1 of 2

Search

In this menu, you can select a command to search for something in the disassembly. Searches are relatively slow and your previous position is saved in the jump stack.

You can search for:

suspicious operands (instructions that need your attention)
instructions
data bytes
unexplored bytes
explored bytes
immediate operand values
substring in the text representation
substring in the binary image of the file
bytes not belonging to any function
find all suspicious operands
string with error
find all errors
pictures (i.e., raster images) in both - directions (up and down).

See also

Jump menu for fast navigating.
Menu Bar submenus

Search for next suspicious operand

Action    name: JumpSuspicious

Suspicious operands are the operands that need your attention because they contain an immediate value that could be a number or an offset. IDA does not know about it, so it marks these instructions as 'suspicious'. You can change the suspiciousness of the operands using set lower limit of suspicious operands and set upper limit of suspicious operands commands.

Data arrays are considered to be suspicious if the first element of the data array is within the lower and upper suspicious limits. Values of other elements are not examined.

You can disable the display of the 'suspicious' marks in the Comments Dialog.

NOTE: We strongly recommend that before producing an ASM file you go through all 'suspicious' marks and get rid of them. After this you have a certain level of confidence that the file has been disassembled correctly.

Search for next code

Action    name: JumpCode

This command searches for the first instruction in the current direction.

Search for next data

Action    name: JumpData

This command searches for the first defined data item in the current direction.

Search for next unexplored byte

Action    name: JumpUnknown

This command searches for the first unexplored byte in the current direction.

Search for next explored byte

 Action    name: JumpExplored

This command searches for the first defined byte (instruction or data in the current direction.

Search for next instruction/data with the specified operand

 Action    name: AskNextImmediate

This command searches for the first instruction or data byte that contains the specified immediate value. The command is relatively slow (but much faster than the text search), because it disassembles each instruction to find the operand values.

If the immediate value in an instruction has been logically or bitwise negated, then this command will check against the modified value. Example:

        mov al, -2

will be found if the user searches for the immediate value 2 but not when he searches for 0xFE.

If the checkbox "any untyped value" is checked, then the "value" field is ignored. IDA will look for all immediate values without type in this case.

Repeat search for instruction/data with the specified operand

 Action    name: JumpImmediate

This command repeats search for immediate command.

Search for substring in the disassembly

 Action    name: AskNextText

This command searches for the specified substring in the text representation of the disassembly. This command is a slow command, because it disassembles each instruction to get the text representation. IDA will show its progress on the indicator. You can interrupt this command pressing Ctrl-Break.

You may search for regular expressions too.

If a range is selected using anchor, IDA will search for the specified substring in the range.

Note that this command searches the same as what you see on your screen (and not in binary image).

For binary search, look at Search for substring in the file

Repeat search for substring in the disassembly

Action    name: JumpText

This command repeats search for text command.

Search for substring in the file

Action    name: AskBinaryText

This command searches for the specified substring in the file being disassembled. This command can be used for fast lookups of text strings in the executable file or even to find references to a data. You can interrupt it pressing Ctrl-Break.

If a range is selected using anchor, IDA will search for the specified substring in the range.

The substring is specified like this:

        "This is substring to search"

i.e. in the double-quotes. Also you can specify individual byte values as numbers:

        6A 10

Follow this link to learn more about the format of the input string.

For example, if you want to find a reference to the following string:

 35F2:106A      db 'Hello',0

you could search for number 106A in the file.

See also

the input string format
search for text command.

Repeat search for substring in the file

Action    name: JumpBinaryText

This command repeats search for text in core command.

Search for bytes not belonging to any function

Action    name: JumpNotFunction

This command searches for the first byte not belonging to any function in the current direction.

Set Direction for Searches

 Action    name: SetDirection

The current direction for searches is displayed in the right upper corner of the screen. Using this command, you can toggle the display.

Find all suspicious operands

Action    name: FindAllSuspicious

This command searches for all suspicious operands and presents a list of them. You may use this list to examine the operands and modify them as needed.

See also

suspicious operands

Search for next string with error

Action    name: JumpError

This commands searches for the 'error' operands. Usually, these operands are displayed with a red color.

Below is the list of probable causes of error operands:

        - reference to an unexisting address
        - illegal offset base
        - unprintable character constant
        - invalid structure or enum reference
        - and so on...

Find all errors

Action    name: FindAllErrors

This command searches for all strings containing any error and presents a list of them. You may use this list to examine errors and correct them as needed.

See also

string with error

REGULAR EXPRESSION SYNTAX SUMMARY

The full syntax and semantics of the regular expressions that are supported by PCRE2 are described in the pcre2pattern documentation. This document contains a quick-reference summary of the syntax.

QUOTING

  \x         where x is non-alphanumeric is a literal x
  \Q...\E    treat enclosed characters as literal

ESCAPED CHARACTERS

This table applies to ASCII and Unicode environments.

  \a         alarm, that is, the BEL character (hex 07)
  \cx        "control-x", where x is any ASCII printing character
  \e         escape (hex 1B)
  \f         form feed (hex 0C)
  \n         newline (hex 0A)
  \r         carriage return (hex 0D)
  \t         tab (hex 09)
  \0dd       character with octal code 0dd
  \ddd       character with octal code ddd, or backreference
  \o{ddd..}  character with octal code ddd..
  \U         "U" if PCRE2_ALT_BSUX is set (otherwise is an error)
  \uhhhh     character with hex code hhhh (if PCRE2_ALT_BSUX is set)
  \xhh       character with hex code hh
  \x{hhh..}  character with hex code hhh..

Note that \0dd is always an octal code. The treatment of backslash followed by a non-zero digit is complicated; for details see the section "Non-printing characters" in the pcre2pattern documentation, where details of escape processing in EBCDIC environments are also given.

When \x is not followed by {, from zero to two hexadecimal digits are read, but if PCRE2_ALT_BSUX is set, \x must be followed by two hexadecimal digits to be recognized as a hexadecimal escape; otherwise it matches a literal "x". Likewise, if \u (in ALT_BSUX mode) is not followed by four hexadecimal digits, it matches a literal "u".

CHARACTER TYPES

  .          any character except newline;
               in dotall mode, any character whatsoever
  \C         one code unit, even in UTF mode (best avoided)
  \d         a decimal digit
  \D         a character that is not a decimal digit
  \h         a horizontal white space character
  \H         a character that is not a horizontal white space character
  \N         a character that is not a newline
  \p{xx}     a character with the xx property
  \P{xx}     a character without the xx property
  \R         a newline sequence
  \s         a white space character
  \S         a character that is not a white space character
  \v         a vertical white space character
  \V         a character that is not a vertical white space character
  \w         a "word" character
  \W         a "non-word" character
  \X         a Unicode extended grapheme cluster

\C is dangerous because it may leave the current matching point in the middle of a UTF-8 or UTF-16 character. The application can lock out the use of \C by setting the PCRE2_NEVER_BACKSLASH_C option. It is also possible to build PCRE2 with the use of \C permanently disabled.

By default, \d, \s, and \w match only ASCII characters, even in UTF-8 mode or in the 16-bit and 32-bit libraries. However, if locale-specific matching is happening, \s and \w may also match characters with code points in the range 128-255. If the PCRE2_UCP option is set, the behaviour of these escape sequences is changed to use Unicode properties and they match many more characters.

GENERAL CATEGORY PROPERTIES FOR \p and \P

  C          Other
  Cc         Control
  Cf         Format
  Cn         Unassigned
  Co         Private use
  Cs         Surrogate

  L          Letter
  Ll         Lower case letter
  Lm         Modifier letter
  Lo         Other letter
  Lt         Title case letter
  Lu         Upper case letter
  L&         Ll, Lu, or Lt

  M          Mark
  Mc         Spacing mark
  Me         Enclosing mark
  Mn         Non-spacing mark

  N          Number
  Nd         Decimal number
  Nl         Letter number
  No         Other number

  P          Punctuation
  Pc         Connector punctuation
  Pd         Dash punctuation
  Pe         Close punctuation
  Pf         Final punctuation
  Pi         Initial punctuation
  Po         Other punctuation
  Ps         Open punctuation

  S          Symbol
  Sc         Currency symbol
  Sk         Modifier symbol
  Sm         Mathematical symbol
  So         Other symbol

  Z          Separator
  Zl         Line separator
  Zp         Paragraph separator
  Zs         Space separator

PCRE2 SPECIAL CATEGORY PROPERTIES FOR \p and \P

  Xan        Alphanumeric: union of properties L and N
  Xps        POSIX space: property Z or tab, NL, VT, FF, CR
  Xsp        Perl space: property Z or tab, NL, VT, FF, CR
  Xuc        Univerally-named character: one that can be
               represented by a Universal Character Name
  Xwd        Perl word: property Xan or underscore

Perl and POSIX space are now the same. Perl added VT to its space character set at release 5.18.

SCRIPT NAMES FOR \p AND \P

Ahom, Anatolian_Hieroglyphs, Arabic, Armenian, Avestan, Balinese, Bamum, Bassa_Vah, Batak, Bengali, Bopomofo, Brahmi, Braille, Buginese, Buhid, Canadian_Aboriginal, Carian, Caucasian_Albanian, Chakma, Cham, Cherokee, Common, Coptic, Cuneiform, Cypriot, Cyrillic, Deseret, Devanagari, Duployan, Egyptian_Hieroglyphs, Elbasan, Ethiopic, Georgian, Glagolitic, Gothic, Grantha, Greek, Gujarati, Gurmukhi, Han, Hangul, Hanunoo, Hatran, Hebrew, Hiragana, Imperial_Aramaic, Inherited, Inscriptional_Pahlavi, Inscriptional_Parthian, Javanese, Kaithi, Kannada, Katakana, Kayah_Li, Kharoshthi, Khmer, Khojki, Khudawadi, Lao, Latin, Lepcha, Limbu, Linear_A, Linear_B, Lisu, Lycian, Lydian, Mahajani, Malayalam, Mandaic, Manichaean, Meetei_Mayek, Mende_Kikakui, Meroitic_Cursive, Meroitic_Hieroglyphs, Miao, Modi, Mongolian, Mro, Multani, Myanmar, Nabataean, New_Tai_Lue, Nko, Ogham, Ol_Chiki, Old_Hungarian, Old_Italic, Old_North_Arabian, Old_Permic, Old_Persian, Old_South_Arabian, Old_Turkic, Oriya, Osmanya, Pahawh_Hmong, Palmyrene, Pau_Cin_Hau, Phags_Pa, Phoenician, Psalter_Pahlavi, Rejang, Runic, Samaritan, Saurashtra, Sharada, Shavian, Siddham, SignWriting, Sinhala, Sora_Sompeng, Sundanese, Syloti_Nagri, Syriac, Tagalog, Tagbanwa, Tai_Le, Tai_Tham, Tai_Viet, Takri, Tamil, Telugu, Thaana, Thai, Tibetan, Tifinagh, Tirhuta, Ugaritic, Vai, Warang_Citi, Yi.

CHARACTER CLASSES

  [...]       positive character class
  [^...]      negative character class
  [x-y]       range (can be used for hex characters)
  [[:xxx:]]   positive POSIX named set
  [[:^xxx:]]  negative POSIX named set

  alnum       alphanumeric
  alpha       alphabetic
  ascii       0-127
  blank       space or tab
  cntrl       control character
  digit       decimal digit
  graph       printing, excluding space
  lower       lower case letter
  print       printing, including space
  punct       printing, excluding alphanumeric
  space       white space
  upper       upper case letter
  word        same as \w
  xdigit      hexadecimal digit

In PCRE2, POSIX character set names recognize only ASCII characters by default, but some of them use Unicode properties if PCRE2_UCP is set. You can use \Q...\E inside a character class.

QUANTIFIERS

  ?           0 or 1, greedy
  ?+          0 or 1, possessive
  ??          0 or 1, lazy
  *           0 or more, greedy
  *+          0 or more, possessive
  *?          0 or more, lazy
  +           1 or more, greedy
  ++          1 or more, possessive
  +?          1 or more, lazy
  {n}         exactly n
  {n,m}       at least n, no more than m, greedy
  {n,m}+      at least n, no more than m, possessive
  {n,m}?      at least n, no more than m, lazy
  {n,}        n or more, greedy
  {n,}+       n or more, possessive
  {n,}?       n or more, lazy

ANCHORS AND SIMPLE ASSERTIONS

  \b          word boundary
  \B          not a word boundary
  ^           start of subject
                also after an internal newline in multiline mode
                (after any newline if PCRE2_ALT_CIRCUMFLEX is set)
  \A          start of subject
  $           end of subject
                also before newline at end of subject
                also before internal newline in multiline mode
  \Z          end of subject
                also before newline at end of subject
  \z          end of subject
  \G          first matching position in subject

MATCH POINT RESET

  \K          reset start of match

\K is honoured in positive assertions, but ignored in negative ones.

ALTERNATION

  expr|expr|expr...

CAPTURING

  (...)           capturing group
  (?<name>...)    named capturing group (Perl)
  (?'name'...)    named capturing group (Perl)
  (?P<name>...)   named capturing group (Python)
  (?:...)         non-capturing group
  (?|...)         non-capturing group; reset group numbers for
                   capturing groups in each alternative

ATOMIC GROUPS

  (?>...)         atomic, non-capturing group

COMMENT

  (?#....)        comment (not nestable)

OPTION SETTING

  (?i)            caseless
  (?J)            allow duplicate names
  (?m)            multiline
  (?s)            single line (dotall)
  (?U)            default ungreedy (lazy)
  (?x)            extended (ignore white space)
  (?-...)         unset option(s)

The following are recognized only at the very start of a pattern or after one of the newline or \R options with similar syntax. More than one of them may appear. (*LIMIT_MATCH=d) set the match limit to d (decimal number)

  (*LIMIT_RECURSION=d) set the recursion limit to d (decimal number)
  (*NOTEMPTY)     set PCRE2_NOTEMPTY when matching
  (*NOTEMPTY_ATSTART) set PCRE2_NOTEMPTY_ATSTART when matching
  (*NO_AUTO_POSSESS) no auto-possessification (PCRE2_NO_AUTO_POSSESS)
  (*NO_DOTSTAR_ANCHOR) no .* anchoring (PCRE2_NO_DOTSTAR_ANCHOR)
  (*NO_JIT)       disable JIT optimization
  (*NO_START_OPT) no start-match optimization (PCRE2_NO_START_OPTIMIZE)
  (*UTF)          set appropriate UTF mode for the library in use
  (*UCP)          set PCRE2_UCP (use Unicode properties for \d etc)

Note that LIMIT_MATCH and LIMIT_RECURSION can only reduce the value of the limits set by the caller of pcre2_match(), not increase them. The application can lock out the use of (*UTF) and (*UCP) by setting the PCRE2_NEVER_UTF or PCRE2_NEVER_UCP options, respectively, at compile time.

NEWLINE CONVENTION

These are recognized only at the very start of the pattern or after option settings with a similar syntax.

  (*CR)           carriage return only
  (*LF)           linefeed only
  (*CRLF)         carriage return followed by linefeed
  (*ANYCRLF)      all three of the above
  (*ANY)          any Unicode newline sequence

WHAT \R MATCHES

These are recognized only at the very start of the pattern or after option setting with a similar syntax.

  (*BSR_ANYCRLF)  CR, LF, or CRLF
  (*BSR_UNICODE)  any Unicode newline sequence

LOOKAHEAD AND LOOKBEHIND ASSERTIONS

  (?=...)         positive look ahead
  (?!...)         negative look ahead
  (?<=...)        positive look behind
  (?<!...)        negative look behind

Each top-level branch of a look behind must be of a fixed length.

BACKREFERENCES

  \n              reference by number (can be ambiguous)
  \gn             reference by number
  \g{n}           reference by number
  \g{-n}          relative reference by number
  \k<name>        reference by name (Perl)
  \k'name'        reference by name (Perl)
  \g{name}        reference by name (Perl)
  \k{name}        reference by name (.NET)
  (?P=name)       reference by name (Python)

SUBROUTINE REFERENCES (POSSIBLY RECURSIVE)

  (?R)            recurse whole pattern
  (?n)            call subpattern by absolute number
  (?+n)           call subpattern by relative number
  (?-n)           call subpattern by relative number
  (?&name)        call subpattern by name (Perl)
  (?P>name)       call subpattern by name (Python)
  \g<name>        call subpattern by name (Oniguruma)
  \g'name'        call subpattern by name (Oniguruma)
  \g<n>           call subpattern by absolute number (Oniguruma)
  \g'n'           call subpattern by absolute number (Oniguruma)
  \g<+n>          call subpattern by relative number (PCRE2 extension)
  \g'+n'          call subpattern by relative number (PCRE2 extension)
  \g<-n>          call subpattern by relative number (PCRE2 extension)
  \g'-n'          call subpattern by relative number (PCRE2 extension)

CONDITIONAL PATTERNS

  (?(condition)yes-pattern)
  (?(condition)yes-pattern|no-pattern)

  (?(n)               absolute reference condition
  (?(+n)              relative reference condition
  (?(-n)              relative reference condition
  (?(<name>)          named reference condition (Perl)
  (?('name')          named reference condition (Perl)
  (?(name)            named reference condition (PCRE2)
  (?(R)               overall recursion condition
  (?(Rn)              specific group recursion condition
  (?(R&name)          specific recursion condition
  (?(DEFINE)          define subpattern for reference
  (?(VERSION[>]=n.m)  test PCRE2 version
  (?(assert)          assertion condition

BACKTRACKING CONTROL

The following act immediately they are reached:

  (*ACCEPT)       force successful match
  (*FAIL)         force backtrack; synonym (*F)
  (*MARK:NAME)    set name to be passed back; synonym (*:NAME)

The following act only when a subsequent match failure causes a backtrack to reach them. They all force a match failure, but they differ in what happens afterwards. Those that advance the start-of-match point do so only if the pattern is not anchored. (*COMMIT) overall failure, no advance of starting point

  (*PRUNE)        advance to next starting character
  (*PRUNE:NAME)   equivalent to (*MARK:NAME)(*PRUNE)
  (*SKIP)         advance to current matching position
  (*SKIP:NAME)    advance to position corresponding to an earlier
                  (*MARK:NAME); if not found, the (*SKIP) is ignored
  (*THEN)         local failure, backtrack to next alternation
  (*THEN:NAME)    equivalent to (*MARK:NAME)(*THEN)

CALLOUTS

  (?C)            callout (assumed number 0)
  (?Cn)           callout with numerical data n
  (?C"text")      callout with string data

The allowed string delimiters are ` ' " ^ % # $ (which are the same for the start and the end), and the starting delimiter { matched with the ending delimiter }. To encode the ending delimiter within the string, double it.

REGULAR EXPRESSION SYNTAX SUMMARY

The full syntax and semantics of the regular expressions that are supported by PCRE2 are described in the pcre2pattern documentation. This document contains a quick-reference summary of the syntax.

QUOTING

  \x         where x is non-alphanumeric is a literal x
  \Q...\E    treat enclosed characters as literal

ESCAPED CHARACTERS

This table applies to ASCII and Unicode environments.

  \a         alarm, that is, the BEL character (hex 07)
  \cx        "control-x", where x is any ASCII printing character
  \e         escape (hex 1B)
  \f         form feed (hex 0C)
  \n         newline (hex 0A)
  \r         carriage return (hex 0D)
  \t         tab (hex 09)
  \0dd       character with octal code 0dd
  \ddd       character with octal code ddd, or backreference
  \o{ddd..}  character with octal code ddd..
  \U         "U" if PCRE2_ALT_BSUX is set (otherwise is an error)
  \uhhhh     character with hex code hhhh (if PCRE2_ALT_BSUX is set)
  \xhh       character with hex code hh
  \x{hhh..}  character with hex code hhh..

CHARACTER TYPES

  .          any character except newline;
               in dotall mode, any character whatsoever
  \C         one code unit, even in UTF mode (best avoided)
  \d         a decimal digit
  \D         a character that is not a decimal digit
  \h         a horizontal white space character
  \H         a character that is not a horizontal white space character
  \N         a character that is not a newline
  \p{xx}     a character with the xx property
  \P{xx}     a character without the xx property
  \R         a newline sequence
  \s         a white space character
  \S         a character that is not a white space character
  \v         a vertical white space character
  \V         a character that is not a vertical white space character
  \w         a "word" character
  \W         a "non-word" character
  \X         a Unicode extended grapheme cluster

GENERAL CATEGORY PROPERTIES FOR \p and \P

  C          Other
  Cc         Control
  Cf         Format
  Cn         Unassigned
  Co         Private use
  Cs         Surrogate

  L          Letter
  Ll         Lower case letter
  Lm         Modifier letter
  Lo         Other letter
  Lt         Title case letter
  Lu         Upper case letter
  L&         Ll, Lu, or Lt

  M          Mark
  Mc         Spacing mark
  Me         Enclosing mark
  Mn         Non-spacing mark

  N          Number
  Nd         Decimal number
  Nl         Letter number
  No         Other number

  P          Punctuation
  Pc         Connector punctuation
  Pd         Dash punctuation
  Pe         Close punctuation
  Pf         Final punctuation
  Pi         Initial punctuation
  Po         Other punctuation
  Ps         Open punctuation

  S          Symbol
  Sc         Currency symbol
  Sk         Modifier symbol
  Sm         Mathematical symbol
  So         Other symbol

  Z          Separator
  Zl         Line separator
  Zp         Paragraph separator
  Zs         Space separator

PCRE2 SPECIAL CATEGORY PROPERTIES FOR \p and \P

  Xan        Alphanumeric: union of properties L and N
  Xps        POSIX space: property Z or tab, NL, VT, FF, CR
  Xsp        Perl space: property Z or tab, NL, VT, FF, CR
  Xuc        Univerally-named character: one that can be
               represented by a Universal Character Name
  Xwd        Perl word: property Xan or underscore

Perl and POSIX space are now the same. Perl added VT to its space character set at release 5.18.

SCRIPT NAMES FOR \p AND \P

CHARACTER CLASSES

  [...]       positive character class
  [^...]      negative character class
  [x-y]       range (can be used for hex characters)
  [[:xxx:]]   positive POSIX named set
  [[:^xxx:]]  negative POSIX named set

  alnum       alphanumeric
  alpha       alphabetic
  ascii       0-127
  blank       space or tab
  cntrl       control character
  digit       decimal digit
  graph       printing, excluding space
  lower       lower case letter
  print       printing, including space
  punct       printing, excluding alphanumeric
  space       white space
  upper       upper case letter
  word        same as \w
  xdigit      hexadecimal digit

In PCRE2, POSIX character set names recognize only ASCII characters by default, but some of them use Unicode properties if PCRE2_UCP is set. You can use \Q...\E inside a character class.

QUANTIFIERS

  ?           0 or 1, greedy
  ?+          0 or 1, possessive
  ??          0 or 1, lazy
  *           0 or more, greedy
  *+          0 or more, possessive
  *?          0 or more, lazy
  +           1 or more, greedy
  ++          1 or more, possessive
  +?          1 or more, lazy
  {n}         exactly n
  {n,m}       at least n, no more than m, greedy
  {n,m}+      at least n, no more than m, possessive
  {n,m}?      at least n, no more than m, lazy
  {n,}        n or more, greedy
  {n,}+       n or more, possessive
  {n,}?       n or more, lazy

ANCHORS AND SIMPLE ASSERTIONS

  \b          word boundary
  \B          not a word boundary
  ^           start of subject
                also after an internal newline in multiline mode
                (after any newline if PCRE2_ALT_CIRCUMFLEX is set)
  \A          start of subject
  $           end of subject
                also before newline at end of subject
                also before internal newline in multiline mode
  \Z          end of subject
                also before newline at end of subject
  \z          end of subject
  \G          first matching position in subject

MATCH POINT RESET

  \K          reset start of match

\K is honoured in positive assertions, but ignored in negative ones.

ALTERNATION

  expr|expr|expr...

CAPTURING

  (...)           capturing group
  (?<name>...)    named capturing group (Perl)
  (?'name'...)    named capturing group (Perl)
  (?P<name>...)   named capturing group (Python)
  (?:...)         non-capturing group
  (?|...)         non-capturing group; reset group numbers for
                   capturing groups in each alternative

ATOMIC GROUPS

  (?>...)         atomic, non-capturing group

COMMENT

  (?#....)        comment (not nestable)

OPTION SETTING

  (?i)            caseless
  (?J)            allow duplicate names
  (?m)            multiline
  (?s)            single line (dotall)
  (?U)            default ungreedy (lazy)
  (?x)            extended (ignore white space)
  (?-...)         unset option(s)

  (*LIMIT_RECURSION=d) set the recursion limit to d (decimal number)
  (*NOTEMPTY)     set PCRE2_NOTEMPTY when matching
  (*NOTEMPTY_ATSTART) set PCRE2_NOTEMPTY_ATSTART when matching
  (*NO_AUTO_POSSESS) no auto-possessification (PCRE2_NO_AUTO_POSSESS)
  (*NO_DOTSTAR_ANCHOR) no .* anchoring (PCRE2_NO_DOTSTAR_ANCHOR)
  (*NO_JIT)       disable JIT optimization
  (*NO_START_OPT) no start-match optimization (PCRE2_NO_START_OPTIMIZE)
  (*UTF)          set appropriate UTF mode for the library in use
  (*UCP)          set PCRE2_UCP (use Unicode properties for \d etc)

NEWLINE CONVENTION

These are recognized only at the very start of the pattern or after option settings with a similar syntax.

  (*CR)           carriage return only
  (*LF)           linefeed only
  (*CRLF)         carriage return followed by linefeed
  (*ANYCRLF)      all three of the above
  (*ANY)          any Unicode newline sequence

WHAT \R MATCHES

These are recognized only at the very start of the pattern or after option setting with a similar syntax.

  (*BSR_ANYCRLF)  CR, LF, or CRLF
  (*BSR_UNICODE)  any Unicode newline sequence

LOOKAHEAD AND LOOKBEHIND ASSERTIONS

  (?=...)         positive look ahead
  (?!...)         negative look ahead
  (?<=...)        positive look behind
  (?<!...)        negative look behind

Each top-level branch of a look behind must be of a fixed length.

BACKREFERENCES

  \n              reference by number (can be ambiguous)
  \gn             reference by number
  \g{n}           reference by number
  \g{-n}          relative reference by number
  \k<name>        reference by name (Perl)
  \k'name'        reference by name (Perl)
  \g{name}        reference by name (Perl)
  \k{name}        reference by name (.NET)
  (?P=name)       reference by name (Python)

SUBROUTINE REFERENCES (POSSIBLY RECURSIVE)

  (?R)            recurse whole pattern
  (?n)            call subpattern by absolute number
  (?+n)           call subpattern by relative number
  (?-n)           call subpattern by relative number
  (?&name)        call subpattern by name (Perl)
  (?P>name)       call subpattern by name (Python)
  \g<name>        call subpattern by name (Oniguruma)
  \g'name'        call subpattern by name (Oniguruma)
  \g<n>           call subpattern by absolute number (Oniguruma)
  \g'n'           call subpattern by absolute number (Oniguruma)
  \g<+n>          call subpattern by relative number (PCRE2 extension)
  \g'+n'          call subpattern by relative number (PCRE2 extension)
  \g<-n>          call subpattern by relative number (PCRE2 extension)
  \g'-n'          call subpattern by relative number (PCRE2 extension)

CONDITIONAL PATTERNS

  (?(condition)yes-pattern)
  (?(condition)yes-pattern|no-pattern)

  (?(n)               absolute reference condition
  (?(+n)              relative reference condition
  (?(-n)              relative reference condition
  (?(<name>)          named reference condition (Perl)
  (?('name')          named reference condition (Perl)
  (?(name)            named reference condition (PCRE2)
  (?(R)               overall recursion condition
  (?(Rn)              specific group recursion condition
  (?(R&name)          specific recursion condition
  (?(DEFINE)          define subpattern for reference
  (?(VERSION[>]=n.m)  test PCRE2 version
  (?(assert)          assertion condition

BACKTRACKING CONTROL

The following act immediately they are reached:

  (*ACCEPT)       force successful match
  (*FAIL)         force backtrack; synonym (*F)
  (*MARK:NAME)    set name to be passed back; synonym (*:NAME)

  (*PRUNE)        advance to next starting character
  (*PRUNE:NAME)   equivalent to (*MARK:NAME)(*PRUNE)
  (*SKIP)         advance to current matching position
  (*SKIP:NAME)    advance to position corresponding to an earlier
                  (*MARK:NAME); if not found, the (*SKIP) is ignored
  (*THEN)         local failure, backtrack to next alternation
  (*THEN:NAME)    equivalent to (*MARK:NAME)(*THEN)

CALLOUTS

  (?C)            callout (assumed number 0)
  (?Cn)           callout with numerical data n
  (?C"text")      callout with string data

Search

In this menu, you can select a command to search for something in the disassembly. Searches are relatively slow and your previous position is saved in the jump stack.

You can search for:

suspicious operands (instructions that need your attention)
instructions
data bytes
unexplored bytes
explored bytes
immediate operand values
substring in the text representation
substring in the binary image of the file
bytes not belonging to any function
find all suspicious operands
string with error
find all errors
pictures (i.e., raster images) in both - directions (up and down).

See also

Jump menu for fast navigating.
Menu Bar submenus

Search for next suspicious operand

Action    name: JumpSuspicious

Data arrays are considered to be suspicious if the first element of the data array is within the lower and upper suspicious limits. Values of other elements are not examined.

You can disable the display of the 'suspicious' marks in the Comments Dialog.

Search for next code

Action    name: JumpCode

This command searches for the first instruction in the current direction.

Search for next data

Action    name: JumpData

This command searches for the first defined data item in the current direction.

Search for next unexplored byte

Action    name: JumpUnknown

This command searches for the first unexplored byte in the current direction.

Search for next explored byte

 Action    name: JumpExplored

This command searches for the first defined byte (instruction or data in the current direction.

Search for next instruction/data with the specified operand

 Action    name: AskNextImmediate

If the immediate value in an instruction has been logically or bitwise negated, then this command will check against the modified value. Example:

        mov al, -2

will be found if the user searches for the immediate value 2 but not when he searches for 0xFE.

If the checkbox "any untyped value" is checked, then the "value" field is ignored. IDA will look for all immediate values without type in this case.

Repeat search for instruction/data with the specified operand

 Action    name: JumpImmediate

This command repeats search for immediate command.

Search for substring in the disassembly

 Action    name: AskNextText

You may search for regular expressions too.

If a range is selected using anchor, IDA will search for the specified substring in the range.

Note that this command searches the same as what you see on your screen (and not in binary image).

For binary search, look at Search for substring in the file

Repeat search for substring in the disassembly

Action    name: JumpText

This command repeats search for text command.

Search for substring in the file

Action    name: AskBinaryText

If a range is selected using anchor, IDA will search for the specified substring in the range.

The substring is specified like this:

        "This is substring to search"

i.e. in the double-quotes. Also you can specify individual byte values as numbers:

        6A 10

Follow this link to learn more about the format of the input string.

For example, if you want to find a reference to the following string:

 35F2:106A      db 'Hello',0

you could search for number 106A in the file.

See also

the input string format
search for text command.

Repeat search for substring in the file

Action    name: JumpBinaryText

This command repeats search for text in core command.

Search for bytes not belonging to any function

Action    name: JumpNotFunction

This command searches for the first byte not belonging to any function in the current direction.

Set Direction for Searches

 Action    name: SetDirection

The current direction for searches is displayed in the right upper corner of the screen. Using this command, you can toggle the display.

Find all suspicious operands

Action    name: FindAllSuspicious

This command searches for all suspicious operands and presents a list of them. You may use this list to examine the operands and modify them as needed.

See also

suspicious operands

Search for next string with error

Action    name: JumpError

This commands searches for the 'error' operands. Usually, these operands are displayed with a red color.

Below is the list of probable causes of error operands:

        - reference to an unexisting address
        - illegal offset base
        - unprintable character constant
        - invalid structure or enum reference
        - and so on...

Find all errors

Action    name: FindAllErrors

This command searches for all strings containing any error and presents a list of them. You may use this list to examine errors and correct them as needed.

See also

string with error