1 of 100

IDC

IDC is an IDA native, embedded scripting language semantically similar to C/C++.

Typical use cases

With IDC, you can write simple scripts for automating repetitive tasks and extending out-of-the-box IDA functionality (for example, for getting the list of all functions or marked positions) without creating more complex plugins with C++ SDK or IDAPython.

What to check next?

Core concepts

IDC language is a C-like language. It has the same lexical tokens as C does: character set, constants, identifiers, keywords, etc. However, since it is a scripting language, there are no pointers, and all variable types can be handled by the interpreter. Any variable may hold any value; variables are declared without specifying their type;

auto myvar;

An IDC program consists of function declarations. By default, execution starts from a function named 'main'.

Select a topic to read:

Expressions

In the IDC expressions you can use almost all C operations except:

  complex assignment operations as '+='

Constants are defined more or less like in C, with some minor differences.

There are four type conversion operations:

  long(expr)  floating point numbers are truncated during conversion
  char(expr)
  float(expr)
  __int64(expr)

However, explicit type conversions are rarely required because all type conversions are made automatically:

  - addition:
        if both operands are strings,
          string addition is performed (strings are concatenated);
        if both operands are objects,
          object combination is performed (a new object is created)
        if floating point operand exists,
          both operands are converted to floats;
        otherwise
          both operands are converted to longs;

  - subtraction/multiplication/division:
        if floating point operand exists,
          both operands are converted to floats;
        if both operands are objects and the operation is subtraction,
          object subtraction is performed (a new object is created)
        otherwise
          both operands are converted to longs;

  - comparisons (==,!=, etc):
        if both operands are strings, string comparison is performed;
        if floating point operand exists,
          both operands are converted to floats;
        otherwise
          both operands are converted to numbers;

  - all other operations:
        operand(s) are converted to longs;

If any of the long operands is 64bit, the other operand is converted to 64bit too.

There is one notable exception concerning type conversions: if one operand is a string and the other is zero (0), then a string operation is performed. Zero is converted to an empty string in this case.

The & operator is used to take a reference to a variable. References themselves cannot be modified once created. Any assignment to them will modify the target variable. For example:

        auto x, r;
        r = &x;
        r = 1;   // x is equal to 1 now

References to references are immediately resolved:

        auto x, r1, r2;
        r1 = &x;
        r2 = &r1; // r2 points to x

Since all non-object arguments are passed to functions by value, references are a good way to pass arguments by reference.

Statements

In IDC there are the following statements:

; (expression-statement) if (expression) statement if (expression) statement else statement for ( expr1; expr2; expr3 ) statement while (expression) statement do statement while (expression); break; continue; return ; return; the same as 'return 0;' { statements... } throw ; ; (empty statement)

Please note that the 'switch' statement is not supported.

Functions

An IDC function always returns a value. There are 2 kinds of functions:

functions
user-defined functions A user-defined function is declared this way: static func(arg1,arg2,arg3) { ... } It is not necessary to specify the parameter types because all necessary type conversions are performed automatically.

By default all function arguments are passed by value, except:

  - objects are always passed by reference
  - functions are always passed by reference
  - it is possible to pass a variable by reference using the & operator

If the function to call does not exist, IDA tries to resolve the name using the debugged program labels. If it succeeds, an is performed.

Variables

There are two kinds of variables in IDC:

  - local variables: they are created at the function entry
    and destroyed at the exit

  - global variables: they are created at the compilation time
    and destroyed when the database is closed

A variable can contain:

LONG: a 32-bit signed long integer (64-bit in 64-bit version of IDA)
INT64: a 64-bit signed long integer
STR: a character string
FLOAT: a floating point number (extra precision, up to 25 decimal digits)
OBJECT: an object with attributes and methods (a concept very close to C++ class)
REF: a reference to another variable
FUNC: a function reference

A local variable is declared this way:

  auto var1;
  auto var2 = <expr>;

Global variables are declared like this:

  extern var;

Global variables can be redefined many times. IDA will silently ignore subsequent declarations. Please note that global variables cannot be initialized at the declaration time.

All C and C++ keywords are reserved and cannot be used as a variable name.

While it is possible to declare a variable anywhere in the function body, all variables are initialized at the function entry and all of them are destroyed only at the exit. So, a variable declared in a loop body will not be reinitialized at each loop iteration, unless explicitly specified with an assignment operator.

If a variable or function name cannot be recognized, IDA tries to resolve them using the names from the disassembled application. In it succeeds, the name is replaced by its value in the disassembly listing. For example:

  .data:00413060 errtable        dd 1   ; oscode
  .data:00413060                 dd 16h ; errnocode

        msg("address is: %x\n", _errtable);

will print 413060. If the label denotes a structure, it is possible to refer to its fields:

        msg("address is: %x\n", _errtable.errnocode);

NOTE: The processor register names can be used in the IDC scripts when the debugger is active. Reading from such a variable return the corresponding register value. Writing to such a variable modifies the register value in the debugged process. Such variables are accessible only when the application is in the suspended mode.

Constants

The following constants can be used in IDC:

 - long numbers (32-bit for 32-bit version of IDA
            and 64-bit for 64-bit version of IDA)

    12345 - decimal constants
    0x444 - hex constants
    01236 - octal constants
    0b110 - binary constants
    'c'   - character constants

  Any numeric constant may have 'u' and 'l' suffixes, they are ignored.

 - 64-bit numbers. To declare a 64-bit constant, use 'i64' suffix:

   123i64

   Also, if a constant does not fit 32-bits, it will automatically be
   stored as a 64-bit constant.

 - strings. Strings are declared using the double quotes. The backslash
   character can be used to as an escape:

   "string"
   "string\nwith four embedded \x0\x00\000\0 zeroes"

   Multiple string constants in a row will be automatically concatenated:

   "this" " is" " one " "string"

Exceptions

Any runtime error generates an exception. Exceptions terminate the execution. It is possible to catch an exception instead of terminating the execution:

    auto e;
    try
    {
      ... some statements that cause a runtime error...
    }
    catch ( e )
    {
      // e holds the exception information
      // it is an instance of the exception class
    }

See the details of classes.

The try/catch blocks can be nested. If the current function has no try/catch blocks, the calling function will be examined, and so on, until we find a try/catch block or exit the main function. If no try/catch block is found, an unhandled exception is reported.

It is also possible to throw an exception explicitly. Any object can be thrown. For example:

    throw 5;

will throw value '5'.

Classes

Classes can be declared the following way:

  class name
  {
    method1(...) {}
    ...
  };

Inside the class, method functions are declared without the 'static' keyword. The method with the name of the class is the class constructor. For example:

  class myclass
  {
     myclass(x,y)
     {
       print("myclass constructor has been called with two arguments: ", x, y);
       this.x = x;
       this.y = x;
     }
     ~myclass()
     {
       print("destructor has been called: ", this);
     }
  };

Inside the class methods, the 'this' variable can be used to refer to the current object.

Only one constructor per class is allowed.

Class instances are created like this:

  o = myclass(1, 2);

And object attributes (or fields) are accessed like this:

  print(o.x);
  o.y = o.x + 1;

A new attribute is created upon assigning to it:

  o.new_attr = 1;

Accessing an unexisting attribute generates an exception, which can be caught.

The following special method names exist:

  __setattr__(attr, value)
    This method is called when an object attribute is assigned a new value.
    Instead of assigning a value, this method can do something else.
    To modify a class attribute from this method, please use the setattr()
    global function.
    Compare with: Python _setattr_ method

  __getattr__(attr)
    This method is called when an object attribute is accessed for reading.
    Instead of simply returning a value, this method can do something else,
    for example to calculate the attribute on the fly. To retrieve a
    attribute from this function, use the getattr() global function.
    Compare with: Python _getattr_ method

Simple class inheritance is support. Derived classed are declared like this:

  class derived : base
  {
    ...
  };

Here we declare the 'derived' class that is derived from the 'base' class. For derived classes, the base class constructor can be called explicitly:

  class derived : base
  {
    derived() : base(args...)
    {
    }
  };

If the base class constructor is not called explicitly, IDA will call it implicitly, without any arguments.

It is possible to call base class methods using full names:

    base::func(this, args...);

The 'this' argument must be passed explicitly in this case.

When there are no more references to an object, it is automatically destroyed. We use a simple reference count algorithm to track the object use. Circularly dependent objects are not detected: they are never destroyed.

The following built-in object classes exist:

  - object: the default base class for all new classes. When the base class
    is not specified, the new class will inherit from 'object'
    This class has no fields and no special constructor. It has the following
    methods:

void object.store(typeinfo, ea, flags)

void object.retrieve(typeinfo, ea, flags)

- exception: class used to report exceptions. It has the following attributes:

  file - source file name where the exception occurred
  func - current function name
  line - line number
  pc   - program counter value (internal to idc)

  Runtime errors are reported as exceptions too. They are two more fields:

  qerrno      - runtime error code
  description - printable error description

  This class has no special constructor and has no methods.

- typeinfo: class used to represent type info. It has the following attributes:

  type        - binary encoded type string
  fields      - field names for the type (e.g. structure member names)
  name        - (optional) variable/function name

Human readable form of the typeinfo can be obtained by calling the print() method. The type size can be calculated using the size() method.

loader_input_t: class to read files.

Predefined symbols

The following symbols are predefined in the IDC preprocessor:

  _NT_           IDA is running under MS Windows
  _LINUX_        IDA is running under Linux
  _MAC_          IDA is running under Mac OS X
  _UNIX_         IDA is running under Unix (linux or mac)
  _EA64_         64-bit version IDA
  _QT_           GUI version of IDA (Qt)
  _GUI           GUI version of IDA
  _TXT_          Text version of IDA
  _IDA_VERSION_  The current IDA version. For example: "9.0"
  _IDAVER_       The current, numerical IDA version. For example: "900" means v9.0

These symbols are also defined when parsing C header files.

loader_input_t class

The loader_input_t class can read from input files. It has the following methods:

Instances of this class can be created by calling the open_loader_input function.

See other IDC classes.

Slices

The slice operator can be applied IDC objects are strings.

For strings, the slice operator denotes a substring:

  str[i1:i2] - substring from i1 to i2. i2 is excluded
  str[idx]   - one character substring at 'idx'.
               this is equivalent to str[idx:idx+1]
  str[:idx]  - substring from the beginning of the string to idx
               this is equivalent to str[0:idx]
  str[idx:]  - substring from idx to the end of the string
               this is equivalent to str[idx:0x7fffffff]

Any indexes that are out of bounds are silently adjusted to correct values. If i1 >= i2, empty string is returned. Negative indexes are used to denote positions counting from the end of the string.

String slices can be used on the right side of an assignment. For example:

  str[0:2] = "abc";

will replace 2 characters at the beginning of the string by "abc".

For objects, the slice operator denotes a subset of attributes. It can be used to emulate arrays:

  auto x = object();
  x[0] = value1;
  x[1] = "value2";

x[i1:i2] denotes all attributes with numeric values between i1 and i2 (i2 is excluded).

Any non-numeric attributes are ignored by the slice operator.

IDC API Reference

Check the overview of all IDC functions with detailed descriptions.

Index of debugger related IDC functions

is_member_id

Is a member id?
     id         - any id
returns: 1 there is structure member with the specified ID
         0 otherwise

long is_member_id(id);

load_type

Convenience function to load a type into a type library.
'name' may be empty for anonymous types.

     flags   -  combination of LOADTYPE_ constants,
                in case of 0 the LOADTYPE_DEFAULT is used
     ordinal -  slot number (1...NumberOfLocalTypes), is ignored if LOADTYPE_USEORD is clear
     name    -  type name
     type    -  serialized type string (internal type represenation)
     fields  -  serialized field names
     cmt     -  type comment
     fldcmts -  serialized field comments
     sclass  -  storage class of the type

tinfo_code_t load_type( long flags, long ordinal, string name, string type, string fields="", string cmt="", string fldcmts="", long sclass=0); #define LOADTYPE_USEORD 0x01 // use ordinal to set type, otherwise set type by name #define LOADTYPE_REPLACE 0x02 // overwrite the existing type #define LOADTYPE_DEFAULT (LOADTYPE_USEORD|LOADTYPE_REPLACE)

get_member_by_idx

get member id by member ordinal number
     id         - structure type ID
     member_idx - member ordinal number
returns: -1 if bad structure type ID is passed or there is
         no member with the specified index
         otherwise returns the member id.

long get_member_by_idx(long id, long member_idx);

get_ordinal_limit

Get number of local types + 1
returns: value >= 1. 1 means that there are no local types.

long get_ordinal_limit();

set_selector

set a selector value
        arguments:      sel - the selector number
                        val - value of selector
        returns:        nothing
        note:           ida supports up to 4096 selectors.
                        if 'sel' == 'val' then the
                        selector is destroyed because
                        it has no significance

void set_selector(long sel, long value);

enable_tracing

Enable step tracing
     trace_level - what kind of trace to modify
     enable      - 0: turn off, 1: turn on
Returns: success

success enable_tracing(long trace_level, long enable);

#define TRACE_STEP 0x0  // lowest level trace. trace buffers are not maintained
#define TRACE_INSN 0x1  // instruction level trace
#define TRACE_FUNC 0x2  // function level trace (calls & rets)
#define TRACE_BBLK 0x4  // basic block level trace

get_prev_fixup_ea

find previous address with fixup information
     ea - current address
returns: -1 - no more fixups
         otherwise returns the previous address with fixup information

long get_prev_fixup_ea(long ea);

del_segm

Delete a segment
  ea      - any address in the segment
  flags   - combination of SEGMOD_... flags

success del_segm(long ea, long flags);

#define SEGMOD_KILL    0x0001 // disable addresses if segment gets shrinked or deleted
#define SEGMOD_KEEP    0x0002 // keep information (code & data, etc)
#define SEGMOD_SILENT  0x0004 // be silent
#define SEGMOD_KEEP0   0x0008 // flag for internal use, don't set
#define SEGMOD_KEEPSEL 0x0010 // do not try to delete unused selector
#define SEGMOD_NOMOVE  0x0020 // don't move info from the start of segment to
                              // the new start address (for set_segment_bounds())
#define SEGMOD_SPARSE  0x0040 // use sparse storage if extending the segment
                              // (for set_segment_bounds())

get_bmask_cmt

get bitmask comment (only for bitfields)
     enum_id - id of enum
     bmask   - bitmask of the constant
     repeatable - type of comment, 0-regular, 1-repeatable
returns: comment attached to bitmask if it exists.
         otherwise returns 0.

long get_bmask_cmt(long enum_id, long bmask, long repeatable);

end_type_updating

End type updating. Refreshes the type system
at the end of type modification operations

     utp  - (one of UTP_... consts)
returns: none

success end_type_updating(long utp);

Find

The following functions search for the specified byte
     ea - address to start from
     flag is combination of the following bits:
Returns BADADDR - not found

#define SEARCH_UP       0x00            // search backward
#define SEARCH_DOWN     0x01            // search forward
#define SEARCH_NEXT     0x02            // start the search at the next/prev item
                                        // useful only for find_text() and find_binary()
                                        // for other Find.. functions it is implicitly set
#define SEARCH_CASE     0x04            // search case-sensitive
                                        // (only for bin&txt search)
#define SEARCH_REGEX    0x08            // enable regular expressions (only for txt)
#define SEARCH_NOBRK    0x10            // don't test ctrl-break
#define SEARCH_NOSHOW   0x20            // don't display the search progress

long find_suspop(long ea, long flag);
long find_code(long ea, long flag);
long find_data(long ea, long flag);
long find_unknown(long ea, long flag);
long find_defined(long ea, long flag);
long find_imm(long ea, long flag, long value);
long find_text(long ea, long flag, long y, long x, string str);
                // y - number of text line at ea to start from (0..MAX_ITEM_LINES)
                // x - x coordinate in this line
long find_binary(long ea, long flag, string str);
                // str - a string as a user enters it for Search Text in Core
                //      example:  "41 42" - find 2 bytes 41h, 42h
                // The default radix depends on the current IDP module
                // (radix for ibm pc is 16)

toggle_bnot

Toggle the bitwise not operator for the operand (for the explanations of 'ea' and 'n' please see op_bin())

success toggle_bnot(long ea, int n);

patch_byte

Change value of a program byte
If debugger was active then the debugged process memory will be patched too
     ea    - linear address
     value - new value of the byte
Returns: 1 if the database has been modified,
         0 if either the debugger is running and the process' memory
           has value 'value' at address 'ea',
           or the debugger is not running, and the IDB
           has value 'value' at address 'ea already.

success patch_byte(long ea, long value);

get_module_info

Get a description of the module that contains the given ea
returned objct has attributes:
  "name"      - the full path of the module
  "base"      - module's base address
  "size"      - module size
  "rebase_to" - address the module was rebased to
                BADADDR if module was not rebased at all

object get_module_info(long ea);

set_member_name

change structure member name
     id            - structure type ID
     member_offset - offset of the member
     name          - new name of the member
returns: !=0 - ok.

long set_member_name(long id, long member_offset, string name);

create_float

Convert the current item to a floating point (4 bytes) ea - linear address returns: 1-ok, 0-failure This is a convenience macro, see also create_data() function

#define create_float(ea) create_data(ea, FF_FLOAT, 4, BADADDR)

del_struc_member

delete structure member
     id            - structure type ID
     member_offset - offset of the member
returns: !=0 - ok.
NOTE: IDA allows 'holes' between members of a structure.
      It treats these 'holes' as unnamed arrays of bytes.

long del_struc_member(long id, long member_offset);

read_dbg_memory

Read from debugger memory
     ea - linear address
     size - size of data to read
returns: data as a string. If failed, If failed, throws an exception
Thread-safe function (may be called only from the main thread and debthread)

string read_dbg_memory(long ea, long size);

get_enum_width

get width of enum elements
     enum_id - ID of enum
returns: size of enum elements in bytes
         (0 if enum_id is bad or the width is unknown).

long get_enum_width(long enum_id);

getn_thread_name

del_struc

delete a structure type
     id - structure type ID
returns: 0 if bad structure type ID is passed
         1 otherwise the structure type is deleted. All data
           and other structure types referencing to the
           deleted structure type will be displayed as array of bytes.

success del_struc(long id);

filelength

get file length
     handle - file handle
returns: -1 - error
         otherwise file length in bytes
Thread-safe function.

long filelength(long handle);

set_manual_insn

Specify instruction representation manually.
     ea   - linear address
     insn - a string representation of the operand
IDA will not check the specified instruction, it will simply display
it instead of the original representation.

void set_manual_insn(long ea, string insn);

is_value...() functions

Check the variable type
Returns true if the variable type is the expected one
Thread-safe functions.

success value_is_string(var);
success value_is_long(var);
success value_is_float(var);
success value_is_object(var);
success value_is_func(var);
success value_is_pvoid(var);
success value_is_int64(var);

get_ip_val

get value of the IP (program counter) register for the current thread

long get_ip_val();

del_extra_cmt

Delete an extra comment line
     ea   - linear address
     n    - number of additional line (0..MAX_ITEM_LINES)
To delete anterior  line #n use (E_PREV + n)
To delete posterior line #n use (E_NEXT + n)

void del_extra_cmt(long ea, long n);

create_insn

op_offset_high16

Convert operand to a high offset High offset is the upper 16bits of an offset. This type is used by PPC, MIPS, and other RISC processors. (for the explanations of 'ea' and 'n' please see ()) target - the full value (all 32bits) of the offset

success op_offset_high16(long ea, int n, long target);

get_cmt

Get indented comment
     ea - linear address
     repeatable: 0-regular, !=0-repeatable comment

string get_cmt(long ea, long repeatable);

expand_struc

expand or shrink a structure type
     id     - structure type ID
     offset - offset in the structure
     delta  - how many bytes to add or remove
     recalc - recalculate the locations where
              the structure type is used
returns: !=0 - ok

success expand_struc(long id, long offset, long delta, long recalc);

get_idb_path

Get IDB full path
This function returns full path of the current IDB database

string get_idb_path();

set_frame_size

get_file_ext

Get the extension of file name

string get_file_ext(string filename);

has_value

readshort

read 2 bytes from file
     handle    - file handle
     mostfirst - 0 least significant byte is first (intel)
                 1 most  significant byte is first
returns: -1 - error
         otherwise: a 16-bit value
Thread-safe function.

long readshort(long handle, long mostfirst);

sanitize_file_name

Sanitize the file name.
Remove the directory path, and replace wildcards ? * and chars<' ' with underscore.

string sanitize_file_name(string filename);

get_member_flag

get type of a member id - structure type ID member_offset - member offset. The offset can be any offset in the member. For example, is a member is 4 bytes long and starts at offset 2, then 2, 3, 4, 5 denote the same structure member. returns: -1 if bad structure type ID is passed or no such member in the structure otherwise returns type of the member, see bit definitions above. If the member type is a structure then function () should be used to get the structure type id.

long get_member_flag(long id, long member_offset);

create_struct

Create a structure data item at the specified address
     ea      - linear address
     size    - structure size in bytes. -1 means that the size
               will be calculated automatically
     strname - name of a structure type
returns: 1-ok, 0-failure

success create_struct(long ea, long size, string strname);

ARM specific

Some ARM compilers in Thumb mode use BL (branch-and-link)
instead of B (branch) for long jumps, since BL has more range.
By default, IDA tries to determine if BL is a jump or a call.
You can override IDA's decision using commands in Edit/Other menu
(Force BL call/Force BL jump) or the following two functions.

//  Force BL instruction to be a jump
//       ea - address of the BL instruction
//  returns: 1-ok, 0-failed

success force_bl_jump(long ea);

//  Force BL instruction to be a call
//       ea - address of the BL instruction
//  returns: 1-ok, 0-failed

success force_bl_call(long ea);

set_enum_member_cmt

set a comment of a symbolic constant
     const_id - id of const
     cmt     - new comment for the constant
     repeatable - 0:set regular comment
                  1:set repeatable comment
returns: 1-ok, 0-failed

success set_enum_member_cmt(long const_id, string cmt, long repeatable);

rename

rename a file
     oldname - existing file name
     newname - new file name
returns: error code from the system
Thread-safe function.

long rename(string oldname, string newname);

set_ida_state

Change IDA indicator.
Returns the previous status.

long set_ida_state(long status);

#define IDA_STATUS_READY    0 // READY     IDA is idle
#define IDA_STATUS_THINKING 1 // THINKING  Analyzing but the user may press keys
#define IDA_STATUS_WAITING  2 // WAITING   Waiting for the user input
#define IDA_STATUS_WORK     3 // BUSY      IDA is busy

get_member_size

get size of a member
     id            - structure type ID
     member_offset - member offset. The offset can be
                     any offset in the member. For example,
                     is a member is 4 bytes long and starts
                     at offset 2, then 2, 3, 4, 5 denote
                     the same structure member.
returns: -1 if bad structure type ID is passed
            or no such member in the structure
         otherwise returns size of the specified member in bytes.

long get_member_size(long id, long member_offset);

msg

Display an UTF-8 encoded message in the message window
     format - printf() style format string
     ...    - additional parameters if any
This function can be used to debug IDC scripts
The result of the stringification of the arguments
will be treated as an UTF-8 string.
Thread-safe function.

void msg(string format, ...);

// Print variables in the message window
// This function print text representation of all its arguments to the output window.
// This function can be used to debug IDC scripts

void print(...);

// Display a message in a message box
//      format - printf() style format string
//      ...    - additional parameters if any
// This function can be used to debug IDC scripts
// The user will be able to hide messages if they appear twice in a row on the screen

void warning(string format, ...);

// Display a fatal message in a message box and quit IDA
//      format - printf() style format string
//      ...    - additional parameters if any

void error(string format, ...);

qbasename

Get the file name part of the given path

string qbasename(string path);

get_enum_member_enum

get id of enum by id of constant
     const_id - id of symbolic constant
returns: id of enum the constant belongs to.
                        -1 if const_id is bad.

long get_enum_member_enum(long const_id);

auto_mark_range

Plan to perform an action in the future.
This function will put your request to a special autoanalysis queue.
Later IDA will retrieve the request from the queue and process
it. There are several autoanalysis queue types. IDA will process all
queries from the first queue and then switch to the second queue, etc.

// plan/unplan range of addresses
void auto_mark_range(long start, long end, long queuetype);
void auto_unmark(long start, long end, long queuetype);

// plan to analyze an address
#define auto_mark(ea, qtype)      auto_mark_range(ea, (ea)+1, qtype)

#define AU_UNK  10      // make unknown
#define AU_CODE 20      // convert to instruction
#define AU_PROC 30      // make function
#define AU_USED 40      // reanalyze
#define AU_LIBF 60      // apply a flirt signature (the current signature!)
#define AU_FINAL 200    // coagulate unexplored items

plan_to_apply_idasgn

Load (plan to apply) a FLIRT signature file
     name - signature name without path and extension
returns: 0 if could not load the signature file, !=0 otherwise

success plan_to_apply_idasgn(string name);

set_named_type

Store a type in the til.
To replace the existing type use #NTF_REPLACE
     name    -  type name
     type    -  serialized type string
     fields  -  serialized type fields
     cmt     -  main type comment
     fldcmts -  serialized type field comments
     sclass  -  type storage class

tinfo_code_t set_named_type(
        string name,
        long ntf_flags,
        string type,
        string fields="",
        string cmt="",
        string fldcmts="",
        long sclass=0);

op_offset

Convert operand to a complex offset expression This is a more powerful version of op_plain_offset() function. It allows to explicitly specify the reference type (off8, off16, etc) and the expression target with a possible target delta. The complex expressions are represented by IDA in the following form:

        target + tdelta - base

If the target is not present, then it will be calculated using
        target = operand_value - tdelta + base
The target must be present for LOW.. and HIGH.. reference types
     ea      - linear address of the instruction/data
     n       - number of operand to convert (the same as in op_plain_offset)
     reftype - one of REF_... constants
     target  - an explicitly specified expression target. if you don't
               want to specify it, use -1. Please note that LOW... and
               HIGH... reference type require the target.
     base    - the offset base (a linear address)
     tdelta  - a displacement from the target which will be displayed
               in the expression.

success op\_offset(long ea, int n, long reftype, long target, long base, long tdelta);

#define REF_OFF8    0              // 8bit full offset
#define REF_OFF16   1              // 16bit full offset
#define REF_OFF32   2              // 32bit full offset
#define REF_LOW8    3              // low 8bits of 16bit offset
#define REF_LOW16   4              // low 16bits of 32bit offset
#define REF_HIGH8   5              // high 8bits of 16bit offset
#define REF_HIGH16  6              // high 16bits of 32bit offset
#define V695_REF_VHIGH   7         // obsolete
#define V695_REF_VLOW    8         // obsolete
#define REF_OFF64   9              // 64bit full offset
                                   // note: processor modules or plugins may register additional
                                   // custom reference types (for example, REF_HIGHA16 is
                                   // used by MIPS, SPARC, PPC, ALPHA, TRICORE, etc.)
#define REFINFO_RVA         0x10   // based reference (rva)
#define REFINFO_PASTEND     0x20   // reference past an item
                                   // it may point to an nonexistitng address
                                   // do not destroy alignment dirs
#define REFINFO_NOBASE      0x80   // offset base is a number
                                   // implies that base have be any value
                                   // nb: base xrefs are created only if base
                                   // points to the middle of a segment
#define REFINFO_SUBTRACT  0x0100   // the reference value is subtracted from
                                   // the base value instead of (as usual)
                                   // being added to it
#define REFINFO_SIGNEDOP  0x0200   // the operand value is sign-extended (only
                                   // supported for REF_OFF8/16/32/64)
#define REFINFO_NO_ZEROS  0x0400  ///< an opval of 0 will be considered invalid
#define REFINFO_NO_ONES   0x0800  ///< an opval of ~0 will be considered invalid

rename_entry

rename entry point
     ordinal - entry point number
     name    - new name
returns: !=0 - ok

success rename_entry(long ordinal, string name);

strlen

Return length of a string in bytes
     str - input string
Returns: length (0..n)
Thread-safe function.

long strlen(string str);

get_extra_cmt

Get extra comment line
     ea - linear address
     n  - number of line (0..MAX_ITEM_LINES)
          MAX_ITEM_LINES is defined in IDA.CFG
To get anterior  line #n use (E_PREV + n)
To get posterior line #n use (E_NEXT + n)
Returns number 0 if the comment line does not exit

string get_extra_cmt(long ea, long n);

get_enum_flag

get flag of enum
     enum_id - ID of enum
returns: flags of enum. These flags determine representation
         of numeric constants (binary, octal, decimal, hex)
         in the enum definition. See start of this file for
         more information about flags.
         Returns 0 if enum_id is bad.

long get_enum_flag(long enum_id);

fgetc

read one byte from file
     handle  - file handle
returns: -1 - error
         otherwise a byte read.
Thread-safe function.

long fgetc(long handle);

op_stkvar

Convert operand to a stack variable (for the explanations of 'ea' and 'n' please see ())

success op_stkvar(long ea, int n);

get_last_index

get index of the last existing array element
     tag     - tag of array (AR_LONG or AR_STR)
     id      - array id
returns: -1 - array is empty
         otherwise returns index of the last array element

long get_last_index(long tag, long id);

get_field_ea

Get address of the specified field using the type information
     ea         - address of the structure
     field_name - name of the structure field
If the database contains a structure at the specified ea and the
type information is present, this function will return the address of the
structure field.

long get_field_ea(long ea, string field_name);

For example:

  .data:00413060 errtable        dd 1   ; oscode
  .data:00413060                 dd 16h ; errnocode

        msg("address is: %x\n", _errtable.errnocode);

prints 413064. The "_errtable.errnocode" expression is essentially a shortcut for:

get_field_ea(get_name_ea_simple("_errtable"), "errnocode")

get_struc_id

get structure ID by structure name
     structure type name
returns: -1 if bad structure type name is passed
         otherwise returns structure ID.

long get_struc_id(string name);

select_thread

Select the given thread as the current debugged thread.
     tid - ID of the thread to select
The process must be suspended to select a new thread.
returns: success

success select_thread(long tid);

create_array

create array
     name - name of array. There are no restrictions
            on the name (its length should be less than
            120 characters, though)
returns: -1 - can't create array (it already exists)
         otherwise returns id of the array

long create_array(string name);

get_struc_cmt

get structure type comment
     id         - structure type ID
     repeatable - 1: get repeatable comment
                  0: get regular comment
returns: 0 if bad structure type ID is passed
         otherwise returns comment.

string get_struc_cmt(long id, long repeatable);

set_array_string

set string value of array element
     id      - array id
     idx     - index of an element
     str     - string to store in array element
returns: 1-ok, 0-failed

success set_array_string(long id, long idx, string str);

set_func_attr

set_storage_type

Set storage type
     start_ea - starting address
     end_ea   - ending address
     stt     - new storage type, one of STT_VA and STT_MM
returns: 0 - ok, otherwise internal error code

long set_storage_type(long start_ea, long end_ea, long stt);

#define STT_VA 0  // regular storage: virtual arrays, an explicit flag for each byte
#define STT_MM 1  // memory map: sparse storage. useful for huge objects

get_struc_size

get size of a structure
     id         - structure type ID
returns: 0 if bad structure type ID is passed
         otherwise returns size of structure in bytes.

long get_struc_size(long id);

demangle_name

Demangle a name
     name - name to demangle
     disable_mask - a mask that tells how to demangle the name
                    it is a good idea to get this mask using
                    get_inf_attr(INF_SHORT_DN) or get_inf_attr(INF_LONG_DN)
Returns: a demangled name
If the input name cannot be demangled, returns 0

string demangle_name(string name, long disable_mask);

get_next_fixup_ea

find next address with fixup information
     ea - current address
returns: -1 - no more fixups
         otherwise returns the next address with fixup information

long get_next_fixup_ea(long ea);

get_next_bmask

get next bitmask in the enum (bitfield)
     enum_id - id of enum
     bmask   - value of the current bitmask
returns: value of a bitmask with value higher than the specified
         value. -1 if no such bitmasks exist.
         All bitmasks are sorted by their values as unsigned longs.

long get_next_bmask(long enum_id, long value);

delattr

Del object attribute
     self  - object
     attr  - attribute name
Thread-safe function.

success delattr(object self, string attr);

gen_simple_call_chart

Generate a function call graph GDL file
     outfile - output file name. GDL extension will be used
     title   - graph title
     ea1     - beginning of the range to flow chart
     ea2     - end of the range to flow chart. if ea2 == BADADDR
               then ea1 is treated as an address within a function.
               That function will be flow charted.
     flags   - combination of CHART_GEN_GDL, CHART_WINGRAPH, CHART_NOLIBFUNCS

success gen_simple_call_chart(string outfile, string title, long flags);

patch_qword

Change value of a quad word
     ea    - linear address
     value - new value of the quad word
Returns: 1 if the database has been modified,
         0 if either the debugger is running and the process' memory
           has value 'value' at address 'ea',
           or the debugger is not running, and the IDB
           has value 'value' at address 'ea' already.

success patch_qword(long ea, long value);

get_enum_name

get name of enum
     enum_id - ID of enum
returns: name of enum or empty string

string get_enum_name(long enum_id);

loader_input_t.getc

Read one byte from the input file
Returns -1 if no more bytes

long loader_input_t.getc();

get_debugger_event_cond

Return the debugger event condition

returns: event condition

string get_debugger_event_cond();

read_dbg_qword

Get value of program quadro word (8 bytes) using the debugger memory
     ea - linear address
returns: the value of the quadro word. If failed, throws an exception
Thread-safe function (may be called only from the main thread and debthread)

long read_dbg_qword(long ea);

define_local_var

generate_disasm_line

Get disassembly line
     ea - linear address of instruction
     flags - combination of the GENDSM_ flags, or 0
returns: "" - could not decode instruction at the specified location
note: this function may return not exactly the same mnemonics
as you see on the screen.

string generate_disasm_line(long ea, long flags);  // get disassembly line

// flags for generate_disasm_line
#define GENDSM_FORCE_CODE 1     // generate a disassembly line as if
                                // there is an instruction at 'ea'
#define GENDSM_MULTI_LINE 2     // if the instruction consists of several lines,
                                // produce all of them(useful for parallel instructions)

add_idc_hotkey

Add hotkey for IDC function
     hotkey  - hotkey name ('a', "Alt-A", etc)
     idcfunc - IDC function name
returns:
#define IDCHK_OK        0       // ok
#define IDCHK_ARG       -1      // bad argument(s)
#define IDCHK_KEY       -2      // bad hotkey name
#define IDCHK_MAX       -3      // too many IDC hotkeys

long add_idc_hotkey(string hotkey, string idcfunc);

tolower

Convert string to lowercase
     str    - input string
returns: lowercase string
Thread-safe function.

string tolower(string str);

del_selector

delete a selector
        arguments:      sel - the selector number to delete
        returns:        nothing
        note:           if the selector is found, it will
                        be deleted

void del_selector(long sel);

set_debugger_event_cond

Set a new debugger event condition

string set_debugger_event_cond(string condition);

get_imagebase

Get base address of the input file

long get_imagebase();

gen_file

Generate an output file
     type  - type of output file. One of OFILE_... symbols. See below.
     fp    - the output file handle
     ea1   - start address. For some file types this argument is ignored
     ea2   - end address. For some file types this argument is ignored
     flags - bit combination of GENFLG_...
returns: number of the generated lines.
         -1 if an error occurred
         OFILE_EXE: 0-can't generate exe file, 1-ok

int gen_file(long type, long file_handle, long ea1, long ea2, long flags);

// output file types:

#define OFILE_MAP  0
#define OFILE_EXE  1
#define OFILE_IDC  2
#define OFILE_LST  3
#define OFILE_ASM  4
#define OFILE_DIF  5

// output control flags:

#define GENFLG_MAPSEGS 0x0001          // map: generate map of segments
#define GENFLG_MAPNAME 0x0002          // map: include dummy names
#define GENFLG_MAPDMNG 0x0004          // map: demangle names
#define GENFLG_MAPLOC  0x0008          // map: include local names
#define GENFLG_IDCTYPE 0x0008          // idc: gen only information about types
#define GENFLG_ASMTYPE 0x0010          // asm&lst: gen information about types too
#define GENFLG_GENHTML 0x0020          // asm&lst: generate html (gui version only)
#define GENFLG_ASMINC  0x0040          // asm&lst: gen information only about types
#define GENFLG_TIPLACE 0x0080          // asm&lst: dump tiplace (c syntax)
#define GENFLG_TIPLACE_ASM 0x0100      // asm&lst: dump tiplace (asm syntax)

get_entry

retrieve entry point address
     ordinal - entry point number
               it is returned by get_entry_ordinal()
returns: -1 if entry point doesn't exist
         otherwise entry point address.
         If entry point address is equal to its ordinal
         number, then the entry point has no ordinal.

long get_entry(long ordinal);