The following problems may occur:
NOOFFSET Cannot find offset base
NONAME Cannot find name
NOCMT
NOREF
INDIRJMP
NODISASM
ALREADY
BOUNDS
OVERFLOW
BADSTACK
LOOKHERE
DECISION
ROLLBACK
COLISION
SIGFNREF \
See also submenu.
What to do: Mark the operand again as an offset. Use one of the following commands:
Description: Two reasons can cause this problem: 1.Reference to an illegal address is made in the program being disassembled; 2.IDA couldn't find a name for the address but it must exist. What to do:
If this problem is caused by a reference to an illegal address
try to enter the operand
or make the illegal address legal by a new segment.
Otherwise, the database is corrupt.
What to do: Enter the operand manually again. Use one of the following commands:
What to do: Database is corrupt, the best thing to do is to the database.
Possible reason(s):
The specified bytes do not form an instruction.
The current type is incorrect. What to do: If you are sure that the specified bytes contain an instruction, you can try to change type and mark these bytes as an instruction using the following command:
Description: IDA cannot convert this byte(s) to an or because it would overlap another instruction. What to do: Make the following overlapping instruction or data 'unexplored' using command.
Description: IDA encountered a jump or call instruction to an illegal address. Namely:
jump/call beyond program segments
near jump/call beyond the current segment What to do:
Enter the operand
or Create a new making the illegal address legal
or Change the current segment bounds using one of the following:
What to do:
If the current item is an or , try to divide it. or
Delete or
Disable display or 4. Increase the limit in IDA.CFG, the parameter name is MAX_ITEM_LINES.
What to do:
Examine the value of at various locations of the function and try to find out why the stack tracing has failed. Usually, it fails because some called function changed the stack pointer (by purging the input parameters, for example)
If you have found the offending function, its attributes (namely, number of bytes purged upon return).
Another way is to specify manually how the stack pointer is modified. See command
Action name: CenterInWindow
This command centers the cursor.
Description:
The current item has an operand marked as an offset,
but IDA cannot find the offset base in the database.
Possible reason(s):
The database is probably corrupted.
This may occur if the database was corrupted and repaired. Description:
The current item has an operand marked as entered manually,
but IDA cannot find the manually entered string in the database.
Possible reason(s):
The database is corrupt.Should not happen!
Please inform the author if you encounter this problem.Description:
The current item is marked as referenced from other place(s) in the
program, but IDA cannot find any reference to it.
Possible reason(s):
The database is corrupt.Description:
Actually, this is not a problem. IDA warns you
that here it encountered an indirect jump and
couldn't follow the execution.
What to do:
Nothing, this entry is just for your informationDescription:
IDA cannot represent the specified bytes as an instruction. Description:
The current item (instruction or data) occupies more lines
on the screen than it is allowed by the current configuration.Description:
The value of the stack pointer at the end of the function is different
from its value at the start of the function. IDA checks for the
difference only if the function is ended by a "return" instruction.
The most probable cause is that stack tracing has failed.
This problem is displayed in the disassembly listing with
the "sp-analysis failed" comment.Description:
This is a generic problem message. IDA uses it when no more detailed
information is available or the problem is processor-specific. Description:
In fact, this is not exactly a problem: IDA collects all the locations
where it has decided to convert undefined bytes to
instructions or data even if they don't have
any references to them. We consider this decision as dangerous
and therefore we provide you with a way to examine all such places.
What to do:
Examine the result of conversion and modify the instructions
or data if IDA has made a wrong conversion.
Description:
This problem occurs when IDA has converted unexplored bytes to
instruction(s) and later found that the decision was wrong.
For example:
mov ax, bx
db 0FFh, 0FFh
0FFh, 0FFh cannot be converted to an instruction, therefore
the "mov" instruction cannot be here.
In this case, IDA automatically destroys the instruction(s)
and enlists the address as problematic.
What to do:
Examine the end result and modify it accordingly.Description:
It means that IDA recognized the function as coming
from a standard library but there already was another function
with the same name in the program.
What to do:
Examine the function and rename it as you wish. Description:
IDA matched code bytes against at least one
signature entry, but failed finding expected
cross-references at certain offsets in the code.
Consider the following .pat file contents:
5589E583EC18A1........890424E8........C9C3...................... 00 0000 0015 :0000 _test ^000F _my_fun0
5589E583EC18A1........890424E8........C9C3...................... 00 0000 0015 :0000 _smuk ^000F _my_fun1
Now, turn that .pat file into a signature (.sig) file, telling
sigmake to include function references into signature
(using the -r switch).
Then, apply that .sig file to a binary that you are
examining.
If IDA recognizes the 0x15-bytes long pattern in the binary, it
will check that, at offset 0xF from the start of the match,
a call to either "_my_fun0" or "_my_fun1" is performed.
If either one of the two is found, then that code will
be named "test", or "smuk", respectively.
Otherwise, a SIGFNREF problem will be signalled.
What to do:
Examine the code pointed to by the address at the given
offset (i.e., 0xF) and try and determine whether
that function could be "_my_fun0", or "_my_fun1".
If so, name it accordingly and re-apply the signature.
An alternative is to generate the signature (.sig)
file without the cross-references to functions
(i.e., dropping the '-r' switch).
But beware of collisions: a pattern like the
one above will inevitably create a collision, since the
pattern bytes are similar for the two entries.In this menu, you can select a command to jump to the specified location in the file. Jumps are very fast and your previous position is saved. This submenu contains the following items:
See also
menu for fast navigating.
concept.
submenus
By pressing <Enter> you navigate in the program in the same way as in a hypertext (the way the web browsers and help screens use).
This is the easiest way to explore the program: just position the cursor at the desired name and press "@<JumpEnter>".
Your current address is saved in the .
The command (usually Esc) will return you back.
If the cursor is at a stack variable, a window with is opened and the definition of the stack variable is displayed.
See also
command.
This command brings you back to the previous position in the history. It takes positions from .
See also
command
command.
This command cancels the last command.
See also
command.
This command clears the .
See also
command.
Each IDA Window has its own jump stack. This stack keeps the cursor locations. Many IDA commands use the jump stack, i.e. they save the old cursor position to the stack. For example, when you are at the address 3000:0100 and press the Ctrl-C key (find instruction), the 3000:0100 is saved into the jump stack and the search is started. Afterwards, you can return to the old position using command.
You can clear the jump stack using the menu command.
This command jumps to the specified address in the program. IDA will ask you for the target address. You can enter a name or an address as a hexadecimal number with or without a segment. If you enter a valid address then:
the current address is saved in the .
the cursor is positioned to the specified address. The command (usually Esc) will return you back.
In the structure and enum views, the cursor will be moved to the corresponding offset in the current type.
See also
.
IDA will ask you for a target file offset. This command jumps to the address corresponding to this specified file offset. If this file offset corresponds to a valid address then:
the current address is saved in the .
the cursor is positioned to the corresponding address. The command (usually Esc) will return you back.
This command allows you to jump to a name definition by selecting it from the list of the names.
IDA will display the list of the names (sorted by addresses) and you can choose a name. names (generated by IDA) are not listed. Hidden names are not listed either. You can control which names are listed in the dialog box.
See also .
This command jumps to the start of the selected segment. IDA will ask you to select the target segment. After:
the current address is saved in the .
the cursor is positioned to the specified address. The command (usually Esc) will return you back.
See also:
This command jumps to the selected . IDA will ask you to select a target change point. And after:
the current address is saved in the .
the cursor is positioned to the specified address. The command (usually Esc) will return you back.
This command allows you to jump to a problematic location. IDA will display the and will allow you to select a problem.
The command (usually Esc) will return you back.
You can mark certain locations of the file to be able to to them quickly. Text description of the location may help to find a desired location easily.
First select a slot for the mark, then enter a description for the location.
This command jumps to the selected position. IDA will ask you to select a target position. After:
the current address is saved in the .
the cursor is positioned to the specified address.
The command (usually Esc) will return you back.
You can mark the position using command.
This command shows you a list of cross-references to the current location: you can jump to the selected one by pressing Enter.
Click to see the description of the cross reference dialog box.
See also
The cross reference dialog displays a list of references to the various items. Each line has the following attributes:
Direction Up or Down. Meaningful for program address; denotes where the reference comes from, from the lower addresses than the reference target (down) or from higher addresses (up).
Type
Address
Text
This command shows you a list of cross-references from the current location: you can jump to the selected one by pressing Enter.
Click to see the description of the cross reference dialog box.
See also
This command shows you a list of cross-references to the current operand: you can jump to the selected one by pressing Enter.
Click to see the description of the cross reference dialog box.
See also
This command shows you a list of functions: you can jump to the selected one by pressing Enter.
See also
This command searches the start of the next function and jumps to the found address.
This command searches the start of the previous function and jumps to the found address.
This command shows you a list of entry points: you can jump to the selected one by pressing Enter.
The list of entry points is created at the database creation time. It is not modified after that (for example, renaming an exported function does not change the list of entry points).
Action name: JumpEnter
Action name: Return
Action name: UndoReturn
Action name: EmptyStack
Action name: JumpAsk
Action name: JumpFileOffset
Action name: JumpName
Action name: JumpSegment
Action name: JumpSegmentRegister
Action name: JumpQ
Action name: MarkPosition
Action name: JumpPosition
The following types exist:
o - offset, the address of the item is taken
r - read access
w - write access
t - textual referenced (used for manually specified operands)
i - informational (e.g. a derived class refers to its base class)
J - far (intersegment) jump
j - near (intrasegment) jump
P - far (intersegment) call
p - near (intrasegment) call
^ - ordinary flow
s - xref from a structure
m - xref from a structure member
k - xref from a stack variable For 'xrefs to' dialogs: where the reference comes from (source)
For 'xrefs from' dialogs: where the reference goes to (destination) Additional info about the cross referenceAction name: JumpXrefFrom
Action name: JumpOpXref
Action name: JumpFunction
Action name: JumpNextFunc
Action name: JumpPrevFunc
Action name: JumpEntryPoint