Skip to content

IDA-Pro-Cheat-Sheet.md

Latest commit

 

History

History
349 lines (283 loc) · 9.14 KB

IDA-Pro-Cheat-Sheet.md

File metadata and controls

349 lines (283 loc) · 9.14 KB

IDA Pro Cheat Sheet

Quick Reference for Commands, Shortcuts & Usage

🚀 Quick Start

Action Method
Start New Analysis Launch IDA → New → Select file
Load Previous Work Launch IDA → Previous → Select .idb file
Save Work File → Close → Pack database (Store) ✓
Exit Without Saving File → Close → DON'T SAVE the database

⌨️ Essential Keyboard Shortcuts

Navigation

Key Function
Space Toggle Graph ↔ Text view
G Jump to address
Ctrl+E Jump to entry point
Ctrl+L Jump to return address
Esc Go back
Ctrl+Enter Go forward
Alt+← Previous position
Alt+→ Next position

Analysis & Editing

Key Function
N Rename function/variable
: (colon) Add comment
; (semicolon) Add repeatable comment
X Show cross-references (xref)
D Convert to data
C Convert to code
U Undefine
P Create function

Search Operations

Key Function
Alt+T Search text/string
Alt+I Search immediate value
Alt+B Search byte sequence
Ctrl+F Find text in disassembly

Bookmarks

Key Function
Alt+M Mark position (create bookmark)
Ctrl+M Jump to mark (select bookmark)

Display Options

Key Function
T Switch to text view
F5 Generate pseudocode (if decompiler available)
Tab Switch between disassembly views

🎯 View Modes

Graph View (Default)

┌─────────────┐
│  Block 1    │
│ instructions │
│   here      │ ──┐
└─────────────┘   │
        │         │
        ▼         ▼
┌─────────────┐ ┌─────────────┐
│  Block 2    │ │  Block 3    │
│(true branch)│ │(false branch)│
└─────────────┘ └─────────────┘
  • Access: Default view or press Space
  • Features: Visual code flow, basic blocks, conditional branches
  • Colors: Green (true), Red (false), Blue (unconditional)

Text View

.text:004014A4    public start
.text:004014A4    start proc near
.text:004014A4    call    sub_401CD3
.text:004014A9    jmp     $+5
.text:004014AA    ; ---------------------
  • Access: Press Space to toggle
  • Features: Linear disassembly, addresses visible

Proximity View

  • Access: View → Open subviews → Proximity browser
  • Purpose: Relationships between functions and variables

🔍 Search Commands & Techniques

Text Search

Method Access Usage
Menu Search Search → Text General text search
Quick Find Ctrl+F Find in current view
String Search Alt+T Search for strings

Advanced Search

Type Shortcut Purpose
Immediate Value Alt+I Find hardcoded values
Byte Sequence Alt+B Find byte patterns
Binary Pattern Search → Sequence of bytes Complex patterns

Function Search

# Method 1: Functions Window
Right-click Functions → Quick filter → Enter name

# Method 2: Jump Menu  
Jump → Jump to function  Filter by name

Cross-Reference Analysis

# Steps:
1. Click on function/variable name
2. Press 'X'
3. View all references in dialog

🛠️ Analysis Tools

Color Coding

Action Method
Color Block Click color palette icon on basic block
Strategic Colors Green (good path), Red (bad path)

Comments

Type Shortcut Description
Regular Comment : Single location comment
Repeatable Comment ; Appears at all references

Function Management

Action Method
Rename Function Right-click Functions window → Edit function
Quick Rename Click function name → Press N
Create Function Select code → Press P

📊 Windows & Panels

Essential Windows

Window Access Purpose
Functions View → Open subviews → Functions List all functions
Imports View → Open subviews → Imports Imported functions
Exports View → Open subviews → Exports Exported functions
Strings View → Open subviews → Strings String constants
Graph Overview View → Graph overview Navigate large functions

Window Management

Action Method
Reset Layout Windows → Reset desktop
Dock Window Drag title bar to dock position
Close Window Click X or right-click → Close

🔧 File Operations

Supported File Types

Type Description
PE (32-bit) Portable executable for 80386
PE (64-bit) Portable executable for AMD64
ELF Linux executables
Mach-O macOS executables

Database Management

# Saving Options:
✓ Pack database (Store)     # Recommended for saving
○ Pack database (Deflate)   # Compressed saving  
○ Don't pack database       # Quick save
● DON'T SAVE the database   # Discard changes

🎨 Customization

Display Options

Setting Location Purpose
Line Prefixes Options → General Show addresses in graph view
Auto Comments Options → General Automatic API comments
Syntax Highlighting Options → Colors Code highlighting

Graph Appearance

Option Effect
Node Spacing Adjust block spacing
Edge Style Arrow appearance
Font Size Text readability

🔄 Static-Dynamic Analysis Integration

Synchronizing with Debuggers

# WinDbg Integration:
1. Find base address in debugger: lm m notepad
2. IDA: Edit → Segments → Rebase program
3. Enter new base address
4. Use G command to jump to debugger addresses

Address Translation

Tool Command Purpose
WinDbg lm m module Get module base
IDA G → address Jump to address
IDA Edit → Segments → Rebase Sync addresses

🚨 Common Workflows

Basic Analysis Workflow

1. Load File → Select appropriate processor type
2. Wait for auto-analysis to complete  
3. Navigate to entry point
4. Use Graph view for code flow understanding
5. Add comments and rename functions
6. Use cross-references to trace function usage
7. Save work with "Pack database"

Vulnerability Research Workflow

1. Identify target functions (imports/strings)
2. Cross-reference critical functions
3. Analyze input validation routines
4. Look for buffer operations
5. Trace data flow paths
6. Document findings with comments/colors

Malware Analysis Workflow

1. Start with strings analysis
2. Examine import table
3. Locate main execution path
4. Identify obfuscation techniques  
5. Trace network/file operations
6. Document IOCs and behavior

📋 Useful Code Patterns

Function Prologue/Epilogue

; Standard function prologue
push    ebp
mov     ebp, esp
sub     esp, XX        ; Local variables

; Standard function epilogue  
mov     esp, ebp
pop     ebp
ret

API Call Pattern

push    arg3           ; Push arguments (right to left)
push    arg2
push    arg1  
call    ds:ApiFunction ; Call API
add     esp, 0Ch       ; Clean up stack (3 args × 4 bytes)

⚠️ Important Notes

Symbols & Debugging Info

  • Windows: Can download symbols automatically
  • Linux: Limited symbol support in Freeware
  • Recommendation: Use files with debug info when possible

Performance Tips

  • Large Files: Disable auto-analysis for initial load
  • Complex Code: Use proximity view for overview
  • Memory Usage: Close unused windows/tabs

Best Practices

  • Regular Saves: Pack database frequently
  • Documentation: Use comments liberally
  • Organization: Use consistent naming conventions
  • Backup: Keep copies of important .idb files

🔗 Quick Reference URLs

Resource URL
IDA Freeware https://www.hex-rays.com/products/ida/support/download_freeware/
Documentation https://www.hex-rays.com/products/ida/support/idadoc/
Tutorials https://www.hex-rays.com/products/ida/support/tutorials/

🎓 Learning Path

Beginner Levelation (G, Space, X)

  • Practice with simple executables (notepad.exe)
  • Learn to add comments and rename functions
  • Understand Graph vs Text view

Intermediate Level

  • Cross-reference analysis workflows
  • Import/Export table analysis
  • String and constant analysis
  • Basic static-dynamic synchronization

Advanced Level

  • Complex malware analysis
  • Vulnerability research techniques
  • Custom IDA scripting (IDAPython)
  • Advanced processor modules
  • Master basic navig