching
• You can also use the Search menu:
– Search → Next Code (Alt+C): next location containing an instruction
– Search → Text (Alt+T): search the disassembly text, e.g. for a name or
a comment
– Search → Sequence of Bytes (Alt+B): search for raw bytes, with ?? as a
wildcard for any byte
– Ctrl+T / Ctrl+B repeat the last text / byte search
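An added example (not IDA code) of the byte-sequence search with ?? wildcards, which also illustrates why FLIRT signatures (IDA Pro Versions, above) must mask bytes: the two constructed functions in CODE are identical except for their call displacements, and only a pattern with wildcards matches both. CODE and SIGNATURES are constructed for the example; the pattern syntax is the one IDA's dialog accepts.

```python
"""Byte-sequence search with wildcards, as accepted by IDA's Search > Sequence
of bytes ("E8 ?? ?? ?? ?? 85 C0"). The same masking is what a FLIRT signature
needs: bytes the linker patches (relocated addresses, call displacements)
differ from one binary to the next, so a library-function signature has to
treat them as wildcards. Added example, not IDA code; CODE and SIGNATURES are
constructed."""


def parse_pattern(text: str):
    """'55 8B EC E8 ?? ?? ?? ??' -> [0x55, 0x8B, 0xEC, 0xE8, None, None, None, None]."""
    return [None if tok in ("??", "?") else int(tok, 16) for tok in text.split()]


def find_all(buf: bytes, pattern) -> list:
    """Offsets of every match of pattern in buf; None matches any byte."""
    n = len(pattern)
    return [i for i in range(len(buf) - n + 1)
            if all(p is None or buf[i + k] == p for k, p in enumerate(pattern))]


def label_matches(buf: bytes, signatures: dict) -> dict:
    """FLIRT-style labelling: {offset: signature_name} for every signature hit."""
    labels = {}
    for name, text in signatures.items():
        for off in find_all(buf, parse_pattern(text)):
            labels.setdefault(off, name)
    return dict(sorted(labels.items()))


# Two constructed x86 functions back to back. Their call rel32 operands
# differ, which is exactly what the wildcards must absorb.
CODE = bytes.fromhex(
    "55 8B EC"            # 0x00  push ebp; mov ebp, esp
    "E8 10 00 00 00"      # 0x03  call +0x10
    "85 C0"               # 0x08  test eax, eax
    "33 C0"               # 0x0A  xor eax, eax
    "5D C3"               # 0x0C  pop ebp; ret
    "CC CC"               # 0x0E  int3 padding
    "55 8B EC"            # 0x10  push ebp; mov ebp, esp
    "E8 F3 FF FF FF"      # 0x13  call -0x0D
    "85 C0"               # 0x18  test eax, eax
    "5D C3"               # 0x1A  pop ebp; ret
)

SIGNATURES = {
    "prologue_call_test": "55 8B EC E8 ?? ?? ?? ?? 85 C0",   # matches both copies
    "first_call_exact":   "E8 10 00 00 00",                  # matches only the first
}

if __name__ == "__main__":
    for off, name in label_matches(CODE, SIGNATURES).items():
        print(f"{off:#06x}  {name}")
```

Real FLIRT signatures add a CRC over the bytes after the masked prefix and a set of referenced names to tell apart functions that share a prologue, but the wildcard match is the core of the idea.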
Using Cross-References
Using Cross-References (xref)
• xref in IDA Pro can tell you
– where a function is called or
– where a string is used.
• If you identify a useful function and want to
know the parameters with which it is called,
– you can use xref to navigate quickly to the location
where the parameters are placed on the stack.
– Interesting graphs can also be generated based on
xref, which are helpful for performing analysis.
Code Cross-References
• The XREF comment next to a function shows where it is called from
• By default the comment lists only the first couple of references (the
number is set under Options → General → Cross-references)
• To see them all, click the function name and press X
Code Cross-References
• A code XREF at ① tells us that this function (sub_401000) is called from
inside the main function, 3 bytes into it (main+3).
• The code XREF for the jump at ② tells us which jump takes us to this
location, which in this example corresponds to the location marked at ③.
Data Cross-References
• Start with strings
– Double-click an interesting string
– Hover over its DATA XREF comment to see where that string is used
– Press X to list all references
Data Cross-References
• Data XREFs track how data is accessed within a binary.
– A data reference can be attached to any byte of data that code accesses
through a memory reference: o (offset taken), r (read), w (write).
• For example, you can see the data XREF to the DWORD 0x7F000001 at ①
(127.0.0.1, the loopback address).
– The corresponding XREF tells us that this data is used in the function
located at 0x401020.
– The following line shows a data cross-reference for the string
<Hostname> <Port>.
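The code and data cross-references from the last three slides, built from a constructed listing as an added example (not IDA's code): it records call (p), jump (j), offset (o), read (r) and write (w) references and renders them as the "; CODE XREF: main+3↑p" style comments IDA prints, with the arrow saying whether the referencing address lies above or below. LISTING, SYMBOLS and FUNCTIONS are a constructed two-function program; the operand syntax recognised is deliberately small (a bare name is a memory access, "offset name" is an address taken).

```python
"""Build the code and data cross-references IDA shows as XREF comments from a
small disassembly listing, using IDA's own suffix letters: p = call, j = jump,
o = offset taken, r = read, w = write; the arrow says whether the referencing
address is above (up) or below (down) the referenced one. Added example, not
IDA code; LISTING and SYMBOLS are a constructed two-function program."""

SYMBOLS = {                      # name -> address (what IDA's Names window holds)
    "_main": 0x401000, "loc_401016": 0x401016, "sub_401020": 0x401020,
    "_printf": 0x402000, "aHostnamePort": 0x403000, "dword_40300C": 0x40300C,
}
FUNCTIONS = {"_main": 0x401000, "sub_401020": 0x401020}

LISTING = [                      # (ea, mnemonic, operands)
    (0x401000, "push", "ebp"),
    (0x401001, "mov",  "ebp, esp"),
    (0x401003, "call", "sub_401020"),
    (0x401008, "test", "eax, eax"),
    (0x40100A, "jz",   "loc_401016"),
    (0x40100C, "push", "offset aHostnamePort"),   # "<Hostname> <Port>"
    (0x401011, "call", "_printf"),
    (0x401016, "mov",  "dword_40300C, eax"),      # loc_401016
    (0x40101B, "pop",  "ebp"),
    (0x40101C, "retn", ""),
    (0x401020, "push", "ebp"),                    # sub_401020
    (0x401021, "mov",  "ebp, esp"),
    (0x401023, "mov",  "eax, dword_40300C"),
    (0x401028, "pop",  "ebp"),
    (0x401029, "retn", ""),
]

CALLS = {"call"}
JUMPS = {"jmp", "jz", "jnz", "je", "jne", "jg", "jge", "jl", "jle", "ja", "jb",
         "jae", "jbe", "js", "jns"}
WRITERS = {"mov", "add", "sub", "and", "or", "xor", "inc", "dec"}   # first operand is written


def build_xrefs(listing, symbols):
    """Return {target_ea: [(from_ea, kind)]} for every reference in the listing."""
    xrefs = {}

    def add(to, frm, kind):
        xrefs.setdefault(to, []).append((frm, kind))

    for ea, mnem, ops in listing:
        operands = [o.strip() for o in ops.split(",")] if ops else []
        if mnem in CALLS or mnem in JUMPS:
            add(symbols[operands[0]], ea, "p" if mnem in CALLS else "j")
            continue
        for idx, op in enumerate(operands):
            if op.startswith("offset "):                  # address taken, e.g. push offset aStr
                add(symbols[op[len("offset "):]], ea, "o")
            elif op in symbols:                           # memory access through a named address
                add(symbols[op], ea, "w" if idx == 0 and mnem in WRITERS else "r")
    return xrefs


def describe(ea, functions):
    """Address as IDA prints it in an XREF: function name plus hex offset."""
    name, start = max(functions.items(), key=lambda kv: kv[1] if kv[1] <= ea else -1)
    return name if ea == start else f"{name}+{ea - start:X}"


def xref_comment(target, xrefs, functions):
    """The '; CODE XREF: ...' / '; DATA XREF: ...' comment IDA adds at target."""
    refs = xrefs.get(target, [])
    if not refs:
        return ""
    kind = "CODE XREF" if all(k in "pj" for _, k in refs) else "DATA XREF"
    items = [f"{describe(frm, functions)}{'↑' if frm < target else '↓'}{k}"
             for frm, k in sorted(refs)]
    return f"; {kind}: " + "  ".join(items)


if __name__ == "__main__":
    xrefs = build_xrefs(LISTING, SYMBOLS)
    for name, ea in sorted(SYMBOLS.items(), key=lambda kv: kv[1]):
        print(f"{ea:#x} {name:14s} {xref_comment(ea, xrefs, FUNCTIONS)}")
```

Looking up xrefs[SYMBOLS["aHostnamePort"]] answers "where is this string used" and xrefs[SYMBOLS["sub_401020"]] answers "who calls this function", which is the navigation the X key gives you in IDA.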
Analyzing Functions
Function and Argument Recognition
• One powerful aspect of IDA Pro is its ability to:
– recognize functions,
– label them (name them), and
– break down local variables and parameters (name them).
– Its guesses are not always correct, so verify them against the code.
Function and Argument Recognition
• IDA Pro indicates that an EBP-based stack frame is used in the function.
• This means the local variables and parameters will be referenced via the
EBP register throughout the function.
Local Variables and Argument Recognition
• IDA Pro has successfully discovered all local variables and parameters in
this function.
• It has labeled:
– Local variables with the prefix var_ and a suffix giving their (negative)
offset from EBP: [ebp-4] becomes [ebp+var_4].
– Parameters with the prefix arg_ and a suffix giving their offset from the
first parameter: [ebp+8] becomes [ebp+arg_0] and [ebp+0Ch] becomes
[ebp+arg_4], because [ebp] holds the saved EBP and [ebp+4] the return
address.
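The naming rule above, applied mechanically as an added example (not IDA's code): it rewrites [ebp±N] operands of a constructed 32-bit function into the var_/arg_ names IDA displays and lists the resulting frame layout the way the stack view does. FUNCTION is a constructed listing; the operand syntax accepted is MASM-style (0Ch, 10h), C-style (0x10) and decimal.

```python
"""How IDA names stack variables in an EBP-based frame. Added example, not
IDA code; FUNCTION is a constructed listing. On 32-bit x86, after
`push ebp; mov ebp, esp`, [ebp] holds the saved EBP and [ebp+4] the return
address, so the first argument lives at [ebp+8]: IDA calls it arg_0, the next
arg_4, and so on (the suffix counts from the first argument, not from EBP).
Locals sit below EBP: [ebp-4] is var_4, [ebp-10h] is var_10."""
import re

# [ebp+8], [ebp-4], [ebp+0Ch], [ebp-0x10] ...
MEM = re.compile(r"\[ebp\s*([+-])\s*(0x[0-9a-f]+|[0-9a-f]+h|\d+)\]", re.I)


def _to_int(tok: str) -> int:
    """Accept MASM (0Ch, 10h), C (0x10) and decimal displacements."""
    tok = tok.lower()
    if tok.startswith("0x"):
        return int(tok, 16)
    if tok.endswith("h"):
        return int(tok[:-1], 16)
    return int(tok, 10)


def ida_name(sign: str, disp: int) -> str:
    """IDA's stack-variable name for [ebp<sign><disp>]."""
    if sign == "-":
        return f"var_{disp:X}"            # local: below the frame pointer
    if disp >= 8:
        return f"arg_{disp - 8:X}"        # argument: above saved EBP and return address
    # IDA's stack view shows these two slots as ' s' and ' r'
    return {0: "saved_ebp", 4: "ret_addr"}.get(disp, f"{disp:X}")


def annotate(insn: str) -> str:
    """Rewrite [ebp±N] operands into [ebp+var_N] / [ebp+arg_N] as IDA displays them."""
    return MEM.sub(lambda m: f"[ebp+{ida_name(m.group(1), _to_int(m.group(2)))}]", insn)


def frame_layout(insns):
    """The frame as IDA's stack view lists it: (offset from EBP, name), lowest first."""
    slots = {}
    for insn in insns:
        for sign, tok in MEM.findall(insn):
            disp = _to_int(tok)
            slots[disp if sign == "+" else -disp] = ida_name(sign, disp)
    return sorted(slots.items())


# Constructed function: two parameters, two locals, one call
FUNCTION = [
    "push    ebp",
    "mov     ebp, esp",
    "sub     esp, 10h",
    "mov     eax, [ebp+8]",        # first parameter  -> arg_0
    "mov     ecx, [ebp+0Ch]",      # second parameter -> arg_4
    "mov     [ebp-4], eax",        # local            -> var_4
    "mov     [ebp-10h], ecx",      # local            -> var_10
    "push    [ebp-4]",
    "call    sub_401020",
    "mov     esp, ebp",
    "pop     ebp",
    "retn",
]

if __name__ == "__main__":
    for line in FUNCTION:
        print(annotate(line))
    print(frame_layout(FUNCTION))
```

The same prefixes appear in x64 code for spilled register arguments and for ESP-based frames, but there the displacements come from IDA's stack-pointer tracking rather than from a fixed EBP, so do not apply this +8 rule blindly outside an EBP frame.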
Using Graph Options
Graphing Options
• IDA Pro can generate other graphs
– Flow chart of the current function
– Function calls for the entire program
– Xrefs to/from a currently selected xref
– User-specified xref graphs
Graphing Options
• These are "legacy graphs": they open in the external WinGraph32 viewer
and cannot be edited from within IDA
• The first two have largely been superseded by the interactive graph view
and the Proximity browser
– Flow chart: create a flow chart of the current function
– Function calls: graph function calls for the entire program
Graphing Options
• Xrefs to
– Graphs the cross-references leading to the selected address
– Shows all the paths by which a function can be reached
Windows Genuine Status in Calc.exe
Graphing Options
• Xrefs from
– Graphs the cross-references leaving the selected address
– Shows all the paths that exit from a function
Graphing Options
• User xrefs chart...
– Customize the graph's recursive depth, the symbols used, to or from the
symbol, etc.
– The only way to modify legacy graphs
Using Graphing Options
Enhancing Disassembly
Warning
• Older versions of IDA have no Undo: if you make a change and get it
wrong, you have to change it back by hand
– IDA 7.3 and later support Undo (Edit → Undo, Ctrl+Z) for most database
edits; still keep a backup of the .idb/.i64 before large or scripted changes
Renaming Locations
• Renaming functions & variables by pressing key [n]
– sub_401000 or arg_4 don’t tell you much
– Rename them to something more useful!
• Example: You can change a name like sub_401000 to
ReverseBackdoorThread
– Change it in one place; IDA will change it everywhere else
Renaming Locations
Comments
• You can add comments to lines too!
• Press colon (:) to add a regular comment, shown only at that line
• Press semicolon (;) to add a repeatable comment, which is also echoed at
every location that references this one
Formatting Operands
• Immediate operands are shown in hexadecimal by default
• Right-click an operand (or use Edit → Operand type) to show it in another
format; the value does not change, only its display
– ex. 0x61 → 'a' → 97
– Hexadecimal: [q]
– Decimal: [h] (pressing [h] toggles between hex and decimal)
– Character: [r]
– Binary: [b]
Using Named Constants
• Makes Windows API arguments clearer
Extending IDA with Plug-ins
• IDA Pro has a large plug-in ecosystem
– Plug-ins and scripts use the IDA API through:
• IDC, IDA's own C-like scripting language
• IDAPython (historically not included in IDA Free)
– Some useful plug-ins:
• Fentanyl - patch assembly from inside IDA
• Hex-Rays Decompiler - commercial add-on, licensed per processor family
• KANAL - Krypto Analyzer, identifies constants of known cryptographic
algorithms
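An IDAPython script as an added example (not from the slides or from Hex-Rays) that automates the xref workflow from the cross-references slides: for every call to a chosen import it walks back from the call site and collects the push instructions that supply the stack arguments, then writes them as a comment at the call. The IDA API calls used (idc.get_name_ea_simple, idautils.XrefsTo, idaapi.get_func, idautils.FuncItems, idc.print_insn_mnem, idc.print_operand, idc.set_cmt) are the IDA 7.x IDAPython names and are assumed; check them against your version's SDK. The argument recovery is kept in a pure function so it can be tried outside IDA on the constructed listing SAMPLE.

```python
"""IDAPython script that automates the xref-to-parameters workflow: for every
call to a chosen import it walks backwards from the call site and collects
the push instructions that supply the stack arguments (32-bit cdecl/stdcall),
then writes them as a comment at the call. Added example, not from the slides
or Hex-Rays; the IDA API names are the ones assumed for IDA 7.x. The core is a
pure function so the script can be checked outside IDA against the
constructed listing SAMPLE."""

try:
    import idaapi, idautils, idc          # present only inside IDA
    IN_IDA = True
except ImportError:
    IN_IDA = False


def recover_pushed_args(insns, call_index, nargs):
    """insns: [(ea, mnemonic, first_operand_text)] in address order.
    Stack arguments are pushed right to left, so walking backwards from the
    call meets arg1 first. Stops at a control-flow boundary (an earlier call,
    jump or return) because pushes before it belong to someone else.
    nargs must come from the API prototype; asking for more than the function
    takes would swallow the prologue's push ebp."""
    args = []
    i = call_index - 1
    while i >= 0 and len(args) < nargs:
        ea, mnem, op = insns[i]
        if mnem == "call" or mnem.startswith("j") or mnem in ("ret", "retn"):
            break
        if mnem == "push":
            args.append(op)
        i -= 1
    return args


def annotate_calls(import_name, nargs):
    """Inside IDA: comment every call to import_name with the recovered arguments."""
    results = []
    if not IN_IDA:
        return results
    target = idc.get_name_ea_simple(import_name)       # name as shown in the Imports window
    if target == idaapi.BADADDR:
        return results
    for xref in idautils.XrefsTo(target, 0):
        if not xref.iscode:
            continue
        func = idaapi.get_func(xref.frm)
        if func is None:
            continue
        # Instructions of the caller in address order, up to and including the call.
        # Good enough for straight-line code; a jump into the argument setup breaks it.
        insns = []
        for ea in idautils.FuncItems(func.start_ea):
            insns.append((ea, idc.print_insn_mnem(ea), idc.print_operand(ea, 0)))
            if ea == xref.frm:
                break
        args = recover_pushed_args(insns, len(insns) - 1, nargs)
        idc.set_cmt(xref.frm, f"{import_name}({', '.join(args)})", 0)
        results.append((xref.frm, idc.get_func_name(func.start_ea), args))
    return results


# Constructed listing of a CreateFileA call site (7 stack arguments)
SAMPLE = [
    (0x401000, "push", "ebp"),
    (0x401001, "mov",  "ebp"),                 # mov ebp, esp (first operand only)
    (0x401003, "push", "0"),                   # hTemplateFile
    (0x401005, "push", "80h"),                 # dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
    (0x40100A, "push", "3"),                   # dwCreationDisposition = OPEN_EXISTING
    (0x40100C, "push", "0"),                   # lpSecurityAttributes
    (0x40100E, "push", "1"),                   # dwShareMode = FILE_SHARE_READ
    (0x401010, "push", "80000000h"),           # dwDesiredAccess = GENERIC_READ
    (0x401015, "push", "offset FileName"),     # lpFileName
    (0x40101A, "call", "ds:CreateFileA"),
    (0x401020, "mov",  "[ebp+hFile]"),
]

if __name__ == "__main__":
    if IN_IDA:
        for ea, caller, args in annotate_calls("CreateFileA", 7):
            print(f"{ea:#x} in {caller}: CreateFileA({', '.join(args)})")
    else:
        print(recover_pushed_args(SAMPLE, 9, 7))
```

Run it from File → Script file inside IDA; the recovered operands come back in prototype order (lpFileName first), which is the order you need when applying named constants to them.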
x86 Assembler/Disassembler
• Online x86 / x64 Assembler and Disassembler, handy for checking the
encoding of an instruction or decoding a few bytes by hand
– https://defuse.ca/online-x86-assembler.htm#disassembly
Main Sources for these slides
• Michael Sikorski and Andrew Honig, "Practical Malware Analysis: The
Hands-On Guide to Dissecting Malicious Software," No Starch Press, 2012;
ISBN-10: 1593272901.
• Xinwen Fu, "Introduction to Malware Analysis," University of Central
Florida.
• Sam Bowne, "Practical Malware Analysis," City College San Francisco.
• Abhijit Mohanta and Anoop Saldanha, "Malware Analysis and Detection
Engineering: A Comprehensive Approach to Detect and Analyze Modern
Malware," Apress, 2020; ISBN: 1484261925.
Thank you