With IDA 9.0, we changed how the Hex-Rays documentation is organized and added new guides and tutorials to kickstart your IDA journey and ease the migration from previous IDA versions.

New Structure

Our docs are divided into three main categories:

• User Guide, dedicated to individual users and covering whole IDA products (including add-ons, like Teams and Lumina). Most of the documentation regarding IDA, like manuals or tutorials, is currently accessible under the User Guide.

• Developer Guide, which focuses on developer's needs, covers the reference and contextual documentation for IDAPython API and C++ SDK, as well as native IDC language. This part is mainly dedicated to plugin authors and devs interested in enhancing basic IDA capabilities with our development kit or scripting.

• Admin Guide mainly focuses on administrators installing and managing servers for Teams and Lumina or floating licenses.

In Archive, we gathered docs with rather historical value that some of you may still find interesting but focused on previous versions of IDA.

New Getting Started Guides

We prepared a Getting Started section for IDA newbies and also gathered additional materials to help you find your way around our IDAPython API or IDA SDK.

Migration and Porting Guides

For those familiar with previous versions of IDA, we prepared Porting Guides for IDAPython and C++ SDK. If you use the Flexera server for floating licenses, check our Migration Guide for new Hex-Rays license server.

First experience with IDA? Great, you are in the right place. Here you can find guides designed to quickly onboard you into IDA. We will walk you through license activation and IDA installation to the essential tasks you can perform in IDA.

Discover the core of Hex-Rays guides and manuals, guiding you through IDA features and real-life usage scenarios.

Getting Started

New to IDA? Explore our selection of documentation to guide you through the installation process and jumpstart your reverse engineering journey.

Our Guides

Delve into detailed guides to discover IDA features and maximize its capabilities.

In this document, we covered the basics regarding our licensing model: you can check how to activate your license depending on the license type, what to do with the downloaded license files, and how to finalize license settings while running IDA. This guide is dedicated to individual users.

Licenses overview

License types

In Hex-Rays, we offer two basic license types for IDA products, that are suitable for individual users:

• Named licenses, that are assigned to specific individuals.

• Computer licenses that are assigned to specific devices.

There is also an additional type, called floating licenses, that allow a set number of concurrent users but are not assigned to specific individuals or devices.

What are license files, and where can I find them?

The license file contains your license ID and other data and is required to make your IDA instance fully operative after installation.

You can download your license file from My Hex-Rays portal, after its activation.

License Activation

To complete the installation, you need an active IDA license with an assigned owner or a MAC address. Without activation, you cannot download your license file.

What is needed to assign my license?

• for named licenses: the email address of the owner,

• for computer licenses: the MAC address of a specific device

• for floating licenses: the MAC address of the device where the license server will be running

Named licenses activation

1. Go to My Hex-Rays portal. On the left menu, select a customer to see licenses assigned to it.

1. Navigate to Licenses -> Subscriptions. On the list, find the license ID and product for which you want to activate the license. Under Actions column, click on the three dots, and then in the dropdown menu, click Activate license.

1. In the new dialog, assign the ownership of the license: set the email address for this IDA instance user (it can be yours) and select decompilers. Optionally, select a Lumina and Teams server and tick the checkbox to send your license via email.

1. Click Assign button and then Click to confirm to finalize the assignment.

2. In the main subscriptions view, click on the three dots under Actions column, and in the dropdown menu, click Download license key to save it locally. You will need it to complete the installation process.

1. Navigate to the Download center on the left-side menu, locate your IDA product and base on your operating system, select an installer to download.

What's next?

Now you are ready to install your IDA instance.

Computer licenses activation

1. Go to My Hex-Rays portal. On the left menu, select a customer to see licenses assigned to it.

1. Navigate to Licenses -> Subscriptions. On the list, find the license ID and product for which you want to activate the license. Under Actions column, click on the three dots, and then in the dropdown menu, click Activate license.

1. In the new dialog, assign the ownership of the license: set the MAC address of the machine where this IDA instance will be installed and running (it can be yours) and select decompilers. Optionally, select a Lumina and Teams server and tick the checkbox to send your license via email.

1. Click Assign button and then Click to confirm to finalize the assignment.

2. In the main subscriptions view, click on the three dots under Actions column, and in the dropdown menu, click Download license key to save it locally. You will need it to complete the installation process.

1. Navigate to the Download center on the left-side menu, locate your IDA product and base on your operating system, select an installer to download.

What's next?

Now you are ready to install your IDA instance.

Server licenses for businesses and organizations

In this part, we cover the basics of license activation for floating license servers, Teams and Private Lumina servers, and the floating license server.

The Admin Guide covers the comprehensive manual regarding installation and server management.

The server installers and license files are available via My Hex-Rays portal.

License server licenses

Floating licenses are managed by administrators and require a license server to work. If you purchase the floating licenses, you will see an additional license for the license server in your Hex-Rays portal.

License server activation for admins

Similar to named and computer licenses, license server licenses need to be activated in the My Hex-Rays portal.

1. Go to My Hex-Rays portal. On the left menu, select a customer to see licenses assigned to it.

2. Navigate to Licenses -> Subscriptions. On the list, find the license server ID for which you want to activate the license. Under Actions column, click on the three dots, and then in the dropdown menu, click Activate license.

3. In the new dialog, assign the ownership to the license server and provide the MAC address of the device where the license server will be running.

4. Click Assign button and then Click to confirm to finalize the assignment.

5. In the main subscriptions view, click on the three dots under Actions column, and in the dropdown menu, click Download license key to save it locally. You will need it to complete the installation process.

6. Navigate to the Download center on the left-side menu, and select a license server installer to download.

License server installation for admins

Server installation for floating licenses should be done by the administrator. Check our Admin Guide for details.

How can I start using IDA as a floating license user?

Once your administrator installs a license server, adds particular license seats to the pool, and hands over the credentials, you are ready to install your IDA instance.

You don't need to download a license file/key to your local machine while using the floating licenses server.

Floating licenses borrowing

Every time you launch IDA, you'll see the License Manager pop-up window. As long as there are free seats, you can borrow one of the available licenses and start using IDA.

Add-ons servers' licenses

Each of our add-ons, Teams and Private Lumina, requires a separate server to work. The server license is provided with the first IDA instance/plan with the specific add-on enabled.

Teams server activation for admins

Similar to named/computer licenses and floating license server, the Teams server license needs to be activated in My Hex-Rays portal.

Teams server installation for admins

Server installation for Teams should be done by the administrator. Check our Admin Guide for details.

Private Lumina server activation for admins

Similar to named/computer licenses and floating license server, the Private Lumina server license needs to be activated in the My Hex-Rays portal.

Private Lumina server installation for admins

Server installation for Private Lumina should be done by the administrator. Check our Admin Guide for details.

Basic Usage

In this document, we'll explore the essentials of IDA capabilities to kickstart your journey and disassemble your first binary file.

Prerequisites

Before you begin

What files and processors are supported?

What are IDA database files?

IDA stores the analysis results in the IDA Database files (called IDB), with the extension .i64. This allows you to save your work and continue from the same point later. After loading a file at the beginning, IDA does not require access to the binary.

Any modifications you make are saved in the database and do not affect the original executable file.

Dive deeper

What decompilers can I work with?

IDA provides decompilers designed to work with multiple processor architectures. The number of decompilers and their type (local or remote) available in your IDA instance depends on your chosen product and subscription plan and affects your ability to produce C-like pseudocode.

Where can I find exemplary binaries to work with?

Part 1: Loading your file

When you launch IDA, you will see a Quick Start dialog that offers three ways to continue. For now, we'll focus on loading a new file and proceeding to disassembly results.

1. Launch IDA and in the Quick start dialog (1), click New.

2. Specify the path for your binary file.

3. In the Load a new file dialog (2), IDA presents loaders that are suited to deal with a selected file. Accepting the loader default selection and then the processor type is a good strategy for beginners. Click OK to confirm your selection.

1. IDA begins autoanalysis of your binary file.

Dive deeper

Part 2: UI overview

After autoanalysis is done, you'll see the main IDA desktop with the initial results. Let's examine the default desktop layout and commonly used UI elements.

1. Main menu bar (1)

2. Toolbar (2)

3. Navigation band (3)

4. Subviews (4)

5. Output (5)

6. Status bar (6)

Main menu bar

For a handy cheatsheet of all commands and their hotkeys, check Options -> Show command palette....

Dive deeper

Toolbar

Below the main menu bar, you will see a toolbar with icons that give you quick access to common functionalities (available also via the main menu/shortcuts). It has just one line by default, but you can customize it by adding or rearranging your actions.

Dive deeper

Navigation band

The navigation band shows the graphical representation of the analyzed binary file and gives a short overview of its contents and which areas may need your attention. The yellow arrow (indicator) shows where the cursor is currently positioned in the disassembly view.

As you'll soon recognize, the colors used in the nav band match those in other views.

Dive deeper

Output

Status bar

At the bottom left corner of the IDA window, you can see the status bar, which contains:

• analysis indicator AU, which shows the actual status of autoanalysis (1). In our case, it is idle, which means the autoanalysis is already finished.

• search direction indicator (2)

• remaining free disk space (3)

Right-clicking on the status bar brings up a context menu that allows you to reanalyze the program.

Dive deeper

Subviews

The subviews are one of the most prominent parts of your everyday work with IDA. These additional views (behaving like tabs) give a different perspective and information on the binary file, but the number of native IDA subviews may be a bit overwhelming. Here, we will focus on the most versatile and common subviews for beginners, where you'll spend most of the time, like:

• IDA View

• Pseudocode

• Hex Dump View

• Local Types

• Functions View

IDA View / Disassembly Window

When autoanalysis is done, you will see a graph view inside an IDA View by default. This flowchart graph should help you to understand the flow of the functions.

IDA view has three modes:

• graph view (1), that shows instructions grouped in blocks,

• linear view (2), that lists all instructions and data in order of their addresses,

• and proximity view (3), which allows you to see relations between functions, global variables, and other parts of the program.

Dive deeper

Hex View Window

In hex view, you can see the raw bytes of the program's instructions.

There are two ways of highlighting the data in this view:

1. Text match highlight, which shows matches of the selected text anywhere in the views.

2. Current item highlight, which shows the bytes group constituting the current item.

Dive deeper

Pseudocode Window

Generated by the famous F5 shortcut, the pseudocode shows the assembly language translated into human-readable, C-like pseudocode. Click Tab to jump right into the Pseudocode view.

Local Types Window

This view shows the high-level types used in databases, like structs or enums.

Dive deeper

Functions Window

This window displays all the functions recognized by IDA, along with key details for each:

• Function name

• Segment the segment that contains the function

• Start: the function starting address

• Length: the size of the function in bytes

• Local: the amount of stack space taken by local variables

• Arguments: the amount of stack space taken by arguments

This view is read-only, but you can automatically synchronize the function list with the IDA view, pseudocode, or hex view. Click to open the context menu and select Turn on synchronization.

Dive deeper

Part 3: Basic navigation

A crucial step in mastering IDA is learning how to navigate quickly to specific locations in the output. To help you get started, we'll cover essential commands and hotkeys commonly used for efficient navigation in IDA.

Double-click and jump to the location

When you double-click on an item, such as a name or address, IDA automatically jumps to that location and relocate the display.

Jump to address

1. Go to Jump -> Jump to address.. or press G hotkey

2. Enter the item name or hex address in the dialog box, then click OK.

To jump back to the previous position, press Esc. To jump to the next position, press Ctrl + Enter. You can also navigate using the arrows in the toolbar.

See the list of cross-references

1. Position the cursor on a function or instruction, then go to Jump -> Jump to xref to operand... or press X to see the dialog with listed all cross-references to this identifier.

2. Select an item from the list and click OK to jump to that location.

Dive deeper

Part 4: Manipulate your disassembly results

Now that the initial autoanalysis is done and you’ve mastered the basics of navigation, it’s time to explore the basic interactive operations that reveal the true power of IDA in transforming your analysis.

Rename a stack variable

One of the first steps you might take is to enhance readability by assigning meaningful names to local or global variables, but also functions, registers and other objects that IDA initially assigned a dummy name.

1. In the IDA View, right-click on the variable you want to rename and click Rename or press N when the variable is cursor-highlighted.

2. In the newly opened dialog, insert a new name and click OK.

If at any point you want to go back to the original dummy name given by IDA, leave the field blank and click OK. It will reset the name to the default one.

Dive deeper

Add a comment

Adding comments may be a useful way to annotate your work.

1. Highlight the line where you want to insert a comment and press :.

2. In the dialog box, type your comment (you can use multiple lines) and click OK. This will add a regular (non-repeatable) comment to the location.

Dive deeper

Part 5: Customizing IDA

Nearly every UI element is customizable, allowing you to rearrange and align widgets to suit your habits. You can save your personalized desktop layout by going to Windows -> Save desktop.

Most of the basic appearance you can change under Options menu.

• To change the colors or theme, go to Options -> Colors.

• To change the font, go to Options -> Fonts.

Part 6: Debug your file

If you are ready to delve into dynamic analysis and start debugging your programs, here are some key steps to get you started:

1. Select the right debugger and complete the setup: Go to Debugger -> Select debugger... and pick up one of the avaliable debuggers. Under Debugger -> Debugger options, you can configure the setup in detail.

2. Add breakpoints: Right-click on the line where you want to stop the execution and select Add breakpoint from the context menu, or press F2.

3. Start the process: Run the debuggin session by pressing F9 or click a green arrow on the tooltip.

Dive Deeper

Part 7: Install a plugin

One of the most common way of extanding IDA capabilities is to use on of our community-developed plugins.

Where can I find IDA plugins?

Installing your plugin

For this guide purposes, we'll walk you through general installation steps.

Load your plugin

1. Copy your plugin folder to the plugins directory inside your IDA installation directory.

2. Alternatively, you can load the plugin from the command line in IDA by using File -> Script file... and selecting app.entry.py file.

Run your plugin

1. Navigate to Edit -> Plugins -> your_plugin_name or use the assigned hotkey.

Dive deeper

Key hotkeys cheatsheet

Here's a handy list of all of the shortcuts we used so far.

• Space Switches between graph and linear mode in the IDA View

• F5 Generates pseudocode

• Tab Jumps into pseudocode View

• G Opens Jump to address dialog

• Esc Jumps back to the previous position

• Ctrl + Enter Jumps to the next position

• X Shows the list of all cross-references

• N Opens dialog to rename the current item

• ; Adds repeatable comment

• : Adds regular comment

By following the steps in this guide, you can successfully install your IDA instance on macOS, Linux, and Windows.

The installation steps are valid for all product versions: IDA Pro, IDA Home, or IDA Free (except license registration).

This installation guide is dedicated to individual users.

Minimum system requirements

Pre-installation steps

Installation on macOS

Prerequisites:

• Make sure Python 3 or later is installed on your computer for the IDAPython API to function properly.

Step 1: Download the installer

Step 2: Run the installer

• Extract the .zip archive.

• Double-click on the extracted file to run the instalation wizard.

• Follow the wizard's instructions to complete the installation:

  • accept the license agreement and installation directory;

  • copy your ida.hexlic file to IDA installation directory or to $HOME/.idapro directory before launching IDA.

Step 4: Launch IDA Pro for the first time

• Double-click on the IDA Pro icon to launch the application.

Step 5: Point to your named/computer license

• In the License manager pop-up window, specify the path of your license file and click OK.

Installation on Linux

Prerequisites:

• Make sure Python 3 or later is installed on your computer for the IDAPython API to function properly.

• Verify that you have the required libraries installed. Use your package manager to install any missing dependencies. Common dependencies include libx11, libxext, libxrender, and libglib2.0.

Step 1: Download the installer

Step 4: Run the installer

• Navigate to the directory containing your IDA installer, and make it executable.

• Run the installer by double-click it or enter ./<your_IDA_version_>linux.run in the terminal to execute it.

• Follow the wizard's instructions to complete the installation:

  • accept the license agreement and installation directory;

  • copy your ida.hexlic file to IDA installation directory or to $HOME/.idapro directory before launching IDA.

Step 5: Launch IDA Pro for the first time

• Go to the directory where IDA is installad and run the command: ./ida90

Step 6: Point to your named/computer license

• In the License manager pop-up window, specify the path of your license file and click OK.

Installation on Windows

• Make sure Python 3 or later is installed on your computer for the IDAPython API to function properly.

Step 1: Download the installer

Step 2: Run the installer

• Locate the downloaded .exe file and double-click it to run the installer.

• Follow the installation wizard's instructions to complete the installation:

  • accept the license agreement and installation directory;

  • copy your ida.hexlic file to IDA installation directory or to %APPDATA%/Hex-Rays/IDA Pro directory before launching IDA.

Step 5: Launch IDA Pro for the first time

• Navigate to the Start Menu or desktop shortcut and launch IDA Pro.

Step 6: Point to your named/computer license

• In the License Manager pop-up window, specify the path of your license file and click OK.

Use floating license server

Step 1: In the License manager pop-up window, select the option Use floating license server and then type a license server hostname provided by your administrator.

Step 2: Borrow one of the licenses visible under the available licenses list and click OK.

Note that you don't need a license file stored on your machine locally while using floating licenses.

Common Post-Installation Steps

Step 1: Update IDA Pro

• After installation, check for any available updates. Hex-Rays often releases patches and updates for IDA Pro. You can check for updates within the application via Help -> Check for free update or download the latest version from My Hex-Rays portal.

Step 2: Configure environment (optional)

Step 3: Install additional plugins (optional)

• You can extend the functionality of IDA Pro by installing additional plugins that can be found on the official Hex-Rays website or other trusted sources in the reverse engineering community.

In this submenu you can:

• Load file Load file

• Script command Execute a script command

• Produce output file Generate output file

• OS shell Execute OS commands

• Save database Save database in packed form

• Save database as... Save database in packed form in another file

• Take database snapshot Take database snapshot

• Abort Abort - do not save changes

• Quit Quit to DOS - save changes

See also Menu Bar submenus.

All IDA commands are available from the followings menus:

• File

• Edit

• Jump

• Search

• View

• Debugger

• Lumina

• Options

• Windows

 Action    name: Execute
 

You can execute any script file supported by the built-in scripting engine (IDC or Python), or a scripting language added by a plugin. The scripting language to use is selected by the file name extension of the script.

See also Immediate execution of script commands, Load... submenu commands.

 Action    name: ExecuteLine
 

You can enter and execute a small script written in the built-in IDC language or any other registered extlang.

Here is the list of built-in functions.

See also:

• IDC language overview

• Execute script file command

• File... submenu commands

• How to use notepad.

This submenu allows you to load additional files into the database.

• Reload input file

• Script file

• Binary file

• IDS file

• Debug information file

• PDB debug information file

• TDS debug information file

• FLIRT signature file

• C header file

Reload the input file

Action    name: ReloadFile

This command reloads the same input file into the database. IDA tries to retain as much information as possible in the database. All the names, comments, segmentation information and similar will be retained.

Only the values of individual bytes will be changed.

This command works for some input file types only: if the file was loaded into the database with special settings, this command may fail. In this case, use Dump database to IDC file command and reload the file manually.

See also Load... submenu commands.

Load additional file

 Action    name: LoadFile
 

This command loads a binary file. The new file is added to the current database and all existing information is retained.

The file content will appear as unexplored bytes in the program.

This command only allows you to load binary files.

See also Load... submenu commands.

Load IDS file

 Action    name: LoadIdsFile
 

This command loads an IDS file.

An IDS file contains information about well-known functions (such as functions from MS Windows API), namely:

        - their names
        - their ordinal number in the DLL
        - an eventual informative comment
        - the number of parameters passed on the stack
        - the number of parameters purged when returning

IDS files are automatically loaded if they are found in the IDS directory. This command allows you to load an IDS file from any directory, even after the main file has been loaded into the database.

See also Load... submenu commands.

Load debug information file

 Action    name: LoadDbgFile
 

This command loads a DBG file.

If the program being disassembled has a companion DBG file, then this command may be used to load information from a DBG file into the database. IDA loads DBG files automatically if it can find them in the directory with the input file.

The built-in debug information loader cannot load NB10 format files and PDB files. To load those files, please use a special plugin, PDB.DLL, which can be run manually using Edit->Plugins submenu. This plugin uses MS Windows DLLs to load the debug information and therefore has the following limitations:

        - it works only under MS Windows
        - it will load only PDBs compatible with the currently
          installed IMAGEHLP.DLL

See also Load... submenu commands.

Load PDB debug information file

 Action    name: LoadPdbFile
 

This command loads a PDB file.

If the program being disassembled has a companion PDB file, then this command may be used to load information from the PDB file into the database.

By default IDA uses in-house code to parse and load PDB files. However, our code can not parse old v2.0 PDB files. For them, IDA can fall back to using Microsoft DLLs (the default is "do not fall back"). Please read more in cfg/pdb.cfg.

Command line switch '-Opdb:option1:option2' overrides for ida session the value in cfg/pdb.cfg.

List of options

  off    : disable PDB
  pdbida : uses Hex-rays in-house code to parse and load PDB files.
  msdia  : uses Microsoft DLLs to parse and load PDB files.
           only available on Windows, for Linux/Macos you need to configure
           win32_remote.exe or win64_remote64.exe server in cfg/pdb.cfg
  fallback   : fallback from pdbida to msdia for the old 2.0 format
  nofallback : no fallback to msdia

Example

  -Opdb:off

Ida will not load PDB plugin for this session.

Load TDS debug information file

 Action    name: LoadTdsFile
 

This command loads a TDS file.

If the program being disassembled has a companion TDS file, this command may be used to load information from the TDS file into the database.

The TDS file must be placed in the same directory together with the input file.

The LoadTdsFile command launches a special plugin TDS.DLL which can be run manually using Edit->Plugins submenu.

See also Load... submenu commands.

Load FLIRT signature file

 Action    name: LoadSigFile
 

This command allows you to apply an additional signature file to the program.

A signature file contains patterns of standard runtime functions. With their help, IDA is able to recognize the standard functions and names them accordingly.

IDA attempts to detect the necessary signature files automatically but unfortunately, this is not always possible. This command adds the specified signature file into the planned signature files queue.

Signature files reside in the subdirectories of the SIG directory. Each processor has its own subdirectory. The name of the subdirectory is equivalent to the name of the processor module file (z80 for z80.w32, for example). Note: IBM PC signatures are located in the SIG directory itself. Note: the IDASGN environment variable can be used to specify the location of the signatures directory.

There is another way to load a signature file: you may insert/delete signature files in the following way:

        - open the signatures window
        - press Ins to insert a signature file to the queue
        - press Del to delete a signature file from the queue

This is a preferred way of applying signatures because useful information, such as the number of identified functions is displayed in the signature window.

See also Load... submenu commands.

Load C header

 Action    name: LoadHeaderFile
 

This command allows you to apply type declarations from a C header file to the program.

IDA reads and parses the specified header file as a C compiler does. In other words, it mimics the front-end of a C compiler with some restrictions:

        - only type declarations are allowed. The function definitions
          in the input file are skipped
        - not all C++ header files are not supported, only simple classes can
          be parsed
        - the compiler specific predefined macros are not defined,
          you have to define them manually in the header file

Don't forget to specify the compiler and memory model in the compiler setup dialog box before loading a header file.

All type declarations found in the input file are stored in the current database in the form of a type library. These type declarations can be used to define new structure and enumeration definitions by pressing "Add standard structure" or "Add standard enum" buttons in the Add enum type... and Add struct type... dialog boxes.

In the case of an error in the input file, the error messages appear in the message window. In any case, the function declarations that are already parsed are not deleted from the database. IDA stops parsing the input file when 20 errors occur.

IDA 7.7 introduced an alternative header file parser based on libclang.

See also

• Load... submenu commands.

• Local types window

• IDAClang plugin

IDAClang plugin

The IDAClang plugin is shipped with IDA, and it provides the ability to parse header files that contain arbitrarily complex C/C++/Objective-C source code using the Load C header action.

To enable the IDAClang parser, go to Options>Compiler>Source parser, and select "clang". Then use 'File>Load file>Parse C header file' to invoke the parser on a given source file.

Since IDAClang is based on the third-party libclang parser, it can only parse standalone source files that contain valid C/C++/Objective-C syntax.

See also Load C header command.

See also other File... submenu commands.

Explore our in-depth guides, crafted to help you navigate through IDA features and master its advanced capabilities.

 Action    name: Shell
 

By using this command, you can temporarily quit to the operating system.

This command is not available in the MS DOS version.

The database is left open when you use this command, so be careful.

See also other File... submenu commands.

This submenu allows you to produce various output files. It also allows you to unload the database.

The text file-producing operations below will make use of

• the currently-selected encoding for output files.

• Generate MAP file

• Generate ASM file

• Generate INC file

• Generate LST file

• Generate EXE file

• Generate DIF file

• Generate HTML file

• Generate flow chart GDL file

• Generate call graph GDL file

• Dump database to IDC file

• Dump typeinfo to IDC file

• Create C header file

Create MAP File

 Action    name: ProduceMap
 

Please enter a file name for the map. IDA will write the following information about this file:

  - current segmentation
  - list of names sorted by values

You may disable the generation of the segmentation information. You may also enable or disable dummy names in the output file.

You can use this map file for your information, and also for debugging (for example, Periscope from Periscope Company or Borland's Turbo Debugger can read this file).

Create ASM File

 Action    name: ProduceAsm
 

Please enter a file name for the assembler text file. IDA will write the disassembled text to this file.

If you have selected a range on the screen using Drop Anchor command, IDA will write only the selected range (from the current address to the anchor).

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

Create INC File

 Action    name: ProduceInc
 

Please enter a file name for the assembler include file. IDA will write the information about the defined types (structures and enums) to this file.

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

Create LST File

 Action    name: ProduceLst
 

Enter a file name for the assembler listing file. IDA will write the disassembled text to this file.

If you've selected a range on the screen using Drop Anchor command, IDA will write only the selected range (from the current address to the anchor).

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

Create Executable File

 Action    name: ProduceExe
 

Enter a file name for the new executable file. Usually this command is used after patching (see commands Patch byte and Patch word) to obtain a patched version of the file.

IDA produces executable files only for:

  - MS DOS .exe
  - MS DOS .com
  - MS DOS .drv
  - MS DOS .sys
  - general binary
  - Intel Hex Object Format
  - MOS Technology Hex Object Format

For other file formats please create a difference file.

EXE files: Output files will have the same EXE-header and relocation table as the input file. IDA will fill unused ranges of the EXE file (e.g. between relocation table and loadable pages) with zeroes.

See also Edit|Patch core submenu.

Create Difference File

 Action    name: ProduceDiff
 

This command will prompt you for a filename and then will create a plain text difference file of the following format:

 comment

 filename
 offset: oldval  newval

See also Edit|Patch core submenu.

Create HTML File

 Action    name: ProduceHtml
 

Please enter a file name for the HTML file. IDA will write the disassembled text to this file.

If you've selected a range on the screen using Drop Anchor command, IDA will write only the selected range (from the current address to the anchor).

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

This command is available only in the graphical version of IDA.

Produce flow chart GDL file

 Action    name: ProduceFuncGdl
 

This command creates a GDL (graph description file) with the flow chart of the current function.

If there is an active selection, its flow chart will be generated.

IDA will ask for the output file name. Regardless of the specified extension, the .GDL extension will be used.

Produce call graph GDL file

 Action    name: ProduceCallGdl
 

This command creates a GDL (graph description file) with the graph of the function calls.

IDA will ask for the output file name. Regardless of the specified extension, the .GDL extension will be used.

Dump database to IDC file

 Action    name: DumpDatabase
 

This command saves current IDA database into a text file.

You can use it as a safety command:

  - to protect your work from disasters
  - to migrate information into new database formats of IDA.

This command is used when you want to switch to a new version of IDA. Usually each new version of IDA has its own database format. To create a new format database, you need:

  1. to issue the 'Dump...' command for the old
     database (using old version of IDA). You will
     get an IDC file containing all information
     from your old database.
  2. to reload your database using new IDA with switch -x.
  3. to compile and execute the IDC file with command
    'Execute IDC file' (usually F2)

Please note that this command does not save everything to text file. Any information about the local variables will be lost!

Create C header file

 Action    name: ProduceHeader
 

This command saves all definitions in the local types window into a C header file.

Dump typeinfo to IDC file

 Action    name: DumpTypes
 

This command saves information about the user-defined types from the IDA database into a text file.

Information about enums, structure types and other user-defined types is saved in a text form as an IDC program.

You can use this command to migrate the type definitions from one database to another.

See also other File... submenu commands.

Abort IDA

This command terminates the current IDA session. The Abort command is not available if the database was not packed.

IDA will NOT save changes to the disk.

 Action    name: Redo
 

This command reverts the previously issued Undo command. It is possible to use Redo multiple times.

This command also reverts all changes that were done to the database after the last Undo command, including the eventual useful modifications made by the autoanalysis. In other words, the entire database is modified to get to the exact state that it had before executing the last Undo command.

See also

• Undo

• Reset Undo

• Disable Undo

• Open undo history

 Action    name: MakeCode
 

This command converts the current unexplored bytes to instruction(s). IDA will warn you if it is not possible.

If you have selected a range using the [anchor](../../../disassembler/navigation/anchor.md, all the bytes from this range will be converted to instructions.

If you apply this command to an instruction, it will be reanalyzed.

See also Edit submenu

 Action    name: SaveBase
 

This command saves and packs the current database.

See also other File... submenu commands. Save database as... command.

 Action    name: MakeArray
 

This command allows you to create arrays and change their sizes.

The arrays are created in 2 simple steps:

1. Create the first element of array using the data definition commands (data, string, structs)

2. Apply the array command to the created data item. Enter array size in current array elements (not bytes). The suggested array size is the minimum of the following values:

   Copy

        - the address of the next item with a cross reference
        - the address of the next user-defined name

For string literals, you can use this command to change the length of the string.

The dialog box contains the following fields:

Items on a line (meaningless for string literals):

        0               place maximal number of items on a line
        other value     number of items on a line

Please note that the margin parameter affects the number of items on a line too.

Alignment (meaningless for string literals):

        -1              do not align items
        0               align automatically
        other value     width of each item

 Signed elements:       if checked, IDA treats all elements as signed numbers.
                        only meaningful for numbers (not for offsets and
                        segments and strings)

 Display indexes:       if checked, IDA will display the indexes of array
                        elements in the form of comments (0,1,2...)

 Create as array:       if not checked, IDA will create a separate item for
                        each array element. Useful for creating huge arrays.
                        If the box is unchecked when this command is
                        applied to string literals, IDA will create many
                        string literals instead of one big string.

If applied to a variable-sized structure, this command is used to specify the overall size of the structure. You cannot create arrays of variable-sized structures.

See also:

• Edit submenu

• How to Enter a Number.

 Action    name: MakeUnknown
 

This command deletes the current instruction or data, converting it to 'unexplored' bytes. IDA will delete the subsequent instructions if there are no more references to them (functions are never deleted).

If you have selected a range using the anchor, all the bytes in this range will be converted into 'unexplored' bytes. In this case, IDA will not delete any other instructions even if there are no references to them after the deletion.

See also Edit submenu

 Action    name: MakeName
 

This command gives name/renames/deletes name for the current item.

To delete a name, simply give an empty name.

If the current item is referenced, you cannot delete its name. Even if you try, IDA will generate a dummy name.

Local name

  The name is considered to be defined only in the current function.
  Please note that IDA does not check the uniqueness of the local names
  in the whole program. However, it does verify that the name is unique for the
  function.

Include in name list

Here you can also include/remove the name from the name list. If the name is hidden, you will not see it in names window.

Public name

  You can declare a name as a public (global) name. If the current
  assembler supports the "public" directive, IDA will use it.
  Otherwise, the publicness of the name will be displayed as a comment.

Autogenerated name

  An autogenerated name will appear in a different color.
  if the item is indefined, it will disappear automatically .

Weak name

  You can declare a name as a weak name. If the current
  assembler supports the "weak" directive, IDA will use it.
  Otherwise, the weakness of the name will be displayed as a comment.

Create name anyway

  If this flag is on, and if the specified name already exists,
  IDA will try to variate the specified name by appending a suffix to it.

See also Edit submenu. How to Enter an Identifier. Names representation.

 Action    name: SaveBaseSnap
 

This command takes a database snapshot. The snapshot can be later restored from the database snapshot manager.

Note: snapshots work only with regular databases. Unpacked databases do not support them.

See also View database snapshot manager commands.

If you have selected a range before applying an operand conversion command, IDA will display a dialog box.

You can choose a range of operands to perform an en masse operation:

 ALL OPERANDS
 -----------

The operation will be performed on all operands as a toggle. For example, if you ask to convert to a character, then all non-character operands will become characters, and all character operands will become non-chars.

 OPERAND VALUE RANGE
 -------------------

The operation will be performed on the void operands which contain immediate numbers in the specified range.

 ... OPERANDS
 ------------

This selection will convert all operands with the specified type to undefined operands. Example: all characters become non-characters.

 NOT ... OPERANDS
 ---------------

This selection allows to convert all operands that do not have the specified type to the specified type. Example: all non-characters to characters.

 NOT TYPED OPERANDS
 -----------------

This selection allows to convert all operands without any type to the specified type. Example: all operands with no type to characters.

 APPLY ONLY IF POSSIBLE
 ---------------------

IDA will check whether an operand can be represented with the specified type (as a character constant, for example), and perform type conversion only if the check is successful.

 Action    name: OpChar
 

This command converts immediate operand(s) type of the current instruction/data to character.

When you use this command, IDA deletes the manually entered operand.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

See also Edit|Operand types submenu.

 Action    name: Undo
 

This command reverts the database to the state before executing the last user action. It is possible to apply Undo multiple times, in this case multiple user actions will be reverted.

Please note the entire database is reverted, including all modifications that were made to the database after executing the user action and including the ones that are not connected to the user action. For example, if a third party plugin modified the database during or after the user action, this modification will be reverted. In theory it is possible to go back in time to the very beginning and revert the database to the state state that was present immediately after performing the very first user action. However, in practice the undo buffers overflow because of the changes made by autoanalysis. Autoanalysis generates copious amounts of undo data. Also please note that maintaining undo data during autoanalysis slows it down a bit. In practice it is not a big deal because the limit on the undo data is reached quite quickly (in a matter of minutes). Therefore, if during analysis the user does not perform any actions that modify the database, the undo feature will turn itself off temporarily.

However, if you prefer not to collect undo data at all during the initial autoanalysis, just turn off the UNDO_DURING_AA parameter in ida.cfg.

The configuration file ida.cfg has 2 more undo-related parameters:

  UNDO_MAXSIZE  max size of undo buffers; default: 128MB
                once this limit is reached, the undo info about the oldest
                user action will be forgotten.

  UNDO_DEPTH    max number of user actions to remember; default: 1000000
                if set to 0, the undo feature will be unavailable.

Since there is a limit on the size of undo buffers, any action, even the tiniest, may become non-undoable after some time. This is true because the analysis or plugins may continue to modify the database and overflow the buffers. Some massive actions, like deleting a segment, may be non-undoable just because of the sheer amount of undo data they generate.

Please note that Undo does not affect the state of IDC or Python scripts. Script variables will not change their values because of Undo. Also nothing external to the database can be changed: created files will not be deleted, etc.

Some actions cannot be undone. For example, launching a debugger or resuming from a breakpoint cannot be undone.

See also

• Redo

• Reset Undo

• Disable Undo

• Open undo history

This command terminates the current IDA session. IDA will write all changes to the disk and will close all databases.

You can also perform garbage collection on the database before packing it. The garbage collection removes the unused database pages, making it smaller. However, IDA needs some free database pages when it works,therefore it will allocate them again when you reuse the database. Removing and adding free pages takes time and, what is most important, it changes the database control blocks.

Use garbage collection only when you do not intend to work with the database in the near future.

 Action    name: ResetUndo
 

This command clears the undo history. After it the Undo and Redo commands become unavailable. However, once the user performs a new action, IDA will again start journaling all database modifications.

A side effect of this command is fast autoanalysis: since there is no user action to revert yet, IDA does not maintain undo buffers and this speeds up the analysis.

See also

• Undo

• Redo

• Disable Undo

• Open undo history

 Action    name: DisableUndo
 

This command completely disables the undo feature.

See also

• Undo

• Redo

• Reset Undo

• Open undo history

If the selected enum is a bitfield, IDA will try to build a bitfield expression to represent the constant. Please note that for bitfields having multiple constants with the same value some expressions won't be possible.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise all other operands will be affected.

A complex offset expression looks like

        offset target + delta - offset base

It is specified by:

        - type (OFF16, OFF32, LOW16, etc.)
        - base
        - optional target
        - optional delta from target

The relationship between these parameters is (the formula is given for full offsets):

        operand_value = target + delta - base

  or (the same relationship in a different form):

        target = operand_value - delta + base

You always have to specify the offset type and base. Usually, the delta is equal to zero. For the full offset type you may omit the offset target, which is recommended. In this case, IDA will calculate it automatically. However, if you specify the offset target, make sure that the relationship between the parameters still holds. For the half offset types, you have to specify the target because there is no way to calculate it.

The offset types:

  8-bit full offset            :
  16-bit full offset           :
  32-bit full offset           :

    The full offsets are regular offset expressions like

        offset label

    They can occupy 8, 16, or 32 bits.
    You have to specify the offset base for these offsets.

  low 8 bits of 16-bit offset  :

    Only the low 8 bits of the offset. IDA will represent them as

        (offset label) & 0xFF

  low 16 bits of 32-bit offset :

    Only the low 16 bits of the offset. IDA will represent them as

        (offset label) & 0xFFFF

  high 8 bits of 16-bit offset :

    Only the high 8 bits of the offset. IDA will represent them as

        offset label >> 8

  high 16 bits of 32-bit offset:

    Only the high 17 bits of the offset. IDA will represent them as

        offset label >> 16

See also offset by any user-specified base

 Action    name: ChangeSign
 

This command changes the sign of the current operand. Please note that not all operands can change their sign.

See also: Edit|Operand types submenu. Enter #th operand manually commands. Set operand type

 Action    name: MakeData
 

This command converts the current unexplored bytes to data. If it is not possible, IDA will warn you.

Multiple using of this command will change the data type:

 db -> dw -> dd -> float -> dq -> double -> dt -> packreal -> octa \;
 ^                                                                 |;
 \---------<----------------<--------------<-----------------------/;

You may remove some items from this list using setup data command.

If the target assembler does not support double words or another data type, it will be skipped. To create a structure variable, use Declare struct var command. To create an array, use Array command. To convert back, use Undefine command. See also Edit submenu

Convert to string literal

 Action    name: MakeStrlit
 

This command converts the current unexplored bytes to a string.

The set of allowed characters is specified in the configuration file, parameter StrlitChars. Character '\0' is not allowed in any case. If the current assembler does not allow characters above 0x7F, characters with high bit set are not allowed.

If the anchor has been dropped, IDA will take for the string all characters between the current cursor position and the anchor.

Use the anchor if the string starts a disallowed character.

This command also generates a name for the string. In the configuration file, you can specify the characters allowed in names (NameChars).

You can change the literal string length using Array command.

The GUI version allows you to assign a special hotkey to create Unicode strings. To do so, change the value of the StringUnicode parameter in the IDAGUI.CFG file.

Pascal Strings

To create Pascal style strings (with first byte indicating string length) use Set String Style command.

See also Edit submenu

This submenu allows you to manipulate functions in the disassembly:

• Create function...

• Edit function...

• Append function tail...

• Remove function tail...

• Delete function...

• Set function end

• Define stack variables...

• Change stack pointer...

• Rename register...

• Set function/item type...

Create Function

Action    name: MakeFunction
 

This command defines a new function in the disassembly text.

You can specify function boundaries using the anchor. If you don't specify any, IDA will try to find the boundaries automatically:

   - function start point is equal to the current cursor position;
   - function end point is calculated by IDA.

A function cannot contain references to undefined instructions. If a function has already been defined at the specified addresses, IDA will jump to its start address, showing you a warning message.

A function must start with an instruction.

Edit Function

 Action    name: EditFunction
 

Here you can change function bounds, its name and flags. In order to change only the function end address, you can use FunctionEnd command.

If the current address does not belong to any function, IDA beeps.

This command allows you to change the function frame parameters too. You can change sizes of some parts of frame structure.

IDA considers the stack as the following structure:

      +------------------------------+
      | function arguments           |
      +------------------------------+
      | return address               |
      +------------------------------+
      | saved registers (SI,DI,etc)  |
      +------------------------------+  <- BP
      | local variables              |
      +------------------------------+  <- SP

For some processors or functions, BP may be equal to SP. In other words, it can point to the bottom of the stack frame.

You may specify the number of bytes in each part of the stack frame. The size of the return address is calculated by IDA (possibly depending on the far function flag).

"Purged bytes" specifies the number of bytes added to SP upon function return. This value will be used to calculate the SP changes at call sites (used in some calling conventions, such as __stdcall in Windows 32-bit programs.)

"BP based frame" allows IDA to automatically convert [BP+xxx] operands to stack variables.

"BP equal to SP" means that the frame pointer points to the bottom of the stack. It is usually used for the processors which set up the stack frame with EBP and ESP both pointing to the bottom of the frame (for example MC6816, M32R).

If you press <Enter> even without changing any parameter,IDA will reanalyze the function.

Sometimes, EBP points to the middle of the stack frame. FPD (frame pointer delta) is used to handle such situations. FPD is the value substracted from the EBP before accessing variables. An example:

           push    ebp
           lea     ebp, [esp-78h]
           sub     esp, 588h
           push    ebx
           push    esi
           lea     eax, [ebp+74h]

      +------------------------------+
      | function arguments           |
      +------------------------------+
      | return address               |
      +------------------------------+
      | saved registers (SI,DI,etc)  |
      +------------------------------+  <- typical BP
      |                              |
      |                              |
      |                              |  <- actual BP
      | local variables              |
      |                              |
      |                              |
      |                              |
      +------------------------------+  <- SP

In our example, the saved registers area is empty (since EBP has been initialized before saving EBX and ESI). The difference between the 'typical BP' and 'actual BP' is 0x78 and this is the value of FPD.

After specifying FPD=0x78 the last instruction of the example becomes

           lea     eax, [ebp+78h+var_4]

where var_4 = -4

Most of the time, IDA calculates the FPD value automatically. If it fails, the user can specify the value manually.

If the value of the stack pointer is modified in an unpredictable way, (e.g. "and esp, -16"), then IDA marks the function as "fuzzy-sp".

If this command is invoked for an imported function, then a simplified dialog box will appear on the screen.

Function flags

The following flags can be set in function properties:

Does not return

The function does not return to caller (for example, calls a process exit function or has an infinite loop). If no-return analysis is enabled in Kernel Options, IDA will not analyze bytes following the calls to this function.

Far function

On processors which distinguish near and far functions (e.g. PC x86), mark the function as 'far'. This may affect the size of the special stack frame field reserved for the return address, as well as analysis of calls to this function.

Library func

Mark the function as part of compiler runtime library code. This flag is usually set when applying FLIRT signatures

Static func

Mark the function as static. Currently this flag is not used by IDA and is simply informational.

BP based frame

Inform IDA that the function uses a frame pointer (BP/EBP/RBP on PC) to access local variables. The operands of the form [BP+xxx] will be automatically converted to stack variables.

BP equal to SP

Frame pointer points to the bottom of the stack instead of at the beginning of the local variables area as is typical.

Fuzzy SP

Function changes SP by an unknown value, for example: and esp, 0FFFFFFF0h

Outlined code

The function is not a real function but a fragment of multiple functions' common instruction sequence extracted by the compiler as a code size optimization (sometimes called "code factoring"). During decompilation, body of the function will be expanded at the call site.

Append Function Tail

 Action    name: AppendFunctionTail
 

This command appends an arbitrary range of the program to a function definition. A range must be selected before applying this command. This range must not intersect with other function chunks (however, an existing tail can be added to multiple functions).

IDA will ask to select the parent function for the selection and will append the range to the function definition.

Remove Function Tail

 Action    name: RemoveFunctionTail
 

This command removes the function tail at the cursor from a function definition.

If there are several parent functions for the current function tail range, IDA will ask to select the parent function(s) to remove the tail from.

After the confirmation, the current function tail range will be removed from the selected function definition.

If the parent was the only owner of the current tail, then the tail will be destroyed. Otherwise it will still be present in the database. If the removed parent was the owner of the tail, then another function will be selected as the owner.

Delete Function

 Action    name: DelFunction
 

Deleting a function deletes only information about a function, such as information about stack variables, comments, function type, etc.

The instructions composing the function will remain intact.

Set Function End

 Action    name: FunctionEnd
 

This command changes the current or previous function bounds so that its end will be set at the cursor. If it is not possible, IDA beeps.

Edit the argument location

Allow to edit argument or return value location.

Stack Variables Window

 Action    name: OpenStackVariables
 

This command opens the stack variables window for the current function.

The stack variables are internally represented as a structure. This structure consists of two parts: local variables and function arguments.

You can modify stack variable definitions here: add/delete/define stack variables, enter comments for them.

There may be two special fields in this window: " r" and " s". They represent the size of the function return address and of the saved registers in bytes. You cannot modify them directly. To change them, use edit function command.

Offsets at the line prefixes represent offsets from the frame pointer register (BP). The window indicator at the lower left corner of the window displays offsets from the stack pointer.

In order to create or delete a stack variable, use data definitions commands (data, strlit, array, undefine, Rename). Also you may define regular or repeatable comments.

The defined stack variables may be used in the program by converting operands to stack variables.

Esc closes this window.

See also Convert to stack variable.

Change Stack Pointer

Action    name: ChangeStackPointer
 

This command allows you to specify how the stack pointer (SP) is modified by the current instruction.

You cannot use this command if the current instruction does not belong to any function.

You will need to use this command only if IDA was not able to trace the value of the SP register. Usually IDA can handle it but in some special cases it fails. An example of such a situation is an indirect call of a function that purges its parameters from the stack. In this case, IDA has no information about the function and cannot properly trace the value of SP.

Please note that you need to specify the difference between the old and new values of SP.

The value of SP is used if the current function accesses local variables by [ESP+xxx] notation.

See also Convert to stack variable.

Rename register

 Action    name: RenameRegister
 

This command allows you to rename a processor general register to some meaningful name. While this is not used very often on IBM PCs, it is especially useful on RISC processors with lots of registers.

For example, a general register R9 is not very meaningful and a name like 'CurrentTime' is much better.

This command can be used to define a new register name as well as to remove it. Just move the cursor on the register name and press enter. If you enter the new register name as an empty string, then the definition will be deleted.

If you have selected a range before using this command, then the definition will be restricted to the selected range. But in any case, the definition cannot cross the function boundaries.

You cannot use this command if the current instruction does not belong to any function.

Set function/item type

 Action    name: SetType
 

This command allows you to specify the type of the current item.

If the cursor is located on a name, the type of the named item will be edited. Otherwise, the current function type (if there is a function) or the current item type (if it has a name) will be edited.

The function type must be entered as a C declaration. Hidden arguments (like 'this' pointer in C++) should be specified explicitly. IDA will use the type information to comment the disassembly with the information about function arguments. It can also be used by the Hex-Rays decompiler plugin for better decompilation.

Here is an example of a function declaration:

        int main(int argc, const char *argv[]);

To delete a type declaration, please enter an empty string.

IDA supports the user-defined calling convention. In this calling convention, the user can explicitly specify the locations of arguments and the return value. For example:

        int __usercall func@<ebx>(int x, int y@<esi>);

denotes a function with 2 arguments: the first argument is passed on the stack (IDA automatically calculates its offset) and the second argument is passed in the ESI register and the return value is stored in the EBX register. Stack locations can be specified explicitly:

        int __usercall runtime_memhash@<^12.4>(void *p@<^0.4>, int q@<^4.4>, int r@<^8.4>)

There is a restriction for a __usercall function type: all stack locations should be specified explicitly or all are automatically calculated by IDA. General rules for the user defined prototypes are:

  - the return value must be in a register.
    Exception: stack locations are accepted for the __golang and __usercall calling conventions.

  - if the return type is 'void', the return location must not be specified

  - if the argument location is not specified, it is assumed to be
    on the stack; consequent stack locations are allocated for such arguments

  - it is allowed to declare nested declarations, for example:
    int **__usercall func16@<eax>(int *(__usercall *x)@<ebx>
                                             (int, long@<ecx>, int)@<esi>);
    Here the pointer "x" is passed in the ESI register;
    The pointed function is a usercall function and expects its second
    argument in the ECX register, its return value is in the EBX register.
    The rule of thumb to apply in such complex cases is to specify the
    the registers just before the opening brace for the parameter list.

  - registers used for the location names must be valid for the current
    processor; some registers are unsupported (if the register name is
    generated on the fly, it is unsupported; inform us about such cases;
    we might improve the processor module if it is easy)

  - register pairs can be specified with a colon like <edx:eax>

- for really complicated cases this syntax can be used. IDA also understands the "__userpurge" calling convention. It is the same thing as __usercall, the only difference is that the callee cleans the stack.

The name used in the declaration is ignored by IDA.

If the default calling convention is __golang then explicit specification of stack offsets is permitted. For example:

  __attribute__((format(printf,2,3)))
  int myprnt(int id, const char *format, ...);

This declaration means that myprnt is a print-like function; the format string is the second argument and the variadic argument list starts at the third argument.

Below is the full list of attributes that can be handled by IDA. Please look up the details in the corresponding compiler help pages.

  packed        pack structure/union fields tightly, without gaps
  aligned       specify the alignment
  noreturn      declare as not returning function
  ms_struct     use microsoft layout for the structure/union
  format        possible formats: printf, scanf, strftime, strfmon

For data declarations, the following custom __attribute((annotate(X))) keywords have been added. The control the representation of numbers in the output:

__bin unsigned binary number

__oct unsigned octal number

__hex unsigned hexadecimal number

__dec signed decimal number

__sbin signed binary number

__soct signed octal number

__shex signed hexadecimal number

__udec unsigned decimal number

__float floating point

__char character

__segm segment name

__enum() enumeration member (symbolic constant)

__off offset expression (a simpler version of __offset)

__offset() offset expression

__strlit() string __stroff() structure offset

__custom() custom data type and format

__invsign inverted sign

__invbits inverted bitwise

__lzero add leading zeroes

__tabform() tabular form

The following additional keywords can be used in type declarations:

_BOOL1 a boolean type with explicit size specification (1 byte)

_BOOL2 a boolean type with explicit size specification (2 bytes)

_BOOL4 a boolean type with explicit size specification (4 bytes)

__int8 a integer with explicit size specification (1 byte)

__int16 a integer with explicit size specification (2 bytes)

__int32 a integer with explicit size specification (4 bytes)

__int64 a integer with explicit size specification (8 bytes)

__int128 a integer with explicit size specification (16 bytes)

_BYTE an unknown type; the only known info is its size: 1 byte

_WORD an unknown type; the only known info is its size: 2 bytes

_DWORD an unknown type; the only known info is its size: 4 bytes

_QWORD an unknown type; the only known info is its size: 8 bytes

_OWORD an unknown type; the only known info is its size: 16 bytes

_TBYTE 10-byte floating point value

_UNKNOWN no info is available

__pure pure function: always returns the same value and does not modify memory in a visible way

__noreturn function does not return

__usercall user-defined calling convention; see above

__userpurge user-defined calling convention; see above

__golang golang calling convention

__swiftcall swift calling convention

__spoils explicit spoiled-reg specification; see above

__hidden hidden function argument; this argument was hidden in the source code (e.g. 'this' argument in c++ methods is hidden)

__return_ptr pointer to return value; implies hidden

__struct_ptr was initially a structure value

__array_ptr was initially an array

__unused unused function argument __cppobj a c++ style struct; the struct layout depends on this keyword

__ptr32 explicit pointer size specification (32 bits)

__ptr64 explicit pointer size specification (64 bits)

__shifted shifted pointer declaration

__high high level prototype (does not explicitly specify hidden arguments like 'this', for example) this keyword may not be specified by the user but IDA may use it to describe high level prototypes

__bitmask a bitmask enum, a collection of bit groups

Shifted pointers

Sometimes in binary code we can encounter a pointer to the middle of a structure. Such pointers usually do not exist in the source code but an optimizing compiler may introduce them to make the code shorter or faster.

Such pointers can be described using shifted pointers. A shifted pointer is a regular pointer with additional information about the name of the parent structure and the offset from its beginning. For example:

        struct mystruct
        {
          char buf[16];
          int dummy;
          int value;            // <- myptr points here
          double fval;
        };
        int *__shifted(mystruct,20) myptr;

The above declaration means that myptr is a pointer to 'int' and if we decrement it by 20 bytes, we will end up at the beginning of 'mystruct'.

Please note that IDA does not limit parents of shifted pointers to structures. A shifted pointer after the adjustment may point to any type except 'void'.

Also, negative offsets are supported too. They mean that the pointer points to the memory before the structure.

When a shifted pointer is used with an adjustment, it will be displayed with the 'ADJ' helper function. For example, if we refer to the memory 4 bytes further, it can be represented like this:

        ADJ(myptr)->fval

Shifted pointers are an improvement compared to the CONTAINING_RECORD macro because expressions with them are shorter and easier to read.

See also Set type command.

Scattered argument locations

  00000000 struc_1         struc ; (sizeof=0xC)
  00000000 c1              db ?
  00000001                 db ? ; undefined
  00000002 s2              dw ?
  00000004 c3              db ?
  00000005                 db ? ; undefined
  00000006                 db ? ; undefined
  00000007                 db ? ; undefined
  00000008 i4              dd ?
  0000000C struc_1         ends

If we have this function prototype:

  void myfunc(struc_1 s);

the 64bit GNU compiler will pass the structure like this:

  RDI: c1, s2, and c3
  RSI: i4

Since compilers can use such complex calling conventions, IDA needs some mechanism to describe them. Scattered argument locations are used for that. The above calling convention can be described like this:

  void __usercall myfunc(struc_1 s@<0:rdi.1, 2:rdi^2.2, 4:rdi^4.1, 8:rsi.4>);

It reads:

  1 byte  at offset 0 of the argument is  passed in the byte 0 of RDI
  2 bytes at offset 2 of the argument are passed in the byte 1,2 of RDI
  1 byte  at offset 4 of the argument is  passed in the byte 3 of RDI
  4 bytes at offset 8 of the argument are passed starting from the byte 0 of RSI

In other words, the following syntax is used:

  argoff:register^regoff.size

where

  argoff - offset within the argument
  register - register name used to pass part of the argument
  regoff - offset within the register
  size - number of bytes

The regoff and size fields can be omitted if there is no ambiguity.

If the register is not specified, the expression describes a stack location:

  argoff:^stkoff.size

where

  argoff - offset within the argument
  stkoff - offset in the stack frame (the first stack argument is at offset 0)
  size - number of bytes

Please note that while IDA checks the argument location specifiers for soundness, it cannot perform all checks and some wrong locations may be accepted. In particular, IDA in general does not know the register sizes and accepts any offsets within them and any sizes.

See also Set type command.

Data representation: enum member

Syntax:

  __enum(enum_name)

Instead of a plain number, a symbolic constant from the specified enum will be used. The enum can be a regular enum or a bitmask enum. For bitmask enums, a bitwise combination of symbolic constants will be printed. If the value to print cannot be represented using the specified enum, it will be displayed in red.

Example:

   enum myenum { A=0, B=1, C=3 };
   short var __enum(myenum);

   If `var` is equal to 1, it will be represented as "B"

Another example:

   enum mybits __bitmask { INITED=1, STARTED=2, DONE=4 };
   short var __enum(mybits);

   If `var` is equal to 3, it will be represented as "INITED|STARTED"

This annotation is useful if the enum size is not equal to the variable size. Otherwise using the enum type for the declaration is better:

   myenum var;  // is 4 bytes, not 2 as above

Data representation: offset expression

Syntax:

  __offset(type, base, tdelta, target)
  __offset(type, base, tdelta)
  __offset(type, base)
  __offset(type|AUTO, tdelta)
  __offset(type)
  __off

where

type is one of:

  OFF8       8-bit full offset
  OFF16      16-bit full offset
  OFF32      32-bit full offset
  OFF64      64-bit full offset
  LOW8       low 8 bits of 16-bit offset
  LOW16      low 16 bits of 32-bit offset
  HIGH8      high 8 bits of 16-bit offset
  HIGH16     high 16 bits of 32-bit offset

The type can also be the name of a custom refinfo.

It can be combined with the following keywords:

  RVAOFF     based reference (rva)
  PASTEND    reference past an item
             it may point to an nonexistent address
  NOBASE     forbid the base xref creation
             implies that the base can be any value
             nb: base xrefs are created only if the offset base
             points to the middle of a segment
  SUBTRACT   the reference value is subtracted from the base value instead of
             (as usual) being added to it
  SIGNEDOP   the operand value is sign-extended (only supported for
             REF_OFF8/16/32/64)
  NO_ZEROS   an opval of 0 will be considered invalid
  NO_ONES    an opval of ~0 will be considered invalid
  SELFREF    the self-based reference

The base, target delta, and the target can be omitted. If the base is BADADDR, it can be omitted by combining the type with AUTO:

  __offset(type|AUTO, tdelta)

Zero based offsets without any additional attributes and having the size that corresponds the current application target (e.g. REF_OFF32 for a 32-bit bit application), the shoft __off form can be used.

Examples:

  A 64-bit offset based on the image base:

  int var __offset(OFF64|RVAOFF);

  A 32-bit offset based on 0 that may point to an non-existing address:

  int var __offset(OFF32|PASTEND|AUTO);

  A 32-bit offset based on 0x400000:

  int var __offset(OFF32, 0x400000);

  A simple zero based offset that matches the current application bitness:

  int var __off;

This annotation is useful the type of the pointed object is unknown or the variable size is different from the usual pointer size. Otherwise it is better to use a pointer:

  type *var;

Data representation: string

Syntax:

  __strlit(strtype, "encoding")
  __strlit(strtype, char1, char2, "encoding")
  __strlit(strtype)

where strtype is one of:

  C          Zero terminated string, 8 bits per symbol
  C_16       Zero terminated string, 16 bits per symbol
  C_32       Zero terminated string, 32 bits per symbol
  PASCAL     Pascal string: 1 byte length prefix, 8 bits per symbol
  PASCAL_16  Pascal string: 1 byte length prefix, 16 bits per symbol
  LEN2       Wide Pascal string: 2 byte length prefix, 8 bits per symbol
  LEN2_16    Wide Pascal string: 2 byte length prefix, 16 bits per symbol
  LEN4       Delphi string: 4 byte length prefix, 8 bits per symbol
  LEN4_16    Delphi string: 4 byte length prefix, 16 bits per symbol

It may be followed by two optional string termination characters (only for C). Finally, the string encoding may be specified, as the encoding name or "no_conversion" if the string encoding was not explicitly specified.

Example:

  A zero-terminated string in windows-1252 encoding:

  char array[10] __strlit(C,"windows-1252");

  A zero-terminated string in utf-8 encoding:

  char array[10] __strlit(C,"UTF-8");

Data representation: structure offset

Syntax:

  __stroff(structname)
  __stroff(structname, delta)

Instead of a plain number, the name of a struct or union member will be used. If delta is present, it will be subtracted from the value before converting it into a struct/union member name.

Example:

  An integer variable named `var` that hold an offset from the beginning of
  the `mystruct` structure:

  int var __stroff(mystruct);

  If mystruct is defined like this:

  struct mystruct
  {
    char a;
    char b;
    char c;
    char d;
  }

  The value 2 will be represented as `mystruct.c`

Another example:

  A structure offset with a delta:

  int var __stroff(mystruct, 1);

  The value 2 will be represented as `mystruct.d-1`

Data representation: custom data type and format

Syntax:

 __custom(dtid, fid)

where dtid is the name of a custom data type and fid is the name of a custom data format. The custom type and format must be registered by a plugin beforehand, at the database opening time. Otherwise, custom data type and format ids will be displayed instead of names.

Data representation: tabular form

Syntax:

  __tabform(flags)
  __tabform(flags,lineitems)
  __tabform(flags,lineitems,alignment)
  __tabform(,lineitems,alignment)
  __tabform(,,alignment)

This keyword is used to format arrays. The following flags are accepted:

  NODUPS do not use the `dup` keyword
  HEX    use hexadecimal numbers to show array indexes
  OCT    use octal numbers to show array indexes
  BIN    use binary numbers to show array indexes
  DEC    use decimal numbers to show array indexes

It is possible to combine NODUPS with the index radix: NODUPS|HEX

The `lineitems` and `alignment` attributes have the meaning described for the create array command.

Example:

  Display the array in tabular form, 4 decimal numbers on a line, each number
  taking 8 positions. Display indexes as comments in hexadecimal:

  char array[16] __tabform(HEX,4,8) __dec;

  A possible array may look like:

  dd   50462976, 117835012, 185207048, 252579084; 0
  dd  319951120, 387323156, 454695192, 522067228; 4
  dd  589439264, 656811300, 724183336, 791555372; 8
  dd  858927408, 926299444, 993671480,1061043516; 0Ch

Without this annotation, the `dup` keyword is permitted, number of items on a line and the alignment are not defined.

See also Edit submenu.

This submenu allows you to manipulate different kinds of comments. Use them to make the disassembled text more understandable.

Create a regular comment

If you stand at the function start and your cursor is on a function name, IDA will ask you to enter a function comment.

If you stand at the segment start and your cursor is on a segment name, IDA will ask you to enter a segment comment.

Otherwise, this command allows you to enter a normal indented comment for the current item.

See also

Create a repeatable comment

This command allows you to enter a repeatable comment. A repeatable comment will appear attached to the current item and all other items referencing it.

If you stand at the function start, IDA will ask you to enter a function comment.

Otherwise, this command allows you to enter a repeatable comment for the current item.

You cannot enter repeatable segment comments.

All items that refer to the current item will have this comment by default.

The repeatable comments may be used to describe subroutines, data items, etc., because all calls to the subroutine will have the repeatable comment.

Create additional comment lines

If you want to enter multi-line comments or additional instructions, you can use this feature of IDA.

There are two kinds of extra lines: the ones generated before the instruction line and the ones generated after the instruction line.

Do not forget that the maximal number of lines for an item is 500.

IDA does not insert a comment symbol at the beginning of the lines.

This command allows you to specify the type of the operand under the cursor.

The operand type must be entered as a C declaration. Currently IDA itself does not use the operand type information. However, it can be used by the Hex-Rays decompiler plugin. Setting operand type is most useful in case of indirect calls: the decompiler will use the type information to determine the input parameters to the call instead of guessing, which can make the decompiled code better.

An example of a type declaration:

To delete a type declaration, enter an empty string.

This command converts the immediate operand(s) type of the current instruction/data to segment base. The segment bases are usually displayed like this:

If IDA cannot find a segment whose base is equal to the operand value, it simply displays it as hex number.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.