Search
Last updated
Was this helpful?
Last updated
Was this helpful?
In this menu, you can select a command to search for something in the disassembly. Searches are relatively slow and your previous position is saved in the .
You can search for:
suspicious operands (instructions that need your attention)
pictures (i.e., raster images) in both - directions (up and down).
See also
Suspicious operands are the operands that need your attention because they contain an immediate value that could be a number or an offset. IDA does not know about it, so it marks these instructions as 'suspicious'. You can change the suspiciousness of the operands using set lower limit of suspicious operands and set upper limit of suspicious operands commands.
Data arrays are considered to be suspicious if the first element of the data array is within the lower and upper suspicious limits. Values of other elements are not examined.
This command searches for the first instruction in the current direction.
This command searches for the first defined data item in the current direction.
This command searches for the first unexplored byte in the current direction.
This command searches for the first defined byte (instruction or data) in the current direction.
This command searches for the first instruction or data byte that contains the specified immediate value. The command is relatively slow (but much faster than the text search), because it disassembles each instruction to find the operand values.
If the immediate value in an instruction has been logically or bitwise negated, then this command will check against the modified value. Example:
will be found if the user searches for the immediate value 2 but not when he searches for 0xFE.
If the checkbox "any untyped value" is checked, then the "value" field is ignored. IDA will look for all immediate values without type in this case.
This command repeats search for immediate command.
You may search for regular expressions too.
If a range is selected using anchor, IDA will search for the specified substring in the range.
Note that this command searches the same as what you see on your screen (and not in binary image).
For binary search, look at Search for substring in the file
This command repeats search for text command.
This command searches for the specified substring in the file being disassembled. This command can be used for fast lookups of text strings in the executable file or even to find references to a data. You can interrupt it pressing Ctrl-Break.
If a range is selected using anchor, IDA will search for the specified substring in the range.
The substring is specified like this:
i.e. in the double-quotes. Also you can specify individual byte values as numbers:
For example, if you want to find a reference to the following string:
you could search for number 106A in the file.
See also
search for text command.
This command repeats search for text in core command.
This command searches for the first byte not belonging to any function in the current direction.
The current direction for searches is displayed in the right upper corner of the screen. Using this command, you can toggle the display.
See also Options submenu.
This command searches for all suspicious operands and presents a list of them. You may use this list to examine the operands and modify them as needed.
See also
This commands searches for the 'error' operands. Usually, these operands are displayed with a red color.
Below is the list of probable causes of error operands:
This command searches for all strings containing any error and presents a list of them. You may use this list to examine errors and correct them as needed.
See also
You can disable the display of the 'suspicious' marks in the .
This command searches for the specified substring in the text representation of the disassembly. This command is a slow command, because it disassembles each instruction to get the text representation. IDA will show its progress on the . You can interrupt this command pressing Ctrl-Break.
Follow this to learn more about the format of the input string.