Hex-Rays IDA Pro is the most powerful and popular commercial disassembler/debugger (https://www.hex-rays.com/products/ida/index.shtml); it is used by reverse engineers, malware analysts, and vulnerability researchers. IDA can run on various platforms (Windows, Linux, and macOS) and supports analysis of various file formats, including the PE/ELF/Macho-O formats. Apart from the commercial version, IDA is distributed in two other versions: IDA demo version (evaluation version) and IDA Freeware version; both these versions have certain limitations. You can download the freeware version of IDA for non-commercial use from https://www.hex-rays.com/products/ida/support/download_freeware.shtml. At the time of writing this book, the distributed freeware version is IDA 7.0; it lets you disassemble both 32-bit and 64-bit Windows binary but you will not be able to debug the binary, using the free version. The demo version (evaluation version) of IDA can be requested by filling in a form (https://out7.hex-rays.com/demo/request); it lets you disassemble both 32-bit and 64-bit Windows binary, and you can debug 32-bit binary (but not 64-bit binary) with it. Another restriction in the demo version is that you will not able to save the database (covered later in this chapter). Both demo and freeware version lacks IDAPython support. The commercial version of IDA does not lack any functionality and comes with full-year free email support and upgrades.

In this section and later sections, we will look at various features of IDA Pro, and you will learn how to use IDA to perform static code analysis (disassembly). It is not possible to cover all the features of IDA; only those features that are relevant to malware analysis will be covered in this chapter. If you are interested in gaining a deeper understanding of IDA Pro, it is recommended to the read the book, The IDA Pro Book (2nd Edition) by Chris Eagle. To get a better understanding of IDA, just load a binary and explore various features of IDA while you are reading this section and later sections. Remember the restrictions in various versions of IDA, if you are using the commercial version of IDA, you will be able to explore all the features covered in this book. If you are using the demo version you will be able to explore only the disassembly and debugging (32-bit binary only) features, but you will not be able to test IDAPython scripting capabilities. If you are using the freeware version, you will only be able to try out the disassembly features (no debugging and no IDAPython scripting). I highly recommend using either the commercial version or the demo version of IDA, using these versions you will be able to try out all/most of the features covered in this book. If you wish to look at an alternate tool for debugging 32-bit and 64-bit binary, you can use x64dbg (an open source x64/x86 debugger), which is covered in the next chapter. With an understanding of different versions of IDA, let'us, now explore its features, and you will understand how it can speed up your reverse engineering and malware analysis tasks.