Category Archives: IDA Pro

Posts involving the IDA Pro reverse engineering workbench

IDA Pro Freeware Update

Thanks to igorsk for informing me that DataRescue has made an updated version of IDA Pro available as freeware. No longer must we suffer the quirks of the old freeware version 4.3; we get to learn a whole new set of idiosyncrasies with 4.9.

DataRescue IDA Pro -- Improved version available

The sales folks at DataRescue told me that this freeware release was in the works, to pacify me when they refused to sell me a license for the full version of IDA Pro. Interesting business model.

Fun Graphs With IDA Pro

Pursuant to my last post on IDA Pro, Benjamin Larsson kindly pointed me to an older version of IDA Pro that has been released as freeware: IDA Pro v4.3. The version is uncrippled in what it can do, so you can save your work and not have to worry about needing to RE an entire target in one sitting. This version is also reported to work beautifully under Wine, if that’s your thing. This version is supposed to have great support for Win32 PE files (the most common executable format you will find under Windows) but is somewhat lacking in the area of Linux ELF files (apparently, it is not entirely correct when loading relocation tables).

I decided to take a step back and examine an old favorite target, xanlib.dll. This is the binary module responsible for decoding video data in the ‘Xxan’-fourcc format used in certain Origin games circa 1995. The format has remained a thorn in my side since it should be so simple yet I have never quite reverse engineered the entire thing.

Perhaps the most curious feature I see in IDA Pro is its graphing feature. Actually, IDA Pro subcontracts to a GPL’d graphing library named Visualization and Computer Graphics Lib to handle its graph display. The Win32 graph viewer features a number of fish eye perspective modes for warping the graph view. This is the “fixed radius polar fish eye perspective”:

fixed radius polar fish eye perspective

What is the reason for this feature? If I were a guessing man, I would probably have to guess: “Because they could.” Weird perspective aside, you can see how clearly IDA Pro + VCG illustrate the flow of the assembly language blocks (also called basic blocks in certain academic RE literature), as well as the way I am able to substitute my own identifiers (xan_1000_validate_struct as the function name and xan_last_error for a particular global variable). I am eager to explore more of IDA Pro’s legendary RE features as I finish tearing apart this ancient codec.

Jumping In With IDA Pro

This may come as a surprise to many hardcore reverse engineers out there but I have actually never used DataRescue’s IDA Pro disassembler tool. Chalk it up to a general aversion to non-free software as well as the chore of having to boot into Windows for the experiment (there is supposed to be a limited Linux version available as well). Add to that the fact that it’s always hard to get myself psyched about any RE-related task, necessary though it may be.

I finally tried the program tonight. It really is every bit as amazing as I have heard. Recognizing that the computer cannot be smart enough to completely reverse engineer a program, IDA’s guiding principle is to give the reverse engineer a powerful workbench of tools to apply towards the craft. One tool maps functions into blocks of ASM instructions grouped by code branches. Another tool allows you to edit a function’s prototype, which is then taken into account in the function’s analysis. Another tool allows you to create new structure definitions to be used as function parameters.
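The block graph mentioned here, and the basic-block flow graph with substituted identifiers shown in the "Fun Graphs" post above, both come from the same idea: a function's linear listing is split at branch targets and at the instructions following branches, and each resulting block gets an edge to wherever control can go next. The following Python is an added illustration of that splitting, not IDA's code or anything from xanlib.dll; the x86 listing, its addresses and the magic constant are constructed, and the function name `xan_1000_validate_struct` is borrowed from the post only as a label for the entry block.

```python
"""Split a linear disassembly listing into basic blocks and connect them
into a control-flow graph, the way a disassembler's graph view does.

Added example. The listing below is constructed for illustration; it is
not taken from xanlib.dll or any real binary.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Instruction = Tuple[int, str, str]  # (address, mnemonic, operand text)

# Constructed listing of a small "validate this struct" routine.  Branch
# targets are written as hex addresses so no real disassembler is needed.
LISTING: List[Instruction] = [
    (0x1000, "push", "ebp"),
    (0x1001, "mov", "ebp, esp"),
    (0x1003, "mov", "eax, [ebp+8]"),
    (0x1006, "test", "eax, eax"),
    (0x1008, "jz", "0x1019"),                    # NULL pointer -> fail
    (0x100a, "cmp", "dword ptr [eax], 0x6E615858"),  # constructed magic
    (0x1010, "jnz", "0x1019"),                   # wrong magic -> fail
    (0x1012, "mov", "eax, 1"),                   # success
    (0x1017, "jmp", "0x101b"),
    (0x1019, "xor", "eax, eax"),                 # failure path
    (0x101b, "pop", "ebp"),
    (0x101c, "ret", ""),
]

# Symbol substitutions, as a reverser would enter them in the workbench.
SYMBOLS: Dict[int, str] = {0x1000: "xan_1000_validate_struct"}

CONDITIONAL = {"jz", "jnz", "je", "jne", "ja", "jb", "jae", "jbe",
               "jg", "jl", "jge", "jle", "js", "jns"}
UNCONDITIONAL = {"jmp"}
TERMINATORS = {"ret", "retn"}


@dataclass
class BasicBlock:
    start: int
    instructions: List[Instruction] = field(default_factory=list)
    successors: List[int] = field(default_factory=list)


def branch_target(operands: str) -> int:
    """Parse a direct branch operand of the form 0x1234."""
    return int(operands, 16)


def find_leaders(listing: List[Instruction]) -> Set[int]:
    """A leader starts a block: the entry point, every branch target, and
    every instruction that follows a jump or a return."""
    leaders = {listing[0][0]}
    for i, (_, mnem, ops) in enumerate(listing):
        if mnem in CONDITIONAL or mnem in UNCONDITIONAL:
            leaders.add(branch_target(ops))
        if mnem in CONDITIONAL | UNCONDITIONAL | TERMINATORS and i + 1 < len(listing):
            leaders.add(listing[i + 1][0])
    return leaders


def build_cfg(listing: List[Instruction]) -> Dict[int, BasicBlock]:
    """Group instructions into blocks keyed by start address and record
    each block's successor addresses (taken branch first, fall-through second)."""
    listing = sorted(listing)
    leaders = find_leaders(listing)
    blocks: Dict[int, BasicBlock] = {}
    current: Optional[BasicBlock] = None
    for i, ins in enumerate(listing):
        addr, mnem, ops = ins
        if addr in leaders:
            current = BasicBlock(start=addr)
            blocks[addr] = current
        assert current is not None
        current.instructions.append(ins)
        nxt = listing[i + 1][0] if i + 1 < len(listing) else None
        if nxt is None or nxt in leaders:  # this instruction ends the block
            if mnem in CONDITIONAL:
                current.successors = [t for t in (branch_target(ops), nxt) if t is not None]
            elif mnem in UNCONDITIONAL:
                current.successors = [branch_target(ops)]
            elif mnem in TERMINATORS or nxt is None:
                current.successors = []
            else:
                current.successors = [nxt]  # plain fall-through into a target
    return blocks


def to_dot(blocks: Dict[int, BasicBlock], symbols: Dict[int, str] = SYMBOLS) -> str:
    """Render the graph as Graphviz DOT text, one box per block."""
    lines = ["digraph cfg {", "  node [shape=box fontname=monospace];"]
    for start, blk in sorted(blocks.items()):
        title = symbols.get(start, f"loc_{start:x}")
        body = "\\l".join(f"{a:05x}  {m} {o}".rstrip() for a, m, o in blk.instructions)
        lines.append(f'  b{start:x} [label="{title}:\\l{body}\\l"];')
        for s in blk.successors:
            lines.append(f"  b{start:x} -> b{s:x};")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(build_cfg(LISTING)))
```

Running the script prints DOT text that `dot -Tpng` will draw as five boxes: the entry block ends at the `jz`, the magic check forms its own block because it is the fall-through after a branch, the success and failure paths are separate blocks, and both converge on the `pop ebp; ret` epilogue, which is the same shape the fish-eye screenshot above is warping.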

Fortunately, a trial version of the software that can analyze Windows PE and Linux ELF files is free for download. Unfortunately, it is set to expire after an unspecified period of time. Further, it will not allow you to save your work. The full version of the software will set you back several hundred dollars or euros. Alternatively, you could put a fresh installation of the program on a reliable computer plugged into a UPS and do as much as you can with it. I suppose another workaround is virtualization: set up a virtual environment to save and load the entire machine state.

I had no idea that IDA Pro (full version) can even process console executable files from Nintendo GameBoy and N64 games, Sony Playstation games, Sega Dreamcast games, and Microsoft Xbox games. Makes me wish there were some interesting targets there.