If IDA suspects that an operand can be represented as something different from a plain number, it will mark the operand as "suspicious" and display it in red/orange.
Two values control the definition of suspiciousness. An operand is 'suspicious' if it has an immediate value between low and high 'suspicious' limits. The comparison is always unsigned, i.e. in the instruction
mov ax,[bp-2]
the immediate operand is 0xFFFE, not -2.
IDA uses a simple heuristic to determine initial suspiciousness limits. You may change these limits any time you want.
This command changes the look of the disassembly. Here you can change the values of the following checkboxes/input fields:
Line prefixes
This checkbox enables or disables line prefixes display.
Line prefix is the address of the current byte:
3000:1000 mov ax, bx
^^^^^^^^^
IDA.CFG parameter: SHOW_LINEPREFIXES Number of opcode bytes
Opcode bytes are shown below:
3000:1000 55 push bp
^^^^^^^^^
The opcode is the operation code of the current instruction.
For the data items, the opcodes are elements of data directives.
Sometimes there is not enough place to display all bytes of an item
(of a large array, for example). In this case, IDA will display just
the few first bytes of the item. For the code items, IDA will try
to display all bytes of the instruction, even if it requires adding
more lines just for the opcode bytes. If this behavior is not desired,
the number of opcode bytes can be specified as a negative value.
A negative value -N means to display N opcode bytes on a line but
never display empty lines just for the opcode bytes.
By default, IDA does not display the opcodes.
This option controls the appearance of the line prefixes.
If it is enabled, the addresses will be displayed as offsets
from a function beginning. Example:
Enabled: somefunc+0x44
Disabled: cseg:0x4544
Right margin
This option controls the length of disassembly lines for data
directives.
You can change indention of disassembled instructions:
mov ax, bx
<-------------->
indention
IDA.CFG parameter: INDENTION Display bad instruction <BAD> marks
Some assemblers do not understand some instructions even if they
must. For example, the Z80 processor has several undocumented
instructions and many assemblers fail to recognize them. IDA knows
about this fact and tries to produce an output that can be compiled
without errors, so it replaces such instructions with data bytes.
The problem is more severe with Intel 80x86 processors: the same
instruction can be coded differently. There are 2 operation codes
for ADD instruction, etc. The worst thing is that the different
operation codes have different lengths. If the assembler used to
compile a file and your assembler produce different operation codes,
you may obtain completely different output files.
That is why IDA can mark such instructions as <BAD> and replace them
with data bytes. Example:
Enabled:
db 0Fh,86h,7Eh,0,0,0 ; <BAD> jbe loc_0_205
db 0Fh,82h,78h,0,0,0 ; <BAD> jb loc_0_205
db 0Fh,83h,72h,0,0,0 ; <BAD> jnb loc_0_205
Disabled:
jbe loc_0_205
jb loc_0_205
jnb loc_0_205
IDA.CFG parameter: SHOW_BAD_INSTRUCTIONS Use tabulations in output
You can disable the tab chars (0x09) in the output file if you do not
like them. By default, IDA produces output files with tab chars.
IDA.CFG parameter: USE_TABULATION low suspicious limit high suspicious limit Click here to get information about these fields. Display stack pointer
If this option is set, IDA will display the value of
the stack pointer in the line prefix.
This command changes the look of the disassembly comments. Here you can change the values of the following checkboxes/input fields:
Comment indention
You can change indention of comments:
mov ax, bx ; this is a comment
<-------------------------------------->
indention
IDA.CFG parameter: COMMENTS_INDENTION Display of 'suspicious' marks This option enables or disables suspicious marks display. Usually the suspicious marks are disabled because IDA displays the suspicious operands in red/orange anyway. IDA.CFG parameter: SHOW_SUSPICOUS Display of empty lines
This option enables or disables the presence of the autogenerated
empty lines in the disassembly. It could be useful to decrease
the number of the blank lines on the screen increasing amount
of information on it.
IDA.CFG parameter: SHOW_EMPTYLINES Display of basic blocks
This option enables or disables the presence of the autogenerated
empty lines at the end of basic blocks in the disassembly.
IDA.CFG parameter: SHOW_BASIC_BLOCKS Display borders between data/code
This command enables or disables the presence of the autogenerated
border lines in the disassembly. It could be useful to decrease
the number of the blank lines on the screen increasing amount
of information on it. A border line looks like this:
;---------------------------------------------------------
Note that you can hide a particular border by using hide border command. IDA.CFG parameter: SHOW_BORDERS Display comments
If this option is disabled, IDA will not show any comments.
Display repeatable comments This command enables or disables the repeatable comments display. IDA.CFG parameter: SHOW_REPEATABLE_COMMENTS Display auto comments
Autocomments are predefined comments for all instructions.
If you forgot the meaning of a certain instruction, you can use
this command to get comments to all lines of the screen.
IDA does not give comments to very simple instructions such as
'mov' instruction and does not override existing comments.
IDA maintains cross-references automatically. Of course, when IDA starts to disassemble a new file, the cross-references will not appear immediately; they will be collected during background analysis.
This command changes the representation of cross references.
Display segments in xrefs
This checkbox enables or disables segments in cross references:
Enabled: ; CODE XREF: 3000:1025
Disabled: ; CODE XREF: 1025
Display xref type mark
If this option is disabled, IDA will not display "CODE"
or "DATA" in the cross-references.
IDA.CFG parameter: SHOW_XREF_TYPES Display function offsets
This option controls the appearance of the cross-reference addresses.
If it is enabled, the addresses will be displayed as offsets
from a function beginning. Example:
Enabled: somefunc+0x44
Disabled: cseg:0x4544
This value "how many bytes of an object to look at to collect
cross references". For example we have an array:
A db 100 dup(0)
If some instruction refers to the 5-th element of the array:
mov al,A+5
with TD=3 we'll have no xrefs displayed
with TD=10 we'll have this xref
IDA.CFG parameter: MAX_TAIL Number of xrefs to display Determines the maximal number of the cross references to display. You may keep this value low because you can access all xrefs by using the Jump to cross reference command. IDA.CFG parameter: SHOW_XREFS
Disable undo
Action name: DisableUndo
This command completely disables the undo feature.
This command enables/disables the generation of some assembler directives, namely:
assume directive
origin directive
Sometimes (when you do not intend to assemble the output file), you may want to disable their generation.
Names Representation
Action name: SetNameType
Dummy names are automatically generated by IDA. They are used to denote subroutines, program locations and data.
Dummy names have various prefixes depending on the item type and value:
sub_ instruction, subroutine start
locret_ 'return' instruction
loc_ instruction
off_ data, contains offset value
seg_ data, contains segment address value
asc_ data, string literal
byte_ data, byte
word_ data, 16-bit
dword_ data, 32-bit
qword_ data, 64-bit
byte3_ data, 3 bytes
xmmword_ data, 128-bit
ymmword_ data, 256-bit
packreal_ data, packed real
flt_ floating point data, 32-bit
dbl_ floating point data, 64-bit
tbyte_ floating point data, 80-bit
stru_ structure
custdata_ custom data type
algn_ alignment directive
unk_ unexplored byte
You can change representation of dummy names. IDA supports several types of dummy names:
0 loc_0_1234 segment base address relative to program base address
& offset from the segment base
1 loc_1000_1234 segment base address & offset from the segment base
2 loc_dseg_1234 segment name & offset from the segment base
3 loc_0_11234 segment relative to base address & full address
4 loc_1000_11234 segment base address & full address
5 loc_dseg_11234 segment name & full address
6 loc_12 full address
7 loc_0012 full address (at least 4 digits)
8 loc_00000012 full address (at least 8 digits)
9 dseg_1234 the same as 2, but without data type specifier
10 loc_1 enumerated names (loc_1,loc_2,loc_3...)
If you have selected names type 10 (enumerated names), you may renumber them using a checkbox. The process is relatively fast, surprisingly.
The best representation for MS DOS programs is #0, for 16-bit processors - #7, and for 32-bit processors - #8. You can change dummy names type any time you want.
You can also set up types of names included in the name list. IDA knows about the following types of names:
- normal names
- public names
- weak public or extern names
- autogenerated (meaningful) names.
- dummy (meaningless) names.
Dummy names may be public or weak, but they never appear in the list of names. You can specify the type of a name when you create or modify it.
You can also set maximal length of new names. Old names will not be affected by this parameter.
IDA can demangle mangled C++ names of the most popular C++ compilers:
- Microsoft
- Borland
- Watcom
- Visual Age
- GNU
The demangled names are represented in two forms: short and long form. The short form is used when a name is used as a reference, the long form is used at the declaration.
You can set how demangled C++ names must be represented:
- as comments. this representation allows you to obtain
recompilable source text
- instead of mangled names. this representation makes the output
more readable. the disadvantage is that you cannot recompile the
output
- don't display demangled names.
You can setup short and long forms of demangled names. Short form is used when a reference to the name is made; long form is used at the declaration.
To make demangled names more readable, we introduce the possibility to suppress pointer modifiers (near/far/huge).
To demangle GNU C v3.x names, the "Assume GCC v3.x names" checkbox should be set, otherwise such names might not be demangled. furthermore, to make the demangled name more compact, unsigned types may be displayed as uchar, uint, ushort, ulong. The same with signed basic types.
If the "Override type info" checkbox is set, the demangled name overrides the type information if both are present.
This dialog box allows the user to specify the compiler used to create the program along with the memory model, default calling convention, ABI and other parameters.
Please note that while some combinations of the parameters are meaningless, IDA doesn't check them for validity. It is up to the user to specify a correct combination.
IDA tries to determine the correct values automatically.
The include directories are a list of directories that look for the standard C headers. This parameter is used during parsing C header files. The directories must be separated by ';' in MS Windows and ':' in Linux. The predefined macros field has the same format and is used similarly. Please note that IDA doesn't define any compiler-specific macros by default.
Customize Demangled Names
All your changes will be saved in the current database. If you want to change the form of demangled names for all new databases, then you need to edit the configuration file, variables 'ShortNameForm' and 'LongNameForm'. Below is the list of all checkboxes with examples (spaces are inserted only for the ease of understanding):
Only main name
on: func;
off: static void __pascal func(void) const;
No underscores in calling conventions
on: void pascal func(void);
off: void __pascal func(void);
No calling conventions for parameters and __based()
on: int a;
off: int __based(__segname("DATA")) a;
on: void __based(void) *b;
off: void *b;
on: int __based(__self) (*p)(void);
off: int (*p)(void);
No calling conventions
on: void func(void);
off: void __pascal func(void);
No postfix const
on: void aclass::func(void);
off: void aclass::func(void) const;
No access keywords
on: void func(void);
off: private void func(void);
No throw descriptions
on: void func(void);
off: void func(void) throw(Class::Member);
No static and virtual keywords
on: void aclass::func(void);
off: static virtual void aclass::func(void);
No UDT keywords
on: A & func( A *, B *);
off: class A & func(class A *, enum B *);
No const and volatile keywords
on: char * func(void);
off: char const * func(void);
No __closure keyword
Do not display '__closure'
No __unaligned keyword
Do not display '__unaligned'
No __pin/__box/__gc
Do not display '__pin', '__box', '_gc'
Suppress pointer modifiers
Selection 16Names Description
--------- ------- -----------
near Yes Do not display 'near'
near/__ptr64 Do not display 'near' and '__ptr64'
far Yes Do not display 'far'
all, 16bit Yes Do not display any modifiers
huge Yes Do not display 'huge'
__ptr64 Do not display '__ptr64'
Display all Yes Display all modifiers
Display none Auto Do not display any modifiers
16bit means that the demangler will assume that
names were generated by 16bit compilers. Otherwise,
it will assume names generated by 32/64 bit compilers.
Quash j_
This option allows IDA to demangle a name even if it was formed
by adding j_ prefix to a mangled name. The prefix j_ will simply
be thrown away.
Transfer j_
This option also allows IDA to demangle names with prefix j_.
Unlike the previous option, this one will show the prefix
in the demangled name.
Ignore postfix _nn
This option allows IDA to demangle names formed by adding
postfix _nn to a mangled name (n is any digit).
String literal style dialog
Action name: SetStrlitStyle
With this dialog you can setup string styles and also create a new string immediately at the current location.
If you select "character terminated" string style then you may specify up to 2 termination characters. The string will be terminated by any of these characters. If the second character is equal to 0, then it is ignored.
In IDA Qt you can also set a specific encoding to be used to display the string, or change the defaults for all strings. See string encodings.
String options
This dialog sets up the string literals options:
Generate names
If this option is set, IDA will give meaningful names to
newly created string literals.
Names prefix
This prefix will be used to form the string name.
Mark as autogenerated If a name is marked as autogenerated, it will be displayed in a different color and will be included in the list of names depending on the current setting. Generate serial names
IDA can generate serial names for string literals, i.e.
pref_001,pref_002,pref_003 etc...
To enable serial names generation, specify
prefix for names,starting serial number and number of leading zeroes.
Each time you create a string literal, IDA generates a new serial name and assigns it to the string. String literal next line char
This symbol, when encountered in the string, will make
IDA start a new line in the string representation in the
disassembly. Usually it is the line feed character ('\n').
Comment string literal references:
This option tells IDA to display the contents of the string
literal next to the instruction or offset that refers to the string.
String encodings
IDA Qt can display program strings using different encodings. You can specify default encodings for all strings or override the encoding of a specific string.
The following encodings can be used:
<default> - the default encoding for this string type (8-bit or 16-bit)
<no conversion> - the string bytes are printed using the current system encoding (after translating with XlatAsciiOutput array in the configuration file).
Windows codepages (e.g. 866, CP932, windows-1251)
Charset names (e.g. Shift-JIS, UTF-8, Big5)
You can add new encodings to the list using the context menu item Insert (Ins hotkey).
On Linux/OS X, you can run "iconv -l" to see the available encodings. Please note that some encodings are not supported on all systems.
Color configuration
This dialog allows you to customize the color settings.
GUI version:
------------
IDA keeps the color configuration in the registry. There are 3 predefined schemes. The user can modify the existing schemes or add his own schemes. New schemes should be added to the "themes" subdirectory in IDA.
Text version:
-------------
IDA keeps colors in file IDACOLOR.CF. This file may reside in the IDA directory or in the current directory. It is a binary file. IDA automatically saves all your changes into this file.
If the current item line prefix has "black on black" color, then the current item will not be highlighted. The same is with current line color - if it is "black on black", the current line will not be highlighted.
You can change the colors using the Customize button. You may have up to 4 different color palettes and switch between them on fly. The color palette is saved in IDACOLOR.CF file.
Each line prefix has its own color code depending on the current item: (the fourth color palette values are shown)
Line prefixes
Library function BRIGHT CYAN ON BLUE
Regular function WHITE ON BLUE
Instruction BROWN ON BLUE
Data WHITE ON BLUE
Unexplored WHITE ON BLACK
Externs BRIGHT MAGENTA ON BLUE
Current item BRIGHT BLUE ON BLUE
Current line YELLOW ON BLUE
Default BLACK ON BLACK (not used)
If the "current item" or "current line" are BLACK ON BLACK, then they will not be highlighted.
The rest of the line is colored with the following codes:
Keywords
Instruction WHITE ON BLUE
Directive YELLOW ON BLUE
Macro name MAGENTA ON BLUE
Register name WHITE ON BLUE
Other WHITE ON BLUE
Names
Dummy data WHITE ON BLUE
Dummy code WHITE ON BLUE
Dummy unexplored MAGENTA ON BLUE
Hidden GREY ON BLUE
Library function BRIGHT CYAN ON BLUE
Local variable GREEN ON BLUE
Regular data YELLOW ON BLUE
Regular code YELLOW ON BLUE
Regular unexplored RED ON BLUE
Demangled BRIGHT GREEN ON BRIGHT BLUE
Segment name YELLOW ON BLUE
Imported name LIGHT MAGENTA ON BLUE
Constants
Suspicious BRIGHT RED ON BLUE
Char in instruction BRIGHT CYAN ON BLUE
String in instruction BRIGHT CYAN ON BLUE
Number in instruction BRIGHT GREEN ON BLUE
Char in data BRIGHT GREEN ON BLUE
String in data BRIGHT GREEN ON BLUE
Number in data WHITE ON BLUE
Xrefs
Code GREEN ON BLUE
Data CYAN ON BLUE
Code to tail BRIGHT RED ON BLUE
Data to tail MAGENTA ON BLUE
Comments
Automatic BROWN ON BLUE
Regular BRIGHT WHITE ON BLUE
Repeatable BROWN ON BLUE
Extra line YELLOW ON BLUE
Other
Punctuation WHITE ON BLUE
Opcode bytes BRIGHT GREEN ON BLUE
Manual operand BRIGHT WHITE ON BLUE
Errors RED ON BLACK
Selected BLACK ON WHITE
Default YELLOW ON BLUE
(Other, Default) color code is used if a token has no color attached to it.
Dump/normal View
Action name: ToggleDump
This command switches the current disassembly window mode between dump mode and normal mode. Initially all disassembly windows are in normal mode so you can see instructions and data. When you are in dump mode, no instructions or data are displayed. All bytes of the program will be dumped on the screen as plain bytes and in ASCII. This command may be useful when you want to find something in the program visually. Do not forget that many commands continue to work in dump mode. For example, you can use binary search command.
The text version supports only paragraph aligned addressing in the view. Switching to the hex dump view and back may change the cursor position in the disassembly listing.
Setup data types
Action name: SetupData
This command allows you to select the data types used in the round-robin carousel in MakeData command.
Valid data types are:
- byte
- word (2 bytes)
- double word (4 bytes)
- float (4 bytes)
- quadro word (8 bytes)
- double (8 bytes)
- long double (10 or 12 bytes)
- packed real (10 or 12 bytes)
- octa word (16 bytes)
Naturally, not all data types are usable for all processors. For example, Intel 8051 processor doesn't have the 'double word' type.
Furthermore, this command allows you to select a data type for the current undefined item and convert it to data.
Please note that if the current processor does not support a data type, you cannot assign it even if you have selected it. If you unselect all data types, IDA will use the 'byte' type.
Processor modules can accept additional options that can be passed on the commandline with the -p switch. Currently only the ARM module supports it. For example, -parm:ARMv7-A will turn on options specific for the ARMv7-A architecture, such as NEON instruction set.
Please note that when you change the processor type, IDA may change the target assembler, so check it out.
You may get a message saying that IDA does not know the specified processor if IDA fails to load the corresponding processor module.
Windows IDA uses .dll file extension
Linux IDA uses .so file extension
Mac IDA uses .dylib file extension
Modules compiled with support for 64-bit address space, will feature a '64' suffix before the extension. E.g., 'pc64.dll'
Changing the processor type leads to reanalysis of the whole program. Sometimes this is useful.
When you load a new processor module, all analysis options are reset to the values specified in the configuration file.
IDA determines the default processor using the input file extension and the contents of the input file. The table which describes the input file extensions and the corresponding processor types is located in IDA.CFG file and looks like this:
DEFAULT_PROCESSOR = {
/* Extension Processor */
"com" : "8086" // IDA will try the specified
"exe" : "80386r" // extensions if no extension is
"dll" : "80386r" // given.
"drv" : "80386r"
"o" : "68000"
"prc" : "68000" // PalmPilot programs
"axf" : "arm"
"h68" : "68000" // MC68000 for *.H68 files
"i51" : "8051" // i8051 for *.I51 files
"sav" : "pdp11" // PDP-11 for *.SAV files
"rom" : "z80" // Z80 for *.ROM files
"cla" : "java" // Java classes
"class": "java" // Java classes
"s19": "6811"
"*": "80386p" // Default processor
}
If you want to change the default processor type, you need to change this table. You may add/delete rows in this table.
Since architecture version v4 (introduced in ARM7 cores), ARM processors have a new 16-bit instruction set called Thumb (the original 32-bit set is referred to as "ARM"). Since these two sets have different instruction encodings and can be mixed in one segment, we need a way to specify how to disassemble instructions. For this purpose, IDA uses a virtual segment register named 'T'. If its value is 0, then ARM mode is used. Otherwise, Thumb mode is used. ARM is the default mode. Please note that if you change the value of T register for a range, IDA will destroy all instructions in that range because their disassembly is no longer correct.
IDA use UAL (Unified Assembly Language) syntax by default which uses the same syntax for both ARM and Thumb mode. If necessary, legacy assembler syntax can be selected in Analysis options.
To decode Aarch64 (ARM64) instructions the segment with instructions must be set to 64-bit.
Processor options for ARM
Simplify instructions
If this option is on, IDA will simplify instructions and replace
them by clearer pseudo-instructions
For example,
MOV PC, LR
is replaced by
RET
Disable pointer dereferencing
If this option is on, IDA will not use =label syntax for
loads from literal pools.
For example,
LDR R1, =dst
...
off_0_1003C DCD dst
will be shown as
LDR R1, off_0_1003C
No automatic ARM-Thumb switch
If this option is on, IDA will not propagate
ARM-Thumb modes automatically when following jumps and calls.
Disable BL jumps detection
Some ARM compilers in Thumb mode use BL (branch-and-link)
instead of B (branch) for long jumps, since BL has more range.
By default, IDA tries to determine if BL is a jump or a call.
You can override IDA's decision using commands in Edit/Other menu
(Force BL call/Force BL jump).
If your target does not use this trick, you can set this option
and IDA will always treat BL as a call.
Scattered MOVT/MOVW pairs analysis A pair of MOVT and MOVW instructions can be used to load any 32-bit constant into a register without having to use the literal pool. For example: MOVW R1, #0xABA2 MOVT R1, #0x32AA is simplified by IDA into MOV R1, 0x32AAABA2 (unless macro creation is turned off)
However, if there is an unrelated instruction between them, such
simplification is not possible. If you enable the conversion, then IDA will try to
convert operands of even scattered instructions. The example above could be represented as:
MOVW R1, #:lower16:0x32AAABA2
[other instructions]
MOVT R1, #:upper16:0x32AAABA2
It is possible to select how aggressively IDA should try to handle such pairs:
leave them as is, convert only if the result a valid address, or try to
convert all pairs even if the result does not look like a valid address.
Edit ARM architecture options
This button allows you to edit various features of the ARM architecture.
This will affect the disassembly of some instructions depending on whether
the selected architecture supports them. For details, see the ARM Architecture Reference Manual.
Command-line options
You can configure the architecture options from the command line.
For that, use the -parm:<option1[;option2...]> switch.
The following options are accepted:
ARMv<N> - base ARM architecture version (e.g. ARMv4, ARMv4T,
ARMv5TE, ..., ARMv7-M, ARMv7-A)
or
<name> - ARM core name (e.g. ARM7TDMI, ARM926EJ-S, PXA270,
Cortex-M3, Cortex-A8)
Additionally, a special name "armmeta" can be used to enable decoding of all known instructions.
The options above will set some default values that can be adjusted further:
NoVFP/VFPv<N> - disable or enable support for VFP
instructions (e.g. VFPv3).
NoNEON/NEON/NEON-FMA - disable or enable support for NEON
(aka Advanced SIMD) instructions.
NoThumb/Thumb/Thumb-2 - disable or enable support for Thumb (16-bit)
or Thumb-2 (16/32-bit) instructions.
NoARM/ARM - disable or enable support for ARM
instructions.
XScale - support for XScale-specific instructions.
Implies ARMv5TE.
NoWMMX/WMMXv1/WMMXv2 - support for Intel Wireless MMX
extensions (v1 or v2). Implies XScale.
This command allows you to change the target assembler, i.e. the assembler for which the output is generated. You select the target assembler from a menu. The menu items depend on the current processor type.
Currently, IDA supports only a generic assembler for 80x86 processors. We recommend the use of Borland's TASM to compile the output assembler files.
Analysis options
Action name: SetAuto
This command allows you to disable and enable the autoanalysis and its indicator.
Usually, the auto analysis is enabled. Disable it if you are sure that it will help you.
Here you can change various kernel analysis options 1 and options 2 and options 3, change the processor type (if the processor module supports several types), or the assembler style. If the current processor has options, there will also be a button to change processor-specific options. If the current processor supports memory mapping, there will also be a button to change the memory mapping ranges.
The analysis indicator is located in the bottom left corner of the main IDA window (upper right corner in text version). Possible values of the indicator:
" " empty indicator means that the indicator is turned off.
AU: idle Autoanalysis is finished.
AU:disabled Autoanalysis is disabled.
FL:<address> execution flow is being traced
PR:<address> a function is being created
TL:<address> a function tail is being created
SP:<address> the stack pointer is being traced
AC:<address> the address is being analyzed
LL:<number> a signature file is being loaded
L1:<address> the first pass of FLIRT
L2:<address> the second pass of FLIRT
L3:<address> the third pass of FLIRT
TP:<address> type information is being applied
FI:<address> the final pass of autoanalysis
WF:<address> weak execution flow is being traced
??:<address> the address becomes unexplored
@:<number> indication of various activity
Hint: you can right-click the analysis indicator to quickly disable or enable it, or to reanalyze the program.
Trace execution flow This option allows IDA to trace execution flow and convert all references bytes to instructions. Mark typical code sequences as code
IDA knows some typical code sequences for each processor.
For example, it knows about typical sequence
push bp
mov bp, sp
If this option is enabled, IDA will search for all typical sequences
and convert them to instructions even if there are no references
to them. The search is performed at the loading time.
Locate and create jump tables
This option allows IDA to try to guess the address and size of jump
tables. Please note that disabling this option will not disable
the recognition of C-style typical switch constructs.
Control flow to data segment is ignored
If set, IDA will not analyze code reference targets in
pure data segments. Usually pure data segments have some
instructions (e.g. thunk functions), that's why this option
is set off by default. For Mach-O files, it is set on
because pure data segment do not contain instructions in them.
Analyze and create all xrefs
If this option is disabled, IDA will not thoroughly analyze the program: it
will simply trace execution flow, nothing more (no xrefs, no additional
checks, etc)
Delete instructions with no xrefs This option allows IDA to undefine instructions without any xrefs to them. For example, if you undefine an instruction at the start of a function, IDA will trace execution flow and delete all instructions that lose references to them. Create function if data xref data->code32 exists
If IDA encounters a data reference from DATA segment to 32bit
CODE segment, it will check for the presence of meaningful
(disassemblable) instruction at the target. If there is an
instruction, it will mark it as an instruction and will create
a function there.
Create functions if call is present This option allows IDA to create function (proc) if a call instruction is present. For example, the presence of:
call loc_1234
leads to creation of a function at label loc_1234
Create function tails
This option allows IDA to find and append separately located
function tails to function definitions.
Create stack variables
This option allows IDA to automatically create stack variables and
function parameters.
Propagate stack argument information
This option propagates the stack argument information
(the type and the name) to the caller's stack. If the caller is
called, then the information will be propagated further through
the whole program. Currently, the type propagation is really
simple and non-intelligent: the first encountered type for
a stack variable will be used.
Propagate register argument information
This option propagates the register argument information
(the type and the name) to the caller. If the caller is
also called, then the information will be propagated further through
the whole program.
Trace stack pointer This option allows IDA to trace the value of the SP register. Perform full stack pointer analysis
This option allows IDA to perform the stack pointer
analysis using the simplex method. This option is valid
only for the IBM PC processor.
Perform 'no-return' analysis
This option allows IDA to perform the control flow
analysis and determine functions which do not return to
their callers. The 'exit()' function, for example, does not
return to its caller.
Try to guess member function types
If set, IDA will guess member function types using the demangled
names. Please note that this rule may occasionally produce wrong
results, for example, for static member functions. IDA has no
means of distinguishing them from non-static member functions.
If clear, IDA will guess only types of non-member functions.
Truncate functions when the code at the function end gets deleted.
If this option is turned off, IDA does not modify function
definitions when code is deleted.
Create string literals if data xref exists If IDA encounters a data reference to an undefined item, it checks for the presence of the string literal at the target. If the length of the candidate string literal is big enough (more than 4 chars in 16bit or data segments; more than 16 chars otherwise), IDA will automatically create a string literal. Check for unicode strings This option allows IDA to check for the presence of the unicode strings in the program and creates them if necessary. IDA will check for the unicode strings only if the string style is set to "C-style (0 terminated)" or "Unicode". Create offsets and segments using fixup info
IDA will use relocation information to make the disassembly
nicer. More precisely, it will convert all data items with
relocation information to words or dwords like this:
dd offset label
dw seg seg000
If an instruction has a relocation information attached to it,
IDA will convert its immediate operand to an offset or segment:
mov eax, offset label
You can display the relocation information attached to the current item by using show internal flags command. Create offset if data xref to seg32 exists
If IDA encounters a data reference to 32bit segment and the target
contains 32bit value which can be represented as an offset expression,
IDA will convert it to an offset.
Convert 32bit instruction operand to offset
This option works only in 32bit and 64bit segments.
If an instruction has an immediate operand and the operand
can be represented as a meaningful offset expression, IDA will
convert it to an offset. However, the value of immediate operand
must be higher than 0x10000.
Automatically convert data to offsets
This option allows IDA to convert all newly created data items
to offsets if the following conditions are satisfied:
- the offset target is a valid address in the program
- the target address is higher than 0x20
- the target does not point into the middle of an item
- if the target is code, the execution does not flow to it
from the previous instruction
- the data is dword (4 bytes) in a 32-bit segment
or qword(8 bytes) in a 64-bit segment
- the segment type is not special (extern, communal, abs...)
Use flirt signatures
Allows usage of FLIRT technology
Comment anonymous library functions
This option appends a comment to anonymous library functions.
The comment consists of the description of the FLIRT signature
which has recognized the function and marked it as coming
from a library.
Multiple copy library function recognition
This option allows FLIRT to recognize several copies of the same
function in the program.
Automatically hide libary functions
This option hides the functions recognized by FLIRT.
It will have effect only from the time it is set.
Rename jump functions as j_...
This option allows IDA to rename simple functions containing only
jmp somewhere
instruction to "j_somewhere".
Rename empty functions as nullsub_...
This option allows IDA to rename empty functions containing only
a "return" instruction as "nullsub_..."
(... is replaced by a serial number: 0,1,2,3...)
Coagulate data at the final pass This option is meaningful only if "Make final analysis pass" is enabled. It allows IDA to convert unexplored bytes to data arrays in the non-code segments. Coagulate code at the final pass This option is meaningful only if "Make final analysis pass" is enabled. It allows IDA to convert unexplored bytes to data arrays in the code segments. Make final analysis pass This option allows IDA to coagulate all unexplored bytes by converting them to data or instructions. See also analysis options 1analysis options 3
Kernel analysis options 3
Enable EH analysis
If this option is set on, IDA uses EH information of the binary for
more detailed analysis.
Enable RTTI analysis
If this option is set on, IDA tries to detect C++ Run-Time Type
Identification and does additional analysis based on this information.
Enable macros
This option is disabled if the processor module does not support macros.
If this option is on, IDA will combine several instructions into one macro
instruction.
For example for the ARM processor,
ADRP Rx, label@PAGE
ADD Rx, Rx, label@PAGEOFF
will be replaced by
ADRL Rx, label
Merge strlits
if the analysis option "Create string literals if data xref exists" is set
and the target string literal ends at the existing one (without a
termination character), IDA will merge these strlits into one.