Search menu actions for Hex View
{% hint style="info" %} The options below appear when the Search menu is opened from the Hex View. In other views, the menu adapts dynamically and may show a different set of options. {% endhint %}
Below is an overview of all actions that can be accessed from this menu.
| UI Action Name | Action Name | Description |
|---|---|---|
| Next code | JumpCode | Search for the next instruction in the current direction |
| Next data | JumpData | Search for the next defined data item in the current direction |
| Next explored | JumpExplored | Search for the next instruction or data (first defined byte) in the current direction |
| Next unexplored | JumpUnknown | Search for the next unexplored byte |
| Immediate value… | AskNextImmediate | This command searches for the first instruction or data byte that contains the specified immediate value. More… |
| Next immediate value | JumpImmediate | Repeat search for immediate value |
| Text… | AskNextText | This command searches for the specified substring in the text representation of the disassembly. More… |
| Next text | JumpText | Repeat search for text |
| Sequence of bytes… | AskBinaryText | |
| Next sequence of bytes | JumpBinaryText | Repeat search for sequence of bytes. This command repeats search for text in core command. |
| Not function | JumpNotFunction | Search for instruction not belonging to any function |
| Next void | JumpSuspicious | Search for the next instruction with void operand. More… |
| Error operand | JumpError | This command searches for the ‘error’ operands. Usually, these operands are displayed with a red color. More… |
| All void operands | FindAllSuspicious | All void operands. This command searches for all suspicious operands and presents a list of them. You may use this list to examine the operands and modify them as needed. More… |
| All error operands | FindAllErrors | All error operands. This command searches for all strings containing any error and presents a list of them. You may use this list to examine errors and correct them as needed. More… |
| Search for pictures | picture_search:search_for_pictures | Search for pictures |
| Search direction | SetDirection | Change the search direction. More… |
| Search highlight up | SearchHighlightUp | Search highlight up |
| Search highlight down | SearchHighlightDown | Search highlight down |
| Lock highlight | | |
| … (unassigned) | LockHighlight_0 | Lock/unlock highlight color 1 |
| … (unassigned) | LockHighlight_1 | Lock/unlock highlight color 2 |
| … (unassigned) | LockHighlight_2 | Lock/unlock highlight color 3 |
| … (unassigned) | LockHighlight_3 | Lock/unlock highlight color 4 |
| … (unassigned) | LockHighlight_4 | Lock/unlock highlight color 5 |
| … (unassigned) | LockHighlight_5 | Lock/unlock highlight color 6 |
| … (unassigned) | LockHighlight_6 | Lock/unlock highlight color 7 |
| … (unassigned) | LockHighlight_7 | Lock highlight color 8 |
| Find register definition | FindRegisterDefinition | Find register definition |
| Find register use | FindRegisterUse | Find register use |
Immediate value…
This command searches for the first instruction or data byte that contains the specified immediate value. The command is relatively slow (but much faster than the text search), because it disassembles each instruction to find the operand values.
If the immediate value in an instruction has been logically or bitwise negated, then this command will check against the modified value. For example, `mov al, -2` will be found if the user searches for the immediate value 2 but not when they search for 0xFE.
If the checkbox “any untyped value” is checked, then the “value” field is ignored. IDA will look for all immediate values without type in this case.
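The matching rule above, as an added Python model (not IDA's code or API): the toy decoder handles only x86 `mov r8, imm8` and `mov r32, imm32`, and `Insn`, the `NEG`/`NOT` flags, `search_immediate` and `search_bytes` are hypothetical names. The handling of bitwise negation is an assumption drawn from the sentence above.

```python
from dataclasses import dataclass

NEG, NOT = "neg", "not"  # hypothetical display flags: shown as -x / as not x

@dataclass
class Insn:
    ea: int          # address of the instruction
    raw: int         # immediate exactly as encoded in the bytes
    bits: int        # immediate width in bits
    shown: str = ""  # "", NEG or NOT

    def search_value(self) -> int:
        """Value the immediate search compares against (assumed from the page)."""
        mask = (1 << self.bits) - 1
        if self.shown == NEG:
            return -self.raw & mask
        if self.shown == NOT:
            return ~self.raw & mask
        return self.raw

def decode(code: bytes, base: int, flags: dict) -> list:
    """Decode only x86 `mov r8, imm8` (B0-B7) and `mov r32, imm32` (B8-BF)."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if not 0xB0 <= op <= 0xBF:
            raise ValueError(f"unsupported opcode {op:#x} at offset {i}")
        size = 1 if op <= 0xB7 else 4
        if i + 1 + size > len(code):
            raise ValueError(f"truncated instruction at offset {i}")
        raw = int.from_bytes(code[i + 1:i + 1 + size], "little")
        out.append(Insn(base + i, raw, size * 8, flags.get(base + i, "")))
        i += 1 + size
    return out

def search_immediate(insns: list, value: int) -> list:
    """Immediate search: compare against the value as displayed."""
    return [x.ea for x in insns if x.search_value() == value]

def search_bytes(code: bytes, base: int, pattern: bytes) -> list:
    """Binary search: compare against the raw image, ignoring operand display."""
    return [base + i for i in range(len(code)) if code.startswith(pattern, i)]

# Constructed sample: mov al,-2 / mov bl,2 / mov eax,0FFFFFFFEh / mov cl,not 1
BASE = 0x1000
CODE = bytes.fromhex("b0fe b302 b8feffffff b1fe")
INSNS = decode(CODE, BASE, {0x1000: NEG, 0x1009: NOT})
```

In this model, searching for 2 returns the `mov al, -2` at 0x1000 and the plain `mov bl, 2`, searching for 0xFE returns nothing, and only the byte search sees the three raw FE bytes. When hunting a constant, running both searches covers operands whose display has been changed.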
Text…
This command searches for the specified substring in the text representation of the disassembly. This command is slow, because it disassembles each instruction to get the text representation. IDA will show its progress on the indicator (Options → General → Analysis). You can interrupt this command by pressing Ctrl-Break.
You may search for regular expressions too.
If a range is selected using anchor (action Anchor), IDA will search for the specified substring in the range.
Note that this command searches the text as you see it on your screen, not the binary image.
For binary search, look at AskBinaryText action.
Next void
Search for the next instruction with a void operand. Suspicious operands are the operands that need your attention because they contain an immediate value that could be a number or an offset. IDA does not know which it is, so it marks these instructions as ‘suspicious’. You can change the suspiciousness of the operands using the set lower limit of suspicious operands and set upper limit of suspicious operands commands (Options → General → Disassembly). Data arrays are considered to be suspicious if the first element of the data array is within the lower and upper suspicious limits. Values of other elements are not examined.
{% hint style="info" %} We strongly recommend that before producing an ASM file you go through all ‘suspicious’ marks and get rid of them. After this, you have a certain level of confidence that the file has been disassembled correctly. {% endhint %}
Error operand
This command searches for the ‘error’ operands. Usually, these operands are displayed with a red color. Below is the list of probable causes of error operands:
- reference to a nonexistent address
- illegal offset base
- unprintable character constant
- invalid structure or enum reference
- and so on…
All void operands
This command searches for all suspicious operands and presents a list of them. You may use this list to examine the operands and modify them as needed.
See also JumpSuspicious action.
All error operands
This command searches for all strings containing any error and presents a list of them. You may use this list to examine errors and correct them as needed.
See also JumpError action.
Search direction
Change the search direction. The current direction for searches is displayed in the upper-right corner of the screen. Using this command, you can toggle the display. See also Options top menu.