Open subviews

Here are commands to open various windows, display information etc.

Some windows allow you to manipulate the window contents by using the list viewer commands.

Disassembly window

Action    name: WindowOpen

The "WindowOpen" command opens a new window with the disassembly. IDA automatically opens one disassembly window at the start.

If the current location is an instruction belonging to a function, then the graph view is available. You can toggle between the text and graph view using the Space key. You can also switch to proximity view by zooming out to the callgraph using the '-' key.

Use the disassembly editing commands to improve the listing.

Use Shift-<arrows> or Alt-L to drop anchor. If you have a mouse, you can drop the anchor with it too.

A double click of the mouse is equivalent to the <Enter> key.

To the left of disassembly, there is an arrows window (GUI version). Also the GUI version highlights the current identifier.

Exports window

Action    name: OpenExports

This command opens the exports window.

You can use list viewer commands in this window.

Imports window

Action    name: OpenImports

This command opens the imports window.

You can use list viewer commands in this window.

Functions window

 Action    name: OpenFunctions

A list of all functions in the program is displayed. You can add, delete, modify functions using list viewer commands.

Listed for each function are:

        - function name
        - segment that contains the function
        - offset of the function within the segment
        - function length in bytes
        - size (in bytes) of local variables + saved registers
        - size (in bytes) of arguments passed to the function

The last column of this window has the following format:

        R - function returns to the caller
        F - far function
        L - library function
        S - static function
        B - BP based frame. IDA will automatically convert
            all frame pointer [BP+xxx] operands to stack
            variables.
        T - function has type information
        = - Frame pointer is equal to the initial stack pointer
            In this case the frame pointer points to the bottom of the frame
        M - reserved
        S - reserved
        I - reserved
        C - reserved
        D - reserved
        V - reserved

If a function has its color set, its line is colored using the specified color. Otherwise library and lumina functions are colored with the corresponding color. Otherwise the line is not colored.

A bold font is used for functions that have definite (user-specified) prototype. Also some plugins too may set this flag. Such prototypes are taken as is by the decompiler, while other prototypes are considered only as a starting point during decompilation.

It is possible to automatically synchronize the function list with the active disassembler, pseudocode, or hex view. For that right click on the function list and select "Turn on synchronization".

Names window

Action    name: OpenNames

This command opens the names window.

You can use list viewer commands in this window.

The GUI version displays a small icon for each name:

        L (dark blue)   - library function
        F (dark blue)   - regular function
        C (light blue)  - instruction
        A (dark green)  - string literal
        D (light green) - data
        I (purple)      - imported name

Signatures window

 Action    name: OpenSignatures

This command opens the signatures window.

For each signature, the following is displayed:

        - name of file with the signature
        - state of signature:
                - Planned: the signature will be applied
                - Current: the signature is being applied
                - Applied: the signature has been applied
        - number of functions found using the signature
        - description of the signature

You can modify the planned signatures list here: add/delete library modules to be used during the disassembling.

You cannot delete an applied signature from the list.

To add a signature to the list for the application press <Ins>. You will see a list of signatures that can be applied to the program being disassembled.

Text version: Not all signature files will be displayed (for example, 32 bit signatures will not be shown for a 16 bit program). If you want to see the full list of signatures, select the first line of the list saying SWITCH TO FULL LIST OF SIGNATURES.

Signature files reside in the subdirectories of the SIG directory. Each processor has its own subdirectory. The name of the subdirectory is equal to the name of the processor module file (z80 for z80.w32, for example). Note: IBM PC signatures are located in the SIG directory itself. Note: the IDASGN environment variable can be used to specify the location of the signatures directory.

Segments window

Action    name: ShowSegments

This command opens the segments window. The format of this window is explained here.

You can use list viewer commands in this window.

In order to change the selector values, use selectors window.

Segment registers window

Action    name: ShowSegmentRegisters

This command opens the segment registers window. The window will contain segment register change points list.

You can use list viewer commands in this window.

Depending on the current processor type, you will see DS,ES,SS with or without FS,GS.

Selectors window

 Action    name: ShowSelectors

This command opens the selector window. Here you can change the "selector to base" mapping. The selector table is used to look up the selector values when calculating the addresses that are visible in the disassembly listing.

You can use list viewer commands in this window:

        - jump to the paragraph pointed by the selector
        - add a new selector
        - delete selector (if it is not used by any segment)
        - change selector value (this leads to reanalysis of all program)

Cross references window

Action    name: OpenXrefs

This command opens the cross-references window. This window contains all references to the current location.

You can use list viewer commands in this window.

You can add and delete cross references here too by pressing Ins or Del. Right clicking on the mouse will work too.

Add a cross reference: the from and to address, as well as the xref type should be specified.

Del a cross reference: if the 'undefine if no more xrefs' is check, then the instruction at the target address will be undefined upon the deletion of the last xref. IDA undefines instructions only if they do not start a function.

Structures window

Action    name: OpenStructures

This command opens the structure definitions window.

You can modify structure definitions here: add/rename/delete structures, add/delete/define structure members.

Each structure must have a unique name. A field name must be unique in the structure. In order to create or delete a field, use data definitions commands (data, string literal, array, undefine, Rename). You may also define regular or repeatable comments.

In order to modify member types, use commands from the Edit|Operand types... submenu. For example, to convert a structure member to an offset, use one of the following commands:

Some struct types in this window are created automatically by IDA. They are copies of some local types. Such structs are displayed in gray. They are considered as C-level types. As soon as the user edits such a type, it becomes an ASM-level type. Read more.

In the structure header IDA displays the following info:

  - the structure size in bytes
  - the alignment
  - for C level types: copyof_XX where XX is the ordinal type number.
  - for ASM level types: mappedto_XX where XX is the ordinal type number.
    It is possible to jump to the corresponding local type by pressing Enter.
  - for types copied from standard type libraries: "standard type"

Local types window

Action    name: OpenLocalTypes

Each database has a local type library embedded into it. This type library (til) is used to store types that are local to the current database. They are usually created by parsing a header file.

This command opens the local types window. The user can manipulate local types here:

  - the existing types can be modified (the default hotkey is Ctrl-E)
  - the existing types can be deleted (the default hotkey is Del)
  - new types can be added (the default hotkey is Ins)

Please note that Ins can be used to add many types at once. For that the user just needs to enter multiple declarations, one after another in the dialog box.

However, Ctrl-E permits for editing of one type at a time. This may cause problems with complex structure types with nested types. Nested types will not be saved by Ctrl-E.

If the edited type corresponds to an idb type (struct or enum), then the corresponding type will be automatically synchronized. If the user modifies an idb type in the struct/enum windows, the corresponding local type will be updated too. So the type synchronization works both ways.

Some types in this list are created automatically by IDA. They are copies of the types defined in the Struct or Types views. Such types are displayed using in gray, as if they are disabled.

Types displayed in black are considered as C level types. Read more.

Each type in the local type library has an ordinal number and may have a name.

Be careful when deleting existing types because if there are references to them, they will be invalidated.

A local type can be mapped to another type. Such an operation deletes the existing type and redirects all its references to the destination type. Circular dependencies are forbidden. In the case of a user mistake, a mapped type can be deleted and recreated with the correct information.

Add/Edit an enum

Action    name: AddEnum
 

Action    name: EditEnum

These commands allow you to define and to edit an enum type. You need to specify:

        - name of enum
        - its serial number (1,2...)
        - representation of enum members

Each enum has its ID and a serial number. The ID is a number used to refer to the enum, while a serial number is used to order enums during output. Changing the serial number moves the enum to another place.

The serial number of an enum is displayed at the lower left corner of the window.

You can specify any number as a serial number, IDA will move the enum to the specified place.

        1 - the current enum becomes the first enum
        2 - the current enum becomes the second enum
        ...

You also need to specify representation of enum constants. You may choose from various number bases (hex,dec,oct,bin) and character constants.

You may specify the element width or leave it zero. Zero means the element width is not specified. The allowed widths are the powers of 2 in the range of 1..64.

Please note that you can create bitfield definitions here by checking the "bitfield" checkbox.

These command is available when you open the types window.

Delete an enum type

 Action    name: DelEnum

This command deletes the current enum. Beware, when you delete an enum all references to it will be destroyed. Even if you recreate it later, you'll have to specify again all references to it.

This command is available when you open the types window.

Define an enum member

Action    name: AddConst

This command allows you to define an enum member. An enum member is a symbolic constant. You have to specify its name and value. You cannot define more than 256 constants with the same value in an enum.

If the current enum is a bitfield, you need to specify the bitmask. To learn about bitmasks, read about bitfields.

Edit an enum member

Action    name: EditConst

This command allows you to rename an enum member. An enum member is a symbolic constant. Its name must be unique in the program.

To rename an enum type name, position the cursor over the name of the enum.

Delete an enum member

 Action    name: DelConst

Please remember that deleting a member also deletes all the information about the member, including comments, member name etc.

Problems window

Action    name: OpenProblems

This command opens the problems window. The problem window contains the list of all problems encountered by IDA during disassembling the program.

You can jump to a problem by pressing Enter. The selected problem will be deleted from the list.

Type libraries window

Action    name: OpenTypeLibraries

This command opens the type libraries window. Here the user can load and unload standard type libraries.

The standard type libraries contain type definitions from the standard C header supplied with compilers. Usually, IDA tries to determine the target compiler and its type libraries automatically but if it fails, this window allows you to load the appropriate type library.

Furthermore, don't forget to specify the compiler and memory model in the compiler setup dialog box.

Inspecting a type library

Provide the ability to inspect the types present in a type library.

Local Types bookmarks

See: Choose marked location

Strings window

Action    name: OpenStrings

This command opens the string window.

The string window contains all strings in the program. However, if a range of addresses was selected before opening the window, only the selected range will be examined for strings.

You can setup the list parameters by right-clicking (or pressing Ctrl-U in the text version) on the list.

The list always contains strings defined in the program regardless of the settings in this dialog box, but the user can ask IDA to display strings not yet explicitly defined as strings.

The following parameters are available:

Display only defined strings If checked, IDA will display only strings explicitly marked as string items (using the create string literal command). In this case, the other checkboxes are ignored. Ignore instructions/data definitions

        If checked, IDA will ignore instruction/data definitions
        and will try to treat them as strings. If it can build a string
        with the length greater than the minimal length, the string
        will be displayed in the list.
        This setting is ignored if 'only defined strings' is on.

Strict ASCII (7-bit) strings If checked, only strings containing exclusively 7-bit characters (8th bit must be zero) will be added to the list. Please note that the user can specify which characters are accepted in the strings by modifying the StrlitChars parameter in the ida.cfg file. This setting is ignored if 'only defined strings' is on. Allowed string types

        Allows the user to specify the string types included in the list.
        This setting is ignored if 'only defined strings' is on.

Minimal string length

        The minimal length the string must have to be added to the list.

Function calls window

Action    name: OpenCallers

This command opens the function calls window.

All functions who call the current function are displayed at the top of the window.

All functions called from the current function are displayed at the bottom of the window.

The list is automatically refreshed when the cursor is moved to another function.

Notepad

Action    name: OpenNotepad

Opens a notepad window for the general notes about the current database. The entered notes will be saved in the current database.

Alt-T hotkey can be used to search for a text and Ctrl-T to repeat the last search.

The notepad is available only in the GUI version.

Show undo history

Action    name: ShowUndoHistory

This command opens a window with the undo history. It is available from the Views, Open subviews submenu.

Double clicking on a line reverts the database to the state before the corresponding action.

It is possible to truncate the undo history by using the corresponding context menu command. The undo information for the selected action will be removed together with the information about all preceding actions.

The redoable user actions are displayed in italics. The current position in the undo buffers is displayed in bold, it usually denotes the first redoable user action.