Action    name: Execute
 

You can execute any script file supported by the built-in scripting engine (IDC or Python), or a scripting language added by a plugin. The scripting language to use is selected by the file name extension of the script.

See also Immediate execution of script commands, Load... submenu commands.

 Action    name: ExecuteLine
 

You can enter and execute a small script written in the built-in IDC language or any other registered extlang.

Here is the list of built-in functions.

See also:

• IDC language overview

• Execute script file command

• File... submenu commands

• How to use notepad.

In this submenu you can:

This submenu allows you to produce various output files. It also allows you to unload the database.

The text file-producing operations below will make use of

Create MAP File

Please enter a file name for the map. IDA will write the following information about this file:

You can use this map file for your information, and also for debugging (for example, Periscope from Periscope Company or Borland's Turbo Debugger can read this file).

Create ASM File

Please enter a file name for the assembler text file. IDA will write the disassembled text to this file.

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

Create INC File

Please enter a file name for the assembler include file. IDA will write the information about the defined types (structures and enums) to this file.

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

Create LST File

Enter a file name for the assembler listing file. IDA will write the disassembled text to this file.

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

Create Executable File

IDA produces executable files only for:

EXE files: Output files will have the same EXE-header and relocation table as the input file. IDA will fill unused ranges of the EXE file (e.g. between relocation table and loadable pages) with zeroes.

Create Difference File

This command will prompt you for a filename and then will create a plain text difference file of the following format:

Create HTML File

Please enter a file name for the HTML file. IDA will write the disassembled text to this file.

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

This command is available only in the graphical version of IDA.

Produce flow chart GDL file

This command creates a GDL (graph description file) with the flow chart of the current function.

If there is an active selection, its flow chart will be generated.

IDA will ask for the output file name. Regardless of the specified extension, the .GDL extension will be used.

Produce call graph GDL file

This command creates a GDL (graph description file) with the graph of the function calls.

IDA will ask for the output file name. Regardless of the specified extension, the .GDL extension will be used.

Dump database to IDC file

This command saves current IDA database into a text file.

You can use it as a safety command:

This command is used when you want to switch to a new version of IDA. Usually each new version of IDA has its own database format. To create a new format database, you need:

Please note that this command does not save everything to text file. Any information about the local variables will be lost!

Create C header file

This command saves all definitions in the local types window into a C header file.

Dump typeinfo to IDC file

This command saves information about the user-defined types from the IDA database into a text file.

Information about enums, structure types and other user-defined types is saved in a text form as an IDC program.

You can use this command to migrate the type definitions from one database to another.

All IDA commands are available from the followings menus:

• File

• Edit

• Jump

• Search

• View

• Debugger

• Lumina

• Options

• Windows

Abort IDA

 Action    name: Abort
 

This command terminates the current IDA session. The Abort command is not available if the database was not packed.

IDA will NOT save changes to the disk.

See also other File... submenu commands. Quit command.

This submenu allows you to load additional files into the database.

• Reload input file

• Script file

• Binary file

• IDS file

• Debug information file

• PDB debug information file

• TDS debug information file

• FLIRT signature file

• C header file

Reload the input file

Action    name: ReloadFile

This command reloads the same input file into the database. IDA tries to retain as much information as possible in the database. All the names, comments, segmentation information and similar will be retained.

Only the values of individual bytes will be changed.

This command works for some input file types only: if the file was loaded into the database with special settings, this command may fail. In this case, use Dump database to IDC file command and reload the file manually.

See also Load... submenu commands.

Load additional file

 Action    name: LoadFile
 

This command loads a binary file. The new file is added to the current database and all existing information is retained.

The file content will appear as unexplored bytes in the program.

This command only allows you to load binary files.

See also Load... submenu commands.

Load IDS file

 Action    name: LoadIdsFile
 

This command loads an IDS file.

An IDS file contains information about well-known functions (such as functions from MS Windows API), namely:

        - their names
        - their ordinal number in the DLL
        - an eventual informative comment
        - the number of parameters passed on the stack
        - the number of parameters purged when returning

IDS files are automatically loaded if they are found in the IDS directory. This command allows you to load an IDS file from any directory, even after the main file has been loaded into the database.

See also Load... submenu commands.

Load debug information file

 Action    name: LoadDbgFile
 

This command loads a DBG file.

If the program being disassembled has a companion DBG file, then this command may be used to load information from a DBG file into the database. IDA loads DBG files automatically if it can find them in the directory with the input file.

The built-in debug information loader cannot load NB10 format files and PDB files. To load those files, please use a special plugin, PDB.DLL, which can be run manually using Edit->Plugins submenu. This plugin uses MS Windows DLLs to load the debug information and therefore has the following limitations:

        - it works only under MS Windows
        - it will load only PDBs compatible with the currently
          installed IMAGEHLP.DLL

See also Load... submenu commands.

Load PDB debug information file

 Action    name: LoadPdbFile
 

This command loads a PDB file.

If the program being disassembled has a companion PDB file, then this command may be used to load information from the PDB file into the database.

By default IDA uses in-house code to parse and load PDB files. However, our code can not parse old v2.0 PDB files. For them, IDA can fall back to using Microsoft DLLs (the default is "do not fall back"). Please read more in cfg/pdb.cfg.

Command line switch '-Opdb:option1:option2' overrides for ida session the value in cfg/pdb.cfg.

List of options

  off    : disable PDB
  pdbida : uses Hex-rays in-house code to parse and load PDB files.
  msdia  : uses Microsoft DLLs to parse and load PDB files.
           only available on Windows, for Linux/Macos you need to configure
           win32_remote.exe or win64_remote64.exe server in cfg/pdb.cfg
  fallback   : fallback from pdbida to msdia for the old 2.0 format
  nofallback : no fallback to msdia

Example

  -Opdb:off

Ida will not load PDB plugin for this session.

Load TDS debug information file

 Action    name: LoadTdsFile
 

This command loads a TDS file.

If the program being disassembled has a companion TDS file, this command may be used to load information from the TDS file into the database.

The TDS file must be placed in the same directory together with the input file.

The LoadTdsFile command launches a special plugin TDS.DLL which can be run manually using Edit->Plugins submenu.

See also Load... submenu commands.

Load FLIRT signature file

 Action    name: LoadSigFile
 

This command allows you to apply an additional signature file to the program.

A signature file contains patterns of standard runtime functions. With their help, IDA is able to recognize the standard functions and names them accordingly.

IDA attempts to detect the necessary signature files automatically but unfortunately, this is not always possible. This command adds the specified signature file into the planned signature files queue.

Signature files reside in the subdirectories of the SIG directory. Each processor has its own subdirectory. The name of the subdirectory is equivalent to the name of the processor module file (z80 for z80.w32, for example). Note: IBM PC signatures are located in the SIG directory itself. Note: the IDASGN environment variable can be used to specify the location of the signatures directory.

There is another way to load a signature file: you may insert/delete signature files in the following way:

        - open the signatures window
        - press Ins to insert a signature file to the queue
        - press Del to delete a signature file from the queue

This is a preferred way of applying signatures because useful information, such as the number of identified functions is displayed in the signature window.

See also Load... submenu commands.

Load C header

 Action    name: LoadHeaderFile
 

This command allows you to apply type declarations from a C header file to the program.

IDA reads and parses the specified header file as a C compiler does. In other words, it mimics the front-end of a C compiler with some restrictions:

        - only type declarations are allowed. The function definitions
          in the input file are skipped
        - not all C++ header files are not supported, only simple classes can
          be parsed
        - the compiler specific predefined macros are not defined,
          you have to define them manually in the header file

Don't forget to specify the compiler and memory model in the compiler setup dialog box before loading a header file.

All type declarations found in the input file are stored in the current database in the form of a type library. These type declarations can be used to define new structure and enumeration definitions by pressing "Add standard structure" or "Add standard enum" buttons in the Add enum type... and Add struct type... dialog boxes.

In the case of an error in the input file, the error messages appear in the message window. In any case, the function declarations that are already parsed are not deleted from the database. IDA stops parsing the input file when 20 errors occur.

IDA 7.7 introduced an alternative header file parser based on libclang.

See also

• Load... submenu commands.

• Local types window

• IDAClang plugin

IDAClang plugin

The IDAClang plugin is shipped with IDA, and it provides the ability to parse header files that contain arbitrarily complex C/C++/Objective-C source code using the Load C header action.

To enable the IDAClang parser, go to Options>Compiler>Source parser, and select "clang". Then use 'File>Load file>Parse C header file' to invoke the parser on a given source file.

Since IDAClang is based on the third-party libclang parser, it can only parse standalone source files that contain valid C/C++/Objective-C syntax.

See also Load C header command.

See also other File... submenu commands.

By using this command, you can temporarily quit to the operating system.

This command is not available in the MS DOS version.

The database is left open when you use this command, so be careful.

This command saves and packs the current database.

 Action    name: Redo
 

This command reverts the previously issued Undo command. It is possible to use Redo multiple times.

This command also reverts all changes that were done to the database after the last Undo command, including the eventual useful modifications made by the autoanalysis. In other words, the entire database is modified to get to the exact state that it had before executing the last Undo command.

See also

• Undo

• Reset Undo

• Disable Undo

• Open undo history

 Action    name: MakeUnknown
 

This command deletes the current instruction or data, converting it to 'unexplored' bytes. IDA will delete the subsequent instructions if there are no more references to them (functions are never deleted).

If you have selected a range using the anchor, all the bytes in this range will be converted into 'unexplored' bytes. In this case, IDA will not delete any other instructions even if there are no references to them after the deletion.

See also Edit submenu

To delete a name, simply give an empty name.

Local name

Include in name list

Public name

Autogenerated name

Weak name

Create name anyway

• Convert operand to offset (data segment)

• Convert operand to offset (code segment)

• Convert operand to offset (any segment)

• Convert operand to offset (user-defined base)

• Convert operand to struct offset

Convert operand to offset (data segment)

 Action    name: OpOffset
 

This command converts the immediate operand of the current instruction/data to an offset from the current data segment (DS).

If current DS value is unknown (or equal 0xFFFF) IDA will warn you -- it will beep. In this case, you have to define DS register value for the current byte. The best way to do it is:

• jump to segment register change point

• change value of DS

• return or you can change default value of DS for the current segment.

If you want to delete offset definition, you can use this command again - it works as trigger.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

If a range is selected using the anchor, IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified.

To create offsets to structure members use Convert to struct offset command.

See also:

• Enter the operand manually command.

• Set operand type

Convert operand to offset (code segment)

 Action    name: OpOffsetCs
 

This command converts the immediate operand of the current instruction/data to an offset from the current segment (CS).

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

If a range is selected using the anchor, IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise, it will be left unmodified.

If this command is applied to a structure member in the local types window, then IDA will create an "automatic offset". An automatic offset is an offset with the base equal to 0xFFFFFFFF. This base value means that the actual value of the base will be calculated by IDA when a structure instance is created.

To create offsets to structure members, use Convert to struct offset command.

See also:

• Enter #th operand manually commands.

• Set operand type

Convert operand to offset (any segment)

 Action    name: OpAnyOffset
 

This command converts the immediate operand of the current instruction/data to an offset from any segment.

IDA will ask to choose a base segment for the offset.

If a range is selected using the anchor, IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

To create offsets to structure members use Convert to struct offset command.

See also:

• Enter #th operand manually commands.

• Set operand type

Convert operand to offset (user-defined base)

Action    name: OpUserOffset

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

If the offset base is specified as 0xFFFFFFFF, then IDA will create "an automatic offset". Automatic offsets mean that the actual value of the base will be calculated by IDA.

The following offset attributes are available:

  Treat the base address as a plain number

        if checked, IDA will treat the base address as a number.
        In this case, IDA will not create a cross-reference to it
        and the base address will be printed as a number,
        not as an offset expression.

  Offset points past the main object

        Offsets of this type point past an object end.
        They do not cause an object created/deletion.

  Use image base as offset base

        These offsets are based on the image base.
        There is no need to explicitly specify the offset base.
        These offsets are displayed in a concise form:
          rva func
        instead of
          offset func - imagebase
        If you intend to reassemble the output file, execute the
        following IDC statement:
        set_inf_attr(INF_GENFLAGS, get_inf_attr(INF_GENFLAGS) & ~INFFL_ALLASM);

  Subtract operand value

        Use this option when the operand value should be substracted
        from the base to get the target address. In this case the displayed
        expression will be displayed as
          offset base - target
        instead of the usual
          offset target - base

  Signed operand

        Use this option if the operand should be interpreted
        as a signed value. This option is only available for OFF_REF8,
        OFF_REF16, OFF_REF32 and OFF_REF64 offset types.

  Operand value of 0 is invalid

        If the operand value is 0, the value will be highlighted in red.

  Operand value of NOT 0 is invalid

        If the operand value is zero's complement (i.e. all bits are set),
        the value will be highlighted in red.
        For example a OFF_REF16 with an operand value of 0xFFFF would be invalid.

  Use the current address as the offset base

The offset base is dynamically calculated and is equal to the address of the current element:

• for standalone items: their start address

• for arrays: the start of the array element

• for structures: the start of the structure field The offset expression is displayed in the following concise form: offset target - $ where "$" denotes the start of the element (and is assembler-dependent). To create offsets to structure members use Convert to struct offset command.

See also:

• Enter #th operand manually commands.

• Set operand type

Convert operand to structure offset

 Action    name: OpStructOffset
 

 GUI version:
 ------------

This command permits to convert all immediate operands of instructions in a range selection to a path of offsets through a structure and its possible sub unions. If no selection is active, IDA will simply permit to convert the current operand. In this case, it will display a simple dialog box the same way as the text version (see below).

You can select the desired register in the drop-down list: all operands relative to this register will be added to the 'Offsets' list. A special empty line in the drop-down list is used to directly work on immediate values. Checkboxes in the 'Offsets' list allow you to select which operand you indeed want to modify. By default, IDA will select only undefined operands, to avoid overwriting previous type definitions. This list is sorted by operand value, by instruction address and finally by operand number. You can easily see the instructions related to the operand by moving the mouse over it, and wait for a hint to be displayed.

The 'Structures and Unions' tree will contain all selectable structures, and sub unions. Once you select or move over a structure, the 'Offsets' list updates itself for each checked offset: the computed name of the operand is displayed, according to the selected structure in the tree. An icon is also drawn, to easily know if a specific structure matchs the offset or not, or if the offset is too big for the selected structure. The structures who match the most offsets will be near the top of the tree. You can also move your mouse over structures in the tree to obtain an interesting hint.

A '?' icon can also appear, if the offset can be specialized by selecting an union member. In this case, if you expand the structure in the tree, you can select the adequate union member simply by checking the desired radio button. IDA automatically corrects the related name in the 'Offsets' list.

The 'Offset delta' value represents the difference between the structure start and the pointer value. For example, if you have an operand 4 and want to convert in into an expression like "mystruct.field_6-2", then you have to enter 2 as the delta. Usually the delta is zero, i.e. the pointer points to the start of the structure.

The 'Hide sub structures without sub unions' option (checked by default) avoids to add unnecessary sub structures to the tree, to keep it as small as possible. If you uncheck this option, all sub structures will be added to the tree.

By default, IDA displays the structure member at offset 0. To change this behaviour, you can directly disable the 'Force zero offset field' in the 'Options' frame. Later zero offsets can be forced using Edit, Structs, Force zero offset menu item.

 Text version:
 -------------

This command converts immediate operand(s) type of the current instruction/data to an offset within the specified structure. Before using this command, you have to define a structure type.

First of all, IDA will ask a so-called "struct offset delta". This value represents the difference between the structure start and the pointer value. For example, if you have an operand 4 and want to convert in into an expression like "mystruct.field_6-2", then you have to enter 2 as the delta. Usually the delta is zero, i.e. the pointer points to the start of the structure.

If a range is selected using the anchor, IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the an operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified.

When you use this command, IDA deletes the manually entered operand.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

By default IDA doesn't display the structure member at offset 0. To change this behaviour, use Force zero field offset command.

Moreover, if there are several possible representations (this can happen if unions are used), select the desired representation using the Select union member... command.

See also:

• Enter #th operand manually command.

• Set operand type

Related topics: Edit|Operand types submenu.

 Action    name: MakeArray
 

This command allows you to create arrays and change their sizes.

The arrays are created in 2 simple steps:

1. Create the first element of array using the data definition commands (data, string, structs)

2. Apply the array command to the created data item. Enter array size in current array elements (not bytes). The suggested array size is the minimum of the following values:

   Copy

        - the address of the next item with a cross reference
        - the address of the next user-defined name

For string literals, you can use this command to change the length of the string.

The dialog box contains the following fields:

Items on a line (meaningless for string literals):

        0               place maximal number of items on a line
        other value     number of items on a line

Please note that the margin parameter affects the number of items on a line too.

Alignment (meaningless for string literals):

        -1              do not align items
        0               align automatically
        other value     width of each item

 Signed elements:       if checked, IDA treats all elements as signed numbers.
                        only meaningful for numbers (not for offsets and
                        segments and strings)

 Display indexes:       if checked, IDA will display the indexes of array
                        elements in the form of comments (0,1,2...)

 Create as array:       if not checked, IDA will create a separate item for
                        each array element. Useful for creating huge arrays.
                        If the box is unchecked when this command is
                        applied to string literals, IDA will create many
                        string literals instead of one big string.

If applied to a variable-sized structure, this command is used to specify the overall size of the structure. You cannot create arrays of variable-sized structures.

See also:

• Edit submenu

• How to Enter a Number.

 Action    name: OpSegment
 

This command converts the immediate operand(s) type of the current instruction/data to segment base. The segment bases are usually displayed like this:

        mov     ax, seg dseg

When you use this command, IDA deletes the manually entered operand.

If IDA cannot find a segment whose base is equal to the operand value, it simply displays it as hex number.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

See also Edit|Operand types submenu.

 Action    name: OpChar
 

This command converts immediate operand(s) type of the current instruction/data to character.

When you use this command, IDA deletes the manually entered operand.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

See also Edit|Operand types submenu.

If you have selected a range before applying an operand conversion command, IDA will display a dialog box.

You can choose a range of operands to perform an en masse operation:

 ALL OPERANDS
 -----------

The operation will be performed on all operands as a toggle. For example, if you ask to convert to a character, then all non-character operands will become characters, and all character operands will become non-chars.

 OPERAND VALUE RANGE
 -------------------

The operation will be performed on the void operands which contain immediate numbers in the specified range.

 ... OPERANDS
 ------------

This selection will convert all operands with the specified type to undefined operands. Example: all characters become non-characters.

 NOT ... OPERANDS
 ---------------

This selection allows to convert all operands that do not have the specified type to the specified type. Example: all non-characters to characters.

 NOT TYPED OPERANDS
 -----------------

This selection allows to convert all operands without any type to the specified type. Example: all operands with no type to characters.

 APPLY ONLY IF POSSIBLE
 ---------------------

IDA will check whether an operand can be represented with the specified type (as a character constant, for example), and perform type conversion only if the check is successful.

 Action    name: ManualOperand
 

You may specify any string instead of an operand if IDA does not represent the operand in the desired form. In this case, IDA will simply display the specified string in the instruction instead of the default operand.

The current operand (under the cursor) will be affected.

You can use this command not only with instructions but with data items too.

IDA proposes the previous manual operand as the default value in the input form.

To delete the manual operand and revert back to the default text, specify an empty string.

IDA automatically deletes manually entered operands when you change operand representation using operand types submenu.

NOTE: A text offset reference is generated if you use a label in the program as the operand string. In other cases no cross-references are generated.

See also Edit|Operand types submenu.

 Action    name: ChangeSign
 

This command changes the sign of the current operand. Please note that not all operands can change their sign.

See also: Edit|Operand types submenu. Enter #th operand manually commands. Set operand type

 Action    name: SetOpType
 

This command allows you to specify the type of the operand under the cursor.

The operand type must be entered as a C declaration. Currently IDA itself does not use the operand type information. However, it can be used by the Hex-Rays decompiler plugin. Setting operand type is most useful in case of indirect calls: the decompiler will use the type information to determine the input parameters to the call instead of guessing, which can make the decompiled code better.

An example of a type declaration:

        int (*func)(int param1, char param2);

To delete a type declaration, enter an empty string.

For details on possible calling conventions, see Set function/item type... menu item description.

See also Set function/item type...

 Action    name: OpEnum
 

This command converts immediate operand(s) type of the current instruction/data to an enum member. Before using this command, you have to define an enumeration type.

If the selected enum is a bitfield, IDA will try to build a bitfield expression to represent the constant. Please note that for bitfields having multiple constants with the same value some expressions won't be possible.

If a range is selected using the anchor, IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to symbolic constants. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified.

When you use this command, IDA deletes the manually entered operand.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise all other operands will be affected.

See also: Edit|Operand types submenu. Enter #th operand manually commands. Set operand type

This command terminates the current IDA session. IDA will write all changes to the disk and will close all databases.

You can also perform garbage collection on the database before packing it. The garbage collection removes the unused database pages, making it smaller. However, IDA needs some free database pages when it works,therefore it will allocate them again when you reuse the database. Removing and adding free pages takes time and, what is most important, it changes the database control blocks.

Use garbage collection only when you do not intend to work with the database in the near future.

 Action    name: SaveBaseSnap
 

This command takes a database snapshot. The snapshot can be later restored from the database snapshot manager.

Note: snapshots work only with regular databases. Unpacked databases do not support them.

See also View database snapshot manager commands.

• Create alignment directive...

• Manual instruction...

• Color instruction...

• Hide/show border

See also Edit submenu.

Create alignment directive

Action    name: MakeAlignment
 

This command allows you to create an alignment directive. The alignment directive will replace a number of useless bytes inserted by the linker to align code and data to paragraph boundary or any other address which is equal to a power of two.

You can select a range to be converted to an alignment directive. If you have selected a range, IDA will try to determine a correct alignment automatically.

There are at least two requirements for this command to work:

• there must be enough unexplored bytes at the current address.

• an alignment directive must always end at an address which is divisible by a power or two.

See also

• How to Enter an Address.

Specify instruction representation manually

Action    name: ManualInstruction
 

This command allows you to specify the representation of an instruction or data in the program.

Use it if IDA cannot represent the current instruction as desired. If the instruction itself is ok and only one operand is misrepresented, then use Enter operand manually command.

To delete the manual representation, specify an empty string.

Specify instruction color

Action    name: ColorInstruction
 

This command allows you to specify the background color for the current instruction or data item.

Only GUI version supports different background colors. Specifying a non-defined custom color will reset the instruction color.

Hide/unhide a border

Action    name: ToggleBorder
 

This command allows you to hide a thin border which is like the one generated automatically by IDA between instructions and data. If the border was already hidden, then it is displayed again.

Note that you can hide all borders at once in the Comments Dialog.

This submenu allows you to manipulate segments of the program:

See also:

Create a new segment

This command allows you to create a new segment.

You need to specify at least:

If another segment already exists at the specified address, the existing segment is truncated and the new segment lasts from the specified start address to the next segment (or specified end address, whichever is lower). If the old and the new segments have the same base address, instructions/data will not be discarded by IDA. Otherwise, IDA will discard all instructions/data of the new segment.

An additional segment may be created by IDA to cover the range after the end of the new segment.

IDA address space concepts

nternally, IDA has 32-bit linear address space (IDA64 uses 64-bit address space). The internal addresses are called "linear addresses". The input program is loaded into this linear address space.

Please note that usually the linear addresses are not used in the program directly. During disassembling, we use so-called "virtual addresses", which are calculated by the following formula:

We see that the SegmentBase determines what addresses will be displayed on the screen. More than that, IDA allows to create several segments with the same virtual address in them. For this, you just need to create segments with correct segment base values.

There are some address restrictions in IDA.

There is a range of addresses that are used for internal housekeeping. This range can be specified by the configuration variable PRIVRANGE (start address and size). It is not recommended to use these addresses for other purposes.

There is also one address which must never be used in the disassembly. It is the 'all ones' address, or -1. Internally, it is used as a BADADDR (bad address). No address or address range can include BADADDR.

Related topics:

Create segment - simple case (PC)

IBM PC case -----------

Suppose we need to create a segment occupying addresses F000:1000..F000:2000 Let's calculate linear addresses:

The segment base must be selected so that the first offset in our segment will be 0x1000. Let's find it using the following equation:

After solving this equation, we see that the segment base is equal to 0xF000. (you see, this is really a very simple case :) )

Now, we can create a segment entering:

Please note that the end address never belongs to the segment in IDA.

Create segment - simple case (Z80)

Suppose we need to create a segment occupying virtual addresses 8000-C000. Since we are free to place our segment anywhere in the linear address space, we choose the linear addresses at our convenience. Let's say we choose a linear address 0x20000:

The segment base must be selected so that the virtual address in our segment will be 0x8000. Let's find it using the following equation:

After solving this equation, we see that the segment base is equal to 0x1800.

Now we can create a segment entering:

Please note that the end address never belongs to the segment in IDA.

Create segment - automatically chosen selector case

Suppose we need to create a segment occupying linear addresses 200000-200C00 and the virtual addresses must have be 0000..0C00. If we simply enter

Then IDA will notice that the segment base is too big and does not fit into 16bits. Because of this IDA will find a free selector (let's say it has found selector number 5), define it to point at paragraph 0x20000 and create a segment. After all this we will have:

The first virtual address in the segment will be 0:

Please note that the end address never belongs to the segment in IDA.

Create segment - user-defined selector case

2. Create a segment. Specify the selector number as the segment base.

Delete a segment

This command allows you to delete a segment.

IDA will ask your the permission to disable the addresses occupied by the segment. If you allow this operation, all information about the segment will be deleted. In other words, IDA will discard the information about instructions or data, comments etc.

If you check the "disable addresses" checkbox, IDA will mark the addresses occupied by the segment as "nonexistent" in the program. You will lose *ALL* information, including byte values.

It is impossible to disassemble the content of addresses not located in any segment, therefore you must create a new segment if you want to resume the disassembly of that part of the code.

IDA will ask your the permission to disable addresses occupied by the segment. If you give your permission, information about the segment will be deleted, otherwise IDA will discard information about instruction/data, comments etc, but retain byte values so that you will be able to create another segment afterwards.

Change segment attributes

Changing the segment class may change the segment type.

DISABLE ADDRESSES: if set, when a segment is shrunk, all information about bytes going out of the segment will be completely removed.. Otherwise, IDA will discard information about instructions/data, comments etc, but will retain byte values so that another segment can be created later and it will use the existing byte values.

If IDA creates 2 segments where only one segment must exist, you may try the following sequence:

Segments with the 'debugger' attribute are the segments whose memory contents are not saved in the database. Usually, these segments are created by the debugger to reflect the current memory state of the program.

However, the user can modify this attribute.

If it is cleared, then the segment will permanently stay in the database after closing the debugger session. The database will reflect the state of the segment which was at the time when the status is changed.

If it is set, then the segment will become a temporary segment and will be deleted at the end of the debugging session.

The "debugger segment" checbkox is available only during debugging sessions.

The 'loader' segments are the segment created by the file loader. The segment having this attribute are considered to be part of the input file.

A segment with the 'debugger' attribute set and the 'loader' attribute not set is considered to be an ephemeral segment. Such segments are not analyzed automatically by IDA.

"Segment permissions" group box can be used to modify Segment access permissions (Read/Write/Execute)

Change Segment Name

Enter a new name for the segment. A segment name is up to 8 characters long. IDA does check if the length is ok. Try to give mnemonic names for the segments.

Segment Class Name

The segment class name identifies the segment with a class name (such as CODE, FAR_DATA, or STACK). The linker places segments with the same class name into a contiguous range of memory in the runtime memory map.

Changing the segment class changes only the segment definition on the screen. There are the following predefined segment class names:

If you change segment class and the segment type is "Regular", then the segment type will be changed accordingly.

In order to set the segment type "Regular", you should change the segment class to "UNK".

Change Segment Addressing

You can choose between 16-bit and 32-bit segment addressing.

IDA will delete all instructions and data in the segment if the segment address is changed.

Never do it if you are not sure. It may have irreversible consequences, all instructions/data will be converted to undefined bytes.

Change Segment Alignment

Alignment: select between abs,byte,word,dword,para,page

You can specify the segment alignment for the selected segment. By default, IDA assumes 'byte' alignment.

Changing the alignment changes only the segment definition on the screen. Nothing else will happen.

Change Segment Combination

Combination

A field that describes how the linker can combine the segment with other segments. Under MS-DOS, segments with the same name and class can be combined in two ways: they can be concatenated to form one logical segment, or they can be overlapped. In the latter case, they have either the same start address or the same end address, and they describe a common range in memory. Values for the field are:

Changing segment combination changes only the segment definition on the screen. Nothing else will happen.

Move a segment

This command allows you to move segment(s) to another address. Use it if the segment(s) are loaded at a wrong address.

This command shifts (moves) the selected segments in the memory to the target address. There must be enough free space at the target address for the segments.

All information in the segment will be moved to the new address, but since the addresses change, the disassembly might be not valid anymore (especially if the program is moved to the wrong addresses and the relocation information is not available).

Rebase program

The whole program will be shifted by the specified amount of bytes in the memory. The following options are available (we strongly recommend to leave them turned on):

Please note rebasing the program might remove user-defined xrefs.

Change segment translation

in the segment C obviously refers to the segment B while the instruction

refers to the segment A.

However, IDA does not try to link these references unless you tell it to do so: include the segments A and B into a translation list of the segment C. It means that you have to create a translation list

for the segment C.

Below is a more complicated example:

translations

allow you to emulate overlays (the first set is A B D, the second A C E)

See also

Set Default Segment Register Value

Relevant only for processors with the segment registers.

You can specify a default value of a segment register for the current segment. When you change the default value, IDA will reanalyze the segment, taking the default value when it cannot determine the actual value of the register. This takes time, so do not be surprised if references are not corrected immediately.

Change Segment Register Value

Relevant only for processors with the segment registers. Currently this command works for IBM PC, TMS320C2, Intel80196, and PowerPC processors.

ALPHA DISASSEMBLY

For Alpha processors, the user must enter the difference between the real GP value and the start of the GOT (global offset table). For example:

If you want to specify that a register points to "label", you must calculate and enter the difference "label-.got" as the register value.

ARM DISASSEMBLY

The ARM processor module has a virtual segment register T which reflects the state of the T bit of the processor state register (PSR). Therefore, the value of this register controls THUMB/ARM mode. If its value is not zero, then the disassembly will be in the thumb mode.

POWER PC DISASSEMBLY

For PowerPC processors, the user must enter an offset from the beginning of the TOC to the TOC entry which contains the address of the target. An example:

If you want to specify that a register points to "datachunk", you must calculate and enter the difference "sometc-TOC" as the register value. You can change the TOC value in the processor specific options (which is accessible from the analysis options).

INTEL 80196 DISASSEMBLY

For Intel 80196NP/NU processors, the user must enter the value of WSR or WSR1 register. IDA will automatically take the new value into account.

See also:

Segment Register Change Points

IDA classifies the change points. In the list of the change points, you can see the following postfixes after the register values:

Choose segment

IDA can display a list of the program segments. Each segment is represented by a line in the list. Please note that the end address of the segment never belongs to the segment in IDA.

The following segment attributes are visible:

The rest of the columns display the default values of the segment registers for the segment.

By default, the cursor is located on the current segment.

You can use normal cursor movement keys and the mouse. You can also search for the segment by pressing Alt-T, or directly jump to the desired line by typing in its number.

Press <Enter> to select line, <Esc> to cancel the selection.

This submenu allows you to patch the image of the input file. More precisely, IDA never modifies the input file. The image of the input file which was loaded to the database will be modified.

You can modify the image of the input file:

IDA will display the original value, the current value and file offset. If the file offset is equal to 0xFFFFFFFF then the current byte comes from a compressed page (LX/LE/NE iterated pages, for example) and/or it is not possible to tell the file position.

The following commands are available:

See also:

Patching the Image

If this command is invoked when the debugger is active, then IDA will modify the memory and the database. If the database does not contain the patched bytes, then only the process memory will be modified.

Apply patches to input file

Apply previously patched bytes back to the input file. If the "Restore" option is selected then the original bytes will be applied to the input file.

Binary string format

The sequence must be separated by a space or a comma.

An entered number will occupy the minimal number of bytes it fits in with the restriction that the number of bytes is a power of 2 (1, 2, or 4 bytes).

Two question marks without a space between them are the same as one question mark. One question mark corresponds to one CPU byte. One CPU byte may consist of multiple octets for a wide-byte CPU, like TMS320C28.

Example:

Assemble an instruction

This command allows you to assemble instructions. Currently, only the IBM PC processors provide an assembler, nonetheless, plugin writers can extend or totally replace the built-in assembler by writing their own.

The assembler requires to enclose all memory references into square brackets. For example:

Also, the keyword 'offset' must not be used. Instead of

you must write

This submenu allows you to manipulate the structures in specific operations. The following commands are accessible from the disassembly window.

Use regular commands to specify struct and union members, their types, comments, etc.

A union is a special kind of structure. Use structure definition commands to manipulate unions.

Declare a structure variable

This command declares a variable of the specified structure type.

You can also use this command to declare a structure field in another structure (i.e. nested structures are supported too).

Force zero field offset

This command forces IDA to display a full structure member name even if the offset of the member is equal to zero.

If used twice, the command cancels itself.

Example: Suppose we have the following structure:

Select union member

This command tells IDA how to display references to a union from the current cursor location.

Example: Suppose we have the following union:

Create a new structure from current data

This command defines a new structure from data already defined. The new structure is created with adequate data types, and each member uses the current data name if it is available.

This command is available only in the graphical version of IDA.

Copy field info to pointers

This command scans the current struct variable and renames the locations pointed by offset expressions unless they already have a non-dummy name.

It also copies the type info from the struct members to pointed locations.

 Action    name: MakeCode
 

This command converts the current unexplored bytes to instruction(s). IDA will warn you if it is not possible.

If you have selected a range using the [anchor](../../../disassembler/navigation/anchor.md, all the bytes from this range will be converted to instructions.

If you apply this command to an instruction, it will be reanalyzed.

See also Edit submenu

 Action    name: Undo
 

This command reverts the database to the state before executing the last user action. It is possible to apply Undo multiple times, in this case multiple user actions will be reverted.

Please note the entire database is reverted, including all modifications that were made to the database after executing the user action and including the ones that are not connected to the user action. For example, if a third party plugin modified the database during or after the user action, this modification will be reverted. In theory it is possible to go back in time to the very beginning and revert the database to the state state that was present immediately after performing the very first user action. However, in practice the undo buffers overflow because of the changes made by autoanalysis. Autoanalysis generates copious amounts of undo data. Also please note that maintaining undo data during autoanalysis slows it down a bit. In practice it is not a big deal because the limit on the undo data is reached quite quickly (in a matter of minutes). Therefore, if during analysis the user does not perform any actions that modify the database, the undo feature will turn itself off temporarily.

However, if you prefer not to collect undo data at all during the initial autoanalysis, just turn off the UNDO_DURING_AA parameter in ida.cfg.

The configuration file ida.cfg has 2 more undo-related parameters:

  UNDO_MAXSIZE  max size of undo buffers; default: 128MB
                once this limit is reached, the undo info about the oldest
                user action will be forgotten.

  UNDO_DEPTH    max number of user actions to remember; default: 1000000
                if set to 0, the undo feature will be unavailable.

Since there is a limit on the size of undo buffers, any action, even the tiniest, may become non-undoable after some time. This is true because the analysis or plugins may continue to modify the database and overflow the buffers. Some massive actions, like deleting a segment, may be non-undoable just because of the sheer amount of undo data they generate.

Please note that Undo does not affect the state of IDC or Python scripts. Script variables will not change their values because of Undo. Also nothing external to the database can be changed: created files will not be deleted, etc.

Some actions cannot be undone. For example, launching a debugger or resuming from a breakpoint cannot be undone.

See also

• Redo

• Reset Undo

• Disable Undo

• Open undo history

 Action    name: ResetUndo
 

This command clears the undo history. After it the Undo and Redo commands become unavailable. However, once the user performs a new action, IDA will again start journaling all database modifications.

A side effect of this command is fast autoanalysis: since there is no user action to revert yet, IDA does not maintain undo buffers and this speeds up the analysis.

See also

• Undo

• Redo

• Disable Undo

• Open undo history

 Action    name: DisableUndo
 

This command completely disables the undo feature.

See also

• Undo

• Redo

• Reset Undo

• Open undo history

This submenu allows the user to modify text representation and to patch the file. It also has the commands to control the analysis:

• Anchor

• Export data

• Undo

• Redo

• Convert to instruction

• Convert to data

• Convert to STRLIT string

• Convert to array

• Undefine

• Rename

• Operand types submenu

• Comments submenu

• Functions submenu

• Structs submenu

• Segments submenu

• Patch program submenu

• Other submenu

• Plugins submenu

See also Menu Bar submenus.

 Action    name: MakeData
 

This command converts the current unexplored bytes to data. If it is not possible, IDA will warn you.

Multiple using of this command will change the data type:

 db -> dw -> dd -> float -> dq -> double -> dt -> packreal -> octa \;
 ^                                                                 |;
 \---------<----------------<--------------<-----------------------/;

You may remove some items from this list using setup data command.

If the target assembler does not support double words or another data type, it will be skipped. To create a structure variable, use Declare struct var command. To create an array, use Array command. To convert back, use Undefine command. See also Edit submenu

The full syntax and semantics of the regular expressions that are supported by PCRE2 are described in the pcre2pattern documentation. This document contains a quick-reference summary of the syntax.

QUOTING

  \x         where x is non-alphanumeric is a literal x
  \Q...\E    treat enclosed characters as literal

ESCAPED CHARACTERS

This table applies to ASCII and Unicode environments.

  \a         alarm, that is, the BEL character (hex 07)
  \cx        "control-x", where x is any ASCII printing character
  \e         escape (hex 1B)
  \f         form feed (hex 0C)
  \n         newline (hex 0A)
  \r         carriage return (hex 0D)
  \t         tab (hex 09)
  \0dd       character with octal code 0dd
  \ddd       character with octal code ddd, or backreference
  \o{ddd..}  character with octal code ddd..
  \U         "U" if PCRE2_ALT_BSUX is set (otherwise is an error)
  \uhhhh     character with hex code hhhh (if PCRE2_ALT_BSUX is set)
  \xhh       character with hex code hh
  \x{hhh..}  character with hex code hhh..

Note that \0dd is always an octal code. The treatment of backslash followed by a non-zero digit is complicated; for details see the section "Non-printing characters" in the pcre2pattern documentation, where details of escape processing in EBCDIC environments are also given.

When \x is not followed by {, from zero to two hexadecimal digits are read, but if PCRE2_ALT_BSUX is set, \x must be followed by two hexadecimal digits to be recognized as a hexadecimal escape; otherwise it matches a literal "x". Likewise, if \u (in ALT_BSUX mode) is not followed by four hexadecimal digits, it matches a literal "u".

CHARACTER TYPES

  .          any character except newline;
               in dotall mode, any character whatsoever
  \C         one code unit, even in UTF mode (best avoided)
  \d         a decimal digit
  \D         a character that is not a decimal digit
  \h         a horizontal white space character
  \H         a character that is not a horizontal white space character
  \N         a character that is not a newline
  \p{xx}     a character with the xx property
  \P{xx}     a character without the xx property
  \R         a newline sequence
  \s         a white space character
  \S         a character that is not a white space character
  \v         a vertical white space character
  \V         a character that is not a vertical white space character
  \w         a "word" character
  \W         a "non-word" character
  \X         a Unicode extended grapheme cluster

\C is dangerous because it may leave the current matching point in the middle of a UTF-8 or UTF-16 character. The application can lock out the use of \C by setting the PCRE2_NEVER_BACKSLASH_C option. It is also possible to build PCRE2 with the use of \C permanently disabled.

By default, \d, \s, and \w match only ASCII characters, even in UTF-8 mode or in the 16-bit and 32-bit libraries. However, if locale-specific matching is happening, \s and \w may also match characters with code points in the range 128-255. If the PCRE2_UCP option is set, the behaviour of these escape sequences is changed to use Unicode properties and they match many more characters.

GENERAL CATEGORY PROPERTIES FOR \p and \P

  C          Other
  Cc         Control
  Cf         Format
  Cn         Unassigned
  Co         Private use
  Cs         Surrogate

  L          Letter
  Ll         Lower case letter
  Lm         Modifier letter
  Lo         Other letter
  Lt         Title case letter
  Lu         Upper case letter
  L&         Ll, Lu, or Lt

  M          Mark
  Mc         Spacing mark
  Me         Enclosing mark
  Mn         Non-spacing mark

  N          Number
  Nd         Decimal number
  Nl         Letter number
  No         Other number

  P          Punctuation
  Pc         Connector punctuation
  Pd         Dash punctuation
  Pe         Close punctuation
  Pf         Final punctuation
  Pi         Initial punctuation
  Po         Other punctuation
  Ps         Open punctuation

  S          Symbol
  Sc         Currency symbol
  Sk         Modifier symbol
  Sm         Mathematical symbol
  So         Other symbol

  Z          Separator
  Zl         Line separator
  Zp         Paragraph separator
  Zs         Space separator

PCRE2 SPECIAL CATEGORY PROPERTIES FOR \p and \P

  Xan        Alphanumeric: union of properties L and N
  Xps        POSIX space: property Z or tab, NL, VT, FF, CR
  Xsp        Perl space: property Z or tab, NL, VT, FF, CR
  Xuc        Univerally-named character: one that can be
               represented by a Universal Character Name
  Xwd        Perl word: property Xan or underscore

Perl and POSIX space are now the same. Perl added VT to its space character set at release 5.18.

SCRIPT NAMES FOR \p AND \P

Ahom, Anatolian_Hieroglyphs, Arabic, Armenian, Avestan, Balinese, Bamum, Bassa_Vah, Batak, Bengali, Bopomofo, Brahmi, Braille, Buginese, Buhid, Canadian_Aboriginal, Carian, Caucasian_Albanian, Chakma, Cham, Cherokee, Common, Coptic, Cuneiform, Cypriot, Cyrillic, Deseret, Devanagari, Duployan, Egyptian_Hieroglyphs, Elbasan, Ethiopic, Georgian, Glagolitic, Gothic, Grantha, Greek, Gujarati, Gurmukhi, Han, Hangul, Hanunoo, Hatran, Hebrew, Hiragana, Imperial_Aramaic, Inherited, Inscriptional_Pahlavi, Inscriptional_Parthian, Javanese, Kaithi, Kannada, Katakana, Kayah_Li, Kharoshthi, Khmer, Khojki, Khudawadi, Lao, Latin, Lepcha, Limbu, Linear_A, Linear_B, Lisu, Lycian, Lydian, Mahajani, Malayalam, Mandaic, Manichaean, Meetei_Mayek, Mende_Kikakui, Meroitic_Cursive, Meroitic_Hieroglyphs, Miao, Modi, Mongolian, Mro, Multani, Myanmar, Nabataean, New_Tai_Lue, Nko, Ogham, Ol_Chiki, Old_Hungarian, Old_Italic, Old_North_Arabian, Old_Permic, Old_Persian, Old_South_Arabian, Old_Turkic, Oriya, Osmanya, Pahawh_Hmong, Palmyrene, Pau_Cin_Hau, Phags_Pa, Phoenician, Psalter_Pahlavi, Rejang, Runic, Samaritan, Saurashtra, Sharada, Shavian, Siddham, SignWriting, Sinhala, Sora_Sompeng, Sundanese, Syloti_Nagri, Syriac, Tagalog, Tagbanwa, Tai_Le, Tai_Tham, Tai_Viet, Takri, Tamil, Telugu, Thaana, Thai, Tibetan, Tifinagh, Tirhuta, Ugaritic, Vai, Warang_Citi, Yi.

CHARACTER CLASSES

  [...]       positive character class
  [^...]      negative character class
  [x-y]       range (can be used for hex characters)
  [[:xxx:]]   positive POSIX named set
  [[:^xxx:]]  negative POSIX named set

  alnum       alphanumeric
  alpha       alphabetic
  ascii       0-127
  blank       space or tab
  cntrl       control character
  digit       decimal digit
  graph       printing, excluding space
  lower       lower case letter
  print       printing, including space
  punct       printing, excluding alphanumeric
  space       white space
  upper       upper case letter
  word        same as \w
  xdigit      hexadecimal digit

In PCRE2, POSIX character set names recognize only ASCII characters by default, but some of them use Unicode properties if PCRE2_UCP is set. You can use \Q...\E inside a character class.

QUANTIFIERS

  ?           0 or 1, greedy
  ?+          0 or 1, possessive
  ??          0 or 1, lazy
  *           0 or more, greedy
  *+          0 or more, possessive
  *?          0 or more, lazy
  +           1 or more, greedy
  ++          1 or more, possessive
  +?          1 or more, lazy
  {n}         exactly n
  {n,m}       at least n, no more than m, greedy
  {n,m}+      at least n, no more than m, possessive
  {n,m}?      at least n, no more than m, lazy
  {n,}        n or more, greedy
  {n,}+       n or more, possessive
  {n,}?       n or more, lazy

ANCHORS AND SIMPLE ASSERTIONS

  \b          word boundary
  \B          not a word boundary
  ^           start of subject
                also after an internal newline in multiline mode
                (after any newline if PCRE2_ALT_CIRCUMFLEX is set)
  \A          start of subject
  $           end of subject
                also before newline at end of subject
                also before internal newline in multiline mode
  \Z          end of subject
                also before newline at end of subject
  \z          end of subject
  \G          first matching position in subject

MATCH POINT RESET

  \K          reset start of match

\K is honoured in positive assertions, but ignored in negative ones.

ALTERNATION

  expr|expr|expr...

CAPTURING

  (...)           capturing group
  (?<name>...)    named capturing group (Perl)
  (?'name'...)    named capturing group (Perl)
  (?P<name>...)   named capturing group (Python)
  (?:...)         non-capturing group
  (?|...)         non-capturing group; reset group numbers for
                   capturing groups in each alternative

ATOMIC GROUPS

  (?>...)         atomic, non-capturing group

COMMENT

  (?#....)        comment (not nestable)

OPTION SETTING

  (?i)            caseless
  (?J)            allow duplicate names
  (?m)            multiline
  (?s)            single line (dotall)
  (?U)            default ungreedy (lazy)
  (?x)            extended (ignore white space)
  (?-...)         unset option(s)

The following are recognized only at the very start of a pattern or after one of the newline or \R options with similar syntax. More than one of them may appear. (*LIMIT_MATCH=d) set the match limit to d (decimal number)

  (*LIMIT_RECURSION=d) set the recursion limit to d (decimal number)
  (*NOTEMPTY)     set PCRE2_NOTEMPTY when matching
  (*NOTEMPTY_ATSTART) set PCRE2_NOTEMPTY_ATSTART when matching
  (*NO_AUTO_POSSESS) no auto-possessification (PCRE2_NO_AUTO_POSSESS)
  (*NO_DOTSTAR_ANCHOR) no .* anchoring (PCRE2_NO_DOTSTAR_ANCHOR)
  (*NO_JIT)       disable JIT optimization
  (*NO_START_OPT) no start-match optimization (PCRE2_NO_START_OPTIMIZE)
  (*UTF)          set appropriate UTF mode for the library in use
  (*UCP)          set PCRE2_UCP (use Unicode properties for \d etc)

Note that LIMIT_MATCH and LIMIT_RECURSION can only reduce the value of the limits set by the caller of pcre2_match(), not increase them. The application can lock out the use of (*UTF) and (*UCP) by setting the PCRE2_NEVER_UTF or PCRE2_NEVER_UCP options, respectively, at compile time.

NEWLINE CONVENTION

These are recognized only at the very start of the pattern or after option settings with a similar syntax.

  (*CR)           carriage return only
  (*LF)           linefeed only
  (*CRLF)         carriage return followed by linefeed
  (*ANYCRLF)      all three of the above
  (*ANY)          any Unicode newline sequence

WHAT \R MATCHES

These are recognized only at the very start of the pattern or after option setting with a similar syntax.

  (*BSR_ANYCRLF)  CR, LF, or CRLF
  (*BSR_UNICODE)  any Unicode newline sequence

LOOKAHEAD AND LOOKBEHIND ASSERTIONS

  (?=...)         positive look ahead
  (?!...)         negative look ahead
  (?<=...)        positive look behind
  (?<!...)        negative look behind

Each top-level branch of a look behind must be of a fixed length.

BACKREFERENCES

  \n              reference by number (can be ambiguous)
  \gn             reference by number
  \g{n}           reference by number
  \g{-n}          relative reference by number
  \k<name>        reference by name (Perl)
  \k'name'        reference by name (Perl)
  \g{name}        reference by name (Perl)
  \k{name}        reference by name (.NET)
  (?P=name)       reference by name (Python)

SUBROUTINE REFERENCES (POSSIBLY RECURSIVE)

  (?R)            recurse whole pattern
  (?n)            call subpattern by absolute number
  (?+n)           call subpattern by relative number
  (?-n)           call subpattern by relative number
  (?&name)        call subpattern by name (Perl)
  (?P>name)       call subpattern by name (Python)
  \g<name>        call subpattern by name (Oniguruma)
  \g'name'        call subpattern by name (Oniguruma)
  \g<n>           call subpattern by absolute number (Oniguruma)
  \g'n'           call subpattern by absolute number (Oniguruma)
  \g<+n>          call subpattern by relative number (PCRE2 extension)
  \g'+n'          call subpattern by relative number (PCRE2 extension)
  \g<-n>          call subpattern by relative number (PCRE2 extension)
  \g'-n'          call subpattern by relative number (PCRE2 extension)

CONDITIONAL PATTERNS

  (?(condition)yes-pattern)
  (?(condition)yes-pattern|no-pattern)

  (?(n)               absolute reference condition
  (?(+n)              relative reference condition
  (?(-n)              relative reference condition
  (?(<name>)          named reference condition (Perl)
  (?('name')          named reference condition (Perl)
  (?(name)            named reference condition (PCRE2)
  (?(R)               overall recursion condition
  (?(Rn)              specific group recursion condition
  (?(R&name)          specific recursion condition
  (?(DEFINE)          define subpattern for reference
  (?(VERSION[>]=n.m)  test PCRE2 version
  (?(assert)          assertion condition

BACKTRACKING CONTROL

The following act immediately they are reached:

  (*ACCEPT)       force successful match
  (*FAIL)         force backtrack; synonym (*F)
  (*MARK:NAME)    set name to be passed back; synonym (*:NAME)

The following act only when a subsequent match failure causes a backtrack to reach them. They all force a match failure, but they differ in what happens afterwards. Those that advance the start-of-match point do so only if the pattern is not anchored. (*COMMIT) overall failure, no advance of starting point

  (*PRUNE)        advance to next starting character
  (*PRUNE:NAME)   equivalent to (*MARK:NAME)(*PRUNE)
  (*SKIP)         advance to current matching position
  (*SKIP:NAME)    advance to position corresponding to an earlier
                  (*MARK:NAME); if not found, the (*SKIP) is ignored
  (*THEN)         local failure, backtrack to next alternation
  (*THEN:NAME)    equivalent to (*MARK:NAME)(*THEN)

CALLOUTS

  (?C)            callout (assumed number 0)
  (?Cn)           callout with numerical data n
  (?C"text")      callout with string data

The allowed string delimiters are ` ' " ^ % # $ (which are the same for the start and the end), and the starting delimiter { matched with the ending delimiter }. To encode the ending delimiter within the string, double it.

You can search for:

See also

Search for next suspicious operand

Data arrays are considered to be suspicious if the first element of the data array is within the lower and upper suspicious limits. Values of other elements are not examined.

Search for next code

Search for next data

Search for next unexplored byte

Search for next explored byte

Search for next instruction/data with the specified operand

This command searches for the first instruction or data byte that contains the specified immediate value. The command is relatively slow (but much faster than the text search), because it disassembles each instruction to find the operand values.

If the immediate value in an instruction has been logically or bitwise negated, then this command will check against the modified value. Example:

will be found if the user searches for the immediate value 2 but not when he searches for 0xFE.

If the checkbox "any untyped value" is checked, then the "value" field is ignored. IDA will look for all immediate values without type in this case.

Repeat search for instruction/data with the specified operand

Search for substring in the disassembly

Note that this command searches the same as what you see on your screen (and not in binary image).

Repeat search for substring in the disassembly

Search for substring in the file

This command searches for the specified substring in the file being disassembled. This command can be used for fast lookups of text strings in the executable file or even to find references to a data. You can interrupt it pressing Ctrl-Break.

The substring is specified like this:

i.e. in the double-quotes. Also you can specify individual byte values as numbers:

For example, if you want to find a reference to the following string:

you could search for number 106A in the file.

See also

Repeat search for substring in the file

Search for bytes not belonging to any function

Set Direction for Searches

The current direction for searches is displayed in the right upper corner of the screen. Using this command, you can toggle the display.

Find all suspicious operands

This command searches for all suspicious operands and presents a list of them. You may use this list to examine the operands and modify them as needed.

See also

Search for next string with error

This commands searches for the 'error' operands. Usually, these operands are displayed with a red color.

Below is the list of probable causes of error operands:

Find all errors

This command searches for all strings containing any error and presents a list of them. You may use this list to examine errors and correct them as needed.

See also

This command converts immediate operand(s) type of the current instruction to an offset to stack variables, i.e. a local variable or function argument in the stack.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise all other operands will be affected.

Convert to string literal

This command converts the current unexplored bytes to a string.

The GUI version allows you to assign a special hotkey to create Unicode strings. To do so, change the value of the StringUnicode parameter in the IDAGUI.CFG file.

Pascal Strings

IDA opens a special non-closable window at the start. This window is called "message window". In this window you see various IDA messages.

If the message window is hidden behind other windows, you will not see the IDA messages.

You can duplicate all messages appearing in this window to a file. For this, you have to define an environment variable:

This command shows the database snapshot manager. In this dialog, it is possible to restore previously saved snapshots, rename or delete them.

Note: snapshots work only with regular databases. Unpacked databases do not support them.

Here are commands to open various windows, display information etc.