Gemfury

mochaa / idapro rpm

Repository URL to install this package:
Details
idapro / opt / ida90 / libexec / idapro / ida.hlp
HFh(¯hºhÅhÔhñhi¤ijÑk~l8no©pvs¤s¡ç¡ò¥/§u¨ղæ²³/³>³V³h³³³·³à³ö³´3´V´l´~´´¢´´´ϴë´ø´¹¬¹9չå¹ý¹
ºEºYºpºº¶º̺êº»1»T»w»»¯»ǻê»¼6¼R¼m¼¼¼¼ç¼½Q½½·½ݽ¾)¾c¾¾¥¾>æ¾ú¾"¿wÇÇ¶ÇàÇZË{ËË£Ë[ÍtÍÎÏ¸ÏóÏ%ÐMÐ{ÐøÐÑ;Ñ6ÒÒ¦ÒãÒúÒÓUÔnÔÔåÔ4ÕEÕbÕ©ÕÔÕõÕ	Ö×aØ¸ØöØIÙÙVÚÛeÛíÛbÜÉÜêÜÝ9ÝiÝÝ]ÞÙã¡Òç18±Ôü" h t #ã,O/2Í</|C|]}}Å~|2ĆW³.¾qáQ®ү÷°²@³´¯´[µ1¶·º¸C¹ø¹¸º9¼F½;ñ¾½¿Á~ÂÃÌÍÎÐÑ¦ÒÅÓðÔÖO×Ø°ÙêÚÜÜ¹Þ¸à½áãTåUîÛï1òìò°ô{øú<úû³ü<ÿêÿß¯
"3q
®:V%Ú%î&'ü(Ë*¾+°-Å.ú0Í275E6Ú6R78Ë8Z:!;è;?=>í?LA'BÜBHG:HóIMaN»OY[]²]h^c<d4k¾qÍçÐøÑÅÚbÜ Ý'ßùà âçâ²ãïäCæfç¸ïëòRô(õöCû#ÿóÆg}	-Î].¡ l!¸"÷#°$%T&£'Î(/*+b,0-/®/0128a9EºF°GÞH"J3KÚLeNPªQñRTWDYZG\=]Ö]R`^aâbÅچù4Y³ZëûT Z¡e¢ť'©¹«D®°³éµZ¸f»¾ú¾ÑÀ>Â"ÃvÄéË[ÍÎøÔ¯Öd×Ø)ÙÚÛÍÜÓÝÈÞ*åLèåêþýÕI
yÙPN^Ð!±#k&P(*ç,07Ü8<>)A¶C HÔIøMPQRtT`Vê[^|`õciqõswzI~ÿãpáE4m£y¨W·´¾©ÑF×ÝÞáÿävæBêoðóô(ö\ùÎ	ê "M$Ë&±)×,±/ú7~=?þ@eBC«EþJSWË[Aa\c5it<uþv${Ì|ˀQԎ·ôO¤¨g«¯c²p³m¶ï·»¾ê¿QÅÆfÉ½ÊÌ5Í^ÏÎÒÞÕMØ·ÚAÝîÞÃâåèPê1ëûìvîÖðpòõH÷½ø³ûÎþ !Jß½F¥ºÕ Q×0 XÚ\+^Å_]acßdÔhmp£ry®z×|Ԃi" TúNĚ?ü¯)³ϻa½aÈÛÉùÏsÝÂá"çÓõJù`ý 1")]9ÚIlK¬LãNP(R¼W^Z\,^´bÐczhÀiûj#nÞopür t½uxz¥{Ñ|È}¢~sR´ ²l,Yªƍé@c)iߖ¼é/U$¡H¥§*©¿«AƮä®w±¶¸é»S¾\¿{¿ÑÀTÂÇÃôÆÉ¡ÍÃÙuÚ=ÛÈÜÝZÞöà?ãüãå¸æéë¹ìzïñfóôuöË÷úøú$ü=ýµþÙÿ;í²Ê¨	â
]
¤ÁË]/8AJU`is«·ÁØð
$>Vp§·ÊÛò
!1:GPZco¢´ÈÖô&8Phx¨ÀØð)Jdw¥µÅáö+DS_nª¼Óê*=Xl|©½Ïàóÿ
!7H[w«ÅÚãìö0=Ojz®Ëêø*:Odzª¿Ôð#8Ok®Îñ 4 G R \ h x  ¡ ¿ Ü ÷ !!"!0!<!O!b!r!!!¦!¼!Ð!ä!ú!"F"k"~""¡"³"Æ"Ï"Ú"ï"ú"##0#A#R#a#q###¢#°#º#Æ#Ò#ç#ö#$$%$5$L$^$r$$¡$µ$É$×$å$ñ$ý$% %1%C%Z%o%%%¥%¶%Í%å%ú%&5&M&Â&å&é&'5'[''¨'×'(>(b((Ä(ü(;)z)*9*«*+Q+¾+ë+,D,k,¼,ó,]--ò-,.N/u0¡0É0
1%1d11Ö1	282[22Î2"3>3u3¥3Ý34X4z44¬4Í4ó45F6|7è7~8Ã8979õ:Ì<à<ú<<=\=÷=$@ÐE{FsG I`LxOÛO¤PvQRÊRcVüYºZ[È`Da+c½cÕcïc7ddd1eÈeJgjggi:iLiiÀiÔiIóù˓ö";_¬ٔû3`}ÿ7ìUҘ6b¢řۙýҜ®#G¡K¤s¤Ĥë¤¥C¥'¦â© ¬0Hfz®¯¯!°A±c²³¹_½¾:ÀþÀ%ÂöÂÄµÅªÆÈÈ&É<ÌGÌÌÌÂÌåÌÐÍºÎçÎøÎÏ0ÏÏÆÏÛÏ_ÐÐÓ×¾ØÞØÐ&	ö&	ã)	X*	u*	*	*	n+	õ+	J,	¤,	È,	î,	1-	\-	|-	§-	Ç-	.	{.	ê.	ü.	ª/	X0	Ý1	2	d2	ÿ2	
3	/3	:3	d3	S4	l4	w4	4	i5	<8	W8	½8	09	9	«;	<	z<	©=	\>	!?	Ò?	ÁA	F	oV	~]	e	|l	Ro	6p	òq	s	¥s	½s	øs	0t	Ot	ot	t	½t	Øt	õt	u	gu	[w	x	¦x	Ãx	ìx	Wy	{y	¨y	¾y	!z	Dz	nz	¬z	^}	ý~		)	6	ø	_	ĉ	ì	
	8	Z	¼	̒	 	t	ϓ	2		۔	ø		J	y		2	a	l	{	«		²		ê	T	±		d	¾	{	¤	ɞ	» 	۠	·¡	º¢	>¤	2¥	E¥	©	7©	6ª	^ª	ª	«	¬	®	Ը	ƽ	ֽ	Ӿ	f¿	_À	¨Á	$Ä	Å	ÍÅ	&Ç	êÇ	È	Ì	Í	eÏ	yÏ	oÐ	Ñ	·Ò	âÒ	}Õ	©Õ	ëÕ	'Ö	ýâ	Ëð	ôø	ÿ
*
.
ä6
7
o7
½7
8
8
ö8
9
=
>
F
ÿI
EJ
_J
J
Ã^
F`
Z`
`
#d
Fd
¤g
Gl
o
'o
Ho
l
±
ݎ

Z
%

[
ä¨
ͪ
}°
´
3¶
X»
Éì
î
5ð
Óò
ú
Éü
þ
bfh
8<>Ù÷i ¸!&å*¸,ø3j5Å6ú7Ö97;½=w@åAVSmVXwY¡Z]m.rFs^tv?|	~A{õ>Am؈18p؍úNµێw°¾¨\#£¨¦¯ªä®¦²£Á§Ã^ÅÆ§ÇmÉ\ÌÍöÎz+º5£6×:c;<³A&C}EE¾G+PVmbhãjWllºl9mhmsAsRsét~~¦~³~Â~Ú~å~/pMؐ®̑o̕æO_sü°m³7º½;¾`ÆÈÊ1ÊµÎìÎÏ:ÏÐÂÐÙÐïÐ!Ñ9ÑbÑÑ°ÑÓÑÅÒþÓºÔkÕ,ÖçÖØ×ÍØÙ·ÙNÛxÛ©ÛèÛÜÝ#ÝÊÝìÝÞ ÞBÞaÞÞªÞÎÞ÷Þßõàõöçøû>ür
F
#
a
ÿ

¾
Ö


ö 
Ó)
Å*
Á+
Ñ,
ã-
A0
]0
s0
¥1
é2
@4
5
ø6
:
:
t;
¤;
¤<
è=
ë>
?
;?
f?
?
½?
A
pB
KC
ÿC
ßD
F
¶F
ÒF
H
TJ
oJ
J
QK
TR
èY
^
1a
 d
Xf
®h
Üj
n
Lq
t
|v
Ãx
d
o
¡
̀
ì
:
m
f
ˑ
P
Z
]¡
i¨
,±
Ҳ
й
l»
x»
»
»
±»
ɻ
޻
ò»
¼
#¼
:¼
P¼
¼
¼
ÙÏ
ïÏ
tÐ
Ð
Çõ
°ú
:zÙíÂÜ6p	Cg@15Ë5ï5jCC¹CÚC×IöIM$O!RTÌWêX¿Yn[e!e(e7eKeÙoerßtvZyzyy¨y'z¢z{&{'|q||~P´«ïvõöóöAüüÇü¯ýþ¯þàgmÝp¥y;~(t¯އãóu2~` = ˠ¡£¡à¡ò¡
¢÷¢.£j££«£ף¤%¤F¤[¤s¤¤º¤ò¤¥D¥o¥%ã¥ú¥'¦S¦e¦y¦¦¦¤¦³¦&ܦ÷¦§§=§Q§i§§§¨§º§ѧé§ü§¨¨-¨?¨T¨d¨z¨¨HF	No Error	OS error
Disk is fullRead attempt past file endFile is too large get_current_thread▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get current thread ID
returns: -1 if failure

long get_current_thread();
 select_thread▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Select the given thread as the current debugged thread.
     tid - ID of the thread to select
The process must be suspended to select a new thread.
returns: success

success select_thread(long tid);
" suspend_thread▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Suspend thread
Suspending a thread may deadlock the whole application if the suspended
was owning some synchronization objects.
     tid - thread id
Return: -1:network error, 0-failed, 1-ok

long suspend_thread(long tid);
« resume_thread▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Resume thread
     tid - thread id
Return: -1:network error, 0-failed, 1-ok

long resume_thread(long tid);
¸ start_process▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Launch the debugger
     path - path to the executable file.
     args - command line arguments
     sdir - initial directory for the process
for all args: if empty, the default value from the database will be used
returns: -1-failed, 0-cancelled by the user, 1-ok
See the important note to the step_into() function

long start_process(string path, string args, string sdir);
Ô exit_process▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Stop the debugger
Kills the currently debugger process and returns to the disassembly mode
   arguments: none
returns: success

success exit_process();
 suspend_process▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Suspend the running process
Tries to suspend the process. If successful, the PROCESS_SUSPENDED
debug event will arrive (see wait_for_next_event)
   arguments: none
returns: success
To resume a suspended process use the @0:1214[wait_for_next_event] function.
See the important note to the step_into() function

success suspend_process();
Ë attach_process▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Attach the debugger to a running process
     pid - PID of the process to attach to. If NO_PROCESS, a dialog box
           will interactively ask the user for the process to attach to.
     event_id - reserved, must be -1
returns:
        -2 - impossible to find a compatible process
        -1 - impossible to attach to the given process (process died, privilege
             needed, not supported by the debugger plugin, ...)
         0 - the user cancelled the attaching to the process
         1 - the debugger properly attached to the process
See the important note to the step_into() function

long attach_process(long pid, long event_id);
,@0:690[]
File is not a virtual array file?!ô-WRAP
 Common Public License Version 1.0 ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Common Public License Version 1.0

THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS COMMON PUBLIC
LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM
CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.

1. DEFINITIONS

"Contribution" means:

    a) in the case of the initial Contributor, the initial code and
documentation distributed under this Agreement, and

    b) in the case of each subsequent Contributor:

    i) changes to the Program, and

    ii) additions to the Program;

    where such changes and/or additions to the Program originate from and are
distributed by that particular Contributor. A Contribution 'originates' from a
Contributor if it was added to the Program by such Contributor itself or anyone
acting on such Contributor's behalf. Contributions do not include additions to
the Program which: (i) are separate modules of software distributed in
conjunction with the Program under their own license agreement, and (ii) are not
derivative works of the Program.

"Contributor" means any person or entity that distributes the Program.

"Licensed Patents " mean patent claims licensable by a Contributor which are
necessarily infringed by the use or sale of its Contribution alone or when
combined with the Program.

"Program" means the Contributions distributed in accordance with this Agreement.

"Recipient" means anyone who receives the Program under this Agreement,
including all Contributors.

2. GRANT OF RIGHTS

    a) Subject to the terms of this Agreement, each Contributor hereby grants
Recipient a non-exclusive, worldwide, royalty-free copyright license to
reproduce, prepare derivative works of, publicly display, publicly perform,
distribute and sublicense the Contribution of such Contributor, if any, and such
derivative works, in source code and object code form.

    b) Subject to the terms of this Agreement, each Contributor hereby grants
Recipient a non-exclusive, worldwide, royalty-free patent license under Licensed
Patents to make, use, sell, offer to sell, import and otherwise transfer the
Contribution of such Contributor, if any, in source code and object code form.
This patent license shall apply to the combination of the Contribution and the
Program if, at the time the Contribution is added by the Contributor, such
addition of the Contribution causes such combination to be covered by the
Licensed Patents. The patent license shall not apply to any other combinations
which include the Contribution. No hardware per se is licensed hereunder.

    c) Recipient understands that although each Contributor grants the licenses
to its Contributions set forth herein, no assurances are provided by any
Contributor that the Program does not infringe the patent or other intellectual
property rights of any other entity. Each Contributor disclaims any liability to
Recipient for claims brought by any other entity based on infringement of
intellectual property rights or otherwise. As a condition to exercising the
rights and licenses granted hereunder, each Recipient hereby assumes sole
responsibility to secure any other intellectual property rights needed, if any.
For example, if a third party patent license is required to allow Recipient to
distribute the Program, it is Recipient's responsibility to acquire that license
before distributing the Program.

    d) Each Contributor represents that to its knowledge it has sufficient
copyright rights in its Contribution, if any, to grant the copyright license set
forth in this Agreement.

3. REQUIREMENTS

A Contributor may choose to distribute the Program in object code form under its
own license agreement, provided that:

    a) it complies with the terms and conditions of this Agreement; and

    b) its license agreement:

    i) effectively disclaims on behalf of all Contributors all warranties and
conditions, express and implied, including warranties or conditions of title and
non-infringement, and implied warranties or conditions of merchantability and
fitness for a particular purpose;

    ii) effectively excludes on behalf of all Contributors all liability for
damages, including direct, indirect, special, incidental and consequential
damages, such as lost profits;

    iii) states that any provisions which differ from this Agreement are offered
by that Contributor alone and not by any other party; and

    iv) states that source code for the Program is available from such
Contributor, and informs licensees how to obtain it in a reasonable manner on or
through a medium customarily used for software exchange. 

When the Program is made available in source code form:

    a) it must be made available under this Agreement; and

    b) a copy of this Agreement must be included with each copy of the Program. 

Contributors may not remove or alter any copyright notices contained within the
Program.

Each Contributor must identify itself as the originator of its Contribution, if
any, in a manner that reasonably allows subsequent Recipients to identify the
originator of the Contribution.

4. COMMERCIAL DISTRIBUTION

Commercial distributors of software may accept certain responsibilities with
respect to end users, business partners and the like. While this license is
intended to facilitate the commercial use of the Program, the Contributor who
includes the Program in a commercial product offering should do so in a manner
which does not create potential liability for other Contributors. Therefore, if
a Contributor includes the Program in a commercial product offering, such
Contributor ("Commercial Contributor") hereby agrees to defend and indemnify
every other Contributor ("Indemnified Contributor") against any losses, damages
and costs (collectively "Losses") arising from claims, lawsuits and other legal
actions brought by a third party against the Indemnified Contributor to the
extent caused by the acts or omissions of such Commercial Contributor in
connection with its distribution of the Program in a commercial product
offering. The obligations in this section do not apply to any claims or Losses
relating to any actual or alleged intellectual property infringement. In order
to qualify, an Indemnified Contributor must: a) promptly notify the Commercial
Contributor in writing of such claim, and b) allow the Commercial Contributor to
control, and cooperate with the Commercial Contributor in, the defense and any
related settlement negotiations. The Indemnified Contributor may participate in
any such claim at its own expense.

For example, a Contributor might include the Program in a commercial product
offering, Product X. That Contributor is then a Commercial Contributor. If that
Commercial Contributor then makes performance claims, or offers warranties
related to Product X, those performance claims and warranties are such
Commercial Contributor's responsibility alone. Under this section, the
Commercial Contributor would have to defend claims against the other
Contributors related to those performance claims and warranties, and if a court
requires any other Contributor to pay any damages as a result, the Commercial
Contributor must pay those damages.

5. NO WARRANTY

EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON AN
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE,
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Each
Recipient is solely responsible for determining the appropriateness of using and
distributing the Program and assumes all risks associated with its exercise of
rights under this Agreement, including but not limited to the risks and costs of
program errors, compliance with applicable laws, damage to or loss of data,
programs or equipment, and unavailability or interruption of operations.

6. DISCLAIMER OF LIABILITY

EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR ANY
CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST
PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS
GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

7. GENERAL

If any provision of this Agreement is invalid or unenforceable under applicable
law, it shall not affect the validity or enforceability of the remainder of the
terms of this Agreement, and without further action by the parties hereto, such
provision shall be reformed to the minimum extent necessary to make such
provision valid and enforceable.

If Recipient institutes patent litigation against a Contributor with respect to
a patent applicable to software (including a cross-claim or counterclaim in a
lawsuit), then any patent licenses granted by that Contributor to such Recipient
under this Agreement shall terminate as of the date such litigation is filed. In
addition, if Recipient institutes patent litigation against any entity
(including a cross-claim or counterclaim in a lawsuit) alleging that the Program
itself (excluding combinations of the Program with other software or hardware)
infringes such Recipient's patent(s), then such Recipient's rights granted under
Section 2(b) shall terminate as of the date such litigation is filed.

All Recipient's rights under this Agreement shall terminate if it fails to
comply with any of the material terms or conditions of this Agreement and does
not cure such failure in a reasonable period of time after becoming aware of
such noncompliance. If all Recipient's rights under this Agreement terminate,
Recipient agrees to cease use and distribution of the Program as soon as
reasonably practicable. However, Recipient's obligations under this Agreement
and any licenses granted by Recipient relating to the Program shall continue and
survive.

Everyone is permitted to copy and distribute copies of this Agreement, but in
order to avoid inconsistency the Agreement is copyrighted and may only be
modified in the following manner. The Agreement Steward reserves the right to
publish new versions (including revisions) of this Agreement from time to time.
No one other than the Agreement Steward has the right to modify this Agreement.
IBM is the initial Agreement Steward. IBM may assign the responsibility to serve
as the Agreement Steward to a suitable separate entity. Each new version of the
Agreement will be given a distinguishing version number. The Program (including
Contributions) may always be distributed subject to the version of the Agreement
under which it was received. In addition, after a new version of the Agreement
is published, Contributor may elect to distribute the Program (including its
Contributions) under the new version. Except as expressly stated in Sections
2(a) and 2(b) above, Recipient receives no rights or licenses to the
intellectual property of any Contributor under this Agreement, whether
expressly, by implication, estoppel or otherwise. All rights in the Program not
expressly granted under this Agreement are reserved.

This Agreement is governed by the laws of the State of New York and the
intellectual property laws of the United States of America. No party to this
Agreement will bring a legal action under this Agreement more than one year
after the cause of action arose. Each party waives its rights to a jury trial in
any resulting litigation.K@0:692[]
Virtual Array: Too high VA version
(press F1 for the explanation)	 msg▄
 ▀▀▀▀

Display an UTF-8 encoded message in the message window
     format - printf() style format string
     ...    - additional parameters if any
This function can be used to debug IDC scripts
The result of the stringification of the arguments
will be treated as an UTF-8 string.
Thread-safe function.

void msg(string format, ...);

// Print variables in the message window
// This function print text representation of all its arguments to the output window.
// This function can be used to debug IDC scripts

void print(...);

// Display a message in a message box
//      format - printf() style format string
//      ...    - additional parameters if any
// This function can be used to debug IDC scripts
// The user will be able to hide messages if they appear twice in a row on the screen

void warning(string format, ...);

// Display a fatal message in a message box and quit IDA
//      format - printf() style format string
//      ...    - additional parameters if any

void error(string format, ...);
;AUTOHIDE REGISTRY
HIDECANCEL
The databases used in IDA up to 4.8 were limited in their size.
The maximal database size was 512MB.
Since programs grow to occupy all available memory
we removed this limitation and switched to a new database format.

Database '%s' is in the old format. Do you want IDA to upgrade it?D create_data▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Create a data item at the specified address
     ea - linear address
     flags - FF_BYTE..FF_PACKREAL
     size - size of item in bytes
     tid - for FF_STRUCT the structure id
returns: 1-ok, 0-failure

success create_data(long ea, long flags, long size, long tid);
^
WRAP
Graph options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Use graph view by default

        IDA switches to graph mode for each 'jump' command.

Enable graph animation

        Animate the graph layout, movement, and group collapsing/uncollapsing.
        While animation takes time, it gives the user some idea what's going on.

Draw node shadows

        Display shadows for each graph node. Shadows are not displayed
        for really huge or ridiculously small nodes.

Auto fit graph into window

        Zoom the graph so that it occupies the whole window.

Fit window max zoom level 100%

        The 'fit window' command maximal zoom level is 100%.

Re-layout graph if nodes overlap

        IDA recomputes the graph layout if a node overlap is detected.
        The presence of a custom layout (if the user has displaced
        some graph nodes) effectively turns off this option.

Re-layout graph upon screen refresh

        IDA recomputes the graph layout at each screen refresh.
        Turning this option off accelerates IDA but then
        a manual layout might be required after some operations.

Truncate at the right margin

        All nodes at truncated at the right margin. The right @0:605[margin]
        is specified in the Options, General, Disassembly tab.
        This option narrows the graph but hides some information
        by truncating long lines.

Lock graph layout

        Locks the graph layout by ignoring attempts to displace
        nodes. This prevents the creation of custom layouts that might lead
        to ugly graph layouts when nodes change their sizes.

PROXIMITY VIEW

Show data references

        Show data cross-referenced items in proximity view.

Hide library functions

        Do not show data or code cross-references to library functions,
        only show cross-referenced local functions.

Unlimited children recursion

        Recurse until there are no more callees (children) of the currently
        selected central node and all of his children.

Recurse into library functions

        Displays children data or code cross-references from library
        functions.

Max parents recursion

        Maximum recursion level for displaying parents of the currently
        selected central node. The value '0' disables parents recursion.

Max children recursion

        Maximum recursion level for displaying children of the currently
        selected central node. The value '0' means no maximum recursion
        level.

Max nodes per level

        Maximum number of nodes to show per level of children and parents.


Back to @0:42[graph view] or @0:1626[proximity view]Bad digit '%c'Bad floating point constant)Floating point constant conversion error
No separatorNon-terminated stringToo long stringNon-terminated char constantBad character '%c'Too long identifier '%s''Bad or ill-formed preprocessor commandBad #include syntaxMax depth of includes is 32Can't open include file '%s'!getstr() function is not definedEnd of file reachedMisplaced #elseMisplaced #endifMissing #endifBad macro usageBad # of macro argumentsIDC function '%s' is busy#error: %sWRAP
Graph view ▄
 ▀▀▀▀▀▀▀▀▀▀▀
Starting from IDA v5.0, the disassembly can be displayed in a graph form.

In the graph view, the current function is represented as a collection of
nodes linked together with edges. Nodes represent basic blocks and edges
represent code cross-references between them.

Only code items are visible in the graph view, data items are hidden. To
display them, switch to text mode by pressing Space. The graph view
is available for the instructions belonging to functions. IDA
automatically switches to text mode if the current item cannot be
displayed in graph mode. It also displays a warning, which we
recommend to hide away as soon as you become familiar with the concept.

The Space key can be used to toggle between the graph and text views.

Please select one of the following topic to learn more about graphs:

 - @0:85[The current node]
 - @0:241[Selections in graphs]
 - @0:1160[Customizing graph layout]
 - @0:281[Zooming graphs]
 - @0:1117[Scrolling graphs]
 - @0:1129[Graph node groups]
 - @0:1130[Graph overview window]
 - @0:1142[Graph colors]
 - @0:19[Graph options]
 - @0:1159[Various graph hints]

!Missing while statement for a doMissing semicolonMissing braket '['Missing colonSyntax error near: %sMissing brace6Function '%s' is too large (max compiled size is 64k)Misplaced 'break'Misplaced 'continue''Variable '%s' has already been definedVariable '%s' is undefinedToo complex programIllegal catch variable '%s'*Bad number of arguments for function '%s'Too many local variables!Illegal postfix/prefix operation!Function declaration is expectedVariable name is expectedIDC type conversion errorInvalid storage class!Abstract declaration is expected)Abstract declaration is not allowed hereTypedefs cannot be initializedToo many type declaratorsUndefined type name '%s'Type '%s' is already defined.The current type cannot be signed or unsigned)The current type cannot be short or long-The current type cannot be const or volatile9The current type cannot be signed/unsigned or short/long6Arrays of voids and arrays of functions are forbidden,Functions cannot return functions or arrays$Negative sized arrays are forbidden,Size of previous array dimension is unknownVoid type is forbidden here8Function arguments cannot contain structure definitions#A new type cannot be declared hereConflicting type modifiersBitfield size is invalid$Size of the type is unknown or zeroToo big alignment&This construct is allowed only in C++SWRAP
The current node ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

There are two concepts: the current node and the selected nodes. The
node with the keyboard cursor is considered as the current node. If the
user clicks on the graph background, the keyboard cursor will disappear
and there will be no current node. In the absence of the current node,
IDA uses the last valid address for the user commands (like
@0:457[rename] and similar commands). For example, if the user
invokes the 'rename' command by pressing N and if there is no current node,
IDA will still display the 'rename' dialog box for the last valid
address.

Clicking on the node title will make the clicked node the current one. The
keyboard cursor will be moved to the clicked node. Any selection of the
disassembly text will be cancelled upon switching the current node.

The default color for the title of the current node is dark gray.

In addition to the obvious method of clicking with the mouse left-button
to select the current node, IDA supports many other methods:

 - Clicking with the mouse wheel selects the clicked node and centers
   the clicked point in the window
 - Keyboard arrows can be used to move from one node to another. When
   the keyboard cursor reaches the node border and the user presses
   the arrow once more, IDA finds a node in the specified direction
   and makes it the current.
 - The Ctrl-Up key displays the list of nodes referring to the current
   node and allows jumping to them. The Ctrl-Down key does the same
   with the referenced nodes.
 - Pressing '5' on the keypad positions the keyboard cursor at
   the window center
 - Left-click on an edge makes one of its ends (source or destination)
   the current node. The node farthest from the click point is selected
 - Ctrl-click on an edge jumps to its destination
 - Alt-click on an edge jumps to its source

Clicking with the mouse on the node text (disassembly listing) has the
usual meaning: IDA will move the keyboard cursor to the clicked
location. It is also possible to select the disassembly listing within
one node.

Back to @0:42[graph view]Zero divide/Attempt to call non-existent external function(Attempt to call undefined function '%s'xWRAP
IDC: Exceptions ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Any runtime error generates an exception. Exceptions terminate the execution.
It is possible to catch an exception instead of terminating the execution:

        auto e;
        try
        {
          ... some statements that cause a runtime error...
        }
        catch ( e )
        {
          // e holds the exception information
          // it is an instance of the @0:1577[exception] class
        }

The try/catch blocks can be nested. If the current function has no try/catch blocks,
the calling function will be examined, and so on, until we find a try/catch block
or exit the main function. If no try/catch block is found, an unhandled exception
is reported.

It is also possible to throw an exception explicitly. Any object can be thrown.
For example:

        throw 5;

will throw value '5'.

Exception in external functionAppcall: cleanup failedAppcall: %s¶ loader_input_t.read▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Read from the input file
     buf - reference to the variable that will hold the read bytes
           in form of a string
     size - number of bytes to read
Returns: number of read bytes

long loader_input_t.read(vref buf, long size);

// For example:

        auto li, buf;
        li = open_loader_input("myfile", 0);
        li.read(&buf, 100);
Application is running loader_input_t.size▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get size of the input file

long loader_input_t.size();
 loader_input_t.seek▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Seek in the input file
     pos - position to seek to
     whence - where from?
Returns: the new file position

long loader_input_t.seek(long pos, long whence);

#define SEEK_SET   0 // from the file start
#define SEEK_CUR   1 // from the current position
#define SEEK_END   2 // from the file end
,Floating point operation underflow/overflow9Floating point value doesn't fit into 32bit long integer0@0:426[]
You've entered an invalid address: %s.&@0:424[]
%s is not a valid identifier,@0:422[]
You've entered invalid segment: %s{@0:421[]
IDA - The Interactive Disassembler

%sVersion %s %s

Copyright (c) 2024 Hex-Rays
https://www.hex-rays.com
The key file is not found.$Cannot be used to provide servicesù set_func_start▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

change function start address
     ea  - any address belonging to the function
     end - new function start address
returns: !=0 - ok

success set_func_start(long ea, long start);
H@0:421[]
This feature doesn't work in the demonstration version, sorry.$Field '%s' has already been defined;@0:1136[]
ZZZZZZZZZZZZString to search (case-insensitive)
Can't read file '%s'Can't write file '%s'A get_first_index▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get index of the first existing array element
     tag     - tag of array (AR_LONG or AR_STR)
     id      - array id
returns: -1 - array is empty
         otherwise returns index of the first array element

long get_first_index(long tag, long id);
Can't create file '%s',HIDECANCEL
Save the current window as '%s'?GThe current window '%s' is modified. Do you want to save its contents?MHIDECANCEL
The current window is modified. Do you want to save its contents?Search failed.Enter file name to save toEReplace a string

<Pattern    :q:79:32::>
<Replace to :q:79:32::>


)Find a string

<Pattern    :q:79:50::>

Replace occurrence at (%d,%d)?@0:1415[]
Exports get_member_by_idx▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get member id by member ordinal number
     id         - structure type ID
     member_idx - member ordinal number
returns: -1 if bad structure type ID is passed or there is
         no member with the specified index
         otherwise returns the member id.

long get_member_by_idx(long id, long member_idx);
Í is_member_id▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Is a member id?
     id         - any id
returns: 1 there is structure member with the specified ID
         0 otherwise

long is_member_id(id);
U@0:501[]
Bad enum name '%s'. Probably the name is invalid or is used in the program.<HIDECANCEL
@0:502[]
Do you really want to delete enum '%s'?Q@0:503[]
Add enum member

  Enum:  %A

  <~N~ame :q::40::>
  <~V~alue:N::40::>

R@0:504[]
Edit enum member

  Enum:  %A

  <~N~ame :q::40::>
  <~V~alue:N::40::>

·@0:503[]
Add bit field definition

  Enum:  %A

  <~N~ame :q::40::>
  <~V~alue:N::40::>
  <~M~ask :N::40::>

  For wide fields you may specify the mask name
  <Ma~s~k name:q::40::>

¸@0:504[]
Edit bit field definition

  Enum:  %A

  <~N~ame :q::40::>
  <~V~alue:N::40::>
  <~M~ask :N::40::>

  For wide fields you may specify the mask name
  <Ma~s~k name:q::40::>

SBad enum member name '%s'. Probably the name is invalid or is used in the program.Bad enum member mask %08a. The specified mask should not intersect with any existing mask in the enum. Zero masks are prohibited too.sBad enum member mask (%08a) and value (%08a) combination. All bits set in the value should be set in the mask too.e@0:503[]
Bad enum member value 0x%a. There are too many (256) constants with this value in the enum.internal error: bad enum id %a'@0:479[]
Enter ENUM repeatable comment$@0:479[]
Enter ENUM regular comment.@0:479[]
Enter enum member repeatable comment+@0:479[]
Enter enum member regular commentÅ get_ordinal_limit▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get number of local types + 1
returns: value >= 1. 1 means that there are no local types.

long get_ordinal_limit();
z1WRAP
x64 MSVC C++ Exception Handler for the Decompiler ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Hex-Rays' support for exceptions in Microsoft Visual C++/x64 incorporates the C++ exception metadata for functions into their decompilation, and presents the results to the user via built-in constructs in the decompilation (`try`, `catch`, `__wind`, `__unwind`). When the results cannot be presented entirely with these constructs, they will be presented via helper calls in the decompilation.

# USAGE

This support is fully automated and requires no user interaction. The user can disable (and later, if desired, re-enable) the plugin for the entire database under the `Edit->Other->EH34 analysis` menu item. This setting is saved persistently in the database.

Additionally, the plugin can be disabled on a per-function basis. For any function that has C++ exception metadata, right-click and press "Disable EH3/4 analysis" to show the function without it. The listing will automatically refresh. To re-enable display of C++ exception metadata for a function that you previously disabled, use right-click "Enable EH3/4 analysis". Again, the listing will automatically refresh. These per-function settings are not saved persistently in the database.

# TRY, CATCH, AND THROW

The C++ language provides the `try` scoped construct in which the developer expects that an exception might occur. `try` blocks must be followed by one or more scoped `catch` constructs for catching exceptions that may occur within. `catch` blocks may use `...` to catch any exception. Alternatively, `catch` blocks may name the type of an exception, such as `std::bad_alloc`. `catch` blocks with named types may or may not also catch the exception object itself. For example, `catch(std::bad_alloc *v10)` and `catch(std::bad_alloc *)` are both valid. The former can access the exception object through variable `v10`, whereas the latter cannot access the exception object.

C++ provides the `throw` keyword for throwing an exception, as in `std::bad_alloc ba; throw ba;`. This is represented in the output as (for example) `__eh34_throw(v10);`. C++ also allows code to rethrow the current exception via `throw;`. This is represented in the output as `__eh34_throw();`.

# WIND AND UNWIND

Exception metadata in C++ binaries is split into two categories: `try` and `catch` blocks, as discussed above, and so-called `wind` and `unwind` blocks. C++ does not have `wind` and `unwind` keywords, but the compiler creates these blocks implicitly. In most binaries, they outnumber `try` and `catch` blocks by about 20 to 1. 

Consider the following code, which may or may not throw an `int` as an exception at three places:

```
void may_throw() {
  // Point -1
  if(rand() % 2)
    throw -1;

  string s0 = "0"; 

  // Point 0
  if(rand() % 2)
    throw 0;

  string s1 = "1";

  // Point 1
  if(rand() % 2)
    throw 1;

  // Point 2
  printf("%s %s\n",
    s0.c_str(),
    s1.c_str());

  // Implicit
  // destruction
  s1.~string();
  s0.~string();
}
```

If an exception is thrown at point -1, the function exits early without executing any of its remaining code. As no objects have been created on the stack, nothing needs to be cleaned up before the function returns.

If an exception is thrown at point 0, the function exits early as before. However, since `string s0` has been created on the stack, it needs to be destroyed before exiting the function. Similarly, if an exception is thrown at point 1, both `string s1` and `string s0` must be destroyed.

These destructor calls would normally happen at the end of their enclosing scope, i.e. the bottom of the function, where the compiler inserts implicitly-generated destructor calls. However, since the function does not have any `try` blocks, none of the function's remaining code will execute after the exception is thrown. Therefore, the destructor calls at the bottom will not execute. If there were no other mechanism for destructing `s0` and/or `s1`, the result would be memory leaks or other state management issues involving those objects. Therefore, the C++ exception management runtime provides another mechanism to invoke them: `wind` blocks and their corresponding `unwind` handlers.

`wind` blocks are effectively `try` blocks that are inserted invisibly by the compiler. They begin immediately after constructing some object, and end immediately before destructing that object. Their `unwind` blocks play the role of `catch` handlers, calling the destructor upon the object when exceptional control flow would otherwise cause the destructor call to be skipped.

Microsoft Visual C++ effectively transforms the previous example as follows:

```
void may_throw_transformed() {
  if(rand() % 2)
    throw -1;

  string s0 = "0";

  // Implicit try
  __wind {
    if(rand() % 2)
      throw 0;

    string s1 = "1";

    // Implicit try
    __wind {
      if(rand() % 2)
        throw 1;

      printf("%s %s\n",
        s0.c_str(),
        s1.c_str());
    }
    // Implicit catch
    __unwind {
      s1.~string();
    }
    s1.~string();
  }
  // Implicit catch
  __unwind {
    s0.~string();
  }
  s0.~string();
}
```

`unwind` blocks always re-throw the current exception, unlike `catch` handlers, which may or may not re-throw it. Re-throwing the exception ensures that prior `wind` blocks will have a chance to execute. So, for example, if an exception is thrown at point 1, after the `unwind` handler destroys `string s1`, re-throwing the exception causes the unwind handler for point 0 to execute, thereby allowing it to destroy `string s0` before re-throwing the exception out of the function.

# STATE NUMBERS AND INSTRUCTION STATES

As we have discussed, the primary components of Microsoft Visual C++ x64 exception metadata are `try` blocks, `catch` handlers, `wind` blocks, and `unwind` handlers. Generally speaking, these elements can be nested within one another. For example, in C++ code, it is legal for one `try` block to contain another, and a `catch` handler may contain `try` blocks of its own. The same is true for `wind` and `unwind` constructs: `wind` blocks may contain other `wind` blocks (as in the previous example) or `try` blocks, and `try` and `catch` blocks may contain `wind` blocks.

Exceptions must be processed in a particular sequence: namely, the most nested handlers must be consulted first. For example, if a `try` block contains another `try` block, any exceptions occurring within the latter region must be processed by the innermost `catch` handlers first. Only if none of the inner `catch` handlers can handle the exception should the outer `try` block's catch handlers be consulted. Similarly, as in the previous example, `unwind` handlers must destruct their corresponding objects before passing control to any previous exception handlers (such as `string s1`'s `unwind` handler passing control to `string s0`'s `unwind` handler).

Microsoft's solution to ensure that exceptions are processed in the proper sequence is simple. It assigns a "state number" to each exception-handling construct. Each exception state has a "parent" state number whose handler will be consulted if the current state's handler is unable to handle the exception. In the previous example, what we called "point 0" is assigned the state number 0, while "point 1" is assigned the state number 1. State 1 has a parent of 0. (State 0's parent is a dummy value that signifies that it has no parent.) Since `unwind` handlers always re-throw exceptions, if state 1's `unwind` handler is ever invoked, the exception handling machinery will always invoke state 0's `unwind` handler afterwards. Because state 0 has no parent, the exception machinery will re-throw the exception out of the current function. This same machinery ensures that the catch handlers for inner `try` blocks are consulted before outer `try` blocks.

There is only one more piece to the puzzle: given that an exception could occur anywhere, how does the exception machinery know which exception handler should be consulted first? I.e., for every address within a function with C++ exception metadata, what is the current exception state? Microsoft C++/x64 binaries provide this information in the `IPtoStateMap` metadata tables, which is an array of address ranges and their corresponding state numbers.

# HELPER CALLS

Hex-Rays' Microsoft C++ x64 exception support tries to hide the aforementioned details about exception state numbers as much as possible. However, compiler optimizations can cause binaries to diverge from the original source code. For example, inlined functions can produce `goto` statements in the decompilation despite there being none in the source. Optimizations can also cause C++ exception metadata to differ from the original code. As a result, it is not always possible to represent `try`, `catch`, `wind`, and `unwind` constructs as scoped regions that hide the low-level details.

In these cases, Hex-Rays' Microsoft C++ x64 exception support will produce helper calls with informative names to indicate when exception states are entered and exited, and to ensure that the user can see the bodies of `catch` and `unwind` handlers in the output. The user can hover their mouse over those calls to see their descriptions. They are also catalogued below.

The following helper calls are used when exception states have multiple entrypoints, or multiple exits:

  `__eh34_enter_wind_state(s1, s2) : switch state from parent state s1 to child wind state s2`
  `__eh34_enter_try_state(s1, s2) : switch state from parent state s1 to child try state s2`
  `__eh34_exit_wind_state(s1, s2) : switch state from child wind state s1 to parent state s2`
  `__eh34_exit_try_state(s1, s2) : switch state from child try state s1 to parent state s2`

The following helper calls are used when exception states had single entry and exit points, but could not be represented via `try` or `__wind` keywords:

  `__eh34_wind(s1, s2) : switch state from parent state s1 to child state s2; a new c++ object that requires a dtr has been created`
  `__eh34_try(s1, s2) : switch state from parent state s1 to child state s2; mark beginning of a try block`

The following helper calls are used to display `catch` handlers for exception states that could not be represented via the `catch` keyword:

  `__eh34_catch(s) : beginning of catch blocks at state s; s corresponds to the second argument of the matching try call(if present)`
  `__eh34_catch_type(s, \"handler_address\") : a catch statement for the type described at \"address\"`
  `__eh34_catch_ellipsis(s) : \"catch all\" statement`

The following helper calls should be removed, but if you see them, they signify the boundary of a `catch` handler:

  `__eh34_try_continuation(s, i, ea) : end of catch handler `i` for state `s`, returning to address `ea``
  `__eh34_caught_type(s, \"handler_address\") : a pairing call for __eh34_catch_type when catch handler has no continuation`
  `__eh34_caught_ellipsis(s) : \"caught all\", paired with __eh34_catch_ellipsis when catch handler has no continuation`

The following helper calls are used to display `unwind` handlers for exception states that could not be represented via the `__unwind` keyword:

  `__eh34_unwind(s) : destruct the c++ object created immediately before entering state s; s corresponds to the second argument of the matching wind call(if present)`

The following helper calls are used to signify that an `unwind` handler has finished executing, and will transfer control to a parent exception state (or outside of the function):

  `__eh34_continue_unwinding(s1, s2) : after unwinding at child state s1, switch to parent state s2 and perform its unwind or catch action`
  `__eh34_propagate_exception_into_caller(s1, s2) : after unwinding at child state s1, switch to root state s2; this corresponds to the exception being propagated into the calling function`

The following helper call is used when the exception metadata did not specify a function pointer for an `unwind` handler, which causes program termination:

  `__eh34_no_unwind_handler(s) : the state s did not have an unwind handler, which causes program termination in the event that an exception reaches it`

The following helper calls are used to signify that Hex-Rays was unable to display an exception handler in the decompilation:

  `__eh34_unwind_handler_absent(s, ea) : could not inline unwind handler at ea for wind state s`
  `__eh34_catch_handler_absent(s, i, ea) : could not inline i'th catch handler at ea for try state s`¨WRAP
Create C header file▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceHeader
 Current hotkey: @<ProduceHeader>

This command saves all definitions in the local types window into a C header
file

Please note that that types created in the structures window will not
be saved unless they are synchronized with the local types

See also other @0:438[Produce output file] commands.Create C ~h~eader file...BThread-unsafe function '%s' cannot be called from non-main thread¼WRAP
Low level breakpoint conditions ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Low level breakpoint conditions can be used to speed up the debugger.
They are evaluated like this:

  - in case of remote debugging, the condition is evaluated on the remote
    computer. The following actions are bypassed:
      - sending of the breakpoint event to the local computer
      - switching from debthread to the main thread
      - updating internal IDA structures and caches
      - updating the screen

  - in case of local debugging, the condition is evaluated at low level.
    The following actions are bypassed:
      - switching from debthread to the main thread
      - updating internal IDA structures and caches
      - updating the screen

In both cases, there is a significant speed up. This improvement imposes
some limitations on the breakpoint condition:

  - only @0:157[IDC] expressions can be used for low level conditions
  - only functions marked as 'thread-safe' may be called
  - only entire registers can be accessed (e.g. EAX is ok but AL is not)

Essentially this means that the only available functions are:

  - read/write process registers
  - read/write process memory
  - file i/o
  - auxiliary string and object functions
  - msg() function (for debugging the breakpoint conditions)

Low level breakpoint conditions are available only for Win32, Linux, Mac,
and Android debuggers.
hWRAP
Android debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The Android debugger has the following particularities and limitations:

- Android on ARM is supported (not on x86)

- Both ARM and Thumb mode code is supported

- Multithreaded applications can be debugged. However, since the operating
  system does not report thread deaths, they are reported only when
  the debugger notices that the thread is missing (for example, because
  there is an error when we try to suspend it)

- Apparently Android reports applications that are currently executing
  a system call as executing "LDMFD SP!, {R4,R7}" before the syscall.
  Once the syscall completes, the next instruction is reached.

- Hardware breakpoints are not supported.

 See also @0:1397[Start process]
          @0:1395[Debugger] submenu
          @0:1463[How to launch remote debugging]Å add_auto_stkpnt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Add automatic SP register change point
     func_ea  - function start
     ea       - linear address where SP changes
                usually this is the end of the instruction which
                modifies the stack pointer (cmd.ea+cmd.size)
     delta    - difference between old and new values of SP
returns: 1-ok, 0-failed

success add_auto_stkpnt(func_ea, ea, sval_t delta);
@0:586[]
FunctionsH      Function name               Segment   Start    Length  RFLSBMICDV@0:485[]
Edit function

  <~N~ame of function:q::32::>
  <~S~tart address   :$::18::>
  <~E~nd address     :$::18::>    <D~o~es not return:C>
  <~C~olor           :K::8::>     <~F~ar function:C>
                                  <~L~ibrary func:C>
  Enter size of (in bytes)        <S~t~atic func:C>
  <Local ~v~ariables area:N::18::><~B~P based frame:C>
  <Saved ~r~egisters     :N::18::><BP e~q~uals to SP:C>
  <~P~urged bytes        :N::18::><Fu~z~zy SP:C>
  <Frame pointer ~d~elta :N::18::><O~u~tlined code:C>>

EHIDECANCEL
Are you sure you want to delete the selected function(s)?0A function must start with an instruction (%s).!Could not find a function at %s.&Can't set a function '%s' start to %s$Can't set a function '%s' end to %sD@0:695[]
Sorry, cannot add the selection to the function definition
@0:1118[]WRAP
IDC language ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

IDC language is a C-like language. It has the same lexical tokens as C does:
character set,constants,identifiers,keywords, etc. However, since it is a
scripting language, there are no pointers, and all variable types
can be handled by the interpreter. Any variable may hold any value;
variables are declared without specifying their type;

auto myvar;

An IDC program consists of function declarations. By default, execution
starts from a function named 'main'.
Select a topic to read:

  @0:161[Variables]
  @0:160[Functions]
  @0:159[Statements]
  @0:158[Expressions]
  @0:1165[Predefined symbols]
  @0:1578[Slices]
  @0:89[Exceptions]
  @0:162[Index of IDC functions]
  @0:1216[Index of debugger related IDC functions]
X	WRAP
IDC: Expressions ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

In the IDC expressions you can use almost all C operations except:

  complex assignment operations as '+='

@0:1582[Constants] are defined more or less like in C, with
some minor differences.

There are four type conversion operations:

  long(expr)  floating point numbers are truncated during conversion
  char(expr)
  float(expr)
  __int64(expr)

However, explicit type conversions are rarely required because all type
conversions are made automatically:

  - addition:
        if both operands are strings,
          string addition is performed (strings are concatenated);
        if both operands are objects,
          object combination is performed (a new object is created)
        if floating point operand exists,
          both operands are converted to floats;
        otherwise
          both operands are converted to longs;

  - subtraction/multiplication/division:
        if floating point operand exists,
          both operands are converted to floats;
        if both operands are objects and the operation is subtraction,
          object subtraction is performed (a new object is created)
        otherwise
          both operands are converted to longs;

  - comparisons (==,!=, etc):
        if both operands are strings, string comparison is performed;
        if floating point operand exists,
          both operands are converted to floats;
        otherwise
          both operands are converted to numbers;

  - all other operations:
        operand(s) are converted to longs;

If any of the long operands is 64bit, the other operand is converted to 64bit too.

There is one notable exception concerning type conversions: if one
operand is a string and the other is zero (0), then a string operation
is performed. Zero is converted to an empty string in this case.

The & operator is used to take a reference to a variable. References
themselves cannot be modified once created. Any assignment to them
will modify the target variable. For example:

        auto x, r;
        r = &x;
        r = 1;   // x is equal to 1 now

References to references are immediately resolved:

        auto x, r1, r2;
        r1 = &x;
        r2 = &r1; // r2 points to x

Since all non-object arguments are passed to functions by value, references are
a good way to pass arguments by reference.
jWRAP
IDC: Statements ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

In IDC there are the following statements:

  @0:158[expression];        (expression-statement)
  if (expression) statement
  if (expression) statement else statement
  for ( expr1; expr2; expr3 ) statement
  while (expression) statement
  do statement while (expression);
  break;
  continue;
  return <expr>;
  return;              the same as 'return 0;'
  { statements... }
  @0:89[try statement catch ( var ) statement]
  throw <expr>;
  ;                    (empty statement)

Please note that the 'switch' statement is not supported.
6WRAP
IDC: Functions ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

An IDC function always returns a value. There are 2 kinds of functions:

  - @0:162[built-in] functions
  - user-defined functions

A user-defined function is declared this way:

  static func(arg1,arg2,arg3)
  {
    @0:159[statements] ...
  }

It is not necessary to specify the parameter types
because all necessary type conversions are performed automatically.

By default all function arguments are passed by value, except:

  - objects are always passed by reference
  - functions are always passed by reference
  - it is possible to pass a variable by reference using the & operator

If the function to call does not exist, IDA tries to resolve the name using
the debugged program labels. If it succeeds, an @0:1572[dbg_appcall] is performed.
D
WRAP
IDC: variables ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

There are two kinds of variables in IDC:

  - local variables: they are created at the function entry
    and destroyed at the exit

  - global variables: they are created at the compilation time
    and destroyed when the database is closed

A variable can contain:

  - LONG: a 32-bit signed long integer (64-bit in 64-bit version of IDA)
  - INT64: a 64-bit signed long integer
  - STR: a character string
  - FLOAT: a floating point number (extra precision, up to 25 decimal digits)
  - OBJECT: an object with attributes and methods
            (a concept very close to C++ class) @0:1577[more]
  - REF: a reference to another variable
  - FUNC: a function reference

A local variable is declared this way:

  auto var1;
  auto var2 = <expr>;

Global variables are declared like this:

  extern var;

Global variables can be redefined many times. IDA will silently ignore subsequent
declarations. Please note that global variables cannot be initialized at the
declaration time.

All C and C++ keywords are reserved and cannot be used as a variable name.

While it is possible to declare a variable anywhere in the function body,
all variables are initialized at the function entry and all of them are
destroyed only at the exit. So, a variable declared in a loop body will not
be reinitialized at each loop iteration, unless explicitly specified with
an assignment operator.

If a variable or function name cannot be recognized, IDA tries
to resolve them using the names from the disassembled application. In it succeeds,
the name is replaced by its value in the disassembly listing. For example:

  .data:00413060 errtable        dd 1   ; oscode
  .data:00413060                 dd 16h ; errnocode


        msg("address is: %x\n", _errtable);

will print 413060. If the label denotes a structure, it is possible
to refer to its fields:

        msg("address is: %x\n", _errtable.errnocode);

will print 413064. Please note that IDA does not try to read the data but
just returns the address of the structure field. The field address can also
be calculated using the @0:1579[get_field_ea] function.

NOTE: The processor register names can be used in the IDC scripts when the
debugger is active. Reading from such a variable return the corresponding
register value. Writing to such a variable modifies the register value
in the debugged process. Such variables are accessible only when the application
is in the suspended mode.

NOTE: another way to emulate global scope variables is to use @0:668[array]
functions and create global persistent arrays.`?WRAP
Alphabetical list of IDC functions ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The following conventions are used in the function descriptions:

  'ea' is a linear address
  'success' is 0 if a function fails, 1 otherwise
  'void' means that function returns no meaningful value (always 0)
  'anyvalue' means that function may return value of any type

 @0:146[add_auto_stkpnt]
 @0:1076[add_bpt]
 @0:313[add_cref]
 @0:174[add_default_til]
 @0:313[add_dref]
 @0:355[add_entry]
 @0:731[add_enum]
 @0:739[add_enum_member]
 @0:330[add_func]
 @0:654[add_hidden_range]
 @0:192[add_idc_hotkey]
 @0:299[add_segm_ex]
 @0:644[add_sourcefile]
 @0:393[add_struc]
 @0:398[add_struc_member]
 @0:1051[add_user_stkpnt]
 @0:1077[append_func_tail]
 @0:173[apply_type]
 @0:288[ask_addr]
 @0:288[ask_file]
 @0:288[ask_long]
 @0:288[ask_seg]
 @0:288[ask_str]
 @0:288[ask_yn]
 @0:188[atoa]
 @0:190[atol]
 @0:12[attach_process]
 @0:678[auto_mark]
 @0:678[auto_mark_range]
 @0:678[auto_unmark]
 @0:195[auto_wait]
 @0:287[batch]
 @0:1606[begin_type_updating]
 @0:249[byte]
 @0:177[byte_value]
 @0:270[calc_gtn_flags]
 @0:198[call_system]
 @0:1214[can_exc_continue]
 @0:1076[check_bpt]
 @0:342[choose_func]
 @0:1573[cleanup_appcall]
 @0:1203[clear_selection]
 @0:1650[clear_trace]
 @0:1739[clr_database_flag]
 @0:1247[collect_stack_trace]
 @0:196[compile_idc_file]
 @0:224[compile_idc_text]
 @0:683[create_align]
 @0:668[create_array]
 @0:208[create_byte]
 @0:680[create_custom_data]
 @0:18[create_data]
 @0:215[create_double]
 @0:210[create_dword]
 @0:1741[create_enum_type]
 @0:214[create_float]
 @0:201[create_insn]
 @0:212[create_oword]
 @0:347[create_pack_real]
 @0:211[create_qword]
 @0:207[create_strlit]
 @0:682[create_struct]
 @0:656[create_tbyte]
 @0:209[create_word]
 @0:213[create_yword]
 @0:1673[dalvik_get_array_elem]
 @0:1673[dalvik_get_array_size]
 @0:1673[dalvik_get_instance_fld]
 @0:1673[dalvik_get_local]
 @0:1673[dalvik_get_local_typed]
 @0:1572[dbg_appcall]
 @0:1218[decode_insn]
 @0:1311[define_exception]
 @0:685[define_local_var]
 @0:675[del_array_element]
 @0:1076[del_bpt]
 @0:313[del_cref]
 @0:313[del_dref]
 @0:732[del_enum]
 @0:665[del_enum_member]
 @0:711[del_extra_cmt]
 @0:366[del_fixup]
 @0:331[del_func]
 @0:643[del_hash_string]
 @0:654[del_hidden_range]
 @0:193[del_idc_hotkey]
 @0:686[del_items]
 @0:300[del_segm]
 @0:293[del_selector]
 @0:649[del_source_linnum]
 @0:646[del_sourcefile]
 @0:1135[del_stkpnt]
 @0:394[del_struc]
 @0:399[del_struc_member]
 @0:1278[del_user_info]
 @0:1546[delattr]
 @0:200[delete_all_segments]
 @0:671[delete_array]
 @0:272[demangle_name]
 @0:1318[detach_process]
 @0:1650[diff_trace_file]
 @0:252[dword]
 @0:1076[enable_bpt]
 @0:1234[enable_tracing]
 @0:1607[end_type_updating]
 @0:16[error]
 @0:1220[eval]
 @0:1220[EVAL_FAILURE]
 @0:1122[eval_python]
 @0:1603[exec_idc]
 @0:1138[exec_python]
 @0:10[exit_process]
 @0:1351[expand_struc]
 @0:315[fclose]
 @0:321[fgetc]
 @0:316[filelength]
 @0:284[find_binary]
 @0:284[find_code]
 @0:1589[find_custom_data_format]
 @0:1219[find_custom_data_type]
 @0:284[find_data]
 @0:284[find_defined]
 @0:344[find_func_end]
 @0:284[find_imm]
 @0:291[find_selector]
 @0:284[find_suspop]
 @0:284[find_text]
 @0:284[find_unknown]
 @0:1077[first_func_chunk]
 @0:1547[firstattr]
 @0:314[fopen]
 @0:681[force_bl_call]
 @0:681[force_bl_jump]
 @0:1313[forget_exception]
 @0:1646[format_cdata]
 @0:323[fprintf]
 @0:322[fputc]
 @0:317[fseek]
 @0:318[ftell]
 @0:271[func_contains]
 @0:244[gen_file]
 @0:1253[gen_flow_graph]
 @0:1254[gen_simple_call_chart]
 @0:273[generate_disasm_line]
 @0:1572[get_appcall_options]
 @0:674[get_array_element]
 @0:669[get_array_id]
 @0:722[get_bmask_cmt]
 @0:721[get_bmask_name]
 @0:368[get_bookmark]
 @0:369[get_bookmark_desc]
 @0:1076[get_bpt_attr]
 @0:1076[get_bpt_ea]
 @0:1076[get_bpt_qty]
 @0:1651[get_bpt_tev_ea]
 @0:1600[get_bytes]
 @0:1651[get_call_tev_callee]
 @0:280[get_cmt]
 @0:167[get_color]
 @0:258[get_curline]
 @0:710[get_current_tev]
 @0:5[get_current_thread]
 @0:1366[get_db_byte]
 @0:1205[get_debug_name]
 @0:1209[get_debug_name_ea]
 @0:1503[get_debugger_event_cond]
 @0:253[get_double]
 @0:357[get_entry]
 @0:1307[get_entry_name]
 @0:356[get_entry_ordinal]
 @0:354[get_entry_qty]
 @0:406[get_enum]
 @0:408[get_enum_cmt]
 @0:410[get_enum_flag]
 @0:716[get_enum_member]
 @0:411[get_enum_member_bmask]
 @0:412[get_enum_member_by_name]
 @0:730[get_enum_member_cmt]
 @0:715[get_enum_member_enum]
 @0:729[get_enum_member_name]
 @0:413[get_enum_member_value]
 @0:407[get_enum_name]
 @0:409[get_enum_size]
 @0:1298[get_enum_width]
 @0:1214[get_event_bpt_hea]
 @0:1214[get_event_ea]
 @0:1214[get_event_exc_code]
 @0:1214[get_event_exc_ea]
 @0:1214[get_event_exc_info]
 @0:1214[get_event_exit_code]
 @0:1214[get_event_id]
 @0:1214[get_event_info]
 @0:1214[get_event_module_base]
 @0:1214[get_event_module_name]
 @0:1214[get_event_module_size]
 @0:1214[get_event_pid]
 @0:1214[get_event_tid]
 @0:1309[get_exception_code]
 @0:1310[get_exception_flags]
 @0:1310[get_exception_name]
 @0:1308[get_exception_qty]
 @0:278[get_extra_cmt]
 @0:1077[get_fchunk_attr]
 @0:1077[get_fchunk_referer]
 @0:1579[get_field_ea]
 @0:1157[get_file_ext]
 @0:717[get_first_bmask]
 @0:313[get_first_cref_from]
 @0:313[get_first_cref_to]
 @0:313[get_first_dref_from]
 @0:313[get_first_dref_to]
 @0:725[get_first_enum_member]
 @0:313[get_first_fcref_from]
 @0:313[get_first_fcref_to]
 @0:643[get_first_hash_key]
 @0:111[get_first_index]
 @0:384[get_first_member]
 @0:1212[get_first_module]
 @0:294[get_first_seg]
 @0:364[get_fixup_target_dis]
 @0:1683[get_fixup_target_flags]
 @0:363[get_fixup_target_off]
 @0:362[get_fixup_target_sel]
 @0:361[get_fixup_target_type]
 @0:708[get_flags]
 @0:253[get_float]
 @0:282[get_forced_operand]
 @0:253[get_fpnum]
 @0:348[get_frame_args_size]
 @0:345[get_frame_id]
 @0:346[get_frame_lvar_size]
 @0:650[get_frame_regs_size]
 @0:349[get_frame_size]
 @0:248[get_full_flags]
 @0:335[get_func_attr]
 @0:340[get_func_cmt]
 @0:337[get_func_flags]
 @0:339[get_func_name]
 @0:343[get_func_off_str]
 @0:1094[get_gotea]
 @0:643[get_hash_long]
 @0:643[get_hash_string]
 @0:247[get_idb_path]
 @0:1058[get_imagebase]
 @0:285[get_inf_attr]
 @0:246[get_input_file_path]
 @0:1119[get_ip_val]
 @0:268[get_item_end]
 @0:1605[get_item_head]
 @0:269[get_item_size]
 @0:718[get_last_bmask]
 @0:726[get_last_enum_member]
 @0:643[get_last_hash_key]
 @0:537[get_last_index]
 @0:385[get_last_member]
 @0:1291[get_local_tinfo]
 @0:652[get_manual_insn]
 @0:122[get_member_by_idx]
 @0:388[get_member_cmt]
 @0:390[get_member_flag]
 @0:1644[get_member_id]
 @0:387[get_member_name]
 @0:386[get_member_offset]
 @0:381[get_member_qty]
 @0:389[get_member_size]
 @0:391[get_member_strid]
 @0:1267[get_min_spd_ea]
 @0:1248[get_module_info]
 @0:1212[get_module_name]
 @0:1212[get_module_size]
 @0:270[get_name]
 @0:255[get_name_ea]
 @0:255[get_name_ea_simple]
 @0:1741[get_named_type_tid]
 @0:719[get_next_bmask]
 @0:313[get_next_cref_from]
 @0:313[get_next_cref_to]
 @0:313[get_next_dref_from]
 @0:313[get_next_dref_to]
 @0:727[get_next_enum_member]
 @0:1077[get_next_fchunk]
 @0:313[get_next_fcref_from]
 @0:313[get_next_fcref_to]
 @0:359[get_next_fixup_ea]
 @0:333[get_next_func]
 @0:643[get_next_hash_key]
 @0:610[get_next_index]
 @0:1212[get_next_module]
 @0:383[get_next_offset]
 @0:295[get_next_seg]
 @0:353[get_nsec_stamp]
 @0:1292[get_numbered_type_name]
 @0:1741[get_numbered_type_tid]
 @0:276[get_operand_type]
 @0:277[get_operand_value]
 @0:139[get_ordinal_limit]
 @0:1286[get_ordinal_qty]
 @0:250[get_original_byte]
 @0:720[get_prev_bmask]
 @0:728[get_prev_enum_member]
 @0:1077[get_prev_fchunk]
 @0:360[get_prev_fixup_ea]
 @0:334[get_prev_func]
 @0:643[get_prev_hash_key]
 @0:532[get_prev_index]
 @0:382[get_prev_offset]
 @0:1214[get_process_state]
 @0:1319[get_processes]
 @0:279[get_processor_name]
 @0:1321[get_qword]
 @0:169[get_reg_value]
 @0:1651[get_ret_tev_return]
 @0:246[get_root_filename]
 @0:257[get_screen_ea]
 @0:311[get_segm_attr]
 @0:256[get_segm_by_sel]
 @0:297[get_segm_end]
 @0:298[get_segm_name]
 @0:296[get_segm_start]
 @0:648[get_source_linnum]
 @0:645[get_sourcefile]
 @0:352[get_sp_delta]
 @0:351[get_spd]
 @0:261[get_sreg]
 @0:1649[get_step_trace_options]
 @0:283[get_str_type]
 @0:1516[get_strlit_contents]
 @0:379[get_struc_cmt]
 @0:377[get_struc_id]
 @0:378[get_struc_name]
 @0:380[get_struc_size]
 @0:1651[get_tev_ea]
 @0:1651[get_tev_mem]
 @0:1651[get_tev_mem_ea]
 @0:1651[get_tev_mem_qty]
 @0:1651[get_tev_qty]
 @0:1651[get_tev_reg]
 @0:1651[get_tev_tid]
 @0:1651[get_tev_type]
 @0:1166[get_thread_qty]
 @0:1533[get_tinfo]
 @0:1650[get_trace_file_desc]
 @0:172[get_type]
 @0:249[get_wide_byte]
 @0:252[get_wide_dword]
 @0:251[get_wide_word]
 @0:313[get_xref_type]
 @0:1543[getattr]
 @0:1625[getn_thread]
 @0:1249[getn_thread_name]
 @0:171[guess_type]
 @0:180[has_name]
 @0:180[has_user_name]
 @0:176[has_value]
 @0:180[has_xref]
 @0:1545[hasattr]
 @0:245[idadir]
 @0:175[import_type]
 @0:285[inf_is_32bit_or_higher]
 @0:285[inf_is_64bit]
 @0:285[inf_set_32bit]
 @0:285[inf_set_64bit]
 @0:181[is_align]
 @0:738[is_bf]
 @0:181[is_bin0]
 @0:181[is_bin1]
 @0:181[is_byte]
 @0:181[is_char0]
 @0:181[is_char1]
 @0:179[is_code]
 @0:285[is_code_far]
 @0:181[is_custfmt0]
 @0:181[is_custfmt1]
 @0:181[is_custom]
 @0:179[is_data]
 @0:285[is_data_far]
 @0:181[is_dec0]
 @0:181[is_dec1]
 @0:181[is_defarg0]
 @0:181[is_defarg1]
 @0:181[is_double]
 @0:181[is_dword]
 @0:181[is_enum0]
 @0:181[is_enum1]
 @0:1214[is_event_handled]
 @0:180[is_extra_cmts]
 @0:181[is_float]
 @0:181[is_float0]
 @0:181[is_float1]
 @0:180[is_flow]
 @0:179[is_head]
 @0:181[is_hex0]
 @0:181[is_hex1]
 @0:178[is_loaded]
 @0:181[is_manual0]
 @0:181[is_manual1]
 @0:482[is_mapped]
 @0:123[is_member_id]
 @0:181[is_oct0]
 @0:181[is_oct1]
 @0:181[is_off0]
 @0:181[is_off1]
 @0:181[is_oword]
 @0:181[is_pack_real]
 @0:181[is_qword]
 @0:181[is_seg0]
 @0:181[is_seg1]
 @0:181[is_stkvar0]
 @0:181[is_stkvar1]
 @0:181[is_strlit]
 @0:181[is_stroff0]
 @0:181[is_stroff1]
 @0:181[is_struct]
 @0:179[is_tail]
 @0:181[is_tbyte]
 @0:392[is_union]
 @0:179[is_unknown]
 @0:1650[is_valid_trace_file]
 @0:181[is_word]
 @0:181[is_yword]
 @0:1673[JDWP_ArrayReference_GetValues]
 @0:1673[JDWP_ArrayReference_Length]
 @0:1673[JDWP_Method_Bytecodes]
 @0:1673[JDWP_Method_VariableTable]
 @0:1673[JDWP_Method_VariableTableWithGeneric]
 @0:1673[JDWP_ObjectReference_ReferenceType]
 @0:1673[JDWP_ReferenceType_Fields]
 @0:1673[JDWP_ReferenceType_Instances]
 @0:1673[JDWP_ReferenceType_Methods]
 @0:1673[JDWP_ReferenceType_NestedTypes]
 @0:1673[JDWP_ReferenceType_Signature]
 @0:1673[JDWP_ReferenceType_SourceFile]
 @0:1673[JDWP_StackFrame_GetValue]
 @0:1673[JDWP_StringReference_Value]
 @0:1673[JDWP_ThreadReference_Frames]
 @0:1673[JDWP_ThreadReference_ThreadGroup]
 @0:1673[JDWP_VirtualMachine_AllClasses]
 @0:1673[JDWP_VirtualMachine_AllThreads]
 @0:1673[JDWP_VirtualMachine_ClassesBySignature]
 @0:1673[JDWP_VirtualMachine_IDSizes]
 @0:1673[JDWP_VirtualMachine_Version]
 @0:194[jumpto]
 @0:1548[lastattr]
 @0:653[load_and_run_plugin]
 @0:1137[load_debugger]
 @0:1650[load_trace_file]
 @0:1317[load_type]
 @0:1570[loader_input_t.close]
 @0:1551[loader_input_t.getc]
 @0:1576[loader_input_t.gets]
 @0:1427[loader_input_t.getz]
 @0:93[loader_input_t.read]
 @0:1553[loader_input_t.readbytes]
 @0:96[loader_input_t.seek]
 @0:95[loader_input_t.size]
 @0:1302[loader_input_t.tell]
 @0:319[loadfile]
 @0:189[ltoa]
 @0:206[make_array]
 @0:1617[mkdir]
 @0:1525[move_segm]
 @0:16[msg]
 @0:262[next_addr]
 @0:1077[next_func_chunk]
 @0:264[next_head]
 @0:266[next_not_tail]
 @0:1549[nextattr]
 @0:1575[object.retrieve]
 @0:1574[object.store]
 @0:696[op_bin]
 @0:696[op_chr]
 @0:696[op_dec]
 @0:704[op_enum]
 @0:1524[op_flt]
 @0:696[op_hex]
 @0:701[op_man]
 @0:700[op_num]
 @0:696[op_oct]
 @0:698[op_offset]
 @0:707[op_offset_high16]
 @0:697[op_plain_offset]
 @0:699[op_seg]
 @0:706[op_stkvar]
 @0:705[op_stroff]
 @0:1571[open_loader_input]
 @0:191[ord]
 @0:1756[parse_decl]
 @0:1517[parse_decls]
 @0:713[patch_byte]
 @0:1365[patch_dbg_byte]
 @0:679[patch_dword]
 @0:254[patch_qword]
 @0:714[patch_word]
 @0:202[plan_and_wait]
 @0:1161[plan_to_apply_idasgn]
 @0:263[prev_addr]
 @0:265[prev_head]
 @0:267[prev_not_tail]
 @0:1550[prevattr]
 @0:16[print]
 @0:1676[print_decls]
 @0:274[print_insn_mnem]
 @0:275[print_operand]
 @0:642[process_config_directive]
 @0:1293[process_config_line]
 @0:1431[process_ui_action]
 @0:367[put_bookmark]
 @0:603[qbasename]
 @0:602[qdirname]
 @0:197[qexit]
 @0:1060[qisabspath]
 @0:1066[qmake_full_path]
 @0:984[qmakefile]
 @0:1315[qsleep]
 @0:1321[qword]
 @0:1596[read_dbg_byte]
 @0:1598[read_dbg_dword]
 @0:1613[read_dbg_memory]
 @0:1599[read_dbg_qword]
 @0:1597[read_dbg_word]
 @0:712[read_msr]
 @0:260[read_selection_end]
 @0:259[read_selection_start]
 @0:325[readlong]
 @0:324[readshort]
 @0:328[readstr]
 @0:1526[rebase_program]
 @0:1426[recalc_spd]
 @0:1080[refresh_choosers]
 @0:1214[refresh_debugger_memory]
 @0:1080[refresh_idaview_anyway]
 @0:1077[remove_fchunk]
 @0:1615[rename]
 @0:670[rename_array]
 @0:676[rename_entry]
 @0:1214[resume_process]
 @0:8[resume_thread]
 @0:1294[retrieve_input_file_md5]
 @0:655[rotate_byte]
 @0:655[rotate_dword]
 @0:655[rotate_left]
 @0:655[rotate_word]
 @0:1213[run_to]
 @0:1127[RunPythonStatement]
 @0:1195[sanitize_file_name]
 @0:1303[save_database]
 @0:1650[save_trace_file]
 @0:320[savefile]
 @0:1096[search_path]
 @0:290[sel2para]
 @0:6[select_thread]
 @0:307[selector_by_name]
 @0:1592[send_dbg_command]
 @0:1572[set_appcall_options]
 @0:1572[SET_APPCALL_TIMEOUT]
 @0:672[set_array_long]
 @0:1334[set_array_params]
 @0:673[set_array_string]
 @0:724[set_bmask_cmt]
 @0:723[set_bmask_name]
 @0:1076[set_bpt_attr]
 @0:1076[set_bpt_cond]
 @0:204[set_cmt]
 @0:168[set_color]
 @0:710[set_current_tev]
 @0:1738[set_database_flag]
 @0:1505[set_debugger_event_cond]
 @0:1215[set_debugger_options]
 @0:308[set_default_sreg_value]
 @0:737[set_enum_bf]
 @0:735[set_enum_cmt]
 @0:736[set_enum_flag]
 @0:667[set_enum_member_cmt]
 @0:666[set_enum_member_name]
 @0:734[set_enum_name]
 @0:1301[set_enum_width]
 @0:1312[set_exception_flags]
 @0:1077[set_fchunk_attr]
 @0:365[set_fixup]
 @0:285[set_flag]
 @0:350[set_frame_size]
 @0:336[set_func_attr]
 @0:341[set_func_cmt]
 @0:332[set_func_end]
 @0:338[set_func_flags]
 @0:105[set_func_start]
 @0:643[set_hash_long]
 @0:643[set_hash_string]
 @0:289[set_ida_state]
 @0:285[set_inf_attr]
 @0:1289[set_local_type]
 @0:651[set_manual_insn]
 @0:402[set_member_cmt]
 @0:400[set_member_name]
 @0:401[set_member_type]
 @0:203[set_name]
 @0:1041[set_named_type]
 @0:1757[set_numbered_type]
 @0:286[set_processor_type]
 @0:170[set_reg_value]
 @0:1215[set_remote_debugger]
 @0:1314[set_root_filename]
 @0:306[set_segm_addressing]
 @0:304[set_segm_alignment]
 @0:312[set_segm_attr]
 @0:303[set_segm_class]
 @0:305[set_segm_combination]
 @0:302[set_segm_name]
 @0:310[set_segm_type]
 @0:301[set_segment_bounds]
 @0:292[set_selector]
 @0:647[set_source_linnum]
 @0:1649[set_step_trace_options]
 @0:1527[set_storage_type]
 @0:397[set_struc_cmt]
 @0:396[set_struc_name]
 @0:1077[set_tail_owner]
 @0:1583[set_target_assembler]
 @0:1650[set_trace_file_desc]
 @0:1544[setattr]
 @0:1580[sizeof]
 @0:677[split_sreg_range]
 @0:183[sprintf]
 @0:9[start_process]
 @0:710[step_back]
 @0:1213[step_into]
 @0:1213[step_over]
 @0:1213[step_until_ret]
 @0:1558[strfill]
 @0:185[stristr]
 @0:186[strlen]
 @0:185[strstr]
 @0:283[STRTERM1]
 @0:283[STRTERM2]
 @0:184[substr]
 @0:11[suspend_process]
 @0:7[suspend_thread]
 @0:1235[take_memory_snapshot]
 @0:1758[tinfo_errstr]
 @0:182[to_ea]
 @0:1734[TO_LONG]
 @0:703[toggle_bnot]
 @0:702[toggle_sign]
 @0:1185[tolower]
 @0:1186[toupper]
 @0:1560[trim]
 @0:1733[TRUNC]
 @0:1647[typeinfo.print]
 @0:1508[typeinfo.size]
 @0:1616[unlink]
 @0:709[update_extra_cmt]
 @0:654[update_hidden_range]
 @0:205[validate_idb_names]
 @0:1221[value_is_float]
 @0:1221[value_is_func]
 @0:1221[value_is_int64]
 @0:1221[value_is_long]
 @0:1221[value_is_object]
 @0:1221[value_is_pvoid]
 @0:1221[value_is_string]
 @0:1214[wait_for_next_event]
 @0:16[warning]
 @0:251[word]
 @0:1614[write_dbg_memory]
 @0:712[write_msr]
 @0:327[writelong]
 @0:326[writeshort]
 @0:329[writestr]
 @0:187[xtol]
@0:1416[]
Imports@0:242[]
Load Binary or User-Defined Format file
%/%*
  File name: %A

  <~B~inary file:R>>

  <~L~oading segment:N::18::> (in paragraphs)
  <Loading  ~o~ffset:N::18::>

  Processor: %1A
  <Change ~p~rocessor:B2:-1::::>

  <Analy~s~is options:B:2::::>

  <~C~reate segments:C>>

+@0:242[]
Load File
%/%*
  Load file %A as
9  <~B~inary file:R>3>

  <~L~oading segment:N::18::> (EXE & BIN)
  <Loading  ~o~ffset:N::18::> (BIN)

  <~C~reate segments:C>      (BIN)  Processor: %1A
  <Load ~r~esources:C>              <Change ~p~rocessor:B2:-1::::>
  <Rename DLL en~t~ries:C>
  <~M~anual load:C>                 <Analy~s~is options:B:2::::>
µ get_color▄
 ▀▀▀▀▀▀▀▀▀▀

get item color
     ea - address of the item
     what - type of the item (one of COLWHAT... constants)
returns: color code in RGB (hex 0xBBGGRR)

long get_color(long ea, long what);

// color item codes:
#define CIC_ITEM 1          // one instruction or data
#define CIC_FUNC 2          // function
#define CIC_SEGM 3          // segment

#define DEFCOLOR 0xFFFFFFFF     // Default color
 set_color▄
 ▀▀▀▀▀▀▀▀▀▀

set item color
     ea - address of the item
     what - type of the item (one of COLWHAT... constants)
     color - new color code in RGB (hex 0xBBGGRR)
returns: 1-ok, 0-failure

success set_color(long ea, long what, long color);
é get_reg_value▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get register value
     name - the register name
the debugger should be running. otherwise the function fails
the register name should be valid.
It is not necessary to use this function to get register values
because a register name in the script will do too.
returns: register value (integer or floating point)
Thread-safe function (may be called only from the main thread and debthread)

number get_reg_value(string name);
° set_reg_value▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

set register value
     name - the register name
     value - new register value
the debugger should be running
It is not necessary to use this function to set register values.
A register name in the left side of an assignment will do too.
Thread-safe function (may be called only from the main thread and debthread)

success set_reg_value(number value, string name);
ä guess_type▄
 ▀▀▀▀▀▀▀▀▀▀▀

Guess type of function/variable
     ea - the address of the object.
          can be the structure member id too
returns: type string, 0 - failed

string guess_type(long ea);
ª get_type▄
 ▀▀▀▀▀▀▀▀▀

Get type of function/variable
     ea - the address of the object
returns: type string, 0 - failed

string get_type(long ea);
 apply_type▄
 ▀▀▀▀▀▀▀▀▀▀▀

Apply the specified type to the address
     ea    - the address of the object
     type  - typeinfo object or a C declaration string with ';'
             if specified as zero or an empty string, then the type
             assciated with 'ea' will be deleted
     flags - combination of TINFO_... constants or 0
returns: 1-ok, 0-failed.
Note: this function accepts member ids and change struct member types too

success apply_type(long ea, typeinfo type, long flags = TINFO_DEFINITE);

#define TINFO_GUESSED    0x0000 // this is a guessed type
#define TINFO_DEFINITE   0x0001 // this is a definite type
#define TINFO_DELAYFUNC  0x0002 // if type is a function and no function exists at ea,
                                // schedule its creation and argument renaming to auto-analysis
                                // otherwise try to create it immediately
¾ add_default_til▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Load a type library
     name - name of type library.
returns: 1-ok, 0-failed.

success add_default_til(string name);
 import_type▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Copy information from type library to local types
   Copy structure, union, or enum definition from the type library
   to Local Types.
        idx       - -1, ignored
        type_name - name of type to copy
   returns: BADADDR-failed, otherwise the type id
                (tid of structure or enum type)

long import_type(long idx, string type_name);
Ó has_value▄
 ▀▀▀▀▀▀▀▀▀▀

Do flags contain byte value? (i.e. has the byte a value?)
if not, the byte is uninitialized.

#define has_value(F)   ((F & FF_IVL) != 0)     // any defined value?

 byte_value▄
 ▀▀▀▀▀▀▀▀▀▀▀

Get byte value from flags
Get value of byte provided that the byte is initialized.
This macro works ok only for 8-bit byte machines.

#define byte_value(F)  (F & MS_VAL)    // quick replacement for get_wide_byte()
 is_loaded▄
 ▀▀▀▀▀▀▀▀▀▀

Is the byte initialized?

#define is_loaded(ea)    has_value(get_full_flags(ea))  // any defined value?
 is_code▄
 ▀▀▀▀▀▀▀▀


#define MS_CLS  0x00000600             // Mask for typing
#define FF_CODE 0x00000600             // Code ?
#define FF_DATA 0x00000400             // Data ?
#define FF_TAIL 0x00000200             // Tail ?
#define FF_UNK  0x00000000             // Unknown ?

#define is_code(F)       ((F & MS_CLS) == FF_CODE) // is code byte?
#define is_data(F)       ((F & MS_CLS) == FF_DATA) // is data byte?
#define is_tail(F)       ((F & MS_CLS) == FF_TAIL) // is tail byte?
#define is_unknown(F)    ((F & MS_CLS) == FF_UNK)  // is unexplored byte?
#define is_head(F)       ((F & FF_DATA) != 0)      // is start of code/data?
± CommonBits▄
 ▀▀▀▀▀▀▀▀▀▀▀

//
//      Common bits
//

#define MS_COMM 0x000FF800             // Mask of common bits
#define FF_COMM 0x00000800             // Has comment?
#define FF_REF  0x00001000             // has references?
#define FF_LINE 0x00002000             // Has next or prev cmt lines ?
#define FF_NAME 0x00004000             // Has user-defined name ?
#define FF_LABL 0x00008000             // Has dummy name?
#define FF_FLOW 0x00010000             // Exec flow from prev instruction?
#define FF_SIGN 0x00020000             // Inverted sign of operands
#define FF_BNOT 0x00040000             // Bitwise negation of operands
#define FF_ANYNAME      (FF_LABL|FF_NAME)

#define is_flow(F)       ((F & FF_FLOW) != 0)
#define is_extra_cmts(F) ((F & FF_LINE) != 0)
#define has_xref(F)      ((F & FF_REF)  != 0)
#define has_name(F)      ((F & FF_NAME) != 0)
#define has_user_name(F) ((F & FF_ANYNAME) == FF_NAME)
n OpTypes▄
 ▀▀▀▀▀▀▀▀


#define MS_0TYPE 0x00F00000            // Mask for 1st arg typing
#define FF_0VOID 0x00000000            // Void (unknown)?
#define FF_0NUMH 0x00100000            // Hexadecimal number?
#define FF_0NUMD 0x00200000            // Decimal number?
#define FF_0CHAR 0x00300000            // Char ('x')?
#define FF_0SEG  0x00400000            // Segment?
#define FF_0OFF  0x00500000            // Offset?
#define FF_0NUMB 0x00600000            // Binary number?
#define FF_0NUMO 0x00700000            // Octal number?
#define FF_0ENUM 0x00800000            // Enumeration?
#define FF_0FOP  0x00900000            // Forced operand?
#define FF_0STRO 0x00A00000            // Struct offset?
#define FF_0STK  0x00B00000            // Stack variable?
#define FF_0FLT  0x00C00000            // Floating point number?
#define FF_0CUST 0x00D00000            // Custom format type?

#define MS_1TYPE 0x0F000000            // Mask for 2nd arg typing
#define FF_1VOID 0x00000000            // Void (unknown)?
#define FF_1NUMH 0x01000000            // Hexadecimal number?
#define FF_1NUMD 0x02000000            // Decimal number?
#define FF_1CHAR 0x03000000            // Char ('x')?
#define FF_1SEG  0x04000000            // Segment?
#define FF_1OFF  0x05000000            // Offset?
#define FF_1NUMB 0x06000000            // Binary number?
#define FF_1NUMO 0x07000000            // Octal number?
#define FF_1ENUM 0x08000000            // Enumeration?
#define FF_1FOP  0x09000000            // Forced operand?
#define FF_1STRO 0x0A000000            // Struct offset?
#define FF_1STK  0x0B000000            // Stack variable?
#define FF_1FLT  0x0C000000            // Floating point number?
#define FF_1CUST 0x0D000000            // Custom format type?

// The following macros answer questions like
//   'is the 1st (or 2nd) operand of instruction or data of the given type'?
// Please note that data items use only the 1st operand type (is...0)

#define is_defarg0(F)    ((F & MS_0TYPE) != FF_0VOID)
#define is_defarg1(F)    ((F & MS_1TYPE) != FF_1VOID)
#define is_dec0(F)       ((F & MS_0TYPE) == FF_0NUMD)
#define is_dec1(F)       ((F & MS_1TYPE) == FF_1NUMD)
#define is_hex0(F)       ((F & MS_0TYPE) == FF_0NUMH)
#define is_hex1(F)       ((F & MS_1TYPE) == FF_1NUMH)
#define is_oct0(F)       ((F & MS_0TYPE) == FF_0NUMO)
#define is_oct1(F)       ((F & MS_1TYPE) == FF_1NUMO)
#define is_bin0(F)       ((F & MS_0TYPE) == FF_0NUMB)
#define is_bin1(F)       ((F & MS_1TYPE) == FF_1NUMB)
#define is_off0(F)       ((F & MS_0TYPE) == FF_0OFF)
#define is_off1(F)       ((F & MS_1TYPE) == FF_1OFF)
#define is_char0(F)      ((F & MS_0TYPE) == FF_0CHAR)
#define is_char1(F)      ((F & MS_1TYPE) == FF_1CHAR)
#define is_seg0(F)       ((F & MS_0TYPE) == FF_0SEG)
#define is_seg1(F)       ((F & MS_1TYPE) == FF_1SEG)
#define is_enum0(F)      ((F & MS_0TYPE) == FF_0ENUM)
#define is_enum1(F)      ((F & MS_1TYPE) == FF_1ENUM)
#define is_manual0(F)    ((F & MS_0TYPE) == FF_0FOP)
#define is_manual1(F)    ((F & MS_1TYPE) == FF_1FOP)
#define is_stroff0(F)    ((F & MS_0TYPE) == FF_0STRO)
#define is_stroff1(F)    ((F & MS_1TYPE) == FF_1STRO)
#define is_stkvar0(F)    ((F & MS_0TYPE) == FF_0STK)
#define is_stkvar1(F)    ((F & MS_1TYPE) == FF_1STK)
#define is_float0(F)     ((F & MS_0TYPE) == FF_0FLT)
#define is_float1(F)     ((F & MS_1TYPE) == FF_1FLT)
#define is_custfmt0(F)   ((F & MS_0TYPE) == FF_0CUST)
#define is_custfmt1(F)   ((F & MS_1TYPE) == FF_1CUST)

//
//      Bits for DATA bytes
//
#define DT_TYPE       0xF0000000       // Mask for DATA typing

#define FF_BYTE       0x00000000       // byte
#define FF_WORD       0x10000000       // word
#define FF_DWORD      0x20000000       // dword
#define FF_QWORD      0x30000000       // qword
#define FF_TBYTE      0x40000000       // tbyte
#define FF_STRLIT     0x50000000       // ASCII    ?
#define FF_STRUCT     0x60000000       // Struct   ?
#define FF_OWORD      0x70000000       // octaword (16 bytes/128 bits)
#define FF_FLOAT      0x80000000       // float
#define FF_DOUBLE     0x90000000       // double
#define FF_PACKREAL   0xA0000000       // packed decimal real
#define FF_ALIGN      0xB0000000       // alignment directive
#define FF_CUSTOM     0xD0000000       // custom data type
#define FF_YWORD      0xE0000000       // ymm word (32 bytes/256 bits)
#define FF_ZWORD      0xF0000000       // zmm word (64 bytes/512 bits)

#define is_byte(F)      (is_data(F) && (F & DT_TYPE) == FF_BYTE)
#define is_word(F)      (is_data(F) && (F & DT_TYPE) == FF_WORD)
#define is_dword(F)     (is_data(F) && (F & DT_TYPE) == FF_DWORD)
#define is_qword(F)     (is_data(F) && (F & DT_TYPE) == FF_QWORD)
#define is_oword(F)     (is_data(F) && (F & DT_TYPE) == FF_OWORD)
#define is_yword(F)     (is_data(F) && (F & DT_TYPE) == FF_YWORD)
#define is_tbyte(F)     (is_data(F) && (F & DT_TYPE) == FF_TBYTE)
#define is_float(F)     (is_data(F) && (F & DT_TYPE) == FF_FLOAT)
#define is_double(F)    (is_data(F) && (F & DT_TYPE) == FF_DOUBLE)
#define is_pack_real(F) (is_data(F) && (F & DT_TYPE) == FF_PACKREAL)
#define is_strlit(F)    (is_data(F) && (F & DT_TYPE) == FF_STRLIT)
#define is_struct(F)    (is_data(F) && (F & DT_TYPE) == FF_STRUCT)
#define is_align(F)     (is_data(F) && (F & DT_TYPE) == FF_ALIGN)
#define is_custom(F)    (is_data(F) && (F & DT_TYPE) == FF_CUSTOM)

//
//      Bits for CODE bytes
//

#define MS_CODE 0xF0000000
#define FF_FUNC 0x10000000             // function start?
#define FF_IMMD 0x40000000             // Has Immediate value ?
#define FF_JUMP 0x80000000             // Has jump table

//
//      Loader flags
//

#define NEF_SEGS   0x0001               // Create segments
#define NEF_RSCS   0x0002               // Load resources
#define NEF_NAME   0x0004               // Rename entries
#define NEF_MAN    0x0008               // Manual load
#define NEF_FILL   0x0010               // Fill segment gaps
#define NEF_IMPS   0x0020               // Create imports section
#define NEF_FIRST  0x0080               // This is the first file loaded
#define NEF_CODE   0x0100               // for load_binary_file:
#define NEF_RELOAD 0x0200               // reload the file at the same place:
#define NEF_FLAT   0x0400               // Autocreated FLAT group (PE)
n to_ea▄
 ▀▀▀▀▀▀

Return value of expression: ((seg<<4) + off)

long to_ea(long seg, long off);
 sprintf▄
 ▀▀▀▀▀▀▀▀

Return a formatted string.
     format - printf-style format string.
              %a - means address expression.
              floating point values are output only in one format
               regardless of the character specified (f, e, g, E, G)
              %p is not supported.
Thread-safe function.

string sprintf(string format, ...);
# substr▄
 ▀▀▀▀▀▀▀

Return substring of a string
     str - input string
     x1  - starting index (0..n)
     x2  - ending index. If x2 == -1, then return substring
           from x1 to the end of string.
Thread-safe function.

string substr(string str, long x1, long x2);
 strstr▄
 ▀▀▀▀▀▀▀

Search a substring in a string
     str    - input string
     substr - substring to search
     icase  - is case-insensitive search?
returns: 0..n - index in the 'str' where the substring starts
         -1   - if the substring is not found
Thread-safe function.

long strstr(string str, string substr, bool icase=false);
#define stristr(str, substr) strstr((str), (substr), 1)
¦ strlen▄
 ▀▀▀▀▀▀▀

Return length of a string in bytes
     str - input string
Returns: length (0..n)
Thread-safe function.

long strlen(string str);
Í xtol▄
 ▀▀▀▀▀

Convert ascii string to a binary number.
(this function is the same as hexadecimal 'strtoul' from C library,
 use long() for atol)
Thread-safe function.

long xtol(string str);
 atoa▄
 ▀▀▀▀▀

Convert address value to a string
Returns address in the form 'seg000:1234'
(the same as in line prefixes)

string atoa(long ea);
ª ltoa▄
 ▀▀▀▀▀

Convert a number to a string.
     n - number
     radix - number base (2, 8, 10, 16)
Thread-safe function.

string ltoa(long n, long radix);
Ô atol▄
 ▀▀▀▀▀

Convert ascii string to a number
     str - a decimal representation of a number
returns: a binary number
See also @0:191[ord]() function
Thread-safe function.

long atol(string str);
Ó ord▄
 ▀▀▀▀

Get code of an ascii character
     str - string with one character
returns: a binary number, character code
See also @0:190[atol]() function
Thread-safe function.

long ord(string str);
² add_idc_hotkey▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Add hotkey for IDC function
     hotkey  - hotkey name ('a', "Alt-A", etc)
     idcfunc - IDC function name
returns:
#define IDCHK_OK        0       // ok
#define IDCHK_ARG       -1      // bad argument(s)
#define IDCHK_KEY       -2      // bad hotkey name
#define IDCHK_MAX       -3      // too many IDC hotkeys

long add_idc_hotkey(string hotkey, string idcfunc);
 del_idc_hotkey▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Delete IDC function hotkey

success del_idc_hotkey(string hotkey);
³ jumpto▄
 ▀▀▀▀▀▀▀

Move cursor to the specified linear address
     ea - linear address
Screen is refreshed at the end of IDC execution

success jumpto(long ea);
¾ auto_wait▄
 ▀▀▀▀▀▀▀▀▀▀

Wait for the end of autoanalysis
This function will suspend execution of IDC program
till the autoanalysis queue is empty.

void auto_wait();
 compile_idc_file▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Compile an IDC script file.
The input should not contain functions that are
currently executing - otherwise the behaviour of the replaced
functions is undefined.
     path - path to compile
returns: 0 - ok, otherwise it returns an error message.
Thread-safe function.

string compile_idc_file(string path);
 qexit▄
 ▀▀▀▀▀▀

Stop execution of IDC program, close the database and exit to OS
     code - code to exit with.
To quit without saving the database, execute the following line:
process_config_directive("ABANDON_DATABASE=YES");

void qexit(long code);
 call_system▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Execute an OS command.
IDA will wait for the started program to finish.
In order to start the command in parallel, use OS methods.
For example, you may start another program in parallel using "start" command.
     command - command line to execute
returns: error code from OS
Thread-safe function.

long call_system(string command);
"  <~F~ill segment gaps:C>4> (NE)
Ê delete_all_segments▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Delete all segments, instructions, comments, i.e. everything
except values of bytes.

void delete_all_segments();
Y create_insn▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Create an instruction at the specified address
     ea - linear address
returns: 0 - can't create an instruction (no such opcode, the instruction would
             overlap with existing items, etc)
         otherwise returns length of the instruction in bytes

long create_insn(long ea);
d plan_and_wait▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Perform full analysis of the range
     sEA        - starting linear address
     eEA        - ending linear address (excluded)
     final_pass - make the final pass over the specified range
returns: 1-ok, 0-Ctrl-Break was pressed.

long plan_and_wait(long sEA, long eEA, long final_pass=1);
C
 set_name▄
 ▀▀▀▀▀▀▀▀▀

Rename an address
     ea - linear address
     name - new name of address. If name == "", then delete old name
     flags - combination of SN_... constants
returns: 1-ok, 0-failure

success set_name(long ea, string name, long flags=SN_CHECK);

#define SN_CHECK        0x00    // Fail if the name contains invalid characters.
#define SN_NOCHECK      0x01    // Replace invalid characters silently.
                                // If this bit is set, all invalid chars
                                // (not in NameChars or MangleChars) will be replaced
                                // by '_'.
                                // List of valid characters is defined in ida.cfg
#define SN_PUBLIC       0x02    // if set, make name public
#define SN_NON_PUBLIC   0x04    // if set, make name non-public
#define SN_WEAK         0x08    // if set, make name weak
#define SN_NON_WEAK     0x10    // if set, make name non-weak
#define SN_AUTO         0x20    // if set, make name autogenerated
#define SN_NON_AUTO     0x40    // if set, make name non-autogenerated
#define SN_NOLIST       0x80    // if set, exclude name from the list
                                // if not set, then include the name into
                                // the list (however, if other bits are set,
                                // the name might be immediately excluded
                                // from the list)
#define SN_NOWARN       0x100   // don't display a warning if failed
#define SN_LOCAL        0x200   // create local name. a function should exist.
                                // local names can't be public or weak.
                                // also they are not included into the list of names
                                // they can't have dummy prefixes
#define SN_IDBENC       0x400   // the name is given in the IDB encoding;
                                // non-ASCII bytes will be decoded accordingly.
                                // Specifying SN_IDBENC also implies SN_NODUMMY
#define SN_FORCE        0x800   // if the specified name is already present
                                // in the database, try variations with a
                                // numerical suffix like "_123"
#define SN_NODUMMY      0x1000  // automatically prepend the name with '_' if it
                                // begins with a dummy suffix such as 'sub_'.
                                // See also SN_IDBENC
#define SN_DELTAIL      0x2000  // if name cannot be set because of a tail byte,
                                // delete the hindering item
Ó set_cmt▄
 ▀▀▀▀▀▀▀▀

Set an indented comment.
     ea      - linear address
     comment - comment string
     rptble  - is repeatable?

success set_cmt(long ea, string comment, long rptble);
ÿ validate_idb_names▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

check consistency of IDB name records, return number of bad ones
     do_repair: (bool) try to repair netnode header it TRUE

long validate_idb_names(long do_repair = 0);
l make_array▄
 ▀▀▀▀▀▀▀▀▀▀▀

Create an array.
     ea      - linear address
     nitems  - size of array in items
This function will create an array of the items with the same type as the
type of the item at 'ea'. If the byte at 'ea' is undefined, then this
function will create an array of bytes.

success make_array(long ea, long nitems);
 create_strlit▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Create a string.
This function creates a string (the string type is determined by the value
of get_inf_attr(INF_STRTYPE))
  ea      - linear address
  len     - length of the string in bytes
returns: 1-ok, 0-failure
note: the type of an existing string is returned by get_str_type()

success create_strlit(long ea, long len=0);
 create_byte▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Convert the current item to a byte
     ea - linear address
returns: 1-ok, 0-failure
This is a convenience macro, see also @0:18[create_data]() function

#define create_byte(ea)     create_data(ea, FF_BYTE, 1, BADADDR)
 create_word▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Convert the current item to a word (2 bytes)
     ea - linear address
returns: 1-ok, 0-failure
This is a convenience macro, see also @0:18[create_data]() function

#define create_word(ea)     create_data(ea, FF_WORD, 2, BADADDR)
) create_dword▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Convert the current item to a double word (4 bytes)
     ea - linear address
returns: 1-ok, 0-failure
This is a convenience macro, see also @0:18[create_data]() function

#define create_dword(ea)    create_data(ea, FF_DWORD, 4, BADADDR)
) create_qword▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Convert the current item to a quadro word (8 bytes)
     ea - linear address
returns: 1-ok, 0-failure
This is a convenience macro, see also @0:18[create_data]() function

#define create_qword(ea)    create_data(ea, FF_QWORD, 8, BADADDR)
2 create_oword▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Convert the current item to a octa word (16 bytes/128 bits)
     ea - linear address
returns: 1-ok, 0-failure
This is a convenience macro, see also @0:18[create_data]() function

#define create_oword(ea)    create_data(ea, FF_OWORD, 16, BADADDR)
1 create_yword▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Convert the current item to a ymm word (32 bytes/256 bits)
     ea - linear address
returns: 1-ok, 0-failure
This is a convenience macro, see also @0:18[create_data]() function

#define create_yword(ea)    create_data(ea, FF_YWORD, 32, BADADDR)
, create_float▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Convert the current item to a floating point (4 bytes)
     ea - linear address
returns: 1-ok, 0-failure
This is a convenience macro, see also @0:18[create_data]() function

#define create_float(ea)    create_data(ea, FF_FLOAT, 4, BADADDR)
8 create_double▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Convert the current item to a double floating point (8 bytes)
     ea - linear address
returns: 1-ok, 0-failure
This is a convenience macro, see also @0:18[create_data]() function

#define create_double(ea)   create_data(ea, FF_DOUBLE, 8, BADADDR)
WRAP
Packed Files ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Sometimes, executable files are shipped in a packed form. It means
that to disassemble these files you need to unpack them.

IDA displays this message if the relocation table of the input MZ executable file is
empty.WRAP
Bad Relocation Table ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Relocation table has references beyond program limits.WRAP
Additional information at the end of file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The file being loaded is not completely loaded to memory by the
operating system. This may be because:
        - the file is overlayed; IDA does not know this type of overlays
        - the file has debugging information attached to its end
        - the file has other type of information at the end

Anyway, IDA will not load the additional information.
ýWRAP
Overlayed files ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Some EXE files are built with overlays.
This means that the whole file is
not loaded into the memory at the start of
the program, but only a part of it. Other
parts are loaded by the program itself
into the dynamic memory or over some
subroutines of the program.  This fact
leads to many difficulties when you
disassemble such a program.

Currently,  IDA knows about overlays created by Borland and Microsoft C
and Pascal compilers.WRAP
Error loading overlays ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

One of the following occurred:

        - overlay stub is not found
        - overlay relocation data is incorrect

i.e. the input file structure is bad.
àWRAP
Maximal number of segments is reached ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

When IDA tried to delete bytes outside of any segment, the maximal number
of contiguous chunks is reached. This is NOT a fatal error.

Some bytes outside of any segment will be present => the output text
will be incorrect because of these bytes. However, you can delete them in the
output text using a text editor.
³WRAP
Cannot generate executable file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA produces executable files only for:
  - MS DOS .exe
  - MS DOS .com
  - MS DOS .drv
  - MS DOS .sys
  - general binary
  - Intel Hex Object Format
  - MOS Technology Hex Object Format

Furthermore, external loaders may or may not support the creation of user-defined
input file formats.
ÿWRAP
Bad input file format ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 The input file does not conform to the following definitions:

Intel Hex Object Format
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
This is the default format.  This format is
line  oriented  and  uses only printable ASCII characters except for
the carriage return/line feed at the end of each line.  Each line in
the file assumes the following format:

 :NNAAAARRHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHCCTT

Where:

All fields marked 'hex' consist of two  or  four  ASCII  hexadecimal
digits  (0-9,  A-F).  A maximum of 24 data bytes will be represented
on each line.

 :      = Record Start Character
 NN     = Byte Count (hex)
 AAAA   = Address of first byte (hex)
 RR     = Record Type (hex, 00 except for last record which is 01)
 HH     = Data Bytes (hex)
 CC     = Check Sum (hex)
 TT     = Line Terminator (carriage return, line feed)

The last line of the file will be a record conforming to  the  above
format with a byte count of zero (':00000001FF').

The checksum is defined as:

        sum      =  byte_count + address_hi + address_lo +
                        record_type + (sum of all data bytes)
        checksum =  ((-sum) & ffh)

MOS  Technology  Hex Object Format
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
This format is line oriented and
uses  only  printable  ASCII  characters  except  for  the  carriage
return/line  feed  at  the  end of each line.  Each line in the file
assumes the following format:

 ;NNAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHCCCCTT

Where:

All fields marked 'hex' consist of two  or  four  ASCII  hexadecimal
digits  (0-9,  A-F).  A maximum of 24 data bytes will be represented
on each line.

 ;      = Record Start Character
 NN     = Byte Count (hex)
 AAAA   = Address of first byte (hex)
 HH     = Data Bytes (hex)
 CCCC   = Check Sum (hex)
 TT     = Line Terminator (carriage return, line feed)

The last line of the file will be a record with a byte count of zero
(';00').

The checksum is defined as:

        sum      =  byte_count + address_hi + address_lo +
                        (sum of all data bytes)
        checksum =  (sum & ffffh)
 compile_idc_text▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Compile IDC script text.
The input should not contain functions that are
currently executing - otherwise the behaviour of the replaced
functions is undefined.
     idc_text - text to compile
returns: 0 - ok, otherwise it returns an error message.
Thread-safe function.

string compile_idc_text(string idc_text);
TWRAP
Choose mark number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command allows you to mark a location so that afterwards you can
jump to the marked location immediately. Select any line from the list.
The selected line will be used for mark description.
Afterwards, you will be able to jump to the marked location using <Alt-J> key.

You can use <Up>, <Down>, <PgUp>, <PgDn>, <Home>, <End> keys. If you
select the first line of the list, nothing will be selected.

Press <Enter> to select line, <Esc> to cancel.

See also:
 @0:227[How to jump to the marked location]¹WRAP
Enter mark description ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Mark description is any text line. The description is for your information only.ÂWRAP
Choose marked location ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command allows you to jump to the previously marked location.
Select any line. You will jump to the selected location.

You can use <Up>, <Down>, <PgUp>, <PgDn>, <Home>, <End> keys. If you
select the first line of the list, nothing will be selected.

Press <Enter> to select line, <Esc> to cancel.

See also:
 @0:225[How to mark a location]ÉWRAP
Cannot rename a location ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

It might be because of one of the following reasons:

1. The name is ill-formed:

        - it is a reserved word
          NOTE: IDA does not allow the use of register names as byte names.
        - it contains bad characters.
          The list of allowed characters is specified in IDA.CFG
        - it starts with a reserved prefix. Some prefixes are used
          by IDA to generate names. See @0:609[Names Representation]
          dialog for the list of prefixes.

2. The name is already used in the program. Try to use another @0:424[name].
   In order to know where the name is used, you can try to jump to it using
   @0:545[Jump to the Named Location]

3. The address cannot have a name:

     - IDA refuses to rename tail bytes (i.e. the second, third...
       bytes of instruction/data).
     - the address does not belong to the program
WRAP
Cannot find file segmentation ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀


The database is empty or corrupt. Unfortunately, all information has been lost.

Please use a backup copy of the database if there is any.

If you have previously saved your database into a text file,
you can load it. See the @0:444[Dump database] command for explanations.#  <~F~ill segment gaps:C>4> (OMF)
CWRAP
Negative Offsets ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

A segment cannot have bytes with negative offset from the segment base.
Example:
        if a segment base is 0x3000, this segment can have a
        start address above or equal to 0x30000, but it cannot
        have a start address 0x2FFFF.0WRAP
Cannot move segment start address ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA cannot change the segment start address if some instructions/data would occur outside
of the segment. @0:456[Undefine] this instructions/data first.WRAP
Cannot move segment start address ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA cannot change the segment start address because this segment with the
new start address would overlap another adjacent segment. For example,
the following situation:

  seg_a  starts at 0x0000 ends at 0x1000
  seg_b  starts at 0x1000 ends at 0x2000
  seg_c  starts at 0x2000 ends at 0x3000

If you ask to change seg_c so that it starts at 0x500, you'll see this
error message, because the new seg_c would overlap seg_b.

Please note that the end address never belongs to the segment in IDA.
¬WRAP
Cannot Create Database ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Most probably your disk is full or some disk I/O error occurred.óWRAP
Database is not closed ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The database was not closed after the last IDA session. Most probably
this happened due to a power fault, unexpected reboot of the computer,
or another abnormal session termination.

You may try to repair the database but the best solution would be to
use the intact packed database or use a backup.

The repairing may fail to recover the database.

See also the @0:444[Dump database] command.
ÎWRAP
Obsolete Database Format ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Please use an old version of IDA. The current
version of IDA does not support this database.
YWRAP
The Name List is Empty ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command allows you to select a name from the user defined names.
It means that no such names are defined now, or that all user-defined names are hidden.
To give a name to the location,
use @0:457[Rename] or @0:531[Rename any] commands.WRAP
Upgrading IDA database ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

If IDA finds out that your database has an old format, it will try to upgrade
the database to a new format.
The upgrade process is completely automatic, no user intervention
is needed. However, after upgrading your database, you will not be able to
work with it using old versions of IDA. That is why IDA asks your
confirmation before upgrading the database.

This feature works only for databases starting from IDA version 2.05.WRAP
Unexpected Database Format ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Database format is newer than expected.
That is because you are using an old version of IDA. The only thing you can do
is to get a new version of IDA.<WRAP
Imported module is not found ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

  IDA did not find the specified module in:
    - the current directory
    - the operating system directory (see switch @0:417[-W]
      and configuration file parameters @0:419[WINDIR,OS2DIR])

  OR
        - the module cannot be accepted because:
        - the module name (recorded in the file) doesn't match
          the expected name
        - the module does not contains any exported names (all exported functions
          are exported by ordinal numbers)

Entries imported by ordinal entries will not be commented. If IDA finds a module,
all entries that are imported by ordinal will be commented like this:

  KERNEL_91:
                retf            ; INITTASK
                                  ^^^^^^^^^
                                  comment

This comment will be propagated (@0:480[repeated]) to all
locations which call this
entry:

                call    far ptr KERNEL_91 ; INITTASK


IDA searches all files named "modulename.*" for the module.
If you know that the imported module resides in another directory,
copy it to your current directory. If the module file name is different
from "modulename.*",
rename it. After the database is loaded, you can
delete the copied module.

IDA also looks for file "modulename.ids"
  in the current directory
  in the IDS subdirectory of the directory where IDA.EXE resides
  in the PATHed directories

You can create such a file yourself. For an example, look at DOSCALLS.IDS
in the IDS subdirectory.
;WRAP
Selections in graphs ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Many graph operations are applied to the selected nodes. The current
node is considered to be part of the node selection for all operations.

The graph nodes can be selected using the mouse. To select many nodes at
once, press and hold the Ctrl key during the mouse operation. The Alt
key removes nodes from the current selection.

Internally, IDA keeps track of the selected nodes and edge layout points.
Edge layout points are the points where edges are bent. If the current
selection is moved in the graph, the selected edge layout points are
moved too.

The default color for the title of the selected nodes is light gray.
Other node titles are displayed with white color.

Back to @0:42[graph view] or @0:1626[proximity view]WRAP
Load file dialog ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Below is the description of dialog box fields:

 Load address - the paragraph where the file will be loaded.
                Meaningful only for EXE and binary files. For new exe
                files, please use 'manual load' feature.
 Load offset  - relevant only for binary files.
                specifies offset of the first byte from the start of
                the first segment. For example, if load offset=0x2700 and
                load address=0x1000, the first byte of the file will
                be at 1000:2700.
 DLL directory - path where IDA will look up referenced DLL files.
                Note that if IDA finds .IDS file, it does not look for
                .DLL file.
 Create segments        - relevant for binary files.
                          If not checked, IDA does not create segments.
 Load resources         - If not checked, IDA does not load resources from
                          NE files.
 Rename DLL entries     - If not checked, IDA makes repeatable comments
                          for entries imported by ordinals. Otherwise,
                          IDA renames the entries to meaningful names.
 Manual load            - relevant only for NE,LE,LX,ELF files.
                          If checked, IDA will ask loading addresses
                          and selectors for each object of the file.
                          For experienced users only!
 Fill segment gaps      - relevant only for COFF & OMF files.
                          If checked, IDA will fill gaps between
                          segments, creating one big chunk.
                          This option facilitates loading of big
                          object files.
 Make imports section   - relevant only for PE files.
                          If checked, IDA will convert .idata section
                          definitions to "extrn" directives and truncate it.
                          Unfortunately, sometimes there are some additional
                          data in .idata section so you'll need to disable
                          this feature if some information is not loaded
                          into the database.
 Create FLAT group      - relevant only for IBM PC PE files.
                          If checked, IDA will automatically create FLAT
                          group and use its selector as the default value
                          for the segment registers.
 Code segment           - If checked, IDA creates a code but not a data
                          segment. Relevant for processors with different
                          code/data segment addressing schemes (for
                          example, Atmel AVR).
 Loading options        - relevant only ELF,JAVA files.
                          If checked, IDA will ask additional loader
                          options. For experienced users only!
EWRAP
PE .idata section has additional data ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

If "create imports section" in the file loading dialog is checked,
IDA will convert .idata section definitions to "extrn"
directives and truncate it so it will not contain empty lines.

Unfortunately, sometimes there is some additional data in .idata
section so you'll need to disable this feature if some information is
not loaded into the database.

IDA tries to detect additional data in .idata section automatically.

If you disable conversion of .idata section to a segment with "extrn"
directives, you will see

somename        dd      ?

instead of

        extrn   somename

directives.

Another impact is that the .idata segment will not be truncated in any way.
Ó gen_file▄
 ▀▀▀▀▀▀▀▀▀

Generate an output file
     type  - type of output file. One of OFILE_... symbols. See below.
     fp    - the output file handle
     ea1   - start address. For some file types this argument is ignored
     ea2   - end address. For some file types this argument is ignored
     flags - bit combination of GENFLG_...
returns: number of the generated lines.
         -1 if an error occurred
         OFILE_EXE: 0-can't generate exe file, 1-ok

int gen_file(long type, long file_handle, long ea1, long ea2, long flags);

// output file types:

#define OFILE_MAP  0
#define OFILE_EXE  1
#define OFILE_IDC  2
#define OFILE_LST  3
#define OFILE_ASM  4
#define OFILE_DIF  5

// output control flags:

#define GENFLG_MAPSEGS 0x0001          // map: generate map of segments
#define GENFLG_MAPNAME 0x0002          // map: include dummy names
#define GENFLG_MAPDMNG 0x0004          // map: demangle names
#define GENFLG_MAPLOC  0x0008          // map: include local names
#define GENFLG_IDCTYPE 0x0008          // idc: gen only information about types
#define GENFLG_ASMTYPE 0x0010          // asm&lst: gen information about types too
#define GENFLG_GENHTML 0x0020          // asm&lst: generate html (gui version only)
#define GENFLG_ASMINC  0x0040          // asm&lst: gen information only about types
#define GENFLG_TIPLACE 0x0080          // asm&lst: dump tiplace (c syntax)
#define GENFLG_TIPLACE_ASM 0x0100      // asm&lst: dump tiplace (asm syntax)
 idadir▄
 ▀▀▀▀▀▀▀

Get IDA directory
This function returns the directory where IDA.EXE resides

string idadir();
 get_root_filename▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get input file name
This function returns name of the file being disassembled

string get_root_filename();             // only the file name
string get_input_file_path();           // full path
¢ get_idb_path▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Get IDB full path
This function returns full path of the current IDB database

string get_idb_path();
h get_full_flags▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get full internal flags
     ea - linear address
This function returns all bits, including MS_VAL and FF_IVL.
These bits may be expensive to retrieve when the debugger is active.
returns: 32-bit value of internal flags. See start of this file
for explanations.

long get_full_flags(long ea);
Í get_wide_byte▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get one wide byte of the program at 'ea'.
     ea - linear address
returns: value of byte. If byte has no value then returns 0xFF
Some processors may access more than 8bit quantity at an address.
These processors have 32-bit byte organization from the IDA's point of view.
To check if a byte has a value, use @0:178[is_loaded](ea).

long get_wide_byte(long ea);
#define byte(ea) get_wide_byte(ea)
ñ get_original_byte▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get original value of program byte
     ea - linear address
returns: the original value of byte before any patch applied to it

long get_original_byte(long ea);
ð get_wide_word▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get one wide word (2 'byte') of the program at 'ea'.
     ea - linear address
returns: the value of the word. If word has no value then returns 0xFFFF
Some processors may access more than 8bit quantity at an address.
These processors have 32-bit byte organization from the IDA's point of view.
This function takes into account order of bytes specified in inf.is_be()

long get_wide_word(long ea);
#define word(ea) get_wide_word(ea)
 get_wide_dword▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get value of program double word (4 bytes)
     ea - linear address
returns: the value of the double word. Throws an exception on failure.

long get_wide_dword(long ea);
#define dword(ea) get_wide_dword(ea)
3 get_fpnum▄
 ▀▀▀▀▀▀▀▀▀▀

Get value of a floating point number (4/8 bytes)
     ea - linear address or string that contains float number byte rep
Returns: a floating point number at the specified address.
If the bytes at the specified address cannot be represented as a floating
point number, then return integer value -1.
If the first argument has not long or string type, throw an exception

float get_fpnum(long ea, long size);

// Convenience macros:
#define get_float(ea)     get_fpnum(ea, 4)
#define get_double(ea)    get_fpnum(ea, 8)
Ñ patch_qword▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Change value of a quad word
     ea    - linear address
     value - new value of the quad word
Returns: 1 if the database has been modified,
         0 if either the debugger is running and the process' memory
           has value 'value' at address 'ea',
           or the debugger is not running, and the IDB
           has value 'value' at address 'ea' already.

success patch_qword(long ea, long value);
h get_name_ea▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Get linear address of a name
     from - the referring address.
            Allows to retrieve local label addresses in functions.
            If a local name is not found, then address of a global name is returned.
     name - name of program byte
returns: address of the name
         BADADDR - no such name
Dummy names (like byte_xxxx where xxxx are hex digits) are parsed by this
function to obtain the address. The database is not consulted for them.

long get_name_ea(long from, string name);
#define get_name_ea_simple(name)  get_name_ea(BADADDR, name)
 get_segm_by_sel▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get segment by segment base
     base - segment base paragraph or selector
returns: linear address of the start of the segment
         BADADDR - no such segment

long get_segm_by_sel(long base);
 get_screen_ea▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get linear address of cursor

long get_screen_ea();

#define here  get_screen_ea()
v get_curline▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Get the disassembly line at the cursor

string get_curline();
Á read_selection_start▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get start address of the selected range
returns BADADDR - no selection

long read_selection_start();
´ read_selection_end▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get end address of the selected area
returns BADADDR - no selection

long read_selection_end();
 get_sreg▄
 ▀▀▀▀▀▀▀▀▀

Get value of segment register at the specified address
     ea - linear address
     reg - name of segment register
returns: the value of the segment register. The segment registers in
32bit program usually contain selectors, so to get paragraph pointed by
the segment register you need to call sel2para() function.

long get_sreg(long ea, string reg);
Å next_addr▄
 ▀▀▀▀▀▀▀▀▀▀

Get next address in the program
     ea - linear address
returns: BADADDR - the specified address in the last used address

long next_addr(long ea);
Å prev_addr▄
 ▀▀▀▀▀▀▀▀▀▀

Get previous address in the program
     ea - linear address
returns: BADADDR - the specified address in the first address

long prev_addr(long ea);
U next_head▄
 ▀▀▀▀▀▀▀▀▀▀

Get next defined item (instruction or data) in the program
     ea    - linear address to start search from
     maxea - the search will stop at the address
             maxea is not included in the search range
returns: BADADDR - no (more) defined items

long next_head(long ea, long maxea);
U prev_head▄
 ▀▀▀▀▀▀▀▀▀▀

Get previous defined item (instruction or data) in the program
     ea    - linear address to start search from
     minea - the search will stop at the address
             minea is included in the search range
returns: BADADDR - no (more) defined items

long prev_head(long ea, long minea);
U next_not_tail▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get next not-tail address in the program
This function searches for the next displayable address in the program.
The tail bytes of instructions and data are not displayable.
     ea - linear address
returns: BADADDR - no (more) not-tail addresses

long next_not_tail(long ea);
] prev_not_tail▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get previous not-tail address in the program
This function searches for the previous displayable address in the program.
The tail bytes of instructions and data are not displayable.
     ea - linear address
returns: BADADDR - no (more) not-tail addresses

long prev_not_tail(long ea);
Ù get_item_end▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Get address of the end of the item (instruction or data)
     ea - linear address
returns: address past end of the item at 'ea'

long get_item_end(long ea);
³ get_item_size▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get size of instruction or data item in bytes
     ea - linear address
returns: 1..n

long get_item_size(long ea);
j get_name▄
 ▀▀▀▀▀▀▀▀▀

Get name at the specified address.
     ea        - linear address
     gtn_flags - how exactly the name should be retrieved.
                 combination of GN_ bits
returns: name

string get_name(long ea, long gtn_flags=0);

// GN_ bits for @0:270[get_name]() function.
// There is a convenience function calc_gtn_flags() to calculate the GN_LOCAL flag
#define GN_VISIBLE   0x0001     // replace forbidden characters by SUBSTCHAR
#define GN_COLORED   0x0002     // return colored name
#define GN_DEMANGLED 0x0004     // return demangled name
#define GN_STRICT    0x0008     // fail if cannot demangle
#define GN_SHORT     0x0010     // use short form of demangled name
#define GN_LONG      0x0020     // use long form of demangled name
#define GN_LOCAL     0x0040     // try to get local name first; if failed, get global
#define GN_ISRET     0x0080     // for dummy names: use retloc
#define GN_NOT_ISRET 0x0100     // for dummy names: do not use retloc

// Calculate flags for get_name() function
static calc_gtn_flags(from, ea)
{
  return func_contains(from, ea) ? GN_LOCAL : 0;
}
ð func_contains▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Does the given function contain the given address?
     func_ea - any address belonging to the function
     ea - linear address

success func_contains(long func_ea, long ea);
· demangle_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Demangle a name
     name - name to demangle
     disable_mask - a mask that tells how to demangle the name
                    it is a good idea to get this mask using
                    get_inf_attr(INF_SHORT_DN) or get_inf_attr(INF_LONG_DN)
Returns: a demangled name
If the input name cannot be demangled, returns 0

string demangle_name(string name, long disable_mask);
 generate_disasm_line▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get disassembly line
     ea - linear address of instruction
     flags - combination of the GENDSM_ flags, or 0
returns: "" - could not decode instruction at the specified location
note: this function may return not exactly the same mnemonics
as you see on the screen.

string generate_disasm_line(long ea, long flags);  // get disassembly line

// flags for generate_disasm_line
#define GENDSM_FORCE_CODE 1     // generate a disassembly line as if
                                // there is an instruction at 'ea'
#define GENDSM_MULTI_LINE 2     // if the instruction consists of several lines,
                                // produce all of them(useful for parallel instructions)
_ print_insn_mnem▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get instruction mnemonics
     ea - linear address of instruction
returns: 0 - no instruction at the specified location
note: this function may not return exactly the same mnemonics
as you see on the screen.

string print_insn_mnem(long ea);              // get instruction name
X print_operand▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get text representation of an operand
     ea - linear address of instruction (or data)
     n  - number of operand:
             0 - the first operand
             1 - the second operand
returns: the current text representation of operand

string print_operand(long ea, long n);
^	 get_operand_type▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get type of instruction operand
     ea - linear address of instruction
     n  - number of operand:
             0 - the first operand
             1 - the second operand
returns:
     -1      bad operand number passed

long get_operand_type(long ea, long n);

#define o_void        0  // No Operand                           ----------
#define o_reg         1  // General Register (al, ax, es, ds...) reg
#define o_mem         2  // Direct Memory Reference  (DATA)      addr
#define o_phrase      3  // Memory Ref [Base Reg + Index Reg]    phrase
#define o_displ       4  // Memory Reg [Base Reg + Index Reg + Displacement] phrase+addr
#define o_imm         5  // Immediate Value                      value
#define o_far         6  // Immediate Far Address  (CODE)        addr
#define o_near        7  // Immediate Near Address (CODE)        addr
#define o_idpspec0    8  // IDP specific type
#define o_idpspec1    9  // IDP specific type
#define o_idpspec2   10  // IDP specific type
#define o_idpspec3   11  // IDP specific type
#define o_idpspec4   12  // IDP specific type
#define o_idpspec5   13  // IDP specific type

// x86
#define o_trreg         o_idpspec0      // trace register
#define o_dbreg         o_idpspec1      // debug register
#define o_crreg         o_idpspec2      // control register
#define o_fpreg         o_idpspec3      // floating point register
#define o_mmxreg        o_idpspec4      // mmx register
#define o_xmmreg        o_idpspec5      // xmm register

// arm
#define o_reglist       o_idpspec1      // Register list (for LDM/STM)
#define o_creglist      o_idpspec2      // Coprocessor register list (for CDP)
#define o_creg          o_idpspec3      // Coprocessor register (for LDC/STC)
#define o_fpreglist     o_idpspec4      // Floating point register list
#define o_text          o_idpspec5      // Arbitrary text stored in the operand
#define o_cond          (o_idpspec5+1)  // ARM condition as an operand

// ppc
#define o_spr           o_idpspec0      // Special purpose register
#define o_twofpr        o_idpspec1      // Two FPRs
#define o_shmbme        o_idpspec2      // SH & MB & ME
#define o_crf           o_idpspec3      // crfield      x.reg
#define o_crb           o_idpspec4      // crbit        x.reg
#define o_dcr           o_idpspec5      // Device control register
j get_operand_value▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get number used in the operand
This function returns an immediate number used in the operand
     ea - linear address of instruction
     n  - the operand number
The return values are:
     operand is an immediate value  => immediate value
     operand has a displacement     => displacement
     operand is a direct memory ref => memory address
     operand is a register          => register number
     operand is a register phrase   => phrase number
     otherwise                      => -1

long get_operand_value(long ea, long n);
{ get_extra_cmt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get extra comment line
     ea - linear address
     n  - number of line (0..MAX_ITEM_LINES)
          MAX_ITEM_LINES is defined in IDA.CFG
To get anterior  line #n use (E_PREV + n)
To get posterior line #n use (E_NEXT + n)
Returns number 0 if the comment line does not exit

string get_extra_cmt(long ea, long n);
¬ get_processor_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get name of the current processor
returns: processor name

string get_processor_name();
´ get_cmt▄
 ▀▀▀▀▀▀▀▀

Get indented comment
     ea - linear address
     repeatable: 0-regular, !=0-repeatable comment

string get_cmt(long ea, long repeatable);
®WRAP
Zooming graphs ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The graph can be zoomed in and out. There are several ways of zooming the graph:

 - Use Ctrl-Wheel. The current mouse position will be the zoom center
   point (i.e. this point will not move during the zoom operation)
 - Use the predefined 'Zoom 100%' and 'Fit window' commands. They are
   available from the right-click menu or by their shortcuts: '1' and
   'W' respectively. The current mouse position is the zoom center
   point for the 'zoom 100%' command.
 - Use Ctrl-KeypadPlus or Ctrl-KeypadMinus keys. The current keyboard
   cursor is the zoom center for these commands.
 - Use Ctrl-Shift-drag. This lets you draw a rectangle to which IDA
   will zoom.

There are two options linked to the graph zooming:

 - Auto fit graph to window: will fit the current graph to the window
   size. Default: off
 - Fit window max zoom level 100%: the 'fit window' command does not
   use zoom levels higher than 100%. Default: on

The zoom level is never greater than 1000% and less than 1%.
IDA remembers the current zoom level for each location in the navigation
history.

Back to @0:42[graph view] or @0:1626[proximity view]" get_forced_operand▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get manually entered operand string
     ea - linear address
     n  - number of operand:
             0 - the first operand
             1 - the second operand

string get_forced_operand(long ea, long n);
ö get_str_type▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Get string type
     ea - linear address
Returns one of STRTYPE_... constants

long get_str_type(long ea);

// Character-terminated string. The termination characters are kept in
// the next bytes of string type.
#define STRTYPE_TERMCHR   (STRWIDTH_1B|STRLYT_TERMCHR<<STRLYT_SHIFT)
// C-style string.
#define STRTYPE_C         STRTYPE_TERMCHR
// Zero-terminated 16bit chars
#define STRTYPE_C_16      (STRWIDTH_2B|STRLYT_TERMCHR<<STRLYT_SHIFT)
// Zero-terminated 32bit chars
#define STRTYPE_C_32      (STRWIDTH_4B|STRLYT_TERMCHR<<STRLYT_SHIFT)
// Pascal-style, one-byte length prefix
#define STRTYPE_PASCAL    (STRWIDTH_1B|STRLYT_PASCAL1<<STRLYT_SHIFT)
// Pascal-style, 16bit chars, one-byte length prefix
#define STRTYPE_PASCAL_16 (STRWIDTH_2B|STRLYT_PASCAL1<<STRLYT_SHIFT)
// Pascal-style, two-byte length prefix
#define STRTYPE_LEN2      (STRWIDTH_1B|STRLYT_PASCAL2<<STRLYT_SHIFT)
// Pascal-style, 16bit chars, two-byte length prefix
#define STRTYPE_LEN2_16   (STRWIDTH_2B|STRLYT_PASCAL2<<STRLYT_SHIFT)
// Pascal-style, two-byte length prefix
#define STRTYPE_LEN4      (STRWIDTH_1B|STRLYT_PASCAL4<<STRLYT_SHIFT)
// Pascal-style, 16bit chars, two-byte length prefix
#define STRTYPE_LEN4_16   (STRWIDTH_2B|STRLYT_PASCAL4<<STRLYT_SHIFT)

#define         STRTERM1(strtype)       ((strtype>>8)&0xFF)
                                        // 3d byte:
#define         STRTERM2(strtype)       ((strtype>>16)&0xFF)
                                        // The termination characters are kept in
                                        // the 2nd and 3d bytes of string type
                                        // if the second termination character is
                                        // '\0', then it is ignored.
 Find▄
 ▀▀▀▀▀

The following functions search for the specified byte
     ea - address to start from
     flag is combination of the following bits:
Returns BADADDR - not found

#define SEARCH_UP       0x00            // search backward
#define SEARCH_DOWN     0x01            // search forward
#define SEARCH_NEXT     0x02            // start the search at the next/prev item
                                        // useful only for find_text() and find_binary()
                                        // for other Find.. functions it is implicitly set
#define SEARCH_CASE     0x04            // search case-sensitive
                                        // (only for bin&txt search)
#define SEARCH_REGEX    0x08            // enable regular expressions (only for txt)
#define SEARCH_NOBRK    0x10            // don't test ctrl-break
#define SEARCH_NOSHOW   0x20            // don't display the search progress

long find_suspop(long ea, long flag);
long find_code(long ea, long flag);
long find_data(long ea, long flag);
long find_unknown(long ea, long flag);
long find_defined(long ea, long flag);
long find_imm(long ea, long flag, long value);
long find_text(long ea, long flag, long y, long x, string str);
                // y - number of text line at ea to start from (0..MAX_ITEM_LINES)
                // x - x coordinate in this line
long find_binary(long ea, long flag, string str);
                // str - a string as a user enters it for Search Text in Core
                //      example:  "41 42" - find 2 bytes 41h, 42h
                // The default radix depends on the current IDP module
                // (radix for ibm pc is 16)
][ inf_attr▄
 ▀▀▀▀▀▀▀▀▀

The following functions allow you to set/get common parameters.
Please note that not all parameters can be set directly.

long    get_inf_attr(long attr);
success set_inf_attr(long attr, long value);

// Set or clear bits in parameter
//      attr   - same as for get_inf_attr()/set_inf_attr() functions
//      bits   - bit mask
//      on     - boolean value, set or clear bits
// Convenience function
void set_flag(long attr, long bits, long on);

// 'attr' may be one of the following:

#define INF_VERSION      0              // ushort;  Version of database
#define INF_PROCNAME     1              // char[16];Name of current processor
#define INF_GENFLAGS     2              // ushort;  General flags:
#define         INFFL_AUTO       0x01   //              Autoanalysis is enabled?
#define         INFFL_ALLASM     0x02   //              May use constructs not supported by
                                        //              the target assembler
#define         INFFL_LOADIDC    0x04   //              Loading an idc file that contains database info
#define         INFFL_NOUSER     0x08   //              do not store user info in the database
#define         INFFL_READONLY   0x10   //              (internal) temporary interdiction to modify the database
#define         INFFL_CHKOPS     0x20   //              check manual operands? (unused)
#define         INFFL_NMOPS      0x40   //              allow non-matched operands? (unused)
#define         INFFL_GRAPH_VIEW 0x80   //              currently using graph options (\dto{graph})
#define INF_LFLAGS       3              // uint32   IDP-dependent flags
#define     LFLG_PC_FPP     0x00000001  //              decode floating point
                                        //              processor instructions?
#define     LFLG_PC_FLAT    0x00000002  //              Flat model?
#define     LFLG_64BIT      0x00000004  //              64-bit program?
#define     LFLG_IS_DLL     0x00000008  //              is dynamic library?
#define     LFLG_FLAT_OFF32 0x00000010  //              treat REF_OFF32 as 32-bit offset for 16bit segments (otherwise try SEG16:OFF16)
#define     LFLG_MSF        0x00000020  //              byte order: is MSB first?
#define     LFLG_WIDE_HBF   0x00000040  //              bit order of wide bytes: high byte first?
#define     LFLG_DBG_NOPATH 0x00000080  //              do not store input full path
#define     LFLG_SNAPSHOT   0x00000100  //              is memory snapshot?
#define     LFLG_PACK       0x00000200  //              pack the database?
#define     LFLG_COMPRESS   0x00000400  //              compress the database?
#define     LFLG_KERNMODE   0x00000800  //              is kernel mode binary?

#define INF_DATABASE_CHANGE_COUNT 4     // uint32; database change counter; keeps track of byte and segment modifications

#define INF_FILETYPE     5              // ushort;  type of input file (see ida.hpp)
#define         FT_EXE_OLD      0       //              MS DOS EXE File (obsolete)
#define         FT_COM_OLD      1       //              MS DOS COM File (obsolete)
#define         FT_BIN          2       //              Binary File
#define         FT_DRV          3       //              MS DOS Driver
#define         FT_WIN          4       //              New Executable (NE)
#define         FT_HEX          5       //              Intel Hex Object File
#define         FT_MEX          6       //              MOS Technology Hex Object File
#define         FT_LX           7       //              Linear Executable (LX)
#define         FT_LE           8       //              Linear Executable (LE)
#define         FT_NLM          9       //              Netware Loadable Module (NLM)
#define         FT_COFF         10      //              Common Object File Format (COFF)
#define         FT_PE           11      //              Portable Executable (PE)
#define         FT_OMF          12      //              Object Module Format
#define         FT_SREC         13      //              R-records
#define         FT_ZIP          14      //              ZIP file (this file is never loaded to IDA database)
#define         FT_OMFLIB       15      //              Library of OMF Modules
#define         FT_AR           16      //              ar library
#define         FT_LOADER       17      //              file is loaded using LOADER DLL
#define         FT_ELF          18      //              Executable and Linkable Format (ELF)
#define         FT_W32RUN       19      //              Watcom DOS32 Extender (W32RUN)
#define         FT_AOUT         20      //              Linux a.out (AOUT)
#define         FT_PRC          21      //              PalmPilot program file
#define         FT_EXE          22      //              MS DOS EXE File
#define         FT_COM          23      //              MS DOS COM File
#define         FT_AIXAR        24      //              AIX ar library
#define         FT_MACHO        25      //              Mac OS X Mach-O file
#define INF_OSTYPE       6              // ushort;  FLIRT: OS type the program is for
#define         OSTYPE_MSDOS 0x0001
#define         OSTYPE_WIN   0x0002
#define         OSTYPE_OS2   0x0004
#define         OSTYPE_NETW  0x0008
#define INF_APPTYPE      7              // ushort;  FLIRT: Application type
#define         APPT_CONSOLE 0x0001     //              console
#define         APPT_GRAPHIC 0x0002     //              graphics
#define         APPT_PROGRAM 0x0004     //              EXE
#define         APPT_LIBRARY 0x0008     //              DLL
#define         APPT_DRIVER  0x0010     //              DRIVER
#define         APPT_1THREAD 0x0020     //              Singlethread
#define         APPT_MTHREAD 0x0040     //              Multithread
#define         APPT_16BIT   0x0080     //              16 bit application
#define         APPT_32BIT   0x0100     //              32 bit application
#define INF_ASMTYPE      8              // uchar;   target assembler number (0..n)
#define INF_SPECSEGS     9              // uchar;   What format do special segments use? 0-unspecified, 4-entries are 4 bytes, 8- entries are 8 bytes
                                        //          program execution

#define INF_AF          10              // uint32;  Analysis flags:
#define AF_CODE         0x00000001      //              Trace execution flow
#define AF_MARKCODE     0x00000002      //              Mark typical code sequences as code
#define AF_JUMPTBL      0x00000004      //              Locate and create jump tables
#define AF_PURDAT       0x00000008      //              Control flow to data segment is ignored
#define AF_USED         0x00000010      //              Analyze and create all xrefs
#define AF_UNK          0x00000020      //              Delete instructions with no xrefs

#define AF_PROCPTR      0x00000040      //              Create function if data xref data->code32 exists
#define AF_PROC         0x00000080      //              Create functions if call is present
#define AF_FTAIL        0x00000100      //              Create function tails
#define AF_LVAR         0x00000200      //              Create stack variables
#define AF_STKARG       0x00000400      //              Propagate stack argument information
#define AF_REGARG       0x00000800      //              Propagate register argument information
#define AF_TRACE        0x00001000      //              Trace stack pointer
#define AF_VERSP        0x00002000      //              Perform full SP-analysis. (\ph{verify_sp})
#define AF_ANORET       0x00004000      //              Perform 'no-return' analysis
#define AF_MEMFUNC      0x00008000      //              Try to guess member function types
#define AF_TRFUNC       0x00010000      //              Truncate functions upon code deletion

#define AF_STRLIT       0x00020000      //              Create string literal if data xref exists
#define AF_CHKUNI       0x00040000      //              Check for unicode strings
#define AF_FIXUP        0x00080000      //              Create offsets and segments using fixup info
#define AF_DREFOFF      0x00100000      //              Create offset if data xref to seg32 exists
#define AF_IMMOFF       0x00200000      //              Convert 32bit instruction operand to offset
#define AF_DATOFF       0x00400000      //              Automatically convert data to offsets

#define AF_FLIRT        0x00800000      //              Use flirt signatures
#define AF_SIGCMT       0x01000000      //              Append a signature name comment for recognized anonymous library functions
#define AF_SIGMLT       0x02000000      //              Allow recognition of several copies of the same function
#define AF_HFLIRT       0x04000000      //              Automatically hide library functions

#define AF_JFUNC        0x08000000      //              Rename jump functions as j_...
#define AF_NULLSUB      0x10000000      //              Rename empty functions as nullsub_...

#define AF_DODATA       0x20000000      //              Coagulate data segs at the final pass
#define AF_DOCODE       0x40000000      //              Coagulate code segs at the final pass
#define AF_FINAL        0x80000000      //              Final pass of analysis

#define INF_AF2         11              // uint32;  Analysis flags 2

#define AF2_DOEH        0x00000001      //              Handle EH information
#define AF2_DORTTI      0x00000002      //              Handle RTTI information
#define AF2_MACRO       0x00000004      //              Try to combine several instructions into a macro instruction

#define INF_BASEADDR    12              // uval_t;  base paragraph of the program
#define INF_START_SS    13              // sel_t;   value of SS at the start
#define INF_START_CS    14              // sel_t;   value of CS at the start
#define INF_START_IP    15              // ea_t;    IP register value at the start of
#define INF_START_EA    16              // ea_t;    Linear address of program entry point
#define INF_START_SP    17              // ea_t;    SP register value at the start of
#define INF_MAIN        18              // ea_t;    address of main()
#define INF_MIN_EA      19              // ea_t;    The lowest address used
                                        //          in the program
#define INF_MAX_EA      20              // ea_t;    The highest address used
                                        //          in the program - 1
#define INF_OMIN_EA     21              // ea_t;
#define INF_OMAX_EA     22              // ea_t;
#define INF_LOWOFF      23              // ea_t;    low limit of voids
#define INF_HIGHOFF     24              // ea_t;    high limit of voids
#define INF_MAXREF      25              // uval_t;  max xref depth
#define INF_PRIVRANGE_START_EA 27       // ea_t;    Range of addresses reserved for internal use.
#define INF_PRIVRANGE_END_EA 28         // ea_t;    Initially specified by cfgvar PRIVRANGE

#define INF_NETDELTA    29              // sval_t; Delta value to be added to all addresses for mapping to netnodes.
                                        // Initially 0.
// CROSS REFERENCES
#define INF_XREFNUM     30              // uchar;   Number of references to generate
                                        //          0 - xrefs won't be generated at all
#define INF_TYPE_XREFNUM 31             // uchar;   Number of references to generate
                                        //          in the struct & enum windows
                                        //          0 - xrefs won't be generated at all
#define INF_REFCMTNUM   32              // uchar; number of comment lines to
                                        //        generate for refs to ASCII
                                        //        string or demangled name
                                        //        0 - such comments won't be
                                        //        generated at all
#define INF_XREFFLAG    33              // uchar;   xrefs representation:
#define         SW_SEGXRF       0x01    //              show segments in xrefs?
#define         SW_XRFMRK       0x02    //              show xref type marks?
#define         SW_XRFFNC       0x04    //              show function offsets?
#define         SW_XRFVAL       0x08    //              show xref values? (otherwise-"...")

// NAMES
#define INF_MAX_AUTONAME_LEN 34         // ushort;  max autogenerated name length (without zero byte)
#define INF_NAMETYPE    34              // char;    dummy names representation type
#define         NM_REL_OFF      0
#define         NM_PTR_OFF      1
#define         NM_NAM_OFF      2
#define         NM_REL_EA       3
#define         NM_PTR_EA       4
#define         NM_NAM_EA       5
#define         NM_EA           6
#define         NM_EA4          7
#define         NM_EA8          8
#define         NM_SHORT        9
#define         NM_SERIAL      10
#define INF_SHORT_DEMNAMES 36           // uint32;  short form of demangled names
#define INF_LONG_DEMNAMES 37            // uint32;  long form of demangled names
                                        //          see demangle.h for definitions
#define INF_DEMNAMES    38              // uchar;   display demangled names as:
#define         DEMNAM_CMNT  0          //              comments
#define         DEMNAM_NAME  1          //              regular names
#define         DEMNAM_NONE  2          //              don't display
#define         DEMNAM_GCC3  4          //          assume gcc3 names (valid for gnu compiler)
#define         DEMNAM_FIRST 8          //          override type info
#define INF_LISTNAMES   39              // uchar;   What names should be included in the list?
#define         LN_NORMAL       0x01    //              normal names
#define         LN_PUBLIC       0x02    //              public names
#define         LN_AUTO         0x04    //              autogenerated names
#define         LN_WEAK         0x08    //              weak names

// DISASSEMBLY LISTING DETAILS
#define INF_INDENT      40              // uchar;   Indention for instructions
#define INF_CMT_INDENT  41              // uchar;   Indention for comments
#define INF_MARGIN      42              // ushort;  max length of data lines
#define INF_LENXREF     43              // ushort;  max length of line with xrefs
#define INF_OUTFLAGS    44              // uint32;  output flags
#define         OFLG_SHOW_VOID  0x0002  //              Display void marks?
#define         OFLG_SHOW_AUTO  0x0004  //              Display autoanalysis indicator?
#define         OFLG_GEN_NULL   0x0010  //              Generate empty lines?
#define         OFLG_SHOW_PREF  0x0020  //              Show line prefixes?
#define         OFLG_PREF_SEG   0x0040  //              line prefixes with segment name?
#define         OFLG_LZERO      0x0080  //              generate leading zeroes in numbers
#define         OFLG_GEN_ORG    0x0100  //              Generate 'org' directives?
#define         OFLG_GEN_ASSUME 0x0200  //              Generate 'assume' directives?
#define         OFLG_GEN_TRYBLKS 0x0400 //              Generate try/catch directives?
#define INF_CMTFLG      45              // uchar;   comments:
#define         SCF_RPTCMT       0x01   //              show repeatable comments?
#define         SCF_ALLCMT       0x02   //              comment all lines?
#define         SCF_NOCMT        0x04   //              no comments at all
#define         SCF_LINNUM       0x08   //              show source line numbers
#define         SCF_TESTMODE     0x10   //              testida.idc is running
#define         SCF_SHHID_ITEM   0x20   //              show hidden instructions
#define         SCF_SHHID_FUNC   0x40   //              show hidden functions
#define         SCF_SHHID_SEGM   0x80   //              show hidden segments
#define INF_LIMITER     46              // uchar;   Generate borders?
#define INF_BIN_PREFIX_SIZE 47          // short;   # of instruction bytes to show
                                        //          in line prefix
#define INF_PREFFLAG    48              // uchar;   line prefix type:
#define         PREF_SEGADR     0x01    //              show segment addresses?
#define         PREF_FNCOFF     0x02    //              show function offsets?
#define         PREF_STACK      0x04    //              show stack pointer?
#define         PREF_PFXTRUNC   0x08    //              truncate instruction bytes if they would need more than 1 line

// STRING LITERALS
#define INF_STRLIT_FLAGS 49             // uchar;   string literal flags
#define         STRF_GEN        0x01    //              generate names?
#define         STRF_AUTO       0x02    //              names have 'autogenerated' bit?
#define         STRF_SERIAL     0x04    //              generate serial names?
#define         STRF_COMMENT    0x10    //              generate auto comment for string references?
#define         STRF_SAVECASE   0x20    //              preserve case of strings for identifiers
#define INF_STRLIT_BREAK 50             // uchar;   string literal line break symbol
#define INF_STRLIT_ZEROES 51            // char;    leading zeroes
#define INF_STRTYPE     52              // int32;   current ascii string type
                                        //          is considered as several bytes:
                                        //      low byte:
// Number of bytes per "units" in a string.
#define STRWIDTH_1B 0
#define STRWIDTH_2B 1
#define STRWIDTH_4B 2
#define STRWIDTH_MASK 0x03
// The string layout; how the string is laid out in data.
#define STRLYT_TERMCHR 0
#define STRLYT_PASCAL1 1
#define STRLYT_PASCAL2 2
#define STRLYT_PASCAL4 3
#define STRLYT_MASK 0xFC
#define STRLYT_SHIFT 2

#define INF_STRLIT_PREF 53              // char[16];ASCII names prefix
#define INF_STRLIT_SERNUM 54            // uval_t;  serial number

// DATA ITEMS
#define INF_DATATYPES   55              // uval_t;  data types allowed in data carousel

// COMPILER
#define INF_CC_ID       57              // uchar;   compiler
#define      COMP_MASK        0x0F      //              mask to apply to get the pure compiler id
#define         COMP_UNK      0x00      // Unknown
#define         COMP_MS       0x01      // Visual C++
#define         COMP_BC       0x02      // Borland C++
#define         COMP_WATCOM   0x03      // Watcom C++
#define         COMP_GNU      0x06      // GNU C++
#define         COMP_VISAGE   0x07      // Visual Age C++
#define         COMP_BP       0x08      // Delphi
#define         COMP_UNSURE   0x80      // uncertain compiler id
#define INF_CC_CM       58              // cm_t;  memory model & calling convention. see below
#define INF_CC_SIZE_I   59              // uchar;  sizeof(int)
#define INF_CC_SIZE_B   60              // uchar;  sizeof(bool)
#define INF_CC_SIZE_E   61              // uchar;  sizeof(enum)
#define INF_CC_DEFALIGN 62              // uchar;  default alignment
#define INF_CC_SIZE_S   63              // uchar;
#define INF_CC_SIZE_L   64              // uchar;
#define INF_CC_SIZE_LL  65              // uchar;
#define INF_CC_SIZE_LDBL 66             // uchar;  sizeof(long double)
#define INF_ABIBITS     67              // uint32; ABI features
#define   ABI_8ALIGN4       0x00000001  //   4 byte alignment for 8byte scalars (__int64/double) inside structures?
#define   ABI_PACK_STKARGS  0x00000002  //   do not align stack arguments to stack slots
#define   ABI_BIGARG_ALIGN  0x00000004  //   use natural type alignment for argument if the alignment exceeds native word size (e.g. __int64 argument should be 8byte aligned on some 32bit platforms)
#define   ABI_STACK_LDBL    0x00000008  //   long double areuments are passed on stack
#define   ABI_STACK_VARARGS 0x00000010  //   varargs are always passed on stack (even when there are free registers)
#define   ABI_HARD_FLOAT    0x00000020  //   use the floating-point register set
#define   ABI_SET_BY_USER   0x00000040  //   compiler/abi were set by user flag and require SETCOMP_BY_USER flag to be changed
#define   ABI_GCC_LAYOUT    0x00000080  //   use gcc layout for udts (used for mingw)
#define   ABI_MAP_STKARGS   0x00000100  //   register arguments are mapped to stack area (and consume stack slots)
#define   ABI_HUGEARG_ALIGN 0x00000200  //   use natural type alignment for an argument
                                        //   even if its alignment exceeds double native word size
                                        //   (the default is to use double word max).
                                        //   e.g. if this bit is set, __int128 has 16-byte alignment
#define INF_APPCALL_OPTIONS 68          // uint32; appcall options

// Pointer size, memory model, and calling convention are encoded using:
#define  CM_MASK   0x03         // Default pointer size:
#define   CM_UNKNOWN     0x00   //   unknown
#define   CM_N8_F16      0x01   //   if sizeof(int)<=2: near 1 byte, far 2 bytes
#define   CM_N64         0x01   //   if sizeof(int)>2: near 8 bytes, far 8 bytes
#define   CM_N16_F32     0x02   //   near 2 bytes, far 4 bytes
#define   CM_N32_F48     0x03   //   near 4 bytes, far 6 bytes
#define  CM_M_MASK   0x0C       // Memory model:
#define   CM_M_NN        0x00   //   small:   code=near, data=near (or unknown if CM_UNKNOWN)
#define   CM_M_FF        0x04   //   large:   code=far, data=far
#define   CM_M_NF        0x08   //   compact: code=near, data=far
#define   CM_M_FN        0x0C   //   medium:  code=far, data=near

#define is_code_far(cm) (((cm) & 4) != 0) // Does the given model specify far code?
#define is_data_far(cm) (((cm) &= CM_M_MASK) && (cm) != CM_M_FN) // Does the given model specify far data?

\defgroup CM_CC_
//@{
#define  CM_CC_MASK   0xF0      // Calling convention
#define   CM_CC_INVALID    0x00 // this value is invalid
#define   CM_CC_UNKNOWN    0x10 // unknown calling convention
#define   CM_CC_VOIDARG    0x20 // function without arguments
                                // if has other cc and argnum == 0,
                                // represent as f() - unknown list
#define   CM_CC_CDECL      0x30 // stack
#define   CM_CC_ELLIPSIS   0x40 // cdecl + ellipsis
#define   CM_CC_STDCALL    0x50 // stack, purged
#define   CM_CC_PASCAL     0x60 // stack, purged, reverse order of args
#define   CM_CC_FASTCALL   0x70 // stack, purged (x86), first args are in regs (compiler-dependent)
#define   CM_CC_THISCALL   0x80 // stack, purged (x86), first arg is in reg (compiler-dependent)
#define   CM_CC_GOLANG     0xB0 // GO: arguments and return value in stack
#define   CM_CC_SPECIALE   0xD0 // ::CM_CC_SPECIAL with ellipsis
#define   CM_CC_SPECIALP   0xE0 // Equal to ::CM_CC_SPECIAL, but with purged stack.
#define   CM_CC_SPECIAL    0xF0 // usercall: locations of all arguments
                                // and the return value are explicitly specified

// Convenience function to set a flag bit
static set_flag(off, bit, value)
{
  auto v = get_inf_attr(off);
  v = value ? (bit | v) : (~bit & v);
  return set_inf_attr(off, v);
}
// Set/get application bitness
#define inf_set_64bit()          set_flag(INF_LFLAGS, LFLG_64BIT, 1)
#define inf_set_32bit()          set_flag(INF_LFLAGS, LFLG_PC_FLAT, 1)
#define inf_is_64bit()           ((get_inf_attr(INF_LFLAGS) & LFLG_64BIT) != 0)
#define inf_is_32bit_or_higher() ((get_inf_attr(INF_LFLAGS) & LFLG_PC_FLAT) != 0)

È set_processor_type▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Set target processor type.
Once a processor module is loaded, it cannot be replaced until we close the idb.
     processor - name of processor in short form.
     level     - the request level:
 SETPROC_IDB         set processor type for old idb
 SETPROC_LOADER      set processor type for new idb;
                     if the user has specified a compatible processor,
                     return success without changing it.
                     if failure, call loader_failure()
 SETPROC_LOADER_NON_FATAL the same as SETPROC_LOADER but non-fatal failures.
 SETPROC_USER        set user-specified processor
                     used for -p and manual processor change at later time

success set_processor_type(string processor, long level);

#define SETPROC_IDB              0
#define SETPROC_LOADER           1
#define SETPROC_LOADER_NON_FATAL 2
#define SETPROC_USER             3
 batch▄
 ▀▀▀▀▀▀

Enable/disable batch mode of operation
     batch:  0 - ida will display dialog boxes and wait for the user input
             1 - ida will not display dialog boxes, warnings, etc.
returns: old balue of batch flag

long batch(long batch);
Ë Asks▄
 ▀▀▀▀▀

// Ask the user to enter a string
//      defval - the default string value. This value
//               will appear in the dialog box.
//      hist   - history id. One of HIST_... constants
//      prompt - the prompt to display in the dialog box
// Returns: the entered string.

string ask_str(string defval, long hist, string prompt);

#define HIST_SEG    1           ///< segment names
#define HIST_CMT    2           ///< comments
#define HIST_SRCH   3           ///< search substrings
#define HIST_IDENT  4           ///< names
#define HIST_FILE   5           ///< file names
#define HIST_TYPE   6           ///< type declarations
#define HIST_CMD    7           ///< commands
#define HIST_DIR    8           ///< directory names (text version only)

// Ask the user to choose a file
//      for_saving- 0: "Open" dialog box, 1: "Save" dialog box
//      mask   - the input file mask as "*.*" or the default file name.
//      prompt - the prompt to display in the dialog box
// Returns: the selected file.

string ask_file(bool for_saving, string mask, string prompt);

// Ask the user to enter an address
//      defval - the default address value. This value
//               will appear in the dialog box.
//      prompt - the prompt to display in the dialog box
// Returns: the entered address or BADADDR.

long ask_addr(long defval, string prompt);

// Ask the user to enter a number
//      defval - the default value. This value
//               will appear in the dialog box.
//      prompt - the prompt to display in the dialog box
// Returns: the entered number or -1.

long ask_long(long defval, string prompt);

// Ask the user to enter a segment value
//      defval - the default value. This value
//               will appear in the dialog box.
//      prompt - the prompt to display in the dialog box
// Returns: the entered segment selector or BADSEL.

long ask_seg(long defval, string prompt);

// Ask the user a question and let him answer Yes/No/Cancel
//      defval - the default answer. This answer will be selected if the user
//               presses Enter.
//      prompt - the prompt to display in the dialog box
// Returns: -1:cancel, 0-no, 1-ok

long ask_yn(long defval, string prompt);
 set_ida_state▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Change IDA indicator.
Returns the previous status.

long set_ida_state(long status);

#define IDA_STATUS_READY    0 // READY     IDA is idle
#define IDA_STATUS_THINKING 1 // THINKING  Analyzing but the user may press keys
#define IDA_STATUS_WAITING  2 // WAITING   Waiting for the user input
#define IDA_STATUS_WORK     3 // BUSY      IDA is busy
< sel2para▄
 ▀▀▀▀▀▀▀▀▀

Get mapping of a selector.
        arguments:      sel - the selector number
        returns:        selector value if found
                        otherwise the input value (sel)
        note:           selector values are always in paragraphs

long sel2para(long sel);
 find_selector▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Find a selector that has mapping to the specified paragraph.
        arguments:      val - value to search for
        returns:        the selector number if found
                        otherwise the input value (val & 0xFFFF)
        note:           selector values are always in paragraphs

long find_selector(long val);
Ð set_selector▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

set a selector value
        arguments:      sel - the selector number
                        val - value of selector
        returns:        nothing
        note:           ida supports up to 4096 selectors.
                        if 'sel' == 'val' then the
                        selector is destroyed because
                        it has no significance

void set_selector(long sel, long value);
% del_selector▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

delete a selector
        arguments:      sel - the selector number to delete
        returns:        nothing
        note:           if the selector is found, it will
                        be deleted

void del_selector(long sel);
Å get_first_seg▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get first segment
returns: linear address of the start of the first segment
BADADDR - no segments are defined

long get_first_seg();
É get_next_seg▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Get next segment
     ea - linear address
returns: start of the next segment
         BADADDR - no next segment

long get_next_seg(long ea);
; get_segm_start▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get start address of a segment
     ea - any address in the segment
returns: start of segment
         BADADDR - the specified address doesn't belong to any segment
Note: it is a macro

#define get_segm_start(ea)  get_segm_attr(ea, SEGATTR_START)
R get_segm_end▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Get end address of a segment
     ea - any address in the segment
returns: end of segment (an address past end of the segment)
         BADADDR - the specified address doesn't belong to any segment
Note: it is a macro

#define get_segm_end(ea)    get_segm_attr(ea, SEGATTR_END)
! get_segm_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get name of a segment
     ea - any address in the segment
  flags - 0-name as is;1-substitute invalid chars with _
returns: segment name, 0 - no segment at the specified address

string get_segm_name(long ea, long flags=0);
P add_segm_ex▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Create a new segment
     startea  - linear address of the start of the segment
     endea    - linear address of the end of the segment
                this address will not belong to the segment
                'endea' should be higher than 'startea'
     base     - base paragraph or selector of the segment.
                a paragraph is 16byte memory chunk.
                If a selector value is specified, the selector should be
                already defined.
     use32    - 0: 16bit segment, 1: 32bit segment, 2: 64bit segment
     align    - segment alignment. see below for alignment values
     comb     - segment combination. see below for combination values.
     flags    - combination of ADDSEG_... bits
returns: 0-failed, 1-ok

success add_segm_ex(long startea, long endea, long sel, long use32, long align, long comb, long flags);

#define ADDSEG_NOSREG   0x0001  // set all default segment register values
                                // to BADSELs
                                // (undefine all default segment registers)
#define ADDSEG_OR_DIE   0x0002  // qexit() if can't add a segment
#define ADDSEG_NOTRUNC  0x0004  // don't truncate the new segment at the beginning
                                // of the next segment if they overlap.
                                // destroy/truncate old segments instead.
#define ADDSEG_QUIET    0x0008  // silent mode, no "Adding segment..." in the messages window
#define ADDSEG_FILLGAP  0x0010  // If there is a gap between the new segment
                                // and the previous one, and this gap is less
                                // than 64K, then fill the gap by extending the
                                // previous segment and adding .align directive
                                // to it. This way we avoid gaps between segments.
                                // Too many gaps lead to a virtual array failure.
                                // It cannot hold more than ~1000 gaps.
#define ADDSEG_SPARSE   0x0020  // Use sparse storage method for the new segment
1 del_segm▄
 ▀▀▀▀▀▀▀▀▀

Delete a segment
  ea      - any address in the segment
  flags   - combination of SEGMOD_... flags

success del_segm(long ea, long flags);

#define SEGMOD_KILL    0x0001 // disable addresses if segment gets shrinked or deleted
#define SEGMOD_KEEP    0x0002 // keep information (code & data, etc)
#define SEGMOD_SILENT  0x0004 // be silent
#define SEGMOD_KEEP0   0x0008 // flag for internal use, don't set
#define SEGMOD_KEEPSEL 0x0010 // do not try to delete unused selector
#define SEGMOD_NOMOVE  0x0020 // don't move info from the start of segment to
                              // the new start address (for set_segment_bounds())
#define SEGMOD_SPARSE  0x0040 // use sparse storage if extending the segment
                              // (for set_segment_bounds())
e set_segment_bounds▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Change segment boundaries
  ea      - any address in the segment
  startea - new start address of the segment
  endea   - new end address of the segment
  flags   - combination of SEGMOD_... flags

success set_segment_bounds(long ea, long startea, long endea, long flags);
Ô set_segm_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Change name of the segment
  ea      - any address in the segment
  name    - new name of the segment

success set_segm_name(long ea, string name);
Ü set_segm_class▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Change class of the segment
  ea      - any address in the segment
  class   - new class of the segment

success set_segm_class(long ea, string klass);
; set_segm_alignment▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Change alignment of the segment
  ea      - any address in the segment
  align   - new alignment of the segment, one of sa... constants
Note: it is a macro

#define set_segm_alignment(ea, alignment) set_segm_attr(ea, SEGATTR_ALIGN, alignment)
        #define saAbs         0  // Absolute segment.
        #define saRelByte     1  // Relocatable, byte aligned.
        #define saRelWord     2  // Relocatable, word (2-byte, 16-bit) aligned.
        #define saRelPara     3  // Relocatable, paragraph (16-byte) aligned.
        #define saRelPage     4  // Relocatable, aligned on 256-byte boundary (a "page"
                                 // in the original Intel specification).
        #define saRelDble     5  // Relocatable, aligned on a double word (4-byte)
                                 // boundary. This value is used by the PharLap OMF for
                                 // the same alignment.
        #define saRel4K       6  // This value is used by the PharLap OMF for page (4K)
                                 // alignment. It is not supported by LINK.
        #define saGroup       7  // Segment group
        #define saRel32Bytes  8  // 32 bytes
        #define saRel64Bytes  9  // 64 bytes
        #define saRelQword   10  // 8 bytes
Þ set_segm_combination▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Change combination of the segment
  ea      - any address in the segment
  comb    - new combination of the segment, one of sc... constants
Note: it is a macro

#define set_segm_combination(ea, comb) set_segm_attr(ea, SEGATTR_COMB, comb)
        #define scPriv     0    // Private. Do not combine with any other program
                                // segment.
        #define scPub      2    // Public. Combine by appending at an offset that meets
                                // the alignment requirement.
        #define scPub2     4    // As defined by Microsoft, same as C=2 (public).
        #define scStack    5    // Stack. Combine as for C=2. This combine type forces
                                // byte alignment.
        #define scCommon   6    // Common. Combine by overlay using maximum size.
        #define scPub3     7    // As defined by Microsoft, same as C=2 (public).
÷ set_segm_addressing▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Change segment addressing
  ea      - any address in the segment
  bitness - 0: 16bit, 1: 32bit, 2: 64bit

success set_segm_addressing(long ea, long bitness);
Õ selector_by_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get segment selector by name
     segname - name of segment
returns: segment selector or BADADDR

long selector_by_name(string segname);
Ñ set_default_sreg_value▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Set default segment register value for a segment
  ea      - any address in the segment
            if no segment is present at the specified address
            then all segments will be affected
  reg     - name of segment register
  value   - default value of the segment register. -1-undefined.

success set_default_sreg_value(long ea, string reg, long value);
K  <Make ~i~mports section:C> (PE&XBE)
  <Create FLAT ~g~roup:C>4>    (PE)
R set_segm_type▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

set segment type
        arguments:      segea - any address within segment
                        type  - new segment type:
        returns:        !=0 - ok
note: this function is a macro, see its definition at the end of idc.idc
Note: it is a macro

#define set_segm_type(ea, type)  set_segm_attr(ea, SEGATTR_TYPE, type)

#define SEG_NORM        0
#define SEG_XTRN        1       // * segment with 'extern' definitions
                                //   no instructions are allowed
#define SEG_CODE        2       // pure code segment
#define SEG_DATA        3       // pure data segment
#define SEG_IMP         4       // implementation segment
#define SEG_GRP         6       // * group of segments
                                //   no instructions are allowed
#define SEG_NULL        7       // zero-length segment
#define SEG_UNDF        8       // undefined segment type
#define SEG_BSS         9       // uninitialized segment
#define SEG_ABSSYM     10       // * segment with definitions of absolute symbols
                                //   no instructions are allowed
#define SEG_COMM       11       // * segment with communal definitions
                                //   no instructions are allowed
#define SEG_IMEM       12       // internal processor memory & sfr (8051)
 get_segm_attr▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get segment attribute
      arguments:      segea - any address within segment
                      attr  - one of SEGATTR_... (see @0:312[set_segm_attr]()) constants

long get_segm_attr(long segea, long attr);
®
 set_segm_attr▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

set segment attribute
     arguments:      segea - any address within segment
                     attr  - one of SEGATTR_... constants
Please note that not all segment attributes are modifiable.
Also some of them should be modified using special functions
like set_segment_bounds, set_segm_addressing, etc.

success set_segm_attr(long segea, long attr, long value);

#ifndef __EA64__
#define SEGATTR_START    0      // starting address
#define SEGATTR_END      4      // ending address
#define SEGATTR_ORGBASE 16
#define SEGATTR_ALIGN   20      // alignment
#define SEGATTR_COMB    21      // combination
#define SEGATTR_PERM    22      // permissions
#define SEGATTR_BITNESS 23      // bitness (0: 16, 1: 32, 2: 64 bit segment)
                                // Note: modifying the attribute directly does
                                // not lead to the reanalysis of the segment.
                                // Using set_segm_addressing() is more correct.
#define SEGATTR_FLAGS   24      // segment flags
#define SEGATTR_SEL     28      // segment selector
#define SEGATTR_ES      32      // default ES value
#define SEGATTR_CS      36      // default CS value
#define SEGATTR_SS      40      // default SS value
#define SEGATTR_DS      44      // default DS value
#define SEGATTR_FS      48      // default FS value
#define SEGATTR_GS      52      // default GS value
#define SEGATTR_TYPE    96      // segment type
#define SEGATTR_COLOR   100     // segment color
#else
#define SEGATTR_START    0
#define SEGATTR_END      8
#define SEGATTR_ORGBASE 32
#define SEGATTR_ALIGN   40
#define SEGATTR_COMB    41
#define SEGATTR_PERM    42
#define SEGATTR_BITNESS 43
#define SEGATTR_FLAGS   44
#define SEGATTR_SEL     48
#define SEGATTR_ES      56
#define SEGATTR_CS      64
#define SEGATTR_SS      72
#define SEGATTR_DS      80
#define SEGATTR_FS      88
#define SEGATTR_GS      96
#define SEGATTR_TYPE    184
#define SEGATTR_COLOR   188
#endif

// Segment permissions
#define SEGPERM_EXEC  1         // Execute
#define SEGPERM_WRITE 2         // Write
#define SEGPERM_READ  4         // Read
#define SEGPERM_MAXVAL (SEGPERM_EXEC + SEGPERM_WRITE + SEGPERM_READ)

// Valid segment flags
#define SFL_COMORG   0x01       // IDP dependent field (IBM PC: if set, ORG directive is not commented out)
#define SFL_OBOK     0x02       // orgbase is present? (IDP dependent field)
#define SFL_HIDDEN   0x04       // is the segment hidden?
#define SFL_DEBUG    0x08       // is the segment created for the debugger?
#define SFL_LOADER   0x10       // is the segment created by the loader?
#define SFL_HIDETYPE 0x20       // hide segment type (do not print it in the listing)
à Xrefs▄
 ▀▀▀▀▀▀

//      See sample file xrefs.idc to learn to use these functions.

//      Flow types (combine with XREF_USER!):
#define fl_CF   16              // Call Far
#define fl_CN   17              // Call Near
#define fl_JF   18              // jumpto Far
#define fl_JN   19              // jumpto Near
#define fl_F    21              // Ordinary flow

#define XREF_USER 32            // All user-specified xref types
                                // must be combined with this bit

// Mark exec flow 'from' 'to'
success add_cref(long from, long to, long flowtype);

// Unmark exec flow 'from' 'to'
// undef - make 'to' undefined if no
//        more references to it
// returns 1 - planned to be made undefined
long del_cref(long from, long to, int undef);

// The following functions include the ordinary flows:
// (the ordinary flow references are returned first)

// Get first code xref from 'from'
long get_first_cref_from(long From);

// Get next code xref from
long get_next_cref_from(long from, long current);

// Get first code xref to 'to'
long get_first_cref_to(long to);

// Get next code xref to 'to'
long get_next_cref_to(long to, long current);

// The following functions don't take into account the ordinary flows:
long get_first_fcref_from(long from);
long get_next_fcref_from(long from, long current);
long get_first_fcref_to(long to);
long get_next_fcref_to(long to, long current);

// Data reference types (combine with XREF_USER!):
#define dr_O    1                       // Offset
#define dr_W    2                       // Write
#define dr_R    3                       // Read
#define dr_T    4                       // Text (names in manual operands)
#define dr_I    5                       // Informational

// Create Data Ref
success add_dref(long From, long to, long dreftype);

// Unmark Data Ref
void del_dref(long from, long to);

// Get first data xref from 'from'
long get_first_dref_from(long from);
long get_next_dref_from(long From, long current);

// Get first data xref to 'to'
long get_first_dref_to(long to);
long get_next_dref_to(long to, long current);

// returns type of the last xref
// obtained by get_first_.../get_next_...
// functions. Return values
// are fl_... or dr_...
long get_xref_type();
½ fopen▄
 ▀▀▀▀▀▀

open a file
arguments: similar to C fopen()
returns: 0 - error
         otherwise a file handle
Thread-safe function.

long fopen(string file, string mode);
 fclose▄
 ▀▀▀▀▀▀▀

close a file
     handle - file handle
returns: nothing
Thread-safe function.

void fclose(long handle);
Ï filelength▄
 ▀▀▀▀▀▀▀▀▀▀▀

get file length
     handle - file handle
returns: -1 - error
         otherwise file length in bytes
Thread-safe function.

long filelength(long handle);
q fseek▄
 ▀▀▀▀▀▀

set cursor position in the file
     handle - file handle
     offset - offset from origin
     origin - 0 = from the start of file
              1 = from the current cursor position
              2 = from the end of file
returns: 0 - ok
         otherwise error
Thread-safe function.

long fseek(long handle, long offset, long origin);
É ftell▄
 ▀▀▀▀▀▀

get cursor position in the file
     handle - file handle
returns: -1 - error
         otherwise current cursor position
Thread-safe function.

long ftell(long handle);
J loadfile▄
 ▀▀▀▀▀▀▀▀▀

load file into IDA database
     handle - file handle or loader_input_t object
     pos    - position in the file
     ea     - linear address to load
     size   - number of bytes to load
returns: 0 - error
         1 - ok

success loadfile(long handle, long pos, long ea, long size);
= savefile▄
 ▀▀▀▀▀▀▀▀▀

save from IDA database to file
     handle  - file handle
     pos     - position in the file
     ea      - linear address to save from
     size    - number of bytes to save
returns: 0 - error
         1 - ok

success savefile(long handle, long pos, long ea, long size);
· fgetc▄
 ▀▀▀▀▀▀

read one byte from file
     handle  - file handle
returns: -1 - error
         otherwise a byte read.
Thread-safe function.

long fgetc(long handle);
Î fputc▄
 ▀▀▀▀▀▀

write one byte to file
     handle  - file handle
     byte    - byte to write
returns: 0 - ok
         -1 - error
Thread-safe function.

long fputc(long byte, long handle);
Ò fprintf▄
 ▀▀▀▀▀▀▀▀

fprintf
     handle  - file handle
     format  - format string
returns: 0 - ok
         -1 - error
Thread-safe function.

long fprintf(long handle, string format, ...);
M readshort▄
 ▀▀▀▀▀▀▀▀▀▀

read 2 bytes from file
     handle    - file handle
     mostfirst - 0 least significant byte is first (intel)
                 1 most  significant byte is first
returns: -1 - error
         otherwise: a 16-bit value
Thread-safe function.

long readshort(long handle, long mostfirst);
) readlong▄
 ▀▀▀▀▀▀▀▀▀

read 4 bytes from file
     handle  - file handle
     mostfirst  - 0 least significant byte is first (intel)
                  1 most  significant byte is first
returns: a 32-bit value
Thread-safe function.

long readlong(long handle, long mostfirst);
_ writeshort▄
 ▀▀▀▀▀▀▀▀▀▀▀

write 2 bytes to file
     handle    - file handle
     word      - a 16-bit value to write
     mostfirst - 0 least significant byte is first (intel)
                 1  most  significant byte is first
returns: 0 - ok
Thread-safe function.

long writeshort(long handle, long word, long mostfirst);
Z writelong▄
 ▀▀▀▀▀▀▀▀▀▀

write 4 bytes to file
     handle    - file handle
     dword     - a 32-bit value to write
     mostfirst - 0 least significant byte is first (intel)
                 1 most  significant byte is first
returns: 0 - ok
Thread-safe function.

long writelong(long handle, long dword, long mostfirst);
Õ readstr▄
 ▀▀▀▀▀▀▀▀

read a string from file
     handle  - file handle
returns: a string
Check for EOF like this: !value_is_string(retvalue)
Thread-safe function.

string readstr(long handle);
Ì writestr▄
 ▀▀▀▀▀▀▀▀▀

write a string to file
     handle  - file handle
     str     - string to write
returns: 0 - ok
Thread-safe function.

long writestr(long handle, string str);
Þ add_func▄
 ▀▀▀▀▀▀▀▀▀

create a function
     start, end - function bounds
                  If the function end address is BADADDR, then
                  IDA will try to determine the function bounds
                  automatically. IDA will define all necessary
                  instructions to determine the function bounds.
returns: !=0 - ok
note: an instruction should be present at the start address

success add_func(long start, long end=BADADDR);
 del_func▄
 ▀▀▀▀▀▀▀▀▀

delete a function
     ea - any address belonging to the function
returns: !=0 - ok

success del_func(long ea);
é set_func_end▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

change function end address
     ea  - any address belonging to the function
     end - new function end address
returns: !=0 - ok

success set_func_end(long ea, long end);
ü get_next_func▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

find next function
     ea - any address belonging to the function
returns: -1 - no more functions
         otherwise returns the next function start address

long get_next_func(long ea);
 get_prev_func▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

find previous function
     ea - any address belonging to the function
returns: -1 - no more functions
         otherwise returns the previous function start address

long get_prev_func(long ea);
| get_func_attr▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get a function attribute
     ea   - any address belonging to the function
     attr - one of FUNCATTR_... constants
returns: -1 - error
         otherwise returns the attribute value

long get_func_attr(long ea, long attr);

#ifndef __EA64__
#define FUNCATTR_START    0     // readonly: function start address
#define FUNCATTR_END      4     // readonly: function end address
#define FUNCATTR_FLAGS    8     // function flags
#define FUNCATTR_FRAME   16     // readonly: function frame id
#define FUNCATTR_FRSIZE  20     // readonly: size of local variables
#define FUNCATTR_FRREGS  24     // readonly: size of saved registers area
#define FUNCATTR_ARGSIZE 28     // readonly: number of bytes purged from the stack
#define FUNCATTR_FPD     32     // frame pointer delta
#define FUNCATTR_COLOR   36     // function color code
#define FUNCATTR_OWNER   16     // readonly: chunk owner (valid only for tail chunks)
#define FUNCATTR_REFQTY  20     // readonly: number of chunk parents (valid only for tail chunks)
#else // EA64
#define FUNCATTR_START    0
#define FUNCATTR_END      8
#define FUNCATTR_FLAGS   16
#define FUNCATTR_FRAME   24
#define FUNCATTR_FRSIZE  32
#define FUNCATTR_FRREGS  40
#define FUNCATTR_ARGSIZE 48
#define FUNCATTR_FPD     56
#define FUNCATTR_COLOR   64
#define FUNCATTR_OWNER   24
#define FUNCATTR_REFQTY  32
#endif

D set_func_attr▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

set a function attribute
     ea    - any address belonging to the function
     attr  - one of @0:335[FUNCATTR_...] constants.
     value - new value of the attribute
returns: 1 - ok
         0 - failed

success set_func_attr(long ea, long attr, long value);
/ get_func_flags▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

retrieve function flags
     ea - any address belonging to the function
returns: -1 - function doesn't exist
         otherwise returns the flags FUNC_...

#define get_func_flags(ea)        get_func_attr(ea, FUNCATTR_FLAGS)

#define FUNC_NORET         0x00000001     // function doesn't return
#define FUNC_FAR           0x00000002     // far function
#define FUNC_LIB           0x00000004     // library function
#define FUNC_STATIC        0x00000008     // static function
#define FUNC_FRAME         0x00000010     // function uses frame pointer (BP)
#define FUNC_USERFAR       0x00000020     // user has specified far-ness
                                          // of the function
#define FUNC_HIDDEN        0x00000040     // a hidden function
#define FUNC_THUNK         0x00000080     // thunk (jump) function
#define FUNC_BOTTOMBP      0x00000100     // BP points to the bottom of the stack frame
#define FUNC_NORET_PENDING 0x00000200     // Function 'non-return' analysis
                                          // must be performed. This flag is
                                          // verified upon func_does_return()
#define FUNC_SP_READY      0x00000400     // SP-analysis has been performed
                                          // If this flag is on, the stack
                                          // change points should not be not
                                          // modified anymore. Currently this
                                          // analysis is performed only for PC
#define FUNC_FUZZY_SP      0x00000800     // Function changes SP in untraceable way,
                                          // for example: and esp, 0FFFFFFF0h
#define FUNC_PROLOG_OK     0x00001000     // Prolog analysis has be performed
                                          // by last SP-analysis
#define FUNC_PURGED_OK     0x00004000     // 'argsize' field has been validated.
                                          // If this bit is clear and 'argsize'
                                          // is 0, then we do not known the real
                                          // number of bytes removed from
                                          // the stack. This bit is handled
                                          // by the processor module.
#define FUNC_TAIL          0x00008000     // This is a function tail.
                                          // Other bits must be clear
                                          // (except FUNC_HIDDEN)
#define FUNC_LUMINA        0x00010000     // Function info is provided by Lumina
#define FUNC_OUTLINE       0x00020000     // Outlined code, not a real function
#define FUNC_REANALYZE     0x00040000     // Function frame changed, request to
                                          // reanalyze the function after the last
                                          // insn is analyzed.
#define FUNC_UNWIND        0x00080000     // function is an exception unwind handler
#define FUNC_CATCH         0x00100000     // function is an exception catch handler
& set_func_flags▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

change function flags
     ea    - any address belonging to the function
     flags - see @0:337[get_func_flags]() for explanations
returns: !=0 - ok

#define set_func_flags(ea, flags) set_func_attr(ea, FUNCATTR_FLAGS, flags)
ô get_func_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

retrieve function name
     ea - any address belonging to the function
returns: 0 - function doesn't exist
         otherwise returns function name

string get_func_name(long ea);
, get_func_cmt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

retrieve function comment
     ea - any address belonging to the function
     repeatable - 1: get repeatable comment
                  0: get regular comment
returns: function comment string

string get_func_cmt(long ea, long repeatable);
B set_func_cmt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

set function comment
     ea         - any address belonging to the function
     cmt        - a function comment line
     repeatable - 1: get repeatable comment
                  0: get regular comment

void set_func_cmt(long ea, string cmt, long repeatable);
 choose_func▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

ask the user to select a function
     title - title of the dialog box
returns: -1 - user refused to select a function
         otherwise returns the selected function start address

long choose_func(string title);
¥ get_func_off_str▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

convert address to 'funcname+offset' string
     ea - address to convert
returns: if the address belongs to a function then
           return a string formed as 'name+offset'
           where 'name'   is a function name
                 'offset' is offset within the function
         else
           return 0

string get_func_off_str(long ea);
 find_func_end▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Determine a new function boundaries
     ea  - starting address of a new function
returns: if a function already exists,
         then return its end address.
         if a function end cannot be determined,
         then return BADADDR
         otherwise return the end address of the new function

long find_func_end(long ea);
± get_frame_id▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Get ID of function frame structure
     ea - any address belonging to the function
returns: ID of function frame.
         In order to access stack variables you need to use
         structure member manipulation functions with the
         obtained ID.
         -1 if function or function frame does not exist.

#define get_frame_id(ea)  get_func_attr(ea, FUNCATTR_FRAME)
 get_frame_lvar_size▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get size of local variables in function frame
     ea - any address belonging to the function
returns: Size of local variables in bytes.
         If the function doesn't have a frame, return 0
         If the function doesn't exist, return -1

#define get_frame_lvar_size(ea)  get_func_attr(ea, FUNCATTR_FRSIZE)
E create_pack_real▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Convert the current item to a packed real (10 or 12 bytes)
     ea - linear address
returns: 1-ok, 0-failure
This is a convenience macro, see also @0:18[create_data]() function

#define create_pack_real(ea) create_data(ea, FF_PACKREAL, 10, BADADDR)
« get_frame_args_size▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get size of arguments in function frame which are purged upon return
     ea - any address belonging to the function
returns: Size of function arguments in bytes.
         If the function doesn't have a frame, return 0
         If the function doesn't exist, return -1

#define get_frame_args_size(ea)  get_func_attr(ea, FUNCATTR_ARGSIZE)
s get_frame_size▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get full size of function frame
     ea - any address belonging to the function
returns: Size of function frame in bytes.
         This function takes into account size of local
         variables + size of saved registers + size of
         return address + number of purged bytes.
         The purged bytes correspond to the arguments of
         __stdcall functions.
         If the function doesn't have a frame, return size of
         function return address in the stack.
         If the function doesn't exist, return 0

long get_frame_size(long ea);
/ set_frame_size▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Make function frame
     ea      - any address belonging to the function
     lvsize  - size of function local variables
     frregs  - size of saved registers
     argsize - size of function arguments that will be purged
               from the stack upon return
returns: ID of function frame or -1
         If the function did not have a frame, the frame
         will be created. Otherwise the frame will be modified

long set_frame_size(long ea, long lvsize, long frregs, long argsize);
E get_spd▄
 ▀▀▀▀▀▀▀▀

Get current delta for the stack pointer
     ea      - end address of the instruction
               i.e. the last address of the instruction+1
returns: The difference between the original SP upon
         entering the function and SP for the specified address

long get_spd(long ea);
º get_sp_delta▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Get modification of SP made by the instruction
     ea      - end address of the instruction
               i.e. the last address of the instruction+1
returns: Get modification of SP made at the specified location
         If the specified location doesn't contain a SP
         change point, return 0
         Otherwise return delta of SP modification

long get_sp_delta(long ea);
ô get_nsec_stamp▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get the current timestamp, in nanoseconds.
   Retrieves the high-resolution current timestamp, in nanoseconds.
returns: the timestamp, a 64-bit number.

long get_nsec_stamp();
 get_entry_qty▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

retrieve number of entry points
returns: number of entry points

long get_entry_qty();
z add_entry▄
 ▀▀▀▀▀▀▀▀▀▀

add entry point
     ordinal  - entry point number
                if entry point doesn't have an ordinal
                number, 'ordinal' should be equal to 'ea'
     ea       - address of the entry point
     name     - name of the entry point. If null string,
                the entry point won't be renamed.
     makecode - if 1 then this entry point is a start
                of a function. Otherwise it denotes data bytes.
returns: 0 - entry point with the specified ordinal already exists
         1 - ok

success add_entry(long ordinal, long ea, string name, long makecode);

 get_entry_ordinal▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

retrieve entry point ordinal number
     index - 0..get_entry_qty()-1
returns: 0 if entry point doesn't exist
         otherwise entry point ordinal

long get_entry_ordinal(long index);
 get_entry▄
 ▀▀▀▀▀▀▀▀▀▀

retrieve entry point address
     ordinal - entry point number
               it is returned by get_entry_ordinal()
returns: -1 if entry point doesn't exist
         otherwise entry point address.
         If entry point address is equal to its ordinal
         number, then the entry point has no ordinal.

long get_entry(long ordinal);
ß"WRAP
Menu system ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

@0:428[Main Menu Bar]

  @0:429[File]
    @0:430[Load file]
      @0:431[Reload input file]
      @0:432[Script file]
      @0:433[Binary file]
      @0:434[IDS file]
      @0:435[Debug information file]
      @0:1374[PDB debug information file]
      @0:1512[TDS debug information file]
      @0:436[FLIRT signature file]
      @0:1367[C header file]
    @0:437[Script command]
    @0:438[Produce output file]
      @0:439[Generate MAP file]
      @0:440[Generate ASM file]
      @0:1475[Generate INC file]
      @0:441[Generate LST file]
      @0:442[Generate EXE file]
      @0:443[Generate DIF file]
      @0:1504[Generate HTML file]
      @0:1674[Generate SIG file]
      @0:1251[Generate flow chart GDL file]
      @0:1252[Generate call graph GDL file]
      @0:444[Dump database to IDC file]
      @0:445[Dump typeinfo to IDC file]
      @0:141[Create C header file]
    @0:447[Save database]
    @0:448[Save database as...]
    @0:1621[Take database snapshot...]
    @0:449[Abort]
    @0:450[Quit]
  @0:451[Edit]
    @0:420[Anchor]
    @0:1671[Export data]
    @0:1710[Undo]
    @0:1711[Redo]
    @0:452[instruction]
    @0:453[data]
    @0:454[strlit]
    @0:455[array]
    @0:456[undefine]
    @0:457[Rename]
    @0:458[Operand types]
      @0:1381[Offset]
        @0:467[Convert operand to offset (data segment)]
        @0:468[Convert operand to offset (code segment)]
        @0:469[Convert operand to offset (any segment)]
        @0:470[Convert operand to offset (user-defined base)]
        @0:472[Convert operand to struct offset]
      @0:1382[Number]
        @0:460[Convert operand to number]
        @0:461[Convert operand to hex number]
        @0:462[Convert operand to decimal number]
        @0:464[Convert operand to octal number]
        @0:463[Convert operand to binary number]
        @0:1380[Convert operand to floating point number]
        @0:1510[Toggle leading zeroes]
      @0:465[Convert operand to character]
      @0:466[Convert operand to segment]
      @0:473[Convert operand to symbolic constant (enum member)]
      @0:474[Convert operand to stack variable]
      @0:475[Change operand sign]
      @0:476[Bitwise negate operand]
      @0:477[User-defined operand]
      @0:1601[Set operand type]
    @0:478[Comments]
      @0:479[Create a regular comment]
      @0:480[Create a repeatable comments]
      @0:481[Create additional comment lines]
    @0:483[Functions]
      @0:484[Create function...]
      @0:485[Edit function...]
      @0:687[Append function tail...]
      @0:688[Remove function tail...]
      @0:486[Delete function...]
      @0:487[Set function end]
      @0:488[Define stack variables...]
      @0:489[Change stack pointer...]
      @0:1346[Rename register...]
      @0:1361[Set function/item type...]
    @0:490[Structures]
      @0:491[Add struct type...]
      @0:1370[Duplicate struct type...]
      @0:492[Del struct type]
      @0:493[Insert gap...]
      @0:494[Delete gap...]
      @0:495[Edit struct type...]
      @0:496[Declare struct var]
      @0:497[Force zero field offset]
      @0:498[Select union member...]
      @0:1392[Create struct type from data...]
    @0:506[Segments]
      @0:507[Create a new segment...]
      @0:513[Delete a segment...]
      @0:514[Change segment attributes...]
      @0:520[Move a segment...]
      @0:1408[Rebase program...]
      @0:521[Change segment translation...]
      @0:522[Set default segment register value...]
      @0:523[Change segment register value...]
    @0:526[Patch core]
      @0:527[Patch core...]
      @0:529[Assemble...]
      @0:1618[Apply patches to input file...]
    @0:530[Other]
      @0:533[Alignment...]
      @0:534[Manual instruction...]
      @0:1456[Color instruction...]
      @0:535[Hide/show border]
    @0:536[Plugins]
      @0:1761[Borland RTTI]
      @0:1675[DWARF]
      @0:1478[Golang]
      @0:1760[Find Functions]
      @0:1687[Objective-C]
      @0:1374[Pdb]
      @0:1477[Rust]
      @0:1479[Swift]
      @0:140[x64 MSVC C++ Exception Handler for the Decompiler]
    @0:543[Jump]
    @0:538[Jump immediate]
    @0:539[Jump back]
    @0:540[Undo last jump back]
    @0:541[Empty navigation stack]
    @0:544[Jump to address]
    @0:545[Jump to named location]
    @0:546[Jump to segment start]
    @0:547[Jump to segment register change point]
    @0:548[Jump to problematic location]
    @0:582[Mark location]
    @0:563[Jump to marked position]
    @0:564[Jump to cross reference]
    @0:565[Jump to cross reference to operand]
    @0:566[Jump to function]
    @0:567[Jump to entry point]
    @0:1393[Jump to file offset]
  @0:568[Search for]
    @0:569[suspicious operands]
    @0:1481[string with error]
    @0:570[instruction bytes]
    @0:571[data bytes]
    @0:572[unexplored bytes]
    @0:573[explored bytes]
    @0:574[immediate operand values]
    @0:576[substring in the text representation]
    @0:579[substring in the binary image of the file]
    @0:581[instructions not belonging to any function]
    @0:1373[find all suspicious operands]
    @0:1482[find all errors]
    @0:623[Search direction]
  @0:583[View]
    @0:1356[Open subviews...]
      @0:585[Open disassembly window]
      @0:1415[Open exports window]
      @0:1416[Open imports window]
      @0:586[Open functions window]
      @0:587[Open names window]
      @0:588[Open signatures window]
      @0:589[Open segments window]
      @0:590[Open segment registers window]
      @0:591[Open selectors window]
      @0:592[Open cross references window]
      @0:593[Open structures window]
      @0:1259[Open local types window]
      @0:595[Open problems window]
      @0:1358[Open type libraries window]
      @0:1379[Open strings window]
      @0:1383[Open function calls window]
      @0:1384[Open notepad]
      @0:1714[Open undo history]
    @0:1378[Graphs...]
      @0:1376[Display function flow-chart]
      @0:1377[Display function call graph]
      @0:1389[Display chart of xrefs to addresses]
      @0:1390[Display chart of xrefs from addresses]
      @0:1391[Display user-defined chart of xrefs]
    @0:596[Calculator]
    @0:597[View segment registers]
    @0:598[View internal flags]
    @0:1622[Database snapshot manager]
    @0:599[Hide]
    @0:600[Unhide]
    @0:1394[Del hidden range]
    @0:1387[Hide all]
    @0:1388[Unhide all]
    @0:601[Setup hidden items...]
  @0:1395[Debugger]
    @0:1396[Debugger window]
    @0:1423[Thread list]
    @0:1457[Module list]
    @0:1397[Start process]
    @0:1452[Attach to process...]
    @0:1398[Process options]
    @0:1399[Pause process]
    @0:1400[Terminate process]
    @0:1453[Detach from process]
    @0:1470[Take memory snapshot]
    @0:1697[Manual memory regions]
    @0:1401[Step into]
    @0:1402[Step over]
    @0:1442[Run until return]
    @0:1403[Run to cursor]
    @0:1471[Set current ip]
    @0:1472[Show application screen]
    @0:1454[Breakpoints]
      @0:1404[Breakpoint list]
      @0:1405[Add breakpoint]
      @0:1407[Edit breakpoint]
      @0:1488[Breakpoint conditions]
      @0:1406[Delete breakpoint]
      @0:1648[Page breakpoints]
    @0:1272[Source view]
      @0:1325[Watch view (source level)]
      @0:1518[Local variables]
    @0:1455[Watches (assembler level)]
      @0:1409[Watch list]
      @0:1410[Add watch]
      @0:1411[Del watch]
    @0:1443[Tracing]
      @0:1629[Trace management]
      @0:1444[Tracing window]
        @0:1630[Select trace]
        @0:1631[Other options]
        @0:1632[Edit trace description]
        @0:1634[Diff to binary trace]
        @0:1633[Remove binary trace]
        @0:1635[Import binary trace]
        @0:1636[Export binary trace]
        @0:1637[Export trace to text file]
        @0:1638[Show trace callgraph]
      @0:1445[Clear trace]
      @0:1446[Instruction tracing]
      @0:1447[Function tracing]
      @0:1628[Basic block tracing]
      @0:1448[Add write trace]
      @0:1448[Add write trace]
      @0:1449[Add read/write trace]
      @0:1450[Add execution trace]
      @0:1412[Stack trace]
      @0:1451[Tracing Options]
    @0:1413[Debugger options]
    @0:1461[Switch debugger...]
  @0:1698[Lumina]
  @0:604[Options]
    @0:605[Text representation...]
    @0:1369[Comments...]
    @0:607[Representation of cross references...]
    @0:608[Assembler directives...]
    @0:609[Names representation...]
    @0:611[Demangled C++ names...]
    @0:1354[Compiler...]
    @0:613[STRLIT string style...]
    @0:614[String options...]
    @0:615[Colors...]
    @0:616[Dump/normal View]
    @0:617[Setup data types...]
    @0:618[Processor type...]
    @0:619[Target assembler...]
    @0:620[Analysis options...]
    @0:1371[Miscellaneous...]
  @0:624[Windows]
    @0:1419[Load desktop...]
    @0:1420[Save desktop...]
    @0:1421[Delete desktop...]
    @0:1422[Reset desktop]
    @0:1464[Reset hidden messages...]
    @0:625[Set video mode...]
    @0:626[External help]
    @0:627[Keyboard layout] get_next_fixup_ea▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

find next address with fixup information
     ea - current address
returns: -1 - no more fixups
         otherwise returns the next address with fixup information

long get_next_fixup_ea(long ea);
 get_prev_fixup_ea▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

find previous address with fixup information
     ea - current address
returns: -1 - no more fixups
         otherwise returns the previous address with fixup information

long get_prev_fixup_ea(long ea);
 get_fixup_target_type▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get fixup target type
     ea - address to get information about
returns: -1 - no fixup at the specified address
         otherwise returns fixup target type FIXUP_...

long get_fixup_target_type(long ea);

#define FIXUP_MASK      0xF
#define FIXUP_BYTE      FIXUP_OFF8 // 8-bit offset.
#define FIXUP_OFF8      0       // 8-bit offset.
#define FIXUP_OFF16     1       // 16-bit offset.
#define FIXUP_SEG16     2       // 16-bit base--logical segment base (selector).
#define FIXUP_PTR32     3       // 32-bit long pointer (16-bit base:16-bit
                                // offset).
#define FIXUP_OFF32     4       // 32-bit offset.
#define FIXUP_PTR48     5       // 48-bit pointer (16-bit base:32-bit offset).
#define FIXUP_HI8       6       // high  8 bits of 16bit offset
#define FIXUP_HI16      7       // high 16 bits of 32bit offset
#define FIXUP_LOW8      8       // low   8 bits of 16bit offset
#define FIXUP_LOW16     9       // low  16 bits of 32bit offset
#define FIXUP_REL       0x10    // fixup is relative to the linear address
                                // specified in the 3d parameter to set_fixup()
#define FIXUP_SELFREL   0x0     // self-relative?
                                //   - disallows the kernel to convert operands
                                //      in the first pass
                                //   - this fixup is used during output
                                // This type of fixups is not used anymore.
                                // Anyway you can use it for commenting purposes
                                // in the loader modules
#define FIXUP_EXTDEF    0x20    // target is a location (otherwise - segment)
#define FIXUP_UNUSED    0x40    // fixup is ignored by IDA
                                //   - disallows the kernel to convert operands
                                //   - this fixup is not used during output
#define FIXUP_CREATED   0x80    // fixup was not present in the input file
' get_fixup_target_sel▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get fixup target selector
     ea - address to get information about
returns: -1 - no fixup at the specified address
         otherwise returns fixup target selector

long get_fixup_target_sel(long ea);
# get_fixup_target_off▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get fixup target offset
     ea - address to get information about
returns: -1 - no fixup at the specified address
         otherwise returns fixup target offset

long get_fixup_target_off(long ea);
/ get_fixup_target_dis▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get fixup target displacement
     ea - address to get information about
returns: -1 - no fixup at the specified address
         otherwise returns fixup target displacement

long get_fixup_target_dis(long ea);
' set_fixup▄
 ▀▀▀▀▀▀▀▀▀▀

set fixup information
     ea        - address to set fixup information about
     type      - fixup type. see get_fixup_target_type()
                 for possible fixup types.
     fixupf    - FIXUPF_... bits
     targetsel - target selector
     targetoff - target offset
     displ     - displacement
returns: none

void set_fixup(long ea, long type, long fixupf, long targetsel, long targetoff, long displ);

The fixupf argument may have the following bits:
fixup is relative to the linear address `base'. Otherwise fixup is
relative to the start of the segment with `sel' selector.
#define FIXUPF_REL         0x0001

target is a location (otherwise - segment).
Use this bit if the target is a symbol rather than an offset from the
beginning of a segment.
#define FIXUPF_EXTDEF      0x0002

fixup is ignored by IDA
  - disallows the kernel to convert operands
  - this fixup is not used during output
#define FIXUPF_UNUSED      0x0004

fixup was not present in the input file
#define FIXUPF_CREATED     0x0008
¥ del_fixup▄
 ▀▀▀▀▀▀▀▀▀▀

delete fixup information
     ea - address to delete fixup information about
returns: none

void del_fixup(long ea);
0 put_bookmark▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

mark position
     ea      - address to mark
     lnnum   - number of generated line for the 'ea'
     x       - x coordinate of cursor
     y       - y coordinate of cursor
     slot    - slot number: 0..1023
               if the specified value is not within the range,
               IDA will ask the user to select slot.
     comment - description of the mark.
               Should be not empty.
returns: none

void put_bookmark(long ea, long lnnum, long x, long y, long slot, string comment);
] get_bookmark▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

get marked position
     slot    - slot number: 0..1023
               if the specified value is <= 0,
               IDA will ask the user to select slot.
returns: -1 - the slot doesn't contain a marked address
         otherwise returns the marked address

long get_bookmark(long slot);
$ get_bookmark_desc▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get marked position comment
     slot    - slot number: 0..1023
returns: 0 if the slot doesn't contain a marked address
         otherwise returns the marked address comment

string get_bookmark_desc(long slot);
ó get_struc_id▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

get structure ID by structure name
     structure type name
returns: -1 if bad structure type name is passed
         otherwise returns structure ID.

long get_struc_id(string name);
ó get_struc_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get structure type name
     structure type ID
returns: -1 if bad structure type ID is passed
         otherwise returns structure type name.

string get_struc_name(long id);
W get_struc_cmt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get structure type comment
     id         - structure type ID
     repeatable - 1: get repeatable comment
                  0: get regular comment
returns: 0 if bad structure type ID is passed
         otherwise returns comment.

string get_struc_cmt(long id, long repeatable);
 get_struc_size▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get size of a structure
     id         - structure type ID
returns: 0 if bad structure type ID is passed
         otherwise returns size of structure in bytes.

long get_struc_size(long id);
	 get_member_qty▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get number of members of a structure
     id         - structure type ID
returns: -1 if bad structure type ID is passed
         otherwise returns number of members.

long get_member_qty(long id);
^ get_prev_offset▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get previous offset in a structure
     id     - structure type ID
     offset - current offset
returns: -1 if bad structure type ID is passed
         or no (more) offsets in the structure
         otherwise returns previous offset in a structure.
         NOTE: IDA allows 'holes' between members of a
               structure. It treats these 'holes'
               as unnamed arrays of bytes.
         This function returns a member offset or a hole offset.
         It will return size of the structure if input
         'offset' is bigger than the structure size.
         NOTE: Union members are, in IDA's internals, located
               at subsequent byte offsets: member 0 -> offset 0x0,
               member 1 -> offset 0x1, etc...

long get_prev_offset(long id, long offset);
` get_next_offset▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get next offset in a structure
     id     - structure type ID
     offset - current offset
returns: -1 if bad structure type ID is passed
         or no (more) offsets in the structure
         otherwise returns next offset in a structure.
         NOTE: IDA allows 'holes' between members of a
               structure. It treats these 'holes'
               as unnamed arrays of bytes.
         This function returns a member offset or a hole offset.
         It will return size of the structure if input
         'offset' belongs to the last member of the structure.
         NOTE: Union members are, in IDA's internals, located
               at subsequent byte offsets: member 0 -> offset 0x0,
               member 1 -> offset 0x1, etc...

long get_next_offset(long id, long offset);
 get_first_member▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get offset of the first member of a structure
     id            - structure type ID
returns: -1 if bad structure type ID is passed
         or structure has no members
         otherwise returns offset of the first member.
         NOTE: IDA allows 'holes' between members of a
               structure. It treats these 'holes'
               as unnamed arrays of bytes.
         NOTE: Union members are, in IDA's internals, located
               at subsequent byte offsets: member 0 -> offset 0x0,
               member 1 -> offset 0x1, etc...

long get_first_member(long id);
 get_last_member▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get offset of the last member of a structure
     id            - structure type ID
returns: -1 if bad structure type ID is passed
         or structure has no members
         otherwise returns offset of the last member.
         NOTE: IDA allows 'holes' between members of a
               structure. It treats these 'holes'
               as unnamed arrays of bytes.
         NOTE: Union members are, in IDA's internals, located
               at subsequent byte offsets: member 0 -> offset 0x0,
               member 1 -> offset 0x1, etc...

long get_last_member(long id);
Y get_member_offset▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get offset of a member of a structure by the member name
     id            - structure type ID
     member_name   - name of structure member
returns: -1 if bad structure type ID is passed
         or no such member in the structure
         otherwise returns offset of the specified member.
         NOTE: Union members are, in IDA's internals, located
               at subsequent byte offsets: member 0 -> offset 0x0,
               member 1 -> offset 0x1, etc...

long get_member_offset(long id, string member_name);
u get_member_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get name of a member of a structure
     id            - structure type ID
     member_offset - member offset. The offset can be
                     any offset in the member. For example,
                     is a member is 4 bytes long and starts
                     at offset 2, then 2, 3, 4, 5 denote
                     the same structure member.
returns: 0 if bad structure type ID is passed
           or no such member in the structure
         otherwise returns name of the specified member.

string get_member_name(long id, long member_offset);
Ñ get_member_cmt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get comment of a member
     id            - structure type ID
     member_offset - member offset. The offset can be
                     any offset in the member. For example,
                     is a member is 4 bytes long and starts
                     at offset 2, then 2, 3, 4, 5 denote
                     the same structure member.
     repeatable   - 1: get repeatable comment
                    0: get regular comment
returns: 0 if bad structure type ID is passed
           or no such member in the structure
         otherwise returns comment of the specified member.

string get_member_cmt(long id, long member_offset, long repeatable);
o get_member_size▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get size of a member
     id            - structure type ID
     member_offset - member offset. The offset can be
                     any offset in the member. For example,
                     is a member is 4 bytes long and starts
                     at offset 2, then 2, 3, 4, 5 denote
                     the same structure member.
returns: -1 if bad structure type ID is passed
            or no such member in the structure
         otherwise returns size of the specified member in bytes.

long get_member_size(long id, long member_offset);

 get_member_flag▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get type of a member
     id            - structure type ID
     member_offset - member offset. The offset can be
                     any offset in the member. For example,
                     is a member is 4 bytes long and starts
                     at offset 2, then 2, 3, 4, 5 denote
                     the same structure member.
returns: -1 if bad structure type ID is passed
            or no such member in the structure
         otherwise returns type of the member, see bit
         definitions above. If the member type is a structure
         then function @0:391[get_member_strid]() should be used to
         get the structure type id.

long get_member_flag(long id, long member_offset);
° get_member_strid▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get structure id of a member
     id            - structure type ID
     member_offset - member offset. The offset can be
                     any offset in the member. For example,
                     is a member is 4 bytes long and starts
                     at offset 2, then 2, 3, 4, 5 denote
                     the same structure member.
returns: -1 if bad structure type ID is passed
            or no such member in the structure
         otherwise returns structure id of the member.
         If the current member is not a structure, returns -1.

long get_member_strid(long id, long member_offset);
à is_union▄
 ▀▀▀▀▀▀▀▀▀

is a structure a union?
     id            - structure type ID
returns: 1: yes, this is a union id
         0: no

Unions are a special kind of structures

long is_union(long id);
Õ add_struc▄
 ▀▀▀▀▀▀▀▀▀▀

define a new structure type
     index    - Not used anymore
     name     - name of the new structure type.
     is_union - 0: structure
                1: union

returns: -1 if can't define structure type because of bad structure name:
            the name is ill-formed or is already used in the program.
         otherwise returns ID of the new structure type

long add_struc(long index, string name, long is_union);
k del_struc▄
 ▀▀▀▀▀▀▀▀▀▀

delete a structure type
     id - structure type ID
returns: 0 if bad structure type ID is passed
         1 otherwise the structure type is deleted. All data
           and other structure types referencing to the
           deleted structure type will be displayed as array of bytes.

success del_struc(long id);
â set_struc_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

change structure name
     id      - structure type ID
     name    - new name of the structure
returns: !=0 - ok

long set_struc_name(long id, string name);
R set_struc_cmt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

change structure comment
     id      - structure type ID
     comment - new comment of the structure
     repeatable - 1: change repeatable comment
                  0: change regular comment
returns: !=0 - ok

long set_struc_cmt(long id, string comment, long repeatable);
q add_struc_member▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Add structure member.

This function can be used in two forms.
First form:
long add_struc_member(long id, string name, long offset, long flag,
                    long typeid, long nbytes);
Second form:
long add_struc_member(long id, string name, long offset, long flag,
                    long typeid, long nbytes,
                    long target, long tdelta, long reftype);

arguments:
  id      - structure type ID
  name    - name of the new member
  offset  - offset of the new member
            -1 means to add at the end of the structure
  flag    - type of the new member. Should be one of
            FF_BYTE..FF_PACKREAL (see above)
            combined with FF_DATA
  typeid  - if is_struct(flag) then typeid specifies
            the structure id for the member
            if is_off0(flag) then typeid specifies
            the offset base.
            if is_strlit(flag) then typeid specifies
            the string type (@0:283[STRTYPE_...]).
            if is_stroff(flag) then typeid specifies
            the structure id
            if is_enum(flag) then typeid specifies
            the enum id
            Otherwise typeid should be -1
  nbytes  - number of bytes in the new member
the remaining arguments are allowed only if isOff0(flag) and you want
to specify a complex offset expression
  target  - target address of the offset expr. You may specify it as
            -1, ida will calculate it itself
  tdelta  - offset target delta. usually 0
  reftype - see REF_... definitions
returns: 0-ok, otherwise error code TERR_...

long add_struc_member(long id, string name, long offset, long flag, long typeid, long nbytes,
                      long target, long tdelta, long reftype);

// Constants used with begin_type_updating() and end_type_updating()
#define UTP_ENUM      0
#define UTP_STRUCT    1
p del_struc_member▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

delete structure member
     id            - structure type ID
     member_offset - offset of the member
returns: !=0 - ok.
NOTE: IDA allows 'holes' between members of a structure.
      It treats these 'holes' as unnamed arrays of bytes.

long del_struc_member(long id, long member_offset);
6 set_member_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

change structure member name
     id            - structure type ID
     member_offset - offset of the member
     name          - new name of the member
returns: !=0 - ok.

long set_member_name(long id, long member_offset, string name);
c set_member_type▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Change structure member type.

This function can be used in two forms.
First form:
long set_member_type(long id, long member_offset, long flag, long typeid, long nitems);

Second form:
long set_member_type(long id, long member_offset, long flag, long typeid, long nitems,
                     long target, long tdelta, long reftype);

arguments:
  id            - structure type ID
  member_offset - offset of the member
  flag    - new type of the member. Should be one of
            FF_BYTE..FF_PACKREAL (see above)
            combined with FF_DATA
  typeid  - if is_struct(flag) then typeid specifies
            the structure id for the member
            if is_off0(flag) then typeid specifies
            the offset base.
            if is_strlit(flag) then typeid specifies
            the string type (@0:283[STRTYPE_...]).
            if is_stroff(flag) then typeid specifies
            the structure id
            if is_enum(flag) then typeid specifies
            the enum id
            Otherwise typeid should be -1
  nitems  - number of items in the member
the remaining arguments are allowed only if @0:181[is_off0(flag)] and you want
to specify a complex offset expression:
  target  - target address of the offset expr. You may specify it as
            -1, ida will calculate it itself
  tdelta  - offset target delta. usually 0
  reftype - see REF_... definitions
returns:        !=0 - ok.

long set_member_type(long id, long member_offset, long flag, long typeid, long nitems,
                     long target, long tdelta, long reftype);
µ set_member_cmt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

change structure member comment
     id            - structure type ID
     member_offset - offset of the member
     comment       - new comment of the structure member
     repeatable    - 1: change repeatable comment
                     0: change regular comment
returns: !=0 - ok

long set_member_cmt(long id, long member_offset, string comment, long repeatable);
³ get_enum▄
 ▀▀▀▀▀▀▀▀▀

get enum ID by the name of enum
     name - name of enum
returns: ID of enum or -1 if no such enum exists

long get_enum(string name);
¶ get_enum_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get name of enum
     enum_id - ID of enum
returns: name of enum or empty string

string get_enum_name(long enum_id);
 get_enum_cmt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

get comment of enum
     enum_id - ID of enum
     repeatable - 0:get regular comment
                  1:get repeatable comment
returns: comment of enum

string get_enum_cmt(long enum_id, long repeatable);
Ý get_enum_size▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get size of enum
     enum_id - ID of enum
returns: number of constants in the enum
         Returns 0 if enum_id is bad.

long get_enum_size(long enum_id);
 get_enum_flag▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get flag of enum
     enum_id - ID of enum
returns: flags of enum. These flags determine representation
         of numeric constants (binary, octal, decimal, hex)
         in the enum definition. See start of this file for
         more information about flags.
         Returns 0 if enum_id is bad.

long get_enum_flag(long enum_id);
1 get_enum_member_bmask▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get bit mask of symbolic constant
     const_id - id of symbolic constant
returns: bitmask of constant or 0
                        ordinary enums have bitmask = -1

long get_enum_member_bmask(long const_id);
 get_enum_member_by_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get member of enum - a symbolic constant ID
     name - name of symbolic constant
returns: ID of constant or -1

long get_enum_member_by_name(string name);
ó get_enum_member_value▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get value of symbolic constant
     const_id - id of symbolic constant
returns: value of constant or 0

long get_enum_member_value(long const_id);
`WRAP
The Interactive Disassembler Help Index ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

For additional information and tutorial please visit
https://www.hex-rays.com/products/ida

  @0:415[Main Idea]

  @0:358[Menu system]

  @0:162[Index of IDC functions]

  @0:1462[Credits]

Basics

  @0:417[Command line switches]
  @0:419[Configuration file]
  @0:1375[Environment variables]
  @0:418[Keyboard Macros]
  @0:596[Calculator]
  @0:524[Segment Register Change Points]
  @0:549[Problems List]
  @0:420[Anchor]
  @0:416[Background Analysis]
  @0:1395[Debugger]

Windows

  @0:585[Disassembly window]
  @0:42[Graph view]
  @0:1626[Proximity view]
  @0:1385[Arrows window]
  @0:584[Message window]
  @0:1415[Exports window]
  @0:1416[Imports window]
  @0:589[Segments window]
  @0:587[Names window]
  @0:586[Functions window]
  @0:593[Structures window]
  @0:488[Stack variables window]
  @0:595[Problems window]
  @0:1358[Type libraries window]
  @0:1259[Local types window]
  @0:588[Signatures window]
  @0:592[Cross-references window]
  @0:591[Selectors window]
  @0:590[Segment registers window]
  @0:1379[Strings window]
  @0:1383[Function calls window]

How to...

  @0:1463[How to launch remote debugging]
  @0:427[How To Use List Viewer]
  @0:425[How to use the Notepad]
  @0:424[How to Enter an Identifier]
  @0:422[How to Enter a Segment Value]
  @0:426[How to Enter an Address]
  @0:423[How to Enter a Number]

@0:157[IDC language]

  @0:158[Expressions]
  @0:159[Statements]
  @0:161[Variables]
  @0:160[Functions]

@0:1345[Miscellaneous]
 WRAP
Main Idea ▄
 ▀▀▀▀▀▀▀▀▀▀

IDA is an interactive disassembler, which means that the user
takes active participation in the disassembly process.
IDA is not an automatic analyzer of programs.
IDA will give you hints about suspicious instructions, unsolved
problems etc. It is your job to inform IDA how to proceed.

If you are using IDA for the very first time, here are some commands that
you will find very useful:

  - convert to @0:452[instruction] : the hotkey is "C"
  - convert to @0:453[data] : the hotkey is "D"

All the changes that you made are saved to disk. When you run IDA again,
all the information on the file being disassembled is read from the disk, so that you can resume your work.

For other commands please refer to the @0:428[menu] system and the help.WRAP
Background Analysis ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA can analyze a program when it is not occupied performing
an action you prompted. You disassemble a program together with IDA, but your requests have priority.

The state of background analysis is shown on the upper right-hand corner
of the screen.

You can @0:620[disable] autoanalysis, but in this case
some functions of IDA will produce strange results (e.g. if you try to
convert data into instructions, IDA will NOT trace all the threads of
control flow and the data will be converted into instructions only on
the screen...)

See also @0:620[analysis options].
´WRAP
Command line switches ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA can be launched with one of the following command lines:

        ida input-file        (Start graphical interface)
        idat input-file       (Start text interface)

Add the '64' postfix to the command name in order to start the 64-bit version of IDA.
For example:

        ida64 input-file

will start 64-bit graphical interface.

The following command line switches are recognized:

 -a     disable @0:416[auto analysis]. (-a- enables it)
 -A     autonomous mode. IDA will not display dialog boxes.
        Designed to be used together with -S switch.
 -b#### loading address, a hexadecimal number, in paragraphs
        (a paragraph is 16 bytes)
 -B     batch mode. IDA will generate .IDB and .ASM files automatically
 -c     disassemble a new file (delete the old database)
 -C#### set @0:1354[compiler] in format name:abi
 --cvt64 confirms the question
         'You passed 32bit IDB file foo.idb to ida64.
         Do you wish to convert it to 64bit database?'
         more information available at @0:1476[Database conversion]
 -ddirective
        A configuration directive which must be processed at the first
        pass. Example: -dVPAGESIZE=8192
 -Ddirective
        A configuration directive which must be processed at the second
        pass.
 -f     disable FPP instructions (IBM PC only)
 -h     help screen
 -i#### program entry point (hex)
 -I#    set IDA as just-in-time debugger (0 to disable and 1 to enable)
 -L#### name of the log file
 -M     disable mouse (text only)
 -O#### @0:1465[options] to pass to plugins.
        This switch is not available in the IDA Home edition.
 -o#### specify the output database (implies -c)
 -p#### @0:618[processor type]
 -P+    compress database (create zipped idb)
 -P     pack database (create unzipped idb)
 -P-    do not pack database (not recommended, see @0:449[Abort] command)
 -r###  immediately run the built-in debugger
        format of this switch is explained @0:1502[here]
 -R     load MS Windows exe file resources
 -S###  Execute a script file when the database is opened.
        The script file extension is used to determine which extlang
        will run the script.
        It is possible to pass command line arguments after the script name.
        For example: -S"myscript.idc argument1 \"argument 2\" argument3"

        The passed parameters are stored in the "ARGV" global IDC variable.
        Use "ARGV.count" to determine the number of arguments.
        The first argument "ARGV[0]" contains the script name.

        This switch is not available in the IDA Home edition.

 -T###  interpret the input file as the specified file type
        The file type is specified as a prefix of a file type
        visible in the 'load file' dialog box
        To specify archive member put it after the colon char,
        for example: -TZIP:classes.dex
        You can specify any nested paths:
        -T<ftype>[:<member>{:<ftype>:<member>}[:<ftype>]]
        IDA does not display the 'load file' dialog in this case
 -t     create an empty database.
 -W###  specify MS Windows directory
 -x     do not create segmentation
        (used in pair with @0:444[Dump database] command)
        this switch affects EXE and COM format files only.
 -z     debug:
                00000001 drefs
                00000002 offsets
                00000004 flirt
                00000008 idp module
                00000010 ldr module
                00000020 plugin module
                00000040 ids files
                00000080 config file
                00000100 check heap
                00000200 licensing
                00000400 demangler
                00000800 queue
                00001000 rollback
                00002000 already data or code
                00004000 type system
                00008000 show all notifications
                00010000 debugger
                00020000 @0:1572[dbg_appcall]
                00040000 source-level debugger
                00080000 accessibility
                00100000 network
                00200000 full stack analysis (simplex method)
                00400000 handling of debug info (e.g. pdb, dwarf)
                00800000 lumina
 -?     this screen (works for the text version)
 ?      this screen (works for the text version)
 -h     this screen (works for the text version)
 -H     this screen (works for the text version)
 --help this screen (works for the text version)


For batch mode, IDA must be invoked with the following command line:

        ida -B input-file

which is equivalent to:

        ida -c -A -Sanalysis.idc input-file

The text interface (idat.exe/idat) is better for batch mode because it uses less
system resources. However, please note that regular plugins are not automatically loaded
in batch mode because the analysis.idc file quits and the kernel has no chance to load them.

For more information, please see the analysis.idc file in the IDC subdirectory.
`WRAP
Keyboard macros ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

You can define a keyboard macro to automate frequent keystroke sequences.
They are defined in the same manner as in the Borland IDE:

        - Press Alt--
        - Press <key> - macro name
        - Enter macro body
        - Press Alt-=

All macros are lost when you @0:450[exit] IDA.
If you want to have a static macro which is not lost when you quit IDA,
then write it down into IDATUI.CFG file. The format of a macro definition
is explained @0:419[here].

NOTE: keyboard macros are available only in the text version of IDA.
WRAP
Configuration files ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The configuration files are searched first in %IDADIR%\cfg, then in
%IDAUSR%\cfg.

See documentation about the @0:1375[IDAUSR] environment variable.

In the configuration files, you can use C,C++ style comments and include files.
If no file is found, IDA uses default values. IDA uses the following
configuration files:

 _IDA.CFG_    - general config file
 _IDATUI.CFG_ - text mode interface config file
 _IDAGUI.CFG_ - graphics mode interface config file

In the IDATUI.CFG, you can define the hotkeys and keyboard macros for the text version
of IDA.
Syntax:

        "ActionName" = Value

where value may be:

        a string:       "Ctrl-F5"
        a char:         'F'
        a scancode:     0x4900
        zero:           0

Zero scancode disables the hotkey.

To define the keyboard macros:

     MACRO key { key1 key2 key3 ... keyN }

where key is a string (key name), char or a scancode.
Example:

        MACRO   "Alt-W" // this sample macro jumps to "start" label
        {
                "Ctrl-G"
                's' 't' 'a' 'r', 't'
                "Enter"
        }
<WRAP
Anchor ▄
 ▀▀▀▀▀▀▀

Some IDA commands such as selecting a portion of file to output or specifying a segment to move need an anchor.

To drop the anchor, you can either use the Alt-L key or the Shift-<arrow> combination, which is more convenient.
You can also drop the anchor with the mouse by simply clicking and dragging it.

After you've dropped the anchor, you can navigate freely using arrows, etc.
Any command that uses the anchor, raises it.

The anchored range is displayed with another color.

When you exit from IDA, the anchor value is lost.rWRAP
Demonstration Version Constraints ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The demo version works only with new databases and doesn't save the disassembly
results in an IDB file.

Unlike the full version, it cannot create .ASM and .LST files.

The demo version will accept only some file formats as input.
Currently, the supported file formats are: PE, ELF, Mach-O

Note that it will stop working after a while: this is a demo, not a full version, isn't it? :)

For information about the full version please visit
https://www.hex-rays.com/products/ida
.WRAP
How to Enter a Segment Value ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

You must enter a segment base value as a hexadecimal number or a segment name.
IDA will warn you if you enter an invalid segment.

You may enter a segment register name too.WRAP
How to Enter a Number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

You can enter any 'C' expression with constants. Long arithmetic will
be used for calculations.

In these expressions, you can use all the names that you have created in your
program.
?WRAP
How to Enter an Identifier ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

An identifier is a name which starts with a letter and contains
only letters and digits. The list of allowed characters
is specified in config file @0:419[IDA.CFG]. All names are case-sensitive.

Maximal length of a name is specified in the configuration file too:

        MAX_NAME_LENGTH=120     // Maximal length of new names

Default is 120.

Some assemblers have a shorter name length limit, beware!

IDA will warn you if you enter an illegal name.
uWRAP
How to enter text ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 In the text version of IDA, you can use the following keys:

 Enter          starts a new line
 Ctrl-Enter     finishes the input
 Esc            cancels the input
 F1             gives some help

                                        Shift-<arrow>  Select
 Ctrl-L         Search Again            Shift-Ins       Paste
 Ctrl-O         Indent Mode             Shift-Del       Cut
 Ctrl-T         Delete Word             Ctrl-Ins        Copy
 Ctrl-U         Undo                    Ctrl-Del        Clear
 Ctrl-Y         Delete Line             Ctrl-K B        Start Select
 Ctrl-Left      Word Left               Ctrl-K H        Hide Select
 Ctrl-Right     Word Right
 Ctrl-PgUp      Text Start              Ctrl-Q A        Replace
 Ctrl-PgDn      Text End                Ctrl-Q F        Search
                                        Ctrl-Q H        Delete Line Start
                                        Ctrl-Q Y        Delete Line End

Input containing only whitespaces is equal to an empty input.

Do not forget that you can also use the clipboard.ÃWRAP
How to Enter an Address ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

You should enter an address as a hexadecimal number or a location name. When
you enter the address in the hexadecimal format, you can omit
the segment part of the address and the current segment will be used.
Addresses beyond the program limits are invalid.

Also, you can enter a location name with a displacement:

        name+5

And finally you can specify a relative address:

        +10             0x10 bytes further
        -5              5 bytes backwards

If the entered string cannot be recognized as a hexadecimal number or location name,
IDA will try to interpret it as an expression using the current script interpreter.
The default interpreter is @0:157[IDC].

Special addresses:

        $ - current location (depends on the current @0:619[assembler])

Examples:

        456             current segment, offset 0x456
        5E              current segment, offset 0x5E
        3000:34         segment 0x3000,  offset 0x34
        ds:67           segment pointed by ds, offset 0x67
        0:4000000       @0:508[linear address] 0x4000000
        start           a location with name 'start'7WRAP
How To Use List Viewers in IDA ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The following commands work in the list viewers:

1. All usual movement keys: PgUp,PgDn,Home,End and arrows.

2. It is possible to position to a line simply by typing in the desired
   line number.

3. It is possible to position on a line by typing in its beginning.
   In this case the user can use:
        Backspace key to erase the last character typed in.
        Ctrl-Enter to find another line with the same prefix.
   Please note that List Viewer ignores the prefix of a line up to the last
   backslash (\\) or slash (/) if it exists.

4. Alt-T         search for a substring (case-insensitive)
   Ctrl-T        repeat last search

5. If the list is not in dialog mode, you can use the following keys:
   Enter         jump to the selected item in the last IDA View window
   Ctrl-E        edit the current item
   Del           delete the current item
   Ins           insert a new item
   Ctrl-U        refresh information in the window

6. Quick filtering is available using Ctrl-F. More complex filters can be
   defined with a right click (only the GUI mode).

7. The list can be sorted by any column by clicking on it. Please note that
   maintaining a frequently modified list sorted can be very time consuming,
   so try not to sort non-modal lists during the initial analysis.
   (sorting is available only in the GUI mode).

8. Right-click may show additional functionality for the list viewer.

Esc or Enter close modal list viewers.
WRAP
Main Menu Bar ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

All IDA commands are available from the followings menus:

 @0:429[File]
 @0:451[Edit]
 @0:543[Jump]
 @0:568[Search]
 @0:583[View]
 @0:1395[Debugger]
 @0:1698[Lumina]
 @0:604[Options]
 @0:624[Windows]
pWRAP
File submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

In this submenu you can:

  @0:430[Load file]           Load file
  @0:437[Script command] Execute a script command
  @0:438[Produce output file] Generate output file
  @0:446[OS shell]            Execute OS commands
  @0:447[Save database]       Save database in packed form
  @0:448[Save database as...] Save database in packed form in another file
  @0:1621[Take database snapshot] Take database snapshot
  @0:449[Abort]               Abort - do not save changes
  @0:450[Quit]                Quit to DOS - save changes

See also @0:428[Menu Bar] submenus.ßWRAP
File|Load file submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to load additional files into the database.

  @0:431[Reload input file]
  @0:432[Script file]
  @0:433[Binary file]
  @0:434[IDS file]
  @0:435[Debug information file]
  @0:1374[PDB debug information file]
  @0:1512[TDS debug information file]
  @0:436[FLIRT signature file]
  @0:1367[C header file]

See also @0:429[other File... submenu] commands.¸WRAP
Reload the input file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ReloadFile
 Current hotkey: @<ReloadFile>

This command reloads the same input file into the database.
IDA tries to retain as much information as possible in the database.
All the names, comments, segmentation information and similar will be retained.

Only the values of individual bytes will be changed.

This command works for some input file types only: if the file was loaded into the database with special settings, this command
may fail. In this case, use @0:444[Dump database to IDC file]
command and reload the file manually.

See also @0:430[Load... submenu] commands.ãWRAP
Execute Script File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Execute
 Current hotkey: @<Execute>

You can execute any script file supported by the built-in scripting engine (@0:157[IDC] or Python),
or a scripting language added by a plugin. The scripting language to use is selected by the file name extension of the script.

See also

         @0:437[Immediate execution] of script commands
         @0:430[Load... submenu] commands.´WRAP
Load additional file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: LoadFile
 Current hotkey: @<LoadFile>

This command loads a binary file. The new file is added
to the current database and all existing information is
retained.

The file content will appear as unexplored bytes in the program.

This command only allows you to load binary files.

See also @0:430[Load... submenu] commands.ßWRAP
Load IDS file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: LoadIdsFile
 Current hotkey: @<LoadIdsFile>

This command loads an IDS file.

An IDS file contains information about well-known functions (such as
functions from MS Windows API), namely:

        - their names
        - their ordinal number in the DLL
        - an eventual informative comment
        - the number of parameters passed on the stack
        - the number of parameters purged when returning

IDS files are automatically loaded if they are found in the IDS
directory. This command allows you to load an IDS file from any
directory, even after the main file has been loaded into the
database.

See also @0:430[Load... submenu] commands.WRAP
Load debug information file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: LoadDbgFile
 Current hotkey: @<LoadDbgFile>

This command loads a DBG file.

If the program being disassembled has a companion DBG file, then
this command may be used to load information from a DBG file into the
database. IDA loads DBG files automatically if it can find them
in the directory with the input file.

The built-in debug information loader cannot load NB10 format files and PDB files.
To load those files, please use a special plugin PDB.DLL which can be run manually
using Edit->Plugins submenu. This plugin uses MS Windows DLLs to load the
debug information and therefore has the following limitations:

        - it works only under MS Windows
        - it will load only PDBs compatible with the currently
          installed IMAGEHLP.DLL

See also @0:430[Load... submenu] commands.nWRAP
Load FLIRT signature file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: LoadSigFile
 Current hotkey: @<LoadSigFile>

This command allows you to apply an additional signature file
to the program.

A signature file contains patterns of standard runtime functions.
With their help, IDA is able to recognize the standard functions and
names them accordingly.

IDA attempts to detect the necessary signature files automatically but unfortunately, this is not always possible.
This command adds the specified signature file into the planned signature files queue.

Signature files reside in the subdirectories of the SIG directory. Each
processor has its own subdirectory. The name of the subdirectory
is equivalent to the name of the processor module file (z80 for z80.w32, for example).
Note: IBM PC signatures are located in the SIG directory itself.
Note: the IDASGN environment variable can be used to specify
the location of the signatures directory.

There is another way to load a signature file: you may insert/delete signature
files in the following way:

        - open the signatures window
        - press Ins to insert a signature file to the queue
        - press Del to delete a signature file from the queue

This is a preferred way of applying signatures because useful
information, such as the number of identified functions is displayed
in the signature window.

NOTE: FLIRT works only for the processors with normal byte size. The byte
size must be equal to 8 (processors with wide bytes like AVR or DSP56K are
not supported)

See also @0:430[Load... submenu] commands.ÔWRAP
Script command ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ExecuteLine
 Current hotkey: @<ExecuteLine>

You can enter and execute a small script written
in the built-in IDC language or any other registered extlang.

Here is the list of @0:162[built-in] functions.

See also

         @0:157[IDC] language overview
         Execute @0:432[script file] command
         @0:429[File... submenu] commands
         How to use @0:425[notepad].3WRAP
File|Produce output files  submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to produce various output files.
It also allows you to unload the database.

The text file-producing operations below will make use of
@0:1371[the currently-selected encoding] for output files.

 @0:439[Generate MAP file]
 @0:440[Generate ASM file]
 @0:1475[Generate INC file]
 @0:441[Generate LST file]
 @0:442[Generate EXE file]
 @0:443[Generate DIF file]
 @0:1504[Generate HTML file]
 @0:1674[Generate SIG file]
 @0:1251[Generate flow chart GDL file]
 @0:1252[Generate call graph GDL file]
 @0:444[Dump database to IDC file]
 @0:445[Dump typeinfo to IDC file]
 @0:141[Create C header file]

See also @0:429[other File... submenu] commands.WRAP
Create MAP File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceMap
 Current hotkey: @<ProduceMap>

Please enter a file name for the map. IDA will write the following
information about this file:

  - current segmentation
  - list of names sorted by values

You may disable the generation of the segmentation information.
You may also enable or disable @0:609[dummy] names in the output file.

You can use this map file for your information, and also for debugging (for example, Periscope from Periscope
Company or Borland's Turbo Debugger can read this file).

See also other @0:438[Produce output file] commands.WRAP
Create ASM File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceAsm
 Current hotkey: @<ProduceAsm>

Please enter a file name for the assembler text file. IDA will write
the disassembled text to this file.

If you have selected a range on the screen using @0:420[Drop Anchor]
command, IDA will write only the selected range (from the
current address to the anchor).

If some I/O problem (e.g. disk full) occurs during writing
to the file, IDA will stop and a partial file will be created.

Please note that @0:421[demo] version cannot produce assembler
files.

See also other @0:438[Produce output file] commands.WRAP
Create LST File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceLst
 Current hotkey: @<ProduceLst>

Enter a file name for the assembler listing file. IDA will write
the disassembled text to this file.

If you've selected a range on the screen using @0:420[Drop Anchor]
command, IDA will write only the selected range (from the
current address to the anchor).

If some I/O problem (e.g. disk full) occurs during writing
to the file, IDA will stop and a partial file will be created.

Please note that @0:421[demo] version cannot produce assembler
listing files.

See also other @0:438[Produce output file] commands.hWRAP
Create Executable File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceExe
 Current hotkey: @<ProduceExe>

Enter a file name for the new executable file. Usually this
command is used after patching (see commands @0:527[Patch byte] and
@0:527[Patch word]) to obtain a patched version of the file.

IDA produces executable files only for:

  - MS DOS .exe
  - MS DOS .com
  - MS DOS .drv
  - MS DOS .sys
  - general binary
  - Intel Hex Object Format
  - MOS Technology Hex Object Format

For other file formats please create a @0:443[difference] file.

NOTE: only @0:527[Patch byte/word] commands affect the executable
file contents, other commands
(including @0:477[User-Specified String for the #th Operand])
will not affect the content of the disassembled file.

EXE files: Output files will have the same EXE-header and relocation table as
the input file. IDA will fill unused ranges of the EXE file (e.g.
between relocation table and loadable pages) with zeroes.

See also

         @0:438[File|Produce output file] submenu,
         @0:526[Edit|Patch core] submenu.²WRAP
Create Difference File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceDiff
 Current hotkey: @<ProduceDiff>

This command will prompt you for a filename and then will create a
plain text difference file of the following format:

 comment

 filename
 offset: oldval  newval

See also

         @0:438[File|Produce output file] submenu,
         @0:526[Edit|Patch core] submenu."WRAP
Dump database to IDC file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DumpDatabase
 Current hotkey: @<DumpDatabase>

This command saves current IDA database into a text file.

You can use it as a safety command:

  - to protect your work from disasters
  - to migrate information into new database formats of IDA.

This command is used when you want to switch to a new version
of IDA. Usually each new version of IDA has its own database
format. To create a new format database, you need:

  1. to issue the 'Dump...' command for the old
     database (using old version of IDA). You will
     get an IDC file containing all information
     from your old database.
  2. to reload your database using new IDA with switch -x.
  3. to compile and execute the IDC file with command
    'Execute IDC file' (usually F2)

Please note that this command does not save everything to text file.
Any information about the local variables will be lost!

See also other @0:438[Produce output file] commands.WRAP
Dump typeinfo to IDC file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DumpTypes
 Current hotkey: @<DumpTypes>

This command saves information about the user-defined types from the IDA
database into a text file.

Information about enums, structure types and other user-defined types
is saved in a text form as an IDC program.

You can use this command to migrate the type definitions from one
database to another.

See also other @0:438[Produce output file] commands.tWRAP
Invoke OS Shell ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Shell
 Current hotkey: @<Shell>

By using this command, you can temporarily quit to the operating system.

This command is not available in the MS DOS version.

The database is left open when you use this command, so be careful.

See also @0:429[other File... submenu] commands.WRAP
Save database ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SaveBase
 Current hotkey: @<SaveBase>

This command saves and packs the current database.

See also @0:429[other File... submenu] commands.
         @0:448[Save database as...] command.ßWRAP
Save database as... ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SaveBaseAs
 Current hotkey: @<SaveBaseAs>

This command saves and packs the current database.
IDA will prompt you to enter a new name for the database file. Databases
are saved with an .IDB extension.
Use this command if you don't want to overwrite an earlier database.

See also

         @0:429[other File... submenu] commands.
         @0:447[Save database] command.êWRAP
Abort IDA ▄
 ▀▀▀▀▀▀▀▀▀▀

 Action    name: Abort
 Current hotkey: @<Abort>

This command terminates the current IDA session.
The Abort command is not available if the database was not packed.

        IDA will NOT save changes to the disk. ▄
        ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

See also

         @0:429[other File... submenu] commands.
         @0:450[Quit] command.WRAP
Exit IDA ▄
 ▀▀▀▀▀▀▀▀▀

 Action    name: Quit
 Current hotkey: @<Quit>

This command terminates the current IDA session. IDA will
write all changes to the disk and will close all databases.

You can enable/disable database packing. When the database is packed,
it consists of one file with IDB extension. When the database is not
packed, it consists of several files on the disk.
If packing is disabled, in the next session you cannot @0:449[abort] IDA.
We do not recommend to leave the database in the unpacked form because
you will not have a backup copy.

You can also perform garbage collection on the database before packing it.
The garbage collection removes the unused database pages, making it smaller.
However, IDA needs some free database pages when it works,therefore it will
allocate them again when you reuse the database. Removing and adding
free pages takes time and, what is most important, it changes the database
control blocks.

Use garbage collection only when you do not intend to work with the
database in the near future.

IDA will remember all information about the screen, cursor
position, jump stack, etc.
The following information
will be lost:

        @0:418[keystroke macros],
        the @0:420[anchor] position

To resume a disassembly session simply type: "ida file"

See also

         @0:429[other File... submenu] commands.
         @0:449[Abort] command.¡WRAP
Edit submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows the user to modify text representation
and to patch the file. It also has the commands to control the
analysis:

 @0:420[Anchor]
 @0:1671[Export data]
 @0:1710[Undo]
 @0:1711[Redo]

 @0:452[Convert to instruction]
 @0:453[Convert to data]
 @0:454[Convert to STRLIT string]
 @0:455[Convert to array]
 @0:456[Undefine]
 @0:457[Rename]

 @0:458[Operand types] submenu
 @0:478[Comments] submenu

 @0:483[Functions] submenu
 @0:490[Structures] submenu
 @0:506[Segments] submenu
 @0:526[Patch program] submenu
 @0:530[Other] submenu
 @0:536[Plugins] submenu

See also @0:428[Menu Bar] submenus.íWRAP
Convert to instruction ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeCode
 Current hotkey: @<MakeCode>

This command converts the current unexplored bytes to instruction(s).
IDA will warn you if it is not possible.

If you have selected a range using the @0:420[anchor], all the bytes from this range
will be converted to instructions.

If you apply this command to an instruction, it will be reanalyzed.

See also
 @0:451[Edit] submenuwWRAP
Convert to data ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeData
 Current hotkey: @<MakeData>

This command converts the current unexplored bytes to data.
If it is not possible, IDA will warn you.

Multiple using of this command will change the data type:

 db -> dw -> dd -> float -> dq -> double -> dt -> packreal -> octa \;
 ^                                                                 |;
 \---------<----------------<--------------<-----------------------/;

You may remove some items from this list using @0:617[setup data] command.

If the @0:619[target assembler] does not support double words or another
data type, it will be skipped.

 To create a structure variable, use @0:496[Declare struct var] command.
 To create an array, use @0:455[Array] command.
 To convert back, use @0:456[Undefine] command.

See also
 @0:451[Edit] submenuWRAP
Convert to string literal ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeStrlit
 Current hotkey: @<MakeStrlit>

This command converts the current unexplored bytes to a string.

The set of allowed characters is specified in the @0:419[configuration]
file, parameter StrlitChars. Character '\0' is not allowed in any case.
If the current @0:619[assembler] does not allow characters above 0x7F,
characters with high bit set are not allowed.

If the @0:420[anchor] has been dropped, IDA will take for the string
all characters between the current cursor position and the anchor.

Use the @0:420[anchor] if the string starts a disallowed character.

This command also generates a @0:424[name] for the string.
In the @0:419[configuration] file, you can specify the
characters allowed in names (NameChars).

You can change the literal string length using @0:455[Array] command.

The GUI version allows you to assign a special hotkey to create
Unicode strings. To do so, change the value of the StringUnicode
parameter in the IDAGUI.CFG file.

Pascal Strings ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

To create Pascal style strings (with first byte indicating string
length) use @0:613[Set String Style] command.

See also
 @0:451[Edit] submenuuWRAP
Convert to array ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeArray
 Current hotkey: @<MakeArray>

This command allows you to create arrays and change their sizes.

The arrays are created in 2 simple steps:

  1. Create the first element of array using the data
     definition commands (@0:453[data], @0:454[string], @0:496[structs])
  2. Apply the array command to the created data item.

Enter array size in current array elements (not bytes).
The suggested array size is the minimum of the following values:

        - the address of the next item with a cross reference
        - the address of the next user-defined name

For string literals, you can use this command to change the length of the string.

The dialog box contains the following fields:

Items on a line (meaningless for string literals):

        0               place maximal number of items on a line
        other value     number of items on a line

Please note that the @0:605[margin] parameter affects the number of
items on a line too.

Alignment (meaningless for string literals):

        -1              do not align items
        0               align automatically
        other value     width of each item

 Signed elements:       if checked, IDA treats all elements as signed numbers.
                        only meaningful for numbers (not for offsets and
                        segments and strings)

 Display indexes:       if checked, IDA will display the indexes of array
                        elements in the form of comments (0,1,2...)

 Create as array:       if not checked, IDA will create a separate item for
                        each array element. Useful for creating huge arrays.
                        If the box is unchecked when this command is
                        applied to string literals, IDA will create many
                        string literals instead of one big string.

If applied to a variable-sized structure, this command is used
to specify the overall size of the structure. You cannot create arrays of
variable-sized structures.

See also

 @0:451[Edit] submenu
 @0:423[How to Enter a Number].lWRAP
Undefine a byte ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeUnknown
 Current hotkey: @<MakeUnknown>

This command deletes the current instruction or data, converting
it to 'unexplored' bytes. IDA will delete the subsequent instructions if
there are no more references to them (functions are never deleted).

If you have selected a range using the @0:420[anchor], all the bytes in this range
will be converted into 'unexplored' bytes. In this case, IDA will not delete
any other instructions even if there are no references to them after the deletion.

See also
 @0:451[Edit] submenuWRAP
Give Name to the Location ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeName
 Current hotkey: @<MakeName>

This command gives name/renames/deletes @0:424[name] for the current
item.

To delete a name, simply give an empty name.

If the current item is referenced, you cannot delete its name. Even if you
try, IDA will generate a @0:609[dummy] name.

Local name

  The name is considered to be defined only in the current function.
  Please note that IDA does not check the uniqueness of the local names
  in the whole program. However, it does verify that the name is unique for the
  function.

Include in name list

  Here you can also include/remove the name from the @0:545[name list].
  If the name is hidden, you will not see it in @0:587[names window].

Public name

  You can declare a name as a public (global) name. If the current
  assembler supports the "public" directive, IDA will use it.
  Otherwise, the publicness of the name will be displayed as a comment.

Autogenerated name

  An autogenerated name will appear in a different color.
  if the item is indefined, it will disappear automatically .

Weak name

  You can declare a name as a weak name. If the current
  assembler supports the "weak" directive, IDA will use it.
  Otherwise, the weakness of the name will be displayed as a comment.

Create name anyway

  If this flag is on, and if the specified name already exists,
  IDA will try to variate the specified name by appending a suffix to it.

See also

         @0:451[Edit] submenu.
         @0:424[How to Enter an Identifier].
         @0:609[Names representation].ÐWRAP
Edit|Operand types submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to change the operand types
to offsets, numbers, chars, etc.
Use it to make disassembled text more understandable.

 @0:1381[Convert operand to offset]
 @0:1382[Convert operand to number]
 @0:465[Convert operand to character]
 @0:466[Convert operand to segment]
 @0:473[Convert operand to enum]
 @0:474[Convert operand to stack variable]
 @0:475[Change operand sign]
 @0:476[Bitwise negate operand]
 @0:477[User-defined operand]
 @0:1601[Set operand type]

If IDA suspects that an operand can be represented as something different
from a plain number, it will mark the operand as "suspicious" and show it in red.
Use these commands to delete @0:569[suspicious] marks.

Some of these commands can be applied to a selected range.
Click @0:459[here] to learn about the rules applied to such
operations.

See also @0:451[Edit] submenu.´WRAP
Perform en masse operation ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

If you have selected a range before applying an operand conversion
command, IDA will display a dialog box.

You can choose a range of operands to perform an en masse operation:

 ALL OPERANDS
 -----------

The operation will be performed on all
operands as a toggle. For example, if you
ask to convert to a character, then all
non-character operands will become characters,
and all character operands will become non-chars.

 OPERAND VALUE RANGE
 -------------------

The operation will be performed on the @0:569[void] operands
which contain immediate numbers in the specified range.

 ... OPERANDS
 ------------

This selection will convert all operands with the specified type to
undefined operands.
Example: all characters become non-characters.

 NOT ... OPERANDS
 ---------------

This selection allows to convert all operands that do not have the specified type
to the specified type. Example: all non-characters to characters.

 NOT TYPED OPERANDS
 -----------------

This selection allows to convert all operands without any type to the specified
type. Example: all operands with no type to characters.

 APPLY ONLY IF POSSIBLE
 ---------------------

IDA will check whether an operand can be represented with the specified type
(as a character constant, for example), and perform type conversion only if
the check is successful.
âWRAP
Convert operand to number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpNumber
 Current hotkey: @<OpNumber>

This command converts immediate operand(s) type of the
current instruction/data to a number. That way, you can
delete @0:569[suspicious] mark of the item.

The number is represented in the default radix for the current processor
(usually hex, but octal for PDP-11, for example).

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:1382[Edit|Operand types|Number] submenu.WRAP
Convert operand to hexadecimal number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpHex
 Current hotkey: @<OpHex>

This command converts immediate operand(s) type of the
current instruction/data to hex number. So you can
delete @0:569[suspicious] mark of the item.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:1382[Edit|Operand types|Number] submenu.oWRAP
Convert operand to decimal number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpDecimal
 Current hotkey: @<OpDecimal>

This command converts the immediate operand(s) type of the
current instruction/data to decimal. Therefore, it
becomes a 'number'.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:1382[Edit|Operand types|Number] submenu.WRAP
Convert operand to binary number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpBinary
 Current hotkey: @<Opbinary>

This command makes the current instruction or data operand type binary.
IDA always uses 123b notation for binary numbers even if the current
assembler does not support binary numbers.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:1382[Edit|Operand types|Number] submenu.WRAP
Convert operand to octal number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpOctal
 Current hotkey: @<OpOctal>

This command makes the current instruction or data operand type octal.
IDA always uses 123o notation for octal numbers even if the current
assembler does not support octal numbers.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:1382[Edit|Operand types|Number] submenu.)WRAP
Convert operand to character ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpChar
 Current hotkey: @<OpChar>

This command converts immediate operand(s) type of the
current instruction/data to character.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:458[Edit|Operand types] submenu.íWRAP
Convert operand to segment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpSegment
 Current hotkey: @<OpSegment>

This command converts the immediate operand(s) type of the
current instruction/data to segment base. The segment bases are usually
displayed like this:

        mov     ax, seg dseg


When you use this command, IDA deletes the @0:477[manually] entered operand.

If IDA cannot find a segment whose base is equal to the operand value,
it simply displays it as hex number.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:458[Edit|Operand types] submenu.ÞWRAP
Convert operand to offset (data segment) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpOffset
 Current hotkey: @<OpOffset>

This command converts the immediate operand of the
current instruction/data to an offset from the current data segment (DS).

If current DS value is unknown (or equal 0xFFFF) IDA
will warn you -- it will beep. In this case, you have to
define DS register value for the current byte. The
best way to do it is:

  - @0:547[jump to segment register change point]
  - @0:523[change value of DS]
  - @0:539[return]

or you can @0:522[change default value] of DS for the current
segment.

If you want to delete offset definition, you can use
this command again - it works as trigger.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

If a range is selected using the @0:420[anchor], IDA will perform
'en masse' conversion. It will convert
immediate operands of all instructions in the selected range to
offsets. However, IDA will ask you first the lower and upper limits of
immediate operand value. If the operand value is >= lower limit and
<= upper limit then the operand will be converted to offset, otherwise it
will be left unmodified.

To create offsets to structure members use @0:472[Convert to struct offset]
command.

See also:

          @0:467[offset by data segment/no offset]
          @0:469[offset by any segment]
          @0:470[offset by any user-specified base]
          @0:1381[Edit|Operand types|Offset] submenu.
          @0:477[Enter the operand manually] command.
          @0:1601[Set operand type]WWRAP
Convert operand to offset (code segment) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpOffsetCs
 Current hotkey: @<OpOffsetCs>

This command converts the immediate operand of the
current instruction/data to an offset from the current segment (CS).

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

If a range is selected using the @0:420[anchor], IDA will perform
'en masse' conversion. It will convert
immediate operands of all instructions in the selected range to
offsets. However, IDA will ask you first the lower and upper limits of
immediate operand value. If the operand value is >= lower limit and
<= upper limit then the operand will be converted to offset, otherwise, it
will be left unmodified.


If this command is applied to a structure member in the @0:593[structure window],
then IDA will create an "automatic offset". An automatic offset is an offset
with the base equal to 0xFFFFFFFF. This base value means that the actual
value of the base will be calculated by IDA when a structure instance is
created.

To create offsets to structure members, use @0:472[Convert to struct offset]
command.

See also:

          @0:467[offset by data segment/no offset]
          @0:469[offset by any segment]
          @0:470[offset by any user-specified base]
          @0:1381[Edit|Operand types|Offset] submenu.
          @0:477[Enter #th operand manually] commands.
          @0:1601[Set operand type]
WRAP
Convert operand to offset (any segment) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpAnyOffset
 Current hotkey: @<OpAnyOffset>

This command converts the immediate operand of the
current instruction/data to an offset from any segment.

IDA will ask to choose a base segment for the offset.

If a range is selected using the @0:420[anchor], IDA will perform
'en masse' conversion. It will convert
immediate operands of all instructions in the selected range to
offsets. However, IDA will ask you first the lower and upper limits of
immediate operand value. If the operand value is >= lower limit and
<= upper limit then the operand will be converted to offset, otherwise it
will be left unmodified.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

To create offsets to structure members use @0:472[Convert to struct offset]
command.

See also:

          @0:467[offset by data segment/no]
          @0:468[offset by current segment]
          @0:1381[Edit|Operand types|Offset] submenu.
          @0:477[Enter #th operand manually] commands.
          @0:1601[Set operand type]ÜWRAP
Convert operand to offset (user-defined base) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpUserOffset
 Current hotkey: @<OpUserOffset>

This command converts the immediate operand of the
current instruction/data to a complex offset expression.

Please click here to learn more about @0:471[complex offsets].

If a range is selected using the @0:420[anchor], IDA will perform
'en masse' conversion. It will convert
immediate operands of all instructions in the selected range to
offsets. However, IDA will ask you first the lower and upper limits of
immediate operand value. If the an operand value is >= lower limit and
<= upper limit then the operand will be converted to offset, otherwise it
will be left unmodified.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

If the offset base is specified as 0xFFFFFFFF, then IDA will create "an automatic offset".
Automatic offsets mean that the actual value of the base will be calculated by IDA.

The following offset attributes are available:

  Treat the base address as a plain number

        if checked, IDA will treat the base address as a number.
        In this case, IDA will not create a cross-reference to it
        and the base address will be printed as a number,
        not as an offset expression.

  Offset points past the main object

        Offsets of this type point past an object end.
        They do not cause an object created/deletion.

  Use image base as offset base

        These offsets are based on the image base.
        There is no need to explicitly specify the offset base.
        These offsets are displayed in a concise form:
          rva func
        instead of
          offset func - imagebase
        If you intend to reassemble the output file, execute the
        following IDC statement:
        set_inf_attr(INF_GENFLAGS, get_inf_attr(INF_GENFLAGS) & ~INFFL_ALLASM);

  Subtract operand value

        Use this option when the operand value should be substracted
        from the base to get the target address. In this case the displayed
        expression will be displayed as
          offset base - target
        instead of the usual
          offset target - base

  Signed operand

        Use this option if the operand should be interpreted
        as a signed value. This option is only available for OFF_REF8,
        OFF_REF16, OFF_REF32 and OFF_REF64 offset types.

  Operand value of 0 is invalid

        If the operand value is 0, the value will be highlighted in red.

  Operand value of NOT 0 is invalid

        If the operand value is zero's complement (i.e. all bits are set),
        the value will be highlighted in red.
        For example a OFF_REF16 with an operand value of 0xFFFF would be invalid.

  Use the current address as the offset base

        The offset base is dynamically calculated and is equal to the address of
        the current element:
          - for standalone items: their start address
          - for arrays: the start of the array element
          - for structures: the start of the structure field
        The offset expression is displayed in the following concise form:
          offset target - $
        where "$" denotes the start of the element (and is @0:619[assembler]-dependent).


To create offsets to structure members use @0:472[Convert to struct offset]
command.

See also:

          @0:467[offset by data segment/no]
          @0:468[offset by current segment]
          @0:1381[Edit|Operand types|Offset] submenu.
          @0:477[Enter #th operand manually] commands.
          @0:1601[Set operand type][WRAP
Complex Offset Expression ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

A complex offset expression looks like

        offset target + delta - offset base

It is specified by:

        - type (OFF16, OFF32, LOW16, etc.)
        - base
        - optional target
        - optional delta from target

The relationship between these parameters is
(the formula is given for full offsets):

        operand_value = target + delta - base

  or (the same relationship in a different form):

        target = operand_value - delta + base

You always have to specify the offset type and base.
Usually, the delta is equal to zero.
For the full offset type you may omit the offset target, which is recommended.
In this case, IDA will calculate it automatically.
However, if you specify the offset target, make sure that the relationship
between the parameters still holds.
For the half offset types, you have to specify the target because
there is no way to calculate it.

The offset types:

  8-bit full offset            :
  16-bit full offset           :
  32-bit full offset           :

    The full offsets are regular offset expressions like

        offset label

    They can occupy 8, 16, or 32 bits.
    You have to specify the offset base for these offsets.

  low 8 bits of 16-bit offset  :

    Only the low 8 bits of the offset. IDA will represent them as

        (offset label) & 0xFF

  low 16 bits of 32-bit offset :

    Only the low 16 bits of the offset. IDA will represent them as

        (offset label) & 0xFFFF

  high 8 bits of 16-bit offset :

    Only the high 8 bits of the offset. IDA will represent them as

        offset label >> 8

  high 16 bits of 32-bit offset:

    Only the high 17 bits of the offset. IDA will represent them as

        offset label >> 16

See also @0:470[offset by any user-specified base]óWRAP
Convert operand to structure offset ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpStructOffset
 Current hotkey: @<OpStructOffset>

 GUI version:
 ------------

This command permits to convert all immediate operands of instructions in a
range selection to a path of offsets through a structure and its possible sub unions.
If no selection is active, IDA will simply permit to convert the current operand.
In this case, it will display a simple dialog box the same way as the text version (see below).

You can select the desired register in the drop-down list: all operands relative
to this register will be added to the 'Offsets' list. A special empty line in the
drop-down list is used to directly work on immediate values.
Checkboxes in the 'Offsets' list allow you to select which operand you indeed
want to modify. By default, IDA will select only undefined operands, to avoid
overwriting previous type definitions. This list is sorted by operand value, by
instruction address and finally by operand number. You can easily see the instructions
related to the operand by moving the mouse over it, and wait for a hint to be
displayed.

The 'Structures and Unions' tree will contain all selectable structures, and sub unions.
Once you select or move over a structure, the 'Offsets' list updates itself for each
checked offset: the computed name of the operand is displayed, according to the selected
structure in the tree. An icon is also drawn, to easily know if a specific structure
matchs the offset or not, or if the offset is too big for the selected structure.
The structures who match the most offsets will be near the top of the tree.
You can also move your mouse over structures in the tree to obtain an interesting hint.

A '?' icon can also appear, if the offset can be specialized by selecting an union
member. In this case, if you expand the structure in the tree, you can select the adequate
union member simply by checking the desired radio button. IDA automatically corrects
the related name in the 'Offsets' list.

The 'Offset delta' value represents the difference between the structure start and the
pointer value. For example, if you have an operand 4 and want to convert in into an
expression like "mystruct.field_6-2", then you have to enter 2 as the delta.
Usually the delta is zero, i.e. the pointer points to the start of the structure.

The 'Hide sub structures without sub unions' option (checked by default) avoids to
add unnecessary sub structures to the tree, to keep it as small as possible. If you
uncheck this option, all sub structures will be added to the tree.

By default, IDA displays the structure member at offset 0. To change this behaviour, you
can directly disable the 'Force zero offset field' in the 'Options' frame. Later zero offsets
can be forced using @0:497[Edit, Structs, Force zero offset] menu item.

 Text version:
 -------------

This command converts immediate operand(s) type of the
current instruction/data to an offset within the specified structure.
Before using this command, you have to @0:491[define] a structure type.

First of all, IDA will ask a so-called "struct offset delta". This value
represents the difference between the structure start and the pointer value.
For example, if you have an operand 4 and want to convert in into an expression
like "mystruct.field_6-2", then you have to enter 2 as the delta.
Usually the delta is zero, i.e. the pointer points to the start of the structure.

If a range is selected using the @0:420[anchor], IDA will perform
'en masse' conversion. It will convert
immediate operands of all instructions in the selected range to
offsets. However, IDA will ask you first the lower and upper limits of
immediate operand value. If the an operand value is >= lower limit and
<= upper limit then the operand will be converted to offset, otherwise it
will be left unmodified.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

By default IDA doesn't display the structure member at offset 0.
To change this behaviour, use @0:497[Force zero field offset] command.

Moreover, if there are several possible representations (this can happen if
unions are used), select the desired representation using the
@0:498[Select union member...] command.

See also:

          @0:467[offset by data segment/no]
          @0:468[offset by current segment]
          @0:469[offset by any segment]
          @0:470[offset by any user-specified base]
          @0:1381[Edit|Operand types|Offset] submenu.
          @0:477[Enter #th operand manually] command.
          @0:1601[Set operand type]WRAP
Convert operand to symbolic constant (enum) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpEnum
 Current hotkey: @<OpEnum>

This command converts immediate operand(s) type of the
current instruction/data to an enum member.
Before using this command, you have to @0:501[define] an enumeration type.

If the selected enum is a bitfield, IDA will try to build a bitfield
expression to represent the constant. Please note that for bitfields having
multiple constants with the same value some expressions won't be possible.

If a range is selected using the @0:420[anchor], IDA will perform
'en masse' conversion. It will convert
immediate operands of all instructions in the selected range to
symbolic constants. However, IDA will ask you first the lower and upper limits of
immediate operand value. If the operand value is >= lower limit and
<= upper limit then the operand will be converted to offset, otherwise it
will be left unmodified.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise all other operands will be
affected.

See also:

          @0:458[Edit|Operand types] submenu.
          @0:477[Enter #th operand manually] commands.
          @0:1601[Set operand type]¸WRAP
Convert operand to stack variable ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpStackVariable
 Current hotkey: @<OpStackVariable>

This command converts immediate operand(s) type of the
current instruction to an offset to stack variables, i.e. a local variable
or function argument in the stack.

You need to @0:488[define] stack variables before using this command.

If the current operand is based on the value of the stack pointer ([ESP+xxx])
and the SP value is traced incorrectly, then you need to correct SP value
using @0:489[change stack pointer] command.

If a range is selected using the @0:420[anchor], IDA will perform
'en masse' conversion. It will convert
immediate operands of all instructions in the selected range to
stack variables. However, IDA will ask you first the lower and upper limits of
immediate operand value. If the operand value is >= lower limit and
<= upper limit then the operand will be converted to stack variable, otherwise it
will be left unmodified.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise all other operands will be
affected.

See also:

          @0:458[Edit|Operand types] submenu.
          @0:477[Enter #th operand manually] commands.
          @0:488[Define stack variables...]WRAP
Change operand sign ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ChangeSign
 Current hotkey: @<ChangeSign>

This command changes the sign of the current operand.
Please note that not all operands can change their sign.

See also:

          @0:458[Edit|Operand types] submenu.
          @0:477[Enter #th operand manually] commands.
          @0:1601[Set operand type]eWRAP
Bitwise negate operand ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: BitwiseNegate
 Current hotkey: @<BitwiseNegate>

This command bit-wisely negates the current operand.
Please note that not all types of operands can be negated.
It is not possible to negate and change @0:475[sign] of an operand simultaneously.

This command works only if the current @0:619[assembler] supports the bitwise negation operation.

See also:

          @0:458[Edit|Operand types] submenu.
          @0:477[Enter #th operand manually] commands.
          @0:1601[Set operand type]øWRAP
User-defined operand ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ManualOperand
 Current hotkey: @<ManualOperand>

You may specify any string instead of an operand if IDA does not represent
the operand in the desired form. In this case, IDA will simply display the
specified string in the instruction instead of the default operand.

The current operand (under the cursor) will be affected.

You can use this command not only with instructions but with data
items too.

IDA proposes the previous manual operand as the default value in the input form.

To delete the manual operand and revert back to the default text, specify an empty string.

IDA automatically deletes manually entered operands when you
change operand representation using operand @0:458[types] submenu.

NOTE: A text offset reference is generated if you use a label in the program as the operand string.
In other cases no cross-references are generated.

See also @0:458[Edit|Operand types] submenu.uWRAP
Edit|Comments submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to manipulate different kinds of comments.
Use them to make the disassembled text more understandable.

 @0:479[Create a regular comment]
 @0:480[Create a repeatable comments]
 @0:481[Create additional comment lines]

See also @0:451[Edit] submenu.ÊWRAP
Create a regular comment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeComment
 Current hotkey: @<MakeComment>

If you stand at the function start and your cursor is
on a function name, IDA will ask you to enter a function comment.

If you stand at the segment start and your cursor is
on a segment name, IDA will ask you to enter a segment comment.

If this command is issued in the
@0:593[structures window], it allows you to change the comment of a structure, or
structure member. If the cursor is on the structure name, it will be changed, otherwise
the member name will be changed.
Otherwise, this command allows you to enter a normal indented comment for
the current item.

You can show/hide all comments in @0:1369[Comments Dialog].

See also

        "How to use the @0:425[notepad]"
         @0:478[Edit|Comments] submenu
         @0:480[Repeatable comments]
         How to use the @0:425[notepad]+WRAP
Create a repeatable comment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeRptCmt
 Current hotkey: @<MakeRptCmt>

This command allows you to enter a repeatable comment. A repeatable
comment will appear attached to the current item and all other items
referencing it.

If you stand at the function start, IDA will ask you to enter a function comment.

If this command is issued in the
@0:593[structures window], it allows you to change the comment of a structure or
structure member. If the cursor is on the structure name, the structure comment
will be changed, otherwise the member comment will be changed.

Otherwise, this command allows you to enter a repeatable comment for
the current item.

You cannot enter repeatable segment comments.

All items that refer to the current item will have this comment by default.

Note that if you have defined both comment types (@0:479[regular] and repeatable),
the regular comment will be displayed for the current item and the repeatable
comment will be displayed for all items that refer to the current item, if
they do not have their own comments.

The repeatable comments may be used to describe subroutines, data items etc.,
because all calls to the subroutine will have the repeatable comment.

You can show/hide all comments in the @0:1369[Comments Dialog].

You can show and hide repeatable comments in the @0:1369[Comments Dialog].

See also

        "How to use the @0:425[notepad]"
         @0:478[Edit|Comments] submenu
         @0:479[Regular comments]WRAP
Create additional comment lines ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action                 Name
 ------                 ----
 edit anterior lines    MakeExtraLineA
 edit posterior lines   MakeExtraLineB

If you want to enter multi-line comments or additional instructions,
you can use this feature of IDA.

There are two kinds of extra lines: the ones generated before the instruction line
and the ones generated after the instruction line.

Do not forget that the maximal number of lines for an item is 500.

IDA does not insert a comment symbol at the beginning of the lines.

See also

        "How to use the @0:425[notepad]"
        @0:478[Edit|Text|Comments] submenu.
        @0:425[How to use the Notepad] is_mapped▄
 ▀▀▀▀▀▀▀▀▀▀

Is the specified address 'ea' present in the program?

success is_mapped(long ea);
WRAP
Functions submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to manipulate functions in the disassembly:

      @0:484[Create function...]
      @0:485[Edit function...]
      @0:687[Append function tail...]
      @0:688[Remove function tail...]
      @0:486[Delete function...]
      @0:487[Set function end]
      @0:488[Define stack variables...]
      @0:489[Change stack pointer...]
      @0:1346[Rename register...]
      @0:1361[Set function/item type...]

See also @0:451[Edit] submenu.2WRAP
Create Function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeFunction
 Current hotkey: @<MakeFunction>

This command defines a new function in the disassembly text.

You can specify function boundaries using the @0:420[anchor].
If you don't specify any, IDA will try to find the boundaries automatically:

   - function start point is equal to the current cursor position;
   - function end point is calculated by IDA.

A function cannot contain references to undefined instructions.
If a function has already been defined at the specified addresses,
IDA will jump to its start address, showing you a warning message.

A function must start with an instruction.

See also

         @0:483[Edit|Functions] submenu.
         @0:485[Edit a function]
         @0:486[Delete a function]pWRAP
Edit Function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: EditFunction
 Current hotkey: @<EditFunction>

Here you can change function bounds, its name and @0:1729[flags].
In order to change only the function end address, you can use @0:487[FunctionEnd]
command.

If the current address does not belong to any function, IDA beeps.

This command allows you to change the function frame parameters too.
You can change sizes of some parts of frame structure.

IDA considers the stack as the following structure:

      +------------------------------+
      | function arguments           |
      +------------------------------+
      | return address               |
      +------------------------------+
      | saved registers (SI,DI,etc)  |
      +------------------------------+  <- BP
      | local variables              |
      +------------------------------+  <- SP

For some processors or functions, BP may be equal to SP. In other words, it can
point to the bottom of the stack frame.

You may specify the number of bytes in each part of the stack frame. The size of the
return address is calculated by IDA (possibly depending on the far function @0:1729[flag]).

"Purged bytes" specifies the number of bytes added to SP upon function return.
This value will be used to calculate the SP changes at call sites (used in some
calling conventions, such as __stdcall in Windows 32-bit programs.)

"BP based frame" allows IDA to automatically convert [BP+xxx] operands
to @0:474[stack variables].

"BP equal to SP" means that the frame pointer points to the bottom of the stack.
It is usually used for the processors which set up the stack frame with EBP and ESP
both pointing to the bottom of the frame (for example MC6816, M32R).

If you press <Enter> even without changing any parameter,IDA will reanalyze the function.

Sometimes, EBP points to the middle of the stack frame.
FPD (frame pointer delta) is used to handle such situations.
FPD is the value substracted from the EBP before accessing variables.
An example:

           push    ebp
           lea     ebp, [esp-78h]
           sub     esp, 588h
           push    ebx
           push    esi
           lea     eax, [ebp+74h]

      +------------------------------+
      | function arguments           |
      +------------------------------+
      | return address               |
      +------------------------------+
      | saved registers (SI,DI,etc)  |
      +------------------------------+  <- typical BP
      |                              |
      |                              |
      |                              |  <- actual BP
      | local variables              |
      |                              |
      |                              |
      |                              |
      +------------------------------+  <- SP

In our example, the saved registers area is empty (since EBP has been initialized
before saving EBX and ESI). The difference between the 'typical BP'
and 'actual BP' is 0x78 and this is the value of FPD.

After specifying FPD=0x78 the last instruction of the example becomes

           lea     eax, [ebp+78h+var_4]

where var_4 = -4

Most of the time, IDA calculates the FPD value automatically. If it fails, the user can specify
the value manually.

If the value of the stack pointer is modified in an unpredictable way,
(e.g. "and esp, -16"), then IDA marks the function as "fuzzy-sp".

If this command is invoked for an imported function, then a simplified dialog
box will appear on the screen.

See also

         @0:1729[Function flags]
         @0:484[Make a function]
         @0:486[Delete a function]
         @0:483[Edit|Functions] submenu.ÅWRAP
Delete Function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DelFunction
 Current hotkey: @<DelFunction>

Deleting a function deletes only information about a function, such as
information about stack variables, comments, function type, etc.

The instructions composing the function will remain intact.

See also

         @0:483[Edit|Functions] submenu.
         @0:484[Make a function]
         @0:485[Edit a function]WRAP
Set Function End ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: FunctionEnd
 Current hotkey: @<FunctionEnd>


This command changes the current or previous function bounds so that its end
will be set at the cursor. If it is not possible, IDA beeps.

See also @0:483[Edit|Functions] submenu.
         @0:484[Make a function]
         @0:485[Edit a function]jWRAP
Stack Variables Window ▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenStackVariables
 Current hotkey: @<OpenStackVariables>

This command opens the stack variables window for the current function.

The stack variables are internally represented as a structure. This structure
consists of two parts: local variables and function arguments.

You can modify stack variable definitions here:
add/delete/define stack variables, enter comments for them.

There may be two special fields in this window: " r" and " s".
They represent the size of the function return address and
of the saved registers in bytes.
You cannot modify them directly. To change them, use
@0:485[edit function] command.

Offsets at the line prefixes represent offsets from the frame pointer register (BP).
The window indicator at the lower left corner of the window displays
offsets from the stack pointer.

In order to create or delete a stack variable, use data definitions
commands (@0:453[data], @0:454[strlit], @0:455[array], @0:456[undefine], @0:457[Rename]).
Also you may define @0:479[regular] or @0:480[repeatable] comments.

The defined stack variables may be used in the program by converting
operands to @0:474[stack variables].

Esc closes this window.

See also

         @0:483[Edit|Functions] submenu.
         @0:474[Convert to stack variable]WRAP
Change Stack Pointer ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ChangeStackPointer
 Current hotkey: @<ChangeStackPointer>

This command allows you to specify how the stack pointer (SP)
is modified by the current instruction.

You cannot use this command if the current instruction does not belong to
any @0:484[function].

You will need to use this command only if IDA was not able to trace the value of the SP register.
Usually IDA can handle it but in some special cases it fails.
An example of such a situation is an indirect call of a function that
purges its parameters from the stack. In this case, IDA has no
information about the function and cannot properly trace the value of SP.

Please note that you need to specify the _difference_ between the old and
new values of SP.

The value of SP is used if the current function accesses local variables
by [ESP+xxx] notation.

See also

         @0:483[Edit|Functions] submenu.
         @0:474[Convert to stack variable]^WRAP
Structures submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Commands of this submenu are available in the
@0:593[structures window].
Only @0:496[Declare struct var...] is available in
the disassembly window.

      @0:491[Add a struct type...]
      @0:1370[Duplicate struct type...]
      @0:492[Delete a struct type...]
      @0:493[Insert gap...]
      @0:494[Delete gap...]
      @0:495[Edit a struct type...]
      @0:496[Declare struct var...]
      @0:497[Force zero field offset]
      @0:498[Select union member...]
      @0:1392[Create struct type from data...]
      @0:1684[Copy field info to pointers...]

Use regular commands to specify struct and union members,
their types, comments, etc.

A union is a special kind of structure. Use structure definition commands to
manipulate unions.

See also @0:451[Edit] submenu.WRAP
Define a new structure ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: AddStruct
 Current hotkey: @<AddStruct>

This command defines a new structure or a new union.
The new structure is created with zero length. You will have to add structure
members using @0:490[structure] manipulation commands.

If the entered structure name denotes a standard structure type from a loaded
type library, then its definition will be automatically used. In this
case, the value of the 'create union' checkbox will be ignored.

This command is available when you open a structures @0:593[window].

You can add new members to the structure using the following commands:

        command         hotkey
        -------         ------
    @0:453[make data]            D
    @0:454[make strlit]           A
    @0:455[make array]           *
    @0:457[rename]               N

You may also insert/delete undefined bytes into the middle of the structure
by using @0:493[expand] and @0:494[shrink] commands.

"Create before current structure" means that the new structure will be
placed immediately before the current structure type. Otherwise, the new
structure is placed after the current structure.

"Don't include in the list" means that the structure will not be included
in the list of the structures which appears when the user applies the structure
definition, for example, when he creates a variable of this structure type.
We recommend to mark this checkbox when you have defined all variables of
this structure type and want to reduce the number of choices in the list.

See also @0:490[Edit|Structs] submenu.
         @0:424[How to Enter an Identifier]
WRAP
Delete a structure ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DelStruct
 Current hotkey: @<DelStruct>

This command deletes the current structure.
Beware, when you delete a structure, all references to it will be destroyed as well.
Even if you recreate it later, you'll have to specify again all references
to it.

You may use this command to delete unions also.

This command is available when you open a structures @0:593[window].

See also @0:490[Edit|Structs] submenu.
ôWRAP
Expand a structure ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ExpandStruct
 Current hotkey: @<ExpandStruct>

This command expands the current structure by inserting undefined bytes
at the cursor location. The cursor must not be at the end of the structure.
To define a member at the end of the structure, just use normal data
definition commands.

This command is available when you open a structure @0:593[window].

See also @0:490[Edit|Structs] submenu.
ÃWRAP
Shrink a structure ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShrinkStruct
 Current hotkey: @<ShrinkStruct>

This command shrinks the current structure by deleting undefined bytes
at the cursor location. The cursor must be at an undefined byte. IDA will
ask the user the number of bytes to remove.

This command is available when you open a structure @0:593[window].

See also @0:490[Edit|Structs] submenu.
|WRAP
Edit a structure ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: EditStruct
 Current hotkey: @<EditStruct>

This command allows the user to change the structure alignment

Structure alignment is used to calculate the number of padding bytes at the end of the
structure. For example, if alignment is 4 and the last field is a byte at offset 11h,
IDA will add 3 bytes of padding so that the struct size is 14h (multiple of 4).

The alignment must be a power of 2.

This command is available in the Structures @0:593[window].

See also @0:490[Edit|Structs] submenu.
         @0:423[How to Enter a Number].
äWRAP
Declare a structure variable ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeStructVar
 Current hotkey: @<MakeStructVar>

This command declares a variable of the specified structure type.

IDA will ask you to choose a structure type. You must have some structure
types @0:491[defined] in order to use this command.

If the @0:619[target assembler] supports it, IDA will display the
structure in terse form (using just one line).
To uncollapse a terse structure variable use the @0:600[Unhide] command.

You can also use this command to declare a structure field in another structure
(i.e. nested structures are supported too).

See also @0:490[Edit|Structs] submenu.
$WRAP
Force zero field offset ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ZeroStructOffset
 Current hotkey: @<ZeroStructOffset>

This command forces IDA to display a full structure member name
even if the offset of the member is equal to zero.

If used twice, the command cancels itself.

Example: Suppose we have the following structure:

        xxx     struc
        a       db ?
        b       db ?
        c       db ?
        xxx     ends

        dloc    xxx ?

  Normally IDA displays references to it like this:

        mov     eax, offset dloc
        mov     eax, offset dloc.b

  If you force IDA, then it displays member 'a':

        mov     eax, offset dloc.a
        mov     eax, offset dloc.b

See also @0:490[Edit|Structs] submenu.
ØWRAP
Select union member ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SelectUnionMember
 Current hotkey: @<SelectUnionMember>

This command tells IDA how to display references to a union from the current
cursor location.

Example:
  Suppose we have the following union:

        xxx     union
        a       db ?
        b       dw ?
        c       dd ?
        ends   xxx

        dloc    xxx ?

  Normally, IDA displays references to "dloc" like this:

        mov     al,  byte ptr dloc
        mov     eax, word ptr dloc

  After using this command, IDA can display the union members:

        mov     al,  dloc.b
        mov     eax, dloc.d

See also @0:490[Edit|Structs] submenu.
GWRAP
Bitfields ▄
 ▀▀▀▀▀▀▀▀▀▀

There is a special kind of enums: bitfields.
A bitfield is an enum divided into bit groups. When you define a new symbolic constant
in a bitfield, you need to specify the group to which the constant will belong
to. By default, IDA proposes groups containing one bit each.
If a group is not defined yet, it is automatically created when the first
constant in the group is defined. For example:

        name    CONST1
        value   0x1
        mask    0x1

will define a constant named CONST1 with value 1 and will create a group containing
only one bit. Another example. Let's consider the following definitions:

 #define OOF_SIGNMASK    0x0003
 #define   OOFS_IFSIGN   0x0000
 #define   OOFS_NOSIGN   0x0001
 #define   OOFS_NEEDSIGN 0x0002
 #define OOF_SIGNED      0x0004
 #define OOF_NUMBER      0x0008
 #define OOF_WIDTHMASK   0x0030
 #define   OOFW_IMM      0x0000
 #define   OOFW_16       0x0010
 #define   OOFW_32       0x0020
 #define   OOFW_8        0x0030
 #define OOF_ADDR        0x0040
 #define OOF_OUTER       0x0080
 #define OOF_ZSTROFF     0x0100

How do we describe this?

   name           value    mask   maskname

   OOFS_IFSIGN   0x0000   0x0003 OOF_SIGNMASK
   OOFS_NOSIGN   0x0001   0x0003 OOF_SIGNMASK
   OOFS_NEEDSIGN 0x0002   0x0003 OOF_SIGNMASK
 OOF_SIGNED      0x0004   0x0004
 OOF_NUMBER      0x0008   0x0008
   OOFW_IMM      0x0000   0x0030 OOF_WIDTHMASK
   OOFW_16       0x0010   0x0030 OOF_WIDTHMASK
   OOFW_32       0x0020   0x0030 OOF_WIDTHMASK
   OOFW_8        0x0030   0x0030 OOF_WIDTHMASK
 OOF_ADDR        0x0040   0x0040
 OOF_OUTER       0x0080   0x0080
 OOF_ZSTROFF     0x0100   0x0100


If a mask consists of more than one bit, it can have a name and a comment.
A mask name can be set when a constant with the mask is being defined.
IDA will display the mask names in a different color.

In order to use a bitfield in the program, just convert an instruction
operand to @0:473[enum]. IDA will display the operand like this:

        mov     ax, 70h

will be replaced by

        mov     ax, OOFS_IFSIGN or OOFW_8 or OOF_ADDR
WRAP
Add/Edit an enum ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: AddEnum
 Current hotkey: @<AddEnum>

 Action    name: EditEnum
 Current hotkey: @<EditEnum>

These commands allow you to define and to edit an enum type.
You need to specify:

        - name of enum
        - its serial number (1,2...)
        - representation of enum members

Each enum has its ID and a serial number. The ID is a number used to
refer to the enum, while a serial number is used to order enums
during output. Changing the serial number moves the enum to another place.

The serial number of an enum is displayed at the lower left corner of the window.

You can specify any number as a serial number,
IDA will move the enum to the specified place.

        1 - the current enum becomes the first enum
        2 - the current enum becomes the second enum
        ...

You also need to specify representation of enum constants. You may choose
from various number bases (hex,dec,oct,bin) and character constants.

You may specify the element width or leave it zero. Zero means the element
width is not specified. The allowed widths are the powers of 2 in the range of 1..64.

Please note that you can create @0:500[bitfield] definitions here
by checking the "bitfield" checkbox.

These command is available when you open the types @0:1259[window].

See also

         @0:423[How to Enter a Number].
WRAP
Delete an enum type ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DelEnum
 Current hotkey: @<DelEnum>

This command deletes the current enum.
Beware, when you delete an enum all references to it will be destroyed.
Even if you recreate it later, you'll have to specify again all references
to it.

This command is available when you open the enums @0:1259[window].
äWRAP
Define an enum member ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: AddConst
 Current hotkey: @<AddConst>

This command allows you to define an enum member. An enum member
is a symbolic constant. You have to specify its name and value.
You cannot define more than 256 constants with the same value in an enum.

If the current enum is a bitfield, you need to specify the bitmask.
To learn about bitmasks, read about @0:500[bitfields].
eWRAP
Edit an enum member ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: EditConst
 Current hotkey: @<EditConst>

This command allows you to rename an enum member. An enum member
is a symbolic constant. Its name must be unique in the program.

To rename an enum type name, position the cursor over the name of the enum.
WRAP
Delete an enum member ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DelConst
 Current hotkey: @<DelConst>

Please remember that deleting a member also deletes all the information
about the member, including comments, member name etc.
&WRAP
Edit|Segments submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to manipulate segments of the program:

 @0:507[Create a new segment...]
 @0:513[Delete a segment...]
 @0:514[Change segment attributes...]
 @0:520[Move a segment...]
 @0:1408[Rebase program...]
 @0:521[Change segment translation...]

 @0:522[Set default segment register value...]
 @0:523[Change segment register value...]

See also:

 @0:525[How to choose a segment]
 @0:546[How to jump to a segment]
 @0:451[Edit] submenu.QWRAP
Create a new segment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: CreateSegment
 Current hotkey: @<CreateSegment>

This command allows you to create a new segment.

If you select a range using the @0:420[anchor], IDA will propose the start
address and the end address of the selection as defaults for the segment bounds.

You need to specify at least:

    - the segment start address
    - the segment end address (excluded from the range)
    - the segment base

Click @0:508[here] to learn about addressing model used in IDA.

If "sparse storage" is set, IDA will use special sparse storage method
for the segment. This method is recommended for huge segments.
Later, it is possible to change the storage method of any region using
@0:1527[set_storage_type] IDC function.

If another segment already exists at the specified address,
the existing segment is truncated and the new segment lasts from the
specified start address to the next segment
(or specified end address, whichever is lower). If the old and the new segments
have the same base address, instructions/data will not be discarded by IDA.
Otherwise, IDA will discard all instructions/data of the new segment.

An additional segment may be created by IDA to cover the range after the end of the new segment.

See also @0:506[Edit|Segments] submenu.WRAP
IDA address space concepts ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Internally, IDA has 32-bit linear address space (IDA64 uses 64-bit address space).
The internal addresses are called "linear addresses". The input program
is loaded into this linear address space.

Please note that usually the linear addresses are not used in the program
directly.
During disassembling, we use so-called "virtual addresses", which
are calculated by the following formula:

        VirtualAddress = LinearAddress - (SegmentBase << 4);

We see that the SegmentBase determines what addresses will be
displayed on the screen. More than that, IDA allows to create
several segments with the same virtual address in them. For this,
you just need to create segments with correct segment base values.

Normally a SegmentBase is a 16bit quantity.
To create a segment with base >= 0x10000, you need to use
@0:591[selectors]. However, if you try to create a segment
with a segment base >= 0x10000, IDA will automatically choose appropriately
a free selector and setup for the new segment.

All SegmentBases are looked up in the @0:591[selector] table.

There are some address restrictions in IDA.

There is a range of addresses that are used for internal housekeeping. This
range can be specified by the configuration variable PRIVRANGE (start address
and size). It is not recommended to use these addresses for other purposes.

There is also one address which must never be used in the disassembly.
It is the 'all ones' address, or -1. Internally, it is used as a BADADDR (bad address).
No address or address range can include BADADDR.

 Click @0:509[here] to see an example of segment creation
 (simple case - IBM PC)

 Click @0:510[here] to see an example of segment creation
 (simple case - Z80)

 Click @0:511[here] to see another example of segment creation
 (automatically chosen selector)

 Click @0:512[here] to see another example of segment creation
 (user-defined selector)

See also @0:521[How to change segment translation]	WRAP
Create segment - simple case (PC) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IBM PC case
-----------

Suppose we need to create a segment occupying addresses F000:1000..F000:2000
Let's calculate linear addresses:

        start = (0xF000 << 4) + 0x1000 = 0xF1000
        end   = (0xF000 << 4) + 0x2000 = 0xF2000

The segment base must be selected so that the first offset in our segment
will be 0x1000. Let's find it using the following equation:

        VirtualAddress = LinearAddress - (SegmentBase << 4);
        0x1000         = 0xF1000 - (base << 4);

After solving this equation, we see that the segment base is equal to 0xF000.
(you see, this is really a very simple case :) )

Now, we can create a segment entering:

        segment start address:  0xF1000
        segment end address:    0xF2000
        segment base:           0xF000

Please note that the end address never belongs to the segment in IDA.

Go back to @0:508[addressing space concepts]¯WRAP
Create segment - simple case (Z80) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Z80 case
 --------

Suppose we need to create a segment occupying virtual addresses 8000-C000.
Since we are free to place our segment anywhere in the linear address space,
we choose the linear addresses at our convenience. Let's say we choose
a linear address 0x20000:

        start = 0x20000
        end   = start + 0x4000 = 0x24000

The segment base must be selected so that the virtual address in our segment
will be 0x8000. Let's find it using the following equation:

        VirtualAddress = LinearAddress - (SegmentBase << 4);
        0x8000         = 0x20000 - (base << 4);
        base << 4      = 0x20000 - 0x8000
        base << 4      = 0x18000
        base           = 0x1800

After solving this equation, we see that the segment base is equal to 0x1800.

Now we can create a segment entering:

        segment start address:  0x20000
        segment end address:    0x24000
        segment base:           0x1800


Please note that the end address never belongs to the segment in IDA.

Go back to @0:508[addressing space concepts]tWRAP
Create segment - automatically chosen selector case ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Suppose we need to create a segment occupying linear addresses 200000-200C00
and the virtual addresses must have be 0000..0C00. If we simply
enter

        segment start address:  0x200000
        segment end address:    0x200C00
        segment base:           0x20000

Then IDA will notice that the segment base is too big and does not
fit into 16bits. Because of this IDA will find a free selector (let's
say it has found selector number 5), define it to point at paragraph
0x20000 and create a segment. After all this we will have:

        - a new selector is defined (5 -> 0x20000)
        - a new segment is created. Its attributes:
                start = 0x200000
                end   = 0x200C00
                base  = 5

The first virtual address in the segment will be 0:

        VirtualAddress = LinearAddress - (SelectorValue(SegmentBase) << 4)
                       = 0x200000      - (SelectorValue(5) << 4)
                       = 0x200000      - (0x20000 << 4)
                       = 0x200000      - 0x200000
                       = 0

Please note that the end address never belongs to the segment in IDA.

Go back to @0:508[addressing space concepts]WRAP
Create segment - user-defined selector case ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

If the @0:511[previous] example we saw how IDA allocates a selector
automatically. You could make it yourself:

1. Create a selector. For this, open the @0:591[selectors window]
and press Ins. Enter a selector number and its value.

2. Create a segment. Specify the selector number as the segment base.

Go back to @0:508[addressing space concepts]×WRAP
Delete a segment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: KillSegment
 Current hotkey: @<KillSegment>

This command allows you to delete a segment.

IDA will ask your the permission to disable the addresses occupied by the segment.
If you allow this operation, all information about the segment will
be deleted. In other words, IDA will discard the information about
instructions or data, comments etc.

If you check the "disable addresses" checkbox, IDA will mark the addresses
occupied by the segment as "nonexistent" in the program. You will lose *ALL*
information, including byte values.

It is impossible to disassemble the content of addresses not located in any
segment, therefore you must create a new segment if you want to resume the
disassembly of that part of the code.

You can also edit (see below) an adjacent segment to @0:514[expand] it to those
addresses.

IDA will ask your the permission to disable addresses occupied by the segment.
If you give your permission, information about the segment will be
deleted, otherwise IDA will discard information about instruction/data,
comments etc, but retain byte values so that you will be able to create
another segment afterwards.

To disassemble the addresses occupied by the segment, you need to create a
new segment again (i.e. you cannot disassemble bytes without a segment).
You can also @0:514[expand] another adjacent segment to
these addresses.

See also @0:506[Edit|Segments] submenu.Ü
WRAP
Change segment attributes ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: EditSegment
 Current hotkey: @<EditSegment>

This command allows you to change segment attributes.
You can change all attributes except the segment base. To change the segment
base, you have to delete the segment and create it again.

Please use the following links to learn about the segment attributes:

      @0:515[How to change segment name]
      @0:517[How to change segment class]
      @0:516[How to change segment addressing mode (16/32)]
      @0:518[How to change segment alignment]
      @0:519[How to change segment combination]

Changing the segment class may change the segment type.

MOVE ADJACENT SEGMENTS: means that the previous and next segments will
be shrunk or expanded to fill gaps between segments.
Click @0:628[here] for more information.

DISABLE ADDRESSES: if set, when a segment is shrunk,
all information about bytes going out of the segment will be completely removed..
Otherwise, IDA will discard information about instructions/data,
comments etc, but will retain byte values so that another segment can be
created later and it will use the existing byte values.

If IDA creates 2 segments where only
one segment must exist, you may try
the following sequence:

        - @0:513[delete] one segment. Choose one with
          bad segment base value. Do not disable addresses occupied
          by the segment being deleted.
        - change bounds of another segment.

Note that the @0:507[create] segment command changes the boundaries of
the overlapping segment automatically.

Segments with the 'debugger' attribute are the segments whose memory contents
are not saved in the database. Usually, these segments are created by the
debugger to reflect the current memory state of the program.

However, the user can modify this attribute.

If it is cleared, then the segment will permanently
stay in the database after closing the debugger session. The database will reflect the
state of the segment which was at the time when the status is changed.

If it is set, then the segment will become a temporary segment and
will be deleted at the end of the debugging session.

The "debugger segment" checbkox is available only during debugging sessions.

The 'loader' segments are the segment created by the file loader. The
segment having this attribute are considered to be part of the input file.

A segment with the 'debugger' attribute set and the 'loader' attribute
not set is considered to be an ephemeral segment.
Such segments are not analyzed automatically by IDA.

"Segment permissions" group box can be used to modify Segment access permissions (Read/Write/Execute)

See also @0:506[Edit|Segments] submenu.'WRAP
Change Segment Name ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Enter a new name for the segment.
A segment name is up to 8 characters long.
IDA does check if the length is ok.
Try to give mnemonic names for the segments.

See also other @0:514[SegEdit] form fields.ÀWRAP
Change Segment Addressing ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

You can choose between 16-bit and 32-bit segment addressing.

IDA will delete all instructions and data in the segment if the segment
address is changed.

Never do it if you are not sure. It may have irreversible consequences,
all instructions/data will be converted to undefined bytes.

See also other @0:514[SegEdit] form fields.$WRAP
Segment Class Name ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The segment class name identifies the segment with a class name
(such as CODE, FAR_DATA, or STACK). The linker places segments with
the same class name into a contiguous range of memory in the runtime
memory map.

Changing the segment class changes only the segment definition
on the screen. There are the following predefined segment class names:

        CODE    -       Pure code
        DATA    -       Pure data
        CONST   -       Pure data
        BSS     -       Uninitialized data
        STACK   -       Uninitialized data
        XTRN    -       Extern definitions segment

If you change segment class and the segment type is "Regular",
then the segment type will be changed accordingly.

In order to set the segment type "Regular", you should change the segment
class to "UNK".

NOTE: Segment class names are never deleted. Once you
define a segment class name, you cannot reuse it as a name of another object.

See also other @0:514[SegEdit] form fields.¦WRAP
Change Segment Alignment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Alignment:  select between abs,byte,word,dword,para,page

You can specify the segment alignment for the selected
segment. By default, IDA assumes 'byte' alignment.

Changing the alignment changes only the segment definition
on the screen. Nothing else will happen.

See also other @0:514[SegEdit] form fields.ýWRAP
Change Segment Combination ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Combination

A field that describes how the linker can combine the
segment with other segments. Under MS-DOS, segments with
the same name and class can be combined in two ways: they
can be concatenated to form one logical segment, or they
can be overlapped. In the latter case, they have either the
same start address or the same end address, and they
describe a common range in memory. Values for the field
are:

  Private. Do not combine with any
           other program segment.
  Public.  Combine by appending at
           an offset that meets the
           alignment requirement.

  Stack.   Combine as for Public.
           This combine type forces
           byte alignment.

  Common.  Combine by overlay using
           maximum size.


Changing segment combination changes only the segment definition
on the screen. Nothing else will happen.

See also other @0:514[SegEdit] form fields.WRAP
Move a segment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MoveSegment
 Current hotkey: @<MoveSegment>

This command allows you to move segment(s) to another address.
Use it if the segment(s) are loaded at a wrong address.

This command shifts (moves) the selected segments in the memory to the target address.
There must be enough free space at the target address for the segments.

All information in the segment will be moved to the new address, but since the
addresses change, the disassembly might be not valid anymore (especially if the
program is moved to the wrong addresses and the relocation information is not
available).

 Fix up relocations

        This option allows IDA to modify the references
        to/from the relocated segment(s). If it is turned
        off, the references might be wrong after the move.


See also @0:506[Edit|Segments] submenu.
WRAP
Change segment translation ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SegmentTranslation
 Current hotkey: @<SegmentTranslation>

A segment translation is a sequence of other segments to use
when resolving the references to instructions from the current segment.
Only code references are affected by the segment translation. Data references
can be redirected to the desired addresses by modifying the data segment
register.

This feature is available only for selected processors
(it is not available for IBM PC processors).

We hope it is easier to give an example than to give a formal definition.
Suppose we have 3 segments:

                start   end
        A       0000    1000
        B       1000    2000
        C       3000    4000

The instruction

        call    1000

in the segment C obviously refers to the segment B while the instruction

        call    500

refers to the segment A.

However, IDA does not try to link these references unless you tell it to do so:
include the segments A and B into a translation list of the segment C.
It means that you have to create a translation list

        A B

for the segment C.

Below is a more complicated example:

                start   end
        A       0000    1000
        B       1000    2000
        C       1000    2000
        D       3000    4000
        E       3000    4000

translations

        B:      A
        C:      A
        D:      A B
        E:      A C

allow you to emulate overlays (the first set is A B D, the second A C E)

IMPORTANT NOTE1: If you use the segment translations, make sure that all
segments have unique segment bases. If two segments are placed in the linear
address space so that
they must have the same segment base, you may assign different
@0:591[selectors] with equal values to them.

IMPORTANT NOTE2:
IDA supports only one translation list per segment.
This translation is applied by default to all instruction in the segment.
If the segment uses other mappings, then these individual mappings
can be specified for each instruction separately by using the
@0:469[make offset] commands.

IMPORTANT NOTE3:
Since only code references are affected by the segment translations,
try to create the RAM segment at its usual place (i.e. its linear
address in IDA corresponds to its address in the processor memory).
This will make all data references to it to be correct without any
segment translation. For the data references to other segments you'll
need to use the @0:469[make offset] command for each
such reference.

See also

         @0:508[addressing space concepts]
         @0:506[Edit|Segments] submenu.BWRAP
Set Default Segment Register Value ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetSegmentRegisterDefault
 Current hotkey: @<SetSegmentRegisterDefault>

Relevant only for processors with the segment registers.

You can specify a default value of a segment register for the current segment.
When you change the default value, IDA will reanalyze the segment,
taking the default value when it cannot determine the actual value
of the register. This takes time, so do not be surprised if references
are not corrected immediately.

To specify a value other than the default value of a segment register, you can
use @0:523[change segment register value] command.

 See also @0:506[Edit|Segments] submenu.
 See also @0:422[How to enter segment value].WRAP
Change Segment Register Value ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetSegmentRegister
 Current hotkey: @<SetSegmentRegister>

Relevant only for processors with the segment registers.
Currently this command works for IBM PC, TMS320C2, Intel80196, and PowerPC processors.

This command creates or updates a segment register
@0:524[change point].

See @0:547[jump to segment register change point] for more info.

ALPHA DISASSEMBLY ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

For Alpha processors, the user must enter the difference between the real GP value
and the start of
the GOT (global offset table). For example:

         .got
         ....
         ; gp points here
 label:

If you want to specify that a register points to "label", you must
calculate and enter the difference "label-.got" as the register value.

ARM DISASSEMBLY ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The ARM processor module has a virtual segment register T which reflects the
state of the T bit of the processor state register (PSR). Therefore, the value
of this register controls THUMB/ARM mode. If its value is not zero, then
the disassembly will be in the thumb mode.

POWER PC DISASSEMBLY ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

For PowerPC processors, the user must enter an offset from the beginning of
the TOC to the TOC entry which contains the address of the target. An example:

 TOC:    .toc
         ....
 sometc: .tc sometc[tc], datachunk

If you want to specify that a register points to "datachunk", you must
calculate and enter the difference "sometc-TOC" as the register value.
You can change the TOC value in the processor specific options (which is accessible
from the analysis options).

INTEL 80196 DISASSEMBLY ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

For Intel 80196NP/NU processors, the user must enter the value of WSR or WSR1
register. IDA will automatically take the new value into account.

 See also @0:506[Edit|Segments] submenu.
 See also @0:422[How to enter segment value].
 See also @0:423[How to Enter a Number].;WRAP
Segment Register Change Points ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

When IDA encounters an instruction which changes a segment
register, it creates a segment register change point.
So, mostly change points are maintained by IDA itself. IDA assumes that
the segment registers do not change their values between change
points. If you find out that IDA failed to locate a segment register change,
or if you want to change a register value,
you can create a change point using @0:523[Change Segment Register]
command. You can change the value of a segment register
using @0:522[Set default segment register value] command too.

IDA classifies the change points. In the list of the change points,
you can see the following postfixes after the register values:

 a (auto)     - Created by IDA. May be changed by IDA afterwards.
 u (by user)  - Created by user. IDA will not change it.

IDA generates the appropriate 'assume' instructions for the
change points if it was not disabled
by @0:608[the corresponding command].YWRAP
Choose segment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA can display a list of the program segments.
Each segment is represented by a line in the list.
Please note that the end address of the segment never belongs to the segment in IDA.

The following segment attributes are visible:

  Name          Segment name
  Start         Virtual start address
  End           Virtual end address (address past the end of the segment)
  R             'R': readable,      '.': not readable,   '?':unknown
  W             'W': writable,      '.': not writable,   '?':unknown
  X             'X': executable,    '.': not executable, '?':unknown
  D             'D': debugger only, '.': regular
  L             'L': created by loader, '.': no
  Align         Segment alignment
  Base          Segment base selector or address
  Type          Segment type
  Class         Segment class
  AD            Segment addressing width

The rest of the columns display the default values of the segment registers
for the segment.

By default, the cursor is located on the current segment.

You can use normal cursor movement keys and the mouse.
You can also search for the segment by pressing Alt-T, or directly jump to the desired line by typing in its number.

Press <Enter> to select line, <Esc> to cancel the selection.

See also @0:506[other segment related commands]CWRAP
Edit|Patch core  submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to patch the image of the input file.
More precisely, IDA never modifies the input file. The image of the input file
which was loaded to the database will be modified.

You can modify the image of the input file:

        - change a byte
        - change a word
        - enter an assembler instruction (only for IBM PC)

IDA will display the original value, the current value and file offset.
If the file offset is equal to 0xFFFFFFFF then the current byte comes
from a compressed page (LX/LE/NE iterated pages, for example) and/or it is
not possible to tell the file position.

You can create a @0:443[difference] file and use an external tool to apply the patches
or you can apply the @0:1618[patches] directly to the file using IDA.

The following commands are available:

 @0:527[Patch byte or word]
 @0:529[Assemble...]
 @0:1618[Apply patches to input file...]

See also:

 @0:442[Produce EXE file]
 @0:443[Produce DIF file]
 @0:451[Edit] submenu.
ÑWRAP
Patching the Image ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: PatchByte, PatchWord
 Current hotkey: @<PatchByte>, @<PatchWord>

You can modify the executable file and eventually @0:442[generate a new] file.

If you patch bytes, then you may enter multiple bytes.
Follow this @0:528[link] to learn about format of the input
string.

If this command is invoked when the debugger is active, then IDA will
modify the memory and the database. If the database does not contain the patched
bytes, then only the process memory will be modified.

You can create a @0:443[difference] file too.

See also

         @0:526[Edit|Patch core] submenu.
         @0:423[How to Enter a Number].
)Binary string format ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

It is possible to enter a sequence of the following items:

  - a number in the selected radix (hexadecimal, decimal or octal)
  - a string constant: "string"
  - a Unicode string constant: L"unicode string"
  - a question mark '?' to ignore variable bytes

The sequence must be separated by a space or a comma.

An entered number will occupy the minimal number of bytes it fits in
with the restriction that the number of bytes is a power of 2 (1, 2, or 4 bytes).

Two question marks without a space between them are the same as one question mark.
One question mark corresponds to one CPU byte. One CPU byte may consist of
multiple octets for a wide-byte CPU, like TMS320C28.

Example:

  CD 21          - bytes 0xCD, 0x21
  21CD           - bytes 0xCD, 0x21 (the order depends on the endiannes)
  "Hello", 0     - the null terminated string "Hello"
  L"Hello"       - 'H', 0, 'e', 0, 'l', 0, 'l', 0, 'o', 0
  B8 ? ? ? ? 90  - byte 0xB8, 4 bytes with any value, byte 0x90

ÏWRAP
Assemble an instruction  ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Assemble
 Current hotkey: @<Assemble>

This command allows you to assemble instructions. Currently, only the IBM PC
processors provide an assembler, nonetheless, plugin writers can extend or totally
replace the built-in assembler by writing their own.

The assembler requires to enclose all memory references into square brackets.
For example:

        mov ax, [counter]

Also, the keyword 'offset' must not be used. Instead of

        mov eax, offset name

you must write

        mov eax, name

See also

         @0:526[Edit|Patch core] submenu.
         @0:423[How to Enter a Number].WRAP
Edit|Other Submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

      @0:533[Create alignment directive...]
      @0:534[Manual instruction...]
      @0:1456[Color instruction...]
      @0:535[Hide/show border]

See also @0:451[Edit] submenu.ûWRAP
Rename Any Address ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeAnyName
 Current hotkey: @<MakeAnyName>

This command gives name/renames/deletes @0:424[name] for the
specified address. This is a more powerful variant of @0:457[Rename] command.

To delete a name, simply give an empty name.

If the specified address is referenced, you cannot delete its name.
Even if you try it, IDA will generate a @0:609[dummy] name.

This command is available only from the @0:587[name window].

For an explanation about the dialog box entries, please see the @0:457[Rename current address] command.

See also

         @0:530[Edit|Other] submenu.
         @0:424[How to Enter an Identifier].
         @0:609[Names representation]. get_prev_index▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get index of the previous existing array element
     tag     - tag of array (AR_LONG or AR_STR)
     id      - array id
     idx     - index of the current element
returns: -1 - no more array elements
         otherwise returns index of the previous array element

long get_prev_index(long tag, long id, long idx);
WRAP
Create alignment directive ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeAlignment
 Current hotkey: @<MakeAlignment>

This command allows you to create an alignment directive.
The alignment directive will replace a number of useless bytes
inserted by the linker to align code and data to paragraph boundary
or any other address which is equal to a power of two.

You can select a range to be converted to an alignment directive.
If you have selected a range, IDA will try to determine a
correct alignment automatically.

There are at least two requirements for this command to work:
        - there must be enough unexplored bytes at the current address.
        - an alignment directive must always end at an address
          which is divisible by a power or two.

See also

         @0:530[Edit|Other] submenu
         @0:426[How to Enter an Address].WRAP
Specify instruction representation manually ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ManualInstruction
 Current hotkey: @<ManualInstruction>

This command allows you to specify the representation of an instruction
or data in the program.

Use it if IDA cannot represent the current instruction as desired.
If the instruction itself is ok and only one operand is misrepresented,
then use @0:477[Enter operand manually] command.

To delete the manual representation, specify an empty string.

See also @0:530[Edit|Other] submenu.ÒWRAP
Hide/unhide a border ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ToggleBorder
 Current hotkey: @<ToggleBorder>

This command allows you to hide a thin border which is like the one generated
automatically by IDA between instructions and data.
If the border was already hidden, then it is displayed again.

Note that you can hide all borders at once
in the @0:1369[Comments Dialog].

See also @0:530[Edit|Other] submenueWRAP
Plugin modules ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

A plugin module is a module written on C++ that provides additional
functionality to IDA.

Usually, a plugin is invoked through a hotkey or the menu system.
The registered and loaded plugins will appear in a special Edit|Plugins submenu.
A plugin may provide better analysis, automation of tedious tasks, etc.

The plugin modules reside in the "plugins" subdirectory of IDA.
IDA is able to find and load all the plugins from this directory
automatically.

However, you can write a configuration file and tell IDA how to load
plugins. To do so, you need to modify the "plugins.cfg" file in the
"plugins" subdirectory.

The format of this file is simple:

Empty lines and lines starting with ';' are comment lines.
Other lines must have the following structure:

           menuname filename hotkey arg

 Example:

           Undefine undef    Alt-U  0

If the filename doesn't include the file extension or the directory,
IDA will add them. The plugin modules have the following extensions:

        Windows:        *.dll
        Linux:          *.so
        Mac:            *.dylib

Note: plugins compiled with support for 64-bit address space, will
feature a '64' suffix before the extension. E.g., 'pdb64.dll'

For more details, see information on individual plugin modules.

See also @0:451[Edit] submenu.: get_last_index▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get index of the last existing array element
     tag     - tag of array (AR_LONG or AR_STR)
     id      - array id
returns: -1 - array is empty
         otherwise returns index of the last array element

long get_last_index(long tag, long id);
×WRAP
Jump Immediate ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpEnter
 Current hotkey: @<JumpEnter>

By pressing <Enter> you navigate in the program in the same
way as in a hypertext (the way the web browsers and help screens use).

This is the easiest way to explore the program: just position the cursor
at the desired name and press "@<JumpEnter>".

Your current address is saved in the @0:542[jump stack].

The @0:539[Jump back] command (usually Esc) will return you back.

If the cursor is at a stack variable, a window with
@0:488[stack variables] is opened and the definition of the
stack variable is displayed.

See also

         @0:543[Jump] submenu
         @0:541[Empty Stack] command.UWRAP
Jump back ▄
 ▀▀▀▀▀▀▀▀▀▀

 Action    name: Return
 Current hotkey: @<Return>

This command brings you back to the previous position in the history.
It takes positions from @0:542[Jumps Stack].

See also

         @0:543[Jump] submenu
         @0:540[Undo "jump back"] command.
         @0:541[Empty Stack] command.WWRAP
Undo the last 'Return' Command ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: UndoReturn
 Current hotkey: @<UndoReturn>

This command cancels the last @0:539[Jump back] command.

See also

         @0:543[Jump] submenu
         @0:541[Empty navigation stack] command.WRAP
Empty navigation stack ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: EmptyStack
 Current hotkey: @<EmptyStack>

This command clears the @0:542[jump stack].

See also

         @0:543[Jump] submenu
         @0:539[Jump back] command.'WRAP
Jumps Stack ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Each IDA Window has its own jump stack. This stack keeps the cursor locations.
Many IDA commands use the jump stack, i.e. they save the old cursor position to
the stack. For example, when you are at the address 3000:0100 and press
the Ctrl-C key (find instruction), the 3000:0100 is saved into the jump stack
and the search is started. Afterwards, you can return to the old position
using @0:539[Jump back] command.

You can clear the jump stack using the @0:541[Empty stack]
menu command.
nWRAP
Jump submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

In this menu, you can select a command to jump to the specified
location in the file.  Jumps are very fast and your previous
position is saved. This submenu contains the following items:

 @0:538[Jump immediate]
 @0:539[Jump back]
 @0:540[Undo last jump back]
 @0:541[Empty navigation stack]
 @0:544[Jump to address]
 @0:545[Jump to named location]
 @0:546[Jump to segment start]
 @0:547[Jump to segment register change point]
 @0:548[Jump to problematic location]
 @0:582[Mark location]
 @0:563[Jump to marked position]
 @0:564[Jump to cross reference]
 @0:565[Jump to cross reference to operand]
 @0:566[Jump to function]
 @0:567[Jump to entry point]
 @0:1393[Jump to file offset]

See also

        @0:568[Search] menu for fast navigating.
        @0:542[Jumps Stack] concept.
        @0:428[Menu Bar] submenusWRAP
Jump to the specified address ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpAsk
 Current hotkey: @<JumpAsk>

This command jumps to the specified address in the program.
IDA will ask you for the target address.
You can enter a name or an address as a hexadecimal number
with or without a segment.
If you enter a valid address then:

  - the current address is saved in the @0:542[jump stack].
  - the cursor is positioned to the specified address.

The @0:539[Jump back] command (usually Esc) will return you back.

In the structure and enum views, the cursor will be moved to the corresponding
offset in the current type.

See also

         @0:543[Jump] submenu
         @0:426[How to Enter an Address].mWRAP
Jump to the named location ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpName
 Current hotkey: @<JumpName>

This command allows you to jump to a name definition by selecting it
from the list of the names.

IDA will display the list of the names (sorted by addresses)
and you can choose a name.
@0:609[Dummy] names (generated by IDA) are not listed.
Hidden names are not listed either. You can control which names are listed
in the @0:609[Names representation] dialog box.

See also

         @0:543[Jump] submenu
         @0:427[How to use the lister].hWRAP
Jump to the specified segment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpSegment
 Current hotkey: @<JumpSegment>

This command jumps to the start of the selected segment.
IDA will ask you to select the target segment.
After:

  - the current address is saved in the @0:542[jump stack].
  - the cursor is positioned to the specified address.

The @0:539[Jump back] command (usually Esc) will return you back.

See also:

        @0:525[How to choose a segment]
        @0:506[Other segment related commands]
        @0:543[Jump] submenuWRAP
Jump to the specified segment register change point ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpSegmentRegister
 Current hotkey: @<JumpSegmentRegister>

This command jumps to the selected
@0:524[Segment Register Change Point].
IDA will ask you to select a target change point.
And after:

  - the current address is saved in the @0:542[jump stack].
  - the cursor is positioned to the specified address.

The @0:539[Jump back] command (usually Esc) will return you back.

See also @0:543[Jump] submenu.«WRAP
Jump to a problematic location ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpQ
 Current hotkey: @<JumpQ>

This command allows you to jump to a problematic location.
IDA will display the @0:549[Problems List] and will allow you
to select a problem.

The @0:539[Jump back] command (usually Esc) will return you back.

See also @0:543[Jump] submenu.ÓWRAP
Problems List ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The following problems may occur:

 NOOFFSET @0:550[Cannot find offset base]
 NONAME   @0:551[Cannot find name]
 NOFORCED @0:552[Cannot find alternative string for an operand]
 NOCMT    @0:553[Cannot find comment]
 NOREF    @0:554[Cannot find references]
 INDIRJMP @0:555[Indirect execution flow]
 NODISASM @0:556[Cannot disassemble]
 ALREADY  @0:557[Already data or code]
 BOUNDS   @0:558[Execution flows beyond limits]
 OVERFLOW @0:559[Too many lines]
 BADSTACK @0:1368[Failed to trace the value of the stack pointer]
 LOOKHERE @0:560[Attention! Probably erroneous situation]
 DECISION @0:561[Decision to convert to instruction/data is made by IDA]
 ROLLBACK @0:562[The decision made by IDA was wrong and rolled back]
 COLISION @0:1441[FLIRT collision: the function with the given name already exists]
 SIGFNREF @0:1627[FLIRT match indecision: reference to function expected]


See also @0:543[Jump] submenu.ÇWRAP
Problem: Cannot find offset base ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        The current item has an operand marked as an offset,
        but IDA cannot find the offset base in the database.

 Possible reason(s):
        The database is probably corrupted.
        This may occur if the database was corrupted and repaired.

 What to do:
        Mark the operand again as an offset. Use one of the following
        commands:
         @0:467[Convert to offset (DS)]
         @0:468[Convert to offset (CS)]
         @0:469[Convert to offset by any segment]
         @0:470[Convert to offset by any user-specified base]
zWRAP
Problem: Cannot find name ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        Two reasons can cause this problem:
          1.Reference to an illegal address is made in the program being
            disassembled;
          2.IDA couldn't find a name for the address but
            it must exist.
 What to do:
        1. If this problem is caused by a reference to an illegal address
            - try to enter the operand @0:477[manually]
            - or make the illegal address legal by @0:507[creating] a new segment.
        2. Otherwise, the database is corrupt.
FWRAP
Problem: Cannot find alternative string for an operand ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        The current item has an operand marked as entered manually,
        but IDA cannot find the manually entered string in the database.

 Possible reason(s):
        The database is corrupt.

 What to do:
        Enter the operand manually again. Use one of the following
        commands:
         @0:477[User-defined operand]ßWRAP
Problem: Cannot find comment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

        Should not happen!
        Please inform the author if you encounter this problem.
ÈWRAP
Problem: Cannot find references ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        The current item is marked as referenced from other place(s) in the
        program, but IDA cannot find any reference to it.

 Possible reason(s):
        The database is corrupt.

 What to do:
        Database is corrupt, the best thing to do is
           to @0:444[reload] the database.yWRAP
Problem: Indirect execution flow ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        Actually, this is not a problem. IDA warns you
        that here it encountered an indirect jump and
        couldn't follow the execution.

 What to do:
        Nothing, this entry is just for your information^WRAP
Problem: Cannot disassemble ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        IDA cannot represent the specified bytes as an instruction.

 Possible reason(s):
        1. The specified bytes do not form an instruction.
        2. The current @0:618[processor] type is incorrect.

 What to do:
        If you are sure that the specified bytes contain an instruction,
        you can try to change @0:618[processor] type and
        mark these bytes as an instruction using the following command:
         @0:452[Convert to instruction]WRAP
Problem: Already data or code ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        IDA cannot convert this byte(s) to an @0:452[instruction]
        or @0:453[data] because it would overlap another instruction.

 What to do:
        Make the following overlapping instruction or data 'unexplored'
        using @0:456[undefine] command.ªWRAP
Problem: Execution flows beyond limits ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        IDA encountered a jump or call instruction to an illegal address.
        Namely:
          - jump/call beyond program segments
          - near jump/call beyond the current segment
 What to do:
        1. Enter the operand @0:477[manually]
        2. or Create a new @0:507[segment] making the illegal address legal
        3. or Change the current segment bounds using one of the following:
              @0:514[How to change segment attributes]
              @0:520[How to move a segment]*WRAP
Problem: Too many lines ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        The current item (instruction or data) occupies more lines
        on the screen than it is allowed by the current configuration.

 What to do:
        1. If the current item is an @0:455[array] or @0:454[String literal], try to divide it.
     or 2. Delete @0:481[Additional comment lines]
     or 3. Disable @0:607[cross-references] display
     or 4. Increase the limit in IDA.CFG, the parameter name is MAX_ITEM_LINES.
sWRAP
Problem: Attention! Probably erroneous situation ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        This is a generic problem message. IDA uses it when no more detailed
        information is available or the problem is processor-specific.
ôWRAP
Problem: Decision to convert to instruction/data is made by IDA ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        In fact, this is not exactly a problem: IDA collects all the locations
        where it has decided to convert undefined bytes to
        instructions or data even if they don't have
        any references to them. We consider this decision as dangerous
        and therefore we provide you with a way to examine all such places.

 What to do:
        Examine the result of conversion and modify the instructions
        or data if IDA has made a wrong conversion.
WRAP
Problem: The decision made by IDA was wrong and rolled back ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        This problem occurs when IDA has converted unexplored bytes to
        instruction(s) and later found that the decision was wrong.
        For example:

                mov     ax, bx
                db 0FFh, 0FFh

        0FFh, 0FFh cannot be converted to an instruction, therefore
        the "mov" instruction cannot be here.

        In this case, IDA automatically destroys the instruction(s)
        and enlists the address as problematic.

 What to do:
        Examine the end result and modify it accordingly.
PWRAP
Jump to previously marked position ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpPosition
 Current hotkey: @<JumpPosition>

This command jumps to the selected position.
IDA will ask you to select a target position.
After:
  - the current address is saved in the @0:542[jump stack].
  - the cursor is positioned to the specified address.

The @0:539[Jump back] command (usually Esc) will return you back.

You can mark the position using @0:582[Mark Position] command.

See also @0:543[Jump] submenu.ÿWRAP
Jump to cross reference ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpXref
 Current hotkey: @<JumpXref>

This command shows you a list of cross-references to the current location: you can jump to the selected one by pressing Enter.

Click @0:1305[here] to see the description of the cross reference dialog box.

See also

         @0:543[Jump] submenu
         @0:1593[Jump to Cross Reference From]
         @0:565[Jump to Cross References to Operand]'WRAP
Jump to cross references to operand ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpOpXref
 Current hotkey: @<JumpOpXref>

This command shows you a list of cross-references to the current operand: you can jump to the selected one by pressing Enter.

Click @0:1305[here] to see the description of the cross reference dialog box.

See also

         @0:543[Jump] submenu
         @0:564[Jump to Cross References]
         @0:1593[Jump to Cross Reference From]WRAP
Jump to function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpFunction
 Current hotkey: @<JumpFunction>

This command shows you a list of functions: you can jump to the selected one by pressing Enter.

See also

        @0:1590[Jump to next function]
        @0:1591[Jump to previous function]
        @0:543[Jump] submenu
        @0:639[How to choose a function]ÜWRAP
Jump to Entry Point ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpEntryPoint
 Current hotkey: @<JumpEntryPoint>

This command shows you a list of entry points: you can jump to the selected one by pressing Enter.

The list of entry points is created at the database creation time.
It is not modified after that (for example, renaming an exported function does
not change the list of entry points).

See also @0:543[Jump] submenu.WRAP
Search submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

In this menu, you can select a command to search for something
in the disassembly.  Searches are relatively slow and your previous
position is saved in the @0:542[jump stack].

You can search for:

   @0:569[suspicious operands] (instructions that need your attention)
   @0:570[instructions]
   @0:571[data bytes]
   @0:572[unexplored bytes]
   @0:573[explored bytes]
   @0:574[immediate operand values]
   @0:576[substring in the text representation]
   @0:579[substring in the binary image of the file]
   @0:581[bytes not belonging to any function]
   @0:1373[find all suspicious operands]
   @0:1481[string with error]
   @0:1482[find all errors]
   @0:1735[pictures (i.e., raster images)]

 in both @0:623[directions] (up and down).

See also

        @0:543[Jump] menu for fast navigating.
        @0:428[Menu Bar] submenus]WRAP
Search for next suspicious operand ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpSuspicious
 Current hotkey: @<JumpSuspicious>

Suspicious operands are the operands that need your attention
because they contain an immediate value that could be a
number or an offset. IDA does not know about it, so it marks these
instructions as 'suspicious'.  You can change the suspiciousness of the operands
using @0:606[set lower limit of suspicious operands] and
@0:606[set upper limit of suspicious operands] commands.

Data arrays are considered to be suspicious if the first element of the
data array is within the lower and upper suspicious limits. Values of other
elements are not examined.

You can disable the display of the 'suspicious' marks in the @0:1369[Comments Dialog].

NOTE: We strongly recommend that before producing an ASM file you go
through all 'suspicious' marks and get rid of them.  After this you have
a certain level of confidence that the file has been
disassembled correctly.

See also @0:568[Search] submenuWRAP
Search for next code ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpCode
 Current hotkey: @<JumpCode>

This command searches for the first @0:452[instruction] in the
@0:623[current direction].

See also @0:568[Search] submenuWRAP
Search for next data ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpData
 Current hotkey: @<JumpData>

This command searches for the first @0:453[defined data] item in the
@0:623[current direction].

See also @0:568[Search] submenuIWRAP
Search for next unexplored byte ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpUnknown
 Current hotkey: @<JumpUnknown>

This command searches for the first @0:456[unexplored] byte in the
@0:623[current direction].

See also @0:568[Search] submenu^WRAP
Search for next explored byte ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpExplored
 Current hotkey: @<JumpExplored>

This command searches for the first defined byte
(@0:452[instruction] or @0:453[data]) in the
@0:623[current direction].

See also @0:568[Search] submenu+WRAP
Search for next instruction/data with the specified operand ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: AskNextImmediate
 Current hotkey: @<AskNextImmediate>

This command searches for the first instruction or data byte
that contains the specified immediate value. The command is
relatively slow (but much faster than the text search), because it disassembles each instruction to
find the operand values.

If the immediate value in an instruction has been logically or bitwise negated,
then this command will check against the modified value. Example:

        mov al, -2

will be found if the user searches for the immediate value 2 but
not when he searches for 0xFE.

If the checkbox "any untyped value" is checked, then the "value" field is ignored.
IDA will look for all immediate values without type in this case.

See also

         @0:568[Search] submenu
         @0:423[How to Enter a Number].¢WRAP
Repeat search for instruction/data with the specified operand ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpImmediate
 Current hotkey: @<JumpImmediate>

This command repeats @0:574[search for immediate] command.

See also @0:568[Search] submenuWRAP
Search for substring in the disassembly ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: AskNextText
 Current hotkey: @<AskNextText>

This command searches for the specified substring in the text
representation of the disassembly.
This command is a slow command, because it
disassembles each instruction to get the text representation.
IDA will show its progress on the @0:620[indicator].
You can interrupt this command pressing Ctrl-Break.

You may search for @0:578[regular expressions] too.

If a range is selected using @0:420[anchor], IDA will search
for the specified substring in the range.

Note that this command searches the same as what you see on your
screen (and not in binary image).

For binary search, look at @0:579[Search for substring in the file]

See also @0:568[Search] submenuWWRAP
Repeat search for substring in the disassembly ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpText
 Current hotkey: @<JumpText>

This command repeats @0:576[search for text] command.

See also @0:568[Search] submenuh8WRAP
REGULAR EXPRESSION SYNTAX SUMMARY ▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The full syntax and semantics of the regular expressions that are supported by PCRE2 are described in the pcre2pattern documentation. This document contains a quick-reference summary of the syntax.

QUOTING


  \x         where x is non-alphanumeric is a literal x
  \Q...\E    treat enclosed characters as literal



ESCAPED CHARACTERS

This table applies to ASCII and Unicode environments.

  \a         alarm, that is, the BEL character (hex 07)
  \cx        "control-x", where x is any ASCII printing character
  \e         escape (hex 1B)
  \f         form feed (hex 0C)
  \n         newline (hex 0A)
  \r         carriage return (hex 0D)
  \t         tab (hex 09)
  \0dd       character with octal code 0dd
  \ddd       character with octal code ddd, or backreference
  \o{ddd..}  character with octal code ddd..
  \U         "U" if PCRE2_ALT_BSUX is set (otherwise is an error)
  \uhhhh     character with hex code hhhh (if PCRE2_ALT_BSUX is set)
  \xhh       character with hex code hh
  \x{hhh..}  character with hex code hhh..

Note that \0dd is always an octal code. The treatment of backslash followed by a non-zero digit is complicated; for details see the section "Non-printing characters" in the pcre2pattern documentation, where details of escape processing in EBCDIC environments are also given.

When \x is not followed by {, from zero to two hexadecimal digits are read, but if PCRE2_ALT_BSUX is set, \x must be followed by two hexadecimal digits to be recognized as a hexadecimal escape; otherwise it matches a literal "x". Likewise, if \u (in ALT_BSUX mode) is not followed by four hexadecimal digits, it matches a literal "u".

CHARACTER TYPES


  .          any character except newline;
               in dotall mode, any character whatsoever
  \C         one code unit, even in UTF mode (best avoided)
  \d         a decimal digit
  \D         a character that is not a decimal digit
  \h         a horizontal white space character
  \H         a character that is not a horizontal white space character
  \N         a character that is not a newline
  \p{xx}     a character with the xx property
  \P{xx}     a character without the xx property
  \R         a newline sequence
  \s         a white space character
  \S         a character that is not a white space character
  \v         a vertical white space character
  \V         a character that is not a vertical white space character
  \w         a "word" character
  \W         a "non-word" character
  \X         a Unicode extended grapheme cluster

\C is dangerous because it may leave the current matching point in the middle of a UTF-8 or UTF-16 character. The application can lock out the use of \C by setting the PCRE2_NEVER_BACKSLASH_C option. It is also possible to build PCRE2 with the use of \C permanently disabled.

By default, \d, \s, and \w match only ASCII characters, even in UTF-8 mode or in the 16-bit and 32-bit libraries. However, if locale-specific matching is happening, \s and \w may also match characters with code points in the range 128-255. If the PCRE2_UCP option is set, the behaviour of these escape sequences is changed to use Unicode properties and they match many more characters.

GENERAL CATEGORY PROPERTIES FOR \p and \P


  C          Other
  Cc         Control
  Cf         Format
  Cn         Unassigned
  Co         Private use
  Cs         Surrogate

  L          Letter
  Ll         Lower case letter
  Lm         Modifier letter
  Lo         Other letter
  Lt         Title case letter
  Lu         Upper case letter
  L&         Ll, Lu, or Lt

  M          Mark
  Mc         Spacing mark
  Me         Enclosing mark
  Mn         Non-spacing mark

  N          Number
  Nd         Decimal number
  Nl         Letter number
  No         Other number

  P          Punctuation
  Pc         Connector punctuation
  Pd         Dash punctuation
  Pe         Close punctuation
  Pf         Final punctuation
  Pi         Initial punctuation
  Po         Other punctuation
  Ps         Open punctuation

  S          Symbol
  Sc         Currency symbol
  Sk         Modifier symbol
  Sm         Mathematical symbol
  So         Other symbol

  Z          Separator
  Zl         Line separator
  Zp         Paragraph separator
  Zs         Space separator



PCRE2 SPECIAL CATEGORY PROPERTIES FOR \p and \P


  Xan        Alphanumeric: union of properties L and N
  Xps        POSIX space: property Z or tab, NL, VT, FF, CR
  Xsp        Perl space: property Z or tab, NL, VT, FF, CR
  Xuc        Univerally-named character: one that can be
               represented by a Universal Character Name
  Xwd        Perl word: property Xan or underscore

Perl and POSIX space are now the same. Perl added VT to its space character set at release 5.18.

SCRIPT NAMES FOR \p AND \P

Ahom, Anatolian_Hieroglyphs, Arabic, Armenian, Avestan, Balinese, Bamum, Bassa_Vah, Batak, Bengali, Bopomofo, Brahmi, Braille, Buginese, Buhid, Canadian_Aboriginal, Carian, Caucasian_Albanian, Chakma, Cham, Cherokee, Common, Coptic, Cuneiform, Cypriot, Cyrillic, Deseret, Devanagari, Duployan, Egyptian_Hieroglyphs, Elbasan, Ethiopic, Georgian, Glagolitic, Gothic, Grantha, Greek, Gujarati, Gurmukhi, Han, Hangul, Hanunoo, Hatran, Hebrew, Hiragana, Imperial_Aramaic, Inherited, Inscriptional_Pahlavi, Inscriptional_Parthian, Javanese, Kaithi, Kannada, Katakana, Kayah_Li, Kharoshthi, Khmer, Khojki, Khudawadi, Lao, Latin, Lepcha, Limbu, Linear_A, Linear_B, Lisu, Lycian, Lydian, Mahajani, Malayalam, Mandaic, Manichaean, Meetei_Mayek, Mende_Kikakui, Meroitic_Cursive, Meroitic_Hieroglyphs, Miao, Modi, Mongolian, Mro, Multani, Myanmar, Nabataean, New_Tai_Lue, Nko, Ogham, Ol_Chiki, Old_Hungarian, Old_Italic, Old_North_Arabian, Old_Permic, Old_Persian, Old_South_Arabian, Old_Turkic, Oriya, Osmanya, Pahawh_Hmong, Palmyrene, Pau_Cin_Hau, Phags_Pa, Phoenician, Psalter_Pahlavi, Rejang, Runic, Samaritan, Saurashtra, Sharada, Shavian, Siddham, SignWriting, Sinhala, Sora_Sompeng, Sundanese, Syloti_Nagri, Syriac, Tagalog, Tagbanwa, Tai_Le, Tai_Tham, Tai_Viet, Takri, Tamil, Telugu, Thaana, Thai, Tibetan, Tifinagh, Tirhuta, Ugaritic, Vai, Warang_Citi, Yi.

CHARACTER CLASSES


  [...]       positive character class
  [^...]      negative character class
  [x-y]       range (can be used for hex characters)
  [[:xxx:]]   positive POSIX named set
  [[:^xxx:]]  negative POSIX named set

  alnum       alphanumeric
  alpha       alphabetic
  ascii       0-127
  blank       space or tab
  cntrl       control character
  digit       decimal digit
  graph       printing, excluding space
  lower       lower case letter
  print       printing, including space
  punct       printing, excluding alphanumeric
  space       white space
  upper       upper case letter
  word        same as \w
  xdigit      hexadecimal digit

In PCRE2, POSIX character set names recognize only ASCII characters by default, but some of them use Unicode properties if PCRE2_UCP is set. You can use \Q...\E inside a character class.

QUANTIFIERS


  ?           0 or 1, greedy
  ?+          0 or 1, possessive
  ??          0 or 1, lazy
  *           0 or more, greedy
  *+          0 or more, possessive
  *?          0 or more, lazy
  +           1 or more, greedy
  ++          1 or more, possessive
  +?          1 or more, lazy
  {n}         exactly n
  {n,m}       at least n, no more than m, greedy
  {n,m}+      at least n, no more than m, possessive
  {n,m}?      at least n, no more than m, lazy
  {n,}        n or more, greedy
  {n,}+       n or more, possessive
  {n,}?       n or more, lazy



ANCHORS AND SIMPLE ASSERTIONS


  \b          word boundary
  \B          not a word boundary
  ^           start of subject
                also after an internal newline in multiline mode
                (after any newline if PCRE2_ALT_CIRCUMFLEX is set)
  \A          start of subject
  $           end of subject
                also before newline at end of subject
                also before internal newline in multiline mode
  \Z          end of subject
                also before newline at end of subject
  \z          end of subject
  \G          first matching position in subject



MATCH POINT RESET


  \K          reset start of match

\K is honoured in positive assertions, but ignored in negative ones.

ALTERNATION


  expr|expr|expr...



CAPTURING


  (...)           capturing group
  (?<name>...)    named capturing group (Perl)
  (?'name'...)    named capturing group (Perl)
  (?P<name>...)   named capturing group (Python)
  (?:...)         non-capturing group
  (?|...)         non-capturing group; reset group numbers for
                   capturing groups in each alternative



ATOMIC GROUPS


  (?>...)         atomic, non-capturing group



COMMENT


  (?#....)        comment (not nestable)



OPTION SETTING


  (?i)            caseless
  (?J)            allow duplicate names
  (?m)            multiline
  (?s)            single line (dotall)
  (?U)            default ungreedy (lazy)
  (?x)            extended (ignore white space)
  (?-...)         unset option(s)

The following are recognized only at the very start of a pattern or after one of the newline or \R options with similar syntax. More than one of them may appear.   (*LIMIT_MATCH=d) set the match limit to d (decimal number)

  (*LIMIT_RECURSION=d) set the recursion limit to d (decimal number)
  (*NOTEMPTY)     set PCRE2_NOTEMPTY when matching
  (*NOTEMPTY_ATSTART) set PCRE2_NOTEMPTY_ATSTART when matching
  (*NO_AUTO_POSSESS) no auto-possessification (PCRE2_NO_AUTO_POSSESS)
  (*NO_DOTSTAR_ANCHOR) no .* anchoring (PCRE2_NO_DOTSTAR_ANCHOR)
  (*NO_JIT)       disable JIT optimization
  (*NO_START_OPT) no start-match optimization (PCRE2_NO_START_OPTIMIZE)
  (*UTF)          set appropriate UTF mode for the library in use
  (*UCP)          set PCRE2_UCP (use Unicode properties for \d etc)

Note that LIMIT_MATCH and LIMIT_RECURSION can only reduce the value of the limits set by the caller of pcre2_match(), not increase them. The application can lock out the use of (*UTF) and (*UCP) by setting the PCRE2_NEVER_UTF or PCRE2_NEVER_UCP options, respectively, at compile time.

NEWLINE CONVENTION

These are recognized only at the very start of the pattern or after option settings with a similar syntax.

  (*CR)           carriage return only
  (*LF)           linefeed only
  (*CRLF)         carriage return followed by linefeed
  (*ANYCRLF)      all three of the above
  (*ANY)          any Unicode newline sequence



WHAT \R MATCHES

These are recognized only at the very start of the pattern or after option setting with a similar syntax.

  (*BSR_ANYCRLF)  CR, LF, or CRLF
  (*BSR_UNICODE)  any Unicode newline sequence



LOOKAHEAD AND LOOKBEHIND ASSERTIONS


  (?=...)         positive look ahead
  (?!...)         negative look ahead
  (?<=...)        positive look behind
  (?<!...)        negative look behind

Each top-level branch of a look behind must be of a fixed length.

BACKREFERENCES


  \n              reference by number (can be ambiguous)
  \gn             reference by number
  \g{n}           reference by number
  \g{-n}          relative reference by number
  \k<name>        reference by name (Perl)
  \k'name'        reference by name (Perl)
  \g{name}        reference by name (Perl)
  \k{name}        reference by name (.NET)
  (?P=name)       reference by name (Python)



SUBROUTINE REFERENCES (POSSIBLY RECURSIVE)


  (?R)            recurse whole pattern
  (?n)            call subpattern by absolute number
  (?+n)           call subpattern by relative number
  (?-n)           call subpattern by relative number
  (?&name)        call subpattern by name (Perl)
  (?P>name)       call subpattern by name (Python)
  \g<name>        call subpattern by name (Oniguruma)
  \g'name'        call subpattern by name (Oniguruma)
  \g<n>           call subpattern by absolute number (Oniguruma)
  \g'n'           call subpattern by absolute number (Oniguruma)
  \g<+n>          call subpattern by relative number (PCRE2 extension)
  \g'+n'          call subpattern by relative number (PCRE2 extension)
  \g<-n>          call subpattern by relative number (PCRE2 extension)
  \g'-n'          call subpattern by relative number (PCRE2 extension)



CONDITIONAL PATTERNS


  (?(condition)yes-pattern)
  (?(condition)yes-pattern|no-pattern)

  (?(n)               absolute reference condition
  (?(+n)              relative reference condition
  (?(-n)              relative reference condition
  (?(<name>)          named reference condition (Perl)
  (?('name')          named reference condition (Perl)
  (?(name)            named reference condition (PCRE2)
  (?(R)               overall recursion condition
  (?(Rn)              specific group recursion condition
  (?(R&name)          specific recursion condition
  (?(DEFINE)          define subpattern for reference
  (?(VERSION[>]=n.m)  test PCRE2 version
  (?(assert)          assertion condition



BACKTRACKING CONTROL

The following act immediately they are reached:

  (*ACCEPT)       force successful match
  (*FAIL)         force backtrack; synonym (*F)
  (*MARK:NAME)    set name to be passed back; synonym (*:NAME)

The following act only when a subsequent match failure causes a backtrack to reach them. They all force a match failure, but they differ in what happens afterwards. Those that advance the start-of-match point do so only if the pattern is not anchored.   (*COMMIT)       overall failure, no advance of starting point

  (*PRUNE)        advance to next starting character
  (*PRUNE:NAME)   equivalent to (*MARK:NAME)(*PRUNE)
  (*SKIP)         advance to current matching position
  (*SKIP:NAME)    advance to position corresponding to an earlier
                  (*MARK:NAME); if not found, the (*SKIP) is ignored
  (*THEN)         local failure, backtrack to next alternation
  (*THEN:NAME)    equivalent to (*MARK:NAME)(*THEN)



CALLOUTS

  (?C)            callout (assumed number 0)
  (?Cn)           callout with numerical data n
  (?C"text")      callout with string data

The allowed string delimiters are ` ' " ^ % # $ (which are the same for the start and the end), and the starting delimiter { matched with the ending delimiter }. To encode the ending delimiter within the string, double it.
>WRAP
Search for substring in the file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: AskBinaryText
 Current hotkey: @<AskBinaryText>

This command searches for the specified substring in the file being
disassembled. This command can be used for fast lookups of text
strings in the executable file or even to find references to a data.
You can interrupt it pressing Ctrl-Break.

If a range is selected using @0:420[anchor], IDA will search
for the specified substring in the range.

The substring is specified like this:

        "This is substring to search"

i.e. in the double-quotes. Also you can specify individual byte values as
numbers:

        6A 10

Follow this @0:528[link] to learn more about the format of the input
string.

For example, if you want to find a reference to the following string:

 35F2:106A      db 'Hello',0

you could search for number 106A in the file.

See also

         @0:528[the input string format]
         @0:576[search for text] command.
         @0:568[Search] submenuOWRAP
Repeat search for substring in the file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpBinaryText
 Current hotkey: @<JumpBinaryText>

This command repeats @0:579[search for text in core] command.

See also @0:568[Search] submenuWRAP
Search for bytes not belonging to any function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpNotFunction
 Current hotkey: @<JumpNotFunction>

This command searches for the first byte not belonging to any function
in the
@0:623[current direction].

See also @0:568[Search] submenuWRAP
Mark Position ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MarkPosition
 Current hotkey: @<MarkPosition>

You can mark certain locations of the file to be able to @0:563[jump] to
them quickly. Text description of the location may help to find
a desired location easily.

First select a slot for the mark, then enter a
description for the location.

See also @0:543[Jump] submenu.·WRAP
View submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Here are commands to open various windows, display information etc.

  @0:1356[Open subviews...]
  @0:1378[Graphs...]

  @0:596[Calculator]
  @0:597[View segment registers]
  @0:598[View internal flags]

  @0:599[Hide]
  @0:600[Unhide]
  @0:1394[Del hidden range]
  @0:1387[Hide all]
  @0:1388[Unhide all]
  @0:601[Setup hidden items...]

See also @0:428[Menu Bar] submenus.ÇWRAP
Message Window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA opens a special non-closable window at the start.
This window is called "message window".
In this window you see various IDA messages.

If the message window is hidden behind other windows, you
will not see the IDA messages.

You can duplicate all messages appearing in this window to a file.
For this, you have to define an environment variable:

        set IDALOG=logfile
óWRAP
Disassembly window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: WindowOpen
 Current hotkey: @<WindowOpen>

The "WindowOpen" command opens a new window with the disassembly.
IDA automatically opens one disassembly window at the start.

If the current location is an instruction belonging to a function,
then the @0:42[graph view] is available. You can toggle between
the text and graph view using the Space key. You can also switch to
proximity view by zooming out to the callgraph using the '-' key.

Use the disassembly @0:451[editing] commands to improve the listing.

Use Shift-<arrows> or Alt-L to drop @0:420[anchor].
If you have a mouse, you can drop the anchor with it too.

A double click of the mouse is equivalent to the <Enter> key.

To the left of disassembly, there is an @0:1385[arrows window] (GUI version).
Also the GUI version @0:1386[highlights] the current identifier.

 See also @0:1356[View|Open subviews] submenu
          @0:414[Main Help Index]
WRAP
Functions window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenFunctions
 Current hotkey: @<OpenFunctions>

A list of all functions in the program is displayed.
You can @0:484[add], @0:486[delete], @0:485[modify] functions
using @0:427[list] viewer commands.

Listed for each function are:

        - function name
        - segment that contains the function
        - offset of the function within the segment
        - function length in bytes
        - size (in bytes) of local variables + saved registers
        - size (in bytes) of arguments passed to the function

The last column of this window has the following format:

        R - function returns to the caller
        F - far function
        L - library function
        S - static function
        B - BP based frame. IDA will automatically convert
            all frame pointer [BP+xxx] operands to stack
            variables.
        T - function has type information
        = - Frame pointer is equal to the initial stack pointer
            In this case the frame pointer points to the bottom of the frame
        M - reserved
        S - reserved
        I - reserved
        C - reserved
        D - reserved
        V - reserved

If a function has its color set, its line is colored using the specified color.
Otherwise library and lumina functions are colored with the corresponding
color. Otherwise the line is not colored.

A bold font is used for functions that have definite (user-specified) prototype.
Also some plugins too may set this flag. Such prototypes are taken as is
by the decompiler, while other prototypes are considered only as a starting
point during decompilation.

It is possible to automatically synchronize the function list with the active
disassembler, pseudocode, or hex view. For that right click on the function
list and select "Turn on synchronization".

See also @0:1356[View|Open subviews] submenu.4WRAP
Names window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenNames
 Current hotkey: @<OpenNames>

This command opens the @0:457[names] window.

You can use @0:427[list viewer] commands in this window.

The GUI version displays a small icon for each name:

        L (dark blue)   - library function
        F (dark blue)   - regular function
        C (light blue)  - instruction
        A (dark green)  - string literal
        D (light green) - data
        I (purple)      - imported name


See also @0:1356[View|Open subviews] submenu.nWRAP
Signatures window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenSignatures
 Current hotkey: @<OpenSignatures>

This command opens the signatures window.

For each signature, the following is displayed:

        - name of file with the signature
        - state of signature:
                - Planned: the signature will be applied
                - Current: the signature is being applied
                - Applied: the signature has been applied
        - number of functions found using the signature
        - description of the signature

You can modify the planned signatures list here:
add/delete library modules to be used during the disassembling.

You cannot delete an applied signature from the list.

To add a signature to the list for the application press <Ins>.
You will see a list of signatures that can be applied to the program being
disassembled.

Text version: Not all signature files will be displayed (for example,
32 bit signatures will not be shown for a 16 bit program). If you want
to see the full list of signatures, select the first line of the list
saying SWITCH TO FULL LIST OF SIGNATURES.

Signature files reside in the subdirectories of the SIG directory. Each
processor has its own subdirectory. The name of the subdirectory
is equal to the name of the processor module file (z80 for z80.w32, for example).
Note: IBM PC signatures are located in the SIG directory itself.
Note: the IDASGN environment variable can be used to specify
the location of the signatures directory.

See also

         @0:1356[View|Open subviews] submenu.
         @0:427[How To Use List Viewer]WRAP
Segments window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowSegments
 Current hotkey: @<ShowSegments>

This command opens the segments window. The format of this window
is explained @0:525[here].

You can use @0:427[list viewer] commands in this window.

In order to change the selector values, use @0:591[selectors] window.

See also @0:1356[View|Open subviews] submenu.'WRAP
Segment registers window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowSegmentRegisters
 Current hotkey: @<ShowSegmentRegisters>

This command opens the segment registers window.
The window will contain segment register
@0:524[change points]
list.

You can use @0:427[list viewer] commands in this window.

Depending on the current processor type, you will see
DS,ES,SS with or without FS,GS.

See also
         @0:506[Edit|Segments] submenu.
         @0:1356[View|Open subviews] submenu.ÂWRAP
Selectors window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowSelectors
 Current hotkey: @<ShowSelectors>

This command opens the selector window. Here you can change
the "selector to base" mapping. The selector table is used
to look up the selector values when @0:508[calculating] the addresses that
are visible in the disassembly listing.

You can use @0:427[list viewer] commands in this window:

        - jump to the paragraph pointed by the selector
        - add a new selector
        - delete selector (if it is not used by any segment)
        - change selector value (this leads to reanalysis of all program)

See also @0:1356[View|Open subviews] submenu.7WRAP
Cross references window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenXrefs
 Current hotkey: @<OpenXrefs>

This command opens the cross-references window. This window contains
all references to the current location.

You can use @0:427[list viewer] commands in this window.

You can add and delete cross references here too by pressing Ins or Del.
Right clicking on the mouse will work too.

Add a cross reference: the from and to address, as well as the xref type should be specified.

Del a cross reference: if the 'undefine if no more xrefs' is check, then the instruction
at the target address will be undefined upon the deletion of the last xref.
IDA undefines instructions only if they do not start a function.

See also @0:1356[View|Open subviews] submenu.WRAP
Structures window▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenStructures
 Current hotkey: @<OpenStructures>

This command opens the structure definitions window.

You can modify structure definitions here: add/rename/delete structures,
add/delete/define structure members.

Each structure must have a unique name. A field name must be unique in the
structure. In order to create or delete a field, use data definitions
commands (@0:453[data], @0:454[string literal], @0:455[array], @0:456[undefine], @0:457[Rename]).
You may also define @0:479[regular] or @0:480[repeatable] comments.

In order to modify member types, use commands from the @0:458[Edit|Operand types...] submenu.
For example, to convert a structure member to an offset, use one of the following
commands:

      @0:468[Convert to offset (automatic)]
      @0:467[Convert to offset (from a segment base)]
      @0:470[Convert to offset (complex offset expression)]

Some struct types in this window are created automatically by IDA. They are
copies of some local types. Such structs are displayed in gray. They are
considered as C-level types. As soon as the user edits such a type, it becomes
an ASM-level type. Read @0:1042[more].

In the structure header IDA displays the following info:

  - the structure size in bytes
  - the alignment
  - for C level types: copyof_XX where XX is the ordinal type number.
  - for ASM level types: mappedto_XX where XX is the ordinal type number.
    It is possible to jump to the corresponding local type by pressing Enter.
  - for types copied from standard type libraries: "standard type"

See also @0:1356[View|Open subviews] submenu.·WRAP
Problems window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenProblems
 Current hotkey: @<OpenProblems>

This command opens the problems window.
The problem window contains the @0:549[list] of all problems encountered by
IDA during disassembling the program.

You can jump to a problem by pressing Enter. The selected problem will
be deleted from the list.

See also @0:1356[View|Open subviews] submenu.nWRAP
Calculator ▄
 ▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Calculate
 Current hotkey: @<Calculate>

A simple calculator is provided. You can enter constant C-style
expressions. Syntax of the expressions is the same is the syntax of
IDC @0:158[expressions].
The result is displayed in the message window in three
forms: hexadecimal,decimal and character.

All the names created during a disassembly may be used in these
expressions. IDA can also pick up the name or number under the
cursor and to store it into the input line.

See also

         @0:583[View] submenu.
         @0:423[How to Enter a Number].WRAP
View segment registers ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowRegisters
 Current hotkey: @<ShowRegisters>

This command displays segment register contents in
the @0:584[message window].

You may use this command to refresh the disassembly window too.

See also

         @0:506[Edit|Segments] submenu.
         @0:583[View] submenu.2WRAP
View Internal Flags ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowFlags
 Current hotkey: @<ShowFlags>

This command displays the internal flag values for the current item.
The information appears in the @0:584[message window].

See also @0:583[View] submenu.EWRAP
Hide ▄
 ▀▀▀▀▀

 Action    name: Hide
 Current hotkey: @<Hide>

This command allows you to hide a part of disassembly.
You can hide a function, a segment, or create a special
hidden range.

If a range is specified, a special hidden range is created on
this range.

If the cursor is on the segment name at the start of the segment,
the segment will be hidden.
IDA will display only the header of the hidden segment.

If the cursor is on a structure variable and if the target assembler has the
'can display terse structures or the @0:285[INFFL_ALLASM]' bit on, then
the structure will be collapsed into one line and displayed in the terse form.

Otherwise, the current function will be hidden.
IDA will display only the header of the hidden function.

If there is no current function then IDA will beep.

If you want to see hidden items on the screen, you may use
@0:600[unhide] command or @0:601[enable]
the display of the hidden items.
If you want to delete a previously created hidden range, you
may use @0:1394[del hidden range] command.

See also @0:583[Edit|View] submenu]WRAP
Unhide ▄
 ▀▀▀▀▀▀▀

 Action    name: Unhide
 Current hotkey: @<Unhide>

This command allows you to unhide a hidden part of disassembly.

If the cursor is on the hidden function name,
the function will be unhidden.

If the cursor is on the terse structure variable, the structure
will be uncollapsed and displayed in the regular form.

If the cursor is on the hidden range, the hidden range
will be unhidden.

If the cursor is on the hidden segment name,
the segment will be unhidden.

See also @0:599[hide] command and @0:601[setup hidden] command.

See also @0:583[Edit|View] submenuRWRAP
Setup hidden items ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetupHidden
 Current hotkey: @<SetupHidden>

This command allows you to toggle the display of @0:599[hidden] items.

Automatically hide library functions

        This option hides the functions recognized by FLIRT.
        If will have an effect only from the time when the option is set.

Display hidden instructions

        If this option is set, IDA will display all the instructions
        as unhidden even if they were hidden.

Display hidden functions

        If this options is set, IDA will display all the functions
        as unhidden even if they were hidden.

Display hidden segments

        If this options is set, IDA will display all the segments
        as unhidden even if they were hidden.

See also @0:583[View] submenu.t qdirname▄
 ▀▀▀▀▀▀▀▀▀

Get the directory part of the given path

string qdirname(string path);
y qbasename▄
 ▀▀▀▀▀▀▀▀▀▀

Get the file name part of the given path

string qbasename(string path);
ÏWRAP
Options Submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to change various options and settings:

    @0:605[Text representation...]
    @0:1369[Comments...]
    @0:607[Representation of cross references...]
    @0:1713[Disable history]
    @0:1712[Clear undo history]
    @0:608[Assembler directives...]
    @0:609[Names representation...]
    @0:611[Demangled C++ names...]
    @0:1354[Compiler...]
    @0:613[String styles...]
    @0:614[String options...]
    @0:615[Colors...]
    @0:616[Dump/normal View]
    @0:617[Setup data types...]

    @0:618[Processor type...]
    @0:619[Target assembler...]

    @0:620[Analysis options...]

See also @0:428[Menu Bar] submenus.êWRAP
Text Representation Dialog ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command changes the look of the disassembly.
Here you can change the values of the following checkboxes/input fields:

Line prefixes

        This checkbox enables or disables line prefixes display.
        Line prefix is the address of the current byte:

         3000:1000      mov ax, bx
         ^^^^^^^^^

        @0:419[IDA.CFG] parameter: SHOW_LINEPREFIXES

Number of opcode bytes

        Opcode bytes are shown below:

         3000:1000 55           push    bp
                   ^^^^^^^^^

        The opcode is the operation code of the current instruction.
        For the data items, the opcodes are elements of data directives.
        Sometimes there is not enough place to display all bytes of an item
        (of a large array, for example). In this case, IDA will display just
        the few first bytes of the item. For the code items, IDA will try
        to display all bytes of the instruction, even if it requires adding
        more lines just for the opcode bytes. If this behavior is not desired,
        the number of opcode bytes can be specified as a negative value.
        A negative value -N means to display N opcode bytes on a line but
        never display empty lines just for the opcode bytes.
        By default, IDA does not display the opcodes.

        @0:419[IDA.CFG] parameter: OPCODE_BYTES

Use segment names

        This option controls the appearance of the segment names in the
        addresses. Example (codeseg has base 3000):

           Enabled:     codeseg:0034
           Disabled:    3000:0034

        @0:419[IDA.CFG] parameter: USE_SEGMENT_NAMES

Segment addresses

        Marking this checkbox, you can disable segment addresses in the
        disassembly. IDA will show only offsets. Example:

           Enabled:     codeseg:0034
           Disabled:    0034

        @0:419[IDA.CFG] parameter: SHOW_SEGMENTS

Function offsets

        This option controls the appearance of the line prefixes.
        If it is enabled, the addresses will be displayed as offsets
        from a function beginning. Example:

           Enabled:     somefunc+0x44
           Disabled:    cseg:0x4544

Right margin

        This option controls the length of disassembly lines for data
        directives.

        @0:419[IDA.CFG] parameter: MAX_DATALINE_LENGTH

Instruction indention

        You can change indention of disassembled instructions:

                         mov ax, bx
         <-------------->
            indention

        @0:419[IDA.CFG] parameter: INDENTION

Display bad instruction <BAD> marks

        Some assemblers do not understand some instructions even if they
        must. For example, the Z80 processor has several undocumented
        instructions and many assemblers fail to recognize them. IDA knows
        about this fact and tries to produce an output that can be compiled
        without errors, so it replaces such instructions with data bytes.

        The problem is more severe with Intel 80x86 processors: the same
        instruction can be coded differently. There are 2 operation codes
        for ADD instruction, etc. The worst thing is that the different
        operation codes have different lengths. If the assembler used to
        compile a file and your assembler produce different operation codes,
        you may obtain completely different output files.

        That is why IDA can mark such instructions as <BAD> and replace them
        with data bytes. Example:

           Enabled:
                        db 0Fh,86h,7Eh,0,0,0 ; <BAD> jbe     loc_0_205
                        db 0Fh,82h,78h,0,0,0 ; <BAD> jb      loc_0_205
                        db 0Fh,83h,72h,0,0,0 ; <BAD> jnb     loc_0_205
           Disabled:
                        jbe     loc_0_205
                        jb      loc_0_205
                        jnb     loc_0_205

        @0:419[IDA.CFG] parameter: SHOW_BAD_INSTRUCTIONS

Use tabulations in output

        You can disable the tab chars (0x09) in the output file if you do not
        like them. By default, IDA produces output files with tab chars.

        @0:419[IDA.CFG] parameter: USE_TABULATION

low suspicious limit
high suspicious limit

        Click @0:606[here] to get information about these fields.

Display stack pointer

        If this option is set, IDA will display the value of
        the stack pointer in the line prefix.

        @0:419[IDA.CFG] parameter: SHOW_SP

See also @0:604[Options] submenu.+WRAP
Low & High Suspicious Operand Limits ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

If IDA suspects that an operand can be represented as something different
from a plain number, it will mark the operand as "suspicious" and display
it in red/orange.

Two values control the definition of suspiciousness.  An operand is 'suspicious' if
it has an immediate value between low and high 'suspicious' limits.
The comparison is always unsigned, i.e. in the instruction

        mov ax,[bp-2]

  the immediate operand is 0xFFFE, not -2.


IDA uses a simple heuristic to determine initial suspiciousness limits.
You may change these limits any time you want.

See also

         @0:1369[Comments Dialog]
         @0:423[How to Enter a Number].¤WRAP
Cross References Dialog ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA maintains cross-references automatically. Of course, when IDA starts to
disassemble a new file, the cross-references will not appear immediately;
they will be collected during background @0:416[analysis].

This command changes the representation of cross references.

Display segments in xrefs

        This checkbox enables or disables segments in cross references:

           Enabled:     ; CODE XREF: 3000:1025
           Disabled:    ; CODE XREF: 1025

Display xref type mark

        If this option is disabled, IDA will not display "CODE"
        or "DATA" in the cross-references.

        @0:419[IDA.CFG] parameter: SHOW_XREF_TYPES

Display function offsets

        This option controls the appearance of the cross-reference addresses.
        If it is enabled, the addresses will be displayed as offsets
        from a function beginning. Example:

           Enabled:     somefunc+0x44
           Disabled:    cseg:0x4544

        @0:419[IDA.CFG] parameter: SHOW_XREF_FUNC

Display xref values

        If this option is disabled, IDA will just display the presence
        of cross-references, like this:

                ; CODE XREF: ...

        @0:419[IDA.CFG] parameter: SHOW_XREF_VALUES

Right margin

        Determines the maximal length of a line with the cross references.

        @0:419[IDA.CFG] parameter: MAX_XREF_LENGTH

Cross reference depth

        This value "how many bytes of an object to look at to collect
        cross references". For example we have an array:

                A       db 100 dup(0)

        If some instruction refers to the 5-th element of the array:

                mov     al,A+5

         with TD=3      we'll have no xrefs displayed
         with TD=10     we'll have this xref

        @0:419[IDA.CFG] parameter: MAX_TAIL

Number of xrefs to display

        Determines the maximal number of the cross references to display.
        You may keep this value low because you can access all xrefs by
        using the @0:564[Jump to cross reference] command.

        @0:419[IDA.CFG] parameter: SHOW_XREFS

See also @0:604[Options] submenu.WRAP
Assembler Directives Dialog ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command enables/disables the generation of some assembler directives,
namely:

        assume directive
        origin directive

Sometimes (when you do not intend to assemble the output file), you may want
to disable their generation.

See also @0:604[Options] submenu.þ
WRAP
Names Representation ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetNameType
 Current hotkey: @<SetNameType>

Dummy names are automatically generated by IDA. They are used to denote
subroutines, program locations and data.

Dummy names have various prefixes depending on the item type and value:

  sub_          instruction, subroutine start
  locret_       'return' instruction
  loc_          instruction
  off_          data, contains offset value
  seg_          data, contains segment address value
  asc_          data, string literal
  byte_         data, byte
  word_         data, 16-bit
  dword_        data, 32-bit
  qword_        data, 64-bit
  byte3_        data, 3 bytes
  xmmword_      data, 128-bit
  ymmword_      data, 256-bit
  packreal_     data, packed real
  flt_          floating point data, 32-bit
  dbl_          floating point data, 64-bit
  tbyte_        floating point data, 80-bit
  stru_         structure
  custdata_     custom data type
  algn_         alignment directive
  unk_          unexplored byte

You can change representation of dummy names.
IDA supports several types of dummy names:

  0     loc_0_1234     segment base address relative to program base address
                       & offset from the segment base
  1     loc_1000_1234  segment base address & offset from the segment base
  2     loc_dseg_1234  segment name & offset from the segment base
  3     loc_0_11234    segment relative to base address & full address
  4     loc_1000_11234 segment base address & full address
  5     loc_dseg_11234 segment name & full address
  6     loc_12         full address
  7     loc_0012       full address (at least 4 digits)
  8     loc_00000012   full address (at least 8 digits)
  9     dseg_1234      the same as 2, but without data type specifier
 10     loc_1          enumerated names (loc_1,loc_2,loc_3...)

If you have selected names type 10 (enumerated names), you may
renumber them using a checkbox. The process is relatively fast, surprisingly.

The best representation for MS DOS programs is #0,
for 16-bit processors - #7, and for 32-bit processors - #8.
You can change dummy names type any time you want.

You can also set up types of names included in the @0:545[name list].
IDA knows about the following types of names:

        - normal names
        - public names
        - weak public or extern names
        - autogenerated (meaningful) names.
        - dummy (meaningless) names.

Dummy names may be public or weak, but they never appear in the list of names.
You can specify the type of a name when you create or @0:457[modify] it.

You can also set maximal length of new names. Old names will not be
affected by this parameter.

See also:

  @0:457[Rename] command
  @0:604[Options] submenux get_next_index▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get index of the next existing array element
     tag     - tag of array (AR_LONG or AR_STR)
     id      - array id
     idx     - index of the current element
returns: -1 - no more array elements
         otherwise returns index of the next array element

long get_next_index(long tag, long id, long idx);
WRAP
Demangled Names ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀


 Action    name: SetDemangledNames
 Current hotkey: @<SetDemangledNames>

IDA can demangle mangled C++ names of the most popular C++ compilers:

        - Microsoft
        - Borland
        - Watcom
        - Visual Age
        - GNU

The demangled names are represented in two
forms: short and long form. The short form is used when a name is used as a
reference, the long form is used at the declaration.

You can set how demangled C++ names must be represented:

        - as comments. this representation allows you to obtain
          recompilable source text
        - instead of mangled names. this representation makes the output
          more readable. the disadvantage is that you cannot recompile the
          output
        - don't display demangled names.

You can setup short and long forms of demangled names. Short form is used
when a reference to the name is made; long form is used at the declaration.

To make demangled names more readable, we introduce the possibility to
suppress pointer modifiers (near/far/huge).

To demangle GNU C v3.x names, the "Assume GCC v3.x names" checkbox should be set,
otherwise such names might not be demangled.
furthermore, to make the demangled name more compact, unsigned types may be displayed
as uchar, uint, ushort, ulong. The same with signed basic types.

If the "Override type info" checkbox is set, the demangled name overrides the
type information if both are present.


See also @0:612[How to customize demangled names]x
WRAP
Customize Demangled Names ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

All your changes will be saved in the current database. If you want to change the
form of demangled names for all new databases, then you need to edit
the @0:419[configuration] file,
variables 'ShortNameForm' and 'LongNameForm'.
Below is the list of all checkboxes with examples (spaces are inserted only
for the ease of understanding):

Only main name

        on:     func;
        off:    static void __pascal func(void) const;

No underscores in calling conventions

        on:     void   pascal func(void);
        off:    void __pascal func(void);

No calling conventions for parameters and __based()

        on:  void         func(int (*          f2)(void));
        off: void __cdecl func(int (* __pascal f2)(void));

No return type of functions

        on:         func(void);
        off:    int func(void);

No "based()" specifier

        on:   int                            a;
        off:  int __based(__segname("DATA")) a;
        on:   void __based(void) *b;
        off:  void               *b;
        on:   int __based(__self) (*p)(void);
        off:  int                 (*p)(void);

No calling conventions

        on:     void          func(void);
        off:    void __pascal func(void);

No postfix const

        on:     void aclass::func(void);
        off:    void aclass::func(void) const;

No access keywords

        on:             void func(void);
        off:    private void func(void);

No throw descriptions

        on:     void func(void);
        off:    void func(void) throw(Class::Member);

No static and virtual keywords

        on:                    void aclass::func(void);
        off:    static virtual void aclass::func(void);

No UDT keywords

        on:            A & func(      A *,      B *);
        off:     class A & func(class A *, enum B *);

No const and volatile keywords

        on:     char       * func(void);
        off:    char const * func(void);

No __closure keyword

        Do not display '__closure'

No __unaligned keyword

        Do not display '__unaligned'

No __pin/__box/__gc

        Do not display '__pin', '__box', '_gc'

Suppress pointer modifiers

     Selection    16Names     Description
     ---------    -------     -----------
     near           Yes     Do not display 'near'
     near/__ptr64           Do not display 'near' and '__ptr64'
     far            Yes     Do not display 'far'
     all, 16bit     Yes     Do not display any modifiers
     huge           Yes     Do not display 'huge'
     __ptr64                Do not display '__ptr64'
     Display all    Yes     Display all modifiers
     Display none   Auto    Do not display any modifiers

     16bit means that the demangler will assume that
     names were generated by 16bit compilers. Otherwise,
     it will assume names generated by 32/64 bit compilers.

Quash j_

        This option allows IDA to demangle a name even if it was formed
        by adding j_ prefix to a mangled name. The prefix j_ will simply
        be thrown away.

Transfer j_

        This option also allows IDA to demangle names with prefix j_.
        Unlike the previous option, this one will show the prefix
        in the demangled name.

Ignore postfix _nn

        This option allows IDA to demangle names formed by adding
        postfix _nn to a mangled name (n is any digit).
MWRAP
String literal style dialog ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetStrlitStyle
 Current hotkey: @<SetStrlitStyle>

With this dialog you can setup string styles and also create a new
string immediately at the current location.

The following string styles are defined:

      C-style (zero-terminated)
      DOS style ($ terminated)
      Pascal style (one byte length prefix)
      Wide pascal (two-byte length prefix)
      Delphi (four-byte length prefix)
      Unicode (UTF-16)
      Unicode pascal style (two-byte length prefix)
      Unicode wide pascal style (four-byte length prefix)
      Character terminated

If you select "character terminated" string style then you may
specify up to 2 termination characters. The string will be terminated
by any of these characters. If the second character
is equal to 0, then it is ignored.

In IDA Qt you can also set a specific encoding to be used to display the string,
or change the defaults for all strings. See @0:1433[string encodings].

See also @0:604[Options] submenu.^WRAP
String options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This dialog sets up the string literals options:

Generate names

        If this option is set, IDA will give meaningful names to
        newly created string literals.

Names prefix

        This prefix will be used to form the string name.

Mark as autogenerated

        If a name is marked as @0:609[autogenerated], it will be
        displayed in a different color and will be included in the
        @0:545[list] of names depending on the current setting.

Generate serial names

        IDA can generate serial names for string literals, i.e.

                pref_001,pref_002,pref_003 etc...

        To enable serial names generation, specify
        prefix for names,starting serial number and number of leading zeroes.

        Each time you @0:454[create] a string literal, IDA generates
        a new serial name and assigns it to the string.

String literal next line char

        This symbol, when encountered in the string, will make
        IDA start a new line in the string representation in the
        disassembly. Usually it is the line feed character ('\n').

Comment string literal references:

        This option tells IDA to display the contents of the string
        literal next to the instruction or offset that refers to the string.

See also @0:604[Options] submenu.¯WRAP
Color configuration ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This dialog allows you to customize the color settings.

 GUI version:
 ------------

IDA keeps the color configuration in the registry. There are 3 predefined
schemes. The user can modify the existing schemes or add his own schemes.
New schemes should be added to the "themes" subdirectory in IDA.

 Text version:
 -------------

IDA keeps colors in file IDACOLOR.CF. This file may reside in the IDA
directory or in the current directory. It is a binary file.
IDA automatically saves all your changes into this file.

If the current item line prefix has "black on black" color, then
the current item will not be highlighted. The same is with current line
color - if it is "black on black", the current line will not be highlighted.

You can change the colors using the Customize button.
You may have up to 4 different color palettes and switch between them
on fly. The color palette is saved in IDACOLOR.CF file.

Each line prefix has its own color code depending on the current item:
(the fourth color palette values are shown)

 Line prefixes
   Library function             BRIGHT CYAN ON BLUE
   Regular function             WHITE ON BLUE
   Instruction                  BROWN ON BLUE
   Data                         WHITE ON BLUE
   Unexplored                   WHITE ON BLACK
   Externs                      BRIGHT MAGENTA ON BLUE
   Current item                 BRIGHT BLUE ON BLUE
   Current line                 YELLOW ON BLUE
   Default                      BLACK ON BLACK (not used)

If the "current item" or "current line" are BLACK ON BLACK, then
they will not be highlighted.

The rest of the line is colored with the following codes:

 Keywords
   Instruction                  WHITE ON BLUE
   Directive                    YELLOW ON BLUE
   Macro name                   MAGENTA ON BLUE
   Register name                WHITE ON BLUE
   Other                        WHITE ON BLUE

 Names
   Dummy data                   WHITE ON BLUE
   Dummy code                   WHITE ON BLUE
   Dummy unexplored             MAGENTA ON BLUE
   Hidden                       GREY ON BLUE
   Library function             BRIGHT CYAN ON BLUE
   Local variable               GREEN ON BLUE
   Regular data                 YELLOW ON BLUE
   Regular code                 YELLOW ON BLUE
   Regular unexplored           RED ON BLUE
   Demangled                    BRIGHT GREEN ON BRIGHT BLUE
   Segment name                 YELLOW ON BLUE
   Imported name                LIGHT MAGENTA ON BLUE

 Constants
   Suspicious                   BRIGHT RED ON BLUE
   Char in instruction          BRIGHT CYAN ON BLUE
   String in instruction        BRIGHT CYAN ON BLUE
   Number in instruction        BRIGHT GREEN ON BLUE
   Char in data                 BRIGHT GREEN ON BLUE
   String in data               BRIGHT GREEN ON BLUE
   Number in data               WHITE ON BLUE

 Xrefs
   Code                         GREEN ON BLUE
   Data                         CYAN ON BLUE
   Code to tail                 BRIGHT RED ON BLUE
   Data to tail                 MAGENTA ON BLUE

 Comments
   Automatic                    BROWN ON BLUE
   Regular                      BRIGHT WHITE ON BLUE
   Repeatable                   BROWN ON BLUE
   Extra line                   YELLOW ON BLUE

 Other
   Punctuation                  WHITE ON BLUE
   Opcode bytes                 BRIGHT GREEN ON BLUE
   Manual operand               BRIGHT WHITE ON BLUE
   Errors                       RED ON BLACK
   Selected                     BLACK ON WHITE
   Default                      YELLOW ON BLUE

(Other,Default) color code is used if a token has no color attached to it.

See also @0:604[Options] submenu.uWRAP
Dump/normal View ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ToggleDump
 Current hotkey: @<ToggleDump>

This command switches the current disassembly window mode between
dump mode and normal mode.
Initially all disassembly windows are in normal mode
so you can see instructions and data.
When you are in dump mode, no instructions or data are displayed.
All bytes of the program will be dumped
on the screen as plain bytes and in ASCII.
This command may be useful when you want to find something in the program visually.
Do not forget that many commands continue to work in dump mode.
For example, you can use binary @0:579[search] command.

The text version supports only paragraph aligned addressing in the view.
Switching to the hex dump view and back may change the cursor position in the disassembly listing.

See also @0:604[Options] submenu.WRAP
Setup data types ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetupData
 Current hotkey: @<SetupData>

This command allows you to select the data types used in the round-robin
carousel in @0:453[MakeData] command.

Valid data types are:

        - byte
        - word          (2 bytes)
        - double word   (4 bytes)
        - float         (4 bytes)
        - quadro word   (8 bytes)
        - double        (8 bytes)
        - long double   (10 or 12 bytes)
        - packed real   (10 or 12 bytes)
        - octa word     (16 bytes)

Naturally, not all data types are usable for all processors. For example,
Intel 8051 processor doesn't have the 'double word' type.

Furthermore, this command allows you to select a data type for the current undefined
item and convert it to data.

Please note that if the current processor does not support a data
type, you cannot assign it even if you have selected it.
If you unselect all data types, IDA will use the 'byte' type.

See also @0:604[Options] submenu.©"WRAP
Processor Type ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetProcessor
 Current hotkey: @<SetProcessor>


Valid processor types are:

  type      description
  ----      -----------

  8086    - Intel 8086                   ┐
  80286r  - Intel 80286 real mode        │
  80286p  - Intel 80286 protected mode   │
  80386r  - Intel 80386 real mode        │
  80386p  - Intel 80386 protected mode   │
  80486r  - Intel 80486 real mode        │
  80486p  - Intel 80486 protected mode   │
  80586r  - Intel Pentium & MMX real mode│ (IBM PC family)
  80586p  - Intel Pentium & MMX prot mode│
  80686p  - Intel Pentium Pro & MMX      │
  k62     - AMD K6-2 with 3DNow!         │
  p2      - Intel Pentium II             │
  p3      - Intel Pentium III            │
  athlon  - AMD K7                       │
  p4      - Intel Pentium 4              │
  metapc  - Disassemble all IBMPC opcodes┘
  8085    - Intel 8085                   ┐
  z80     - Zilog 80                     │
  z180    - Zilog 180                    │ (Zilog 80 family)
  z380    - Zilog 380                    │
  64180   - Hitachi HD64180              │
  gb      - Gameboy                      ┘
  z8      - Zilog 8                        (Zilog 8 family)
  860xr   - Intel 860 XR                 ┐ (Intel 860 family)
  860xp   - Intel 860 XP                 ┘
  8051    - Intel 8051                     (Intel 51 family)
  80196   - Intel 80196                  ┐ (Intel 80196 family)
  80196NP - Intel 80196NP, NU            ┘
  m6502   - MOS 6502                     ┐ (MOS Technology 65xx family)
  m65c02  - MOS 65c02                    ┘
  pdp11   - DEC PDP/11                     (PDP family)
  68000   - Motorola MC68000             ┐
  68010   - Motorola MC68010             │
  68020   - Motorola MC68020             │
  68030   - Motorola MC68030             │
  68040   - Motorola MC68040             │ (Motorola 680x0 family)
  68330   - Motorola CPU32 (68330)       │
  68882   - Motorola MC68020 with MC68882│
  68851   - Motorola MC68020 with MC68851│
  68020EX - Motorola MC68020 with both   │
  colfire - Motorola ColdFire            │
  68K     - Motorola MC680x0 all opcodes ┘
  6800    - Motorola MC68HC00            ┐
  6801    - Motorola MC68HC01            │
  6803    - Motorola MC68HC03            │
  6301    - Hitachi HD 6301              │
  6303    - Hitachi HD 6303              │
  6805    - Motorola MC68HC05            │ (Motorola 8bit family)
  6808    - Motorola MC68HC08            │
  6809    - Motorola MC68HC09            │
  6811    - Motorola MC68HC11            ┘
  6812    - Motorola MC68HC12
  hcs12   - Motorola MC68HCS12
  6816    - Motorola MC68HC16
  java    - java                           (Java family)
  ppc     - PowerPC big endian           ┐
  ppcl    - PowerPC little endian        ┘ (PowerPC family)
  arm     - ARM little endian            ┐ (@0:1350[ARM] family)
  armb    - ARM big endian               ┘
  tms320c2- TMS320C2x series             ┐ (TMS 16bit addressing family)
  tms320c5- TMS320C5x series             ┘
  tms320c6- TMS320C6x series             ┐ (TMS VLIW family)
  tms320c3- TMS320C3x series             ┘
  tms32054- TMS320C54xx series
  tms32055- TMS320C55xx series
  sh3     - Renesas SH-3 (little endian) ┐
  sh3b    - Renesas SH-3 (big endian)    │ (Renesas SuperH series)
  sh4     - Renesas SH-4 (little endian) │
  sh4b    - Renesas SH-4 (big endian)    │
  sh2a    - Renesas SH-2A (big endian)   ┘
  avr     - ATMEL AVR                      (ATMEL family)
  mipsl   - MIPS little endian           ┐ (MIPS family:R2000, R3000, R4000,
  mipsb   - MIPS big endian              │ R4200, R4300,  R4400, R4600,
  mipsrl  - MIPS & RSP little            │ R8000, R10000)
  mipsr   - MIPS & RSP big               │
  r5900l  - MIPS R5900 little            ┘
  r5900r  - MIPS R5900 big               ┘
  h8300   - H8/300x in normal mode       ┐
  h8300a  - H8/300x in advanced mode     │ (Hitachi H8 family)
  h8s300  - H8S in normal mode           │
  h8s300a - H8S in advanced mode         ┘
  h8500   - H8/500                         (Hitachi H8/500 family)
  pic12cxx- Microchip PIC 12-bit (12xxx) ┐
  pic16cxx- Microchip PIC 14-bit (16xxx) │ (PIC family)
  pic18cxx- Microchip PIC 16-bit (18xxx) ┘
  sparcb  - SPARC big endian             ┐
  sparcl  - SPARC little endian          ┘ (SPARC family)
  alphab  - DEC Alpha big endian         ┐
  alphal  - DEC Alpha little endian      ┘ (ALPHA family)
  hppa    - HP PA-RISC big endian          (HP PA-RISC family)
  dsp56k  - Motorola DSP 5600x           ┐
  dsp561xx- Motorola DSP 561xx           │ (DSP 56K family)
  dsp563xx- Motorola DSP 563xx           │
  dsp566xx- Motorola DSP 566xx           ┘
  c166    - Siemens C166                 ┐
  c166v1  - Siemens C166 v1 family       │
  c166v2  - Siemens C166 v2 family       │ (C166 family)
  st10    - SGS-Thomson ST10             │
  super10 - Super10                      ┘
  st20    - SGS-Thomson ST20/C1            (ST20 family)
  st20c4  - SGS-Thomson ST20/C2-C4
  st7     - SGS-Thomson ST7                (ST7 family)
  ia64l   - Intel Itanium little endian  ┐
  ia64b   - Intel Itanium big endian     ┘ (IA64 family)
  cli     - Microsoft.Net platform
  net     - Microsoft.Net platform (alias)
  i960l   - Intel 960 little endian      ┐
  i960b   - Intel 960 big endian         ┘ (i960 family)
  f2mc16l - Fujitsu F2MC-16L             ┐
  f2mc16lx- Fujitsu F2MC-16LX            ┘ (Fujitsu F2MC family)
  78k0    - NEC 78k/0
  78k0s   - NEC 78k/0s
  m740    - Mitsubishi 8-bit
  m7700   - Mitsubishi 16-bit            ┐
  m7750   - Mitsubishi 16-bit            ┘ (Mitsubishi 16-bit family)
  m32r    - Mitsubishi 32-bit            ┐
  m32rx   - Mitsubishi 32-bit extended   ┘ (Mitsubishi 32-bit family)
  st9     - STMicroelectronics ST9+
  fr      - Fujitsu FR family
  m7900   - Mitsubishi M7900
  kr1878  - Angstrem KR1878
  ad218x  - Analog Devices ADSP
  oakdsp  - Atmel OAK DSP
  tricore - Infineon Tricore
  ebc     - EFI Bytecode
  msp430  - Texas Instruments MSP430

You can change processor type only within the current family. If you have
selected IBM PC family, you cannot select Zilog 80 family
and vice versa.

Processor modules can accept additional options that can be passed on the commandline with the -p switch.
Currently only the @0:1350[ARM] module supports it. For example, -parm:ARMv7-A will turn on options specific for the
ARMv7-A architecture, such as NEON instruction set.

For information about additional processor modules, please visit
our web page at https://www.hex-rays.com/products/ida/processors.shtml

Please note that when you change the processor type, IDA may change the
@0:619[target assembler], so check it out.

You may get a message saying that IDA does not know the specified
processor if IDA fails to load the corresponding processor module.

        Windows IDA uses .dll file extension
        Linux IDA uses .so file extension
        Mac IDA uses .dylib file extension

NOTE: modules compiled with support for 64-bit address space, will
feature a '64' suffix before the extension. E.g., 'pc64.dll'

NOTE: Changing the processor type leads to reanalysis of the whole program.
Sometimes this is useful.

NOTE: when you load a new processor module, all @0:416[analysis]
options are reset to the values specified in
the @0:419[configuration] file.

IDA determines the default processor using the input file extension and the
contents of the input file.
The table which describes the input file extensions and the corresponding
processor types is located in @0:419[IDA.CFG] file and looks like this:

 DEFAULT_PROCESSOR = {
 /* Extension   Processor */
  "com" :       "8086"                  // IDA will try the specified
  "exe" :       "80386r"                // extensions if no extension is
  "dll" :       "80386r"                // given.
  "drv" :       "80386r"
  "o"   :       "68000"
  "prc" :       "68000"                 // PalmPilot programs
  "axf" :       "arm"
  "h68" :       "68000"                 // MC68000 for *.H68 files
  "i51" :       "8051"                  // i8051   for *.I51 files
  "sav" :       "pdp11"                 // PDP-11  for *.SAV files
  "rom" :       "z80"                   // Z80     for *.ROM files
  "cla" :       "java"                  // Java classes
  "class":      "java"                  // Java classes
  "s19":        "6811"
  "*":          "80386p"                // Default processor
}

If you want to change the default processor type, you need to change this table.
You may add/delete rows in this table.

See also:
  @0:604[Options] submenu.
  @0:1350[ARM] processor specifics.
$WRAP
Specify Target Assembler ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetAssembler
 Current hotkey: @<SetAssembler>

This command allows you to change the target assembler, i.e. the assembler
for which the output is generated. You select the target assembler from
a menu. The menu items depend on the current @0:618[processor type].

NOTE: Currently, IDA supports only a generic assembler
for 80x86 processors. We recommend the use of Borland's TASM to compile the
output assembler files.NWRAP
Analysis options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetAuto
 Current hotkey: @<SetAuto>

This command allows you to disable and enable the autoanalysis
and its indicator.

Usually, the auto analysis is enabled.
Disable it if you are sure that it will help you.

Here you can change various kernel analysis @0:621[options 1]
and @0:622[options 2] and @0:1688[options 3],
change the processor type (if the processor module supports several types), or
the assembler style.
If the current @0:618[processor] has options, there will also be a button
to change processor-specific options.
If the current @0:618[processor] supports memory mapping, there will
also be a button to change the memory mapping ranges.

The analysis indicator is located in the bottom left corner of the main IDA window (upper right corner in text version).
Possible values of the indicator:

 "          " empty indicator means that the indicator is turned off.
 AU:  idle    Autoanalysis is finished.
 AU:disabled  Autoanalysis is disabled.
 FL:<address> execution flow is being traced
 PR:<address> a function is being created
 TL:<address> a function tail is being created
 SP:<address> the stack pointer is being traced
 AC:<address> the address is being analyzed
 LL:<number>  a signature file is being loaded
 L1:<address> the first pass of FLIRT
 L2:<address> the second pass of FLIRT
 L3:<address> the third pass of FLIRT
 TP:<address> type information is being applied
 FI:<address> the final pass of autoanalysis
 WF:<address> weak execution flow is being traced
 ??:<address> the address becomes unexplored
  @:<number>  indication of various activity

Hint: you can right-click the analysis indicator to quickly disable or enable it, or to reanalyze the program.

See also @0:604[Options] submenu.
         @0:416[auto analysis explanation].
ÚWRAP
Kernel analysis options 1▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Trace execution flow

  This option allows IDA to trace execution flow and convert all
  references bytes to @0:452[instructions].

Mark typical code sequences as code

  IDA knows some typical code sequences for each processor.
  For example, it knows about typical sequence

          push    bp
          mov     bp, sp

  If this option is enabled, IDA will search for all typical sequences
  and convert them to instructions even if there are no references
  to them. The search is performed at the loading time.

Locate and create jump tables

  This option allows IDA to try to guess the address and size of jump
  tables. Please note that disabling this option will not disable
  the recognition of C-style typical switch constructs.

Control flow to data segment is ignored

  If set, IDA will not analyze code reference targets in
  pure data segments. Usually pure data segments have some
  instructions (e.g. thunk functions), that's why this option
  is set off by default. For Mach-O files, it is set on
  because pure data segment do not contain instructions in them.

Analyze and create all xrefs

  If this option is disabled, IDA will not thoroughly analyze the program: it
  will simply trace execution flow, nothing more (no xrefs, no additional
  checks, etc)

Delete instructions with no xrefs

  This option allows IDA to undefine instructions without any xrefs to them.
  For example, if you @0:456[undefine] an instruction at the start of a
  function, IDA will trace execution flow and delete all instructions
  that lose references to them.

Create function if data xref data->code32 exists

  If IDA encounters a data reference from DATA segment to 32bit
  CODE segment, it will check for the presence of meaningful
  (disassemblable) instruction at the target. If there is an
  instruction, it will mark it as an instruction and will create
  a function there.

Create functions if call is present

  This option allows IDA to create @0:484[function] (proc) if a call
  instruction is present. For example, the presence of:

          call loc_1234

  leads to creation of a function at label loc_1234

Create function tails

  This option allows IDA to find and append separately located
  function tails to function definitions.

Create stack variables

  This option allows IDA to automatically create stack variables and
  function parameters.

Propagate stack argument information

  This option propagates the stack argument information
  (the type and the name) to the caller's stack. If the caller is
  called, then the information will be propagated further through
  the whole program. Currently, the type propagation is really
  simple and non-intelligent: the first encountered type for
  a stack variable will be used.

Propagate register argument information

  This option propagates the register argument information
  (the type and the name) to the caller. If the caller is
  also called, then the information will be propagated further through
  the whole program.

Trace stack pointer

  This option allows IDA to @0:489[trace] the value of the SP register.

Perform full stack pointer analysis

  This option allows IDA to perform the stack pointer
  analysis using the simplex method. This option is valid
  only for the IBM PC processor.

Perform 'no-return' analysis

  This option allows IDA to perform the control flow
  analysis and determine functions which do not return to
  their callers. The 'exit()' function, for example, does not
  return to its caller.

Try to guess member function types

  If set, IDA will guess member function types using the demangled
  names. Please note that this rule may occasionally produce wrong
  results, for example, for static member functions. IDA has no
  means of distinguishing them from non-static member functions.
  If clear, IDA will guess only types of non-member functions.

See also @0:622[analysis options 2] @0:1688[analysis options 3]
{WRAP
Kernel analysis options 2▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Truncate functions upon code deletion

  Truncate functions when the code at the function end gets deleted.
  If this option is turned off, IDA does not modify function
  definitions when code is deleted.

Create string literals if data xref exists

  If IDA encounters a data reference to an undefined item, it checks for the
  presence of the string literal at the target. If the length of the candidate
  string literal is big enough (more than 4 chars in 16bit or data
  segments; more than 16 chars otherwise), IDA will automatically create
  a @0:454[string literal].

Check for unicode strings

  This option allows IDA to check for the presence of the unicode
  strings in the program and creates them if necessary.
  IDA will check for the unicode strings only if the @0:613[string style]
  is set to "C-style (0 terminated)" or "Unicode".

Create offsets and segments using fixup info

  IDA will use relocation information to make the disassembly
  nicer. More precisely, it will convert all data items with
  relocation information to words or dwords like this:

          dd offset label
          dw seg seg000

  If an instruction has a relocation information attached to it,
  IDA will convert its immediate operand to an offset or segment:

          mov     eax, offset label

  You can display the relocation information attached to the current
  item by using show @0:598[internal] flags command.

Create offset if data xref to seg32 exists

  If IDA encounters a data reference to 32bit segment and the target
  contains 32bit value which can be represented as an offset expression,
  IDA will convert it to an offset.

Convert 32bit instruction operand to offset

  This option works only in 32bit and 64bit segments.
  If an instruction has an immediate operand and the operand
  can be represented as a meaningful offset expression, IDA will
  convert it to an offset. However, the value of immediate operand
  must be higher than 0x10000.

Automatically convert data to offsets

  This option allows IDA to convert all newly created data items
  to offsets if the following conditions are satisfied:
    - the offset target is a valid address in the program
    - the target address is higher than 0x20
    - the target does not point into the middle of an item
    - if the target is code, the execution does not flow to it
      from the previous instruction
    - the data is dword (4 bytes) in a 32-bit segment
      or qword(8 bytes) in a 64-bit segment
    - the segment type is not special (extern, communal, abs...)

Use flirt signatures

  Allows usage of FLIRT technology

Comment anonymous library functions

  This option appends a comment to anonymous library functions.
  The comment consists of the description of the FLIRT signature
  which has recognized the function and marked it as coming
  from a library.

Multiple copy library function recognition

  This option allows FLIRT to recognize several copies of the same
  function in the program.

Automatically hide libary functions

  This option hides the functions recognized by FLIRT.
  It will have effect only from the time it is set.

Rename jump functions as j_...

  This option allows IDA to rename simple functions containing only

          jmp somewhere

  instruction to "j_somewhere".

Rename empty functions as nullsub_...

  This option allows IDA to rename empty functions containing only
  a "return" instruction as "nullsub_..."
  (... is replaced by a serial number: 0,1,2,3...)

Coagulate data at the final pass

  This option is meaningful only if "Make final analysis pass"
  is enabled. It allows IDA to convert @0:456[unexplored] bytes
  to data arrays in the non-code segments.

Coagulate code at the final pass

  This option is meaningful only if "Make final analysis pass"
  is enabled. It allows IDA to convert @0:456[unexplored] bytes
  to data arrays in the code segments.

Make final analysis pass

  This option allows IDA to coagulate all @0:456[unexplored] bytes
  by converting them to data or instructions.

See also @0:621[analysis options 1] @0:1688[analysis options 3]
WRAP
Set Direction for Searches ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetDirection
 Current hotkey: @<SetDirection>

The current direction for searches is displayed in the right
upper corner of the screen. Using this command, you can toggle
the display.

See also

         @0:568[Search] submenu,
         @0:604[Options] submenu.
>WRAP
Windows submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to manipulate windows on the screen.
You can also:

    @0:625[Set video mode...] (text version)
    @0:626[Invoke external help]
    @0:627[Consult keyboard layout] (text version)

See also @0:428[Menu Bar] submenus.5WRAP
Set Video Mode ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetVideoMode
 Current hotkey: @<SetVideoMode>

This command changes the current video mode.
The list of allowed video modes is kept in the
IDATUI.CFG file, the SCREEN_MODES parameter.

Please note that there are two instances in this variable:
one for MS-DOS and another for Windows.

If you use the MS DOS version, you need to specify the screen mode numbers
valid for you video card in SCREEN_MODES. Otherwise, this command will not
work.

See also @0:624[Windows] submenu.¡WRAP
Invoke external help ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ExternalHelp
 Current hotkey: @<ExternalHelp>

This command invokes an external help.

In the MS Windows version of IDA, it starts WinHelp with the parameter
taken from the cursor location.

The HELPFILE parameter in IDATUI.CFG/IDAGUI.CFG points to the help file name.

See also @0:624[Windows] submenu. WRAP
Keyboard layout ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: KeyboardHelp
 Current hotkey: @<KeyboardHelp>

This command displays the current keyboard layout.

You can change the layout in the configuration file

        IDATUI.CFG (for the text version)
        IDAGUI.CFG (for the GUI version)

This command is available in the text version only.

See also @0:624[Windows] submenu.WRAP
Moving The Segment Start ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

When you edit the segment boundaries, you can check the "move the adjacent segments"
checkbox.

IDA will try to shrink/expand the previous
segment in order to move the beginning of the selected segment.
Of course, you cannot move the start of the segment 'too far':

  - the segment must have at least 1 byte
  - the start address of the segment must be less than the end of the segment
  - no segments can be killed during moving
  - the segment cannot have bytes with negative offsets

You cannot shrink a segment to zero bytes. A segment must have
at least one byte.

This command is mostly used when IDA does not detect the boundary
between segments correctly.

Sometimes, IDA creates 2 segments where only
one segment must exist. In this case, you should not use this command.
Use the following sequence instead:

        - @0:513[delete] one segment.
          Choose the one with the bad segment base value.
          Do not disable addresses occupied by the segment being deleted.
        - change boundaries of the other segment.

Caution: moving the first segment of the program will
delete all information about the bytes between the old start of the segment
and the new start of the segment!

See also another command that changes segment bounds:

 @0:514[Edit Segment]
 @0:506[Edit|Segments] submenu. WRAP
Deleting a Segment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

If you want to delete the segment, please mark 'CONFIRM DELETION' checkbox

Disable addresses checkbox ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

        CAUTION: ALL INFORMATION ABOUT THE SEGMENT WILL BE LOST!

If you disable the addresses occupied by the segment, all information
about these addresses will be lost. You will not see them on the screen anymore.

Otherwise, the segment will be deleted, but its data will remain unchanged.
You can create another segment(s) for these addresses using
@0:507[Create a New Segment] command.
¦WRAP
Auto analysis is not completed ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

As long as auto analysis is not completed, the IDA database is not consistent:

  - not all @0:607[cross-references] are found
  - not all @0:452[instructions] are disassembled
  - not all @0:453[data] items are explored

See also:
  @0:416[auto analysis]
  @0:620[setup auto analysis]$WRAP
Silent mode of IDA ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

In this mode, IDA will not display dialog boxes on the screen.
Instead, it will assume the default answer and proceed.
For example, if you press @<Quit>, IDA will promptly exit to OS
without asking for any confirmation.

To return to normal mode you will need to execute an IDC function:

        @0:287[batch](0);

i.e. disable batch "silent" mode. To execute a script command, select
@0:437[File|Script command...] menu item or press @<ExecuteLine> hotkey.
WRAP
Rename a structure/member ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA maintains separate namespaces for each structure. For example, you can define
something like this:

 xxx    struc
 xxx    db ?
 xxx    struc

Beware, usually
assemblers have one common namespace and do not allow the mentioned above example.

An empty name cannot be specified.

This command is available when you open a structure @0:593[window].

If the cursor is on the structure name at the beginning of the structure definition,
IDA proposes to rename the structure. Otherwise, IDA proposes to rename a structure
field.

If a structure is being renamed, the option "Don't include in the list" means
that the structure will not be included
in the list of the structures which appears when the user applies the structure
definition (for example, when the user creates a variable of this structure type).
We recommend to mark this checkbox when you have defined all variables of
this structure type and want to reduce the number of choices in the list.

See also @0:490[Edit|Structs] submenu.
         @0:424[How to Enter an Identifier]
WRAP
Delete a structure member ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Please remember that deleting a member deletes also all information
about this member, including comments, member name etc.

See also @0:490[Edit|Structs] submenu.
¨WRAP
Unpacked database is dangerous▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

First of all, you may lose all information because you will not have a backup
copy of the database. IDA makes modifications to the unpacked database
and if some unexpected condition occurs, the unpacked database
is usually damaged. IDA is able to repair this database, but some information
could be irreversibly lost, leading to disastrous consequences.

The only advantage of the unpacked database is that it is loaded very fast.
the same way, exiting IDA is fast too.

If packing is disabled, the @0:449[abort] command will not be available
the next time the database is loaded.

We strongly discourage using unpacked databases.

To disable this prompt in the future, simply modify ASK_EXIT_UNPACKED parameter in IDATUI.CFG or IDAGUI.CFG file.

Please note that when the "File -> Save as" is used with an unpacked database, IDA
will continue to use the unpacked database and not the newly created database (the saved as one).
In this case, please close and re-open the newly created database to ensure that IDA will use it
instead of the original database.
DWRAP
Database Is Empty ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Although the database exists, it is empty.
Please delete it and start over.

If you have previously saved your database into a text file,
you can load it. See @0:444[Dump database] command for explanations.

See also @0:417[IDA usage help]9WRAP
Illegal Usage of the Switch ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Not all switches can be used when you
start IDA for the second or more time.
Below are valid switches:

 -a     disable @0:416[auto analysis]
 -d     debug

See also @0:417[IDA usage help]&WRAP
Cannot find input File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA has tried to find a file with the extensions mentioned
in the @0:419[IDA.CFG] file, but could not find anything.

The default extension table looks like this:

 Extension    Processor

  "com" :       ""
  "exe" :       ""
  "dll" :       ""
  "drv" :       ""
  "sys" :       ""
  "bin" :       ""
  "ovl" :       ""
  "ovr" :       ""
  "ov?" :       ""
  "nlm" :       ""
  "lan" :       ""
  "dsk" :       ""
  "obj" :       ""
  "prc" :       "68000"
  "axf" :       "arm710a"
  "h68" :       "68000"
  "i51" :       "8051"
  "sav" :       "pdp11"
  "rom" :       "z80"
  "cla*":       "java"
  "s19":        "6811"
  "epoc":       "arm"
  "o":          ""

See also @0:417[IDA usage help]¹WRAP
Patched Bytes Are Skipped ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Some bytes in program memory have no corresponding byte in the executable
file. For example, uninitialized data is not kept in the file.
OS/2 Warp and Window support compressed pages.

In this case, IDA cannot create a full difference file. It shows the skipped
byte addresses along with their values in the message window.
¹WRAP
List of Functions ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

You can use @0:427[list viewer] commands in this window.
Here is the @0:586[format] of this window.
aWRAP
Patched bytes have relocation information ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

If a byte has relocation information attached to it, then
the value of this byte is changed when the file is loaded into
the memory by the system loader or linker.
Therefore, it doesn't make much sense (and sometimes it is simply illegal)
to modify the byte.

We recommend to return the original value of the byte(s).

You can see the relocation information attached to an item by using the
@0:598[show internal flags] command.
"WRAP
No Segment for the current byte ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Some commands cannot be applied to the addresses without a segment.

Create a segment first. You can do this using the
@0:507[CreateSegment] command. process_config_directive▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Parse one or more ida.cfg config directives
     line - directives to process, for example: PACK_DATABASE=2
If the directives are erroneous, a fatal error will be generated.
The changes are permanent: effective for the current session and the next ones

void process_config_directive(string directive);
Ü Hashes▄
 ▀▀▀▀▀▀▀

associative arrays (the same as hashes in Perl)
to create a hash, use @0:668[create_array]() function
you can use the following function with hashes:
     @0:669[get_array_id](), @0:670[rename_array](), @0:671[delete_array]()
The following additional functions are defined:

success set_hash_long(long id, string idx, long value);
success set_hash_string(long id, string idx, string value);
long    get_hash_long(long id, string idx);
string  get_hash_string(long id, string idx);
success del_hash_string(long id, string idx);
string  get_first_hash_key(long id);
string  get_next_hash_key(long id, string idx);
string  get_last_hash_key(long id);
string  get_prev_hash_key(long id, string idx);
ï add_sourcefile▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Mark a range of address as belonging to a source file
   An address range may belong only to one source file.
   A source file may be represented by several address ranges.
        ea1     - linear address of start of the address range
        ea2     - linear address of end of the address range
        filename- name of source file.
   returns: 1-ok, 0-failed.

success add_sourcefile(long ea1, ulong ea2, string filename);
 get_sourcefile▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get name of source file occupying the given address
     ea - linear address
returns: NULL - source file information is not found
         otherwise returns pointer to file name

string get_sourcefile(long ea);
* del_sourcefile▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Delete information about the source file
     ea - linear address belonging to the source file
returns: NULL - source file information is not found
         otherwise returns pointer to file name

success del_sourcefile(long ea);
õ set_source_linnum▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

set source line number
     ea      - linear address
     lnnum   - number of line in the source file
returns: nothing

void set_source_linnum(long ea, long lnnum);
Ø get_source_linnum▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get source line number
     ea      - linear address
returns: number of line in the source file or -1

long get_source_linnum(long ea);
Ï del_source_linnum▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

delete information about source line number
arguments: ea      - linear address
     nothing

void del_source_linnum(long ea);
Ý get_frame_regs_size▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get size of saved registers in function frame
     ea - any address belonging to the function
returns: Size of saved registers in bytes.
         If the function doesn't have a frame, return 0
         This value is used as offset for BP
         (if FUNC_FRAME is set)
         If the function doesn't exist, return -1

#define get_frame_regs_size(ea)  get_func_attr(ea, FUNCATTR_FRREGS)
` set_manual_insn▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Specify instruction representation manually.
     ea   - linear address
     insn - a string representation of the operand
IDA will not check the specified instruction, it will simply display
it instead of the original representation.

void set_manual_insn(long ea, string insn);
ê get_manual_insn▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get manual representation of instruction
     ea   - linear address
This function returns value set by set_manual_insn earlier.

string get_manual_insn(long ea);
 load_and_run_plugin▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Load and run a plugin
The plugin name is a short plugin name without an extension
returns: 0 if could not load the plugin, 1 if ok

success load_and_run_plugin(string name, long arg);
¸ Hidden ranges▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

// ----------------------------------------------------------------------------
//                           H I D D E N  A R E A S
// ----------------------------------------------------------------------------

// Hidden ranges - address ranges which can be replaced by their descriptions

// hide a range
//       start, end  - range boundaries
//       description - description to display if the range is collapsed
//       header      - header lines to display if the range is expanded
//       footer      - footer lines to display if the range is expanded
//       visible     - the range state
//       color       - RGB color code (-1 means default color)
//  returns: !=0 - ok

success add_hidden_range(long start, long end, string description, string header, string footer, long color);

// set hidden range state
//       ea      - any address belonging to the hidden range
//       visible - new state of the range
//  returns: !=0 - ok

success update_hidden_range(long ea, long visible);

// delete a hidden range
//       ea - any address belonging to the hidden range
//  returns: !=0 - ok

success del_hidden_range(long ea);
¾ rotate_left▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

rotate a value to the left (or right)
   arguments:
        x      - value to rotate
        count  - number of times to rotate. negative counter means
                 rotate to the right
        nbits  - number of bits to rotate
        offset - offset of the first bit to rotate
returns: the value with the specified field rotated
         all other bits are not modified
Thread-safe function.

long rotate_left(long value, long count, long nbits, long offset);

#define rotate_dword(x, count) rotate_left(x, count, 32, 0)
#define rotate_word(x, count)  rotate_left(x, count, 16, 0)
#define rotate_byte(x, count)  rotate_left(x, count,  8, 0)
+ create_tbyte▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Convert the current item to a tbyte (10 or 12 bytes)
     ea - linear address
returns: 1-ok, 0-failure
This is a convenience macro, see also @0:18[create_data]() function

#define create_tbyte(ea)    create_data(ea, FF_TBYTE, 10, BADADDR)
-Argument location has already been specified 
  <~D~LL directory:q:64:20::>
@0:618[]
Choose processor!Please press a key for macro...
Macro definition cancelled.
6@0:1133[]
You can't redefine the keys Alt-- and Alt-=!Defining macro for the key '%s'
.@0:1134[]
Already recording a macro for '%s'!ø del_enum_member▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

delete a member of enum - a symbolic constant
     enum_id - id of enum
     value   - value of symbolic constant.
     serial  - serial number of the constant in the enumeration.
               See @0:704[op_enum]() for for details.
     bmask   - bitmask of the constant
               ordinary enums accept only -1 as a bitmask
returns: 1-ok, 0-failed

success del_enum_member(long enum_id, long value, long serial, long bmask);
 set_enum_member_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

rename a member of enum - a symbolic constant
     const_id - id of const
     name     - new name of constant
returns: 1-ok, 0-failed

success set_enum_member_name(long const_id, string name);
z set_enum_member_cmt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

set a comment of a symbolic constant
     const_id - id of const
     cmt     - new comment for the constant
     repeatable - 0:set regular comment
                  1:set repeatable comment
returns: 1-ok, 0-failed

success set_enum_member_cmt(long const_id, string cmt, long repeatable);
[ create_array▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

create array
     name - name of array. There are no restrictions
            on the name (its length should be less than
            120 characters, though)
returns: -1 - can't create array (it already exists)
         otherwise returns id of the array

long create_array(string name);
á get_array_id▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

get array id by its name
     name - name of existing array.
returns: -1 - no such array
         otherwise returns id of the array

long get_array_id(string name);
t rename_array▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

rename array
     id      - array id returned by create_array() or get_array_id()
     newname - new name of array. There are no
               restrictions on the name (its length should
               be less than 120 characters, though)
returns: 1-ok, 0-failed

success rename_array(long id, string newname);
¯ delete_array▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

delete array
This function deletes all elements of the array.
     id      - array id

void delete_array(long id);
* set_array_long▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

set long value of array element.
     id      - array id
     idx     - index of an element
     value   - 32bit or 64bit value to store in the array
returns: 1-ok, 0-failed

success set_array_long(long id, long idx, long value);
+ set_array_string▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

set string value of array element
     id      - array id
     idx     - index of an element
     str     - string to store in array element
returns: 1-ok, 0-failed

success set_array_string(long id, long idx, string str);
D get_array_element▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get value of array element
     tag     - tag of array, specifies one of two
               array types AR_...
     id      - array id
     idx     - index of an element
returns: value of the specified array element.
         note that this function may return char or long
         result. Unexistent array elements give zero as
         a result.

string or long get_array_element(long tag, long id, long idx);

#define AR_LONG 'A'     // array of longs
#define AR_STR  'S'     // array of strings
$ del_array_element▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

delete an array element
     tag     - tag of array (AR_LONG or AR_STR)
     id      - array id
     idx     - index of an element
returns: 1-ok, 0-failed

success del_array_element(long tag, long id, long idx);
Í rename_entry▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

rename entry point
     ordinal - entry point number
     name    - new name
returns: !=0 - ok

success rename_entry(long ordinal, string name);
y split_sreg_range▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Set value of a segment register.
     ea - linear address
     reg - name of a register, like "cs", "ds", "es", etc.
     value - new value of the segment register.
     tag   - one of SR_... constants
IDA keeps tracks of all the points where segment registers change their
values. This function allows you to specify the correct value of a segment
register if IDA is not able to find the correct value.

success split_sreg_range(long ea, string reg, long value, long tag=SR_user);

#define SR_inherit      1               // the value is inherited from the previous range
#define SR_user         2               // the value is specified by the user
#define SR_auto         3               // the value is determined by IDA
#define SR_autostart    4               // used as SR_auto for segment starting address
§ auto_mark_range▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Plan to perform an action in the future.
This function will put your request to a special autoanalysis queue.
Later IDA will retrieve the request from the queue and process
it. There are several autoanalysis queue types. IDA will process all
queries from the first queue and then switch to the second queue, etc.

// plan/unplan range of addresses
void auto_mark_range(long start, long end, long queuetype);
void auto_unmark(long start, long end, long queuetype);

// plan to analyze an address
#define auto_mark(ea, qtype)      auto_mark_range(ea, (ea)+1, qtype)

#define AU_UNK  10      // make unknown
#define AU_CODE 20      // convert to instruction
#define AU_PROC 30      // make function
#define AU_USED 40      // reanalyze
#define AU_LIBF 60      // apply a flirt signature (the current signature!)
#define AU_FINAL 200    // coagulate unexplored items
Ô patch_dword▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Change value of a double word
     ea    - linear address
     value - new value of the double word
Returns: 1 if the database has been modified,
         0 if either the debugger is running and the process' memory
           has value 'value' at address 'ea',
           or the debugger is not running, and the IDB
           has value 'value' at address 'ea already.

success patch_dword(long ea, long value);

 create_custom_data▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Convert the current item to a custom data type
     ea   - linear address
     size - size of the item
     dtid - custom data type id (see @0:1219[find_custom_data_type])
     fid  - custom data format id (see @0:1589[find_custom_data_format])
returns: 1-ok, 0-failure
This is a convenience macro, see also @0:18[create_data]() function

#define create_custom_data(ea, size, dtid, fid) create_data(ea, FF_CUSTOM, size, dtid|((fid)<<16))
 ARM specific▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Some ARM compilers in Thumb mode use BL (branch-and-link)
instead of B (branch) for long jumps, since BL has more range.
By default, IDA tries to determine if BL is a jump or a call.
You can override IDA's decision using commands in Edit/Other menu
(Force BL call/Force BL jump) or the following two functions.

//  Force BL instruction to be a jump
//       ea - address of the BL instruction
//  returns: 1-ok, 0-failed

success force_bl_jump(long ea);

//  Force BL instruction to be a call
//       ea - address of the BL instruction
//  returns: 1-ok, 0-failed

success force_bl_call(long ea);
 create_struct▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Create a structure data item at the specified address
     ea      - linear address
     size    - structure size in bytes. -1 means that the size
               will be calculated automatically
     strname - name of a structure type
returns: 1-ok, 0-failure

success create_struct(long ea, long size, string strname);
 create_align▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Convert the current item to an alignment directive
     ea      - linear address
     count   - number of bytes to convert
     align   - 0 or 1..32
               if it is 0, the correct alignment will be calculated
               by the kernel
returns: 1-ok, 0-failure

success create_align(long ea, long count, long align);
Macro for '%s' is defined.
 define_local_var▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Create a local variable
     start, end - range of addresses for the local variable.
                  For the stack variables the end address is ignored.
                  If there is no function at 'start' then this function.
                  will fail.
     location  -  the variable location in the "[bp+xx]" form where xx is
                  a number. The location can also be specified
                  as a register name.
     name      -  name of the local variable
returns: 1-ok, 0-failure

success define_local_var(long start, long end, string location, string name);
¥ del_items▄
 ▀▀▀▀▀▀▀▀▀▀

Convert item (instruction/data) to unexplored bytes.
The whole item (including the head and tail bytes) will be destroyed.
It is allowed to pass any address in the item to this function
     ea     - any address within the item to delete
     flags  - combination of DELIT_... constants
     nbytes - number of bytes in the range to be undefined
returns: 1-ok, 0-failure

success del_items(ea_t ea, long flags=0, long nbytes=1);

#define DELIT_SIMPLE    0x0000  // simply undefine the specified item
#define DELIT_EXPAND    0x0001  // propogate undefined items, for example
                                // if removing an instruction removes all
                                // references to the next instruction, then
                                // plan to convert to unexplored the next
                                // instruction too.
#define DELIT_DELNAMES  0x0002  // delete any names at the specified
                                // address range (except for the starting
                                // address). this bit is valid if nbytes > 1
#define DELIT_NOTRUNC   0x0004  // don't truncate the current function
{WRAP
Append Function Tail ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: AppendFunctionTail
 Current hotkey: @<AppendFunctionTail>

This command appends an arbitrary range of the program to a function definition.
A range must be selected before applying this command. This range must not
intersect with other function chunks (however, an existing tail can be
added to multiple functions).

IDA will ask to select the parent function for the selection and will
append the range to the function definition.

See also

         @0:483[Edit|Functions] submenu.
         @0:688[Remove function tail]LWRAP
Remove Function Tail ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: RemoveFunctionTail
 Current hotkey: @<RemoveFunctionTail>

This command removes the function tail at the cursor from a function definition.

If there are several parent functions for the current function tail range,
IDA will ask to select the parent function(s) to remove the tail from.

After the confirmation, the current function tail range will be removed from the
selected function definition.

If the parent was the only owner of the current tail, then the tail will be destroyed.
Otherwise it will still be present in the database. If the removed parent was the owner
of the tail, then another function will be selected as the owner.

See also

         @0:483[Edit|Functions] submenu.
         @0:687[Append function tail]hWRAP
Empty input file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The input file doesn't contain any instructions or data, i.e. there is
nothing to disassemble.

Some file formats allow the situation when the file is not empty
but it doesn't contain anything to disassemble. For example,
COFF/OMF/EXE formats could contain a file header which just declares that
there are no executable sections in the file.

There could be type information, compiler options and other auxiliary
information in the file. This is the reason why the file doesn't look empty
but IDA doesn't find anything to disassemble.
WRAP
Not a virtual array file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The most probable error is that you tried to use an incompatible version
of IDA. Starting from IDA 2.0 beta2 the format of virtual files was changed.
Illegal argument location %sTWRAP
Virtual Array: Too high VA version ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The most probable error is that you tried to open database with old version of IDA.
Please use newer version of IDA to open this database.
WRAP
Cannot create segment registers range ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This error happens because of the database corruption.
Try to finish your work as soon as possible and generate
the text source file.

The best choice would be to restore from a backup because the
database is corrupted.
qWRAP
Cannot assign to Segment Register ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This error happens because of the database corruption.
Try to finish your work as soon as possible and generate
the text source file.

The best choice would be to restore from a backup because the
database is corrupted.
+WRAP
Cannot add the selection to the function definition ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This error message means that the selection cannot be added to the function.
It may be because of the following:

  - the specified function does not exist or it is not a function entry chunk

  - the selection crosses boundaries of the existing function chunks.
  the selection must not intersect with the existing function chunks
  or must be equal to a function tail chunk.

  - the selection crosses segment boundaries

  - the selection is in a special segment (imports, exports, ...)

  - the selection crosses boundaries of instructions or data

Correct your selection and try again. op_bin▄
 ▀▀▀▀▀▀▀

Convert an operand of the item (instruction or data) to a binary number
     ea  - linear address
      n  - number of operand
             0 - the first operand
             1 - the second, third and all other operands
             -1 - all operands
Note: the data items use only the type of the first operand
Returns: 1-ok, 0-failure

success op_bin(long ea, int n);

// Convert an operand of the item (instruction or data) to an octal number

success op_oct(long ea, int n);

// Convert operand to decimal, hex, char

success op_dec(long ea, int n);
success op_hex(long ea, int n);
success op_chr(long ea, int n);
 op_plain_offset▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Convert operand to an offset
(for the explanations of 'ea' and 'n' please see @0:696[op_bin]())
     base - base of the offset as a linear address
            If base == BADADDR then the current operand becomes non-offset
Example:
 seg000:2000 dw      1234h
and there is a segment at paragraph 0x1000 and there is a data item
within the segment at 0x1234:
 seg000:1234 MyString        db 'Hello, world!', 0
Then you need to specify a linear address of the segment base to
create a proper offset:
     op_plain_offset(to_ea("seg000", 0x2000), 0, 0x10000);
and you will have:
 seg000:2000 dw      offset MyString
Motorola 680x0 processor have a concept of "outer offsets".
If you want to create an outer offset, you need to combine number
of the operand with the following bit:

#define OPND_OUTER      0x80                    // outer offset base
// Please note that the outer offsets are meaningful only for
// Motorola 680x0.

success op_plain_offset(long ea, int n, long base);
  op_offset▄
 ▀▀▀▀▀▀▀▀▀▀

Convert operand to a complex offset expression
This is a more powerful version of @0:697[op_plain_offset]() function.
It allows to explicitly specify the reference type (off8, off16, etc)
and the expression target with a possible target delta.
The complex expressions are represented by IDA in the following form:

        target + tdelta - base

If the target is not present, then it will be calculated using
        target = operand_value - tdelta + base
The target must be present for LOW.. and HIGH.. reference types
     ea      - linear address of the instruction/data
     n       - number of operand to convert (the same as in op_plain_offset)
     reftype - one of REF_... constants
     target  - an explicitly specified expression target. if you don't
               want to specify it, use -1. Please note that LOW... and
               HIGH... reference type require the target.
     base    - the offset base (a linear address)
     tdelta  - a displacement from the target which will be displayed
               in the expression.

success op_offset(long ea, int n, long reftype, long target, long base, long tdelta);

#define REF_OFF8    0              // 8bit full offset
#define REF_OFF16   1              // 16bit full offset
#define REF_OFF32   2              // 32bit full offset
#define REF_LOW8    3              // low 8bits of 16bit offset
#define REF_LOW16   4              // low 16bits of 32bit offset
#define REF_HIGH8   5              // high 8bits of 16bit offset
#define REF_HIGH16  6              // high 16bits of 32bit offset
#define V695_REF_VHIGH   7         // obsolete
#define V695_REF_VLOW    8         // obsolete
#define REF_OFF64   9              // 64bit full offset
                                   // note: processor modules or plugins may register additional
                                   // custom reference types (for example, REF_HIGHA16 is
                                   // used by MIPS, SPARC, PPC, ALPHA, TRICORE, etc.)
#define REFINFO_RVA         0x10   // based reference (rva)
#define REFINFO_PASTEND     0x20   // reference past an item
                                   // it may point to an nonexistitng address
                                   // do not destroy alignment dirs
#define REFINFO_NOBASE      0x80   // offset base is a number
                                   // implies that base have be any value
                                   // nb: base xrefs are created only if base
                                   // points to the middle of a segment
#define REFINFO_SUBTRACT  0x0100   // the reference value is subtracted from
                                   // the base value instead of (as usual)
                                   // being added to it
#define REFINFO_SIGNEDOP  0x0200   // the operand value is sign-extended (only
                                   // supported for REF_OFF8/16/32/64)
#define REFINFO_NO_ZEROS  0x0400  ///< an opval of 0 will be considered invalid
#define REFINFO_NO_ONES   0x0800  ///< an opval of ~0 will be considered invalid
° op_seg▄
 ▀▀▀▀▀▀▀

Convert operand to a segment expression
(for the explanations of 'ea' and 'n' please see @0:696[op_bin]())

success op_seg(long ea, int n);
Æ op_num▄
 ▀▀▀▀▀▀▀

Convert operand to a number (with default number base, radix)
(for the explanations of 'ea' and 'n' please see @0:696[op_bin]())

success op_num(long ea, int n);
 op_man▄
 ▀▀▀▀▀▀▀

Specify operand representation manually.
(for the explanations of 'ea' and 'n' please see @0:696[op_bin]())
     str - a string representation of the operand
IDA will not check the specified operand, it will simply display
it instead of the original representation of the operand.

success op_man(long ea, long n, string str);// manually enter n-th operand
½ toggle_sign▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Change sign of the operand.
(for the explanations of 'ea' and 'n' please see @0:696[op_bin]())

success toggle_sign(long ea, int n);
Ñ toggle_bnot▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Toggle the bitwise not operator for the operand
(for the explanations of 'ea' and 'n' please see @0:696[op_bin]())

success toggle_bnot(long ea, int n);
 op_enum▄
 ▀▀▀▀▀▀▀▀

Convert operand to a symbolic constant
(for the explanations of 'ea' and 'n' please see @0:696[op_bin]())
     enumid - id of enumeration type
     serial - serial number of the constant in the enumeration
              The serial numbers are used if there are more than
              one symbolic constant with the same value in the
              enumeration. In this case the first defined constant
              get the serial number 0, then second 1, etc.
              There could be 256 symbolic constants with the same
              value in the enumeration.

success op_enum(long ea, int n, long enumid, long serial);
G op_stroff▄
 ▀▀▀▀▀▀▀▀▀▀

Convert operand to an offset in a structure
(for the explanations of 'ea' and 'n' please see @0:696[op_bin]())
     strid   - id of a structure type
     strpath - instead of strid, it is possible to specify a full strpath
               like this: "struct.mem1.mem2"
     delta - struct offset delta. usually 0. denotes the difference
             between the structure base and the pointer into the structure.

success op_stroff(long ea, int n, long strid, long delta);
success op_stroff(long ea, int n, string strpath, long delta);
» op_stkvar▄
 ▀▀▀▀▀▀▀▀▀▀

Convert operand to a stack variable
(for the explanations of 'ea' and 'n' please see @0:696[op_bin]())

success op_stkvar(long ea, int n);
 op_offset_high16▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Convert operand to a high offset
High offset is the upper 16bits of an offset.
This type is used by PPC, MIPS, and other RISC processors.
(for the explanations of 'ea' and 'n' please see @0:696[op_bin]())
     target - the full value (all 32bits) of the offset

success op_offset_high16(long ea, int n, long target);
/ get_flags▄
 ▀▀▀▀▀▀▀▀▀▀

Get internal flags without MS_VAL and FF_IVL.
     ea - linear address
MS_VAL and FF_IVL may be expensive to retrieve when the debugger is active.
returns: 32-bit value of internal flags. See start of this file
for explanations.

long get_flags(long ea);
X update_extra_cmt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Set or update extra comment line
     ea   - linear address
     n    - number of additional line (0..MAX_ITEM_LINES)
     line - the line to display
IDA displays additional lines from number 0 up to the first unexisting
additional line. So, if you specify additional line #150 and there is no
additional line #149, your line will not be displayed.
MAX_ITEM_LINES is defined in IDA.CFG
To set anterior  line #n use (E_PREV + n)
To set posterior line #n use (E_NEXT + n)

void update_extra_cmt(long ea, long n, string line);
q Functions provided by the replayer debugger▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

// Step back in the currently replayed trace
// Returns: error code (0 if none happened).

success step_back();

// Set the current event number, changing the PC register.
// Input  : the event to move to
// Events are numbered in reverse order, i.e. 0 is the last available event.
// Returns: error code.

success set_current_tev(long event);

// Get the current event number.
// Returns: the current event number.

long get_current_tev();
2 del_extra_cmt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Delete an extra comment line
     ea   - linear address
     n    - number of additional line (0..MAX_ITEM_LINES)
To delete anterior  line #n use (E_PREV + n)
To delete posterior line #n use (E_NEXT + n)

void del_extra_cmt(long ea, long n);
¿ Functions provided by the WinDbg debugger▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

// Send arbitrary command to the WinDbg engine
// Returns: the command output

string @0:1592[send_dbg_command](string cmd);

// Read a model specific register
// Returns: the register value. if this function fails,
//          an exception with the error code is raised
// Note: this function works only in the kernel mode

int64 read_msr(long reg_id);

// Write a model specific register
// Returns: windows error code (0-ok)
// Note: this function works only in the kernel mode

success write_msr(long reg_id, int64 value);
 patch_byte▄
 ▀▀▀▀▀▀▀▀▀▀▀

Change value of a program byte
If debugger was active then the debugged process memory will be patched too
     ea    - linear address
     value - new value of the byte
Returns: 1 if the database has been modified,
         0 if either the debugger is running and the process' memory
           has value 'value' at address 'ea',
           or the debugger is not running, and the IDB
           has value 'value' at address 'ea already.

success patch_byte(long ea, long value);
Ó patch_word▄
 ▀▀▀▀▀▀▀▀▀▀▀

Change value of a program word (2 bytes)
     ea    - linear address
     value - new value of the word
Returns: 1 if the database has been modified,
         0 if either the debugger is running and the process' memory
           has value 'value' at address 'ea',
           or the debugger is not running, and the IDB
           has value 'value' at address 'ea already.

success patch_word(long ea, long value);
, get_enum_member_enum▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get id of enum by id of constant
     const_id - id of symbolic constant
returns: id of enum the constant belongs to.
                        -1 if const_id is bad.

long get_enum_member_enum(long const_id);
ß get_enum_member▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get id of constant
     enum_id - id of enum
     value   - value of constant
     serial  - serial number of the constant in the enumeration.
               See @0:704[op_enum]() for for details.
     bmask   - bitmask of the constant
               ordinary enums accept only -1 as a bitmask
returns: id of constant or -1 if error

long get_enum_member(long enum_id, long value, long serial, long bmask);
T get_first_bmask▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get first bitmask in the enum (bitfield)
     enum_id - id of enum (bitfield)
returns: the smallest bitmask of constant or -1
         no bitmasks are defined yet
         All bitmasks are sorted by their values as unsigned longs.

long get_first_bmask(long enum_id);
- get_last_bmask▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get last bitmask in the enum (bitfield)
     enum_id - id of enum
returns: the biggest bitmask or -1 no bitmasks are defined yet
         All bitmasks are sorted by their values as unsigned longs.

long get_last_bmask(long enum_id);
 get_next_bmask▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get next bitmask in the enum (bitfield)
     enum_id - id of enum
     bmask   - value of the current bitmask
returns: value of a bitmask with value higher than the specified
         value. -1 if no such bitmasks exist.
         All bitmasks are sorted by their values as unsigned longs.

long get_next_bmask(long enum_id, long value);
 get_prev_bmask▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get prev bitmask in the enum (bitfield)
     enum_id - id of enum
     value   - value of the current bitmask
returns: value of a bitmask with value lower than the specified
         value. -1 no such bitmasks exist.
         All bitmasks are sorted by their values as unsigned longs.

long get_prev_bmask(long enum_id, long value);
 get_bmask_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get bitmask name (only for bitfields)
     enum_id - id of enum
     bmask   - bitmask of the constant
returns: name of bitmask if it exists. otherwise returns 0.

long get_bmask_name(long enum_id, long bmask);
v get_bmask_cmt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get bitmask comment (only for bitfields)
     enum_id - id of enum
     bmask   - bitmask of the constant
     repeatable - type of comment, 0-regular, 1-repeatable
returns: comment attached to bitmask if it exists.
         otherwise returns 0.

long get_bmask_cmt(long enum_id, long bmask, long repeatable);
" set_bmask_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

set bitmask name (only for bitfields)
     enum_id - id of enum
     bmask   - bitmask of the constant
     name    - name of bitmask
returns: 1-ok, 0-failed

success set_bmask_name(long enum_id, long bmask, string name);
` set_bmask_cmt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

set bitmask comment (only for bitfields)
     enum_id - id of enum
     bmask   - bitmask of the constant
     cmt     - comment
     repeatable - type of comment, 0-regular, 1-repeatable
returns: 1-ok, 0-failed

long set_bmask_cmt(long enum_id, long bmask, string cmt, long repeatable);
° get_first_enum_member▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get first constant in the enum
     enum_id - id of enum
     bmask   - bitmask of the constant
               ordinary enums accept only -1 as a bitmask
returns: value of constant or -1 no constants are defined
         All constants are sorted by their values as unsigned longs.

long get_first_enum_member(long enum_id, long bmask);
ª get_last_enum_member▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get last constant in the enum
     enum_id - id of enum
     bmask   - bitmask of the constant
               ordinary enums accept only -1 as a bitmask
returns: value of constant or -1 no constants are defined
         All constants are sorted by their values as unsigned longs.

long get_last_enum_member(long enum_id, long bmask);
 get_next_enum_member▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get next constant in the enum
     enum_id - id of enum
     bmask   - bitmask of the constant
               ordinary enums accept only -1 as a bitmask
     value   - value of the current constant
returns: value of a constant with value higher than the specified
         value. -1 no such constants exist.
         All constants are sorted by their values as unsigned longs.

long get_next_enum_member(long enum_id, long value, long bmask);
 get_prev_enum_member▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get prev constant in the enum
     enum_id - id of enum
     bmask   - bitmask of the constant
               ordinary enums accept only -1 as a bitmask
     value   - value of the current constant
returns: value of a constant with value lower than the specified
         value. -1 no such constants exist.
         All constants are sorted by their values as unsigned longs.

long get_prev_enum_member(long enum_id, long value, long bmask);
Ü get_enum_member_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get name of a constant
arguments: const_id - id of const
returns: name of constant

string get_enum_member_name(long const_id);
8 get_enum_member_cmt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get comment of a constant
     const_id   - id of const
     repeatable - 0:get regular comment
                  1:get repeatable comment
returns: comment string

string get_enum_member_cmt(long const_id, long repeatable);
/ add_enum▄
 ▀▀▀▀▀▀▀▀▀

add a new enum type
     idx - is not used anymore
     name - name of the enum.
     flag - flags for representation of numeric constants
            in the definition of enum.
returns: id of new enum or -1.

long add_enum(long idx, string name, long flag);
u del_enum▄
 ▀▀▀▀▀▀▀▀▀

delete enum type
     enum_id - id of enum

void del_enum(long enum_id);
Ñ set_enum_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

rename enum
     enum_id - id of enum
     name    - new name of enum
returns: 1-ok, 0-failed

success set_enum_name(long enum_id, string name);
E set_enum_cmt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

set comment of enum
     enum_id    - id of enum
     cmt        - new comment for the enum
     repeatable - 0:set regular comment
                  1:set repeatable comment
returns: 1-ok, 0-failed

success set_enum_cmt(long enum_id, string cmt, long repeatable);
 set_enum_flag▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

set flag of enum
     enum_id - id of enum
     flag    - flags for representation of numeric constants
               in the definition of enum.
returns: 1-ok, 0-failed

success set_enum_flag(long enum_id, long flag);
 set_enum_bf▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

set bitfield property of enum
     enum_id - id of enum
     flag    - 1: convert to bitfield
               0: convert to ordinary enum
returns: 1-ok, 0-failed

success set_enum_bf(long enum_id, long flag);
 is_bf▄
 ▀▀▀▀▀▀

is enum a bitfield?
     enum_id - id of enum
returns: 1-yes, 0-no, ordinary enum

success is_bf(long enum_id);
Ð add_enum_member▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

add a member of enum - a symbolic constant
     enum_id - id of enum
     name    - name of symbolic constant. Must be unique
               in the program.
     value   - value of symbolic constant.
     bmask   - bitmask of the constant
               ordinary enums accept only -1 as a bitmask
               all bits set in value should be set in bmask too
returns: 0-ok, otherwise error code TERR_...

long add_enum_member(long enum_id, string name, long value, long bmask);

#define TERR_OK              0 // ok
#define TERR_BAD_NAME       -3 // name is not acceptable
#define TERR_BAD_TYPE       -6 // bad type
#define TERR_BAD_VALUE     -16 // value is not acceptable
#define TERR_BAD_BMASK     -18 // Bad enum member mask. The specified mask should not intersect with any existing mask in the enum. Zero masks are prohibited too
#define TERR_BAD_MSKVAL    -19 // bad bmask and value combination
~F~ile~E~dit~J~ump	Searc~h~	~W~indow~V~iewDeb~u~g
~O~ptionsHelpOt~h~er~F~unctions~S~egments
S~t~ructs~E~nums~A~dd struct type...~C~opy struct type...~D~elete struct type...~E~xpand struct type...~S~hrink struct type...Edi~t~ struct type...Declare struct ~v~ar...~F~orce zero field offsetSe~l~ect union member...Add e~n~um...De~l~ete enum...Ed~i~t enum...~A~dd enum member...~E~dit enum member...~D~el enum member...~R~esize/move~Z~oom~P~revious~N~ext~C~lose~T~ile
C~a~scadeReset ~h~idden messages...~S~et video mode...~E~xternal help~K~eyboard layout~L~oad fileExecute script ~c~ommand...~P~roduce output fileOS s~h~ellAbo~u~t...~S~ave databaseSa~v~e database as...~A~bort - do not save~Q~uit & saveProduce ~M~AP file...Produce ~A~SM file...Produce ~I~NC file...Produce ~L~ST file...Produce ~E~XE file...Produce ~D~IF file...D~u~mp database to IDC file...Dump ~t~ypeinfo to IDC file...~R~eload the input fileS~c~ript file...~A~dditional binary file...~I~DS file...~D~BG file...~P~DB file...~F~LIRT signature file...C ~h~eader file...Jump immediate
Jump back~U~ndo last jump backEmpty navigation stack
~A~ddress...
~N~ame...
~S~egment...Se~g~ment register...
~P~roblem...Mar~k~ position...C~l~ear mark...~M~arked position...~C~ross reference...Cross ~x~ref to operand...~F~unction...~E~ntry point...F~i~le offset...find all void o~p~erandsfind al~l~ errorsnext '~v~oid'~n~ext 'error'next ~c~odenext ~d~atanext ~u~nexplorednext ~e~xplored~i~mmediate...next i~m~mediate
~t~ext...next te~x~ttext in c~o~re...next text in co~r~enot ~f~unctionSearch direction(Re)~n~ame any address...~J~ump table... Create ~a~lignment directive...~M~anual instruction...Hide/show ~b~order~C~ode~D~ata~A~SCIIArra~y~...~U~ndefineRe~n~ame...~P~atch programCo~m~ments~O~perand types~T~ext representation...Comm~e~nts...C~r~oss references...Assembler d~i~rectives...String literals ~s~tyle...Strin~g~ literals options...~C~olors...~N~ame representation...De~m~angled names...Compi~l~er...D~u~mp/normal viewSetup ~d~ata types~P~rocessor type...Target ~a~ssembler...Analysis ~o~ptions...~M~ake function...~E~dit function...Append function ~t~ail...Remo~v~e function tail...~D~elete function...~S~et function endStac~k~ variables...~C~hange stack pointer...~R~ename register...Set function t~y~pe...Enter comment...Enter ~r~epeatable comment...!Retrieve ~p~redefined comment...Edit extra ~a~nterior lines... Edit extra p~o~sterior lines...~F~loating point	~B~inaryOcta~l~
~D~ecimal~H~exadecimal	~N~umber~O~ffset by data segment/NoOffset by ~c~urrent segmentOffset by ~a~ny segment...~U~ser-defined offset...Struc~t~ offset...	~O~ffset	~N~umberCha~r~acter
~S~egmentEnu~m~ member...Stac~k~ variableChange si~g~nBit~w~ise negateM~a~nual...~N~ew segment...~D~elete segment...~E~dit segment...~M~ove segment...~R~ebase program... Change segment ~t~ranslation...(~S~et default segment register value...#Change segment register ~v~alue...Change ~b~yte...Change ~w~ord...~A~ssemble...~O~pen subviewsInternal ~f~lags~H~ide	Unh~i~de~D~el hidden range	Hide allUnhide allSetup hidden items...Vie~w~ file...~E~dit file...~C~alculate...
Show segregs~D~isassemblyF~u~nctions~S~egmentsSegment ~r~egistersSe~l~ectors~N~ames
~E~xports
~I~mportsCr~o~ss references
Struc~t~ures~P~roblems
Si~g~naturesT~y~pe librariesStart processAttach to process...~P~ause processTerminate processDetach from processTa~k~e memory snapshotToggle breakpoint~E~dit breakpoint~A~dd watch~D~el watch
Step into
Step overRun until returnRun to cursorSet current ipShow app screenOpen ~C~PU registersOpen ~b~reakpointsOpen ~w~atchesOpen ~s~tacktraceOpen ~t~hreadsOpen ~m~odulesP~r~ocess options...Deb~u~gger options...Select debugger... No hot key is defined for '%s'!Current Processor: %s
Target Assembler: %s
sActions %s and %s have the same hotkey %s (%#x)
Please edit the configuration files (ida%cui.cfg or idauser%c.cfg)!Setting screen mode 0x%04X (%s)
-$@0:443[]
Please enter DIF file name$@0:439[]
Please enter MAP file name$@0:440[]
Please enter ASM file name%@0:1475[]
Please enter INC file name$@0:441[]
Please enter LST file name-@0:431[]
Please enter name of the input file?@0:431[]
Sorry, the input file of this type cannot be reloaded$@0:442[]
Enter binary file name for"Binary file %s has been created.
+@0:444[]
Please enter the unload file name3Variadic functions must have at least one argument6@0:432[]
Please enter the script file name to execute=@0:444[]
Please enter the IDC file name to dump the database=@0:445[]
Please enter the IDC file name to dump the typeinfo qmakefile▄
 ▀▀▀▀▀▀▀▀▀▀

Construct filename from base name and extension

string qmakefile(string base, string ext);
/@0:448[]
Please enter a new database file namep@0:527[]
Patch Bytes

 Address        %N
 File offset    %N
 Original value %q
 <~V~alues         :q:80:50::>

m@0:527[]
Patch Word

 Address        %N
 File offset    %N
 Original value %L

 <~V~alue (word)  :L::18::>

5@0:527[]
Please enter new value for the current wordkHIDECANCEL
@0:630[]
Auto analysis is not completed, the result may be inaccurate. Do you want to continue?+@0:433[]
Select an additional file to load+@0:434[]
Please select an IDS file to load*@0:435[]
Please select a DBG file to load%Please enter floating point constantOHIDECANCEL
The output database %s already exists. Do you want to overwrite it?5Some other instruction/data is already defined at %sh@0:529[]
Assemble instruction

 Previous line: %q
 Address      : %N:%N
 <~I~nstruction :q:1000:40::>

<Sorry, this processor module doesn't support the assembler.UThe FLIRT signature file '%s' has been put into the queue and will be applied later.8@0:640[]
The patched bytes have relocation information! Generate MAP file
    Include in the map file:

  <#Include segmentation information in the map#~S~egmentation information:C>
  <#Include dummy names in the map#D~u~mmy names :C>
  <#Demangle names if possible#~D~emangle names  :C>
  <#Include local names in the map#~L~ocal names :C>>

%@0:1372[]
Load Additional Binary File

  File name: %A

  <~L~oading segment     :N::10::> (in paragraphs)
  <Loading  ~o~ffset     :N::10::>
  <~F~ile offset in bytes:N::10::>
  <~N~umber of bytes     :N::10::> (0 means maxmimum)

  <Create ~s~egments     :C>
  <~C~ode segment        :C>>

*@0:1125[]
Cannot open for write file '%s'&Write error, may be the disk is full??%s: generating assembler file for the address range %08a-%08a
Writing include file %s
=%s: generating listing file for the address range %08a-%08a
3Assembler file has been created, total %lu lines.
;Assembler include file has been created, total %lu lines.
1Listing file has been created, total %lu lines.
-Map file has been created, total %lu lines.
!Output file '%s' already exists.#Difference file has been created.
L@0:638[]
Some patched bytes are skipped, see the message window for detailsR@0:421[]
Sorry, the demo version cannot produce asm files.
Press F1 for details.Creating the output file.5@0:222[]
This type of output files is not supported..startitem 0
@0:523[]
Segment Register Value

6startitem 0
@0:522[]
Segment Default Register Value

7@0:544[]
Jump to address

  <~J~ump address:$::32::>

@@0:1393[]
Jump to file offset

  <~J~ump file offset:M::32::>

 @0:546[]
Choose segment to jump @0:547[]
Choose address to jumpChoose a name@0:567[]
Choose an entry point$@0:639[]
Choose function to jump to¨@0:520[]
Move segment

Segment: %A
Start address: %N
End address: %N

<~T~arget address:N::12::>

<#Correct relocatable references#~F~ix up the relocated segment:C>>

§@0:520[]
Move multiple segments

Start address: %N
End address: %N

<~T~arget address:N::12::>

<#Correct relocatable references#~F~ix up the relocated segments:C>>

4STARTITEM 1
@0:1408[]
Rebase the whole program

%/Please enter the new

<~A~ddress of the first segment:R1>
<~S~hift delta:R2>
<~I~mage base:R3>4>

<~V~alue:N5:511:12::>

<#Correct relocatable references#~F~ix up the program:C>
<#Adjust internal variables to reflect the shift#~R~ebase the whole image:C>>

jHIDECANCEL
@0:628[]
You are about to change the segment '%s' bounds (%08a-%08a) to (%08a-%08a). Continue?HIDECANCEL
@0:508[]
The segment '%s' addressing mode will be changed to %d-bit. ALL INFORMATION about instructions/data WILL BE LOST! Are you sure?C@0:507[]
Segment end address is invalid or less than start addressI@0:507[]
Bad segment base: segment would have bytes with negative offset'@0:507[]
Invalid segment start address¼@0:507[]
Create a new segment
%/

 Start address and end address should be valid.
         End address > Start address

<Segment ~n~ame    :q:511:12::>
<~S~tart address   :N::12::> C-notation:
<~E~nd   address   :N::12::>   hex is 0x...
<~B~ase            :N::12::> in paragraphs
<Cl~a~ss           :q:511:12::> (class is any text)

<~1~6-bit segment  :R10>  <#Recommended for huge segments#Use s~p~arse storage:C>>
<~3~2-bit segment  :R11>>

Õ@0:507[]
Create a new segment
%/

 Start address and end address should be valid.
         End address > Start address

<Segment ~n~ame    :q:511:18::>
<~S~tart address   :N::18::> C-notation:
<~E~nd   address   :N::18::>   hex is 0x...
<~B~ase            :N::18::> in paragraphs
<Cl~a~ss           :q:511:18::> (class is any text)

<~1~6-bit segment  :R10>  <#Recommended for huge segments#Use s~p~arse storage:C>>
<~3~2-bit segment  :R11>
<~6~4-bit segment  :R12>>

@0:589[]
Segments@0:525[]
Choose segment@@0:521[]
Enter segment translation list (list of segment names)Segment translation list: %s
@0:629[]
Delete Segment

CAUTION: ALL INFORMATION ABOUT THE SEGMENT WILL BE LOST!
Segment %A (%N-%N)

<~C~ONFIRM DELETION:C>>

<~D~isable addresses:C>>
+ set_named_type▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Store a type in the til.
To replace the existing type use #NTF_REPLACE
     name    -  type name
     type    -  serialized type string
     fields  -  serialized type fields
     cmt     -  main type comment
     fldcmts -  serialized type field comments
     sclass  -  type storage class

tinfo_code_t set_named_type(
        string name,
        long ntf_flags,
        string type,
        string fields="",
        string cmt="",
        string fldcmts="",
        long sclass=0);
ªWRAP
Assembler level and C level types▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

In order to provide intuitive yet powerful interface to types IDA introduces
two kinds of types:

  - Assembler level types
  - C level types

Assembler level types are the ones defined by the user using the
@0:593[Struct] or @0:1259[Types] views.

Since the user has to specify manually the member offset and other attributes,
IDA considers the member offsets to be fixed for them and never shifts members
of such types. If a member of struct becomes too big and does not fit the struct
anymore, IDA will delete it.

The types defined in the @0:1259[Local types] window are considered
as C level types. For them IDA automatically calculates the member offsets and
if necessary may shift members and change the total struct size.

The user may change the type level by simply editing the type from the appropriate
window. For example, if a C level type is edited from the @0:593[Struct]
view, IDA will consider such a type as an Assembler level type in the future.

 In the struct/enum view:
  Assembler level types are displayed using regular colors.
  C level types are displayed in gray, as if they are disabled (but they are not).

 In the local types view:
  C level types are displayed using regular colors.
  Assembler level types are displayed in gray, as if they are disabled (but they are not).
©@0:514[]
Change segment combination

 <~0~ Private:R>
 <~1~ Group:R>
 <~2~ Public:R>
 <~3~ Reserved:R>
 <~4~ Public:R>
 <~5~ Stack:R>
 <~6~ Common:R>
 <~7~ Public:R>>

ö@0:514[]
Change segment alignment

 <~A~bs:R>
 <~B~yte:R>
 <~W~ord:R>
 <~D~ouble word (4 bytes):R>
 <~Q~uadro word (8 bytes):R>
 <~P~aragraph (16 bytes):R>
 <~3~2 bytes:R>
 <~6~4 bytes:R>
 <Pag~e~ (256 bytes):R>
 <~4~096 bytes:R>
 <~G~roup:R>>

«@0:1369[]
Comment representation

<Co~m~ment indention:D::3::>

<Display '~s~uspicious' marks       :C>
<Display ~e~mpty lines              :C>
<Display borders bet~w~een data/code:C>
<Display ~b~asic blocks             :C>
<Display ~c~omments                 :C>
<Display ~r~epeatable comments      :C>
<Display ~a~uto comments            :C>
<Display s~o~urce lines             :C>
<Display ~t~ry block lines          :C>>

>@0:605[]
Text representation
 ┌<Line ~p~refixes:C>> ┌───────────────────────────────┐
┌┴──────┐ ┌──────────┴─┐  <Number of opco~d~e bytes :D::2::>
1000:0FE4               ;---------------------------
1000:0FE4
1000:0FE4               loc_0_FE4:
1000:0FE4 90                         nop     ;
└┬─┘<~U~se segment names:C>           │       ;   <Mar~g~in :D::4::>
 │  <~S~egment addresses:C>           │          (length of arguments of
 └──<~F~unction offsets :C>>           │           data directives)
<I~n~struction indention :D::3::> ─────┘
<Use ~t~abulations in output:C> <~l~ow  susp. limit:N::10:@0:606[]>
<Display st~a~ck pointer    :C>> <~h~igh susp. limit:N::10:@0:606[]>

@0:607[]
Cross-reference representation

<Display se~g~ments in xrefs:C>────────────────────────┐
<Display xref ~t~ype mark   :C>──────────────────┐     │
<Display ~f~unction offsets :C>                  │     │
<Display xref ~v~alues      :C>>                  │     │
                                               ┌┴──┐ ┌┴─┐
1000:0FE4 90                         nop     ; CREF: 1000:0FE0        |
                                                                      │
<Right ~m~argin             :D::8::> (max length of line with xrefs)┘
<Cross reference ~d~epth    :N::18::>

Number of xrefs to display
    <in d~i~sasembly :D::8::>
    <in ~s~truct/enum:D::8::>

a@0:608[]
Assembler directives
  <##Generate##~A~SSUME directives:C>
  <.~O~RG   directives:C>>

Ç@0:601[]
Setup the display of hidden items

   <Automatically hide ~l~ibrary functions:C>>

   <Display hidden ~i~nstructions:C>
   <Display hidden ~f~unctions:C>
   <Display hidden ~s~egments:C>>

Ð@0:620[]
Background analysis

   <~A~nalysis enabled:C>
   <~I~ndicator enabled:C>>

   <Kernel analyzer options ~1~:B:0:::>

   <Kernel analyzer options ~2~:B:1:::>

   <Kernel analyzer options ~3~:B:2:::>
 add_user_stkpnt▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Add user-defined SP register change point
     ea    - linear address where SP changes
     delta - difference between old and new values of SP
returns: 1-ok, 0-failed

success add_user_stkpnt(ea, sval_t delta);
4
   <~P~rocessor specific analysis options:B:3:::>
@0:621[]
Kernel analysis options 1

<~T~race execution flow                            :C>
<~M~ark typical code sequences as code             :C>
<~L~ocate and create jump tables                   :C>
<Control flo~w~ to data segment is ignored         :C>
<~A~nalyse and create all xrefs                    :C>
<~D~elete instructions with no xrefs               :C>
<Create function ~i~f data xref data->code32 exists:C>
<Create ~f~unctions if call is present             :C>
<Create function ~t~ails                           :C>
<Create ~s~tack variables                          :C>
<Propagate ~s~tack argument information            :C>
<Propagate ~r~egister argument information         :C>
<Trace stack ~p~ointer                             :C>
<Perform full stack ~p~ointer analysis             :C>
<Perform '~n~o-return' analysis                    :C>
<Try to ~g~uess member function types              :C>>

@0:622[]
Kernel analysis options 2

<Truncate ~f~unctions upon code deletion           :C>
<Create string literal if data ~x~ref exists       :C>
<Check for ~u~nicode strings                       :C>
<~C~reate offsets and segments using fixup info    :C>
<Create ~o~ffset if data xref to seg32 exists      :C>
<Convert ~3~2bit instruction operand to offset     :C>
<Automatically convert data to ~o~ffsets           :C>
<~U~se flirt signatures                            :C>
<Comment ~a~nonymous library functions             :C>
<~M~ultiple copy library function recognition      :C>
<Automatically ~h~ide library functions            :C>
<~R~ename jump functions as j_...                  :C>
<Rename ~e~mpty functions as nullsub_...           :C>
<Coagulate ~d~ata segments in the final pass       :C>
<~C~oagulate code segments in the final pass       :C>
<Make fi~n~al analysis pass                        :C>>

¼@0:609[]
Names
%/
<~D~ummy name representation:E1:75:75:1::>
  <~R~enumber:C2>>

<##Types of names included in the list of names##~N~ormal:C>
<~P~ublic:C>
<~A~utogenerated:C>
<~W~eak:C>>
ã@0:611[]
Demangled C++ names
<##Show demangled C++ names as##~C~omments:R>
<~N~ames:R>
<~D~on't demangle:R>>

<~A~ssume GCC v3.x names:C>>

<~O~verride type info:C>>

<Setup ~s~hort names:B:0:::> <Setup ~l~ong  names:B:1:::>

'startitem 2
@0:612[]
Demangled C++ names
<#Inhibit everything except the main name#Demangled C++ names##Only ~m~ain name          :C>  <##Suppress pointer modifiers##~n~ear:R>
<#No underscores in calling convention names (__cdecl, __pascal, etc)#No und~e~rscores in cc:C>   <near/__ptr64 :R>
<#No calling conventions for parameters and __based()#~R~emove some calling conv:C>   <~f~ar          :R>
<#No return type of functions#No return t~y~pe:C>   <all, ~1~6bit   :R>
<No "~b~ased"() specifier:C>   <~h~uge         :R>
<#Remove all calling conventions#Remove all ~c~alling conv:C>   <__ptr~6~4       :R>
<#No postfix const in member function declarations#No ~p~ostfix const:C>   <Display all  :R>
<#No public/private/protected keywords#No access keyw~o~rds:C>   <Display none:R>>
<No thro~w~ descriptions:C>
<#No static and virtual keywords#No static and ~v~irtual:C>     <si~g~ned int as 'sint'  :c>
<#No class/struct/union/enum keywords#No u~d~t keywords :C>     <~u~nsigned int as 'uint':c>
<#No const and volatile keywords#No const and volati~l~e:C>     <spaces af~t~er commas   :c>>
<No __clo~s~ure keyword:C>
<No __un~a~ligned keyword:C>    <#Remove 'j_' prefix in names#~Q~uash j_    :c>
<#No __pin/__box/__gc for MS.Net#No __pin/__bo~x~/__gc:C>>   <Transfer ~j~_ :c>>

<~I~gnore postfix _nn (duplicate):C>>

z get_imagebase▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get base address of the input file

long get_imagebase();
å@0:614[]
String literal options
%/%*
 <~G~enerate names:C>>       <Names pre~f~ix  :q:15:15::>
 <#Forces start of next line#Next ~l~ine char :N::5::>   <~M~ark as autogenerated:C>>
                             <Generate ~s~erial names:C>>

 Defaults                  Serial names
   <~T~ype :b::::>        <~N~umber :D::6::>
   8-bit  <            :B100::::>   <~W~idth  :D::6::>
   16-bit <            :B101::::>
   32-bit <            :B102::::>

 <~C~omment string references:C>>

 qisabspath▄
 ▀▀▀▀▀▀▀▀▀▀▀

Is the file name absolute (not relative to the current dir?)

long qisabspath(string file);
Search direction: up
Search direction: down
F@0:596[]
Evaluate expression

<Expression :q::50::>

%A
%A
%A
%A
%A

+The key file '%s' is expired or corrupted.Ë@0:615[]
Color configuration

  <Palette ~1~:R>
  <Palette ~2~:R>
  <Palette ~3~:R>
  <Palette ~4~:R>1>  <~C~ustomize:B:0:::>

  <~E~nable syntax highlighting:C>>
  <Highlight current ~i~dentifier:C>>

 qmake_full_path▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Convert relative path to absolute path

string qmake_full_path(string path);
@0:574[]
Search Immediate

  This command searches for the specified
  value in the instruction operands
  and data items.

  <~V~alue to search:N::18::>

  <#Find any operand value (excluding zero) which has no type or sign#~A~ny untyped value:C>
  <#Search up if checked. Search down otherwise#Search ~U~p:C>
  <#Find all occurrences and display a list#~F~ind all occurrences:C>>

Searching %s for value %a...
'Searching %s for untyped immediate...
@0:579[]
Binary search
%/%*

Enter binary search string:
  <~S~tring:q100:1000:40::>
  <#Perform case-sensitive search#Match ~c~ase:C>           <~H~ex:r>
  <#Search ~U~p:C>                                          <~D~ecimal:r>
  <#Find all occurrences and display a list#~F~ind all occurrences:C>> <~O~ctal:r>>
  <#Encoding of input strings literals#String e~n~coding:b101:0:33::>

"Search completed. Found at %08a.
Search failed.
7Searching %s CASE-SENSITIVELY for binary string %s...
9Searching %s CASE-INSENSITIVELY for binary string %s...
@0:548[]
Problemss Breakpoint handling functions▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

// Get number of breakpoints.
// Returns: number of breakpoints

long get_bpt_qty();

// Get breakpoint address
//      n - number of breakpoint, is in range 0..get_bpt_qty()-1
// returns: address of the breakpoint or BADADDR

long get_bpt_ea(long n);

// Get the characteristics of a breakpoint
//      address - any address in the breakpoint range
//      bptattr - the desired attribute code, one of BPTATTR_... constants
// Returns: the desired attribute value or -1

long get_bpt_attr(long ea, number bptattr);

#define NO_PROCESS    -1  // invalid process
#define NO_THREAD      0  // invalid thread
#define BPTATTR_EA     1  // starting address of the breakpoint
#define BPTATTR_SIZE   2  // size of the breakpoint (undefined for software breakpoint)
#define BPTATTR_TYPE   3                     // type of the breakpoint
                                             // Breakpoint types:
#define  BPT_WRITE   1                       // Hardware: Write access
#define  BPT_READ    2                       // Hardware: Read access
#define  BPT_RDWR    3                       // Hardware: Read/write access
#define  BPT_SOFT    4                       // Software breakpoint
#define  BPT_EXEC    8                       // Hardware: Execute instruction
#define  BPT_DEFAULT (BPT_SOFT|BPT_EXEC)     // Choose bpt type automatically

#define BPTATTR_COUNT  4  // number of times the breakpoint is hit before stopping

#define BPTATTR_FLAGS  5  // Breakpoint attributes:
#define BPT_BRK        0x001 // the debugger stops on this breakpoint
#define BPT_TRACE      0x002 // the debugger adds trace information when
                             // this breakpoint is reached
#define BPT_UPDMEM     0x004 // refresh the memory layout and contents before evaluating bpt condition
#define BPT_ENABLED    0x008 // enabled?
#define BPT_LOWCND     0x010 // condition is calculated at low level (on the server side)
#define BPT_TRACEON    0x020 // enable tracing when the breakpoint is reached
#define BPT_TRACE_INSN 0x040 //   instruction tracing
#define BPT_TRACE_FUNC 0x080 //   function tracing
#define BPT_TRACE_BBLK 0x100 //   basic block tracing

#define BPTATTR_COND   6  // Breakpoint condition
                          // NOTE: the return value is a string in this case
#define BPTATTR_PID    7  // Breakpoint process id
#define BPTATTR_TID    8  // Breakpoint thread id

// Breakpoint location type:
#define BPLT_ABS     0    // Absolute address. Attributes:
                          // - locinfo: absolute address

#define BPLT_REL     1    // Module relative address. Attributes:
                          // - locpath: the module path
                          // - locinfo: offset from the module base address

#define BPLT_SYM     2    // Symbolic name. The name will be resolved on DLL load/unload
                          // events and on naming an address. Attributes:
                          // - locpath: symbol name
                          // - locinfo: offset from the symbol base address

// Breakpoint properties:
#define BKPT_BADBPT   0x01 // failed to write the bpt to the process memory (at least one location)
#define BKPT_LISTBPT  0x02 // include in bpt list (user-defined bpt)
#define BKPT_TRACE    0x04 // trace bpt; should not be deleted when the process gets suspended
#define BKPT_ACTIVE   0x08 // active?
#define BKPT_PARTIAL  0x10 // partially active? (some locations were not written yet)
#define BKPT_CNDREADY 0x20 // condition has been compiled

// ***********************************************
class Breakpoint
{
  // Breakpoint type. One of BPT_... constants
  attribute type;

  // Breakpoint size (for hardware breakpoint)
  attribute size;

  // Breakpoint condition (string)
  attribute condition;

  // Scripting language of the condition string
  // "IDC" for IDC, "Python" for Python etc. ('name' field of extlang_t)
  // if empty, default extlang is assumed
  attribute elang;

  // Breakpoint flags. Refer to BPTATTR_FLAGS
  attribute flags;

  // Breakpoint properties. Refer to BKPT_... constants
  attribute props;

  // Breakpoint pass count
  attribute pass_count;

  // Attribute location type. Refer to BPLT_... constants.
  // Readonly attribute.
  attribute loctype;

  // Breakpoint path (depending on the loctype)
  // Readonly attribute.
  attribute locpath;

  // Breakpoint address info (depending on the loctype)
  // Readonly attribute.
  attribute locinfo;

  // Set absolute breakpoint
  success set_abs_bpt(address);

  // Set symbolic breakpoint
  success set_sym_bpt(symbol_name, offset);

  // Set relative breakpoint
  success set_rel_bpt(path, offset);
};

// Set modifiable characteristics of a breakpoint
//       address - any address in the breakpoint range
//       bptattr - the attribute code, one of BPTATTR_... constants.
//                 BPTATTR_COND is not allowed, see @0:1076[Bpts]
//       value   - the attribute value
// Returns: success

success set_bpt_attr(long ea, number bptattr, long value);

// Set breakpoint condition
//       address  - any address in the breakpoint range
//       cnd      - breakpoint condition
//       is_lowcnd- 0:regular condition, 1:low level condition
// Returns: success

success set_bpt_cond(long ea, string cnd, long is_lowcnd=0);

// Add a new breakpoint
//       ea   - any address in the process memory space:
//       size - size of the breakpoint (irrelevant for software breakpoints):
//       type - type of the breakpoint (one of BPT_... constants)
// Only one breakpoint can exist at a given address.
// Returns: success

success add_bpt(long ea, long size=0, long bpttype=BPT_DEFAULT);

// Delete breakpoint
//       ea   - any address in the process memory space:
// Returns: success

success del_bpt(long ea);

// Enable/disable breakpoint
//       ea   - any address in the process memory space
// Disabled breakpoints are not written to the process memory
// To check the state of a breakpoint, use check_bpt()
// Returns: success

success enable_bpt(long ea, long enable);

// Check a breakpoint
//       ea   - any address in the process memory space
// Returns: one of BPTCK_... constants

long check_bpt(long ea);

#define BPTCK_NONE -1  // breakpoint does not exist
#define BPTCK_NO    0  // breakpoint is disabled
#define BPTCK_YES   1  // breakpoint is enabled
#define BPTCK_ACT   2  // breakpoint is active (written to the process)
· Function chunk related functions▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀


// Get a function chunk attribute
//       ea     - any address in the chunk
//       attr   - one of: FUNCATTR_START, FUNCATTR_END
//                        FUNCATTR_OWNER, FUNCATTR_REFQTY
// returns: desired attribute or -1

long get_fchunk_attr(long ea, long attr);

// Set a function chunk attribute
//       ea     - any address in the chunk
//       attr   - nothing defined yet
//       value  - desired bg color (RGB)
// returns: 0 if failed, 1 if success

success set_fchunk_attr(long ea, long attr, long value);

// Get a function chunk referer
//       ea     - any address in the chunk
//       idx    - referer index (0..get_fchunk_attr(FUNCATTR_REFQTY))
// returns: referer address or BADADDR

long get_fchunk_referer(long ea, long idx);

// Get next function chunk
//       ea     - any address
// returns: the starting address of the next
//          function chunk or BADADDR
// This function enumerates all chunks of all functions in the database

long get_next_fchunk(long ea);

// Get previous function chunk
//       ea     - any address
// returns: the starting address of the previous
//          function chunk or BADADDR
// This function enumerates all chunks of all functions in the database

long get_prev_fchunk(long ea);

// Append a function chunk to the function
//       funcea   - any address in the function
//       ea1, ea2 - boundaries of a function tail to add.
//                  If a chunk exists at the specified addresses,
//                  it must have exactly the specified boundaries
// returns: 0 if failed, 1 if success

success append_func_tail(long funcea, long ea1, long ea2);

// Remove a function chunk from the function
//       funcea - any address in the function
//       ea1    - any address in the function chunk to remove
// returns: 0 if failed, 1 if success

success remove_fchunk(long funcea, long tailea);

// Change the function chunk owner
//       tailea - any address in the function chunk
//       funcea - the starting address of the new owner
// returns: 0 if failed, 1 if success
// The new owner must already have the chunk appended before the call

success set_tail_owner(long tailea, long funcea);

// Get the first function chunk of the specified function
//       funcea - any address in the function
// returns: the function entry point or BADADDR
// This function returns the first (main) chunk of the specified function

long first_func_chunk(long funcea);

// Get the next function chunk of the specified function
//         arguments:      funcea - any address in the function
//                         tailea - any address in the current chunk
//         returns:        the starting address of the next
//                         function chunk or BADADDR
// This function returns the next chunk of the specified function

long next_func_chunk(long funcea, long tailea);
ïWRAP
Intel/ARM macOS debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

On macOS, the suggested approach is to use @0:1463[Remote debugging] with one of the mac_server*
binaries that are shipped with IDA - even when debugging apps on your local machine.

Using a standalone debug server application makes it easier to get around the codesigning and debugging restrictions
that are built into macOS. Note that this is also the approach used by lldb. Internally lldb uses a dedicated debugserver
that implements the core debugger engine - so IDA does the same.

It is possible to use the Local Mac OS X Debugger in ida.app, but you must run IDA as root.

For a deeper dive into macOS debugging, see our tutorial: https://www.hex-rays.com/wp-content/static/tutorials/mac_debugger_primer2/mac_debugger_primer2.html

 See also @0:1463[How to launch remote debugging]
          @0:1395[Debugger] submenu
          @0:1397[Start process]
          @0:1677[Remote iOS debugger]9.0Ð Refresh Screen▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

// Refresh all disassembly views

void refresh_idaview_anyway();

// Refresh all choosers (names, functions, etc)

void refresh_choosers();
)@0:481[]
Enter additional anterior lines*@0:481[]
Enter additional posterior lines@0:479[]
Enter comment"@0:480[]
Enter repeatable comment*@0:480[]
Enter repeatable SEGMENT comment@0:479[]
Enter SEGMENT comment+@0:480[]
Enter repeatable FUNCTION comment @0:479[]
Enter FUNCTION comment6@0:605[]
Repeatable comments are hidden, unhide them.+@0:479[]
Comments are hidden, unhide them.@0:639[]
Choose a function%s: The function has undefined instruction/data at the specified address.
Your request has been put in the autoanalysis queue.
6The function is already defined, start address at %s
³ get_gotea▄
 ▀▀▀▀▀▀▀▀▀▀

Get address of Global Offset Table
returns: address of the GOT table
         BADADDR - no GOT address detected

long get_gotea();
gFormat '%s (%s)' is not compatible with the selected processor ('%s'), disassembly might be erroneous
· search_path▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Search for a file in the PATH environment variable or the current directory

string search_path(string file, long search_cwd);
Â@0:1346[]
Rename register
%/
  <~S~tart address:N1:1000:20::>
  <~E~nd address  :N2:1000:20::>
  <~O~ld name     :q3:511:20::>
  <~N~ew name     :i4:511:20::>
  <~C~omment      :q5:1000:40::>

bHidden range

  ~S~tart address: %$
  ~E~nd address: %$

  <~N~ame :q::20::>
  <~C~olor:K::6::>

*@0:534[]
Enter instruction representation'@0:472[]
Choose a structure for offset@0:473[]
Choose enum!@0:496[]
Choose a structure typeStruct size is zero @0:469[]
Choose base for offsetÓSTARTITEM 1
@0:470[]
Enter reference information

<type radio buttons>

  <~B~ase address  :N::32::>
  <Treat the base address as a plain ~n~umber:C>
  <#This offset may point PAST object end#Offset points ~p~ast the main object:C>
  <#RVA keyword will be used to keep the listing concise#Use ~i~mage base as offset base:C>
  <#Operand value is subtracted from the base instead of being added#~S~ubtract operand value:C>
  <#Operand value is interpeted as a signed value#Si~g~ned operand:C>
  <Operand value of 0 is invalid:C>
  <#Zero's complement is invalid, independent of size#Operand value of NOT 0 is invalid:C>
  <Use ~c~urrent address as offset base:C>>

  <~T~arget address:N::32::>
  <Target ~d~elta  :N::32::>

GPlease specify the reference target address for this type of referenceIt is not necessary to specify the target address for full offsets because it can be calculated by IDA. Do you want to reset the target address?s@0:459[]
Convert to "%s" en masse

  Apply to:
        <~A~ll operands:R>
        <Operand value ~r~ange:R>
        <%s ~o~perands:R>
        <~N~ot %s operands:R>
        <Not ~t~yped operands:R>>

        <A~p~ply only if possible:C>>

 Please enter lower and upper limits
    of the value range (inclusive)

     <~L~ower value:N::18::>
     <~U~pper value:N::18::>

"@0:455[]
Convert to array
%/%*
  %A  :%$
  %A  :%$

  Array element size   : %D
  Maximal possible size: %D
  Current array size   : %D
  Suggested array size : %D

  <~A~rray size             :D::18::> (in elements)
  <~I~tems on a line        :D::18::> (0-max)
  <Element print ~w~idth    :D::18::> (-1-none,0-auto)

  <##Options##Use "~d~up" construct:C>    <##Indexes##D~e~cimal    :R>
  <Si~g~ned elements    :C>    <~H~exadecimal:R>
  <Displa~y~ indexes    :C>    <~O~ctal      :R>
  <Create as a~r~ray    :C57>55>   <~B~inary     :R>56>

@0:617[]
Setup data types
%*
  Immediately convert the |   Use the following types
  current item to:        |   in the data carousel:
  <~B~yte       :B:1:12::>         |   <~1~ Byte:C>
  <~W~ord       :B:2:12::>         |   <~2~ Word:C>
  <~D~ouble word:B:3:12::>         |   <~3~ Double word:C>
  <~F~loat      :B:4:12::>         |   <~4~ Float:C>
  <~Q~uadro word:B:5:12::>         |   <~5~ Quadro word:C>
  <Do~u~ble     :B:6:12::>         |   <~6~ Double:C>
  <~T~byte      :B:7:12::>         |   <~7~ Tbyte:C>
  <~P~acked real:B:8:12::>         |   <~8~ Packed real:C>
  <~O~cta word  :B:9:12::>         |   <~9~ Octaword (16 bytes):C>
  <~Y~mm word   :B:10:12::>        |   <Ymmword (32 bytes):C>
  <~Z~mm word   :B:11:12::>        |   <Zmmword (64 bytes):C>>

&@0:533[]
Create alignment directive

OCreate segment (%0*a-%0*a, sel %0*a):
Failed to create segment registers area.%@0:498[]
Choose union representation,@0:1361[]
Please enter the type declaration(@0:1367[]
Select C header file to parseâ@0:472[]
Struct offset delta

  Operand value: %D

  The delta is the difference between the pointer
  to the structure and the structure start.
  If you don't know what to enter, leave 0.

  <Struct offset ~d~elta:D::18::>

¹WRAP
Scrolling graphs ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The user can pan (shift) the graph by clicking with the left mouse
button on the graph background and dragging it. In the rare case when
there is no graph background visible on the screen, the Shift-click can
be used to move the graph. This can happen on very high zoom levels,
when the current node occupies the whole window.

The mouse wheel scrolls the graph vertically. If the Alt key is pressed,
it will scroll the graph horizontally.

The Page Up and Page Down keys scroll the graph vertically. The keyboard
arrows can scroll the graph if they reach the node border and cannot
jump to another node in the specified direction.

Scrolling the graph does not change the keyboard cursor position.
As soon as the graph is refreshed on the screen, IDA will scroll the
graph so that the keyboard cursor becomes visible.

Back to @0:42[graph view] or @0:1626[proximity view]¼WRAP
How to use the help subsystem ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The following keys exist:
  F1            this screen
  @0:414[Shift-F1]      help index
  @0:162[Ctrl-F1]       IDC index
  Tab           next highlighted phrase
  Shift-Tab     prev highlighted phrase
  Enter         follow a link
  Backspace     previous help screen
  F5            zoom help window
  Esc           close help window

  arrows        one step movement
  PgUp          Page Up
  PgDn          Page Down
  Ctrl-PgUp     top of the window
  Ctrl-PgDn     bottom of the window
  Home          start of the line
  End           logical end of the line
 get_ip_val▄
 ▀▀▀▀▀▀▀▀▀▀▀

get value of the IP (program counter) register for the current thread

long get_ip_val();
Wrong argument numberFloating license options... eval_python▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Evaluate a python expression.
     expr - an expression
returns: the expression value.
This function will throw an exception if the expression can not be evaluated.
Thread-safe function.

any eval_python(string expr);
WRAP
Disk Read Error ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This error may occur when IDA tries to read past the end of the file.
WRAP
Can't Open File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The file probably does not exist or it is set to
read-only.
WRAP
Cannot Create File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This file probably exists but is read-only.
WRAP
Disk Write Error ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The most probable case is that the disk is full.

As IDA analyzes the input file, the database grows in size.
In the absence of free space on the disk IDA may abruptly stop and exit
with an error message.
  RunPythonStatement▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Execute a python statement.
     statement - a statement
returns: number 0 if executed the statement, otherwise an error string
Thread-safe function.

string or long RunPythonStatement(string statement);
WRAP
Disk Positioning Error ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Please inform our technical support if this happens.WRAP
Graph node groups ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Any number of nodes can be collapsed into a single synthetic node. Such
a synthetic node contains a user-provided text instead of normal
disassembly listing. The 'group' command is available from the
right-click menu if there are selected nodes.

Even a single node can be used to create a group. This feature can be used to
collapse huge nodes into something manageable or to hide a group that consists of
one node.

After creating a group, IDA automatically refreshes the graph layout. If a
custom layout was present, it is not applied to the reduced graph.
However, the existing custom layout is not destroyed and will be re-used
as soon as the user switches to the full graph by deleting the group or
uncollapsing it.

The node groups can be nested: synthetic nodes can be used to create
other groups. This feature allows reducing the graph into a single node.
Each node can belong to only one group at a time.

Groups can be uncollapsed to display the original node content. The node
frames of the current uncollapsed group (the one with the mouse pointer)
are displayed with a special color. The default group frame color is
yellow. This way, the existing uncollapsed groups can be visualized by
hovering the mouse over the graph nodes.

There are also commands to collapse and uncollapse all groups in the
graph. They are available from the right click menu.

To edit the contents of synthetic nodes, use the 'set node text' button
on the node title. The 'rename' command can be used too.

IDA automatically remembers the graph groups and their state for each function.

Back to @0:42[graph view]ÁWRAP
Graph overview window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA has a small graph overview window. It displays the whole graph in
the zoom out form and gives the user an idea about which part of the graph is visualized
on the main window.

Clicking on the graph overview window visualizes different parts of the
graph in the main window. It is also possible to click and drag the
focus frame - the main window will be refreshed accordingly.

The graph overview window is visible only in the graph view node. As
soon as another non-modal window gets focus, the graph overview is
closed. It automatically opens when a graph view is activated.

The graph overview is displayed by default. To hide it, right click on
the main toolbar background and select Navigation, Graph overview menu
item.

The graph overview window can be resized to accommodate really huge graphs.

Back to @0:42[graph view] or @0:1626[proximity view]&WRAP
Not enough memory available to complete operation. ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Unfortunately IDA ran out of memory. There is nothing we can do about it now.±WRAP
How to move/resize windows ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Keyboard:

Arrows,Home,End,PgUp,PgDn move the window.
All keys with Shift resize the window.
Ctrl key in the combination with other keys
move/resize the window faster.

Mouse:

To move: point to title of the window and drag to the new location.

To resize: point to the right lower corner of the window and drag.ÂWRAP
Bad Macro ▄
 ▀▀▀▀▀▀▀▀▀▀

It is impossible to redefine the Alt-- and Alt-= keys
because they are used to define other macros.

Please choose another key for the macro.%WRAP
Already recording a macro for... ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

It is impossible to define 2 macros at the same time.
Please finish definition of the first macro
(press Alt-=) and after that define the other one.Ï del_stkpnt▄
 ▀▀▀▀▀▀▀▀▀▀▀

Delete SP register change point
     func_ea - function start
     ea      - linear address
returns: 1-ok, 0-failed

success del_stkpnt(func_ea, ea_t ea);
%WRAP
Entering String for Search ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Please enter any string to search.

The search will be case-insensitive and the search direction will be forward.

If the substring is not found, the cursor will not move.
 load_debugger▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Load the debugger
     dbgname - debugger module name
               Examples: win32, linux, mac.
     use_remote - 0/1: use remote debugger or not
This function is needed only when running idc scripts from the command line.
In other cases IDA loads the debugger module automatically.

success load_debugger(string dbgname, long use_remote);
ó exec_python▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Execute a python statement.
     stmt - a statement
returns: number 0 if executed the statement, otherwise an error string
Thread-safe function.

string or long exec_python(string stmt);
XWRAP
Bad BIOS & DOS Comments Base ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA cannot use this database (ida.int) because

        - it does not exist or
        - it is corrupt

In this case IDA will not generate new automatic comments on DOS and BIOS
interrupts and port I/O instructions.WRAP
Internal Error ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The comment database is corrupted.
IDA will not generate comment(s).WRAP
bTree Error ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Normally this error should not occur, please inform our technical support
about it.
WRAP
Graph colors ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Graph edges can have several colors. In graph view:

 - Blue: a normal edge
 - Green: if the jump is taken (its condition is satisfied)
 - Red: if the jump is not taken
 - Blinking: when in the debugger, the edge that will be followed blinks

And, in proximity view:

 - Blue: Code cross-reference edge
 - Gray: Data cross-reference edge

IDA highlights the current mouse items. If the mouse is hovered over an
edge, it is highlighted. If the mouse is hovered over a node, all
adjacent edges are highlighted. To turn off the highlighting, specify
the 'current edge' color as an undefined custom color.

The 'highlighted edge' and 'foreign node' colors are not used yet.

Back to @0:42[graph view] or @0:1626[proximity view]	@0:584[]=@0:1131[]
Not enough memory available to complete operation.
@0:1132[].              Name                Address Pub!@0:237[]
The name list is empty.é@0:457[]
Rename address

  Address: %N
  <~N~ame :q::32::>

       <~L~ocal name:C>
       <~I~nclude in name list:C>
       <~P~ublic name:C>
       <~A~utogenerated name:C>
       <~W~eak name:C>
       <~C~reate name anyway:C>>

èstartitem 1
@0:531[]
Rename any address

  <A~d~ress   :q::32::>

  <~N~ew name :q::32::>

       <~L~ocal name:C>
       <~I~nclude in name list:C>
       <~P~ublic name:C>
       <~A~utogenerated name:C>
       <~W~eak name:C>>

+@0:531[]
Please enter a valid old address.@0:587[]
Names!Concatenating mismatched strings@0:591[]
SelectorsPDefine a selector

  <~S~elector:N::6::>
  <~V~alue (in paragraphs) :N::18::>

BHIDECANCEL
Do you really want to delete the selected selector(s)?Reset undo history get_file_ext▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Get the extension of file name

string get_file_ext(string filename);
*Jump to Line

  <~L~ine number:D::18::>


WRAP
Various graph hints ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

1) The following actions can improve the speed of graph drawing:

 - Turn off animation
 - Turn off node shadows
 - Specify identical top and bottom background colors
 - Turn off 'relayout' options (might lead to stale graph contents)
 - Turn off the graph overview window

2) Printing the graph: the 'print' command is available at the
graph toolbar. The graph toolbar is visible by default but if you have
saved a @0:1420[custom desktop] configuration in the past,
it will not be visible. To set it on, check the View, Toolbars, Graph view menu item.

3) Working with huge graphs: do not forget about the node groups and use them
to make the graph simpler.

Back to @0:42[graph view]úWRAP
Customizing graph layout ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Each node has a title bar with title buttons. The title bar can be used
to displace the node. Displacing nodes  or edges creates a custom layout. The
custom layouts are automatically saved in the database. If there is a
custom layout for the function, IDA never destroys it without your
explicit permission. This behavior has its drawbacks: when the nodes are
resized (because of added comments, for example), the old layout will be
retained and the nodes could overlap. In this case, the user can ask IDA
to redo the layout or manually move the overlapping nodes. To avoid
displacing nodes inadvertently, turn on the @0:19[lock graph layout] option.

The user can also click on the edge layout points (edge bending points) and drag
them. If two edge layout points are too close, one of them will be deleted.
To create new edge layout points, use Shift-DoubleClick on the edge.

Back to @0:42[graph view]
) plan_to_apply_idasgn▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Load (plan to apply) a FLIRT signature file
     name - signature name without path and extension
returns: 0 if could not load the signature file, !=0 otherwise

success plan_to_apply_idasgn(string name);
Illegal return value locationðMWRAP
APPLE PUBLIC SOURCE LICENSE ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
APPLE PUBLIC SOURCE LICENSE
Version 2.0 - August 6, 2003

Please read this License carefully before downloading this software.
By downloading or using this software, you are agreeing to be bound by
the terms of this License. If you do not or cannot agree to the terms
of this License, please do not download or use the software.

1. General; Definitions. This License applies to any program or other
work which Apple Computer, Inc. ("Apple") makes publicly available and
which contains a notice placed by Apple identifying such program or
work as "Original Code" and stating that it is subject to the terms of
this Apple Public Source License version 2.0 ("License"). As used in
this License:

1.1 "Applicable Patent Rights" mean: (a) in the case where Apple is
the grantor of rights, (i) claims of patents that are now or hereafter
acquired, owned by or assigned to Apple and (ii) that cover subject
matter contained in the Original Code, but only to the extent
necessary to use, reproduce and/or distribute the Original Code
without infringement; and (b) in the case where You are the grantor of
rights, (i) claims of patents that are now or hereafter acquired,
owned by or assigned to You and (ii) that cover subject matter in Your
Modifications, taken alone or in combination with Original Code.

1.2 "Contributor" means any person or entity that creates or
contributes to the creation of Modifications.

1.3 "Covered Code" means the Original Code, Modifications, the
combination of Original Code and any Modifications, and/or any
respective portions thereof.

1.4 "Externally Deploy" means: (a) to sublicense, distribute or
otherwise make Covered Code available, directly or indirectly, to
anyone other than You; and/or (b) to use Covered Code, alone or as
part of a Larger Work, in any way to provide a service, including but
not limited to delivery of content, through electronic communication
with a client other than You.

1.5 "Larger Work" means a work which combines Covered Code or portions
thereof with code not governed by the terms of this License.

1.6 "Modifications" mean any addition to, deletion from, and/or change
to, the substance and/or structure of the Original Code, any previous
Modifications, the combination of Original Code and any previous
Modifications, and/or any respective portions thereof. When code is
released as a series of files, a Modification is: (a) any addition to
or deletion from the contents of a file containing Covered Code;
and/or (b) any new file or other representation of computer program
statements that contains any part of Covered Code.

1.7 "Original Code" means (a) the Source Code of a program or other
work as originally made available by Apple under this License,
including the Source Code of any updates or upgrades to such programs
or works made available by Apple under this License, and that has been
expressly identified by Apple as such in the header file(s) of such
work; and (b) the object code compiled from such Source Code and
originally made available by Apple under this License.

1.8 "Source Code" means the human readable form of a program or other
work that is suitable for making modifications to it, including all
modules it contains, plus any associated interface definition files,
scripts used to control compilation and installation of an executable
(object code).

1.9 "You" or "Your" means an individual or a legal entity exercising
rights under this License. For legal entities, "You" or "Your"
includes any entity which controls, is controlled by, or is under
common control with, You, where "control" means (a) the power, direct
or indirect, to cause the direction or management of such entity,
whether by contract or otherwise, or (b) ownership of fifty percent
(50%) or more of the outstanding shares or beneficial ownership of
such entity.

2. Permitted Uses; Conditions & Restrictions. Subject to the terms
and conditions of this License, Apple hereby grants You, effective on
the date You accept this License and download the Original Code, a
world-wide, royalty-free, non-exclusive license, to the extent of
Apple's Applicable Patent Rights and copyrights covering the Original
Code, to do the following:

2.1 Unmodified Code. You may use, reproduce, display, perform,
internally distribute within Your organization, and Externally Deploy
verbatim, unmodified copies of the Original Code, for commercial or
non-commercial purposes, provided that in each instance:

(a) You must retain and reproduce in all copies of Original Code the
copyright and other proprietary notices and disclaimers of Apple as
they appear in the Original Code, and keep intact all notices in the
Original Code that refer to this License; and

(b) You must include a copy of this License with every copy of Source
Code of Covered Code and documentation You distribute or Externally
Deploy, and You may not offer or impose any terms on such Source Code
that alter or restrict this License or the recipients' rights
hereunder, except as permitted under Section 6.

2.2 Modified Code. You may modify Covered Code and use, reproduce,
display, perform, internally distribute within Your organization, and
Externally Deploy Your Modifications and Covered Code, for commercial
or non-commercial purposes, provided that in each instance You also
meet all of these conditions:

(a) You must satisfy all the conditions of Section 2.1 with respect to
the Source Code of the Covered Code;

(b) You must duplicate, to the extent it does not already exist, the
notice in Exhibit A in each file of the Source Code of all Your
Modifications, and cause the modified files to carry prominent notices
stating that You changed the files and the date of any change; and

(c) If You Externally Deploy Your Modifications, You must make
Source Code of all Your Externally Deployed Modifications either
available to those to whom You have Externally Deployed Your
Modifications, or publicly available. Source Code of Your Externally
Deployed Modifications must be released under the terms set forth in
this License, including the license grants set forth in Section 3
below, for as long as you Externally Deploy the Covered Code or twelve
(12) months from the date of initial External Deployment, whichever is
longer. You should preferably distribute the Source Code of Your
Externally Deployed Modifications electronically (e.g. download from a
web site).

2.3 Distribution of Executable Versions. In addition, if You
Externally Deploy Covered Code (Original Code and/or Modifications) in
object code, executable form only, You must include a prominent
notice, in the code itself as well as in related documentation,
stating that Source Code of the Covered Code is available under the
terms of this License with information on how and where to obtain such
Source Code.

2.4 Third Party Rights. You expressly acknowledge and agree that
although Apple and each Contributor grants the licenses to their
respective portions of the Covered Code set forth herein, no
assurances are provided by Apple or any Contributor that the Covered
Code does not infringe the patent or other intellectual property
rights of any other entity. Apple and each Contributor disclaim any
liability to You for claims brought by any other entity based on
infringement of intellectual property rights or otherwise. As a
condition to exercising the rights and licenses granted hereunder, You
hereby assume sole responsibility to secure any other intellectual
property rights needed, if any. For example, if a third party patent
license is required to allow You to distribute the Covered Code, it is
Your responsibility to acquire that license before distributing the
Covered Code.

3. Your Grants. In consideration of, and as a condition to, the
licenses granted to You under this License, You hereby grant to any
person or entity receiving or distributing Covered Code under this
License a non-exclusive, royalty-free, perpetual, irrevocable license,
under Your Applicable Patent Rights and other intellectual property
rights (other than patent) owned or controlled by You, to use,
reproduce, display, perform, modify, sublicense, distribute and
Externally Deploy Your Modifications of the same scope and extent as
Apple's licenses under Sections 2.1 and 2.2 above.

4. Larger Works. You may create a Larger Work by combining Covered
Code with other code not governed by the terms of this License and
distribute the Larger Work as a single product. In each such instance,
You must make sure the requirements of this License are fulfilled for
the Covered Code or any portion thereof.

5. Limitations on Patent License. Except as expressly stated in
Section 2, no other patent rights, express or implied, are granted by
Apple herein. Modifications and/or Larger Works may require additional
patent licenses from Apple which Apple may grant in its sole
discretion.

6. Additional Terms. You may choose to offer, and to charge a fee for,
warranty, support, indemnity or liability obligations and/or other
rights consistent with the scope of the license granted herein
("Additional Terms") to one or more recipients of Covered Code.
However, You may do so only on Your own behalf and as Your sole
responsibility, and not on behalf of Apple or any Contributor. You
must obtain the recipient's agreement that any such Additional Terms
are offered by You alone, and You hereby agree to indemnify, defend
and hold Apple and every Contributor harmless for any liability
incurred by or claims asserted against Apple or such Contributor by
reason of any such Additional Terms.

7. Versions of the License. Apple may publish revised and/or new
versions of this License from time to time. Each version will be given
a distinguishing version number. Once Original Code has been published
under a particular version of this License, You may continue to use it
under the terms of that version. You may also choose to use such
Original Code under the terms of any subsequent version of this
License published by Apple. No one other than Apple has the right to
modify the terms applicable to Covered Code created under this
License.

8. NO WARRANTY OR SUPPORT. The Covered Code may contain in whole or in
part pre-release, untested, or not fully tested works. The Covered
Code may contain errors that could cause failures or loss of data, and
may be incomplete or contain inaccuracies. You expressly acknowledge
and agree that use of the Covered Code, or any portion thereof, is at
Your sole and entire risk. THE COVERED CODE IS PROVIDED "AS IS" AND
WITHOUT WARRANTY, UPGRADES OR SUPPORT OF ANY KIND AND APPLE AND
APPLE'S LICENSOR(S) (COLLECTIVELY REFERRED TO AS "APPLE" FOR THE
PURPOSES OF SECTIONS 8 AND 9) AND ALL CONTRIBUTORS EXPRESSLY DISCLAIM
ALL WARRANTIES AND/OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF
MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR A PARTICULAR
PURPOSE, OF ACCURACY, OF QUIET ENJOYMENT, AND NONINFRINGEMENT OF THIRD
PARTY RIGHTS. APPLE AND EACH CONTRIBUTOR DOES NOT WARRANT AGAINST
INTERFERENCE WITH YOUR ENJOYMENT OF THE COVERED CODE, THAT THE
FUNCTIONS CONTAINED IN THE COVERED CODE WILL MEET YOUR REQUIREMENTS,
THAT THE OPERATION OF THE COVERED CODE WILL BE UNINTERRUPTED OR
ERROR-FREE, OR THAT DEFECTS IN THE COVERED CODE WILL BE CORRECTED. NO
ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY APPLE, AN APPLE
AUTHORIZED REPRESENTATIVE OR ANY CONTRIBUTOR SHALL CREATE A WARRANTY.
You acknowledge that the Covered Code is not intended for use in the
operation of nuclear facilities, aircraft navigation, communication
systems, or air traffic control machines in which case the failure of
the Covered Code could lead to death, personal injury, or severe
physical or environmental damage.

9. LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO
EVENT SHALL APPLE OR ANY CONTRIBUTOR BE LIABLE FOR ANY INCIDENTAL,
SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATING
TO THIS LICENSE OR YOUR USE OR INABILITY TO USE THE COVERED CODE, OR
ANY PORTION THEREOF, WHETHER UNDER A THEORY OF CONTRACT, WARRANTY,
TORT (INCLUDING NEGLIGENCE), PRODUCTS LIABILITY OR OTHERWISE, EVEN IF
APPLE OR SUCH CONTRIBUTOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY
REMEDY. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OF LIABILITY OF
INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY
TO YOU. In no event shall Apple's total liability to You for all
damages (other than as may be required by applicable law) under this
License exceed the amount of fifty dollars ($50.00).

10. Trademarks. This License does not grant any rights to use the
trademarks or trade names "Apple", "Apple Computer", "Mac", "Mac OS",
"QuickTime", "QuickTime Streaming Server" or any other trademarks,
service marks, logos or trade names belonging to Apple (collectively
"Apple Marks") or to any trademark, service mark, logo or trade name
belonging to any Contributor. You agree not to use any Apple Marks in
or as part of the name of products derived from the Original Code or
to endorse or promote products derived from the Original Code other
than as expressly permitted by and in strict compliance at all times
with Apple's third party trademark usage guidelines which are posted
at http://www.apple.com/legal/guidelinesfor3rdparties.html.

11. Ownership. Subject to the licenses granted under this License,
each Contributor retains all rights, title and interest in and to any
Modifications made by such Contributor. Apple retains all rights,
title and interest in and to the Original Code and any Modifications
made by or on behalf of Apple ("Apple Modifications"), and such Apple
Modifications will not be automatically subject to this License. Apple
may, at its sole discretion, choose to license such Apple
Modifications under this License, or on different terms from those
contained in this License or may choose not to license them at all.

12. Termination.

12.1 Termination. This License and the rights granted hereunder will
terminate:

(a) automatically without notice from Apple if You fail to comply with
any term(s) of this License and fail to cure such breach within 30
days of becoming aware of such breach;

(b) immediately in the event of the circumstances described in Section
13.5(b); or

(c) automatically without notice from Apple if You, at any time during
the term of this License, commence an action for patent infringement
against Apple; provided that Apple did not first commence
an action for patent infringement against You in that instance.

12.2 Effect of Termination. Upon termination, You agree to immediately
stop any further use, reproduction, modification, sublicensing and
distribution of the Covered Code. All sublicenses to the Covered Code
which have been properly granted prior to termination shall survive
any termination of this License. Provisions which, by their nature,
should remain in effect beyond the termination of this License shall
survive, including but not limited to Sections 3, 5, 8, 9, 10, 11,
12.2 and 13. No party will be liable to any other for compensation,
indemnity or damages of any sort solely as a result of terminating
this License in accordance with its terms, and termination of this
License will be without prejudice to any other right or remedy of
any party.

13. Miscellaneous.

13.1 Government End Users. The Covered Code is a "commercial item" as
defined in FAR 2.101. Government software and technical data rights in
the Covered Code include only those rights customarily provided to the
public as defined in this License. This customary commercial license
in technical data and software is provided in accordance with FAR
12.211 (Technical Data) and 12.212 (Computer Software) and, for
Department of Defense purchases, DFAR 252.227-7015 (Technical Data --
Commercial Items) and 227.7202-3 (Rights in Commercial Computer
Software or Computer Software Documentation). Accordingly, all U.S.
Government End Users acquire Covered Code with only those rights set
forth herein.

13.2 Relationship of Parties. This License will not be construed as
creating an agency, partnership, joint venture or any other form of
legal association between or among You, Apple or any Contributor, and
You will not represent to the contrary, whether expressly, by
implication, appearance or otherwise.

13.3 Independent Development. Nothing in this License will impair
Apple's right to acquire, license, develop, have others develop for
it, market and/or distribute technology or products that perform the
same or similar functions as, or otherwise compete with,
Modifications, Larger Works, technology or products that You may
develop, produce, market or distribute.

13.4 Waiver; Construction. Failure by Apple or any Contributor to
enforce any provision of this License will not be deemed a waiver of
future enforcement of that or any other provision. Any law or
regulation which provides that the language of a contract shall be
construed against the drafter will not apply to this License.

13.5 Severability. (a) If for any reason a court of competent
jurisdiction finds any provision of this License, or portion thereof,
to be unenforceable, that provision of the License will be enforced to
the maximum extent permissible so as to effect the economic benefits
and intent of the parties, and the remainder of this License will
continue in full force and effect. (b) Notwithstanding the foregoing,
if applicable law prohibits or restricts You from fully and/or
specifically complying with Sections 2 and/or 3 or prevents the
enforceability of either of those Sections, this License will
immediately terminate and You must immediately discontinue any use of
the Covered Code and destroy all copies of it that are in your
possession or control.

13.6 Dispute Resolution. Any litigation or other dispute resolution
between You and Apple relating to this License shall take place in the
Northern District of California, and You and Apple hereby consent to
the personal jurisdiction of, and venue in, the state and federal
courts within that District with respect to this License. The
application of the United Nations Convention on Contracts for the
International Sale of Goods is expressly excluded.

13.7 Entire Agreement; Governing Law. This License constitutes the
entire agreement between the parties with respect to the subject
matter hereof. This License shall be governed by the laws of the
United States and the State of California, except that body of
California law concerning conflicts of law.

Where You are located in the province of Quebec, Canada, the following
clause applies: The parties hereby confirm that they have requested
that this License and all related documents be drafted in English. Les
parties ont exige que le present contrat et tous les documents
connexes soient rediges en anglais.

EXHIBIT A.

"Portions Copyright (c) 1999-2003 Apple Computer, Inc. All Rights
Reserved.

This file contains Original Code and/or Modifications of Original Code
as defined in and that are subject to the Apple Public Source License
Version 2.0 (the 'License'). You may not use this file except in
compliance with the License. Please obtain a copy of the License at
http://www.opensource.apple.com/apsl/ and read it before using this
file.

The Original Code and all software distributed under the License are
distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
Please see the License for the specific language governing rights and
limitations under the License."$  <~F~ill segment gaps:C>4> (COFF)
ëWRAP
IDC: Predefined symbols ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀


The following symbols are predefined in the IDC preprocessor:

  __NT__           IDA is running under MS Windows
  __LINUX__        IDA is running under Linux
  __MAC__          IDA is running under Mac OS X
  __UNIX__         IDA is running under Unix (linux or mac)
  __EA64__         64-bit version IDA
  __QT__           GUI version of IDA (Qt)
  __GUI_           GUI version of IDA
  __TXT__          Text version of IDA
  __IDA_VERSION__  The current IDA version. For example: "9.0"
  __IDAVER__       The current, numerical IDA version. For example: "900" means v9.0


These symbols are also defined when parsing C header files.
s get_thread_qty▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get number of threads.

long get_thread_qty();
@0:590[]
Segment Registers	@0:593[]	@0:488[]á@0:491[]
Create structure/union
%*
  <~S~tructure name:q::32::>

  <Create ~b~efore current structure:C>
  <~I~nclude in the list            :C>
  <Create ~u~nion                   :C>>

  <~A~dd standard structure:B:0:::>

@0:491[]
Can't create a structure/union named '%s'. Probably the name is invalid or is used in the program or in the type libraries.S@0:495[]
Edit Structure

  Structure name: %A

  <~A~lignment           :N::5::>

X@0:632[]
Rename Structure

  <~S~tructure name:q::32::>

  <~I~nclude in the list:C>>

"@0:632[]
Enter struct member name$@0:1323[]
Enter stack variable nameAHIDECANCEL
@0:492[]
Do you really want to delete structure '%s'?)@0:479[]
Enter STRUCT repeatable comment@0:479[]
Enter STRUCT comment)@0:479[]
Enter member repeatable comment@0:479[]
Enter member commentVBad local name '%s'. Probably the name is invalid or is already used in the function.ZBad structure field name '%s'. Probably the name is invalid or is used in this structure.mBad field offset %04a. Either the field size is too big or another field is present at the specified offset.Bad field size.¬ tolower▄
 ▀▀▀▀▀▀▀▀

Convert string to lowercase
     str    - input string
returns: lowercase string
Thread-safe function.

string tolower(string str);
¬ toupper▄
 ▀▀▀▀▀▀▀▀

Convert string to uppercase
     str    - input string
returns: uppercase string
Thread-safe function.

string toupper(string str);
@0:455[]
Struct field size

  Current offset       : %$
  Next defined item at : %$

  Array element width  : %D
  Maximal possible size: %D
  Current array size   : %D

  <Array ~s~ize     :D::18::> (in elements)
  <~I~tems on a line:D::18::> (0-max)
  <~A~lignment      :D::18::> (-1-none,0-auto)

  <Use "~d~up" construct:C>
  <Si~g~ned elements    :C>
  <Displa~y~ indexes    :C>>

@@0:493[]
Expand struct

  <~N~umber of bytes to add :D::18::>

C@0:494[]
Shrink struct

  <~N~umber of bytes to remove :D::18::>

@0:489[]
Change SP value

  Current SP value     : %A%N

  <~D~IFFERENCE between old and new SP:n::18::>
  (the current instruction modifies SP value)

Choose enum @0:469[]
Choose base for offset	@0:414[](internal error in lnar: too many lines!í sanitize_file_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Sanitize the file name.
Remove the directory path, and replace wildcards ? * and chars<' ' with underscore.

string sanitize_file_name(string filename);
Pattern is not found.
	@0:417[]~F~ind breakpointÜYou have just loaded a binary file.


IDA cannot identify the entry point automatically as
there is no standard of binaries.


Please move to what you think is an entry point
and press 'C' to start the autoanalysis.ÑWRAP

The input file is now loaded in the database. IDA is now busy
analysing it. You may either wait until the initial analysis is
over or immediately start exploring the disassembly. Some parts
of the file are probably still displayed as bytes : IDA has
probably not explored them yet. You may manually speed up the
analysis and convert those bytes into instructions. Move the cursor
cursor over the first undefined byte and press C.

When the initial analysis is over, IDA will beep. Use F6 to
toggle between the message and the disassembly window. A few useful
keys to get you started.

At the cursor position

  C converts bytes to code
  D converts bytes to data
  U undefines byte

Press Esc to close this window.Wrong argument attributed@0:641[]
This command can't be applied to the addresses without a segment. Create a segment first.
q clear_selection▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Clear selection

void clear_selection();
RThis command is not allowed for the current processor. Please choose another one.% get_debug_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get the name assigned to the ea by the debugger module
     ea  - linear address
     how - one of the DEBNAME_ constants

string get_debug_name(long ea, long how);

#define DEBNAME_EXACT 0 // find a name at exactly the specified address
#define DEBNAME_LOWER 1 // find a name with the address >= the specified address
#define DEBNAME_UPPER 2 // find a name with the address >  the specified address
#define DEBNAME_NICE  3 // find a name with the address <= the specified address
SHIDECANCEL
@0:449[]
You are about to discard all changes and quit to OS. Continue?xHIDECANCEL
@0:634[]
Leaving the database in unpacked form is dangerous. You may lose all data. Do you want to continue?-@0:450[]
Save database
%/
  DEBUG SESSION IN PROCESS. IT WILL BE TERMINATED.

  IDA will save all changes to the disk.

  <Do~n~'t pack database:R>
  <Pack database (~S~tore):R>
  <Pack database (De~f~late):R>2>

  <~C~ollect garbage:C3>
  <~D~ON'T SAVE the database:C1>
  <~T~ake memory snapshot:C4>± get_debug_name_ea▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get the address of a symbol created by the debugger module

long get_debug_name_ea(string name);
ÃAdd Cross Reference

  <From :$::32::>
  <To   :$::32::>

  <Call Far    :R>
  <Call Near   :R>
  <Jump Far    :R>
  <Jump Near   :R>
  <Offset      :R>
  <Write access:R>
  <Read access :R>>


¯Delete Cross Reference

  <From :$::32::>
  <To   :$::32::>

  <#Delete the item at the target address if we delete the last xref to it#~U~ndefine if no more references:C>>

í Debugger: modules▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

// Enumerate process modules
// These function return the module base address

long get_first_module();
long get_next_module(long base);

// Get process module name
//      base - the base address of the module
// returns: required info

string get_module_name(long base);

// Get process module size
//      base - the base address of the module
// returns: required info or -1

long get_module_size(long base);
Û Debugger: control▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

// Execute one instruction in the current thread.
// Other threads are kept suspended.
//
// NOTE
//   You must call wait_for_next_event() after this call
//   in order to find out what happened. Normally you will
//   get the STEP event but other events are possible (for example,
//   an exception might occur or the process might exit).
//   This remark applies to all execution control functions.
//   The event codes depend on the issued command.
// returns: success

success step_into();

// Execute one instruction in the current thread,
// but without entering into functions
// Others threads keep suspended.
// See the important note to the step_into() function

success step_over();

// Execute the process until the given address is reached.
// If no process is active, a new process is started.
// See the important note to the step_into() function

success run_to(long ea, long pid=NO_PROCESS, long tid=NO_THREAD);

// Execute instructions in the current thread until
// a function return instruction is executed (aka "step out").
// Other threads are kept suspended.
// See the important note to the step_into() function

success step_until_ret();
Ï Debugger: events▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Wait for the next event
This function (optionally) resumes the process
execution and wait for a debugger event until timeout
     wfne - combination of WFNE_... constants
     timeout - number of seconds to wait, -1-infinity
returns: debugger event codes, see below

long wait_for_next_event(long wfne, long timeout);

// convenience function
#define resume_process() wait_for_next_event(WFNE_CONT|WFNE_NOWAIT, 0)
// wfne flag is combination of the following:
#define WFNE_ANY    0x0001 // return the first event (even if it doesn't suspend the process)
                           // if the process is still running, the database
                           // does not reflect the memory state. you might want
                           // to call refresh_debugger_memory() in this case
#define WFNE_SUSP   0x0002 // wait until the process gets suspended
#define WFNE_SILENT 0x0004 // 1: be slient, 0:display modal boxes if necessary
#define WFNE_CONT   0x0008 // continue from the suspended state
#define WFNE_NOWAIT 0x0010 // do not wait for any event, immediately return DEC_TIMEOUT
                           // (to be used with WFNE_CONT)
#define WFNE_USEC   0x0020 // timeout is specified in microseconds
                           // (minimum non-zero timeout is 40000us)

// debugger event codes
#define NOTASK         -2            // process does not exist
#define DBG_ERROR      -1            // error (e.g. network problems)
#define DBG_TIMEOUT     0            // timeout
#define PROCESS_STARTED   0x00000001 // New process started
#define PROCESS_EXITED    0x00000002 // Process stopped
#define THREAD_STARTED    0x00000004 // New thread started
#define THREAD_EXITED     0x00000008 // Thread stopped
#define BREAKPOINT        0x00000010 // Breakpoint reached
#define STEP              0x00000020 // One instruction executed
#define EXCEPTION         0x00000040 // Exception
#define LIB_LOADED        0x00000080 // New library loaded
#define LIB_UNLOADED      0x00000100 // Library unloaded
#define INFORMATION       0x00000200 // User-defined information
#define PROCESS_ATTACHED  0x00000400 // Attached to running process
#define PROCESS_DETACHED  0x00000800 // Detached from process
#define PROCESS_SUSPENDED 0x00001000 // Process has been suspended

// refresh_idaview_anyway debugger memory
// Upon this call IDA will forget all cached information
// about the debugged process. This includes the segmentation
// information and memory contents (register cache is managed
// automatically). Also, this function refreshes exported name
// from loaded DLLs.
// You must call this function before using the segmentation
// information, memory contents, or names of a non-suspended process.
// This is an expensive call.

void refresh_debugger_memory();

// Get debugged process state
// returns: one of the DSTATE_... constants (see below)

long get_process_state();

#define DSTATE_SUSP             -1 // process is suspended
#define DSTATE_NOTASK            0 // no process is currently debugged
#define DSTATE_RUN               1 // process is running

// ***********************************************
// Get various information about the current debug event
// These function are valid only when the current event exists
// (the process is in the suspended state)

// For all events:
long get_event_id();
long get_event_pid();
long get_event_tid();
long get_event_ea();
long is_event_handled();

// For PROCESS_STARTED, PROCESS_ATTACHED, LIB_LOADED events:
string get_event_module_name();
long get_event_module_base();
long get_event_module_size();

// For PROCESS_EXITED, THREAD_EXITED events
long get_event_exit_code();

// For THREAD_STARTED (thread name)
// For LIB_UNLOADED (unloaded library name)
// For INFORMATION (message to display)
string get_event_info();

// For BREAKPOINT event
long get_event_bpt_hea();

// For EXCEPTION event
long get_event_exc_code();
long get_event_exc_ea();
long can_exc_continue();
string get_event_exc_info();

 Debugger: options▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get/set debugger options
     opt - combination of DOPT_... constants
returns: old options

long set_debugger_options(long opt);

#define DOPT_SEGM_MSGS    0x00000001 // print messages on debugger segments modifications
#define DOPT_START_BPT    0x00000002 // break on process start
#define DOPT_THREAD_MSGS  0x00000004 // print messages on thread start/exit
#define DOPT_THREAD_BPT   0x00000008 // break on thread start/exit
#define DOPT_BPT_MSGS     0x00000010 // print message on breakpoint
#define DOPT_LIB_MSGS     0x00000040 // print message on library load/unlad
#define DOPT_LIB_BPT      0x00000080 // break on library load/unlad
#define DOPT_INFO_MSGS    0x00000100 // print message on debugging information
#define DOPT_INFO_BPT     0x00000200 // break on debugging information
#define DOPT_REAL_MEMORY  0x00000400 // don't hide breakpoint instructions
#define DOPT_REDO_STACK   0x00000800 // reconstruct the stack
#define DOPT_ENTRY_BPT    0x00001000 // break on program entry point
#define DOPT_EXCDLG       0x00006000 // exception dialogs:
#  define EXCDLG_NEVER    0x00000000 // never display exception dialogs
#  define EXCDLG_UNKNOWN  0x00002000 // display for unknown exceptions
#  define EXCDLG_ALWAYS   0x00006000 // always display
#define DOPT_LOAD_DINFO   0x00008000 // automatically load debug files (pdb)

// ***********************************************
// Set remote debugging options
//       hostname - remote host name or address
//                  if empty, revert to local debugger
//       password - password for the debugger server
//       portnum  - port number to connect (-1: don't change)
// returns: nothing

void set_remote_debugger(string hostname, string password, long portnum);
WRAP
Index of debugger related IDC functions ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 @0:1076[add_bpt]
 @0:1076[AddBpt]
 @0:12[attach_process]
 @0:1214[can_exc_continue]
 @0:1573[cleanup_appcall]
 @0:1572[dbg_appcall]
 @0:1311[define_exception]
 @0:1076[del_bpt]
 @0:1318[detach_process]
 @0:1076[enable_bpt]
 @0:1234[enable_tracing]
 @0:10[exit_process]
 @0:1313[forget_exception]
 @0:1076[get_bpt_attr]
 @0:1076[get_bpt_ea]
 @0:1076[get_bpt_qty]
 @0:5[get_current_thread]
 @0:1503[get_debugger_event_cond]
 @0:1214[get_event_bpt_hea]
 @0:1214[get_event_ea]
 @0:1214[get_event_exc_code]
 @0:1214[get_event_exc_ea]
 @0:1214[get_event_exc_info]
 @0:1214[get_event_exit_code]
 @0:1214[get_event_id]
 @0:1214[get_event_info]
 @0:1214[get_event_module_base]
 @0:1214[get_event_module_name]
 @0:1214[get_event_module_size]
 @0:1214[get_event_pid]
 @0:1214[get_event_tid]
 @0:1309[get_exception_code]
 @0:1310[get_exception_flags]
 @0:1310[get_exception_name]
 @0:1308[get_exception_qty]
 @0:1212[get_first_module]
 @0:1212[get_module_name]
 @0:1212[get_module_size]
 @0:1212[get_next_module]
 @0:1319[get_processes]
 @0:1214[get_process_state]
 @0:169[get_reg_value]
 @0:1649[get_step_trace_options]
 @0:1166[get_thread_qty]
 @0:1625[getn_thread]
 @0:1214[is_event_handled]
 @0:1137[load_debugger]
 @0:712[read_msr]
 @0:1214[refresh_debugger_memory]
 @0:8[resume_thread]
 @0:1213[run_to]
 @0:6[select_thread]
 @0:1592[send_dbg_command]
 @0:1076[set_bpt_attr]
 @0:1076[set_bpt_cond]
 @0:1505[set_debugger_event_cond]
 @0:1215[set_debugger_options]
 @0:1312[set_exception_flags]
 @0:170[set_reg_value]
 @0:1215[set_remote_debugger]
 @0:1649[set_step_trace_options]
 @0:1076[SetBptCnd]
 @0:9[start_process]
 @0:1213[step_into]
 @0:1213[step_over]
 @0:1213[step_until_ret]
 @0:11[suspend_process]
 @0:7[suspend_thread]
 @0:1214[wait_for_next_event]
 @0:712[read_msr]aWRAP
Linux debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The Linux debugger has the following particularities and limitations:

- The debugger server can handle only one IDA client at a time

- By default, the 64-bits debugger will try to load "libunwind-x86_64.so.8"
  and "libunwind-ptrace.so.0" in order to help with stack recovery.

- ARMLinux: hardware breakpoints are not supported

- ARMLinux: The THUMB mode is not supported

- Configure the debugger specific options (for 64 bits only) in
    Debugger Options, Set specific options.

  - Path to libunwind:
    - "libunwind-x64_64.so.8" (the default): the debugger will try to load
      libunwind "libunwind-x86_64.so.8" + "libunwind-ptrace.so.0" pair
      using the regular 'ld' search path.
    - "libunwind-x64_64.so" (note the lack of ".8" at the end): like the
      default, except the debugger will look for "libunwind-x86_64.so"
      and "libunwind-ptrace.so" (this is particularly useful for working
      with libunwind "dev" packages)
    - absolute path to libunwind-x64_64.so.8 or libunwind-x64_64.so: Linux debugger
      will try to load libunwind only from the provided path.
    - absolute path to "libunwind-x64_64.so[.8]": the debugger will try
      to load the two libraries from there (the absolute path to
      "libunwind-ptrace.so[.0]" will be derived from that of
      "libunwind-x64_64.so[.8]")
    - left blank: don't use libunwind to collect stack traces.

  By default this is set to libunwind-x86_64.so meaning the default
  path will be used to load libunwind-x86_64.so(.8) and libunwind-ptrace.so(.0). If an absolute
  path is provided, both libraries will be loaded from this path. If left emtpy, the call
  stack will be analysed by Ida and not libunwind.

 See also @0:1397[Start process]
          @0:1395[Debugger] submenu
          @0:1463[How to launch remote debugging]Ô decode_insn▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Decode an instruction and returns an insn_t object (check ua.hpp)
     ea - linear address of the instruction to decode
The return values are:
     0 => if the function fails
   or:
     insn_t object:
       cs, ip, ea, itype, size, auxpref, insnpref, segpref, flags
       n: number of operands
       is_canonical: Boolean. True if its a canonical instruction.
       feature, mnem: canonical feature and mnemonic string (if is_canonical is True)
       Op0..Op7: instances of op_t (check ua.hpp)
                 n, type, offb, offo, flags, dtyp, reg, value, addr, specval,
                 specflag1, specflag2, specflag3, specflag4

object decode_insn(long ea);
â find_custom_data_type▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get id of a custom data type
     name - name of the custom data type
Returns: id or -1

long find_custom_data_type(string name);
º eval▄
 ▀▀▀▀▀

Evaluate an expression, in the current scripting language.
     expr - an expression
returns: the expression value.
If there are problems, the returned value will be "IDC_FAILURE: xxx"
where xxx is the error description
Thread-safe function.

string or long eval(string expr);

// Macro to check for evaluation failures:
#define EVAL_FAILURE(code) (value_is_string(code) && substr(code, 0, 13) == "IDC_FAILURE: ")
 is_value...() functions▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Check the variable type
Returns true if the variable type is the expected one
Thread-safe functions.

success value_is_string(var);
success value_is_long(var);
success value_is_float(var);
success value_is_object(var);
success value_is_func(var);
success value_is_pvoid(var);
success value_is_int64(var);
Loading registers...
Creating segments...
9Checking that segments for all addresses are created...
6@0:216[]
The input file seems to be packed, continue?Reading relocation table...
@0:217[]
Bad relocation table'@0:219[]
File has overlays. Load them?#Marking typical code sequences...
Illegal spoiled registerToo many spoiled registersDuplicate spoiled registerSCan't read input file (file structure error?), only part of file will be loaded...ò enable_tracing▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Enable step tracing
     trace_level - what kind of trace to modify
     enable      - 0: turn off, 1: turn on
Returns: success

success enable_tracing(long trace_level, long enable);

#define TRACE_STEP 0x0  // lowest level trace. trace buffers are not maintained
#define TRACE_INSN 0x1  // instruction level trace
#define TRACE_FUNC 0x2  // function level trace (calls & rets)
#define TRACE_BBLK 0x4  // basic block level trace
( take_memory_snapshot▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Take memory snapshot of the debugged process
     only_loader_segs: 0-copy all segments to idb
                       1-copy only SFL_LOADER segments

success take_memory_snapshot(long only_loader_segs);
Possible file format: %s (%s)
%s: incompatible version!
'Constant '%s' has already been definedi@0:240[]
File %s can't be used to rename imports of module '%s'. Probably it does not have named exports"File %s is used for module %s...
+apply_ids_entry %lx: can't create functionUninitialized valuea@0:689[]
File %s doesn't contain any instructions or data, i.e. there is nothing to disassemble.!Produce ~f~low chart GDL file...(@0:1139[]
Can't use BIOS comments base.<@0:1140[]
BIOS comments internal error: database is corrupt° collect_stack_trace▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Unwind the stack for the given thread
     tid - thread id
returns: a call stack object with the attributes:
"size" - number of frames
array subscript "[0]", "[1]", ... up to the number of frames - 1
each frame object has the attributes:
  "callea" - the address of the call instruction.
             for the 0th frame this is usually just the current value of EIP.
  "funcea" - the address of the called function
  "fp"     - the value of the frame pointer of the called function
  "funcok" - is there a function created in the database for the current frame?

object collect_stack_trace(long tid);
 get_module_info▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get a description of the module that contains the given ea
returned objct has attributes:
  "name"      - the full path of the module
  "base"      - module's base address
  "size"      - module size
  "rebase_to" - address the module was rebased to
                BADADDR if module was not rebased at all

object get_module_info(long ea);
 getn_thread_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get the NAME of a thread
     idx - number of thread, is in range 0..get_thread_qty()-1
           or -1 for the current thread
returns: required info

string getn_thread_name(long idx);
!Produce call graph ~G~DL file...WRAP
Produce flow chart GDL file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceFuncGdl
 Current hotkey: @<ProduceFuncGdl>

This command creates a GDL (graph description file) with the
flow chart of the current function.

If there is an active selection, its flow chart will be generated.

IDA will ask for the output file name. Regardless of the specified extension,
the .GDL extension will be used.

See also other @0:438[Produce output file] commands.ÀWRAP
Produce call graph GDL file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceCallGdl
 Current hotkey: @<ProduceCallGdl>

This command creates a GDL (graph description file) with the
graph of the function calls.

IDA will ask for the output file name. Regardless of the specified extension,
the .GDL extension will be used.

See also other @0:438[Produce output file] commands.e gen_flow_graph▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Generate a flow chart GDL file
     outfile - output file name. GDL extension will be used
     title   - graph title
     ea1     - beginning of the range to flow chart
     ea2     - end of the range to flow chart. if ea2 == BADADDR
               then ea1 is treated as an address within a function.
               That function will be flow charted.
     flags   - combination of CHART_... constants

success gen_flow_graph(string outfile, string title, long ea1, long ea2, long flags);

#define CHART_PRINT_NAMES 0x1000 // print labels for each block?
#define CHART_GEN_GDL     0x4000 // generate .gdl file (file extension is forced to .gdl)
#define CHART_WINGRAPH    0x8000 // call wingraph32 to display the graph
#define CHART_NOLIBFUNCS  0x0400 // don't include library functions in the graph
c gen_simple_call_chart▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Generate a function call graph GDL file
     outfile - output file name. GDL extension will be used
     title   - graph title
     ea1     - beginning of the range to flow chart
     ea2     - end of the range to flow chart. if ea2 == BADADDR
               then ea1 is treated as an address within a function.
               That function will be flow charted.
     flags   - combination of CHART_GEN_GDL, CHART_WINGRAPH, CHART_NOLIBFUNCS

success gen_simple_call_chart(string outfile, string title, long flags);
&@0:1504[]
Please enter HTML file name@0:225[]
Choose mark number,Conflicting access rights of the base class @0:227[]
Choose marked location`WRAP
Local types window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenLocalTypes
 Current hotkey: @<OpenLocalTypes>

Each database has a local type library embedded into it.
This type library (til) is used to store types that are local to the current database.
They are usually created by @0:1367[parsing] a header file.

This command opens the local types window. The user can manipulate local types
here:

  - the existing types can be modified (the default hotkey is Ctrl-E)
  - the existing types can be deleted (the default hotkey is Del)
  - new types can be added (the default hotkey is Ins)

Please note that Ins can be used to add many types at once. For that the user
just needs to enter multiple declarations, one after another in the dialog box.

However, Ctrl-E permits for editing of one type at a time. This may cause
problems with complex structure types with nested types. Nested types will not
be saved by Ctrl-E.

If the edited type corresponds to an idb type (struct or enum), then
the corresponding type will be automatically synchronized. If the user modifies
an idb type in the struct/enum windows, the corresponding local type will
be updated too. So the type synchronization works both ways.

Some types in this list are created automatically by IDA. They are
copies of the types defined in the @0:593[Struct] or @0:1259[Types] views.
Such types are displayed using in gray, as if they are disabled.

Types displayed in black are considered as C level types. Read @0:1042[more].

Each type in the local type library has an ordinal number and may have a name.

Be careful when deleting existing types because if there are references to
them, they will be invalidated.

A local type can be mapped to another type. Such an operation deletes the existing
type and redirects all its references to the destination type. Circular dependencies
are forbidden. In the case of a user mistake, a mapped type can be deleted and recreated
with the correct information.

 See also @0:1356[View|Open subviews] submenu.
          @0:1358[Type libraries window]
          @0:1691[C++ type details]Lo~c~al typesR@0:228[]
%a: can't rename byte as '%s' because the name '%s' is a register name.
R@0:228[]
%a: can't rename byte as '%s' because it contains a bad character '%s'.
Y@0:228[]
%a: can't rename byte as '%s' because the name is already used in the program.
a@0:228[]
%a: can't rename byte as '%s' because this byte can't have a name (it is a tail byte).
P@0:228[]
%a: can't rename byte as '%s' because the name has a reserved prefix.
UIDA did not find any occurrence of '%s' in the forced operand(s) (bad xref from %a)
 get_min_spd_ea▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Return the address with the minimal spd (stack pointer delta)
If there are no SP change points, then return BADADDR.
     func_ea - function start
returns: BADDADDR - no such function

long get_min_spd_ea(func_ea);
Missing default argument value/@0:229[]
SEGMENT: Can't find file segmentation-%3d. Creating a new segment  (%0*a-%0*a) ...@0:457[]
Rename address

  Address: %N
  <~N~ame :q::32::>

       <~I~nclude in name list:C>
       <~P~ublic name:C>
       <~A~utogenerated name:C>
       <~W~eak name:C>
       <~C~reate name anyway:C>
       <~L~ibrary function:C>
       <~M~ark as decompiled:C>>

¦WRAP
Source code view ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀


This window shows the contents of a source code file. IDA automatically
opens source views provided that proper mapping of the source code paths
is specified in "Options, Source paths".

This window may also display a decompilation result because it is considered
as a source code. This can be useful if the source files are not available.
-     Request for reanalysing (%08a-%08a) ...	 ... OK

 ... FAILED
.     Deleting segment        (%0*a-%0*a) ...
q@0:231[]
Can't move the segment "%s" start from %0*a to %0*a:
The segment would have bytes with negative offsets del_user_info▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Delete information about the user who created the database

void del_user_info();
Z@0:233[]
Can't move the segment start address (%0*a->%0*a): would overlap another segmentÚAUTOHIDE SESSION
Create segment (%0*a-%0*a, sel %0*a):
segment base or start addresses are invalid. The segment would have negative offsets.
(wrong selector values too can lead to this error. check the selector table)hAUTOHIDE SESSION
Create a segment (%0*a-%0*a, sel %0*a):
IDP module disallowed creation of the segment.[AUTOHIDE SESSION
Create a segment (%0*a-%0*a, sel %0*a):
cannot trim the previous segment.gAUTOHIDE SESSION
Create a segment (%0*a-%0*a, sel %0*a):
cannot allocate varray chunk for the segment.HAUTOHIDE SESSION
Create a segment (%0*a-%0*a):
cannot create a segment.XAUTOHIDE SESSION
Create a segment (%0*a-%0*a):
end address is lower than start address.» get_ordinal_qty▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get number of local types + 1
returns: value >= 1. 1 means that there are no local types.

long get_ordinal_qty();
'@0:234[]
Fatal: Can't create database.#Alignment cannot be specified hereð set_local_type▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Parse one type declaration and store it in the specified slot
     ordinal -  slot number (1...NumberOfLocalTypes)
                -1 means allocate new slot or reuse the slot
                of the existing named type
     input -  C declaration. Empty input empties the slot
     flags -  combination of PT_... constants or 0
returns: slot number or 0 if error

success set_local_type(long ordinal, string input, long flags);
@0:1141[]
%s: bTree error: %sÚ get_local_tinfo▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Retrieve a local type
     ordinal -  slot number (1...NumberOfLocalTypes)
returns: typeinfo object or 0

typeinfo get_local_tinfo(long ordinal);
 get_numbered_type_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Retrieve a local type name
     ordinal -  slot number (1...NumberOfLocalTypes)
returns: local type name or ""

string get_numbered_type_name(long ordinal);
 process_config_line▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Parse one or more ida.cfg config directives
     line - directives to process, for example: PACK_DATABASE=2
If the directives are erroneous, a fatal error will be generated.
The changes are permanent: effective for the current session and the next ones

void process_config_line(string directive);
ò retrieve_input_file_md5▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get MD5 hash of the input file.
This function returns the MD5 hash string of the input file (32 chars)

string retrieve_input_file_md5();
Refresh ~m~emoryÒWRAP
Refresh memory ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: RefreshMemcfg
 Current hotkey: @<RefreshMemcfg>

This command refreshes the segments and memory contents in IDA.
It is available only during a debugging session.
NOTE: this command is currently hidden from the user interface because IDA
does synchronize with the process memory automatically.

Please note that IDA itself tries to keep the program segments in sync
with the debugged process. However, in order to accelerate the debugger,
the synchronization is done only at major events, for example when dynamic library
gets loaded or unloaded or a thread is created or deleted. If the memory
configuration is changed because of a simple system call (think of VirtualAlloc),
IDA might miss it. Use the "refresh memory" command in these cases.

Note2: when IDA detects a discrepancy in the segments, it will
automatically synchronize with the process.

See also @0:1395[Debugger] submenu.Illegal enum base type sizeý get_enum_width▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get width of enum elements
     enum_id - ID of enum
returns: size of enum elements in bytes
         (0 if enum_id is bad or the width is unknown).

long get_enum_width(long enum_id);
&@0:1299[]
Bad VA header (end < start))Variadic functions cannot be __userpurgeö set_enum_width▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

set width of enum elements
     enum_id - id of enum
     width   - element width in bytes (0-unknown)
returns: 1-ok, 0-failed

success set_enum_width(long enum_id, long width);
 loader_input_t.tell▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get the current file position

long loader_input_t.tell();
w save_database▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Save current database to the specified idb file
     idbname - name of the idb file. if empty, the current idb
               file will be used.
     flags   - DBFL_... bits or 0
see also @0:1738[set_database_flag](), @0:1739[clr_database_flag]()

success save_database(string idbname, long flags);

#define DBFL_KILL       0x01            // delete unpacked database
#define DBFL_COMP       0x02            // collect garbage
#define DBFL_BAK        0x04            // create backup file (if !DBFL_KILL)
#define DBFL_TEMP       0x08            // temporary database
C
WRAP
Browser options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This tab of IDA Options dialog allows for editing of hint and identifier highlight
related settings. There are two groups of settings.

The first group is for hints that are displayed when the mouse is hovered
over some text.

The second group is for highlighting.

Number of lines for identifier hints

        Specifies how tall the hint window will be initially.
        IDA may decide to display less lines than specified if the hint is
        small. The user can resize the hint window using the mouse wheel.

Delay for identifier hints

        Milliseconds that pass before the hint appears when the user
        hovers the mouse pointer over an identifier

Mouse wheel resizes hint window

        Permit to resize the hint window by using the mouse wheel.
        Can be turned off if the user does not want to resize the hints.

No hints if debugger is active

        Hints will be disabled when the debugger is active. This may be
        useful to speed of debugging: calculating hints for zero filled
        ranges can be very expensive


Auto highlight the current identifier

        Highlight the current identifier everywhere on the screen.
        IDA tries to determine if the current identifier denotes a register.
        In this case it will highlight references to other parts of the
        register. For example, if "AL" is highlighted, IDA will also highlight
        "AH", "AX", and "EAX" (if the current processor is x86).

Unhide collapsed items automatically when jumping to them (gui only)

        If this option is set on, IDA will automatically
        uncollapse hidden functions if the user decides to jump
        to them. As soon as the user quits the function by pressing
        Esc, the function is automatically collapsed again.

Lazy jumps (gui only)

        If this option is set on, IDA will not redraw the
        disassembly window if the jump target is already on the screen.
        In this case, it will just move the cursor to the specified
        address. This option leads to less screen redraws and
        less jumpy behaviour.

Number of items in navigation stack drop-down menus

        Specifies the number of entries in the drop-down menu for the 'Jump'
        toolbar

Number of lines for auto scroll

        Specifies how many lines force automatic scrolling of the
        disassembly view

Caret blinking interval

        Specifies how fast the input caret blinks (in milleseconds).
        Must be greater than or equal to 500, or zero.
        Zero means to disable blinking

ðWRAP
Cross reference attributes ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The cross reference dialog displays a list of references to the various items.
Each line has the following attributes:

Direction
        Up or Down. Meaningful for program address; denotes where the
        reference comes from, from the lower addresses than the reference
        target (down) or from higher addresses (up).

Type

        The following types exist:

          o - offset, the address of the item is taken
          r - read access
          w - write access
          t - textual referenced (used for manually specified operands)
          i - informational (e.g. a derived class refers to its base class)
          J - far (intersegment) jump
          j - near (intrasegment) jump
          P - far (intersegment) call
          p - near (intrasegment) call
          ^ - ordinary flow
          s - xref from a structure
          m - xref from a structure member
          k - xref from a stack variable

Address

        For 'xrefs to' dialogs: where the reference comes from (source)
        For 'xrefs from' dialogs: where the reference goes to (destination)

Text

        Additional info about the cross reference
Next functionû get_entry_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

retrieve entry point name
     ordinal - entry point number
               it is returned by get_entry_ordinal()
returns: entry point name or ""

string get_entry_name(long ordinal);
 get_exception_qty▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get number of defined exception codes

long get_exception_qty();
÷ get_exception_code▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get exception code
     idx - number of exception in the vector (0..get_exception_qty()-1)
returns: exception code (0 - error)

long get_exception_code(long idx);
G get_exception_name▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get exception information
     code - exception code
see also @0:1311[define_exception] (definition of exception flags)

string get_exception_name(long code); // returns "" on error
long get_exception_flags(long code);  // returns -1 on error
z define_exception▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Add exception handling information
     code - exception code
     name - exception name
     desc - exception description
     flags - exception flags (combination of EXC_...)
returns: failure description or ""

string define_exception(long code, string name, string desc, long flags);

#define EXC_BREAK  0x0001 // break on the exception
#define EXC_HANDLE 0x0002 // should be handled by the debugger?
#define EXC_MSG    0x0004 // instead of warn, log the exception to the output window
#define EXC_SILENT 0x0008 // do not warn or log to the output window
ò set_exception_flags▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Set exception flags
     code - exception code
     flags - exception flags (combination of EXC_...)

success set_exception_flags(long code, long flags);
³ forget_exception▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Delete exception handling information
     code - exception code

success forget_exception(long code);
W set_root_filename▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Set input file name
This function updates the file name that is stored in the database
It is used by the debugger and other parts of IDA
Use it when the database is moved to another location or when you
use remote debugging.

void set_root_filename(string path);
Â qsleep▄
 ▀▀▀▀▀▀▀

Sleep the specified number of milliseconds
This function suspends IDA for the specified amount of time
Thread-safe function.

void qsleep(long milliseconds);
}

//------------------------------------------------------------------------
// Information about bytes

static Bytes_%d(void)
{
  auto x;
#define id x

ø load_type▄
 ▀▀▀▀▀▀▀▀▀▀

Convenience function to load a type into a type library.
'name' may be empty for anonymous types.

     flags   -  combination of LOADTYPE_ constants,
                in case of 0 the LOADTYPE_DEFAULT is used
     ordinal -  slot number (1...NumberOfLocalTypes), is ignored if LOADTYPE_USEORD is clear
     name    -  type name
     type    -  serialized type string (internal type represenation)
     fields  -  serialized field names
     cmt     -  type comment
     fldcmts -  serialized field comments
     sclass  -  storage class of the type

tinfo_code_t load_type(
        long flags,
        long ordinal,
        string name,
        string type,
        string fields="",
        string cmt="",
        string fldcmts="",
        long sclass=0);
#define LOADTYPE_USEORD  0x01   // use ordinal to set type, otherwise set type by name
#define LOADTYPE_REPLACE 0x02   // overwrite the existing type
#define LOADTYPE_DEFAULT (LOADTYPE_USEORD|LOADTYPE_REPLACE)
 detach_process▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Detach the debugger from the debugged process.

success detach_process();
R get_processes▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Take a snapshot of running processes and return their description.
returns: the object with the attributes:
"size" - number of processes
"0", "1", "2", ... up to the number of processes - 1
       - contains object which describes the process with the attributes:
         "pid"  - PID
         "name" - process name, usually executable name prefixed
                  with the process bitness

object get_processes();

For example, to get the name of the 5th process:

  extern fifth_name;
  fifth_name = get_processes()[4].name
Previous functionô get_qword▄
 ▀▀▀▀▀▀▀▀▀▀

Get value of program quadro word (8 bytes)
     ea - linear address
returns: the value of the quadro word. If failed, throws an exception

long get_qword(long ea);
#define qword(ea) get_qword(ea)

  bytes   pages size description
--------- ----- ---- --------------------------------------------
%9lu %5u %4u allocating memory for b-tree...
²WRAP
Rename a stack variable ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command allows the user to rename a stack variable. Enter an identifier
for the stack variable and press Enter.

Internally, stack variables are represented as structure fields. IDA creates
a new structure type for each function frame.

See also @0:490[Edit|Structs] submenu.
         @0:424[How to Enter an Identifier]
)Argument location %s is not allowed hereWRAP
Watch view (source level) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

In this window the user can view values of selected variables.

Global variables (data item names) as well as variables that are local
to the current function can be added by pressing Ins.

Expressions can be added to the view as well, they will be considered as IDC
expressions.

Expressions may have a type cast at the beginning. For example

(int)0x12345678

means that the contents of the memory at the address 0x12345678 should be
displayed as an integer. Note: to display strings use "char[]" as the typo.

See also @0:1272[Source code view]
*__thiscall requires at least one argument@@0:544[]
Jump to structure offset

  <~J~ump offset:M:+:32::>

:@0:544[]
Jump to enum offset

  <~J~ump offset:M::32::>

ÔWRAP
Bochs debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The Bochs debugger plugin uses the Bochs internal command line debugger.
For more about the internal debugger: http://bochs.sourceforge.net/doc/docbook/user/internal-debugger.html

To use the Bochs debugger plugin, the following steps must be carried out:

  - Download and install Bochs v2.6.x from:
        http://bochs.sourceforge.net/getcurrent.html

    For Mac OS or Linux, please refer to the following guide:
        https://www.hex-rays.com//products/ida/support/tutorials/debugging_bochs_linux.pdf

  - Open or create an IDB file in IDA and select the Bochs debugger

  - Configure the debugger specific options in
        Debugger Options, Set specific options.
    One of three possible modes of operation can be selected: image, idb, or pe.

Because the debugger plugin uses the Bochs command line debugger, it has the
following limitations:

  - Breakpoints: the Bochs debugger has the limit of 10 physical, 10
    virtual, and 10 linear breakpoints. Since IDA uses some breakpoints
    for its own purposes, only 20 breakpoints can be set by the user

  - Watchpoints: the Bochs debugger has the limit of 16 read and 16 write
    watchpoints

  - FPU registers, MMX, XMM, control, task and segment registers cannot be modified

There are ways to overcome some of the limitations mentioned above by downloading
Bochs source code and modifying it. For example, the number of allowed breakpoints
can be increased.

The Bochs debugger configuration dialog box has the following entries:

  BOCHSRC
    This is the path to the Bochs configuration file template. It contains
    special variables prefixed with "$". These variables should not be
    modified or changed by the user, as they are automatically filled by the
    plugin. Other entries can be modified as needed.

  Operation mode
    The user can choose between @0:1330[Disk Image],
    @0:1331[IDB] and @0:1332[PE] operation modes.

  Delete image files upon session end
    If enabled, IDA will automatically delete the Bochs disk images used for
    the debugging session (this option only applies to IDB and PE operation modes).
    If the plugin (in IDB operation mode) finds a previously created image, it verifies that it
    corresponds to the database and uses it as is. Unchecking this option
    for the IDB operation mode will speed up launching the debugger.

  64-bit emulation
    This options enables 64bit emulation. It is only present in the 64-bit version of IDA.
    By default, the Bochs plugin will try to detect whether to choose 32 or 64-bit emulation.

Default configuration parameters are taken from ida\cfg\dbg_bochs.cfg.

The Bochs debugger module adds a new menu item: Debugger, Bochs Command.
It can be used to send arbitrary commands to Bochs. The command output is
displayed in the message window (there is also an IDC counterpart of this function,
please refer to "startup.idc" file). This command is very useful but may interfere
with IDA, especially if the user modifies breakpoints or resume execution outside IDA.

 See also:
        @0:1330[Disk Image operation mode]
        @0:1331[Bochs IDB operation mode]
        @0:1332[Bochs PE operation mode]
        @0:1333[Bochs plugin operation mode FAQ]
Ì
WRAP
Bochs Disk Image operation mode ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The disk image operation mode is used to run Bochs with any Bochs disk image.

A simple way to get started is to launch IDA and disassemble the bochsrc file
associated with your disk image. IDA will recognize bochsrc files, parse the contents,
determine the associated disk image and create a new database containing the first
sector of the disk image (usually the boot sector).

The database does not have to correspond to the disk image: it could in fact start as an empty database,
then user could convert the needed segments to loader segments for later analysis.
The following script can be used for that purpose:

        attrs = get_segm_attr(desired__segment__start, SEGATTR_FLAGS);
        attrs = (attrs & ~SFL_DEBUG) | SFL_LOADER;
        set_segm_attr(desired__segment__start, SEGATTR_FLAGS, attrs);

If the disk image switches to protected mode with memory paging enabled, IDA
will use the page table mapping to display segments. For 16-bit applications, IDA
automatically creates a default DOS memory map (Interrupt vector table, Bios Data Area, User Memory and BIOS ROM).
Also, the Bochs Debugger plugin will try to guess the debugger segment bitness, nonetheless the user can edit the bitness manually.

Moreover, the Bochs internal debugger provides the ability to add hardware like breakpoints,
known as watchpoints, but the addresses must be physical addresses.
In order to use the disk image operation mode in a more convenient way, the plugin will convert the virtual
addresses to physical addresses (if page table information is present) before adding the hardware breakpoint.
This mechanism will not always work, please check the @0:1333[FAQ] for more information.
For hardware breakpoint on execute, the plugin will use the selected address as-is and create a physical breakpoint.

The following parameters can be specified for the disk image operation mode:

  - The bochsrc file which contains the configuration for the Bochs virtual machine in question.
    The bochsrc file should be entered in:
    Debugger -> Process Options -> Application (other fields are ignored)

  - Use virtual breakpoints when protected mode is enabled:
    This parameter is set in the Debugger Specific options.
    It will allow the plugin to use "vb" command to create
    virtual breakpoints (using cs:eip), instead of using the "lb" which
    creates linear breakpoints (using only "eip"). It is useful when
    debugging code where the "cs" segment selector base is not zero.

This is a small example on how to debug a given disk image:

1. Prepare the needed bochs virtual machine files (bochsrc, disk image, floppy image if needed, etc...)

2. Load the bochsrc file into IDA. IDA will automatically create a database.

(Step 2, is optional. It is possible to use a database of your choice, but remember to point
its "Debugger->Process Options->Input file" to the bochsrc file)

3. Make sure the "Disk image" operation mode is selected
(If Step 2 was used, then Disk image operation mode will be selected automatically)

4. Enable "Debugger Options->Suspend on debugging start", and start debugging!

In the disk image operation mode, the Bochs debugger plugin does not handle or report exceptions, if they must be caught
and handled, please put breakpoints in the IDT or IVT entries.

 See also:
        @0:1329[Bochs debugger]
        @0:1333[Bochs plugin operation mode FAQ]
'WRAP
Bochs IDB operation mode ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The IDB operation mode, as its name implies, takes the current database as the input and runs it
under the Bochs debugger. This mode can be used to debug any x86 32 or 64-bit code.
Please note that the code executes with privilege ring 3.

The following parameters can be specified in the IDB operation mode:

  - Entry address: the address where the execution starts.
    This parameter can be specified in three ways (listed in order of
    precedence):
      - by renaming the desired location as "ENTRY" (global name)
      - by selecting an address range with the mouse or keyboard.
        The selection start address is used as the entry point
      - by positioning the cursor at a given position and running the
        debugger

  - Exit address (optional): the address where the execution ends.
    This parameter can be specified in two ways:
      - by renaming the desired location as "EXIT" (global name). Please note that
        the emulation will stop at the item following the exit label.
      - by selecting an address range with the mouse or keyboard
        The selection end address is used as the exit point
    If the exit address is not specified, the execution will continue until
    an exception occurs. However, if the exit address is reached, the debugger
    will ask the user if emulation should be continued or not.

  - Startup stack size: number of KBs to allocate for the stack segment.
    The stack segment is automatically created and named as "STACK".

It may also prove useful to enable the "Debugger Setup/Suspend on debugging start" so
that IDA automatically suspends the process before executing the first instruction.

While debugging, exceptions may occur and are caught by IDA. Please note that
these exceptions are raw machine exceptions. For example, instead of an access
violation exception, a page fault exception is generated.

 See also:
        @0:1329[Bochs debugger]
        @0:1333[Bochs plugin operation mode FAQ]
	$WRAP
Bochs PE operation mode ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The PE operation mode can be used to load PE files and debug them in a MS Windows like environment.

The current limitations include:

  - Thread or process manipulation are not supported

  - Limited support for PE+

  - We provide implementations of a limited number of system calls. Feel
    free to implement missing functions using IDC scripts or DLLs.

  - LoadLibrary() will fail on unknown DLLs: the list of desired DLLs must
    be specified before running the debugger in the startup.idc file

  - Limited emulation environment: IDA does not emulate the complete MS Windows
    operating system: it just provides the basic environment for a
    32bit PE file to run (please check the features below). There are many
    ways how the debugged program can detect that it runs in an emulated
    environment.

PE executables feature list:

- SEH support: we try to mimic MS Windows as much as possible. For example, the
ICEBP instruction is a privileged instruction, but Windows reports back a single
step exception. Similarly, MS Windows does not distinguish between 0xCC and 0xCD 0x03,
so when an exception occurs, it reports that the exception address is always
one byte before the trap. So if it was an INT 0x3 (CD03), the exception address
will point to the 0x03 (in the middle of the instruction).

- TLS callbacks: TLS callbacks are normally parsed by IDA and presented as
entry points. They will be called by the debugger before jumping to the main
entry point of the application. Turning on the "Debugger Setup/Suspend on debugging start"
may be a good idea since it will make all this logic clearly visible.

- Emulation of NT structures: Some malware do not use GetProcAddress() or
GetModuleHandle(). Instead, they try to parse the system structures and deduce these values.
For this we also provide and build the basic structure of TIB, PEB, PEB_LDR_DATA,
LDR_MODULE(s) and RTL_USER_PROCESS_PARAMETERS. Other structures can be built
in the bochs_startup() function of the startup.idc file.

PE/PE+ executables feature list:

- Extensible API emulation: The user may provide an implementation of a any API function
using scripts. The plugin supports IDC language by default, but if there are any other registered
and active external languages, then external language will be used. Currently, the plugin ships with
preconfigured IDC and Python scripts (please refer to startup.idc/startup.py).

It is also possible to take a copy of all the API and startup scripts and place them next to the database in question.
This will tell the Bochs debugger plugin that these scripts are to be used with the current database directory.
Such mechanism makes it possible to customize API/startup scripts for different databases.

In the following example, kernel32!GlobalAlloc is implemented via IDC like this:

 (file name: api_kernel32.idc)
 ///func=GlobalAlloc entry=k32_GlobalAlloc purge=8
 static k32_GlobalAlloc()
 {
   eax = BochsVirtAlloc(0, BochsGetParam(2), 1);
   return 0;
 }
 ///func=GlobalFree entry=k32_GlobalFree purge=4
 static k32_GlobalFree()
 {
   eax = BochsVirtFree(BochsGetParam(1), 0);
   return 0;
 }

A simple MessageBoxA replacement can be:

 (file name: api_user32.idc)
 ///func=MessageBoxA entry=messagebox purge=0x10
 static messagebox()
 {
   auto param2; param2 = BochsGetParam(2);
   msg("MessageBoxA has been called: %s\n",
        get_strlit_contents(param2, -1, STRTYPE_C));

   // Supply the return value
   eax = 1;

   // Continue execution
   return 0;
 }

To access the stack arguments passed to a given IDC function, please use the BochsGetParam() IDC function.

For a full reference on using IDC to implement API calls, please refer to ida\plugins\bochs\api_kernel32.idc file.

- Remap a DLL path (from the startup.idc script):

    /// map /home/johndoe/sys_dlls/user32.dll=d:\winnt\system32\user32.dll
    /// map /home/johndoe/sys_dlls/kernel32.dll=d:\winnt\system32\kernel32.dll

- Specify additional DLL search path (and optionally change the mapping):

    /// map /home/johndoe/sys_dlls/=d:\winnt\system32
  Or:

    /// map c:\projects\windows_xpsp2_dlls\=c:\windows\system32
  Or just as a search path without mapping:

    /// map c:\program files\my program
  You need to add the appropriate terminating slashes

- Redefine the environment variables: the environment variables can be redefined in startup.idc

    /// env PATH=c:\windows\system32\;c:\programs    /// env USERPROFILE=c:\Users\Guest

  In Linux, if no environment variable is defined in the startup file then no environment strings will be present.
  In Windows, we take the environment variables from the system if none were defined.

- Use native code: it is possible to write a custom Win32/64 DLL and map it into the process space.

Existing APIs can then be redirected to custom written functions. For example:

  ///func=GetProcAddress entry=bochsys.BxGetProcAddress
  ///func=ExitProcess entry=bochsys.BxExitProcess
  ///func=GetModuleFileNameA entry=bochsys.BxGetModuleFileNameA
  ///func=GetModuleHandleA entry=bochsys.BxGetModuleHandleA

Here we redirect some functions to bochsys.dll that modify the memory space of the application.
Please note that bochsys.dll is a special module, IDA is aware of it.
Custom functions are declared like this:

  (file name: api_kernel32.idc)
  ///func=GetCommandLineA entry=mydll.GetCommandLineA purge=0

Then in startup.idc file, the following line must be added:

   /// load mydll.dll

Custom DLLs are normal DLLs that can import functions from any other DLL. However,
it is advisable that the custom DLL is kept small in size and simple, by not linking it
to the runtime libraries.

- Helper IDC functions: a set of helper IDC functions are available when the
debugger is active. For more information, please refer to "startup.idc".

- Less demanding PE loader: Most PE files can be loaded and run, including
system drivers, DLL and some PE files that cannot be run by the operating system.

- Dependency resolution: In the PE operation mode, the plugin will recursively load all DLLs referenced
by the program. All DLLs that are not explicitly marked with "stub" in startup.idc
will be loaded as is. It is important to "stub" all system DLLs for faster loading.
The PE loader creates empty stubs for undefined functions in stubbed DLLs.
For example, the following line defines a stub that will always return 0 for CreateFileA:

  /// func=CreateFileA retval=0

Since CreateFileA is mentioned in the IDS files and IDA knows how many bytes it purges
from the stack, there is no need to specify the "purge" value. For other functions
that are not known to IDA, a full definition line would look like:

  /// func=FuncName purge=N_bytes retval=VALUE

- Startup and Exit scripts: It is possible to assign IDC functions that run when the debugging
session starts or is about to terminate (before the application continues from
the PROCESS_EXITED event). In addition to running code at startup, the startup
script serves a role in telling the PE loader which DLLs are to be mapped for
the current debugging session. For example:

  /// stub ntdll.dll
  /// stub kernel32.dll
  /// stub user32.dll
  /// stub shell32.dll
  /// stub shlwapi.dll
  /// stub wininet.dll

These lines list the DLLs that will be used during the debugging session.
IDA creates empty stubs for all functions from these DLLs. Non-trivial implementations
of selected functions can be specified in api_xxxx.idc files, where xxxx is the module name.

API and startup scripts are searched first in the current directory and then
in the ida/plugins/bochs directory.

- Memory allocation limit: The PE loader has a simple memory manager. It is
used for the initial memory allocation at the loading stage and for dynamic memory allocation
during the debugging session. No memory limits are applied at the loading stage:
the loader will load all modules regardless of their size. However, when the
debugging session starts, a limit applies on how much memory can be dynamically
allocated. This limit is specified in the debugger specific options as "Max allocatable
memory". Memory allocation will fail once this limit is reached.

Some notes on bochsys.dll:

- BxIDACall: This exported function is used as a trap to suspend the code execution
in Bochs and perform some actions in IDA. For example, when the target calls
kernel32.VirtualAlloc, it is redirected to bochsys.BxVirtualAlloc, which calls BxIDACall,
which triggers IDA:

  kernel32.VirtualAlloc -> bochsys.BxVirtualAlloc -> BxIDACall -> IDA bochs plugin

A breakpoint can be set on this function to monitor all API calls that are
handled by IDA.

- BxUndefinedApiCall: This exported function is executed when the application
calls an unimplemented function. Setting a breakpoint on it will allow discovering
unimplemented functions and eventually implementing them as IDC or
DLL functions. It can also be used to determine when unpacking/decryption
finishes (provided that all functions used by the unpacker have been defined).

 See also:
        @0:1329[Bochs debugger]
        @0:1333[Bochs plugin operation mode FAQ]

WRAP
Bochs debugger FAQ ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀


General:

- How are breakpoints treated by IDA Bochs Plugin: Bochs debugger does not use
breakpoints by inserting 0xCC at the given address. Instead, since it is an
emulator, it constantly compares the current instruction pointer against the
breakpoint list. Data breakpoints are supported by Bochs and are known as "watchpoints".
If the user creates hardware breakpoints, IDA will automatically create Bochs watchpoints.

- How to select the Bochs operation mode programmatically: using IDC: it is possible to use
process_config_line() function to pass a key=value. For example, process_config_line("DEFAULT_MODE=1")
will select the disk image operation mode. (Please refer to cfg\dbg_bochs.cfg for list of configurable options).

- When debugging, IDA undefines instructions: if the "Debugger options / Reconstruct stack" is checked and
the stack pointer is in the same segment as the currently executing code, then IDA might undefine instructions.
To solve this program, uncheck the reconstruct stack option.

- How to convert from physical to linear addresses and vice versa: Bochs internal debugger provides two useful
commands for this: "info tab" and "page".

Disk image operation mode:

- Data/Software breakpoints are not always triggered: During a debugging session, when a breakpoint
is created while the protected mode/paging is enabled, the page table information is used to translate addresses
and correctly create the breakpoint. When debugging session is started again, IDA cannot access translation tables
to re-create the same breakpoint, thus the breakpoint will be created without any translation information (it will be treated as physical addresses)
This is why those breakpoints are not triggered. As a workaround, we suggest disabling those breakpoints and re-enable
them when paging is enabled. This problem can also arise when the "use virtual breakpoints" option is enabled.

IDB/PE operation mode:

- Cannot map VA: Sometimes, IDA may display a message stating that a given VA could
not be mapped. This mainly happens because both IDB/PE operation modes use virtual
addresses from 0x0 to 0x9000 and from 0xE0000000 to 0xFFFFFFFF internally.
To solve the problem, please rebase the program to another area:

  - IDB operation mode: use Edit, Segment, Rebase program
  - PE operation mode: rebase the input file using a third party utility

PE operation mode:

- Dynamic DLL loading: sometimes, when running a program, the plugin may attempt to load
a DLL that is not declared in the stub or load section of the startup script.
In this case, please write down the name of the DLL, then add it to the startup script,
and restart the debug session.
It is possible to create a local copy, next to your database, of startup scripts so
that these scripts will be used with this database only.

- Disk image loading slow: The disk image produced in the PE operation mode can be as big as 20MB. The reason
for this slow loading is most probably because the plugin tries to load all referenced DLLs instead of stubbing them.
To fix this, when the process starts, please take note of the loaded DLLs list (using IDA / Modules List) then
add the desired module names in the startup.* / "stub" section.

 See also:
        @0:1329[Bochs debugger]
 set_array_params▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Set array representation format
     ea      - linear address
     flags   - combination of AP_... constants or 0
     litems  - number of items per line. 0 means auto
     align   - element alignment:
                 -1: do not align
                 0:  automatic alignment
                 other values: element width
Returns: 1-ok, 0-failure

success set_array_params(long ea, long flags, long litems, long align);

#define AP_ALLOWDUPS    0x00000001L     // use 'dup' construct
#define AP_SIGNED       0x00000002L     // treats numbers as signed
#define AP_INDEX        0x00000004L     // display array element indexes as comments
#define AP_ARRAY        0x00000008L     // reserved (this flag is not stored in database)
#define AP_IDXBASEMASK  0x000000F0L     // mask for number base of the indexes
#define   AP_IDXDEC     0x00000000L     // display indexes in decimal
#define   AP_IDXHEX     0x00000010L     // display indexes in hex
#define   AP_IDXOCT     0x00000020L     // display indexes in octal
#define   AP_IDXBIN     0x00000030L     // display indexes in binary
DWRAP
Remote GDB Debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Remote GDB Debugger module allows for debugging code using the GDB remote serial protocol.
For this, the debuggee must contain a so-called "GDB stub" that controls the
execution and handles the remote protocol commands. There are many implementations
of such stubs available with different capabilities. The module has been tested
with the following GDB stubs:

 @0:1343[gdbserver]: Windows (Cygwin), Linux (ARM, MIPS, PowerPC)
 @0:1357[VMWare]: x86 (16/32 bit)
 @0:1521[QEMU]: x86 (16/32 bit), ARM, MIPS, PowerPC
 @0:1417[OpenOCD]: ARM

It is quite possible that the module will work with other stubs.
Note that only x86, ARM, MIPS and PowerPC processors are supported at the moment.

Some GDB stubs support so-called "monitor" commands. For example, VMWare stub
can return extra info about system registers. Use the command line at the bottom
of the main IDA window to send such commands. The output will be displayed in the message window.
Hint: most stubs have a "help" command (if they support any commands at all).

The module also makes the following function available from IDC:

 string @0:1592[send_dbg_command](string command);

 NOTE

When using @0:1502[instant debugging], you will need to tell IDA on which CPU the
target is running. This is done in the @0:1522[Remote GDB Debugger options] dialog,
available via "Debugger specific options" button in the Process options dialog shown when you
choose Remote GDB Debugger from the Run or Attach menu.

 NOTE

Many GDB stubs do not report the address that triggered a hardware breakpoint.
In this case, IDA will report a memory breakpoint hit as a generic TRAP signal.
Examine the previous instruction to see if it referenced a memory location
with breakpoint. When continuing from such a breakpoint, choose not to pass
the signal to the program.

 NOTE

IDA can be used together with a J-Link debug probe from SEGGER Microcontroller GmbH:

https://segger.com/jlink-debug-probes.html

See also

  @0:1522[Remote GDB Debugger options]
  @0:1395[Debugger] submenu.5@0:693[]
Can't create segment registers area at %08aR@0:694[]
Can't assign to Segment Register at %08a (%s=%04a). Trying to recover...Linternal error (please inform support): can't create segment register areasW@0:236[]
Fatal: the format of the database is obsolete. Use a previous version of IDA.AUTOHIDE REGISTRY
HIDECANCEL
@0:238[]
The format of the database is obsolete (%d). IDA will now upgrade it into format %d. Continue?W@0:239[]
Fatal: the database format is newer than expected. Use a new version of IDA.
@0:635[]
Database is emptyvWRAP
Debugging with gdbserver ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

gdbserver is a GDB stub implemented as a separate program. It runs a program to be debugged
or attaches to a process and then waits for commands.
The remote GDB debugger module has been tested with gdbserver available with Cygwin
and Linux.

To debug a specific program from the start, run the following command:

    gdbserver localhost:23946 <program>

and then choose Debugger,Attach,<process running on target> in IDA.

To debug a running process:

    gdbserver --multi localhost:23947

then choose Debugger,Attach,<enter PID to attach> in IDA and enter the PID of
the process to attach to.

Another method of debugging a running process is:

    gdbserver localhost:23947 --attach <PID>

then choose Debugger,Attach,<process running on target> in IDA.

To start a program from inside IDA, first launch the debugger server:

    gdbserver --multi localhost:23947

Then use Debugger,Start process or Debugger,Run in IDA.

 NOTE

The --multi option is only available in GDB 6.8 or higher.

Back to @0:1335[Remote GDB Debugger]
Bad keyboard assignment

Keyboard definition syntax is:

        "ActionName" = Value

  where value may be:

        a string:       "Ctrl-F5"
        a char:         'F'
        a scancode:     0x4900
        zero:           0

  Zero scancode disables the hot key.
eVarious dialog help messages ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

@0:216[Packed Files]
@0:217[Bad Relocation Table]
@0:218[Additional information at the end of file]
@0:219[Overlayed files]
@0:220[Error loading overlays]
@0:221[Maximal number of segments is reached]
@0:222[Cannot generate executable file]
@0:223[Bad input file format]
@0:225[Choose mark number]
@0:226[Enter mark description]
@0:227[Choose marked location]
@0:1720[IDA View bookmarks]
@0:1721[Structs bookmarks]
@0:1722[Enums bookmarks]
@0:228[Cannot Rename a Byte]
@0:229[Cannot find file segmentation]
@0:231[Negative Offsets]
@0:232[Cannot move segment start address]
@0:233[Cannot move segment start address]
@0:234[Cannot Create Database]
@0:235[DataBase is not closed]
@0:236[Obsolete Database Format]
@0:237[The Name List is Empty]
@0:238[Upgrading IDA database]
@0:239[Unexpected Database Format]
@0:240[Imported module is not found]
@0:242[Load file dialog]
@0:243[PE .idata section has additional data]
@0:575[Repeat search for instruction/data with the specified operand]
@0:577[Repeat search for substring in the disassembly]
@0:580[Repeat search for substring in the file]
@0:628[Moving Segment]
@0:629[Deleting a Segment]
@0:630[Auto analysis is not completed]
@0:631[Silent mode of IDA]
@0:632[Rename a structure/member]
@0:633[Delete a structure member]
@0:634[Unpacked database is dangerous]
@0:635[Database Is Empty]
@0:636[Illegal Usage of the Switch]
@0:637[Cannot Find Input File]
@0:638[Patched Bytes Are Skipped]
@0:639[Patched bytes have relocation information]
@0:641[No Segment for the current byte]
@0:689[Empty Program]
@0:1372[Load additional binary file]
@0:640[Patching Relocation Bytes]
@0:690[NotVaFile]
@0:692[VaTooHighVersion]
@0:1418[Desktops]
@0:693[Can't create segment registers range]
@0:694[Cannot assign to Segment Register]üWRAP
Rename register ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: RenameRegister
 Current hotkey: @<RenameRegister>

This command allows you to rename a processor general register to some
meaningful name. While this is not used very often on IBM PCs,
it is especially useful on RISC processors with lots of registers.

For example, a general register R9 is not very meaningful and a name like
'CurrentTime' is much better.

This command can be used to define a new register name as well as to remove it.
Just move the cursor on the register name and press enter.
If you enter the new register name as an empty string, then the definition
will be deleted.

If you have selected a range before using this command, then the definition will
be restricted to the selected range. But in any case, the definition cannot
cross the function boundaries.

You cannot use this command if the current instruction does not belong to
any @0:484[function].

See also

         @0:483[Edit|Functions] submenu.D'=' not found

By configuration file syntax here must be '=' sign.
Expected a string value%Bad character translation table size;WRAP
ARM processor specifics ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Since architecture version v4 (introduced in ARM7 cores), ARM processors
have a new 16-bit instruction set called Thumb (the original 32-bit
set is referred to as "ARM"). Since these two sets have different instruction
encodings and can be mixed in one segment, we need a way to specify
how to disassemble instructions.
For this purpose, IDA uses a virtual segment register named 'T'.
If its value is 0, then ARM mode is used. Otherwise, Thumb mode is used.
ARM is the default mode. Please note that if you change the value
of T register for a range, IDA will destroy all instructions in that range
because their disassembly is no longer correct.

IDA use UAL (Unified Assembly Language) syntax by default which uses the same
syntax for both ARM and Thumb mode. If necessary, legacy assembler syntax can be
selected in @0:620[Analysis options].

To decode Aarch64 (ARM64) instructions the segment with instructions must be
@0:514[set to 64-bit].

Processor options for ARM ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Simplify instructions

      If this option is on, IDA will simplify instructions and replace
      them by clearer pseudo-instructions
      For example,

              MOV     PC, LR

      is replaced by

              RET

Disable pointer dereferencing

      If this option is on, IDA will not use =label syntax for
      loads from literal pools.
      For example,

                    LDR     R1, =dst
                    ...
      off_0_1003C   DCD dst

      will be shown as

                    LDR     R1, off_0_1003C

No automatic ARM-Thumb switch

      If this option is on, IDA will not propagate
      ARM-Thumb modes automatically when following jumps and calls.

Disable BL jumps detection

      Some ARM compilers in Thumb mode use BL (branch-and-link)
      instead of B (branch) for long jumps, since BL has more range.
      By default, IDA tries to determine if BL is a jump or a call.
      You can override IDA's decision using commands in Edit/Other menu
      (Force BL call/Force BL jump).
      If your target does not use this trick, you can set this option
      and IDA will always treat BL as a call.

Scattered MOVT/MOVW pairs analysis
      A pair of MOVT and MOVW instructions can be used to load any 32-bit constant
      into a register without having to use the literal pool. For example:
      MOVW R1, #0xABA2
      MOVT R1, #0x32AA
      is simplified by IDA into
      MOV  R1, 0x32AAABA2
      (unless macro creation is @0:1688[turned off])

      However, if there is an unrelated instruction between them, such
      simplification is not possible. If you enable the conversion, then IDA will try to
      convert operands of even scattered instructions. The example above could be represented as:

      MOVW  R1, #:lower16:0x32AAABA2
      [other instructions]
      MOVT  R1, #:upper16:0x32AAABA2

      It is possible to select how aggressively IDA should try to handle such pairs:
      leave them as is, convert only if the result a valid address, or try to
      convert all pairs even if the result does not look like a valid address.

Edit ARM architecture options

      This button allows you to edit various features of the ARM architecture.
      This will affect the disassembly of some instructions depending on whether
      the selected architecture supports them. For details, see the ARM Architecture Reference Manual.



Command-line options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

      You can configure the architecture options from the command line.
      For that, use the -parm:<option1[;option2...]> switch.
      The following options are accepted:

      ARMv<N>  - base ARM architecture version (e.g. ARMv4, ARMv4T,
                 ARMv5TE, ..., ARMv7-M, ARMv7-A)
       or

      <name>   - ARM core name (e.g. ARM7TDMI, ARM926EJ-S, PXA270,
                Cortex-M3, Cortex-A8)

      Additionally, a special name "armmeta" can be used to enable decoding of all known instructions.

      The options above will set some default values that can be adjusted further:

      NoVFP/VFPv<N>           - disable or enable support for VFP
                                instructions (e.g. VFPv3).
      NoNEON/NEON/NEON-FMA    - disable or enable support for NEON
                                (aka Advanced SIMD) instructions.
      NoThumb/Thumb/Thumb-2   - disable or enable support for Thumb (16-bit)
                                or Thumb-2 (16/32-bit) instructions.
      NoARM/ARM               - disable or enable support for ARM
                                instructions.
      XScale                  - support for XScale-specific instructions.
                                Implies ARMv5TE.
      NoWMMX/WMMXv1/WMMXv2    - support for Intel Wireless MMX
                                extensions (v1 or v2). Implies XScale.

See

      @0:523[Change segment register value]
      @0:522[Set default segment register value]

commands to learn how to specify the segment register value. expand_struc▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

expand or shrink a structure type
     id     - structure type ID
     offset - offset in the structure
     delta  - how many bytes to add or remove
     recalc - recalculate the locations where
              the structure type is used
returns: !=0 - ok

success expand_struc(long id, long offset, long delta, long recalc);
Expected a number3The specified value isn't within the allowed rangeWRAP
Compiler ▄
 ▀▀▀▀▀▀▀▀▀

 Action    name: SetupCompiler
 Current hotkey: @<SetupCompiler>

This dialog box allows the user to specify the compiler used to create the
program along with the memory model, default calling convention, ABI and other
parameters.

Please note that while some combinations of the parameters are meaningless,
IDA doesn't check them for validity. It is up to the user to specify a correct
combination.

IDA tries to determine the correct values automatically.

The include directories are a list of directories that look for the standard C headers.
This parameter is used during parsing @0:1367[C header files].
The directories must be separated by ';' in MS Windows and ':' in Linux.
The predefined macros field has the same format and is used similarly.
Please note that IDA doesn't define any compiler-specific macros by default.

See also @0:604[Options] submenu!Expected YES/NO or ON/OFF values\WRAP
Open subviews ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Here are commands to open various windows, display information etc.

  @0:585[Open disassembly window]
  @0:1415[Open exports window]
  @0:1416[Open imports window]
  @0:586[Open functions window]
  @0:587[Open names window]
  @0:588[Open signatures window]
  @0:589[Open segments window]
  @0:590[Open segment registers window]
  @0:591[Open selectors window]
  @0:592[Open cross references window]
  @0:593[Open structures window]
  @0:1259[Open local types window]
  @0:595[Open problems window]
  @0:1358[Open type libraries window]
  @0:1379[Open strings window]
  @0:1383[Open function calls window]
  @0:1384[Open notepad]
  @0:1714[Open undo history]

Some windows allow you to manipulate the window contents by
using the @0:427[list] viewer commands.

See also @0:583[View] submenu.¡WRAP
Debugging with VMWare ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

VMWare Workstation 6.5 is recommended for debugging, though earlier versions may work too.
Only 32-bit debugging is supported.

In order to enable debugging with GDB protocol, add the following lines to the .vmx
file of the virtual machine:

   debugStub.listen.guest32 = "TRUE"
   debugStub.hideBreakpoints= "TRUE"

To debug the VM startup, use:

   monitor.debugOnStartGuest32 = "TRUE"

Please note that the execution will start in the BIOS.

To accept connections from remote computers, the following line must be specified:

   debugStub.listen.guest32.remote = "TRUE"

VMWare Workstation will listen on port 8832.

Tips:

Since the GDB server does not report the memory layout, it must be specified manually.
For example, to debug BIOS startup code, create a 16-bit segment from F0000 to 10000 with base F000.

Use the @0:1523[GDB command line] to get extra info about the registers.
For example, use "r cr0" to see current value of the cr0 register or "r cs" to see the base, limit
and other attributes of the CS selector in protected mode.

Back to @0:1335[Remote GDB Debugger]ÆWRAP
Type libraries window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenTypeLibraries
 Current hotkey: @<OpenTypeLibraries>

This command opens the type libraries window.
Here the user can load and unload standard type libraries.

The standard type libraries contain type definitions from the standard
C header supplied with compilers. Usually, IDA tries to determine the target
compiler and its type libraries automatically but if it fails, this window
allows you to load the appropriate type library.

Furthermore, don't forget to specify the compiler and memory model in
the @0:1354[compiler setup] dialog box.

See also @0:1356[View|Open subviews] submenu.Too long string valuePage size should be power of 2"WRAP
Set function/item type ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetType
 Current hotkey: @<SetType>

This command allows you to specify the type of the current item.

If the cursor is located on a name, the type of the named item
will be edited. Otherwise, the current function type (if there is a function)
or the current item type (if it has a name) will be edited.

The function type must be entered as a C declaration. Hidden arguments (like
'this' pointer in C++) should be specified explicitly. IDA will use the type
information to comment the disassembly with the information about function arguments.
It can also be used by the Hex-Rays decompiler plugin for better decompilation.

Here is an example of a function declaration:

        int main(int argc, const char *argv[]);

To delete a type declaration, please enter an empty string.

IDA supports the user-defined calling convention. In this calling convention,
the user can explicitly specify the locations of arguments and the return value.
For example:

        int __usercall func@<ebx>(int x, int y@<esi>);

denotes a function with 2 arguments: the first argument is passed on the stack
(IDA automatically calculates its offset) and the second argument is passed
in the ESI register and the return value is stored in the EBX register.
Stack locations can be specified explicitly:

        int __usercall runtime_memhash@<^12.4>(void *p@<^0.4>, int q@<^4.4>, int r@<^8.4>)

There is a restriction for a __usercall function type: all stack locations
should be specified explicitly or all are automatically calculated by IDA.
General rules for the user defined prototypes are:

  - the return value must be in a register.
    Exception: stack locations are accepted for the __golang and __usercall calling conventions.

  - if the return type is 'void', the return location must not be specified

  - if the argument location is not specified, it is assumed to be
    on the stack; consequent stack locations are allocated for such arguments

  - it is allowed to declare nested declarations, for example:
    int **__usercall func16@<eax>(int *(__usercall *x)@<ebx>
                                             (int, long@<ecx>, int)@<esi>);
    Here the pointer "x" is passed in the ESI register;
    The pointed function is a usercall function and expects its second
    argument in the ECX register, its return value is in the EBX register.
    The rule of thumb to apply in such complex cases is to specify the
    the registers just before the opening brace for the parameter list.

  - registers used for the location names must be valid for the current
    processor; some registers are unsupported (if the register name is
    generated on the fly, it is unsupported; inform us about such cases;
    we might improve the processor module if it is easy)

  - register pairs can be specified with a colon like <edx:eax>

  - for really complicated cases @0:1492[this syntax] can be used.

IDA also understands the "__userpurge" calling convention. It is the same
thing as __usercall, the only difference is that the callee cleans the
stack.

The name used in the declaration is ignored by IDA.

If the default calling convention is __golang then explicit specification
of stack offsets is permitted. For example:

   int __usercall myfunc<^8>(__int64 arg<^0>);

Function declarations may have the __spoils keyword. It is used to specify
the list of registers spoiled by the function. The syntax is the following:

   int __spoils<eax, bh> func(int x);

If the __spoils keyword is present, the specified list overrides the standard
spoiled list. For x86, the standard spoiled list is <eax, edx, ecx>.
The list of spoiled registers may be empty.

IDA also understands some attributes in declarations. For example:

  __attribute__((format(printf,2,3)))
  int myprnt(int id, const char *format, ...);

This declaration means that myprnt is a print-like function; the format
string is the second argument and the variadic argument list starts at the
third argument.

Below is the full list of attributes that can be handled by IDA. Please look
up the details in the corresponding compiler help pages.

  packed        pack structure/union fields tightly, without gaps
  aligned       specify the alignment
  noreturn      declare as not returning function
  ms_struct     use microsoft layout for the structure/union
  format        possible formats: printf, scanf, strftime, strfmon

For data declarations, the following custom __attribute((annotate(X))) keywords
have been added. The control the representation of numbers in the output:

  __bin         unsigned binary number
  __oct         unsigned octal number
  __hex         unsigned hexadecimal number
  __dec         signed decimal number
  __sbin        signed binary number
  __soct        signed octal number
  __shex        signed hexadecimal number
  __udec        unsigned decimal number
  __float       floating point
  __char        character
  __segm        segment name
  __enum()      @0:1743[enumeration member (symbolic constant)]
  __off         offset expression (a simpler version of __offset)
  __offset()    @0:1744[offset expression]
  __strlit()    @0:1745[string]
  __stroff()    @0:1746[structure offset]
  __custom()    @0:1747[custom data type and format]
  __invsign     inverted sign
  __invbits     inverted bitwise
  __lzero       add leading zeroes
  __tabform()   @0:1748[tabular form]

The following additional keywords can be used in type declarations:

  _BOOL1        a boolean type with explicit size specification (1 byte)
  _BOOL2        a boolean type with explicit size specification (2 bytes)
  _BOOL4        a boolean type with explicit size specification (4 bytes)
  __int8        a integer with explicit size specification (1 byte)
  __int16       a integer with explicit size specification (2 bytes)
  __int32       a integer with explicit size specification (4 bytes)
  __int64       a integer with explicit size specification (8 bytes)
  __int128      a integer with explicit size specification (16 bytes)
  _BYTE         an unknown type; the only known info is its size: 1 byte
  _WORD         an unknown type; the only known info is its size: 2 bytes
  _DWORD        an unknown type; the only known info is its size: 4 bytes
  _QWORD        an unknown type; the only known info is its size: 8 bytes
  _OWORD        an unknown type; the only known info is its size: 16 bytes
  _TBYTE        10-byte floating point value
  _UNKNOWN      no info is available
  __pure        pure function: always returns the same value and does not
                modify memory in a visible way
  __noreturn    function does not return
  __usercall    user-defined calling convention; see above
  __userpurge   user-defined calling convention; see above
  __golang      golang calling convention
  __swiftcall   swift calling convention
  __spoils      explicit spoiled-reg specification; see above
  __hidden      hidden function argument; this argument was hidden in the
                source code (e.g. 'this' argument in c++ methods is hidden)
  __return_ptr  pointer to return value; implies hidden
  __struct_ptr  was initially a structure value
  __array_ptr   was initially an array
  __unused      unused function argument
  __cppobj      a c++ style struct; the struct layout depends on this keyword
  __ptr32       explicit pointer size specification (32 bits)
  __ptr64       explicit pointer size specification (64 bits)
  __shifted     @0:1695[shifted pointer] declaration
  __high        high level prototype (does not explicitly specify
                hidden arguments like 'this', for example)
                this keyword may not be specified by the user but
                IDA may use it to describe high level prototypes
  __bitmask     a bitmask enum, a collection of bit groups

See also

         @0:483[Edit|Functions] submenu.CSyntax error
Configuration file syntax is:
        KeyWord = Value*Illegal keyword in the configuration file&Illegal type of value for the keywordS patch_dbg_byte▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Change a byte in the debugged process memory only
     ea    - linear address
     value - new value of the byte
Returns: 1 if successful, 0 if not
Thread-safe function (may be called only from the main thread and debthread)

success patch_dbg_byte(long ea, long value);
É get_db_byte▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Get one byte (8-bit) of the program at 'ea' from the database
even if the debugger is active.
     ea - linear address
returns: byte value. If the byte has no value then 0xFF is returned.
If the current byte size is different from 8 bits, then the returned value
may have more 1's.
To check if a byte has a value, use @0:178[is_loaded](ea)

long get_db_byte(long ea);              // get a byte at ea
]WRAP
Load C header ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: LoadHeaderFile
 Current hotkey: @<LoadHeaderFile>

This command allows you to apply type declarations from a C header file
to the program.

IDA reads and parses the specified header file as a C compiler does.
In other words, it mimics the front-end of a C compiler with some restrictions:

        - only type declarations are allowed. The function definitions
          in the input file are skipped
        - not all C++ header files are not supported, only simple classes can
          be parsed
        - the compiler specific predefined macros are not defined,
          you have to define them manually in the header file

Don't forget to specify the compiler and memory model in
the @0:1354[compiler setup] dialog box before loading a header file.

All type declarations found in the input file are stored in the current
database in the form of a type library. These type declarations can be used
to define new structure and enumeration definitions by pressing "Add standard structure"
or "Add standard enum" buttons in the
@0:501[Add enum type...] and
@0:491[Add struct type...]
dialog boxes.

In the case of an error in the input file, the error messages appear in
the message window. In any case, the function declarations that are already parsed
are not deleted from the database.
IDA stops parsing the input file when 20 errors occur.

IDA 7.7 introduced an
@0:1728[alternative header file parser]
based on libclang.

See also @0:430[Load... submenu] commands.
         @0:1259[Local types window]
         @0:1728[IDAClang plugin]ÕWRAP
Problem: Failed to trace the value of the stack pointer ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        The value of the stack pointer at the end of the function is different
        from its value at the start of the function. IDA checks for the
        difference only if the function is ended by a "return" instruction.
        The most probable cause is that stack tracing has failed.
        This problem is displayed in the disassembly listing with
        the "sp-analysis failed" comment.

 What to do:
        1. Examine the value of @0:489[stack pointer] at various
           locations of the function and try to find out why the stack tracing
           has failed. Usually, it fails because some called function changed the
           stack pointer (by purging the input parameters, for example)
        2. If you have found the offending function, @0:485[change] its
           attributes (namely, number of bytes purged upon return).
        3. Another way is to specify manually how the stack pointer is
           modified. See @0:489[Change stack pointer] command
WRAP
Comments Dialog ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command changes the look of the disassembly comments.
Here you can change the values of the following checkboxes/input fields:

Comment indention

        You can change indention of comments:

                mov ax, bx                      ; this is a comment
        <-------------------------------------->
                       indention

        @0:419[IDA.CFG] parameter: COMMENTS_INDENTION

Display of 'suspicious' marks

        This option enables or disables @0:606[suspicious] marks display.
        Usually the suspicious marks are disabled because IDA displays the suspicious
        operands in red/orange anyway.

        @0:419[IDA.CFG] parameter: SHOW_SUSPICOUS

Display of empty lines

        This option enables or disables the presence of the autogenerated
        empty lines in the disassembly. It could be useful to decrease
        the number of the blank lines on the screen increasing amount
        of information on it.

        @0:419[IDA.CFG] parameter: SHOW_EMPTYLINES

Display of basic blocks

        This option enables or disables the presence of the autogenerated
        empty lines at the end of basic blocks in the disassembly.

        @0:419[IDA.CFG] parameter: SHOW_BASIC_BLOCKS

Display borders between data/code

        This command enables or disables the presence of the autogenerated
        border lines in the disassembly. It could be useful to decrease
        the number of the blank lines on the screen increasing amount
        of information on it. A border line looks like this:

         ;---------------------------------------------------------

        Note that you can hide a particular border by using @0:535[hide border] command.

        @0:419[IDA.CFG] parameter: SHOW_BORDERS

Display comments

        If this option is disabled, IDA will not show any comments.

Display repeatable comments

        This command enables or disables the @0:480[repeatable comments] display.

        @0:419[IDA.CFG] parameter: SHOW_REPEATABLE_COMMENTS

Display auto comments

        Autocomments are predefined comments for all instructions.
        If you forgot the meaning of a certain instruction, you can use
        this command to get comments to all lines of the screen.

        IDA does not give comments to very simple instructions such as
        'mov' instruction and does not override existing comments.

        @0:419[IDA.CFG] parameter: SHOW_AUTOCOMMENTS

Display source lines

        This options controls the presence of the source line number
        information in the disassembly. Some object files have this
        information.

        @0:419[IDA.CFG] parameter: SHOW_SOURCE_LINNUM

Display try block lines

       This option controls the display of the try block information
       in the disassembly.

       @0:419[IDA.CFG] parameter: SHOW_TRYBLOCKS

See also @0:604[Options] submenu.çWRAP
Duplicate a structure type ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: CopyStruct
 Current hotkey: @<CopyStruct>

This command duplicate the current structure type.
The new structure type will have the same members as the current one
but its name will be autogenerated (something like struc_333)

By default the new structure type will be placed after the current
structure type.

See also @0:490[Edit|Structs] submenu.
®Miscellaneous Options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Editor

        A text editor is to be used when the user decides to edit an
        IDC script using the IDC toolbar.

Navigation band refresh interval (milliseconds)

        Specifies how often the navigation band will be refreshed.
        IDA tries to minimize the number of redrawings because they
        could be really time and processor consuming (imagine
        a huge program, 50-100 megabytes of code. it would
        take a long time to refresh information on the navigation
        band because the whole program will be examined to
        determine how to draw the band). If this option is set to 0,
        the navigation band is refreshed only when the cursor is
        moved far enough to reflect its movement on the band.

Convert already defined bytes

        Determines how IDA should behave when user operations
        would end up redefining some already-defined bytes

Associate .IDB file extension with IDA

        Whether or not the .IDB extension should be associated,
        at the OS-level, with IDA

Enable autocomplete in forms

        Determines whether input fields should provide an auto-complete
        combo box by default

Output files encoding

       The encoding used to generate output text files from IDA
       The value '<default>' means that the IDB's default 8 bit-per-unit
       encoding will be used.
WRAP
Load Additional Binary File  ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Below is the description of dialog box fields:

 Load segment    - The paragraph where the file will be loaded.
 Load offset     - Specifies offset of the first byte from the start of
                   the first segment. For example, if load offset=0x2700
                   and load segment=0x1000, the first byte of the file will
                   be at 1000:2700, or in linear addressing, 0x12700.
 File offset     - Offset in the input file to load bytes from.
 Number of bytes - Number of bytes to load from the file.
                   0 means load as many as possible.
 Create segments        - If not checked, IDA does not create segments.
 Code segment           - If checked, IDA creates a code segment.
                          relevant for processors which have different
                          code/data segment addressing schemes (for
                          example, Atmel AVR).
«WRAP
Find all suspicious operands ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: FindAllSuspicious
 Current hotkey: @<FindAllSuspicious>

This command searches for all suspicious operands and presents a list of them.
You may use this list to examine the operands and modify them as needed.

 See also @0:569[suspicious operands]
          @0:568[Search] submenu
#WRAP
Load PDB debug information file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: LoadPdbFile
 Current hotkey: @<LoadPdbFile>

This command loads a PDB file.

If the program being disassembled has a companion PDB file, then
this command may be used to load information from the PDB file into the
database.

By default IDA uses in-house code to parse and load PDB files. However, our
code can not parse old v2.0 PDB files. For them, IDA can fall back to using
Microsoft DLLs (the default is "do not fall back"). Please read more
in cfg/pdb.cfg.

Command line switch '-Opdb:option1:option2' overrides for ida session the value in cfg/pdb.cfg.

List of options▄

  off    : disable PDB
  pdbida : uses Hex-rays in-house code to parse and load PDB files.
  msdia  : uses Microsoft DLLs to parse and load PDB files.
           only available on Windows, for Linux/Macos you need to configure
           win32_remote.exe or win64_remote64.exe server in cfg/pdb.cfg
  fallback   : fallback from pdbida to msdia for the old 2.0 format
  nofallback : no fallback to msdia

Example▄

  -Opdb:off

Ida will not load PDB plugin for this session.

See also▄
        @0:430[Load... submenu] commands.
        @0:1457[Debugger module list] command.o1Environment variables ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The following environment variables are used by IDA:

TMP or TEMP     Specifies the directory where the temporary files will
                be created.
                Default: C:\TEMP

EDITOR          The name of the preferred text editor.

IDALOG          Specifies the name of the log file. Everything appearing
                in the message window will be dumped there.
                Default: none

IDALOG_SILENT   Suppress all output to the message window.
                If the IDALOG variable is set, messages will continue to
                be written to the log file. Otherwise, they will be lost.

IDADIR          Specifies the IDA directory.
                Default: the directory where IDA executable is located

IDA_LOADALL     The selected loader will load all segments without asking

IDAUSR          Specifies the directory for user-specific settings.
                Default: Windows:  %APPDATA%/Hex-Rays/IDA Pro
                         Linux:    $HOME/.idapro
                         Mac OS X: $HOME/.idapro

                This variable can contain multiple paths, in which case they must
                be separated by the platform's path separator character (i.e., ';'
                on Windows, and ':' on Linux & Mac OS X.)

          NOTE: Using %IDAUSR% for loading plugins.

                %IDAUSR% will be considered when scanning for plugins: for
                each directory component of %IDAUSR%, IDA will iterate on
                files in its "plugins" subdirectory, in alphabetical order.

                Plugins with the same case-insensitive file name (without
                extension) are considered to be duplicates and are ignored;
                only the first plugin with a given name will be considered.
                Thus, let's say %IDAUSR% is set to "C:\my_idausr", and a file
                "C:\my_idausr\plugins\DWARF.py" exists, then
                "C:\my_idausr\plugins\DWARF.py" will be picked up first while
                "%IDADIR%\plugins\dwarf.dll" will be considered conflicting,
                and thus ignored.

                In addition, in each directory, IDA first looks for plugins
                with the native extension (e.g., ".dll" on Windows) and only
                then looks for files with extensions corresponding to
                extension languages (e.g., ".idc", ".py", ...)
                Consequently if two files, say "foo.dll" and "foo.py", are
                present in the same directory, "foo.dll" will be picked first,
                and "foo.py" will be considered conflicting, and thus ignored.

          NOTE: Using %IDAUSR% for overriding configuration.

                %IDAUSR% will be considered when looking for configuration
                files, after the config file found in %IDADIR%\cfg has been
                read.

                After %IDADIR%\cfg\<filename> has been read & applied, for
                each directory component of %IDAUSR%, IDA will look for
                cfg/<filename> in it, and, if found, read & apply its
                contents as well.

                This enables users to have their own small, fine-tuned
                configuration files containing just the bits they wanted to
                override, stored in one (or more) folder(s) of their choosing.

          NOTE: Using %IDAUSR% for specifying themes

                %IDAUSR% will be considered when scanning for themes: for
                each directory component of %IDAUSR%, IDA will iterate on
                subdirectories in its "themes" subdirectory.

          NOTE: Using %IDAUSR% for providing additional loaders, processor
                modules, .til files, .sig and .ids files

                %IDAUSR% will also be considered when building the list of
                existing loaders, processor modules, .til, .sig and .ids files.
                The following directories will be inspected:
                       %IDAUSR%\loaders
                       %IDAUSR%\procs
                       %IDAUSR%\til\<arch-name>
                       %IDAUSR%\sig\<arch-name>
                       %IDAUSR%\ids\<platform-name>

IDA_MINIDUMP    (Windows only) If IDA crashes, it creates a minidump file with
                the MiniDumpWrite(). Use this environment variable to specify
                MiniDump flags (a combination of MINIDUMP_TYPE flags as a
                hexadecimal number).
                If set to "NO", IDA will not write a dump.

IDA_MDMP_INIT   (Windows only) Let IDA load dbghlp.dll on startup so it is
                used for crash dump file generation in case of a crash. If
                not set, IDA will load dbghlp.dll dynamically (if needed).
                Using this option may cause the Windbg debugger plugin to
                malfunction in case its dbghlp.dll does not match the one
                loaded by IDA.

IDA_NOEH        If set, disable IDA's own exception handler and let all
                possible crashes to be handled by the OS or active debugger.
                It is useful if you're debugging a crash in a plugin or
                processor module.

IDAIDS          Specifies the directory with the IDS files.
                Default: %IDADIR%\IDS

IDASGN          Specifies the directory with the SIG files.
                Default: %IDADIR%\SIG

IDATIL          Specifies the directory with the TIL files.
                Default: %IDADIR%\TIL

IDAIDC          Specifies the directory with the IDC files.
                Default: %IDADIR%\IDC

IDA_LIBC_PATH   Useful only on Android remote host. Specifies the exact
                path to the system libc.so

IDA_SKIP_SYMS   Useful only on Linux host. Turns off loading of
                exported symbols for the main executable file at the start
                of a debugging session

IDA_NONAMES     Disables the name resolution

IDA_NO_HISTORY  Disables updating file history

IDA_NORELOC     Disables processing of the relocation information
                for some file formats

IDA_NOEXP       Disables processing of the export information
                for some file formats

IDA_NOTLS       Disables processing of the TLS entries for some file formats

H8_NOSIZER      Disables the display of the operand sizes for H8 module

IDA_LOADALL     Load all segments of the input file without further
                confirmations

IDA_DEBUGBREAKPROCESS (Windows only) IDA debugger will use the
                DebugBreakProcess() API to break into the process. Otherwise
                it will instead attempt to set temporary breakpoints for
                all threads.

IDA_NO_REBASE   IDA Debugger will not rebase the program when debugging.
                (This will be in effect even if the debugger plugin implements
                the rebase_if_required_to callback)

IDABXPATHMAP    Variables related to the Bochs debugger.
IDABXENVMAP     See plugins/bochs/startup.* for more details.

IDA_NOWIN       (Text MS Windows version only)
                Bypass the code trying to find out the foreground window.
                This code causes problems under WINE.

IDA_DONT_SWITCH_SCREENS
                (text version only)
                Tells IDA to keep only one screen even during local
                debugging sessions. For local debugging sessions,
                IDA keeps by default one screen for the
                debugged application and one screen for itself.

IDA_NOAUTOCOMP  Do not autodetect compiler for name demangling.
                If this variable is absent and the current compiler
                is one of MS, Borland and Watcom, the compiler
                is autodetected.

IDA_ELF_PATCH_MODE Overrides patch mode for the new ELF files.
                If this variable is defined, it must contain a number.
                Each bit of this number corresponds to an option from the
                following list:

   0: Replace PIC form of 'Procedure Linkage Table' to non PIC form
   1: Direct jumping from PLT (without GOT) regardless of its form
   2: Convert PIC form of loading '_GLOBAL_OFFSET_TABLE_[]' of address
   3: Obliterate auxiliary bytes in PLT & GOT for 'final autoanalysis'
   4: Natural form of PIC GOT address loading in relocatable file
   5: Unpatched form of PIC GOT references in relocatable file
   6: Mark 'allocated' objects as library-objects (MIPS only)

IDA_DYLD_SHARED_CACHE_SLIDE Mach-O loader: specify the dyld shared
                cache image ASLR slide value (hexadecimal) or
                'search' for automatic detection.
                If not set, slide is assumed to be 0 (unslid image).

The following variables are used to fine-tune the Linux version of IDA:

TVLOG    the name of the log-file
         if it is not defined, use syslog with LOG_WARNING priority

TERM     the terminal definition (see terminfo)

TVHEADLESS disable all output (for i/o redirection)
         if this variable defined, the TVOPT variable is ignored
         This environment variable also works also in graphical versions of
         IDA. When set, the graphical interface will not restore desktops,
         toolbars or show the main window.

TVOPT    the enduser flags. Has many subfields delimited by commas ','.
     noX11   - when libX11.so is not compatible
     noGPM   - when libgpm.so is not compatible
     ansi    -
          OR
     mono    - when the terminfo data of your display does not declare
               it as having the ANSI-color support
     ign8    - ignore '8bit as meta key' in the terminfo description
     xtrack  - if your xterm-emulator in telnet client does not support
               mode 1002 (only 1000), set this flag
     alt866  - do not encode pseudographic symbols (for the console with
               alt-font loaded)
     cyrcvt= - cyrilic conversion (oem/koi8r).
               possible values are:
       linux   - for linux russian users and PuTTY (in/out koi8r)
       kwin    - output in koi8 and input in cp1251 - any telnet
       windows - for many telnet and any linux users (in/out 1251)

 Client name | Terminal   | TVOPT  | Client settings
 ------------|------------|--------|---------------------------------------
             |            |        |
 SecureCRT   |xterm-scokey| xtrack | Emulation->Terminal: xterm,
             |            |        | Emulation->keyboard: either the
             |            |        |   built-in keyboard, either custom
             |            |        |                  'xt-sco.key' file
             |            |        | Advanced->Terminaltype: xterm-scokey
             |            |        |
 SecureCRT   |   xterm    | xtrack | Emulation->Terminal: xterm+internal kbd
             |            |        |
             |            |        |
 Putty       |xterm-scokey|   -    | Terminal,Keyboard: Control?, Standard,
             |            |        |                    SCO, Normal, Normal
             |            |        |
 Putty       |   xterm    |   -    | Terminal,Keyboard: ControlH, Standard,
             |            |        |                    ~num, Normal, Normal
             |            |        |
 Console     |   linux    |   -    | default
             |            |        |
 X11:xterm   |   xterm    |   -    | default

We recommend to use the 'xterm-scokey' terminal type for remote clients.

When the terminal type is xterm-scokey, add  the following string
to /etc/inputrc (or to ~/.inputrc):

"\e[.": delete char

When working on the console without GPM installed, append "noGPM" to TVOPT.

Russian users should append the following settings to the above:

                  | _APPEND_  TO TVOPT  | _APPEND_ TO Client Settings
 -----------------|---------------------|----------------------------
 Console          | alt866,cyrcvt=linux |
                  |                     |
 X11              | cyrcvt=linux        |
                  |                     |
 Putty            | cyrcvt=linux        | Window,Translation: use font in
                  |                     |           both ANSI and OEM modes
                  |                     |
 SecureCRT        |                     |
   with koi8font  |                     |
    and kbd-hook  | cyrcvt=linux        |
    with koi8font | cyrcvt=kwin         |
   with ANSI-font | cyrcvt=windows      |
                  |                     |
    The best settings for russian users on the console are:
         setfont alt-8x16.psf.gz -m koi2al
         loadkey ru-ms.map
         export TVOPT=cyrcvt=linux,alt866

¿WRAP
Display function flow chart ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: GraphFunc
 Current hotkey: @<GraphFunc>

This command displays the flow chart of the current function.

The colored edges of the flow chart represent the outcome of
conditional jump instructions. Green means that the condition
is satisfied, red means not satisfied.

See also @0:1378[View|Graphs] submenu.©WRAP
Display function call graph ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: CallFlow
 Current hotkey: @<CallFlow>

This command displays the graph of all function calls in the program.

The functions are represented as nodes. The calls are represented as
edges between nodes. Instructions outside functions are ignored.

See also @0:1378[View|Graphs] submenu.WRAP
Graphs submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Here are commands to draw various graphs:

  @0:1376[Display function flow-chart]
  @0:1377[Display function call graph]
  @0:1389[Display chart of xrefs to addresses]
  @0:1390[Display chart of xrefs from addresses]
  @0:1391[Display user-defined chart of xrefs]

IDA uses an external program to display graphs.
The program name is wingraph32.exe and it is located in the
current directory.

The user can change the name of this program using the
GRAPH_VISUALIZER parameter in the @0:419[IDA.CFG] file.

The user can zoom the graph and move it around the window.

See also @0:583[View] submenu.±WRAP
Strings window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenStrings
 Current hotkey: @<OpenStrings>

This command opens the string window.

The string window contains all strings in the program. However, if a range
of addresses was selected before opening the window, only the selected
range will be examined for strings.

You can setup the list parameters by right-clicking
(or pressing Ctrl-U in the text version) on the list.

The list always contains strings defined in the program regardless
of the settings in this dialog box, but the user can ask IDA to display
strings not yet explicitly defined as strings.

The following parameters are available:

Display only defined strings

        If checked, IDA will display only strings explicitly marked
        as string items (using the @0:454[create string literal] command).
        In this case, the other checkboxes are ignored.

Ignore instructions/data definitions

        If checked, IDA will ignore instruction/data definitions
        and will try to treat them as strings. If it can build a string
        with the length greater than the minimal length, the string
        will be displayed in the list.
        This setting is ignored if 'only defined strings' is on.

Strict ASCII (7-bit) strings

        If checked, only strings containing exclusively 7-bit characters
        (8th bit must be zero) will be added to the list. Please note that
        the user can specify which characters are accepted in the strings
        by modifying the StrlitChars parameter in the @0:419[ida.cfg] file.
        This setting is ignored if 'only defined strings' is on.

Allowed string types

        Allows the user to specify the string types included in the list.
        This setting is ignored if 'only defined strings' is on.

Minimal string length

        The minimal length the string must have to be added to the list.


See also @0:1356[View|Open subviews] submenu.AWRAP
Convert operand to floating point number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpFloat
 Current hotkey: @<OpFloat>

This command makes the current operand type floating point.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:1382[Edit|Operand types|Number] submenu.¸WRAP
Edit|Operand types|Offset submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 @0:467[Convert operand to offset (data segment)]
 @0:468[Convert operand to offset (code segment)]
 @0:469[Convert operand to offset (any segment)]
 @0:470[Convert operand to offset (user-defined base)]
 @0:472[Convert operand to struct offset]

See also @0:458[Edit|Operand types] submenu.ÝWRAP
Edit|Operand types|Number submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 @0:460[Convert operand to number]
 @0:461[Convert operand to hex number]
 @0:462[Convert operand to decimal number]
 @0:464[Convert operand to octal number]
 @0:463[Convert operand to binary number]
 @0:1380[Convert operand to floating point number]
 @0:1510[Toggle leading zeroes]

See also @0:458[Edit|Operand types] submenu.WRAP
Function calls window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenCallers
 Current hotkey: @<OpenCallers>

This command opens the function calls window.

All functions who call the current function are displayed at
the top of the window.

All functions called from the current function are displayed at
the bottom of the window.

The list is automatically refreshed when the cursor is moved
to another function.

See also @0:1356[View|Open subviews] submenu.£WRAP
Notepad ▄
 ▀▀▀▀▀▀▀▀

 Action    name: OpenNotepad
 Current hotkey: @<OpenNotepad>

Opens a notepad window for the general notes about the
current database. The entered notes will be saved in the current database.

Alt-T hotkey can be used to search for a text and Ctrl-T to repeat the last search.

The notepad is available only in the GUI version.

See also @0:1356[View|Open subviews] submenu.[WRAP
Arrows window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

In the graphical version, there is a small window with arrows on the
left of the disassembly. These arrows represent the execution flow,
namely the branch and jump instructions.
The arrow color can be:

        - red: means that the arrow source and destination do not
        belong to the same function. Usually, the branches are
        within functions and the red color will conspicuously
        represent branches from or to different functions.
        - black: the currently selected arrow. The selection
        is made by moving to the beginning or the end of the
        arrow using the Up or Down keys or left-clicking on the arrow
        start or the arrow end. The selection is
        not changed by pressing the PageUp, PageDown, Home, End keys or using
        the scrollbar. This allows to trace the selected arrow far away.
        - grey: all other arrows

The arrow thickness can be:

        - thick: a backward arrow. Backward arrows usually represent
        loops. Thick arrows represent the loops in a clear and
        notable manner.
        - thin: forward arrows.

Finally, the arrows can be solid or dotted. The dotted arrows
represent conditional branches when the solid arrows represent
unconditional branches.

You can resize the arrows window using a vertical splitter or even fully hide it.
If it is hidden, the arrows window will not be visible on the screen but you
can reveal it by dragging the splitter to the right. IDA remembers the current arrow
window size in the registry when you close the disassembly window.
ÎWRAP
Highlighting identifiers ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

In the graphical version, IDA highlights the identifier under the cursor.
For example, if the cursor is on the "EAX" register, then all occurrences of "EAX"
will be displayed with the yellow background. This feature is meant to
make the program analysis easier by highlighting the interesting parts of
the disassembly. For example, if the user wants to see all references to "EAX",
he just clicks on any "EAX" on the screen and all of them will be highlighted.

The selection is made by pressing the Up, Down, Left, Right keys or
by simply clicking on the identifier.

The selection is not changed by pressing the PageUp, PageDown, Home, End keys, using
the scrollbar, or pressing the Alt-Up, Alt-Down, Ctrl-Up, Ctrl-Down keys.

The Alt-Up and Alt-Down keys perform a search of the currently selected identifier
backward or forward respectively.

The Ctrl-Up and Ctrl-Down keys scroll the disassembly text.

IDA does not highlight the segment names at the line prefix because
it is not very useful.

It is possible to turn off the highlight. The appropriate checkbox is in
the @0:1304[Options, General, Browser] tab.
QWRAP
Hide all items▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: HideAll
 Current hotkey: @<HideAll>

This command allows you to hide:

  - all functions and hidden ranges if invoked in the disassembly window
  - all structures if invoked in the structures window
  - all enums if invoked in the enums window

IDA will display only the header of the hidden items.

If you want to see hidden items on the screen, you may use
@0:600[unhide] command or @0:601[enable]
the display of the hidden items.

See also @0:1388[Unhide all] command.

See also @0:583[Edit|View] submenu¯WRAP
Unhide all items▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: UnhideAll
 Current hotkey: @<UnhideAll>

This command allows you to unhide:

  - all segments, functions, and hidden ranges if invoked in
    the disassembly window
  - all structures if invoked in the structures window
  - all enums if invoked in the enums window

See also @0:1387[Hide all] command.

See also @0:583[Edit|View] submenuÕWRAP
Display chart of xrefs to addresses ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ChartXrefsTo
 Current hotkey: @<ChartXrefsTo>

This command displays the graph of code and data xrefs to
current address/range of selected addresses in the program.

The addresses are represented as nodes. The xrefs are represented as
edges between nodes.

See also @0:1378[View|Graphs] submenu.)WRAP
Display chart of xrefs from addresses ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ChartXrefsFrom
 Current hotkey: @<ChartXrefsFrom>

This command displays the graph of code xrefs from the
current address/range of selected addresses in the program.

In this direction, data xrefs aren't analyzed to avoid overloaded graphs.

The addresses are represented as nodes. The xrefs are represented as
edges between nodes.

See also @0:1378[View|Graphs] submenu.WRAP
Display used-defined chart of xrefs ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ChartXrefsUser
 Current hotkey: @<ChartXrefsUser>

This command displays a user-defined graph of xrefs from/to the
current address/range of selected addresses in the program.

The direction of the xrefs to analyze can be chosen.
If the Recursive flag is checked, all found xrefs are themselves
analyzed to find new xrefs.
You can choose to search for xrefs to new referenced addresses
only in the current direction.
Only External, data xrefs, xrefs from library functions and to
library functions can possibly be ignored.

A recursion depth can be specified.
If 'Print recursion dots' is checked, and a function has others xrefs
outside of the range defined by the 'recursion depth' setting, small
nodes containing dots are printed.

The 'Print comments' flag causes the generated function node to also
contain the function comment.

The addresses are represented as nodes. The xrefs are represented as
edges between nodes.
The used colors are the same as in IDA.

See also @0:1378[View|Graphs] submenu.WRAP
Create a new structure from current data▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: CreateStructFromData
 Current hotkey: @<CreateStructFromData>

This command defines a new structure from data already defined.
The new structure is created with adequate data types, and each member
uses the current data name if it is available.

This command is available only in the graphical version of IDA.

See also @0:490[Edit|Structs] submenu.
pWRAP
Jump to the specified file offset ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpFileOffset
 Current hotkey: @<JumpFileOffset>

IDA will ask you for a target file offset. This command jumps to the address
corresponding to this specified file offset.
If this file offset corresponds to a valid address then:

  - the current address is saved in the @0:542[jump stack].
  - the cursor is positioned to the corresponding address.

The @0:539[Jump back] command (usually Esc) will return you back.

See also

         @0:543[Jump] submenu
MWRAP
Del hidden range ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DelHiddenRange
 Current hotkey: @<DelHiddenRange>

This command allows you to delete a hidden range of disassembly
(previously defined by using the @0:599[hide] command).

See also @0:599[hide] command.

See also @0:583[Edit|View] submenuLWRAP
Debugger submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Here are the debugger commands:

  @0:1396[Debugger window]
  @0:1443[Tracing submenu]
  @0:1423[Thread list]
  @0:1457[Module list]
  @0:1397[Start process]
  @0:1452[Attach to process...]
  @0:1398[Process options]
  @0:1399[Pause process]
  @0:1400[Terminate process]
  @0:1453[Detach from process]
  @0:1470[Take memory snapshot]
  @0:1697[Manual memory regions]
  @0:1401[Step into]
  @0:1402[Step over]
  @0:1442[Run until return]
  @0:1403[Run to cursor]
  @0:1471[Set current ip]
  @0:1472[Show application screen]
  @0:1454[Breakpoints]
  @0:1272[Source view]
  @0:1325[Watch view (source level)]
  @0:1455[Watches (assembler level)]
  @0:1443[Tracing]
  @0:1413[Debugger options]
  @0:1461[Switch debugger...]

See also

  @0:428[Menu Bar]
  @0:1463[How to launch remote debugging]
  @0:1078[Debugger for macOS]
  @0:1329[Debugger for Bochs]
  @0:1335[Remote GDB debugger]
  @0:1677[Remote iOS debugger]
  @0:1520[WinDbg debugger]
  @0:1639[Replayer debugger]
  @0:1652[PIN Tracer]
  @0:1669[Dalvik debugger]
ÝWRAP
Debugger window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Debugger
 Current hotkey: @<Debugger>

Opens the debugger window.

In this window, you can view the register values for the selected thread.
The debugger always selects the thread where the latest debugging event occurred.

For most registers, we have two different boxes:

       - the first box (on the left) indicates the current value of the register.
         Blue indicates that the value has changed since the last debugging event.
         Purple indicates that the value has been modified by the user.
         A popup menu is available on this control, offering different commands.

       - the second box (on the right) shows the current value of the register,
         interpreted like an address (if possible).

For a segment register, we only have one box indicating the current value.

For the flags register, we have one box indicating the current value,
and small boxes indicating the status of the most important flags.

A popup menu is accessible everywhere in the window, which allows the user to show or
hide different parts of the window: toolbar, thread list and available register classes.

See also @0:1395[Debugger] submenu.ÑWRAP
Start process ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProcessStart
 Current hotkey: @<ProcessStart>

This command starts the process in the debugger.
If the process was suspended, it will continue its execution.

 See also @0:1452[Attach to process...]
          @0:1398[Process options]
          @0:1399[Pause process]
          @0:1400[Terminate process]
          @0:1453[Detach from process]
          @0:1395[Debugger] submenu.>WRAP
Process options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetupProcess
 Current hotkey: @<SetupProcess>

This dialog box allows to specify different settings related to the
process being debugged.

Application

        Host application to launch.
        When the debugging target (== 'input file') is an executable file, this field is equal to the 'input file'.
        If this field is wrong, IDA will not be able to launch the program.
        For remoting debugging, this field denotes a remote file.

Input file

        The input file used to create the database.
        For remoting debugging, this field denotes a remote file.

Directory

        Directory to start the application. If empty, then the current directory
        will be used.
        For remoting debugging, this field denotes a remote directory.

Parameters

        Optional parameters to pass to the debugged application (or the host application)
        when it starts. This field may be empty.
        The standard input/output/error channels can be redirected using
        the bash shell notations. for example: >output 2>&1

Hostname

        If entered, denotes the name of the remote host with the application
        to debug. In this case, a remote IDA server on this host must be launched.
        Click @0:1463[here] to see the list of remote servers.

Port

        The port number of the remote server

Password

        Optional password to protect your server from strangers connecting to
        it and running arbitrary commands. The same password switch must be
        specified on the remote server.

The hostname, port, and password are not available for debuggers connected locally
to the computer.

 See also @0:1397[Start process]
          @0:1395[Debugger] submenu
          @0:1463[How to launch remote debugging]pWRAP
Pause process ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProcessPause
 Current hotkey: @<ProcessPause>

This command pauses a running process.
Please note that it is not always possible to pause a process executing
the system code.

 See also @0:1397[Start process]
          @0:1400[Terminate process]
          @0:1395[Debugger] submenu.YWRAP
Terminate process ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProcessTerminate
 Current hotkey: @<ProcessTerminate>

This command terminates the debugged process.

 See also @0:1397[Start process]
          @0:1399[Pause process]
          @0:1453[Detach from process]
          @0:1395[Debugger] submenu.3WRAP
Step into ▄
 ▀▀▀▀▀▀▀▀▀▀

 Action    name: ThreadStepInto
 Current hotkey: @<ThreadStepInto>

This command executes one assembler instruction at a time,
stepping into functions.

 See also @0:1402[Step over]
          @0:1442[Run until return]
          @0:1395[Debugger] submenu.ÚWRAP
Step over ▄
 ▀▀▀▀▀▀▀▀▀▀

 Action    name: ThreadStepOver
 Current hotkey: @<ThreadStepOver>

This command executes one assembler instruction at a time,
stepping over procedures while executing them as a single unit.

Internally, in the case of a function call, IDA setups a temporary
breakpoint on the instruction following this function call.

 See also @0:1401[Step into]
          @0:1442[Run until return]
          @0:1395[Debugger] submenu._WRAP
Run to cursor ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ThreadRunToCursor
 Current hotkey: @<ThreadRunToCursor>

This command executes instructions until the instruction under  the
cursor is reached.

Internally, IDA setups a temporary breakpoint on the instruction under
the cursor.

 See also @0:1395[Debugger] submenu.WRAP
Breakpoints list ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Breakpoints
 Current hotkey: @<Breakpoints>

Opens the breakpoints window.

In this window, you can view information related to existing breakpoints.
Breakpoints are saved in the database, and restored as soon as possible
(once the memory becomes writeable).

The 'Pass count' column indicates how many times the program needs to hit the
breakpoint before being suspended (0 means "always suspend").

 See also @0:1405[Add breakpoint]
          @0:1406[Delete breakpoint]
          @0:1407[Edit breakpoint]
          @0:1404[Breakpoints] submenu.¸WRAP
Add breakpoint ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: BreakpointAdd
 Current hotkey: @<BreakpointAdd>

This command adds a breakpoint at the current address.
If an instruction exists at this address, an instruction breakpoint is created.
Otherwise, IDA offers to create a hardware breakpoint and allows the user
to @0:1407[edit breakpoint settings]. Hardware breakpoints can be
either real hardware breakpoints or @0:1648[page breakpoints].

 See also @0:1404[Breakpoints list]
          @0:1405[Add breakpoint]
          @0:1406[Delete breakpoint]
          @0:1407[Edit breakpoint]
          @0:1404[Breakpoints] submenu
          @0:1648[Page breakpoints].
lWRAP
Delete breakpoint ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: BreakpointDel
 Current hotkey: @<BreakpointDel>

This command deletes an existing breakpoint at the current address.

 See also @0:1404[Breakpoints list]
          @0:1405[Add breakpoint]
          @0:1407[Edit breakpoint]
          @0:1404[Breakpoints] submenu.oWRAP
Edit breakpoint ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: BreakpointEdit
 Current hotkey: @<BreakpointEdit>

This command opens a dialog box to edit an existing breakpoint.

Location

  The breakpoint location: either an absolute address, a symbol name,
  a module+offset combination, or a source file name and a line number.
  The exact location syntax depends on the breakpoint kind: absolute, module
  relative, symbolic, or source code.

Condition

  This @0:162[IDC] expression will be evaluated each time the breakpoint
  is reached. If the expression returns true (non-zero), the debugger will execute the
  selected actions. Please note that you can use the register names in the
  IDC scripts when the debugger is active. Tests like this are allowed,
  for example: EAX == EBX+5 or get_wide_dword(ESP+0x10) == 34

  You can also use the "..." button to enter a multiline condition, or specify
  another scripting language to use. See @0:1488[here] for
  more info.

Settings

  Enabled:
        If the breakpoint is enabled or disabled. Disabled breakpoints
        are not written to the debugged process.

  Hardware:
        If enabled, IDA will use a hardware breakpoint. The breakpoint
        mode and size must be specified for them (see below).

  Module relative:
        The breakpoint location is stored as a combination of a module
        name and an offset. This kind of breakpoint is useful for
        DLLs that are loaded to various addresses because their addresses
        cannot be calculated in advance. Example: kernel32+0x1234

  Symbolic:
        The breakpoint location is stored as a combination of a symbol
        name and a possible offset. This kind of breakpoint is useful for
        symbols that can be imported from different DLLs because their addresses
        cannot be calculated in advance. Example: myfunc+44

  Source code:
        The breakpoint location is stored as a combination of a source file
        name and a line number. Can be used only if the source code of the
        debugged application is available. Example: myfile.cpp:55

  Low level condition:
        Evaluate the condition on the remote computer. Such conditions are
        faster, especially during remote debugging, because there is no
        network traffic between IDA and the remote computer on each
        breakpoint hit. @0:144[More details]

Actions

  Break:
        Suspend the debugged application

  Trace:
        Add a new entry to the trace log

  Refresh debugger memory:
        By default IDA does not refresh the memory config before evaluating
        a breakpoint condition. This option enables the refresh.
        To refresh it manually, call @0:1214[refresh_debugger_memory]

  Enable tracing:
        Enable tracing when the breakpoint hits. This is different from trace
        breakpoints (where only a new entry is added to the trace log).

  Disable tracing:
        Disable tracing when the breakpoint fires.

  Tracing type:
        @0:1446[Instruction], @0:1447[Function] and @0:1628[Basic block] level tracing types can be selected
        for breakpoints where enable/disable tracing have been selected.

Hardware breakpoint size

        Number of bytes to watch: 1, 2 or 4 bytes for normal hardware breakpoints.
        Any size for @0:1648[page breakpoints].

Hardware breakpoint mode

        The access type the breakpoint will react: read/write, write, execute.

In the case of Intel hardware breakpoints, some limitations are enforced (in contrast with
@0:1648[page breakpoints]).
It is impossible to create more than 4 hardware breakpoints.
The address of the breakpoint must be aligned appropriately:

  - 2-byte breakpoints must be word-aligned.
  - 4-byte breakpoints must be dword-aligned.

Please note that hardware breakpoints occur AFTER the instruction execution
while software breakpoints occur BEFORE the instruction.

Usually, it is easier to use software breakpoints, except if:

  - we want to be sure the memory is not modified by the debugger
  (instruction breakpoints modify the debugged process memory).

  - we want to detect accesses to data bytes.

  - the specified address is write protected (really rare!).

 See also @0:1404[Breakpoints list]
          @0:1405[Add breakpoint]
          @0:1406[Delete breakpoint]
          @0:1488[Breakpoint conditions]
          @0:1404[Breakpoints] submenu
          @0:162[Index of IDC functions]WRAP
Rebase program ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Rebase program
 Current hotkey: @<RebaseProgram>

The whole program will be shifted by the specified amount of bytes in the memory.
The following options are available (we strongly recommend to leave them
turned on):

 Fix up relocations

        This option allows IDA to modify the references
        to/from the relocated segment(s). If it is turned
        off, the references might be wrong after the move.

 Rebase the whole image

        This option is accessible only if the whole program
        is selected. It allows IDA to adjust internal
        variables on the whole program.

Please note rebasing the program might remove user-defined xrefs.

See also @0:506[Edit|Segments] submenu.¥WRAP
Watch list ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: WatchList
 Current hotkey: @<WatchList>

Opens the assembler level watch list window.

In this window you can view memorized watches.
A watch allows the user to continuously see the value of a defined item.

 See also @0:1410[Add watch]
          @0:1411[Delete watch]
          @0:1455[Watches] submenu
          @0:1325[Source level watchies]aWRAP
Add watch ▄
 ▀▀▀▀▀▀▀▀▀▀

 Action    name: AddWatch
 Current hotkey: @<AddWatch>

This command adds a watch at the current address.
The watch is visible in the @0:1409[Watch list window].

 See also @0:1409[Watch list]
          @0:1411[Delete watch]
          @0:1455[Watches] submenu
          @0:1325[Source level watchies](WRAP
Delete watch ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DelWatch
 Current hotkey: @<DelWatch>

This command deletes an existing watch.

 See also @0:1409[Watch list]
          @0:1410[Add watch]
          @0:1455[Watches] submenu
          @0:1325[Source level watchies]ùWRAP
Stack trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: StackTrace
 Current hotkey: @<StackTrace>

Opens the stack trace window.

This window displays the function calls that brought the current instruction.

The top of the Stack Trace window lists the last function called by the program.
Below this is the listing for the previously called functions.
Each line indicates the name of the function which called the function represented
by the previous line.

Double clicking on a line jumps to the exact address of the instruction realizing
this call.

Currently, IDA uses the EBP frame pointer values to gather the stack trace information.
It will fail for functions using other methods for the frame.

 See also @0:1443[Tracing] submenu.{WRAP
Debugger options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetupDebugger
 Current hotkey: @<SetupDebugger>

This dialog box allows to specify different settings related to the debugger.

Events

  - Suspend on debugging start

      If selected, the debugger will suspend directly once the debugging
      starts.

  - Evaluate event condition on exit

      If selected, the debugger will evaluate the event condition immediately
      before closing the debugging session (once we receive PROCESS_EXITED or
      PROCESS_DETACHED event)

  - Suspend on process entry point

      If selected, the debugger will insert a temporary breakpoint
      at the main entry point of the debugged application.

  - Suspend on thread start/exit

      If selected, the debugger will suspend if a new thread starts
      or if an existing thread terminates.

  - Suspend on library load/unload

      If selected, the debugger will suspend if a new library is
      loaded or if a previously loaded library is unloaded.

  - Suspend on debugging message

      If selected, the debugger will suspend if the debugged application
      generates a message destined to the debugger.

Event condition

      When one or more debug events (see above) are checked then this
      option is used to specify a condition. In the following example,
      the debugger will suspend the process whenever a module with the
      name test.dll is loaded:

 get_event_id() == LIB_LOADED && strstr(get_event_module_name(), "test.dll") != -1

Log

  - Segment modifications

      If selected, the debugger will print information regarding
      segment modifications (creation, deletion, or resizing of
      segments) since the last event. Note that the debugger
      doesn't continuously track segment modifications, but detects
      those only if a debugging event occurs.

  - Thread start/exit

      If selected, the debugger will print a message if a new thread
      starts or if an existing thread terminates.

  - Library load/unload

      if Selected, the debugger will print a message if a new library is
      loaded or if a previously loaded library is unloaded.

  - Breakpoint

      If selected, the debugger will print a message if the debugged process
      reaches a breakpoint.

  - Debugging message

      If selected, the debugger will print debugging messages from
      the application.

Options

  - Reconstruct the stack

      If selected, the debugger will try to reconstruct the chain of stack
      frames, based on information available on the stack and in the
      @0:488[function stack variables].

  - Show debugger breakpoint instructions

      If selected, the debugger will show breakpoint instructions inserted
      by the debugger itself. This function is mainly useful if the user
      wants to see the real content of the memory.

  - Use hardware temporary breakpoints

      If selected, IDA will try to use hardware breakpoints for the temporary
      breakpoints used to implement the "step over" and "run to" functionality.
      This feature is useful when debugging read-only or self-modifying code,
      since it does not change the contents of the memory.
      IDA will fall back to software breakpoints if the attempt to set a
      hardware breakpoint fails.

  - Autoload PDB files

      If selected, IDA will invoke the PDB plugin to try to load PDB symbols
      for every new module loaded into process.

  - Set as just-in-time debugger

      If changed from off to on, IDA will try to register itself as a
      just-in-time debugger (invoked by the system in case of application
      crashes) on dialog close.

Edit exceptions

      This button allows the user to @0:1414[setup]
      how the debugger will react to specific exceptions.

Reload exceptions

      This button reloads the exception table from the exceptions.cfg
      file.

 See also @0:1395[Debugger] submenu.WRAP
Exceptions  ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

This dialog box allows to setup how the debugger will react to specific exceptions.
For each exception, two settings can be specified, simply by selecting the desired exception,
and clicking the 'Edit' button in the popup menu.

Suspend program

        Specify whether the debugger will suspend when the exception occurs.
        If 'Passed to' == application and the application handles
        the exception successfully, the execution will not be suspended
        regardless of the 'Suspend' value.

Passed to

        Specify whether the exception will be passed to the application itself
        or handled by the debugger. If the debugged program contains exception
        handling code, it is better to select 'Application'.

Report

  Warn

        Show a warning message with the exception information.

  Log

        Instead of displaying a warning message, log to the output window the exception
        information.

  Silent

        Do not show a warning message nor log to the output window.

For new exceptions being added by the "Insert" command, you have to specify
the exception name and code. These values must be unique, the name cannot be empty, and
the code cannot be zero.

 See also @0:1395[Debugger] submenu.WRAP
Exports window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenExports
 Current hotkey: @<OpenExports>

This command opens the exports window.

You can use @0:427[list viewer] commands in this window.

See also @0:1356[View|Open subviews] submenu.WRAP
Imports window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenImports
 Current hotkey: @<OpenImports>

This command opens the imports window.

You can use @0:427[list viewer] commands in this window.

See also @0:1356[View|Open subviews] submenu.¹WRAP
Debugging with OpenOCD ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Make sure the following line is present in the .cfg file for your target:

 gdb_port 3333

Edit the port number if necessary.
Specify that port in the process options and use the Debugger, Attach command.

Tips:

  Use the @0:1523[GDB command line] to send commands directly to OpenOCD interpreter.

Back to @0:1335[Remote GDB Debugger]$WRAP
Desktops ▄
▀▀▀▀▀▀▀▀▀▀

IDA saves different settings in desktops: the main window configuration,
the toolbars configuration, and the configuration of all database windows.

Different desktops are available:

 <Database>
     this desktop configuration is stored in the database itself,
     and is automatically loaded each time you open this database.
     IDA also automatically saves the current desktop configuration
     to this desktop if you close and save the database.

 <Database debugger>
     this desktop configuration is also stored in the database,
     and is loaded each time you start the debugger.
     As for the <Database> desktop, IDA automatically saves the current
     desktop configuration to this desktop once the debugger stops.

 <Default>
     this desktop configuration is stored in the registry,
     and is loaded each time you start IDA without opening a database,
     or the first time you create a new database.

 <Default debugger>
     this desktop configuration is stored in the registry,
     and is loaded the first time you start the debugger.

  named desktops
     these desktop configurations are stored in the registry,
     and can be loaded manually by the user during the disassembly
     or the debugging.

Notice IDA will use a default configuration for main windows and toolbars
if the screen resolution changed.

See also

         @0:1419[Load desktop...] command
         @0:1420[Save desktop...] command
         @0:1421[Delete desktop...] command
         @0:1422[Reset desktop] command
ÈWRAP
Load desktop ▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This commands show all available desktops (stored in the database or in the registry).
Pressing <Enter> loads the desktop configuration from the selected @0:1418[desktop].
Pressing <Del> deletes the selected @0:1418[desktop].

See also

         @0:1418[Desktops]
         @0:1420[Save desktop...] command
         @0:1421[Delete desktop...] command
         @0:1422[Reset desktop] command6WRAP
Save desktop ▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command saves the current desktop configuration to a @0:1418[desktop].

If you enter a name, IDA saves the current configuration to a named desktop
in the database or registry.

If you select 'Default', IDA saves the current configuration to the <Default>
or <Default debugger> desktop (if the debugger is active) in the registry.

See also

         @0:1418[Desktops]
         @0:1419[Load desktop...] command
         @0:1421[Delete desktop...] command
         @0:1422[Reset desktop] command8WRAP
Delete desktop ▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command deletes a @0:1418[desktop] containing a desktop configuration.

See also

         @0:1418[Desktops]
         @0:1419[Load desktop...] command
         @0:1420[Save desktop...] command
         @0:1422[Reset desktop] commandWRAP
Reset desktop ▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command resets all windows (IDA main window and database windows)
by loading the original IDA disassembly desktop or debugger desktop
(if the debugger is active).

See also

         @0:1418[Desktops]
         @0:1419[Load desktop...] command
         @0:1420[Save desktop...] command
         @0:1421[Delete desktop...] commandâWRAP
Thread list ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Threads
 Current hotkey: @<Threads>

Opens the threads window.

In this window, you can view all the threads of the debugged process.
Double clicking on a thread jumps to its current instruction (available only
if the process has been suspended). Double clicking also changes the current
thread for the hlpHelpDebugger[CPU] window.

The right click brings a popup menu, where you can suspend or resume threads.
The following thread states are possible:

  - Running: the thread is running
  - Ready: the thread is ready to run but the application has been suspended
  - Suspended: the thread has been suspended by the user

 See also @0:1395[Debugger] submenu.@0:417[]
Unknown switch '-%c''@0:141[]
Please enter header file name recalc_spd▄
 ▀▀▀▀▀▀▀▀▀▀▀

Recalculate SP delta for an instruction that stops execution.
     cur_ea  - linear address of the current instruction
returns: 1 - new stkpnt is added, 0 - nothing is changed

success recalc_spd(cur_ea);
* loader_input_t.getz▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Read a zero terminated string from the input file
     pos     - file position to read from
     maxsize - maximal size of the string
Returns: a string or 0

string loader_input_t.getz(long pos, long maxsize);
>@0:636[]
Switch '%s' can be used only when loading a new file)Database for file '%s' has been loaded.
WIDA is analysing the input file...
You may start to explore the input file right now.
 process_ui_action▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Invokes an IDA UI action by name
     name    - Name of the command
     flags   - Reserved. Must be zero.
returns: 1-ok, 0-failed

long process_ui_action(string name, long flags);
6You can't disassemble file with such an extension: %sfWRAP
String encodings ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA Qt can display program strings using different encodings. You can
specify default encodings for all strings or override the encoding of a specific
string.

The following encodings can be used:

<default> - the default encoding for this string type (8-bit or 16-bit)

<no conversion> - the string bytes are printed using the current
system encoding (after translating with XlatAsciiOutput array in the @0:419[configuration] file).

Windows codepages (e.g. 866, CP932, windows-1251)

Charset names (e.g. Shift-JIS, UTF-8, Big5)

You can add new encodings to the list using the context menu item Insert (Ins hotkey).

On Linux/OS X, you can run "iconv -l" to see the available encodings. Please note that some
encodings are not supported on all systems.

See also @0:613[Options] submenu. Something is wrong with IDA.KEYR@0:421[]
Sorry, the demo version can't load old databases.
Press F1 for details.eThe demonstration version has expired. Please visit https://www.hex-rays.com to get a newer version.$@0:637[]
Can't find input file '%s'?Database for '%s' already exists. Do you want to overwrite it?YHIDECANCEL
All previous disassembly will be lost. Are you sure you wish to overwrite it?"@0:1465[]
Malformed plugin optionWRAP
FLIRT collision: the function with the given name already exists ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        It means that IDA recognized the function as coming
        from a standard library but there already was another function
        with the same name in the program.

 What to do:
        Examine the function and rename it as you wish.
WRAP
Run until return ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ThreadRunUntilReturn
 Current hotkey: @<ThreadRunUntilReturn>

This command executes assembler instructions and stops on the instruction
immediately following the instruction that called the current function.

Internally, IDA executes each instruction in the current function until
a 'return from function' instruction is reached.

 See also @0:1401[Step into]
          @0:1402[Step over]
          @0:1395[Debugger] submenu.èWRAP
Tracing submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Here are the commands to use the tracing features of the debugger.

  @0:1629[Trace management]
  @0:1444[Tracing window]
  @0:1445[Clear trace]
  @0:1446[Instruction tracing]
  @0:1447[Function tracing]
  @0:1628[Basic block tracing]
  @0:1448[Add write trace]
  @0:1449[Add read/write trace]
  @0:1450[Add execution trace]
  @0:1412[Stack trace]
  @0:1451[Tracing Options]

See also @0:1395[Debugger] submenu.²WRAP
Tracing window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: TracingWindow
 Current hotkey: @<TracingWindow>

Opens the 'Tracing' window.

In this window, you can view some information related to all traced events.
The tracing events are the information saved during the execution of a program.
Different type of trace events are available: @0:1446[instruction tracing events] ,
@0:1447[function tracing events] and @0:1448[write],
@0:1449[read/write] or @0:1450[execution tracing events].

During the execution, the list of traced events is disabled, as it couldn't
be continuously synchronized with the execution without rendering the whole
tracing very slow.

If a '=' character is displayed in the 'Thread' and 'Address' columns, it indicates that the trace event
occurred in the same thread and at the same address as the previous trace event.

 See also @0:1445[Clear trace]
          @0:1446[Instruction tracing]
          @0:1447[Function tracing]
          @0:1628[Basic block tracing]
          @0:1448[Add write trace]
          @0:1449[Add read/write trace]
          @0:1450[Add execution trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.¿WRAP
Clear trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ClearTrace
 Current hotkey: @<ClearTrace>

This command removes all trace events from the @0:1444[Tracing window].
It also removes any loaded trace file used for @0:1634[diffing] against the currently loaded
trace.

 See also @0:1444[Tracing window]
          @0:1634[Diff to binary trace]
          @0:1629[Trace management]
          @0:1446[Instruction tracing]
          @0:1447[Function tracing]
          @0:1628[Basic block tracing]
          @0:1448[Add write trace]
          @0:1449[Add read/write trace]
          @0:1450[Add execution trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.
WRAP
Instruction tracing  ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ToggleTraceInstructions
 Current hotkey: @<ToggleTraceInstructions>

This command starts instruction tracing.
You can then use all the debugger commands as usual: the debugger will save all the
modified register values for each instruction.

When you click on an instruction trace event in the 'Tracing' window,
IDA displays the corresponding register values preceding the execution
of this instruction. In the 'Result' column of the @0:1444[Tracing window], you
can also see which registers were modified by this instruction.
By using this information, you can for example quickly determine which instruction
modified a specific register, or you can even backtrace the execution flow.
Note that the IP register is never printed in the 'Result' column, although it is usually
modified by almost any instruction (except perhaps some prefixed instructions like REP MOVSB, ...).

Internally, the debugger runs the current thread step by step
to properly obtain all the required register values.
This explains why instruction tracing is slower than a normal execution.

 See also @0:1444[Tracing window]
          @0:1629[Trace management]
          @0:1445[Clear trace]
          @0:1447[Function tracing]
          @0:1628[Basic block tracing]
          @0:1448[Add write trace]
          @0:1449[Add read/write trace]
          @0:1450[Add execution trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.WRAP
Function tracing ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ToggleTraceFunctions
 Current hotkey: @<ToggleTraceFunctions>

This command starts function tracing.
You can then use all debugger commands as usual: the debugger will save all
addresses where a call to a function or a return from a function occurred.

Internally, the debugger runs the current thread step by step
to properly detect all function calls and returns.
This explains why functions tracing is slower than a normal execution.

 See also @0:1444[Tracing window]
          @0:1629[Trace management]
          @0:1445[Clear trace]
          @0:1446[Instruction tracing]
          @0:1628[Basic block tracing]
          @0:1448[Add write trace]
          @0:1449[Add read/write trace]
          @0:1450[Add execution trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.WRAP
Add write trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: WriteTraceAdd
 Current hotkey: @<WriteTraceAdd>

This command adds a write trace to the current address.

Each time the given address will be accessed in write mode,
the debugger will add a trace event to the @0:1444[Tracing window].

In fact, write traces are nothing more than breakpoints with special properties: they don't stop
and they simply add a trace event when the breakpoints are reached.

Internally, the debugger will add a hardware breakpoint on the given address,
so all the restrictions for @0:1407[hardware breakpoints] are also valid
for write traces.

 See also @0:1444[Tracing window]
          @0:1629[Trace management]
          @0:1445[Clear trace]
          @0:1446[Instruction tracing]
          @0:1447[Function tracing]
          @0:1628[Basic block tracing]
          @0:1449[Add read/write trace]
          @0:1450[Add execution trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.3WRAP
Add read/write trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ReadWriteTraceAdd
 Current hotkey: @<ReadWriteTraceAdd>

This command adds a read/write trace to the current address.

Each time the given address will be accessed in read or write mode,
the debugger will add a trace event to the @0:1444[Tracing window].

In fact, read/write traces are nothing more than breakpoints with special properties: they don't stop
and they simply add a trace event when the breakpoints are reached.

Internally, the debugger will add a hardware breakpoint on the given address,
so all the restrictions for @0:1407[hardware breakpoints] are also valid
for read/write traces.

 See also @0:1444[Tracing window]
          @0:1629[Trace management]
          @0:1445[Clear trace]
          @0:1446[Instruction tracing]
          @0:1447[Function tracing]
          @0:1628[Basic block tracing]
          @0:1448[Add write trace]
          @0:1450[Add execution trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.ÀWRAP
Add execution trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ExecTraceAdd
 Current hotkey: @<ExecTraceAdd>

This command adds an execution trace to the current address.

Each time the instruction at the given address will be run,
the debugger will add a trace event to the @0:1444[Tracing window].

In fact, execution traces are nothing more than breakpoints with special properties: they don't stop
and they simply add a trace event when the breakpoints are reached.

Internally, the debugger will add a breakpoint instruction at the given address.

 See also @0:1444[Tracing window]
          @0:1629[Trace management]
          @0:1445[Clear trace]
          @0:1446[Instruction tracing]
          @0:1447[Function tracing]
          @0:1628[Basic block tracing]
          @0:1448[Add write trace]
          @0:1449[Add read/write trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.ûWRAP
Tracing options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetupTracing
 Current hotkey: @<SetupTracing>

This dialog box allows you to specify different settings related to the tracing features.


Trace buffer size

  This setting indicates how many tracing events can fit in the trace buffer.
  If the debugger must insert a new event and the buffer is full,
  the oldest tracing event will be removed.
  However, if you specify a size of 0, the buffer size isn't limited.
  Notice that, for example, in the case of an instructions trace,
  all executed instructions could be logged, which would quickly fill
  up the memory!

Trace file

  If a filename is specified, all future traced events will be appended to it.

Trace directory

  The directory were trace files for the current database will be saved. If not
  specified, the IDB directory will be used.

Stop condition

  This @0:162[IDC] expression will be evaluated before the execution
  of each instruction. If the expression returns true, the debugger will
  suspend the execution. Please note that you can use register names in
  the condition.

Tracing

  - Trace over debugger segments

      If selected, the debugger will not go step by step in debugger segments
      (segments not available in the database).

  - Trace over library functions

      If selected, the debugger will not go step by step in library functions.

  Enabling these options will speed up the execution, as many instructions
  (from debugger segments and/or library functions) will not be traced.
  Disabling these options can quickly fill the @0:1444[Tracing window], as all
  instructions in DLLs and system functions will be executed step by step.
  Notice that both options influence the way instruction and function tracings
  will work.
  Internally, the debugger proceeds like this:
  - memorize the return address associated with the last executed call
    instruction in database segments (the previously saved one is overwritten).
  - setup a temporary breakpoint on this address once the IP is in a debugger
    segment or library function, disable step by step, and run the thread.
  - reenable step by step once this temporary breakpoint is reached.

  - Do not log already logged IP

      If selected, already executed instructions will not be logged if
      they are executed again.

  - Skip loops

      If selected, tracing will be temporarily disabled for some loops
      constructs.

Highlight

  - Highlight instructions in IDA views

    If selected, recorded instructions will be displayed in IDA views (disassembly
    views) with a different background color.

  - Main color

    The main background color for traced instructions.

  - Diff color

    The background color for the instructions recorded and being diffed against the
    currently loaded trace.

Instruction tracing

  - Log if same IP

    If selected, the debugger will also log all register modifications occurring
    during the execution of prefixed instructions like REP MOVSB, ...

Function tracing

  - Log return instructions

      If selected, the debugger will also log function returns.
      If disabled, only function calls are logged.

Basic block tracing

  - Log basic block instructions

      If selected, all instructions from the current basic block will be logged
      and displayed in the 'Tracing' window, instead of only the last instruction of
      the basic block.

 See also @0:1444[Tracing window]
          @0:1629[Trace management]
          @0:1445[Clear trace]
          @0:1446[Instruction tracing]
          @0:1447[Function tracing]
          @0:1628[Basic block tracing]
          @0:1448[Add write trace]
          @0:1449[Add read/write trace]
          @0:1450[Add execution trace]
          @0:1443[Tracing] submenu.WRAP
Attach to process ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProcessAttach
 Current hotkey: @<ProcessAttach>

This command displays running processes corresponding to
the disassembled file in the database and allows the user
to choose a process to attach to.

 See also @0:1397[Start process]
          @0:1398[Process options]
          @0:1399[Pause process]
          @0:1400[Terminate process]
          @0:1453[Detach from process]
          @0:1395[Debugger] submenu.µWRAP
Detach from process ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProcessDetach
 Current hotkey: @<ProcessDetach>

This command detaches the debugger from the debugged process.
Note: this command is only available on Windows XP or Windows 2003 Server !

 See also @0:1397[Start process]
          @0:1399[Pause process]
          @0:1400[Terminate process]
          @0:1395[Debugger] submenu.'WRAP
Breakpoints submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Here are the commands to use the debugger breakpoints.

  @0:1404[Breakpoints list]
  @0:1405[Add breakpoint]
  @0:1407[Edit breakpoint]
  @0:1406[Delete breakpoint]

See also @0:1395[Debugger] submenu.WRAP
Watches submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Here are the commands to use the debugger watches (assembler level).

  @0:1409[Watch list]
  @0:1410[Add watch]
  @0:1411[Del watch]

See also @0:1395[Debugger] submenu
         @0:1325[Source level watchies]ÄWRAP
Specify instruction color ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ColorInstruction
 Current hotkey: @<ColorInstruction>

This command allows you to specify the background color for the current
instruction or data item.

Only GUI version supports different background colors.
Specifying a non-defined custom color will reset the instruction color.

See also @0:530[Edit|Other] submenu.íWRAP
Module list ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Modules
 Current hotkey: @<Modules>

Opens the modules window.

This window lists all the modules loaded by the debugged process.
Double click on a module to see the list of its exported names.

The right click menu allows for loading debug information for the current module.
For that, select the "Load debug symbols" command from the popup menu.
If IDA manages to find and load the corresponding debug information file,
it will import all symbols from it into the database. Currently, only @0:1374[PDB]
files are supported. The operation result is displayed in the @0:584[message window].

 See also @0:1395[Debugger] submenu.
          @0:1374[Load PDB files] command.?
 +-------------------------------------------------------------------------+
 |      This file was generated by The Interactive Disassembler (IDA)      |
 |           Copyright (c) 2024 Hex-Rays, <support@hex-rays.com>           |
 | %s |
 +-------------------------------------------------------------------------+

WWRAP
Switch debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SwitchDebugger
 Current hotkey: @<SwitchDebugger>

This command allows the user to select a debugger if there are several debuggers
available for the current database. For example, Window32 program can be debugged
with a remote or a local debugger.
\Credits ▄
 ▀▀▀▀▀▀▀▀

IDA is a complex and multifunctional software.
It contains some third party code with the license requiring to be mentioned in the documentation.
Below is the list:

-------------------------------------------------------------------------------
XML patterns from Ghidra Software Reverse Engineering Framework

@0:1730[Apache License v2.0 for Ghidra XML patterns]

-------------------------------------------------------------------------------
The LLVM Project is under the Apache License v2.0 with LLVM Exceptions:

@0:1731[Apache License v2.0 with LLVM Exceptions]

-------------------------------------------------------------------------------
LZFSE decompressor

Copyright (c) 2015-2016, Apple Inc. All rights reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

1.  Redistributions of source code must retain the above copyright notice,
    this list of conditions and the following disclaimer.

2.  Redistributions in binary form must reproduce the above copyright notice,
    this list of conditions and the following disclaimer in the documentation
    and/or other materials provided with the distribution.

3.  Neither the name of the copyright holder(s) nor the names of any contributors
    may be used to endorse or promote products derived from this software without
    specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.

-------------------------------------------------------------------------------
Minimal LZMA Project (minlzma)

MIT License

Copyright (c) 2020 Alex Ionescu

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

-------------------------------------------------------------------------------
Portions of NDK by Alex Ionescu

The NDK is Copyright ©2005-2012 Alex Ionescu.
GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999


-------------------------------------------------------------------------------
IDAPython plugin by Gergely Erdelyi

Copyright (c) 2004-2008 Gergely Erdelyi <dyce@d-dome.net>. All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.

3. The name of the author may not be used to endorse or promote products
derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.

-------------------------------------------------------------------------------
InfoZIP libraries

  Copyright (C) 1995-2022 Jean-loup Gailly and Mark Adler

  This software is provided 'as-is', without any express or implied
  warranty.  In no event will the authors be held liable for any damages
  arising from the use of this software.

  Permission is granted to anyone to use this software for any purpose,
  including commercial applications, and to alter it and redistribute it
  freely, subject to the following restrictions:

  1. The origin of this software must not be misrepresented; you must not
     claim that you wrote the original software. If you use this software
     in a product, an acknowledgment in the product documentation would be
     appreciated but is not required.
  2. Altered source versions must be plainly marked as such, and must not be
     misrepresented as being the original software.
  3. This notice may not be removed or altered from any source distribution.

  Jean-loup Gailly        Mark Adler
  jloup@gzip.org          madler@alumni.caltech.edu


-------------------------------------------------------------------------------
PCRE2 library: @0:1686[BSD License]

-------------------------------------------------------------------------------
DSP56K analyzer part of DSP56K module

  Copyright (c) 1998 Miloslaw Smyk
  All rights reserved.
  Support for DSP 563xx added by Ivan Litvin

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions
  are met:
  1. Redistributions of source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in the
     documentation and/or other materials provided with the distribution.
  3. All advertising materials mentioning features or use of this software
     must display the following acknowledgement:
       This product includes software developed by Miloslaw Smyk
  4. The name of the author may not be used to endorse or promote products
     derived from this software without specific prior written permission

  THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-------------------------------------------------------------------------------
TVision port to Linux is partially based on modifications
made by Sergio Sigala

  All changes copyright (c) 1997 Sergio Sigala, Brescia, Italy.
  All rights reserved.

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions
  are met:
  1. Redistributions of source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in the
     documentation and/or other materials provided with the distribution.

  THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-------------------------------------------------------------------------------
COIN/Clp library

  Copyright (C) 2002, International Business Machines
  Corporation and others.

  @0:14[Common Public License v1.0]

-------------------------------------------------------------------------------
CCTOOLS package from Apple


  @0:1163[APPLE PUBLIC SOURCE LICENSE]
  Version 2.0 - August 6, 2003

-------------------------------------------------------------------------------
DEX loader and Dalvik processor module use portions of code from
the Android project "libdex":

  Copyright (C) 2008 The Android Open Source Project

  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.

-------------------------------------------------------------------------------
Libdwarf library:

  Copyright (C) 2000,2002,2003,2004,2005 Silicon Graphics, Inc. All Rights Reserved.
  Portions Copyright (C) 2008-2010 Arxan Technologies, Inc. All Rights Reserved.
  Portions Copyright (C) 2009-2011 David Anderson. All Rights Reserved.
  Portions Copyright (C) 2010 SN Systems Ltd. All Rights Reserved.

  This program is free software; you can redistribute it and/or modify it
  under the terms of version 2.1 of the GNU Lesser General Public License
  as published by the Free Software Foundation.

-------------------------------------------------------------------------------
Qt libraries:

  http://doc.qt.io/qt-5/licensing.html

  The source code of Qt used in IDA is available upon request at support@hex-rays.com

-------------------------------------------------------------------------------
MD5 checksum:
 * This code implements the MD5 message-digest algorithm.
 * The algorithm is due to Ron Rivest.  This code was
 * written by Colin Plumb in 1993, no copyright is claimed.
 * This code is in the public domain; do with it what you wish.

-------------------------------------------------------------------------------
SHA256 checksum:
 Copyright (c) 2002, Dr Brian Gladman, Worcester, UK.   All rights reserved.

 LICENSE TERMS

 The free distribution and use of this software in both source and binary
 form is allowed (with or without changes) provided that:

   1. distributions of this source code include the above copyright
      notice, this list of conditions and the following disclaimer;

   2. distributions in binary form include the above copyright
      notice, this list of conditions and the following disclaimer
      in the documentation and/or other associated materials;

   3. the copyright holder's name is not used to endorse products
      built using this software without specific written permission.

 ALTERNATIVELY, provided that this notice is retained in full, this product
 may be distributed under the terms of the GNU General Public License (GPL),
 in which case the provisions of the GPL apply INSTEAD OF those given above.

 DISCLAIMER

 This software is provided 'as is' with no explicit or implied warranties
 in respect of its properties, including, but not limited to, correctness
 and/or fitness for purpose.

-------------------------------------------------------------------------------
AES encryption/decryption (used only to decrypt some input files):
 *  FIPS-197 compliant AES implementation
 *
 *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.

-------------------------------------------------------------------------------
Blowfish encryption/decryption (used only to decrypt some input files):
 *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.

-------------------------------------------------------------------------------
MinHook - The Minimalistic API Hooking Library for x64/x86
Copyright (C) 2009-2017 Tsuda Kageyu.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

================================================================================
Portions of this software are Copyright (c) 2008-2009, Vyacheslav Patkov.
================================================================================
Hacker Disassembler Engine 32 C
Copyright (c) 2008-2009, Vyacheslav Patkov.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-------------------------------------------------------------------------------
Hacker Disassembler Engine 64 C
Copyright (c) 2008-2009, Vyacheslav Patkov.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-------------------------------------------------------------------------------
IDA Floating has the client code for Flexera's Flexnet:
 Copyright (c) 1997-2017 Flexera Software LLC. All Rights Reserved.

-------------------------------------------------------------------------------
inja C++ template engine

MIT License

Copyright (c) 2018-2021 Berscheid

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

-------------------------------------------------------------------------------
 __|  |   __|     |   | |  JSON for Modern C++
|  |  |__   |  |  | | | |  version 3.10.5
|_____|_____|_____|_|___|  https://github.com/nlohmann/json

Licensed under the MIT License <http://opensource.org/licenses/MIT>.
SPDX-License-Identifier: MIT
Copyright (c) 2013-2022 Niels Lohmann <http://nlohmann.me>.

Permission is hereby  granted, free of charge, to any  person obtaining a copy
of this software and associated  documentation files (the "Software"), to deal
in the Software  without restriction, including without  limitation the rights
to  use, copy,  modify, merge,  publish, distribute,  sublicense, and/or  sell
copies  of  the Software,  and  to  permit persons  to  whom  the Software  is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE  IS PROVIDED "AS  IS", WITHOUT WARRANTY  OF ANY KIND,  EXPRESS OR
IMPLIED,  INCLUDING BUT  NOT  LIMITED TO  THE  WARRANTIES OF  MERCHANTABILITY,
FITNESS FOR  A PARTICULAR PURPOSE AND  NONINFRINGEMENT. IN NO EVENT  SHALL THE
AUTHORS  OR COPYRIGHT  HOLDERS  BE  LIABLE FOR  ANY  CLAIM,  DAMAGES OR  OTHER
LIABILITY, WHETHER IN AN ACTION OF  CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE  OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

-------------------------------------------------------------------------------
   Demangler for the Rust programming language
   Copyright (C) 2016-2023 Free Software Foundation, Inc.
   Written by David Tolnay (dtolnay@gmail.com).
   Rewritten by Eduard-Mihai Burtescu (eddyb@lyken.rs) for v0 support.

This file is part of the libiberty library.
Libiberty is free software; you can redistribute it and/or
modify it under the terms of the GNU Library General Public
License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.

In addition to the permissions in the GNU Library General Public
License, the Free Software Foundation gives you unlimited permission
to link the compiled version of this file into combinations with other
programs, and to distribute those combinations without any restriction
coming from the use of this file.  (The Library Public License
restrictions do apply in other respects; for example, they cover
modification of the file, and distribution when not linked into a
combined executable.)

Libiberty is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Library General Public License for more details.

You should have received a copy of the GNU Library General Public
License along with libiberty; see the file COPYING.LIB.
If not, see <http://www.gnu.org/licenses/>.

@0:1742[GNU Lesser General Public License v2.1 for libiberty]
>
WRAP
Remote debugging ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

1. Launch a remote IDA debugger server on the remote host. The remote
server is started from the command line and accepts command line parameters.
You can specify a password if you want to protect your debugger server
from strangers. For example, to launch the server under MS Windows, you could enter:

        win32_remote -Pmy_secret_password

2. Specify the remote debugger parameters in the Debugger, @0:1398[Process options].
The file paths must be valid on the remote host. Do not forget to specify
the same password as you have specified when launching the server. For example,
to debug notepad.exe on the remote computer remote.host.com:

        Application: c:\windows\notepad.exe
        Input file:  c:\windows\notepad.exe
        Directory:   c:\windows
        Hostname:    remote.host.com
        Port:        23946
        Password:    my_secret_password

3. The rest of debugging is the same as with local debugging.

 NOTE

The debugger server can handle one debugger session at once. If you need
to debug several applications simultaneously, launch several servers at different
network ports.

The following debugger servers are shipped with IDA

 File name             Target system         Debugged programs
 ------------------    ------------------    ----------------------------
 android_server        ARM Android           32-bit ELF files
 android_server64      AArch64 Android       64-bit ELF files
 android_x64_server    x86 Android 32-bit    32-bit ELF files
 android_x86_server    x86 Android 64-bit    64-bit ELF files
 armlinux_server       ARM Linux             32-bit ELF files
 armlinux_server64     AArch64 Linux         64-bit ELF files
 linux_server          Linux 32-bit          32-bit ELF files
 linux_server64        Linux 64-bit          64-bit ELF files
 mac_server            Mac OS X              32-bit Mach-O files (x86)
 mac_server64          Mac OS X/macOS 11     64-bit Mach-O files (x64)
 mac_server_arm64      ARM macOS 11          64-bit Mach-O files (arm64)
 mac_server_arm64e     ARM macOS 11          64-bit Mach-O files (arm64e)
 win32_remote.exe      MS Windows 32-bit     32-bit PE files
 win64_remote64.exe    MS Windows 64-bit     64-bit PE files

An appropriate server must be started on the remote computer before
starting a debug session.

 See also @0:1397[Start process]
          @0:1395[Debugger] submenu
          @0:1217[Debugger for Linux]
          @0:1078[Debugger for macOS]
          @0:145[Debugger for Android native code]
          @0:1677[Remote iOS debugger]çWRAP
Reset Hidden Messages ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command resets the state of all questions and messages
the user hid by checking the "Don't show this message again" checkbox.2WRAP
Plugin options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The -O command line switch allows the user to pass options to the plugins.
A plugin which uses options should call the get_plugin_options() function
to get them.

Since there may be many plugins written by independent programmers,
each options will have a prefix -O in front of the plugin name.

For example, a plugin named "decomp" should expect its parameters
to be in the following format:

        -Odecomp:option1:option2:option3

In this case, get_plugin_options("decomp") will return the "option1:option2:option3"
part of the options string.

If there are several -O options in the command line,
they will be concatenated with ':' between them.

List of plugins recognizing '-O' switch

  @0:1476[Conversion options]
  @0:1675[DWARF]
  @0:1478[Golang]
  @0:1760[Find Functions]
  @0:1732[Lumina]
  @0:1687[Objective-C]
  @0:1374[Pdb]
  @0:1477[Rust]
  @0:1479[Swift]
  hexrays : https://hex-rays.com/products/decompiler/manual/batch.shtml

This switch is not available in the IDA Home edition.
}

//------------------------------------------------------------------------
// Information about segmentation

static Segments(void)
{
}

//------------------------------------------------------------------------
// Information about patches

static Patches_%d(void)
{
  auto x;
#define id x

WRAP
Take memory snapshot ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: TakeSnapshot
 Current hotkey: @<TakeSnapshot>

This command copies the contents of the process memory to the database.
It is available during a debugging session.

The memory contents will be copied to the database.
The user may specify that only the segments with the 'loader'
attribute will be saved in the database.

The segments with the loader attribute are created by the
input file loader and usually contain information from the input file.
However, in some cases (like attaching to an existing process),
there will not be any loader segments because the input file was not
loaded by IDA.

To be able to make a partial snapshot in this case and other similar cases,
the user can set or clear the 'loader' attribute of the desired segments
using the
@0:514[edit segment] command.

After applying this command, the user can terminate the debugging
process and continue to analyze the program in the database.

Please note that it is possible to save the database without
taking a memory snapshot. Such a database might be used to keep global
information about the program like the breakpoint information, notes, etc.
However, we recommend to take a memory snapshot of at least the 'loader'
segments because it will allow to save also information about the program
functions, names, comments, etc.

See also @0:1395[Debugger] submenu.qWRAP
Set current ip▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ThreadSetCurrentIp
 Current hotkey: @<ThreadSetCurrentIp>

This command sets the instruction pointer of the current suspended thread
to the current cursor location.

It is accessible only when the debugger is active and the process is suspended.

 See also @0:1395[Debugger] submenu.UWRAP
Show application screen▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowUserScreen
 Current hotkey: @<ShowUserScreen>

This command displays the application screen.

It is useful for the text mode debugger.

When the debugged application runs in the same window as IDA itself,
the application output is hidden by IDA windows. This command allows
to see the application screen in this case.

To return to IDA display, press any key.

This command is available when the application is suspended or finished.

 See also @0:1395[Debugger] submenu. }

static Functions_%d(void)
{
WRAP
Create INC File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceInc
 Current hotkey: @<ProduceInc>

Please enter a file name for the assembler include file. IDA will write
the information about the defined types (structures and enums) to this file.

If some I/O problem (e.g. disk full) occurs during writing
to the file, IDA will stop and a partial file will be created.

Please note that @0:421[demo] version cannot produce assembler
include files.

See also other @0:438[Produce output file] commands.kWRAP
Database conversion from idb to i64▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Historically, there were ida and idat to deal with 32 bits binaries.
Then 64 bits binaries make an appearance to our world and this is how ida64 and ida64 were born.

Hex-rays decided to remove ida, mainly to simplify the product and the code base.
It was done in two steps
- make ida64 fully usable with 32 bits binaries
- offer a tool to migrate dabase from idb (32 bits) to i64 (64 bits) format

Main usage▄

  ida64 foo.idb

This command converts foo.idb to foo.i64 on the fly. The user can immediately
start working with the database.
If foo.i64 already exists, IDA will ask if it should be overwritten or not.
Please note foo.idb is left untouched by the upgrade.

List of the available command line switches▄

  --cvt64 automatically confirms the following question:
        'You passed 32bit IDB file foo.idb to ida64.
        Do you wish to convert it to 64bit database?'

  -Ocvt64 options:
        overwrite=yes/no/ask -yes: overwrite the existing i64 database
                              no: immediately exit if the i64 database exists
                              ask: ask the user what to do if the i64 database exists
                              default: ask
        restart=yes/no/ask  - yes: automatically open the converted database in IDA
                              no: exit after the conversion
                              ask: ask the user if the converted database should be opened
                              default: yes
        privmove=yes/no/ask - move privrange beyond 32bit addrspace after
                              conversion?
                              default: yes, which means to automatically move
                              the privrange to 0xFF00000000000000

Example▄

  idat64 --cvt64 -Ocvt64:overwrite=no:restart=no

This command automatically converts foo.idb and exits at the end of the conversion.
If foo.i64 already exists, the conversion will not be performed.
Since this command uses idat64, it can be used for batch processing.
èWRAP
Rust plugin▄
 ▀▀▀▀▀▀▀▀▀▀▀

The binaries produced by the Rust compiler have some peculiarities which make them difficult to analyze, such as:

  - non-standard calling conventions
  - non-terminated string literals
  - unusual name mangling scheme

By default, Rust plugin is enabled if one of the following condition is true

  - one address is named 'rust_begin_unwind'
  - the string 'rustc-' can be found somewhere in the program
    If the segment '.rodata' exists, the search is limited to this segment

String literal analysis▄

Rust plugin walks to all addresses in segment with name ending in "__const", ".rodata" or ".rdata" and creates string literals on xref

  - on dref, the string literal is set up to the next dref
  - on cref, Rust tries to retrieve length from nearby instructions
    Arm, Risc-V and pc proc module benefit from this

To force the string literal detection:

  idaapi.load_and_run_plugin("rust", 1)


Demangling name▄

Rust plugin also offers the possibility to configure a demangler library for rust.
By default the plugin will use the librustdemangle library that is shipped with IDA.
You can disable this feature in 'Edit>Plugin>Rust language helper' or specify another library to use.

See cfg/rust.cfg for the possible options

List of '-Orust' options▄

  - on  : enable rust plugin for this session of IDA
  - off : disable rust plugin for this session of IDA

Example▄

  -Orust:off

This disable the plugin for this session of Ida.
VWRAP
Golang plugin▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Golang binaries are by default statically linked and full of metadata therefore a lot can be gained from annotating a Golang binary's contents using recovered metadata.

Detection▄

The golang plugin's analysis only happens by default if the input file is detected as a Golang file.
There are multiple mechanisms in place to detect that:

 - if a Golang startup signature matches the entry point (PC-only)
 - if the Golang plugin detects a Golang-specific segment name
 - if the elf loader finds a "Go" note in the input file
 - on PE files: if certain Golang symbol names or a Go build id signature is found

Analysis▄

The metadata parsed by the golang plugin falls under two main categories:

 - function information (e.g. name, package, range) retrieved from the pclntab
 - type information (e.g. name, package, layout, size) retrieved from the typelinks table

The package paths of functions and types are used to create folders.
This analysis will occur upon `ev_newfile` (when a new file has been loaded) if Golang has been detected.

Actions▄

  `golang:detect_and_parse` (Edit>Other)

This action is useful to force a full search of the binary for Golang metadata.
It will first attempt to parse a pclntab at the current address, if this is unsuccessful it will perform a full search of the binary for the pclntab's signature and parse it if found.
In addition, it will also attempt to locate and parse the type information.

Calling Conventions▄

Golang has its own calling convention(s), denoted in IDA as `__golang`.
In fact, Golang has two different calling conventions: a stack-based CC (abi0) and a newer register-based CC (abiinternal).
The version of Golang and thus which calling convention to use will be automatically inferred from metadata structures; It is also controllable through the `force_regabi` command line option.

List of `-Ogolang` options▄

Command line options take precedence over config file options.

  force                         try to force the analysis
                                (no detection step needed)
  off                           disable the plugin
  no_rtypes                     do not import any types
  rname_len2                    force the reflect type name format to go1.17
                                and later (varint encoding: 1-10 bytes)
  rname_len1                    force the reflect type name format to before
                                go1.17 (2 bytes)
  import_lnnums                 recover file names & line numbers from pclntab
  no_func_end_from_pcval_tabs   do not derive a function's end from pclntab
                                metadata
  force_regabi[=on|=off]        override calling convention version
                                 `=off`: will force the stack-based CC
                                 `=on`/no value: will force
                                 the register-based CC

See cfg/golang.cfg for available configuration options.


Examples▄

forcing analysis and register-based calling convention

  -Ogolang:force:force_regabi

disabling the plugin

  -Ogolang:off'WRAP
Swift plugin▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Demangling▄

The swift plugin uses libSwiftDemangle to demangle Swift names.
Note that IDA already had a built-in swift demangler, but it was becoming difficult to maintain. In the long-term we hope to fully deprecate IDA's custom swift demangler in favor of libSwiftDemangle.

However, the new approach still hasn't been fully integrated into IDA, so there may be times when IDA's old swift demangler produces more desirable results.

'cfg/swift.cfg' file presents all the options

'-Oswift' command line switches can be used to enable or disable some plugin options.

List of options▄

  - <demangler_path> : use specific libSwiftDemangle library
  - -d : use the built-in IDA swift demangler (legacy)
  - +d : use libSwiftDemangle swift demangler
  - -m : don't present metadata in nice way
  - +m : present metadata in nice way
  - -e : don't import enumeration types
  - +e : import enumeration types
  - -s : don't import structure types
  - +s : import structure types
  - -v : don't set variable type based on mangled names
  - +v : set variable type based on mangled names
  - -f : don't set function prototype based on mangled names
  - +f : set function prototype based on mangled names
  - -g : don't group functions in folders corresponding to modules
  - +g : group functions in folders corresponding to modules

Examples▄

  -Oswift:-g

Do not group functions into folders.


  -Oswift:/tmp/libSwiftDemangle_custom.dylib

Use /tmp/libSwiftDemangle_custom.dylib as the libSwiftDemangle library.KWRAP
Search for next string with error ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpError
 Current hotkey: @<JumpError>

This commands searches for the 'error' operands.
Usually, these operands are displayed with a red color.

Below is the list of probable causes of error operands:

        - reference to an unexisting address
        - illegal offset base
        - unprintable character constant
        - invalid structure or enum reference
        - and so on...

See also @0:568[Search] submenurWRAP
Find all errors ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: FindAllErrors
 Current hotkey: @<FindAllErrors>

This command searches for all strings containing any error and presents
a list of them.
You may use this list to examine errors and correct them as needed.

 See also @0:1481[string with error]
          @0:568[Search] submenu
-Unloading information about segmentation...
2Unloading information about instructions/data...
}Unloading information about segment registers...

//-------------------------------------------------------------------------IDC execution has been cancelled by the userWRAP
Breakpoint conditions ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

You can use the "Condition" field of the breakpoint properties to enter
an expression which is evaluated when the breakpoint is hit. It can be either
an actual condition or just any valid code in @0:162[IDC]
or another supported scripting language syntax. By using the "..." button, you
can open a multi-line editor for the conditition and switch the scripting language
used for evaluating it.

Expressions

  If you enter an expression, the result will be used to determine whether
  the selected actions are executed. Some examples of IDC expressions:

  Check if EAX is equal to 5:

    EAX==5

  Check if the first argument to the function is 1:

    get_wide_dword(ESP)==1

  Interpret the second argument to the function as a pointer to Unicode string, print it,
  and return 0 (so that the execution continues immediately):

    msg("Filename: %s\n", get_strlit_contents(get_wide_dword(ESP+4), -1, STRTYPE_UNICODE)), 0

  Set EAX to 0 and continue:

    EAX=0,0

Statements

  You can enter several statements in the multi-line editor. If the last one is a 'return' statement,
  it is used as the result of the condition. Otherwise the condition is assumed to return 0.

 See also @0:1404[Breakpoints list]
          @0:1407[Edit breakpoint]
          @0:1404[Breakpoints] submenu
          @0:162[Index of IDC functions]
?Attempt to call a database related function without a databaseShow ~s~trings@0:1379[]
Setup string window

  <~D~isplay only defined strings:C>
  <~I~gnore instructions/data definitions:C>
  <~S~trict ASCII (7-bit) strings:C>>

  Allowed string types
  <~C~ (zero terminated):C>
  <~P~ascal:C>
  <Pascal, ~2~ byte length:C>
  <~U~nicode:C>
  <Pascal, ~4~ byte length:C>
  <Pascal Unicode, 2 byte length:C>
  <Pascal Unicode, 4 byte length:C>>

  <~M~inimal string length:D::5::>

	WRAP
Scattered argument locations ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

On x64 and other processors the compiler sometimes passes structures and
unions partially on registers and partially on the stack. Consider the
following structure:

  #pragma pack(push, 4)
  struct struc_1
  {
    char c1;
    short s2;
    char c3;
    int i4;
  };
  #pragma pack(pop)

In binary form it looks like this:

  00000000 struc_1         struc ; (sizeof=0xC)
  00000000 c1              db ?
  00000001                 db ? ; undefined
  00000002 s2              dw ?
  00000004 c3              db ?
  00000005                 db ? ; undefined
  00000006                 db ? ; undefined
  00000007                 db ? ; undefined
  00000008 i4              dd ?
  0000000C struc_1         ends

If we have this function prototype:

  void myfunc(struc_1 s);

the 64bit GNU compiler will pass the structure like this:

  RDI: c1, s2, and c3
  RSI: i4

Since compilers can use such complex calling conventions, IDA needs some
mechanism to describe them. Scattered argument locations are used for that.
The above calling convention can be described like this:

  void __usercall myfunc(struc_1 s@<0:rdi.1, 2:rdi^2.2, 4:rdi^4.1, 8:rsi.4>);

It reads:

  1 byte  at offset 0 of the argument is  passed in the byte 0 of RDI
  2 bytes at offset 2 of the argument are passed in the byte 1,2 of RDI
  1 byte  at offset 4 of the argument is  passed in the byte 3 of RDI
  4 bytes at offset 8 of the argument are passed starting from the byte 0 of RSI

In other words, the following syntax is used:

  argoff:register^regoff.size

where

  argoff - offset within the argument
  register - register name used to pass part of the argument
  regoff - offset within the register
  size - number of bytes

The regoff and size fields can be omitted if there is no ambiguity.

If the register is not specified, the expression describes a stack location:

  argoff:^stkoff.size

where

  argoff - offset within the argument
  stkoff - offset in the stack frame (the first stack argument is at offset 0)
  size - number of bytes

Please note that while IDA checks the argument location specifiers for soundness,
it cannot perform all checks and some wrong locations may be accepted. In
particular, IDA in general does not know the register sizes and accepts any
offsets within them and any sizes.

See also @0:1361[Set type] command.
~F~low chartF~u~nction callsXrefs ~t~o
Xrefs f~r~omU~s~er xrefs chart...	~G~raphsBase class must be a structure'Named bitfields cannot be of zero size?Create segment (%0*a-%0*a, sel %0*a):
Illegal segment bitness.Û
WRAP
Instant debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The -r command line switch is used to run the built-in
debugger without creating a database in advance.
The format is this switch is:

  -rdebname{params}:pass@hostname:port+pid

The explanation of the fields:

  debname       Debugger name. Should contain the debugger
                module name. Examples: win32, linux. This prefix
                can be shortened or even completely
                omitted if there is no ambiguity
  params        Optional parameter for the debugger module
                The parameters from the appropriate configuration file
                can be specified here, separated by semicolons.
  pass          Password for the remote debugger server
  hostname      Host name or address of the remote debugger server.
                IPv6 addresses need to be enclosed in [].
  port          Port number to use to connect to the debugger server
  pid           PID of the process to attach

All fields except the first one are optional. Also, the pid field can be specified
as '+'. IDA will display the process list to attach.
See examples below for typical command lines:

  ida -rwin32 file args
        Run 'file' with command line 'args' in the local debugger
        We have to specify the debugger name to avoid ambiguities.
  ida -rwindbg+450
        Attach to process 450 on the local machine using the windbg backend
  ida -rl:hippy@mycom:4567+
        Connect to the remote linux computer 'mycom' at port 4567 using the
        password 'hippy' and display the list of processes running on it.
        Allow the user to select a process and attach to it.
  ida -rl@mycom /bin/ls e*
        Run '/bin/ls' command on the 'mycom' computer using the remote
        debugger server on Linux. Use an empty password and the
        default port number. Pass "e*" as the parameter to /bin/ls.
  ida -rl@mycom whobase.idb
        Run '/usr/bin/who' command on the 'mycom' computer using the
        remote linux debugger server. Use an empty password and the
        default port number. IDA will extract the name of the
        executable from the whobase.idb file in the local current
        directory. If the database does not exist, then this command
        will fail.
  ida "-rwindbg{MODE=1}@com:port=\\.\pipe\com_1,baud=115200,pipe,reconnect+"
        Attach using windbg in kernel mode. The connection string is
        "com:port=\\.\pipe\com_1,baud=115200,pipe,reconnect". A mini database
        will be created on the fly.

When the -r switch is used, IDA works with the databases in the following way:

        - if a database corresponding to the input file exists and
        the -c switch has not been specified, then IDA will use the
        database during the debugging session

        - otherwise, a temporary database will be created

Temporary databases contain only meta-information about the debugged process
and not the memory contents. The user can make a
@0:1470[memory snapshot]
any time before the process stops. If IDA detects that a command will cause the process to exit or detach IDA,
it will propose to make a snapshot.

The rest of the command line is passed to the launched process.

In the case there is no input file (when attaching to an existing process, for example),
then the temporary database is created in the standard temporary directory.
For Windows, this directory is usually "Local Setting\Temp" in the user
profile directory.

See also

  @0:1463[How to launch remote debugging]É get_debugger_event_cond▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Return the debugger event condition

returns: event condition

string get_debugger_event_cond();
¾WRAP
Create HTML File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceHtml
 Current hotkey: @<ProduceHtml>

Please enter a file name for the HTML file. IDA will write
the disassembled text to this file.

If you've selected a range on the screen using @0:420[Drop Anchor]
command, IDA will write only the selected range (from the
current address to the anchor).

If some I/O problem (e.g. disk full) occurs during writing
to the file, IDA will stop and a partial file will be created.

Please note that @0:421[demo] version cannot produce HTML
files. This command is available only in the graphical version of IDA.

See also other @0:438[Produce output file] commands.¾ set_debugger_event_cond▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Set a new debugger event condition

string set_debugger_event_cond(string condition);
Bad alignment valueinternal: continue to match¡ typeinfo.size▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Return the type size in bytes
0xFFFFFFFF is the size cannot be calculated

long typeinfo.size();
 Macro was not previously pushed9WRAP
Toggle leading zeroes ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ToggleLeadingZeroes
 Current hotkey: @<ToggleLeadingZeroes>

This command displays or hides the leading zeroes of the current operand.
Example: if the instruction looked like this:

        and     ecx, 40h

then after applying the command it will look like this:

        and     ecx, 00000040h

If you prefer to see leading zeroes in all cases, then open the
@0:596[calculator]
and enter the following expression:

        @0:285[set_inf_attr](INF_GENFLAGS, get_inf_attr(INF_GENFLAGS) | INFFL_LZERO);

This will toggle the default for the current database and all numbers
without leading zeroes will become numbers with leading zeroes, and vice versa.

See also @0:1382[Edit|Operand types|Number] submenu.~T~oggle leading zeroesgWRAP
Load TDS debug information file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: LoadTdsFile
 Current hotkey: @<LoadTdsFile>

This command loads a TDS file.

If the program being disassembled has a companion TDS file, this command may be used to load information from the TDS file into the
database.

The TDS file must be placed in the same directory together with the input file.

The LoadTdsFile command launches a special plugin TDS.DLL which can be run manually
using Edit->Plugins submenu.

See also @0:430[Load... submenu] commands.~T~DS file...Not enough memoryBad file handleu get_strlit_contents▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get string contents
     ea   - linear address
     len  - string length. -1 means to calculate the max string length
     type - the string type (one of @0:283[STRTYPE_...] constants)
Returns: string contents or empty string

string get_strlit_contents(long ea, long len, long type);
 parse_decls▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Parse many type declarations
     input -  file name or C declarations (depending on the flags)
     flags -  combination of PT_... constants or 0
returns: number of errors

long parse_decls(string input, long flags);
îWRAP
Locals view (source level) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This window displays the values of the variables that are local to the current
functions (register and stack based).
  <Loadi~n~g options:C>4>
nWRAP
WinDbg Debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The WinDbg debugger plugin uses Microsoft's Debugging Engine COM interfaces from the Debugging Tools package.

To use the WinDbg debugger plugin, the following steps must be carried out:

  - Please download the latest debugging tools from
  http://www.microsoft.com/whdc/devtools/debugging/default.mspx

  - Configure the debugger specific options in
        Debugger Options, Set specific options.

  Windbg debugger plugin has the following configuration options:

  - The Debugging Tools folder: This should be configured to point to the same
  folder where Microsoft Debugging Tools are installed. The plugin will try to
  guess where the tools are, but if it fails, a manual intervention will be required.
  If this option is not set, then the plugin will try to use dbgeng.dll from
  MS Windows system folder, while normal debug operations will work, extensions will not.

  - Kernel mode debugging: Check this option when debugging the kernel.

  - User-mode debugging: Check this option to debug MS Windows applications.

  - Non-Invasive debugging: Check this option to enable attaching to user-mode
  processes non-invasively

  - Kernel mode debugging with reconnect and initial break: Select this option
  when debugging a kernel and when the connection string contains 'reconnect'. This option
  will assure that the debugger breaks as soon as possible after a reconnect.

  - Output flags: These flags tell the debugging engine which kind of output
  messages to display and which to omit


The WinDbg debugger plugins has the following features:

  - Send commands to the debugger engine when the debugging session starts.
  Use the "." key to switch to the command line and start typing commands.
  Please note that while it is possible to send any command to the engine, only the
  commands that change the execution status should not be used:
  go ("g"), step ("t"), step into ("p"), etc...

  - Symbol information: If the symbol path is configured properly, then the
  debugger engine will fetch debug symbols from the appropriate location (symbol server, cache, etc...)
  For example, setting the following environment variable before starting IDA:
  _NT_SYMBOL_PATH=srv*c:\pdb_cache*http://msdl.microsoft.com/download/symbols
  will allow the debug engine/windbg debugger plugin to automatically try to
  fetch and use the symbol information.

  - Multi-processor support: Debugger Engine will create a virtual thread for
  each processor that it finds. Similarly, IDA will present these processors as threads.

  - Remote debugging support: It is possible to use the process server "dbgsrv.exe"
  to enable remote debugging. For example:

    1. Run "dbgsrv -t tcp:port=PORT_NUM,server=HOST_NAME"

    2. Verify that the server is correctly running by listing all process
    servers on the given HOST_NAME:

      cdb -QR \\HOST_NAME

    3. Finally, run IDA and specify the following connection string:
      tcp:port=PORT_NUM,server=HOST_NAME

  - Use WinDbg extensions: it is possible to use the extension commands that
  usually work with WinDbg. Make sure that the "Debugging Tools folder" setting
  is properly set so that this feature works.

  - Kernel Debugging: It is possible to debug the kernel the same way as it is
  done with WinDbg. Simply setup the target kernel and configure the WinDbg
  plugin by checking the "kernel mode debugging" option and by typing a correct
  connection string. If the user detaches from a kernel session (using Debugger/Detach Process),
  the debugged kernel will resume. However, if the user selects Debugger/Terminate Process,
  the kernel will be suspended (it will wait until another client attaches to it).

  - Dump files support: It is possible to load into IDA dump files generated either
  manually (using the ".dump" command) or crash dumps generated from a crashed process or kernel.
  Please refer check the @0:1529[windmp file loader] reference.

  After the dump has been loaded, it is possible to run the debugger and investigate about
  the crash by typing Windbg commands into the command line window.
  For example, one could check the call-stack or use any other Windbg extension.

  - External breakpoints: it is possible to use the command line to create breakpoints
  that are not supported by IDA but supported by the debugging engine: in that
  case, all unknown (external) breakpoints will suspend IDA when they trigger.


The WinDbg debugger can be used to debug local programs as well as remote programs.
This is controlled via the connection string in the "Process Option" dialog.
If it is left blank,it means that a local debugging is in effect. Otherwise, a debug engine compatible connection
string is expected.
IDA will display an error message if the connection string could not be accepted:
in that case, try using the same connection string with "cdb", or "windbg" and see
if it works.

The WinDbg debugger module adds a new menu item: Debugger, WinDbg command.
It can be used to send arbitrary commands to the debugger engine. The command output is
displayed in the message window.

@0:712[Additional IDC functions provided by the WinDbg debugger]
ÞWRAP
Debugging with QEMU ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Run QEMU with -s switch to enable its GDB stub. The default port number is 1234. If desired,
the -p command line switch can be used to change it. The -S command line switch causes
the execution to be suspended at startup.
For example:

 qemu.exe -s -S -L . -m 128 -hda linux.img -soundhw all -localtime -M pc

For better debugging, make sure to set the following options in
@0:1522[GDB Debugger options]:

 Software breakpoints at EIP+1: disabled
 Use CS:IP in real mode: enabled (when debugging 16-bit (real-mode) code)

In other aspects debugging with QEMU is the same as debugging for other targets.

Back to @0:1335[Remote GDB Debugger]
ÈWRAP
Remote GDB Debugger options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Max packet size

        Maximum packet size supported by the GDB stub (in bytes).
        Some stubs can crash on big packets, e.g. memory reads. IDA
        will try to split such requests in smaller chunks so that
        replies should fit in this size. You can enter -1 to
        autodetect (in this case IDA will use the size of the
        "g" packet reply as the max packet size).

Timeout

        Default timeout in milliseconds for remote GDB stub responses.
        Some targets can be slow to respond, so increase this value
        when having problems, e.g. with disappearing memory bytes.

Run a program before starting debugging

        Check to enable @0:1587[external program options].

Processor

        This option is only visible when @0:1502[starting debugger without a database].
        Use it to specify on which CPU the target is running. For some processors you can also
        specify the endianness.

Software breakpoints at EIP+1

        Most GDB stubs for x86 report software breakpoint hits with EIP one byte after
        the breakpoint address. However, some emulators report the actual breakpoint
        address. This option allows IDA to recognize such situations.
        Recommendations: uncheck for QEMU, check for others.

Use CS:IP in real mode

        When debugging real-mode (16-bit) code, the stub can send either
        just 16 bits of IP register or the full EIP (CS<<4 + IP).
        Enable this option in the former case.
        Recommendations: check for QEMU, uncheck for others.

See also

  @0:1502[Instant debugger]
  @0:1335[Remote GDB Debugger]
MWRAP
Command line ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

At the bottom of the main IDA window, just above the status bar there is a input
field. It can be used to enter various commands. By default, it accepts IDC commands,
but plugins may register themselves as command language providers for it.

Currently, the following command line providers exist:

  - @0:157[idc]
  - python plugin
  - bochs debugger
  - windbg debugger
  - GDB debugger

When these plugins are active, they will process the entered commands.
The current command language can be changed by clicking on the button to the left
of the input field. The current language can be set as default by choosing "Default CLI"
from the context menu of the command line.

The command line input field can be activated by pressing '.'. Esc switches back to the previous window.
³ op_flt▄
 ▀▀▀▀▀▀▀

Convert operand to a floating-point number
(for the explanations of 'ea' and 'n' please see @0:696[op_bin]())

success op_flt(long ea, int n);
# move_segm▄
 ▀▀▀▀▀▀▀▀▀▀

Move a segment to a new address
This function moves all information to the new address
It fixes up address sensitive information in the kernel
The total effect is equal to reloading the segment to the target address
     ea    - any address within the segment to move
     to    - new segment start address
     flags - combination MFS_... constants
returns: MOVE_SEGM_... error code

long move_segm(long ea, long to, long flags);

#define MSF_SILENT    0x0001    // don't display a "please wait" box on the screen
#define MSF_NOFIX     0x0002    // don't call the loader to fix relocations
#define MSF_LDKEEP    0x0004    // keep the loader in the memory (optimization)
#define MSF_FIXONCE   0x0008    // valid for @0:1526[rebase_program](): call loader only once
#define MSF_NETDELTA  0x0010    // change inf.netdelta if possible
#define MSF_PRIORITY  0x0020    // loader segments will overwrite any existing debugger segments when moved.
#define MSF_NETNODES  0x0080    // move netnodes instead of changing inf.netdelta (this is slower)

#define MOVE_SEGM_OK           0     // all ok
#define MOVE_SEGM_PARAM       -1     // The specified segment does not exist
#define MOVE_SEGM_ROOM        -2     // Not enough free room at the target address
#define MOVE_SEGM_IDP         -3     // IDP module forbids moving the segment
#define MOVE_SEGM_CHUNK       -4     // Too many chunks are defined, can't move
#define MOVE_SEGM_LOADER      -5     // The segment has been moved but the loader complained
#define MOVE_SEGM_ODD         -6     // Can't move segments by an odd number of bytes
#define MOVE_SEGM_ORPHAN      -7     // Orphan bytes hinder segment movement
#define MOVE_SEGM_DEBUG       -8     // Debugger segments cannot be moved
#define MOVE_SEGM_SOURCEFILES -9     // Source files ranges of addresses hinder segment movement
#define MOVE_SEGM_MAPPING     -10    // Memory mapping ranges of addresses hinder segment movement
#define MOVE_SEGM_INVAL       -11    // Invalid argument (delta/target does not fit the address space)
º rebase_program▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Rebase the whole program by 'delta' bytes
     delta - number of bytes to move the program
     flags - combination of @0:1525[MFS_...] constants
             it is recommended to use MSF_FIXONCE so that the loader takes
             care of global variables it stored in the database
returns: error code @0:1525[MOVE_SEGM_...]

long rebase_program(long delta, long flags);
ã set_storage_type▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Set storage type
     start_ea - starting address
     end_ea   - ending address
     stt     - new storage type, one of STT_VA and STT_MM
returns: 0 - ok, otherwise internal error code

long set_storage_type(long start_ea, long end_ea, long stt);

#define STT_VA 0  // regular storage: virtual arrays, an explicit flag for each byte
#define STT_MM 1  // memory map: sparse storage. useful for huge objects
.Some items overlap the specified address rangWRAP
Windmp file loader ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The Windmp loader module can load *.dmp files into IDA for static analysis.

For the Windmp loader to function properly, one need to specify the path to
MS Debugger Engine Library (dbgeng.dll). This option can be set in CFG\IDA.CFG
under the DBGTOOLS key.
If this value is not set then Windmp will try to detect the path.

Windmp can be used to load big dump files, however that will result in a huge database,
therefore is possible to manually load a given input file:

  - Load modules segments only: If used, Windmp will only load segments related to
  the loaded modules and skips all other memory segments

  - Do not load symbol names: If symbol path is configured properly, then Windmp will
  fetch and rename all known addresses; you can skip this step by not loading symbol names.

  - Skip segments greater than: It skips segments with a given size, resulting in faster loading speed.
  If this value is zero then this option will not be used.

In addition to static analysis it is possible to run the dump file under the
@0:1520[windbg debugger module].
5The current processor does not support 'short float',Cannot convert idc object to idc basic typeVariable is not an idc objectY get_tinfo▄
 ▀▀▀▀▀▀▀▀▀▀

Get type information of function/variable as 'typeinfo' object
     ea - the address of the object
     type_name - name of a named type
returns: typeinfo object, 0 - failed
The typeinfo object has one mandatory attribute: typid

typeinfo get_tinfo(long ea);
typeinfo get_tinfo(string type_name);
+Cannot post inc/dec a calculated attributeNo such class id: %dNo such class: '%s'0Circular dependecy on classes has been detectedNo such attribute: %s'The 'this' argument cannot be modified+An construtor method cannot return a valueAttempt to call a non-function!No type information is availableð getattr▄
 ▀▀▀▀▀▀▀▀

Get object attribute
     self  - object
     attr  - attribute name
This function gets the attribute value without calling __getattr__()
Thread-safe function.

any getattr(object self, string attr);
7 setattr▄
 ▀▀▀▀▀▀▀▀

Set object attribute
     self  - object
     attr  - attribute name
     value - value
This function sets the attribute value without calling __setattr__()
Returns false: self is not an object
Thread-safe function.

success setattr(object self, string attr, any value);
º hasattr▄
 ▀▀▀▀▀▀▀▀

Does an object attribute exist?
     self  - object
     attr  - attribute name
Thread-safe function.

success hasattr(object self, string attr);
¯ delattr▄
 ▀▀▀▀▀▀▀▀

Del object attribute
     self  - object
     attr  - attribute name
Thread-safe function.

success delattr(object self, string attr);
¿ firstattr▄
 ▀▀▀▀▀▀▀▀▀▀

Get the first object attribute
     self  - object
If there are no attributes, returns 0
Thread-safe function.

string firstattr(object self);
¹ lastattr▄
 ▀▀▀▀▀▀▀▀▀

Get the last object attribute
     self  - object
If there are no attributes, returns 0
Thread-safe function.

string lastattr(object self);
ï nextattr▄
 ▀▀▀▀▀▀▀▀▀

Get the next object attribute
     self  - object
     attr  - current attribute name
If there are no more attributes, returns 0
Thread-safe function.

string nextattr(object self, string attr);
ó prevattr▄
 ▀▀▀▀▀▀▀▀▀

Get the previois object attribute
     self  - object
     attr  - current attribute name
If there are no more attributes, returns 0
Thread-safe function.

string prevattr(object self, string attr);
³ loader_input_t.getc▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Read one byte from the input file
Returns -1 if no more bytes

long loader_input_t.getc();
3Cannot call application without an active debugger loader_input_t.readbytes▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Read a multibyte value from the input file
     result - reference to the variable that will hold the result
     size   - size of the value. Usually is: 1, 2, 4, 8
     be     - treat bytes as big-endian?
Returns: 0:ok, -1:failure

long loader_input_t.readbytes(vref result, long size, long be);
(Function type is not available or wrong/Wrong number of arguments for application call=Calling application is not supported by the current debugger&Appcall: failed to hide existing bptsî strfill▄
 ▀▀▀▀▀▀▀▀

Return string filled with the specified character
     chr - character to fill with
     len - number of characters
Returns: filled string
Thread-safe function.

string strfill(long chr, long len);
!Appcall: could not map arguments¥ trim▄
 ▀▀▀▀▀

Remove trailing zero bytes from a string
     str - input string
Returns: trimmed string
Thread-safe function.

string trim(string str);
 Could not dereference a pointerBad type informationIllegal variable reference Cannot create reference to '%s'Superfluous & for a function!A variable reference is required$[] operator cannot be used for '%s'"Cannot use [] operator on scalars'Appcall: functions cannot be converted loader_input_t.close▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Close the input file

void loader_input_t.close();
k loader_input_t▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Open an input file for reading
     filename - name of the file to open
     is_remote- !=0 means to open a file on the remote computer
                (possible only during remote debugging)
Returns loader_input_t object or 0

loader_input_t open_loader_input(string filename, long is_remote);
¡ dbg_appcall▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Call application function
     ea - address to call
     type - type of the function to call. can be specified as:
             - declaration string. example: "int func();"
             - typeinfo object. example: get_tinfo(ea)
             - zero: the type will be retrieved from the idb
     ... - arguments of the function to call
Returns: the result of the function call
If the call fails because of an access violation or other exception,
a runtime error will be generated (it can be caught with try/catch)
In fact there is rarely any need to call this function explicitly.
IDC tries to resolve any unknown function name using the application labels
and in the case of success, will call the function. For example:
     _printf("hello\n")
will call the application function _printf provided that there is
no IDC function with the same name.

anyvalue dbg_appcall(ea, type, ...);

// Set/get appcall options
#define set_appcall_options(x) set_inf_attr(INF_APPCALL_OPTIONS, x)
#define get_appcall_options()  get_inf_attr(INF_APPCALL_OPTIONS)

#define APPCALL_MANUAL 0x0001   // Only set up the appcall, do not run it.
                                // you should call @0:1573[cleanup_appcall]() when finished
#define APPCALL_DEBEV  0x0002   // Return debug event information
                                // If this bit is set, exceptions during appcall
                                // will generate idc exceptions with full
                                // information about the exception
#define APPCALL_TIMEOUT 0x0004  // dbg_appcall with timeout
                                // The timeout value in milliseconds is specified
                                // in the high 2 bytes of the 'options' argument:
                                // If timed out, exception message will contain "timeout".
#define SET_APPCALL_TIMEOUT(x) ((x<<16)|0x0004) // dbg_appcall with timeout

With dbg_appcall, it is possible to call an arbitrary function from the
debugged application without any special measures like dll injection or
modifying the process memory. The call can be simplified to func(args), if the
function name is a valid identifier. For example, given this:

        verinfo = object();
        verinfo.dwOSVersionInfoSize = sizeof("OSVERSIONINFOA");

the following dbg_appcall:

        GetVersionExA(&verinfo);

will call create an instance of OSVERSIONINFOA in the application memory
and call GetVersionExA with a pointer to it. After the call, it will convert the
OSVERSIONINFO instance into an IDC object. The verinfo variable will contain:

object
  __at__:        18FEB0h
  dwBuildNumber:        7600.
  dwMajorVersion:          6.
  dwMinorVersion:          1.
  dwOSVersionInfoSize:
  dwPlatformId:            2.
  szCSDVersion: "\x00\x00\x00\x00..."


The __at__ attribute tells us the address of the structure. If this particular
case it is not very useful since the object was temporary, but in other cases
it could be useful.

dbg_appcall converts IDC objects to C objects and vice versa. The conversion is
controlled by the type information. The following rules control the conversion:

 PLAIN SCALARS:

  - if the target type a plain scalar type (not a pointer),
    a simple conversion is done, with sign extension or truncation.
    For example, an IDC value of -1 is converted into an __int32(0xFFFFFFFF).
    For example, an IDC value of 0x555 is converted into an __int8(0x55).

 POINTERS:

  - if the target type a pointer and the corresponding idc value is a string,
    the string is accepted as the pointed object. It is simply copied to the
    process memory without any modifications. There will be a terminating zero
    after the string.

    If the corresponding idc value a number, its value is used as the pointer
    value. To create pointers to numbers, use the & operator.

    If the corresponding idc value is not a string, it is converted to C
    and a pointer to the converted object will be used to initialize the pointer.

 STRUCTURES:

  - if the target type is a structure, ida tries to initialize its fields one by
    one, by accessing the corresponding attributes. For example, in the above
    sample only the dwOSVersionInfoSize attribute exists, and its corresponding
    field will be initialized with its value. If a field does not exist,
    the corresponding field will be initialized with zeroes.

 ARRAYS:

  - each array element is initialized individually, expect if the corresponding
    idc value is a string. In this case, the string value is used as the value
    of the whole array. It is the user's responsibility to prepare a valid
    string that will represent an array in this case.

Some more examples. Calling printf is very easy:

  auto n = 5;
  auto s = "short";
  _printf("Hello world, number is %d, string is %s\n", n, s);

Calling sscanf will require using the & operator:

  auto x;
  auto nsuccess = _sscanf(s, "%d", &x);

Structures can be passed by ref without & because they are always
passed by reference:

  verinfo = object();
  GetVersionExA(verinfo);


All calling conventions, including @0:1361[__usercall], are supported.

For calls that generate exceptions, single stepping is possible using
the APPCALL_MANUAL bit.
í cleanup_appcall▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Cleanup the current appcall
This function can be used to terminate the current @0:1572[dbg_appcall] that was
started with APPCALL_MANUAL

success cleanup_appcall();
^ object.store▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Convert the object into a C structure and store it into the idb or a buffer
 typeinfo - description of the C structure. Can be specified
            as a declaration string or result of @0:1533[get_tinfo]() or
            similar functions
 dest     - address (ea) to store the C structure
            OR a reference to a destination string
 flags    - combination of PIO_.. bits

void object.store(typeinfo, dest, flags);

#define PIO_NOATTR_FAIL 0x0004 // missing attributes are not ok
#define PIO_IGNORE_PTRS 0x0008 // do not follow pointers

 object.retrieve▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Retrieve a C structure from the idb or a buffer and convert it into an object
 typeinfo - description of the C structure. Can be specified
            as a declaration string or result of @0:1533[get_tinfo]() or
            similar functions
 src      - address (ea) to retrieve the C structure from
            OR a string buffer previously packed with the store method
 flags    - combination of @0:1574[PIO_...] bits

void object.retrieve(typeinfo, src, flags);
: loader_input_t.gets▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Read one line of text from the input file
     maxsize - maximal size of the line
Returns: one line of text or 0
If the input file contains zeroes, the line will be truncated at them

string loader_input_t.gets(long maxsize);
2WRAP
IDC: classes ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Classes can be declared the following way:

  class name
  {
    method1(...) {}
    ...
  };

Inside the class, method functions are declared without the 'static' keyword.
The method with the name of the class is the class constructor. For example:

  class myclass
  {
     myclass(x,y)
     {
       print("myclass constructor has been called with two arguments: ", x, y);
       this.x = x;
       this.y = x;
     }
     ~myclass()
     {
       print("destructor has been called: ", this);
     }
  };

Inside the class methods, the 'this' variable can be used to refer to the current
object.

Only one constructor per class is allowed.

Class instances are created like this:

  o = myclass(1, 2);

And object attributes (or fields) are accessed like this:

  print(o.x);
  o.y = o.x + 1;

A new attribute is created upon assigning to it:

  o.new_attr = 1;

Accessing an unexisting attribute generates an exception, which can be @0:89[caught].

The following special method names exist:

  __setattr__(attr, value)
    This method is called when an object attribute is assigned a new value.
    Instead of assigning a value, this method can do something else.
    To modify a class attribute from this method, please use the setattr()
    global function.
    Compare with: Python __setattr__ method

  __getattr__(attr)
    This method is called when an object attribute is accessed for reading.
    Instead of simply returning a value, this method can do something else,
    for example to calculate the attribute on the fly. To retrieve a
    attribute from this function, use the getattr() global function.
    Compare with: Python __getattr__ method

Simple class inheritance is support. Derived classed are declared like this:

  class derived : base
  {
    ...
  };

Here we declare the 'derived' class that is derived from the 'base' class.
For derived classes, the base class constructor can be called explicitly:

  class derived : base
  {
    derived() : base(args...)
    {
    }
  };

If the base class constructor is not called explicitly, IDA will call
it implicitly, without any arguments.

It is possible to call base class methods using full names:

    base::func(this, args...);

The 'this' argument must be passed explicitly in this case.

When there are no more references to an object, it is automatically destroyed.
We use a simple reference count algorithm to track the object use.
Circularly dependent objects are not detected: they are never destroyed.

The following built-in object classes exist:

  - object: the default base class for all new classes. When the base class
    is not specified, the new class will inherit from 'object'
    This class has no fields and no special constructor. It has the following
    methods:

     @0:1574[void object.store(typeinfo, ea, flags)]
     @0:1575[void object.retrieve(typeinfo, ea, flags)]

  - exception: class used to report exceptions. It has the following attributes:

    file - source file name where the exception occurred
    func - current function name
    line - line number
    pc   - program counter value (internal to idc)

    Runtime errors are reported as exceptions too. They are two more fields:

    qerrno      - runtime error code
    description - printable error description

    This class has no special constructor and has no methods.

  - typeinfo: class used to represent type info. It has the following attributes:

    type        - binary encoded type string
    fields      - field names for the type (e.g. structure member names)
    name        - (optional) variable/function name

    Human readable form of the typeinfo can be obtained by calling the
    @0:1647[print()] method. The type size can be calculated
    using the @0:1508[size()] method.

  - @0:1581[loader_input_t]: class to read files.
ÒWRAP
IDC: Slices ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

The slice operator can be applied IDC objects are strings.

For strings, the slice operator denotes a substring:

  str[i1:i2] - substring from i1 to i2. i2 is excluded
  str[idx]   - one character substring at 'idx'.
               this is equivalent to str[idx:idx+1]
  str[:idx]  - substring from the beginning of the string to idx
               this is equivalent to str[0:idx]
  str[idx:]  - substring from idx to the end of the string
               this is equivalent to str[idx:0x7fffffff]

Any indexes that are out of bounds are silently adjusted to correct values.
If i1 >= i2, empty string is returned. Negative indexes are used to
denote positions counting from the end of the string.


String slices can be used on the right side of an assignment. For example:

  str[0:2] = "abc";

will replace 2 characters at the beginning of the string by "abc".

For objects, the slice operator denotes a subset of attributes. It can be
used to emulate arrays:

  auto x = object();
  x[0] = value1;
  x[1] = "value2";

x[i1:i2] denotes all attributes with numeric values between i1 and i2 (i2 is excluded).

Any non-numeric attributes are ignored by the slice operator.
Û get_field_ea▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Get address of the specified field using the type information
     ea         - address of the structure
     field_name - name of the structure field
If the database contains a structure at the specified ea and the
type information is present, this function will return the address of the
structure field.

long get_field_ea(long ea, string field_name);

For example:

  .data:00413060 errtable        dd 1   ; oscode
  .data:00413060                 dd 16h ; errnocode


        msg("address is: %x\n", _errtable.errnocode);

prints 413064.
The "_errtable.errnocode" expression is essentially a shortcut for:

get_field_ea(get_name_ea_simple("_errtable"), "errnocode")
< sizeof▄
 ▀▀▀▀▀▀▀

Calculate the size of a type
     type - type to calculate the size of
            can be specified as a typeinfo object (e.g. the result of get_tinfo())
            or a string with C declaration (e.g. "int")
returns: size of the type or -1 if error

long sizeof(typeinfo type);
WRAP
IDC: loader_input_t class ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The loader_input_t class can read from input files.
It has the following methods:

    @0:93[long read(vref buf, long size);]
    @0:95[long size();]
    @0:96[long seek(long pos, long whence);]
    @0:1302[long tell();]
    @0:1576[string gets(long maxsize);]
    @0:1427[string getz(long pos, long maxsize);]
    @0:1551[long getc();]
    @0:1553[long readbytes(vref result, long size, long mf);]
    @0:1570[void close();]

Instances of this class can be created by calling the @0:1571[open_loader_input] function.

See other IDC @0:1577[classes].
WRAP
IDC: Constants ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The following constants can be used in IDC:

 - long numbers (32-bit for 32-bit version of IDA
            and 64-bit for 64-bit version of IDA)

    12345 - decimal constants
    0x444 - hex constants
    01236 - octal constants
    0b110 - binary constants
    'c'   - character constants

  Any numeric constant may have 'u' and 'l' suffixes, they are ignored.

 - 64-bit numbers. To declare a 64-bit constant, use 'i64' suffix:

   123i64

   Also, if a constant does not fit 32-bits, it will automatically be
   stored as a 64-bit constant.

 - strings. Strings are declared using the double quotes. The backslash
   character can be used to as an escape:

   "string"
   "string\nwith four embedded \x0\x00\000\0 zeroes"

   Multiple string constants in a row will be automatically concatenated:

   "this" " is" " one " "string"

- set_target_assembler▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Set target assembler
     asmidx - index of the target assembler in the array of assemblers
              for the current processor.
Returns: 1 - success, 0 - failure.

long set_target_assembler(long asmidx);
Wrong destructor name,Destructors may not have explicit argumentsNo such base classÛWRAP
External programs and GDB Debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The "Run a program before debugging" option in @0:1522[Remote GDB Debugger options]
allows to automatically run a program (such as a debugging server) when starting a debugging
session. If you enable it, the following options become available:

Command line

        Command line of the program to run. The following special symbols can be used:

        %i: input file name from the @0:1398[Process options] dialog
        %p: port number from the @0:1398[Process options] dialog
        %e: file name of a temporary ELF file created from the database contents

Initial SP

        IDA will set the SP (or a similar register) after connecting to the server

Choose a configuration

        Load one of the pre-defined configurations (command line, memory map and SP value)
        described in the gdb_arch.cfg file.

Memory map

        Edit the memory map for the external server. It will be used during debugging.


One use of these options is to @0:1588[debug small code snippets] using the QEMU emulator.

See also

  @0:1522[Remote GDB Debugger options]
  @0:1395[Debugger] submenu.
ÛWRAP
Debugging code snippets with QEMU ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Using the @0:1587["Run external program"] option it is easy to debug small
ARM, MIPS or PowePC code snippets directly from inside IDA.

1) Download and install QEMU. Win32 builds can be downloaded from http://homepage3.nifty.com/takeda-toshiya/qemu/.

2) Edit cfg\gdb_arch.cfg file and change the "set QEMUPATH" line to point to the install directory of QEMU.

3) In @0:1522[Remote GDB Debugger options] (Debugger|Debugger options, Set specific options), enable "Run a program before debugging".

4) Click "Choose a configuration" and choose a predefined configuration. Choose "for snippets", if mentioned.

5) If necessary, edit the command line or memory map.

6) Click OK, OK to confirm and close the options dialog.

7) In Debugger|Process options make sure that Hostname is set to "localhost" and port is non-zero.

8) Select the code range to emulate or at least the first instruction. Alternatively, you can rename the starting address "ENTRY" and end address as "EXIT".

9) Choose Debugger|Run or press F9.

IDA will write the database into an ELF file (if %e was specified), start QEMU with the specified command line and connect to its GDB stub.
It will set the SP and PC values so that the code can be stepped through.

NOTE

While it can be very useful, QEMU emulation has certain limitations:

1) the memory map is usually fixed at compile time. So if your program addresses
intersect some of the system regions as specified by the memory map,
IDA will refuse to start debugging. In that case, you can either rebase the
program so that it fits into RAM regions or check other QEMU board configurations
for a compatible memory layout.

2) the emulation starts at the system (kernel) level when there is no OS loaded.
That means that system calls and imported functions will not work.

3) the hardware access will only work to the extent emulated by QEMU. If the
code you are emulating does not match the chosen board configuration of QEMU,
the code accessing the hardware most likely will not work properly, if at all.

See also
  @0:1587[External programs and GDB Debugger]
  @0:1335[Remote GDB Debugger]
ð find_custom_data_format▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get id of a custom data format
     name - name of the custom data format
Returns: id or -1

long find_custom_data_format(string name);
úWRAP
Jump to next function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpNextFunc
 Current hotkey: @<JumpNextFunc>

This command searches the start of the next function and
jumps to the found address.
WRAP
Jump to previous function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpPrevFunc
 Current hotkey: @<JumpPrevFunc>

This command searches the start of the previous function and
jumps to the found address.
 send_dbg_command▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Send arbitrary command to the debugger engine.
Returns: the command output.

Note: this function is available for the following debuggers:
windbg, gdb, bochs

string send_dbg_command(string cmd);
\WRAP
Jump to cross reference from current location ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpXrefFrom
 Current hotkey: @<JumpXrefFrom>

This command shows you a list of cross-references from the current location: you can jump to the selected one by pressing Enter.

Click @0:1305[here] to see the description of the cross reference dialog box.

See also

         @0:543[Jump] submenu
         @0:564[Jump to Cross References]
         @0:565[Jump to Cross References to Operand]~C~ross reference from...Recent scr~i~pts...0 read_dbg_byte▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get value of program byte using the debugger memory
     ea - linear address
returns: value of byte. Throws an exception on failure.
Thread-safe function (may be called only from the main thread and debthread)

long read_dbg_byte(long ea);
B read_dbg_word▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get value of program word (2 bytes) using the debugger memory
     ea - linear address
returns: the value of the word. Throws an exception on failure.
Thread-safe function (may be called only from the main thread and debthread)

long read_dbg_word(long ea);
U read_dbg_dword▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get value of program double word (4 bytes) using the debugger memory
     ea - linear address
returns: the value of the quadro word. Throws an exception on failure.
Thread-safe function (may be called only from the main thread and debthread)

long read_dbg_dword(long ea);
T read_dbg_qword▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get value of program quadro word (8 bytes) using the debugger memory
     ea - linear address
returns: the value of the quadro word. If failed, throws an exception
Thread-safe function (may be called only from the main thread and debthread)

long read_dbg_qword(long ea);
` get_bytes▄
 ▀▀▀▀▀▀▀▀▀▀

Return the specified number of bytes of the program
      ea - linear address
      size - size of buffer in normal 8-bit bytes
      use_dbg - use debugger memory or just the database
returns: 0-failure
         or a string containing the read bytes

string get_bytes(long ea, long size, long use_dbg);
WRAP
Set operand type ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetOpType
 Current hotkey: @<SetOpType>

This command allows you to specify the type of the operand under the cursor.

The operand type must be entered as a C declaration. Currently IDA itself does
not use the operand type information. However, it can be used by the Hex-Rays decompiler plugin.
Setting operand type is most useful in case of indirect calls: the decompiler will use the type information
to determine the input parameters to the call instead of guessing, which can make the decompiled code better.

An example of a type declaration:

        int (*func)(int param1, char param2);

To delete a type declaration, enter an empty string.

For details on possible calling conventions, see @0:1361[Set function/item type...] menu item description.

See also

         @0:1361[Set function/item type...]Set operand ~t~ype...Ó exec_idc▄
 ▀▀▀▀▀▀▀▀▀

Compile and execute IDC statement(s)
     input  - IDC statement(s)
returns: 1 - ok, otherwise throws an exception
Thread-safe function.

long exec_idc(string input);
.Destructor name does not match the class nameþ get_item_head▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Get starting address of the item
     ea - linear address
returns: the starting address of the item
         if the current address is unexplored, returns 'ea'

long get_item_head(long ea);
B begin_type_updating▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Begin type updating. Use this function if you
plan to call AddEnumConst or similar type modification functions
many times or from inside a loop

     utp - (one of UTP_... consts)
returns: none

success begin_type_updating(long utp);
 end_type_updating▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

End type updating. Refreshes the type system
at the end of type modification operations

     utp  - (one of UTP_... consts)
returns: none

success end_type_updating(long utp);
1Pointer to structure required on left side of ->'%s' is not member of '%s')idc_func_table.get_unkvar is not defined)idc_func_table.set_unkvar is not defined*idc_func_table.calc_sizeof is not defined[ read_dbg_memory▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Read from debugger memory
     ea - linear address
     size - size of data to read
returns: data as a string. If failed, If failed, throws an exception
Thread-safe function (may be called only from the main thread and debthread)

string read_dbg_memory(long ea, long size);
T write_dbg_memory▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Write to debugger memory
     ea - linear address
     data - string to write
returns: number of written bytes (-1 - network/debugger error)
Thread-safe function (may be called only from the main thread and debthread)

long write_dbg_memory(long ea, string data);
Ù rename▄
 ▀▀▀▀▀▀▀

rename a file
     oldname - existing file name
     newname - new file name
returns: error code from the system
Thread-safe function.

long rename(string oldname, string newname);
² unlink▄
 ▀▀▀▀▀▀▀

delete a file
     filename - existing file/dir name
returns: error code from the system
Thread-safe function.

long unlink(string filename);
Þ mkdir▄
 ▀▀▀▀▀▀

create a directory
     dirname - directory name
     mode    - file permissions (for unix)
returns: error code from the system
Thread-safe function.

long mkdir(string dirname, long mode);
²WRAP
Apply patches to input file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ApplyPatches
 Current hotkey: @<ApplyPatches>

Apply previously @0:526[patched] bytes back to the input file.
If the "Restore" option is selected then the original bytes will be applied to the input file.

See also

         @0:526[Edit|Patch core] submenu.
         @0:443[Produce DIF file]
!A~p~ply patches to input file...Check for free updates...®WRAP
Take database snapshot ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SaveBaseSnap
 Current hotkey: @<SaveBaseSnap>

This command takes a database snapshot. The snapshot can be later restored from
the database snapshot manager.

Note: snapshots work only with regular databases. Unpacked databases do not support them.

See also @0:1622[View database snapshot manager] commands.ÐWRAP
Database snapshot manager ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowSnapMan
 Current hotkey: @<ShowSnapMan>

This command shows the database snapshot manager. In this dialog, it is possible to
restore previously saved snapshots, rename or delete them.

Note: snapshots work only with regular databases. Unpacked databases do not support them.

See also @0:1621[Take database snapshot] commands.Take database snapsho~t~Database snapshot ~m~anagerÂ getn_thread▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Get the ID of a thread
     idx - number of thread, is in range 0..get_thread_qty()-1
returns: -1 if failure

long getn_thread(long idx);
WRAP
Proximity view ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀


Starting from IDA v6.2, the callgraph of a program can be displayed in a
graph form.

In the proximity view, the current address, the callers and the callees
are represented as a collection of nodes linked together with edges. Nodes
represent functions and data references (global variables, strings, etc..)
and edges represent code or data cross-references between them.

To open the proximity view press the '-' key to zoom out and switch to the
callgraph of the address under cursor.

Only the address names (function names or data labels) are displayed in the proximity view, but not the
disassembly, nonetheless, hovering the mouse over a node will display brief disassembly listing in a
resizable hint window. To see the complete disassembly listing switch to text or graph mode by pressing
'+' or Space respectively.

When disassembling new files, IDA will display a dialog offering to switch to proximity view
when applicable. It is possible to turn off this dialog and not show it again.

In the proximity view there are 3 types of nodes: Function nodes, data nodes
and auxiliar nodes. Function nodes are rectangular and they have a toolbar.
Those nodes are used to display the callers or callees of the current
central node (or any of his parents or children). Data nodes
are rectangular nodes (without a toolbar) and they are used to display the
data references (global variables, strings, etc...) to/from the current
central node or any of his parents and children.

Please select one of the following topic to learn more about graphs:

 - @0:241[Selections in graphs]
 - @0:281[Zooming graphs]
 - @0:1117[Scrolling graphs]
 - @0:1130[Graph overview window]
 - @0:1142[Graph colors]
 - @0:19[Graph options]
WRAP
FLIRT match indecision: reference to function expected ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        IDA matched code bytes against at least one
        signature entry, but failed finding expected
        cross-references at certain offsets in the code.

        Consider the following .pat file contents:

                5589E583EC18A1........890424E8........C9C3...................... 00 0000 0015 :0000 _test ^000F _my_fun0
                5589E583EC18A1........890424E8........C9C3...................... 00 0000 0015 :0000 _smuk ^000F _my_fun1

        Now, turn that .pat file into a signature (.sig) file, telling
        sigmake to include function references into signature
        (using the -r switch).
        Then, apply that .sig file to a binary that you are
        examining.
        If IDA recognizes the 0x15-bytes long pattern in the binary, it
        will check that, at offset 0xF from the start of the match,
        a call to either "_my_fun0" or "_my_fun1" is performed.

        If either one of the two is found, then that code will
        be named "test", or "smuk", respectively.
        Otherwise, a SIGFNREF problem will be signalled.

 What to do:
        Examine the code pointed to by the address at the given
        offset (i.e., 0xF) and try and determine whether
        that function could be "_my_fun0", or "_my_fun1".
        If so, name it accordingly and re-apply the signature.

        An alternative is to generate the signature (.sig)
        file without the cross-references to functions
        (i.e., dropping the '-r' switch).
        But beware of collisions: a pattern like the
        one above will inevitably create a collision, since the
        pattern bytes are similar for the two entries.
5WRAP
Basic block tracing ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ToggleTraceBasicBlocks
 Current hotkey: @<ToggleTraceBasicBlocks>

This command starts basic block tracing.
You can then use all debugger commands as usual: the debugger will save all
addresses where a temporary basic block breakpoint was reached.

Internally, the debugger runs the current thread normally, setting temporary
breakpoints in the last instruction of every basic block of every function
referenced from the current function and also at any call instruction in
the middle of the traced basic blocks.

Basic block tracing is slower than normal execution but faster than
instruction or function tracing.

 See also @0:1444[Tracing window]
          @0:1629[Trace management]
          @0:1445[Clear trace]
          @0:1446[Instruction tracing]
          @0:1447[Function tracing]
          @0:1448[Add write trace]
          @0:1449[Add read/write trace]
          @0:1450[Add execution trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.WRAP
Trace management ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Recorded traces can be managed from the @0:1444[Tracing window].
Traces are saved in a directory specified in the
@0:1451[tracing options] dialog.

Saved binary trace files can be loaded, saved and replayed with the new replayer debugger module,
diffed against other traces (to spot differences between executions) or displayed in a proximity
view (displaying the execution call graph).

  @0:1444[Tracing window]
  @0:1445[Clear trace]
  @0:1446[Instruction tracing]
  @0:1447[Function tracing]
  @0:1628[Basic block tracing]
  @0:1448[Add write trace]
  @0:1449[Add read/write trace]
  @0:1450[Add execution trace]
  @0:1412[Stack trace]
  @0:1451[Tracing Options]

See also @0:1395[Debugger] submenu.íWRAP
Select trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Load a binary trace file in the 'Tracing' window.

This command displays all the saved trace files that correspond
to the MD5 of the current IDB and allows the user to load one of them. The
traces can be replayed with the @0:1639[replayer debugger], inspected manually in the
disassembly view or displayed as a callgraph in a proximity view.

 See also @0:1445[Clear Trace]
    @0:1631[Other options]
          @0:1632[Edit trace description]
          @0:1634[Diff to binary trace]
          @0:1633[Remove binary trace]
          @0:1635[Import binary trace]
          @0:1636[Export binary trace]
          @0:1637[Export trace to text file]
          @0:1638[Show trace callgraph]6WRAP
Other options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Show a dialog with additional options for managing trace files

This command displays a window with all the available commands to manage trace files.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1632[Edit trace description]
          @0:1634[Diff to binary trace]
          @0:1633[Remove binary trace]
          @0:1635[Import binary trace]
          @0:1636[Export binary trace]
          @0:1637[Export trace to text file]
          @0:1638[Show trace callgraph]TWRAP
Edit trace description ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Show the description of a binary trace file

This command displays a window with the description of a selected binary trace file and
allows to edit it.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1631[Other options]
          @0:1634[Diff to binary trace]
          @0:1633[Remove binary trace]
          @0:1635[Import binary trace]
          @0:1636[Export binary trace]
          @0:1637[Export trace to text file]
          @0:1638[Show trace callgraph]
,WRAP
Remove binary trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Delete a binary trace file from disk

This command displays a window to select a recorded trace file to delete from disk.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1631[Other options]
          @0:1632[Edit trace description]
          @0:1634[Diff to binary trace]
          @0:1635[Import binary trace]
          @0:1636[Export binary trace]
          @0:1637[Export trace to text file]
          @0:1638[Show trace callgraph]©WRAP
Diff to binary trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Diff the currently loaded trace against a recorded trace

This command displays a window to select a trace file to diff against the currently
loaded trace, displayed in the 'Tracing' window.

If highlight options are enabled in @0:1451[Tracing Options], instructions
from the currently loaded trace will be displayed with the background "main color"
and instructions from the diff trace file will be displayed with the "diff color". Common
instructions will be highlighted with an average of the two.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1631[Other options]
          @0:1634[Diff to binary trace]
          @0:1633[Remove binary trace]
          @0:1635[Import binary trace]
          @0:1636[Export binary trace]
          @0:1637[Export trace to text file]
          @0:1638[Show trace callgraph]
ÃWRAP
Import binary trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Import a binary trace file from a different IDB

This command allows to import binary trace files recorded for an IDB with
a different MD5. For example, it can be used to load recorded traces from a malware
sample which is practically the same, but differs in a few bytes.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1631[Other options]
          @0:1632[Edit trace description]
          @0:1634[Diff to binary trace]
          @0:1633[Remove binary trace]
          @0:1636[Export binary trace]
          @0:1637[Export trace to text file]
          @0:1638[Show trace callgraph]¸WRAP
Export binary trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Export to a binary trace file all events displayed in the 'Tracing' window

This command exports to a binary trace file the current trace being displayed in the
@0:1444[Tracing window]. The trace can be loaded later, removed or diffed
against other trace files.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1631[Other options]
          @0:1632[Edit trace description]
          @0:1634[Diff to binary trace]
          @0:1635[Import binary trace]
          @0:1633[Remove binary trace]
          @0:1637[Export trace to text file]
          @0:1638[Show trace callgraph]tWRAP
Export trace to text file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Export to a text file all events displayed in the 'Tracing' window

This command exports the current trace being displayed in the @0:1444[Tracing window]
to a text file.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1631[Other options]
          @0:1632[Edit trace description]
          @0:1634[Diff to binary trace]
          @0:1635[Import binary trace]
          @0:1636[Export binary trace]
          @0:1633[Remove binary trace]
          @0:1637[Export trace to text file]
EWRAP
Show trace callgraph ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Show the callgraph of the loaded trace in a proximity view

This command displays the callgraph of the currently loaded trace in a proximity view.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1631[Other options]
          @0:1632[Edit trace description]
          @0:1634[Diff to binary trace]
          @0:1635[Import binary trace]
          @0:1636[Export binary trace]
          @0:1633[Remove binary trace]
          @0:1638[Show trace callgraph]

WRAP
Replayer debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The replayer debugger is a pseudo-debugger used to replay recorded traces.

The replayer debugger supports replaying traces recorded with any of the currently
supported debuggers, ranging from local Linux or win32 debuggers to remote GDB targets.
Currently supported targets include x86, x86_64, ARM, MIPS and PPC.

To use the replayer debugger you will need first to record a trace by enabling
@0:1446[instruction tracing], @0:1447[function tracing]
or @0:1628[basic block tracing] with another debugger. Then, after
@0:1630[loading] a recorded trace in the @0:1444[Tracing window],
select the replay debugger from the debugger's dropdown list and start the debugger normally
as you would do with any other debugger.

One of the advantages of the replay debugger module over re-executing the debuggee is
that in the replayer debugger it is possible to step not only forward, but
also backwards, making it easier to analyze what happened during the execution
of the recorded trace.

There are two types of traces that can be replayed: instruction level traces or partial traces.
Instruction level traces are recorded by enabling @0:1446[instruction tracing] and
partial traces are recorded using either @0:1447[function tracing] or
@0:1628[basic block] tracing. When a trace is recorded with instruction tracing enabled all
register values are saved. With basic block or function level tracing only the instruction pointer
is saved. Additionally, in basic block tracing the register values are also saved when the last instruction
of a basic block is reached or a call in the middle of a basic block is about to be executed.

The replayer debugger module adds a new menu item: Debugger, Step Back command.
It can be used to step back to the previous instruction when replaying a recorded trace.

@0:710[Additional IDC functions provided by the replayer debugger]
	Bad type0Can dereference only VT_LONG or VT_PVOID values*Specified type and value are incompatibleToo wide enum, cannot handleL get_member_id▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get member id
     id         - structure type ID
     member_offset - member offset. The offset can be
                     any offset in the member. For example,
                     is a member is 4 bytes long and starts
                     at offset 2, then 2, 3, 4, 5 denote
                     the same structure member.
returns: -1 if bad structure type ID is passed or there is
         no member at the specified offset.
         otherwise returns the member id.

long get_member_id(long id, long member_offset);
1The specified max length count has been exceeded÷ format_cdata▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Format value(s) as a C/C++ data initializers
     outvec - reference to the output object
              after the call will contain array of strings
     value  - value to format
     type   - type of the data to format
     options- optional object, which may have the attributes PTV_...
                     'ptvf' - combination of PTV_... constants:
                     'flags'      number representation (e.g. hex_flag(), dec_flags(), etc)
                     'max_length' max length of the formatted text (0 means no limit)
                     'arrbase'    for arrays: the first element of array to print
                     'arrnelems'  for arrays: number of elements to print
                     'margin'     length of one line (0 means to print everything on one line)
                     'indent'     how many spaces to use to indent nested structures/arrays
     info   - object to store additional information about the generated lines
              after the call will contain array of objects, each of which has:
                     'ea' - address of the line
                     'type' - typeinfo of the line (may include label for the line as 'name')
              may be specified as 0 if this info is not required
Returns: error code

long format_cdata(object &outvec, anyvalue value, typeinfo type, object options, object &info);

#define PTV_DEREF  0x0001  // take value to print from the database.
                           // its address is specified by value.num (default)
#define PTV_QUEST  0x0002  // print '?' for uninited data
#define PTV_EMPTY  0x0004  // return empty string for uninited data (default)
#define PTV_CSTR   0x0008  // print constant strings inline (default)
#define PTV_EXPAND 0x0010  // print only top level on separate lines
                           // max_length applies to separate lines
                           // margin is ignored
#define PTV_LZHEX  0x0020  // print hex numbers with leading zeroes
#define PTV_STPFLT 0x0040  // fail on bad floating point numbers
                           // (if not set, just print ?flt for them)
#define PTV_SPACE  0x0080  // add spaces after commas and around braces (default)
#define PTV_DEBUG  0x0100  // format output for debugger
c typeinfo.print▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Print typeinfo in a human readable form
  flags - optional parameter, combination of PRTYPE_... bits
The typeinfo object must have the "typid" attribute
If the "name" attribute is present, it will be used in the output too
If failed, returns 0

string typeinfo.print(flags);

#define PRTYPE_1LINE   0x0000 // print to one line
#define PRTYPE_MULTI   0x0001 // print to many lines
#define PRTYPE_TYPE    0x0002 // print type declaration (not variable declaration)
#define PRTYPE_PRAGMA  0x0004 // print pragmas for alignment
#define PRTYPE_SEMI    0x0008 // append ; to the end
#define PRTYPE_CPP     0x0010 // use c++ name (only for print_type2)
#define PRTYPE_DEF     0x0020 // tinfo_t: print definition, if available
#define PRTYPE_NOARGS  0x0040 // tinfo_t: do not print function argument names
#define PRTYPE_NOARRS  0x0080 // tinfo_t: print arguments with #FAI_ARRAY as pointers
#define PRTYPE_NORES   0x0100 // tinfo_t: never resolve types (meaningful with PRTYPE_DEF)
#define PRTYPE_RESTORE 0x0200 // tinfo_t: print restored types for #FAI_ARRAY and #FAI_STRUCT
#define PRTYPE_NOREGEX 0x0400 // do not apply regular expressions to beautify name
#define PRTYPE_COLORED 0x0800 // add color tag COLOR_SYMBOL for any parentheses, commas and colons
#define PRTYPE_METHODS 0x1000 // tinfo_t: print udt methods
WRAP
Page breakpoints ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Page breakpoints are memory access breakpoints that can be set to detect
when the application reads, writes, or executes code/data in a specific
memory range. Page breakpoints are very similar to hardware breakpoints
but there is no limitation on the number of page breakpoints that can be
set or their size, in contrast with normal hardware breakpoints.

Memory access breakpoints are implemented by removing page permissions according
to the specified type of the page breakpoint to be added (for example, for a
write page breakpoint, the write permission will be removed from the page).
When the access violation exception occurs because the application
tries to access the specific memory region, IDA reports a breakpoint hit.

As page breakpoints can be set for a small part of a memory page but the
permissions of the whole page must be changed, page breakpoints can slow
down the debugger because many access violation exceptions may be generated.
If the application accesses memory outside of the desired range but on the
same page, the generated exception must be silently handled and the
application resumed. Specifically, page breakpoints in the code segment can slow
down the debugger very much.

Memory access breakpoints are supported since IDA version 6.3 for the following
debuggers:

Win32

  Page breakpoints are supported for both local and remote debugging
  of 32 and 64bit applications.

WinDbg

  Page breakpoints are supported only for local debugging of 32-bit applications.

Bochs

  Page breakpoints are supported for both of 32 and 64bit applications.
  Page breakpoints in the bochs debugger are just like normal hardware
  breakpoints but with no limit on the number of breakpoints or their size.
  Please note that hardware breakpoints in the bochs debugger occur AFTER the
  instruction is executed while regular page breakpoints occur BEFORE the
  instruction is actually executed.

 See also @0:1404[Breakpoints list]
          @0:1405[Add breakpoint]
          @0:1406[Delete breakpoint]
          @0:1407[Edit breakpoint]
          @0:1404[Breakpoints] submenu.
 Step Tracing Options▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

// Get step current tracing options
// Returns combination of ST_... constants

long get_step_trace_options();

// Set step current tracing options.
//      options - combination of ST_... constants

void set_step_trace_options(long options);

#define ST_OVER_DEBUG_SEG 0x01 // step tracing will be disabled when IP is in a debugger segment
#define ST_OVER_LIB_FUNC  0x02 // step tracing will be disabled when IP is in a library function
#define ST_ALREADY_LOGGED 0x04 // step tracing will be disabled when IP is already logged
#define ST_SKIP_LOOPS     0x08 // step tracing will try to skip loops already recorded
#define ST_DIFFERENTIAL   0x10 // tracing: log only new instructions
 Trace file functions▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

// Load a previously recorded binary trace file
//       filename - trace file
success load_trace_file(string filename);

// Save current trace to a binary trace file
//       filename - trace file
//       description - trace description
success save_trace_file(string filename, string description);

// Check the given binary trace file
//       filename - trace file
success is_valid_trace_file(string filename);

// Diff current trace buffer against given trace
//       filename - trace file
success diff_trace_file(string filename);

// Clear the current trace buffer
void clear_trace();

// Update the trace description of the given binary trace file
//       filename - trace file
//       description - trace description
success set_trace_file_desc(string filename, string description);

// Get the trace description of the given binary trace file
//       filename - trace file
string get_trace_file_desc(string filename);

 Trace events functions▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

// Return the total number of recorded events
long get_tev_qty();

// Return the address of the specified event
//       tev - event number
long get_tev_ea(long tev);

// Return the type of the specified event (TEV_... constants)
//       tev - event number
long get_tev_type(long tev);

#define TEV_NONE  0 // no event
#define TEV_INSN  1 // an instruction trace
#define TEV_CALL  2 // a function call trace
#define TEV_RET   3 // a function return trace
#define TEV_BPT   4 // write, read/write, execution trace
#define TEV_MEM   5 // memory layout changed
#define TEV_EVENT 6 // debug event

// Return the thread id of the specified event
//       tev - event number
long get_tev_tid(long tev);

// Return the register value for the specified event
//       tev - event number
//       reg - register name (like EAX, RBX, ...)
long get_tev_reg(long tev, string reg);

// Return the number of memory addresses recorded for the specified event
//       tev - event number
long get_tev_mem_qty(long tev);

// Return the memory pointed by 'index' for the specified event
//       tev - event number
//       idx - memory address index
string get_tev_mem(long tev, long idx);

// Return the address pointed by 'index' for the specified event
//       tev - event number
//       idx - memory address index
string get_tev_mem_ea(long tev, long idx);

// Return the address of the callee for the specified event
//       tev - event number
long get_call_tev_callee(long tev);

// Return the return address for the specified event
//       tev - event number
long get_ret_tev_return(long tev);

// Return the address of the specified TEV_BPT event
//       tev - event number
long get_bpt_tev_ea(long tev);
ÁWRAP
PIN debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

The PIN debugger is a remote debugger plugin used to record execution traces. It
allows to record traces on Linux and Windows (x86 and x86_64) from any of the
supported IDA platforms (Windows, Linux and MacOSX). Support for MacOSX targets
is not yet available. Please see the section @0:1653[PIN support for MacOSX]
for more details on this subject.

To use the PIN debugger plugin the following steps must be carried out:

  - Download the appropriate version of PIN from http://www.pintool.org

  - @0:1655[Build the PIN tool]

  - Configure the debugger specific options in
    Debugger Options, Set specific options.

  PIN debugger plugin has the following configuration options:

  - PIN Binary Path: Full path to the pin binary.
  - PIN Tool Path: Directory where the idadbg.so or .dll PIN tool resides.
  - Tracing options:
    - Instruction tracing: trace individual instructions
    - Basic block tracing: trace basic blocks
    - Function tracing: trace functions
    - Recording of register values: record register values or not. If
      this option is disabled, only EIP/RIP will be recorded.
  - PIN Tool options:
    - Autolaunch pin for "localhost": When this option is set and
    the host name specified in Debugger, Process Options is "localhost", the PIN
    tool will be executed by IDA. Otherwise IDA expects the PIN tool to be
    already running and listening. Please refer to
    @0:1654[Connecting a remote PIN tool instance from IDA] for more details.
    - Debug mode: This flag allows one to see what's happening in the PIN tool
    side. It prints out some debugging information.
    - Extra-arguments: Additional command line arguments to be used when
    constructing the command line to launch PIN locally. The extra arguments can
    be added before the PIN tool specification (before '-t /path/to/pin/tool) or
    after the PIN tool (after '-t /path/to/pin/tool' but before '-- application').
    Please consult the section "Command Line Switches" of the Intel PIN manual
    for more details.

Optionally you can launch PIN yourself and connect to it from IDA. See
@0:1654[Connecting a remote PIN tool instance from IDA] for more
details.
¤WRAP
PIN support for MacOSX ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Recording traces on MacOSX target is not supported yet. Versions equal or prior to
2.12-55942 does not have support for the API PIN_SpawnInternalThread, which is
needed by IDA to communicate with the PIN tool.

However, it's possible to record traces from a Linux or Windows target using the
MacOSX version of IDA.
üWRAP
Connecting a remote PIN tool instance from IDA ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

For local debugging the PIN tool can be automatically launched by IDA.
For remote debugging it must be launched manually, as in the following example:

  $ /path/to/pin -t /path/to/idadbg/lib -p PORT -- APPLICATION [ARGUMENTS]

Where PORT is the port that the PIN tool will listen for incoming connections
from IDA. APPLICATION is the target application to be traced and the optional
parameter ARGUMENTS are the arguments to be passed to the target application.
Please note that on Win64 it may be required to specify the path to
specific x64 binary instead to the pin.bat batch file.

To attach to an already running process instead of starting a new one a command
like the following one must be executed:

  $ /path/to/pin -pid PID -t /full/path/to/idadbg/lib/with.extension -p PORT

Where PID is the pid of the running process to attach and PORT the port that the
PIN tool will listen for incoming connections.

The hostname and port where the PIN tool is listening for incoming connections
should be specified in IDA. See the Debugger, Process options dialog.

After successfully launching the PIN tool the IDA debugger can be launched
by pressing F9 or selecting Debugger, Start Process.

PIN accepts the following optional environment variables and command
line arguments:

  - Environment variables:
    IDAPIN_DEBUG: Set this environment variable to 1 or higher to print
    debugging information.

  - Command line arguments:
    -p number: Port where the PIN tool will listen for incoming connections from IDA
    -idadbg [0|1|2]: Same as the IDAPIN_DEBUG environment variable
WRAP
Building the PIN tool ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Before using the PIN tracer the PIN tool module (distributed only in source code
form) must be built as the Intel PIN license disallows redistributing PIN tools
in binary form.

Please refer to

https://www.hex-rays.com/products/ida/support/tutorials/pin/pin_tutorial.pdf

to learn how to build our PIN tool.

~T~racingTrace ~w~indow~C~lear trace~I~nstruction tracing~B~asic block tracing~F~unction tracingAdd write trac~e~Add ~r~ead/write traceAdd e~x~ecution traceTracing ~o~ptions...Expected identifier-Function return types cannot have attributesIllegal type qualifier?WRAP
Dalvik debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The Dalvik debugger is a plugin to debug Android applications written for the Dalvik Virtual Machine. It includes the source level debugging too.

Dalvik debugger specific options:

    ADB executable

        IDA needs to know where the 'adb' utility resides, and tries various
        methods to locate it automatically. Usually IDA finds the path to adb,
        but if it fails then we can define the ANDROID_SDK_HOME or the
        ANDROID_HOME environment variable to point to the directory where the
        Android SDK is installed to. Or set the path to 'adb' here.

    Emulator/device serial number

        If multiple emulator/device instances are running, you must specify
        the target instance to connect to.

    Package name

        Set the package name for the application as specified in
        AndroidManifest.xml. It is a mandatory option to start an application.
        If you plan to use "Attach to process" debugger action then you may
        leave this field empty.


    Activity

        If your want to start an application using the "Start process"
        debugger action then you have to set this option too. Copy it from
        AndroidManifest.xml. If you plan to use the "Attach to process"
        debugger action then you may leave this field empty.

    Command line arguments

        Every object inside Dalvik VM has an ID. It is the 64-bit number.
        If you want to see it in "Locals"/"Watches" windows then set this
        checkbox.

Source-level debugging

    In order to use source-level debugging you have to set paths to the
    application source code files. Do it using "Options/Sources path"
    menu item.

    Our dalvik debugger presumes that the application sources reside
    in the current (".") directory.  If this is not the case, you can
    map current directory (".") to the directory where the source files
    are located.

List of special things about our Dalvik debugger:

  - In Dalvik there is no stack and there is no SP register.
    The only available register is IP.
  - The method frame registers and slots (v0, v1, ...) are represented as
    local variables in IDA.
    We can see them in the Debugger/Debugger Windows/Locals window
  - The stack trace is available from "Debugger/Windows/Stack trace"
  - When the application is running, it may execute some system code.
    If we break the execution by clicking on the "Cancel" button,
    quite often we may find ourselves outside of the application,
    in the system code. The value of the IP register is 0xFFFFFFFF in this
    case, and stack trace shows only system calls and a lot of 0xFFFFFFFFs.
    It means that IDA could not locate the current execution position inside
    the application. We recommend to set more breakpoints inside the
    application, resume the execution and interact with application by
    clicking on its windows, selecting menu items, etc.
    The same thing can occur when we step out the application or
    step into the system code. In the last case we can use "Run until
    return" debugger command to return to the application code.

Locals window

    IDA considers the method frame registers, slots, and
    variables (v0, v1, ...) as local variables.
    To see their values we have to open the "Locals" window
    from the "Debugger/Debugger windows/Locals" menu item.

    If the information about the frame is available (the symbol table is
    intact) then IDA shows the method arguments, the method local variables
    with names and other non-named variables.
    Otherwise some variable values will not be displayed because IDA
    does not know their types. Variables without type information are
    marked with "Bad type" in the "Locals" window.
    To see the variable value in this case please use the "Watches" window.

Watches window

    To open the "Watches" window please select the "Debugger/Windows/Watches"
    menu item. In this window we can add any variable to watch its value.

    Please note that we have to specify type of variable if it is not known.
    Use C-style casts:
        (Object*)v0
        (String)v6
        (char*)v17
        (int)v7

    We do not need to specify the real type of an object variable,
    the "(Object*)" cast is enough.  IDA can derive the real object type
    itself.

    ATTENTION! An incorrect type may cause the Dalvik VM to crash.

    There is not much we can do about it. Our recommendation is to never
    cast an integer variable to an object type, the Dalvik VM usually
    crashes if we do that. But the integer cast "(int)" is safe in practice.

    Keeping the above in the mind, do not leave the cast entries
    in the "Watches" window for a long time. Delete them before any
    executing instruction that may change the type of the watched variable

See also @0:1395[Debugger] submenu.Missing return typeWRAP
Export data ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀


  "Export data" dialog can export binary data into different formats.E~x~port data...>% Dalvik debugger extension functions▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

// Get local variable or function argument value
//       name - variable name ("v0", "v1", ... or user defined name)
auto dalvik_get_local(string name);

// Get typed local variable value
//       name - variable name ("v0", "v1", ... or user defined name)
//       wanted_type - Java VM's representation of type signature
auto dalvik_get_local_typed(string name, string wanted_type);

// Get object instance field value
//       oid - object id
//       name - object field name
auto dalvik_get_instance_fld(int64 oid, string name);

// Get number or array elements
//       oid - array object id
long dalvik_get_array_size(int64 oid);

// Get array element by index
//       oid - object id
//       idx - element index
auto dalvik_get_array_elem(int64 oid, long idx);

// ----------------------------------------------------------------------------
// Low-level functions providing access to (parts of) the Java(tm) Debug Wire
// Protocol (JDWP). These functions try to follow the interface of
// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html
// as closely as possible. In general they return IDC objects that have
// attributes named according to the documentation. If repeated information is
// returned (ClassesBySignature, AllClasses, AllThreads, ...), the resulting IDC
// object (amongst other possible named attributes) directly contains an array
// that can be accessed by means of the [] operator.
// ----------------------------------------------------------------------------

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_VirtualMachine_Version
// Returns the JDWP version implemented by the target VM. The version string format is implementation dependent.
auto JDWP_VirtualMachine_Version();

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_VirtualMachine_ClassesBySignature
// Returns reference types for all the classes loaded by the target VM which
// match the given signature. Multple reference types will be returned if two
// or more class loaders have loaded a class of the same name. The search is
// confined to loaded classes only; no attempt is made to load a class of the
// given signature.
auto JDWP_VirtualMachine_ClassesBySignature(string signature);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_VirtualMachine_AllClasses
// Returns reference types for all classes currently loaded by the target VM.
auto JDWP_VirtualMachine_AllClasses();

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_VirtualMachine_AllThreads
// Returns all threads currently running in the target VM . The returned list
// contains threads created through java.lang.Thread, all native threads
// attached to the target VM through JNI, and system threads created by the
// target VM. Threads that have not yet been started and threads that have
// completed their execution are not included in the returned list.
auto JDWP_VirtualMachine_AllThreads();

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_VirtualMachine_IDSizes
// Returns the sizes of variably-sized data types in the target VM.The returned
// values indicate the number of bytes used by the identifiers in command and
// reply packets.
auto JDWP_VirtualMachine_IDSizes();

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_ReferenceType_Signature
// Returns the JNI signature of a reference type. JNI signature formats are
// described in the Java Native Inteface Specification.
//
// For primitive classes the returned signature is the signature of the
// corresponding primitive type; for example, "I" is returned as the signature
// of the class represented by java.lang.Integer.TYPE.
auto JDWP_ReferenceType_Signature(long refType);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_ReferenceType_Methods
// Returns information for each method in a reference type. Inherited methods
// are not included. The list of methods will include constructors (identified
// with the name "<init>"), the initialization method (identified with the name
// "<clinit>") if present, and any synthetic methods created by the compiler.
// Methods are returned in the order they occur in the class file.
auto JDWP_ReferenceType_Methods(long refType);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_ReferenceType_Fields
// Returns information for each field in a reference type. Inherited fields are
// not included. The field list will include any synthetic fields created by the
// compiler. Fields are returned in the order they occur in the class file.
auto JDWP_ReferenceType_Fields(long refType);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_ReferenceType_NestedTypes
// Returns the classes and interfaces directly nested within this type. Types
// further nested within those types are not included.
auto JDWP_ReferenceType_NestedTypes(long refType);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_ReferenceType_SourceFile
// Returns the name of source file in which a reference type was declared.
auto JDWP_ReferenceType_SourceFile(long refType);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_ReferenceType_Instances
// Returns instances of this reference type. Only instances that are reachable
// for the purposes of garbage collection are returned.
// Since JDWP version 1.6. Requires canGetInstanceInfo capability - see
// CapabilitiesNew.
auto JDWP_ReferenceType_Instances(long refType, int maxInstances);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_Method_VariableTable
// Returns variable information for the method. The variable table includes
// arguments and locals declared within the method. For instance methods,
// the "this" reference is included in the table. Also, synthetic variables
// may be present.
auto JDWP_Method_VariableTable(long refType, long methodId);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_Method_Bytecodes
// Retrieve the method's bytecodes as defined in The Java Virtual Machine
// Specification. Requires canGetBytecodes capability - see CapabilitiesNew.
auto JDWP_Method_Bytecodes(long refType, long methodId);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_Method_VariableTableWithGeneric
// Returns variable information for the method, including generic signatures
// for the variables. The variable table includes arguments and locals
// declared within the method. For instance methods, the "this" reference is
// included in the table. Also, synthetic variables may be present. Generic
// signatures are described in the signature attribute section in The Java
// Virtual Machine Specification. Since JDWP version 1.5.
auto JDWP_Method_VariableTableWithGeneric(long refType, long methodId);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_ObjectReference_ReferenceType
// Returns the runtime type of the object. The runtime type will be a class or
// an array.
auto JDWP_ObjectReference_ReferenceType(long object);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_StringReference_Value
// Returns the characters contained in the string.
auto JDWP_StringReference_Value(long stringObject);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_ThreadReference_Frames
// Returns the current call stack of a suspended thread. The sequence of frames
// starts with the currently executing frame, followed by its caller, and so
// on. The thread must be suspended, and the returned frameID is valid only
// while the thread is suspended.
auto JDWP_ThreadReference_Frames(long thread, int startFrame, int length);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_ThreadReference_ThreadGroup
// Returns the thread group that contains a given thread.
auto JDWP_ThreadReference_ThreadGroup(long thread);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_ArrayReference_Length
// Returns the number of components in a given array.
auto JDWP_ArrayReference_Length(long arrayObject);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_ArrayReference_GetValues
// Returns a range of array components. The specified range must be within the
// bounds of the array.
auto JDWP_ArrayReference_GetValues(long arrayObject, int firstIndex, int length);

// https://docs.oracle.com/javase/8/docs/platform/jpda/jdwp/jdwp-protocol.html#JDWP_StackFrame_GetValues
// Returns the value of one local variable in a given frame. The variable must
// be visible at the frame's code index. Even if local variable information is
// not available, values can be retrieved if the front-end is able to determine
// the correct local variable index. (Typically, this index can be determined
// for method arguments from the method signature without access to the local
// variable table information.)
//
// MODIFIED to only query one local variable at a time.
auto JDWP_StackFrame_GetValue(long thread, long frame, int slot, byte sigbyte);
çWRAP
Generate a FLIRT signature file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: makesig:create_signature
 Current hotkey: Ctrl-Shift-F12

This command generate a FLIRT signature file.
A function is eligible when then name don't start with "sub_".

 File: Pathname for the signature file
 Library name: identifier, shown in the description of @0:588[Signature]

 Collect functions
  - All: Generate signature for all functions in the idb that are eligible
  - Selected: Generate a signature only for the selection in @0:639[Functions]

 Collisions
  - Ignore: don't add collision FLIRT signature
            will delete the Exclusion file if it exists
  - Deal with manually: if there is collisions, a window will open to manage
                        the collisions

Two or three files are generated:

 - Signature file: The output file
 - Pattern file:   Filename is Signature filename with extension replaced
                   with "pat"
 - Exclusion File: Filename with extension replaced by "exc"
                   Only present if you want to deal with collision and there
                   is any.

The last two files can be deleted once the signature file is generated.
WRAP
DWARF plugin▄
 ▀▀▀▀▀▀▀▀▀▀▀▀


The DWARF plugin will search for DWARF-encoded debug information either in the input file, or a "companion" file (using a strategy similar to that of GDB), when some is found, will extract the following:

  - type information
  - function names, prototypes, local variables
  - global variables names & types

In addition, the DWARF plugin provides source-level debugging.

Dialog box▄

  Global name               : create global names based on DWARF informations
  Functions                 : Create functions based on DWARF informations
  Use function bounds       : Uses DWARF to determine functions boundaries
  Types (uncheck for speed) : Create types, needed for Apply calling
                              convention or Function prototype are definitive
  Apply calling convention  : DWARF will try and guess the calling convention
                              instead of using platform default calling
                              convention. Needed for Allow __usercall
  Allow __usercall          : If DWARF detects __usercall, allow to use it. If
                              not allowed, the default calling convention for
                              the platform will be used
  Function prototypes are definitive: Decompiler will not try to change the
                                     prototype if set. Use this with caution
  Import file names/line numbers: Import all information

'cfg/dwarf.cfg' file presents in details all the options

List of '-Odwarf' options▄

 - off : disable the plugin for the current session
 - import_lnnums=1 : import file name and line number into idb> print_decls▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Print types in a format suitable for use in a header file
     ordinals - comma-separated list of type ordinals
     flags    - combination of PDF_... constants or 0
returns: string containing the type definitions

string print_decls(string ordinals, long flags);

#define PDF_INCL_DEPS  0x1 // include dependencies
#define PDF_DEF_FWD    0x2 // allow forward declarations
#define PDF_DEF_BASE   0x4 // include base types: __int8, __int16, etc..
#define PDF_HEADER_CMT 0x8 // prepend output with a descriptive comment
]WRAP
Remote iOS Debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The Remote iOS Debugger allows for debugging iOS applications directly from IDA.

IDA's iOS debugger acts as a client to Apple's debugserver. So, you must ensure that
the debugserver is already installed on your device for the debugger to work.

See: https://www.hex-rays.com/products/ida/support/tutorials/ios_debugger_tutorial.pdf

for a detailed tutorial on getting started with iOS.

See also @0:1335[Remote GDB Debugger]
         @0:1078[Debugger for macOS]
         @0:1463[How to launch remote debugging]
Dump view historyÓWRAP
Center current line in window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: CenterInWindow
 Current hotkey: @<CenterInWindow>Expected string literal7Function arguments cannot contain forward declarations
   <~M~emory mapping:B:4:::>
8 get_fixup_target_flags▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

get fixup target flags
     ea - address to get information about
returns: 0 - no fixup at the specified address
         otherwise returns fixup flags:

long get_fixup_target_flags(long ea);

#define FIXUPF_REL      0x1  // fixup is relative to the linear address
#define FIXUPF_EXTDEF   0x2  // target is a location (otherwise - segment)
#define FIXUPF_UNUSED   0x4  // fixup is ignored by IDA
#define FIXUPF_CREATED  0x8  // fixup was not present in the input file
ÑWRAP
Copy field info to pointers▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: CopyFieldsToPointers
 Current hotkey: @<CopyFieldsToPointers>

This command scans the current struct variable and renames the locations
pointed by offset expressions unless they already have a non-dummy name.

It also copies the type info from the struct members to pointed locations.

See also @0:490[Edit|Structs] submenu.
"Please specify the reference type×PCRE2 LICENCE ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀
PCRE2 LICENCE
-------------

PCRE2 is a library of functions to support regular expressions whose syntax
and semantics are as close as possible to those of the Perl 5 language.

Release 10 of PCRE2 is distributed under the terms of the "BSD" licence, as
specified below. The documentation for PCRE2, supplied in the "doc"
directory, is distributed under the same terms as the software itself. The data
in the testdata directory is not copyrighted and is in the public domain.

The basic library functions are written in C and are freestanding. Also
included in the distribution is a just-in-time compiler that can be used to
optimize pattern matching. This is an optional feature that can be omitted when
the library is built.


THE BASIC LIBRARY FUNCTIONS
---------------------------

Written by:       Philip Hazel
Email local part: ph10
Email domain:     cam.ac.uk

University of Cambridge Computing Service,
Cambridge, England.

Copyright (c) 1997-2016 University of Cambridge
All rights reserved.


PCRE2 JUST-IN-TIME COMPILATION SUPPORT
--------------------------------------

Written by:       Zoltan Herczeg
Email local part: hzmester
Emain domain:     freemail.hu

Copyright(c) 2010-2016 Zoltan Herczeg
All rights reserved.


STACK-LESS JUST-IN-TIME COMPILER
--------------------------------

Written by:       Zoltan Herczeg
Email local part: hzmester
Emain domain:     freemail.hu

Copyright(c) 2009-2016 Zoltan Herczeg
All rights reserved.


THE "BSD" LICENCE
-----------------

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

    * Redistributions of source code must retain the above copyright notice,
      this list of conditions and the following disclaimer.

    * Redistributions in binary form must reproduce the above copyright
      notice, this list of conditions and the following disclaimer in the
      documentation and/or other materials provided with the distribution.

    * Neither the name of the University of Cambridge nor the names of any
      contributors may be used to endorse or promote products derived from this
      software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

EndÜWRAP
Objective-C Analysis Plugin ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The objc plugin performs Objective-C specific analysis on the database.

For an overview of what the plugin can do, see the menu options in Edit>Other>Objective-C,
or the config options in objc.cfg.


Type Information

The bulk of the plugin's work is done at file load time, when it will parse all
Objective-C type information embedded in the binary, and use this to create
tinfo_t structures for all known classes and construct prototypes for all known
methods.

This analysis can be invoked manually at any time with:

  Edit>Other>Objective-C>Reload Objective-C info

Or:

  idaapi.load_and_run_plugin("objc", 1)

You can also disable objc analysis at load time with command line option:

  -Oobjc:+l

Or check the "Lazy mode" option in:

  Edit>Other>Objective-C>Objective-C Options...


Decompilation

The plugin will also perform Objective-C analysis during decompilation.

When a function is decompiled, the plugin will analyze any calls to objc_msgSend,
and use the arguments to determine if objc_msgSend will ultimately invoke one of
the methods in the current database.

If such a situation is detected, the plugin will replace the call to objc_msgSend with
a call to the target method, and add an xref to the method. This is done in the hopes that
continued use of the decompiler will improve call graphs for Objective-C binaries.

If the target method has type information, then the return type can be used to refine
the types of local variables in the pseudocode, which in turn could lead to more method
calls being detected, and so on.

You can disable objc analysis in the pseudocode with command line option:

  -Oobjc:-h

Or uncheck the "Enable decompiler plugin for Objective-C" option in:

  Edit>Other>Objective-C>Objective-C Options...


Debugging

objc also provides tools for dynamic analysis.

During debugging, you can analyze objc info for a specific library
by right-clicking in the Modules window and selecting "Load debug info".

This operation can also be performed programmatically with:

  n = idaapi.netnode()
  n.create("$ objc")
  n.supset(1, "/module/path", 'R')
  idaapi.load_and_run_plugin("objc", 3)

If you prefer that objc does not perform analysis during "Load debug info",
(say if DWARF information is available for a module and you prefer that),
you can disable this functionality with command line option:

  -Oobjc:-s

Or by unchecking the "Enable SIP for Objective-C" option in:

  Edit>Other>Objective-C>Objective-C Options...


Step Into Message

The plugin also implements a "step into" debugger action for Objective-C.

If you use this action before a call to objc_msgSend, objc will try to calculate
the address of method that is being invoked, and break at the method address
rather than step into the objc_msgSend function itself.

You can perform this action with shortcut:

  Shift+O

Or via the menu option:

  Debugger>Run until message received

Or programmatically with:

  idaapi.load_and_run_plugin("objc", 2)

This action can be very useful, but you must be careful. When invoked, the action
will automatically run to the address of objc_msgSend, analyze its arguments,
then continue to the target method.

If there is no subsequent call to objc_msgSend in the program, you will lose control
of the process. It is best to use this action only when you are sure that IP is
in the vicinity of an objc_msgSend call.


NSConcreteStackBlock
--------------------

The objc plugin can also be used to analyze Apple binaries that make heavy
use of blocks: https://clang.llvm.org/docs/Block-ABI-Apple.html

The analysis involves identifying NSConcreteStackBlock instances on the stack,
and creating a specialized Block_layout structure to apply to the function's
stack frame.

The end result transforms the following sequence of statements:

  loc_BF60:                                 Block_layout_BF60 v1;
    v1 = _NSConcreteStackBlock;             v1.isa        = _NSConcreteStackBlock;
    v2 = 0x...;                             v1.flags      = 0x...;
    v3 = 0;                                 v1.reserved   = 0;
    v4 = __block_invoke;             =>     v1.invoke     = __block_invoke;
    v5 = &__block_descriptor_tmp;           v1.descriptor = &__block_descriptor_tmp;
    v6 = ...                                v1.lvar1      = ...
    v7 = ...                                v1.lvar2      = ...
    ...                                     ...
    func(&v1);                              func(&v1);

Already this cleans up the analysis quite a lot, but more importantly this new
Block_layout_BF60 structure will be applied to the prototype of __block_invoke,
which can heavily improve the pseudocode.

Block analysis can be performed on the database with:

  Edit>Other>Objective-C>Analyze stack-allocated blocks (entire database)

Or programmatically with:

  idaapi.load_and_run_plugin("objc", 5)

You can also perform block analysis on a specific function:

  Edit>Other>Objective-C>Analyze stack-allocated blocks (current function)

Or with shortcut:

  Ctrl+Shift+S

Or programmatically:

  n = idaapi.netnode()
  n.create("$ objc")
  n.altset(1, 0xBF60, 'R') # the address can be any address within the function
  idaapi.load_and_run_plugin("objc", 5)

These actions work in both the disassembly and pseudocode windows,
but note that you must refresh the pseudocode with F5 for the changes
to take full effect.

Also, please note that this feature makes use of the microcode in the hexrays SDK,
so you must have the decompiler in order to use it.


NSConcreteGlobalBlock
---------------------

Global blocks (i.e. blocks that don't make use of local variables) are much easier
to analyze, and simply involve identifying references to NSConcreteGlobalBlock in
the __const segment.

Global blocks are analyzed automatically at load time, but the analysis
can be performed manually at any time with:

  Edit>Other>Objective-C>Re-analyze global block functions

Or:

  idaapi.load_and_run_plugin("objc", 4)


Command Line
------------

Here's a summary of the command-line arguments that can be passed to objc:

objc features can be enabled or disabled using '+' or '-', followed by one of the following characters:

  v: verbose mode
  s: source info provider
  h: hexrays decompiler analysis
  l: lazy mode

For example, -Oobjc:+v:+l:-s will enable verbose and lazy mode, and will disable the objc SIP.


See also @0:1078[Debugger for macOS]
         @0:1677[Remote iOS debugger]
         @0:1705[DYLD Shared Cache Utils]
îWRAP
Kernel analysis options 3▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Enable EH analysis

  If this option is set on, IDA uses EH information of the binary for
  more detailed analysis.

Enable RTTI analysis

  If this option is set on, IDA tries to detect C++ Run-Time Type
  Identification and does additional analysis based on this information.

Enable macros

  This option is disabled if the processor module does not support macros.

  If this option is on, IDA will combine several instructions into one macro
  instruction.
  For example for the ARM processor,

      ADRP Rx, label@PAGE
      ADD  Rx, Rx, label@PAGEOFF

  will be replaced by

      ADRL Rx, label

Merge strlits

  if the analysis option "Create string literals if data xref exists" is set
  and the target string literal ends at the existing one (without a
  termination character), IDA will merge these strlits into one.

See also @0:621[analysis options 1] @0:622[analysis options 2]»@0:1688[]
Kernel analysis options 3
%/
<Enable ~E~H analysis           :C>
<Enable ~R~TTI analysis         :C>
<Enable ~m~acros                :C1>
<Merge ~s~trlits                :C>>

"Only classes may have destructorsy
WRAP
C++ type details ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA can parse and handle simple C++ class declarations. It cannot parse
templates and other complex constructs but simple standard cases can be parsed.

If a C++ class contains virtual functions, IDA will try to rebuild the
virtual function table (VFT) for the class. The VFT will be linked to the
class by the name: if the class is called "A", the VFT type will be "A_vtbl".

Let us consider the following class hierarchy:

  class A { virtual int f(); int data; };
  class B : public A { virtual int g(); };

IDA will create the following structures:

  struct __cppobj A {A_vtbl *__vftable;int data;}
  struct A_vtbl {int (*f)(A *__hidden this);}
  struct __cppobj B : A {}
  struct B_vtbl {int (*f)(A *__hidden this);
                 int (*g)(B *__hidden this);}

Please note that the VFT pointer in the class A has a special name: "__vftable".
This name allows IDA to recognize the pointer as a VFT pointer and treat it
accordingly.

Another example of more complex class hierarchy:

  class base1 { virtual int b1(); int data; };
  class base2 { virtual int b2(); int data; };
  class der2 : public base2 { virtual int b2(); int data; };
  class derived : public base1, public der2 { virtual int d(); };

Compiling in 32-bit Visual Studio mode yields the following layout:

  class derived size(20):
        +---
   0    | +--- (base class base1)
   0    | | {vfptr}
   4    | | data
        | +---
   8    | +--- (base class der2)
   8    | | +--- (base class base2)
   8    | | | {vfptr}
  12    | | | data
        | | +---
  16    | | data
        | +---
        +---

IDA will generate the following types:

  struct __cppobj base1 {base1_vtbl *__vftable /*VFT*/;int data;};
  struct /*VFT*/ base1_vtbl {int (*b1)(base1 *__hidden this);};
  struct __cppobj base2 {base2_vtbl *__vftable /*VFT*/;int data;};
  struct /*VFT*/ base2_vtbl {int (*b2)(base2 *__hidden this);};
  struct __cppobj der2 : base2 {int data;};
  struct /*VFT*/ der2_vtbl {int (*b2)(der2 *__hidden this);};
  struct __cppobj derived : base1, der2 {};
  struct /*VFT*/ derived_vtbl {int (*b1)(base1 *__hidden this);
                               int (*d)(derived *__hidden this);};

The 'derived' class will use 2 VFTs:

  offset 0: derived_vtbl
  offset 8: der2_vtbl

IDA and Decompiler can use both VFTs and produce nice code for virtual calls.

Please note that the VFT layout will be different in g++ mode and IDA
can handle it too. Therefore it is important to have the target compiler
set correctly.

It is possible to build the class hierarchy manually. Just abide by the
following rules:

  - VFT pointer must have the "__vftable" name
  - VFT type must follow the "CLASSNAME_vtbl" pattern

C++ classes are marked with "__cppobj" keyword, it influences the class layout.
However, this keyword is not required for VFT types.

In the case of a multiple inheritance it is possible to override a virtual
table for a secondary base class by declaring a type with the following name:
"CLASSNAME_XXXX_vtbl" where XXXX is the offset to the virtual table
inside the derived (CLASSNAME) class.

Example: if in the above example we add one more function

        virtual int derived::b2();

then we need one more virtual table. Its name must be "derived_0008_vtbl".
Please note that our parser does not create such vtables, you have to do it
manually.

 See also @0:1259[Local types window]
(Shifted pointers cannot have zero delta#Too big delta of a shifted pointerShifted pointer cannot be voidûWRAP
Shifted pointers ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Sometimes in binary code we can encounter a pointer to the middle of a structure.
Such pointers usually do not exist in the source code but an optimizing
compiler may introduce them to make the code shorter or faster.

Such pointers can be described using shifted pointers. A shifted pointer
is a regular pointer with additional information about the name of the
parent structure and the offset from its beginning. For example:

        struct mystruct
        {
          char buf[16];
          int dummy;
          int value;            // <- myptr points here
          double fval;
        };
        int *__shifted(mystruct,20) myptr;

The above declaration means that myptr is a pointer to 'int' and if we
decrement it by 20 bytes, we will end up at the beginning of 'mystruct'.

Please note that IDA does not limit parents of shifted pointers to structures.
A shifted pointer after the adjustment may point to any type except 'void'.

Also, negative offsets are supported too. They mean that the pointer points
to the memory before the structure.

When a shifted pointer is used with an adjustment, it will be displayed with
the 'ADJ' helper function. For example, if we refer to the memory 4 bytes further,
it can be represented like this:

        ADJ(myptr)->fval

Shifted pointers are an improvement compared to the CONTAINING_RECORD macro
because expressions with them are shorter and easier to read.

See also @0:1361[Set type] command.Duplicate __shifted modifierWRAP
Manual memory regions ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ManualRegions
 Current hotkey: @<ManualRegions>

This command open a window with manual memory regions. In this window the user
can manipulate memory region definitions: add or delete them.

Some debugger backends (e.g. the gdb backend) do not provide memory layout
information. IDA needs this information in order to show the memory contents.
When this information is not available, the user must specify it.

The defined memory regions will be accessible when the debugger is active.
The user will be able to see the memory contents in the disassembly windows.

If no memory information is provided by the user nor by the debugger backend,
IDA will assume that entire memory space is accessible. However, it is better
to specify memory layout more precisely.

See also @0:1395[Debugger] submenu.WRAP
Lumina Submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu contains actions to work with the Lumina server:

    @0:1699[Pull all metadata]
    @0:1700[Push all metadata]
    @0:1701[View all metadata]
    @0:1702[Pull current function metadata]
    @0:1702[Push current function metadata]

To learn more about Lumina, please read:

  https://www.hex-rays.com/products/ida/lumina
ûWRAP
Pull all metadata ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This commands retrieves @0:1704[metadata] about the current database from Lumina.

IDA will calculate checksums for all non-trivial functions in the database
and send it to Lumina. This information will be used to match and retrieve
metadata, which will be automatically applied.

Please note that this may overwrite your changes, so taking a database snapshot
and saving the database before invoking this command is a good idea.

By non-trivial functions we mean:

  - long enough functions (>=16 bytes)
  - non-library functions
  - non-imported functions (functions with real body)

See also @0:1701[View all metadata], which allows the user
to interactively apply metadata.
bWRAP
Push all metadata ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This commands sends @0:1704[metadata] about the current database to Lumina.

IDA will calculate checksums for all non-trivial functions in the database,
extract metadata about them, and send it to Lumina. The metadata includes
function names and types, user comments, operand types, etc.

If Lumina already has metadata about the involved functions, it will be replaced
only if the new metadata is better and more complete.

Only functions with non-trivial names are pushed by this command.

See also @0:1698[Lumina submenu]
EWRAP
View all metadata ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This commands retrieves @0:1704[metadata] about the current database from Lumina.

IDA will calculate checksums for all non-trivial functions in the database
and send it to Lumina. This information will be used to match and retrieve
metadata. After that IDA will display list of matched functions.

The user can then select the desired metadata and apply it to the database.
If the result is not satisfactory, it is possible to revert the changes.

Once the window is closed, it is not possible to revert the changes anymore.

At the bottom of the window there are convenience buttons to apply or
revert all available metadata.

See also @0:1699[Pull all metadata], which automatically
applied all retrieved metadata.

See also @0:1698[Lumina submenu]
WRAP
Pull current function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This commands tries to retrieve @0:1704[metadata] about the current function from Lumina.
If successful, the metadata will be automatically applied.

See also @0:1698[Lumina submenu]
ÓWRAP
Push current function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This commands sends @0:1704[metadata] about the current function to Lumina.

See also @0:1698[Lumina submenu]
WRAP
Lumina Metadata ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Metadata currently consists of the following information:

  - function address, name, prototype
  - function frame layout
  - stack variables
  - user-defined sp change points
  - representation of instruction operands
  - function and instruction comments

We plan to add more information to metadata in the future.

See also @0:1698[Lumina submenu]
ª	WRAP
DYLD Shared Cache Utils ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This plugin (nicknamed "dscu" for brevity) is essentially just an extension of
the Mach-O loader. It allows you to manually load modules from a dyldcache
that were not loaded when first opening the cache in IDA (the plugin is only activated
after using the "single module" option for a dyldcache).

For a quick overview of the dscu functionality, see menu File>Load file>DYLD Shared Cache Utils.


Loading Modules
---------------

There are a few ways to manually load a module from the cache:

1) Use File>Load file>DYLD Shared Cache Utils>Load module... and choose which module to load

2) Right-click on an unmapped address in the disassembly, and select 'Load module <module name>'

3) Programatically:

  n = idaapi.netnode()
  n.create("$ dscu")
  n.supset(2, "/usr/lib/libobjc.A.dylib")
  idaapi.load_and_run_plugin("dscu", 1)


Loading Sections
----------------

dscu also allows you to load a subset of a given module.

Any section from any of the dyldcache's submodules can be loaded individually.
This is especially useful when analyzing Objective-C code, since often times it is
convenient to only load Objective-C info from a given module without loading all
of its code.

For example, if you see a pointer to a selector string that has not been loaded:

  ADRP  X8, #0x1AECFF7F9@PAGE
  ADD   X1, X8, #0x1AECFF7F9@PAGEOFF ; SEL
  MOV   X0, X21 ; id
  BL    _objc_msgSend_0

Right-click on "0x1AECFF7F9" and dscu will provide you with two options:

  Load UIKitCore:__objc_methname
  Load UIKitCore

The UIKitCore module is huge, so perhaps you don't want to load the entire thing,
but still want to clean up the disassembly. If you choose "Load UIKitCore:__objc_methname",
dscu will load only these selector strings into the database:

  ADRP  X8, #sel_alloc@PAGE ; "alloc"
  ADD   X1, X8, #sel_alloc@PAGEOFF ; SEL
  MOV   X0, X21 ; id
  BL    _objc_msgSend_0

This operation is much faster, and still provides a lot of benefit to the analysis.

Sections can also be loaded via:

  File>Load file>DYLD Shared Cache Utils>Load section...

or programmatically with:

  node = idaapi.netnode()
  node.create("$ dscu")
  node.altset(3, 0x1AECFF7F9) # address can be any address in the section
  idaapi.load_and_run_plugin("dscu", 2)


See also @0:1687[Objective-C Analysis Plugin]
         @0:1078[Debugger for macOS]
         @0:1677[Remote iOS debugger]
UndoRedo
Disable undoShow undo history
WRAP
Undo an action ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Undo
 Current hotkey: @<Undo>

This command reverts the database to the state before executing the last
user action. It is possible to apply Undo multiple times, in this case
multiple user actions will be reverted.

Please note the entire database is reverted, including all modifications that
were made to the database after executing the user action and including the ones
that are not connected to the user action. For example, if a third party plugin
modified the database during or after the user action, this modification will
be reverted. In theory it is possible to go back in time to the very beginning
and revert the database to the state state that was present immediately after
performing the very first user action. However, in practice the undo buffers
overflow because of the changes made by autoanalysis. @0:620[Autoanalysis]
generates copious amounts of undo data. Also please note that maintaining undo
data during autoanalysis slows it down a bit. In practice it is not a big deal
because the limit on the undo data is reached quite quickly (in a matter of minutes).
Therefore, if during analysis the user does not perform any actions that modify
the database, the undo feature will turn itself off temporarily.

However, if you prefer not to collect undo data at all during the initial autoanalysis,
just turn off the UNDO_DURING_AA parameter in @0:419[ida.cfg].

The configuration file @0:419[ida.cfg] has 2 more undo-related parameters:

  UNDO_MAXSIZE  max size of undo buffers; default: 128MB
                once this limit is reached, the undo info about the oldest
                user action will be forgotten.

  UNDO_DEPTH    max number of user actions to remember; default: 1000000
                if set to 0, the undo feature will be unavailable.

Since there is a limit on the size of undo buffers, any action, even the tiniest,
may become non-undoable after some time. This is true because the analysis
or plugins may continue to modify the database and overflow the buffers.
Some massive actions, like deleting a segment, may be non-undoable just
because of the sheer amount of undo data they generate.

Please note that Undo does not affect the state of IDC or Python scripts. Script
variables will not change their values because of Undo. Also nothing external to
the database can be changed: created files will not be deleted, etc.

Some actions cannot be undone. For example, launching a debugger or resuming
from a breakpoint cannot be undone.

See also
        @0:1711[Redo]
        @0:1712[Reset Undo]
        @0:1713[Disable Undo]
        @0:1714[Open undo history]
WRAP
Redo an action ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Redo
 Current hotkey: @<Redo>

This command reverts the previously issued @0:1710[Undo] command.
It is possible to use Redo multiple times.

This command also reverts all changes that were done to the database after
the last Undo command, including the eventual useful modifications made by the
autoanalysis. In other words, the entire database is modified to get to the
exact state that it had before executing the last Undo command.

See also
        @0:1710[Undo]
        @0:1712[Reset Undo]
        @0:1713[Disable Undo]
        @0:1714[Open undo history]
xWRAP
Clear undo history ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ResetUndo
 Current hotkey: @<ResetUndo>

This command clears the undo history. After it the Undo and Redo commands
become unavailable. However, once the user performs a new action, IDA will
again start journaling all database modifications.

A side effect of this command is fast autoanalysis: since there is no user
action to revert yet, IDA does not maintain undo buffers and this speeds up
the analysis.

See also
        @0:1710[Undo]
        @0:1711[Redo]
        @0:1713[Disable Undo]
        @0:1714[Open undo history]
'WRAP
Disable undo ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DisableUndo
 Current hotkey: @<DisableUndo>

This command completely disables the undo feature.

See also
        @0:1710[Undo]
        @0:1711[Redo]
        @0:1712[Reset Undo]
        @0:1714[Open undo history]
PWRAP
Show undo history ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowUndoHistory
 Current hotkey: @<ShowUndoHistory>

This command opens a window with the undo history. It is available from
the Views, Open subviews submenu.

Double clicking on a line reverts the database to the state before the
corresponding action.

It is possible to truncate the undo history by using the corresponding context menu command.
The undo information for the selected action will be removed together with the
information about all preceding actions.

The redoable user actions are displayed in italics.
The current position in the undo buffers is displayed in bold, it
usually denotes the first redoable user action.

See also
        @0:1710[Undo]
        @0:1711[Redo]
        @0:1712[Reset Undo]
        @0:1713[Disable Undo]
Run currently selected scriptReset filters@0:1720[]
Address bookmarks}WRAP
IDA View bookmarks ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

See:
 @0:227[Choose marked location]yWRAP
Structs bookmarks ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

See:
 @0:227[Choose marked location]qWRAP
Enums bookmarks ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

See:
 @0:227[Choose marked location]Open bookmarksÿWRAP
Bookmarks window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenBookmarks
 Current hotkey: @<OpenBookmarks>

This command opens the bookmarks window. This window lets
the user jump to a specific place in the listing.
HExplicit locations, if present, should be given for all stack arguments!Duplicate __spoils specificationmWRAP
Find breakpoint ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: BreakpointFind
 Current hotkey: @<BreakpointFind>

Open the breakpoints window if needed, then find current breakpoint in it.

 See also @0:1404[Breakpoints list]
          @0:1405[Add breakpoint]
          @0:1407[Edit breakpoint]
          @0:1404[Breakpoints] submenu.WRAP
IDAClang plugin ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The IDAClang plugin is shipped with IDA, and it provides the ability
to parse header files that contain arbitrarily complex C/C++/Objective-C
source code using the @0:1367[Load C header] action.

To enable the IDAClang parser, go to Options>Compiler>Source parser, and select "clang".
Then use 'File>Load file>Parse C header file' to invoke the parser on a given source file.

Since IDAClang is based on the third-party libclang parser, it can only parse standalone
source files that contain valid C/C++/Objective-C syntax.

See also @0:1367[Load C header] command.ÇWRAP
Function flags▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The following flags can be set in function properties:

Does not return

The function does not return to caller (for example, calls a process exit function or has an infinite loop).
If no-return analysis is enabled in @0:621[Kernel Options], IDA will not analyze bytes
following the calls to this function.

Far function

On processors which distinguish near and far functions (e.g. PC x86), mark the function as 'far'.
This may affect the size of the special @0:488[stack frame] field reserved for the return address,
as well as analysis of calls to this function.

Library func

Mark the function as part of compiler runtime library code. This flag is usually set when applying @0:436[FLIRT signatures]

Static func

Mark the function as static. Currently this flag is not used by IDA and is simply informational.

BP based frame

Inform IDA that the function uses a frame pointer (BP/EBP/RBP on PC) to access @0:488[local variables].
The operands of the form  [BP+xxx] will be automatically converted to @0:474[stack variables].

BP equal to SP

Frame pointer points to the bottom of the stack instead of at the beginning of the local variables area as is typical.

Fuzzy SP

Function changes SP by an unknown value, for example: and esp, 0FFFFFFF0h

Outlined code

The function is not a real function but a fragment of multiple functions' common instruction sequence extracted by the compiler
as a code size optimization (sometimes called "code factoring"). During decompilation, body of the function
will be expanded at the call site.

See also

         @0:483[Edit|Functions] submenu.
         @0:485[Edit a function]
         @0:687[Append function tail...]
Ì,Apache License for Ghidra ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.;Apache License for LLVM ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

==============================================================================
The LLVM Project is under the Apache License v2.0 with LLVM Exceptions:
==============================================================================

                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

    1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

    2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

    3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

    4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

    5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

    6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

    7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

    8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

    9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

    END OF TERMS AND CONDITIONS

    APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

    Copyright [yyyy] [name of copyright owner]

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.


---- LLVM Exceptions to the Apache 2.0 License ----

As an exception, if, as a result of your compiling your source code, portions
of this Software are embedded into an Object form of such source code, you
may redistribute such embedded portions in such Object form without complying
with the conditions of Sections 4(a), 4(b) and 4(d) of the License.

In addition, if you combine or link compiled forms of this Software with
software that is licensed under the GPLv2 ("Combined Software") and if a
court of competent jurisdiction determines that the patent provision (Section
3), the indemnity provision (Section 9) or other Section of the License
conflicts with the conditions of the GPLv2, you may retroactively and
prospectively choose to deem waived or otherwise exclude such Section(s) of
the License, but only in their entirety and only with respect to the Combined
Software.

==============================================================================
Software from third parties included in the LLVM Project:
==============================================================================
The LLVM Project contains third party software which is under different license
terms. All such code will be identified clearly using at least one of two
mechanisms:
1) It will be in a separate directory tree with its own `LICENSE.txt` or
   `LICENSE` file at the top containing the specific license and restrictions
   which apply to that software, or
2) It will contain specific license and restriction terms at the top of every
   file.

==============================================================================
Legacy LLVM License (https://llvm.org/docs/DeveloperPolicy.html#legacy):
==============================================================================
University of Illinois/NCSA
Open Source License

Copyright (c) 2007-2019 University of Illinois at Urbana-Champaign.
All rights reserved.

Developed by:

    LLVM Team

    University of Illinois at Urbana-Champaign

    http://llvm.org

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal with
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:

    * Redistributions of source code must retain the above copyright notice,
      this list of conditions and the following disclaimers.

    * Redistributions in binary form must reproduce the above copyright notice,
      this list of conditions and the following disclaimers in the
      documentation and/or other materials provided with the distribution.

    * Neither the names of the LLVM Team, University of Illinois at
      Urbana-Champaign, nor the names of its contributors may be used to
      endorse or promote products derived from this Software without specific
      prior written permission.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE
SOFTWARE.ÉWRAP
Lumina options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Lumina dialog box options▄

This options tab allows for modification of Lumina credentials and use settings.

Use the public server

        Sets host and port to the default public server hosted by Hex-Rays.
        No username or password is required.

Use a private server

        Allows for setting the name/address and port of a private server.
        If username and password credentials are needed, they can be specified here.

Automatically use Lumina server for analysis

        Instructs IDA to fetch function metadata from the current Lumina server,
        after the initial auto-analysis is complete. This helps with the recognition
        of known functions stored in the database of the Lumina server.


Lumina command line options ▄

Command line switch '-Olumina' overrides for ida session the primary server and '-Osecondary_lumina' the secondary one.

List of options▄

         host: lumina server host
         port: lumina server port
         user: username for authentification on private lumina
         pass: password for authentification on private lumina
         proxy_host: proxy host
         proxy_port: proxy port
         proxy_user: username for authentification on proxy
         proxy_pass: password for authentification on proxy

Example▄

  -Osecondary_lumina:host=lumina.hex-rays.com:port=443

Use the public lumina as secondary server for this ida session TRUNC▄
 ▀▀▀▀▀▀

Fix the address according to actual program bitness
#define TRUNC(ea) (inf_is_64bit() ? (ea) : ((ea) & 0xFFFFFFFF))
å TO_LONG▄
 ▀▀▀▀▀▀▀▀

Sign extend, if necessary, the value according to actual program bitness
#ifdef __EA64__
#define TO_LONG(x) (inf_is_64bit() ? (x) : (((x) << 32) >> 32))
#else
#define TO_LONG(x) (x)
#endif
LWRAP
picture_search ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

picture_search is a plugin that allows you to search for, and
inspect pictures that are embedded in the binary.

The key feature of the plugin is the "Search for pictures"
action, available in the @0:568["Search"] menu,
that will scan the entire binary (or the selection if there is one)
for so-called "magic" numbers of well-known image types
(PNG, JPEG, ...), and present the results in a tabular fashion:

                 [Address]         |[Format]
        .noptrdata:0000000000511620|GIF89a
        .noptrdata:00000000005133E0|PNG
        .noptrdata:0000000000517460|JPEG
        .noptrdata:000000000051ADA0|BMP

Note: at this point, pictures have not been decoded yet; the plugin
has merely spotted what looks like the start of pictures.
Decoding will only happen when triggering any of the following actions.

Double-clicking any row of that list will show the picture
directly in IDA. Opening the context menu will reveal even more
possibilities: open the picture in the OS's default viewer,
save it, jump to its start address...

In addition to this very handy scanning feature, the plugin will
add the "Open picture" action to the disassembly listing's
context menu when the current position happens to be near data
that matches the well-known image types' magic numbers.
BAUTOHIDE SESSION
Create a segment (%0*a-%0*a):
bad segment start.@AUTOHIDE SESSION
Create a segment (%0*a-%0*a):
bad segment end.æ set_database_flag▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Set database flag
     flags - DBFL_... bits
see also @0:1303[save_database]() (definition of the DBFL_... bits)

void set_database_flag(long flags);
è clr_database_flag▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Clear database flag
     flags - DBFL_... bits
see also @0:1303[save_database]() (definition of the DBFL_... bits)

void clr_database_flag(long flags);
Show register value/ Local types information and manipulation helpers▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

// Enum type information
class enum_type_data_t
{
  // tattr_enum, see TAENUM_... flags
  attribute taenum_bits;

  // enum member sizes (shift amount) and style, see BTE_... constants
  attribute bte;

  // number of enum members
  attribute member_cnt;

  // add enum constant
  success add_constant(string name, string name, uint64 value, string comment=nullptr);
};

// Get named local type TID
//       name - type name
// returns: TID or BADADDR
long get_named_type_tid(string name);

// Get numbered local type TID
//       ord - type ordinal
// returns: TID or BADADDR
long get_numbered_type_tid(long ord);

// create type enum
//       enum_name - type name
//       ei - enum type data of type enum_type_data_t
//       enum_width - the width of a enum element, allowed values: 0 (unspecified),1,2,4,8
//       sign - enum signess (any from TYPE_SIGN_... constants)
//       convert_to_bitmask - try convert enum to bitmask enum (0-false or 1-true)
//       enum_cmt - enum type comment
// returns: enum TID
long create_enum_type(
        string enum_name,
        object ei,
        long enum_width,
        long sign,
        long convert_to_bitmask,
        string enum_cmt=nullptr);
// type signedness
#define TYPE_SIGN_NO_SIGN        0  // no sign, or unknown
#define TYPE_SIGN_TYPE_SIGNED    1  // signed type
#define TYPE_SIGN_TYPE_UNSIGNED  2  // unsigned type
hGNU Lesser General Public License v2.1 for libiberty ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

                  GNU LESSER GENERAL PUBLIC LICENSE
                       Version 2.1, February 1999

 Copyright (C) 1991, 1999 Free Software Foundation, Inc.
     51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

[This is the first released version of the Lesser GPL.  It also counts
 as the successor of the GNU Library Public License, version 2, hence
 the version number 2.1.]

                            Preamble

  The licenses for most software are designed to take away your
freedom to share and change it.  By contrast, the GNU General Public
Licenses are intended to guarantee your freedom to share and change
free software--to make sure the software is free for all its users.

  This license, the Lesser General Public License, applies to some
specially designated software packages--typically libraries--of the
Free Software Foundation and other authors who decide to use it.  You
can use it too, but we suggest you first think carefully about whether
this license or the ordinary General Public License is the better
strategy to use in any particular case, based on the explanations below.

  When we speak of free software, we are referring to freedom of use,
not price.  Our General Public Licenses are designed to make sure that
you have the freedom to distribute copies of free software (and charge
for this service if you wish); that you receive source code or can get
it if you want it; that you can change the software and use pieces of
it in new free programs; and that you are informed that you can do
these things.

  To protect your rights, we need to make restrictions that forbid
distributors to deny you these rights or to ask you to surrender these
rights.  These restrictions translate to certain responsibilities for
you if you distribute copies of the library or if you modify it.

  For example, if you distribute copies of the library, whether gratis
or for a fee, you must give the recipients all the rights that we gave
you.  You must make sure that they, too, receive or can get the source
code.  If you link other code with the library, you must provide
complete object files to the recipients, so that they can relink them
with the library after making changes to the library and recompiling
it.  And you must show them these terms so they know their rights.

  We protect your rights with a two-step method: (1) we copyright the
library, and (2) we offer you this license, which gives you legal
permission to copy, distribute and/or modify the library.

  To protect each distributor, we want to make it very clear that
there is no warranty for the free library.  Also, if the library is
modified by someone else and passed on, the recipients should know
that what they have is not the original version, so that the original
author's reputation will not be affected by problems that might be
introduced by others.

  Finally, software patents pose a constant threat to the existence of
any free program.  We wish to make sure that a company cannot
effectively restrict the users of a free program by obtaining a
restrictive license from a patent holder.  Therefore, we insist that
any patent license obtained for a version of the library must be
consistent with the full freedom of use specified in this license.

  Most GNU software, including some libraries, is covered by the
ordinary GNU General Public License.  This license, the GNU Lesser
General Public License, applies to certain designated libraries, and
is quite different from the ordinary General Public License.  We use
this license for certain libraries in order to permit linking those
libraries into non-free programs.

  When a program is linked with a library, whether statically or using
a shared library, the combination of the two is legally speaking a
combined work, a derivative of the original library.  The ordinary
General Public License therefore permits such linking only if the
entire combination fits its criteria of freedom.  The Lesser General
Public License permits more lax criteria for linking other code with
the library.

  We call this license the "Lesser" General Public License because it
does Less to protect the user's freedom than the ordinary General
Public License.  It also provides other free software developers Less
of an advantage over competing non-free programs.  These disadvantages
are the reason we use the ordinary General Public License for many
libraries.  However, the Lesser license provides advantages in certain
special circumstances.

  For example, on rare occasions, there may be a special need to
encourage the widest possible use of a certain library, so that it becomes
a de-facto standard.  To achieve this, non-free programs must be
allowed to use the library.  A more frequent case is that a free
library does the same job as widely used non-free libraries.  In this
case, there is little to gain by limiting the free library to free
software only, so we use the Lesser General Public License.

  In other cases, permission to use a particular library in non-free
programs enables a greater number of people to use a large body of
free software.  For example, permission to use the GNU C Library in
non-free programs enables many more people to use the whole GNU
operating system, as well as its variant, the GNU/Linux operating
system.

  Although the Lesser General Public License is Less protective of the
users' freedom, it does ensure that the user of a program that is
linked with the Library has the freedom and the wherewithal to run
that program using a modified version of the Library.

  The precise terms and conditions for copying, distribution and
modification follow.  Pay close attention to the difference between a
"work based on the library" and a "work that uses the library".  The
former contains code derived from the library, whereas the latter must
be combined with the library in order to run.

                  GNU LESSER GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. This License Agreement applies to any software library or other
program which contains a notice placed by the copyright holder or
other authorized party saying it may be distributed under the terms of
this Lesser General Public License (also called "this License").
Each licensee is addressed as "you".

  A "library" means a collection of software functions and/or data
prepared so as to be conveniently linked with application programs
(which use some of those functions and data) to form executables.

  The "Library", below, refers to any such software library or work
which has been distributed under these terms.  A "work based on the
Library" means either the Library or any derivative work under
copyright law: that is to say, a work containing the Library or a
portion of it, either verbatim or with modifications and/or translated
straightforwardly into another language.  (Hereinafter, translation is
included without limitation in the term "modification".)

  "Source code" for a work means the preferred form of the work for
making modifications to it.  For a library, complete source code means
all the source code for all modules it contains, plus any associated
interface definition files, plus the scripts used to control compilation
and installation of the library.

  Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope.  The act of
running a program using the Library is not restricted, and output from
such a program is covered only if its contents constitute a work based
on the Library (independent of the use of the Library in a tool for
writing it).  Whether that is true depends on what the Library does
and what the program that uses the Library does.
  
  1. You may copy and distribute verbatim copies of the Library's
complete source code as you receive it, in any medium, provided that
you conspicuously and appropriately publish on each copy an
appropriate copyright notice and disclaimer of warranty; keep intact
all the notices that refer to this License and to the absence of any
warranty; and distribute a copy of this License along with the
Library.

  You may charge a fee for the physical act of transferring a copy,
and you may at your option offer warranty protection in exchange for a
fee.

  2. You may modify your copy or copies of the Library or any portion
of it, thus forming a work based on the Library, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:

    a) The modified work must itself be a software library.

    b) You must cause the files modified to carry prominent notices
    stating that you changed the files and the date of any change.

    c) You must cause the whole of the work to be licensed at no
    charge to all third parties under the terms of this License.

    d) If a facility in the modified Library refers to a function or a
    table of data to be supplied by an application program that uses
    the facility, other than as an argument passed when the facility
    is invoked, then you must make a good faith effort to ensure that,
    in the event an application does not supply such function or
    table, the facility still operates, and performs whatever part of
    its purpose remains meaningful.

    (For example, a function in a library to compute square roots has
    a purpose that is entirely well-defined independent of the
    application.  Therefore, Subsection 2d requires that any
    application-supplied function or table used by this function must
    be optional: if the application does not supply it, the square
    root function must still compute square roots.)

These requirements apply to the modified work as a whole.  If
identifiable sections of that work are not derived from the Library,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works.  But when you
distribute the same sections as part of a whole which is a work based
on the Library, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote
it.

Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Library.

In addition, mere aggregation of another work not based on the Library
with the Library (or with a work based on the Library) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.

  3. You may opt to apply the terms of the ordinary GNU General Public
License instead of this License to a given copy of the Library.  To do
this, you must alter all the notices that refer to this License, so
that they refer to the ordinary GNU General Public License, version 2,
instead of to this License.  (If a newer version than version 2 of the
ordinary GNU General Public License has appeared, then you can specify
that version instead if you wish.)  Do not make any other change in
these notices.

  Once this change is made in a given copy, it is irreversible for
that copy, so the ordinary GNU General Public License applies to all
subsequent copies and derivative works made from that copy.

  This option is useful when you wish to copy part of the code of
the Library into a program that is not a library.

  4. You may copy and distribute the Library (or a portion or
derivative of it, under Section 2) in object code or executable form
under the terms of Sections 1 and 2 above provided that you accompany
it with the complete corresponding machine-readable source code, which
must be distributed under the terms of Sections 1 and 2 above on a
medium customarily used for software interchange.

  If distribution of object code is made by offering access to copy
from a designated place, then offering equivalent access to copy the
source code from the same place satisfies the requirement to
distribute the source code, even though third parties are not
compelled to copy the source along with the object code.

  5. A program that contains no derivative of any portion of the
Library, but is designed to work with the Library by being compiled or
linked with it, is called a "work that uses the Library".  Such a
work, in isolation, is not a derivative work of the Library, and
therefore falls outside the scope of this License.

  However, linking a "work that uses the Library" with the Library
creates an executable that is a derivative of the Library (because it
contains portions of the Library), rather than a "work that uses the
library".  The executable is therefore covered by this License.
Section 6 states terms for distribution of such executables.

  When a "work that uses the Library" uses material from a header file
that is part of the Library, the object code for the work may be a
derivative work of the Library even though the source code is not.
Whether this is true is especially significant if the work can be
linked without the Library, or if the work is itself a library.  The
threshold for this to be true is not precisely defined by law.

  If such an object file uses only numerical parameters, data
structure layouts and accessors, and small macros and small inline
functions (ten lines or less in length), then the use of the object
file is unrestricted, regardless of whether it is legally a derivative
work.  (Executables containing this object code plus portions of the
Library will still fall under Section 6.)

  Otherwise, if the work is a derivative of the Library, you may
distribute the object code for the work under the terms of Section 6.
Any executables containing that work also fall under Section 6,
whether or not they are linked directly with the Library itself.

  6. As an exception to the Sections above, you may also combine or
link a "work that uses the Library" with the Library to produce a
work containing portions of the Library, and distribute that work
under terms of your choice, provided that the terms permit
modification of the work for the customer's own use and reverse
engineering for debugging such modifications.

  You must give prominent notice with each copy of the work that the
Library is used in it and that the Library and its use are covered by
this License.  You must supply a copy of this License.  If the work
during execution displays copyright notices, you must include the
copyright notice for the Library among them, as well as a reference
directing the user to the copy of this License.  Also, you must do one
of these things:

    a) Accompany the work with the complete corresponding
    machine-readable source code for the Library including whatever
    changes were used in the work (which must be distributed under
    Sections 1 and 2 above); and, if the work is an executable linked
    with the Library, with the complete machine-readable "work that
    uses the Library", as object code and/or source code, so that the
    user can modify the Library and then relink to produce a modified
    executable containing the modified Library.  (It is understood
    that the user who changes the contents of definitions files in the
    Library will not necessarily be able to recompile the application
    to use the modified definitions.)

    b) Use a suitable shared library mechanism for linking with the
    Library.  A suitable mechanism is one that (1) uses at run time a
    copy of the library already present on the user's computer system,
    rather than copying library functions into the executable, and (2)
    will operate properly with a modified version of the library, if
    the user installs one, as long as the modified version is
    interface-compatible with the version that the work was made with.

    c) Accompany the work with a written offer, valid for at
    least three years, to give the same user the materials
    specified in Subsection 6a, above, for a charge no more
    than the cost of performing this distribution.

    d) If distribution of the work is made by offering access to copy
    from a designated place, offer equivalent access to copy the above
    specified materials from the same place.

    e) Verify that the user has already received a copy of these
    materials or that you have already sent this user a copy.

  For an executable, the required form of the "work that uses the
Library" must include any data and utility programs needed for
reproducing the executable from it.  However, as a special exception,
the materials to be distributed need not include anything that is
normally distributed (in either source or binary form) with the major
components (compiler, kernel, and so on) of the operating system on
which the executable runs, unless that component itself accompanies
the executable.

  It may happen that this requirement contradicts the license
restrictions of other proprietary libraries that do not normally
accompany the operating system.  Such a contradiction means you cannot
use both them and the Library together in an executable that you
distribute.

  7. You may place library facilities that are a work based on the
Library side-by-side in a single library together with other library
facilities not covered by this License, and distribute such a combined
library, provided that the separate distribution of the work based on
the Library and of the other library facilities is otherwise
permitted, and provided that you do these two things:

    a) Accompany the combined library with a copy of the same work
    based on the Library, uncombined with any other library
    facilities.  This must be distributed under the terms of the
    Sections above.

    b) Give prominent notice with the combined library of the fact
    that part of it is a work based on the Library, and explaining
    where to find the accompanying uncombined form of the same work.

  8. You may not copy, modify, sublicense, link with, or distribute
the Library except as expressly provided under this License.  Any
attempt otherwise to copy, modify, sublicense, link with, or
distribute the Library is void, and will automatically terminate your
rights under this License.  However, parties who have received copies,
or rights, from you under this License will not have their licenses
terminated so long as such parties remain in full compliance.

  9. You are not required to accept this License, since you have not
signed it.  However, nothing else grants you permission to modify or
distribute the Library or its derivative works.  These actions are
prohibited by law if you do not accept this License.  Therefore, by
modifying or distributing the Library (or any work based on the
Library), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Library or works based on it.

  10. Each time you redistribute the Library (or any work based on the
Library), the recipient automatically receives a license from the
original licensor to copy, distribute, link with or modify the Library
subject to these terms and conditions.  You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties with
this License.

  11. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License.  If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Library at all.  For example, if a patent
license would not permit royalty-free redistribution of the Library by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Library.

If any portion of this section is held invalid or unenforceable under any
particular circumstance, the balance of the section is intended to apply,
and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system which is
implemented by public license practices.  Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.

This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.

  12. If the distribution and/or use of the Library is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Library under this License may add
an explicit geographical distribution limitation excluding those countries,
so that distribution is permitted only in or among countries not thus
excluded.  In such case, this License incorporates the limitation as if
written in the body of this License.

  13. The Free Software Foundation may publish revised and/or new
versions of the Lesser General Public License from time to time.
Such new versions will be similar in spirit to the present version,
but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number.  If the Library
specifies a version number of this License which applies to it and
"any later version", you have the option of following the terms and
conditions either of that version or of any later version published by
the Free Software Foundation.  If the Library does not specify a
license version number, you may choose any version ever published by
the Free Software Foundation.

  14. If you wish to incorporate parts of the Library into other free
programs whose distribution conditions are incompatible with these,
write to the author to ask for permission.  For software which is
copyrighted by the Free Software Foundation, write to the Free
Software Foundation; we sometimes make exceptions for this.  Our
decision will be guided by the two goals of preserving the free status
of all derivatives of our free software and of promoting the sharing
and reuse of software generally.

                            NO WARRANTY

  15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
LIBRARY IS WITH YOU.  SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

  16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

                     END OF TERMS AND CONDITIONS

           How to Apply These Terms to Your New Libraries

  If you develop a new library, and you want it to be of the greatest
possible use to the public, we recommend making it free software that
everyone can redistribute and change.  You can do so by permitting
redistribution under these terms (or, alternatively, under the terms of the
ordinary General Public License).

  To apply these terms, attach the following notices to the library.  It is
safest to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least the
"copyright" line and a pointer to where the full notice is found.

    <one line to give the library's name and a brief idea of what it does.>
    Copyright (C) <year>  <name of author>

    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
    License as published by the Free Software Foundation; either
    version 2.1 of the License, or (at your option) any later version.

    This library is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    Lesser General Public License for more details.

    You should have received a copy of the GNU Lesser General Public
    License along with this library; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA

Also add information on how to contact you by electronic and paper mail.

You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the library, if
necessary.  Here is a sample; alter the names:

  Yoyodyne, Inc., hereby disclaims all copyright interest in the
  library `Frob' (a library for tweaking knobs) written by James Random Hacker.

  <signature of Ty Coon>, 1 April 1990
  Ty Coon, President of Vice

That's all there is to it!

tWRAP
Data representation: enum member ▄

Syntax:

  __enum(enum_name)

Instead of a plain number, a symbolic constant from the specified enum will be used.
The enum can be a regular enum or a bitmask enum. For bitmask enums, a bitwise
combination of symbolic constants will be printed.
If the value to print cannot be represented using the specified enum, it will
be displayed in red.

Example:

   enum myenum { A=0, B=1, C=3 };
   short var __enum(myenum);

   If `var` is equal to 1, it will be represented as "B"

Another example:

   enum mybits __bitmask { INITED=1, STARTED=2, DONE=4 };
   short var __enum(mybits);

   If `var` is equal to 3, it will be represented as "INITED|STARTED"

This annotation is useful if the enum size is not equal to the variable size.
Otherwise using the enum type for the declaration is better:

   myenum var;  // is 4 bytes, not 2 as above
ÆData representation: offset expression ▄

Syntax:

  __offset(type, base, tdelta, target)
  __offset(type, base, tdelta)
  __offset(type, base)
  __offset(type|AUTO, tdelta)
  __offset(type)
  __off

where

type is one of:

  OFF8       8-bit full offset
  OFF16      16-bit full offset
  OFF32      32-bit full offset
  OFF64      64-bit full offset
  LOW8       low 8 bits of 16-bit offset
  LOW16      low 16 bits of 32-bit offset
  HIGH8      high 8 bits of 16-bit offset
  HIGH16     high 16 bits of 32-bit offset

The type can also be the name of a custom refinfo.

It can be combined with the following keywords:

  RVAOFF     based reference (rva)
  PASTEND    reference past an item
             it may point to an nonexistent address
  NOBASE     forbid the base xref creation
             implies that the base can be any value
             nb: base xrefs are created only if the offset base
             points to the middle of a segment
  SUBTRACT   the reference value is subtracted from the base value instead of
             (as usual) being added to it
  SIGNEDOP   the operand value is sign-extended (only supported for
             REF_OFF8/16/32/64)
  NO_ZEROS   an opval of 0 will be considered invalid
  NO_ONES    an opval of ~0 will be considered invalid
  SELFREF    the self-based reference

The base, target delta, and the target can be omitted. If the base is BADADDR,
it can be omitted by combining the type with AUTO:

  __offset(type|AUTO, tdelta)

Zero based offsets without any additional attributes and having the size
that corresponds the current application target (e.g. REF_OFF32 for a 32-bit
bit application), the shoft __off form can be used.

Examples:

  A 64-bit offset based on the image base:

  int var __offset(OFF64|RVAOFF);

  A 32-bit offset based on 0 that may point to an non-existing address:

  int var __offset(OFF32|PASTEND|AUTO);

  A 32-bit offset based on 0x400000:

  int var __offset(OFF32, 0x400000);

  A simple zero based offset that matches the current application bitness:

  int var __off;

This annotation is useful the type of the pointed object is unknown or
the variable size is different from the usual pointer size. Otherwise
it is better to use a pointer:

  type *var;
Data representation: string ▄

Syntax:

  __strlit(strtype, "encoding")
  __strlit(strtype, char1, char2, "encoding")
  __strlit(strtype)

where strtype is one of:

  C          Zero terminated string, 8 bits per symbol
  C_16       Zero terminated string, 16 bits per symbol
  C_32       Zero terminated string, 32 bits per symbol
  PASCAL     Pascal string: 1 byte length prefix, 8 bits per symbol
  PASCAL_16  Pascal string: 1 byte length prefix, 16 bits per symbol
  LEN2       Wide Pascal string: 2 byte length prefix, 8 bits per symbol
  LEN2_16    Wide Pascal string: 2 byte length prefix, 16 bits per symbol
  LEN4       Delphi string: 4 byte length prefix, 8 bits per symbol
  LEN4_16    Delphi string: 4 byte length prefix, 16 bits per symbol

It may be followed by two optional string termination characters (only for C).
Finally, the string encoding may be specified, as the encoding name or
"no_conversion" if the string encoding was not explicitly specified.

Example:

  A zero-terminated string in windows-1252 encoding:

  char array[10] __strlit(C,"windows-1252");

  A zero-terminated string in utf-8 encoding:

  char array[10] __strlit(C,"UTF-8");
ëData representation: structure offset ▄

Syntax:

  __stroff(structname)
  __stroff(structname, delta)

Instead of a plain number, the name of a struct or union member will be used.
If delta is present, it will be subtracted from the value before converting
it into a struct/union member name.

Example:

  An integer variable named `var` that hold an offset from the beginning of
  the `mystruct` structure:

  int var __stroff(mystruct);

  If mystruct is defined like this:

  struct mystruct
  {
    char a;
    char b;
    char c;
    char d;
  }

  The value 2 will be represented as `mystruct.c`

Another example:

  A structure offset with a delta:

  int var __stroff(mystruct, 1);

  The value 2 will be represented as `mystruct.d-1`
cData representation: custom data type and format ▄

Syntax:

  __custom(dtid, fid)

where dtid is the name of a custom data type and fid is the name of a
custom data format. The custom type and format must be registered by a plugin
beforehand, at the database opening time. Otherwise custom data type and format
ids will be displayed instead of names.
åData representation: tabular form ▄

Syntax:

  __tabform(flags)
  __tabform(flags,lineitems)
  __tabform(flags,lineitems,alignment)
  __tabform(,lineitems,alignment)
  __tabform(,,alignment)

This keyword is used to format arrays.
The following flags are accepted:

  NODUPS do not use the `dup` keyword
  HEX    use hexadecimal numbers to show array indexes
  OCT    use octal numbers to show array indexes
  BIN    use binary numbers to show array indexes
  DEC    use decimal numbers to show array indexes

It is possible to combine NODUPS with the index radix: NODUPS|HEX

The `lineitems` and `alignment` attributes have the meaning described for
the @0:455[create array] command.

Example:

  Display the array in tabular form, 4 decimal numbers on a line, each number
  taking 8 positions. Display indexes as comments in hexadecimal:

  char array[16] __tabform(HEX,4,8) __dec;

  A possible array may look like:

  dd   50462976, 117835012, 185207048, 252579084; 0
  dd  319951120, 387323156, 454695192, 522067228; 4
  dd  589439264, 656811300, 724183336, 791555372; 8
  dd  858927408, 926299444, 993671480,1061043516; 0Ch

Without this annotation, the `dup` keyword is permitted, number of items on a
line and the alignment are not defined.
Focus other widget~D~elete type...De~l~ete type...-Field '%s' contains illegal zero-sized array%s~A~dd type...Edit ~t~ype...o parse_decl▄
 ▀▀▀▀▀▀▀▀▀▀▀

Parse one type declaration
     input -  a C declaration
     flags -  combination of PT_... constants or 0
              PT_FILE should not be specified in flags (it is ignored)
returns: typeinfo object or num 0

typeinfo parse_decl(string input, long flags);

#define PT_FILE   0x0001  // input is a file name (otherwise a string containing type declarations)
#define PT_SILENT 0x0002  // silent mode
#define PT_PAKDEF 0x0000  // default pack value
#define PT_PAK1   0x0010  // #pragma pack(1)
#define PT_PAK2   0x0020  // #pragma pack(2)
#define PT_PAK4   0x0030  // #pragma pack(4)
#define PT_PAK8   0x0040  // #pragma pack(8)
#define PT_PAK16  0x0050  // #pragma pack(16)
#define PT_HIGH   0x0080  // assume high level prototypes
                          // (with hidden args, etc)
#define PT_LOWER  0x0100  // lower the function prototypes
#define PT_REPLACE 0x0200 // replace the old type
#define PT_RAWARGS 0x0400 // leave argument names unchanged
                          // (do not remove underscores)
#define PT_RELAXED 0x1000 // accept references to unknown namespaces
 set_numbered_type▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Store a type in the til.
'name' may be nullptr for anonymous types.
To replace the existing type use #NTF_REPLACE
     ordinal -  slot number (1...NumberOfLocalTypes), for 0 the new ordinal will be allocated
     name    -  type name
     type    -  serialized type string
     fields  -  serialized type fields
     cmt     -  main type comment
     fldcmts -  serialized type field comments
     sclass  -  type storage class

tinfo_code_t set_numbered_type(
        long ordinal,
        long ntf_flags,
        string name,
        string type,
        string fields="",
        string cmt="",
        string fldcmts="",
        long sclass=0);
#define NTF_REPLACE    0x0004   // replace original type
§ tinfo_errstr▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Helper function to convert an error code into a printable string.

string tinfo_errstr(tinfo_code_t code);
J}

static LocalTypes_%d() 
{
  auto p_type, p_fields, p_cmt, p_fldcmts;

àWRAP
Patfind plugin ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Patfind plugin makes it possible to automatically find functions in binary files.

It relies on bit pattern definitions for typical function starts and function ends.

Those bit patterns are defined in XML files, based on Ghidra's function patterns format.
A collection of bit pattern files is provided for the commonly used CPU architectures.

It is possible to add new architectures by simply adding a new XML file, just like the other XML files.

It's also possible to add, remove or change existing patterns for better matching.

Configuration ▄

'cfg/patfind.cfg' file presents all the options

The config file also contains the documentation on how to use or change the XML pattern files.

If desired, new XML files can be added to the 'cfg/ghidra_patterns/' directory.

'-Opatfind' command line switches can be used to select the type of run differently for this session of IDA.

List of options▄

  autorun=0 : don't automatically search for bit pattern
  autorun=1 : search for bit pattern only on binary like files
  autorun=2 : search for bit pattern on any input file

Examples▄

  -Opatfind:autorun=0

Disable the autorun of Patfind plugin for this session¹
WRAP
Borland RTTI descriptors plugin ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This plugin allows you to create/delete/view Borland RTTI descriptors.

These descriptors appear in programs written on BCC++ or Borland C++ Builder or Borland Delphi.

The plugin is available for 32 bits binaries for PE or OMF format.

Dialog box▄

  - List RTTI descriptors      : Displays the list of recognized RTTI
                                 descriptors. IDA automatically recognizes
                                 most descriptors. The list will include only
                                 the descriptors specified by the 'RTTI type'
                                 radiobuttons. You can also delete any
                                 descriptor from list.
  - List RTTI problems        :  Displays the list of problematic RTTI
                                 descriptors. The list will include only the
                                 descriptors specified by the 'RTTI type'
                                 radiobuttons. You can also delete any
                                 descriptor from list.
  - Delete list of descriptors : Delete the whole list of RTTI descriptors.
  - Delete list of problems    : Delete the whole list of problematic RTTI
                                 descriptors.
  - Create C++ descriptor      : Manually invoke creation of a C++ descriptor
                                 at the current cursor location.
  - Create Pascal descriptor   : Manually invoke creation of a Pascal
                                 descriptor at the current cursor location.
  - Create Pascal or C++ descriptor : Manually invoke creation of a Pascal or
                                      C++ descriptor at the current cursor
                                      location. This action tries to create a
                                      Pascal descriptor. If it fails, then it
                                      tries to create a C++ descriptor.

  - RTTI type radiobutton group : Controls which descriptors will appear in
                                  the displayed lists.
                                  Options are :
                                    * Include C++
                                    * Include Pascal
                                    * Include both

   - Create recursive : If this option is set, then IDA tries to create
                        descriptors recursively: if a created descriptor
                        refers to another unknown descriptor, then it will be
                        created and so on.

Configuration▄

This plugin may be also called with a parameter. See plugins.cfg for the possibles values. @0:1763[]
Local Types bookmarksWRAP
Local Types bookmarks ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

See:
 @0:227[Choose marked location]¹WRAP
Inspecting a type library ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Provide the ability to inspect the types present in a type library.
View type library contents;@0:544[]
Jump to type offset

  <~J~ump offset:m:+:32::>

Add type memberEdit argument locatioëWRAP
Edit the argument location ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Allow to edit argument or return value location.
 .!--------------------------------------------------------------5Intersection forbidden while already in intersection:Range forbidden while already in intersection or in range)Range operator expects a codepoint firstBad codepoint value*Codepoint forbidden while in intersection(Unexpected state for handling codepoint"Unexpected category at this pointUnexpected block at this pointInvalid block nameInvalid category nameExpected a second dot-Expected an identifier, or negation operator6Expected a category as second operand of intersectionUnrecognized identifier6Character or string literals only accept ASCII values)Unexpected CURRENT_CULTURE at this pointOIntersections require that the first operand be something else than a category!Unexpected culture at this pointInvalid culture name+Culture is not a Unicode block, nor a file*Failed to serialize type declaration '%s'Show trace infoShow overlay infoClear traceClear overlayLoad trace
Load overlaySave traceExport trace to text fileChange trace descriptionToggle diffSynchronize ~t~o idbSynchronize ~t~o idb, and jump~U~nsync from idbExport to header fileMap to another type...Compact types...~S~uspend thread~R~esume threadLoad debug ~s~ymbols~J~ump to module base~A~nalyze module~B~reak on access	Setup...Move segment(s)Break on accessCreate folder...

C-like formatShow selection onlytilist form test...	Re~n~ame
mochaa / idapro rpm

Products

About

Resources

Contact Gemfury
