LogoLogo
IDA 9.0
IDA 9.0
  • Welcome to Hex-Rays docs
    • What's new?
  • Getting Started
    • Install IDA
    • Licensing
    • Basic Usage
    • What's next?
  • User Guide
    • User Interface
      • Menu Bar
        • File
          • Load file
          • Script File
          • Script command
          • Produce output files
          • Invoke OS Shell
          • Take database snapshot
          • Save database
          • Save database as...
          • Abort IDA
          • Exit IDA
        • Edit
          • Export data
          • Undo an action
          • Redo an action
          • Clear undo history
          • Disable undo
          • Convert to instruction
          • Convert to data
          • Convert to string literal
          • Convert to array
          • Undefine a byte
          • Give Name to the Location
          • Operand types
            • Offset
            • Number
            • Perform en masse operation
            • Convert operand to character
            • Convert operand to segment
            • Complex Offset Expression
            • Convert operand to symbolic constant (enum)
            • Convert operand to stack variable
            • Change operand sign
            • Bitwise negate operand
            • User-defined operand
            • Set operand type
          • Comments
          • Functions
          • Structs
          • Segments
          • Patch core
          • Other
            • Rename Any Address
          • Plugins
        • Jump
          • Center current line in window
          • Problems List
        • Search
          • REGULAR EXPRESSION SYNTAX SUMMARY
        • View
          • Open subviews
          • Graphs
          • Message Window
          • Arrows window
          • Database snapshot manager
          • Highlighting identifiers
          • Browser options
          • Lumina options
          • Assembler level and C level types
          • C++ type details
          • Bookmarks window
          • Calculator
          • View segment registers
          • View Internal Flags
          • Hide
          • Unhide
          • Del hidden range
          • Hide all items
          • Unhide all items
          • Setup hidden items
        • Debugger
          • Debugger window
          • Process Control
            • Start process
            • Process options
            • Pause process
            • Terminate process
            • Step into
            • Step over
            • Run to cursor
            • Run until return
            • Attach to process
            • Detach from process
            • Set current ip
            • Show application screen
          • Breakpoints
          • Watches
          • Tracing
          • Source code view
            • Watch view (source level)
          • Process Memory
            • Take memory snapshot
            • Manual memory regions
            • Refresh memory
          • Thread list
          • Module list
          • Stack trace
          • Exceptions
          • Debugger options
          • Switch debugger
        • Lumina
        • Options
          • Low & High Suspicious Operand Limits
        • Windows
          • Rename a stack variable
          • Miscellanous Options
          • Environment variables
          • Reset Hidden Messages
          • Various dialog help messages
        • List of all menu options
      • Desktops
      • Command line
      • How To Use List Viewers in IDA
      • Licenses
        • Apache License for Ghidra
        • Apache License for LLVM
        • Common Public License Version 1.0
        • APPLE PUBLIC SOURCE LICENSE
        • PCRE2 LICENCE
        • GNU Lesser General Public License v2.1 for libiberty
      • Database conversion from idb to i64
    • Disassembler
      • Interactivity
      • Background Analysis
      • Graph view
        • Graphing tutorial
      • Proximity view
      • Navigation
        • Anchor
        • How to Enter a Segment Value
        • How to Enter a Number
        • How to Enter an Identifier
        • How to enter text
        • How to Enter an Address
      • Disassembly Gallery
        • Philips 51XA-G3
        • 6502 and 65C02 Disassembler
        • 6301, 6303, 6800, 6801 and 6803 Disassembler
        • 68040, Amiga
        • 6805 Disassembler
        • 6808 Disassembler
        • 6809 OS9 Flex Disassembler
        • 6809 Disassembler
        • 6811 Disassembler
        • 68HC12 Disassembler
        • 68HC16 Disassembler
        • 68k Amiga Disassembler
        • 68k Mac OS
        • 68k Palm Pilot
        • Unix COFF
        • NEC 78k0 and 78k0s Processor
        • 80196 Processor
        • 8051 Disassembler
        • Analog Devices 218x.
        • Alpha Processor – NT COFF
        • Alpha Processor – Unix ELF
        • Android ARM Executables (.elf)
        • ARC Processor
        • ARM Processor EPOC App
        • ARM Processor EPOC PE File
        • ARM Processor EPOC ROMFile
        • EPOC SIS File Handler
        • ARM Processor iOS (iPhone): Unlock
        • ARM Processor iOS (iPhone): Objective-C metadata
        • ARM Processor iOS (iPhone): Objective-C Instance variables
        • ARM Processor iOS (iPhone): Parameter Identification & Tracking (PIT)
        • ARM Processor iOS (iPhone): Start
        • ARM Processor iOS (iPhone): Switch statements
        • ARM Processor iOS (iPhone): C++ signatures
        • ARM Processor iOS (iPhone): Write
        • ARM Processor: Linux ELF
        • ARM Processor: AOF SDK
        • ARM Processor: Windows CE COFF Format
        • ARM Processor: Windows CE PE Format
        • ATMEL AVR Disassembler
        • C166 Processor
        • C166 Processor with ELF file
        • Rockwell C39
        • Microsoft .NET CLI Disassembler. VisualBasic library
        • CR16
        • Android Dalvik Executables (.dex)
        • Microsoft .NET CLI Disassembler
        • DSP56K
        • Fujitsu FR (.elf)
        • Gameboy
        • H8 300: COFF FILE Format
        • H8 300s: COFF FILE Format
        • H8 500
        • HPPA Risc Processor: HP-UX SOM
        • i51
        • i860
        • Intel i960
        • Intel IA-64 (Itanium)
        • Java Bytecode
        • Angstrem KR 1878
        • Renesas/Hitachi M16C
        • Renesas/Hitachi M32R
        • M740
        • M7700
        • M7900
        • MIPS Processor: Nintendo N64
        • MIPS R5900 Processor : Sony bin
        • MIPS Processor: Sony ELF
        • MIPS Processor: Sony PSX
        • MIPS Processor: Sony PSX
        • MIPS Processor: Unix COFF File Format
        • MIPS Processor: Unix ELF File Format
        • MIPS Processor: Windows CE PE File Format
        • MIPS Processor: Windows CE PE2 File Format
        • Panasonic MN102
        • Atmel OAK DSP
        • 80×86 Architecture: DOS Extender
        • 80×86 Architecture: Watcom Runtime
        • 80×86 Architecture: Geos APP
        • 80×86 Architecture: Geos DRV
        • 80×86 Architecture: Geos LIB
        • 80×86 Architecture: GNU COFF Format
        • 80×86 Architecture: OS/2 Linear Executable Format
        • 80×86 Architecture: Netware NLM
        • 80×86 Architecture: QNX Executable
        • 80×86 Architecture: Watcom Runtime
        • 80×86 Architecture: Windows OMF
        • 80×86 Architecture: Windows Portable Executable Format
        • 80×86 Architecture: Windows Virtual Device Driver
        • 80×86 Architecture: Windows 16 bits DLL
        • X-Box Disassembler
        • PDP 11: SAV File
        • PIC
        • PIC 12xx
        • Power PC AIF ECOFF file Format
        • Power PC Linux ELF
        • Mac OS PEF File
        • Mac OS X File
        • Windows NT PE File
        • Hitachi SH-1 Processor
        • Hitachi SH-3 Processor: Windows CE COFF format
        • Hitachi SH-3 Processor: Windows CE PE format
        • Hitachi SH-4 Processor: ELF File Format
        • Hitachi SH-4 Processor: Windows CE PE File Format
        • Super Nintendo Entertainement System (SNES)
        • SPARC Solaris COFF
        • SPARC Solaris ELF
        • SPARC Sun ELF
        • SPARC Sun ELF SO
        • ST 20C4
        • ST 7
        • ST 9
        • Toshiba TLCS 900
        • TMS 320c2 COFF
        • TMS 320c5
        • TMS 320c54
        • TMS 320c6 COFF File Format
        • TRICORE
        • SunPlus unSP
        • NEC V850
        • Z180 COFF File Format
        • Z380 COFF File Format
        • Z8
        • Z80
      • Supported processors
      • Supported file formats
        • Windmp file loader
      • Bitfields
        • Bit Fields tutorial
      • Structures tutorial
      • Union tutorial
      • Variable length structures tutorial
      • Data types, operands and constructs
      • Packed executables
    • Decompiler
      • Prerequisites
      • Quick primer
      • Exception handler
      • Introduction to Decompilation vs. Disassembly
        • Comparisons of ARM disassembly and decompilation
        • Comparisons of PowerPC disassembly and decompilation
        • Comparisons of MIPS disassembly and decompilation
        • Hex-Rays v7.4 vs. v7.3 Decompiler Comparison Page
        • Hex-Rays v7.3 vs. v7.2 Decompiler Comparison Page
        • Hex-Rays v7.2 vs. v7.1 Decompiler Comparison Page
      • Interactive operation
        • Rename
        • Set type
        • Set number representation
        • Edit indented comment
        • Edit block comment
        • Hide/unhide C statements
        • Split/unsplit expression
        • Force call type
        • Set call type
        • Add/del variadic arguments
        • Del function argument
        • Add/delete function return type
        • Jump to cross reference
        • Jump to cross reference globally
        • Generate HTML file
        • Mark/unmark as decompiled
        • Copy to assembly
        • Show/hide casts
        • Reset pointer type
        • Convert to struct *
        • Create new struct type
        • Split variable
        • Select union field
        • Jump to paired paren
        • Collapse/uncollapse item
        • Map to another variable
      • Batch operation
      • Configuration
      • Third party plugins
      • Floating point support
      • Support for intrinsic functions
      • Overlapped variables
      • gooMBA
      • Failures and troubleshooting
      • FAQ
      • Limitations
      • Tips and tricks
    • Debugger
      • Instant debugger
      • Remote debugging
        • Remote iOS Debugger
        • Android debugger
        • Dalvik debugger
        • Remote GDB Debugger
          • Remote GDB Debugger options
          • Debugging with gdbserver
          • Debugging with VMWare
          • Debugging with OpenOCD
          • Debugging with QEMU
          • External programs and GDB Debugger
          • Debugging code snippets with QEMU
        • PIN debugger
          • Building the PIN tool
          • Connecting a remote PIN tool instance from IDA
          • PIN support for MacOSX
        • Replayer debugger
        • Bochs debugger
          • Bochs Disk Image operation mode
          • Bochs IDB operation mode
          • Bochs PE operation mode
          • Bochs debugger FAQ
      • Local debugging
        • WinDbg Debugger
        • Linux debugger
        • Intel/ARM macOS debugger
      • Debugger tutorials
        • Debugging Dalvik Programs
        • IDA Win32 Local Debugging
        • IDA Linux Local Debugging
        • IDA Linux to Win64 Debugging
        • IDA Win32 to Linux Debugging
        • Debugging Mac OSX Applications with IDA Pro
        • Debugging iOS Applications using CoreDevice (iOS 17 and up)
        • Debugging iOS Applications with IDA Pro
        • Debugging Linux Applications locally
        • Debugging Linux/Windows Applications with PIN Tracer module
        • Debugging Windows Applications with IDA Bochs Plugin
        • Debugging Windows Applications with IDA WinDbg Plugin
        • Using the Bochs debugger plugin in Linux
        • Debugging Windows Kernel with VMWare and IDA WinDbg Plugin
        • Debugging Linux Kernel under VMWare using IDA GDB debugger
        • Windows Debugger Hub
        • Linux Debugger
        • Debugging a Windows executable locally and remotely
        • Debugging the XNU Kernel with IDA Pro
        • Remote debugging with IDA Pro
        • IDA Scriptable Debugger: overview
          • IDA Scriptable Debugger: scriptability
        • Debugging code snippets with QEMU debugger (a la IDA Bochs debugger)
        • Trace Replayer and managing traces
        • Using IDA Pro's tracing features
        • Working with PIN
        • Appcall
    • Creating Signatures
      • FLIRT
        • IDA F.L.I.R.T. Technology: In-Depth
        • Generate FLIRT signature file
        • Supported Compilers
          • Turbo Pascal
          • Delphi
      • Makesig
    • Creating Type Libraries
      • IDAClang
      • TILIB
    • Configuration
      • Configuration files
      • Command line switches
      • Keyboard macros
      • UI/Fonts/Themes
      • Shortcuts
      • Customizing IDA
      • CSS-based styling
    • Teams
      • IDA Teams Licenses
      • Diffing and Merging Databases with IDA Teams
      • Teams lc command reference manual
      • hv command reference manual
      • Hex-Rays Vault’s visual client user manual
    • Lumina
      • lc command reference manual
    • Plugins
      • Open Plugin Architecture
      • Plugin options
      • Plugins Shipped with IDA
        • Swift plugin
        • Golang plugin
        • Rust plugin
        • picture_search
        • Objective-C Analysis Plugin
        • DYLD Shared Cache Utils
        • Borland RTTI descriptors plugin
        • DWARF plugin
        • Patfind plugin
        • IDA Feeds
          • FLIRT Signature Bundle
      • Plugin Contest
      • How to write your own plugin?
    • Helper Tools
    • idalib
  • Developer Guide
    • C++ SDK
      • Getting Started with C++ SDK
      • C++ SDK Reference
      • Using the Decompiler SDK: Decompiler plugin
      • C++ SDK examples
      • How to create a plugin in C++?
      • C++ SDK Porting Guide from IDA 8.x to 9.0
    • IDAPython
      • Getting started with IDAPython
      • IDAPython API Reference
      • IDAPython examples
      • How to create a plugin in IDAPython?
      • IDAPython Porting Guide from IDA 8.x to 9.0
    • IDC
      • Core concepts
        • Expressions
        • Statements
        • Functions
        • Variables
        • Constants
        • Exceptions
        • Classes
        • Predefined symbols
        • loader_input_t class
        • Slices
      • IDC API Reference
        • Index of debugger related IDC functions
        • Alphabetical list of IDC functions
          • is_member_id
          • load_type
          • get_member_by_idx
          • get_ordinal_limit
          • set_selector
          • enable_tracing
          • get_prev_fixup_ea
          • del_segm
          • get_bmask_cmt
          • end_type_updating
          • Find
          • toggle_bnot
          • patch_byte
          • get_module_info
          • set_member_name
          • create_float
          • del_struc_member
          • read_dbg_memory
          • get_enum_width
          • getn_thread_name
          • del_struc
          • filelength
          • set_manual_insn
          • is_value...() functions
          • get_ip_val
          • del_extra_cmt
          • create_insn
          • op_offset_high16
          • get_cmt
          • expand_struc
          • get_idb_path
          • set_frame_size
          • get_file_ext
          • has_value
          • readshort
          • sanitize_file_name
          • get_member_flag
          • create_struct
          • ARM specific
          • set_enum_member_cmt
          • rename
          • set_ida_state
          • get_member_size
          • msg
          • qbasename
          • get_enum_member_enum
          • auto_mark_range
          • plan_to_apply_idasgn
          • set_named_type
          • op_offset
          • rename_entry
          • strlen
          • get_extra_cmt
          • get_enum_flag
          • fgetc
          • op_stkvar
          • get_last_index
          • get_field_ea
          • get_struc_id
          • select_thread
          • create_array
          • get_struc_cmt
          • set_array_string
          • set_func_attr
          • set_storage_type
          • get_struc_size
          • demangle_name
          • get_next_fixup_ea
          • get_next_bmask
          • delattr
          • gen_simple_call_chart
          • patch_qword
          • get_enum_name
          • loader_input_t.getc
          • get_debugger_event_cond
          • read_dbg_qword
          • define_local_var
          • generate_disasm_line
          • add_idc_hotkey
          • tolower
          • del_selector
          • set_debugger_event_cond
          • get_imagebase
          • gen_file
          • get_entry
          • find_custom_data_format
          • get_debug_name_ea
          • add_default_til
          • set_func_end
          • exit_process
          • delete_array
          • xtol
          • get_exception_code
          • detach_process
          • set_enum_cmt
          • get_wide_word
          • put_bookmark
          • is_loaded
          • add_enum_member
          • parse_decls
          • readstr
          • get_entry_qty
          • ord
          • sprintf
          • get_root_filename
          • get_enum_member_cmt
          • create_word
          • set_func_flags
          • loader_input_t.tell
          • create_align
          • read_dbg_dword
          • next_addr
          • get_bytes
          • batch
          • start_process
          • process_config_line
          • del_user_info
          • qmakefile
          • set_struc_name
          • print_decls
          • create_custom_data
          • del_enum_member
          • format_cdata
          • get_fixup_target_sel
          • get_item_size
          • loader_input_t.gets
          • get_last_bmask
          • Step Tracing Options
          • selector_by_name
          • get_enum_cmt
          • next_not_tail
          • prev_head
          • set_color
          • set_numbered_type
          • get_member_name
          • auto_wait
          • get_enum_member_bmask
          • fseek
          • get_segm_start
          • attach_process
          • Trace file functions
          • get_enum_member_value
          • op_stroff
          • get_next_offset
          • set_processor_type
          • get_bookmark_desc
          • create_data
          • lastattr
          • get_operand_value
          • collect_stack_trace
          • toupper
          • get_fixup_target_dis
          • set_cmt
          • add_entry
          • set_segm_addressing
          • qmake_full_path
          • get_source_linnum
          • fputc
          • resume_thread
          • get_func_attr
          • get_first_enum_member
          • add_sourcefile
          • get_first_bmask
          • read_selection_start
          • hasattr
          • get_member_cmt
          • gen_flow_graph
          • get_array_element
          • get_tinfo
          • loader_input_t
          • tinfo_errstr
          • TRUNC
          • add_segm_ex
          • Local types information and manipulation helpers
          • set_source_linnum
          • get_next_enum_member
          • loader_input_t.readbytes
          • set_array_params
          • jumpto
          • get_bookmark
          • set_enum_bf
          • prev_not_tail
          • toggle_sign
          • loader_input_t.size
          • Trace events functions
          • get_func_flags
          • get_gotea
          • set_segm_attr
          • get_item_head
          • set_default_sreg_value
          • print_insn_mnem
          • set_member_cmt
          • get_ordinal_qty
          • set_target_assembler
          • add_user_stkpnt
          • set_local_type
          • Hidden ranges
          • del_items
          • compile_idc_text
          • Dalvik debugger extension functions
          • byte_value
          • create_dword
          • is_code
          • del_func
          • get_enum
          • make_array
          • rotate_left
          • recalc_spd
          • search_path
          • CommonBits
          • get_processor_name
          • set_func_cmt
          • get_prev_bmask
          • Hashes
          • split_sreg_range
          • process_ui_action
          • set_fixup
          • get_fixup_target_type
          • create_oword
          • get_flags
          • get_func_name
          • create_strlit
          • add_struc
          • atol
          • load_debugger
          • mkdir
          • sizeof
          • get_enum_member_by_name
          • save_database
          • guess_type
          • get_segm_name
          • print_operand
          • qisabspath
          • get_member_qty
          • set_struc_cmt
          • get_fixup_target_flags
          • idadir
          • object.retrieve
          • add_auto_stkpnt
          • get_numbered_type_name
          • get_enum_member_name
          • get_next_index
          • prev_addr
          • get_name_ea
          • get_sp_delta
          • set_bmask_cmt
          • readlong
          • set_segm_name
          • get_prev_offset
          • set_segm_alignment
          • get_strlit_contents
          • forget_exception
          • get_item_end
          • add_func
          • get_name
          • Asks
          • get_spd
          • Debugger: control
          • get_wide_byte
          • plan_and_wait
          • set_enum_flag
          • RunPythonStatement
          • del_sourcefile
          • find_selector
          • get_frame_regs_size
          • op_num
          • define_exception
          • create_double
          • create_byte
          • read_selection_end
          • OpTypes
          • op_plain_offset
          • move_segm
          • get_member_id
          • set_segm_combination
          • get_current_thread
          • trim
          • Debugger: options
          • getn_thread
          • get_frame_id
          • typeinfo.print
          • to_ea
          • rebase_program
          • add_struc_member
          • get_exception_qty
          • get_first_index
          • import_type
          • set_segm_type
          • find_custom_data_type
          • get_next_seg
          • find_func_end
          • get_last_enum_member
          • getattr
          • get_frame_size
          • get_screen_ea
          • loader_input_t.read
          • set_reg_value
          • Debugger: modules
          • create_pack_real
          • writestr
          • exec_idc
          • get_enum_size
          • set_enum_name
          • create_tbyte
          • sel2para
          • atoa
          • loader_input_t.close
          • add_enum
          • ltoa
          • substr
          • del_idc_hotkey
          • Breakpoint handling functions
          • loader_input_t.seek
          • cleanup_appcall
          • object.store
          • get_type
          • qexit
          • get_debug_name
          • get_array_id
          • Can't Open File
          • suspend_process
          • process_config_directive
          • get_entry_name
          • get_last_member
          • get_struc_name
          • clear_selection
          • fclose
          • firstattr
          • create_yword
          • dbg_appcall
          • get_qword
          • patch_dword
          • begin_type_updating
          • read_dbg_byte
          • get_fpnum
          • qsleep
          • get_first_member
          • get_nsec_stamp
          • del_stkpnt
          • eval
          • savefile
          • eval_python
          • Xrefs
          • strstr
          • writeshort
          • get_sreg
          • get_segm_end
          • get_func_off_str
          • set_func_start
          • del_array_element
          • get_full_flags
          • set_exception_flags
          • rename_array
          • get_frame_args_size
          • op_flt
          • get_min_spd_ea
          • apply_type
          • get_prev_index
          • loadfile
          • retrieve_input_file_md5
          • get_wide_dword
          • patch_dbg_byte
          • Functions provided by the WinDbg debugger
          • get_original_byte
          • get_member_strid
          • call_system
          • writelong
          • get_thread_qty
          • nextattr
          • send_dbg_command
          • get_first_seg
          • get_processes
          • patch_word
          • get_manual_insn
          • ftell
          • get_entry_ordinal
          • set_array_long
          • delete_all_segments
          • TO_LONG
          • Function chunk related functions
          • Debugger: events
          • get_prev_func
          • op_seg
          • validate_idb_names
          • fprintf
          • fopen
          • strfill
          • del_fixup
          • get_bmask_name
          • inf_attr
          • is_bf
          • read_dbg_word
          • qdirname
          • get_segm_attr
          • func_contains
          • del_source_linnum
          • get_sourcefile
          • clr_database_flag
          • set_name
          • Refresh Screen
          • op_enum
          • getn_enum
          • get_db_byte
          • setattr
          • get_forced_operand
          • op_bin
          • Functions provided by the replayer debugger
          • prevattr
          • update_extra_cmt
          • get_str_type
          • op_man
          • choose_func
          • set_bmask_name
          • get_curline
          • decode_insn
          • set_segment_bounds
          • set_segm_class
          • write_dbg_memory
          • get_exception_name
          • get_enum_member
          • is_mapped
          • del_enum
          • get_frame_lvar_size
          • get_operand_type
          • set_root_filename
          • compile_idc_file
          • typeinfo.size
          • get_local_tinfo
          • get_fixup_target_off
          • is_union
          • unlink
          • get_segm_by_sel
          • set_enum_width
          • take_memory_snapshot
          • exec_python
          • get_next_func
          • get_member_offset
          • get_func_cmt
          • parse_decl
          • create_qword
          • next_head
          • suspend_thread
          • loader_input_t.getz
          • get_color
          • get_reg_value
          • load_and_run_plugin
          • set_database_flag
          • set_enum_member_name
          • set_member_type
          • get_prev_enum_member
      • IDC examples
        • Analyzing encrypted code
  • Admin Guide
    • Lumina server
    • Teams server
    • License server
      • Hex-Rays License Server Migration Guide
  • Release Notes
    • IDA 9.0
    • IDA 8.4sp2
    • IDA 8.4sp1
    • IDA 8.4
    • IDA 8.3
    • IDA 8.2sp1
    • IDA 8.2
    • IDA 8.1
    • IDA 8.0sp1
    • IDA 8.0
    • IDA 7.7sp1
    • IDA 7.7
    • IDA 7.6sp1
    • IDA 7.6
    • IDA 7.5sp3
    • IDA 7.5sp2
    • IDA 7.5sp1
    • IDA 7.5
    • IDA 7.4sp1
    • IDA 7.4
    • IDA 7.3
      • IDA 7.3 Undo: IDA can do it
    • IDA 7.2
      • IDA 7.2 The Mac Rundown
    • IDA 7.1
      • IDA 7.1 Debugger API 7.1 Porting Guide
    • IDA 7.0sp1
    • IDA 7.0
      • Internationalization (i18n)
      • Automatic discovery of string literals
      • API 7.0 Porting Guide
      • IDAPython backward compatibility
    • IDA 6.95
    • IDA 6.9
    • IDA 6.8
    • IDA 6.7
    • IDA 6.6
    • IDA 6.5
    • IDA 6.4
    • IDA 6.3
    • IDA 6.2
    • IDA 6.1
    • IDA 6.0
    • IDA 5.7
    • IDA 5.6
    • IDA 5.5
      • 5.5 Gallery
      • 5.5 Comparison
    • IDA 5.4
    • IDA 5.3
    • IDA 5.2
    • IDA 5.1
    • IDA 5.0
    • IDA 4.9SP
    • IDA 4.9
    • IDA 4.8
    • IDA 4.7
    • IDA 4.6
    • IDA 4.x
    • IDA 3.x
    • Cumulative bugfix for IDA
  • Archive
    • IDA’s Windbg plugin
    • IDA’s Bochs debugger plugin
    • IDA’s Bochs debugger plugin 2
    • DosWin32
    • Hex-Rays v1.1 vs. v1.0 Decompiler Comparison Page
    • Hex-Rays v1.2 vs. v1.1 Decompiler Comparison Page
    • Hex-Rays v1.3 vs. v1.2 Decompiler Comparison Page
    • Hex-Rays v1.6 vs. v1.5 Decompiler Comparison Page
    • Hex-Rays v1.7 vs. v1.6 Decompiler Comparison Page
    • Costly Greetings – An Adventure In Hostile Code Analysis
    • An Adventure In Hostile Code Analysis: Description
    • An Adventure In Hostile Code Analysis: Disassembly
    • Improved code flow analysis
    • Program Navigation Bar
    • IDA Home Contest
    • Pimp My IDA: vote results
    • Turning off IDA 6.x compatibility in IDAPython
    • Porting guide for IDA 7.4 turning off IDA 6.x API backwards-compatibility by default
    • Porting guide for IDA 7.4 IDAPython and Python 3
    • IDAPython and Python 3
    • Porting guide for changes in IDAPython-on-Python-3 APIs
    • Debugging iOS Applications With IDA
    • IDA Win32 to Win32 Debugging
    • IDA Win32 to Win64 Debugging
    • Legacy license server: Floating Licenses
      • Installing on Linux
      • Installing on Windows
      • Installing on OS X
    • Decompiler Installation
    • Enumerated types tutorial
  • Bug Bounty
Powered by GitBook
On this page
  • Debugging Mac OSX Applications with IDA Pro
  • Overview
  • Codesigning & Permissions
  • Using the Mac Debug Server
  • Using a Launch Agent
  • Debugging System Applications
  • Debugging System Libraries
  • Debugging Modules in dyld_shared_cache
  • Debugging Objective-C Applications
  • Decompiling Objective-C at Runtime
  • Debugging Over SSH
  • Dealing With Slow Connections
  • Debugging arm64 Applications on Apple Silicon
  • Debugging arm64e System Applications
  • Apple Silicon: TL;DR
  • Support

Was this helpful?

Export as PDF
  1. User Guide
  2. Debugger
  3. Debugger tutorials

Debugging Mac OSX Applications with IDA Pro

Last updated 7 months ago

Was this helpful?

LogoLogo

Need Help?

  • FAQs
  • Support

Community

  • Forum
  • Plugins

Resources

  • Blog
  • Download center

© 2025 Copyright Hex-Rays

Debugging Mac OSX Applications with IDA Pro

Last updated on March 6, 2021 — v2.0

Overview

IDA Pro fully supports debugging native macOS applications.

Intel x86/64 debugging has been supported since IDA 5.6 (during OSX 10.5 Leopard), but due to IDA’s use of libc++ we can only officially support debugging on OSX 10.9 Mavericks and later. Apple Silicon arm64 debugging for macOS11 is also supported since IDA 7.6.

Note that this task is riddled with gotchas, and often times it demands precise workarounds that are not required for other platforms. In this tutorial we will purposefully throw ourselves into the various pitfalls of debugging on a Mac, in the hopes that learning things the hard way will ultimately lead to a smoother experience overall.

Begin by downloading samples:

which contains the sample applications used in this writeup.

Codesigning & Permissions

It is important to note that a debugger running on macOS requires in order to function properly. This means that the debugger itself must be codesigned in such a way that MacOS allows it to inspect other processes.

The main IDA Pro application is not codesigned in this way. Later on we’ll discuss why.

To quickly demonstrate this, let’s open a binary in IDA Pro and try to debug it. In this example we’ll be debugging the helloworld app from samples.zip:

on MacOSX 10.15 Catalina using IDA 7.5. Begin by loading the file in IDA:

$ alias ida64="/Applications/IDA\ Pro\ 7.5/ida64.app/Contents/MacOS/ida64"
$ ida64 helloworld

Now go to menu Debugger>Select debugger and select Local Mac OS X Debugger:

Immediately IDA should print a warning message to the Output window:

This program must either be codesigned or run as root to debug mac applications.

This is because IDA is aware that it is not codesigned, and is warning you that attempting to debug the target application will likely fail. Try launching the application with shortcut F9. You will likely get this error message:

Codesigning IDA Pro might resolve this issue, but we have purposefully decided not to do this. Doing so would require refactoring IDA’s internal plugin directory structure so that it abides by Apple’s bundle structure guidelines. This would potentially break existing plugins as well as third-party plugins written by users. We have no plans to inconvenience our users in such a way.

Also note that running IDA as root will allow you to use the Local Mac OS X Debugger without issue, but this is not advisable.

A much better option is to use IDA’s mac debug server - discussed in detail in the next section.

Using the Mac Debug Server

A good workaround for the debugging restrictions on macOS is to use IDA’s debug server - even when debugging local apps on your mac machine. The mac debug server is a standalone application that communicates with IDA Pro via IPC, so we can ship it pre-codesigned and ready for debugging right out of the box:

$ codesign -dvv /Applications/IDA\ Pro\ 7.5/idabin/dbgsrv/mac_server64
Executable=/Applications/IDA Pro 7.5/ida.app/Contents/MacOS/dbgsrv/mac_server64
Identifier=com.hexrays.mac_serverx64
Format=Mach-O thin (x86_64)
CodeDirectory v=20100 size=6090 flags=0x0(none) hashes=186+2 location=embedded
Signature size=9002
Authority=Developer ID Application: Hex-Rays SA (ZP7XF62S2M)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=May 19, 2020 at 4:13:31 AM

Let’s try launching the server:

$ /Applications/IDA\ Pro\ 7.5/idabin/dbgsrv/mac_server64
IDA Mac OS X 64-bit remote debug server(MT) v7.5.26. Hex-Rays (c) 2004-2020
Listening on 0.0.0.0:23946...

Now go back to IDA and use menu Debugger>Switch debugger to switch to remote debugging:

Now use Debugger>Process options to set the Hostname and Port fields to localhost and 23946.

(Note that the port number was printed by mac_server64 after launching it):

Also be sure to check the option Save network settings as default so IDA will remember this configuration.

Now go to _main in the helloworld disassembly, press F2 to set a breakpoint, then F9 to launch the process. Upon launching the debugger you might receive this prompt from the OS:

After providing your credentials the debugger should start up without issue:

Using a Launch Agent

To simplify using the mac server, save the following XML as com.hexrays.mac_server64.plist in ~/Library/LaunchAgents/:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.hexrays.mac_server64</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/IDA Pro 7.5/dbgsrv/mac_server64</string>
        <string>-i</string>
        <string>localhost</string>
    </array>
    <key>StandardOutPath</key>
    <string>/tmp/mac_server64.log</string>
    <key>StandardErrorPath</key>
    <string>/tmp/mac_server64.log</string>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>

Now mac_server64 will be launched in the background whenever you log in. You can connect to it from IDA at any time using the Remote Mac OS X Debugger option. Hopefully this will make local debugging on macOS almost as easy as other platforms.

Debugging System Applications

There are some applications that macOS will refuse to allow IDA to debug.

For example, load /System/Applications/Calculator.app/Contents/MacOS/Calculator in IDA and try launching the debugger. You will likely get this error message:

Disabling SIP allows IDA to debug applications like Calculator without issue:

The effects of SIP are also apparent when attaching to an existing process. Try using menu Debugger>Attach to process, with SIP enabled there will likely only be a handful of apps that IDA can debug:

Disabling SIP makes all system apps available for attach:

It is unfortunate that such drastic measures are required to inspect system processes running on your own machine, but this is the reality of MacOS. We advise that you only disable System Integrity Protection when absolutely necessary, or use a virtual machine that can be compromised with impunity.

Debugging System Libraries

With IDA you can debug any system library in /usr/lib/ or any framework in /System/Library/.

This functionality is fully supported, but surprisingly it is one of the hardest problems the mac debugger must handle. To demonstrate this, let’s try debugging the _getaddrinfo function in libsystem_info.dylib.

Consider the getaddrinfo application from samples.zip:

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  if ( argc != 2 )
  {
    fprintf(stderr, "usage: %s <hostname>\n", argv[0]);
    return 1;
  }

  struct addrinfo hints;
  memset(&hints, 0, sizeof(hints));

  hints.ai_family = AF_INET;
  hints.ai_flags |= AI_CANONNAME;

  struct addrinfo *result;
  int code = getaddrinfo(argv[1], NULL, &hints, &result);
  if ( code != 0 )
  {
    fprintf(stderr, "failed: %d\n", code);
    return 2;
  }

  struct sockaddr_in *addr_in = (struct sockaddr_in *)result->ai_addr;
  char *ipstr = inet_ntoa(addr_in->sin_addr);
  printf("IP address: %s\n", ipstr);

  return 0;
}

Try testing it out with a few hostnames:

$ ./getaddrinfo localhost
IP address: 127.0.0.1
$ ./getaddrinfo hex-rays.com
IP address: 104.26.10.224
$ ./getaddrinfo foobar
failed: 8

Now load libsystem_info.dylib in IDA and set a breakpoint at _getaddrinfo:

$ ida64 -o/tmp/libsystem_info /usr/lib/system/libsystem_info.dylib

Choose Remote Mac OS X Debugger from the Debugger menu and under Debugger>Process options be sure to provide a hostname in the Parameters field. IDA will pass this argument to the executable when launching it:

Before launching the process, use Ctrl+S to pull up the segment list for libsystem_info.dylib. Pay special attention to the __eh_frame and __nl_symbol_ptr segments. Note that they appear to be next to each other in memory:

This will be important later.

Finally, use F9 to launch the debugger and wait for our breakpoint at _getaddrinfo to be hit. We can now start stepping through the logic:

Everything appears to be working normally, but use Ctrl+S to pull up the segment information again. We can still see __eh_frame, but it looks like __nl_symbol_ptr has gone missing:

It is actually still present, but we find it at a much higher address:

IDA was able to detect this situation and adjust the database so that it matches the layout in process memory. This functionality is fully supported, but it is not trivial. Essentially the debugger must split your database in half, rebase all code segments to one address, then rebase all data segments to a completely different address.

It is worth noting there is another approach that achieves the same result, but without so much complexity.

Debugging Modules in dyld_shared_cache

As an alternative for the above example, note that you can load any module directly from a dyld_shared_cache file and debug it. For example, open the shared cache in IDA:

$ ida64 -o/tmp/libsystem_info2 /var/db/dyld/dyld_shared_cache_x86_64h

When prompted, select the "single module" option:

Then choose the libsystem_info module:

Select the Remote Mac OS X Debugger and for Debugger>Process options use the exact same options as before:

Now set a breakpoint at _getaddrinfo and launch the process with F9.

After launching the debugger you might see this warning:

This is normal. Modules from the dyld_shared_cache will contain tagged pointers, and IDA patched the pointers when loading the file so that analysis would not be hindered by the tags. IDA is warning us that the patches might cause a discrepancy between the database and the process, but in this case we know it’s ok. Check Don’t display this message again and don’t worry about it.

Launching the process should work just like before, and we can start stepping through the function in the shared cache:

This time there was no special logic to map the database into process memory. Since we loaded the module directly from the cache, segment mappings already match what’s expected in the process. Thus only one rebasing operation was required (as apposed to the segment scattering discussed in the previous example).

Both techniques are perfectly viable and IDA goes out of its way to fully support both of them. In the end having multiple solutions to a complex problem is a good thing.

Debugging Objective-C Applications

When debugging macOS applications it is easy to get lost in some obscure Objective-C framework. IDA’s mac debugger provides tools to make debugging Objective-C code a bit less painful.

Consider the bluetooth application from samples.zip:

#import <IOBluetooth/IOBluetooth.h>

int main(void)
{
  NSArray *devices = [IOBluetoothDevice pairedDevices];
  int count = [devices count];
  for ( int i = 0; i < count; i++ )
  {
    IOBluetoothDevice *device = [devices objectAtIndex:i];
    NSLog(@"%@:\n", [device name]);
    NSLog(@"  paired:    %d\n", [device isPaired]);
    NSLog(@"  connected: %d\n", [device isConnected]);
  }
  return 0;
}

The app will print all devices that have been paired with your host via Bluetooth. Try running it:

$ ./bluetooth
2020-05-22 16:27:14.443 bluetooth[17025:15645888] Magic Keyboard:
2020-05-22 16:27:14.443 bluetooth[17025:15645888]   paired:    1
2020-05-22 16:27:14.443 bluetooth[17025:15645888]   connected: 1
2020-05-22 16:27:14.443 bluetooth[17025:15645888] Apple Magic Mouse:
2020-05-22 16:27:14.443 bluetooth[17025:15645888]   paired:    1
2020-05-22 16:27:14.443 bluetooth[17025:15645888]   connected: 1
2020-05-22 16:27:14.443 bluetooth[17025:15645888] iPhone SE:
2020-05-22 16:27:14.443 bluetooth[17025:15645888]   paired:    0
2020-05-22 16:27:14.443 bluetooth[17025:15645888]   connected: 0

Let’s try debugging this app. First consider the call to method +[IOBluetoothDevice pairedDevices]:

If we execute a regular instruction step with F7, IDA will step into the _objc_msgSend function in libobjc.A.dylib, which is probably not what we want here. Instead use shortcut Shift+O. IDA will automatically detect the address of the Objective-C method that is being invoked and break at it:

This module appears to be Objective-C heavy, so it might be a good idea to extract Objective-C type info from the module using right click -> Load debug symbols in the Modules window:

This operation will extract any Objective-C types encoded in the module, which should give us some nice prototypes for the methods we’re stepping in:

Let’s continue to another method call - but this time the code invokes a stub for _objc_msgSend that IDA has not analyzed yet, so its name has not been properly resolved:

In this case Shift+O should still work:

Shift+O is purposefully flexible so that it can be invoked at any point before a direct or indirect call to _objc_msgSend. It will simply intercept execution at the function in libobjc.A.dylib and use the arguments to calculate the target method address.

However, you must be careful. If you use this action in a process that does not call _objc_msgSend, you will lose control of the process. It is best to only use it when you’re certain the code is compiled from Objective-C and an _objc_msgSend call is imminent.

Decompiling Objective-C at Runtime

The Objective-C runtime analysis performed by Load debug symbols will also improve decompilation.

Consider the method -[IOBluetoothDevice isConnected]:

Before we start stepping through this method we might want to peek at the pseudocode to get a sense of how it works. Note that the Objective-C analysis created local types for the IOBluetoothDevice class, as well as many other classes:

This type info results in some sensible pseudocode:

We knew nothing about this method going in - but it’s immediately clear that device connectivity is determined by the state of an io_service_t handle in the IOBluetoothObject superclass, and we’re well on our way.

Debugging Over SSH

In this section we will discuss how to remotely debug an app on a mac machine using only an SSH connection. Naturally, this task introduces some unique complications.

To start, copy the mac_server binaries and the bluetooth app from samples.zip:

to the target machine:

$ scp <IDA install dir>/dbgsrv/mac_server* user@remote:
$ scp bluetooth user@remote:

Now ssh to the target machine and launch the mac_server:

$ ssh user@remote
user@remote:~$ ./mac_server64
IDA Mac OS X 64-bit remote debug server(MT) v7.5.26. Hex-Rays (c) 2004-2020
Listening on 0.0.0.0:23946...

Now open the bluetooth binary on the machine with your IDA installation, select Remote Mac OS X Debugger from the debugger menu, and for Debugger>Process options set the debugging parameters. Be sure to replace <remote user> and <remote ip> with the username and ip address of the target machine:

Try launching the debugger with F9. You might get the following error message:

But since we’re logged into the mac via SSH, the OS has no way of prompting you with the authentication window and thus debugging permissions are refused.

Note that mac_server64 might have printed this workaround:

WARNING: The debugger could not acquire the necessary permissions from the OS to
debug mac applications. You will likely have to specify the proper credentials at
process start. To avoid this, you can set the MAC_DEBMOD_USER and MAC_DEBMOD_PASS
environment variables.

But this is an extreme measure. As an absolute last resort you can launch the mac_server with your credentials in the environment variables, which should take care of authentication without requiring any interaction with the OS. However there is a more secure workaround.

In your SSH session, terminate the mac_server process and run the following command:

$ security authorizationdb read system.privilege.taskport > taskport.plist

Edit taskport.plist and change the authenticate-user option to false:

<key>authenticate-user</key>
<false/>

Then apply the changes:

$ sudo security authorizationdb write system.privilege.taskport < taskport.plist

This will completely disable the debugging authentication prompt (even across reboots), which should allow you to use the debug server over SSH without macOS bothering you about permissions.

Dealing With Slow Connections

When debugging over SSH you might experience some slowdowns. For example you might see this dialog appear for several seconds when starting the debugger:

During this operation IDA is fetching function names from the symbol tables for all dylibs that have been loaded in the target process. It is a critical task (after all we want our stack traces to look nice), but it is made complicated by the sheer volume of dylibs loaded in a typical macOS process due to the dyld_shared_cache. This results in several megabytes of raw symbol names that mac_server must transmit over the wire every time the debugger is launched.

$ scp ios_deploy user@remote:

Then SSH to the remote mac and run it:

$ ./ios_deploy symbols -c /var/db/dyld/dyld_shared_cache_x86_64h -d mac_symbols
Extracting symbols from /var/db/dyld/dyld_shared_cache_x86_64h => mac_symbols
Extracting symbol file: 1813/1813
mac_symbols: done
$ zip -r mac_symbols.zip mac_symbols

Copy mac_symbols.zip from the remote machine to your host machine and unzip it. Then open Debugger>Debugger options>Set specific options and set the Symbol path field:

Now try launching the debugger again, it should start up much faster.

Also keep the following in mind:

  • Use /var/db/dyld/dyld_shared_cache_i386 if debugging 32-bit apps

  • You must perform this operation after every macOS update. Updating the OS will update the dyld_shared_cache, which invalidates the extracted symbol files.

  • The ios_deploy utility simply invokes dyld_shared_cache_extract_dylibs_progress from the dsc_extractor.bundle library in Xcode. If you don’t want to use ios_deploy there are likely other third-party tools that do something similar.

Debugging arm64 Applications on Apple Silicon

IDA 7.6 introduced the ARM Mac Debugger, which can debug any application that runs natively on Apple Silicon.

Debugging arm64e System Applications

Similar to Intel Macs, IDA cannot debug system apps on Apple Silicon until System Integrity Protection is disabled.

But here macOS introduces another complication. All system apps shipped with macOS are built for arm64e - and thus have pointer authentication enabled. This is interesting because ptruath-enabled processes are treated much differently within the XNU kernel. All register values that typically contain pointers (PC, LR, SP, and FP) will be signed and authenticated by PAC.

Thus, if a debugger wants to modify the register state of an arm64e process, it must know how to properly sign the register values. Only arm64e applications are allowed to do this (canonically, at least).

You may have noticed that IDA 7.6 ships with two versions of the arm64 debug server:

mac_server_arm64e is built specifically for the arm64e architecture, and thus will be able to properly inspect other arm64e processes. We might want to try running this version right away, but by default macOS will refuse to run any third-party software built for arm64e:

$ sudo nvram boot-args=-arm64e_preview_abi

After rebooting you can finally run mac_server_arm64e:

This allows you to debug any system application (e.g. /System/Applications/Calculator.app) without issue:

Also note that the arm64e ABI limitation means you cannot use the Local ARM Mac Debugger to debug system arm64e apps, since IDA itself is not built for arm64e. It is likely that Apple will break the arm64e ABI in the future and IDA might cease to work. We want to avoid this scenario entirely.

Using the Remote ARM Mac Debugger with mac_server_arm64e is a nice workaround. It guarantees ida.app will continue to work normally regardless of any breakages in the arm64e ABI, and we can easily ship new arm64e builds of the server to anybody who needs it.

Apple Silicon: TL;DR

To summarize:

  • Use mac_server_arm64 if you’re debugging third-party arm64 apps that aren’t protected by SIP

  • Use mac_server_arm64e if you’re feeling frisky and want to debug macOS system internals. You must disable SIP and enable nvram boot-args=-arm64e_preview_abi, then you can debug any app you want (arm64/arm64e apps, system/non-system apps, shouldn’t matter).

Support

Our Mac support team has years of experience keeping the debugger functional through rapid changes in the Apple developer ecosystem. It is likely that we can resolve your issue quickly.

macOS is picky about debugging permissions, and despite the fact that mac_server is properly codesigned you still must explicitly grant it permission to take control of another process. Thankfully this only needs to be done once per login session, so macOS should shut up until the next time you log out (we discuss how to disable this prompt entirely in the section below).

Despite the fact that mac_server64 is codesigned, it still failed to retrieve permission from the OS to debug the target app. This is because Calculator.app and all other apps in /System/Applications/ are protected by and they cannot be debugged until SIP is . Note that the error message is a bit misleading because it implies that running mac_server64 as root will resolve the issue - it will not. Not even root can debug apps protected by SIP.

Recall that we opened the file directly from the filesystem (/usr/lib/system/libsystem_info.dylib). However this is actually not the file that macOS loaded into memory. The libsystem_info image in process memory was mapped in from the , and the library’s segment mappings were modified before it was inserted into the cache.

This happened because debugging requires manual authentication from the user for every login session (via the Take Control prompt discussed under , above).

We can fix this by using the same trick that IDA’s uses to speed up debugging - by extracting symbol files from the dyld cache and parsing them locally. Start by downloading the utility from our downloads page, and copy it to the remote mac:

On Apple Silicon, the same rules apply (see above). The Local ARM Mac Debugger can only be used when run as root, so it is better to use the Remote ARM Mac Debugger with the debug server (mac_server_arm64), which can debug any arm64 app out of the box (see ).

We have included arm64 versions of the used in the previous examples. We encourage you to go back and try them. They should work just as well on Apple Silicon.

, this is because the arm64e ABI is not stable enough to be used generically. In order to run third-party arm64e binaries you must enable the following boot arg:

If you have any questions about this writeup or encounter any issues with the debugger itself in your environment, don’t hesitate to contact us at .

System Integrity Protection
disabled
dyld_shared_cache
Remote iOS Debugger
ios_deploy
sample binaries
According to Apple
support@hex-rays.com
Debugging Over SSH
Using the Mac Debug Server
Codesigning & Permissions
Using the Mac Debug Server
special permissions
16KB
samples.zip
archive
16KB
samples.zip
archive
16KB
samples.zip
archive
16KB
samples.zip
archive
16KB
samples.zip
archive
choose mac debugger
elevated permissions
switch debugger
process options1
developer tools
helloworld
permission denied
calc
proclist1
proclist2
getaddrinfo bpt
process options2
segments1
getaddrinfo bpt2
segments2
segments3
dyld1
dyld2
process options2
dyld3
dyld4
objc1
objc2
objc3
objc4
objc5
objc6
objc8
objc7
objc9
process options3
permission denied
symbols1
symbols2
arm64e1
arm64e2
arm64e3
arm64e4
arm64e5