1 of 100

IDA 8.5

Welcome to Hex-Rays docs

This documentation is intended for IDA version 8.5. Check our Migration Guide to IDA 8.5 for upgrade process details.. For the up-to-date documentation covering all features and improvements, as well as the Release Notes and Archive, please refer to the documentation for the latest IDA release.

Discover the core of Hex-Rays guides and manuals, guiding you through IDA features and real-life usage scenarios.

Getting Started

New to IDA? Explore our selection of documentation to guide you through the installation process and jumpstart your reverse engineering journey.

Our Guides

Delve into detailed guides to discover IDA features and maximize its capabilities.

What's new?

Check the latest changes in the Hex-Rays documentation, including new tutorials and manuals, along with significant revisions to existing content.

December 2024

Updated Porting Guides

With the recent changes to our API that came into life with SP1 for IDA 9.0, we updated Porting Guides for and .

New IDAPython examples

With the new or reworked IDAPython examples that were added to our , we revamped the examples categories to make the navigation among them more intuitive. Take a look at the new category for samples that utilize our updated Types endpoints.

Revamped IDAPython reference

We updated the UI layout of and improve cross-referencing.

November 2024

Other updates

To reflect the current state of Local Types window as a one hub to all types-related operations, we updated the .

October 2024

With IDA 9.0, we changed how the Hex-Rays documentation is organized and added new guides and tutorials to kickstart your IDA journey and ease the migration from previous IDA versions.

New Structure

Our docs are divided into three main categories:

, dedicated to individual users and covering whole IDA products (including add-ons, like Teams and Lumina). Most of the documentation regarding IDA, like manuals or tutorials, is currently accessible under the User Guide.
, which focuses on developer's needs, covers the reference and contextual documentation for IDAPython API and C++ SDK, as well as native IDC language. This part is mainly dedicated to plugin authors and devs interested in enhancing basic IDA capabilities with our development kit or scripting.
mainly focuses on administrators installing and managing servers for Teams and Lumina or floating licenses.

In , we gathered docs with rather historical value that some of you may still find interesting but focused on previous versions of IDA.

New Getting Started Guides

We prepared a section for IDA newbies and also gathered additional materials to help you find your way around our or .

Migration and Porting Guides

For those familiar with previous versions of IDA, we prepared Porting Guides for and . If you use the Flexera server for floating licenses, check our .

New features described

We added installation and setup guides for plugin and .

Getting Started

First experience with IDA? Great, you are in the right place. Here you can find guides designed to quickly onboard you into IDA. We will walk you through license activation and IDA installation to the essential tasks you can perform in IDA.

What's next?

User Guide

Explore our in-depth guides, crafted to help you navigate through IDA features and master its advanced capabilities.

User Interface

Menu Bar

All IDA commands are available from the followings menus:

File

In this submenu you can:

Load file Load file
Script command Execute a script command
Produce output file Generate output file
Execute OS commands
Save database in packed form
Save database in packed form in another file
Take database snapshot
Abort - do not save changes
Quit to DOS - save changes

Script File

You can execute any script file supported by the built-in scripting engine ( or Python), or a scripting language added by a plugin. The scripting language to use is selected by the file name extension of the script.

Script command

You can enter and execute a small script written in the built-in IDC language or any other registered extlang.

Here is the list of functions.

Invoke OS Shell

 Action    name: Shell

By using this command, you can temporarily quit to the operating system.

This command is not available in the MS DOS version.

The database is left open when you use this command, so be careful.

See also other File... submenu commands.

Take database snapshot

This command takes a database snapshot. The snapshot can be later restored from the database snapshot manager.

Note: snapshots work only with regular databases. Unpacked databases do not support them.

Save database

This command saves and packs the current database.

Save database as...

Abort IDA

 Action    name: Abort

This command terminates the current IDA session. The Abort command is not available if the database was not packed.

IDA will NOT save changes to the disk.

Exit IDA

 Action    name: Quit

This command terminates the current IDA session. IDA will write all changes to the disk and will close all databases.

You can enable/disable database packing. When the database is packed, it consists of one file with IDB extension. When the database is not packed, it consists of several files on the disk. If packing is disabled, in the next session you cannot abort IDA. We do not recommend to leave the database in the unpacked form because you will not have a backup copy.

You can also perform garbage collection on the database before packing it. The garbage collection removes the unused database pages, making it smaller. However, IDA needs some free database pages when it works,therefore it will allocate them again when you reuse the database. Removing and adding free pages takes time and, what is most important, it changes the database control blocks.

Use garbage collection only when you do not intend to work with the database in the near future.

IDA will remember all information about the screen, cursor position, jump stack, etc. The following information will be lost: keystroke macros, the anchor position To resume a disassembly session simply type: "ida file"

See also other File... submenu commands. Abort command.

Edit

This submenu allows the user to modify text representation and to patch the file. It also has the commands to control the analysis:

Anchor
Export data
Undo
submenu
submenu
submenu
submenu
submenu
submenu
submenu
submenu

Export data

Undo an action

 Action    name: Undo

This command reverts the database to the state before executing the last user action. It is possible to apply Undo multiple times, in this case multiple user actions will be reverted.

Please note the entire database is reverted, including all modifications that were made to the database after executing the user action and including the ones that are not connected to the user action. For example, if a third party plugin modified the database during or after the user action, this modification will be reverted. In theory it is possible to go back in time to the very beginning and revert the database to the state state that was present immediately after performing the very first user action. However, in practice the undo buffers overflow because of the changes made by autoanalysis. Autoanalysis generates copious amounts of undo data. Also please note that maintaining undo data during autoanalysis slows it down a bit. In practice it is not a big deal because the limit on the undo data is reached quite quickly (in a matter of minutes). Therefore, if during analysis the user does not perform any actions that modify the database, the undo feature will turn itself off temporarily.

However, if you prefer not to collect undo data at all during the initial autoanalysis, just turn off the UNDO_DURING_AA parameter in ida.cfg.

The configuration file ida.cfg has 2 more undo-related parameters:

  UNDO_MAXSIZE  max size of undo buffers; default: 128MB
                once this limit is reached, the undo info about the oldest
                user action will be forgotten.

  UNDO_DEPTH    max number of user actions to remember; default: 1000000
                if set to 0, the undo feature will be unavailable.

Since there is a limit on the size of undo buffers, any action, even the tiniest, may become non-undoable after some time. This is true because the analysis or plugins may continue to modify the database and overflow the buffers. Some massive actions, like deleting a segment, may be non-undoable just because of the sheer amount of undo data they generate.

Please note that Undo does not affect the state of IDC or Python scripts. Script variables will not change their values because of Undo. Also nothing external to the database can be changed: created files will not be deleted, etc.

Some actions cannot be undone. For example, launching a debugger or resuming from a breakpoint cannot be undone.

See also

Redo an action

This command reverts the previously issued command. It is possible to use Redo multiple times.

This command also reverts all changes that were done to the database after the last Undo command, including the eventual useful modifications made by the autoanalysis. In other words, the entire database is modified to get to the exact state that it had before executing the last Undo command.

See also

Clear undo history

This command clears the undo history. After it the Undo and Redo commands become unavailable. However, once the user performs a new action, IDA will again start journaling all database modifications.

A side effect of this command is fast autoanalysis: since there is no user action to revert yet, IDA does not maintain undo buffers and this speeds up the analysis.

See also

Disable undo

This command completely disables the undo feature.

See also

Convert to instruction

This command converts the current unexplored bytes to instruction(s). IDA will warn you if it is not possible.

If you have selected a range using the [anchor](../../../disassembler/navigation/anchor.md, all the bytes from this range will be converted to instructions.

If you apply this command to an instruction, it will be reanalyzed.

See also submenu

Convert to data

This command converts the current unexplored bytes to data. If it is not possible, IDA will warn you.

Multiple using of this command will change the data type:

You may remove some items from this list using command.

If the does not support double words or another data type, it will be skipped. To create a structure variable, use command. To create an array, use command. To convert back, use command. See also submenu

Convert to string literal

 Action    name: MakeStrlit

This command converts the current unexplored bytes to a string.

The set of allowed characters is specified in the configuration file, parameter StrlitChars. Character '\0' is not allowed in any case. If the current assembler does not allow characters above 0x7F, characters with high bit set are not allowed.

If the anchor has been dropped, IDA will take for the string all characters between the current cursor position and the anchor.

Use the anchor if the string starts a disallowed character.

This command also generates a name for the string. In the file, you can specify the characters allowed in names (NameChars).

You can change the literal string length using command.

The GUI version allows you to assign a special hotkey to create Unicode strings. To do so, change the value of the StringUnicode parameter in the IDAGUI.CFG file.

Pascal Strings

To create Pascal style strings (with first byte indicating string length) use command.

See also submenu

Convert to array

 Action    name: MakeArray

This command allows you to create arrays and change their sizes.

The arrays are created in 2 simple steps:

Create the first element of array using the data definition commands (data, string, structs)
Apply the array command to the created data item. Enter array size in current array elements (not bytes). The suggested array size is the minimum of the following values:
```
     - the address of the next item with a cross reference
     - the address of the next user-defined name
```

For string literals, you can use this command to change the length of the string.

The dialog box contains the following fields:

Items on a line (meaningless for string literals):

Please note that the parameter affects the number of items on a line too.

Alignment (meaningless for string literals):

If applied to a variable-sized structure, this command is used to specify the overall size of the structure. You cannot create arrays of variable-sized structures.

Undefine a byte

 Action    name: MakeUnknown

This command deletes the current instruction or data, converting it to 'unexplored' bytes. IDA will delete the subsequent instructions if there are no more references to them (functions are never deleted).

If you have selected a range using the anchor, all the bytes in this range will be converted into 'unexplored' bytes. In this case, IDA will not delete any other instructions even if there are no references to them after the deletion.

Give Name to the Location

This command gives name/renames/deletes for the current item.

To delete a name, simply give an empty name.

If the current item is referenced, you cannot delete its name. Even if you try, IDA will generate a name.

Local name

Include in name list

Here you can also include/remove the name from the . If the name is hidden, you will not see it in .

Public name

Autogenerated name

Weak name

Operand types

This submenu allows you to change the operand types to offsets, numbers, chars, etc. Use it to make disassembled text more understandable.

Convert operand to offset
Convert operand to number
Convert operand to character

If IDA suspects that an operand can be represented as something different from a plain number, it will mark the operand as "suspicious" and show it in red. Use these commands to delete marks.

Some of these commands can be applied to a selected range. Click to learn about the rules applied to such operations.

See also submenu.

Perform en masse operation

If you have selected a range before applying an operand conversion command, IDA will display a dialog box.

You can choose a range of operands to perform an en masse operation:

 ALL OPERANDS
 -----------

The operation will be performed on all operands as a toggle. For example, if you ask to convert to a character, then all non-character operands will become characters, and all character operands will become non-chars.

 OPERAND VALUE RANGE
 -------------------

The operation will be performed on the void operands which contain immediate numbers in the specified range.

 ... OPERANDS
 ------------

This selection will convert all operands with the specified type to undefined operands. Example: all characters become non-characters.

 NOT ... OPERANDS
 ---------------

This selection allows to convert all operands that do not have the specified type to the specified type. Example: all non-characters to characters.

This selection allows to convert all operands without any type to the specified type. Example: all operands with no type to characters.

IDA will check whether an operand can be represented with the specified type (as a character constant, for example), and perform type conversion only if the check is successful.

Convert operand to character

This command converts immediate operand(s) type of the current instruction/data to character.

When you use this command, IDA deletes the entered operand.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

See also submenu.

Convert operand to segment

This command converts the immediate operand(s) type of the current instruction/data to segment base. The segment bases are usually displayed like this:

When you use this command, IDA deletes the entered operand.

If IDA cannot find a segment whose base is equal to the operand value, it simply displays it as hex number.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

See also submenu.

Complex Offset Expression

A complex offset expression looks like

        offset target + delta - offset base

It is specified by:

        - type (OFF16, OFF32, LOW16, etc.)
        - base
        - optional target
        - optional delta from target

The relationship between these parameters is (the formula is given for full offsets):

        operand_value = target + delta - base

  or (the same relationship in a different form):

        target = operand_value - delta + base

You always have to specify the offset type and base. Usually, the delta is equal to zero. For the full offset type you may omit the offset target, which is recommended. In this case, IDA will calculate it automatically. However, if you specify the offset target, make sure that the relationship between the parameters still holds. For the half offset types, you have to specify the target because there is no way to calculate it.

The offset types:

Convert operand to symbolic constant (enum)

 Action    name: OpEnum

This command converts immediate operand(s) type of the current instruction/data to an enum member. Before using this command, you have to define an enumeration type.

If the selected enum is a bitfield, IDA will try to build a bitfield expression to represent the constant. Please note that for bitfields having multiple constants with the same value some expressions won't be possible.

If a range is selected using the anchor, IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to symbolic constants. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified.

When you use this command, IDA deletes the manually entered operand.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise all other operands will be affected.

See also: Edit|Operand types submenu. Enter #th operand manually commands. Set operand type

Convert operand to stack variable

 Action    name: OpStackVariable

This command converts immediate operand(s) type of the current instruction to an offset to stack variables, i.e. a local variable or function argument in the stack.

You need to define stack variables before using this command.

If the current operand is based on the value of the stack pointer ([ESP+xxx]) and the SP value is traced incorrectly, then you need to correct SP value using change stack pointer command.

If a range is selected using the anchor, IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to stack variables. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to stack variable, otherwise it will be left unmodified.

When you use this command, IDA deletes the manually entered operand.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise all other operands will be affected.

See also: Edit|Operand types submenu. Enter #th operand manually commands. Define stack variables...

Change operand sign

 Action    name: ChangeSign

This command changes the sign of the current operand. Please note that not all operands can change their sign.

See also: Edit|Operand types submenu. Enter #th operand manually commands. Set operand type

Bitwise negate operand

This command bit-wisely negates the current operand. Please note that not all types of operands can be negated. It is not possible to negate and change of an operand simultaneously.

This command works only if the current supports the bitwise negation operation.

User-defined operand

You may specify any string instead of an operand if IDA does not represent the operand in the desired form. In this case, IDA will simply display the specified string in the instruction instead of the default operand.

The current operand (under the cursor) will be affected.

You can use this command not only with instructions but with data items too.

IDA proposes the previous manual operand as the default value in the input form.

To delete the manual operand and revert back to the default text, specify an empty string.

IDA automatically deletes manually entered operands when you change operand representation using operand submenu.

NOTE: A text offset reference is generated if you use a label in the program as the operand string. In other cases no cross-references are generated.

See also submenu.

Set operand type

 Action    name: SetOpType

This command allows you to specify the type of the operand under the cursor.

The operand type must be entered as a C declaration. Currently IDA itself does not use the operand type information. However, it can be used by the Hex-Rays decompiler plugin. Setting operand type is most useful in case of indirect calls: the decompiler will use the type information to determine the input parameters to the call instead of guessing, which can make the decompiled code better.

An example of a type declaration:

        int (*func)(int param1, char param2);

To delete a type declaration, enter an empty string.

For details on possible calling conventions, see Set function/item type... menu item description.

Other

Create alignment directive...
Manual instruction...
Color instruction...
Hide/show border

See also submenu.

Create alignment directive

This command allows you to create an alignment directive. The alignment directive will replace a number of useless bytes inserted by the linker to align code and data to paragraph boundary or any other address which is equal to a power of two.

You can select a range to be converted to an alignment directive. If you have selected a range, IDA will try to determine a correct alignment automatically.

There are at least two requirements for this command to work:

there must be enough unexplored bytes at the current address.
an alignment directive must always end at an address which is divisible by a power or two.

See also

Specify instruction representation manually

This command allows you to specify the representation of an instruction or data in the program.

Use it if IDA cannot represent the current instruction as desired. If the instruction itself is ok and only one operand is misrepresented, then use command.

To delete the manual representation, specify an empty string.

Specify instruction color

This command allows you to specify the background color for the current instruction or data item.

Only GUI version supports different background colors. Specifying a non-defined custom color will reset the instruction color.

Hide/unhide a border

This command allows you to hide a thin border which is like the one generated automatically by IDA between instructions and data. If the border was already hidden, then it is displayed again.

Note that you can hide all borders at once in the .

Rename Any Address

 Action    name: MakeAnyName

This command gives name/renames/deletes name for the specified address. This is a more powerful variant of Rename command.

To delete a name, simply give an empty name.

If the specified address is referenced, you cannot delete its name. Even if you try it, IDA will generate a dummy name.

This command is available only from the name window.

For an explanation about the dialog box entries, please see the Rename current address command.

Plugins

Center current line in window

This command centers the cursor.

View

Here are commands to open various windows, display information etc.

Graphs

Here are commands to draw various graphs:

Arrows window

There is a small window with arrows on the left of the disassembly. These arrows represent the execution flow, namely the branch and jump instructions. The arrow color can be:

        - red: means that the arrow source and destination do not
        belong to the same function. Usually, the branches are
        within functions and the red color will conspicuously
        represent branches from or to different functions.
        - black: the currently selected arrow. The selection
        is made by moving to the beginning or the end of the
        arrow using the Up or Down keys or left-clicking on the arrow
        start or the arrow end. The selection is
        not changed by pressing the PageUp, PageDown, Home, End keys or using
        the scrollbar. This allows to trace the selected arrow far away.
        - grey: all other arrows

The arrow thickness can be:

        - thick: a backward arrow. Backward arrows usually represent
        loops. Thick arrows represent the loops in a clear and
        notable manner.
        - thin: forward arrows.

Finally, the arrows can be solid or dotted. The dotted arrows represent conditional branches when the solid arrows represent unconditional branches.

You can resize the arrows window using a vertical splitter or even fully hide it. If it is hidden, the arrows window will not be visible on the screen but you can reveal it by dragging the splitter to the right. IDA remembers the current arrow window size in the registry when you close the disassembly window.

Database snapshot manager

 Action    name: ShowSnapMan

This command shows the database snapshot manager. In this dialog, it is possible to restore previously saved snapshots, rename or delete them.

Note: snapshots work only with regular databases. Unpacked databases do not support them.

See also Take database snapshot commands.

Highlighting identifiers

In the graphical version, IDA highlights the identifier under the cursor. For example, if the cursor is on the "EAX" register, then all occurrences of "EAX" will be displayed with the yellow background. This feature is meant to make the program analysis easier by highlighting the interesting parts of the disassembly. For example, if the user wants to see all references to "EAX", he just clicks on any "EAX" on the screen and all of them will be highlighted.

The selection is made by pressing the Up, Down, Left, Right keys or by simply clicking on the identifier.

The selection is not changed by pressing the PageUp, PageDown, Home, End keys, using the scrollbar, or pressing the Alt-Up, Alt-Down, Ctrl-Up, Ctrl-Down keys.

The Alt-Up and Alt-Down keys perform a search of the currently selected identifier backward or forward respectively.

The Ctrl-Up and Ctrl-Down keys scroll the disassembly text.

IDA does not highlight the segment names at the line prefix because it is not very useful.

It is possible to turn off the highlight. The appropriate checkbox is in the tab.

Browser options

This tab of IDA Options dialog allows for editing of hint and identifier highlight related settings. There are two groups of settings.

The first group is for hints that are displayed when the mouse is hovered over some text.

The second group is for highlighting.

Number of lines for identifier hints

        Specifies how tall the hint window will be initially.
        IDA may decide to display less lines than specified if the hint is
        small. The user can resize the hint window using the mouse wheel.

Delay for identifier hints

        Milliseconds that pass before the hint appears when the user
        hovers the mouse pointer over an identifier

Mouse wheel resizes hint window

        Permit to resize the hint window by using the mouse wheel.
        Can be turned off if the user does not want to resize the hints.

No hints if debugger is active

        Hints will be disabled when the debugger is active. This may be
        useful to speed of debugging: calculating hints for zero filled
        ranges can be very expensive

Auto highlight the current identifier

Unhide collapsed items automatically when jumping to them (gui only)

Lazy jumps (gui only)

Number of items in navigation stack drop-down menus

Number of lines for auto scroll

Caret blinking interval

Lumina options

Lumina dialog box options

This options tab allows for modification of Lumina credentials and use settings.

Use the public server

Assembler level and C level types

In order to provide intuitive yet powerful interface to types IDA introduces two kinds of types:

  - Assembler level types
  - C level types

Assembler level types are the ones defined by the user using the Struct or Types views.

Since the user has to specify manually the member offset and other attributes, IDA considers the member offsets to be fixed for them and never shifts members of such types. If a member of struct becomes too big and does not fit the struct anymore, IDA will delete it.

The types defined in the Local types window are considered as C level types. For them IDA automatically calculates the member offsets and if necessary may shift members and change the total struct size.

The user may change the type level by simply editing the type from the appropriate window. For example, if a C level type is edited from the Struct view, IDA will consider such a type as an Assembler level type in the future.

 In the struct/enum view:
  Assembler level types are displayed using regular colors.
  C level types are displayed in gray, as if they are disabled (but they are not).

 In the local types view:
  C level types are displayed using regular colors.
  Assembler level types are displayed in gray, as if they are disabled (but they are not).

Bookmarks window

This command opens the bookmarks window. This window lets the user jump to a specific place in the listing.

View segment registers

This command displays segment register contents in the .

You may use this command to refresh the disassembly window too.

View Internal Flags

This command displays the internal flag values for the current item. The information appears in the .

See also submenu.

Hide

This command allows you to hide a part of disassembly. You can hide a function, a segment, or create a special hidden range.

If a range is specified, a special hidden range is created on this range.

If the cursor is on the segment name at the start of the segment, the segment will be hidden. IDA will display only the header of the hidden segment.

If the cursor is on a structure variable and if the target assembler has the 'can display terse structures or the ' bit on, then the structure will be collapsed into one line and displayed in the terse form.

Otherwise, the current function will be hidden. IDA will display only the header of the hidden function.

If there is no current function then IDA will beep.

If you want to see hidden items on the screen, you may use command or the display of the hidden items. If you want to delete a previously created hidden range, you may use command.

See also submenu

Unhide

 Action    name: Unhide

This command allows you to unhide a hidden part of disassembly.

If the cursor is on the hidden function name, the function will be unhidden.

If the cursor is on the terse structure variable, the structure will be uncollapsed and displayed in the regular form.

If the cursor is on the hidden range, the hidden range will be unhidden.

If the cursor is on the hidden segment name, the segment will be unhidden.

See also hide command and setup hidden command.

Del hidden range

This command allows you to delete a hidden range of disassembly (previously defined by using the command).

See also command.

See also submenu

Hide all items

This command allows you to hide:

all functions and hidden ranges if invoked in the disassembly window

IDA will display only the header of the hidden items.

If you want to see hidden items on the screen, you may use command or the display of the hidden items.

See also command.

See also submenu

Unhide all items

This command allows you to unhide:

all segments, functions, and hidden ranges if invoked in the disassembly window

See also command.

See also submenu.

Setup hidden items

 Action    name: SetupHidden

This command allows you to toggle the display of hidden items.

Automatically hide library functions

        This option hides the functions recognized by FLIRT.
        If will have an effect only from the time when the option is set.

Display hidden instructions

        If this option is set, IDA will display all the instructions
        as unhidden even if they were hidden.

Display hidden functions

        If this options is set, IDA will display all the functions
        as unhidden even if they were hidden.

Display hidden segments

Debugger window

Opens the debugger window.

In this window, you can view the register values for the selected thread. The debugger always selects the thread where the latest debugging event occurred.

For most registers, we have two different boxes:

For a segment register, we only have one box indicating the current value.

For the flags register, we have one box indicating the current value, and small boxes indicating the status of the most important flags.

A popup menu is accessible everywhere in the window, which allows the user to show or hide different parts of the window: toolbar, thread list and available register classes.

See also .

Process Control

Start process

 Action    name: ProcessStart

This command starts the process in the debugger. If the process was suspended, it will continue its execution. See also

Attach to process...
Process options
Pause process

Process options

 Action    name: SetupProcess

This dialog box allows to specify different settings related to the process being debugged.

Application

Host application to launch. When the debugging target (== 'input file') is an executable file, this field is equal to the 'input file'. If this field is wrong, IDA will not be able to launch the program. For remoting debugging, this field denotes a remote file.

Input file

The input file used to create the database. For remoting debugging, this field denotes a remote file.

Pause process

This command pauses a running process. Please note that it is not always possible to pause a process executing the system code. See also

Terminate process

 Action    name: ProcessTerminate

This command terminates the debugged process. See also

Start process
Pause process
Detach from process
.

Step into

This command executes one assembler instruction at a time, stepping into functions. See also

Step over

 Action    name: ThreadStepOver

This command executes one assembler instruction at a time, stepping over procedures while executing them as a single unit.

Internally, in the case of a function call, IDA setups a temporary breakpoint on the instruction following this function call. See also

Step into
Run until return
Debugger submenu.

Run to cursor

This command executes instructions until the instruction under the cursor is reached.

Internally, IDA setups a temporary breakpoint on the instruction under the cursor. See also .

Run until return

 Action    name: ThreadRunUntilReturn

This command executes assembler instructions and stops on the instruction immediately following the instruction that called the current function.

Internally, IDA executes each instruction in the current function until a 'return from function' instruction is reached.

See also

Step into
Step over
.

Attach to process

This command displays running processes corresponding to the disassembled file in the database and allows the user to choose a process to attach to.

See also

Detach from process

This command detaches the debugger from the debugged process. Note: this command is only available on Windows XP or Windows 2003 Server !

See also

Set current ip

This command sets the instruction pointer of the current suspended thread to the current cursor location.

It is accessible only when the debugger is active and the process is suspended. See also .

Show application screen

This command displays the application screen.

It is useful for the text mode debugger.

When the debugged application runs in the same window as IDA itself, the application output is hidden by IDA windows. This command allows to see the application screen in this case.

To return to IDA display, press any key.

This command is available when the application is suspended or finished. See also .

Watches

Here are the commands to use the debugger watches (assembler level).

Watch list
Add watch
Del watch

See also

Watch list

Opens the assembler level watch list window.

In this window you can view memorized watches. A watch allows the user to continuously see the value of a defined item.

Add watch

This command adds a watch at the current address. The watch is visible in the .

Delete watch

This command deletes an existing watch.

Source code view

This window shows the contents of a source code file. IDA automatically opens source views provided that proper mapping of the source code paths is specified in "Options, Source paths".

This window may also display a decompilation result because it is considered as a source code. This can be useful if the source files are not available.

Watch view (source level)

In this window the user can view values of selected variables.

Global variables (data item names) as well as variables that are local to the current function can be added by pressing Ins.

Expressions can be added to the view as well, they will be considered as IDC expressions.

Watch view (source level)

In this window the user can view values of selected variables.

Global variables (data item names) as well as variables that are local to the current function can be added by pressing Ins.

Expressions can be added to the view as well, they will be considered as IDC expressions.

Expressions may have a type cast at the beginning. For example

(int)0x12345678

means that the contents of the memory at the address 0x12345678 should be displayed as an integer. Note: to display strings use "char[]" as the typo.

See also

Licensing

In this document, we covered the fundamentals of our licensing model—including how to activate your license based on its type, check license's details and share them with your team members.

Here, you can learn how to:

Activate your licenses Named | Computer | Floating | In Bulk
Add and activate servers Lumina | Teams | License server
or

Licenses overview

License types

In Hex-Rays, we offer two basic license types for IDA products, that are suitable for individual users:

Named licenses, that are assigned to specific individuals.
Computer licenses that are assigned to specific devices.

There is also an additional type, called floating licenses, that allow a set number of concurrent users but are not assigned to specific individuals or devices.

Floating licenses are available only for IDA Pro and dedicated to business/organization purposes.

How many licenses should I have?

Beside the license for IDA product, you need also a separate active license for each server available in your subscription.

The components of your subscription that require their own license:

Base IDA license (e.g., IDA PRO Expert 4)
Teams server for Teams add-on
Lumina server for Lumina add-on
License server for floating licenses

Example: You've purchased IDA PRO Expert 4 Plan with Teams and Private Lumina, along with floating type of license with 6 seats. In this case, you’ll need to activate the following four licenses:

License server license
Private Lumina server license
Teams server license
IDA PRO Expert 4 license

What's a license file?

The .hexlic license file contains your license ID and other data, and is required to make your IDA instance fully operative after installation (or your Lumina, Teams or License server). You can download your license files from , after their activation.

Once you've downloaded your license, it cannot be modified.

License activation

To complete the installation, you need an active IDA license with an assigned owner (for a named license) or a MAC address (for a computer/floating license). Without activation, you cannot download your license file.

What is needed to activate my license?

for named licenses: the email address of the owner,
for computer licenses: the MAC address of a specific device
for floating licenses: the MAC address of the device where the license server will be running

The license type (named/computer/floating) is selected when you purchase your subscription.

Where can I activate my license?

From the License tab in portal, you can initiate the activation process and open the License activation dialog from several locations:

Under the Actions column, click the three dots and then Activate License from the dropdown menu (1),
Click on the desired license to open its detail view, then click Activate License (2), or
Select multiple licenses of the same type by ticking their checkboxes, then click Bulk Activation (3).

Named licenses activation

Go to portal and navigate to the Licenses tab.
Locate the license ID you want to activate. Ensure it has the Pending activation status.

If you haven't completed the KYC procedure yet, you will need to do so for accessing paid products. If the "Activate License" option is not visible despite a Pending Activation status, it means your KYC process is still in progress.

Open the dialog, select decompilers and click Next.
Assign the ownership of the license: set the email address for this IDA instance user (it can be yours) and click Activate license.

Your license is now active.

You can check the license details and modify it if needed. If all details are correct, you can .

Computer licenses activation

Go to portal and navigate to the Licenses tab.
Locate the license ID you want to activate. Ensure it has the Pending activation status.

Open the dialog, select decompilers and click Next.
Add the MAC address of the machine where this IDA instance will be installed and running (it can be yours) and click Activate license.

Your license is now active.

You can check the license details and modify it if needed. If all details are correct, you can .

Download the license files

If you are sure that all of the license details are correct, you can go ahead and download your license hexlic file. You will need it to complete the installation process.

Downloading the license locks the configuration and prevents further edits.

Go to the License tab in portal.
Under the Actions column, click the three dots and then Download hexlic from the dropdown menu (1), or, alternatively, in the license detail view, click Download hexlic.

To download multiple license files at once, select the desired licenses by ticking their checkboxes, or click Select all. Then, click Download License Files (2). You’ll receive an email with a link to download all license files and a CSV.

What's next?

Now you are ready to .

Floating licenses activation

To use floating licenses, you need to activate:

A license for your license server
A base IDA Pro license linked to that server Both licenses can be activated and linked in a single step, as described below.

Navigate to the Licenses tab and look for your IDA license with Floating label. Ensure it has the Pending activation status.
Open the dialog, select decompilers and click Next.
Assign a license server. If you , select the Use existing server option and then tick the server from the list. If you haven't done it yet, you can add and activate a license server now—select Add new server option, type the MAC address and click Add.

Add tags if needed, and click Activate license to finalize.
Your license(s) is now active.

You can check the license details and modify it if needed.

If all details are correct, you can and license files for the license server.

Bulk activation

If you have multiple licenses of the same type (for example, ten IDA PRO Expert 2 licenses), you can activate them all in a single batch operation. All licenses activated in bulk will share the same configuration details, decompilers set, and add-ons, while allowing for unique owner email addresses and MAC addresses.

Go to portal and navigate to the Licenses tab.
Locate the licenses you want to activate with the Pending activation status. Select all of them by ticking the checkboxes on their left side.
In the top menu that appears after selection, click Bulk Activation.

In the new dialog, select decompilers (this action is done for all licenses in a batch) and click Next.
Depending on your licenses type, assign the license user's emails or set the MAC addresses. Optionally, you can add tags.
Click Activate Licenses.

You've noticed a mistake? No worries, you can still edit your selected licenses before downloading them.

Bulk download the license files

In the Licenses tab, select the licenses for bulk download and click Download License Files.
After confirmation, you'll get an email with link to download all license files + CSV.

License details

The License Details card provides a complete overview of the license, including assigned decompilers and users it has been shared with. You can edit access permissions and tags at any time, even for active and already downloaded licenses. To open the License Details view, in the License tab in portal, click on the desired license.

License editing

When you activate your license using one of the methods shown above, you can still make changes—such as modifying the decompiler set—as long as you have not downloaded the license file(s). Once the license file(s) are downloaded, further modifications will no longer be possible.

To edit the license:

Go to portal and navigate to the Licenses tab.
Locate the licenses you want to edit with the Active status. Under the Actions column, click the three dots and then Edit from the dropdown menu, or alternatively, in the license detail view, click Edit. If the Edit option is not visible, it means the license has already been downloaded and can no longer be edited.

Make changes and click on Next/Activate license to confirm.

Server licenses

If your subscription includes a server (for Private Lumina, Teams or floating licenses), you'll need to activate the corresponding server licenses to download the license files. To do so, make sure to add the relevant servers to your account.

You can create and activate the license server simultaneously during the process.

Add servers

In portal, go to the Licenses tab and click on +Add server.

Select the type of server(s) you want to add and click Next. You may add multiple servers at one go.

Assign MAC addresses and click Create servers to finalize.
After that, your servers will appear in the Licenses list with an Active status, allowing you to download the server certificates and hexlic files.

If you are using floating licenses, you can now go ahead and activate your IDA licenses that uses the server.

Ensure all floating license plans associated with the license server are activated before downloading the license server hexlic file.

Downloading the server license files

Once all IDA PRO licenses intended for use with your floating license server have been activated, you can proceed to download the server’s hexlic file and license certificate. Maintaining this order is crucial—the hexlic file contains essential details about the linked licenses, which are properly embedded only when the IDA license is associated with the specific floating license server.

License server installation for admins

Server installation for floating licenses should be done by the administrator. Check our for details.

How can I start using IDA as a floating license user?

Once your administrator installs a license server, adds particular license seats to the pool, and hands over the credentials, you are ready to .

You don't need to download a license file/key to your local machine while using the floating licenses server. New to the floating licenses? Check our .

Floating licenses check-out

Every time you launch IDA, you'll see the License Manager pop-up window. As long as there are free seats, you can check-out one of the available licenses and start using IDA.

Note that some of the available licenses may have different decompilers and add-ons enabled.

Add-ons servers' licenses

Private Lumina server activation for admins

Each of our add-ons, Teams and Private Lumina, requires an active license to work properly. To proceed with Lumina installation and setup, an active server's license is required.

in your account (activate the license).
Locate your server license on the Licenses tab and download the following files:

lumina server certificate
.hexlic file (license key)

You'll need both files to continue with the server installation and setup.

Private Lumina server installation for admins

Server installation for Private Lumina should be done by the administrator. Check our for details.

Teams server activation for admins

Each of our add-ons, Teams and Private Lumina, requires an active license to work properly. To proceed with Teams installation and setup, an active server's license is required.

in your account (activate the license).
Locate your server license on the Licenses tab and download the following files:

teams server certificate
.hexlic file (license key)

You'll need both files to continue with the server installation and setup.

Teams server installation for admins

Server installation for Teams should be done by the administrator. Check our for details.

Grant access to manage licenses

You can invite your teammates to view and activate licenses via their own My Hex-Rays account. To grant access:

Select license(s) you want to share and click Grant Access (1).
Add the email address of your teammate and click Confirm (2).
Your team member will receive an email invitation to log in to the portal and access the shared licenses.

The view allows you to review who currently has access to the license, remove users, or grant access to new ones.

Key points:

Once a license has been downloaded, it cannot be modified.
Multiple licenses of the same type can be activated in bulk.
You can grant the access to manage licenses to other teammates, while the ownership of the license remains the same.

Basic Usage

In this document, we'll explore the essentials of IDA capabilities to kickstart your journey and disassemble your first binary file.

Prerequisites

Your IDA instance is installed and running.

Before you begin

What files and processors are supported?

IDA natively recognizes plenty of and .

If you later realize that's not enough, you can always use one of our community plugins that add additional formats or processor types or try to write your own with .

What are IDA database files?

IDA stores the analysis results in the IDA Database files (called IDB), with the extension .i64. This allows you to save your work and continue from the same point later. After loading a file at the beginning, IDA does not require access to the binary.

Any modifications you make are saved in the database and do not affect the original executable file.

Dive deeper

Blog: 📝 Check what exactly IDB contains in about IDA database.

What decompilers can I work with?

IDA provides decompilers designed to work with multiple processor architectures. The number of decompilers and their type (local or remote) available in your IDA instance depends on your chosen product and subscription plan and affects your ability to produce C-like pseudocode.

Where can I find exemplary binaries to work with?

Check , from where you can download executable files to test your reverse engineering skills.

Part 1: Loading your file

When you launch IDA, you will see a Quick Start dialog that offers three ways to continue. For now, we'll focus on loading a new file and proceeding to disassembly results.

Launch IDA and in the Quick start dialog (1), click New.
Specify the path for your binary file.
In the Load a new file dialog (2), IDA presents loaders that are suited to deal with a selected file. Accepting the loader default selection and then the processor type is a good strategy for beginners. Click OK to confirm your selection.

IDA begins autoanalysis of your binary file.

After completion, you will be present with the default IDA desktop layout, that we'll describe in the .

Dive deeper

Video: 📹 Watch different ways of in our .

Part 2: UI overview

After autoanalysis is done, you'll see the main IDA desktop with the initial results. Let's examine the default desktop layout and commonly used UI elements.

Main menu bar (1)
Toolbar (2)
Navigation band (3)
Subviews (4)

The main menu bar provides quick access to essential features. Moreover, almost all menu commands can be quickly accessible via customizable .

For a handy cheatsheet of all commands and their hotkeys, check Options -> Show command palette....

Dive deeper

Docs: 📖 Check our for a comprehensive description of all menu items.

Below the main menu bar, you will see a toolbar with icons that give you quick access to common functionalities (available also via the main menu/shortcuts). It has just one line by default, but you can customize it by adding or rearranging your actions.

Dive deeper

Video: 📹 Curious about practical ways to set up your toolbar? Watch our .

The navigation band shows the graphical representation of the analyzed binary file and gives a short overview of its contents and which areas may need your attention. The yellow arrow (indicator) shows where the cursor is currently positioned in the disassembly view.

As you'll soon recognize, the colors used in the nav band match those in other views.

Dive deeper

Blog: 📝 A detailed navigation band overview with the full colors legend you can found in .

Output

The output window is a place where various messages and logs are displaying, often describing what currently IDA is doing, like analyzing data or running a script. In the CLI box you can type commands in or .

Status bar

At the bottom left corner of the IDA window, you can see the status bar, which contains:

analysis indicator AU, which shows the actual status of autoanalysis (1). In our case, it is idle, which means the autoanalysis is already finished.
search direction indicator (2)
remaining free disk space (3)

Right-clicking on the status bar brings up a context menu that allows you to reanalyze the program.

Dive deeper

Docs: 📖 To check all possible values and their meaning, take a look at .

Subviews

The subviews are one of the most prominent parts of your everyday work with IDA. These additional views (behaving like tabs) give a different perspective and information on the binary file, but the number of native IDA subviews may be a bit overwhelming. Here, we will focus on the most versatile and common subviews for beginners, where you'll spend most of the time, like:

IDA View
Pseudocode
Hex Dump View
Local Types

IDA View / Disassembly Window

When autoanalysis is done, you will see a graph view inside an IDA View by default. This flowchart graph should help you to understand the flow of the functions.

The graph view is available only for the part of the binary that IDA has recognized as functions.

IDA view has three modes:

graph view (1), that shows instructions grouped in blocks,
linear view (2), that lists all instructions and data in order of their addresses,
and proximity view (3), which allows you to see relations between functions, global variables, and other parts of the program.

Press Space to switch between graph and linear mode. Proximity view is available from the context menu in IDA view.

Dive deeper

Video: 📹 Check our covering the basics of graph view.
Blog: 📝 Read the in Igor's tip of the week.

Hex View Window

In hex view, you can see the raw bytes of the program's instructions.

There are two ways of highlighting the data in this view:

Text match highlight, which shows matches of the selected text anywhere in the views.
Current item highlight, which shows the bytes group constituting the current item.

The IDA view, pseudocode, and hex view can be synchronized, meaning that they highlight the same part of the analyzed program, and changes made inside one of the views are visible in the others.

Dive deeper

Video: 📹 Listen about hex view and others in our .
Blog: 📝 Detailed you can read in Igor's tip of the week.

Pseudocode Window

Generated by the famous F5 shortcut, the pseudocode shows the assembly language translated into human-readable, C-like pseudocode. Click Tab to jump right into the Pseudocode view.

Local Types Window

This view shows the high-level types used in databases, like structs or enums.

Dive deeper

Docs: 📖 Check our manual giving an overview of .

Functions Window

This window displays all the functions recognized by IDA, along with key details for each:

Function name
Segment the segment that contains the function
Start: the function starting address
Length: the size of the function in bytes

By default, the entire window is not visible, so you may scroll horizontally to see the hidden elements. As you probably noticed, the colors in Functions window match the colors in navigation band; in our example, green highlighting shows functions recognized by .

This view is read-only, but you can automatically synchronize the function list with the IDA view, pseudocode, or hex view. Click to open the context menu and select Turn on synchronization.

Dive deeper

Docs: 📖 Read the manual explaining all of the columns in detail.
Video: 📹 Watch our exploring the functions view.

A crucial step in mastering IDA is learning how to navigate quickly to specific locations in the output. To help you get started, we'll cover essential commands and hotkeys commonly used for efficient navigation in IDA.

Double-click and jump to the location

When you double-click on an item, such as a name or address, IDA automatically jumps to that location and relocate the display.

Jump to address

Go to Jump -> Jump to address.. or press G hotkey
Enter the item name or hex address in the dialog box, then click OK.

To jump back to the previous position, press Esc. To jump to the next position, press Ctrl + Enter. You can also navigate using the arrows in the toolbar.

See the list of cross-references

Position the cursor on a function or instruction, then go to Jump -> Jump to xref to operand... or press X to see the dialog with listed all cross-references to this identifier.
Select an item from the list and click OK to jump to that location.

Dive deeper

Video: 📹 Explore the rest of the jump commands in our

Part 4: Manipulate your disassembly results

Now that the initial autoanalysis is done and you’ve mastered the basics of navigation, it’s time to explore the basic interactive operations that reveal the true power of IDA in transforming your analysis.

Rename a stack variable

One of the first steps you might take is to enhance readability by assigning meaningful names to local or global variables, but also functions, registers and other objects that IDA initially assigned a dummy name.

In the IDA View, right-click on the variable you want to rename and click Rename or press N when the variable is cursor-highlighted.
In the newly opened dialog, insert a new name and click OK.

If at any point you want to go back to the original dummy name given by IDA, leave the field blank and click OK. It will reset the name to the default one.

Once you change the name, IDA will propagate the changes through the decompiler and Pseudocode view.

Dive deeper

Docs: 📖 Check the details on renaming items in the
Video: 📹 Watch our on renaming techniques.
Blog: 📝 Check for expert advice on renaming.

Add a comment

Adding comments may be a useful way to annotate your work.

Highlight the line where you want to insert a comment and press :.
In the dialog box, type your comment (you can use multiple lines) and click OK. This will add a regular (non-repeatable) comment to the location.

If you want to add a repeatable comment in every location that refers to the original comment, press ';'.

Dive deeper

Video: 📹 Watch our about commenting.

Part 5: Customizing IDA

Nearly every UI element is customizable, allowing you to rearrange and align widgets to suit your habits. You can save your personalized desktop layout by going to Windows -> Save desktop.

Most of the basic appearance you can change under Options menu.

To change the colors or theme, go to Options -> Colors.
To change the font, go to Options -> Fonts.

If you need more control over customization settings, you may check the .

Part 6: Debug your file

If you are ready to delve into dynamic analysis and start debugging your programs, here are some key steps to get you started:

Select the right debugger and complete the setup: Go to Debugger -> Select debugger... and pick up one of the available debuggers. Under Debugger -> Debugger options, you can configure the setup in detail.
Add breakpoints: Right-click on the line where you want to stop the execution and select Add breakpoint from the context menu, or press F2.
Start the process: Run the debugging session by pressing F9 or click a green arrow on the tooltip.

Dive Deeper

Docs: 📖 Read our User Guide for and debugging manuals, or check step-by-step tutorials for specific debuggers.

Part 7: Install a plugin

One of the most common way of extending IDA capabilities is to use one of our community-developed plugins.

Where can I find IDA plugins?

You can find a variety of plugins in the official Hex-Rays

Installing your plugin

For this guide purposes, we'll walk you through general installation steps.

The installation process can vary depending on the plugin and some of them may required installing dependencies or further configuration. Don't hesitate to refer to the specific instructions provided by the plugin author.

Load your plugin

Copy your plugin folder to the plugins directory inside your IDA installation directory.
Alternatively, you can load the plugin from the command line in IDA by using File -> Script file... and selecting app.entry.py file.

Run your plugin

Navigate to Edit -> Plugins -> your_plugin_name or use the assigned hotkey.

You may need to restart IDA to see your plugin in the list.

Dive deeper

Docs: 📖 Want to learn about writing your own plugins? Check our Developer Guide on how to create a plugin in or with .

Key hotkeys cheatsheet

Here's a handy list of all of the shortcuts we used so far.

Space Switches between graph and linear mode in the IDA View
F5 Generates pseudocode
Tab Jumps into pseudocode View

Open subviews

Here are commands to open various windows, display information etc.

Open disassembly window
Open exports window
Open imports window

Some windows allow you to manipulate the window contents by using the viewer commands.

See also submenu.

Disassembly window

The "WindowOpen" command opens a new window with the disassembly. IDA automatically opens one disassembly window at the start.

If the current location is an instruction belonging to a function, then the is available. You can toggle between the text and graph view using the Space key. You can also switch to proximity view by zooming out to the callgraph using the '-' key.

Use the disassembly commands to improve the listing.

Use Shift-<arrows> or Alt-L to drop . If you have a mouse, you can drop the anchor with it too.

A double click of the mouse is equivalent to the <Enter> key.

To the left of disassembly, there is an (GUI version). Also the GUI version the current identifier.

Exports window

This command opens the exports window.

You can use commands in this window.

Imports window

This command opens the imports window.

You can use commands in this window.

Functions window

A list of all functions in the program is displayed. You can , , functions using viewer commands.

Listed for each function are:

The last column of this window has the following format:

If a function has its color set, its line is colored using the specified color. Otherwise library and lumina functions are colored with the corresponding color. Otherwise the line is not colored.

A bold font is used for functions that have definite (user-specified) prototype. Also some plugins too may set this flag. Such prototypes are taken as is by the decompiler, while other prototypes are considered only as a starting point during decompilation.

It is possible to automatically synchronize the function list with the active disassembler, pseudocode, or hex view. For that right click on the function list and select "Turn on synchronization".

Names window

This command opens the window.

You can use commands in this window.

The GUI version displays a small icon for each name:

Signatures window

This command opens the signatures window.

For each signature, the following is displayed:

You can modify the planned signatures list here: add/delete library modules to be used during the disassembling.

You cannot delete an applied signature from the list.

To add a signature to the list for the application press <Ins>. You will see a list of signatures that can be applied to the program being disassembled.

Text version: Not all signature files will be displayed (for example, 32 bit signatures will not be shown for a 16 bit program). If you want to see the full list of signatures, select the first line of the list saying SWITCH TO FULL LIST OF SIGNATURES.

Signature files reside in the subdirectories of the SIG directory. Each processor has its own subdirectory. The name of the subdirectory is equal to the name of the processor module file (z80 for z80.w32, for example). Note: IBM PC signatures are located in the SIG directory itself. Note: the IDASGN environment variable can be used to specify the location of the signatures directory.

Segments window

This command opens the segments window. The format of this window is explained .

You can use commands in this window.

In order to change the selector values, use window.

Segment registers window

This command opens the segment registers window. The window will contain segment register list.

You can use commands in this window.

Depending on the current processor type, you will see DS,ES,SS with or without FS,GS.

See also submenu.

Selectors window

This command opens the selector window. Here you can change the "selector to base" mapping. The selector table is used to look up the selector values when the addresses that are visible in the disassembly listing.

You can use commands in this window:

Cross references window

This command opens the cross-references window. This window contains all references to the current location.

You can use commands in this window.

You can add and delete cross references here too by pressing Ins or Del. Right clicking on the mouse will work too.

Add a cross reference: the from and to address, as well as the xref type should be specified.

Del a cross reference: if the 'undefine if no more xrefs' is check, then the instruction at the target address will be undefined upon the deletion of the last xref. IDA undefines instructions only if they do not start a function.

Local types window

Each database has a local type library embedded into it. This type library (til) is used to store types that are local to the current database. They are usually created by a header file.

As of IDA 9.0, the legacy Structure and Enums windows have been removed and their functionality consolidated by the Local Types window. This view serves as a centralized hub for all type-related actions. You can define new types here (enumerations, structures, and unions), edit existing ones, and import types from loaded type libraries.

This command opens the local types window. The user can manipulate local types here:

the existing types can be modified (the default hotkey is Ctrl-E, context menu Edit type...)
the existing types can be deleted (the default hotkey is Del, context menu Delete type...)
new types can be added (the default hotkey is Ins, context menu Add type...)

Please note that Ins can be used to add many types at once. For that the user just needs to enter multiple declarations, one after another in the dialog box.

However, Ctrl-E permits for editing of one type at a time. This may cause problems with complex structure types with nested types. Nested types will not be saved by Ctrl-E.

If the edited type corresponds to an idb type (struct or enum), then the corresponding type will be automatically synchronized.

Some types in this list are created automatically by IDA. They are copies of the types defined in the or views. Such types are displayed using in gray, as if they are disabled.

Types displayed in black are considered as C level types. Read .

Each type in the local type library has an ordinal number and may have a name.

Be careful when deleting existing types because if there are references to them, they will be invalidated.

A local type can be mapped to another type. Such an operation deletes the existing type and redirects all its references to the destination type. Circular dependencies are forbidden. In the case of a user mistake, a mapped type can be deleted and recreated with the correct information.

See also

Managing Structures**

Each structure must have a unique name. A field name must be unique in the structure. In order to create or delete a field, use data definitions commands (, , , , ). You may also define or comments.

In order to modify member types, use commands from the submenu. For example, to convert a structure member to an offset, use one of the following commands:

Structs-related commands available in the local types window:

Define a new structure

This command defines a new structure or a new union. The new structure is created with zero length. You will have to add structure members using manipulation commands.

If the entered structure name denotes a standard structure type from a loaded type library, then its definition will be automatically used. In this case, the value of the 'create union' checkbox will be ignored.

This command is available when you open a .

You can add new members to the structure using the following commands:

Command

Hotkey

You may also insert/delete undefined bytes into the middle of the structure by using and commands.

"Create before current structure" means that the new structure will be placed immediately before the current structure type. Otherwise, the new structure is placed after the current structure.

"Don't include in the list" means that the structure will not be included in the list of the structures which appears when the user applies the structure definition, for example, when he creates a variable of this structure type. We recommend to mark this checkbox when you have defined all variables of this structure type and want to reduce the number of choices in the list.

See also .

Duplicate a structure type

This command duplicate the current structure type. The new structure type will have the same members as the current one but its name will be autogenerated (something like struc_333)

By default the new structure type will be placed after the current structure type.

Delete a structure

This command deletes the current structure. Beware, when you delete a structure, all references to it will be destroyed as well. Even if you recreate it later, you'll have to specify again all references to it.

You may use this command to delete unions also.

This command is available when you open a .

Expand a structure

This command expands the current structure by inserting undefined bytes at the cursor location. The cursor must not be at the end of the structure. To define a member at the end of the structure, just use normal data definition commands.

This command is available when you open a .

Shrink a structure

This command shrinks the current structure by deleting undefined bytes at the cursor location. The cursor must be at an undefined byte. IDA will ask the user the number of bytes to remove.

This command is available when you open a .

Edit a structure

This command allows the user to change the structure alignment

Structure alignment is used to calculate the number of padding bytes at the end of the structure. For example, if alignment is 4 and the last field is a byte at offset 11h, IDA will add 3 bytes of padding so that the struct size is 14h (multiple of 4).

The alignment must be a power of 2. This command is available in the .

See also .

Managing Enums

Enums-related commands available in the local types window:

Add/Edit an enum

These commands allow you to define and to edit an enum type. You need to specify:

Each enum has its ID and a serial number. The ID is a number used to refer to the enum, while a serial number is used to order enums during output. Changing the serial number moves the enum to another place.

The serial number of an enum is displayed at the lower left corner of the window.

You can specify any number as a serial number, IDA will move the enum to the specified place.

You also need to specify representation of enum constants. You may choose from various number bases (hex,dec,oct,bin) and character constants.

You may specify the element width or leave it zero. Zero means the element width is not specified. The allowed widths are the powers of 2 in the range of 1..64.

Please note that you can create definitions here by checking the "bitfield" checkbox.

These command is available when you open the types .

See also .

Delete an enum type

This command deletes the current enum. Beware, when you delete an enum all references to it will be destroyed. Even if you recreate it later, you'll have to specify again all references to it.

This command is available when you open the types .

Define an enum member

This command allows you to define an enum member. An enum member is a symbolic constant. You have to specify its name and value. You cannot define more than 256 constants with the same value in an enum.

If the current enum is a bitfield, you need to specify the bitmask. To learn about bitmasks, read about .

Edit an enum member

This command allows you to rename an enum member. An enum member is a symbolic constant. Its name must be unique in the program.

To rename an enum type name, position the cursor over the name of the enum.

Delete an enum member

Please remember that deleting a member also deletes all the information about the member, including comments, member name etc.

Problems window

This command opens the problems window. The problem window contains the of all problems encountered by IDA during disassembling the program.

You can jump to a problem by pressing Enter. The selected problem will be deleted from the list.

Type libraries window

This command opens the type libraries window. Here the user can load and unload standard type libraries.

The standard type libraries contain type definitions from the standard C header supplied with compilers. Usually, IDA tries to determine the target compiler and its type libraries automatically but if it fails, this window allows you to load the appropriate type library.

Furthermore, don't forget to specify the compiler and memory model in the dialog box.

Inspecting a type library

Provide the ability to inspect the types present in a type library.

Local Types bookmarks

See:

Strings window

This command opens the string window.

The string window contains all strings in the program. However, if a range of addresses was selected before opening the window, only the selected range will be examined for strings.

You can setup the list parameters by right-clicking (or pressing Ctrl-U in the text version) on the list.

The list always contains strings defined in the program regardless of the settings in this dialog box, but the user can ask IDA to display strings not yet explicitly defined as strings.

The following parameters are available:

Display only defined strings If checked, IDA will display only strings explicitly marked as string items (using the command). In this case, the other checkboxes are ignored. Ignore instructions/data definitions

Strict ASCII (7-bit) strings If checked, only strings containing exclusively 7-bit characters (8th bit must be zero) will be added to the list. Please note that the user can specify which characters are accepted in the strings by modifying the StrlitChars parameter in the file. This setting is ignored if 'only defined strings' is on. Allowed string types

Minimal string length

Function calls window

This command opens the function calls window.

All functions who call the current function are displayed at the top of the window.

All functions called from the current function are displayed at the bottom of the window.

The list is automatically refreshed when the cursor is moved to another function.

Notepad

Opens a notepad window for the general notes about the current database. The entered notes will be saved in the current database.

Alt-T hotkey can be used to search for a text and Ctrl-T to repeat the last search.

The notepad is available only in the GUI version.

Show undo history

This command opens a window with the undo history. It is available from the Views, Open subviews submenu.

Double clicking on a line reverts the database to the state before the corresponding action.

It is possible to truncate the undo history by using the corresponding context menu command. The undo information for the selected action will be removed together with the information about all preceding actions.

The redoable user actions are displayed in italics. The current position in the undo buffers is displayed in bold, it usually denotes the first redoable user action.

See also

Functions

This submenu allows you to manipulate functions in the disassembly:

Create function...
Edit function...
Append function tail...

Create Function

This command defines a new function in the disassembly text.

You can specify function boundaries using the . If you don't specify any, IDA will try to find the boundaries automatically:

A function cannot contain references to undefined instructions. If a function has already been defined at the specified addresses, IDA will jump to its start address, showing you a warning message.

A function must start with an instruction.

Edit Function

Here you can change function bounds, its name and . In order to change only the function end address, you can use command.

If the current address does not belong to any function, IDA beeps.

This command allows you to change the function frame parameters too. You can change sizes of some parts of frame structure.

IDA considers the stack as the following structure:

For some processors or functions, BP may be equal to SP. In other words, it can point to the bottom of the stack frame.

You may specify the number of bytes in each part of the stack frame. The size of the return address is calculated by IDA (possibly depending on the far function ).

"Purged bytes" specifies the number of bytes added to SP upon function return. This value will be used to calculate the SP changes at call sites (used in some calling conventions, such as __stdcall in Windows 32-bit programs.)

"BP based frame" allows IDA to automatically convert [BP+xxx] operands to .

"BP equal to SP" means that the frame pointer points to the bottom of the stack. It is usually used for the processors which set up the stack frame with EBP and ESP both pointing to the bottom of the frame (for example MC6816, M32R).

If you press <Enter> even without changing any parameter,IDA will reanalyze the function.

Sometimes, EBP points to the middle of the stack frame. FPD (frame pointer delta) is used to handle such situations. FPD is the value substracted from the EBP before accessing variables. An example:

In our example, the saved registers area is empty (since EBP has been initialized before saving EBX and ESI). The difference between the 'typical BP' and 'actual BP' is 0x78 and this is the value of FPD.

After specifying FPD=0x78 the last instruction of the example becomes

where var_4 = -4

Most of the time, IDA calculates the FPD value automatically. If it fails, the user can specify the value manually.

If the value of the stack pointer is modified in an unpredictable way, (e.g. "and esp, -16"), then IDA marks the function as "fuzzy-sp".

If this command is invoked for an imported function, then a simplified dialog box will appear on the screen.

Function flags

The following flags can be set in function properties:

Does not return

The function does not return to caller (for example, calls a process exit function or has an infinite loop). If no-return analysis is enabled in , IDA will not analyze bytes following the calls to this function.

Far function

On processors which distinguish near and far functions (e.g. PC x86), mark the function as 'far'. This may affect the size of the special field reserved for the return address, as well as analysis of calls to this function.

Library func

Mark the function as part of compiler runtime library code. This flag is usually set when applying

Static func

Mark the function as static. Currently this flag is not used by IDA and is simply informational.

BP based frame

Inform IDA that the function uses a frame pointer (BP/EBP/RBP on PC) to access . The operands of the form [BP+xxx] will be automatically converted to .

BP equal to SP

Frame pointer points to the bottom of the stack instead of at the beginning of the local variables area as is typical.

Fuzzy SP

Function changes SP by an unknown value, for example: and esp, 0FFFFFFF0h

Outlined code

The function is not a real function but a fragment of multiple functions' common instruction sequence extracted by the compiler as a code size optimization (sometimes called "code factoring"). During decompilation, body of the function will be expanded at the call site.

Append Function Tail

This command appends an arbitrary range of the program to a function definition. A range must be selected before applying this command. This range must not intersect with other function chunks (however, an existing tail can be added to multiple functions).

IDA will ask to select the parent function for the selection and will append the range to the function definition.

Remove Function Tail

This command removes the function tail at the cursor from a function definition.

If there are several parent functions for the current function tail range, IDA will ask to select the parent function(s) to remove the tail from.

After the confirmation, the current function tail range will be removed from the selected function definition.

If the parent was the only owner of the current tail, then the tail will be destroyed. Otherwise it will still be present in the database. If the removed parent was the owner of the tail, then another function will be selected as the owner.

Delete Function

Deleting a function deletes only information about a function, such as information about stack variables, comments, function type, etc.

The instructions composing the function will remain intact.

Set Function End

This command changes the current or previous function bounds so that its end will be set at the cursor. If it is not possible, IDA beeps.

Edit the argument location

Allow to edit argument or return value location.

Stack Variables Window

This command opens the stack variables window for the current function.

The stack variables are internally represented as a structure. This structure consists of two parts: local variables and function arguments.

You can modify stack variable definitions here: add/delete/define stack variables, enter comments for them.

There may be two special fields in this window: " r" and " s". They represent the size of the function return address and of the saved registers in bytes. You cannot modify them directly. To change them, use command.

Offsets at the line prefixes represent offsets from the frame pointer register (BP). The window indicator at the lower left corner of the window displays offsets from the stack pointer.

In order to create or delete a stack variable, use data definitions commands (, , , , ). Also you may define or comments.

The defined stack variables may be used in the program by converting operands to .

Esc closes this window.

See also .

Change Stack Pointer

This command allows you to specify how the stack pointer (SP) is modified by the current instruction.

You cannot use this command if the current instruction does not belong to any .

You will need to use this command only if IDA was not able to trace the value of the SP register. Usually IDA can handle it but in some special cases it fails. An example of such a situation is an indirect call of a function that purges its parameters from the stack. In this case, IDA has no information about the function and cannot properly trace the value of SP.

Please note that you need to specify the difference between the old and new values of SP.

The value of SP is used if the current function accesses local variables by [ESP+xxx] notation.

See also .

Rename register

This command allows you to rename a processor general register to some meaningful name. While this is not used very often on IBM PCs, it is especially useful on RISC processors with lots of registers.

For example, a general register R9 is not very meaningful and a name like 'CurrentTime' is much better.

This command can be used to define a new register name as well as to remove it. Just move the cursor on the register name and press enter. If you enter the new register name as an empty string, then the definition will be deleted.

If you have selected a range before using this command, then the definition will be restricted to the selected range. But in any case, the definition cannot cross the function boundaries.

You cannot use this command if the current instruction does not belong to any .

Set function/item type

This command allows you to specify the type of the current item.

If the cursor is located on a name, the type of the named item will be edited. Otherwise, the current function type (if there is a function) or the current item type (if it has a name) will be edited.

The function type must be entered as a C declaration. Hidden arguments (like 'this' pointer in C++) should be specified explicitly. IDA will use the type information to comment the disassembly with the information about function arguments. It can also be used by the Hex-Rays decompiler plugin for better decompilation.

Here is an example of a function declaration:

To delete a type declaration, please enter an empty string.

IDA supports the user-defined calling convention. In this calling convention, the user can explicitly specify the locations of arguments and the return value. For example:

denotes a function with 2 arguments: the first argument is passed on the stack (IDA automatically calculates its offset) and the second argument is passed in the ESI register and the return value is stored in the EBX register. Stack locations can be specified explicitly:

There is a restriction for a __usercall function type: all stack locations should be specified explicitly or all are automatically calculated by IDA. General rules for the user defined prototypes are:

- for really complicated cases can be used. IDA also understands the "__userpurge" calling convention. It is the same thing as __usercall, the only difference is that the callee cleans the stack.

The name used in the declaration is ignored by IDA.

If the default calling convention is __golang then explicit specification of stack offsets is permitted. For example:

This declaration means that myprnt is a print-like function; the format string is the second argument and the variadic argument list starts at the third argument.

Below is the full list of attributes that can be handled by IDA. Please look up the details in the corresponding compiler help pages.

For data declarations, the following custom __attribute((annotate(X))) keywords have been added. The control the representation of numbers in the output:

__bin unsigned binary number

__oct unsigned octal number

__hex unsigned hexadecimal number

__dec signed decimal number

__sbin signed binary number

__soct signed octal number

__shex signed hexadecimal number

__udec unsigned decimal number

__float floating point

__char character

__segm segment name

__enum()

__off offset expression (a simpler version of __offset)

__offset()

__strlit() __stroff()

__custom()

__invsign inverted sign

__invbits inverted bitwise

__lzero add leading zeroes

__tabform()

The following additional keywords can be used in type declarations:

_BOOL1 a boolean type with explicit size specification (1 byte)

_BOOL2 a boolean type with explicit size specification (2 bytes)

_BOOL4 a boolean type with explicit size specification (4 bytes)

__int8 a integer with explicit size specification (1 byte)

__int16 a integer with explicit size specification (2 bytes)

__int32 a integer with explicit size specification (4 bytes)

__int64 a integer with explicit size specification (8 bytes)

__int128 a integer with explicit size specification (16 bytes)

_BYTE an unknown type; the only known info is its size: 1 byte

_WORD an unknown type; the only known info is its size: 2 bytes

_DWORD an unknown type; the only known info is its size: 4 bytes

_QWORD an unknown type; the only known info is its size: 8 bytes

_OWORD an unknown type; the only known info is its size: 16 bytes

_TBYTE 10-byte floating point value

_UNKNOWN no info is available

__pure pure function: always returns the same value and does not modify memory in a visible way

__noreturn function does not return

__usercall user-defined calling convention; see above

__userpurge user-defined calling convention; see above

__golang golang calling convention

__swiftcall swift calling convention

__spoils explicit spoiled-reg specification; see above

__hidden hidden function argument; this argument was hidden in the source code (e.g. 'this' argument in c++ methods is hidden)

__return_ptr pointer to return value; implies hidden

__struct_ptr was initially a structure value

__array_ptr was initially an array

__unused unused function argument __cppobj a c++ style struct; the struct layout depends on this keyword

__ptr32 explicit pointer size specification (32 bits)

__ptr64 explicit pointer size specification (64 bits)

__shifted declaration

__high high level prototype (does not explicitly specify hidden arguments like 'this', for example) this keyword may not be specified by the user but IDA may use it to describe high level prototypes

__bitmask a bitmask enum, a collection of bit groups

Shifted pointers

Sometimes in binary code we can encounter a pointer to the middle of a structure. Such pointers usually do not exist in the source code but an optimizing compiler may introduce them to make the code shorter or faster.

Such pointers can be described using shifted pointers. A shifted pointer is a regular pointer with additional information about the name of the parent structure and the offset from its beginning. For example:

The above declaration means that myptr is a pointer to 'int' and if we decrement it by 20 bytes, we will end up at the beginning of 'mystruct'.

Please note that IDA does not limit parents of shifted pointers to structures. A shifted pointer after the adjustment may point to any type except 'void'.

Also, negative offsets are supported too. They mean that the pointer points to the memory before the structure.

When a shifted pointer is used with an adjustment, it will be displayed with the 'ADJ' helper function. For example, if we refer to the memory 4 bytes further, it can be represented like this:

Shifted pointers are an improvement compared to the CONTAINING_RECORD macro because expressions with them are shorter and easier to read.

See also command.

Scattered argument locations

If we have this function prototype:

the 64bit GNU compiler will pass the structure like this:

Since compilers can use such complex calling conventions, IDA needs some mechanism to describe them. Scattered argument locations are used for that. The above calling convention can be described like this:

It reads:

In other words, the following syntax is used:

where

The regoff and size fields can be omitted if there is no ambiguity.

If the register is not specified, the expression describes a stack location:

where

Please note that while IDA checks the argument location specifiers for soundness, it cannot perform all checks and some wrong locations may be accepted. In particular, IDA in general does not know the register sizes and accepts any offsets within them and any sizes.

See also command.

Data representation: enum member

Syntax:

Instead of a plain number, a symbolic constant from the specified enum will be used. The enum can be a regular enum or a bitmask enum. For bitmask enums, a bitwise combination of symbolic constants will be printed. If the value to print cannot be represented using the specified enum, it will be displayed in red.

Example:

Another example:

This annotation is useful if the enum size is not equal to the variable size. Otherwise using the enum type for the declaration is better:

Data representation: offset expression

where

type is one of:

The type can also be the name of a custom refinfo.

It can be combined with the following keywords:

The base, target delta, and the target can be omitted. If the base is BADADDR, it can be omitted by combining the type with AUTO:

Zero based offsets without any additional attributes and having the size that corresponds the current application target (e.g. REF_OFF32 for a 32-bit bit application), the shoft __off form can be used.

Examples:

This annotation is useful the type of the pointed object is unknown or the variable size is different from the usual pointer size. Otherwise it is better to use a pointer:

Data representation: string

Syntax:

where strtype is one of:

It may be followed by two optional string termination characters (only for C). Finally, the string encoding may be specified, as the encoding name or "no_conversion" if the string encoding was not explicitly specified.

Example:

Data representation: structure offset

Syntax:

Instead of a plain number, the name of a struct or union member will be used. If delta is present, it will be subtracted from the value before converting it into a struct/union member name.

Example:

Another example:

Data representation: custom data type and format

Syntax:

where dtid is the name of a custom data type and fid is the name of a custom data format. The custom type and format must be registered by a plugin beforehand, at the database opening time. Otherwise, custom data type and format ids will be displayed instead of names.

Data representation: tabular form

Syntax:

This keyword is used to format arrays. The following flags are accepted:

It is possible to combine NODUPS with the index radix: NODUPS|HEX

The `lineitems` and `alignment` attributes have the meaning described for the command.

Example:

Without this annotation, the `dup` keyword is permitted, number of items on a line and the alignment are not defined.

See also submenu.