Welcome to Hex-Rays docs

Discover the core of Hex-Rays guides and manuals, guiding you through IDA features and real-life usage scenarios.

Getting Started

New to IDA? Explore our selection of documentation to guide you through the installation process and jumpstart your reverse engineering journey.

Our Guides

Delve into detailed guides to discover IDA features and maximize its capabilities.

What’s new in Docs?

Check the latest changes in the Hex-Rays documentation, including new tutorials and manuals, along with significant revisions to existing content.

November 2025

Introducing IDA Plugin Manager and Enhanced Plugin Ecosystem

With the rollout of the IDA Plugin Manager and a refined plugin ecosystem for discovering, installing and maintaining plugins we’re entering a new era of plugin management; for both plugin users and plugin authors.

For Plugin Users:

Plugin Manager transforms how you discover and install plugins. Browse available plugins via HCLI and install them in IDA with just a few clicks. Read the Plugin Manager docs for more.

For Plugin Developers:

Manual submissions via My Hex-Rays portal are a thing of the past. Publishing your plugin into new IDA Plugin Repository now follows a transparent, automated process that gets plugins into users’ hands faster. Ensure your plugin is compatible with HCLI and Plugin Manager, and it’s ready to be listed!

To ease the adoption, we’ve prepared a set of documents to make your plugin compatible with HCLI and Plugin Manager:

Repository Architecture | Packaging Format | Publishing guidelines | Testing checklist |

What’s Changed in a nutshell:

• ida.plugin.json file has new required and optional fields.
• Plugins need to be packed into ZIP Archive
• You should publish releases on GitHub

Migrating your existing plugins

Already submitted a plugin under the plugins.hex-rays.com? Check our FAQ for guidance on updating to the new ecosystem.

October 2025

Introducing HCLI Commands and Documentation Resources

With the release of HCLI - an extendable command-line interface for managing licenses, downloads, and more - the docs now include hint boxes showing HCLI commands as faster alternatives to certain actions. This is especially worth taking a glimpse at for admins who manage multiple license environments or plugin authors looking to automate their workflows.

Getting started:

• Check out the HCLI documentation for installation steps, usage examples, and guidance on creating extensions.

Automation workflow:

• Are you a plugin developer who wants to automate plugin testing and workflows? Take a look at the HCLI IDA GitHub Action for CI/CD integration that automatically installs IDA Pro and allows you to run tests across multiple platforms.

August 2025

Domain API Documentation Resources

The easy-to-use Domain API is our newly released, Pythonic interface for developing IDA plugins and scripts. To help you get up and running quickly with this open-source API, we’ve prepared a set of documentation resources:

• Getting Started Guide, including installation and first steps
• Real-life Code Examples
• Domain API Reference

Not sure if the Domain API is right for you?

If you’re new to the Domain API, start with our FAQ to see how it compares with existing approaches and whether it suits your needs.

June 2025

Revamped Subviews Overview

We refreshed and updated the Subviews listing and overview.

March 2025

Improved IDC Reference

We’ve refined the experience for the IDC Reference documentation. Starting now, you can explore it just like the IDAPython and C++ SDK references. To improve searchability and usability, we’ve moved the IDC function lists to a dedicated site. Meanwhile, conceptual documentation, such as core concepts, remains under the Developer Guide.

License Server on WSL – New Guide

We updated our Admin Guide with a step-by-step tutorial on how to configure the license server on WSL, making it easier for Windows users to set up and manage the Hex-Rays server for floating licenses.

February 2025

Debugger Tutorials – revamped and expanded

• The local Linux Debugger and WinDbg Debugger tutorials have been revamped for clarity and updated.
• A brand-new WinDbg Time Travel Debugging (TTD) tutorial has been added, covering installation, setup and essential commands.

License management command line options

The -Olicense command line switch is now documented as a part of the license manager.

January 2025

New Floating Licenses User Guide

We’ve introduced a Floating Licenses User Guide, that explains core concepts such as seats allocation, checking out, and borrowing licenses.

December 2024

Updated Porting Guides

With the recent changes to our API that came into life with SP1 for IDA 9.0, we updated Porting Guides for IDAPython and C++ SDK.

New IDAPython examples

With the new or reworked IDAPython examples that were added to our examples library, we revamped the examples categories to make the navigation among them more intuitive. Take a look at the new Working with types category for samples that utilize our updated Types endpoints.

Revamped IDAPython reference

We updated the UI layout of IDAPython Reference Documentation and improve cross-referencing.

November 2024

Other updates

• To reflect the current state of Local Types window as a one hub to all types-related operations, we updated the Subviews.

October 2024

With IDA 9.0, we changed how the Hex-Rays documentation is organized and added new guides and tutorials to kickstart your IDA journey and ease the migration from previous IDA versions.

New Structure

Our docs are divided into three main categories:

• User Guide, dedicated to individual users and covering whole IDA products (including add-ons, like Teams and Lumina). Most of the documentation regarding IDA, like manuals or tutorials, is currently accessible under the User Guide.
• Developer Guide, which focuses on developer’s needs, covers the reference and contextual documentation for IDAPython API and C++ SDK, as well as native IDC language. This part is mainly dedicated to plugin authors and devs interested in enhancing basic IDA capabilities with our development kit or scripting.
• Admin Guide mainly focuses on administrators installing and managing servers for Teams and Lumina or floating licenses.

In Archive, we gathered docs with rather historical value that some of you may still find interesting but focused on previous versions of IDA.

New Getting Started Guides

We prepared a Getting Started section for IDA newbies and also gathered additional materials to help you find your way around our IDAPython API or IDA SDK.

Migration and Porting Guides

For those familiar with previous versions of IDA, we prepared Porting Guides for IDAPython and C++ SDK. If you use the Flexera server for floating licenses, check our Migration Guide for new Hex-Rays license server.

New features described

We added installation and setup guides for IDA Feeds plugin and idalib.

Getting Started

First experience with IDA? Great, you are in the right place. Here you can find guides designed to quickly onboard you into IDA. We will walk you through license activation and IDA installation to the essential tasks you can perform in IDA.

Install IDA

By following the steps in this guide, you can successfully install your IDA instance on macOS, Linux, and Windows.

The installation steps are valid for all product versions: IDA Pro, IDA Home, or IDA Free.

This installation guide is dedicated to individual users.

Minimum system requirements

{% tabs %} {% tab title=“macOS” %} macOS 12 (Monterey) or later (x64 or ARM64) {% endtab %}

{% tab title=“Linux” %} x64 (x86_64) CentOS 7 or later, Ubuntu 16.04 or later. Other equivalent distributions may work but not guaranteed. {% endtab %}

{% tab title=“Windows” %} Windows 8 or later (x64) {% endtab %} {% endtabs %}

Pre-installation steps

Activate your named or computer license via My Hex-Rays portal.

Installation on macOS

Prerequisites:

• Ensure that you have activated your computer/named license and downloaded your license file (ida.hexlic) locally.
• Make sure Python 3 or later is installed on your computer for the IDAPython API to function properly.

Step 1: Download the installer

• Download the macOS version of IDA Pro from Download Center in My Hex-Rays portal.

Quick alternative
{% hint style=“success” %}

HCLI Commands | See HCLI Docs

hcli download {% endhint %}

Step 2: Run the installer

• Extract the .zip archive.
• Double-click on the extracted file to run the instalation wizard.
• Follow the wizard’s instructions to complete the installation:
  • accept the license agreement and installation directory;
  • copy your ida.hexlic file to IDA installation directory or to $HOME/.idapro directory before launching IDA.

Quick alternative {% hint style=“success” %}

HCLI Commands | See HCLI Docs

hcli ida install <path-to-installer> {% endhint %}

Step 3: Launch IDA Pro for the first time

• Double-click on the IDA Pro icon to launch the application.

Step 4: Point to your named/computer license

{% hint style=“info” %} The step below is valid for named and computer licenses for individual use. If you are going to use floating licenses, check this alternative step. {% endhint %}

• In the License manager pop-up window, specify the path of your license file and click OK.

{% hint style=“info” %} You won’t be asked about your license again unless the subscription period expires or you move your license file to a different location. {% endhint %}

Installation on Linux

Prerequisites:

• Ensure that you have activated your computer/named license and downloaded your license file (ida.hexlic) locally.
• Make sure Python 3 or later is installed on your computer for the IDAPython API to function properly.
• Verify that you have the required libraries installed. Use your package manager to install any missing dependencies. Common dependencies include libx11, libxext, libxrender, and libglib2.0.

Step 1: Download the installer

• Download the Linux version of IDA Pro from Download Center in My Hex-Rays portal.

Quick alternative
{% hint style=“success” %}

HCLI Commands | See HCLI Docs

hcli download {% endhint %}

Step 2: Run the installer

• Navigate to the directory containing your IDA installer, and make it executable.
• Run the installer by double-click it or enter ./<your_IDA_version_>linux.run in the terminal to execute it.
• Follow the wizard’s instructions to complete the installation:
  • accept the license agreement and installation directory;
  • copy your ida.hexlic file to IDA installation directory or to $HOME/.idapro directory before launching IDA.

Quick alternative {% hint style=“success” %}

HCLI Commands | See HCLI Docs

hcli ida install <path-to-installer> {% endhint %}

Step 3: Launch IDA Pro for the first time

• Go to the directory where IDA is installad and run the command: ./ida90

Step 4: Point to your named/computer license

{% hint style=“info” %} The step below is valid for named and computer licenses for individual use. If you are going to use floating licenses, check this alternative step. {% endhint %}

• In the License manager pop-up window, specify the path of your license file and click OK.

{% hint style=“info” %} You won’t be asked about your license again unless the subscription period expires or you move your license file to a different location. {% endhint %}

Installation on Windows

• Ensure that you have activated your computer/named license and downloaded your license file (ida.hexlic) locally.
• Make sure Python 3 or later is installed on your computer for the IDAPython API to function properly.

Step 1: Download the installer

• Download the Windows version of IDA Pro from Download Center in My Hex-Rays portal.

Quick alternative
{% hint style=“success” %}

HCLI Commands | See HCLI Docs

hcli download {% endhint %}

Step 2: Run the installer

• Locate the downloaded .exe file and double-click it to run the installer.
• Follow the installation wizard’s instructions to complete the installation:
  • accept the license agreement and installation directory;
  • copy your ida.hexlic file to IDA installation directory or to %APPDATA%/Hex-Rays/IDA Pro directory before launching IDA.

Quick alternative {% hint style=“success” %}

HCLI Commands | See HCLI Docs

hcli ida install <path-to-installer> {% endhint %}

Step 3: Launch IDA Pro for the first time

• Navigate to the Start Menu or desktop shortcut and launch IDA Pro.

Step 4: Point to your named/computer license

{% hint style=“info” %} The step below is valid for named and computer licenses for individual use. If you are going to use floating licenses, check this alternative step. {% endhint %}

• In the License Manager pop-up window, specify the path of your license file and click OK.

{% hint style=“info” %} You won’t be asked about your license again unless the subscription period expires or you move your license file to a different location. {% endhint %}

Use floating license server

Step 1: In the License manager pop-up window, select the option Use floating license server and then type a license server hostname provided by your administrator.

Step 2: Borrow one of the licenses visible under the available licenses list and click OK.

Note that you don’t need a license file stored on your machine locally while using floating licenses.

Common Post-Installation Steps

Step 1: Update IDA Pro

• After installation, check for any available updates. Hex-Rays often releases patches and updates for IDA Pro. You can check for updates within the application via Help -> Check for free update or download the latest version from My Hex-Rays portal.

Step 2: Configure environment (optional)

• Customize your IDA Pro environment settings to suit your preferences. This can include configuring hotkeys, and adjusting appearance settings.

Step 3: Install additional plugins (optional)

• You can extend the functionality of IDA Pro by installing additional plugins that can be found on the official Hex-Rays repository or other trusted sources in the reverse engineering community.

Licensing

In this document, we covered the fundamentals of our licensing model—including how to activate your license based on its type, check license’s details and share them with your team members.

Here, you can learn how to:

• Activate your licenses
  Named | Computer | Floating | In Bulk
• Add and activate servers
  Lumina | Teams | License server
• Check license details or modify them
• Download your license files
• Invite team members
• Change your current plan or renew your current plan

Licenses overview

License types

At Hex-Rays, we offer two basic license types for IDA products, which are suitable for individual users:

• Named licenses, that are assigned to specific individuals.
• Computer licenses that are assigned to specific devices.

There is also an additional type, called floating licenses, that allow a set number of concurrent users but are not assigned to specific individuals or devices.

{% hint style=“info” %} Floating licenses are available only for IDA Pro and dedicated to business/organization purposes. {% endhint %}

How many licenses should I have?

Beside the license for IDA product, you need also a separate active license for each server available in your subscription.

The components of your subscription that require their own license:

• Base IDA license (e.g., IDA PRO Expert 4)
• Teams server for Teams add-on
• Lumina server for Lumina add-on
• License server for floating licenses

Example: You’ve purchased IDA PRO Expert 4 Plan with Teams and Private Lumina, along with floating type of license with 6 seats. In this case, you’ll need to activate the following four licenses:

1. License server license
2. Private Lumina server license
3. Teams server license
4. IDA PRO Expert 4 license

What’s a license file?

The .hexlic license file contains your license ID and other data, and is required to make your IDA instance fully operative after installation (or your Lumina, Teams or License server). You can download your license files from My Hex-Rays portal, after their activation.

{% hint style=“info” %} Once you’ve downloaded your license, it cannot be modified. {% endhint %}

License activation

To complete the installation, you need an active IDA license with an assigned owner (for a named license) or a MAC address (for a computer/floating license). Without activation, you cannot download your license file.

What is needed to activate my license?

• for named licenses: the email address of the owner,
• for computer licenses: the MAC address of a specific device
• for floating licenses: the MAC address of the device where the license server will be running

{% hint style=“info” %} The license type (named/computer/floating) is selected when you purchase your subscription. {% endhint %}

Where can I activate my license?

From the License tab in My Hex-Rays portal, you can initiate the activation process and open the License activation dialog from several locations:

• In the table, locate your license and click Activate Now (1),
• Click on the desired license to open its detail view, then click Activate License (2), or
• Select multiple licenses of the same type by ticking their checkboxes, then click Bulk Activation (3).

Named licenses activation

1. Go to My Hex-Rays portal and navigate to the Licenses tab.
2. Locate the license ID you want to activate. Ensure it has the Pending activation status.

{% hint style=“info” %} If you haven’t completed the KYC procedure yet, you will need to do so for accessing paid products. A Pending KYC status indicates that your verification is still in progress and must be completed before you can activate your license. {% endhint %}

3. Open the License activation dialog, select decompilers and click Next.
4. Assign the ownership of the license: set the email address for this IDA instance user (it can be yours) and click Activate license.

Your license is now active.

You can check the license details and modify it if needed. If all details are correct, you can download your license key.

Computer licenses activation

1. Go to My Hex-Rays portal and navigate to the Licenses tab.
2. Locate the license ID you want to activate. Ensure it has the Pending activation status.

{% hint style=“info” %} If you haven’t completed the KYC procedure yet, you will need to do so for accessing paid products. A Pending KYC status indicates that your verification is still in progress and must be completed before you can activate your license. {% endhint %}

3. Open the License activation dialog, select decompilers and click Next.
4. Add the MAC address of the machine where this IDA instance will be installed and running (it can be yours) and click Activate license.

Your license is now active.

You can check the license details and modify it if needed. If all details are correct, you can download your license key.

Download the license files

If you are sure that all of the license details are correct, you can go ahead and download your license hexlic file. You will need it to complete the installation process.

{% hint style=“warning” %} Downloading the license locks the configuration and prevents further edits. {% endhint %}

1. Go to the Licenses tab in My Hex-Rays portal.
2. Under the Actions column, click the three dots and then Download hexlic from the dropdown menu (1), or, alternatively, in the license detail view, click Download hexlic.

3. To download multiple license files at once, select the desired licenses by ticking their checkboxes, or click Select all. Then, click Download License Files (2). You’ll receive an email with a link to download all license files and a CSV.

Download the floating license files

1. Go to the Servers tab in My Hex-Rays portal and locate your IDA License Server Plan.
2. Under the Actions column, click the three dots and then Download hexlic from the dropdown menu.

{% hint style=“info” %} In a floating license setup, you don’t need the individual hexlic files for the IDA clients installed on users’ machines. {% endhint %}

Quick alternative {% hint style=“success” %}

HCLI Commands | See HCLI Docs

hcli license get {% endhint %}

What’s next?

Now you are ready to install your IDA instance.

Floating licenses activation

To use floating licenses, you need to activate:

• A license for your license server
• A base IDA Pro license linked to that server

Both licenses can be activated and linked in a single step, as described below.

1. Navigate to the Licenses tab and look for your IDA license with Floating label. Ensure it has the Pending activation status.
2. Open the License activation dialog, select decompilers and click Next.
3. Assign a license server. If you added the license server before, select the Use existing server option and then tick the server from the list. If you haven’t done it yet, you can add and activate a license server now—select Add new server option, type the MAC address and click Add.

4. Add tags if needed, and click Activate license to finalize.
5. Your license(s) is now active.

You can check the license details and modify it if needed.

If all details are correct, you can download your license key and license files for the license server.

Bulk activation

If you have multiple licenses of the same type (for example, ten IDA PRO Expert 2 licenses), you can activate them all in a single batch operation. All licenses activated in bulk will share the same configuration details, decompilers set, and add-ons, while allowing for unique owner email addresses and MAC addresses.

1. Go to My Hex-Rays portal and navigate to the Licenses tab.
2. Locate the licenses you want to activate with the Pending activation status. Select all of them by ticking the checkboxes on their left side.
3. In the top menu that appears after selection, click Bulk Activation.

4. In the new dialog, select decompilers (this action is done for all licenses in a batch) and click Next.
5. Depending on your licenses type, assign the license user’s emails or set the MAC addresses. Optionally, you can add tags.
6. Click Activate Licenses.

You’ve noticed a mistake? No worries, you can still edit your selected licenses before downloading them.

Bulk download the license files

1. In the Licenses tab, select the licenses for bulk download and click Download License Files.
2. After confirmation, you’ll get an email with link to download all license files + CSV.

License details

The License Details card provides a complete overview of the license, including assigned decompilers and users it has been shared with. You can edit access permissions and tags at any time, even for active and already downloaded licenses.
To open the License Details view, go to the My Hex-Rays portal, open the License or Servers tab, and click the license you want to view.

License editing

When you activate your license using one of the methods shown above, you can still make changes—such as modifying the decompiler set—as long as you have not downloaded the license file(s). Once the license file(s) are downloaded, further modifications will no longer be possible.

To edit the license:

1. Go to My Hex-Rays portal and navigate to the Licenses or Servers tab.
2. Locate the licenses you want to edit with the Active status. Under the Actions column, click the three dots and then Edit from the dropdown menu, or alternatively, in the license detail view, click Edit. If the Edit option is not visible, it means the license has already been downloaded and can no longer be edited.

3. Make changes and click on Next/Activate license to confirm.

Server licenses

If your subscription includes a server (for Private Lumina, Teams or floating licenses), you’ll need to activate the corresponding server licenses to download the license files. To do so, make sure to add the relevant servers to your account.

{% hint style=“info” %} You can create and activate the license server simultaneously during the IDA floating license activation process. {% endhint %}

Add servers

1. In My Hex-Rays portal, go to the Servers tab and click + Add server.

2. Select the type of server(s) you want to add and click Next. You may add multiple servers at one go.

3. Assign MAC addresses and click Create servers to finalize.
4. After that, your servers will appear in the Servers list with an Active status, allowing you to download the server certificates (1) and hexlic files (2).

5. If you are using floating licenses, you can now go ahead and activate your IDA licenses that uses the server.

{% hint style=“info” %} Ensure all floating license plans associated with the license server are activated before downloading the license server hexlic file. {% endhint %}

Downloading the server license files

Once all IDA PRO licenses intended for use with your floating license server have been activated, you can proceed to download the server’s hexlic file and license certificate.
Maintaining this order is crucial—the hexlic file contains essential details about the linked licenses, which are properly embedded only when the IDA license is associated with the specific floating license server.

License server installation for admins

Server installation for floating licenses should be done by the administrator. Check our Admin Guide for details.

How can I start using IDA as a floating license user?

Once your administrator installs a license server, adds particular license seats to the pool, and hands over the credentials, you are ready to install your IDA instance.

You don’t need to download a license file/key to your local machine while using the floating licenses server.
New to the floating licenses? Check our Floating Licenses User Guide.

Floating licenses check-out

Every time you launch IDA, you’ll see the License Manager pop-up window. As long as there are free seats, you can check-out one of the available licenses and start using IDA.

{% hint style=“info” %} Note that some of the available licenses may have different decompilers and add-ons enabled. {% endhint %}

Add-ons servers’ licenses

Private Lumina server activation for admins

Each of our add-ons, Teams and Private Lumina, requires an active license to work properly. To proceed with Lumina installation and setup, an active server’s license is required.

1. Add server in your account (activate the license).
2. Locate your server license on the Servers tab and download the following files:

• lumina server certificate (1)
• .hexlic file (license key) (2)

You’ll need both files to continue with the server installation and setup.

Quick alternative {% hint style=“success” %}

HCLI Commands | See HCLI Docs

hcli license get {% endhint %}

Private Lumina server installation for admins

Server installation for Private Lumina should be done by the administrator. Check our Admin Guide for details.

Teams server activation for admins

Each of our add-ons, Teams and Private Lumina, requires an active license to work properly. To proceed with Teams installation and setup, an active server’s license is required.

1. Add server in your account (activate the license).
2. Locate your server license on the Servers tab and download the following files:

• teams server certificate (1)
• .hexlic file (license key) (2)

You’ll need both files to continue with the server installation and setup.

Quick alternative {% hint style=“success” %}

HCLI Commands | See HCLI Docs

hcli license get {% endhint %}

Teams server installation for admins

Server installation for Teams should be done by the administrator. Check our Admin Guide for details.

Grant access to manage licenses

You can invite your teammates to view and activate licenses via their own My Hex-Rays account. To grant access:

1. Select license(s) you want to share and click Grant Access (1).
2. Add the email address of your teammate and click Confirm (2).
3. Your team member will receive an email invitation to log in to the portal and access the shared licenses.

The License Details view allows you to review who currently has access to the license, remove users, or grant access to new ones.

Key points:

• Once a license has been downloaded, it cannot be modified.
• Multiple licenses of the same type can be activated in bulk.
• You can grant the access to manage licenses to other teammates, while the ownership of the license remains the same.

Change your plan

If you need additional decompilers or add-ons, you can upgrade your plan at any time through My Hex-Rays portal.

Steps to update your plan:

1. Go to the Licenses tab.
2. Find/select the IDA license plan you want to renew.
3. Click Renew/Change plan in the top panel or in the license’s row in the table.

4. Review the plan options. You can upgrade your plan, change the license type to floating, and add seats or add-ons.
5. Select Change plan (starts immediately) to apply the changes right after the upgrade. Click Continue to Payment to finalize.

6. The new plan will appear under the Licenses tab with a Pending Activation status. Activate the license to start using the updated plan.

{% hint style=“info” %}

Actions Required After Update

If you upgraded your plan (for example, from IDA PRO Expert 2 to IDA PRO Expert 4), you will need to activate your new license and download the new license files before you can use the updated plan. {% endhint %}

Renew your plan

You can renew your subscription and, if needed, change your plan(s) in one go through My Hex-Rays portal.

Steps to renew and change your plan:

1. Go to the Licenses tab.
2. Find/select the IDA license plan you want to renew.
3. Click Renew/Change plan in the top panel or in the license’s row in the table.

4. Select subscription duration and review the plan options. You can upgrade/downgrade your plan, change the license type, and add seats or add-ons.
5. Select one of the following options:

• Renew (starts after current period), if you want all changes to be applied at the renewal date, or
• Change plan (starts immediately), if you want the changes to take effect right away. Click Continue to Payment to finalize.

6. Based on your selection, follow the appropriate scenario:

• a. Renewal without plan change: The subscription validity is automatically extended. Re-download the license files and save them in your usual location (You can check and change the .hexlic location via Help → License Manager…).
• b. Renewal with plan change: The new plan will appear under the Licenses tab with a Pending Activation status. You need to activate it, then download and save the new license file locally.

{% hint style=“info” %} If you would like to downgrade your current plan, you can do that at your next renewal date only. {% endhint %}

{% hint style=“info” %}

Actions Required After Renewal With/Without Upgrade

If you upgraded your plan (for example, from IDA PRO Expert 2 to IDA PRO Expert 4), you will need to activate your new license and download the new license files before you can use the updated plan. If you renewed your existing plan without changes, re-download a license file to apply the extended validity period. {% endhint %}

License Renewal and Update FAQ

How can I change only my decompilers?

If you only want to change the type of decompilers (not the number of decompilers, and without upgrading or downgrading your plan), this can be done after your current plan expires. Instead of renewing the current plan, you will need to place a new order. A new license will then be generated, and during activation you will be able to choose different decompilers.

How can I add more decompilers to my current plan?

To add more decompilers to your active subscription, you’ll need to upgrade to a higher plan that includes the desired number of decompilers. You can upgrade your plan at any time through My Hex-Rays portal, and choose to apply the changes immediately.

What changes can I make during renewal?

You can apply the following changes during renewal via My Hex-Rays portal:

• Switch to a different license type
• Upgrade or downgrade your plan
• Add optional add-ons (Teams or Lumina)
• Add additional seats

Some changes, such as downgrading a plan or changing the license type from computer to named, can only take effect at the next term, not during the active subscription period.

For other modifications, such as changing an active license type from named to computer, contact our Sales team

What changes can I make to my active license?

During your current subscription period, you can:

• Upgrade to a higher plan
• Add seats or add-ons
• Switch to a floating license type

You can apply these changes immediately to your active license.

Can I change the license type of my active subscription plan?

During an active subscription period, the only license type change you can make yourself via My Hex-Rays portal is switching to a floating license. Other changes (e.g., switching between named and computer licenses) are only possible at renewal for the next term, or require assistance from our Sales team.

Can I downgrade my active license?

Downgrades are possible only for your next renewal date.

I have IDA Pro Essential and want to upgrade to IDA Pro Expert 4. How can I do this?

You can upgrade your plan at any time through the Customer Portal, and choose to apply the changes immediately, or at your next renewal date. Check the details on how to change your current plan.

I have named license, can I change the license type to computer?

You can change the license type (for example, from the named to computer) via customer portal only while renewing for the next term. In other words, you cannot change the license type for active subscription period. If you need to do that for some reason, contact our Sales team.

Why can’t I renew or change the license?

If the Renew/Change plan option is missing or greyed out, it means the license was shared with you and bought by someone else. Only the person who purchased the license can renew or modify the plan.

Basic Usage

Basic Usage

In this document, we’ll explore the essentials of IDA capabilities to kickstart your journey and disassemble your first binary file.

Prerequisites

Your IDA instance is installed and running.

Before you begin

What files and processors are supported?

IDA natively recognizes plenty of file formats and processors.

If you later realize that’s not enough, you can always use one of our community plugins that add additional formats or processor types or try to write your own with C++ SDK.

What are IDA database files?

IDA stores the analysis results in the IDA Database files (called IDB), with the extension .i64. This allows you to save your work and continue from the same point later. After loading a file at the beginning, IDA does not require access to the binary.

Any modifications you make are saved in the database and do not affect the original executable file.

Dive deeper

• Blog: :pencil: Check what exactly IDB contains in Igor’s tip of the week about IDA database.

What decompilers can I work with?

IDA provides decompilers designed to work with multiple processor architectures. The number of decompilers and their type (local or remote) available in your IDA instance depends on your chosen product and subscription plan and affects your ability to produce C-like pseudocode.

Where can I find exemplary binaries to work with?

Check CrackMe, from where you can download executable files to test your reverse engineering skills.

Part 1: Loading your file

When you launch IDA, you will see a Quick Start dialog that offers three ways to continue. For now, we’ll focus on loading a new file and proceeding to disassembly results.

1. Launch IDA and in the Quick start dialog (1), click New.
2. Specify the path for your binary file.
3. In the Load a new file dialog (2), IDA presents loaders that are suited to deal with a selected file. Accepting the loader default selection and then the processor type is a good strategy for beginners. Click OK to confirm your selection.

4. IDA begins autoanalysis of your binary file.

After completion, you will be present with the default IDA desktop layout, that we’ll describe in the next part.

Dive deeper

• Video: :video_camera: Watch different ways of loading files in our channel.

Part 2: UI overview

After autoanalysis is done, you’ll see the main IDA desktop with the initial results. Let’s examine the default desktop layout and commonly used UI elements.

1. Main menu bar (1)
2. Toolbar (2)
3. Navigation band (3)
4. Subviews (4)
5. Output (5)
6. Status bar (6)

Main menu bar

The main menu bar provides quick access to essential features. Moreover, almost all menu commands can be quickly accessible via customizable shortcuts.

For a handy cheatsheet of all commands and their hotkeys, check Options -> Show command palette….

Dive deeper

• Docs: :book: Check our User Guide for a comprehensive description of all menu items.

Toolbar

Below the main menu bar, you will see a toolbar with icons that give you quick access to common functionalities (available also via the main menu/shortcuts). It has just one line by default, but you can customize it by adding or rearranging your actions.

Dive deeper

• Video: :video_camera: Curious about practical ways to set up your toolbar? Watch our video tutorial.

Navigation band

The navigation band shows the graphical representation of the analyzed binary file and gives a short overview of its contents and which areas may need your attention. The yellow arrow (indicator) shows where the cursor is currently positioned in the disassembly view.

As you’ll soon recognize, the colors used in the nav band match those in other views.

Dive deeper

• Blog: :pencil: A detailed navigation band overview with the full colors legend you can found in Igor’s tip of the week.

Output

The output window is a place where various messages and logs are displaying, often describing what currently IDA is doing, like analyzing data or running a script. In the CLI box you can type commands in IDC language or IDAPython.

Status bar

At the bottom left corner of the IDA window, you can see the status bar, which contains:

• analysis indicator AU, which shows the actual status of autoanalysis (1). In our case, it is idle, which means the autoanalysis is already finished.
• search direction indicator (2)
• remaining free disk space (3)

Right-clicking on the status bar brings up a context menu that allows you to reanalyze the program.

Dive deeper

• Docs: :book: To check all possible values and their meaning, take a look at analysis options.

Subviews

The subviews are one of the most prominent parts of your everyday work with IDA. These additional views (behaving like tabs) give a different perspective and information on the binary file, but the number of native IDA subviews may be a bit overwhelming. Here, we will focus on the most versatile and common subviews for beginners, where you’ll spend most of the time, like:

• IDA View
• Pseudocode
• Hex Dump View
• Local Types
• Functions View

IDA View / Disassembly Window

When autoanalysis is done, you will see a graph view inside an IDA View by default. This flowchart graph should help you to understand the flow of the functions.

{% hint style=“info” %} The graph view is available only for the part of the binary that IDA has recognized as functions. {% endhint %}

IDA view has three modes:

• graph view (1), that shows instructions grouped in blocks,
• linear view (2), that lists all instructions and data in order of their addresses,
• and proximity view (3), which allows you to see relations between functions, global variables, and other parts of the program.

{% hint style=“info” %} Press Space to switch between graph and linear mode. Proximity view is available from the context menu in IDA view. {% endhint %}

Dive deeper

• Video: :video_camera: Check our video tutorial covering the basics of graph view.
• Blog: :pencil: Read the graph mode overview in Igor’s tip of the week.

Hex View Window

In hex view, you can see the raw bytes of the program’s instructions.

There are two ways of highlighting the data in this view:

1. Text match highlight, which shows matches of the selected text anywhere in the views.
2. Current item highlight, which shows the bytes group constituting the current item.

{% hint style=“info” %} The IDA view, pseudocode, and hex view can be synchronized, meaning that they highlight the same part of the analyzed program, and changes made inside one of the views are visible in the others. {% endhint %}

Dive deeper

• Video: :video_camera: Listen about hex view and others in our video tutorial.
• Blog: :pencil: Detailed overview of the hex view you can read in Igor’s tip of the week.

Pseudocode Window

Generated by the famous F5 shortcut, the pseudocode shows the assembly language translated into human-readable, C-like pseudocode. Click Tab to jump right into the Pseudocode view.

Local Types Window

This view shows the high-level types used in databases, like structs or enums.

Dive deeper

• Docs: :book: Check our manual giving an overview of Local Types window.

Functions Window

This window displays all the functions recognized by IDA, along with key details for each:

• Function name
• Segment the segment that contains the function
• Start: the function starting address
• Length: the size of the function in bytes
• Local: the amount of stack space taken by local variables
• Arguments: the amount of stack space taken by arguments

By default, the entire window is not visible, so you may scroll horizontally to see the hidden elements. As you probably noticed, the colors in Functions window match the colors in navigation band; in our example, green highlighting shows functions recognized by Lumina.

This view is read-only, but you can automatically synchronize the function list with the IDA view, pseudocode, or hex view. Click to open the context menu and select Turn on synchronization.

Dive deeper

• Docs: :book: Read the manual explaining all of the function window columns in detail.
• Video: :video_camera: Watch our video tutorial exploring the functions view.

Part 3: Basic navigation

A crucial step in mastering IDA is learning how to navigate quickly to specific locations in the output. To help you get started, we’ll cover essential commands and hotkeys commonly used for efficient navigation in IDA.

Double-click and jump to the location

When you double-click on an item, such as a name or address, IDA automatically jumps to that location and relocate the display.

Jump to address

1. Go to Jump -> Jump to address.. or press G hotkey
2. Enter the item name or hex address in the dialog box, then click OK.

To jump back to the previous position, press Esc. To jump to the next position, press Ctrl + Enter. You can also navigate using the arrows in the toolbar.

See the list of cross-references

1. Position the cursor on a function or instruction, then go to Jump -> Jump to xref to operand… or press X to see the dialog with listed all cross-references to this identifier.
2. Select an item from the list and click OK to jump to that location.

Dive deeper

• Video: :video_camera: Explore the rest of the jump commands in our video tutorial

Part 4: Manipulate your disassembly results

Now that the initial autoanalysis is done and you’ve mastered the basics of navigation, it’s time to explore the basic interactive operations that reveal the true power of IDA in transforming your analysis.

Rename a stack variable

One of the first steps you might take is to enhance readability by assigning meaningful names to local or global variables, but also functions, registers and other objects that IDA initially assigned a dummy name.

1. In the IDA View, right-click on the variable you want to rename and click Rename or press N when the variable is cursor-highlighted.
2. In the newly opened dialog, insert a new name and click OK.

If at any point you want to go back to the original dummy name given by IDA, leave the field blank and click OK. It will reset the name to the default one.

{% hint style=“info” %} Once you change the name, IDA will propagate the changes through the decompiler and Pseudocode view. {% endhint %}

Dive deeper

• Video: :video_camera: Watch our step-by-step tutorial on renaming techniques.
• Blog: :pencil: Check Igor’s tips of the week for expert advice on renaming.

Add a comment

Adding comments may be a useful way to annotate your work.

1. Highlight the line where you want to insert a comment and press :.
2. In the dialog box, type your comment (you can use multiple lines) and click OK. This will add a regular (non-repeatable) comment to the location.

{% hint style=“info” %} If you want to add a repeatable comment in every location that refers to the original comment, press ‘;’. {% endhint %}

Dive deeper

• Video: :video_camera: Watch our tutorial about commenting.

Part 5: Customizing IDA

Nearly every UI element is customizable, allowing you to rearrange and align widgets to suit your habits. You can save your personalized desktop layout by going to Windows -> Save desktop.

Most of the basic appearance you can change under Options menu.

• To change the colors or theme, go to Options -> Colors.
• To change the font, go to Options -> Fonts.

If you need more control over customization settings, you may check the IDA configuration files.

Part 6: Debug your file

If you are ready to delve into dynamic analysis and start debugging your programs, here are some key steps to get you started:

1. Select the right debugger and complete the setup: Go to Debugger -> Select debugger… and pick up one of the available debuggers. Under Debugger -> Debugger options, you can configure the setup in detail.
2. Add breakpoints: Right-click on the line where you want to stop the execution and select Add breakpoint from the context menu, or press F2.
3. Start the process: Run the debugging session by pressing F9 or click a green arrow on the tooltip.

Dive Deeper

• Docs: :book: Read our User Guide for local and remote debugging manuals, or check step-by-step tutorials for specific debuggers.

Part 7: Install a plugin

One of the most common way of extending IDA capabilities is to use one of our community-developed plugins.

Where can I find IDA plugins?

You can find a variety of plugins in the official Hex-Rays plugin repository, or via HCLI and Plugin Manager.

{% hint style=“success” %}

HCLI Commands | See HCLI Docs

hcli plugin search {% endhint %}

Installing your plugin

For this guide purposes, we’ll walk you through general installation steps.

{% hint style=“info” %} The installation process can vary depending on the plugin and some of them may required installing dependencies or further configuration. Don’t hesitate to refer to the specific instructions provided by the plugin author. {% endhint %}

Quick alternative
{% hint style=“success” %}

HCLI Commands | See HCLI Docs

hcli plugin install <plugin-name> {% endhint %}

Load your plugin

1. Copy your plugin folder to the plugins directory inside your IDA installation directory.
2. Alternatively, you can load the plugin from the command line in IDA by using File -> Script file… and selecting app.entry.py file.

Run your plugin

1. Navigate to Edit -> Plugins -> your_plugin_name or use the assigned hotkey.

{% hint style=“info” %} You may need to restart IDA to see your plugin in the list. {% endhint %}

Dive deeper

• Docs: :book: Want to learn about writing your own plugins?
  • For an easy entry point, check our Domain API.
  • Need more low-level control? Check our Developer Guide on how to create a plugin in IDAPython or with C++ SDK.

Key hotkeys cheatsheet

Here’s a handy list of all of the shortcuts we used so far.

• Space Switches between graph and linear mode in the IDA View
• F5 Generates pseudocode
• Tab Jumps into pseudocode View
• G Opens Jump to address dialog
• Esc Jumps back to the previous position
• Ctrl + Enter Jumps to the next position
• X Shows the list of all cross-references
• N Opens dialog to rename the current item
• ; Adds repeatable comment
• : Adds regular comment

Domain API: Beginner-friendly scripting and plugin development in IDA

Looking to extend IDA’s capabilities with your own scripts or plugins? Meet the Domain API—a high-level, Pythonic interface designed to simplify development and make interacting with IDA more intuitive.

• Check Getting Started with the Domain API, and
• Browse Real-life Domain API Examples to kickstart.

What’s next?

User Guide

Explore our in-depth guides, crafted to help you navigate through IDA features and master its advanced capabilities.

User Interface

Menu Bar

{% hint style=“info” %} The menu bar in IDA gives you access to whole range of commands. All menus are always available, but some adapt their content based on your current view and your cursor position. {% endhint %}

Context-Independent Menus

These menus provide the same options regardless of which view you’re working in:

• File: Handles opening and loading binaries, importing/exporting data, and producing output files.
• View: Provides fast access and options to show and organize views, graphs, and toolbars.
• Debugger: Provides controls for running, stepping through, and analyzing programs in real-time.
• Lumina: Connects to Private or Public Lumina service to share and retrieve function metadata across different binaries.
• Options: Configures IDA’s appearance, fonts, colors, disassembly preferences, and more.
• Windows: Opens various tool windows and manages desktops.
• Help: Your gateway to various help resources and license manager.

View-Dependent Menus

The following top-level menus (1) dynamically change their content based on your active view (2) and cursor location.

• Edit - Provides context-sensitive editing operations like patching bytes, modifying instructions, renaming symbols, and changing data types.
• Jump - Navigates to addresses, functions, cross-references, and other locations within the binary.
• Search - Search for strings, patterns, instructions, constants, and references in the disassembly.

Icon	Current View	Context-Sensitive Menu Actions
	Disassembly/IDA View	• Edit • Jump • Search
	Hex View	• Edit • Jump • Search
	Pseudocode	• Edit • Jump • Search
	Local Types	• Edit • Jump • Search
	Functions	• Edit • Jump • Search

File menu actions for Common

Below is an overview of all actions that can be accessed from this menu.

Reload the input file

Reload the input file. This command reloads the same input file into the database. IDA tries to retain as much information as possible in the database. All the names, comments, segmentation information and similar will be retained. Only the values of individual bytes will be changed. This command works for some input file types only: if the file was loaded into the database with special settings, this command may fail. In this case, use Dump database to IDC file command and reload the file manually.

Additional binary file…

Load additional binary file. The new file is added to the current database and all existing information is retained. The file content will appear as unexplored bytes in the program. This command only allows you to load binary files.

IDS/IDT file…

Load a symbol file (IDS). An IDS file contains information about well-known functions (such as functions from MS Windows API), namely:

• their names
• their ordinal number in the DLL
• an eventual informative comment
• the number of parameters passed on the stack
• the number of parameters purged when returning IDS files are automatically loaded if they are found in the IDS directory. This command allows you to load an IDS file from any directory, even after the main file has been loaded into the database.

PDB file…

Load a debug information file (PDB). If the program being disassembled has a companion PDB file, then this command may be used to load information from the PDB file into the database. By default IDA uses in-house code to parse and load PDB files. However, our code can not parse old v2.0 PDB files. For them, IDA can fall back to using Microsoft DLLs (the default is “do not fall back”). Please read more in cfg/pdb.cfg. Command line switch -Opdb:option1:option2 overrides for ida session the value in cfg/pdb.cfg.

DBG file…

Load a debug information file (DBG). This command loads a DBG file. If the program being disassembled has a companion DBG file, then this command may be used to load information from a DBG file into the database. IDA loads DBG files automatically if it can find them in the directory with the input file. The built-in debug information loader cannot load NB10 format files and PDB files. To load those files, please use a special plugin, PDB.DLL, which can be run manually using Edit → Plugins submenu. This plugin uses MS Windows DLLs to load the debug information and therefore has the following limitations:

• it works only under MS Windows
• it will load only PDBs compatible with the currently installed IMAGEHLP.DLL

TDS file…

Load a debug information file (TDS). If the program being disassembled has a companion TDS file, this command may be used to load information from the TDS file into the database. The TDS file must be placed in the same directory together with the input file. The LoadTdsFile command launches a special plugin TDS.DLL, which can be run manually using Edit → Plugins submenu.

FLIRT signature file…

Load a FLIRT signature file. This command allows you to apply an additional signature file to the program. A signature file contains patterns of standard runtime functions. With their help, IDA is able to recognize the standard functions and names them accordingly. IDA attempts to detect the necessary signature files automatically but unfortunately, this is not always possible. This command adds the specified signature file into the planned signature files queue. Signature files reside in the subdirectories of the SIG directory. Each processor has its own subdirectory. The name of the subdirectory is equivalent to the name of the processor module file (z80 for z80.w32, for example). Note: IBM PC signatures are located in the SIG directory itself. Note: the IDASGN environment variable can be used to specify the location of the signatures directory.

There is another way to load a signature file: you may insert/delete signature files in the following way:

• open the signatures window
• press Ins to insert a signature file to the queue
• press Del to delete a signature file from the queue

This is a preferred way of applying signatures because useful information, such as the number of identified functions is displayed in the signature window.

{% hint style=“info” %} FLIRT works only for the processors with normal byte size. The byte size must be equal to 8 (processors with wide bytes like AVR or DSP56K are not supported) {% endhint %}

Parse C header file…

This command allows you to apply type declarations from a C header file to the program. IDA reads and parses the specified header file as a C compiler does. In other words, it mimics the front-end of a C compiler with some restrictions:

• Only type declarations are allowed. The function definitions in the input file are skipped.
• Not all C++ header files are not supported, only simple classes can be parsed.
• The compiler specific predefined macros are not defined, you have to define them manually in the header file.

Don’t forget to specify the compiler and memory model in the compiler setup dialog box (Options → Compiler…) before loading a header file. All type declarations found in the input file are stored in the current database in the form of a type library. These type declarations can be used to define new structure and enumeration definitions.

In the case of an error in the input file, the error messages appear in the message window. In any case, the function declarations that are already parsed are not deleted from the database. IDA stops parsing the input file when 20 errors occur. IDA 7.7 introduced an alternative header file parser based on libclang.

Create MAP file…

Create a map information file. Please enter a file name for the map. IDA will write the following information about this file:

• current segmentation
• list of names sorted by values

You may disable the generation of the segmentation information. You may also enable or disable dummy names (Options → Name representation…) in the output file. You can use this map file for your information, and also for debugging (for example, Periscope from Periscope Company or Borland’s Turbo Debugger can read this file).

Create ASM file…

Create an assembler file. Please enter a file name for the assembler text file. IDA will write the disassembled text to this file. If you have selected a range on the screen using the Begin selection command (action Anchor), IDA will write only the selected range (from the current address to the anchor). If some I/O problem (e.g., disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

Create INC file…

Create an include file. Please enter a file name for the assembler include file. IDA will write the information about the defined types (structures and enums) to this file. If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

Create LST file…

Create a listing file. Enter a file name for the assembler listing file. IDA will write the disassembled text to this file. If you’ve selected a range on the screen using the Begin selection command (action Anchor), IDA will write only the selected range (from the current address to the anchor). If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

Create EXE file…

Create an executable file. Enter a file name for the new executable file. Usually this command is used after patching (see actions PatchByte, PatchWord) to obtain a patched version of the file. IDA produces executable files only for:

• MS DOS .exe
• MS DOS .com
• MS DOS .drv
• MS DOS .sys
• general binary
• Intel Hex Object Format
• MOS Technology Hex Object Format

For other file formats please create a difference file (the Create DIFF file command; action ProduceDiff).

{% hint style=“info” %} Only Change byte… and Change word… commands (see actions PatchByte, PatchWord) affect the executable file contents, other commands (including the Manual… command) will not affect the content of the disassembled file. {% endhint %}

EXE files: Output files will have the same EXE-header and relocation table as the input file. IDA will fill unused ranges of the EXE file (e.g. between relocation table and loadable pages) with zeroes.

Create DIF file…

Create a difference file. This command will prompt you for a filename and then will create a plain text difference file of the following format:

 comment
 filename
 offset: oldval  newval 

Create HTML file…

Create a HTML file. Please enter a file name for the HTML file. IDA will write the disassembled text to this file. If you’ve selected a range on the screen using the Begin selection command (action Anchor), IDA will write only the selected range (from the current address to the anchor). If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created. This command is available only in the graphical version of IDA.

Create flow chart GDL…

Create flow chart GDL. This command creates a GDL (graph description file) with the flow chart of the current function. If there is an active selection, its flow chart will be generated. IDA will ask for the output file name. Regardless of the specified extension, the .GDL extension will be used.

Create call graph GDL…

Create call graph GDL. This command creates a GDL (graph description file) with the graph of the function calls. IDA will ask for the output file name. Regardless of the specified extension, the .GDL extension will be used.

Create C header file…

Creates a header file from local types. This command saves all definitions in the local types window into a C header file.

Dump database to IDC file…

Dump database to IDC file. This command saves current IDA database into a text file.

You can use it as a safety command:

• to protect your work from disasters
• to migrate information into new database formats of IDA.

This command is used when you want to switch to a new version of IDA. Usually each new version of IDA has its own database format. To create a new format database, you need:

1. to issue the ‘Dump…’ command for the old database (using old version of IDA). You will get an IDC file containing all information from your old database.
2. to reload your database using new IDA with switch -x.
3. to compile and execute the IDC file with command ‘Execute IDC file’ (usually F2)

Please note that this command does not save everything to text file. Any information about the local variables will be lost!

Dump typeinfo to IDC file…

Dump type information to IDC file. This command saves information about the user-defined types from the IDA database into a text file.

Information about enums, structure types and other user-defined types is saved in a text form as an IDC program.

You can use this command to migrate the type definitions from one database to another.

Take database snapshot…

Take database snapshot. The snapshot can be later restored from the database snapshot manager.

{% hint style=“info” %} Snapshots work only with regular databases. Unpacked databases do not support them. {% endhint %}

Edit

Edit menu actions for IDA View

{% hint style=“info” %} The options below appear when the Edit menu is opened from the IDA View. In other views, the menu adapts dynamically and may show a different set of options. {% endhint %}

Below is an overview of all actions that can be accessed from this menu.

Begin selection

Begin selection. Some IDA commands such as selecting a portion of file to output or specifying a segment to move need an anchor.

To drop the anchor, you can either use the Alt + L key or the Shift + ↑, ←, →, ↓ combination, which is more convenient. You can also drop the anchor with the mouse by simply clicking and dragging it.

After you’ve dropped the anchor, you can navigate freely using arrows, etc. Any command that uses the anchor, raises it.

The anchored range is displayed with another color.

When you exit from IDA, the anchor value is lost.

Undo

This command reverts the database to the state before executing the last user action. It is possible to apply Undo multiple times, in this case multiple user actions will be reverted.

Please note the entire database is reverted, including all modifications that were made to the database after executing the user action and including the ones that are not connected to the user action. For example, if a third party plugin modified the database during or after the user action, this modification will be reverted. In theory it is possible to go back in time to the very beginning and revert the database to the state that was present immediately after performing the very first user action. However, in practice the undo buffers overflow because of the changes made by autoanalysis.

Autoanalysis (Options → General… → Analysis) generates copious amounts of undo data. Also, please note that maintaining undo data during autoanalysis slows it down a bit. In practice, it is not a big deal because the limit on the undo data is reached quite quickly (in a matter of minutes). Therefore, if during analysis the user does not perform any actions that modify the database, the undo feature will turn itself off temporarily.

However, if you prefer not to collect undo data at all during the initial autoanalysis, just turn off the UNDO_DURING_AA parameter in ida.cfg.

The configuration file ida.cfg has 2 more undo-related parameters:

Since there is a limit on the size of undo buffers, any action, even the tiniest, may become non-undoable after some time. This is true because the analysis or plugins may continue to modify the database and overflow the buffers. Some massive actions, like deleting a segment, may be non-undoable just because of the sheer amount of undo data they generate.

Please note that Undo does not affect the state of IDC or Python scripts. Script variables will not change their values because of Undo. Also nothing external to the database can be changed: created files will not be deleted, etc.

Some actions cannot be undone. For example, launching a debugger or resuming from a breakpoint cannot be undone.

Redo

This command reverts the previously issued Undo command. It is possible to use Redo multiple times.

This command also reverts all changes that were done to the database after the last Undo command, including the eventual useful modifications made by the autoanalysis. In other words, the entire database is modified to get to the exact state that it had before executing the last Undo command.

Code

Convert to instruction. This command converts the current unexplored bytes to instruction(s). IDA will warn you if it is not possible.

If you have selected a range using the Anchor action, all the bytes from this range will be converted to instructions.

If you apply this command to an instruction, it will be reanalyzed.

Data

Convert to data. This command converts the current unexplored bytes to data. If it is not possible, IDA will warn you.

Multiple using of this command will change the data type:

 db -> dw -> dd -> float -> dq -> double -> dt -> packreal -> octa \;
 ^                                                                 |;
 \---------<----------------<--------------<-----------------------/;

You may remove some items from this list using the Setup data types… command (action SetupData).

If the target assembler (Options → General… → Analysis) does not support double words or another data type, it will be skipped. To create a structure variable, use the Struct var… command (action DeclareStructVar). To create an array, use the Array… command (action MakeArray). To convert back, use the Undefine command (action MakeUnknown).

Struct var…

Declare a structure variable. IDA will ask you to choose a structure type. You must have some structure types defined in order to use this command. If the target assembler supports it, IDA will display the structure in terse form (using just one line). To uncollapse a terse structure variable use the Unhide command. You can also use this command to declare a structure field in another structure (i.e., nested structures are supported too).

String

Convert to string. This command converts the current unexplored bytes to a string. The set of allowed characters is specified in the configuration file, parameter StrlitChars. Character ‘\0’ is not allowed in any case. If the current assembler (Options → General → Analysis → Target assembler) does not allow characters above 0x7F, characters with high bit set are not allowed. If the anchor has been dropped, IDA will take for the string all characters between the current cursor position and the anchor. Use the anchor if the string starts a disallowed character.

This command also generates a name for the string. In the configuration file, you can specify the characters allowed in names (NameChars). You can change the literal string length using Array… command (action MakeArray). The GUI version allows you to assign a special hotkey to create Unicode strings. To do so, change the value of the StringUnicode parameter in the IDAGUI.CFG file.

Array…

Convert to array. This command allows you to create arrays and change their sizes.

The arrays are created in 2 simple steps:

1. Create the first element of array using the data definition commands (data, string, structs)

2. Apply the array command to the created data item. Enter array size in current array elements (not bytes). The suggested array size is the minimum of the following values:

• the address of the next item with a cross reference
• the address of the next user-defined name For string literals, you can use this command to change the length of the string.

The dialog box contains the following fields:

• Items on a line (meaningless for string literals):

  • 0 - place maximal number of items on a line
  • other value - number of items on a line Please note that the margin parameter affects the number of items on a line too.

• Alignment (meaningless for string literals):

  • -1 - do not align items
  • 0 - align automatically
  • other value - width of each item

• Signed elements: if checked, IDA treats all elements as signed numbers. Only meaningful for numbers (not for offsets and segments and strings)

• Display indexes: if checked, IDA will display the indexes of array elements in the form of comments (0,1,2…)

• Create as array: if not checked, IDA will create a separate item for each array element. Useful for creating huge arrays. If the box is unchecked when this command is applied to string literals, IDA will create many string literals instead of one big string.

If applied to a variable-sized structure, this command is used to specify the overall size of the structure. You cannot create arrays of variable-sized structures.

Undefine

Convert to undefined. This command deletes the current instruction or data, converting it to ‘unexplored’ bytes. IDA will delete the subsequent instructions if there are no more references to them (functions are never deleted).

If you have selected a range using the Anchor action, all the bytes in this range will be converted into ‘unexplored’ bytes. In this case, IDA will not delete any other instructions even if there are no references to them after the deletion.

Rename

Rename the current location. This command gives name/renames/deletes name for the current item.

To delete a name, simply give an empty name.

If the current item is referenced, you cannot delete its name. Even if you try, IDA will generate a dummy name (See Options → Name representation…).

List of available options:

• Local name: The name is considered to be defined only in the current function. Please note that IDA does not check the uniqueness of the local names in the whole program. However, it does verify that the name is unique for the function.

• Include in name list: Here you can also include/remove the name from the name list (see the Jump by name… command; action JumpName). If the name is hidden, you will not see it in the names window.

• Public name: You can declare a name as a public (global) name. If the current assembler supports the “public” directive, IDA will use it. Otherwise, the publicness of the name will be displayed as a comment.

• Autogenerated name: An autogenerated name will appear in a different color. If the item is indefined, it will disappear automatically.

• Weak name: You can declare a name as a weak name. If the current assembler supports the “weak” directive, IDA will use it. Otherwise, the weakness of the name will be displayed as a comment.

• Create name anyway: If this flag is on, and if the specified name already exists, IDA will try to variate the specified name by appending a suffix to it.

Offset (data segment)

Convert the current operand to an offset in the data segment. This command converts the immediate operand of the current instruction/data to an offset from the current data segment (DS). If the current DS value is unknown (or equal 0xFFFF) IDA will warn you - it will beep. In this case, you have to define DS register value for the current byte. The best way to do it is:

• jump to segment register change point (the Jump to segment register… command; action JumpSegmentRegister),
• change value of DS (the Change segment register value… command; action SetSegmentRegister)
• return (the Jump back command; action Return) or you can change default value of DS for the current segment (the Set default segment register value… command; action SetSegmentRegisterDefault).

If you want to delete offset definition, you can use this command again - it works as trigger. If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected. If a range is selected using the anchor, IDA will perform ‘en masse’ conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified. To create offsets to structure members use the Offset (struct)… command (action OpStructOffset).

Offset (current segment)

Convert the current operand to an offset in the current segment. If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected. If a range is selected using the anchor, IDA will perform ‘en masse’ conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise, it will be left unmodified. If this command is applied to a structure member in the Local types window, then IDA will create an “automatic offset”. An automatic offset is an offset with the base equal to 0xFFFFFFFF. This base value means that the actual value of the base will be calculated by IDA when a structure instance is created. To create offsets to structure members use the Offset (struct)… command (action OpStructOffset).

Offset by (any segment)…

Convert the current operand to an offset in any segment. This command converts the immediate operand of the current instruction/data to an offset from any segment. IDA will ask to choose a base segment for the offset. If a range is selected using the anchor, IDA will perform ‘en masse’ conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified. If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected. To create offsets to structure members use Offset (struct)… command (action OpStructOffset).

Offset (user-defined)…

Convert the current operand to an offset with any base. If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected. If the offset base is specified as 0xFFFFFFFF, then IDA will create “an automatic offset”. Automatic offsets mean that the actual value of the base will be calculated by IDA.

The following offset attributes are available:

The offset expression is displayed in the following concise form: offset target - $ where “$” denotes the start of the element (and is assembler-dependent).

To create offsets to structure members use the Offset (struct)… command (action OpStructOffset).

Offset (struct)…

Convert the current operand to a structure offset. This command permits to convert all immediate operands of instructions in a range selection to a path of offsets through a structure and its possible sub unions. If no selection is active, IDA will simply permit to convert the current operand. In this case, it will display a simple dialog box the same way as the text version (see below). You can select the desired register in the drop-down list: all operands relative to this register will be added to the ‘Offsets’ list. A special empty line in the drop-down list is used to directly work on immediate values. Checkboxes in the ‘Offsets’ list allow you to select which operand you indeed want to modify. By default, IDA will select only undefined operands, to avoid overwriting previous type definitions. This list is sorted by operand value, by instruction address and finally by operand number. You can easily see the instructions related to the operand by moving the mouse over it, and wait for a hint to be displayed. The ‘Structures and Unions’ tree will contain all selectable structures, and sub unions. Once you select or move over a structure, the ‘Offsets’ list updates itself for each checked offset: the computed name of the operand is displayed, according to the selected structure in the tree. An icon is also drawn, to easily know if a specific structure matches the offset or not, or if the offset is too big for the selected structure. The structures who match the most offsets will be near the top of the tree. You can also move your mouse over structures in the tree to obtain an interesting hint. A ‘?’ icon can also appear, if the offset can be specialized by selecting an union member. In this case, if you expand the structure in the tree, you can select the adequate union member simply by checking the desired radio button. IDA automatically corrects the related name in the ‘Offsets’ list. The ‘Offset delta’ value represents the difference between the structure start and the pointer value. For example, if you have an operand 4 and want to convert in into an expression like “mystruct.field_6-2”, then you have to enter 2 as the delta. Usually the delta is zero, i.e. the pointer points to the start of the structure. The ‘Hide sub structures without sub unions’ option (checked by default) avoids to add unnecessary sub structures to the tree, to keep it as small as possible. If you uncheck this option, all sub structures will be added to the tree. By default, IDA displays the structure member at offset 0. To change this behavior, you can directly disable the ‘Force zero offset field’ in the ‘Options’ frame. Later zero offsets can be forced using Edit → Structs → Force zero offset menu item.

Text version

This command converts immediate operand(s) type of the current instruction/data to an offset within the specified structure. Before using this command, you have to define a structure type. First of all, IDA will ask a so-called “struct offset delta”. This value represents the difference between the structure start and the pointer value. For example, if you have an operand 4 and want to convert in into an expression like “mystruct.field_6-2”, then you have to enter 2 as the delta. Usually the delta is zero, i.e. the pointer points to the start of the structure. If a range is selected using the anchor, IDA will perform ‘en masse’ conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the an operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified. When you use this command, IDA deletes the manually entered operand. If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected. By default IDA doesn’t display the structure member at offset 0. To change this behavior, use the Force zero offset field command. Moreover, if there are several possible representations (this can happen if unions are used), select the desired representation using the Select union member… command.

Number (default)

Convert the current operand to a number. That way, you can delete suspicious mark of the item. The number is represented in the default radix for the current processor (usually hex, but octal for PDP-11, for example). When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Hexadecimal

Convert the current operand to a hexadecimal number. This command converts the immediate operand(s) type of the current instruction/data to a hex number, so that you can delete the suspicious mark of the item. When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Decimal

Convert the current operand to a decimal number. This command converts the immediate operand(s) type of the current instruction/data to decimal. Therefore, it becomes a ‘number’. When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Octal

Convert the current operand to a octal number. IDA always uses 123o notation for octal numbers even if the current assembler does not support octal numbers. When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Binary

Convert the current operand to a binary number. This command makes the current instruction or data operand type binary. IDA always uses 123b notation for binary numbers even if the current assembler does not support binary numbers. When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Floating point

Convert to floating point. When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Toggle leading zeroes

Toggle leading zeroes.

This command displays or hides the leading zeroes of the current operand. Example: if the instruction looked like this:

    and     ecx, 40h

then after applying the command it will look like this:

    and     ecx, 00000040h

If you prefer to see leading zeroes in all cases, then open the calculator and enter the following expression: set_inf_attr (INF_GENFLAGS, get_inf_attr(INF_GENFLAGS) | INFFL_LZERO); This will toggle the default for the current database and all numbers without leading zeroes will become numbers with leading zeroes, and vice versa. See also Edit|Operand types submenu.

Manual…

Enter the current operand manually. You may specify any string instead of an operand if IDA does not represent the operand in the desired form. In this case, IDA will simply display the specified string in the instruction instead of the default operand.

The current operand (under the cursor) will be affected.

You can use this command not only with instructions but with data items too.

IDA proposes the previous manual operand as the default value in the input form.

To delete the manual operand and revert back to the default text, specify an empty string.

IDA automatically deletes manually entered operands when you change operand representation using Edit → Operand types submenu.

{% hint style=“info” %} A text offset reference is generated if you use a label in the program as the operand string. In other cases no cross-references are generated. {% endhint %}

Enter comment…

Enter a regular comment. If you stand at the function start and your cursor is on a function name, IDA will ask you to enter a function comment. If you stand at the segment start and your cursor is on a segment name, IDA will ask you to enter a segment comment. If this command is issued in the Local types window, it allows you to change the comment of a structure/enum, or structure/enum member. If the cursor is on the structure/enum name, the structure/enum comment will be changed, otherwise the member comment will be changed. Otherwise, this command allows you to enter a normal indented comment for the current item. You can show/hide all comments in Options → General → Disassembly → Display disassembly line parts: Comments.

Enter repeatable comment…

Enter repeatable comment. A repeatable comment will appear attached to the current item and all other items referencing it. If you stand at the function start, IDA will ask you to enter a function comment. If this command is issued in the Local types window, it allows you to change the comment of a structure/enum, or structure/enum member. If the cursor is on the structure/enum name, the structure/enum comment will be changed, otherwise the member comment will be changed. Otherwise, this command allows you to enter a repeatable comment for the current item.

{% hint style=“info” %} You cannot enter repeatable segment comments. {% endhint %}

All items that refer to the current item will have this comment by default. Note that if you have defined both comment types (regular and repeatable), the regular comment will be displayed for the current item and the repeatable comment will be displayed for all items that refer to the current item, if they do not have their own comments. The repeatable comments may be used to describe subroutines, data items, etc., because all calls to the subroutine will have the repeatable comment. You can show/hide all comments in Options → General → Disassembly → Display disassembly line parts: Comments.

Enter anterior lines…

Enter lines preceding the generated lines. If you want to enter multi-line comments or additional instructions, you can use this feature of IDA.

There are two kinds of extra lines: the ones generated before the instruction line and the ones generated after the instruction line.

Do not forget that the maximal number of lines for an item is 500.

IDA does not insert a comment symbol at the beginning of the lines.

Create segment…

This command allows you to create a new segment.

If you select a range using the anchor, IDA will propose the start address and the end address of the selection as defaults for the segment bounds.

You need to specify at least:

• the segment start address
• the segment end address (excluded from the range)
• the segment base

Click here to learn about addressing model used in IDA.

If “sparse storage” is set, IDA will use special sparse storage method for the segment. This method is recommended for huge segments. Later, it is possible to change the storage method of any region using set_storage_type IDC function.

If another segment already exists at the specified address, the existing segment is truncated and the new segment lasts from the specified start address to the next segment (or specified end address, whichever is lower). If the old and the new segments have the same base address, instructions/data will not be discarded by IDA. Otherwise, IDA will discard all instructions/data of the new segment.

An additional segment may be created by IDA to cover the range after the end of the new segment.

Edit segment…

Edit segment attributes. This command opens the Change segment attributes dialog.

Change segment attributes options

• How to change segment name
• How to change segment class
• How to change segment addressing mode (16/32)
• How to change segment alignment
• How to change segment combination

{% hint style=“info” %} Changing the segment class may change the segment type. {% endhint %}

• Move Adjacent Segments: means that the previous and next segments will be shrunk or expanded to fill gaps between segments. Click here for more information.

• Disable Addresses: if set, when a segment is shrunk, all information about bytes going out of the segment will be completely removed.. Otherwise, IDA will discard information about instructions/data, comments etc, but will retain byte values so that another segment can be created later and it will use the existing byte values.

If IDA creates 2 segments where only one segment must exist, you may try the following sequence:

• Delete one segment (action KillSegment). Choose one with bad segment base value. Do not disable addresses occupied by the segment being deleted.
• Change bounds of another segment. Note that the Create segment… command (action CreateSegment) changes the boundaries of the overlapping segment automatically.

Segments with the “debugger” attribute are the segments whose memory contents are not saved in the database. Usually, these segments are created by the debugger to reflect the current memory state of the program.

However, the user can modify this attribute.

If it is cleared, then the segment will permanently stay in the database after closing the debugger session. The database will reflect the state of the segment which was at the time when the status is changed.

If it is set, then the segment will become a temporary segment and will be deleted at the end of the debugging session.

The debugger segment checbkox is available only during debugging sessions.

The “loader” segments are the segment created by the file loader. The segment having this attribute are considered to be part of the input file.

A segment with the “debugger” attribute set and the “loader” attribute not set is considered to be an ephemeral segment. Such segments are not analyzed automatically by IDA.

“Segment permissions” group box can be used to modify Segment access permissions (Read/Write/Execute)

Segment Name

Enter a new name for the segment. A segment name is up to 8 characters long. IDA does check if the length is ok. Try to give mnemonic names for the segments.

Class Name

The segment class name identifies the segment with a class name (such as CODE, FAR_DATA, or STACK). The linker places segments with the same class name into a contiguous range of memory in the runtime memory map.

Changing the segment class changes only the segment definition on the screen. There are the following predefined segment class names:

If you change segment class and the segment type is “Regular”, then the segment type will be changed accordingly.

In order to set the segment type “Regular”, you should change the segment class to “UNK”.

{% hint style=“info” %} Segment class names are never deleted. Once you define a segment class name, you cannot reuse it as a name of another object. {% endhint %}

Segment bitness

You can choose between 16-bit and 32-bit segment addressing.

IDA will delete all instructions and data in the segment if the segment address is changed.

Never do it if you are not sure. It may have irreversible consequences, all instructions/data will be converted to undefined bytes.

Segment Alignment

You can specify the segment alignment for the selected segment. By default, IDA assumes ‘byte’ alignment.

Changing the alignment changes only the segment definition on the screen. Nothing else will happen.

Segment Combination

A field that describes how the linker can combine the segment with other segments. Under MS-DOS, segments with the same name and class can be combined in two ways: they can be concatenated to form one logical segment, or they can be overlapped. In the latter case, they have either the same start address or the same end address, and they describe a common range in memory. Values for the field are:

• Private: Do not combine with any other program segment.
• Public: Combine by appending at an offset that meets the alignment requirement.
• Stack: Combine as for Public. This combine type forces byte alignment.
• Common: Combine by overlay using maximum size.

Changing segment combination changes only the segment definition on the screen. Nothing else will happen.

Delete segment…

Delete segment. IDA will ask your the permission to disable the addresses occupied by the segment. If you allow this operation, all information about the segment will be deleted. In other words, IDA will discard the information about instructions or data, comments etc.

If you check the “disable addresses” checkbox, IDA will mark the addresses occupied by the segment as “nonexistent” in the program. You will lose ALL information, including byte values.

It is impossible to disassemble the content of addresses not located in any segment, therefore you must create a new segment if you want to resume the disassembly of that part of the code.

You can also edit an adjacent segment to expand it to those addresses (Edit → Segments → Edit segment…).

IDA will ask your the permission to disable addresses occupied by the segment. If you give your permission, information about the segment will be deleted, otherwise IDA will discard information about instruction/data, comments etc, but retain byte values so that you will be able to create another segment afterwards. To disassemble the addresses occupied by the segment, you need to create a new segment again (i.e. you cannot disassemble bytes without a segment). You can also expand another adjacent segment to these addresses.

Move current segment…

Change the current segment boundaries. This command open the Move segment dialog and allows you to move segment(s) to another address. Use it if the segment(s) are loaded at a wrong address. This command shifts (moves) the selected segments in the memory to the target address. There must be enough free space at the target address for the segments. All information in the segment will be moved to the new address, but since the addresses change, the disassembly might be not valid anymore (especially if the program is moved to the wrong addresses and the relocation information is not available).

Fix up the relocated segment

This option allows IDA to modify the references to/from the relocated segment(s). If it is turned off, the references might be wrong after the move.

Rebase program…

Rebase program. The whole program will be shifted by the specified amount of bytes in the memory. The following options are available (we strongly recommend to leave them turned on):

• Fix up relocations: This option allows IDA to modify the references to/from the relocated segment(s). If it is turned off, the references might be wrong after the move.
• Rebase the whole image: This option is accessible only if the whole program is selected. It allows IDA to adjust internal variables on the whole program.

Please note rebasing the program might remove user-defined xrefs.

Change segment register value…

Change segment register value. Relevant only for processors with the segment registers. Currently this command works for IBM PC, TMS320C2, Intel80196, and PowerPC processors. This command creates or updates a segment register change point. See also the Jump to segment register… command (action JumpSegmentRegister) for more info.

Set default segment register value…

Set default segment register value. Relevant only for processors with the segment registers. You can specify a default value of a segment register for the current segment. When you change the default value, IDA will reanalyze the segment, taking the default value when it cannot determine the actual value of the register. This takes time, so do not be surprised if references are not corrected immediately.

To specify a value other than the default value of a segment register, you can use the Change segment register value… command (action SetSegmentRegister).

Struct var…

Declare a structure variable. IDA will ask you to choose a structure type. You must have some structure types defined in order to use this command. If the target assembler supports it, IDA will display the structure in terse form (using just one line). To uncollapse a terse structure variable use the Unhide command. You can also use this command to declare a structure field in another structure (i.e., nested structures are supported too).

Force zero offset field

Toggle display of the first field of a structure in an offset expression. This command forces IDA to display a full structure member name even if the offset of the member is equal to zero.

If used twice, the command cancels itself.

Example: Suppose we have the following structure:

    xxx     struc
    a       db ?
    b       db ?
    c       db ?
    xxx     ends

    dloc    xxx ?

Normally IDA displays references to it like this:

    mov     eax, offset dloc
    mov     eax, offset dloc.b

If you force IDA, then it displays member ‘a’:

    mov     eax, offset dloc.a
    mov     eax, offset dloc.b

Select union member…

Choose the representation of a union member. This command tells IDA how to display references to a union from the current cursor location.

Example: Suppose we have the following union:

        xxx     union
        a       db ?
        b       dw ?
        c       dd ?
        ends   xxx
        dloc    xxx ?

Normally, IDA displays references to “dloc” like this:

        mov     al,  byte ptr dloc
        mov     eax, word ptr dloc

After using this command, IDA can display the union members:

        mov     al,  dloc.b
        mov     eax, dloc.d 

Create struct from selection

This command defines a new structure from data already defined. The new structure is created with adequate data types, and each member uses the current data name if it is available.

This command is available only in the graphical version of IDA.

Copy field info to pointers

Copy field info to pointed addresses. This command scans the current struct variable and renames the locations pointed by offset expressions unless they already have a non-dummy name.

It also copies the type info from the struct members to pointed locations.

Create function…

Create a new function in the disassembly. You can specify function boundaries using the anchor. If you don’t specify any, IDA will try to find the boundaries automatically:

• function start point is equal to the current cursor position;
• function end point is calculated by IDA.

A function cannot contain references to undefined instructions. If a function has already been defined at the specified addresses, IDA will jump to its start address, showing you a warning message. A function must start with an instruction.

Edit function…

Edit function attributes - change function properties, including bounds, name, flags, and stack frame parameters. This command opens an Edit Function dialog, and allows you to modify function characteristics and stack frame structure. If the current address does not belong to any function, IDA will beep.

To change only the function end address, use the FunctionEnd command instead. This command allows you to change the function frame parameters too. You can change sizes of some parts of frame structure.

Stack Frame Structure

IDA represents the stack using the following structure:

{% hint style=“info” %} For some processors or functions, BP may equal SP, meaning it points to the bottom of the stack frame. {% endhint %}

You may specify the number of bytes in each part of the stack frame. The size of the return address is calculated by IDA (possibly depending on the far function flag).

           push    ebp
           lea     ebp, [esp-78h]
           sub     esp, 588h
           push    ebx
           push    esi
           lea     eax, [ebp+74h]

      +------------------------------+
      | function arguments           |
      +------------------------------+
      | return address               |
      +------------------------------+
      | saved registers (SI,DI,etc)  |
      +------------------------------+  <- typical BP
      |                              |
      |                              |
      |                              |  <- actual BP
      | local variables              |
      |                              |
      |                              |
      |                              |
      +------------------------------+  <- SP

In our example, the saved registers area is empty (since EBP has been initialized before saving EBX and ESI). The difference between the ‘typical BP’ and ‘actual BP’ is 0x78 and this is the value of FPD.

After specifying FPD=0x78 the last instruction of the example becomes

           lea     eax, [ebp+78h+var_4]

where var_4 = -4

Most of the time, IDA calculates the FPD value automatically. If it fails, the user can specify the value manually.

If the value of the stack pointer is modified in an unpredictable way, (e.g. “and esp, -16”), then IDA marks the function as “fuzzy-sp”.

If this command is invoked for an imported function, then a simplified dialog box will appear on the screen.

See also:

• Igor’s Tip of the Week #126: Non-returning functions
• Igor’s tip of the week #106: Outlined functions

Configurable Parameters

• Stack Frame Sizes: You can specify the number of bytes in each part of the stack frame. The return address size is calculated automatically by IDA (may depend on the far function flag).
• Purged Bytes: Specifies the number of bytes added to SP upon function return. This value calculates SP changes at call sites (used in calling conventions such as __stdcall in Windows 32-bit programs).
• BP Based Frame: Enables IDA to automatically convert [BP+xxx] operands to stack variables.
• BP Equal to SP: Indicates that the frame pointer points to the bottom of the stack. Commonly used for processors that set up the stack frame with EBP and ESP both pointing to the bottom (e.g., MC6816, M32R).
• Reanalysis: Pressing Enter without changing any parameter will cause IDA to reanalyze the function.

Append function tail…

This command appends an arbitrary range of the program to a function definition. A range must be selected before applying this command. This range must not intersect with other function chunks (however, an existing tail can be added to multiple functions).

IDA will ask to select the parent function for the selection and will append the range to the function definition.

Remove function tail…

Remove function tail. This command removes the function tail at the cursor from a function definition. If there are several parent functions for the current function tail range, IDA will ask to select the parent function(s) to remove the tail from. After the confirmation, the current function tail range will be removed from the selected function definition. If the parent was the only owner of the current tail, then the tail will be destroyed. Otherwise it will still be present in the database. If the removed parent was the owner of the tail, then another function will be selected as the owner.

Change stack pointer…

Change stack pointer. This command allows you to specify how the stack pointer (SP) is modified by the current instruction.

You cannot use this command if the current instruction does not belong to any function.

You will need to use this command only if IDA was not able to trace the value of the SP register. Usually IDA can handle it but in some special cases it fails. An example of such a situation is an indirect call of a function that purges its parameters from the stack. In this case, IDA has no information about the function and cannot properly trace the value of SP.

Please note that you need to specify the difference between the old and new values of SP.

The value of SP is used if the current function accesses local variables by [ESP+xxx] notation.

See also how to convert to stack variable (Action OpStackVariable).

Rename register…

Rename a general processor register. This command allows you to rename a processor general register to some meaningful name. While this is not used very often on IBM PCs, it is especially useful on RISC processors with lots of registers. For example, a general register R9 is not very meaningful and a name like ‘CurrentTime’ is much better.

This command can be used to define a new register name as well as to remove it. Just move the cursor on the register name and press enter. If you enter the new register name as an empty string, then the definition will be deleted.

If you have selected a range before using this command, then the definition will be restricted to the selected range. But in any case, the definition cannot cross the function boundaries.

You cannot use this command if the current instruction does not belong to any function.

Set type…

Set type information for an item or current function. This command allows you to specify the type of the current item. If the cursor is located on a name, the type of the named item will be edited. Otherwise, the current function type (if there is a function) or the current item type (if it has a name) will be edited.

The function type must be entered as a C declaration. Hidden arguments (like ‘this’ pointer in C++) should be specified explicitly. IDA will use the type information to comment the disassembly with the information about function arguments. It can also be used by the Hex-Rays decompiler plugin for better decompilation. Here is an example of a function declaration:

    int main(int argc, const char *argv[]);

It is also possible to specify a function name coming from a type library. For example, if entering “LoadLibraryW” would yield its prototype:

    HMODULE __stdcall LoadLibraryW(LPCWSTR lpLibFileName);

provided that the corresponding type library is in memory. To delete a type declaration, just enter an empty string. IDA supports the user-defined calling convention. In this calling convention, the user can explicitly specify the locations of arguments and the return value. For example:

    int __usercall func@<ebx>(int x, int y@<esi>);

denotes a function with 2 arguments: the first argument is passed on the stack (IDA automatically calculates its offset) and the second argument is passed in the ESI register and the return value is stored in the EBX register. Stack locations can be specified explicitly:

    int __usercall runtime_memhash@<^12.4>(void *p@<^0.4>, int q@<^4.4>, int r@<^8.4>)

There is a restriction for a __usercall function type: all stack locations should be specified explicitly or all are automatically calculated by IDA. General rules for the user defined prototypes are:

• the return value must be in a register. Exception: stack locations are accepted for the __golang and __usercall calling conventions.

• if the return type is ‘void’, the return location must not be specified

• if the argument location is not specified, it is assumed to be on the stack; consequent stack locations are allocated for such arguments

• it is allowed to declare nested declarations, for example: int **__usercall func16@(int *(__usercall *x)@ (int, long@, int)@);

  Here the pointer “x” is passed in the ESI register; The pointed function is a usercall function and expects its second argument in the ECX register, its return value is in the EBX register. The rule of thumb to apply in such complex cases is to specify the the registers just before the opening brace for the parameter list.

• registers used for the location names must be valid for the current processor; some registers are unsupported (if the register name is generated on the fly, it is unsupported; inform us about such cases; we might improve the processor module if it is easy)

• register pairs can be specified with a colon like edx:eax

• for really complicated cases this syntax can be used. IDA also understands the “__userpurge” calling convention. It is the same thing as __usercall, the only difference is that the callee cleans the stack.

The name used in the declaration is ignored by IDA. If the default calling convention is __golang then explicit specification of stack offsets is permitted. For example:

  __attribute__((format(printf,2,3)))
  int myprnt(int id, const char *format, ...);

This declaration means that myprnt is a print-like function; the format string is the second argument and the variadic argument list starts at the third argument.

Below is the full list of attributes that can be handled by IDA.

Data Declaration Keywords

For data declarations, the following custom __attribute((annotate(X))) keywords have been added. The control the representation of numbers in the output:

Type Declaration Keywords

The following additional keywords can be used in type declarations:

Change byte…

Change program bytes. You can modify the executable file and eventually generate a new file (the Create EXE file… command; action ProduceExe). If you patch bytes, then you may enter multiple bytes (see also Binary string format). If this command is invoked when the debugger is active, then IDA will modify the memory and the database. If the database does not contain the patched bytes, then only the process memory will be modified. You can create a difference file too (the Create DIFF file… command; action ProduceDiff). See also How to Enter a Number.

Assemble…

This command allows you to assemble instructions. Currently, only the IBM PC processors provide an assembler, nonetheless, plugin writers can extend or totally replace the built-in assembler by writing their own.

The assembler requires to enclose all memory references into square brackets. For example:

        mov ax, [counter]

Also, the keyword ‘offset’ must not be used. Instead of

        mov eax, offset name

you must write

        mov eax, name

See also How to Enter a Number.

Patched bytes

Open the Patched bytes window. The Patched bytes view shows the list of the patched locations in the database. It also allows you to revert modifications selectively.

Reverting changes

Select location(s) and click Revert… from the context menu to revert this modification.

Patching bytes

You can change individual bytes via Edit → Patch program → Change byte….

Apply patches to input file…

Apply previously patched bytes back to the input file. If the “Restore” option is selected, then the original bytes will be applied to the input file.

See also ProduceDiff action.

Create alignment directive…

Create alignment directive. The alignment directive will replace a number of useless bytes inserted by the linker to align code and data to paragraph boundary or any other address which is equal to a power of two. You can select a range to be converted to an alignment directive. If you have selected a range, IDA will try to determine a correct alignment automatically.

There are at least two requirements for this command to work:

• There must be enough unexplored bytes at the current address.
• An alignment directive must always end at an address which is divisible by a power or two.

Manual instruction…

Specify alternate representation of the current instruction. Use it if IDA cannot represent the current instruction as desired. If the instruction itself is ok and only one operand is misrepresented, then use Manual… command (action ManualOperand). To delete the manual representation, specify an empty string.

Color instruction…

This command allows you to specify the background color for the current instruction or data item. Only GUI version supports different background colors. Specifying a non-defined custom color will reset the instruction color.

Toggle border

Toggle the display of a border between code and data. This command allows you to hide a thin border which is like the one generated automatically by IDA between instructions and data. If the border was already hidden, then it is displayed again.

Edit menu actions for Pseudocode View

{% hint style=“info” %} The options below appear when the Edit menu is opened from the Pseudocode View. In other views, the menu adapts dynamically and may show a different set of options. {% endhint %}

Below is an overview of all actions that can be accessed from this menu.

Begin selection

Begin selection. Some IDA commands such as selecting a portion of file to output or specifying a segment to move need an anchor.

To drop the anchor, you can either use the Alt + L key or the Shift + ↑, ←, →, ↓ combination, which is more convenient. You can also drop the anchor with the mouse by simply clicking and dragging it.

After you’ve dropped the anchor, you can navigate freely using arrows, etc. Any command that uses the anchor, raises it.

The anchored range is displayed with another color.

When you exit from IDA, the anchor value is lost.

Undo

This command reverts the database to the state before executing the last user action. It is possible to apply Undo multiple times, in this case multiple user actions will be reverted.

Please note the entire database is reverted, including all modifications that were made to the database after executing the user action and including the ones that are not connected to the user action. For example, if a third party plugin modified the database during or after the user action, this modification will be reverted. In theory it is possible to go back in time to the very beginning and revert the database to the state that was present immediately after performing the very first user action. However, in practice the undo buffers overflow because of the changes made by autoanalysis.

Autoanalysis (Options → General… → Analysis) generates copious amounts of undo data. Also, please note that maintaining undo data during autoanalysis slows it down a bit. In practice, it is not a big deal because the limit on the undo data is reached quite quickly (in a matter of minutes). Therefore, if during analysis the user does not perform any actions that modify the database, the undo feature will turn itself off temporarily.

However, if you prefer not to collect undo data at all during the initial autoanalysis, just turn off the UNDO_DURING_AA parameter in ida.cfg.

The configuration file ida.cfg has 2 more undo-related parameters:

Since there is a limit on the size of undo buffers, any action, even the tiniest, may become non-undoable after some time. This is true because the analysis or plugins may continue to modify the database and overflow the buffers. Some massive actions, like deleting a segment, may be non-undoable just because of the sheer amount of undo data they generate.

Please note that Undo does not affect the state of IDC or Python scripts. Script variables will not change their values because of Undo. Also nothing external to the database can be changed: created files will not be deleted, etc.

Some actions cannot be undone. For example, launching a debugger or resuming from a breakpoint cannot be undone.

Redo

This command reverts the previously issued Undo command. It is possible to use Redo multiple times.

This command also reverts all changes that were done to the database after the last Undo command, including the eventual useful modifications made by the autoanalysis. In other words, the entire database is modified to get to the exact state that it had before executing the last Undo command.

Code

Convert to instruction. This command converts the current unexplored bytes to instruction(s). IDA will warn you if it is not possible.

If you have selected a range using the Anchor action, all the bytes from this range will be converted to instructions.

If you apply this command to an instruction, it will be reanalyzed.

Data

Convert to data. This command converts the current unexplored bytes to data. If it is not possible, IDA will warn you.

Multiple using of this command will change the data type:

 db -> dw -> dd -> float -> dq -> double -> dt -> packreal -> octa \;
 ^                                                                 |;
 \---------<----------------<--------------<-----------------------/;

You may remove some items from this list using the Setup data types… command (action SetupData).

If the target assembler (Options → General… → Analysis) does not support double words or another data type, it will be skipped. To create a structure variable, use the Struct var… command (action DeclareStructVar). To create an array, use the Array… command (action MakeArray). To convert back, use the Undefine command (action MakeUnknown).

Struct var…

Declare a structure variable. IDA will ask you to choose a structure type. You must have some structure types defined in order to use this command. If the target assembler supports it, IDA will display the structure in terse form (using just one line). To uncollapse a terse structure variable use the Unhide command. You can also use this command to declare a structure field in another structure (i.e., nested structures are supported too).

String

Convert to string. This command converts the current unexplored bytes to a string. The set of allowed characters is specified in the configuration file, parameter StrlitChars. Character ‘\0’ is not allowed in any case. If the current assembler (Options → General → Analysis → Target assembler) does not allow characters above 0x7F, characters with high bit set are not allowed. If the anchor has been dropped, IDA will take for the string all characters between the current cursor position and the anchor. Use the anchor if the string starts a disallowed character.

This command also generates a name for the string. In the configuration file, you can specify the characters allowed in names (NameChars). You can change the literal string length using Array… command (action MakeArray). The GUI version allows you to assign a special hotkey to create Unicode strings. To do so, change the value of the StringUnicode parameter in the IDAGUI.CFG file.

Array…

Convert to array. This command allows you to create arrays and change their sizes.

The arrays are created in 2 simple steps:

1. Create the first element of array using the data definition commands (data, string, structs)

2. Apply the array command to the created data item. Enter array size in current array elements (not bytes). The suggested array size is the minimum of the following values:

• the address of the next item with a cross reference
• the address of the next user-defined name For string literals, you can use this command to change the length of the string.

The dialog box contains the following fields:

• Items on a line (meaningless for string literals):

  • 0 - place maximal number of items on a line
  • other value - number of items on a line Please note that the margin parameter affects the number of items on a line too.

• Alignment (meaningless for string literals):

  • -1 - do not align items
  • 0 - align automatically
  • other value - width of each item

• Signed elements: if checked, IDA treats all elements as signed numbers. Only meaningful for numbers (not for offsets and segments and strings)

• Display indexes: if checked, IDA will display the indexes of array elements in the form of comments (0,1,2…)

• Create as array: if not checked, IDA will create a separate item for each array element. Useful for creating huge arrays. If the box is unchecked when this command is applied to string literals, IDA will create many string literals instead of one big string.

If applied to a variable-sized structure, this command is used to specify the overall size of the structure. You cannot create arrays of variable-sized structures.

Undefine

Convert to undefined. This command deletes the current instruction or data, converting it to ‘unexplored’ bytes. IDA will delete the subsequent instructions if there are no more references to them (functions are never deleted).

If you have selected a range using the Anchor action, all the bytes in this range will be converted into ‘unexplored’ bytes. In this case, IDA will not delete any other instructions even if there are no references to them after the deletion.

Rename

Rename the current location. This command gives name/renames/deletes name for the current item.

To delete a name, simply give an empty name.

If the current item is referenced, you cannot delete its name. Even if you try, IDA will generate a dummy name (See Options → Name representation…).

List of available options:

• Local name: The name is considered to be defined only in the current function. Please note that IDA does not check the uniqueness of the local names in the whole program. However, it does verify that the name is unique for the function.

• Include in name list: Here you can also include/remove the name from the name list (see the Jump by name… command; action JumpName). If the name is hidden, you will not see it in the names window.

• Public name: You can declare a name as a public (global) name. If the current assembler supports the “public” directive, IDA will use it. Otherwise, the publicness of the name will be displayed as a comment.

• Autogenerated name: An autogenerated name will appear in a different color. If the item is indefined, it will disappear automatically.

• Weak name: You can declare a name as a weak name. If the current assembler supports the “weak” directive, IDA will use it. Otherwise, the weakness of the name will be displayed as a comment.

• Create name anyway: If this flag is on, and if the specified name already exists, IDA will try to variate the specified name by appending a suffix to it.

Offset (data segment)

Convert the current operand to an offset in the data segment. This command converts the immediate operand of the current instruction/data to an offset from the current data segment (DS). If the current DS value is unknown (or equal 0xFFFF) IDA will warn you - it will beep. In this case, you have to define DS register value for the current byte. The best way to do it is:

• jump to segment register change point (the Jump to segment register… command; action JumpSegmentRegister),
• change value of DS (the Change segment register value… command; action SetSegmentRegister)
• return (the Jump back command; action Return) or you can change default value of DS for the current segment (the Set default segment register value… command; action SetSegmentRegisterDefault).

If you want to delete offset definition, you can use this command again - it works as trigger. If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected. If a range is selected using the anchor, IDA will perform ‘en masse’ conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified. To create offsets to structure members use the Offset (struct)… command (action OpStructOffset).

Offset (current segment)

Convert the current operand to an offset in the current segment. If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected. If a range is selected using the anchor, IDA will perform ‘en masse’ conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise, it will be left unmodified. If this command is applied to a structure member in the Local types window, then IDA will create an “automatic offset”. An automatic offset is an offset with the base equal to 0xFFFFFFFF. This base value means that the actual value of the base will be calculated by IDA when a structure instance is created. To create offsets to structure members use the Offset (struct)… command (action OpStructOffset).

Offset by (any segment)…

Convert the current operand to an offset in any segment. This command converts the immediate operand of the current instruction/data to an offset from any segment. IDA will ask to choose a base segment for the offset. If a range is selected using the anchor, IDA will perform ‘en masse’ conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified. If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected. To create offsets to structure members use Offset (struct)… command (action OpStructOffset).

Offset (user-defined)…

Convert the current operand to an offset with any base. If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected. If the offset base is specified as 0xFFFFFFFF, then IDA will create “an automatic offset”. Automatic offsets mean that the actual value of the base will be calculated by IDA.

The following offset attributes are available:

The offset expression is displayed in the following concise form: offset target - $ where “$” denotes the start of the element (and is assembler-dependent).

To create offsets to structure members use the Offset (struct)… command (action OpStructOffset).

Offset (struct)…

Convert the current operand to a structure offset. This command permits to convert all immediate operands of instructions in a range selection to a path of offsets through a structure and its possible sub unions. If no selection is active, IDA will simply permit to convert the current operand. In this case, it will display a simple dialog box the same way as the text version (see below). You can select the desired register in the drop-down list: all operands relative to this register will be added to the ‘Offsets’ list. A special empty line in the drop-down list is used to directly work on immediate values. Checkboxes in the ‘Offsets’ list allow you to select which operand you indeed want to modify. By default, IDA will select only undefined operands, to avoid overwriting previous type definitions. This list is sorted by operand value, by instruction address and finally by operand number. You can easily see the instructions related to the operand by moving the mouse over it, and wait for a hint to be displayed. The ‘Structures and Unions’ tree will contain all selectable structures, and sub unions. Once you select or move over a structure, the ‘Offsets’ list updates itself for each checked offset: the computed name of the operand is displayed, according to the selected structure in the tree. An icon is also drawn, to easily know if a specific structure matches the offset or not, or if the offset is too big for the selected structure. The structures who match the most offsets will be near the top of the tree. You can also move your mouse over structures in the tree to obtain an interesting hint. A ‘?’ icon can also appear, if the offset can be specialized by selecting an union member. In this case, if you expand the structure in the tree, you can select the adequate union member simply by checking the desired radio button. IDA automatically corrects the related name in the ‘Offsets’ list. The ‘Offset delta’ value represents the difference between the structure start and the pointer value. For example, if you have an operand 4 and want to convert in into an expression like “mystruct.field_6-2”, then you have to enter 2 as the delta. Usually the delta is zero, i.e. the pointer points to the start of the structure. The ‘Hide sub structures without sub unions’ option (checked by default) avoids to add unnecessary sub structures to the tree, to keep it as small as possible. If you uncheck this option, all sub structures will be added to the tree. By default, IDA displays the structure member at offset 0. To change this behavior, you can directly disable the ‘Force zero offset field’ in the ‘Options’ frame. Later zero offsets can be forced using Edit → Structs → Force zero offset menu item.

Text version

This command converts immediate operand(s) type of the current instruction/data to an offset within the specified structure. Before using this command, you have to define a structure type. First of all, IDA will ask a so-called “struct offset delta”. This value represents the difference between the structure start and the pointer value. For example, if you have an operand 4 and want to convert in into an expression like “mystruct.field_6-2”, then you have to enter 2 as the delta. Usually the delta is zero, i.e. the pointer points to the start of the structure. If a range is selected using the anchor, IDA will perform ‘en masse’ conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the an operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified. When you use this command, IDA deletes the manually entered operand. If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected. By default IDA doesn’t display the structure member at offset 0. To change this behavior, use the Force zero offset field command. Moreover, if there are several possible representations (this can happen if unions are used), select the desired representation using the Select union member… command.

Number (default)

Convert the current operand to a number. That way, you can delete suspicious mark of the item. The number is represented in the default radix for the current processor (usually hex, but octal for PDP-11, for example). When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Hexadecimal

Convert the current operand to a hexadecimal number. This command converts the immediate operand(s) type of the current instruction/data to a hex number, so that you can delete the suspicious mark of the item. When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Decimal

Convert the current operand to a decimal number. This command converts the immediate operand(s) type of the current instruction/data to decimal. Therefore, it becomes a ‘number’. When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Octal

Convert the current operand to a octal number. IDA always uses 123o notation for octal numbers even if the current assembler does not support octal numbers. When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Binary

Convert the current operand to a binary number. This command makes the current instruction or data operand type binary. IDA always uses 123b notation for binary numbers even if the current assembler does not support binary numbers. When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Floating point

Convert to floating point. When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Toggle leading zeroes

Toggle leading zeroes.

This command displays or hides the leading zeroes of the current operand. Example: if the instruction looked like this:

    and     ecx, 40h

then after applying the command it will look like this:

    and     ecx, 00000040h

If you prefer to see leading zeroes in all cases, then open the calculator and enter the following expression: set_inf_attr (INF_GENFLAGS, get_inf_attr(INF_GENFLAGS) | INFFL_LZERO); This will toggle the default for the current database and all numbers without leading zeroes will become numbers with leading zeroes, and vice versa. See also Edit|Operand types submenu.

Manual…

Enter the current operand manually. You may specify any string instead of an operand if IDA does not represent the operand in the desired form. In this case, IDA will simply display the specified string in the instruction instead of the default operand.

The current operand (under the cursor) will be affected.

You can use this command not only with instructions but with data items too.

IDA proposes the previous manual operand as the default value in the input form.

To delete the manual operand and revert back to the default text, specify an empty string.

IDA automatically deletes manually entered operands when you change operand representation using Edit → Operand types submenu.

{% hint style=“info” %} A text offset reference is generated if you use a label in the program as the operand string. In other cases no cross-references are generated. {% endhint %}

Enter comment…

Enter a regular comment. If you stand at the function start and your cursor is on a function name, IDA will ask you to enter a function comment. If you stand at the segment start and your cursor is on a segment name, IDA will ask you to enter a segment comment. If this command is issued in the Local types window, it allows you to change the comment of a structure/enum, or structure/enum member. If the cursor is on the structure/enum name, the structure/enum comment will be changed, otherwise the member comment will be changed. Otherwise, this command allows you to enter a normal indented comment for the current item. You can show/hide all comments in Options → General → Disassembly → Display disassembly line parts: Comments.

Enter repeatable comment…

Enter repeatable comment. A repeatable comment will appear attached to the current item and all other items referencing it. If you stand at the function start, IDA will ask you to enter a function comment. If this command is issued in the Local types window, it allows you to change the comment of a structure/enum, or structure/enum member. If the cursor is on the structure/enum name, the structure/enum comment will be changed, otherwise the member comment will be changed. Otherwise, this command allows you to enter a repeatable comment for the current item.

{% hint style=“info” %} You cannot enter repeatable segment comments. {% endhint %}

All items that refer to the current item will have this comment by default. Note that if you have defined both comment types (regular and repeatable), the regular comment will be displayed for the current item and the repeatable comment will be displayed for all items that refer to the current item, if they do not have their own comments. The repeatable comments may be used to describe subroutines, data items, etc., because all calls to the subroutine will have the repeatable comment. You can show/hide all comments in Options → General → Disassembly → Display disassembly line parts: Comments.

Enter anterior lines…

Enter lines preceding the generated lines. If you want to enter multi-line comments or additional instructions, you can use this feature of IDA.

There are two kinds of extra lines: the ones generated before the instruction line and the ones generated after the instruction line.

Do not forget that the maximal number of lines for an item is 500.

IDA does not insert a comment symbol at the beginning of the lines.

Create segment…

This command allows you to create a new segment.

If you select a range using the anchor, IDA will propose the start address and the end address of the selection as defaults for the segment bounds.

You need to specify at least:

• the segment start address
• the segment end address (excluded from the range)
• the segment base

Click here to learn about addressing model used in IDA.

If “sparse storage” is set, IDA will use special sparse storage method for the segment. This method is recommended for huge segments. Later, it is possible to change the storage method of any region using set_storage_type IDC function.

If another segment already exists at the specified address, the existing segment is truncated and the new segment lasts from the specified start address to the next segment (or specified end address, whichever is lower). If the old and the new segments have the same base address, instructions/data will not be discarded by IDA. Otherwise, IDA will discard all instructions/data of the new segment.

An additional segment may be created by IDA to cover the range after the end of the new segment.

Edit segment…

Edit segment attributes. This command opens the Change segment attributes dialog.

Change segment attributes options

• How to change segment name
• How to change segment class
• How to change segment addressing mode (16/32)
• How to change segment alignment
• How to change segment combination

{% hint style=“info” %} Changing the segment class may change the segment type. {% endhint %}

• Move Adjacent Segments: means that the previous and next segments will be shrunk or expanded to fill gaps between segments. Click here for more information.

• Disable Addresses: if set, when a segment is shrunk, all information about bytes going out of the segment will be completely removed.. Otherwise, IDA will discard information about instructions/data, comments etc, but will retain byte values so that another segment can be created later and it will use the existing byte values.

If IDA creates 2 segments where only one segment must exist, you may try the following sequence:

• Delete one segment (action KillSegment). Choose one with bad segment base value. Do not disable addresses occupied by the segment being deleted.
• Change bounds of another segment. Note that the Create segment… command (action CreateSegment) changes the boundaries of the overlapping segment automatically.

Segments with the “debugger” attribute are the segments whose memory contents are not saved in the database. Usually, these segments are created by the debugger to reflect the current memory state of the program.

However, the user can modify this attribute.

If it is cleared, then the segment will permanently stay in the database after closing the debugger session. The database will reflect the state of the segment which was at the time when the status is changed.

If it is set, then the segment will become a temporary segment and will be deleted at the end of the debugging session.

The debugger segment checbkox is available only during debugging sessions.

The “loader” segments are the segment created by the file loader. The segment having this attribute are considered to be part of the input file.

A segment with the “debugger” attribute set and the “loader” attribute not set is considered to be an ephemeral segment. Such segments are not analyzed automatically by IDA.

“Segment permissions” group box can be used to modify Segment access permissions (Read/Write/Execute)

Segment Name

Enter a new name for the segment. A segment name is up to 8 characters long. IDA does check if the length is ok. Try to give mnemonic names for the segments.

Class Name

The segment class name identifies the segment with a class name (such as CODE, FAR_DATA, or STACK). The linker places segments with the same class name into a contiguous range of memory in the runtime memory map.

Changing the segment class changes only the segment definition on the screen. There are the following predefined segment class names:

If you change segment class and the segment type is “Regular”, then the segment type will be changed accordingly.

In order to set the segment type “Regular”, you should change the segment class to “UNK”.

{% hint style=“info” %} Segment class names are never deleted. Once you define a segment class name, you cannot reuse it as a name of another object. {% endhint %}

Segment bitness

You can choose between 16-bit and 32-bit segment addressing.

IDA will delete all instructions and data in the segment if the segment address is changed.

Never do it if you are not sure. It may have irreversible consequences, all instructions/data will be converted to undefined bytes.

Segment Alignment

You can specify the segment alignment for the selected segment. By default, IDA assumes ‘byte’ alignment.

Changing the alignment changes only the segment definition on the screen. Nothing else will happen.

Segment Combination

A field that describes how the linker can combine the segment with other segments. Under MS-DOS, segments with the same name and class can be combined in two ways: they can be concatenated to form one logical segment, or they can be overlapped. In the latter case, they have either the same start address or the same end address, and they describe a common range in memory. Values for the field are:

• Private: Do not combine with any other program segment.
• Public: Combine by appending at an offset that meets the alignment requirement.
• Stack: Combine as for Public. This combine type forces byte alignment.
• Common: Combine by overlay using maximum size.

Changing segment combination changes only the segment definition on the screen. Nothing else will happen.

Delete segment…

Delete segment. IDA will ask your the permission to disable the addresses occupied by the segment. If you allow this operation, all information about the segment will be deleted. In other words, IDA will discard the information about instructions or data, comments etc.

If you check the “disable addresses” checkbox, IDA will mark the addresses occupied by the segment as “nonexistent” in the program. You will lose ALL information, including byte values.

It is impossible to disassemble the content of addresses not located in any segment, therefore you must create a new segment if you want to resume the disassembly of that part of the code.

You can also edit an adjacent segment to expand it to those addresses (Edit → Segments → Edit segment…).

IDA will ask your the permission to disable addresses occupied by the segment. If you give your permission, information about the segment will be deleted, otherwise IDA will discard information about instruction/data, comments etc, but retain byte values so that you will be able to create another segment afterwards. To disassemble the addresses occupied by the segment, you need to create a new segment again (i.e. you cannot disassemble bytes without a segment). You can also expand another adjacent segment to these addresses.

Move current segment…

Change the current segment boundaries. This command open the Move segment dialog and allows you to move segment(s) to another address. Use it if the segment(s) are loaded at a wrong address. This command shifts (moves) the selected segments in the memory to the target address. There must be enough free space at the target address for the segments. All information in the segment will be moved to the new address, but since the addresses change, the disassembly might be not valid anymore (especially if the program is moved to the wrong addresses and the relocation information is not available).

Fix up the relocated segment

This option allows IDA to modify the references to/from the relocated segment(s). If it is turned off, the references might be wrong after the move.

Rebase program…

Rebase program. The whole program will be shifted by the specified amount of bytes in the memory. The following options are available (we strongly recommend to leave them turned on):

• Fix up relocations: This option allows IDA to modify the references to/from the relocated segment(s). If it is turned off, the references might be wrong after the move.
• Rebase the whole image: This option is accessible only if the whole program is selected. It allows IDA to adjust internal variables on the whole program.

Please note rebasing the program might remove user-defined xrefs.

Change segment register value…

Change segment register value. Relevant only for processors with the segment registers. Currently this command works for IBM PC, TMS320C2, Intel80196, and PowerPC processors. This command creates or updates a segment register change point. See also the Jump to segment register… command (action JumpSegmentRegister) for more info.

Set default segment register value…

Set default segment register value. Relevant only for processors with the segment registers. You can specify a default value of a segment register for the current segment. When you change the default value, IDA will reanalyze the segment, taking the default value when it cannot determine the actual value of the register. This takes time, so do not be surprised if references are not corrected immediately.

To specify a value other than the default value of a segment register, you can use the Change segment register value… command (action SetSegmentRegister).

Struct var…

Declare a structure variable. IDA will ask you to choose a structure type. You must have some structure types defined in order to use this command. If the target assembler supports it, IDA will display the structure in terse form (using just one line). To uncollapse a terse structure variable use the Unhide command. You can also use this command to declare a structure field in another structure (i.e., nested structures are supported too).

Force zero offset field

Toggle display of the first field of a structure in an offset expression. This command forces IDA to display a full structure member name even if the offset of the member is equal to zero.

If used twice, the command cancels itself.

Example: Suppose we have the following structure:

    xxx     struc
    a       db ?
    b       db ?
    c       db ?
    xxx     ends

    dloc    xxx ?

Normally IDA displays references to it like this:

    mov     eax, offset dloc
    mov     eax, offset dloc.b

If you force IDA, then it displays member ‘a’:

    mov     eax, offset dloc.a
    mov     eax, offset dloc.b

Select union member…

Choose the representation of a union member. This command tells IDA how to display references to a union from the current cursor location.

Example: Suppose we have the following union:

        xxx     union
        a       db ?
        b       dw ?
        c       dd ?
        ends   xxx
        dloc    xxx ?

Normally, IDA displays references to “dloc” like this:

        mov     al,  byte ptr dloc
        mov     eax, word ptr dloc

After using this command, IDA can display the union members:

        mov     al,  dloc.b
        mov     eax, dloc.d 

Create struct from selection

This command defines a new structure from data already defined. The new structure is created with adequate data types, and each member uses the current data name if it is available.

This command is available only in the graphical version of IDA.

Copy field info to pointers

Copy field info to pointed addresses. This command scans the current struct variable and renames the locations pointed by offset expressions unless they already have a non-dummy name.

It also copies the type info from the struct members to pointed locations.

Create function…

Create a new function in the disassembly. You can specify function boundaries using the anchor. If you don’t specify any, IDA will try to find the boundaries automatically:

• function start point is equal to the current cursor position;
• function end point is calculated by IDA.

A function cannot contain references to undefined instructions. If a function has already been defined at the specified addresses, IDA will jump to its start address, showing you a warning message. A function must start with an instruction.

Edit function…

Edit function attributes - change function properties, including bounds, name, flags, and stack frame parameters. This command opens an Edit Function dialog, and allows you to modify function characteristics and stack frame structure. If the current address does not belong to any function, IDA will beep.

To change only the function end address, use the FunctionEnd command instead. This command allows you to change the function frame parameters too. You can change sizes of some parts of frame structure.

Stack Frame Structure

IDA represents the stack using the following structure:

{% hint style=“info” %} For some processors or functions, BP may equal SP, meaning it points to the bottom of the stack frame. {% endhint %}

You may specify the number of bytes in each part of the stack frame. The size of the return address is calculated by IDA (possibly depending on the far function flag).

           push    ebp
           lea     ebp, [esp-78h]
           sub     esp, 588h
           push    ebx
           push    esi
           lea     eax, [ebp+74h]

      +------------------------------+
      | function arguments           |
      +------------------------------+
      | return address               |
      +------------------------------+
      | saved registers (SI,DI,etc)  |
      +------------------------------+  <- typical BP
      |                              |
      |                              |
      |                              |  <- actual BP
      | local variables              |
      |                              |
      |                              |
      |                              |
      +------------------------------+  <- SP

In our example, the saved registers area is empty (since EBP has been initialized before saving EBX and ESI). The difference between the ‘typical BP’ and ‘actual BP’ is 0x78 and this is the value of FPD.

After specifying FPD=0x78 the last instruction of the example becomes

           lea     eax, [ebp+78h+var_4]

where var_4 = -4

Most of the time, IDA calculates the FPD value automatically. If it fails, the user can specify the value manually.

If the value of the stack pointer is modified in an unpredictable way, (e.g. “and esp, -16”), then IDA marks the function as “fuzzy-sp”.

If this command is invoked for an imported function, then a simplified dialog box will appear on the screen.

See also:

• Igor’s Tip of the Week #126: Non-returning functions
• Igor’s tip of the week #106: Outlined functions

Configurable Parameters

• Stack Frame Sizes: You can specify the number of bytes in each part of the stack frame. The return address size is calculated automatically by IDA (may depend on the far function flag).
• Purged Bytes: Specifies the number of bytes added to SP upon function return. This value calculates SP changes at call sites (used in calling conventions such as __stdcall in Windows 32-bit programs).
• BP Based Frame: Enables IDA to automatically convert [BP+xxx] operands to stack variables.
• BP Equal to SP: Indicates that the frame pointer points to the bottom of the stack. Commonly used for processors that set up the stack frame with EBP and ESP both pointing to the bottom (e.g., MC6816, M32R).
• Reanalysis: Pressing Enter without changing any parameter will cause IDA to reanalyze the function.

Append function tail…

This command appends an arbitrary range of the program to a function definition. A range must be selected before applying this command. This range must not intersect with other function chunks (however, an existing tail can be added to multiple functions).

IDA will ask to select the parent function for the selection and will append the range to the function definition.

Remove function tail…

Remove function tail. This command removes the function tail at the cursor from a function definition. If there are several parent functions for the current function tail range, IDA will ask to select the parent function(s) to remove the tail from. After the confirmation, the current function tail range will be removed from the selected function definition. If the parent was the only owner of the current tail, then the tail will be destroyed. Otherwise it will still be present in the database. If the removed parent was the owner of the tail, then another function will be selected as the owner.

Change stack pointer…

Change stack pointer. This command allows you to specify how the stack pointer (SP) is modified by the current instruction.

You cannot use this command if the current instruction does not belong to any function.

You will need to use this command only if IDA was not able to trace the value of the SP register. Usually IDA can handle it but in some special cases it fails. An example of such a situation is an indirect call of a function that purges its parameters from the stack. In this case, IDA has no information about the function and cannot properly trace the value of SP.

Please note that you need to specify the difference between the old and new values of SP.

The value of SP is used if the current function accesses local variables by [ESP+xxx] notation.

See also how to convert to stack variable (Action OpStackVariable).

Rename register…

Rename a general processor register. This command allows you to rename a processor general register to some meaningful name. While this is not used very often on IBM PCs, it is especially useful on RISC processors with lots of registers. For example, a general register R9 is not very meaningful and a name like ‘CurrentTime’ is much better.

This command can be used to define a new register name as well as to remove it. Just move the cursor on the register name and press enter. If you enter the new register name as an empty string, then the definition will be deleted.

If you have selected a range before using this command, then the definition will be restricted to the selected range. But in any case, the definition cannot cross the function boundaries.

You cannot use this command if the current instruction does not belong to any function.

Set type…

Set type information for an item or current function. This command allows you to specify the type of the current item. If the cursor is located on a name, the type of the named item will be edited. Otherwise, the current function type (if there is a function) or the current item type (if it has a name) will be edited.

The function type must be entered as a C declaration. Hidden arguments (like ‘this’ pointer in C++) should be specified explicitly. IDA will use the type information to comment the disassembly with the information about function arguments. It can also be used by the Hex-Rays decompiler plugin for better decompilation. Here is an example of a function declaration:

    int main(int argc, const char *argv[]);

It is also possible to specify a function name coming from a type library. For example, if entering “LoadLibraryW” would yield its prototype:

    HMODULE __stdcall LoadLibraryW(LPCWSTR lpLibFileName);

provided that the corresponding type library is in memory. To delete a type declaration, just enter an empty string. IDA supports the user-defined calling convention. In this calling convention, the user can explicitly specify the locations of arguments and the return value. For example:

    int __usercall func@<ebx>(int x, int y@<esi>);

denotes a function with 2 arguments: the first argument is passed on the stack (IDA automatically calculates its offset) and the second argument is passed in the ESI register and the return value is stored in the EBX register. Stack locations can be specified explicitly:

    int __usercall runtime_memhash@<^12.4>(void *p@<^0.4>, int q@<^4.4>, int r@<^8.4>)

There is a restriction for a __usercall function type: all stack locations should be specified explicitly or all are automatically calculated by IDA. General rules for the user defined prototypes are:

• the return value must be in a register. Exception: stack locations are accepted for the __golang and __usercall calling conventions.

• if the return type is ‘void’, the return location must not be specified

• if the argument location is not specified, it is assumed to be on the stack; consequent stack locations are allocated for such arguments

• it is allowed to declare nested declarations, for example: int **__usercall func16@(int *(__usercall *x)@ (int, long@, int)@);

  Here the pointer “x” is passed in the ESI register; The pointed function is a usercall function and expects its second argument in the ECX register, its return value is in the EBX register. The rule of thumb to apply in such complex cases is to specify the the registers just before the opening brace for the parameter list.

• registers used for the location names must be valid for the current processor; some registers are unsupported (if the register name is generated on the fly, it is unsupported; inform us about such cases; we might improve the processor module if it is easy)

• register pairs can be specified with a colon like edx:eax

• for really complicated cases this syntax can be used. IDA also understands the “__userpurge” calling convention. It is the same thing as __usercall, the only difference is that the callee cleans the stack.

The name used in the declaration is ignored by IDA. If the default calling convention is __golang then explicit specification of stack offsets is permitted. For example:

  __attribute__((format(printf,2,3)))
  int myprnt(int id, const char *format, ...);

This declaration means that myprnt is a print-like function; the format string is the second argument and the variadic argument list starts at the third argument.

Below is the full list of attributes that can be handled by IDA.

Data Declaration Keywords

For data declarations, the following custom __attribute((annotate(X))) keywords have been added. The control the representation of numbers in the output:

Type Declaration Keywords

The following additional keywords can be used in type declarations:

Change byte…

Change program bytes. You can modify the executable file and eventually generate a new file (the Create EXE file… command; action ProduceExe). If you patch bytes, then you may enter multiple bytes (see also Binary string format). If this command is invoked when the debugger is active, then IDA will modify the memory and the database. If the database does not contain the patched bytes, then only the process memory will be modified. You can create a difference file too (the Create DIFF file… command; action ProduceDiff). See also How to Enter a Number.

Assemble…

This command allows you to assemble instructions. Currently, only the IBM PC processors provide an assembler, nonetheless, plugin writers can extend or totally replace the built-in assembler by writing their own.

The assembler requires to enclose all memory references into square brackets. For example:

        mov ax, [counter]

Also, the keyword ‘offset’ must not be used. Instead of

        mov eax, offset name

you must write

        mov eax, name

See also How to Enter a Number.

Patched bytes

Open the Patched bytes window. The Patched bytes view shows the list of the patched locations in the database. It also allows you to revert modifications selectively.

Reverting changes

Select location(s) and click Revert… from the context menu to revert this modification.

Patching bytes

You can change individual bytes via Edit → Patch program → Change byte….

Apply patches to input file…

Apply previously patched bytes back to the input file. If the “Restore” option is selected, then the original bytes will be applied to the input file.

See also ProduceDiff action.

Create alignment directive…

Create alignment directive. The alignment directive will replace a number of useless bytes inserted by the linker to align code and data to paragraph boundary or any other address which is equal to a power of two. You can select a range to be converted to an alignment directive. If you have selected a range, IDA will try to determine a correct alignment automatically.

There are at least two requirements for this command to work:

• There must be enough unexplored bytes at the current address.
• An alignment directive must always end at an address which is divisible by a power or two.

Manual instruction…

Specify alternate representation of the current instruction. Use it if IDA cannot represent the current instruction as desired. If the instruction itself is ok and only one operand is misrepresented, then use Manual… command (action ManualOperand). To delete the manual representation, specify an empty string.

Color instruction…

This command allows you to specify the background color for the current instruction or data item. Only GUI version supports different background colors. Specifying a non-defined custom color will reset the instruction color.

Toggle border

Toggle the display of a border between code and data. This command allows you to hide a thin border which is like the one generated automatically by IDA between instructions and data. If the border was already hidden, then it is displayed again.

Edit menu actions for Hex View

{% hint style=“info” %} The options below appear when the Edit menu is opened from the Hex View. In other views, the menu adapts dynamically and may show a different set of options. {% endhint %}

Below is an overview of all actions that can be accessed from this menu.

Begin selection

Begin selection. Some IDA commands such as selecting a portion of file to output or specifying a segment to move need an anchor.

To drop the anchor, you can either use the Alt + L key or the Shift + ↑, ←, →, ↓ combination, which is more convenient. You can also drop the anchor with the mouse by simply clicking and dragging it.

After you’ve dropped the anchor, you can navigate freely using arrows, etc. Any command that uses the anchor, raises it.

The anchored range is displayed with another color.

When you exit from IDA, the anchor value is lost.

Undo

This command reverts the database to the state before executing the last user action. It is possible to apply Undo multiple times, in this case multiple user actions will be reverted.

Please note the entire database is reverted, including all modifications that were made to the database after executing the user action and including the ones that are not connected to the user action. For example, if a third party plugin modified the database during or after the user action, this modification will be reverted. In theory it is possible to go back in time to the very beginning and revert the database to the state that was present immediately after performing the very first user action. However, in practice the undo buffers overflow because of the changes made by autoanalysis.

Autoanalysis (Options → General… → Analysis) generates copious amounts of undo data. Also, please note that maintaining undo data during autoanalysis slows it down a bit. In practice, it is not a big deal because the limit on the undo data is reached quite quickly (in a matter of minutes). Therefore, if during analysis the user does not perform any actions that modify the database, the undo feature will turn itself off temporarily.

However, if you prefer not to collect undo data at all during the initial autoanalysis, just turn off the UNDO_DURING_AA parameter in ida.cfg.

The configuration file ida.cfg has 2 more undo-related parameters:

Since there is a limit on the size of undo buffers, any action, even the tiniest, may become non-undoable after some time. This is true because the analysis or plugins may continue to modify the database and overflow the buffers. Some massive actions, like deleting a segment, may be non-undoable just because of the sheer amount of undo data they generate.

Please note that Undo does not affect the state of IDC or Python scripts. Script variables will not change their values because of Undo. Also nothing external to the database can be changed: created files will not be deleted, etc.

Some actions cannot be undone. For example, launching a debugger or resuming from a breakpoint cannot be undone.

Redo

This command reverts the previously issued Undo command. It is possible to use Redo multiple times.

This command also reverts all changes that were done to the database after the last Undo command, including the eventual useful modifications made by the autoanalysis. In other words, the entire database is modified to get to the exact state that it had before executing the last Undo command.

Code

Convert to instruction. This command converts the current unexplored bytes to instruction(s). IDA will warn you if it is not possible.

If you have selected a range using the Anchor action, all the bytes from this range will be converted to instructions.

If you apply this command to an instruction, it will be reanalyzed.

Data

Convert to data. This command converts the current unexplored bytes to data. If it is not possible, IDA will warn you.

Multiple using of this command will change the data type:

 db -> dw -> dd -> float -> dq -> double -> dt -> packreal -> octa \;
 ^                                                                 |;
 \---------<----------------<--------------<-----------------------/;

You may remove some items from this list using the Setup data types… command (action SetupData).

If the target assembler (Options → General… → Analysis) does not support double words or another data type, it will be skipped. To create a structure variable, use the Struct var… command (action DeclareStructVar). To create an array, use the Array… command (action MakeArray). To convert back, use the Undefine command (action MakeUnknown).

Struct var…

Declare a structure variable. IDA will ask you to choose a structure type. You must have some structure types defined in order to use this command. If the target assembler supports it, IDA will display the structure in terse form (using just one line). To uncollapse a terse structure variable use the Unhide command. You can also use this command to declare a structure field in another structure (i.e., nested structures are supported too).

String

Convert to string. This command converts the current unexplored bytes to a string. The set of allowed characters is specified in the configuration file, parameter StrlitChars. Character ‘\0’ is not allowed in any case. If the current assembler (Options → General → Analysis → Target assembler) does not allow characters above 0x7F, characters with high bit set are not allowed. If the anchor has been dropped, IDA will take for the string all characters between the current cursor position and the anchor. Use the anchor if the string starts a disallowed character.

This command also generates a name for the string. In the configuration file, you can specify the characters allowed in names (NameChars). You can change the literal string length using Array… command (action MakeArray). The GUI version allows you to assign a special hotkey to create Unicode strings. To do so, change the value of the StringUnicode parameter in the IDAGUI.CFG file.

Array…

Convert to array. This command allows you to create arrays and change their sizes.

The arrays are created in 2 simple steps:

1. Create the first element of array using the data definition commands (data, string, structs)

2. Apply the array command to the created data item. Enter array size in current array elements (not bytes). The suggested array size is the minimum of the following values:

• the address of the next item with a cross reference
• the address of the next user-defined name For string literals, you can use this command to change the length of the string.

The dialog box contains the following fields:

• Items on a line (meaningless for string literals):

  • 0 - place maximal number of items on a line
  • other value - number of items on a line Please note that the margin parameter affects the number of items on a line too.

• Alignment (meaningless for string literals):

  • -1 - do not align items
  • 0 - align automatically
  • other value - width of each item

• Signed elements: if checked, IDA treats all elements as signed numbers. Only meaningful for numbers (not for offsets and segments and strings)

• Display indexes: if checked, IDA will display the indexes of array elements in the form of comments (0,1,2…)

• Create as array: if not checked, IDA will create a separate item for each array element. Useful for creating huge arrays. If the box is unchecked when this command is applied to string literals, IDA will create many string literals instead of one big string.

If applied to a variable-sized structure, this command is used to specify the overall size of the structure. You cannot create arrays of variable-sized structures.

Undefine

Convert to undefined. This command deletes the current instruction or data, converting it to ‘unexplored’ bytes. IDA will delete the subsequent instructions if there are no more references to them (functions are never deleted).

If you have selected a range using the Anchor action, all the bytes in this range will be converted into ‘unexplored’ bytes. In this case, IDA will not delete any other instructions even if there are no references to them after the deletion.

Rename

Rename the current location. This command gives name/renames/deletes name for the current item.

To delete a name, simply give an empty name.

If the current item is referenced, you cannot delete its name. Even if you try, IDA will generate a dummy name (See Options → Name representation…).

List of available options:

• Local name: The name is considered to be defined only in the current function. Please note that IDA does not check the uniqueness of the local names in the whole program. However, it does verify that the name is unique for the function.

• Include in name list: Here you can also include/remove the name from the name list (see the Jump by name… command; action JumpName). If the name is hidden, you will not see it in the names window.

• Public name: You can declare a name as a public (global) name. If the current assembler supports the “public” directive, IDA will use it. Otherwise, the publicness of the name will be displayed as a comment.

• Autogenerated name: An autogenerated name will appear in a different color. If the item is indefined, it will disappear automatically.

• Weak name: You can declare a name as a weak name. If the current assembler supports the “weak” directive, IDA will use it. Otherwise, the weakness of the name will be displayed as a comment.

• Create name anyway: If this flag is on, and if the specified name already exists, IDA will try to variate the specified name by appending a suffix to it.

Offset (data segment)

Convert the current operand to an offset in the data segment. This command converts the immediate operand of the current instruction/data to an offset from the current data segment (DS). If the current DS value is unknown (or equal 0xFFFF) IDA will warn you - it will beep. In this case, you have to define DS register value for the current byte. The best way to do it is:

• jump to segment register change point (the Jump to segment register… command; action JumpSegmentRegister),
• change value of DS (the Change segment register value… command; action SetSegmentRegister)
• return (the Jump back command; action Return) or you can change default value of DS for the current segment (the Set default segment register value… command; action SetSegmentRegisterDefault).

If you want to delete offset definition, you can use this command again - it works as trigger. If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected. If a range is selected using the anchor, IDA will perform ‘en masse’ conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified. To create offsets to structure members use the Offset (struct)… command (action OpStructOffset).

Offset (current segment)

Convert the current operand to an offset in the current segment. If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected. If a range is selected using the anchor, IDA will perform ‘en masse’ conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise, it will be left unmodified. If this command is applied to a structure member in the Local types window, then IDA will create an “automatic offset”. An automatic offset is an offset with the base equal to 0xFFFFFFFF. This base value means that the actual value of the base will be calculated by IDA when a structure instance is created. To create offsets to structure members use the Offset (struct)… command (action OpStructOffset).

Offset by (any segment)…

Convert the current operand to an offset in any segment. This command converts the immediate operand of the current instruction/data to an offset from any segment. IDA will ask to choose a base segment for the offset. If a range is selected using the anchor, IDA will perform ‘en masse’ conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified. If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected. To create offsets to structure members use Offset (struct)… command (action OpStructOffset).

Offset (user-defined)…

Convert the current operand to an offset with any base. If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected. If the offset base is specified as 0xFFFFFFFF, then IDA will create “an automatic offset”. Automatic offsets mean that the actual value of the base will be calculated by IDA.

The following offset attributes are available:

The offset expression is displayed in the following concise form: offset target - $ where “$” denotes the start of the element (and is assembler-dependent).

To create offsets to structure members use the Offset (struct)… command (action OpStructOffset).

Offset (struct)…

Convert the current operand to a structure offset. This command permits to convert all immediate operands of instructions in a range selection to a path of offsets through a structure and its possible sub unions. If no selection is active, IDA will simply permit to convert the current operand. In this case, it will display a simple dialog box the same way as the text version (see below). You can select the desired register in the drop-down list: all operands relative to this register will be added to the ‘Offsets’ list. A special empty line in the drop-down list is used to directly work on immediate values. Checkboxes in the ‘Offsets’ list allow you to select which operand you indeed want to modify. By default, IDA will select only undefined operands, to avoid overwriting previous type definitions. This list is sorted by operand value, by instruction address and finally by operand number. You can easily see the instructions related to the operand by moving the mouse over it, and wait for a hint to be displayed. The ‘Structures and Unions’ tree will contain all selectable structures, and sub unions. Once you select or move over a structure, the ‘Offsets’ list updates itself for each checked offset: the computed name of the operand is displayed, according to the selected structure in the tree. An icon is also drawn, to easily know if a specific structure matches the offset or not, or if the offset is too big for the selected structure. The structures who match the most offsets will be near the top of the tree. You can also move your mouse over structures in the tree to obtain an interesting hint. A ‘?’ icon can also appear, if the offset can be specialized by selecting an union member. In this case, if you expand the structure in the tree, you can select the adequate union member simply by checking the desired radio button. IDA automatically corrects the related name in the ‘Offsets’ list. The ‘Offset delta’ value represents the difference between the structure start and the pointer value. For example, if you have an operand 4 and want to convert in into an expression like “mystruct.field_6-2”, then you have to enter 2 as the delta. Usually the delta is zero, i.e. the pointer points to the start of the structure. The ‘Hide sub structures without sub unions’ option (checked by default) avoids to add unnecessary sub structures to the tree, to keep it as small as possible. If you uncheck this option, all sub structures will be added to the tree. By default, IDA displays the structure member at offset 0. To change this behavior, you can directly disable the ‘Force zero offset field’ in the ‘Options’ frame. Later zero offsets can be forced using Edit → Structs → Force zero offset menu item.

Text version

This command converts immediate operand(s) type of the current instruction/data to an offset within the specified structure. Before using this command, you have to define a structure type. First of all, IDA will ask a so-called “struct offset delta”. This value represents the difference between the structure start and the pointer value. For example, if you have an operand 4 and want to convert in into an expression like “mystruct.field_6-2”, then you have to enter 2 as the delta. Usually the delta is zero, i.e. the pointer points to the start of the structure. If a range is selected using the anchor, IDA will perform ‘en masse’ conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the an operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified. When you use this command, IDA deletes the manually entered operand. If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected. By default IDA doesn’t display the structure member at offset 0. To change this behavior, use the Force zero offset field command. Moreover, if there are several possible representations (this can happen if unions are used), select the desired representation using the Select union member… command.

Number (default)

Convert the current operand to a number. That way, you can delete suspicious mark of the item. The number is represented in the default radix for the current processor (usually hex, but octal for PDP-11, for example). When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Hexadecimal

Convert the current operand to a hexadecimal number. This command converts the immediate operand(s) type of the current instruction/data to a hex number, so that you can delete the suspicious mark of the item. When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Decimal

Convert the current operand to a decimal number. This command converts the immediate operand(s) type of the current instruction/data to decimal. Therefore, it becomes a ‘number’. When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Octal

Convert the current operand to a octal number. IDA always uses 123o notation for octal numbers even if the current assembler does not support octal numbers. When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Binary

Convert the current operand to a binary number. This command makes the current instruction or data operand type binary. IDA always uses 123b notation for binary numbers even if the current assembler does not support binary numbers. When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Floating point

Convert to floating point. When you use this command, IDA deletes the manually entered operand (via the Manual… command; action ManualOperand). If the cursor is on the first operand (the cursor is before ‘,’) then the first operand will be affected; otherwise, all other operands will be affected.

Toggle leading zeroes

Toggle leading zeroes.

This command displays or hides the leading zeroes of the current operand. Example: if the instruction looked like this:

    and     ecx, 40h

then after applying the command it will look like this:

    and     ecx, 00000040h

If you prefer to see leading zeroes in all cases, then open the calculator and enter the following expression: set_inf_attr (INF_GENFLAGS, get_inf_attr(INF_GENFLAGS) | INFFL_LZERO); This will toggle the default for the current database and all numbers without leading zeroes will become numbers with leading zeroes, and vice versa. See also Edit|Operand types submenu.

Manual…

Enter the current operand manually. You may specify any string instead of an operand if IDA does not represent the operand in the desired form. In this case, IDA will simply display the specified string in the instruction instead of the default operand.

The current operand (under the cursor) will be affected.

You can use this command not only with instructions but with data items too.

IDA proposes the previous manual operand as the default value in the input form.

To delete the manual operand and revert back to the default text, specify an empty string.

IDA automatically deletes manually entered operands when you change operand representation using Edit → Operand types submenu.

{% hint style=“info” %} A text offset reference is generated if you use a label in the program as the operand string. In other cases no cross-references are generated. {% endhint %}

Enter comment…

Enter a regular comment. If you stand at the function start and your cursor is on a function name, IDA will ask you to enter a function comment. If you stand at the segment start and your cursor is on a segment name, IDA will ask you to enter a segment comment. If this command is issued in the Local types window, it allows you to change the comment of a structure/enum, or structure/enum member. If the cursor is on the structure/enum name, the structure/enum comment will be changed, otherwise the member comment will be changed. Otherwise, this command allows you to enter a normal indented comment for the current item. You can show/hide all comments in Options → General → Disassembly → Display disassembly line parts: Comments.

Enter repeatable comment…

Enter repeatable comment. A repeatable comment will appear attached to the current item and all other items referencing it. If you stand at the function start, IDA will ask you to enter a function comment. If this command is issued in the Local types window, it allows you to change the comment of a structure/enum, or structure/enum member. If the cursor is on the structure/enum name, the structure/enum comment will be changed, otherwise the member comment will be changed. Otherwise, this command allows you to enter a repeatable comment for the current item.

{% hint style=“info” %} You cannot enter repeatable segment comments. {% endhint %}

All items that refer to the current item will have this comment by default. Note that if you have defined both comment types (regular and repeatable), the regular comment will be displayed for the current item and the repeatable comment will be displayed for all items that refer to the current item, if they do not have their own comments. The repeatable comments may be used to describe subroutines, data items, etc., because all calls to the subroutine will have the repeatable comment. You can show/hide all comments in Options → General → Disassembly → Display disassembly line parts: Comments.

Enter anterior lines…

Enter lines preceding the generated lines. If you want to enter multi-line comments or additional instructions, you can use this feature of IDA.

There are two kinds of extra lines: the ones generated before the instruction line and the ones generated after the instruction line.

Do not forget that the maximal number of lines for an item is 500.

IDA does not insert a comment symbol at the beginning of the lines.

Create segment…

This command allows you to create a new segment.

If you select a range using the anchor, IDA will propose the start address and the end address of the selection as defaults for the segment bounds.

You need to specify at least:

• the segment start address
• the segment end address (excluded from the range)
• the segment base

Click here to learn about addressing model used in IDA.

If “sparse storage” is set, IDA will use special sparse storage method for the segment. This method is recommended for huge segments. Later, it is possible to change the storage method of any region using set_storage_type IDC function.

If another segment already exists at the specified address, the existing segment is truncated and the new segment lasts from the specified start address to the next segment (or specified end address, whichever is lower). If the old and the new segments have the same base address, instructions/data will not be discarded by IDA. Otherwise, IDA will discard all instructions/data of the new segment.

An additional segment may be created by IDA to cover the range after the end of the new segment.

Edit segment…

Edit segment attributes. This command opens the Change segment attributes dialog.

Change segment attributes options

• How to change segment name
• How to change segment class
• How to change segment addressing mode (16/32)
• How to change segment alignment
• How to change segment combination

{% hint style=“info” %} Changing the segment class may change the segment type. {% endhint %}

• Move Adjacent Segments: means that the previous and next segments will be shrunk or expanded to fill gaps between segments. Click here for more information.

• Disable Addresses: if set, when a segment is shrunk, all information about bytes going out of the segment will be completely removed.. Otherwise, IDA will discard information about instructions/data, comments etc, but will retain byte values so that another segment can be created later and it will use the existing byte values.

If IDA creates 2 segments where only one segment must exist, you may try the following sequence:

• Delete one segment (action KillSegment). Choose one with bad segment base value. Do not disable addresses occupied by the segment being deleted.
• Change bounds of another segment. Note that the Create segment… command (action CreateSegment) changes the boundaries of the overlapping segment automatically.

Segments with the “debugger” attribute are the segments whose memory contents are not saved in the database. Usually, these segments are created by the debugger to reflect the current memory state of the program.

However, the user can modify this attribute.

If it is cleared, then the segment will permanently stay in the database after closing the debugger session. The database will reflect the state of the segment which was at the time when the status is changed.

If it is set, then the segment will become a temporary segment and will be deleted at the end of the debugging session.

The debugger segment checbkox is available only during debugging sessions.

The “loader” segments are the segment created by the file loader. The segment having this attribute are considered to be part of the input file.

A segment with the “debugger” attribute set and the “loader” attribute not set is considered to be an ephemeral segment. Such segments are not analyzed automatically by IDA.

“Segment permissions” group box can be used to modify Segment access permissions (Read/Write/Execute)

Segment Name

Enter a new name for the segment. A segment name is up to 8 characters long. IDA does check if the length is ok. Try to give mnemonic names for the segments.

Class Name

The segment class name identifies the segment with a class name (such as CODE, FAR_DATA, or STACK). The linker places segments with the same class name into a contiguous range of memory in the runtime memory map.

Changing the segment class changes only the segment definition on the screen. There are the following predefined segment class names:

If you change segment class and the segment type is “Regular”, then the segment type will be changed accordingly.

In order to set the segment type “Regular”, you should change the segment class to “UNK”.

{% hint style=“info” %} Segment class names are never deleted. Once you define a segment class name, you cannot reuse it as a name of another object. {% endhint %}

Segment bitness

You can choose between 16-bit and 32-bit segment addressing.

IDA will delete all instructions and data in the segment if the segment address is changed.

Never do it if you are not sure. It may have irreversible consequences, all instructions/data will be converted to undefined bytes.

Segment Alignment

You can specify the segment alignment for the selected segment. By default, IDA assumes ‘byte’ alignment.

Changing the alignment changes only the segment definition on the screen. Nothing else will happen.

Segment Combination

A field that describes how the linker can combine the segment with other segments. Under MS-DOS, segments with the same name and class can be combined in two ways: they can be concatenated to form one logical segment, or they can be overlapped. In the latter case, they have either the same start address or the same end address, and they describe a common range in memory. Values for the field are:

• Private: Do not combine with any other program segment.
• Public: Combine by appending at an offset that meets the alignment requirement.
• Stack: Combine as for Public. This combine type forces byte alignment.
• Common: Combine by overlay using maximum size.

Changing segment combination changes only the segment definition on the screen. Nothing else will happen.

Delete segment…

Delete segment. IDA will ask your the permission to disable the addresses occupied by the segment. If you allow this operation, all information about the segment will be deleted. In other words, IDA will discard the information about instructions or data, comments etc.

If you check the “disable addresses” checkbox, IDA will mark the addresses occupied by the segment as “nonexistent” in the program. You will lose ALL information, including byte values.

It is impossible to disassemble the content of addresses not located in any segment, therefore you must create a new segment if you want to resume the disassembly of that part of the code.

You can also edit an adjacent segment to expand it to those addresses (Edit → Segments → Edit segment…).

IDA will ask your the permission to disable addresses occupied by the segment. If you give your permission, information about the segment will be deleted, otherwise IDA will discard information about instruction/data, comments etc, but retain byte values so that you will be able to create another segment afterwards. To disassemble the addresses occupied by the segment, you need to create a new segment again (i.e. you cannot disassemble bytes without a segment). You can also expand another adjacent segment to these addresses.

Move current segment…

Change the current segment boundaries. This command open the Move segment dialog and allows you to move segment(s) to another address. Use it if the segment(s) are loaded at a wrong address. This command shifts (moves) the selected segments in the memory to the target address. There must be enough free space at the target address for the segments. All information in the segment will be moved to the new address, but since the addresses change, the disassembly might be not valid anymore (especially if the program is moved to the wrong addresses and the relocation information is not available).

Fix up the relocated segment

This option allows IDA to modify the references to/from the relocated segment(s). If it is turned off, the references might be wrong after the move.

Rebase program…

Rebase program. The whole program will be shifted by the specified amount of bytes in the memory. The following options are available (we strongly recommend to leave them turned on):

• Fix up relocations: This option allows IDA to modify the references to/from the relocated segment(s). If it is turned off, the references might be wrong after the move.
• Rebase the whole image: This option is accessible only if the whole program is selected. It allows IDA to adjust internal variables on the whole program.

Please note rebasing the program might remove user-defined xrefs.

Change segment register value…

Change segment register value. Relevant only for processors with the segment registers. Currently this command works for IBM PC, TMS320C2, Intel80196, and PowerPC processors. This command creates or updates a segment register change point. See also the Jump to segment register… command (action JumpSegmentRegister) for more info.

Set default segment register value…

Set default segment register value. Relevant only for processors with the segment registers. You can specify a default value of a segment register for the current segment. When you change the default value, IDA will reanalyze the segment, taking the default value when it cannot determine the actual value of the register. This takes time, so do not be surprised if references are not corrected immediately.

To specify a value other than the default value of a segment register, you can use the Change segment register value… command (action SetSegmentRegister).

Struct var…

Declare a structure variable. IDA will ask you to choose a structure type. You must have some structure types defined in order to use this command. If the target assembler supports it, IDA will display the structure in terse form (using just one line). To uncollapse a terse structure variable use the Unhide command. You can also use this command to declare a structure field in another structure (i.e., nested structures are supported too).

Force zero offset field

Toggle display of the first field of a structure in an offset expression. This command forces IDA to display a full structure member name even if the offset of the member is equal to zero.

If used twice, the command cancels itself.

Example: Suppose we have the following structure:

    xxx     struc
    a       db ?
    b       db ?
    c       db ?
    xxx     ends

    dloc    xxx ?

Normally IDA displays references to it like this:

    mov     eax, offset dloc
    mov     eax, offset dloc.b

If you force IDA, then it displays member ‘a’:

    mov     eax, offset dloc.a
    mov     eax, offset dloc.b

Select union member…

Choose the representation of a union member. This command tells IDA how to display references to a union from the current cursor location.

Example: Suppose we have the following union:

        xxx     union
        a       db ?
        b       dw ?
        c       dd ?
        ends   xxx
        dloc    xxx ?

Normally, IDA displays references to “dloc” like this:

        mov     al,  byte ptr dloc
        mov     eax, word ptr dloc

After using this command, IDA can display the union members:

        mov     al,  dloc.b
        mov     eax, dloc.d 

Create struct from selection

This command defines a new structure from data already defined. The new structure is created with adequate data types, and each member uses the current data name if it is available.

This command is available only in the graphical version of IDA.

Copy field info to pointers

Copy field info to pointed addresses. This command scans the current struct variable and renames the locations pointed by offset expressions unless they already have a non-dummy name.

It also copies the type info from the struct members to pointed locations.

Create function…

Create a new function in the disassembly. You can specify function boundaries using the anchor. If you don’t specify any, IDA will try to find the boundaries automatically:

• function start point is equal to the current cursor position;
• function end point is calculated by IDA.

A function cannot contain references to undefined instructions. If a function has already been defined at the specified addresses, IDA will jump to its start address, showing you a warning message. A function must start with an instruction.

Edit function…

Edit function attributes - change function properties, including bounds, name, flags, and stack frame parameters. This command opens an Edit Function dialog, and allows you to modify function characteristics and stack frame structure. If the current address does not belong to any function, IDA will beep.

To change only the function end address, use the FunctionEnd command instead. This command allows you to change the function frame parameters too. You can change sizes of some parts of frame structure.

Stack Frame Structure

IDA represents the stack using the following structure:

{% hint style=“info” %} For some processors or functions, BP may equal SP, meaning it points to the bottom of the stack frame. {% endhint %}

You may specify the number of bytes in each part of the stack frame. The size of the return address is calculated by IDA (possibly depending on the far function flag).

           push    ebp
           lea     ebp, [esp-78h]
           sub     esp, 588h
           push    ebx
           push    esi
           lea     eax, [ebp+74h]

      +------------------------------+
      | function arguments           |
      +------------------------------+
      | return address               |
      +------------------------------+
      | saved registers (SI,DI,etc)  |
      +------------------------------+  <- typical BP
      |                              |
      |                              |
      |                              |  <- actual BP
      | local variables              |
      |                              |
      |                              |
      |                              |
      +------------------------------+  <- SP

In our example, the saved registers area is empty (since EBP has been initialized before saving EBX and ESI). The difference between the ‘typical BP’ and ‘actual BP’ is 0x78 and this is the value of FPD.

After specifying FPD=0x78 the last instruction of the example becomes

           lea     eax, [ebp+78h+var_4]

where var_4 = -4

Most of the time, IDA calculates the FPD value automatically. If it fails, the user can specify the value manually.

If the value of the stack pointer is modified in an unpredictable way, (e.g. “and esp, -16”), then IDA marks the function as “fuzzy-sp”.

If this command is invoked for an imported function, then a simplified dialog box will appear on the screen.

See also:

• Igor’s Tip of the Week #126: Non-returning functions
• Igor’s tip of the week #106: Outlined functions

Configurable Parameters

• Stack Frame Sizes: You can specify the number of bytes in each part of the stack frame. The return address size is calculated automatically by IDA (may depend on the far function flag).
• Purged Bytes: Specifies the number of bytes added to SP upon function return. This value calculates SP changes at call sites (used in calling conventions such as __stdcall in Windows 32-bit programs).
• BP Based Frame: Enables IDA to automatically convert [BP+xxx] operands to stack variables.
• BP Equal to SP: Indicates that the frame pointer points to the bottom of the stack. Commonly used for processors that set up the stack frame with EBP and ESP both pointing to the bottom (e.g., MC6816, M32R).
• Reanalysis: Pressing Enter without changing any parameter will cause IDA to reanalyze the function.

Append function tail…

This command appends an arbitrary range of the program to a function definition. A range must be selected before applying this command. This range must not intersect with other function chunks (however, an existing tail can be added to multiple functions).

IDA will ask to select the parent function for the selection and will append the range to the function definition.

Remove function tail…

Remove function tail. This command removes the function tail at the cursor from a function definition. If there are several parent functions for the current function tail range, IDA will ask to select the parent function(s) to remove the tail from. After the confirmation, the current function tail range will be removed from the selected function definition. If the parent was the only owner of the current tail, then the tail will be destroyed. Otherwise it will still be present in the database. If the removed parent was the owner of the tail, then another function will be selected as the owner.

Change stack pointer…

Change stack pointer. This command allows you to specify how the stack pointer (SP) is modified by the current instruction.

You cannot use this command if the current instruction does not belong to any function.

You will need to use this command only if IDA was not able to trace the value of the SP register. Usually IDA can handle it but in some special cases it fails. An example of such a situation is an indirect call of a function that purges its parameters from the stack. In this case, IDA has no information about the function and cannot properly trace the value of SP.

Please note that you need to specify the difference between the old and new values of SP.

The value of SP is used if the current function accesses local variables by [ESP+xxx] notation.

See also how to convert to stack variable (Action OpStackVariable).

Rename register…

Rename a general processor register. This command allows you to rename a processor general register to some meaningful name. While this is not used very often on IBM PCs, it is especially useful on RISC processors with lots of registers. For example, a general register R9 is not very meaningful and a name like ‘CurrentTime’ is much better.

This command can be used to define a new register name as well as to remove it. Just move the cursor on the register name and press enter. If you enter the new register name as an empty string, then the definition will be deleted.

If you have selected a range before using this command, then the definition will be restricted to the selected range. But in any case, the definition cannot cross the function boundaries.

You cannot use this command if the current instruction does not belong to any function.

Set type…

Set type information for an item or current function. This command allows you to specify the type of the current item. If the cursor is located on a name, the type of the named item will be edited. Otherwise, the current function type (if there is a function) or the current item type (if it has a name) will be edited.

The function type must be entered as a C declaration. Hidden arguments (like ‘this’ pointer in C++) should be specified explicitly. IDA will use the type information to comment the disassembly with the information about function arguments. It can also be used by the Hex-Rays decompiler plugin for better decompilation. Here is an example of a function declaration:

    int main(int argc, const char *argv[]);

It is also possible to specify a function name coming from a type library. For example, if entering “LoadLibraryW” would yield its prototype:

    HMODULE __stdcall LoadLibraryW(LPCWSTR lpLibFileName);

provided that the corresponding type library is in memory. To delete a type declaration, just enter an empty string. IDA supports the user-defined calling convention. In this calling convention, the user can explicitly specify the locations of arguments and the return value. For example:

    int __usercall func@<ebx>(int x, int y@<esi>);

denotes a function with 2 arguments: the first argument is passed on the stack (IDA automatically calculates its offset) and the second argument is passed in the ESI register and the return value is stored in the EBX register. Stack locations can be specified explicitly:

    int __usercall runtime_memhash@<^12.4>(void *p@<^0.4>, int q@<^4.4>, int r@<^8.4>)

There is a restriction for a __usercall function type: all stack locations should be specified explicitly or all are automatically calculated by IDA. General rules for the user defined prototypes are:

• the return value must be in a register. Exception: stack locations are accepted for the __golang and __usercall calling conventions.

• if the return type is ‘void’, the return location must not be specified

• if the argument location is not specified, it is assumed to be on the stack; consequent stack locations are allocated for such arguments

• it is allowed to declare nested declarations, for example: int **__usercall func16@(int *(__usercall *x)@ (int, long@, int)@);

  Here the pointer “x” is passed in the ESI register; The pointed function is a usercall function and expects its second argument in the ECX register, its return value is in the EBX register. The rule of thumb to apply in such complex cases is to specify the the registers just before the opening brace for the parameter list.

• registers used for the location names must be valid for the current processor; some registers are unsupported (if the register name is generated on the fly, it is unsupported; inform us about such cases; we might improve the processor module if it is easy)

• register pairs can be specified with a colon like edx:eax

• for really complicated cases this syntax can be used. IDA also understands the “__userpurge” calling convention. It is the same thing as __usercall, the only difference is that the callee cleans the stack.

The name used in the declaration is ignored by IDA. If the default calling convention is __golang then explicit specification of stack offsets is permitted. For example:

  __attribute__((format(printf,2,3)))
  int myprnt(int id, const char *format, ...);

This declaration means that myprnt is a print-like function; the format string is the second argument and the variadic argument list starts at the third argument.

Below is the full list of attributes that can be handled by IDA.

Data Declaration Keywords

For data declarations, the following custom __attribute((annotate(X))) keywords have been added. The control the representation of numbers in the output:

Type Declaration Keywords

The following additional keywords can be used in type declarations:

Change byte…

Change program bytes. You can modify the executable file and eventually generate a new file (the Create EXE file… command; action ProduceExe). If you patch bytes, then you may enter multiple bytes (see also Binary string format). If this command is invoked when the debugger is active, then IDA will modify the memory and the database. If the database does not contain the patched bytes, then only the process memory will be modified. You can create a difference file too (the Create DIFF file… command; action ProduceDiff). See also How to Enter a Number.

Assemble…

This command allows you to assemble instructions. Currently, only the IBM PC processors provide an assembler, nonetheless, plugin writers can extend or totally replace the built-in assembler by writing their own.

The assembler requires to enclose all memory references into square brackets. For example:

        mov ax, [counter]

Also, the keyword ‘offset’ must not be used. Instead of

        mov eax, offset name

you must write

        mov eax, name

See also How to Enter a Number.

Patched bytes

Open the Patched bytes window. The Patched bytes view shows the list of the patched locations in the database. It also allows you to revert modifications selectively.

Reverting changes

Select location(s) and click Revert… from the context menu to revert this modification.

Patching bytes

You can change individual bytes via Edit → Patch program → Change byte….

Apply patches to input file…

Apply previously patched bytes back to the input file. If the “Restore” option is selected, then the original bytes will be applied to the input file.

See also ProduceDiff action.

Create alignment directive…

Create alignment directive. The alignment directive will replace a number of useless bytes inserted by the linker to align code and data to paragraph boundary or any other address which is equal to a power of two. You can select a range to be converted to an alignment directive. If you have selected a range, IDA will try to determine a correct alignment automatically.

There are at least two requirements for this command to work:

• There must be enough unexplored bytes at the current address.
• An alignment directive must always end at an address which is divisible by a power or two.

Manual instruction…

Specify alternate representation of the current instruction. Use it if IDA cannot represent the current instruction as desired. If the instruction itself is ok and only one operand is misrepresented, then use Manual… command (action ManualOperand). To delete the manual representation, specify an empty string.

Color instruction…

This command allows you to specify the background color for the current instruction or data item. Only GUI version supports different background colors. Specifying a non-defined custom color will reset the instruction color.

Toggle border

Toggle the display of a border between code and data. This command allows you to hide a thin border which is like the one generated automatically by IDA between instructions and data. If the border was already hidden, then it is displayed again.

Edit menu actions for Functions View

{% hint style=“info” %} The options below appear when the Edit menu is opened from the Functions View. In other views, the menu adapts dynamically and may show a different set of options. {% endhint %}

Below is an overview of all actions that can be accessed from this menu.

Undo

This command reverts the database to the state before executing the last user action. It is possible to apply Undo multiple times, in this case multiple user actions will be reverted.

Please note the entire database is reverted, including all modifications that were made to the database after executing the user action and including the ones that are not connected to the user action. For example, if a third party plugin modified the database during or after the user action, this modification will be reverted. In theory it is possible to go back in time to the very beginning and revert the database to the state that was present immediately after performing the very first user action. However, in practice the undo buffers overflow because of the changes made by autoanalysis.

Autoanalysis (Options → General… → Analysis) generates copious amounts of undo data. Also, please note that maintaining undo data during autoanalysis slows it down a bit. In practice, it is not a big deal because the limit on the undo data is reached quite quickly (in a matter of minutes). Therefore, if during analysis the user does not perform any actions that modify the database, the undo feature will turn itself off temporarily.

However, if you prefer not to collect undo data at all during the initial autoanalysis, just turn off the UNDO_DURING_AA parameter in ida.cfg.

The configuration file ida.cfg has 2 more undo-related parameters:

Since there is a limit on the size of undo buffers, any action, even the tiniest, may become non-undoable after some time. This is true because the analysis or plugins may continue to modify the database and overflow the buffers. Some massive actions, like deleting a segment, may be non-undoable just because of the sheer amount of undo data they generate.

Please note that Undo does not affect the state of IDC or Python scripts. Script variables will not change their values because of Undo. Also nothing external to the database can be changed: created files will not be deleted, etc.

Some actions cannot be undone. For example, launching a debugger or resuming from a breakpoint cannot be undone.

Redo

This command reverts the previously issued Undo command. It is possible to use Redo multiple times.

This command also reverts all changes that were done to the database after the last Undo command, including the eventual useful modifications made by the autoanalysis. In other words, the entire database is modified to get to the exact state that it had before executing the last Undo command.

Edit menu actions for Local Types View

{% hint style=“info” %} The options below appear when the Edit menu is opened from the Local Types View. In other views, the menu adapts dynamically and may show a different set of options. {% endhint %}

Below is an overview of all actions that can be accessed from this menu.

Undo

This command reverts the database to the state before executing the last user action. It is possible to apply Undo multiple times, in this case multiple user actions will be reverted.

Please note the entire database is reverted, including all modifications that were made to the database after executing the user action and including the ones that are not connected to the user action. For example, if a third party plugin modified the database during or after the user action, this modification will be reverted. In theory it is possible to go back in time to the very beginning and revert the database to the state that was present immediately after performing the very first user action. However, in practice the undo buffers overflow because of the changes made by autoanalysis.

Autoanalysis (Options → General… → Analysis) generates copious amounts of undo data. Also, please note that maintaining undo data during autoanalysis slows it down a bit. In practice, it is not a big deal because the limit on the undo data is reached quite quickly (in a matter of minutes). Therefore, if during analysis the user does not perform any actions that modify the database, the undo feature will turn itself off temporarily.

However, if you prefer not to collect undo data at all during the initial autoanalysis, just turn off the UNDO_DURING_AA parameter in ida.cfg.

The configuration file ida.cfg has 2 more undo-related parameters:

Since there is a limit on the size of undo buffers, any action, even the tiniest, may become non-undoable after some time. This is true because the analysis or plugins may continue to modify the database and overflow the buffers. Some massive actions, like deleting a segment, may be non-undoable just because of the sheer amount of undo data they generate.

Please note that Undo does not affect the state of IDC or Python scripts. Script variables will not change their values because of Undo. Also nothing external to the database can be changed: created files will not be deleted, etc.

Some actions cannot be undone. For example, launching a debugger or resuming from a breakpoint cannot be undone.

Redo

This command reverts the previously issued Undo command. It is possible to use Redo multiple times.

This command also reverts all changes that were done to the database after the last Undo command, including the eventual useful modifications made by the autoanalysis. In other words, the entire database is modified to get to the exact state that it had before executing the last Undo command.

Add enum member…

Convert to data. This command converts the current unexplored bytes to data. If it is not possible, IDA will warn you.

Multiple using of this command will change the data type:

 db -> dw -> dd -> float -> dq -> double -> dt -> packreal -> octa \;
 ^                                                                 |;
 \---------<----------------<--------------<-----------------------/;

You may remove some items from this list using the Setup data types… command (action SetupData).

If the target assembler (Options → General… → Analysis) does not support double words or another data type, it will be skipped. To create a structure variable, use the Struct var… command (action DeclareStructVar). To create an array, use the Array… command (action MakeArray). To convert back, use the Undefine command (action MakeUnknown).

Rename

Rename the current location. This command gives name/renames/deletes name for the current item.

To delete a name, simply give an empty name.

If the current item is referenced, you cannot delete its name. Even if you try, IDA will generate a dummy name (See Options → Name representation…).

List of available options:

• Local name: The name is considered to be defined only in the current function. Please note that IDA does not check the uniqueness of the local names in the whole program. However, it does verify that the name is unique for the function.

• Include in name list: Here you can also include/remove the name from the name list (see the Jump by name… command; action JumpName). If the name is hidden, you will not see it in the names window.

• Public name: You can declare a name as a public (global) name. If the current assembler supports the “public” directive, IDA will use it. Otherwise, the publicness of the name will be displayed as a comment.

• Autogenerated name: An autogenerated name will appear in a different color. If the item is indefined, it will disappear automatically.

• Weak name: You can declare a name as a weak name. If the current assembler supports the “weak” directive, IDA will use it. Otherwise, the weakness of the name will be displayed as a comment.

• Create name anyway: If this flag is on, and if the specified name already exists, IDA will try to variate the specified name by appending a suffix to it.

Toggle leading zeroes

Toggle leading zeroes.

This command displays or hides the leading zeroes of the current operand. Example: if the instruction looked like this:

    and     ecx, 40h

then after applying the command it will look like this:

    and     ecx, 00000040h

If you prefer to see leading zeroes in all cases, then open the calculator and enter the following expression: set_inf_attr (INF_GENFLAGS, get_inf_attr(INF_GENFLAGS) | INFFL_LZERO); This will toggle the default for the current database and all numbers without leading zeroes will become numbers with leading zeroes, and vice versa. See also Edit|Operand types submenu.

Jump

Jump menu actions for IDA View

{% hint style=“info” %} The options below appear when the Jump menu is opened from the IDA View. In other views, the menu adapts dynamically and may show a different set of options. {% endhint %}

Below is an overview of all actions that can be accessed from this menu.

Jump to operand

Jump to the specified address. By pressing Enter you navigate in the program in the same way as in a hypertext (the way the web browsers and help screens use). This is the easiest way to explore the program: just position the cursor at the desired name and press JumpEnter. Your current address is saved in the jump stack. The Jump to previous position command (action Return, usually Esc) will return you back. If the cursor is at a stack variable, a window with stack variables is opened and the definition of the stack variable is displayed.

Jump to previous position

Return to the previous saved position. It takes positions from Jumps Stack.

Jump to next position

Go to the next saved position. This command cancels the last Jump to previous position command.

Jump to address…

Jump to the specified address. This command jumps to the specified address in the program. IDA will ask you for the target address. You can enter a name or an address as a hexadecimal number with or without a segment. If you enter a valid address then:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address.

The Jump to previous position command ( action Return, usually Esc) will return you back. In the structure and enum views, the cursor will be moved to the corresponding offset in the current type.

See also How to enter an address

Jump by name…

Jump to the selected name. This command allows you to jump to a name definition by selecting it from the list of the names. IDA will display the list of the names (sorted by addresses) and you can choose a name. Dummy names (generated by IDA) are not listed. Hidden names are not listed either. You can control which names are listed in the Names representation dialog box (Action SetNameType, Options → Name representation…).

See also How to use the lister.

Jump to segment…

Jump to the selected segment. IDA will ask you to select the target segment. After:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address. The Jump to previous position command (action Return, usually Esc) will return you back. See also: How to choose a segment.

Jump to segment register…

Jump to the selected segment register change point. IDA will ask you to select a target change point, and after:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address.

Jump to problem…

Jump to the selected problematic location. IDA will display the Problems List and will allow you to select a problem. The Jump to previous position command (action Return, usually Esc)(usually Esc) will return you back.

Jump to xref to operand…

Jump to the selected cross reference to operand. This command shows you a list of cross-references to the current operand: you can jump to the selected one by pressing Enter. See also the description of the cross references window.

Jump to entry point…

This command shows you a list of entry points: you can jump to the selected one by pressing Enter.

The list of entry points is created at the database creation time. It is not modified after that (for example, renaming an exported function does not change the list of entry points).

Jump to file offset…

Jump to file offset. IDA will ask you for a target file offset. This command jumps to the address corresponding to this specified file offset. If this file offset corresponds to a valid address then: the current address is saved in the jump stack. the cursor is positioned to the corresponding address. The Jump to previous position command (action Return, usually Esc) will return you back.

Mark position…

Remember the current position in the disassembly. You can mark certain locations of the file to be able to jump to them quickly (use the Jump to marked position… command). Text description of the location may help to find a desired location easily. First select a slot for the mark, then enter a description for the location.

Jump to marked position…

Jump to the selected marked position.

IDA will ask you to select a target position. After:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address. The Jump to previous position command (action Return, usually Esc) will return you back. You can mark the position using the Jump to marked position… command (action JumpPosition).

Jump menu actions for Pseudocode View

{% hint style=“info” %} The options below appear when the Jump menu is opened from the Pseudocode View. In other views, the menu adapts dynamically and may show a different set of options. {% endhint %}

Below is an overview of all actions that can be accessed from this menu.

Jump to operand

Jump to the specified address. By pressing Enter you navigate in the program in the same way as in a hypertext (the way the web browsers and help screens use). This is the easiest way to explore the program: just position the cursor at the desired name and press JumpEnter. Your current address is saved in the jump stack. The Jump to previous position command (action Return, usually Esc) will return you back. If the cursor is at a stack variable, a window with stack variables is opened and the definition of the stack variable is displayed.

Jump to previous position

Return to the previous saved position. It takes positions from Jumps Stack.

Jump to next position

Go to the next saved position. This command cancels the last Jump to previous position command.

Jump to address…

Jump to the specified address. This command jumps to the specified address in the program. IDA will ask you for the target address. You can enter a name or an address as a hexadecimal number with or without a segment. If you enter a valid address then:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address.

The Jump to previous position command ( action Return, usually Esc) will return you back. In the structure and enum views, the cursor will be moved to the corresponding offset in the current type.

See also How to enter an address

Jump by name…

Jump to the selected name. This command allows you to jump to a name definition by selecting it from the list of the names. IDA will display the list of the names (sorted by addresses) and you can choose a name. Dummy names (generated by IDA) are not listed. Hidden names are not listed either. You can control which names are listed in the Names representation dialog box (Action SetNameType, Options → Name representation…).

See also How to use the lister.

Jump to segment…

Jump to the selected segment. IDA will ask you to select the target segment. After:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address. The Jump to previous position command (action Return, usually Esc) will return you back. See also: How to choose a segment.

Jump to segment register…

Jump to the selected segment register change point. IDA will ask you to select a target change point, and after:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address.

Jump to problem…

Jump to the selected problematic location. IDA will display the Problems List and will allow you to select a problem. The Jump to previous position command (action Return, usually Esc)(usually Esc) will return you back.

Jump to xref to operand…

Jump to the selected cross reference to operand. This command shows you a list of cross-references to the current operand: you can jump to the selected one by pressing Enter. See also the description of the cross references window.

Jump to entry point…

This command shows you a list of entry points: you can jump to the selected one by pressing Enter.

The list of entry points is created at the database creation time. It is not modified after that (for example, renaming an exported function does not change the list of entry points).

Jump to file offset…

Jump to file offset. IDA will ask you for a target file offset. This command jumps to the address corresponding to this specified file offset. If this file offset corresponds to a valid address then: the current address is saved in the jump stack. the cursor is positioned to the corresponding address. The Jump to previous position command (action Return, usually Esc) will return you back.

Mark position…

Remember the current position in the disassembly. You can mark certain locations of the file to be able to jump to them quickly (use the Jump to marked position… command). Text description of the location may help to find a desired location easily. First select a slot for the mark, then enter a description for the location.

Jump to marked position…

Jump to the selected marked position.

IDA will ask you to select a target position. After:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address. The Jump to previous position command (action Return, usually Esc) will return you back. You can mark the position using the Jump to marked position… command (action JumpPosition).

Jump menu actions for Hex View

{% hint style=“info” %} The options below appear when the Jump menu is opened from the Hex View. In other views, the menu adapts dynamically and may show a different set of options. {% endhint %}

Below is an overview of all actions that can be accessed from this menu.

Jump to operand

Jump to the specified address. By pressing Enter you navigate in the program in the same way as in a hypertext (the way the web browsers and help screens use). This is the easiest way to explore the program: just position the cursor at the desired name and press JumpEnter. Your current address is saved in the jump stack. The Jump to previous position command (action Return, usually Esc) will return you back. If the cursor is at a stack variable, a window with stack variables is opened and the definition of the stack variable is displayed.

Jump to previous position

Return to the previous saved position. It takes positions from Jumps Stack.

Jump to next position

Go to the next saved position. This command cancels the last Jump to previous position command.

Jump to address…

Jump to the specified address. This command jumps to the specified address in the program. IDA will ask you for the target address. You can enter a name or an address as a hexadecimal number with or without a segment. If you enter a valid address then:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address.

The Jump to previous position command ( action Return, usually Esc) will return you back. In the structure and enum views, the cursor will be moved to the corresponding offset in the current type.

See also How to enter an address

Jump by name…

Jump to the selected name. This command allows you to jump to a name definition by selecting it from the list of the names. IDA will display the list of the names (sorted by addresses) and you can choose a name. Dummy names (generated by IDA) are not listed. Hidden names are not listed either. You can control which names are listed in the Names representation dialog box (Action SetNameType, Options → Name representation…).

See also How to use the lister.

Jump to segment…

Jump to the selected segment. IDA will ask you to select the target segment. After:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address. The Jump to previous position command (action Return, usually Esc) will return you back. See also: How to choose a segment.

Jump to segment register…

Jump to the selected segment register change point. IDA will ask you to select a target change point, and after:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address.

Jump to problem…

Jump to the selected problematic location. IDA will display the Problems List and will allow you to select a problem. The Jump to previous position command (action Return, usually Esc)(usually Esc) will return you back.

Jump to xref to operand…

Jump to the selected cross reference to operand. This command shows you a list of cross-references to the current operand: you can jump to the selected one by pressing Enter. See also the description of the cross references window.

Jump to entry point…

This command shows you a list of entry points: you can jump to the selected one by pressing Enter.

The list of entry points is created at the database creation time. It is not modified after that (for example, renaming an exported function does not change the list of entry points).

Jump to file offset…

Jump to file offset. IDA will ask you for a target file offset. This command jumps to the address corresponding to this specified file offset. If this file offset corresponds to a valid address then: the current address is saved in the jump stack. the cursor is positioned to the corresponding address. The Jump to previous position command (action Return, usually Esc) will return you back.

Mark position…

Remember the current position in the disassembly. You can mark certain locations of the file to be able to jump to them quickly (use the Jump to marked position… command). Text description of the location may help to find a desired location easily. First select a slot for the mark, then enter a description for the location.

Jump to marked position…

Jump to the selected marked position.

IDA will ask you to select a target position. After:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address. The Jump to previous position command (action Return, usually Esc) will return you back. You can mark the position using the Jump to marked position… command (action JumpPosition).

Jump menu actions for Functions View

{% hint style=“info” %} The options below appear when the Jump menu is opened from the Functions View. In other views, the menu adapts dynamically and may show a different set of options. {% endhint %}

Below is an overview of all actions that can be accessed from this menu.

Jump to operand

Jump to the specified address. By pressing Enter you navigate in the program in the same way as in a hypertext (the way the web browsers and help screens use). This is the easiest way to explore the program: just position the cursor at the desired name and press JumpEnter. Your current address is saved in the jump stack. The Jump to previous position command (action Return, usually Esc) will return you back. If the cursor is at a stack variable, a window with stack variables is opened and the definition of the stack variable is displayed.

Jump to previous position

Return to the previous saved position. It takes positions from Jumps Stack.

Jump to next position

Go to the next saved position. This command cancels the last Jump to previous position command.

Jump to address…

Jump to the specified address. This command jumps to the specified address in the program. IDA will ask you for the target address. You can enter a name or an address as a hexadecimal number with or without a segment. If you enter a valid address then:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address.

The Jump to previous position command ( action Return, usually Esc) will return you back. In the structure and enum views, the cursor will be moved to the corresponding offset in the current type.

See also How to enter an address

Jump by name…

Jump to the selected name. This command allows you to jump to a name definition by selecting it from the list of the names. IDA will display the list of the names (sorted by addresses) and you can choose a name. Dummy names (generated by IDA) are not listed. Hidden names are not listed either. You can control which names are listed in the Names representation dialog box (Action SetNameType, Options → Name representation…).

See also How to use the lister.

Jump to segment…

Jump to the selected segment. IDA will ask you to select the target segment. After:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address. The Jump to previous position command (action Return, usually Esc) will return you back. See also: How to choose a segment.

Jump to segment register…

Jump to the selected segment register change point. IDA will ask you to select a target change point, and after:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address.

Jump to problem…

Jump to the selected problematic location. IDA will display the Problems List and will allow you to select a problem. The Jump to previous position command (action Return, usually Esc)(usually Esc) will return you back.

Jump to xref to operand…

Jump to the selected cross reference to operand. This command shows you a list of cross-references to the current operand: you can jump to the selected one by pressing Enter. See also the description of the cross references window.

Jump to entry point…

This command shows you a list of entry points: you can jump to the selected one by pressing Enter.

The list of entry points is created at the database creation time. It is not modified after that (for example, renaming an exported function does not change the list of entry points).

Jump to file offset…

Jump to file offset. IDA will ask you for a target file offset. This command jumps to the address corresponding to this specified file offset. If this file offset corresponds to a valid address then: the current address is saved in the jump stack. the cursor is positioned to the corresponding address. The Jump to previous position command (action Return, usually Esc) will return you back.

Mark position…

Remember the current position in the disassembly. You can mark certain locations of the file to be able to jump to them quickly (use the Jump to marked position… command). Text description of the location may help to find a desired location easily. First select a slot for the mark, then enter a description for the location.

Jump to marked position…

Jump to the selected marked position.

IDA will ask you to select a target position. After:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address. The Jump to previous position command (action Return, usually Esc) will return you back. You can mark the position using the Jump to marked position… command (action JumpPosition).

Jump menu actions for Local Types View

{% hint style=“info” %} The options below appear when the Jump menu is opened from the Local Types View. In other views, the menu adapts dynamically and may show a different set of options. {% endhint %}

Below is an overview of all actions that can be accessed from this menu.

Jump by name…

Jump to the selected name. This command allows you to jump to a name definition by selecting it from the list of the names. IDA will display the list of the names (sorted by addresses) and you can choose a name. Dummy names (generated by IDA) are not listed. Hidden names are not listed either. You can control which names are listed in the Names representation dialog box (Action SetNameType, Options → Name representation…).

See also How to use the lister.

Mark position…

Remember the current position in the disassembly. You can mark certain locations of the file to be able to jump to them quickly (use the Jump to marked position… command). Text description of the location may help to find a desired location easily. First select a slot for the mark, then enter a description for the location.

Jump to marked position…

Jump to the selected marked position.

IDA will ask you to select a target position. After:

• the current address is saved in the jump stack.
• the cursor is positioned to the specified address. The Jump to previous position command (action Return, usually Esc) will return you back. You can mark the position using the Jump to marked position… command (action JumpPosition).

Search

Search menu actions for IDA View

{% hint style=“info” %} The options below appear when the Search menu is opened from the IDA View. In other views, the menu adapts dynamically and may show a different set of options. {% endhint %}

Below is an overview of all actions that can be accessed from this menu.

Immediate value…

This command searches for the first instruction or data byte that contains the specified immediate value. The command is relatively slow (but much faster than the text search), because it disassembles each instruction to find the operand values.

If the immediate value in an instruction has been logically or bitwise negated, then this command will check against the modified value. Example:

        mov al, -2

will be found if the user searches for the immediate value 2 but not when he searches for 0xFE.

If the checkbox “any untyped value” is checked, then the “value” field is ignored. IDA will look for all immediate values without type in this case.

Text…

This command searches for the specified substring in the text representation of the disassembly. This command is a slow command, because it disassembles each instruction to get the text representation. IDA will show its progress on the indicator (Options → General → Analysis). You can interrupt this command pressing Ctrl-Break.

You may search for regular expressions too.

If a range is selected using anchor (action Anchor), IDA will search for the specified substring in the range.

Note that this command searches the same as what you see on your screen (and not in binary image).

For binary search, look at AskBinaryText action.

Next void

Search for the next instruction with void operand. Suspicious operands are the operands that need your attention because they contain an immediate value that could be a number or an offset. IDA does not know about it, so it marks these instructions as ‘suspicious’. You can change the suspiciousness of the operands using set lower limit of suspicious operands and set upper limit of suspicious operands commands (Options → General → Disassembly). Data arrays are considered to be suspicious if the first element of the data array is within the lower and upper suspicious limits. Values of other elements are not examined.

{% hint style=“info” %} We strongly recommend that before producing an ASM file you go through all ‘suspicious’ marks and get rid of them. After this, you have a certain level of confidence that the file has been disassembled correctly. {% endhint %}

Error operand

This command searches for the ‘error’ operands. Usually, these operands are displayed with a red color. Below is the list of probable causes of error operands:

• reference to an unexisting address
• illegal offset base
• unprintable character constant
• invalid structure or enum reference
• and so on…

All void operands

All void operands. This command searches for all suspicious operands and presents a list of them. You may use this list to examine the operands and modify them as needed.

See also JumpSuspicious action.

All error operands

All error operands. This command searches for all strings containing any error and presents a list of them. You may use this list to examine errors and correct them as needed.

See also JumpError action.

Search direction

Change the search direction. The current direction for searches is displayed in the right upper corner of the screen. Using this command, you can toggle the display. See also Options top menu.

Search menu actions for Pseudocode View

{% hint style=“info” %} The options below appear when the Search menu is opened from the Pseudocode View. In other views, the menu adapts dynamically and may show a different set of options. {% endhint %}

Below is an overview of all actions that can be accessed from this menu.