All IDA commands are available from the followings menus:

• File

• Edit

• Jump

• Search

• View

• Debugger

• Lumina

• Options

• Windows

 Action    name: Execute
 

You can execute any script file supported by the built-in scripting engine (IDC or Python), or a scripting language added by a plugin. The scripting language to use is selected by the file name extension of the script.

See also Immediate execution of script commands, Load... submenu commands.

In this submenu you can:

• Load file Load file

• Script command Execute a script command

• Produce output file Generate output file

• OS shell Execute OS commands

• Save database Save database in packed form

• Save database as... Save database in packed form in another file

• Take database snapshot Take database snapshot

• Abort Abort - do not save changes

• Quit Quit to DOS - save changes

See also Menu Bar submenus.

Explore our in-depth guides, crafted to help you navigate through IDA features and master its advanced capabilities.

This command takes a database snapshot. The snapshot can be later restored from the database snapshot manager.

Note: snapshots work only with regular databases. Unpacked databases do not support them.

See also commands.

This command saves and packs the current database.

See also commands. command.

This command terminates the current IDA session. IDA will write all changes to the disk and will close all databases.

You can enable/disable database packing. When the database is packed, it consists of one file with IDB extension. When the database is not packed, it consists of several files on the disk. If packing is disabled, in the next session you cannot IDA. We do not recommend to leave the database in the unpacked form because you will not have a backup copy.

You can also perform garbage collection on the database before packing it. The garbage collection removes the unused database pages, making it smaller. However, IDA needs some free database pages when it works,therefore it will allocate them again when you reuse the database. Removing and adding free pages takes time and, what is most important, it changes the database control blocks.

Use garbage collection only when you do not intend to work with the database in the near future.

IDA will remember all information about the screen, cursor position, jump stack, etc. The following information will be lost: , the position To resume a disassembly session simply type: "ida file"

See also commands. command.

You can enter and execute a small script written in the built-in IDC language or any other registered extlang.

Here is the list of functions.

See also:

• language overview

• Execute command

• commands

• How to use .

This submenu allows you to load additional files into the database.

Reload the input file

This command reloads the same input file into the database. IDA tries to retain as much information as possible in the database. All the names, comments, segmentation information and similar will be retained.

Only the values of individual bytes will be changed.

This command works for some input file types only: if the file was loaded into the database with special settings, this command may fail. In this case, use command and reload the file manually.

See also commands.

Load additional file

This command loads a binary file. The new file is added to the current database and all existing information is retained.

The file content will appear as unexplored bytes in the program.

This command only allows you to load binary files.

Load IDS file

This command loads an IDS file.

An IDS file contains information about well-known functions (such as functions from MS Windows API), namely:

IDS files are automatically loaded if they are found in the IDS directory. This command allows you to load an IDS file from any directory, even after the main file has been loaded into the database.

Load debug information file

This command loads a DBG file.

If the program being disassembled has a companion DBG file, then this command may be used to load information from a DBG file into the database. IDA loads DBG files automatically if it can find them in the directory with the input file.

The built-in debug information loader cannot load NB10 format files and PDB files. To load those files, please use a special plugin, PDB.DLL, which can be run manually using Edit->Plugins submenu. This plugin uses MS Windows DLLs to load the debug information and therefore has the following limitations:

Load PDB debug information file

This command loads a PDB file.

If the program being disassembled has a companion PDB file, then this command may be used to load information from the PDB file into the database.

By default IDA uses in-house code to parse and load PDB files. However, our code can not parse old v2.0 PDB files. For them, IDA can fall back to using Microsoft DLLs (the default is "do not fall back"). Please read more in cfg/pdb.cfg.

Command line switch '-Opdb:option1:option2' overrides for ida session the value in cfg/pdb.cfg.

List of options

Example

Ida will not load PDB plugin for this session.

Load TDS debug information file

This command loads a TDS file.

If the program being disassembled has a companion TDS file, this command may be used to load information from the TDS file into the database.

The TDS file must be placed in the same directory together with the input file.

The LoadTdsFile command launches a special plugin TDS.DLL which can be run manually using Edit->Plugins submenu.

Load FLIRT signature file

This command allows you to apply an additional signature file to the program.

A signature file contains patterns of standard runtime functions. With their help, IDA is able to recognize the standard functions and names them accordingly.

IDA attempts to detect the necessary signature files automatically but unfortunately, this is not always possible. This command adds the specified signature file into the planned signature files queue.

Signature files reside in the subdirectories of the SIG directory. Each processor has its own subdirectory. The name of the subdirectory is equivalent to the name of the processor module file (z80 for z80.w32, for example). Note: IBM PC signatures are located in the SIG directory itself. Note: the IDASGN environment variable can be used to specify the location of the signatures directory.

There is another way to load a signature file: you may insert/delete signature files in the following way:

This is a preferred way of applying signatures because useful information, such as the number of identified functions is displayed in the signature window.

Load C header

This command allows you to apply type declarations from a C header file to the program.

IDA reads and parses the specified header file as a C compiler does. In other words, it mimics the front-end of a C compiler with some restrictions:

In the case of an error in the input file, the error messages appear in the message window. In any case, the function declarations that are already parsed are not deleted from the database. IDA stops parsing the input file when 20 errors occur.

See also

IDAClang plugin

To enable the IDAClang parser, go to Options>Compiler>Source parser, and select "clang". Then use 'File>Load file>Parse C header file' to invoke the parser on a given source file.

Since IDAClang is based on the third-party libclang parser, it can only parse standalone source files that contain valid C/C++/Objective-C syntax.

This submenu allows the user to modify text representation and to patch the file. It also has the commands to control the analysis:

• Anchor

• Export data

• Undo

• Redo

• Convert to instruction

• Convert to data

• Convert to STRLIT string

• Convert to array

• Undefine

• Rename

• Operand types submenu

• Comments submenu

• Functions submenu

• Structures submenu

• Enums submenu

• Segments submenu

• Patch program submenu

• Other submenu

• Plugins submenu

See also Menu Bar submenus.

 Action    name: ResetUndo
 

This command clears the undo history. After it the Undo and Redo commands become unavailable. However, once the user performs a new action, IDA will again start journaling all database modifications.

A side effect of this command is fast autoanalysis: since there is no user action to revert yet, IDA does not maintain undo buffers and this speeds up the analysis.

See also

• Undo

• Redo

• Disable Undo

• Open undo history

 Action    name: Shell
 

By using this command, you can temporarily quit to the operating system.

This command is not available in the MS DOS version.

The database is left open when you use this command, so be careful.

See also other File... submenu commands.

Abort IDA

 Action    name: Abort
 

This command terminates the current IDA session. The Abort command is not available if the database was not packed.

IDA will NOT save changes to the disk.

See also other File... submenu commands. Quit command.

 Action    name: DisableUndo
 

This command completely disables the undo feature.

See also

• Undo

• Redo

• Reset Undo

• Open undo history

 Action    name: Redo
 

This command reverts the previously issued Undo command. It is possible to use Redo multiple times.

This command also reverts all changes that were done to the database after the last Undo command, including the eventual useful modifications made by the autoanalysis. In other words, the entire database is modified to get to the exact state that it had before executing the last Undo command.

See also

• Undo

• Reset Undo

• Disable Undo

• Open undo history

This command converts the current unexplored bytes to data. If it is not possible, IDA will warn you.

Multiple using of this command will change the data type:

You may remove some items from this list using command.

If the does not support double words or another data type, it will be skipped. To create a structure variable, use command. To create an array, use command. To convert back, use command. See also submenu

Convert to string literal

This command converts the current unexplored bytes to a string.

The set of allowed characters is specified in the file, parameter StrlitChars. Character '\0' is not allowed in any case. If the current does not allow characters above 0x7F, characters with high bit set are not allowed.

If the has been dropped, IDA will take for the string all characters between the current cursor position and the anchor.

Use the if the string starts a disallowed character.

This command also generates a for the string. In the file, you can specify the characters allowed in names (NameChars).

You can change the literal string length using command.

The GUI version allows you to assign a special hotkey to create Unicode strings. To do so, change the value of the StringUnicode parameter in the IDAGUI.CFG file.

Pascal Strings

To create Pascal style strings (with first byte indicating string length) use command.

See also submenu

This command converts the current unexplored bytes to instruction(s). IDA will warn you if it is not possible.

If you have selected a range using the , all the bytes from this range will be converted to instructions.

If you apply this command to an instruction, it will be reanalyzed.

See also submenu

This submenu allows you to produce various output files. It also allows you to unload the database.

The text file-producing operations below will make use of

• for output files.

Create MAP File

Please enter a file name for the map. IDA will write the following information about this file:

You can use this map file for your information, and also for debugging (for example, Periscope from Periscope Company or Borland's Turbo Debugger can read this file).

Create ASM File

Please enter a file name for the assembler text file. IDA will write the disassembled text to this file.

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

Create INC File

Please enter a file name for the assembler include file. IDA will write the information about the defined types (structures and enums) to this file.

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

Create LST File

Enter a file name for the assembler listing file. IDA will write the disassembled text to this file.

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

Create Executable File

IDA produces executable files only for:

EXE files: Output files will have the same EXE-header and relocation table as the input file. IDA will fill unused ranges of the EXE file (e.g. between relocation table and loadable pages) with zeroes.

Create Difference File

This command will prompt you for a filename and then will create a plain text difference file of the following format:

Create HTML File

Please enter a file name for the HTML file. IDA will write the disassembled text to this file.

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

This command is available only in the graphical version of IDA.

Produce flow chart GDL file

This command creates a GDL (graph description file) with the flow chart of the current function.

If there is an active selection, its flow chart will be generated.

IDA will ask for the output file name. Regardless of the specified extension, the .GDL extension will be used.

Produce call graph GDL file

This command creates a GDL (graph description file) with the graph of the function calls.

IDA will ask for the output file name. Regardless of the specified extension, the .GDL extension will be used.

Dump database to IDC file

This command saves current IDA database into a text file.

You can use it as a safety command:

This command is used when you want to switch to a new version of IDA. Usually each new version of IDA has its own database format. To create a new format database, you need:

Please note that this command does not save everything to text file. Any information about the local variables will be lost!

Create C header file

This command saves all definitions in the local types window into a C header file

Please note that that types created in the structures window will not be saved unless they are synchronized with the local types.

Dump typeinfo to IDC file

This command saves information about the user-defined types from the IDA database into a text file.

Information about enums, structure types and other user-defined types is saved in a text form as an IDC program.

You can use this command to migrate the type definitions from one database to another.

This command reverts the database to the state before executing the last user action. It is possible to apply Undo multiple times, in this case multiple user actions will be reverted.

Please note the entire database is reverted, including all modifications that were made to the database after executing the user action and including the ones that are not connected to the user action. For example, if a third party plugin modified the database during or after the user action, this modification will be reverted. In theory it is possible to go back in time to the very beginning and revert the database to the state state that was present immediately after performing the very first user action. However, in practice the undo buffers overflow because of the changes made by autoanalysis. generates copious amounts of undo data. Also please note that maintaining undo data during autoanalysis slows it down a bit. In practice it is not a big deal because the limit on the undo data is reached quite quickly (in a matter of minutes). Therefore, if during analysis the user does not perform any actions that modify the database, the undo feature will turn itself off temporarily.

However, if you prefer not to collect undo data at all during the initial autoanalysis, just turn off the UNDO_DURING_AA parameter in .

The configuration file has 2 more undo-related parameters:

Since there is a limit on the size of undo buffers, any action, even the tiniest, may become non-undoable after some time. This is true because the analysis or plugins may continue to modify the database and overflow the buffers. Some massive actions, like deleting a segment, may be non-undoable just because of the sheer amount of undo data they generate.

Please note that Undo does not affect the state of IDC or Python scripts. Script variables will not change their values because of Undo. Also nothing external to the database can be changed: created files will not be deleted, etc.

Some actions cannot be undone. For example, launching a debugger or resuming from a breakpoint cannot be undone.

See also

This command deletes the current instruction or data, converting it to 'unexplored' bytes. IDA will delete the subsequent instructions if there are no more references to them (functions are never deleted).

If you have selected a range using the , all the bytes in this range will be converted into 'unexplored' bytes. In this case, IDA will not delete any other instructions even if there are no references to them after the deletion.

See also submenu

This command allows you to create arrays and change their sizes.

The arrays are created in 2 simple steps:

1. Create the first element of array using the data definition commands (, , )

2. Apply the array command to the created data item. Enter array size in current array elements (not bytes). The suggested array size is the minimum of the following values:

For string literals, you can use this command to change the length of the string.

The dialog box contains the following fields:

Items on a line (meaningless for string literals):

Please note that the parameter affects the number of items on a line too.

Alignment (meaningless for string literals):

If applied to a variable-sized structure, this command is used to specify the overall size of the structure. You cannot create arrays of variable-sized structures.

See also:

Convert operand to offset (data segment)

This command converts the immediate operand of the current instruction/data to an offset from the current data segment (DS).

If current DS value is unknown (or equal 0xFFFF) IDA will warn you -- it will beep. In this case, you have to define DS register value for the current byte. The best way to do it is:

• or you can of DS for the current segment.

If you want to delete offset definition, you can use this command again - it works as trigger.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

If a range is selected using the , IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified.

To create offsets to structure members use command.

See also:

Convert operand to offset (code segment)

This command converts the immediate operand of the current instruction/data to an offset from the current segment (CS).

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

See also:

Convert operand to offset (any segment)

This command converts the immediate operand of the current instruction/data to an offset from any segment.

IDA will ask to choose a base segment for the offset.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

See also:

Convert operand to offset (user-defined base)

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

If the offset base is specified as 0xFFFFFFFF, then IDA will create "an automatic offset". Automatic offsets mean that the actual value of the base will be calculated by IDA.

The following offset attributes are available:

The offset base is dynamically calculated and is equal to the address of the current element:

• for standalone items: their start address

• for arrays: the start of the array element

See also:

Convert operand to structure offset

The 'Hide sub structures without sub unions' option (checked by default) avoids to add unnecessary sub structures to the tree, to keep it as small as possible. If you uncheck this option, all sub structures will be added to the tree.

First of all, IDA will ask a so-called "struct offset delta". This value represents the difference between the structure start and the pointer value. For example, if you have an operand 4 and want to convert in into an expression like "mystruct.field_6-2", then you have to enter 2 as the delta. Usually the delta is zero, i.e. the pointer points to the start of the structure.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

See also:

This command gives name/renames/deletes for the current item.

To delete a name, simply give an empty name.

If the current item is referenced, you cannot delete its name. Even if you try, IDA will generate a name.

Local name

Include in name list

Here you can also include/remove the name from the . If the name is hidden, you will not see it in .

Public name

Autogenerated name

Weak name

Create name anyway

This submenu allows you to change the operand types to offsets, numbers, chars, etc. Use it to make disassembled text more understandable.

If IDA suspects that an operand can be represented as something different from a plain number, it will mark the operand as "suspicious" and show it in red. Use these commands to delete marks.

Some of these commands can be applied to a selected range. Click to learn about the rules applied to such operations.

See also submenu.

Convert operand to number

This command converts immediate operand(s) type of the current instruction/data to a number. That way, you can delete mark of the item.

The number is represented in the default radix for the current processor (usually hex, but octal for PDP-11, for example).

When you use this command, IDA deletes the entered operand.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

Convert operand to hexadecimal number

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

Convert operand to decimal number

This command converts the immediate operand(s) type of the current instruction/data to decimal. Therefore, it becomes a 'number'.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

Convert operand to octal number

This command makes the current instruction or data operand type octal. IDA always uses 123o notation for octal numbers even if the current assembler does not support octal numbers.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

Convert operand to binary number

This command makes the current instruction or data operand type binary. IDA always uses 123b notation for binary numbers even if the current assembler does not support binary numbers.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

Convert operand to floating point number

This command makes the current operand type floating point.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

Toggle leading zeroes

This command displays or hides the leading zeroes of the current operand. Example: if the instruction looked like this:

then after applying the command it will look like this:

This command converts immediate operand(s) type of the current instruction/data to character.

When you use this command, IDA deletes the entered operand.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

See also submenu.

A complex offset expression looks like

It is specified by:

The relationship between these parameters is (the formula is given for full offsets):

You always have to specify the offset type and base. Usually, the delta is equal to zero. For the full offset type you may omit the offset target, which is recommended. In this case, IDA will calculate it automatically. However, if you specify the offset target, make sure that the relationship between the parameters still holds. For the half offset types, you have to specify the target because there is no way to calculate it.

The offset types:

 Action    name: ChangeSign
 

This command changes the sign of the current operand. Please note that not all operands can change their sign.

See also: Edit|Operand types submenu. Enter #th operand manually commands. Set operand type

If you have selected a range before applying an operand conversion command, IDA will display a dialog box.

You can choose a range of operands to perform an en masse operation:

 ALL OPERANDS
 -----------

The operation will be performed on all operands as a toggle. For example, if you ask to convert to a character, then all non-character operands will become characters, and all character operands will become non-chars.

 OPERAND VALUE RANGE
 -------------------

The operation will be performed on the void operands which contain immediate numbers in the specified range.

 ... OPERANDS
 ------------

This selection will convert all operands with the specified type to undefined operands. Example: all characters become non-characters.

 NOT ... OPERANDS
 ---------------

This selection allows to convert all operands that do not have the specified type to the specified type. Example: all non-characters to characters.

 NOT TYPED OPERANDS
 -----------------

This selection allows to convert all operands without any type to the specified type. Example: all operands with no type to characters.

 APPLY ONLY IF POSSIBLE
 ---------------------

IDA will check whether an operand can be represented with the specified type (as a character constant, for example), and perform type conversion only if the check is successful.

 Action    name: BitwiseNegate
 

This command bit-wisely negates the current operand. Please note that not all types of operands can be negated. It is not possible to negate and change sign of an operand simultaneously.

This command works only if the current assembler supports the bitwise negation operation.

See also: Edit|Operand types submenu. Enter #th operand manually commands. Set operand type

 Action    name: OpSegment
 

This command converts the immediate operand(s) type of the current instruction/data to segment base. The segment bases are usually displayed like this:

        mov     ax, seg dseg

When you use this command, IDA deletes the manually entered operand.

If IDA cannot find a segment whose base is equal to the operand value, it simply displays it as hex number.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

See also Edit|Operand types submenu.

 Action    name: OpEnum
 

This command converts immediate operand(s) type of the current instruction/data to an enum member. Before using this command, you have to define an enumeration type.

If the selected enum is a bitfield, IDA will try to build a bitfield expression to represent the constant. Please note that for bitfields having multiple constants with the same value some expressions won't be possible.

If a range is selected using the anchor, IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to symbolic constants. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified.

When you use this command, IDA deletes the manually entered operand.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise all other operands will be affected.

See also: Edit|Operand types submenu. Enter #th operand manually commands. Set operand type

 Action    name: OpStackVariable
 

This command converts immediate operand(s) type of the current instruction to an offset to stack variables, i.e. a local variable or function argument in the stack.

You need to define stack variables before using this command.

If the current operand is based on the value of the stack pointer ([ESP+xxx]) and the SP value is traced incorrectly, then you need to correct SP value using change stack pointer command.

If a range is selected using the anchor, IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to stack variables. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to stack variable, otherwise it will be left unmodified.

When you use this command, IDA deletes the manually entered operand.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise all other operands will be affected.

See also: Edit|Operand types submenu. Enter #th operand manually commands. Define stack variables...

This submenu allows you to manipulate different kinds of comments. Use them to make the disassembled text more understandable.

• Create a regular comment

• Create repeatable comments

• Create additional comment lines

Create a regular comment

 Action    name: MakeComment
 

If you stand at the function start and your cursor is on a function name, IDA will ask you to enter a function comment.

If you stand at the segment start and your cursor is on a segment name, IDA will ask you to enter a segment comment.

If this command is issued in the structures window, it allows you to change the comment of a structure, or structure member. If the cursor is on the structure name, it will be changed, otherwise the member name will be changed. Otherwise, this command allows you to enter a normal indented comment for the current item.

You can show/hide all comments in Comments Dialog.

See also

• How to use the notepad

• Edit|Comments submenu, Repeatable comments

Create a repeatable comment

 Action    name: MakeRptCmt
 

This command allows you to enter a repeatable comment. A repeatable comment will appear attached to the current item and all other items referencing it.

If you stand at the function start, IDA will ask you to enter a function comment.

If this command is issued in the structures window, it allows you to change the comment of a structure or structure member. If the cursor is on the structure name, the structure comment will be changed, otherwise the member comment will be changed.

Otherwise, this command allows you to enter a repeatable comment for the current item.

You cannot enter repeatable segment comments.

All items that refer to the current item will have this comment by default.

Note that if you have defined both comment types (regular and repeatable), the regular comment will be displayed for the current item and the repeatable comment will be displayed for all items that refer to the current item, if they do not have their own comments.

The repeatable comments may be used to describe subroutines, data items, etc., because all calls to the subroutine will have the repeatable comment.

You can show/hide all comments in the Comments Dialog.

You can show and hide repeatable comments in the Comments Dialog.

See also "How to use the notepad".

Create additional comment lines

Action                 Name
 ------                 ----
 edit anterior lines    MakeExtraLineA
 edit posterior lines   MakeExtraLineB

If you want to enter multi-line comments or additional instructions, you can use this feature of IDA.

There are two kinds of extra lines: the ones generated before the instruction line and the ones generated after the instruction line.

Do not forget that the maximal number of lines for an item is 500.

IDA does not insert a comment symbol at the beginning of the lines.

See also "How to use the notepad".

Related topics: Edit submenu.

 Action    name: SetOpType
 

This command allows you to specify the type of the operand under the cursor.

The operand type must be entered as a C declaration. Currently IDA itself does not use the operand type information. However, it can be used by the Hex-Rays decompiler plugin. Setting operand type is most useful in case of indirect calls: the decompiler will use the type information to determine the input parameters to the call instead of guessing, which can make the decompiled code better.

An example of a type declaration:

        int (*func)(int param1, char param2);

To delete a type declaration, enter an empty string.

For details on possible calling conventions, see Set function/item type... menu item description.

See also Set function/item type...

This submenu allows you to patch the image of the input file. More precisely, IDA never modifies the input file. The image of the input file which was loaded to the database will be modified.

You can modify the image of the input file:

IDA will display the original value, the current value and file offset. If the file offset is equal to 0xFFFFFFFF then the current byte comes from a compressed page (LX/LE/NE iterated pages, for example) and/or it is not possible to tell the file position.

You can create a file and use an external tool to apply the patches or you can apply the directly to the file using IDA.

The following commands are available:

See also:

• submenu.

Patching the Image

If this command is invoked when the debugger is active, then IDA will modify the memory and the database. If the database does not contain the patched bytes, then only the process memory will be modified.

Apply patches to input file

Apply previously patched bytes back to the input file. If the "Restore" option is selected then the original bytes will be applied to the input file.

Binary string format

The sequence must be separated by a space or a comma.

An entered number will occupy the minimal number of bytes it fits in with the restriction that the number of bytes is a power of 2 (1, 2, or 4 bytes).

Two question marks without a space between them are the same as one question mark. One question mark corresponds to one CPU byte. One CPU byte may consist of multiple octets for a wide-byte CPU, like TMS320C28.

Example:

Assemble an instruction

This command allows you to assemble instructions. Currently, only the IBM PC processors provide an assembler, nonetheless, plugin writers can extend or totally replace the built-in assembler by writing their own.

The assembler requires to enclose all memory references into square brackets. For example:

Also, the keyword 'offset' must not be used. Instead of

you must write

This submenu allows you to manipulate segments of the program:

See also:

• submenu.

Create a new segment

This command allows you to create a new segment.

You need to specify at least:

If another segment already exists at the specified address, the existing segment is truncated and the new segment lasts from the specified start address to the next segment (or specified end address, whichever is lower). If the old and the new segments have the same base address, instructions/data will not be discarded by IDA. Otherwise, IDA will discard all instructions/data of the new segment.

An additional segment may be created by IDA to cover the range after the end of the new segment.

IDA address space concepts

nternally, IDA has 32-bit linear address space (IDA64 uses 64-bit address space). The internal addresses are called "linear addresses". The input program is loaded into this linear address space.

Please note that usually the linear addresses are not used in the program directly. During disassembling, we use so-called "virtual addresses", which are calculated by the following formula:

We see that the SegmentBase determines what addresses will be displayed on the screen. More than that, IDA allows to create several segments with the same virtual address in them. For this, you just need to create segments with correct segment base values.

There are some address restrictions in IDA.

There is a range of addresses that are used for internal housekeeping. This range can be specified by the configuration variable PRIVRANGE (start address and size). It is not recommended to use these addresses for other purposes.

There is also one address which must never be used in the disassembly. It is the 'all ones' address, or -1. Internally, it is used as a BADADDR (bad address). No address or address range can include BADADDR.

Related topics:

Create segment - simple case (PC)

IBM PC case -----------

Suppose we need to create a segment occupying addresses F000:1000..F000:2000 Let's calculate linear addresses:

The segment base must be selected so that the first offset in our segment will be 0x1000. Let's find it using the following equation:

After solving this equation, we see that the segment base is equal to 0xF000. (you see, this is really a very simple case :) )

Now, we can create a segment entering:

Please note that the end address never belongs to the segment in IDA.

Create segment - simple case (Z80)

Suppose we need to create a segment occupying virtual addresses 8000-C000. Since we are free to place our segment anywhere in the linear address space, we choose the linear addresses at our convenience. Let's say we choose a linear address 0x20000:

The segment base must be selected so that the virtual address in our segment will be 0x8000. Let's find it using the following equation:

After solving this equation, we see that the segment base is equal to 0x1800.

Now we can create a segment entering:

Please note that the end address never belongs to the segment in IDA.

Create segment - automatically chosen selector case

Suppose we need to create a segment occupying linear addresses 200000-200C00 and the virtual addresses must have be 0000..0C00. If we simply enter

Then IDA will notice that the segment base is too big and does not fit into 16bits. Because of this IDA will find a free selector (let's say it has found selector number 5), define it to point at paragraph 0x20000 and create a segment. After all this we will have:

The first virtual address in the segment will be 0:

Please note that the end address never belongs to the segment in IDA.

Create segment - user-defined selector case

2. Create a segment. Specify the selector number as the segment base.

Delete a segment

This command allows you to delete a segment.

IDA will ask your the permission to disable the addresses occupied by the segment. If you allow this operation, all information about the segment will be deleted. In other words, IDA will discard the information about instructions or data, comments etc.

If you check the "disable addresses" checkbox, IDA will mark the addresses occupied by the segment as "nonexistent" in the program. You will lose *ALL* information, including byte values.

It is impossible to disassemble the content of addresses not located in any segment, therefore you must create a new segment if you want to resume the disassembly of that part of the code.

IDA will ask your the permission to disable addresses occupied by the segment. If you give your permission, information about the segment will be deleted, otherwise IDA will discard information about instruction/data, comments etc, but retain byte values so that you will be able to create another segment afterwards.

Change segment attributes

Changing the segment class may change the segment type.

DISABLE ADDRESSES: if set, when a segment is shrunk, all information about bytes going out of the segment will be completely removed.. Otherwise, IDA will discard information about instructions/data, comments etc, but will retain byte values so that another segment can be created later and it will use the existing byte values.

If IDA creates 2 segments where only one segment must exist, you may try the following sequence:

Segments with the 'debugger' attribute are the segments whose memory contents are not saved in the database. Usually, these segments are created by the debugger to reflect the current memory state of the program.

However, the user can modify this attribute.

If it is cleared, then the segment will permanently stay in the database after closing the debugger session. The database will reflect the state of the segment which was at the time when the status is changed.

If it is set, then the segment will become a temporary segment and will be deleted at the end of the debugging session.

The "debugger segment" checbkox is available only during debugging sessions.

The 'loader' segments are the segment created by the file loader. The segment having this attribute are considered to be part of the input file.

A segment with the 'debugger' attribute set and the 'loader' attribute not set is considered to be an ephemeral segment. Such segments are not analyzed automatically by IDA.

"Segment permissions" group box can be used to modify Segment access permissions (Read/Write/Execute)

Change Segment Name

Enter a new name for the segment. A segment name is up to 8 characters long. IDA does check if the length is ok. Try to give mnemonic names for the segments.

Segment Class Name

The segment class name identifies the segment with a class name (such as CODE, FAR_DATA, or STACK). The linker places segments with the same class name into a contiguous range of memory in the runtime memory map.

Changing the segment class changes only the segment definition on the screen. There are the following predefined segment class names:

If you change segment class and the segment type is "Regular", then the segment type will be changed accordingly.

In order to set the segment type "Regular", you should change the segment class to "UNK".

Change Segment Addressing

You can choose between 16-bit and 32-bit segment addressing.

IDA will delete all instructions and data in the segment if the segment address is changed.

Never do it if you are not sure. It may have irreversible consequences, all instructions/data will be converted to undefined bytes.

Change Segment Alignment

Alignment: select between abs,byte,word,dword,para,page

You can specify the segment alignment for the selected segment. By default, IDA assumes 'byte' alignment.

Changing the alignment changes only the segment definition on the screen. Nothing else will happen.

Change Segment Combination

Combination

A field that describes how the linker can combine the segment with other segments. Under MS-DOS, segments with the same name and class can be combined in two ways: they can be concatenated to form one logical segment, or they can be overlapped. In the latter case, they have either the same start address or the same end address, and they describe a common range in memory. Values for the field are:

Changing segment combination changes only the segment definition on the screen. Nothing else will happen.

Move a segment

This command allows you to move segment(s) to another address. Use it if the segment(s) are loaded at a wrong address.

This command shifts (moves) the selected segments in the memory to the target address. There must be enough free space at the target address for the segments.

All information in the segment will be moved to the new address, but since the addresses change, the disassembly might be not valid anymore (especially if the program is moved to the wrong addresses and the relocation information is not available).

Rebase program

The whole program will be shifted by the specified amount of bytes in the memory. The following options are available (we strongly recommend to leave them turned on):

Please note rebasing the program might remove user-defined xrefs.

Change segment translation

in the segment C obviously refers to the segment B while the instruction

refers to the segment A.

However, IDA does not try to link these references unless you tell it to do so: include the segments A and B into a translation list of the segment C. It means that you have to create a translation list

for the segment C.

Below is a more complicated example:

translations

allow you to emulate overlays (the first set is A B D, the second A C E)

See also

Set Default Segment Register Value

Relevant only for processors with the segment registers.

You can specify a default value of a segment register for the current segment. When you change the default value, IDA will reanalyze the segment, taking the default value when it cannot determine the actual value of the register. This takes time, so do not be surprised if references are not corrected immediately.

Change Segment Register Value

Relevant only for processors with the segment registers. Currently this command works for IBM PC, TMS320C2, Intel80196, and PowerPC processors.

ALPHA DISASSEMBLY

For Alpha processors, the user must enter the difference between the real GP value and the start of the GOT (global offset table). For example:

If you want to specify that a register points to "label", you must calculate and enter the difference "label-.got" as the register value.

ARM DISASSEMBLY

The ARM processor module has a virtual segment register T which reflects the state of the T bit of the processor state register (PSR). Therefore, the value of this register controls THUMB/ARM mode. If its value is not zero, then the disassembly will be in the thumb mode.

POWER PC DISASSEMBLY

For PowerPC processors, the user must enter an offset from the beginning of the TOC to the TOC entry which contains the address of the target. An example:

If you want to specify that a register points to "datachunk", you must calculate and enter the difference "sometc-TOC" as the register value. You can change the TOC value in the processor specific options (which is accessible from the analysis options).

INTEL 80196 DISASSEMBLY

For Intel 80196NP/NU processors, the user must enter the value of WSR or WSR1 register. IDA will automatically take the new value into account.

See also:

Segment Register Change Points

IDA classifies the change points. In the list of the change points, you can see the following postfixes after the register values:

Choose segment

IDA can display a list of the program segments. Each segment is represented by a line in the list. Please note that the end address of the segment never belongs to the segment in IDA.

The following segment attributes are visible:

The rest of the columns display the default values of the segment registers for the segment.

By default, the cursor is located on the current segment.

You can use normal cursor movement keys and the mouse. You can also search for the segment by pressing Alt-T, or directly jump to the desired line by typing in its number.

Press <Enter> to select line, <Esc> to cancel the selection.

You may specify any string instead of an operand if IDA does not represent the operand in the desired form. In this case, IDA will simply display the specified string in the instruction instead of the default operand.

The current operand (under the cursor) will be affected.

You can use this command not only with instructions but with data items too.

IDA proposes the previous manual operand as the default value in the input form.

To delete the manual operand and revert back to the default text, specify an empty string.

IDA automatically deletes manually entered operands when you change operand representation using operand submenu.

NOTE: A text offset reference is generated if you use a label in the program as the operand string. In other cases no cross-references are generated.

See also submenu.

Commands of this submenu are available in the enums window:

• Add an enum

• Delete an enum

• Edit an enum

• Define an enum member

• Edit an enum member

• Delete an enum member

• All enum members names must be unique in the program. You cannot define more than 256 enum members (symbolic constants) with the same value.

Please note that you can create bitfield definitions here.

You can also add a comment for the enum and for each enum member. In order to specify an enum comment, you must stand at the enum name. Comments are set using regular commands:

• Regular comments

• Repeatable comments

See also Edit submenu.

Add/Edit an enum

Action    name: AddEnum
 

 Action    name: EditEnum
 

These commands allow you to define and to edit an enum type. You need to specify:

        - name of enum
        - its serial number (1,2...)
        - representation of enum members

Each enum has its ID and a serial number. The ID is a number used to refer to the enum, while a serial number is used to order enums during output. Changing the serial number moves the enum to another place.

The serial number of an enum is displayed at the lower left corner of the window.

You can specify any number as a serial number, IDA will move the enum to the specified place.

        1 - the current enum becomes the first enum
        2 - the current enum becomes the second enum
        ...

You also need to specify representation of enum constants. You may choose from various number bases (hex,dec,oct,bin) and character constants.

You may specify the element width or leave it zero. Zero means the element width is not specified. The allowed widths are the powers of 2 in the range of 1..64.

Please note that you can create bitfield definitions here by checking the "bitfield" checkbox.

These command is available when you open the enums window.

See also How to Enter a Number.

Delete an enum type

 Action    name: DelEnum
 

This command deletes the current enum. Beware, when you delete an enum all references to it will be destroyed. Even if you recreate it later, you'll have to specify again all references to it.

This command is available when you open the enums window.

Define an enum member

Action    name: AddConst
 

This command allows you to define an enum member. An enum member is a symbolic constant. You have to specify its name and value. You cannot define more than 256 constants with the same value in an enum.

If the current enum is a bitfield, you need to specify the bitmask. To learn about bitmasks, read about bitfields.

Edit an enum member

Action    name: EditConst
 

This command allows you to rename an enum member. An enum member is a symbolic constant. Its name must be unique in the program.

To rename an enum type name, position the cursor over the name of the enum.

Delete an enum member

 Action    name: DelConst
 

Please remember that deleting a member also deletes all the information about the member, including comments, member name etc.

Bitfields

There is a special kind of enums: bitfields. A bitfield is an enum divided into bit groups. When you define a new symbolic constant in a bitfield, you need to specify the group to which the constant will belong to. By default, IDA proposes groups containing one bit each. If a group is not defined yet, it is automatically created when the first constant in the group is defined. For example:

        name    CONST1
        value   0x1
        mask    0x1

will define a constant named CONST1 with value 1 and will create a group containing only one bit. Another example. Let's consider the following definitions:

 #define OOF_SIGNMASK    0x0003
 #define   OOFS_IFSIGN   0x0000
 #define   OOFS_NOSIGN   0x0001
 #define   OOFS_NEEDSIGN 0x0002
 #define OOF_SIGNED      0x0004
 #define OOF_NUMBER      0x0008
 #define OOF_WIDTHMASK   0x0030
 #define   OOFW_IMM      0x0000
 #define   OOFW_16       0x0010
 #define   OOFW_32       0x0020
 #define   OOFW_8        0x0030
 #define OOF_ADDR        0x0040
 #define OOF_OUTER       0x0080
 #define OOF_ZSTROFF     0x0100

How do we describe this?

   name           value    mask   maskname

   OOFS_IFSIGN   0x0000   0x0003 OOF_SIGNMASK
   OOFS_NOSIGN   0x0001   0x0003 OOF_SIGNMASK
   OOFS_NEEDSIGN 0x0002   0x0003 OOF_SIGNMASK
 OOF_SIGNED      0x0004   0x0004
 OOF_NUMBER      0x0008   0x0008
   OOFW_IMM      0x0000   0x0030 OOF_WIDTHMASK
   OOFW_16       0x0010   0x0030 OOF_WIDTHMASK
   OOFW_32       0x0020   0x0030 OOF_WIDTHMASK
   OOFW_8        0x0030   0x0030 OOF_WIDTHMASK
 OOF_ADDR        0x0040   0x0040
 OOF_OUTER       0x0080   0x0080
 OOF_ZSTROFF     0x0100   0x0100

If a mask consists of more than one bit, it can have a name and a comment. A mask name can be set when a constant with the mask is being defined. IDA will display the mask names in a different color.

In order to use a bitfield in the program, just convert an instruction operand to enum. IDA will display the operand like this:

        mov     ax, 70h

will be replaced by

        mov     ax, OOFS_IFSIGN or OOFW_8 or OOF_ADDR

See also Enum window and Bitfields tutorial

In this menu, you can select a command to jump to the specified location in the file. Jumps are very fast and your previous position is saved. This submenu contains the following items:

• Jump immediate

• Jump back

• Undo last jump back

• Empty navigation stack

• Jump to address

• Jump to named location

• Jump to segment start

• Jump to segment register change point

• Jump to problematic location

• Mark location

• Jump to marked position

• Jump to cross reference

• Jump to cross reference to operand

• Jump to function

• Jump to entry point

• Jump to file offset

See also

• Search menu for fast navigating.

• Jumps Stack concept.

• Menu Bar submenus

Jump immediate

 Action    name: JumpEnter
 

By pressing <Enter> you navigate in the program in the same way as in a hypertext (the way the web browsers and help screens use).

This is the easiest way to explore the program: just position the cursor at the desired name and press "@<JumpEnter>".

Your current address is saved in the jump stack.

The Jump back command (usually Esc) will return you back.

If the cursor is at a stack variable, a window with stack variables is opened and the definition of the stack variable is displayed.

See also

• Empty Stack command.

Jump back

 Action    name: Return
 

This command brings you back to the previous position in the history. It takes positions from Jumps Stack.

See also

• Undo "jump back" command

• Empty Stack command.

Undo the last 'Return' Command

 Action    name: UndoReturn
 

This command cancels the last Jump back command.

See also

• Empty navigation stack command.

Empty navigation stack

 Action    name: EmptyStack
 

This command clears the jump stack.

See also

• Jump back command.

Jump stack

Each IDA Window has its own jump stack. This stack keeps the cursor locations. Many IDA commands use the jump stack, i.e. they save the old cursor position to the stack. For example, when you are at the address 3000:0100 and press the Ctrl-C key (find instruction), the 3000:0100 is saved into the jump stack and the search is started. Afterwards, you can return to the old position using Jump back command.

You can clear the jump stack using the Empty stack menu command.

Jump to the specified address

Action    name: JumpAsk
 

This command jumps to the specified address in the program. IDA will ask you for the target address. You can enter a name or an address as a hexadecimal number with or without a segment. If you enter a valid address then:

• the current address is saved in the jump stack.

• the cursor is positioned to the specified address. The Jump back command (usually Esc) will return you back.

In the structure and enum views, the cursor will be moved to the corresponding offset in the current type.

See also

• How to Enter an Address.

Jump to the specified file offset

Action    name: JumpFileOffset
 

IDA will ask you for a target file offset. This command jumps to the address corresponding to this specified file offset. If this file offset corresponds to a valid address then:

• the current address is saved in the jump stack.

• the cursor is positioned to the corresponding address. The Jump back command (usually Esc) will return you back.

Jump to the named location

Action    name: JumpName
 

This command allows you to jump to a name definition by selecting it from the list of the names.

IDA will display the list of the names (sorted by addresses) and you can choose a name. Dummy names (generated by IDA) are not listed. Hidden names are not listed either. You can control which names are listed in the Names representation dialog box.

See also How to use the lister.

Jump to the specified segment

Action    name: JumpSegment
 

This command jumps to the start of the selected segment. IDA will ask you to select the target segment. After:

• the current address is saved in the jump stack.

• the cursor is positioned to the specified address. The Jump back command (usually Esc) will return you back.

See also:

• How to choose a segment

• Other segment related commands

Jump to the specified segment register change point

Action    name: JumpSegmentRegister
 

This command jumps to the selected Segment Register Change Point. IDA will ask you to select a target change point. And after:

• the current address is saved in the jump stack.

• the cursor is positioned to the specified address. The Jump back command (usually Esc) will return you back.

Jump to a problematic location

Action    name: JumpQ
 

This command allows you to jump to a problematic location. IDA will display the Problems List and will allow you to select a problem.

The Jump back command (usually Esc) will return you back.

Mark Position

 Action    name: MarkPosition
 

You can mark certain locations of the file to be able to jump to them quickly. Text description of the location may help to find a desired location easily.

First select a slot for the mark, then enter a description for the location.

Jump to previously marked position

Action    name: JumpPosition
 

This command jumps to the selected position. IDA will ask you to select a target position. After:

• the current address is saved in the jump stack.

• the cursor is positioned to the specified address.

The Jump back command (usually Esc) will return you back.

You can mark the position using Mark Position command.

Jump to cross reference

This command shows you a list of cross-references to the current location: you can jump to the selected one by pressing Enter.

Click here to see the description of the cross reference dialog box.

See also

• Jump to Cross Reference From

• Jump to Cross References to Operand

Cross reference attributes

The cross reference dialog displays a list of references to the various items. Each line has the following attributes:

Direction Up or Down. Meaningful for program address; denotes where the reference comes from, from the lower addresses than the reference target (down) or from higher addresses (up).

Type

        The following types exist:

          o - offset, the address of the item is taken
          r - read access
          w - write access
          t - textual referenced (used for manually specified operands)
          i - informational (e.g. a derived class refers to its base class)
          J - far (intersegment) jump
          j - near (intrasegment) jump
          P - far (intersegment) call
          p - near (intrasegment) call
          ^ - ordinary flow
          s - xref from a structure
          m - xref from a structure member
          k - xref from a stack variable

Address

        For 'xrefs to' dialogs: where the reference comes from (source)
        For 'xrefs from' dialogs: where the reference goes to (destination)

Text

        Additional info about the cross reference

Jump to cross reference from current location

Action    name: JumpXrefFrom
 

This command shows you a list of cross-references from the current location: you can jump to the selected one by pressing Enter.

Click here to see the description of the cross reference dialog box.

See also

• Jump to Cross References

• Jump to Cross References to Operand

Jump to cross references to operand

 Action    name: JumpOpXref
 

This command shows you a list of cross-references to the current operand: you can jump to the selected one by pressing Enter.

Click here to see the description of the cross reference dialog box.

See also

• Jump to Cross References

• Jump to Cross Reference From

Jump to function

 Action    name: JumpFunction
 

This command shows you a list of functions: you can jump to the selected one by pressing Enter.

See also

• Jump to next function

• Jump to previous function

• How to choose a function

Jump to next function

Action    name: JumpNextFunc
 

This command searches the start of the next function and jumps to the found address.

Jump to previous function

 Action    name: JumpPrevFunc
 

This command searches the start of the previous function and jumps to the found address.

Jump to Entry Point

 Action    name: JumpEntryPoint

This command shows you a list of entry points: you can jump to the selected one by pressing Enter.

The list of entry points is created at the database creation time. It is not modified after that (for example, renaming an exported function does not change the list of entry points).

 Action    name: MakeAnyName
 

This command gives name/renames/deletes name for the specified address. This is a more powerful variant of Rename command.

To delete a name, simply give an empty name.

If the specified address is referenced, you cannot delete its name. Even if you try it, IDA will generate a dummy name.

This command is available only from the name window.

For an explanation about the dialog box entries, please see the Rename current address command.

See also Edit|Other submenu. How to Enter an Identifier. Names representation.

• Create alignment directive...

• Manual instruction...

• Color instruction...

• Hide/show border

See also Edit submenu.

Create alignment directive

Action    name: MakeAlignment
 

This command allows you to create an alignment directive. The alignment directive will replace a number of useless bytes inserted by the linker to align code and data to paragraph boundary or any other address which is equal to a power of two.

You can select a range to be converted to an alignment directive. If you have selected a range, IDA will try to determine a correct alignment automatically.

There are at least two requirements for this command to work:

• there must be enough unexplored bytes at the current address.

• an alignment directive must always end at an address which is divisible by a power or two.

See also

• How to Enter an Address.

Specify instruction representation manually

Action    name: ManualInstruction
 

This command allows you to specify the representation of an instruction or data in the program.

Use it if IDA cannot represent the current instruction as desired. If the instruction itself is ok and only one operand is misrepresented, then use Enter operand manually command.

To delete the manual representation, specify an empty string.

Specify instruction color

Action    name: ColorInstruction
 

This command allows you to specify the background color for the current instruction or data item.

Only GUI version supports different background colors. Specifying a non-defined custom color will reset the instruction color.

Hide/unhide a border

Action    name: ToggleBorder
 

This command allows you to hide a thin border which is like the one generated automatically by IDA between instructions and data. If the border was already hidden, then it is displayed again.

Note that you can hide all borders at once in the Comments Dialog.

The full syntax and semantics of the regular expressions that are supported by PCRE2 are described in the pcre2pattern documentation. This document contains a quick-reference summary of the syntax.

QUOTING

  \x         where x is non-alphanumeric is a literal x
  \Q...\E    treat enclosed characters as literal

ESCAPED CHARACTERS

This table applies to ASCII and Unicode environments.

  \a         alarm, that is, the BEL character (hex 07)
  \cx        "control-x", where x is any ASCII printing character
  \e         escape (hex 1B)
  \f         form feed (hex 0C)
  \n         newline (hex 0A)
  \r         carriage return (hex 0D)
  \t         tab (hex 09)
  \0dd       character with octal code 0dd
  \ddd       character with octal code ddd, or backreference
  \o{ddd..}  character with octal code ddd..
  \U         "U" if PCRE2_ALT_BSUX is set (otherwise is an error)
  \uhhhh     character with hex code hhhh (if PCRE2_ALT_BSUX is set)
  \xhh       character with hex code hh
  \x{hhh..}  character with hex code hhh..

Note that \0dd is always an octal code. The treatment of backslash followed by a non-zero digit is complicated; for details see the section "Non-printing characters" in the pcre2pattern documentation, where details of escape processing in EBCDIC environments are also given.

When \x is not followed by {, from zero to two hexadecimal digits are read, but if PCRE2_ALT_BSUX is set, \x must be followed by two hexadecimal digits to be recognized as a hexadecimal escape; otherwise it matches a literal "x". Likewise, if \u (in ALT_BSUX mode) is not followed by four hexadecimal digits, it matches a literal "u".

CHARACTER TYPES

  .          any character except newline;
               in dotall mode, any character whatsoever
  \C         one code unit, even in UTF mode (best avoided)
  \d         a decimal digit
  \D         a character that is not a decimal digit
  \h         a horizontal white space character
  \H         a character that is not a horizontal white space character
  \N         a character that is not a newline
  \p{xx}     a character with the xx property
  \P{xx}     a character without the xx property
  \R         a newline sequence
  \s         a white space character
  \S         a character that is not a white space character
  \v         a vertical white space character
  \V         a character that is not a vertical white space character
  \w         a "word" character
  \W         a "non-word" character
  \X         a Unicode extended grapheme cluster

\C is dangerous because it may leave the current matching point in the middle of a UTF-8 or UTF-16 character. The application can lock out the use of \C by setting the PCRE2_NEVER_BACKSLASH_C option. It is also possible to build PCRE2 with the use of \C permanently disabled.

By default, \d, \s, and \w match only ASCII characters, even in UTF-8 mode or in the 16-bit and 32-bit libraries. However, if locale-specific matching is happening, \s and \w may also match characters with code points in the range 128-255. If the PCRE2_UCP option is set, the behaviour of these escape sequences is changed to use Unicode properties and they match many more characters.

GENERAL CATEGORY PROPERTIES FOR \p and \P

  C          Other
  Cc         Control
  Cf         Format
  Cn         Unassigned
  Co         Private use
  Cs         Surrogate

  L          Letter
  Ll         Lower case letter
  Lm         Modifier letter
  Lo         Other letter
  Lt         Title case letter
  Lu         Upper case letter
  L&         Ll, Lu, or Lt

  M          Mark
  Mc         Spacing mark
  Me         Enclosing mark
  Mn         Non-spacing mark

  N          Number
  Nd         Decimal number
  Nl         Letter number
  No         Other number

  P          Punctuation
  Pc         Connector punctuation
  Pd         Dash punctuation
  Pe         Close punctuation
  Pf         Final punctuation
  Pi         Initial punctuation
  Po         Other punctuation
  Ps         Open punctuation

  S          Symbol
  Sc         Currency symbol
  Sk         Modifier symbol
  Sm         Mathematical symbol
  So         Other symbol

  Z          Separator
  Zl         Line separator
  Zp         Paragraph separator
  Zs         Space separator

PCRE2 SPECIAL CATEGORY PROPERTIES FOR \p and \P

  Xan        Alphanumeric: union of properties L and N
  Xps        POSIX space: property Z or tab, NL, VT, FF, CR
  Xsp        Perl space: property Z or tab, NL, VT, FF, CR
  Xuc        Univerally-named character: one that can be
               represented by a Universal Character Name
  Xwd        Perl word: property Xan or underscore

Perl and POSIX space are now the same. Perl added VT to its space character set at release 5.18.

SCRIPT NAMES FOR \p AND \P

Ahom, Anatolian_Hieroglyphs, Arabic, Armenian, Avestan, Balinese, Bamum, Bassa_Vah, Batak, Bengali, Bopomofo, Brahmi, Braille, Buginese, Buhid, Canadian_Aboriginal, Carian, Caucasian_Albanian, Chakma, Cham, Cherokee, Common, Coptic, Cuneiform, Cypriot, Cyrillic, Deseret, Devanagari, Duployan, Egyptian_Hieroglyphs, Elbasan, Ethiopic, Georgian, Glagolitic, Gothic, Grantha, Greek, Gujarati, Gurmukhi, Han, Hangul, Hanunoo, Hatran, Hebrew, Hiragana, Imperial_Aramaic, Inherited, Inscriptional_Pahlavi, Inscriptional_Parthian, Javanese, Kaithi, Kannada, Katakana, Kayah_Li, Kharoshthi, Khmer, Khojki, Khudawadi, Lao, Latin, Lepcha, Limbu, Linear_A, Linear_B, Lisu, Lycian, Lydian, Mahajani, Malayalam, Mandaic, Manichaean, Meetei_Mayek, Mende_Kikakui, Meroitic_Cursive, Meroitic_Hieroglyphs, Miao, Modi, Mongolian, Mro, Multani, Myanmar, Nabataean, New_Tai_Lue, Nko, Ogham, Ol_Chiki, Old_Hungarian, Old_Italic, Old_North_Arabian, Old_Permic, Old_Persian, Old_South_Arabian, Old_Turkic, Oriya, Osmanya, Pahawh_Hmong, Palmyrene, Pau_Cin_Hau, Phags_Pa, Phoenician, Psalter_Pahlavi, Rejang, Runic, Samaritan, Saurashtra, Sharada, Shavian, Siddham, SignWriting, Sinhala, Sora_Sompeng, Sundanese, Syloti_Nagri, Syriac, Tagalog, Tagbanwa, Tai_Le, Tai_Tham, Tai_Viet, Takri, Tamil, Telugu, Thaana, Thai, Tibetan, Tifinagh, Tirhuta, Ugaritic, Vai, Warang_Citi, Yi.

CHARACTER CLASSES

  [...]       positive character class
  [^...]      negative character class
  [x-y]       range (can be used for hex characters)
  [[:xxx:]]   positive POSIX named set
  [[:^xxx:]]  negative POSIX named set

  alnum       alphanumeric
  alpha       alphabetic
  ascii       0-127
  blank       space or tab
  cntrl       control character
  digit       decimal digit
  graph       printing, excluding space
  lower       lower case letter
  print       printing, including space
  punct       printing, excluding alphanumeric
  space       white space
  upper       upper case letter
  word        same as \w
  xdigit      hexadecimal digit

In PCRE2, POSIX character set names recognize only ASCII characters by default, but some of them use Unicode properties if PCRE2_UCP is set. You can use \Q...\E inside a character class.

QUANTIFIERS

  ?           0 or 1, greedy
  ?+          0 or 1, possessive
  ??          0 or 1, lazy
  *           0 or more, greedy
  *+          0 or more, possessive
  *?          0 or more, lazy
  +           1 or more, greedy
  ++          1 or more, possessive
  +?          1 or more, lazy
  {n}         exactly n
  {n,m}       at least n, no more than m, greedy
  {n,m}+      at least n, no more than m, possessive
  {n,m}?      at least n, no more than m, lazy
  {n,}        n or more, greedy
  {n,}+       n or more, possessive
  {n,}?       n or more, lazy

ANCHORS AND SIMPLE ASSERTIONS

  \b          word boundary
  \B          not a word boundary
  ^           start of subject
                also after an internal newline in multiline mode
                (after any newline if PCRE2_ALT_CIRCUMFLEX is set)
  \A          start of subject
  $           end of subject
                also before newline at end of subject
                also before internal newline in multiline mode
  \Z          end of subject
                also before newline at end of subject
  \z          end of subject
  \G          first matching position in subject

MATCH POINT RESET

  \K          reset start of match

\K is honoured in positive assertions, but ignored in negative ones.

ALTERNATION

  expr|expr|expr...

CAPTURING

  (...)           capturing group
  (?<name>...)    named capturing group (Perl)
  (?'name'...)    named capturing group (Perl)
  (?P<name>...)   named capturing group (Python)
  (?:...)         non-capturing group
  (?|...)         non-capturing group; reset group numbers for
                   capturing groups in each alternative

ATOMIC GROUPS

  (?>...)         atomic, non-capturing group

COMMENT

  (?#....)        comment (not nestable)

OPTION SETTING

  (?i)            caseless
  (?J)            allow duplicate names
  (?m)            multiline
  (?s)            single line (dotall)
  (?U)            default ungreedy (lazy)
  (?x)            extended (ignore white space)
  (?-...)         unset option(s)

The following are recognized only at the very start of a pattern or after one of the newline or \R options with similar syntax. More than one of them may appear. (*LIMIT_MATCH=d) set the match limit to d (decimal number)

  (*LIMIT_RECURSION=d) set the recursion limit to d (decimal number)
  (*NOTEMPTY)     set PCRE2_NOTEMPTY when matching
  (*NOTEMPTY_ATSTART) set PCRE2_NOTEMPTY_ATSTART when matching
  (*NO_AUTO_POSSESS) no auto-possessification (PCRE2_NO_AUTO_POSSESS)
  (*NO_DOTSTAR_ANCHOR) no .* anchoring (PCRE2_NO_DOTSTAR_ANCHOR)
  (*NO_JIT)       disable JIT optimization
  (*NO_START_OPT) no start-match optimization (PCRE2_NO_START_OPTIMIZE)
  (*UTF)          set appropriate UTF mode for the library in use
  (*UCP)          set PCRE2_UCP (use Unicode properties for \d etc)

Note that LIMIT_MATCH and LIMIT_RECURSION can only reduce the value of the limits set by the caller of pcre2_match(), not increase them. The application can lock out the use of (*UTF) and (*UCP) by setting the PCRE2_NEVER_UTF or PCRE2_NEVER_UCP options, respectively, at compile time.

NEWLINE CONVENTION

These are recognized only at the very start of the pattern or after option settings with a similar syntax.

  (*CR)           carriage return only
  (*LF)           linefeed only
  (*CRLF)         carriage return followed by linefeed
  (*ANYCRLF)      all three of the above
  (*ANY)          any Unicode newline sequence

WHAT \R MATCHES

These are recognized only at the very start of the pattern or after option setting with a similar syntax.

  (*BSR_ANYCRLF)  CR, LF, or CRLF
  (*BSR_UNICODE)  any Unicode newline sequence

LOOKAHEAD AND LOOKBEHIND ASSERTIONS

  (?=...)         positive look ahead
  (?!...)         negative look ahead
  (?<=...)        positive look behind
  (?<!...)        negative look behind

Each top-level branch of a look behind must be of a fixed length.

BACKREFERENCES

  \n              reference by number (can be ambiguous)
  \gn             reference by number
  \g{n}           reference by number
  \g{-n}          relative reference by number
  \k<name>        reference by name (Perl)
  \k'name'        reference by name (Perl)
  \g{name}        reference by name (Perl)
  \k{name}        reference by name (.NET)
  (?P=name)       reference by name (Python)

SUBROUTINE REFERENCES (POSSIBLY RECURSIVE)

  (?R)            recurse whole pattern
  (?n)            call subpattern by absolute number
  (?+n)           call subpattern by relative number
  (?-n)           call subpattern by relative number
  (?&name)        call subpattern by name (Perl)
  (?P>name)       call subpattern by name (Python)
  \g<name>        call subpattern by name (Oniguruma)
  \g'name'        call subpattern by name (Oniguruma)
  \g<n>           call subpattern by absolute number (Oniguruma)
  \g'n'           call subpattern by absolute number (Oniguruma)
  \g<+n>          call subpattern by relative number (PCRE2 extension)
  \g'+n'          call subpattern by relative number (PCRE2 extension)
  \g<-n>          call subpattern by relative number (PCRE2 extension)
  \g'-n'          call subpattern by relative number (PCRE2 extension)

CONDITIONAL PATTERNS

  (?(condition)yes-pattern)
  (?(condition)yes-pattern|no-pattern)

  (?(n)               absolute reference condition
  (?(+n)              relative reference condition
  (?(-n)              relative reference condition
  (?(<name>)          named reference condition (Perl)
  (?('name')          named reference condition (Perl)
  (?(name)            named reference condition (PCRE2)
  (?(R)               overall recursion condition
  (?(Rn)              specific group recursion condition
  (?(R&name)          specific recursion condition
  (?(DEFINE)          define subpattern for reference
  (?(VERSION[>]=n.m)  test PCRE2 version
  (?(assert)          assertion condition

BACKTRACKING CONTROL

The following act immediately they are reached:

  (*ACCEPT)       force successful match
  (*FAIL)         force backtrack; synonym (*F)
  (*MARK:NAME)    set name to be passed back; synonym (*:NAME)

The following act only when a subsequent match failure causes a backtrack to reach them. They all force a match failure, but they differ in what happens afterwards. Those that advance the start-of-match point do so only if the pattern is not anchored. (*COMMIT) overall failure, no advance of starting point

  (*PRUNE)        advance to next starting character
  (*PRUNE:NAME)   equivalent to (*MARK:NAME)(*PRUNE)
  (*SKIP)         advance to current matching position
  (*SKIP:NAME)    advance to position corresponding to an earlier
                  (*MARK:NAME); if not found, the (*SKIP) is ignored
  (*THEN)         local failure, backtrack to next alternation
  (*THEN:NAME)    equivalent to (*MARK:NAME)(*THEN)

CALLOUTS

  (?C)            callout (assumed number 0)
  (?Cn)           callout with numerical data n
  (?C"text")      callout with string data

The allowed string delimiters are ` ' " ^ % # $ (which are the same for the start and the end), and the starting delimiter { matched with the ending delimiter }. To encode the ending delimiter within the string, double it.

In this menu, you can select a command to search for something in the disassembly. Searches are relatively slow and your previous position is saved in the jump stack.

You can search for:

• suspicious operands (instructions that need your attention)

• instructions

• data bytes

• unexplored bytes

• explored bytes

• immediate operand values

• substring in the text representation

• substring in the binary image of the file

• bytes not belonging to any function

• find all suspicious operands

• string with error

• find all errors

• pictures (i.e., raster images) in both - directions (up and down).

See also

• Jump menu for fast navigating.

• Menu Bar submenus

Search for next suspicious operand

Action    name: JumpSuspicious
 

Suspicious operands are the operands that need your attention because they contain an immediate value that could be a number or an offset. IDA does not know about it, so it marks these instructions as 'suspicious'. You can change the suspiciousness of the operands using set lower limit of suspicious operands and set upper limit of suspicious operands commands.

Data arrays are considered to be suspicious if the first element of the data array is within the lower and upper suspicious limits. Values of other elements are not examined.

You can disable the display of the 'suspicious' marks in the Comments Dialog.

Search for next code

Action    name: JumpCode
 

This command searches for the first instruction in the current direction.

Search for next data

Action    name: JumpData
 

This command searches for the first defined data item in the current direction.

Search for next unexplored byte

Action    name: JumpUnknown
 

This command searches for the first unexplored byte in the current direction.

Search for next explored byte

 Action    name: JumpExplored
 

This command searches for the first defined byte (instruction or data in the current direction.

Search for next instruction/data with the specified operand

 Action    name: AskNextImmediate
 

This command searches for the first instruction or data byte that contains the specified immediate value. The command is relatively slow (but much faster than the text search), because it disassembles each instruction to find the operand values.

If the immediate value in an instruction has been logically or bitwise negated, then this command will check against the modified value. Example:

        mov al, -2

will be found if the user searches for the immediate value 2 but not when he searches for 0xFE.

If the checkbox "any untyped value" is checked, then the "value" field is ignored. IDA will look for all immediate values without type in this case.

Repeat search for instruction/data with the specified operand

 Action    name: JumpImmediate
 

This command repeats search for immediate command.

Search for substring in the disassembly

 Action    name: AskNextText

This command searches for the specified substring in the text representation of the disassembly. This command is a slow command, because it disassembles each instruction to get the text representation. IDA will show its progress on the indicator. You can interrupt this command pressing Ctrl-Break.

You may search for regular expressions too.

If a range is selected using anchor, IDA will search for the specified substring in the range.

Note that this command searches the same as what you see on your screen (and not in binary image).

For binary search, look at Search for substring in the file

Repeat search for substring in the disassembly

Action    name: JumpText
 

This command repeats search for text command.

Search for substring in the file

Action    name: AskBinaryText
 

This command searches for the specified substring in the file being disassembled. This command can be used for fast lookups of text strings in the executable file or even to find references to a data. You can interrupt it pressing Ctrl-Break.

If a range is selected using anchor, IDA will search for the specified substring in the range.

The substring is specified like this:

        "This is substring to search"

i.e. in the double-quotes. Also you can specify individual byte values as numbers:

        6A 10

Follow this link to learn more about the format of the input string.

For example, if you want to find a reference to the following string:

 35F2:106A      db 'Hello',0

you could search for number 106A in the file.

See also

• the input string format

• search for text command.

Repeat search for substring in the file

Action    name: JumpBinaryText
 

This command repeats search for text in core command.

Search for bytes not belonging to any function

Action    name: JumpNotFunction
 

This command searches for the first byte not belonging to any function in the current direction.

Set Direction for Searches

 Action    name: SetDirection
 

The current direction for searches is displayed in the right upper corner of the screen. Using this command, you can toggle the display.

See also Options submenu.

Find all suspicious operands

Action    name: FindAllSuspicious
 

This command searches for all suspicious operands and presents a list of them. You may use this list to examine the operands and modify them as needed.

See also

• suspicious operands

Search for next string with error

Action    name: JumpError
 

This commands searches for the 'error' operands. Usually, these operands are displayed with a red color.

Below is the list of probable causes of error operands:

        - reference to an unexisting address
        - illegal offset base
        - unprintable character constant
        - invalid structure or enum reference
        - and so on...

Find all errors

Action    name: FindAllErrors
 

This command searches for all strings containing any error and presents a list of them. You may use this list to examine errors and correct them as needed.

See also

• string with error

Commands of this submenu are available in the structures window. Only Declare struct var... is available in the disassembly window.

• Add struct type...

• Copy struct type...

• Delete struct type...

• Insert gap...

• Delete gap...

• Edit struct type...

• Declare struct var...

• Force zero field offset

• Select union member...

• Create struct type from data...

• Copy field info to pointers...

Use regular commands to specify struct and union members, their types, comments, etc.

A union is a special kind of structure. Use structure definition commands to manipulate unions.

See also Edit submenu.

Define a new structure

 Action    name: AddStruct
 

This command defines a new structure or a new union. The new structure is created with zero length. You will have to add structure members using structure manipulation commands.

If the entered structure name denotes a standard structure type from a loaded type library, then its definition will be automatically used. In this case, the value of the 'create union' checkbox will be ignored.

This command is available when you open a structures window.

You can add new members to the structure using the following commands: command hotkey ------- ------ make data D make strlit A make array * rename N You may also insert/delete undefined bytes into the middle of the structure by using expand and shrink commands.

"Create before current structure" means that the new structure will be placed immediately before the current structure type. Otherwise, the new structure is placed after the current structure.

"Don't include in the list" means that the structure will not be included in the list of the structures which appears when the user applies the structure definition, for example, when he creates a variable of this structure type. We recommend to mark this checkbox when you have defined all variables of this structure type and want to reduce the number of choices in the list.

See also How to Enter an Identifier.

Copy a structure type

Action    name: CopyStruct
 

This command makes a copy of the current structure type. The new structure type will have the same members as the current one but its name will be autogenerated (something like struc_333)

By default the new structure type will be placed after the current structure type.

Delete a structure

 Action    name: DelStruct
 

This command deletes the current structure. Beware, when you delete a structure, all references to it will be destroyed as well. Even if you recreate it later, you'll have to specify again all references to it.

You may use this command to delete unions also.

This command is available when you open a structures window.

Expand a structure

 Action    name: ExpandStruct
 

This command expands the current structure by inserting undefined bytes at the cursor location. The cursor must not be at the end of the structure. To define a member at the end of the structure, just use normal data definition commands.

This command is available when you open a structure window.

Shrink a structure

 Action    name: ShrinkStruct
 

This command shrinks the current structure by deleting undefined bytes at the cursor location. The cursor must be at an undefined byte. IDA will ask the user the number of bytes to remove.

This command is available when you open a structure window.

Edit a structure

 Action    name: EditStruct
 

This command allows the user to change the structure alignment

Structure alignment is used to calculate the number of padding bytes at the end of the structure. For example, if alignment is 4 and the last field is a byte at offset 11h, IDA will add 3 bytes of padding so that the struct size is 14h (multiple of 4).

The alignment must be a power of 2.

This command is available in the Structures window.

See also How to Enter a Number.

Declare a structure variable

 Action    name: MakeStructVar
 

This command declares a variable of the specified structure type.

IDA will ask you to choose a structure type. You must have some structure types defined in order to use this command.

If the target assembler supports it, IDA will display the structure in terse form (using just one line). To uncollapse a terse structure variable use the Unhide command.

You can also use this command to declare a structure field in another structure (i.e. nested structures are supported too).

Force zero field offset

 Action    name: ZeroStructOffset
 

This command forces IDA to display a full structure member name even if the offset of the member is equal to zero.

If used twice, the command cancels itself.

Example: Suppose we have the following structure:

        xxx     struc
        a       db ?
        b       db ?
        c       db ?
        xxx     ends

        dloc    xxx ?

  Normally IDA displays references to it like this:

        mov     eax, offset dloc
        mov     eax, offset dloc.b

  If you force IDA, then it displays member 'a':

        mov     eax, offset dloc.a
        mov     eax, offset dloc.b

Select union member

 Action    name: SelectUnionMember
 

This command tells IDA how to display references to a union from the current cursor location.

Example: Suppose we have the following union:

        xxx     union
        a       db ?
        b       dw ?
        c       dd ?
        ends   xxx

        dloc    xxx ?

  Normally, IDA displays references to "dloc" like this:

        mov     al,  byte ptr dloc
        mov     eax, word ptr dloc

  After using this command, IDA can display the union members:

        mov     al,  dloc.b
        mov     eax, dloc.d

Create a new structure from current data

Action    name: CreateStructFromData
 

This command defines a new structure from data already defined. The new structure is created with adequate data types, and each member uses the current data name if it is available.

This command is available only in the graphical version of IDA.

Copy field info to pointers

 Action    name: CopyFieldsToPointers
 

This command scans the current struct variable and renames the locations pointed by offset expressions unless they already have a non-dummy name.

It also copies the type info from the struct members to pointed locations.

The following problems may occur:

• NOOFFSET Cannot find offset base

• NONAME Cannot find name

• NOFORCED Cannot find alternative string for an operand

• NOCMT Cannot find comment

• NOREF Cannot find references

• INDIRJMP Indirect execution flow

• NODISASM Cannot disassemble

• ALREADY Already data or code

• BOUNDS Execution flows beyond limits

• OVERFLOW Too many lines

• BADSTACK Failed to trace the value of the stack pointer

• LOOKHERE Attention! Probably erroneous situation

• DECISION Decision to convert to instruction/data is made by IDA

• ROLLBACK The decision made by IDA was wrong and rolled back

• COLISION FLIRT collision: the function with the given name already exists

• SIGFNREF FLIRT match indecision: reference to function expected\

See also Jump submenu.

Problem: Cannot find offset base

Description:
        The current item has an operand marked as an offset,
        but IDA cannot find the offset base in the database.

 Possible reason(s):
        The database is probably corrupted.
        This may occur if the database was corrupted and repaired.

What to do: Mark the operand again as an offset. Use one of the following commands:

• Convert to offset (DS)

• Convert to offset (CS)

• Convert to offset by any segment

• Convert to offset by any user-specified base

Problem: Cannot find name

Description: Two reasons can cause this problem: 1.Reference to an illegal address is made in the program being disassembled; 2.IDA couldn't find a name for the address but it must exist. What to do:

1. If this problem is caused by a reference to an illegal address

• try to enter the operand manually

• or make the illegal address legal by creating a new segment.

1. Otherwise, the database is corrupt.

Problem: Cannot find alternative string for an operand

 Description:
        The current item has an operand marked as entered manually,
        but IDA cannot find the manually entered string in the database.

 Possible reason(s):
        The database is corrupt.