Search

In this menu, you can select a command to search for something in the disassembly. Searches are relatively slow and your previous position is saved in the jump stack.

You can search for:

• suspicious operands (instructions that need your attention)

• instructions

• data bytes

• unexplored bytes

• explored bytes

• immediate operand values

• substring in the text representation

• substring in the binary image of the file

• bytes not belonging to any function

• find all suspicious operands

• string with error

• find all errors

• pictures (i.e., raster images) in both - directions (up and down).

See also

• Jump menu for fast navigating.

• Menu Bar submenus

Search for next suspicious operand

Action    name: JumpSuspicious
 

Suspicious operands are the operands that need your attention because they contain an immediate value that could be a number or an offset. IDA does not know about it, so it marks these instructions as 'suspicious'. You can change the suspiciousness of the operands using set lower limit of suspicious operands and set upper limit of suspicious operands commands.

Data arrays are considered to be suspicious if the first element of the data array is within the lower and upper suspicious limits. Values of other elements are not examined.

You can disable the display of the 'suspicious' marks in the Comments Dialog.

Search for next code

Action    name: JumpCode
 

This command searches for the first instruction in the current direction.

Search for next data

Action    name: JumpData
 

This command searches for the first defined data item in the current direction.

Search for next unexplored byte

Action    name: JumpUnknown
 

This command searches for the first unexplored byte in the current direction.

Search for next explored byte

 Action    name: JumpExplored
 

This command searches for the first defined byte (instruction or data) in the current direction.

Search for next instruction/data with the specified operand

 Action    name: AskNextImmediate
 

This command searches for the first instruction or data byte that contains the specified immediate value. The command is relatively slow (but much faster than the text search), because it disassembles each instruction to find the operand values.

If the immediate value in an instruction has been logically or bitwise negated, then this command will check against the modified value. Example:

        mov al, -2

will be found if the user searches for the immediate value 2 but not when he searches for 0xFE.

If the checkbox "any untyped value" is checked, then the "value" field is ignored. IDA will look for all immediate values without type in this case.

Repeat search for instruction/data with the specified operand

 Action    name: JumpImmediate
 

This command repeats search for immediate command.

Search for substring in the disassembly

 Action    name: AskNextText

This command searches for the specified substring in the text representation of the disassembly. This command is a slow command, because it disassembles each instruction to get the text representation. IDA will show its progress on the indicator. You can interrupt this command pressing Ctrl-Break.

You may search for regular expressions too.

If a range is selected using anchor, IDA will search for the specified substring in the range.

Note that this command searches the same as what you see on your screen (and not in binary image).

For binary search, look at Search for substring in the file

Repeat search for substring in the disassembly

Action    name: JumpText
 

This command repeats search for text command.

Search for substring in the file

Action    name: AskBinaryText
 

This command searches for the specified substring in the file being disassembled. This command can be used for fast lookups of text strings in the executable file or even to find references to a data. You can interrupt it pressing Ctrl-Break.

If a range is selected using anchor, IDA will search for the specified substring in the range.

The substring is specified like this:

        "This is substring to search"

i.e. in the double-quotes. Also you can specify individual byte values as numbers:

        6A 10

Follow this link to learn more about the format of the input string.

For example, if you want to find a reference to the following string:

 35F2:106A      db 'Hello',0

you could search for number 106A in the file.

See also

• the input string format

• search for text command.

Repeat search for substring in the file

Action    name: JumpBinaryText
 

This command repeats search for text in core command.

Search for bytes not belonging to any function

Action    name: JumpNotFunction
 

This command searches for the first byte not belonging to any function in the current direction.

Set Direction for Searches

 Action    name: SetDirection
 

The current direction for searches is displayed in the right upper corner of the screen. Using this command, you can toggle the display.

See also Options submenu.

Find all suspicious operands

Action    name: FindAllSuspicious
 

This command searches for all suspicious operands and presents a list of them. You may use this list to examine the operands and modify them as needed.

See also

• suspicious operands

Search for next string with error

Action    name: JumpError
 

This commands searches for the 'error' operands. Usually, these operands are displayed with a red color.

Below is the list of probable causes of error operands:

        - reference to an unexisting address
        - illegal offset base
        - unprintable character constant
        - invalid structure or enum reference
        - and so on...

Find all errors

Action    name: FindAllErrors
 

This command searches for all strings containing any error and presents a list of them. You may use this list to examine errors and correct them as needed.

See also

• string with error