* It has one of the best decompilers available
* It supports a ridiculous number of platforms
* I trust its disassembler (especially for mainstream languages) more than almost any other disassembler
* Demangling of Swift names is a nice quality of life improvement, Swift moves fast and is hard to keep up with
* Still the best disassembler and machine code reversing tool out there
If you can't afford IDA (it is very expensive), there are a lot of great alternatives:
* Hopper (mac only). Its disassembler is not so great; it gets confused and fails to find code in Swift apps pretty often. It is still generally good and with some encouragement you can get it to do a competent job.
* radare2. Works on a lot of more esoteric processors. Great for when working on small firmwares from less common processors. Not so great at big files. Slow. Very powerful regardless. Open source.
* ImmunityDbg still works for Win
* Other tools, just search.
The more time you spend looking at disassembled machine code the more valuable IDA gets. But you really have to do a lot of RCE. Most people first getting into RCE really think they need IDA when they haven't even cracked the docs for their target environment yet or lack fundamental knowledge about how CPUs work, which holds them back far more than a second class disassembler ever has.
Might I suggest Christopher Domas' Black Hat talk "Breaking the x86 ISA", along the way of which he demonstrates the limitations of all disassemblers out there, including IDA's :)
Talk: https://youtu.be/KrksBdWcZgQ
Slides: https://www.blackhat.com/docs/us-17/thursday/us-17-Domas-Bre...
Paper: https://www.blackhat.com/docs/us-17/thursday/us-17-Domas-Bre...
Hopper supports Linux since V3 :)
The reason why it's so difficult to get a pro license (even if you want to pay for it legally) is because one leak of the most current version and enterprise sales drop by about ~50%[1]. So, theoretically, if Ilfak were to give you that $100 most-recent copy and you were to share it with the wrong people, the losses are way more than just what he lost on your sale. The legitimate corporate sales go down ~50%[1] the second a leak hits.
I'm not in rev-eng professionally, but I grew up (read: pirated it at 15) with it back when SoftICE and IDA were the only options on the market. Eventually I needed a license to side-step some legitimate licensed software for a client whose business depended on a dongle from a now defunct company. Since IDA is what I already knew, it's what I purchased. The time I would have spent learning another platform (there are lovely open source alternatives on the market now) would have exceeded the price of the software by quite a bit. For people who use IDA professionally, 1k a seat (5k w/ HR) is more than reasonable, especially with the whole ecosystem of plugins that exist around it[2].
But the times, they are a'changin. Now with all of the competitors on the market though, kids are growing up not pirating SoftICE and IDA but alternatives. 5 years down the line, when those kids have purchase influence and go to their manager with a request ("this is what I grew up with... I need a __ license"), IDA is going to have a real problem[4].
====
[1] Ilfak delineated the whole business model and decrease in sales as a result of leaks with real numbers on reddit. This was 3-4 years ago (maybe more, god I'm getting old) so I might be off by the 50%. I'm sure it's more than 1/3rd. This interestingly enough is why you see a version bump as soon as a leak shows up. Maybe purchasing departments are less likely to authorize a 5k license if the most recent version is on piratebay? Not sure how that gets past legal and whoever is in charge of license compliance, but it happens. Pure speculation: When you bump a pirated 6.8 to a non-pirated 6.9, the engineer/manager can "legitimize" the purchase by telling purchasing "I need 6.9 and can't steal it now, cut the purchase order, or it'll be your name coming up when we have a meeting as to why we lost Client Foo".
[2] The reason I keep paying for maintenance fees is because the extensive number of community-made/maintained plugins makes IDA basically like emacs. Powerful base-software, but when you get all your scripts setup with things like DIE[3] you can't imagine working in another setting.
[3] https://github.com/ynvb/DIE This alone is worth the cost of the base $1k IMO. Sidenote: The plugin contest was the greatest marketing idea ever. Get people to develop (or release the tools they've already developed for themselves to the public domain) extensible software that adds significant value to your software in exchange for a $1k? Absolutely brilliant.
[4] https://i.imgur.com/Qb7GSCL.png Here's a comment I made about a year ago when we saw Binary Ninja/Radare2/etc all coming of age.
I'm fuzzy on my memory, but man! This was so much cooler and better than disassembling stuff on the commandline! The cool thing about IDA that I found out are:
- its scripting language (we used Python)
- its ability to show loops and branches by drawing arrows to other pieces of assembly (it's a special view you can use)
- really good search and code labeling features: if you change one register name somewhere, then that's propagated to where that register is used in the rest of the relevant code
- the ability to patch programs: you can overwrite processor instructions, mostly I used instruction 90 which is the nop instruction (meaning: no operation).
These features are not unique to IDA, but from a beginner perspective: I thought they were awesome! We used some kind of demo version for IDA.
The idea of taking arbitrary x86/amd64 binaries and converting them to LLVM IR is a concept that fascinates me and I've always been curious what the optimization paths would be -- if you took a go binary output, converted it to LLVM IR, and then compiled with an optimizing LLVM pass how does the result compare, for instance.
Now that IDA has very serious competition from Binja and Hopper, it's unlikely that problem is going to resolve itself in the long term.
Though it's unclear if we are discussing sticker shock over IDA Pro or over IDA Pro + Hex Rays decompilers, because there is a pretty huge increase in cost as you start needing those.
I don't know how true this is, but it makes logical sense - the developers of a reverse-engineering tool are likely far more clever at anti-piracy mitigations than your average programmer.
I heard a rumor that the cracked version calls home with your identity and blacklists you for life. Don't think it is true though. (Edit: I think what they do is they embed your key into saved files, and if a key leaks, blacklist it such that later versions cannot open them.)
Especially on my preferred platform. (Linux)
What are the common business usages for this? Who uses this daily to do their work, if this use case exists at all?
For this price, I imagine there must be a very dedicated niche who needs this. Who is this niche?