Offset
Convert operand to offset (data segment)
Action name: OpOffset
This command converts the immediate operand of the current instruction/data to an offset from the current data segment (DS).
If current DS value is unknown (or equal 0xFFFF) IDA will warn you -- it will beep. In this case, you have to define DS register value for the current byte. The best way to do it is:
return or you can change default value of DS for the current segment.
If you want to delete offset definition, you can use this command again - it works as trigger.
If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.
If a range is selected using the anchor, IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified.
To create offsets to structure members use Convert to struct offset command.
See also:
Enter the operand manually command.
Convert operand to offset (code segment)
Action name: OpOffsetCs
This command converts the immediate operand of the current instruction/data to an offset from the current segment (CS).
If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.
If a range is selected using the anchor, IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise, it will be left unmodified.
If this command is applied to a structure member in the local types window, then IDA will create an "automatic offset". An automatic offset is an offset with the base equal to 0xFFFFFFFF. This base value means that the actual value of the base will be calculated by IDA when a structure instance is created.
To create offsets to structure members, use Convert to struct offset command.
See also:
Enter #th operand manually commands.
Convert operand to offset (any segment)
Action name: OpAnyOffset
This command converts the immediate operand of the current instruction/data to an offset from any segment.
IDA will ask to choose a base segment for the offset.
If a range is selected using the anchor, IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified.
If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.
To create offsets to structure members use Convert to struct offset command.
See also:
Enter #th operand manually commands.
Convert operand to offset (user-defined base)
Action name: OpUserOffsetIf the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.
If the offset base is specified as 0xFFFFFFFF, then IDA will create "an automatic offset". Automatic offsets mean that the actual value of the base will be calculated by IDA.
The following offset attributes are available:
Treat the base address as a plain number
if checked, IDA will treat the base address as a number.
In this case, IDA will not create a cross-reference to it
and the base address will be printed as a number,
not as an offset expression.
Offset points past the main object
Offsets of this type point past an object end.
They do not cause an object created/deletion.
Use image base as offset base
These offsets are based on the image base.
There is no need to explicitly specify the offset base.
These offsets are displayed in a concise form:
rva func
instead of
offset func - imagebase
If you intend to reassemble the output file, execute the
following IDC statement:
set_inf_attr(INF_GENFLAGS, get_inf_attr(INF_GENFLAGS) & ~INFFL_ALLASM);
Subtract operand value
Use this option when the operand value should be substracted
from the base to get the target address. In this case the displayed
expression will be displayed as
offset base - target
instead of the usual
offset target - base
Signed operand
Use this option if the operand should be interpreted
as a signed value. This option is only available for OFF_REF8,
OFF_REF16, OFF_REF32 and OFF_REF64 offset types.
Operand value of 0 is invalid
If the operand value is 0, the value will be highlighted in red.
Operand value of NOT 0 is invalid
If the operand value is zero's complement (i.e. all bits are set),
the value will be highlighted in red.
For example a OFF_REF16 with an operand value of 0xFFFF would be invalid.
Use the current address as the offset baseThe offset base is dynamically calculated and is equal to the address of the current element:
for standalone items: their start address
for arrays: the start of the array element
for structures: the start of the structure field The offset expression is displayed in the following concise form: offset target - $ where "$" denotes the start of the element (and is assembler-dependent). To create offsets to structure members use Convert to struct offset command.
See also:
Enter #th operand manually commands.
Convert operand to structure offset
Action name: OpStructOffset
GUI version:
------------This command permits to convert all immediate operands of instructions in a range selection to a path of offsets through a structure and its possible sub unions. If no selection is active, IDA will simply permit to convert the current operand. In this case, it will display a simple dialog box the same way as the text version (see below).
You can select the desired register in the drop-down list: all operands relative to this register will be added to the 'Offsets' list. A special empty line in the drop-down list is used to directly work on immediate values. Checkboxes in the 'Offsets' list allow you to select which operand you indeed want to modify. By default, IDA will select only undefined operands, to avoid overwriting previous type definitions. This list is sorted by operand value, by instruction address and finally by operand number. You can easily see the instructions related to the operand by moving the mouse over it, and wait for a hint to be displayed.
The 'Structures and Unions' tree will contain all selectable structures, and sub unions. Once you select or move over a structure, the 'Offsets' list updates itself for each checked offset: the computed name of the operand is displayed, according to the selected structure in the tree. An icon is also drawn, to easily know if a specific structure matchs the offset or not, or if the offset is too big for the selected structure. The structures who match the most offsets will be near the top of the tree. You can also move your mouse over structures in the tree to obtain an interesting hint.
A '?' icon can also appear, if the offset can be specialized by selecting an union member. In this case, if you expand the structure in the tree, you can select the adequate union member simply by checking the desired radio button. IDA automatically corrects the related name in the 'Offsets' list.
The 'Offset delta' value represents the difference between the structure start and the pointer value. For example, if you have an operand 4 and want to convert in into an expression like "mystruct.field_6-2", then you have to enter 2 as the delta. Usually the delta is zero, i.e. the pointer points to the start of the structure.
The 'Hide sub structures without sub unions' option (checked by default) avoids to add unnecessary sub structures to the tree, to keep it as small as possible. If you uncheck this option, all sub structures will be added to the tree.
By default, IDA displays the structure member at offset 0. To change this behaviour, you can directly disable the 'Force zero offset field' in the 'Options' frame. Later zero offsets can be forced using Edit, Structs, Force zero offset menu item.
Text version:
-------------This command converts immediate operand(s) type of the current instruction/data to an offset within the specified structure. Before using this command, you have to define a structure type.
First of all, IDA will ask a so-called "struct offset delta". This value represents the difference between the structure start and the pointer value. For example, if you have an operand 4 and want to convert in into an expression like "mystruct.field_6-2", then you have to enter 2 as the delta. Usually the delta is zero, i.e. the pointer points to the start of the structure.
If a range is selected using the anchor, IDA will perform 'en masse' conversion. It will convert immediate operands of all instructions in the selected range to offsets. However, IDA will ask you first the lower and upper limits of immediate operand value. If the an operand value is >= lower limit and <= upper limit then the operand will be converted to offset, otherwise it will be left unmodified.
When you use this command, IDA deletes the manually entered operand.
If the cursor is on the first operand (the cursor is before ',') then the first operand will be affected; otherwise, all other operands will be affected.
By default IDA doesn't display the structure member at offset 0. To change this behaviour, use Force zero field offset command.
Moreover, if there are several possible representations (this can happen if unions are used), select the desired representation using the Select union member... command.
See also:
Enter #th operand manually command.
Related topics: Edit|Operand types submenu.
Last updated
Was this helpful?