Action    name: MakeData
 

This command converts the current unexplored bytes to data. If it is not possible, IDA will warn you.

Multiple using of this command will change the data type:

 db -> dw -> dd -> float -> dq -> double -> dt -> packreal -> octa \;
 ^                                                                 |;
 \---------<----------------<--------------<-----------------------/;

You may remove some items from this list using setup data command.

If the target assembler does not support double words or another data type, it will be skipped. To create a structure variable, use Declare struct var command. To create an array, use Array command. To convert back, use Undefine command. See also Edit submenu

 Action    name: Unhide
 

This command allows you to unhide a hidden part of disassembly.

If the cursor is on the hidden function name, the function will be unhidden.

If the cursor is on the terse structure variable, the structure will be uncollapsed and displayed in the regular form.

If the cursor is on the hidden range, the hidden range will be unhidden.

If the cursor is on the hidden segment name, the segment will be unhidden.

See also hide command and setup hidden command.

See also Edit|View submenu

 Action    name: HideAll
 

This command allows you to hide:

• all functions and hidden ranges if invoked in the disassembly window

IDA will display only the header of the hidden items.

If you want to see hidden items on the screen, you may use unhide command or enable the display of the hidden items.

See also Unhide all command.

See also Edit|View submenu

 Action    name: ProcessPause
 

This command pauses a running process. Please note that it is not always possible to pause a process executing the system code. See also

• Start process

• Terminate process

• Debugger submenu.

 Action    name: ThreadStepInto
 

This command executes one assembler instruction at a time, stepping into functions. See also

• Step over

• Run until return

• Debugger submenu.

 Action    name: ThreadRunToCursor
 

This command executes instructions until the instruction under the cursor is reached.

Internally, IDA setups a temporary breakpoint on the instruction under the cursor. See also Debugger submenu.

 Action    name: ThreadSetCurrentIp
 

This command sets the instruction pointer of the current suspended thread to the current cursor location.

It is accessible only when the debugger is active and the process is suspended. See also Debugger submenu.

This submenu allows you to manipulate segments of the program:

• Create a new segment...

• Delete a segment...

• Change segment attributes...

See also:

• submenu.

Create a new segment

This command allows you to create a new segment.

If you select a range using the , IDA will propose the start address and the end address of the selection as defaults for the segment bounds.

You need to specify at least:

Click to learn about addressing model used in IDA.

If "sparse storage" is set, IDA will use special sparse storage method for the segment. This method is recommended for huge segments. Later, it is possible to change the storage method of any region using IDC function.

If another segment already exists at the specified address, the existing segment is truncated and the new segment lasts from the specified start address to the next segment (or specified end address, whichever is lower). If the old and the new segments have the same base address, instructions/data will not be discarded by IDA. Otherwise, IDA will discard all instructions/data of the new segment.

An additional segment may be created by IDA to cover the range after the end of the new segment.

IDA address space concepts

nternally, IDA has 32-bit linear address space (IDA64 uses 64-bit address space). The internal addresses are called "linear addresses". The input program is loaded into this linear address space.

Please note that usually the linear addresses are not used in the program directly. During disassembling, we use so-called "virtual addresses", which are calculated by the following formula:

We see that the SegmentBase determines what addresses will be displayed on the screen. More than that, IDA allows to create several segments with the same virtual address in them. For this, you just need to create segments with correct segment base values.

Normally a SegmentBase is a 16bit quantity. To create a segment with base >= 0x10000, you need to use . However, if you try to create a segment with a segment base >= 0x10000, IDA will automatically choose appropriately a free selector and setup for the new segment.

All SegmentBases are looked up in the table.

There are some address restrictions in IDA.

There is a range of addresses that are used for internal housekeeping. This range can be specified by the configuration variable PRIVRANGE (start address and size). It is not recommended to use these addresses for other purposes.

There is also one address which must never be used in the disassembly. It is the 'all ones' address, or -1. Internally, it is used as a BADADDR (bad address). No address or address range can include BADADDR.

Related topics:

• Click to see an example of segment creation (simple case - IBM PC)

• Click to see an example of segment creation (simple case - Z80)

• Click to see another example of segment creation (automatically chosen selector)

Create segment - simple case (PC)

IBM PC case -----------

Suppose we need to create a segment occupying addresses F000:1000..F000:2000 Let's calculate linear addresses:

The segment base must be selected so that the first offset in our segment will be 0x1000. Let's find it using the following equation:

After solving this equation, we see that the segment base is equal to 0xF000. (you see, this is really a very simple case :) )

Now, we can create a segment entering:

Please note that the end address never belongs to the segment in IDA.

Create segment - simple case (Z80)

Suppose we need to create a segment occupying virtual addresses 8000-C000. Since we are free to place our segment anywhere in the linear address space, we choose the linear addresses at our convenience. Let's say we choose a linear address 0x20000:

The segment base must be selected so that the virtual address in our segment will be 0x8000. Let's find it using the following equation:

After solving this equation, we see that the segment base is equal to 0x1800.

Now we can create a segment entering:

Please note that the end address never belongs to the segment in IDA.

Create segment - automatically chosen selector case

Suppose we need to create a segment occupying linear addresses 200000-200C00 and the virtual addresses must have be 0000..0C00. If we simply enter

Then IDA will notice that the segment base is too big and does not fit into 16bits. Because of this IDA will find a free selector (let's say it has found selector number 5), define it to point at paragraph 0x20000 and create a segment. After all this we will have:

The first virtual address in the segment will be 0:

Please note that the end address never belongs to the segment in IDA.

Create segment - user-defined selector case

If the example we saw how IDA allocates a selector automatically. You could make it yourself:

1. Create a selector. For this, open the and press Ins. Enter a selector number and its value.

2. Create a segment. Specify the selector number as the segment base.

Delete a segment

This command allows you to delete a segment.

IDA will ask your the permission to disable the addresses occupied by the segment. If you allow this operation, all information about the segment will be deleted. In other words, IDA will discard the information about instructions or data, comments etc.

If you check the "disable addresses" checkbox, IDA will mark the addresses occupied by the segment as "nonexistent" in the program. You will lose *ALL* information, including byte values.

It is impossible to disassemble the content of addresses not located in any segment, therefore you must create a new segment if you want to resume the disassembly of that part of the code.

You can also edit (see below) an adjacent segment to it to those addresses.

IDA will ask your the permission to disable addresses occupied by the segment. If you give your permission, information about the segment will be deleted, otherwise IDA will discard information about instruction/data, comments etc, but retain byte values so that you will be able to create another segment afterwards.

To disassemble the addresses occupied by the segment, you need to create a new segment again (i.e. you cannot disassemble bytes without a segment). You can also another adjacent segment to these addresses.

Change segment attributes

Changing the segment class may change the segment type.

MOVE ADJACENT SEGMENTS: means that the previous and next segments will be shrunk or expanded to fill gaps between segments. Click for more information.

DISABLE ADDRESSES: if set, when a segment is shrunk, all information about bytes going out of the segment will be completely removed.. Otherwise, IDA will discard information about instructions/data, comments etc, but will retain byte values so that another segment can be created later and it will use the existing byte values.

If IDA creates 2 segments where only one segment must exist, you may try the following sequence:

• one segment. Choose one with bad segment base value. Do not disable addresses occupied by the segment being deleted.

• change bounds of another segment. Note that the segment command changes the boundaries of the overlapping segment automatically.

Segments with the 'debugger' attribute are the segments whose memory contents are not saved in the database. Usually, these segments are created by the debugger to reflect the current memory state of the program.

However, the user can modify this attribute.

If it is cleared, then the segment will permanently stay in the database after closing the debugger session. The database will reflect the state of the segment which was at the time when the status is changed.

If it is set, then the segment will become a temporary segment and will be deleted at the end of the debugging session.

The "debugger segment" checbkox is available only during debugging sessions.

The 'loader' segments are the segment created by the file loader. The segment having this attribute are considered to be part of the input file.

A segment with the 'debugger' attribute set and the 'loader' attribute not set is considered to be an ephemeral segment. Such segments are not analyzed automatically by IDA.

"Segment permissions" group box can be used to modify Segment access permissions (Read/Write/Execute)

Change Segment Name

Enter a new name for the segment. A segment name is up to 8 characters long. IDA does check if the length is ok. Try to give mnemonic names for the segments.

Segment Class Name

The segment class name identifies the segment with a class name (such as CODE, FAR_DATA, or STACK). The linker places segments with the same class name into a contiguous range of memory in the runtime memory map.

Changing the segment class changes only the segment definition on the screen. There are the following predefined segment class names:

If you change segment class and the segment type is "Regular", then the segment type will be changed accordingly.

In order to set the segment type "Regular", you should change the segment class to "UNK".

Change Segment Addressing

You can choose between 16-bit and 32-bit segment addressing.

IDA will delete all instructions and data in the segment if the segment address is changed.

Never do it if you are not sure. It may have irreversible consequences, all instructions/data will be converted to undefined bytes.

Change Segment Alignment

Alignment: select between abs,byte,word,dword,para,page

You can specify the segment alignment for the selected segment. By default, IDA assumes 'byte' alignment.

Changing the alignment changes only the segment definition on the screen. Nothing else will happen.

Change Segment Combination

Combination

A field that describes how the linker can combine the segment with other segments. Under MS-DOS, segments with the same name and class can be combined in two ways: they can be concatenated to form one logical segment, or they can be overlapped. In the latter case, they have either the same start address or the same end address, and they describe a common range in memory. Values for the field are:

Changing segment combination changes only the segment definition on the screen. Nothing else will happen.

Move a segment

This command allows you to move segment(s) to another address. Use it if the segment(s) are loaded at a wrong address.

This command shifts (moves) the selected segments in the memory to the target address. There must be enough free space at the target address for the segments.

All information in the segment will be moved to the new address, but since the addresses change, the disassembly might be not valid anymore (especially if the program is moved to the wrong addresses and the relocation information is not available).

Rebase program

The whole program will be shifted by the specified amount of bytes in the memory. The following options are available (we strongly recommend to leave them turned on):

Please note rebasing the program might remove user-defined xrefs.

Change segment translation

in the segment C obviously refers to the segment B while the instruction

refers to the segment A.

However, IDA does not try to link these references unless you tell it to do so: include the segments A and B into a translation list of the segment C. It means that you have to create a translation list

for the segment C.

Below is a more complicated example:

translations

allow you to emulate overlays (the first set is A B D, the second A C E)

IMPORTANT NOTE1: If you use the segment translations, make sure that all segments have unique segment bases. If two segments are placed in the linear address space so that they must have the same segment base, you may assign different with equal values to them.

IMPORTANT NOTE2: IDA supports only one translation list per segment. This translation is applied by default to all instruction in the segment. If the segment uses other mappings, then these individual mappings can be specified for each instruction separately by using the commands.

IMPORTANT NOTE3: Since only code references are affected by the segment translations, try to create the RAM segment at its usual place (i.e. its linear address in IDA corresponds to its address in the processor memory). This will make all data references to it to be correct without any segment translation. For the data references to other segments you'll need to use the command for each such reference.

See also

Set Default Segment Register Value

Relevant only for processors with the segment registers.

You can specify a default value of a segment register for the current segment. When you change the default value, IDA will reanalyze the segment, taking the default value when it cannot determine the actual value of the register. This takes time, so do not be surprised if references are not corrected immediately.

To specify a value other than the default value of a segment register, you can use command.

See also

Change Segment Register Value

Relevant only for processors with the segment registers. Currently this command works for IBM PC, TMS320C2, Intel80196, and PowerPC processors.

This command creates or updates a segment register .

See for more info.

ALPHA DISASSEMBLY

For Alpha processors, the user must enter the difference between the real GP value and the start of the GOT (global offset table). For example:

If you want to specify that a register points to "label", you must calculate and enter the difference "label-.got" as the register value.

ARM DISASSEMBLY

The ARM processor module has a virtual segment register T which reflects the state of the T bit of the processor state register (PSR). Therefore, the value of this register controls THUMB/ARM mode. If its value is not zero, then the disassembly will be in the thumb mode.

POWER PC DISASSEMBLY

For PowerPC processors, the user must enter an offset from the beginning of the TOC to the TOC entry which contains the address of the target. An example:

If you want to specify that a register points to "datachunk", you must calculate and enter the difference "sometc-TOC" as the register value. You can change the TOC value in the processor specific options (which is accessible from the analysis options).

INTEL 80196 DISASSEMBLY

For Intel 80196NP/NU processors, the user must enter the value of WSR or WSR1 register. IDA will automatically take the new value into account.

See also:

Segment Register Change Points

When IDA encounters an instruction which changes a segment register, it creates a segment register change point. So, mostly change points are maintained by IDA itself. IDA assumes that the segment registers do not change their values between change points. If you find out that IDA failed to locate a segment register change, or if you want to change a register value, you can create a change point using command. You can change the value of a segment register using command too.

IDA classifies the change points. In the list of the change points, you can see the following postfixes after the register values:

IDA generates the appropriate 'assume' instructions for the change points if it was not disabled by .

Choose segment

IDA can display a list of the program segments. Each segment is represented by a line in the list. Please note that the end address of the segment never belongs to the segment in IDA.

The following segment attributes are visible:

The rest of the columns display the default values of the segment registers for the segment.

By default, the cursor is located on the current segment.

You can use normal cursor movement keys and the mouse. You can also search for the segment by pressing Alt-T, or directly jump to the desired line by typing in its number.

Press <Enter> to select line, <Esc> to cancel the selection.

 Action    name: ProcessStart
 

This command starts the process in the debugger. If the process was suspended, it will continue its execution. See also

• Attach to process...

• Process options

• Pause process

 Action    name: SetupProcess
 

This dialog box allows to specify different settings related to the process being debugged.

Application

        Host application to launch.
        When the debugging target (== 'input file') is an executable file, this field is equal to the 'input file'.
        If this field is wrong, IDA will not be able to launch the program.
        For remoting debugging, this field denotes a remote file.

Input file

        The input file used to create the database.
        For remoting debugging, this field denotes a remote file.

Directory

        Directory to start the application. If empty, then the current directory
        will be used.
        For remoting debugging, this field denotes a remote directory.

Parameters

        Optional parameters to pass to the debugged application (or the host application)
        when it starts. This field may be empty.
        The standard input/output/error channels can be redirected using
        the bash shell notations. for example: >output 2>&1

Hostname If entered, denotes the name of the remote host with the application to debug. In this case, a remote IDA server on this host must be launched. Click here to see the list of remote servers. Port

        The port number of the remote server

Password

        Optional password to protect your server from strangers connecting to
        it and running arbitrary commands. The same password switch must be
        specified on the remote server.

The hostname, port, and password are not available for debuggers connected locally to the computer. See also

 Action    name: ThreadStepOver
 

This command executes one assembler instruction at a time, stepping over procedures while executing them as a single unit.

Internally, in the case of a function call, IDA setups a temporary breakpoint on the instruction following this function call. See also

• Step into

• Run until return

• .

 Action    name: ProcessDetach
 

This command detaches the debugger from the debugged process. Note: this command is only available on Windows XP or Windows 2003 Server !

See also

• Start process

• Pause process

• .

 Action    name: TakeSnapshot
 

This command copies the contents of the process memory to the database. It is available during a debugging session.

The memory contents will be copied to the database. The user may specify that only the segments with the 'loader' attribute will be saved in the database.

The segments with the loader attribute are created by the input file loader and usually contain information from the input file. However, in some cases (like attaching to an existing process), there will not be any loader segments because the input file was not loaded by IDA.

To be able to make a partial snapshot in this case and other similar cases, the user can set or clear the 'loader' attribute of the desired segments using the edit segment command.

After applying this command, the user can terminate the debugging process and continue to analyze the program in the database.

Please note that it is possible to save the database without taking a memory snapshot. Such a database might be used to keep global information about the program like the breakpoint information, notes, etc. However, we recommend to take a memory snapshot of at least the 'loader' segments because it will allow to save also information about the program functions, names, comments, etc.

See also .

 Action    name: Shell
 

By using this command, you can temporarily quit to the operating system.

This command is not available in the MS DOS version.

The database is left open when you use this command, so be careful.

See also other File... submenu commands.

 Action    name: SaveBaseSnap
 

This command takes a database snapshot. The snapshot can be later restored from the database snapshot manager.

Note: snapshots work only with regular databases. Unpacked databases do not support them.

See also View database snapshot manager commands.

 Action    name: Execute
 

You can execute any script file supported by the built-in scripting engine (IDC or Python), or a scripting language added by a plugin. The scripting language to use is selected by the file name extension of the script.

See also Immediate execution of script commands, Load... submenu commands.

 Action    name: SaveBase
 

This command saves and packs the current database.

See also other File... submenu commands. Save database as... command.

All IDA commands are available from the followings menus:

• File

• Edit

• Jump

 Action    name: ExecuteLine
 

You can enter and execute a small script written in the built-in IDC language or any other registered extlang.

Here is the list of built-in functions.

See also:

• IDC language overview

• Execute script file command

• commands

• How to use .

In this submenu you can:

• Load file

• Execute a script command

• Generate output file

This command terminates the current IDA session. IDA will write all changes to the disk and will close all databases.

You can enable/disable database packing. When the database is packed, it consists of one file with IDB extension. When the database is not packed, it consists of several files on the disk. If packing is disabled, in the next session you cannot IDA. We do not recommend to leave the database in the unpacked form because you will not have a backup copy.

You can also perform garbage collection on the database before packing it. The garbage collection removes the unused database pages, making it smaller. However, IDA needs some free database pages when it works,therefore it will allocate them again when you reuse the database. Removing and adding free pages takes time and, what is most important, it changes the database control blocks.

Use garbage collection only when you do not intend to work with the database in the near future.

IDA will remember all information about the screen, cursor position, jump stack, etc. The following information will be lost: , the position To resume a disassembly session simply type: "ida file"

This submenu allows the user to modify text representation and to patch the file. It also has the commands to control the analysis:

Abort IDA

This command terminates the current IDA session. The Abort command is not available if the database was not packed.

IDA will NOT save changes to the disk.

This command clears the undo history. After it the Undo and Redo commands become unavailable. However, once the user performs a new action, IDA will again start journaling all database modifications.

A side effect of this command is fast autoanalysis: since there is no user action to revert yet, IDA does not maintain undo buffers and this speeds up the analysis.

See also

This command reverts the previously issued command. It is possible to use Redo multiple times.

This command also reverts all changes that were done to the database after the last Undo command, including the eventual useful modifications made by the autoanalysis. In other words, the entire database is modified to get to the exact state that it had before executing the last Undo command.

See also

 Action    name: MakeCode
 

This command converts the current unexplored bytes to instruction(s). IDA will warn you if it is not possible.

If you have selected a range using the [anchor](../../../disassembler/navigation/anchor.md, all the bytes from this range will be converted to instructions.

If you apply this command to an instruction, it will be reanalyzed.

See also Edit submenu

 Action    name: MakeUnknown
 

This command deletes the current instruction or data, converting it to 'unexplored' bytes. IDA will delete the subsequent instructions if there are no more references to them (functions are never deleted).

If you have selected a range using the anchor, all the bytes in this range will be converted into 'unexplored' bytes. In this case, IDA will not delete any other instructions even if there are no references to them after the deletion.

See also Edit submenu

 Action    name: Undo
 

This command reverts the database to the state before executing the last user action. It is possible to apply Undo multiple times, in this case multiple user actions will be reverted.

Please note the entire database is reverted, including all modifications that were made to the database after executing the user action and including the ones that are not connected to the user action. For example, if a third party plugin modified the database during or after the user action, this modification will be reverted. In theory it is possible to go back in time to the very beginning and revert the database to the state state that was present immediately after performing the very first user action. However, in practice the undo buffers overflow because of the changes made by autoanalysis. Autoanalysis generates copious amounts of undo data. Also please note that maintaining undo data during autoanalysis slows it down a bit. In practice it is not a big deal because the limit on the undo data is reached quite quickly (in a matter of minutes). Therefore, if during analysis the user does not perform any actions that modify the database, the undo feature will turn itself off temporarily.

However, if you prefer not to collect undo data at all during the initial autoanalysis, just turn off the UNDO_DURING_AA parameter in ida.cfg.

The configuration file ida.cfg has 2 more undo-related parameters:

  UNDO_MAXSIZE  max size of undo buffers; default: 128MB
                once this limit is reached, the undo info about the oldest
                user action will be forgotten.

  UNDO_DEPTH    max number of user actions to remember; default: 1000000
                if set to 0, the undo feature will be unavailable.

Since there is a limit on the size of undo buffers, any action, even the tiniest, may become non-undoable after some time. This is true because the analysis or plugins may continue to modify the database and overflow the buffers. Some massive actions, like deleting a segment, may be non-undoable just because of the sheer amount of undo data they generate.

Please note that Undo does not affect the state of IDC or Python scripts. Script variables will not change their values because of Undo. Also nothing external to the database can be changed: created files will not be deleted, etc.

Some actions cannot be undone. For example, launching a debugger or resuming from a breakpoint cannot be undone.

See also

This command allows you to create arrays and change their sizes.

The arrays are created in 2 simple steps:

1. Create the first element of array using the data definition commands (, , )

2. Apply the array command to the created data item. Enter array size in current array elements (not bytes). The suggested array size is the minimum of the following values:

For string literals, you can use this command to change the length of the string.

This command gives name/renames/deletes for the current item.

To delete a name, simply give an empty name.

If the current item is referenced, you cannot delete its name. Even if you try, IDA will generate a name.

Local name

Include in name list

Here you can also include/remove the name from the . If the name is hidden, you will not see it in .

Convert to string literal

This command converts the current unexplored bytes to a string.

The set of allowed characters is specified in the file, parameter StrlitChars. Character '\0' is not allowed in any case. If the current does not allow characters above 0x7F, characters with high bit set are not allowed.

If the has been dropped, IDA will take for the string all characters between the current cursor position and the anchor.

This submenu allows you to change the operand types to offsets, numbers, chars, etc. Use it to make disassembled text more understandable.

This command completely disables the undo feature.

See also

This window shows the contents of a source code file. IDA automatically opens source views provided that proper mapping of the source code paths is specified in "Options, Source paths".

This window may also display a decompilation result because it is considered as a source code. This can be useful if the source files are not available.

Watch view (source level)

In this window the user can view values of selected variables.

Global variables (data item names) as well as variables that are local to the current function can be added by pressing Ins.

Expressions can be added to the view as well, they will be considered as IDC expressions.

Expressions may have a type cast at the beginning. For example

(int)0x12345678

means that the contents of the memory at the address 0x12345678 should be displayed as an integer. Note: to display strings use "char[]" as the typo.

Locals view (source level)

This window displays the values of the variables that are local to the current functions (register and stack based).

In this window the user can view values of selected variables.

Global variables (data item names) as well as variables that are local to the current function can be added by pressing Ins.

Expressions can be added to the view as well, they will be considered as IDC expressions.

Expressions may have a type cast at the beginning. For example

(int)0x12345678

means that the contents of the memory at the address 0x12345678 should be displayed as an integer. Note: to display strings use "char[]" as the typo.

See also Source code view

 Action    name: OpChar
 

This command converts immediate operand(s) type of the current instruction/data to character.

When you use this command, IDA deletes the manually entered operand.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

See also Edit|Operand types submenu.

 Action    name: OpSegment
 

This command converts the immediate operand(s) type of the current instruction/data to segment base. The segment bases are usually displayed like this:

        mov     ax, seg dseg

When you use this command, IDA deletes the manually entered operand.

If IDA cannot find a segment whose base is equal to the operand value, it simply displays it as hex number.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.

See also Edit|Operand types submenu.

 Action    name: ChangeSign
 

This command changes the sign of the current operand. Please note that not all operands can change their sign.

See also: Edit|Operand types submenu. Enter #th operand manually commands. Set operand type

 Action    name: BitwiseNegate
 

This command bit-wisely negates the current operand. Please note that not all types of operands can be negated. It is not possible to negate and change sign of an operand simultaneously.

This command works only if the current assembler supports the bitwise negation operation.

See also: Edit|Operand types submenu. Enter #th operand manually commands. Set operand type

 Action    name: SetOpType
 

This command allows you to specify the type of the operand under the cursor.

The operand type must be entered as a C declaration. Currently IDA itself does not use the operand type information. However, it can be used by the Hex-Rays decompiler plugin. Setting operand type is most useful in case of indirect calls: the decompiler will use the type information to determine the input parameters to the call instead of guessing, which can make the decompiled code better.

An example of a type declaration:

        int (*func)(int param1, char param2);

To delete a type declaration, enter an empty string.

For details on possible calling conventions, see Set function/item type... menu item description.

See also Set function/item type...

 Action    name: MakeAnyName
 

This command gives name/renames/deletes name for the specified address. This is a more powerful variant of Rename command.

To delete a name, simply give an empty name.

If the specified address is referenced, you cannot delete its name. Even if you try it, IDA will generate a dummy name.

This command is available only from the name window.

For an explanation about the dialog box entries, please see the Rename current address command.

See also Edit|Other submenu. How to Enter an Identifier. Names representation.

 Action    name: CenterInWindow
 

This command centers the cursor.

IDA opens a special non-closable window at the start. This window is called "message window". In this window you see various IDA messages.

If the message window is hidden behind other windows, you will not see the IDA messages.

You can duplicate all messages appearing in this window to a file. For this, you have to define an environment variable:

        set IDALOG=logfile

 Action    name: ShowSnapMan
 

This command shows the database snapshot manager. In this dialog, it is possible to restore previously saved snapshots, rename or delete them.

Note: snapshots work only with regular databases. Unpacked databases do not support them.

See also Take database snapshot commands.

 Action    name: OpenBookmarks
 

This command opens the bookmarks window. This window lets the user jump to a specific place in the listing.

 Action    name: ShowRegisters
 

This command displays segment register contents in the message window.

You may use this command to refresh the disassembly window too.

See also Edit|Segments submenu. View submenu.

 Action    name: ShowFlags
 

This command displays the internal flag values for the current item. The information appears in the message window.

See also View submenu.

 Action    name: DelHiddenRange
 

This command allows you to delete a hidden range of disassembly (previously defined by using the hide command).

See also hide command.

See also Edit|View submenu

 Action    name: UnhideAll
 

This command allows you to unhide:

• all segments, functions, and hidden ranges if invoked in the disassembly window

See also Hide all command.

See also Edit|View submenu.

 Action    name: SetupHidden
 

This command allows you to toggle the display of hidden items.

Automatically hide library functions

        This option hides the functions recognized by FLIRT.
        If will have an effect only from the time when the option is set.

Display hidden instructions

        If this option is set, IDA will display all the instructions
        as unhidden even if they were hidden.

Display hidden functions

Display hidden segments

See also View submenu.

 Action    name: Debugger
 

Opens the debugger window.

In this window, you can view the register values for the selected thread. The debugger always selects the thread where the latest debugging event occurred.

For most registers, we have two different boxes:

       - the first box (on the left) indicates the current value of the register.
         Blue indicates that the value has changed since the last debugging event.
         Purple indicates that the value has been modified by the user.
         A popup menu is available on this control, offering different commands.

       - the second box (on the right) shows the current value of the register,
         interpreted like an address (if possible).

For a segment register, we only have one box indicating the current value.

For the flags register, we have one box indicating the current value, and small boxes indicating the status of the most important flags.

A popup menu is accessible everywhere in the window, which allows the user to show or hide different parts of the window: toolbar, thread list and available register classes.

See also Debugger submenu.

 Action    name: ShowUserScreen
 

This command displays the application screen.

It is useful for the text mode debugger.

When the debugged application runs in the same window as IDA itself, the application output is hidden by IDA windows. This command allows to see the application screen in this case.

To return to IDA display, press any key.

This command is available when the application is suspended or finished. See also Debugger submenu.

 Action    name: ManualRegions
 

This command open a window with manual memory regions. In this window the user can manipulate memory region definitions: add or delete them.

Some debugger backends (e.g. the gdb backend) do not provide memory layout information. IDA needs this information in order to show the memory contents. When this information is not available, the user must specify it.

The defined memory regions will be accessible when the debugger is active. The user will be able to see the memory contents in the disassembly windows.

If no memory information is provided by the user nor by the debugger backend, IDA will assume that entire memory space is accessible. However, it is better to specify memory layout more precisely.

See also Debugger submenu.

 Action    name: RefreshMemcfg
 

This command refreshes the segments and memory contents in IDA. It is available only during a debugging session. NOTE: this command is currently hidden from the user interface because IDA does synchronize with the process memory automatically.

Please note that IDA itself tries to keep the program segments in sync with the debugged process. However, in order to accelerate the debugger, the synchronization is done only at major events, for example when dynamic library gets loaded or unloaded or a thread is created or deleted. If the memory configuration is changed because of a simple system call (think of VirtualAlloc), IDA might miss it. Use the "refresh memory" command in these cases.

Note2: when IDA detects a discrepancy in the segments, it will automatically synchronize with the process.

 Action    name: Threads
 

Opens the threads window.

In this window, you can view all the threads of the debugged process. Double clicking on a thread jumps to its current instruction (available only if the process has been suspended). Double clicking also changes the current thread for the hlpHelpDebugger[CPU] window.

The right click brings a popup menu, where you can suspend or resume threads. The following thread states are possible:

  - Running: the thread is running
  - Ready: the thread is ready to run but the application has been suspended
  - Suspended: the thread has been suspended by the user

See also Debugger submenu.

 Action    name: StackTrace
 

Opens the stack trace window.

This window displays the function calls that brought the current instruction.

The top of the Stack Trace window lists the last function called by the program. Below this is the listing for the previously called functions. Each line indicates the name of the function which called the function represented by the previous line.

Double clicking on a line jumps to the exact address of the instruction realizing this call.

Currently, IDA uses the EBP frame pointer values to gather the stack trace information. It will fail for functions using other methods for the frame. See also Tracing submenu.

 Action    name: ManualOperand
 

You may specify any string instead of an operand if IDA does not represent the operand in the desired form. In this case, IDA will simply display the specified string in the instruction instead of the default operand.

The current operand (under the cursor) will be affected.

You can use this command not only with instructions but with data items too.

IDA proposes the previous manual operand as the default value in the input form.

To delete the manual operand and revert back to the default text, specify an empty string.

IDA automatically deletes manually entered operands when you change operand representation using operand types submenu.

NOTE: A text offset reference is generated if you use a label in the program as the operand string. In other cases no cross-references are generated.

See also submenu.

In the graphical version, IDA highlights the identifier under the cursor. For example, if the cursor is on the "EAX" register, then all occurrences of "EAX" will be displayed with the yellow background. This feature is meant to make the program analysis easier by highlighting the interesting parts of the disassembly. For example, if the user wants to see all references to "EAX", he just clicks on any "EAX" on the screen and all of them will be highlighted.

The selection is made by pressing the Up, Down, Left, Right keys or by simply clicking on the identifier.

The selection is not changed by pressing the PageUp, PageDown, Home, End keys, using the scrollbar, or pressing the Alt-Up, Alt-Down, Ctrl-Up, Ctrl-Down keys.

The Alt-Up and Alt-Down keys perform a search of the currently selected identifier backward or forward respectively.

The Ctrl-Up and Ctrl-Down keys scroll the disassembly text.

IDA does not highlight the segment names at the line prefix because it is not very useful.

It is possible to turn off the highlight. The appropriate checkbox is in the tab.

 Action    name: Hide
 

This command allows you to hide a part of disassembly. You can hide a function, a segment, or create a special hidden range.

If a range is specified, a special hidden range is created on this range.

If the cursor is on the segment name at the start of the segment, the segment will be hidden. IDA will display only the header of the hidden segment.

If the cursor is on a structure variable and if the target assembler has the 'can display terse structures or the INFFL_ALLASM' bit on, then the structure will be collapsed into one line and displayed in the terse form.

Otherwise, the current function will be hidden. IDA will display only the header of the hidden function.

If there is no current function then IDA will beep.

If you want to see hidden items on the screen, you may use unhide command or enable the display of the hidden items. If you want to delete a previously created hidden range, you may use command.

See also submenu

 Action    name: ThreadRunUntilReturn
 

This command executes assembler instructions and stops on the instruction immediately following the instruction that called the current function.

Internally, IDA executes each instruction in the current function until a 'return from function' instruction is reached.

See also

• Step into

• Step over

• .

 Action    name: ProcessAttach
 

This command displays running processes corresponding to the disassembled file in the database and allows the user to choose a process to attach to.

See also

• Start process

• Process options

• .

If you have selected a range before applying an operand conversion command, IDA will display a dialog box.

You can choose a range of operands to perform an en masse operation:

The operation will be performed on all operands as a toggle. For example, if you ask to convert to a character, then all non-character operands will become characters, and all character operands will become non-chars.

The operation will be performed on the operands which contain immediate numbers in the specified range.

This selection will convert all operands with the specified type to undefined operands. Example: all characters become non-characters.

This selection allows to convert all operands that do not have the specified type to the specified type. Example: all non-characters to characters.

This selection allows to convert all operands without any type to the specified type. Example: all operands with no type to characters.

A complex offset expression looks like

It is specified by:

The relationship between these parameters is (the formula is given for full offsets):

You always have to specify the offset type and base. Usually, the delta is equal to zero. For the full offset type you may omit the offset target, which is recommended. In this case, IDA will calculate it automatically. However, if you specify the offset target, make sure that the relationship between the parameters still holds. For the half offset types, you have to specify the target because there is no way to calculate it.

The offset types:

See also

This command converts immediate operand(s) type of the current instruction to an offset to stack variables, i.e. a local variable or function argument in the stack.

You need to stack variables before using this command.

If the current operand is based on the value of the stack pointer ([ESP+xxx]) and the SP value is traced incorrectly, then you need to correct SP value using command.

If a range is selected using the , IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to stack variables. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to stack variable, otherwise it will be left unmodified.

When you use this command, IDA deletes the entered operand.

If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise all other operands will be affected.

Here are commands to open various windows, display information etc.

In the graphical version, there is a small window with arrows on the left of the disassembly. These arrows represent the execution flow, namely the branch and jump instructions. The arrow color can be:

The arrow thickness can be:

Finally, the arrows can be solid or dotted. The dotted arrows represent conditional branches when the solid arrows represent unconditional branches.

You can resize the arrows window using a vertical splitter or even fully hide it. If it is hidden, the arrows window will not be visible on the screen but you can reveal it by dragging the splitter to the right. IDA remembers the current arrow window size in the registry when you close the disassembly window.

This tab of IDA Options dialog allows for editing of hint and identifier highlight related settings. There are two groups of settings.

The first group is for hints that are displayed when the mouse is hovered over some text.

The second group is for highlighting.

Number of lines for identifier hints

Delay for identifier hints

Mouse wheel resizes hint window

No hints if debugger is active

Auto highlight the current identifier

Lumina options

Lumina dialog box options

This options tab allows for modification of Lumina credentials and use settings.

In order to provide intuitive yet powerful interface to types IDA introduces two kinds of types:

Assembler level types are the ones defined by the user using the or views.

Since the user has to specify manually the member offset and other attributes, IDA considers the member offsets to be fixed for them and never shifts members of such types. If a member of struct becomes too big and does not fit the struct anymore, IDA will delete it.

The types defined in the window are considered as C level types. For them IDA automatically calculates the member offsets and if necessary may shift members and change the total struct size.

The user may change the type level by simply editing the type from the appropriate window. For example, if a C level type is edited from the view, IDA will consider such a type as an Assembler level type in the future.

Here are the commands to use the debugger watches (assembler level).

This dialog box allows to setup how the debugger will react to specific exceptions. For each exception, two settings can be specified, simply by selecting the desired exception, and clicking the 'Edit' button in the popup menu.

Suspend program

Passed to

Report

For new exceptions being added by the "Insert" command, you have to specify the exception name and code. These values must be unique, the name cannot be empty, and the code cannot be zero. See also .

Opens the modules window.

This window lists all the modules loaded by the debugged process. Double click on a module to see the list of its exported names.

The right click menu allows for loading debug information for the current module. For that, select the "Load debug symbols" command from the popup menu. If IDA manages to find and load the corresponding debug information file, it will import all symbols from it into the database. Currently, only files are supported. The operation result is displayed in the . See also . command.

This command terminates the debugged process. See also

This submenu allows you to produce various output files. It also allows you to unload the database.

The text file-producing operations below will make use of

• the currently-selected encoding for output files.

• Generate MAP file

Create MAP File

Please enter a file name for the map. IDA will write the following information about this file:

You may disable the generation of the segmentation information. You may also enable or disable names in the output file.

You can use this map file for your information, and also for debugging (for example, Periscope from Periscope Company or Borland's Turbo Debugger can read this file).

Create ASM File

Please enter a file name for the assembler text file. IDA will write the disassembled text to this file.

If you have selected a range on the screen using command, IDA will write only the selected range (from the current address to the anchor).

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

Create INC File

Please enter a file name for the assembler include file. IDA will write the information about the defined types (structures and enums) to this file.

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

Create LST File

Enter a file name for the assembler listing file. IDA will write the disassembled text to this file.

If you've selected a range on the screen using command, IDA will write only the selected range (from the current address to the anchor).

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

Create Executable File

Enter a file name for the new executable file. Usually this command is used after patching (see commands and ) to obtain a patched version of the file.

IDA produces executable files only for:

For other file formats please create a file.

EXE files: Output files will have the same EXE-header and relocation table as the input file. IDA will fill unused ranges of the EXE file (e.g. between relocation table and loadable pages) with zeroes.

See also submenu.

Create Difference File

This command will prompt you for a filename and then will create a plain text difference file of the following format:

See also submenu.

Create HTML File

Please enter a file name for the HTML file. IDA will write the disassembled text to this file.

If you've selected a range on the screen using command, IDA will write only the selected range (from the current address to the anchor).

If some I/O problem (e.g. disk full) occurs during writing to the file, IDA will stop and a partial file will be created.

This command is available only in the graphical version of IDA.

Produce flow chart GDL file

This command creates a GDL (graph description file) with the flow chart of the current function.

If there is an active selection, its flow chart will be generated.

IDA will ask for the output file name. Regardless of the specified extension, the .GDL extension will be used.

Produce call graph GDL file

This command creates a GDL (graph description file) with the graph of the function calls.

IDA will ask for the output file name. Regardless of the specified extension, the .GDL extension will be used.

Dump database to IDC file

This command saves current IDA database into a text file.

You can use it as a safety command:

This command is used when you want to switch to a new version of IDA. Usually each new version of IDA has its own database format. To create a new format database, you need:

Please note that this command does not save everything to text file. Any information about the local variables will be lost!

Create C header file

This command saves all definitions in the local types window into a C header file.

Dump typeinfo to IDC file

This command saves information about the user-defined types from the IDA database into a text file.

Information about enums, structure types and other user-defined types is saved in a text form as an IDC program.

You can use this command to migrate the type definitions from one database to another.

See also commands.

Here are commands to draw various graphs:

• Display function flow-chart

• Display function call graph

• Display chart of xrefs to addresses

IDA uses an external program to display graphs. The program name is wingraph32.exe and it is located in the current directory.

The user can change the name of this program using the GRAPH_VISUALIZER parameter in the file.

The user can zoom the graph and move it around the window.

See also submenu.

Display function flow-chart

This command displays the flow chart of the current function.

The colored edges of the flow chart represent the outcome of conditional jump instructions. Green means that the condition is satisfied, red means not satisfied.

Display function call graph

This command displays the graph of all function calls in the program.

The functions are represented as nodes. The calls are represented as edges between nodes. Instructions outside functions are ignored.

Display chart of xrefs to addresses

This command displays the graph of code and data xrefs to current address/range of selected addresses in the program.

The addresses are represented as nodes. The xrefs are represented as edges between nodes.

Display chart of xrefs from addresses

This command displays the graph of code xrefs from the current address/range of selected addresses in the program.

In this direction, data xrefs aren't analyzed to avoid overloaded graphs.

The addresses are represented as nodes. The xrefs are represented as edges between nodes.

Display used-defined chart of xrefs

This command displays a user-defined graph of xrefs from/to the current address/range of selected addresses in the program.

The direction of the xrefs to analyze can be chosen. If the Recursive flag is checked, all found xrefs are themselves analyzed to find new xrefs. You can choose to search for xrefs to new referenced addresses only in the current direction. Only External, data xrefs, xrefs from library functions and to library functions can possibly be ignored.

A recursion depth can be specified. If 'Print recursion dots' is checked, and a function has others xrefs outside of the range defined by the 'recursion depth' setting, small nodes containing dots are printed.

The 'Print comments' flag causes the generated function node to also contain the function comment.

The addresses are represented as nodes. The xrefs are represented as edges between nodes. The used colors are the same as in IDA.

IDA can parse and handle simple C++ class declarations. It cannot parse templates and other complex constructs but simple standard cases can be parsed.

If a C++ class contains virtual functions, IDA will try to rebuild the virtual function table (VFT) for the class. The VFT will be linked to the class by the name: if the class is called "A", the VFT type will be "A_vtbl".

Let us consider the following class hierarchy:

  class A { virtual int f(); int data; };
  class B : public A { virtual int g(); };

IDA will create the following structures:

  struct __cppobj A {A_vtbl *__vftable;int data;}
  struct A_vtbl {int (*f)(A *__hidden this);}
  struct __cppobj B : A {}
  struct B_vtbl {int (*f)(A *__hidden this);
                 int (*g)(B *__hidden this);}

Please note that the VFT pointer in the class A has a special name: "__vftable". This name allows IDA to recognize the pointer as a VFT pointer and treat it accordingly.

Another example of more complex class hierarchy:

  class base1 { virtual int b1(); int data; };
  class base2 { virtual int b2(); int data; };
  class der2 : public base2 { virtual int b2(); int data; };
  class derived : public base1, public der2 { virtual int d(); };

Compiling in 32-bit Visual Studio mode yields the following layout:

  class derived size(20):
        +---
   0    | +--- (base class base1)
   0    | | {vfptr}
   4    | | data
        | +---
   8    | +--- (base class der2)
   8    | | +--- (base class base2)
   8    | | | {vfptr}
  12    | | | data
        | | +---
  16    | | data
        | +---
        +---

IDA will generate the following types:

The 'derived' class will use 2 VFTs:

IDA and Decompiler can use both VFTs and produce nice code for virtual calls.

Please note that the VFT layout will be different in g++ mode and IDA can handle it too. Therefore it is important to have the target compiler set correctly.

It is possible to build the class hierarchy manually. Just abide by the following rules:

C++ classes are marked with "__cppobj" keyword, it influences the class layout. However, this keyword is not required for VFT types.

In the case of a multiple inheritance it is possible to override a virtual table for a secondary base class by declaring a type with the following name: "CLASSNAME_XXXX_vtbl" where XXXX is the offset to the virtual table inside the derived (CLASSNAME) class.

Example: if in the above example we add one more function

then we need one more virtual table. Its name must be "derived_0008_vtbl". Please note that our parser does not create such vtables, you have to do it manually. See also .

This submenu allows you to load additional files into the database.

This submenu allows you to manipulate different kinds of comments. Use them to make the disassembled text more understandable.

This submenu allows you to manipulate the structures in specific operations. The following commands are accessible from the disassembly window.

Here are the debugger commands:

This submenu allows you to patch the image of the input file. More precisely, IDA never modifies the input file. The image of the input file which was loaded to the database will be modified.

You can modify the image of the input file:

        - change a byte
        - change a word
        - enter an assembler instruction (only for IBM PC)

IDA will display the original value, the current value and file offset. If the file offset is equal to 0xFFFFFFFF then the current byte comes from a compressed page (LX/LE/NE iterated pages, for example) and/or it is not possible to tell the file position.

You can create a difference file and use an external tool to apply the patches or you can apply the patches directly to the file using IDA.

The following commands are available:

See also:

• submenu.

Patching the Image

You can modify the executable file and eventually file.

If you patch bytes, then you may enter multiple bytes. Follow this to learn about format of the input string.

If this command is invoked when the debugger is active, then IDA will modify the memory and the database. If the database does not contain the patched bytes, then only the process memory will be modified.

You can create a file too.

See also .

Apply patches to input file

Apply previously patched bytes back to the input file. If the "Restore" option is selected then the original bytes will be applied to the input file.

See also .

Binary string format

The sequence must be separated by a space or a comma.

An entered number will occupy the minimal number of bytes it fits in with the restriction that the number of bytes is a power of 2 (1, 2, or 4 bytes).

Two question marks without a space between them are the same as one question mark. One question mark corresponds to one CPU byte. One CPU byte may consist of multiple octets for a wide-byte CPU, like TMS320C28.

Example:

Assemble an instruction

This command allows you to assemble instructions. Currently, only the IBM PC processors provide an assembler, nonetheless, plugin writers can extend or totally replace the built-in assembler by writing their own.

The assembler requires to enclose all memory references into square brackets. For example:

Also, the keyword 'offset' must not be used. Instead of

you must write

See also .

 Action    name: SetupDebugger
 

This dialog box allows to specify different settings related to the debugger.

Events

  - Suspend on debugging start

      If selected, the debugger will suspend directly once the debugging
      starts.

  - Evaluate event condition on exit

      If selected, the debugger will evaluate the event condition immediately
      before closing the debugging session (once we receive PROCESS_EXITED or
      PROCESS_DETACHED event)

  - Suspend on process entry point

      If selected, the debugger will insert a temporary breakpoint
      at the main entry point of the debugged application.

  - Suspend on thread start/exit

      If selected, the debugger will suspend if a new thread starts
      or if an existing thread terminates.

  - Suspend on library load/unload

      If selected, the debugger will suspend if a new library is
      loaded or if a previously loaded library is unloaded.

  - Suspend on debugging message

      If selected, the debugger will suspend if the debugged application
      generates a message destined to the debugger.

Event condition

      When one or more debug events (see above) are checked then this
      option is used to specify a condition. In the following example,
      the debugger will suspend the process whenever a module with the
      name test.dll is loaded:

 get_event_id() == LIB_LOADED && strstr(get_event_module_name(), "test.dll") != -1

Log

  - Segment modifications

      If selected, the debugger will print information regarding
      segment modifications (creation, deletion, or resizing of
      segments) since the last event. Note that the debugger
      doesn't continuously track segment modifications, but detects
      those only if a debugging event occurs.

  - Thread start/exit

      If selected, the debugger will print a message if a new thread
      starts or if an existing thread terminates.

  - Library load/unload

      if Selected, the debugger will print a message if a new library is
      loaded or if a previously loaded library is unloaded.

  - Breakpoint

      If selected, the debugger will print a message if the debugged process
      reaches a breakpoint.

  - Debugging message

      If selected, the debugger will print debugging messages from
      the application.