liminfo

IDA Pro Reference

Free reference guide: IDA Pro Reference

25 results

About IDA Pro Reference

This IDA Pro Reference is a searchable cheat sheet for the IDA Pro interactive disassembler and Hex-Rays decompiler. It covers essential disassembly shortcuts (Space for graph/text toggle, G for address jump, N for renaming symbols, X for cross-references, semicolon for comments), decompiler operations (F5 for pseudo-C generation, Y for type setting, T for struct member conversion), and view navigation.

The reference includes IDAPython scripting examples using idc module (get_bytes, set_name, get_func_name), idautils module (Functions iterator), ida_search module (binary pattern search), and idaapi (auto_wait for analysis completion). Structure management (Shift+F9, Alt+Q, D for data type cycling, A for string conversion) and patching workflows are also covered.

Designed for reverse engineers, malware analysts, vulnerability researchers, exploit developers, and CTF participants who need instant lookup of IDA Pro keyboard shortcuts, IDAPython code snippets, patching procedures, and plugin usage (Findcrypt for crypto constants, Class Informer for C++ RTTI, BinDiff for binary comparison).

Key Features

  • Essential IDA Pro shortcuts: Space (graph/text), G (jump), N (rename), X (xrefs), semicolon (comment)
  • Hex-Rays decompiler reference: F5 (decompile), Y (set type), T (struct member), Tab (toggle view)
  • IDAPython scripting with idc.get_bytes, idautils.Functions, ida_search.find_binary, and idc.set_name
  • Structure management: Shift+F9 (structures list), Alt+Q (apply struct), D (cycle data types), A (string)
  • Binary patching: Edit menu byte patching, assembly patching, apply to input file, Keypatch plugin
  • Plugin reference: Findcrypt (crypto detection), Class Informer (C++ RTTI/vtable), BinDiff (binary diff)
  • IDAPython auto-analysis wait with idaapi.auto_wait for batch scripting reliability
  • Filterable by category: Disassembly, Decompile, Scripting, Structures, Patching, Plugins

Frequently Asked Questions

What are the most important IDA Pro shortcuts?

The essential IDA Pro shortcuts are: Space (toggle graph/text view), G (jump to address or function name), N (rename symbol), X (show cross-references), semicolon (add repeatable comment), colon (regular comment), F5 (decompile with Hex-Rays), Y (set variable/function type), and Tab (toggle between assembly and decompiled view).

How do I use the Hex-Rays decompiler in IDA Pro?

Press F5 to generate pseudo-C code for the current function. Use Y to set variable or function types (e.g., int __cdecl main(int argc, char **argv)), N to rename variables (v1 to buffer_size), and T to convert offset access to struct member access (*(a1+8) becomes a1->field_8). Tab toggles between assembly and decompiled views.

What IDAPython scripting capabilities are covered?

The reference covers idc.get_bytes() for reading memory, idautils.Functions() for iterating all functions, idc.get_func_name() for getting function names, ida_search.find_binary() for byte pattern searching, idc.set_name() for setting symbol names, and idaapi.auto_wait() for waiting until auto-analysis completes in batch scripts.

How do I patch binaries in IDA Pro?

Go to Edit, Patch program, Change byte to directly modify bytes (e.g., 75 to 90 to convert jnz to nop). Use Edit, Patch program, Assemble to write assembly instructions. The Keypatch plugin (Ctrl+Alt+K) provides a more convenient interface. After patching, apply changes via Edit, Patch program, Apply patches to input file.

How do I work with structures in IDA Pro?

Press Shift+F9 to open the structures list, Insert to add new structures. Use Alt+Q to apply a structure type to a variable, converting offset access to named field access. Press D repeatedly to cycle through data types (db, dw, dd, dq), and A to interpret bytes as ASCII strings.

What IDA Pro plugins are included in this reference?

Three essential plugins are covered: Findcrypt automatically detects cryptographic constants (AES, DES, RSA) in binaries, Class Informer analyzes C++ vtables and RTTI information to reconstruct class hierarchies, and BinDiff compares two binaries to match functions and identify differences for patch analysis or variant detection.

How do I search for byte patterns with IDAPython?

Use ida_search.find_binary() with the starting address, ending address (idc.BADADDR for whole binary), the hex pattern string (e.g., "48 89 5C 24" for function prologues), radix 16, and idc.SEARCH_DOWN flag. The function returns the address of the first match or BADADDR if not found.

Is this IDA Pro reference free to use?

Yes, this IDA Pro cheat sheet is completely free with no account required. All shortcuts, IDAPython examples, patching procedures, and plugin guides are searchable and filterable by category in your browser. It is part of liminfo.com's collection of free reverse engineering and security reference tools.