1 of 100

IDA 9.0

Welcome to Hex-Rays docs

Discover the core of Hex-Rays guides and manuals, guiding you through IDA features and real-life usage scenarios.

Getting Started

New to IDA? Explore our selection of documentation to guide you through the installation process and jumpstart your reverse engineering journey.

Our Guides

Delve into detailed guides to discover IDA features and maximize its capabilities.

What's new?

With IDA 9.0, we changed how the Hex-Rays documentation is organized and added new guides and tutorials to kickstart your IDA journey and ease the migration from previous IDA versions.

New Structure

Our docs are divided into three main categories:

User Guide, dedicated to individual users and covering whole IDA products (including add-ons, like Teams and Lumina). Most of the documentation regarding IDA, like manuals or tutorials, is currently accessible under the User Guide.
Developer Guide, which focuses on developer's needs, covers the reference and contextual documentation for IDAPython API and C++ SDK, as well as native IDC language. This part is mainly dedicated to plugin authors and devs interested in enhancing basic IDA capabilities with our development kit or scripting.
Admin Guide mainly focuses on administrators installing and managing servers for Teams and Lumina or floating licenses.

In Archive, we gathered docs with rather historical value that some of you may still find interesting but focused on previous versions of IDA.

New Getting Started Guides

We prepared a Getting Started section for IDA newbies and also gathered additional materials to help you find your way around our IDAPython API or IDA SDK.

Migration and Porting Guides

For those familiar with previous versions of IDA, we prepared Porting Guides for IDAPython and C++ SDK. If you use the Flexera server for floating licenses, check our Migration Guide for new Hex-Rays license server.

Getting Started

First experience with IDA? Great, you are in the right place. Here you can find guides designed to quickly onboard you into IDA. We will walk you through license activation and IDA installation to the essential tasks you can perform in IDA.

What's next?

User Interface

Menu Bar

All IDA commands are available from the followings menus:

File

In this submenu you can:

Load file Load file
Script command Execute a script command
Produce output file Generate output file
OS shell Execute OS commands
Save database Save database in packed form
Save database as... Save database in packed form in another file
Take database snapshot Take database snapshot
Abort Abort - do not save changes
Quit Quit to DOS - save changes

Script File

Script command

You can enter and execute a small script written in the built-in IDC language or any other registered extlang.

See also:

Invoke OS Shell

By using this command, you can temporarily quit to the operating system.

This command is not available in the MS DOS version.

The database is left open when you use this command, so be careful.

Take database snapshot

This command takes a database snapshot. The snapshot can be later restored from the database snapshot manager.

Note: snapshots work only with regular databases. Unpacked databases do not support them.

Save database

This command saves and packs the current database.

Save database as...

Abort IDA

 Action    name: Abort

This command terminates the current IDA session. The Abort command is not available if the database was not packed.

IDA will NOT save changes to the disk.

See also other File... submenu commands. Quit command.

Exit IDA

This command terminates the current IDA session. IDA will write all changes to the disk and will close all databases.

You can also perform garbage collection on the database before packing it. The garbage collection removes the unused database pages, making it smaller. However, IDA needs some free database pages when it works,therefore it will allocate them again when you reuse the database. Removing and adding free pages takes time and, what is most important, it changes the database control blocks.

Use garbage collection only when you do not intend to work with the database in the near future.

Export data

  "Export data" dialog can export binary data into different formats.

Undo an action

This command reverts the database to the state before executing the last user action. It is possible to apply Undo multiple times, in this case multiple user actions will be reverted.

Since there is a limit on the size of undo buffers, any action, even the tiniest, may become non-undoable after some time. This is true because the analysis or plugins may continue to modify the database and overflow the buffers. Some massive actions, like deleting a segment, may be non-undoable just because of the sheer amount of undo data they generate.

Please note that Undo does not affect the state of IDC or Python scripts. Script variables will not change their values because of Undo. Also nothing external to the database can be changed: created files will not be deleted, etc.

Some actions cannot be undone. For example, launching a debugger or resuming from a breakpoint cannot be undone.

See also

Redo an action

This command also reverts all changes that were done to the database after the last Undo command, including the eventual useful modifications made by the autoanalysis. In other words, the entire database is modified to get to the exact state that it had before executing the last Undo command.

See also

Clear undo history

This command clears the undo history. After it the Undo and Redo commands become unavailable. However, once the user performs a new action, IDA will again start journaling all database modifications.

A side effect of this command is fast autoanalysis: since there is no user action to revert yet, IDA does not maintain undo buffers and this speeds up the analysis.

See also

Disable undo

This command completely disables the undo feature.

See also

Convert to instruction

This command converts the current unexplored bytes to instruction(s). IDA will warn you if it is not possible.

If you have selected a range using the [anchor](../../../disassembler/navigation/anchor.md, all the bytes from this range will be converted to instructions.

If you apply this command to an instruction, it will be reanalyzed.

Convert to data

This command converts the current unexplored bytes to data. If it is not possible, IDA will warn you.

Multiple using of this command will change the data type:

Convert to string literal

This command converts the current unexplored bytes to a string.

The GUI version allows you to assign a special hotkey to create Unicode strings. To do so, change the value of the StringUnicode parameter in the IDAGUI.CFG file.

Pascal Strings

Undefine a byte

 Action    name: MakeUnknown

This command deletes the current instruction or data, converting it to 'unexplored' bytes. IDA will delete the subsequent instructions if there are no more references to them (functions are never deleted).

If you have selected a range using the anchor, all the bytes in this range will be converted into 'unexplored' bytes. In this case, IDA will not delete any other instructions even if there are no references to them after the deletion.

Perform en masse operation

If you have selected a range before applying an operand conversion command, IDA will display a dialog box.

You can choose a range of operands to perform an en masse operation:

The operation will be performed on all operands as a toggle. For example, if you ask to convert to a character, then all non-character operands will become characters, and all character operands will become non-chars.

This selection will convert all operands with the specified type to undefined operands. Example: all characters become non-characters.

This selection allows to convert all operands that do not have the specified type to the specified type. Example: all non-characters to characters.

This selection allows to convert all operands without any type to the specified type. Example: all operands with no type to characters.

IDA will check whether an operand can be represented with the specified type (as a character constant, for example), and perform type conversion only if the check is successful.

Convert operand to character

This command converts immediate operand(s) type of the current instruction/data to character.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

Convert operand to segment

This command converts the immediate operand(s) type of the current instruction/data to segment base. The segment bases are usually displayed like this:

If IDA cannot find a segment whose base is equal to the operand value, it simply displays it as hex number.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

Complex Offset Expression

A complex offset expression looks like

It is specified by:

The relationship between these parameters is (the formula is given for full offsets):

You always have to specify the offset type and base. Usually, the delta is equal to zero. For the full offset type you may omit the offset target, which is recommended. In this case, IDA will calculate it automatically. However, if you specify the offset target, make sure that the relationship between the parameters still holds. For the half offset types, you have to specify the target because there is no way to calculate it.

The offset types:

Convert operand to symbolic constant (enum)

If the selected enum is a bitfield, IDA will try to build a bitfield expression to represent the constant. Please note that for bitfields having multiple constants with the same value some expressions won't be possible.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise all other operands will be affected.

Convert operand to stack variable

This command converts immediate operand(s) type of the current instruction to an offset to stack variables, i.e. a local variable or function argument in the stack.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise all other operands will be affected.

Change operand sign

 Action    name: ChangeSign

This command changes the sign of the current operand. Please note that not all operands can change their sign.

See also: Edit|Operand types submenu. Enter #th operand manually commands. Set operand type

Bitwise negate operand

User-defined operand

You may specify any string instead of an operand if IDA does not represent the operand in the desired form. In this case, IDA will simply display the specified string in the instruction instead of the default operand.

The current operand (under the cursor) will be affected.

You can use this command not only with instructions but with data items too.

IDA proposes the previous manual operand as the default value in the input form.

To delete the manual operand and revert back to the default text, specify an empty string.

NOTE: A text offset reference is generated if you use a label in the program as the operand string. In other cases no cross-references are generated.

Set operand type

This command allows you to specify the type of the operand under the cursor.

The operand type must be entered as a C declaration. Currently IDA itself does not use the operand type information. However, it can be used by the Hex-Rays decompiler plugin. Setting operand type is most useful in case of indirect calls: the decompiler will use the type information to determine the input parameters to the call instead of guessing, which can make the decompiled code better.

An example of a type declaration:

To delete a type declaration, enter an empty string.

Rename Any Address

 Action    name: MakeAnyName

This command gives name/renames/deletes name for the specified address. This is a more powerful variant of Rename command.

To delete a name, simply give an empty name.

If the specified address is referenced, you cannot delete its name. Even if you try it, IDA will generate a dummy name.

This command is available only from the name window.

For an explanation about the dialog box entries, please see the Rename current address command.

Plugins

Center current line in window

 Action    name: CenterInWindow

This command centers the cursor.

View

Here are commands to open various windows, display information etc.

Graphs

Here are commands to draw various graphs:

IDA uses an external program to display graphs. The program name is wingraph32.exe and it is located in the current directory.

The user can zoom the graph and move it around the window.

Display function flow-chart

This command displays the flow chart of the current function.

The colored edges of the flow chart represent the outcome of conditional jump instructions. Green means that the condition is satisfied, red means not satisfied.

Display function call graph

This command displays the graph of all function calls in the program.

The functions are represented as nodes. The calls are represented as edges between nodes. Instructions outside functions are ignored.

Display chart of xrefs to addresses

This command displays the graph of code and data xrefs to current address/range of selected addresses in the program.

The addresses are represented as nodes. The xrefs are represented as edges between nodes.

Display chart of xrefs from addresses

This command displays the graph of code xrefs from the current address/range of selected addresses in the program.

In this direction, data xrefs aren't analyzed to avoid overloaded graphs.

The addresses are represented as nodes. The xrefs are represented as edges between nodes.

Display used-defined chart of xrefs

This command displays a user-defined graph of xrefs from/to the current address/range of selected addresses in the program.

The direction of the xrefs to analyze can be chosen. If the Recursive flag is checked, all found xrefs are themselves analyzed to find new xrefs. You can choose to search for xrefs to new referenced addresses only in the current direction. Only External, data xrefs, xrefs from library functions and to library functions can possibly be ignored.

A recursion depth can be specified. If 'Print recursion dots' is checked, and a function has others xrefs outside of the range defined by the 'recursion depth' setting, small nodes containing dots are printed.

The 'Print comments' flag causes the generated function node to also contain the function comment.

The addresses are represented as nodes. The xrefs are represented as edges between nodes. The used colors are the same as in IDA.

Message Window

IDA opens a special non-closable window at the start. This window is called "message window". In this window you see various IDA messages.

If the message window is hidden behind other windows, you will not see the IDA messages.

You can duplicate all messages appearing in this window to a file. For this, you have to define an environment variable:

        set IDALOG=logfile

Arrows window

In the graphical version, there is a small window with arrows on the left of the disassembly. These arrows represent the execution flow, namely the branch and jump instructions. The arrow color can be:

The arrow thickness can be:

Finally, the arrows can be solid or dotted. The dotted arrows represent conditional branches when the solid arrows represent unconditional branches.

You can resize the arrows window using a vertical splitter or even fully hide it. If it is hidden, the arrows window will not be visible on the screen but you can reveal it by dragging the splitter to the right. IDA remembers the current arrow window size in the registry when you close the disassembly window.

Database snapshot manager

 Action    name: ShowSnapMan

This command shows the database snapshot manager. In this dialog, it is possible to restore previously saved snapshots, rename or delete them.

Note: snapshots work only with regular databases. Unpacked databases do not support them.

See also Take database snapshot commands.

Highlighting identifiers

In the graphical version, IDA highlights the identifier under the cursor. For example, if the cursor is on the "EAX" register, then all occurrences of "EAX" will be displayed with the yellow background. This feature is meant to make the program analysis easier by highlighting the interesting parts of the disassembly. For example, if the user wants to see all references to "EAX", he just clicks on any "EAX" on the screen and all of them will be highlighted.

The selection is made by pressing the Up, Down, Left, Right keys or by simply clicking on the identifier.

The selection is not changed by pressing the PageUp, PageDown, Home, End keys, using the scrollbar, or pressing the Alt-Up, Alt-Down, Ctrl-Up, Ctrl-Down keys.

The Alt-Up and Alt-Down keys perform a search of the currently selected identifier backward or forward respectively.

The Ctrl-Up and Ctrl-Down keys scroll the disassembly text.

IDA does not highlight the segment names at the line prefix because it is not very useful.

It is possible to turn off the highlight. The appropriate checkbox is in the Options, General, Browser tab.

Browser options

This tab of IDA Options dialog allows for editing of hint and identifier highlight related settings. There are two groups of settings.

The first group is for hints that are displayed when the mouse is hovered over some text.

The second group is for highlighting.

Number of lines for identifier hints

Delay for identifier hints

Mouse wheel resizes hint window

No hints if debugger is active

Auto highlight the current identifier

Unhide collapsed items automatically when jumping to them (gui only)

Lazy jumps (gui only)

Number of items in navigation stack drop-down menus

Number of lines for auto scroll

Caret blinking interval

Lumina options

Lumina dialog box options

This options tab allows for modification of Lumina credentials and use settings.

Use the public server

Use a private server

Automatically use Lumina server for analysis

Lumina command line options

Command line switch '-Olumina' overrides for ida session the primary server and '-Osecondary_lumina' the secondary one.

List of options

Example

Use the public lumina as secondary server for this ida session

Assembler level and C level types

In order to provide intuitive yet powerful interface to types IDA introduces two kinds of types:

Since the user has to specify manually the member offset and other attributes, IDA considers the member offsets to be fixed for them and never shifts members of such types. If a member of struct becomes too big and does not fit the struct anymore, IDA will delete it.

C++ type details

IDA can parse and handle simple C++ class declarations. It cannot parse templates and other complex constructs but simple standard cases can be parsed.

If a C++ class contains virtual functions, IDA will try to rebuild the virtual function table (VFT) for the class. The VFT will be linked to the class by the name: if the class is called "A", the VFT type will be "A_vtbl".

Let us consider the following class hierarchy:

IDA will create the following structures:

Please note that the VFT pointer in the class A has a special name: "__vftable". This name allows IDA to recognize the pointer as a VFT pointer and treat it accordingly.

Another example of more complex class hierarchy:

Compiling in 32-bit Visual Studio mode yields the following layout:

IDA will generate the following types:

The 'derived' class will use 2 VFTs:

IDA and Decompiler can use both VFTs and produce nice code for virtual calls.

Please note that the VFT layout will be different in g++ mode and IDA can handle it too. Therefore it is important to have the target compiler set correctly.

It is possible to build the class hierarchy manually. Just abide by the following rules:

C++ classes are marked with "__cppobj" keyword, it influences the class layout. However, this keyword is not required for VFT types.

In the case of a multiple inheritance it is possible to override a virtual table for a secondary base class by declaring a type with the following name: "CLASSNAME_XXXX_vtbl" where XXXX is the offset to the virtual table inside the derived (CLASSNAME) class.

Example: if in the above example we add one more function

Bookmarks window

This command opens the bookmarks window. This window lets the user jump to a specific place in the listing.

View segment registers

 Action    name: ShowRegisters

This command displays segment register contents in the message window.

You may use this command to refresh the disassembly window too.

See also Edit|Segments submenu. View submenu.

View Internal Flags

Hide

 Action    name: Hide

This command allows you to hide a part of disassembly. You can hide a function, a segment, or create a special hidden range.

If a range is specified, a special hidden range is created on this range.

If the cursor is on the segment name at the start of the segment, the segment will be hidden. IDA will display only the header of the hidden segment.

If the cursor is on a structure variable and if the target assembler has the 'can display terse structures or the INFFL_ALLASM' bit on, then the structure will be collapsed into one line and displayed in the terse form.

Otherwise, the current function will be hidden. IDA will display only the header of the hidden function.

If there is no current function then IDA will beep.

If you want to see hidden items on the screen, you may use unhide command or enable the display of the hidden items. If you want to delete a previously created hidden range, you may use del hidden range command.

Del hidden range

 Action    name: DelHiddenRange

This command allows you to delete a hidden range of disassembly (previously defined by using the hide command).

Hide all items

This command allows you to hide:

all functions and hidden ranges if invoked in the disassembly window

IDA will display only the header of the hidden items.

Unhide all items

 Action    name: UnhideAll

This command allows you to unhide:

all segments, functions, and hidden ranges if invoked in the disassembly window

Setup hidden items

 Action    name: SetupHidden

This command allows you to toggle the display of hidden items.

Automatically hide library functions

        This option hides the functions recognized by FLIRT.
        If will have an effect only from the time when the option is set.

Display hidden instructions

        If this option is set, IDA will display all the instructions
        as unhidden even if they were hidden.

Display hidden functions

        If this options is set, IDA will display all the functions
        as unhidden even if they were hidden.

Display hidden segments

        If this options is set, IDA will display all the segments
        as unhidden even if they were hidden.

Debugger window

Opens the debugger window.

In this window, you can view the register values for the selected thread. The debugger always selects the thread where the latest debugging event occurred.

For most registers, we have two different boxes:

For a segment register, we only have one box indicating the current value.

For the flags register, we have one box indicating the current value, and small boxes indicating the status of the most important flags.

A popup menu is accessible everywhere in the window, which allows the user to show or hide different parts of the window: toolbar, thread list and available register classes.

Process Control

Start process

 Action    name: ProcessStart

This command starts the process in the debugger. If the process was suspended, it will continue its execution. See also

Attach to process...
Process options
Pause process
Terminate process
Detach from process
Debugger submenu

Pause process

 Action    name: ProcessPause

This command pauses a running process. Please note that it is not always possible to pause a process executing the system code. See also

Start process
Terminate process
Debugger submenu.

Terminate process

 Action    name: ProcessTerminate

This command terminates the debugged process. See also

Start process
Pause process
Detach from process
Debugger submenu.

Step into

This command executes one assembler instruction at a time, stepping into functions. See also

Step over

This command executes one assembler instruction at a time, stepping over procedures while executing them as a single unit.

Internally, in the case of a function call, IDA setups a temporary breakpoint on the instruction following this function call. See also

Run to cursor

This command executes instructions until the instruction under the cursor is reached.

Set current ip

This command sets the instruction pointer of the current suspended thread to the current cursor location.

Show application screen

This command displays the application screen.

It is useful for the text mode debugger.

When the debugged application runs in the same window as IDA itself, the application output is hidden by IDA windows. This command allows to see the application screen in this case.

To return to IDA display, press any key.

Source code view

This window shows the contents of a source code file. IDA automatically opens source views provided that proper mapping of the source code paths is specified in "Options, Source paths".

This window may also display a decompilation result because it is considered as a source code. This can be useful if the source files are not available.

Watch view (source level)

In this window the user can view values of selected variables.

Global variables (data item names) as well as variables that are local to the current function can be added by pressing Ins.

Expressions can be added to the view as well, they will be considered as IDC expressions.

Expressions may have a type cast at the beginning. For example

(int)0x12345678

means that the contents of the memory at the address 0x12345678 should be displayed as an integer. Note: to display strings use "char[]" as the typo.

Locals view (source level)

This window displays the values of the variables that are local to the current functions (register and stack based).

Licensing

In this document, we covered the basics regarding our licensing model: you can check how to activate your license depending on the license type, what to do with the downloaded license files, and how to finalize license settings while running IDA. This guide is dedicated to individual users.

Licenses overview

License types

In Hex-Rays, we offer two basic license types for IDA products, that are suitable for individual users:

Named licenses, that are assigned to specific individuals.
Computer licenses that are assigned to specific devices.

There is also an additional type, called floating licenses, that allow a set number of concurrent users but are not assigned to specific individuals or devices.

Floating licenses are available only for IDA Pro and dedicated to business/organization purposes.

What are license files, and where can I find them?

The license file contains your license ID and other data and is required to make your IDA instance fully operative after installation.

You can download your license file from My Hex-Rays portal, after its activation.

License Activation

To complete the installation, you need an active IDA license with an assigned owner or a MAC address. Without activation, you cannot download your license file.

What is needed to assign my license?

for named licenses: the email address of the owner,
for computer licenses: the MAC address of a specific device
for floating licenses: the MAC address of the device where the license server will be running

The license type (named/computer) is selected when you purchase your subscription.

Named licenses activation

Go to My Hex-Rays portal. On the left menu, select a customer to see licenses assigned to it.

Navigate to Licenses -> Subscriptions. On the list, find the license ID and product for which you want to activate the license. Under Actions column, click on the three dots, and then in the dropdown menu, click Activate license.

Your product's license needs to be in a Pending activation status to activate. If you haven't done so before, you'll need to undergo the KYC procedure for paid products.

In the new dialog, assign the ownership of the license: set the email address for this IDA instance user (it can be yours) and select decompilers. Optionally, select a Lumina and Teams server and tick the checkbox to send your license via email.

Click Assign button and then Click to confirm to finalize the assignment.
In the main subscriptions view, click on the three dots under Actions column, and in the dropdown menu, click Download license key to save it locally. You will need it to complete the installation process.

Navigate to the Download center on the left-side menu, locate your IDA product and base on your operating system, select an installer to download.

What's next?

Now you are ready to install your IDA instance.

Computer licenses activation

Go to My Hex-Rays portal. On the left menu, select a customer to see licenses assigned to it.

Navigate to Licenses -> Subscriptions. On the list, find the license ID and product for which you want to activate the license. Under Actions column, click on the three dots, and then in the dropdown menu, click Activate license.

Your product's license needs to be in a Pending activation status to activate. If you haven't done so before, you'll need to undergo the KYC procedure for paid products.

In the new dialog, assign the ownership of the license: set the MAC address of the machine where this IDA instance will be installed and running (it can be yours) and select decompilers. Optionally, select a Lumina and Teams server and tick the checkbox to send your license via email.

Click Assign button and then Click to confirm to finalize the assignment.
In the main subscriptions view, click on the three dots under Actions column, and in the dropdown menu, click Download license key to save it locally. You will need it to complete the installation process.

Navigate to the Download center on the left-side menu, locate your IDA product and base on your operating system, select an installer to download.

What's next?

Now you are ready to install your IDA instance.

Server licenses for businesses and organizations

In this part, we cover the basics of license activation for floating license servers, Teams and Private Lumina servers, and the floating license server.

The Admin Guide covers the comprehensive manual regarding installation and server management.

The server installers and license files are available via My Hex-Rays portal.

License server licenses

Floating licenses are managed by administrators and require a license server to work. If you purchase the floating licenses, you will see an additional license for the license server in your Hex-Rays portal.

License server activation for admins

Similar to named and computer licenses, license server licenses need to be activated in the My Hex-Rays portal.

Go to My Hex-Rays portal. On the left menu, select a customer to see licenses assigned to it.
Navigate to Licenses -> Subscriptions. On the list, find the license server ID for which you want to activate the license. Under Actions column, click on the three dots, and then in the dropdown menu, click Activate license.
In the new dialog, assign the ownership to the license server and provide the MAC address of the device where the license server will be running.
Click Assign button and then Click to confirm to finalize the assignment.
In the main subscriptions view, click on the three dots under Actions column, and in the dropdown menu, click Download license key to save it locally. You will need it to complete the installation process.
Navigate to the Download center on the left-side menu, and select a license server installer to download.

License server installation for admins

Server installation for floating licenses should be done by the administrator. Check our Admin Guide for details.

How can I start using IDA as a floating license user?

Once your administrator installs a license server, adds particular license seats to the pool, and hands over the credentials, you are ready to install your IDA instance.

You don't need to download a license file/key to your local machine while using the floating licenses server.

Floating licenses borrowing

Every time you launch IDA, you'll see the License Manager pop-up window. As long as there are free seats, you can borrow one of the available licenses and start using IDA.

Note that some of the available licenses may have different decompilers and add-ons enabled.

Add-ons servers' licenses

Each of our add-ons, Teams and Private Lumina, requires a separate server to work. The server license is provided with the first IDA instance/plan with the specific add-on enabled.

Teams server activation for admins

Similar to named/computer licenses and floating license server, the Teams server license needs to be activated in My Hex-Rays portal.

Teams server installation for admins

Server installation for Teams should be done by the administrator. Check our Admin Guide for details.

Private Lumina server activation for admins

Similar to named/computer licenses and floating license server, the Private Lumina server license needs to be activated in the My Hex-Rays portal.

Private Lumina server installation for admins

Server installation for Private Lumina should be done by the administrator. Check our Admin Guide for details.

Load file

This submenu allows you to load additional files into the database.

Reload input file
Script file
Binary file
IDS file
Debug information file
PDB debug information file
TDS debug information file
FLIRT signature file
C header file

Reload the input file

Action    name: ReloadFile

This command reloads the same input file into the database. IDA tries to retain as much information as possible in the database. All the names, comments, segmentation information and similar will be retained.

Only the values of individual bytes will be changed.

This command works for some input file types only: if the file was loaded into the database with special settings, this command may fail. In this case, use Dump database to IDC file command and reload the file manually.

See also Load... submenu commands.

Load additional file

 Action    name: LoadFile

This command loads a binary file. The new file is added to the current database and all existing information is retained.

The file content will appear as unexplored bytes in the program.

This command only allows you to load binary files.

See also Load... submenu commands.

Load IDS file

 Action    name: LoadIdsFile

This command loads an IDS file.

An IDS file contains information about well-known functions (such as functions from MS Windows API), namely:

        - their names
        - their ordinal number in the DLL
        - an eventual informative comment
        - the number of parameters passed on the stack
        - the number of parameters purged when returning

IDS files are automatically loaded if they are found in the IDS directory. This command allows you to load an IDS file from any directory, even after the main file has been loaded into the database.

See also Load... submenu commands.

Load debug information file

 Action    name: LoadDbgFile

This command loads a DBG file.

If the program being disassembled has a companion DBG file, then this command may be used to load information from a DBG file into the database. IDA loads DBG files automatically if it can find them in the directory with the input file.

The built-in debug information loader cannot load NB10 format files and PDB files. To load those files, please use a special plugin, PDB.DLL, which can be run manually using Edit->Plugins submenu. This plugin uses MS Windows DLLs to load the debug information and therefore has the following limitations:

        - it works only under MS Windows
        - it will load only PDBs compatible with the currently
          installed IMAGEHLP.DLL

See also Load... submenu commands.

Load PDB debug information file

 Action    name: LoadPdbFile

This command loads a PDB file.

If the program being disassembled has a companion PDB file, then this command may be used to load information from the PDB file into the database.

By default IDA uses in-house code to parse and load PDB files. However, our code can not parse old v2.0 PDB files. For them, IDA can fall back to using Microsoft DLLs (the default is "do not fall back"). Please read more in cfg/pdb.cfg.

Command line switch '-Opdb:option1:option2' overrides for ida session the value in cfg/pdb.cfg.

List of options

  off    : disable PDB
  pdbida : uses Hex-rays in-house code to parse and load PDB files.
  msdia  : uses Microsoft DLLs to parse and load PDB files.
           only available on Windows, for Linux/Macos you need to configure
           win32_remote.exe or win64_remote64.exe server in cfg/pdb.cfg
  fallback   : fallback from pdbida to msdia for the old 2.0 format
  nofallback : no fallback to msdia

Example

  -Opdb:off

Ida will not load PDB plugin for this session.

Load TDS debug information file

 Action    name: LoadTdsFile

This command loads a TDS file.

If the program being disassembled has a companion TDS file, this command may be used to load information from the TDS file into the database.

The TDS file must be placed in the same directory together with the input file.

The LoadTdsFile command launches a special plugin TDS.DLL which can be run manually using Edit->Plugins submenu.

See also Load... submenu commands.

Load FLIRT signature file

 Action    name: LoadSigFile

This command allows you to apply an additional signature file to the program.

A signature file contains patterns of standard runtime functions. With their help, IDA is able to recognize the standard functions and names them accordingly.

IDA attempts to detect the necessary signature files automatically but unfortunately, this is not always possible. This command adds the specified signature file into the planned signature files queue.

Signature files reside in the subdirectories of the SIG directory. Each processor has its own subdirectory. The name of the subdirectory is equivalent to the name of the processor module file (z80 for z80.w32, for example). Note: IBM PC signatures are located in the SIG directory itself. Note: the IDASGN environment variable can be used to specify the location of the signatures directory.

There is another way to load a signature file: you may insert/delete signature files in the following way:

        - open the signatures window
        - press Ins to insert a signature file to the queue
        - press Del to delete a signature file from the queue

This is a preferred way of applying signatures because useful information, such as the number of identified functions is displayed in the signature window.

FLIRT works only for the processors with normal byte size. The byte size must be equal to 8 (processors with wide bytes like AVR or DSP56K are not supported)

See also Load... submenu commands.

Load C header

 Action    name: LoadHeaderFile

This command allows you to apply type declarations from a C header file to the program.

IDA reads and parses the specified header file as a C compiler does. In other words, it mimics the front-end of a C compiler with some restrictions:

        - only type declarations are allowed. The function definitions
          in the input file are skipped
        - not all C++ header files are not supported, only simple classes can
          be parsed
        - the compiler specific predefined macros are not defined,
          you have to define them manually in the header file

Don't forget to specify the compiler and memory model in the compiler setup dialog box before loading a header file.

All type declarations found in the input file are stored in the current database in the form of a type library. These type declarations can be used to define new structure and enumeration definitions by pressing "Add standard structure" or "Add standard enum" buttons in the Add enum type... and Add struct type... dialog boxes.

In the case of an error in the input file, the error messages appear in the message window. In any case, the function declarations that are already parsed are not deleted from the database. IDA stops parsing the input file when 20 errors occur.

IDA 7.7 introduced an alternative header file parser based on libclang.

See also

Load... submenu commands.
Local types window
IDAClang plugin

IDAClang plugin

The IDAClang plugin is shipped with IDA, and it provides the ability to parse header files that contain arbitrarily complex C/C++/Objective-C source code using the Load C header action.

To enable the IDAClang parser, go to Options>Compiler>Source parser, and select "clang". Then use 'File>Load file>Parse C header file' to invoke the parser on a given source file.

Since IDAClang is based on the third-party libclang parser, it can only parse standalone source files that contain valid C/C++/Objective-C syntax.

Search

In this menu, you can select a command to search for something in the disassembly. Searches are relatively slow and your previous position is saved in the jump stack.

You can search for:

suspicious operands (instructions that need your attention)
instructions
data bytes
unexplored bytes
explored bytes
immediate operand values
substring in the text representation
substring in the binary image of the file
bytes not belonging to any function
find all suspicious operands
string with error
find all errors
pictures (i.e., raster images) in both - directions (up and down).

See also

Jump menu for fast navigating.
Menu Bar submenus

Search for next suspicious operand

Action    name: JumpSuspicious

Suspicious operands are the operands that need your attention because they contain an immediate value that could be a number or an offset. IDA does not know about it, so it marks these instructions as 'suspicious'. You can change the suspiciousness of the operands using set lower limit of suspicious operands and set upper limit of suspicious operands commands.

Data arrays are considered to be suspicious if the first element of the data array is within the lower and upper suspicious limits. Values of other elements are not examined.

You can disable the display of the 'suspicious' marks in the Comments Dialog.

NOTE: We strongly recommend that before producing an ASM file you go through all 'suspicious' marks and get rid of them. After this you have a certain level of confidence that the file has been disassembled correctly.

Search for next code

Action    name: JumpCode

This command searches for the first instruction in the current direction.

Search for next data

Action    name: JumpData

This command searches for the first defined data item in the current direction.

Search for next unexplored byte

Action    name: JumpUnknown

This command searches for the first unexplored byte in the current direction.

Search for next explored byte

 Action    name: JumpExplored

This command searches for the first defined byte (instruction or data) in the current direction.

Search for next instruction/data with the specified operand

 Action    name: AskNextImmediate

This command searches for the first instruction or data byte that contains the specified immediate value. The command is relatively slow (but much faster than the text search), because it disassembles each instruction to find the operand values.

If the immediate value in an instruction has been logically or bitwise negated, then this command will check against the modified value. Example:

        mov al, -2

will be found if the user searches for the immediate value 2 but not when he searches for 0xFE.

If the checkbox "any untyped value" is checked, then the "value" field is ignored. IDA will look for all immediate values without type in this case.

Repeat search for instruction/data with the specified operand

 Action    name: JumpImmediate

This command repeats search for immediate command.

Search for substring in the disassembly

 Action    name: AskNextText

This command searches for the specified substring in the text representation of the disassembly. This command is a slow command, because it disassembles each instruction to get the text representation. IDA will show its progress on the indicator. You can interrupt this command pressing Ctrl-Break.

You may search for regular expressions too.

If a range is selected using anchor, IDA will search for the specified substring in the range.

Note that this command searches the same as what you see on your screen (and not in binary image).

For binary search, look at Search for substring in the file

Repeat search for substring in the disassembly

Action    name: JumpText

This command repeats search for text command.

Search for substring in the file

Action    name: AskBinaryText

This command searches for the specified substring in the file being disassembled. This command can be used for fast lookups of text strings in the executable file or even to find references to a data. You can interrupt it pressing Ctrl-Break.

If a range is selected using anchor, IDA will search for the specified substring in the range.

The substring is specified like this:

        "This is substring to search"

i.e. in the double-quotes. Also you can specify individual byte values as numbers:

        6A 10

Follow this link to learn more about the format of the input string.

For example, if you want to find a reference to the following string:

 35F2:106A      db 'Hello',0

you could search for number 106A in the file.

See also

the input string format
search for text command.

Repeat search for substring in the file

Action    name: JumpBinaryText

This command repeats search for text in core command.

Search for bytes not belonging to any function

Action    name: JumpNotFunction

This command searches for the first byte not belonging to any function in the current direction.

Set Direction for Searches

 Action    name: SetDirection

The current direction for searches is displayed in the right upper corner of the screen. Using this command, you can toggle the display.

Find all suspicious operands

Action    name: FindAllSuspicious

This command searches for all suspicious operands and presents a list of them. You may use this list to examine the operands and modify them as needed.

See also

suspicious operands

Search for next string with error

Action    name: JumpError

This commands searches for the 'error' operands. Usually, these operands are displayed with a red color.

Below is the list of probable causes of error operands:

        - reference to an unexisting address
        - illegal offset base
        - unprintable character constant
        - invalid structure or enum reference
        - and so on...

Find all errors

Action    name: FindAllErrors

This command searches for all strings containing any error and presents a list of them. You may use this list to examine errors and correct them as needed.

See also

string with error

Offset

Convert operand to offset (data segment)
Convert operand to offset (code segment)
Convert operand to offset (any segment)
Convert operand to offset (user-defined base)
Convert operand to struct offset

Convert operand to offset (data segment)

 Action    name: OpOffset

This command converts the immediate operand of the current instruction/data to an offset from the current data segment (DS).

If current DS value is unknown (or equal 0xFFFF) IDA will warn you -- it will beep. In this case, you have to define DS register value for the current byte. The best way to do it is:

jump to segment register change point
change value of DS
return or you can change default value of DS for the current segment.

If you want to delete offset definition, you can use this command again - it works as trigger.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

If a range is selected using the anchor, IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified.

To create offsets to structure members use Convert to struct offset command.

See also:

Enter the operand manually command.
Set operand type

Convert operand to offset (code segment)

 Action    name: OpOffsetCs

This command converts the immediate operand of the current instruction/data to an offset from the current segment (CS).

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

If this command is applied to a structure member in the local types window, then IDA will create an "automatic offset". An automatic offset is an offset with the base equal to 0xFFFFFFFF. This base value means that the actual value of the base will be calculated by IDA when a structure instance is created.

To create offsets to structure members, use Convert to struct offset command.

See also:

Enter #th operand manually commands.
Set operand type

Convert operand to offset (any segment)

 Action    name: OpAnyOffset

This command converts the immediate operand of the current instruction/data to an offset from any segment.

IDA will ask to choose a base segment for the offset.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

To create offsets to structure members use Convert to struct offset command.

See also:

Enter #th operand manually commands.
Set operand type

Convert operand to offset (user-defined base)

Action    name: OpUserOffset

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

If the offset base is specified as 0xFFFFFFFF, then IDA will create "an automatic offset". Automatic offsets mean that the actual value of the base will be calculated by IDA.

The following offset attributes are available:

  Treat the base address as a plain number

        if checked, IDA will treat the base address as a number.
        In this case, IDA will not create a cross-reference to it
        and the base address will be printed as a number,
        not as an offset expression.

  Offset points past the main object

        Offsets of this type point past an object end.
        They do not cause an object created/deletion.

  Use image base as offset base

        These offsets are based on the image base.
        There is no need to explicitly specify the offset base.
        These offsets are displayed in a concise form:
          rva func
        instead of
          offset func - imagebase
        If you intend to reassemble the output file, execute the
        following IDC statement:
        set_inf_attr(INF_GENFLAGS, get_inf_attr(INF_GENFLAGS) & ~INFFL_ALLASM);

  Subtract operand value

        Use this option when the operand value should be substracted
        from the base to get the target address. In this case the displayed
        expression will be displayed as
          offset base - target
        instead of the usual
          offset target - base

  Signed operand

        Use this option if the operand should be interpreted
        as a signed value. This option is only available for OFF_REF8,
        OFF_REF16, OFF_REF32 and OFF_REF64 offset types.

  Operand value of 0 is invalid

        If the operand value is 0, the value will be highlighted in red.

  Operand value of NOT 0 is invalid

        If the operand value is zero's complement (i.e. all bits are set),
        the value will be highlighted in red.
        For example a OFF_REF16 with an operand value of 0xFFFF would be invalid.

  Use the current address as the offset base

The offset base is dynamically calculated and is equal to the address of the current element:

for standalone items: their start address
for arrays: the start of the array element
for structures: the start of the structure field The offset expression is displayed in the following concise form: offset target - $ where "$" denotes the start of the element (and is assembler-dependent). To create offsets to structure members use Convert to struct offset command.

See also:

Enter #th operand manually commands.
Set operand type

Convert operand to structure offset

 Action    name: OpStructOffset
 

 GUI version:
 ------------

This command permits to convert all immediate operands of instructions in a range selection to a path of offsets through a structure and its possible sub unions. If no selection is active, IDA will simply permit to convert the current operand. In this case, it will display a simple dialog box the same way as the text version (see below).

You can select the desired register in the drop-down list: all operands relative to this register will be added to the 'Offsets' list. A special empty line in the drop-down list is used to directly work on immediate values. Checkboxes in the 'Offsets' list allow you to select which operand you indeed want to modify. By default, IDA will select only undefined operands, to avoid overwriting previous type definitions. This list is sorted by operand value, by instruction address and finally by operand number. You can easily see the instructions related to the operand by moving the mouse over it, and wait for a hint to be displayed.

The 'Structures and Unions' tree will contain all selectable structures, and sub unions. Once you select or move over a structure, the 'Offsets' list updates itself for each checked offset: the computed name of the operand is displayed, according to the selected structure in the tree. An icon is also drawn, to easily know if a specific structure matchs the offset or not, or if the offset is too big for the selected structure. The structures who match the most offsets will be near the top of the tree. You can also move your mouse over structures in the tree to obtain an interesting hint.

A '?' icon can also appear, if the offset can be specialized by selecting an union member. In this case, if you expand the structure in the tree, you can select the adequate union member simply by checking the desired radio button. IDA automatically corrects the related name in the 'Offsets' list.

The 'Offset delta' value represents the difference between the structure start and the pointer value. For example, if you have an operand 4 and want to convert in into an expression like "mystruct.field_6-2", then you have to enter 2 as the delta. Usually the delta is zero, i.e. the pointer points to the start of the structure.

The 'Hide sub structures without sub unions' option (checked by default) avoids to add unnecessary sub structures to the tree, to keep it as small as possible. If you uncheck this option, all sub structures will be added to the tree.

By default, IDA displays the structure member at offset 0. To change this behaviour, you can directly disable the 'Force zero offset field' in the 'Options' frame. Later zero offsets can be forced using Edit, Structs, Force zero offset menu item.

 Text version:
 -------------

This command converts immediate operand(s) type of the current instruction/data to an offset within the specified structure. Before using this command, you have to define a structure type.

First of all, IDA will ask a so-called "struct offset delta". This value represents the difference between the structure start and the pointer value. For example, if you have an operand 4 and want to convert in into an expression like "mystruct.field_6-2", then you have to enter 2 as the delta. Usually the delta is zero, i.e. the pointer points to the start of the structure.

If a range is selected using the anchor, IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the an operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified.

When you use this command, IDA deletes the manually entered operand.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

By default IDA doesn't display the structure member at offset 0. To change this behaviour, use Force zero field offset command.

Moreover, if there are several possible representations (this can happen if unions are used), select the desired representation using the Select union member... command.

See also:

Enter #th operand manually command.
Set operand type

Related topics: Edit|Operand types submenu.

Jump

In this menu, you can select a command to jump to the specified location in the file. Jumps are very fast and your previous position is saved. This submenu contains the following items:

Jump immediate
Jump back
Undo last jump back
Empty navigation stack
Jump to address
Jump to named location
Jump to segment start
Jump to segment register change point
Jump to problematic location
Mark location
Jump to marked position
Jump to cross reference
Jump to cross reference to operand
Jump to function
Jump to entry point
Jump to file offset

See also

Search menu for fast navigating.
Jumps Stack concept.
Menu Bar submenus

Jump immediate

 Action    name: JumpEnter

By pressing <Enter> you navigate in the program in the same way as in a hypertext (the way the web browsers and help screens use).

This is the easiest way to explore the program: just position the cursor at the desired name and press "@<JumpEnter>".

Your current address is saved in the jump stack.

The Jump back command (usually Esc) will return you back.

If the cursor is at a stack variable, a window with stack variables is opened and the definition of the stack variable is displayed.

See also

Empty Stack command.

Jump back

 Action    name: Return

This command brings you back to the previous position in the history. It takes positions from Jumps Stack.

See also

Undo "jump back" command
Empty Stack command.

Undo the last 'Return' Command

 Action    name: UndoReturn

This command cancels the last Jump back command.

See also

Empty navigation stack command.

 Action    name: EmptyStack

This command clears the jump stack.

See also

Jump back command.

Jump stack

Each IDA Window has its own jump stack. This stack keeps the cursor locations. Many IDA commands use the jump stack, i.e. they save the old cursor position to the stack. For example, when you are at the address 3000:0100 and press the Ctrl-C key (find instruction), the 3000:0100 is saved into the jump stack and the search is started. Afterwards, you can return to the old position using Jump back command.

You can clear the jump stack using the Empty stack menu command.

Jump to the specified address

Action    name: JumpAsk

This command jumps to the specified address in the program. IDA will ask you for the target address. You can enter a name or an address as a hexadecimal number with or without a segment. If you enter a valid address then:

the current address is saved in the jump stack.
the cursor is positioned to the specified address. The Jump back command (usually Esc) will return you back.

In the structure and enum views, the cursor will be moved to the corresponding offset in the current type.

See also

How to Enter an Address.

Jump to the specified file offset

Action    name: JumpFileOffset

IDA will ask you for a target file offset. This command jumps to the address corresponding to this specified file offset. If this file offset corresponds to a valid address then:

the current address is saved in the jump stack.
the cursor is positioned to the corresponding address. The Jump back command (usually Esc) will return you back.

Jump to the named location

Action    name: JumpName

This command allows you to jump to a name definition by selecting it from the list of the names.

IDA will display the list of the names (sorted by addresses) and you can choose a name. Dummy names (generated by IDA) are not listed. Hidden names are not listed either. You can control which names are listed in the Names representation dialog box.

Jump to the specified segment

Action    name: JumpSegment

This command jumps to the start of the selected segment. IDA will ask you to select the target segment. After:

the current address is saved in the jump stack.
the cursor is positioned to the specified address. The Jump back command (usually Esc) will return you back.

See also:

How to choose a segment
Other segment related commands

Jump to the specified segment register change point

Action    name: JumpSegmentRegister

This command jumps to the selected Segment Register Change Point. IDA will ask you to select a target change point. And after:

the current address is saved in the jump stack.
the cursor is positioned to the specified address. The Jump back command (usually Esc) will return you back.

Jump to a problematic location

Action    name: JumpQ

This command allows you to jump to a problematic location. IDA will display the Problems List and will allow you to select a problem.

The Jump back command (usually Esc) will return you back.

Mark Position

 Action    name: MarkPosition

You can mark certain locations of the file to be able to jump to them quickly. Text description of the location may help to find a desired location easily.

First select a slot for the mark, then enter a description for the location.

Jump to previously marked position

Action    name: JumpPosition

This command jumps to the selected position. IDA will ask you to select a target position. After:

the current address is saved in the jump stack.
the cursor is positioned to the specified address.

The Jump back command (usually Esc) will return you back.

You can mark the position using Mark Position command.

Jump to cross reference

This command shows you a list of cross-references to the current location: you can jump to the selected one by pressing Enter.

Click here to see the description of the cross reference dialog box.

See also

Jump to Cross Reference From
Jump to Cross References to Operand

Cross reference attributes

The cross reference dialog displays a list of references to the various items. Each line has the following attributes:

Direction Up or Down. Meaningful for program address; denotes where the reference comes from, from the lower addresses than the reference target (down) or from higher addresses (up).

Type

        The following types exist:

          o - offset, the address of the item is taken
          r - read access
          w - write access
          t - textual referenced (used for manually specified operands)
          i - informational (e.g. a derived class refers to its base class)
          J - far (intersegment) jump
          j - near (intrasegment) jump
          P - far (intersegment) call
          p - near (intrasegment) call
          ^ - ordinary flow
          s - xref from a structure
          m - xref from a structure member
          k - xref from a stack variable

Address

        For 'xrefs to' dialogs: where the reference comes from (source)
        For 'xrefs from' dialogs: where the reference goes to (destination)

Text

        Additional info about the cross reference

Jump to cross reference from current location

Action    name: JumpXrefFrom

This command shows you a list of cross-references from the current location: you can jump to the selected one by pressing Enter.

Click here to see the description of the cross reference dialog box.

See also

Jump to Cross References
Jump to Cross References to Operand

Jump to cross references to operand

 Action    name: JumpOpXref

This command shows you a list of cross-references to the current operand: you can jump to the selected one by pressing Enter.

Click here to see the description of the cross reference dialog box.

See also

Jump to Cross References
Jump to Cross Reference From

Jump to function

 Action    name: JumpFunction

This command shows you a list of functions: you can jump to the selected one by pressing Enter.

See also

Jump to next function
Jump to previous function
How to choose a function

Jump to next function

Action    name: JumpNextFunc

This command searches the start of the next function and jumps to the found address.

Jump to previous function

 Action    name: JumpPrevFunc

This command searches the start of the previous function and jumps to the found address.

Jump to Entry Point

 Action    name: JumpEntryPoint

This command shows you a list of entry points: you can jump to the selected one by pressing Enter.

The list of entry points is created at the database creation time. It is not modified after that (for example, renaming an exported function does not change the list of entry points).

Breakpoints

Here are the commands to use the debugger breakpoints.

Breakpoints list
Add breakpoint
Edit breakpoint
Delete breakpoint

Breakpoints list

Action    name: Breakpoints

Opens the breakpoints window.

In this window, you can view information related to existing breakpoints. Breakpoints are saved in the database, and restored as soon as possible (once the memory becomes writeable).

The 'Pass count' column indicates how many times the program needs to hit the breakpoint before being suspended (0 means "always suspend").

Add breakpoint

Action    name: BreakpointAdd

This command adds a breakpoint at the current address. If an instruction exists at this address, an instruction breakpoint is created. Otherwise, IDA offers to create a hardware breakpoint and allows the user to edit breakpoint settings. Hardware breakpoints can be either real hardware breakpoints or page breakpoints.

Edit breakpoint

Action    name: BreakpointEdit

This command opens a dialog box to edit an existing breakpoint.

Location

  The breakpoint location: either an absolute address, a symbol name,
  a module+offset combination, or a source file name and a line number.
  The exact location syntax depends on the breakpoint kind: absolute, module
  relative, symbolic, or source code.

Condition This IDC expression will be evaluated each time the breakpoint is reached. If the expression returns true (non-zero), the debugger will execute the selected actions. Please note that you can use the register names in the IDC scripts when the debugger is active. Tests like this are allowed, for example: EAX == EBX+5 or get_wide_dword(ESP+0x10) == 34 You can also use the "..." button to enter a multiline condition, or specify another scripting language to use. See here for more info.

Settings

  Enabled:
        If the breakpoint is enabled or disabled. Disabled breakpoints
        are not written to the debugged process.

  Hardware:
        If enabled, IDA will use a hardware breakpoint. The breakpoint
        mode and size must be specified for them (see below).

  Module relative:
        The breakpoint location is stored as a combination of a module
        name and an offset. This kind of breakpoint is useful for
        DLLs that are loaded to various addresses because their addresses
        cannot be calculated in advance. Example: kernel32+0x1234

  Symbolic:
        The breakpoint location is stored as a combination of a symbol
        name and a possible offset. This kind of breakpoint is useful for
        symbols that can be imported from different DLLs because their addresses
        cannot be calculated in advance. Example: myfunc+44

  Source code:
        The breakpoint location is stored as a combination of a source file
        name and a line number. Can be used only if the source code of the
        debugged application is available. Example: myfile.cpp:55

Low level condition: Evaluate the condition on the remote computer. Such conditions are faster, especially during remote debugging, because there is no network traffic between IDA and the remote computer on each breakpoint hit. More details

Actions

  Break:
        Suspend the debugged application

  Trace:
        Add a new entry to the trace log

Refresh debugger memory: By default IDA does not refresh the memory config before evaluating a breakpoint condition. This option enables the refresh. To refresh it manually, call refresh_debugger_memory

  Enable tracing:
        Enable tracing when the breakpoint hits. This is different from trace
        breakpoints (where only a new entry is added to the trace log).

  Disable tracing:
        Disable tracing when the breakpoint fires.

Tracing type: Instruction, Function and Basic block level tracing types can be selected for breakpoints where enable/disable tracing have been selected. Hardware breakpoint size Number of bytes to watch: 1, 2 or 4 bytes for normal hardware breakpoints. Any size for page breakpoints. Hardware breakpoint mode

        The access type the breakpoint will react: read/write, write, execute.

In the case of Intel hardware breakpoints, some limitations are enforced (in contrast with page breakpoints). It is impossible to create more than 4 hardware breakpoints. The address of the breakpoint must be aligned appropriately:

  - 2-byte breakpoints must be word-aligned.
  - 4-byte breakpoints must be dword-aligned.

Please note that hardware breakpoints occur AFTER the instruction execution while software breakpoints occur BEFORE the instruction.

Usually, it is easier to use software breakpoints, except if:

  - we want to be sure the memory is not modified by the debugger
  (instruction breakpoints modify the debugged process memory).

  - we want to detect accesses to data bytes.

  - the specified address is write protected (really rare!).

See also

Index of IDC functions

Delete breakpoint

Action    name: BreakpointDel

This command deletes an existing breakpoint at the current address.

Page breakpoints

Page breakpoints are memory access breakpoints that can be set to detect when the application reads, writes, or executes code/data in a specific memory range. Page breakpoints are very similar to hardware breakpoints but there is no limitation on the number of page breakpoints that can be set or their size, in contrast with normal hardware breakpoints.

Memory access breakpoints are implemented by removing page permissions according to the specified type of the page breakpoint to be added (for example, for a write page breakpoint, the write permission will be removed from the page). When the access violation exception occurs because the application tries to access the specific memory region, IDA reports a breakpoint hit.

As page breakpoints can be set for a small part of a memory page but the permissions of the whole page must be changed, page breakpoints can slow down the debugger because many access violation exceptions may be generated. If the application accesses memory outside of the desired range but on the same page, the generated exception must be silently handled and the application resumed. Specifically, page breakpoints in the code segment can slow down the debugger very much.

Memory access breakpoints are supported since IDA version 6.3 for the following debuggers:

Win32

  Page breakpoints are supported for both local and remote debugging
  of 32 and 64bit applications.

WinDbg

  Page breakpoints are supported only for local debugging of 32-bit applications.

Bochs

  Page breakpoints are supported for both of 32 and 64bit applications.
  Page breakpoints in the bochs debugger are just like normal hardware
  breakpoints but with no limit on the number of breakpoints or their size.
  Please note that hardware breakpoints in the bochs debugger occur AFTER the
  instruction is executed while regular page breakpoints occur BEFORE the
  instruction is actually executed.

Find breakpoint

Action    name: BreakpointFind

Open the breakpoints window if needed, then find current breakpoint in it.

Breakpoint conditions

You can use the "Condition" field of the breakpoint properties to enter an expression which is evaluated when the breakpoint is hit. It can be either an actual condition or just any valid code in IDC or another supported scripting language syntax. By using the "..." button, you can open a multi-line editor for the condition and switch the scripting language used for evaluating it.

Expressions

  If you enter an expression, the result will be used to determine whether
  the selected actions are executed. Some examples of IDC expressions:

  Check if EAX is equal to 5:

    EAX==5

  Check if the first argument to the function is 1:

    get_wide_dword(ESP)==1

  Interpret the second argument to the function as a pointer to Unicode string, print it,
  and return 0 (so that the execution continues immediately):

    msg("Filename: %s\n", get_strlit_contents(get_wide_dword(ESP+4), -1, STRTYPE_UNICODE)), 0

  Set EAX to 0 and continue:

    EAX=0,0

Statements

  You can enter several statements in the multi-line editor. If the last one is a 'return' statement,
  it is used as the result of the condition. Otherwise the condition is assumed to return 0.

See also

Index of IDC functions

Low level breakpoint conditions

Low level breakpoint conditions can be used to speed up the debugger. They are evaluated like this:

  - in case of remote debugging, the condition is evaluated on the remote
    computer. The following actions are bypassed:
      - sending of the breakpoint event to the local computer
      - switching from debthread to the main thread
      - updating internal IDA structures and caches
      - updating the screen

  - in case of local debugging, the condition is evaluated at low level.
    The following actions are bypassed:
      - switching from debthread to the main thread
      - updating internal IDA structures and caches
      - updating the screen

In both cases, there is a significant speed up. This improvement imposes some limitations on the breakpoint condition:

only IDC expressions can be used for low level conditions
only functions marked as 'thread-safe' may be called

only entire registers can be accessed (e.g. EAX is ok but AL is not) Essentially this means that the only available functions are:

- read/write process registers
- read/write process memory
- file i/o
- auxiliary string and object functions
- msg() function (for debugging the breakpoint conditions)

Low level breakpoint conditions are available only for Win32, Linux, Mac, and Android debuggers.

Segments

This submenu allows you to manipulate segments of the program:

Create a new segment...
Delete a segment...
Change segment attributes...
Move a segment...
Rebase program...
Change segment translation...
Set default segment register value...
Change segment register value...

See also:

Create a new segment

Action    name: CreateSegment

This command allows you to create a new segment.

If you select a range using the anchor, IDA will propose the start address and the end address of the selection as defaults for the segment bounds.

You need to specify at least:

    - the segment start address
    - the segment end address (excluded from the range)
    - the segment base

Click here to learn about addressing model used in IDA.

If "sparse storage" is set, IDA will use special sparse storage method for the segment. This method is recommended for huge segments. Later, it is possible to change the storage method of any region using set_storage_type IDC function.

If another segment already exists at the specified address, the existing segment is truncated and the new segment lasts from the specified start address to the next segment (or specified end address, whichever is lower). If the old and the new segments have the same base address, instructions/data will not be discarded by IDA. Otherwise, IDA will discard all instructions/data of the new segment.

An additional segment may be created by IDA to cover the range after the end of the new segment.

IDA address space concepts

nternally, IDA has 32-bit linear address space (IDA64 uses 64-bit address space). The internal addresses are called "linear addresses". The input program is loaded into this linear address space.

Please note that usually the linear addresses are not used in the program directly. During disassembling, we use so-called "virtual addresses", which are calculated by the following formula:

        VirtualAddress = LinearAddress - (SegmentBase << 4);

We see that the SegmentBase determines what addresses will be displayed on the screen. More than that, IDA allows to create several segments with the same virtual address in them. For this, you just need to create segments with correct segment base values.

Normally a SegmentBase is a 16bit quantity. To create a segment with base >= 0x10000, you need to use selectors. However, if you try to create a segment with a segment base >= 0x10000, IDA will automatically choose appropriately a free selector and setup for the new segment.

All SegmentBases are looked up in the selector table.

There are some address restrictions in IDA.

There is a range of addresses that are used for internal housekeeping. This range can be specified by the configuration variable PRIVRANGE (start address and size). It is not recommended to use these addresses for other purposes.

There is also one address which must never be used in the disassembly. It is the 'all ones' address, or -1. Internally, it is used as a BADADDR (bad address). No address or address range can include BADADDR.

Create segment - simple case (PC)

IBM PC case -----------

Suppose we need to create a segment occupying addresses F000:1000..F000:2000 Let's calculate linear addresses:

        start = (0xF000 << 4) + 0x1000 = 0xF1000
        end   = (0xF000 << 4) + 0x2000 = 0xF2000

The segment base must be selected so that the first offset in our segment will be 0x1000. Let's find it using the following equation:

        VirtualAddress = LinearAddress - (SegmentBase << 4);
        0x1000         = 0xF1000 - (base << 4);

After solving this equation, we see that the segment base is equal to 0xF000. (you see, this is really a very simple case :) )

Now, we can create a segment entering:

        segment start address:  0xF1000
        segment end address:    0xF2000
        segment base:           0xF000

Please note that the end address never belongs to the segment in IDA.

Create segment - simple case (Z80)

Z80 case
 --------

Suppose we need to create a segment occupying virtual addresses 8000-C000. Since we are free to place our segment anywhere in the linear address space, we choose the linear addresses at our convenience. Let's say we choose a linear address 0x20000:

        start = 0x20000
        end   = start + 0x4000 = 0x24000

The segment base must be selected so that the virtual address in our segment will be 0x8000. Let's find it using the following equation:

        VirtualAddress = LinearAddress - (SegmentBase << 4);
        0x8000         = 0x20000 - (base << 4);
        base << 4      = 0x20000 - 0x8000
        base << 4      = 0x18000
        base           = 0x1800

After solving this equation, we see that the segment base is equal to 0x1800.

Now we can create a segment entering:

        segment start address:  0x20000
        segment end address:    0x24000
        segment base:           0x1800

Please note that the end address never belongs to the segment in IDA.

Create segment - automatically chosen selector case

Suppose we need to create a segment occupying linear addresses 200000-200C00 and the virtual addresses must have be 0000..0C00. If we simply enter

        segment start address:  0x200000
        segment end address:    0x200C00
        segment base:           0x20000

Then IDA will notice that the segment base is too big and does not fit into 16bits. Because of this IDA will find a free selector (let's say it has found selector number 5), define it to point at paragraph 0x20000 and create a segment. After all this we will have:

        - a new selector is defined (5 -> 0x20000)
        - a new segment is created. Its attributes:
                start = 0x200000
                end   = 0x200C00
                base  = 5

The first virtual address in the segment will be 0:

        VirtualAddress = LinearAddress - (SelectorValue(SegmentBase) << 4)
                       = 0x200000      - (SelectorValue(5) << 4)
                       = 0x200000      - (0x20000 << 4)
                       = 0x200000      - 0x200000
                       = 0

Please note that the end address never belongs to the segment in IDA.

Create segment - user-defined selector case

If the previous example we saw how IDA allocates a selector automatically. You could make it yourself:

1. Create a selector. For this, open the selectors window and press Ins. Enter a selector number and its value.

2. Create a segment. Specify the selector number as the segment base.

Delete a segment

Action    name: KillSegment

This command allows you to delete a segment.

IDA will ask your the permission to disable the addresses occupied by the segment. If you allow this operation, all information about the segment will be deleted. In other words, IDA will discard the information about instructions or data, comments etc.

If you check the "disable addresses" checkbox, IDA will mark the addresses occupied by the segment as "nonexistent" in the program. You will lose *ALL* information, including byte values.

It is impossible to disassemble the content of addresses not located in any segment, therefore you must create a new segment if you want to resume the disassembly of that part of the code.

You can also edit (see below) an adjacent segment to expand it to those addresses.

IDA will ask your the permission to disable addresses occupied by the segment. If you give your permission, information about the segment will be deleted, otherwise IDA will discard information about instruction/data, comments etc, but retain byte values so that you will be able to create another segment afterwards.

To disassemble the addresses occupied by the segment, you need to create a new segment again (i.e. you cannot disassemble bytes without a segment). You can also expand another adjacent segment to these addresses.

Change segment attributes

How to change segment name
How to change segment class
How to change segment addressing mode (16/32)
How to change segment alignment
How to change segment combination

Changing the segment class may change the segment type.

MOVE ADJACENT SEGMENTS: means that the previous and next segments will be shrunk or expanded to fill gaps between segments. Click here for more information.

DISABLE ADDRESSES: if set, when a segment is shrunk, all information about bytes going out of the segment will be completely removed.. Otherwise, IDA will discard information about instructions/data, comments etc, but will retain byte values so that another segment can be created later and it will use the existing byte values.

If IDA creates 2 segments where only one segment must exist, you may try the following sequence:

delete one segment. Choose one with bad segment base value. Do not disable addresses occupied by the segment being deleted.
change bounds of another segment. Note that the create segment command changes the boundaries of the overlapping segment automatically.

Segments with the 'debugger' attribute are the segments whose memory contents are not saved in the database. Usually, these segments are created by the debugger to reflect the current memory state of the program.

However, the user can modify this attribute.

If it is cleared, then the segment will permanently stay in the database after closing the debugger session. The database will reflect the state of the segment which was at the time when the status is changed.

If it is set, then the segment will become a temporary segment and will be deleted at the end of the debugging session.

The "debugger segment" checbkox is available only during debugging sessions.

The 'loader' segments are the segment created by the file loader. The segment having this attribute are considered to be part of the input file.

A segment with the 'debugger' attribute set and the 'loader' attribute not set is considered to be an ephemeral segment. Such segments are not analyzed automatically by IDA.

"Segment permissions" group box can be used to modify Segment access permissions (Read/Write/Execute)

Change Segment Name

Enter a new name for the segment. A segment name is up to 8 characters long. IDA does check if the length is ok. Try to give mnemonic names for the segments.

Segment Class Name

The segment class name identifies the segment with a class name (such as CODE, FAR_DATA, or STACK). The linker places segments with the same class name into a contiguous range of memory in the runtime memory map.

Changing the segment class changes only the segment definition on the screen. There are the following predefined segment class names:

        CODE    -       Pure code
        DATA    -       Pure data
        CONST   -       Pure data
        BSS     -       Uninitialized data
        STACK   -       Uninitialized data
        XTRN    -       Extern definitions segment

If you change segment class and the segment type is "Regular", then the segment type will be changed accordingly.

In order to set the segment type "Regular", you should change the segment class to "UNK".

Segment class names are never deleted. Once you define a segment class name, you cannot reuse it as a name of another object.

Change Segment Addressing

You can choose between 16-bit and 32-bit segment addressing.

IDA will delete all instructions and data in the segment if the segment address is changed.

Never do it if you are not sure. It may have irreversible consequences, all instructions/data will be converted to undefined bytes.

Change Segment Alignment

Alignment: select between abs,byte,word,dword,para,page

You can specify the segment alignment for the selected segment. By default, IDA assumes 'byte' alignment.

Changing the alignment changes only the segment definition on the screen. Nothing else will happen.

Change Segment Combination

Combination

A field that describes how the linker can combine the segment with other segments. Under MS-DOS, segments with the same name and class can be combined in two ways: they can be concatenated to form one logical segment, or they can be overlapped. In the latter case, they have either the same start address or the same end address, and they describe a common range in memory. Values for the field are:

  Private. Do not combine with any
           other program segment.
  Public.  Combine by appending at
           an offset that meets the
           alignment requirement.

  Stack.   Combine as for Public.
           This combine type forces
           byte alignment.

  Common.  Combine by overlay using
           maximum size.

Changing segment combination changes only the segment definition on the screen. Nothing else will happen.

Move a segment

Action    name: MoveSegment

This command allows you to move segment(s) to another address. Use it if the segment(s) are loaded at a wrong address.

This command shifts (moves) the selected segments in the memory to the target address. There must be enough free space at the target address for the segments.

All information in the segment will be moved to the new address, but since the addresses change, the disassembly might be not valid anymore (especially if the program is moved to the wrong addresses and the relocation information is not available).

 Fix up relocations

        This option allows IDA to modify the references
        to/from the relocated segment(s). If it is turned
        off, the references might be wrong after the move.

Rebase program

Action    name: Rebase program

The whole program will be shifted by the specified amount of bytes in the memory. The following options are available (we strongly recommend to leave them turned on):

 Fix up relocations

        This option allows IDA to modify the references
        to/from the relocated segment(s). If it is turned
        off, the references might be wrong after the move.

 Rebase the whole image

        This option is accessible only if the whole program
        is selected. It allows IDA to adjust internal
        variables on the whole program.

Please note rebasing the program might remove user-defined xrefs.

Change segment translation

        call    1000

in the segment C obviously refers to the segment B while the instruction

        call    500

refers to the segment A.

However, IDA does not try to link these references unless you tell it to do so: include the segments A and B into a translation list of the segment C. It means that you have to create a translation list

A B

for the segment C.

Below is a more complicated example:

                start   end
        A       0000    1000
        B       1000    2000
        C       1000    2000
        D       3000    4000
        E       3000    4000

translations

        B:      A
        C:      A
        D:      A B
        E:      A C

allow you to emulate overlays (the first set is A B D, the second A C E)

IMPORTANT NOTE1: If you use the segment translations, make sure that all segments have unique segment bases. If two segments are placed in the linear address space so that they must have the same segment base, you may assign different selectors with equal values to them.

IMPORTANT NOTE2: IDA supports only one translation list per segment. This translation is applied by default to all instruction in the segment. If the segment uses other mappings, then these individual mappings can be specified for each instruction separately by using the make offset commands.

IMPORTANT NOTE3: Since only code references are affected by the segment translations, try to create the RAM segment at its usual place (i.e. its linear address in IDA corresponds to its address in the processor memory). This will make all data references to it to be correct without any segment translation. For the data references to other segments you'll need to use the make offset command for each such reference.

See also

addressing space concepts

Set Default Segment Register Value

Action    name: SetSegmentRegisterDefault

Relevant only for processors with the segment registers.

You can specify a default value of a segment register for the current segment. When you change the default value, IDA will reanalyze the segment, taking the default value when it cannot determine the actual value of the register. This takes time, so do not be surprised if references are not corrected immediately.

To specify a value other than the default value of a segment register, you can use change segment register value command.

Change Segment Register Value

 Action    name: SetSegmentRegister

Relevant only for processors with the segment registers. Currently this command works for IBM PC, TMS320C2, Intel80196, and PowerPC processors.

This command creates or updates a segment register change point.

See jump to segment register change point for more info.

ALPHA DISASSEMBLY

For Alpha processors, the user must enter the difference between the real GP value and the start of the GOT (global offset table). For example:

         .got
         ....
         ; gp points here
 label:

If you want to specify that a register points to "label", you must calculate and enter the difference "label-.got" as the register value.

ARM DISASSEMBLY

The ARM processor module has a virtual segment register T which reflects the state of the T bit of the processor state register (PSR). Therefore, the value of this register controls THUMB/ARM mode. If its value is not zero, then the disassembly will be in the thumb mode.

POWER PC DISASSEMBLY

For PowerPC processors, the user must enter an offset from the beginning of the TOC to the TOC entry which contains the address of the target. An example:

 TOC:    .toc
         ....
 sometc: .tc sometc[tc], datachunk

If you want to specify that a register points to "datachunk", you must calculate and enter the difference "sometc-TOC" as the register value. You can change the TOC value in the processor specific options (which is accessible from the analysis options).

INTEL 80196 DISASSEMBLY

For Intel 80196NP/NU processors, the user must enter the value of WSR or WSR1 register. IDA will automatically take the new value into account.

See also:

Segment Register Change Points

When IDA encounters an instruction which changes a segment register, it creates a segment register change point. So, mostly change points are maintained by IDA itself. IDA assumes that the segment registers do not change their values between change points. If you find out that IDA failed to locate a segment register change, or if you want to change a register value, you can create a change point using Change Segment Register command. You can change the value of a segment register using Set default segment register value command too.

IDA classifies the change points. In the list of the change points, you can see the following postfixes after the register values:

 a (auto)     - Created by IDA. May be changed by IDA afterwards.
 u (by user)  - Created by user. IDA will not change it.

IDA generates the appropriate 'assume' instructions for the change points if it was not disabled by the corresponding command.

Choose segment

IDA can display a list of the program segments. Each segment is represented by a line in the list. Please note that the end address of the segment never belongs to the segment in IDA.

The following segment attributes are visible:

  Name          Segment name
  Start         Virtual start address
  End           Virtual end address (address past the end of the segment)
  R             'R': readable,      '.': not readable,   '?':unknown
  W             'W': writable,      '.': not writable,   '?':unknown
  X             'X': executable,    '.': not executable, '?':unknown
  D             'D': debugger only, '.': regular
  L             'L': created by loader, '.': no
  Align         Segment alignment
  Base          Segment base selector or address
  Type          Segment type
  Class         Segment class
  AD            Segment addressing width

The rest of the columns display the default values of the segment registers for the segment.

By default, the cursor is located on the current segment.

You can use normal cursor movement keys and the mouse. You can also search for the segment by pressing Alt-T, or directly jump to the desired line by typing in its number.

Press <Enter> to select line, <Esc> to cancel the selection.

Basic Usage

In this document, we'll explore the essentials of IDA capabilities to kickstart your journey and disassemble your first binary file.

Prerequisites

Before you begin

What files and processors are supported?

What are IDA database files?

IDA stores the analysis results in the IDA Database files (called IDB), with the extension .i64. This allows you to save your work and continue from the same point later. After loading a file at the beginning, IDA does not require access to the binary.

Any modifications you make are saved in the database and do not affect the original executable file.

Dive deeper

What decompilers can I work with?

IDA provides decompilers designed to work with multiple processor architectures. The number of decompilers and their type (local or remote) available in your IDA instance depends on your chosen product and subscription plan and affects your ability to produce C-like pseudocode.

Where can I find exemplary binaries to work with?

Part 1: Loading your file

When you launch IDA, you will see a Quick Start dialog that offers three ways to continue. For now, we'll focus on loading a new file and proceeding to disassembly results.

Launch IDA and in the Quick start dialog (1), click New.
Specify the path for your binary file.
In the Load a new file dialog (2), IDA presents loaders that are suited to deal with a selected file. Accepting the loader default selection and then the processor type is a good strategy for beginners. Click OK to confirm your selection.

IDA begins autoanalysis of your binary file.

Dive deeper

Part 2: UI overview

After autoanalysis is done, you'll see the main IDA desktop with the initial results. Let's examine the default desktop layout and commonly used UI elements.

Main menu bar (1)
Toolbar (2)
Navigation band (3)
Subviews (4)
Output (5)
Status bar (6)

For a handy cheatsheet of all commands and their hotkeys, check Options -> Show command palette....

Dive deeper

Below the main menu bar, you will see a toolbar with icons that give you quick access to common functionalities (available also via the main menu/shortcuts). It has just one line by default, but you can customize it by adding or rearranging your actions.

Dive deeper

The navigation band shows the graphical representation of the analyzed binary file and gives a short overview of its contents and which areas may need your attention. The yellow arrow (indicator) shows where the cursor is currently positioned in the disassembly view.

As you'll soon recognize, the colors used in the nav band match those in other views.

Dive deeper

Output

Status bar

At the bottom left corner of the IDA window, you can see the status bar, which contains:

analysis indicator AU, which shows the actual status of autoanalysis (1). In our case, it is idle, which means the autoanalysis is already finished.
search direction indicator (2)
remaining free disk space (3)

Right-clicking on the status bar brings up a context menu that allows you to reanalyze the program.

Dive deeper

Subviews

The subviews are one of the most prominent parts of your everyday work with IDA. These additional views (behaving like tabs) give a different perspective and information on the binary file, but the number of native IDA subviews may be a bit overwhelming. Here, we will focus on the most versatile and common subviews for beginners, where you'll spend most of the time, like:

IDA View
Pseudocode
Hex Dump View
Local Types
Functions View

IDA View / Disassembly Window

When autoanalysis is done, you will see a graph view inside an IDA View by default. This flowchart graph should help you to understand the flow of the functions.

The graph view is available only for the part of the binary that IDA has recognized as functions.

IDA view has three modes:

graph view (1), that shows instructions grouped in blocks,
linear view (2), that lists all instructions and data in order of their addresses,
and proximity view (3), which allows you to see relations between functions, global variables, and other parts of the program.

Press Space to switch between graph and linear mode. Provimity view is available from the context menu in IDA view.

Dive deeper

Hex View Window

In hex view, you can see the raw bytes of the program's instructions.

There are two ways of highlighting the data in this view:

Text match highlight, which shows matches of the selected text anywhere in the views.
Current item highlight, which shows the bytes group constituting the current item.

The IDA view, pseudocode, and hex view can be synchronized, meaning that they highlight the same part of the analyzed program, and changes made inside one of the views are visible in the others.

Dive deeper

Pseudocode Window

Generated by the famous F5 shortcut, the pseudocode shows the assembly language translated into human-readable, C-like pseudocode. Click Tab to jump right into the Pseudocode view.

Local Types Window

This view shows the high-level types used in databases, like structs or enums.

Dive deeper

Functions Window

This window displays all the functions recognized by IDA, along with key details for each:

Function name
Segment the segment that contains the function
Start: the function starting address
Length: the size of the function in bytes
Local: the amount of stack space taken by local variables
Arguments: the amount of stack space taken by arguments

This view is read-only, but you can automatically synchronize the function list with the IDA view, pseudocode, or hex view. Click to open the context menu and select Turn on synchronization.

Dive deeper

A crucial step in mastering IDA is learning how to navigate quickly to specific locations in the output. To help you get started, we'll cover essential commands and hotkeys commonly used for efficient navigation in IDA.

Double-click and jump to the location

When you double-click on an item, such as a name or address, IDA automatically jumps to that location and relocate the display.

Jump to address

Go to Jump -> Jump to address.. or press G hotkey
Enter the item name or hex address in the dialog box, then click OK.

To jump back to the previous position, press Esc. To jump to the next position, press Ctrl + Enter. You can also navigate using the arrows in the toolbar.

See the list of cross-references

Position the cursor on a function or instruction, then go to Jump -> Jump to xref to operand... or press X to see the dialog with listed all cross-references to this identifier.
Select an item from the list and click OK to jump to that location.

Dive deeper

Part 4: Manipulate your disassembly results

Now that the initial autoanalysis is done and you’ve mastered the basics of navigation, it’s time to explore the basic interactive operations that reveal the true power of IDA in transforming your analysis.

Rename a stack variable

One of the first steps you might take is to enhance readability by assigning meaningful names to local or global variables, but also functions, registers and other objects that IDA initially assigned a dummy name.

In the IDA View, right-click on the variable you want to rename and click Rename or press N when the variable is cursor-highlighted.
In the newly opened dialog, insert a new name and click OK.

If at any point you want to go back to the original dummy name given by IDA, leave the field blank and click OK. It will reset the name to the default one.

Once you change the name, IDA will propagate the changes through the decompiler and Pseudocode view.

Dive deeper

Add a comment

Adding comments may be a useful way to annotate your work.

Highlight the line where you want to insert a comment and press :.
In the dialog box, type your comment (you can use multiple lines) and click OK. This will add a regular (non-repeatable) comment to the location.

If you want to add a repeatable comment in every location that refers to the original comment, press ';'.

Dive deeper

Part 5: Customizing IDA

Nearly every UI element is customizable, allowing you to rearrange and align widgets to suit your habits. You can save your personalized desktop layout by going to Windows -> Save desktop.

Most of the basic appearance you can change under Options menu.

To change the colors or theme, go to Options -> Colors.
To change the font, go to Options -> Fonts.

Part 6: Debug your file

If you are ready to delve into dynamic analysis and start debugging your programs, here are some key steps to get you started:

Select the right debugger and complete the setup: Go to Debugger -> Select debugger... and pick up one of the avaliable debuggers. Under Debugger -> Debugger options, you can configure the setup in detail.
Add breakpoints: Right-click on the line where you want to stop the execution and select Add breakpoint from the context menu, or press F2.
Start the process: Run the debuggin session by pressing F9 or click a green arrow on the tooltip.

Dive Deeper

Part 7: Install a plugin

One of the most common way of extanding IDA capabilities is to use on of our community-developed plugins.

Where can I find IDA plugins?

Installing your plugin

For this guide purposes, we'll walk you through general installation steps.

The installation process can vary depending on the plugin and some of them may required installing dependencies or further configuration. Don't hesitate to refer to the specific instructions provided by the plugin author.

Load your plugin

Copy your plugin folder to the plugins directory inside your IDA installation directory.
Alternatively, you can load the plugin from the command line in IDA by using File -> Script file... and selecting app.entry.py file.

Run your plugin

Navigate to Edit -> Plugins -> your_plugin_name or use the assigned hotkey.

You may need to restart IDA to see your plugin in the list.

Dive deeper

Key hotkeys cheatsheet

Here's a handy list of all of the shortcuts we used so far.

Space Switches between graph and linear mode in the IDA View
F5 Generates pseudocode
Tab Jumps into pseudocode View
G Opens Jump to address dialog
Esc Jumps back to the previous position
Ctrl + Enter Jumps to the next position
X Shows the list of all cross-references
N Opens dialog to rename the current item
; Adds repeatable comment
: Adds regular comment

Open subviews

Here are commands to open various windows, display information etc.

Open disassembly window
Open exports window
Open imports window
Open functions window
Open names window
Open signatures window
Open segments window
Open segment registers window
Open selectors window
Open cross references window
Open local types window
Open problems window
Open type libraries window
Open strings window
Open function calls window
Open notepad
Open undo history

Some windows allow you to manipulate the window contents by using the list viewer commands.

Disassembly window

Action    name: WindowOpen

The "WindowOpen" command opens a new window with the disassembly. IDA automatically opens one disassembly window at the start.

If the current location is an instruction belonging to a function, then the graph view is available. You can toggle between the text and graph view using the Space key. You can also switch to proximity view by zooming out to the callgraph using the '-' key.

Use the disassembly editing commands to improve the listing.

Use Shift-<arrows> or Alt-L to drop anchor. If you have a mouse, you can drop the anchor with it too.

A double click of the mouse is equivalent to the <Enter> key.

To the left of disassembly, there is an arrows window (GUI version). Also the GUI version highlights the current identifier.

Exports window

Action    name: OpenExports

This command opens the exports window.

You can use list viewer commands in this window.

Imports window

Action    name: OpenImports

This command opens the imports window.

You can use list viewer commands in this window.

Functions window

 Action    name: OpenFunctions

A list of all functions in the program is displayed. You can add, delete, modify functions using list viewer commands.

Listed for each function are:

        - function name
        - segment that contains the function
        - offset of the function within the segment
        - function length in bytes
        - size (in bytes) of local variables + saved registers
        - size (in bytes) of arguments passed to the function

The last column of this window has the following format:

        R - function returns to the caller
        F - far function
        L - library function
        S - static function
        B - BP based frame. IDA will automatically convert
            all frame pointer [BP+xxx] operands to stack
            variables.
        T - function has type information
        = - Frame pointer is equal to the initial stack pointer
            In this case the frame pointer points to the bottom of the frame
        M - reserved
        S - reserved
        I - reserved
        C - reserved
        D - reserved
        V - reserved

If a function has its color set, its line is colored using the specified color. Otherwise library and lumina functions are colored with the corresponding color. Otherwise the line is not colored.

A bold font is used for functions that have definite (user-specified) prototype. Also some plugins too may set this flag. Such prototypes are taken as is by the decompiler, while other prototypes are considered only as a starting point during decompilation.

It is possible to automatically synchronize the function list with the active disassembler, pseudocode, or hex view. For that right click on the function list and select "Turn on synchronization".

Names window

Action    name: OpenNames

This command opens the names window.

You can use list viewer commands in this window.

The GUI version displays a small icon for each name:

        L (dark blue)   - library function
        F (dark blue)   - regular function
        C (light blue)  - instruction
        A (dark green)  - string literal
        D (light green) - data
        I (purple)      - imported name

Signatures window

 Action    name: OpenSignatures

This command opens the signatures window.

For each signature, the following is displayed:

        - name of file with the signature
        - state of signature:
                - Planned: the signature will be applied
                - Current: the signature is being applied
                - Applied: the signature has been applied
        - number of functions found using the signature
        - description of the signature

You can modify the planned signatures list here: add/delete library modules to be used during the disassembling.

You cannot delete an applied signature from the list.

To add a signature to the list for the application press <Ins>. You will see a list of signatures that can be applied to the program being disassembled.

Text version: Not all signature files will be displayed (for example, 32 bit signatures will not be shown for a 16 bit program). If you want to see the full list of signatures, select the first line of the list saying SWITCH TO FULL LIST OF SIGNATURES.

Signature files reside in the subdirectories of the SIG directory. Each processor has its own subdirectory. The name of the subdirectory is equal to the name of the processor module file (z80 for z80.w32, for example). Note: IBM PC signatures are located in the SIG directory itself. Note: the IDASGN environment variable can be used to specify the location of the signatures directory.

Segments window

Action    name: ShowSegments

This command opens the segments window. The format of this window is explained here.

You can use list viewer commands in this window.

In order to change the selector values, use selectors window.

Segment registers window

Action    name: ShowSegmentRegisters

This command opens the segment registers window. The window will contain segment register change points list.

You can use list viewer commands in this window.

Depending on the current processor type, you will see DS,ES,SS with or without FS,GS.

Selectors window

 Action    name: ShowSelectors

This command opens the selector window. Here you can change the "selector to base" mapping. The selector table is used to look up the selector values when calculating the addresses that are visible in the disassembly listing.

You can use list viewer commands in this window:

        - jump to the paragraph pointed by the selector
        - add a new selector
        - delete selector (if it is not used by any segment)
        - change selector value (this leads to reanalysis of all program)

Cross references window

Action    name: OpenXrefs

This command opens the cross-references window. This window contains all references to the current location.

You can use list viewer commands in this window.

You can add and delete cross references here too by pressing Ins or Del. Right clicking on the mouse will work too.

Add a cross reference: the from and to address, as well as the xref type should be specified.

Del a cross reference: if the 'undefine if no more xrefs' is check, then the instruction at the target address will be undefined upon the deletion of the last xref. IDA undefines instructions only if they do not start a function.

Local types window

Action    name: OpenLocalTypes

Each database has a local type library embedded into it. This type library (til) is used to store types that are local to the current database. They are usually created by parsing a header file.

As of IDA 9.0, the legacy Structure and Enums windows have been removed and their functionality consolidated by the Local Types window. This view serves as a centralized hub for all type-related actions. You can define new types here (enumerations, structures, and unions), edit existing ones, and import types from loaded type libraries.

This command opens the local types window. The user can manipulate local types here:

the existing types can be modified (the default hotkey is Ctrl-E, context menu Edit type...)
the existing types can be deleted (the default hotkey is Del, context menu Delete type...)
new types can be added (the default hotkey is Ins, context menu Add type...)

Please note that Ins can be used to add many types at once. For that the user just needs to enter multiple declarations, one after another in the dialog box.

However, Ctrl-E permits for editing of one type at a time. This may cause problems with complex structure types with nested types. Nested types will not be saved by Ctrl-E.

If the edited type corresponds to an idb type (struct or enum), then the corresponding type will be automatically synchronized.

Some types in this list are created automatically by IDA. They are copies of the types defined in the or Types views. Such types are displayed using in gray, as if they are disabled.

Types displayed in black are considered as C level types. Read more.

Each type in the local type library has an ordinal number and may have a name.

Be careful when deleting existing types because if there are references to them, they will be invalidated.

A local type can be mapped to another type. Such an operation deletes the existing type and redirects all its references to the destination type. Circular dependencies are forbidden. In the case of a user mistake, a mapped type can be deleted and recreated with the correct information.

See also

Type libraries window
C++ type details

Managing Structures**

Each structure must have a unique name. A field name must be unique in the structure. In order to create or delete a field, use data definitions commands (data, string literal, array, undefine, Rename). You may also define regular or repeatable comments.

In order to modify member types, use commands from the Edit|Operand types... submenu. For example, to convert a structure member to an offset, use one of the following commands:

Structs-related commands available in the local types window:

Add struct type...
Duplicate a struct type...
Delete struct type...
Insert gap...
Delete gap...
Edit struct type...

Define a new structure

 Action    name: AddStruct

This command defines a new structure or a new union. The new structure is created with zero length. You will have to add structure members using structure manipulation commands.

If the entered structure name denotes a standard structure type from a loaded type library, then its definition will be automatically used. In this case, the value of the 'create union' checkbox will be ignored.

This command is available when you open a Local Types window.

You can add new members to the structure using the following commands:

Command

Hotkey

You may also insert/delete undefined bytes into the middle of the structure by using Expand and Shrink commands.

"Create before current structure" means that the new structure will be placed immediately before the current structure type. Otherwise, the new structure is placed after the current structure.

"Don't include in the list" means that the structure will not be included in the list of the structures which appears when the user applies the structure definition, for example, when he creates a variable of this structure type. We recommend to mark this checkbox when you have defined all variables of this structure type and want to reduce the number of choices in the list.

Duplicate a structure type

Action    name: CopyStruct

This command duplicate the current structure type. The new structure type will have the same members as the current one but its name will be autogenerated (something like struc_333)

By default the new structure type will be placed after the current structure type.

Delete a structure

 Action    name: DelStruct

This command deletes the current structure. Beware, when you delete a structure, all references to it will be destroyed as well. Even if you recreate it later, you'll have to specify again all references to it.

You may use this command to delete unions also.

This command is available when you open a Local Types window.

Expand a structure

 Action    name: ExpandStruct

This command expands the current structure by inserting undefined bytes at the cursor location. The cursor must not be at the end of the structure. To define a member at the end of the structure, just use normal data definition commands.

This command is available when you open a Local Types window.

Shrink a structure

 Action    name: ShrinkStruct

This command shrinks the current structure by deleting undefined bytes at the cursor location. The cursor must be at an undefined byte. IDA will ask the user the number of bytes to remove.

This command is available when you open a Local Types window.

Edit a structure

 Action    name: EditStruct

This command allows the user to change the structure alignment

Structure alignment is used to calculate the number of padding bytes at the end of the structure. For example, if alignment is 4 and the last field is a byte at offset 11h, IDA will add 3 bytes of padding so that the struct size is 14h (multiple of 4).

The alignment must be a power of 2. This command is available in the Local Types window.

Managing Enums

Enums-related commands available in the local types window:

Add an enum
Delete an enum
Edit an enum
Define an enum member
Edit an enum member
Delete an enum member

Add/Edit an enum

Action    name: AddEnum
 

Action    name: EditEnum

These commands allow you to define and to edit an enum type. You need to specify:

        - name of enum
        - its serial number (1,2...)
        - representation of enum members

Each enum has its ID and a serial number. The ID is a number used to refer to the enum, while a serial number is used to order enums during output. Changing the serial number moves the enum to another place.

The serial number of an enum is displayed at the lower left corner of the window.

You can specify any number as a serial number, IDA will move the enum to the specified place.

        1 - the current enum becomes the first enum
        2 - the current enum becomes the second enum
        ...

You also need to specify representation of enum constants. You may choose from various number bases (hex,dec,oct,bin) and character constants.

You may specify the element width or leave it zero. Zero means the element width is not specified. The allowed widths are the powers of 2 in the range of 1..64.

Please note that you can create bitfield definitions here by checking the "bitfield" checkbox.

These command is available when you open the types window.

Delete an enum type

 Action    name: DelEnum

This command deletes the current enum. Beware, when you delete an enum all references to it will be destroyed. Even if you recreate it later, you'll have to specify again all references to it.

This command is available when you open the types window.

Define an enum member

Action    name: AddConst

This command allows you to define an enum member. An enum member is a symbolic constant. You have to specify its name and value. You cannot define more than 256 constants with the same value in an enum.

If the current enum is a bitfield, you need to specify the bitmask. To learn about bitmasks, read about bitfields.

Edit an enum member

Action    name: EditConst

This command allows you to rename an enum member. An enum member is a symbolic constant. Its name must be unique in the program.

To rename an enum type name, position the cursor over the name of the enum.

Delete an enum member

 Action    name: DelConst

Please remember that deleting a member also deletes all the information about the member, including comments, member name etc.

Problems window

Action    name: OpenProblems

This command opens the problems window. The problem window contains the list of all problems encountered by IDA during disassembling the program.

You can jump to a problem by pressing Enter. The selected problem will be deleted from the list.

Type libraries window

Action    name: OpenTypeLibraries

This command opens the type libraries window. Here the user can load and unload standard type libraries.

The standard type libraries contain type definitions from the standard C header supplied with compilers. Usually, IDA tries to determine the target compiler and its type libraries automatically but if it fails, this window allows you to load the appropriate type library.

Furthermore, don't forget to specify the compiler and memory model in the compiler setup dialog box.

Inspecting a type library

Provide the ability to inspect the types present in a type library.

Local Types bookmarks

See: Choose marked location

Strings window

Action    name: OpenStrings

This command opens the string window.

The string window contains all strings in the program. However, if a range of addresses was selected before opening the window, only the selected range will be examined for strings.

You can setup the list parameters by right-clicking (or pressing Ctrl-U in the text version) on the list.

The list always contains strings defined in the program regardless of the settings in this dialog box, but the user can ask IDA to display strings not yet explicitly defined as strings.

The following parameters are available:

Display only defined strings If checked, IDA will display only strings explicitly marked as string items (using the create string literal command). In this case, the other checkboxes are ignored. Ignore instructions/data definitions

        If checked, IDA will ignore instruction/data definitions
        and will try to treat them as strings. If it can build a string
        with the length greater than the minimal length, the string
        will be displayed in the list.
        This setting is ignored if 'only defined strings' is on.

Strict ASCII (7-bit) strings If checked, only strings containing exclusively 7-bit characters (8th bit must be zero) will be added to the list. Please note that the user can specify which characters are accepted in the strings by modifying the StrlitChars parameter in the ida.cfg file. This setting is ignored if 'only defined strings' is on. Allowed string types

        Allows the user to specify the string types included in the list.
        This setting is ignored if 'only defined strings' is on.

Minimal string length

        The minimal length the string must have to be added to the list.

Function calls window

Action    name: OpenCallers

This command opens the function calls window.

All functions who call the current function are displayed at the top of the window.

All functions called from the current function are displayed at the bottom of the window.

The list is automatically refreshed when the cursor is moved to another function.

Notepad

Action    name: OpenNotepad

Opens a notepad window for the general notes about the current database. The entered notes will be saved in the current database.

Alt-T hotkey can be used to search for a text and Ctrl-T to repeat the last search.

The notepad is available only in the GUI version.

Show undo history

Action    name: ShowUndoHistory

This command opens a window with the undo history. It is available from the Views, Open subviews submenu.

Double clicking on a line reverts the database to the state before the corresponding action.

It is possible to truncate the undo history by using the corresponding context menu command. The undo information for the selected action will be removed together with the information about all preceding actions.

The redoable user actions are displayed in italics. The current position in the undo buffers is displayed in bold, it usually denotes the first redoable user action.

See also

Undo
Redo
Reset Undo
Disable Undo

Functions

This submenu allows you to manipulate functions in the disassembly:

Create function...
Edit function...
Append function tail...
Remove function tail...
Delete function...
Set function end
Define stack variables...
Change stack pointer...
Rename register...
Set function/item type...

Create Function

Action    name: MakeFunction

This command defines a new function in the disassembly text.

You can specify function boundaries using the anchor. If you don't specify any, IDA will try to find the boundaries automatically:

   - function start point is equal to the current cursor position;
   - function end point is calculated by IDA.

A function cannot contain references to undefined instructions. If a function has already been defined at the specified addresses, IDA will jump to its start address, showing you a warning message.

A function must start with an instruction.

Edit Function

 Action    name: EditFunction

Here you can change function bounds, its name and flags. In order to change only the function end address, you can use FunctionEnd command.

If the current address does not belong to any function, IDA beeps.

This command allows you to change the function frame parameters too. You can change sizes of some parts of frame structure.

IDA considers the stack as the following structure:

      +------------------------------+
      | function arguments           |
      +------------------------------+
      | return address               |
      +------------------------------+
      | saved registers (SI,DI,etc)  |
      +------------------------------+  <- BP
      | local variables              |
      +------------------------------+  <- SP

For some processors or functions, BP may be equal to SP. In other words, it can point to the bottom of the stack frame.

You may specify the number of bytes in each part of the stack frame. The size of the return address is calculated by IDA (possibly depending on the far function flag).

"Purged bytes" specifies the number of bytes added to SP upon function return. This value will be used to calculate the SP changes at call sites (used in some calling conventions, such as __stdcall in Windows 32-bit programs.)

"BP based frame" allows IDA to automatically convert [BP+xxx] operands to stack variables.

"BP equal to SP" means that the frame pointer points to the bottom of the stack. It is usually used for the processors which set up the stack frame with EBP and ESP both pointing to the bottom of the frame (for example MC6816, M32R).

If you press <Enter> even without changing any parameter,IDA will reanalyze the function.

Sometimes, EBP points to the middle of the stack frame. FPD (frame pointer delta) is used to handle such situations. FPD is the value substracted from the EBP before accessing variables. An example:

           push    ebp
           lea     ebp, [esp-78h]
           sub     esp, 588h
           push    ebx
           push    esi
           lea     eax, [ebp+74h]

      +------------------------------+
      | function arguments           |
      +------------------------------+
      | return address               |
      +------------------------------+
      | saved registers (SI,DI,etc)  |
      +------------------------------+  <- typical BP
      |                              |
      |                              |
      |                              |  <- actual BP
      | local variables              |
      |                              |
      |                              |
      |                              |
      +------------------------------+  <- SP

In our example, the saved registers area is empty (since EBP has been initialized before saving EBX and ESI). The difference between the 'typical BP' and 'actual BP' is 0x78 and this is the value of FPD.

After specifying FPD=0x78 the last instruction of the example becomes

           lea     eax, [ebp+78h+var_4]

where var_4 = -4

Most of the time, IDA calculates the FPD value automatically. If it fails, the user can specify the value manually.

If the value of the stack pointer is modified in an unpredictable way, (e.g. "and esp, -16"), then IDA marks the function as "fuzzy-sp".

If this command is invoked for an imported function, then a simplified dialog box will appear on the screen.

Function flags

The following flags can be set in function properties:

Does not return

The function does not return to caller (for example, calls a process exit function or has an infinite loop). If no-return analysis is enabled in Kernel Options, IDA will not analyze bytes following the calls to this function.

Far function

On processors which distinguish near and far functions (e.g. PC x86), mark the function as 'far'. This may affect the size of the special stack frame field reserved for the return address, as well as analysis of calls to this function.

Library func

Mark the function as part of compiler runtime library code. This flag is usually set when applying FLIRT signatures

Static func

Mark the function as static. Currently this flag is not used by IDA and is simply informational.

BP based frame

Inform IDA that the function uses a frame pointer (BP/EBP/RBP on PC) to access local variables. The operands of the form [BP+xxx] will be automatically converted to stack variables.

BP equal to SP

Frame pointer points to the bottom of the stack instead of at the beginning of the local variables area as is typical.

Fuzzy SP

Function changes SP by an unknown value, for example: and esp, 0FFFFFFF0h

Outlined code

The function is not a real function but a fragment of multiple functions' common instruction sequence extracted by the compiler as a code size optimization (sometimes called "code factoring"). During decompilation, body of the function will be expanded at the call site.

Append Function Tail

 Action    name: AppendFunctionTail

This command appends an arbitrary range of the program to a function definition. A range must be selected before applying this command. This range must not intersect with other function chunks (however, an existing tail can be added to multiple functions).

IDA will ask to select the parent function for the selection and will append the range to the function definition.

Remove Function Tail

 Action    name: RemoveFunctionTail

This command removes the function tail at the cursor from a function definition.

If there are several parent functions for the current function tail range, IDA will ask to select the parent function(s) to remove the tail from.

After the confirmation, the current function tail range will be removed from the selected function definition.

If the parent was the only owner of the current tail, then the tail will be destroyed. Otherwise it will still be present in the database. If the removed parent was the owner of the tail, then another function will be selected as the owner.

Delete Function

 Action    name: DelFunction

Deleting a function deletes only information about a function, such as information about stack variables, comments, function type, etc.

The instructions composing the function will remain intact.

Set Function End

 Action    name: FunctionEnd

This command changes the current or previous function bounds so that its end will be set at the cursor. If it is not possible, IDA beeps.

Edit the argument location

Allow to edit argument or return value location.

Stack Variables Window

 Action    name: OpenStackVariables

This command opens the stack variables window for the current function.

The stack variables are internally represented as a structure. This structure consists of two parts: local variables and function arguments.

You can modify stack variable definitions here: add/delete/define stack variables, enter comments for them.

There may be two special fields in this window: " r" and " s". They represent the size of the function return address and of the saved registers in bytes. You cannot modify them directly. To change them, use edit function command.

Offsets at the line prefixes represent offsets from the frame pointer register (BP). The window indicator at the lower left corner of the window displays offsets from the stack pointer.

In order to create or delete a stack variable, use data definitions commands (data, strlit, array, undefine, Rename). Also you may define regular or repeatable comments.

The defined stack variables may be used in the program by converting operands to stack variables.

Esc closes this window.

Change Stack Pointer

Action    name: ChangeStackPointer

This command allows you to specify how the stack pointer (SP) is modified by the current instruction.

You cannot use this command if the current instruction does not belong to any function.

You will need to use this command only if IDA was not able to trace the value of the SP register. Usually IDA can handle it but in some special cases it fails. An example of such a situation is an indirect call of a function that purges its parameters from the stack. In this case, IDA has no information about the function and cannot properly trace the value of SP.

Please note that you need to specify the difference between the old and new values of SP.

The value of SP is used if the current function accesses local variables by [ESP+xxx] notation.

Rename register

 Action    name: RenameRegister

This command allows you to rename a processor general register to some meaningful name. While this is not used very often on IBM PCs, it is especially useful on RISC processors with lots of registers.

For example, a general register R9 is not very meaningful and a name like 'CurrentTime' is much better.

This command can be used to define a new register name as well as to remove it. Just move the cursor on the register name and press enter. If you enter the new register name as an empty string, then the definition will be deleted.

If you have selected a range before using this command, then the definition will be restricted to the selected range. But in any case, the definition cannot cross the function boundaries.

You cannot use this command if the current instruction does not belong to any function.

Set function/item type

 Action    name: SetType

This command allows you to specify the type of the current item.

If the cursor is located on a name, the type of the named item will be edited. Otherwise, the current function type (if there is a function) or the current item type (if it has a name) will be edited.

The function type must be entered as a C declaration. Hidden arguments (like 'this' pointer in C++) should be specified explicitly. IDA will use the type information to comment the disassembly with the information about function arguments. It can also be used by the Hex-Rays decompiler plugin for better decompilation.

Here is an example of a function declaration:

        int main(int argc, const char *argv[]);

To delete a type declaration, please enter an empty string.

IDA supports the user-defined calling convention. In this calling convention, the user can explicitly specify the locations of arguments and the return value. For example:

        int __usercall func@<ebx>(int x, int y@<esi>);

denotes a function with 2 arguments: the first argument is passed on the stack (IDA automatically calculates its offset) and the second argument is passed in the ESI register and the return value is stored in the EBX register. Stack locations can be specified explicitly:

        int __usercall runtime_memhash@<^12.4>(void *p@<^0.4>, int q@<^4.4>, int r@<^8.4>)

There is a restriction for a __usercall function type: all stack locations should be specified explicitly or all are automatically calculated by IDA. General rules for the user defined prototypes are:

  - the return value must be in a register.
    Exception: stack locations are accepted for the __golang and __usercall calling conventions.

  - if the return type is 'void', the return location must not be specified

  - if the argument location is not specified, it is assumed to be
    on the stack; consequent stack locations are allocated for such arguments

  - it is allowed to declare nested declarations, for example:
    int **__usercall func16@<eax>(int *(__usercall *x)@<ebx>
                                             (int, long@<ecx>, int)@<esi>);
    Here the pointer "x" is passed in the ESI register;
    The pointed function is a usercall function and expects its second
    argument in the ECX register, its return value is in the EBX register.
    The rule of thumb to apply in such complex cases is to specify the
    the registers just before the opening brace for the parameter list.

  - registers used for the location names must be valid for the current
    processor; some registers are unsupported (if the register name is
    generated on the fly, it is unsupported; inform us about such cases;
    we might improve the processor module if it is easy)

  - register pairs can be specified with a colon like <edx:eax>

- for really complicated cases this syntax can be used. IDA also understands the "__userpurge" calling convention. It is the same thing as __usercall, the only difference is that the callee cleans the stack.

The name used in the declaration is ignored by IDA.

If the default calling convention is __golang then explicit specification of stack offsets is permitted. For example:

  __attribute__((format(printf,2,3)))
  int myprnt(int id, const char *format, ...);

This declaration means that myprnt is a print-like function; the format string is the second argument and the variadic argument list starts at the third argument.

Below is the full list of attributes that can be handled by IDA. Please look up the details in the corresponding compiler help pages.

  packed        pack structure/union fields tightly, without gaps
  aligned       specify the alignment
  noreturn      declare as not returning function
  ms_struct     use microsoft layout for the structure/union
  format        possible formats: printf, scanf, strftime, strfmon

For data declarations, the following custom __attribute((annotate(X))) keywords have been added. The control the representation of numbers in the output:

__bin unsigned binary number

__oct unsigned octal number

__hex unsigned hexadecimal number

__dec signed decimal number

__sbin signed binary number

__soct signed octal number

__shex signed hexadecimal number

__udec unsigned decimal number

__float floating point

__char character

__segm segment name

__enum() enumeration member (symbolic constant)

__off offset expression (a simpler version of __offset)

__offset() offset expression

__strlit() string __stroff() structure offset

__custom() custom data type and format

__invsign inverted sign

__invbits inverted bitwise

__lzero add leading zeroes

__tabform() tabular form

The following additional keywords can be used in type declarations:

_BOOL1 a boolean type with explicit size specification (1 byte)

_BOOL2 a boolean type with explicit size specification (2 bytes)

_BOOL4 a boolean type with explicit size specification (4 bytes)

__int8 a integer with explicit size specification (1 byte)

__int16 a integer with explicit size specification (2 bytes)

__int32 a integer with explicit size specification (4 bytes)

__int64 a integer with explicit size specification (8 bytes)

__int128 a integer with explicit size specification (16 bytes)

_BYTE an unknown type; the only known info is its size: 1 byte

_WORD an unknown type; the only known info is its size: 2 bytes

_DWORD an unknown type; the only known info is its size: 4 bytes

_QWORD an unknown type; the only known info is its size: 8 bytes

_OWORD an unknown type; the only known info is its size: 16 bytes

_TBYTE 10-byte floating point value

_UNKNOWN no info is available

__pure pure function: always returns the same value and does not modify memory in a visible way

__noreturn function does not return

__usercall user-defined calling convention; see above

__userpurge user-defined calling convention; see above

__golang golang calling convention

__swiftcall swift calling convention

__spoils explicit spoiled-reg specification; see above

__hidden hidden function argument; this argument was hidden in the source code (e.g. 'this' argument in c++ methods is hidden)

__return_ptr pointer to return value; implies hidden

__struct_ptr was initially a structure value

__array_ptr was initially an array

__unused unused function argument __cppobj a c++ style struct; the struct layout depends on this keyword

__ptr32 explicit pointer size specification (32 bits)

__ptr64 explicit pointer size specification (64 bits)

__shifted shifted pointer declaration

__high high level prototype (does not explicitly specify hidden arguments like 'this', for example) this keyword may not be specified by the user but IDA may use it to describe high level prototypes

__bitmask a bitmask enum, a collection of bit groups

Shifted pointers

Sometimes in binary code we can encounter a pointer to the middle of a structure. Such pointers usually do not exist in the source code but an optimizing compiler may introduce them to make the code shorter or faster.

Such pointers can be described using shifted pointers. A shifted pointer is a regular pointer with additional information about the name of the parent structure and the offset from its beginning. For example:

        struct mystruct
        {
          char buf[16];
          int dummy;
          int value;            // <- myptr points here
          double fval;
        };
        int *__shifted(mystruct,20) myptr;

The above declaration means that myptr is a pointer to 'int' and if we decrement it by 20 bytes, we will end up at the beginning of 'mystruct'.

Please note that IDA does not limit parents of shifted pointers to structures. A shifted pointer after the adjustment may point to any type except 'void'.

Also, negative offsets are supported too. They mean that the pointer points to the memory before the structure.

When a shifted pointer is used with an adjustment, it will be displayed with the 'ADJ' helper function. For example, if we refer to the memory 4 bytes further, it can be represented like this:

        ADJ(myptr)->fval

Shifted pointers are an improvement compared to the CONTAINING_RECORD macro because expressions with them are shorter and easier to read.

Scattered argument locations

  00000000 struc_1         struc ; (sizeof=0xC)
  00000000 c1              db ?
  00000001                 db ? ; undefined
  00000002 s2              dw ?
  00000004 c3              db ?
  00000005                 db ? ; undefined
  00000006                 db ? ; undefined
  00000007                 db ? ; undefined
  00000008 i4              dd ?
  0000000C struc_1         ends

If we have this function prototype:

  void myfunc(struc_1 s);

the 64bit GNU compiler will pass the structure like this:

  RDI: c1, s2, and c3
  RSI: i4

Since compilers can use such complex calling conventions, IDA needs some mechanism to describe them. Scattered argument locations are used for that. The above calling convention can be described like this:

  void __usercall myfunc(struc_1 s@<0:rdi.1, 2:rdi^2.2, 4:rdi^4.1, 8:rsi.4>);

It reads:

  1 byte  at offset 0 of the argument is  passed in the byte 0 of RDI
  2 bytes at offset 2 of the argument are passed in the byte 1,2 of RDI
  1 byte  at offset 4 of the argument is  passed in the byte 3 of RDI
  4 bytes at offset 8 of the argument are passed starting from the byte 0 of RSI

In other words, the following syntax is used:

  argoff:register^regoff.size

where

  argoff - offset within the argument
  register - register name used to pass part of the argument
  regoff - offset within the register
  size - number of bytes

The regoff and size fields can be omitted if there is no ambiguity.

If the register is not specified, the expression describes a stack location:

  argoff:^stkoff.size

where

  argoff - offset within the argument
  stkoff - offset in the stack frame (the first stack argument is at offset 0)
  size - number of bytes

Please note that while IDA checks the argument location specifiers for soundness, it cannot perform all checks and some wrong locations may be accepted. In particular, IDA in general does not know the register sizes and accepts any offsets within them and any sizes.

Data representation: enum member

Syntax:

  __enum(enum_name)

Instead of a plain number, a symbolic constant from the specified enum will be used. The enum can be a regular enum or a bitmask enum. For bitmask enums, a bitwise combination of symbolic constants will be printed. If the value to print cannot be represented using the specified enum, it will be displayed in red.

Example:

   enum myenum { A=0, B=1, C=3 };
   short var __enum(myenum);

   If `var` is equal to 1, it will be represented as "B"

Another example:

   enum mybits __bitmask { INITED=1, STARTED=2, DONE=4 };
   short var __enum(mybits);

   If `var` is equal to 3, it will be represented as "INITED|STARTED"

This annotation is useful if the enum size is not equal to the variable size. Otherwise using the enum type for the declaration is better:

   myenum var;  // is 4 bytes, not 2 as above

Data representation: offset expression

Syntax:

  __offset(type, base, tdelta, target)
  __offset(type, base, tdelta)
  __offset(type, base)
  __offset(type|AUTO, tdelta)
  __offset(type)
  __off

where

type is one of:

  OFF8       8-bit full offset
  OFF16      16-bit full offset
  OFF32      32-bit full offset
  OFF64      64-bit full offset
  LOW8       low 8 bits of 16-bit offset
  LOW16      low 16 bits of 32-bit offset
  HIGH8      high 8 bits of 16-bit offset
  HIGH16     high 16 bits of 32-bit offset

The type can also be the name of a custom refinfo.

It can be combined with the following keywords:

  RVAOFF     based reference (rva)
  PASTEND    reference past an item
             it may point to an nonexistent address
  NOBASE     forbid the base xref creation
             implies that the base can be any value
             nb: base xrefs are created only if the offset base
             points to the middle of a segment
  SUBTRACT   the reference value is subtracted from the base value instead of
             (as usual) being added to it
  SIGNEDOP   the operand value is sign-extended (only supported for
             REF_OFF8/16/32/64)
  NO_ZEROS   an opval of 0 will be considered invalid
  NO_ONES    an opval of ~0 will be considered invalid
  SELFREF    the self-based reference

The base, target delta, and the target can be omitted. If the base is BADADDR, it can be omitted by combining the type with AUTO:

  __offset(type|AUTO, tdelta)

Zero based offsets without any additional attributes and having the size that corresponds the current application target (e.g. REF_OFF32 for a 32-bit bit application), the shoft __off form can be used.

Examples:

  A 64-bit offset based on the image base:

  int var __offset(OFF64|RVAOFF);

  A 32-bit offset based on 0 that may point to an non-existing address:

  int var __offset(OFF32|PASTEND|AUTO);

  A 32-bit offset based on 0x400000:

  int var __offset(OFF32, 0x400000);

  A simple zero based offset that matches the current application bitness:

  int var __off;

This annotation is useful the type of the pointed object is unknown or the variable size is different from the usual pointer size. Otherwise it is better to use a pointer:

  type *var;

Data representation: string

Syntax:

  __strlit(strtype, "encoding")
  __strlit(strtype, char1, char2, "encoding")
  __strlit(strtype)

where strtype is one of:

  C          Zero terminated string, 8 bits per symbol
  C_16       Zero terminated string, 16 bits per symbol
  C_32       Zero terminated string, 32 bits per symbol
  PASCAL     Pascal string: 1 byte length prefix, 8 bits per symbol
  PASCAL_16  Pascal string: 1 byte length prefix, 16 bits per symbol
  LEN2       Wide Pascal string: 2 byte length prefix, 8 bits per symbol
  LEN2_16    Wide Pascal string: 2 byte length prefix, 16 bits per symbol
  LEN4       Delphi string: 4 byte length prefix, 8 bits per symbol
  LEN4_16    Delphi string: 4 byte length prefix, 16 bits per symbol

It may be followed by two optional string termination characters (only for C). Finally, the string encoding may be specified, as the encoding name or "no_conversion" if the string encoding was not explicitly specified.

Example:

  A zero-terminated string in windows-1252 encoding:

  char array[10] __strlit(C,"windows-1252");

  A zero-terminated string in utf-8 encoding:

  char array[10] __strlit(C,"UTF-8");

Data representation: structure offset

Syntax:

  __stroff(structname)
  __stroff(structname, delta)

Instead of a plain number, the name of a struct or union member will be used. If delta is present, it will be subtracted from the value before converting it into a struct/union member name.

Example:

  An integer variable named `var` that hold an offset from the beginning of
  the `mystruct` structure:

  int var __stroff(mystruct);

  If mystruct is defined like this:

  struct mystruct
  {
    char a;
    char b;
    char c;
    char d;
  }

  The value 2 will be represented as `mystruct.c`

Another example:

  A structure offset with a delta:

  int var __stroff(mystruct, 1);

  The value 2 will be represented as `mystruct.d-1`

Data representation: custom data type and format

Syntax:

 __custom(dtid, fid)

where dtid is the name of a custom data type and fid is the name of a custom data format. The custom type and format must be registered by a plugin beforehand, at the database opening time. Otherwise, custom data type and format ids will be displayed instead of names.

Data representation: tabular form

Syntax:

  __tabform(flags)
  __tabform(flags,lineitems)
  __tabform(flags,lineitems,alignment)
  __tabform(,lineitems,alignment)
  __tabform(,,alignment)

This keyword is used to format arrays. The following flags are accepted:

  NODUPS do not use the `dup` keyword
  HEX    use hexadecimal numbers to show array indexes
  OCT    use octal numbers to show array indexes
  BIN    use binary numbers to show array indexes
  DEC    use decimal numbers to show array indexes

It is possible to combine NODUPS with the index radix: NODUPS|HEX

The `lineitems` and `alignment` attributes have the meaning described for the create array command.

Example:

  Display the array in tabular form, 4 decimal numbers on a line, each number
  taking 8 positions. Display indexes as comments in hexadecimal:

  char array[16] __tabform(HEX,4,8) __dec;

  A possible array may look like:

  dd   50462976, 117835012, 185207048, 252579084; 0
  dd  319951120, 387323156, 454695192, 522067228; 4
  dd  589439264, 656811300, 724183336, 791555372; 8
  dd  858927408, 926299444, 993671480,1061043516; 0Ch

Without this annotation, the `dup` keyword is permitted, number of items on a line and the alignment are not defined.