HF…h
,¿hÊhÕhäh
iiCi9—†—Ø#£4£R£}£Œ£¤£¶£գ꣤.¤D¤b¤¤¤¤º¤̤ߤ𤥥9¥F¥שú©ª#ª3ªKª[ª“ª§ª¾ªçª««8«d««¢«ūá«ý«¬8¬c¬„¬ ¬»¬ڬ
­5­d­Ÿ­׭®+®Y®w®±®֮ó®¯4¯H¯p¯ŷӷ¸.¸O¸i¸w¸¸¾¸ù¸+¹S¹¹þ¹ºAº‹º±ºîº»»6»d»­»ü»
¼*¼q¼œ¼½¼Ѽ(½f½¹½
¾ƾ€¿տ]ÀÒÀ9ÁZÁƒÁ©ÁÙÁÂÓ&
}(
™(
Ý(
“.
ý1
2
\2
c4
ª4
Ü4
ÿ4
'5
M5
“5
Ÿ5
³5
Í6
ú6
58
Y8
t9

:
(<
'>
,?
A
ÃB
ÄK
N
ÕN
™P
dT
V
%V
jW
œX
%[
Ó[
È]
˜^
ó_
b
c
Zi
—l
#x
j{
€
g€
b£
Ç
UÍ
wÐ
Ó
Lå
®ç
Hì
†î
úð
*ò
Ió
Šõ

ú
¾þ
÷yZ

ñ§ˆ7§%Z"ç$r'ÿ)i.0A4U6Ë7Ü8½:©<3BÖDÅF>JYOÐW>ZÀ`’dHj,m¹o*rËtcwŽy}|]ƒ¶‰Ž ý¤ò·½IÃçÄNÇH˿̋иÖÌÙìÛ ß’íYïàðLöNú®ýOVL
u›u¾B#Ü$Â&)(G)o+»0Ì8×<ˆAþFIòNÐYùZ»\á`‰bˆfj‘tÕwt€±„ŠQŽ$‘O• ˜-™*œǟQ¢%¤Œ©e¬¼­¯4°]²͵ݸL»¶½@ÀíÁÂÅ‹ÈËOÍ0ÎúÏuÑÕÓoÕØGÚ¼Û²ÞÍáä æIèÞé¼ë³ïô'õBö÷íøý¾þD<G@˜A2CÊDƒFLHALÚSV€\^D`cAfÖln÷p…r¹søwWz«}|€h’••;žͪ͟ë°e¾´ÂÈÅÖ<ÚRÞý#s
OÌ*^,ž-Õ/x13®8P;ø<?žCºDdIªJåK
OÈPƒQæS
U9U[UwUšU¹UñUVDVbVßX-\—^ _¿_a˜bd8gAgJgSg^gigrg|gˆgg™g§g´gÀgÊgágùgh-hGh_hyh•h°hÀhÓhähûhi*i:iCiPiYicilixi•i«i½iÑißiýij"j/jAjYjqjj™j±jÉjájùjk2kSkmk€kžk®k¾kÎkêkÿkll4lMl\lhlwllžl³lÅlÜlólm m3mFmamum…m–m¤m²mÆmØmémümnn*n@nQndn€n’n´nÎnãnìnõnÿnoo'o9oFoXosoƒo›o·oÔoóo
pp3pCpXpmpƒp›p³pÈpÝpùpq,qAqXqtq‹q¤q·q×qúqr=rPr[rerqrrŒrªrÈrårss s+s9sEsXsks{sŽsœs¯sÅsÙsíst%tOttt‡tštªt¼tÏtØtãtøtuu(u9uJu[ujuzuˆu•u«u¹uÃuÏuÛuðuÿuvv.v>vUvgv{v‘vªv¾vÒvàvîvúvww)w:wLwcwxw‰ww®w¿wÖwîwx%x>xVxËxîxòxy>ydy‹y±yày!zGzkz˜zÍz{D{ƒ{´{&|•|Ì|9}f}“}¿}æ}7~n~Ø~m§ɀð‚D‚…‚ ‚߂ƒQƒ„ƒ³ƒփûƒI„„¹„ð„ …X…‘…Ӆõ…†'†H†n†‡G÷ˆc‰ù‰>Š‰Š²ŠpŒGŽ[ŽuŽ·Ž׎r•ɕVn˜®›ƞ)ŸòŸĠú “¤,¨ê¨ϩø®߰÷°±Y±†±S²ճõ³´¡µŵ׵¶K¶_¶PºVºº­ºƺ꺻7»d»†»¾»ë»¼Š¼¼+½ï½S¾¾¨¾¿¾â¾ø¾¿ïÁ8ÂËÂ@ÄdÆŒÆÝÆÇ2Ç\Ç@Èû˱ÎÉÎçÎ|ÏЎЮÑMÒçتÜÒÝ…ßIàpá—âñã€äå)è4èsèè¯èÒè½é§êÔêåêëëoë³ëÈëôëïüòóA4AQA\AgAJBÑB&C€C¤CÊC
D8DXDƒD£DûDWEÆEØE]GŸGäGHH¯HºHäHýHIIúIÍLèLNM¢M÷MqN¨OmPQX™X±XìX$YCYcYŒY±YÌYéYZ[Z|Z™ZÂZ-[Q[~[”[÷[\D\‚\¥\²^t`œ`º`è`
ali|iÐi$jjâj4k‹k¬kÝklmÅnônÿno>o±o
pépSq°qrcr½rærs+s>sw0wXwƒwȁº†ʆg‡{‡ˆÉŒµŒ÷Œ3	šק°Ô%áfééñé?ê˜êëxë•ë
ðñƒøüÇüáüýEYŽ"E£F & G k?°?Ü?@cF:KÃV¬X\^ebd7i¨šSœʞ}¦(zªY¬]®°_¶/»‚½3¿
Á5ÃÐÇîÉ`̯ÍýÑÜÖ¯Øïßaá¼âñãÍå.ç´énìÜí(ÿ?æIsn	ë0 ë!(Û),M-ã.Ç1ç12P2{2Ô23t6–6ê6Q7w7¸7878L:Z<D>øB¹E¿KDOKS€WB[7j;lòmo;p
rðt1v'xíyF{×ؘâãµçAèâè‘îð[ò}òœôÍû·
		8	K	˜		;	o	î		„ 	Å 	Ö 	m"	,	,	*,	7,	F,	^,	i,	Š,	³,	ô,	Ñ:	‘=	§=	Å=	ç=	A	4A	C	­C	ÁC	ÓC	ÃD	àD	Y	î[	¸b	ÿe	/f	³j	êj	k	8k	ek	|k	’k	Äk	Ük	l	2l	Sl	vl	«l	Õl	m	Em	mm	m	²m	Ém	æm	n	'n	Jn	pn	”n	½n	Õn	o	o	õs	Ò|	Î}	Þ~	<	X	n	ý„	…	E…	x…	•…		ë…	†	ˇ	î‡	
ˆ	º‰	Œ‹	§‹	ŋ	Ȓ	\š	“ž	¥¡	”¤	̦	"©	P«	û®	1	z´	ð¶	7¹	”À	ŸÀ	ÑÀ	ýÀ	Á	OÁ	ÔÉ	—Ò	=Ô	;Û	×Ü	ãÜ	ôÜ	Ý	Ý	4Ý	IÝ	]Ý	vÝ	ŽÝ	¥Ý	»Ý	êÝ	Þ	Dñ	Zñ	ßñ	òñ	Ûö	eý	Äÿ	Øÿ	­
Ç


!

ô

ñ
Ï(
¿,
|-
 -
;
E;
j;
‹;
ˆA
§A
<E
ÕF
ÒI
6L
}O
›P
pQ
S
Ë\
Ò\
Ù\
è\
ü\
Šg
j
l
¹m
q
+q
;q
Yq
Øq
Sr
Ær
×r
Øs
"t
Et
´u
8x


ϫ
\ç
'í
uò
¹ò
ûò
ó
˜[_ÖgllYo¾p¥uºuÍuàuvv$v5vvc{†@†Ά‰‡¦‡ã‡ý‡ˆ‰‰V‰’‰½‰Ӊÿ‰)ŠMŠnŠƒŠ›Š³ŠâŠ‹4‹l‹—‹è‹Œ"ŒOŒ{ŒŽŒ¯ŒLՌãŒóŒ8Sax™­ōލñŽŽ-ŽEŽXŽlŽwŽ‰Ž›Ž°Ž֎ìŽ÷Ž$<HF	No Error	OS error
Disk is fullRead attempt past file endFile is too large,@0:690[]
File is not a virtual array file?!ô-WRAP
 Common Public License Version 1.0 ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Common Public License Version 1.0

THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS COMMON PUBLIC
LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM
CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.

1. DEFINITIONS

"Contribution" means:

    a) in the case of the initial Contributor, the initial code and
documentation distributed under this Agreement, and

    b) in the case of each subsequent Contributor:

    i) changes to the Program, and

    ii) additions to the Program;

    where such changes and/or additions to the Program originate from and are
distributed by that particular Contributor. A Contribution 'originates' from a
Contributor if it was added to the Program by such Contributor itself or anyone
acting on such Contributor's behalf. Contributions do not include additions to
the Program which: (i) are separate modules of software distributed in
conjunction with the Program under their own license agreement, and (ii) are not
derivative works of the Program.

"Contributor" means any person or entity that distributes the Program.

"Licensed Patents " mean patent claims licensable by a Contributor which are
necessarily infringed by the use or sale of its Contribution alone or when
combined with the Program.

"Program" means the Contributions distributed in accordance with this Agreement.

"Recipient" means anyone who receives the Program under this Agreement,
including all Contributors.

2. GRANT OF RIGHTS

    a) Subject to the terms of this Agreement, each Contributor hereby grants
Recipient a non-exclusive, worldwide, royalty-free copyright license to
reproduce, prepare derivative works of, publicly display, publicly perform,
distribute and sublicense the Contribution of such Contributor, if any, and such
derivative works, in source code and object code form.

    b) Subject to the terms of this Agreement, each Contributor hereby grants
Recipient a non-exclusive, worldwide, royalty-free patent license under Licensed
Patents to make, use, sell, offer to sell, import and otherwise transfer the
Contribution of such Contributor, if any, in source code and object code form.
This patent license shall apply to the combination of the Contribution and the
Program if, at the time the Contribution is added by the Contributor, such
addition of the Contribution causes such combination to be covered by the
Licensed Patents. The patent license shall not apply to any other combinations
which include the Contribution. No hardware per se is licensed hereunder.

    c) Recipient understands that although each Contributor grants the licenses
to its Contributions set forth herein, no assurances are provided by any
Contributor that the Program does not infringe the patent or other intellectual
property rights of any other entity. Each Contributor disclaims any liability to
Recipient for claims brought by any other entity based on infringement of
intellectual property rights or otherwise. As a condition to exercising the
rights and licenses granted hereunder, each Recipient hereby assumes sole
responsibility to secure any other intellectual property rights needed, if any.
For example, if a third party patent license is required to allow Recipient to
distribute the Program, it is Recipient's responsibility to acquire that license
before distributing the Program.

    d) Each Contributor represents that to its knowledge it has sufficient
copyright rights in its Contribution, if any, to grant the copyright license set
forth in this Agreement.

3. REQUIREMENTS

A Contributor may choose to distribute the Program in object code form under its
own license agreement, provided that:

    a) it complies with the terms and conditions of this Agreement; and

    b) its license agreement:

    i) effectively disclaims on behalf of all Contributors all warranties and
conditions, express and implied, including warranties or conditions of title and
non-infringement, and implied warranties or conditions of merchantability and
fitness for a particular purpose;

    ii) effectively excludes on behalf of all Contributors all liability for
damages, including direct, indirect, special, incidental and consequential
damages, such as lost profits;

    iii) states that any provisions which differ from this Agreement are offered
by that Contributor alone and not by any other party; and

    iv) states that source code for the Program is available from such
Contributor, and informs licensees how to obtain it in a reasonable manner on or
through a medium customarily used for software exchange. 

When the Program is made available in source code form:

    a) it must be made available under this Agreement; and

    b) a copy of this Agreement must be included with each copy of the Program. 

Contributors may not remove or alter any copyright notices contained within the
Program.

Each Contributor must identify itself as the originator of its Contribution, if
any, in a manner that reasonably allows subsequent Recipients to identify the
originator of the Contribution.

4. COMMERCIAL DISTRIBUTION

Commercial distributors of software may accept certain responsibilities with
respect to end users, business partners and the like. While this license is
intended to facilitate the commercial use of the Program, the Contributor who
includes the Program in a commercial product offering should do so in a manner
which does not create potential liability for other Contributors. Therefore, if
a Contributor includes the Program in a commercial product offering, such
Contributor ("Commercial Contributor") hereby agrees to defend and indemnify
every other Contributor ("Indemnified Contributor") against any losses, damages
and costs (collectively "Losses") arising from claims, lawsuits and other legal
actions brought by a third party against the Indemnified Contributor to the
extent caused by the acts or omissions of such Commercial Contributor in
connection with its distribution of the Program in a commercial product
offering. The obligations in this section do not apply to any claims or Losses
relating to any actual or alleged intellectual property infringement. In order
to qualify, an Indemnified Contributor must: a) promptly notify the Commercial
Contributor in writing of such claim, and b) allow the Commercial Contributor to
control, and cooperate with the Commercial Contributor in, the defense and any
related settlement negotiations. The Indemnified Contributor may participate in
any such claim at its own expense.

For example, a Contributor might include the Program in a commercial product
offering, Product X. That Contributor is then a Commercial Contributor. If that
Commercial Contributor then makes performance claims, or offers warranties
related to Product X, those performance claims and warranties are such
Commercial Contributor's responsibility alone. Under this section, the
Commercial Contributor would have to defend claims against the other
Contributors related to those performance claims and warranties, and if a court
requires any other Contributor to pay any damages as a result, the Commercial
Contributor must pay those damages.

5. NO WARRANTY

EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON AN
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF TITLE,
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Each
Recipient is solely responsible for determining the appropriateness of using and
distributing the Program and assumes all risks associated with its exercise of
rights under this Agreement, including but not limited to the risks and costs of
program errors, compliance with applicable laws, damage to or loss of data,
programs or equipment, and unavailability or interruption of operations.

6. DISCLAIMER OF LIABILITY

EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR ANY
CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST
PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE OF ANY RIGHTS
GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

7. GENERAL

If any provision of this Agreement is invalid or unenforceable under applicable
law, it shall not affect the validity or enforceability of the remainder of the
terms of this Agreement, and without further action by the parties hereto, such
provision shall be reformed to the minimum extent necessary to make such
provision valid and enforceable.

If Recipient institutes patent litigation against a Contributor with respect to
a patent applicable to software (including a cross-claim or counterclaim in a
lawsuit), then any patent licenses granted by that Contributor to such Recipient
under this Agreement shall terminate as of the date such litigation is filed. In
addition, if Recipient institutes patent litigation against any entity
(including a cross-claim or counterclaim in a lawsuit) alleging that the Program
itself (excluding combinations of the Program with other software or hardware)
infringes such Recipient's patent(s), then such Recipient's rights granted under
Section 2(b) shall terminate as of the date such litigation is filed.

All Recipient's rights under this Agreement shall terminate if it fails to
comply with any of the material terms or conditions of this Agreement and does
not cure such failure in a reasonable period of time after becoming aware of
such noncompliance. If all Recipient's rights under this Agreement terminate,
Recipient agrees to cease use and distribution of the Program as soon as
reasonably practicable. However, Recipient's obligations under this Agreement
and any licenses granted by Recipient relating to the Program shall continue and
survive.

Everyone is permitted to copy and distribute copies of this Agreement, but in
order to avoid inconsistency the Agreement is copyrighted and may only be
modified in the following manner. The Agreement Steward reserves the right to
publish new versions (including revisions) of this Agreement from time to time.
No one other than the Agreement Steward has the right to modify this Agreement.
IBM is the initial Agreement Steward. IBM may assign the responsibility to serve
as the Agreement Steward to a suitable separate entity. Each new version of the
Agreement will be given a distinguishing version number. The Program (including
Contributions) may always be distributed subject to the version of the Agreement
under which it was received. In addition, after a new version of the Agreement
is published, Contributor may elect to distribute the Program (including its
Contributions) under the new version. Except as expressly stated in Sections
2(a) and 2(b) above, Recipient receives no rights or licenses to the
intellectual property of any Contributor under this Agreement, whether
expressly, by implication, estoppel or otherwise. All rights in the Program not
expressly granted under this Agreement are reserved.

This Agreement is governed by the laws of the State of New York and the
intellectual property laws of the United States of America. No party to this
Agreement will bring a legal action under this Agreement more than one year
after the cause of action arose. Each party waives its rights to a jury trial in
any resulting litigation.K@0:692[]
Virtual Array: Too high VA version
(press F1 for the explanation);
AUTOHIDE REGISTRY
HIDECANCEL
The databases used in IDA up to 4.8 were limited in their size.
The maximal database size was 512MB.
Since programs grow to occupy all available memory
we removed this limitation and switched to a new database format.

Database '%s' is in the old format. Do you want IDA to upgrade it?^
WRAP
Graph options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Use graph view by default

        IDA switches to graph mode for each 'jump' command.

Enable graph animation

        Animate the graph layout, movement, and group collapsing/uncollapsing.
        While animation takes time, it gives the user some idea what's going on.

Draw node shadows

        Display shadows for each graph node. Shadows are not displayed
        for really huge or ridiculously small nodes.

Auto fit graph into window

        Zoom the graph so that it occupies the whole window.

Fit window max zoom level 100%

        The 'fit window' command maximal zoom level is 100%.

Re-layout graph if nodes overlap

        IDA recomputes the graph layout if a node overlap is detected.
        The presence of a custom layout (if the user has displaced
        some graph nodes) effectively turns off this option.

Re-layout graph upon screen refresh

        IDA recomputes the graph layout at each screen refresh.
        Turning this option off accelerates IDA but then
        a manual layout might be required after some operations.

Truncate at the right margin

        All nodes at truncated at the right margin. The right @0:605[margin]
        is specified in the Options, General, Disassembly tab.
        This option narrows the graph but hides some information
        by truncating long lines.

Lock graph layout

        Locks the graph layout by ignoring attempts to displace
        nodes. This prevents the creation of custom layouts that might lead
        to ugly graph layouts when nodes change their sizes.

PROXIMITY VIEW

Show data references

        Show data cross-referenced items in proximity view.

Hide library functions

        Do not show data or code cross-references to library functions,
        only show cross-referenced local functions.

Unlimited children recursion

        Recurse until there are no more callees (children) of the currently
        selected central node and all of his children.

Recurse into library functions

        Displays children data or code cross-references from library
        functions.

Max parents recursion

        Maximum recursion level for displaying parents of the currently
        selected central node. The value '0' disables parents recursion.

Max children recursion

        Maximum recursion level for displaying children of the currently
        selected central node. The value '0' means no maximum recursion
        level.

Max nodes per level

        Maximum number of nodes to show per level of children and parents.


Back to @0:42[graph view] or @0:1626[proximity view]Bad digit '%c'Bad floating point constant)Floating point constant conversion error
No separatorNon-terminated stringToo long stringNon-terminated char constantBad character '%c'Too long identifier '%s''Bad or ill-formed preprocessor commandBad #include syntaxMax depth of includes is 32Can't open include file '%s'!getstr() function is not definedEnd of file reachedMisplaced #elseMisplaced #endifMissing #endifBad macro usageBad # of macro argumentsIDC function '%s' is busy#error: %sWRAP
Graph view ▄
 ▀▀▀▀▀▀▀▀▀▀▀
Starting from IDA v5.0, the disassembly can be displayed in a graph form.

In the graph view, the current function is represented as a collection of
nodes linked together with edges. Nodes represent basic blocks and edges
represent code cross-references between them.

Only code items are visible in the graph view, data items are hidden. To
display them, switch to text mode by pressing Space. The graph view
is available for the instructions belonging to functions. IDA
automatically switches to text mode if the current item cannot be
displayed in graph mode. It also displays a warning, which we
recommend to hide away as soon as you become familiar with the concept.

The Space key can be used to toggle between the graph and text views.

Please select one of the following topic to learn more about graphs:

 - @0:85[The current node]
 - @0:241[Selections in graphs]
 - @0:1160[Customizing graph layout]
 - @0:281[Zooming graphs]
 - @0:1117[Scrolling graphs]
 - @0:1129[Graph node groups]
 - @0:1130[Graph overview window]
 - @0:1142[Graph colors]
 - @0:19[Graph options]
 - @0:1159[Various graph hints]

!Missing while statement for a doMissing semicolonMissing braket '['Missing colonSyntax error near: %sMissing brace6Function '%s' is too large (max compiled size is 64k)Misplaced 'break'Misplaced 'continue''Variable '%s' has already been definedVariable '%s' is undefinedToo complex programIllegal catch variable '%s'*Bad number of arguments for function '%s'Too many local variables!Illegal postfix/prefix operation!Function declaration is expectedVariable name is expectedIDC type conversion errorInvalid storage class!Abstract declaration is expected)Abstract declaration is not allowed hereTypedefs cannot be initializedToo many type declaratorsUndefined type name '%s'Type '%s' is already defined.The current type cannot be signed or unsigned)The current type cannot be short or long-The current type cannot be const or volatile9The current type cannot be signed/unsigned or short/long6Arrays of voids and arrays of functions are forbidden,Functions cannot return functions or arrays$Negative sized arrays are forbidden,Size of previous array dimension is unknownVoid type is forbidden here8Function arguments cannot contain structure definitions#A new type cannot be declared hereConflicting type modifiersBitfield size is invalid$Size of the type is unknown or zeroToo big alignment&This construct is allowed only in C++SWRAP
The current node ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

There are two concepts: the current node and the selected nodes. The
node with the keyboard cursor is considered as the current node. If the
user clicks on the graph background, the keyboard cursor will disappear
and there will be no current node. In the absence of the current node,
IDA uses the last valid address for the user commands (like
@0:457[rename] and similar commands). For example, if the user
invokes the 'rename' command by pressing N and if there is no current node,
IDA will still display the 'rename' dialog box for the last valid
address.

Clicking on the node title will make the clicked node the current one. The
keyboard cursor will be moved to the clicked node. Any selection of the
disassembly text will be cancelled upon switching the current node.

The default color for the title of the current node is dark gray.

In addition to the obvious method of clicking with the mouse left-button
to select the current node, IDA supports many other methods:

 - Clicking with the mouse wheel selects the clicked node and centers
   the clicked point in the window
 - Keyboard arrows can be used to move from one node to another. When
   the keyboard cursor reaches the node border and the user presses
   the arrow once more, IDA finds a node in the specified direction
   and makes it the current.
 - The Ctrl-Up key displays the list of nodes referring to the current
   node and allows jumping to them. The Ctrl-Down key does the same
   with the referenced nodes.
 - Pressing '5' on the keypad positions the keyboard cursor at
   the window center
 - Left-click on an edge makes one of its ends (source or destination)
   the current node. The node farthest from the click point is selected
 - Ctrl-click on an edge jumps to its destination
 - Alt-click on an edge jumps to its source

Clicking with the mouse on the node text (disassembly listing) has the
usual meaning: IDA will move the keyboard cursor to the clicked
location. It is also possible to select the disassembly listing within
one node.

Back to @0:42[graph view]Zero divide/Attempt to call non-existent external function(Attempt to call undefined function '%s'Exception in external functionAppcall: cleanup failedAppcall: %sApplication is running,Floating point operation underflow/overflow9Floating point value doesn't fit into 32bit long integer0@0:426[]
You've entered an invalid address: %s.&@0:424[]
%s is not a valid identifier,@0:422[]
You've entered invalid segment: %s{@0:421[]
IDA - The Interactive Disassembler

%sVersion %s %s

Copyright (c) 2025 Hex-Rays
https://www.hex-rays.com
The key file is not found.$Cannot be used to provide servicesH@0:421[]
This feature doesn't work in the demonstration version, sorry.$Field '%s' has already been defined;@0:1136[]
ZZZZZZZZZZZZString to search (case-insensitive)
Can't read file '%s'Can't write file '%s'Can't create file '%s',HIDECANCEL
Save the current window as '%s'?GThe current window '%s' is modified. Do you want to save its contents?MHIDECANCEL
The current window is modified. Do you want to save its contents?Search failed.Enter file name to save toEReplace a string

<Pattern    :q:79:32::>
<Replace to :q:79:32::>


)Find a string

<Pattern    :q:79:50::>

Replace occurrence at (%d,%d)?@0:1415[]
ExportsU@0:501[]
Bad enum name '%s'. Probably the name is invalid or is used in the program.<HIDECANCEL
@0:502[]
Do you really want to delete enum '%s'?Q@0:503[]
Add enum member

  Enum:  %A

  <~N~ame :q::40::>
  <~V~alue:N::40::>

R@0:504[]
Edit enum member

  Enum:  %A

  <~N~ame :q::40::>
  <~V~alue:N::40::>

·@0:503[]
Add bit field definition

  Enum:  %A

  <~N~ame :q::40::>
  <~V~alue:N::40::>
  <~M~ask :N::40::>

  For wide fields you may specify the mask name
  <Ma~s~k name:q::40::>

¸@0:504[]
Edit bit field definition

  Enum:  %A

  <~N~ame :q::40::>
  <~V~alue:N::40::>
  <~M~ask :N::40::>

  For wide fields you may specify the mask name
  <Ma~s~k name:q::40::>

SBad enum member name '%s'. Probably the name is invalid or is used in the program.†Bad enum member mask %08a. The specified mask should not intersect with any existing mask in the enum. Zero masks are prohibited too.sBad enum member mask (%08a) and value (%08a) combination. All bits set in the value should be set in the mask too.e@0:503[]
Bad enum member value 0x%a. There are too many (256) constants with this value in the enum.internal error: bad enum id %a'@0:479[]
Enter ENUM repeatable comment$@0:479[]
Enter ENUM regular comment.@0:479[]
Enter enum member repeatable comment+@0:479[]
Enter enum member regular commentËdWRAP
x64 MSVC C++ Exception Handler for the Decompiler ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Hex-Rays' support for exceptions in Microsoft Visual C++/x64 incorporates the C++ exception metadata for functions into their decompilation, and presents the results to the user via built-in constructs in the decompilation (`try`, `catch`, `__wind`, `__unwind`). When the results cannot be presented entirely with these constructs, they will be presented via helper calls in the decompilation.

The documentation describes:

  1. Background behind C++ exception metadata. It is recommended that users read this first.
  2. Interactive operation via the GUI, configuration file, and keyboard shortcuts.
  3. A list of helper calls that may appear in the output.
  4. A note about the boundaries of `try` and `__unwind` regions.
  5. Miscellaneous notes about the plugin.

# TRY, CATCH, AND THROW

The C++ language provides the `try` scoped construct in which the developer expects that an exception might occur. `try` blocks must be followed by one or more scoped `catch` constructs for catching exceptions that may occur within. `catch` blocks may use `...` to catch any exception. Alternatively, `catch` blocks may name the type of an exception, such as `std::bad_alloc`. `catch` blocks with named types may or may not also catch the exception object itself. For example, `catch(std::bad_alloc *v10)` and `catch(std::bad_alloc *)` are both valid. The former can access the exception object through variable `v10`, whereas the latter cannot access the exception object.

C++ provides the `throw` keyword for throwing an exception, as in `std::bad_alloc ba; throw ba;`. This is represented in the output as (for example) `throw v10;`. C++ also allows code to rethrow the current exception via `throw;`. This is represented in the output as `throw;`.

# WIND AND UNWIND

Exception metadata in C++ binaries is split into two categories: `try` and `catch` blocks, as discussed above, and so-called `wind` and `unwind` blocks. C++ does not have `wind` and `unwind` keywords, but the compiler creates these blocks implicitly. In most binaries, they outnumber `try` and `catch` blocks by about 20 to 1.

Consider the following code, which may or may not throw an `int` as an exception at three places:

  void may_throw() {
    // Point -1
    if(rand() % 2)
      throw -1;

    string s0 = "0";

    // Point 0
    if(rand() % 2)
      throw 0;

    string s1 = "1";

    // Point 1
    if(rand() % 2)
      throw 1;

    // Point 2
    printf("%s %s\n",
      s0.c_str(),
      s1.c_str());

    // Implicit
    // destruction
    s1.~string();
    s0.~string();
  }

If an exception is thrown at point -1, the function exits early without executing any of its remaining code. As no objects have been created on the stack, nothing needs to be cleaned up before the function returns.

If an exception is thrown at point 0, the function exits early as before. However, since `string s0` has been created on the stack, it needs to be destroyed before exiting the function. Similarly, if an exception is thrown at point 1, both `string s1` and `string s0` must be destroyed.

These destructor calls would normally happen at the end of their enclosing scope, i.e. the bottom of the function, where the compiler inserts implicitly-generated destructor calls. However, since the function does not have any `try` blocks, none of the function's remaining code will execute after the exception is thrown. Therefore, the destructor calls at the bottom will not execute. If there were no other mechanism for destructing `s0` and/or `s1`, the result would be memory leaks or other state management issues involving those objects. Therefore, the C++ exception management runtime provides another mechanism to invoke their destructors: `wind` blocks and their corresponding `unwind` handlers.

`wind` blocks are effectively `try` blocks that are inserted invisibly by the compiler. They begin immediately after constructing some object, and end immediately before destructing that object. Their `unwind` blocks play the role of `catch` handlers, calling the destructor upon the object when exceptional control flow would otherwise cause the destructor call to be skipped.

Microsoft Visual C++ effectively transforms the previous example as follows:

  void may_throw_transformed() {
    if(rand() % 2)
      throw -1;

    string s0 = "0";

    // Implicit try
    __wind {
      if(rand() % 2)
        throw 0;

      string s1 = "1";

      // Implicit try
      __wind {
        if(rand() % 2)
          throw 1;

        printf("%s %s\n",
          s0.c_str(),
          s1.c_str());
      }
      // Implicit catch
      __unwind {
        s1.~string();
      }
      s1.~string();
    }
    // Implicit catch
    __unwind {
      s0.~string();
    }
    s0.~string();
  }

`unwind` blocks always re-throw the current exception, unlike `catch` handlers, which may or may not re-throw it. Re-throwing the exception ensures that prior `wind` blocks will have a chance to execute. So, for example, if an exception is thrown at point 1, after the `unwind` handler destroys `string s1`, re-throwing the exception causes the unwind handler for point 0 to execute, thereby allowing it to destroy `string s0` before re-throwing the exception out of the function.

# STATE NUMBERS AND INSTRUCTION STATES

As we have discussed, the primary components of Microsoft Visual C++ x64 exception metadata are `try` blocks, `catch` handlers, `wind` blocks, and `unwind` handlers. Generally speaking, these elements can be nested within one another. For example, in C++ code, it is legal for one `try` block to contain another, and a `catch` handler may contain `try` blocks of its own. The same is true for `wind` and `unwind` constructs: `wind` blocks may contain other `wind` blocks (as in the previous example) or `try` blocks, and `try` and `catch` blocks may contain `wind` blocks.

Exceptions must be processed in a particular sequence: namely, the most nested handlers must be consulted first. For example, if a `try` block contains another `try` block, any exceptions occurring within the latter region must be processed by the innermost `catch` handlers first. Only if none of the inner `catch` handlers can handle the exception should the outer `try` block's catch handlers be consulted. Similarly, as in the previous example, `unwind` handlers must destruct their corresponding objects before passing control to any previous exception handlers (such as `string s1`'s `unwind` handler passing control to `string s0`'s `unwind` handler).

Microsoft's solution to ensure that exceptions are processed in the proper sequence is simple. It assigns a "state number" to each exception-handling construct. Each exception state has a "parent" state number whose handler will be consulted if the current state's handler is unable to handle the exception. In the previous example, what we called "point 0" is assigned the state number 0, while "point 1" is assigned the state number 1. State 1 has a parent of 0. (State 0's parent is a dummy value, -1, that signifies that it has no parent.) Since `unwind` handlers always re-throw exceptions, if state 1's `unwind` handler is ever invoked, the exception handling machinery will always invoke state 0's `unwind` handler afterwards. Because state 0 has no parent, the exception machinery will re-throw the exception out of the current function. This same machinery ensures that the catch handlers for inner `try` blocks are consulted before outer `try` blocks.

There is only one more piece to the puzzle: given that an exception could occur anywhere, how does the exception machinery know which exception handler should be consulted first? I.e., for every address within a function with C++ exception metadata, what is the current exception state? Microsoft C++/x64 binaries provide this information in the `IPtoStateMap` metadata tables, which is an array of address ranges and their corresponding state numbers.

# GUI OPERATION

This support is fully automated and requires no user interaction. However, the user can customize the display of C++ exception metadata elements for the global database, as well as for individual functions.

# GLOBAL SETTINGS

Under the `Edit->Other->C++ exception display settings` menu item, the user can edit the default settings to control which exception constructs are shown in the listing. These are saved persistently in the database (i.e., the user's choices are remembered after saving, closing, and re-opening), and can also be adjusted on a per-function basis (described later).

The settings on the dialog are as follows:

* Default output mode. When the plugin is able to represent C++ exception constructs via nice constructs like `try`, `catch`, `__wind`, and `__unwind` in the listings, these are called "structured" exception states. The plugin is not always able to represent exception metadata nicely, and may instead be forced to represent the metadata via helper calls in the listing (which are called "unstructured" states). As these can be messy and distracting, users may prefer not to see them by default. Alternatively, the user may prefer to see no exception metadata whatsoever, not even the structured ones. This setting allows the user to specify which types of metadata will be shown in the listing.
* Show wind states. We discussed wind states and unwind handlers in the background material. Although these states can be very useful when reverse engineering C++ binaries (particularly when analyzing constructors), displaying them increases the amount of code in the listing, and sometimes the information they provide is more redundant than useful. Therefore, this checkbox allows the user to control whether they are shown by default.
* Inform user of hidden states. The two settings just discussed can cause unstructured and/or wind states to be omitted from the default output. If this checkbox is enabled, then the plugin will inform the user of these omissions via messages at the top of the listing, such as this message indicating that one unstructured wind state was omitted:
```
// Hidden C++ exception states: #wind_helpers=1
```

There are three more elements on the settings dialog; most users should never have to use them. However, for completeness, we will describe them now.

* Warning behavior. When internal warnings occur, they will either be printed to the output window at the bottom, or shown as a pop-up warning message box depending on this setting.
* Reset per-function settings. The next section will discuss how the display settings described above can be customized on a per-function basis. This button allows the user to erase all such saved settings, such that all functions will use the global display settings the next time they are decompiled.
* Rebuild C++ metadata caches. Before the plugin can show C++ exception metadata in the output, it must pre-process the metadata across the whole binary. Doing so crucially relies upon the ability to recognize the `__CxxFrameHandler3` and `__CxxFrameHandler4` unwind handler functions when they are referenced by the binary's unwind metadata. If the plugin fails to recognize one of these functions, then it will be unable to display C++ exception metadata for any function that uses the unrecognized unwind handler(s). 

If the user suspects that a failure like this has taken place -- say, because they expect to see a `try`/`catch` in the output and it is missing, and they have confirmed that the output was not simply hidden due to the display settings above -- then this button may help them to diagnose and repair the issue. Pressing this button flushes the existing caches from the database and rebuilds them. It also prints output to tell the user which unwind handlers were recognized and which ones were not. The user can use these messages to confirm whether the function's corresponding unwind handler was unrecognized. If it was not, the user can rename the unwind handler function to something that contains one of the two aforementioned names, and then rebuild the caches again. 

Note that users should generally not need to use this button, as the plugin tries several methods to recognize the unwind handlers (such as FLIRT signatures, recognizing import names, and looking at the destination of "thunk" functions with a single `jmp` to a destination function). If the user sees any C++ exception metadata in the output, this almost always means that the recognition worked correctly. This button should only be used by experienced users as a last resort. Users are advised to save their database before pressing this button, and only proceed with the changes if renaming unwind handlers and rebuilding the cache addresses missing metadata in the output.

# CONFIGURATION

The default options for the settings just described are controlled via the `%IDADIR%/cfg/eh34.cfg` configuration file. Editing this file will change the defaults for newly-created databases (but not affect existing databases).

# PER-FUNCTION SETTINGS

As just discussed, the user can control which C++ exception metadata is displayed in the output via the global menu item. Users can also customize these settings on a per-function basis (say, by enabling display of wind states for selected functions only), and they will be saved persistently in the database.

When a function has C++ exception metadata, one or more items will appear on Hex-Rays' right click menu. The most general one is "C++ exception settings...". Selecting this menu item will bring up a dialog that is similar to the global settings menu item with the following settings:

* Use global settings. If the user previously changed the settings for the function, but wishes that the function be shown via the global settings in the future, they can select this item and press "OK". This will delete the saved settings for the function, causing future decompilations to use the global settings.
* This function's output mode. This functions identically to "Default output mode" from the global settings dialog, but only affects the current function.
* Show wind states. Again, identical to the global settings dialog item.

There is a button at the bottom, "Edit global settings", which is simply a shortcut to the same global settings dialog from the `Edit->Other->C++ exception display settings` menu item.

The listing will automatically refresh if the user changes any settings.

Additionally, there are four other menu items that may or may not appear, depending upon the metadata present and whether the settings caused any metadata to be hidden. These menu items are shortcuts to editing the corresponding fields in the per-function settings dialog just discussed. They are:

* Show unstructured C++ states. If the global or per-function default output setting was set to "Structured only", and the function had unstructured states, this menu item will appear. Clicking it will enable display of unstructured states for the function and refresh the decompilation.
* Hide unstructured C++ states. Similar to the above.
* Show wind states. If the global or per-function "Show wind states" setting was disabled, and the function had wind states, this menu item will appear. Clicking it will enable display of wind states for the function and refresh the decompilation.
* Hide wind states. Similar to the above.

# KEYBOARD SHORTCUTS

The user can change (add, remove, or edit) the keyboard shortcuts for the per-function settings right-click menu items from the `Edit->Options->Shortcuts` dialog. The names of the corresponding actions are:

* "C++ exception settings": `eh34:func_settings`
* "Show unstructured C++ states": `eh34:enable_unstructured`
* "Hide unstructured C++ states": `eh34:disable_unstructured`
* "Show wind states": `eh34:enable_wind`
* "Hide wind states": `eh34:disable_wind`
* The global settings dialog: `eh34:config_menu`

# HELPER CALLS

Hex-Rays' Microsoft C++ x64 exception support tries to details about exception state numbers as much as possible. However, compiler optimizations can cause binaries to diverge from the original source code. For example, inlined functions can produce `goto` statements in the decompilation despite there being none in the source. Optimizations can also cause C++ exception metadata to differ from the original code. As a result, it is not always possible to represent `try`, `catch`, `wind`, and `unwind` constructs as scoped regions that hide the low-level details.

In these cases, Hex-Rays' Microsoft C++ x64 exception support will produce helper calls with informative names to indicate when exception states are entered and exited, and to ensure that the user can see the bodies of `catch` and `unwind` handlers in the output. The user can hover their mouse over those calls to see their descriptions. They are also catalogued below.

The following helper calls are used when exception states have multiple entrypoints, or multiple exits:

  `__eh34_enter_wind_state(s1, s2) : switch state from parent state s1 to child wind state s2`
  `__eh34_enter_try_state(s1, s2) : switch state from parent state s1 to child try state s2`
  `__eh34_exit_wind_state(s1, s2) : switch state from child wind state s1 to parent state s2`
  `__eh34_exit_try_state(s1, s2) : switch state from child try state s1 to parent state s2`

The following helper calls are used when exception states had single entry and exit points, but could not be represented via `try` or `__wind` keywords:

  `__eh34_wind(s1, s2) : switch state from parent state s1 to child state s2; a new c++ object that requires a dtr has been created`
  `__eh34_try(s1, s2) : switch state from parent state s1 to child state s2; mark beginning of a try block`

The following helper calls are used to display `catch` handlers for exception states that could not be represented via the `catch` keyword:

  `__eh34_catch(s) : beginning of catch blocks at state s; s corresponds to the second argument of the matching try call(if present)`
  `__eh34_catch_type(s, \"handler_address\") : a catch statement for the type described at \"address\"`
  `__eh34_catch_ellipsis(s) : \"catch all\" statement`

The following helper calls should be removed, but if you see them, they signify the boundary of a `catch` handler:

  `__eh34_try_continuation(s, i, ea) : end of catch handler `i` for state `s`, returning to address `ea``
  `__eh34_caught_type(s, \"handler_address\") : a pairing call for __eh34_catch_type when catch handler has no continuation`
  `__eh34_caught_ellipsis(s) : \"caught all\", paired with __eh34_catch_ellipsis when catch handler has no continuation`

The following helper calls are used to display `unwind` handlers for exception states that could not be represented via the `__unwind` keyword:

  `__eh34_unwind(s) : destruct the c++ object created immediately before entering state s; s corresponds to the second argument of the matching wind call(if present)`

The following helper calls are used to signify that an `unwind` handler has finished executing, and will transfer control to a parent exception state (or outside of the function):

  `__eh34_continue_unwinding(s1, s2) : after unwinding at child state s1, switch to parent state s2 and perform its unwind or catch action`
  `__eh34_propagate_exception_into_caller(s1, s2) : after unwinding at child state s1, switch to root state s2; this corresponds to the exception being propagated into the calling function`

The following helper call is used when the exception metadata did not specify a function pointer for an `unwind` handler, which causes program termination:

  `__eh34_no_unwind_handler(s) : the state s did not have an unwind handler, which causes program termination in the event that an exception reaches it`

The following helper calls are used to signify that Hex-Rays was unable to display an exception handler in the decompilation:

  `__eh34_unwind_handler_absent(s, ea) : could not inline unwind handler at ea for wind state s`
  `__eh34_catch_handler_absent(s, i, ea) : could not inline i'th catch handler at ea for try state s`
From Microsoft Visual Studio versions 2005 (toolchain version 8.0) to 2017 Service Pack 2 (version 14.12), the compiler emitted detailed metadata that precisely defined the boundaries of all exception regions within C++ functions. This made binary files large, and not all of the metadata was strictly necessary for the runtime library to handle C++ exceptions correctly.

Starting from MSVC 2017 Service Pack 3 (version 14.13), the compiler began applying optimizations to reduce the size of the C++ exception metadata. An official Microsoft blog entry entitled ["Making C++ Exception Handling Smaller on x64"](https://devblogs.microsoft.com/cppblog/making-cpp-exception-handling-smaller-x64/) describes the first change as "dropping metadata for regions of code that cannot throw and folding logically identical states". (Version 14.23 later introduced the `__CxxFrameHandler4` metadata format to compress the metadata further.)

As a result of these changes, the C++ exception metadata in MSVC 14.13+ binaries is no longer fully precise. Exception states are frequently reported as beginning physically after where the source code would indicate. In order to produce usable output, Hex-Rays employs mathematical optimization algorithms to reconstruct more detailed C++ exception metadata configurations that can be displayed in a nicer format in the decompilation. These algorithms improve the listings by producing more structured regions and fewer helper calls in the output, but they introduce further imprecision as to the true starting and ending locations of exception regions when compared to the source code. They are an integral part of Hex-Rays C++/x64 Windows exception metadata support and cannot be disabled.

The takeaway is that, when processing MSVC 14.13+ binaries, Hex-Rays C++/x64 Windows exception support frequently produces `try` and `__unwind` blocks that begin and/or end earlier and/or later than what the source code would indicate, were it available. This has important consequences for vulnerability analysis.

For example, given accurate exception boundary information, the destructor for a local object would ordinarily be situated after the end of that object's `__wind` and `__unwind` blocks, as in:

  Object::Constructor(&v14);
  __wind
  {
    // ...
  }
  __unwind
  {
    Object::Destructor(&v14);
  }
  // HERE: destructor after __wind region
  Object::Destructor(&v14);

Yet, due to the imprecise boundary information, Hex-Rays might display the destructor as being inside of the `__wind` block:

  Object::Constructor(&v14);
  __wind
  {
    // ...
    // HERE: destructor inside of __wind region
    Object::Destructor(&v14);
  }
  __unwind
  {
    Object::Destructor(&v14);
  }

The latter output might indicate that `v14`'s destructor would be called twice if its destructor were to throw an exception. However, this indication is simply the result of imprecise exception region boundary information. In short, users should be wary of diagnosing software bugs or security issues based upon the positioning of statements nearby the boundaries of `try` and `__wind` blocks. The example above indicates something that might appear to be a bug in the code -- a destructor being called twice -- but is in fact not one.

These considerations primarily apply when analyzing C++ binaries compiled with MSVC 14.13 or greater. They do not apply as much to binaries produced by MSVC 14.12 or earlier, when the compiler emitted fully precise information about exception regions.

Although Hex-Rays may improve its detection of exception region boundaries in the future, because modern binaries lack the ground truth of older binaries, the results will never be fully accurate. If the imprecision is unacceptable to you, we recommend permanently disabling C++ metadata display via the `eh34.cfg` file discussed previously.

# MISCELLANEOUS

Hex-Rays' support for exceptions in Microsoft Visual C++/x64 only works after auto-analysis has been completed. Users can explore the database and decompile functions as usual, but no C++ exception metadata will be shown. Users are advised to refresh any decompilation windows after auto-analysis has completed.

If users have enabled display of wind states, they may see empty `__wind` or `__unwind` constructs in the output. Usually, this does not indicate an error occurred; this usually means that the region of the code corresponding the `wind` state was very small or contained dead code, and Hex-Rays normal analysis and transformation made it empty.

Starting in IDA 9.0, IDA's auto-analysis preprocesses C++ exception metadata differently than in previous versions. In particular, on MSVC/x64 binaries, `__unwind` and `catch` handlers are created as standalone functions, not as chunks of their parent function as in earlier versions. This is required to display the exception metadata correctly in the decompilation. For databases created with older versions, the plugin will still show the outline of the exception metadata, but the bodies of the `__unwind` and `catch` handlers will be displayed via the helper calls `__eh34_unwind_handler_absent` and `__eh34_catch_handler_absent`, respectively. The plugin will also print a warning at the top of the decompilation such as `Absent C++ exception handlers: #catch=1 (pre-9.0 IDB)` in these situations. Re-creating the IDB with a newer version will solve those issues, although users might still encounter absent handlers in new databases (rarely, and under different circumstances).
¨
WRAP
Create C header file▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceHeader
 Current hotkey: @<ProduceHeader>

This command saves all definitions in the local types window into a C header
file

Please note that that types created in the structures window will not
be saved unless they are synchronized with the local types

See also other @0:438[Produce output file] commands.Create C ~h~eader file...BThread-unsafe function '%s' cannot be called from non-main thread´WRAP
Low level breakpoint conditions ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Low level breakpoint conditions can be used to speed up the debugger.
They are evaluated like this:

  - in case of remote debugging, the condition is evaluated on the remote
    computer. The following actions are bypassed:
      - sending of the breakpoint event to the local computer
      - switching from debthread to the main thread
      - updating internal IDA structures and caches
      - updating the screen

  - in case of local debugging, the condition is evaluated at low level.
    The following actions are bypassed:
      - switching from debthread to the main thread
      - updating internal IDA structures and caches
      - updating the screen

In both cases, there is a significant speed up. This improvement imposes
some limitations on the breakpoint condition:

  - only IDC expressions can be used for low level conditions
  - only functions marked as 'thread-safe' may be called
  - only entire registers can be accessed (e.g. EAX is ok but AL is not)

Essentially this means that the only available functions are:

  - read/write process registers
  - read/write process memory
  - file i/o
  - auxiliary string and object functions
  - msg() function (for debugging the breakpoint conditions)

Low level breakpoint conditions are available only for Win32, Linux, Mac,
and Android debuggers.
hWRAP
Android debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The Android debugger has the following particularities and limitations:

- Android on ARM is supported (not on x86)

- Both ARM and Thumb mode code is supported

- Multithreaded applications can be debugged. However, since the operating
  system does not report thread deaths, they are reported only when
  the debugger notices that the thread is missing (for example, because
  there is an error when we try to suspend it)

- Apparently Android reports applications that are currently executing
  a system call as executing "LDMFD SP!, {R4,R7}" before the syscall.
  Once the syscall completes, the next instruction is reached.

- Hardware breakpoints are not supported.

 See also @0:1397[Start process]
          @0:1395[Debugger] submenu
          @0:1463[How to launch remote debugging]@0:586[]
FunctionsH      Function name               Segment   Start    Length  RFLSBMICDV@0:485[]
Edit function

  <~N~ame of function:q::32::>
  <~S~tart address   :$::18::>
  <~E~nd address     :$::18::>    <D~o~es not return:C>
  <~C~olor           :K::8::>     <~F~ar function:C>
                                  <~L~ibrary func:C>
  Enter size of (in bytes)        <S~t~atic func:C>
  <Local ~v~ariables area:N::18::><~B~P based frame:C>
  <Saved ~r~egisters     :N::18::><BP e~q~uals to SP:C>
  <~P~urged bytes        :N::18::><Fu~z~zy SP:C>
  <Frame pointer ~d~elta :N::18::><O~u~tlined code:C>>

EHIDECANCEL
Are you sure you want to delete the selected function(s)?0A function must start with an instruction (%s).!Could not find a function at %s.&Can't set a function '%s' start to %s$Can't set a function '%s' end to %sD@0:695[]
Sorry, cannot add the selection to the function definition
@0:1118[]@0:1416[]
Imports
@0:242[]
Load Binary or User-Defined Format file
%/%*
  File name: %A

  <~B~inary file:R>>

  <~L~oading segment:N::18::> (in paragraphs)
  <Loading  ~o~ffset:N::18::>

  Processor: %1A
  <Change ~p~rocessor:B2:-1::::>

  <Analy~s~is options:B:2::::>

  <~C~reate segments:C>>

+@0:242[]
Load File
%/%*
  Load file %A as
9
  <~B~inary file:R>3>

  <~L~oading segment:N::18::> (EXE & BIN)
  <Loading  ~o~ffset:N::18::> (BIN)

  <~C~reate segments:C>      (BIN)  Processor: %1A
  <Load ~r~esources:C>              <Change ~p~rocessor:B2:-1::::>
  <Rename DLL en~t~ries:C>
  <~M~anual load:C>                 <Analy~s~is options:B:2::::>
"  <~F~ill segment gaps:C>4> (NE)

WRAP
Packed Files ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Sometimes, executable files are shipped in a packed form. It means
that to disassemble these files you need to unpack them.

IDA displays this message if the relocation table of the input MZ executable file is
empty.—WRAP
Bad Relocation Table ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Relocation table has references beyond program limits.WRAP
Additional information at the end of file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The file being loaded is not completely loaded to memory by the
operating system. This may be because:
        - the file is overlayed; IDA does not know this type of overlays
        - the file has debugging information attached to its end
        - the file has other type of information at the end

Anyway, IDA will not load the additional information.
ý
WRAP
Overlayed files ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Some EXE files are built with overlays.
This means that the whole file is
not loaded into the memory at the start of
the program, but only a part of it. Other
parts are loaded by the program itself
into the dynamic memory or over some
subroutines of the program.  This fact
leads to many difficulties when you
disassemble such a program.

Currently,  IDA knows about overlays created by Borland and Microsoft C
and Pascal compilers.
WRAP
Error loading overlays ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

One of the following occurred:

        - overlay stub is not found
        - overlay relocation data is incorrect

i.e. the input file structure is bad.
à
WRAP
Maximal number of segments is reached ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

When IDA tried to delete bytes outside of any segment, the maximal number
of contiguous chunks is reached. This is NOT a fatal error.

Some bytes outside of any segment will be present => the output text
will be incorrect because of these bytes. However, you can delete them in the
output text using a text editor.
³
WRAP
Cannot generate executable file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA produces executable files only for:
  - MS DOS .exe
  - MS DOS .com
  - MS DOS .drv
  - MS DOS .sys
  - general binary
  - Intel Hex Object Format
  - MOS Technology Hex Object Format

Furthermore, external loaders may or may not support the creation of user-defined
input file formats.
ÿWRAP
Bad input file format ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 The input file does not conform to the following definitions:

Intel Hex Object Format
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
This is the default format.  This format is
line  oriented  and  uses only printable ASCII characters except for
the carriage return/line feed at the end of each line.  Each line in
the file assumes the following format:

 :NNAAAARRHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHCCTT

Where:

All fields marked 'hex' consist of two  or  four  ASCII  hexadecimal
digits  (0-9,  A-F).  A maximum of 24 data bytes will be represented
on each line.

 :      = Record Start Character
 NN     = Byte Count (hex)
 AAAA   = Address of first byte (hex)
 RR     = Record Type (hex, 00 except for last record which is 01)
 HH     = Data Bytes (hex)
 CC     = Check Sum (hex)
 TT     = Line Terminator (carriage return, line feed)

The last line of the file will be a record conforming to  the  above
format with a byte count of zero (':00000001FF').

The checksum is defined as:

        sum      =  byte_count + address_hi + address_lo +
                        record_type + (sum of all data bytes)
        checksum =  ((-sum) & ffh)

MOS  Technology  Hex Object Format
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
This format is line oriented and
uses  only  printable  ASCII  characters  except  for  the  carriage
return/line  feed  at  the  end of each line.  Each line in the file
assumes the following format:

 ;NNAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHCCCCTT

Where:

All fields marked 'hex' consist of two  or  four  ASCII  hexadecimal
digits  (0-9,  A-F).  A maximum of 24 data bytes will be represented
on each line.

 ;      = Record Start Character
 NN     = Byte Count (hex)
 AAAA   = Address of first byte (hex)
 HH     = Data Bytes (hex)
 CCCC   = Check Sum (hex)
 TT     = Line Terminator (carriage return, line feed)

The last line of the file will be a record with a byte count of zero
(';00').

The checksum is defined as:

        sum      =  byte_count + address_hi + address_lo +
                        (sum of all data bytes)
        checksum =  (sum & ffffh)
TWRAP
Choose mark number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command allows you to mark a location so that afterwards you can
jump to the marked location immediately. Select any line from the list.
The selected line will be used for mark description.
Afterwards, you will be able to jump to the marked location using <Alt-J> key.

You can use <Up>, <Down>, <PgUp>, <PgDn>, <Home>, <End> keys. If you
select the first line of the list, nothing will be selected.

Press <Enter> to select line, <Esc> to cancel.

See also:
 @0:227[How to jump to the marked location]¹WRAP
Enter mark description ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Mark description is any text line. The description is for your information only.Â
WRAP
Choose marked location ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command allows you to jump to the previously marked location.
Select any line. You will jump to the selected location.

You can use <Up>, <Down>, <PgUp>, <PgDn>, <Home>, <End> keys. If you
select the first line of the list, nothing will be selected.

Press <Enter> to select line, <Esc> to cancel.

See also:
 @0:225[How to mark a location]ÉWRAP
Cannot rename a location ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

It might be because of one of the following reasons:

1. The name is ill-formed:

        - it is a reserved word
          NOTE: IDA does not allow the use of register names as byte names.
        - it contains bad characters.
          The list of allowed characters is specified in IDA.CFG
        - it starts with a reserved prefix. Some prefixes are used
          by IDA to generate names. See @0:609[Names Representation]
          dialog for the list of prefixes.

2. The name is already used in the program. Try to use another @0:424[name].
   In order to know where the name is used, you can try to jump to it using
   @0:545[Jump to the Named Location]

3. The address cannot have a name:

     - IDA refuses to rename tail bytes (i.e. the second, third...
       bytes of instruction/data).
     - the address does not belong to the program
š
WRAP
Cannot find file segmentation ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀


The database is empty or corrupt. Unfortunately, all information has been lost.

Please use a backup copy of the database if there is any.

If you have previously saved your database into a text file,
you can load it. See the @0:444[Dump database] command for explanations.#  <~F~ill segment gaps:C>4> (OMF)
C
WRAP
Negative Offsets ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

A segment cannot have bytes with negative offset from the segment base.
Example:
        if a segment base is 0x3000, this segment can have a
        start address above or equal to 0x30000, but it cannot
        have a start address 0x2FFFF.0
WRAP
Cannot move segment start address ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA cannot change the segment start address if some instructions/data would occur outside
of the segment. @0:456[Undefine] this instructions/data first.‡WRAP
Cannot move segment start address ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA cannot change the segment start address because this segment with the
new start address would overlap another adjacent segment. For example,
the following situation:

  seg_a  starts at 0x0000 ends at 0x1000
  seg_b  starts at 0x1000 ends at 0x2000
  seg_c  starts at 0x2000 ends at 0x3000

If you ask to change seg_c so that it starts at 0x500, you'll see this
error message, because the new seg_c would overlap seg_b.

Please note that the end address never belongs to the segment in IDA.
¬WRAP
Cannot Create Database ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Most probably your disk is full or some disk I/O error occurred.ó
WRAP
Database is not closed ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The database was not closed after the last IDA session. Most probably
this happened due to a power fault, unexpected reboot of the computer,
or another abnormal session termination.

You may try to repair the database but the best solution would be to
use the intact packed database or use a backup.

The repairing may fail to recover the database.

See also the @0:444[Dump database] command.
ÎWRAP
Obsolete Database Format ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Please use an old version of IDA. The current
version of IDA does not support this database.
Y
WRAP
The Name List is Empty ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command allows you to select a name from the user defined names.
It means that no such names are defined now, or that all user-defined names are hidden.
To give a name to the location,
use @0:457[Rename] or @0:531[Rename any] commands.WRAP
Upgrading IDA database ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

If IDA finds out that your database has an old format, it will try to upgrade
the database to a new format.
The upgrade process is completely automatic, no user intervention
is needed. However, after upgrading your database, you will not be able to
work with it using old versions of IDA. That is why IDA asks your
confirmation before upgrading the database.

This feature works only for databases starting from IDA version 2.05.
WRAP
Unexpected Database Format ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Database format is newer than expected.
That is because you are using an old version of IDA. The only thing you can do
is to get a new version of IDA.<WRAP
Imported module is not found ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

  IDA did not find the specified module in:
    - the current directory
    - the operating system directory (see switch @0:417[-W]
      and configuration file parameters @0:419[WINDIR,OS2DIR])

  OR
        - the module cannot be accepted because:
        - the module name (recorded in the file) doesn't match
          the expected name
        - the module does not contains any exported names (all exported functions
          are exported by ordinal numbers)

Entries imported by ordinal entries will not be commented. If IDA finds a module,
all entries that are imported by ordinal will be commented like this:

  KERNEL_91:
                retf            ; INITTASK
                                  ^^^^^^^^^
                                  comment

This comment will be propagated (@0:480[repeated]) to all
locations which call this
entry:

                call    far ptr KERNEL_91 ; INITTASK


IDA searches all files named "modulename.*" for the module.
If you know that the imported module resides in another directory,
copy it to your current directory. If the module file name is different
from "modulename.*",
rename it. After the database is loaded, you can
delete the copied module.

IDA also looks for file "modulename.ids"
  in the current directory
  in the IDS subdirectory of the directory where IDA.EXE resides
  in the PATHed directories

You can create such a file yourself. For an example, look at DOSCALLS.IDS
in the IDS subdirectory.
;WRAP
Selections in graphs ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Many graph operations are applied to the selected nodes. The current
node is considered to be part of the node selection for all operations.

The graph nodes can be selected using the mouse. To select many nodes at
once, press and hold the Ctrl key during the mouse operation. The Alt
key removes nodes from the current selection.

Internally, IDA keeps track of the selected nodes and edge layout points.
Edge layout points are the points where edges are bent. If the current
selection is moved in the graph, the selected edge layout points are
moved too.

The default color for the title of the selected nodes is light gray.
Other node titles are displayed with white color.

Back to @0:42[graph view] or @0:1626[proximity view]ŠWRAP
Load file dialog ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Below is the description of dialog box fields:

 Load address - the paragraph where the file will be loaded.
                Meaningful only for EXE and binary files. For new exe
                files, please use 'manual load' feature.
 Load offset  - relevant only for binary files.
                specifies offset of the first byte from the start of
                the first segment. For example, if load offset=0x2700 and
                load address=0x1000, the first byte of the file will
                be at 1000:2700.
 DLL directory - path where IDA will look up referenced DLL files.
                Note that if IDA finds .IDS file, it does not look for
                .DLL file.
 Create segments        - relevant for binary files.
                          If not checked, IDA does not create segments.
 Load resources         - If not checked, IDA does not load resources from
                          NE files.
 Rename DLL entries     - If not checked, IDA makes repeatable comments
                          for entries imported by ordinals. Otherwise,
                          IDA renames the entries to meaningful names.
 Manual load            - relevant only for NE,LE,LX,ELF files.
                          If checked, IDA will ask loading addresses
                          and selectors for each object of the file.
                          For experienced users only!
 Fill segment gaps      - relevant only for COFF & OMF files.
                          If checked, IDA will fill gaps between
                          segments, creating one big chunk.
                          This option facilitates loading of big
                          object files.
 Make imports section   - relevant only for PE files.
                          If checked, IDA will convert .idata section
                          definitions to "extrn" directives and truncate it.
                          Unfortunately, sometimes there are some additional
                          data in .idata section so you'll need to disable
                          this feature if some information is not loaded
                          into the database.
 Create FLAT group      - relevant only for IBM PC PE files.
                          If checked, IDA will automatically create FLAT
                          group and use its selector as the default value
                          for the segment registers.
 Code segment           - If checked, IDA creates a code but not a data
                          segment. Relevant for processors with different
                          code/data segment addressing schemes (for
                          example, Atmel AVR).
 Loading options        - relevant only ELF,JAVA files.
                          If checked, IDA will ask additional loader
                          options. For experienced users only!
EWRAP
PE .idata section has additional data ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

If "create imports section" in the file loading dialog is checked,
IDA will convert .idata section definitions to "extrn"
directives and truncate it so it will not contain empty lines.

Unfortunately, sometimes there is some additional data in .idata
section so you'll need to disable this feature if some information is
not loaded into the database.

IDA tries to detect additional data in .idata section automatically.

If you disable conversion of .idata section to a segment with "extrn"
directives, you will see

somename        dd      ?

instead of

        extrn   somename

directives.

Another impact is that the .idata segment will not be truncated in any way.
®WRAP
Zooming graphs ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The graph can be zoomed in and out. There are several ways of zooming the graph:

 - Use Ctrl-Wheel. The current mouse position will be the zoom center
   point (i.e. this point will not move during the zoom operation)
 - Use the predefined 'Zoom 100%' and 'Fit window' commands. They are
   available from the right-click menu or by their shortcuts: '1' and
   'W' respectively. The current mouse position is the zoom center
   point for the 'zoom 100%' command.
 - Use Ctrl-KeypadPlus or Ctrl-KeypadMinus keys. The current keyboard
   cursor is the zoom center for these commands.
 - Use Ctrl-Shift-drag. This lets you draw a rectangle to which IDA
   will zoom.

There are two options linked to the graph zooming:

 - Auto fit graph to window: will fit the current graph to the window
   size. Default: off
 - Fit window max zoom level 100%: the 'fit window' command does not
   use zoom levels higher than 100%. Default: on

The zoom level is never greater than 1000% and less than 1%.
IDA remembers the current zoom level for each location in the navigation
history.

Back to @0:42[graph view] or @0:1626[proximity view]K  <Make ~i~mports section:C> (PE&XBE)
  <Create FLAT ~g~roup:C>4>    (PE)
ù"WRAP
Menu system ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

@0:428[Main Menu Bar]

  @0:429[File]
    @0:430[Load file]
      @0:431[Reload input file]
      @0:432[Script file]
      @0:433[Binary file]
      @0:434[IDS file]
      @0:435[Debug information file]
      @0:1374[PDB debug information file]
      @0:1512[TDS debug information file]
      @0:436[FLIRT signature file]
      @0:1367[C header file]
    @0:437[Script command]
    @0:438[Produce output file]
      @0:439[Generate MAP file]
      @0:440[Generate ASM file]
      @0:1475[Generate INC file]
      @0:441[Generate LST file]
      @0:442[Generate EXE file]
      @0:443[Generate DIF file]
      @0:1504[Generate HTML file]
      @0:1674[Generate SIG file]
      @0:1251[Generate flow chart GDL file]
      @0:1252[Generate call graph GDL file]
      @0:444[Dump database to IDC file]
      @0:445[Dump typeinfo to IDC file]
      @0:141[Create C header file]
    @0:447[Save database]
    @0:448[Save database as...]
    @0:1621[Take database snapshot...]
    @0:449[Abort]
    @0:450[Quit]
  @0:451[Edit]
    @0:420[Anchor]
    @0:1671[Export data]
    @0:1710[Undo]
    @0:1711[Redo]
    @0:452[instruction]
    @0:453[data]
    @0:454[strlit]
    @0:455[array]
    @0:456[undefine]
    @0:457[Rename]
    @0:458[Operand types]
      @0:1381[Offset]
        @0:467[Convert operand to offset (data segment)]
        @0:468[Convert operand to offset (code segment)]
        @0:469[Convert operand to offset (any segment)]
        @0:470[Convert operand to offset (user-defined base)]
        @0:472[Convert operand to struct offset]
      @0:1382[Number]
        @0:460[Convert operand to number]
        @0:461[Convert operand to hex number]
        @0:462[Convert operand to decimal number]
        @0:464[Convert operand to octal number]
        @0:463[Convert operand to binary number]
        @0:1380[Convert operand to floating point number]
        @0:1510[Toggle leading zeroes]
      @0:465[Convert operand to character]
      @0:466[Convert operand to segment]
      @0:473[Convert operand to symbolic constant (enum member)]
      @0:474[Convert operand to stack variable]
      @0:475[Change operand sign]
      @0:476[Bitwise negate operand]
      @0:477[User-defined operand]
      @0:1601[Set operand type]
    @0:478[Comments]
      @0:479[Create a regular comment]
      @0:480[Create a repeatable comments]
      @0:481[Create additional comment lines]
    @0:483[Functions]
      @0:484[Create function...]
      @0:485[Edit function...]
      @0:687[Append function tail...]
      @0:688[Remove function tail...]
      @0:486[Delete function...]
      @0:487[Set function end]
      @0:488[Define stack variables...]
      @0:489[Change stack pointer...]
      @0:1346[Rename register...]
      @0:1361[Set function/item type...]
    @0:490[Structures]
      @0:491[Add struct type...]
      @0:1370[Duplicate struct type...]
      @0:492[Del struct type]
      @0:493[Insert gap...]
      @0:494[Delete gap...]
      @0:495[Edit struct type...]
      @0:496[Declare struct var]
      @0:497[Force zero field offset]
      @0:498[Select union member...]
      @0:1392[Create struct type from data...]
    @0:506[Segments]
      @0:507[Create a new segment...]
      @0:513[Delete a segment...]
      @0:514[Change segment attributes...]
      @0:520[Move a segment...]
      @0:1408[Rebase program...]
      @0:521[Change segment translation...]
      @0:522[Set default segment register value...]
      @0:523[Change segment register value...]
    @0:526[Patch core]
      @0:527[Patch core...]
      @0:529[Assemble...]
      @0:1618[Apply patches to input file...]
    @0:530[Other]
      @0:533[Alignment...]
      @0:534[Manual instruction...]
      @0:1456[Color instruction...]
      @0:535[Hide/show border]
    @0:536[Plugins]
      @0:1761[Borland RTTI]
      @0:1675[DWARF]
      @0:1478[Golang]
      @0:1760[Find Functions]
      @0:1687[Objective-C]
      @0:1374[Pdb]
      @0:1477[Rust]
      @0:1479[Swift]
      @0:140[x64 MSVC C++ Exception Handler for the Decompiler]
    @0:543[Jump]
    @0:538[Jump immediate]
    @0:539[Jump back]
    @0:540[Undo last jump back]
    @0:541[Empty navigation stack]
    @0:544[Jump to address]
    @0:545[Jump to named location]
    @0:546[Jump to segment start]
    @0:547[Jump to segment register change point]
    @0:548[Jump to problematic location]
    @0:582[Mark location]
    @0:563[Jump to marked position]
    @0:564[Jump to cross reference]
    @0:565[Jump to cross reference to operand]
    @0:566[Jump to function]
    @0:567[Jump to entry point]
    @0:1393[Jump to file offset]
  @0:568[Search for]
    @0:569[suspicious operands]
    @0:1481[string with error]
    @0:570[instruction bytes]
    @0:571[data bytes]
    @0:572[unexplored bytes]
    @0:573[explored bytes]
    @0:574[immediate operand values]
    @0:576[substring in the text representation]
    @0:579[substring in the binary image of the file]
    @0:581[instructions not belonging to any function]
    @0:1373[find all suspicious operands]
    @0:1482[find all errors]
    @0:623[Search direction]
    @0:1460[Find register definition]
    @0:1460[Find register use]
  @0:583[View]
    @0:1356[Open subviews...]
      @0:585[Open disassembly window]
      @0:1415[Open exports window]
      @0:1416[Open imports window]
      @0:586[Open functions window]
      @0:587[Open names window]
      @0:588[Open signatures window]
      @0:589[Open segments window]
      @0:590[Open segment registers window]
      @0:591[Open selectors window]
      @0:592[Open cross references window]
      @0:593[Open structures window]
      @0:1259[Open local types window]
      @0:595[Open problems window]
      @0:1358[Open type libraries window]
      @0:1379[Open strings window]
      @0:1383[Open function calls window]
      @0:1384[Open notepad]
      @0:1714[Open undo history]
    @0:1378[Graphs...]
      @0:1377[Display function call graph]
      @0:1389[Display chart of xrefs to addresses]
      @0:1390[Display chart of xrefs from addresses]
      @0:1391[Display user-defined chart of xrefs]
    @0:596[Calculator]
    @0:597[View segment registers]
    @0:598[View internal flags]
    @0:1622[Database snapshot manager]
    @0:599[Hide]
    @0:600[Unhide]
    @0:1394[Del hidden range]
    @0:1387[Hide all]
    @0:1388[Unhide all]
    @0:601[Setup hidden items...]
  @0:1395[Debugger]
    @0:1396[Debugger window]
    @0:1423[Thread list]
    @0:1457[Module list]
    @0:1397[Start process]
    @0:1452[Attach to process...]
    @0:1398[Process options]
    @0:1399[Pause process]
    @0:1400[Terminate process]
    @0:1453[Detach from process]
    @0:1470[Take memory snapshot]
    @0:1697[Manual memory regions]
    @0:1401[Step into]
    @0:1402[Step over]
    @0:1442[Run until return]
    @0:1403[Run to cursor]
    @0:1471[Set current ip]
    @0:1472[Show application screen]
    @0:1454[Breakpoints]
      @0:1404[Breakpoint list]
      @0:1405[Add breakpoint]
      @0:1407[Edit breakpoint]
      @0:1488[Breakpoint conditions]
      @0:1406[Delete breakpoint]
      @0:1648[Page breakpoints]
    @0:1272[Source view]
      @0:1325[Watch view (source level)]
      @0:1518[Local variables]
    @0:1455[Watches (assembler level)]
      @0:1409[Watch list]
      @0:1410[Add watch]
      @0:1411[Del watch]
    @0:1443[Tracing]
      @0:1629[Trace management]
      @0:1444[Tracing window]
        @0:1630[Select trace]
        @0:1631[Other options]
        @0:1632[Edit trace description]
        @0:1634[Diff to binary trace]
        @0:1633[Remove binary trace]
        @0:1635[Import binary trace]
        @0:1636[Export binary trace]
        @0:1637[Export trace to text file]
        @0:1638[Show trace callgraph]
      @0:1445[Clear trace]
      @0:1446[Instruction tracing]
      @0:1447[Function tracing]
      @0:1628[Basic block tracing]
      @0:1448[Add write trace]
      @0:1448[Add write trace]
      @0:1449[Add read/write trace]
      @0:1450[Add execution trace]
      @0:1412[Stack trace]
      @0:1451[Tracing Options]
    @0:1413[Debugger options]
    @0:1461[Switch debugger...]
  @0:1698[Lumina]
  @0:604[Options]
    @0:605[Text representation...]
    @0:1369[Comments...]
    @0:607[Representation of cross references...]
    @0:608[Assembler directives...]
    @0:609[Names representation...]
    @0:611[Demangled C++ names...]
    @0:1354[Compiler...]
    @0:613[STRLIT string style...]
    @0:614[String options...]
    @0:615[Colors...]
    @0:616[Dump/normal View]
    @0:617[Setup data types...]
    @0:618[Processor type...]
    @0:619[Target assembler...]
    @0:620[Analysis options...]
    @0:1371[Miscellaneous...]
  @0:624[Windows]
    @0:1419[Load desktop...]
    @0:1420[Save desktop...]
    @0:1421[Delete desktop...]
    @0:1422[Reset desktop]
    @0:1464[Reset hidden messages...]
    @0:625[Set video mode...]
    @0:626[External help]
    @0:627[Keyboard layout]$Apache License v2.0 ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.

"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:

(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.

You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONSÔWRAP
The Interactive Disassembler Help Index ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

For additional information and tutorial please visit
https://www.hex-rays.com/products/ida

  @0:415[Main Idea]

  @0:358[Menu system]

  @0:1462[Credits]

Basics

  @0:417[Command line switches]
  @0:419[Configuration file]
  @0:1375[Environment variables]
  @0:418[Keyboard Macros]
  @0:596[Calculator]
  @0:524[Segment Register Change Points]
  @0:549[Problems List]
  @0:420[Anchor]
  @0:416[Background Analysis]
  @0:1395[Debugger]

Windows

  @0:585[Disassembly window]
  @0:42[Graph view]
  @0:1626[Proximity view]
  @0:1385[Arrows window]
  @0:584[Message window]
  @0:1415[Exports window]
  @0:1416[Imports window]
  @0:589[Segments window]
  @0:587[Names window]
  @0:586[Functions window]
  @0:593[Structures window]
  @0:488[Stack variables window]
  @0:595[Problems window]
  @0:1358[Type libraries window]
  @0:1259[Local types window]
  @0:588[Signatures window]
  @0:592[Cross-references window]
  @0:591[Selectors window]
  @0:590[Segment registers window]
  @0:1379[Strings window]
  @0:1383[Function calls window]

How to...

  @0:1463[How to launch remote debugging]
  @0:427[How To Use List Viewer]
  @0:425[How to use the Notepad]
  @0:424[How to Enter an Identifier]
  @0:422[How to Enter a Segment Value]
  @0:426[How to Enter an Address]
  @0:423[How to Enter a Number]

@0:1345[Miscellaneous]
 WRAP
Main Idea ▄
 ▀▀▀▀▀▀▀▀▀▀

IDA is an interactive disassembler, which means that the user
takes active participation in the disassembly process.
IDA is not an automatic analyzer of programs.
IDA will give you hints about suspicious instructions, unsolved
problems etc. It is your job to inform IDA how to proceed.

If you are using IDA for the very first time, here are some commands that
you will find very useful:

  - convert to @0:452[instruction] : the hotkey is "C"
  - convert to @0:453[data] : the hotkey is "D"

All the changes that you made are saved to disk. When you run IDA again,
all the information on the file being disassembled is read from the disk, so that you can resume your work.

For other commands please refer to the @0:428[menu] system and the help.—WRAP
Background Analysis ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA can analyze a program when it is not occupied performing
an action you prompted. You disassemble a program together with IDA, but your requests have priority.

The state of background analysis is shown on the upper right-hand corner
of the screen.

You can @0:620[disable] autoanalysis, but in this case
some functions of IDA will produce strange results (e.g. if you try to
convert data into instructions, IDA will NOT trace all the threads of
control flow and the data will be converted into instructions only on
the screen...)

See also @0:620[analysis options].
:WRAP
Command line switches ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA can be launched with one of the following command lines:

        ida input-file        (Start graphical interface)
        idat input-file       (Start text interface)

The following command line switches are recognized:

 -a     disable @0:416[auto analysis]. (-a- enables it)
 -A     autonomous mode. IDA will not display dialog boxes.
        Designed to be used together with -S switch.
 -b#### loading address, a hexadecimal number, in paragraphs
        (a paragraph is 16 bytes)
 -B     batch mode. IDA will generate .IDB and .ASM files automatically
 -c     disassemble a new file (delete the old database)
 -C#### set @0:1354[compiler] in format name:abi
 -ddirective
        A configuration directive which must be processed at the first
        pass. Example: -dVPAGESIZE=8192
 -Ddirective
        A configuration directive which must be processed at the second
        pass.
 -f     disable FPP instructions (IBM PC only)
 -h     help screen
 -i#### program entry point (hex)
 -I#    set IDA as just-in-time debugger (0 to disable and 1 to enable)
 -L#### name of the log file
 -M     disable mouse (text only)
 -O#### @0:1465[options] to pass to plugins.
        This switch is not available in the IDA Home edition.
 -o#### specify the output database (implies -c)
 -p#### @0:618[processor type]
 -P+    compress database (create zipped idb)
 -P     pack database (create unzipped idb)
 -P-    do not pack database (not recommended, see @0:449[Abort] command)
 -r###  immediately run the built-in debugger
        format of this switch is explained @0:1502[here]
 -R     load MS Windows exe file resources
 -S###  Execute a script file when the database is opened.
        The script file extension is used to determine which extlang
        will run the script.
        It is possible to pass command line arguments after the script name.
        For example: -S"myscript.idc argument1 \"argument 2\" argument3"

        The passed parameters are stored in the "ARGV" global IDC variable.
        Use "ARGV.count" to determine the number of arguments.
        The first argument "ARGV[0]" contains the script name.

        This switch is not available in the IDA Home edition.

 -T###  interpret the input file as the specified file type
        The file type is specified as a prefix of a file type
        visible in the 'load file' dialog box
        To specify archive member put it after the colon char,
        for example: -TZIP:classes.dex
        You can specify any nested paths:
        -T<ftype>[:<member>{:<ftype>:<member>}[:<ftype>]]
        IDA does not display the 'load file' dialog in this case
 -t     create an empty database.
 -W###  specify MS Windows directory
 -x     do not create segmentation
        (used in pair with @0:444[Dump database] command)
        this switch affects EXE and COM format files only.
 -z     debug:
                00000001 drefs
                00000002 offsets
                00000004 flirt
                00000008 idp module
                00000010 ldr module
                00000020 plugin module
                00000040 ids files
                00000080 config file
                00000100 check heap
                00000200 licensing
                00000400 demangler
                00000800 queue
                00001000 rollback
                00002000 already data or code
                00004000 type system
                00008000 show all notifications
                00010000 debugger
                00020000 debugger appcall
                00040000 source-level debugger
                00080000 accessibility
                00100000 network
                00200000 full stack analysis (simplex method)
                00400000 handling of debug info (e.g. pdb, dwarf)
                00800000 lumina
 -?     this screen (works for the text version)
 ?      this screen (works for the text version)
 -h     this screen (works for the text version)
 -H     this screen (works for the text version)
 --help this screen (works for the text version)


For batch mode, IDA must be invoked with the following command line:

        ida -B input-file

which is equivalent to:

        ida -c -A -Sanalysis.idc input-file

The text interface (idat.exe/idat) is better for batch mode because it uses less
system resources. However, please note that regular plugins are not automatically loaded
in batch mode because the analysis.idc file quits and the kernel has no chance to load them.

For more information, please see the analysis.idc file in the IDC subdirectory.
`WRAP
Keyboard macros ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

You can define a keyboard macro to automate frequent keystroke sequences.
They are defined in the same manner as in the Borland IDE:

        - Press Alt--
        - Press <key> - macro name
        - Enter macro body
        - Press Alt-=

All macros are lost when you @0:450[exit] IDA.
If you want to have a static macro which is not lost when you quit IDA,
then write it down into IDATUI.CFG file. The format of a macro definition
is explained @0:419[here].

NOTE: keyboard macros are available only in the text version of IDA.
˜WRAP
Configuration files ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The configuration files are searched first in %IDADIR%\cfg, then in
%IDAUSR%\cfg.

See documentation about the @0:1375[IDAUSR] environment variable.

In the configuration files, you can use C,C++ style comments and include files.
If no file is found, IDA uses default values. IDA uses the following
configuration files:

 _IDA.CFG_    - general config file
 _IDATUI.CFG_ - text mode interface config file
 _IDAGUI.CFG_ - graphics mode interface config file

In the IDATUI.CFG, you can define the hotkeys and keyboard macros for the text version
of IDA.
Syntax:

        "ActionName" = Value

where value may be:

        a string:       "Ctrl-F5"
        a char:         'F'
        a scancode:     0x4900
        zero:           0

Zero scancode disables the hotkey.

To define the keyboard macros:

     MACRO key { key1 key2 key3 ... keyN }

where key is a string (key name), char or a scancode.
Example:

        MACRO   "Alt-W" // this sample macro jumps to "start" label
        {
                "Ctrl-G"
                's' 't' 'a' 'r', 't'
                "Enter"
        }
<WRAP
Anchor ▄
 ▀▀▀▀▀▀▀

Some IDA commands such as selecting a portion of file to output or specifying a segment to move need an anchor.

To drop the anchor, you can either use the Alt-L key or the Shift-<arrow> combination, which is more convenient.
You can also drop the anchor with the mouse by simply clicking and dragging it.

After you've dropped the anchor, you can navigate freely using arrows, etc.
Any command that uses the anchor, raises it.

The anchored range is displayed with another color.

When you exit from IDA, the anchor value is lost.rWRAP
Demonstration Version Constraints ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The demo version works only with new databases and doesn't save the disassembly
results in an IDB file.

Unlike the full version, it cannot create .ASM and .LST files.

The demo version will accept only some file formats as input.
Currently, the supported file formats are: PE, ELF, Mach-O

Note that it will stop working after a while: this is a demo, not a full version, isn't it? :)

For information about the full version please visit
https://www.hex-rays.com/products/ida
.
WRAP
How to Enter a Segment Value ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

You must enter a segment base value as a hexadecimal number or a segment name.
IDA will warn you if you enter an invalid segment.

You may enter a segment register name too.
WRAP
How to Enter a Number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

You can enter any 'C' expression with constants. Long arithmetic will
be used for calculations.

In these expressions, you can use all the names that you have created in your
program.
?WRAP
How to Enter an Identifier ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

An identifier is a name which starts with a letter and contains
only letters and digits. The list of allowed characters
is specified in config file @0:419[IDA.CFG]. All names are case-sensitive.

Maximal length of a name is specified in the configuration file too:

        MAX_NAME_LENGTH=120     // Maximal length of new names

Default is 120.

Some assemblers have a shorter name length limit, beware!

IDA will warn you if you enter an illegal name.
uWRAP
How to enter text ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 In the text version of IDA, you can use the following keys:

 Enter          starts a new line
 Ctrl-Enter     finishes the input
 Esc            cancels the input
 F1             gives some help

                                        Shift-<arrow>  Select
 Ctrl-L         Search Again            Shift-Ins       Paste
 Ctrl-O         Indent Mode             Shift-Del       Cut
 Ctrl-T         Delete Word             Ctrl-Ins        Copy
 Ctrl-U         Undo                    Ctrl-Del        Clear
 Ctrl-Y         Delete Line             Ctrl-K B        Start Select
 Ctrl-Left      Word Left               Ctrl-K H        Hide Select
 Ctrl-Right     Word Right
 Ctrl-PgUp      Text Start              Ctrl-Q A        Replace
 Ctrl-PgDn      Text End                Ctrl-Q F        Search
                                        Ctrl-Q H        Delete Line Start
                                        Ctrl-Q Y        Delete Line End

Input containing only whitespaces is equal to an empty input.

Do not forget that you can also use the clipboard.»WRAP
How to Enter an Address ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

You should enter an address as a hexadecimal number or a location name. When
you enter the address in the hexadecimal format, you can omit
the segment part of the address and the current segment will be used.
Addresses beyond the program limits are invalid.

Also, you can enter a location name with a displacement:

        name+5

And finally you can specify a relative address:

        +10             0x10 bytes further
        -5              5 bytes backwards

If the entered string cannot be recognized as a hexadecimal number or location name,
IDA will try to interpret it as an expression using the current script interpreter.
The default interpreter is IDC.

Special addresses:

        $ - current location (depends on the current @0:619[assembler])

Examples:

        456             current segment, offset 0x456
        5E              current segment, offset 0x5E
        3000:34         segment 0x3000,  offset 0x34
        ds:67           segment pointed by ds, offset 0x67
        0:4000000       @0:508[linear address] 0x4000000
        start           a location with name 'start'7WRAP
How To Use List Viewers in IDA ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The following commands work in the list viewers:

1. All usual movement keys: PgUp,PgDn,Home,End and arrows.

2. It is possible to position to a line simply by typing in the desired
   line number.

3. It is possible to position on a line by typing in its beginning.
   In this case the user can use:
        Backspace key to erase the last character typed in.
        Ctrl-Enter to find another line with the same prefix.
   Please note that List Viewer ignores the prefix of a line up to the last
   backslash (\\) or slash (/) if it exists.

4. Alt-T         search for a substring (case-insensitive)
   Ctrl-T        repeat last search

5. If the list is not in dialog mode, you can use the following keys:
   Enter         jump to the selected item in the last IDA View window
   Ctrl-E        edit the current item
   Del           delete the current item
   Ins           insert a new item
   Ctrl-U        refresh information in the window

6. Quick filtering is available using Ctrl-F. More complex filters can be
   defined with a right click (only the GUI mode).

7. The list can be sorted by any column by clicking on it. Please note that
   maintaining a frequently modified list sorted can be very time consuming,
   so try not to sort non-modal lists during the initial analysis.
   (sorting is available only in the GUI mode).

8. Right-click may show additional functionality for the list viewer.

Esc or Enter close modal list viewers.

WRAP
Main Menu Bar ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

All IDA commands are available from the followings menus:

 @0:429[File]
 @0:451[Edit]
 @0:543[Jump]
 @0:568[Search]
 @0:583[View]
 @0:1395[Debugger]
 @0:1698[Lumina]
 @0:604[Options]
 @0:624[Windows]
pWRAP
File submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

In this submenu you can:

  @0:430[Load file]           Load file
  @0:437[Script command] Execute a script command
  @0:438[Produce output file] Generate output file
  @0:446[OS shell]            Execute OS commands
  @0:447[Save database]       Save database in packed form
  @0:448[Save database as...] Save database in packed form in another file
  @0:1621[Take database snapshot] Take database snapshot
  @0:449[Abort]               Abort - do not save changes
  @0:450[Quit]                Quit to DOS - save changes

See also @0:428[Menu Bar] submenus.ß
WRAP
File|Load file submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to load additional files into the database.

  @0:431[Reload input file]
  @0:432[Script file]
  @0:433[Binary file]
  @0:434[IDS file]
  @0:435[Debug information file]
  @0:1374[PDB debug information file]
  @0:1512[TDS debug information file]
  @0:436[FLIRT signature file]
  @0:1367[C header file]

See also @0:429[other File... submenu] commands.¸WRAP
Reload the input file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ReloadFile
 Current hotkey: @<ReloadFile>

This command reloads the same input file into the database.
IDA tries to retain as much information as possible in the database.
All the names, comments, segmentation information and similar will be retained.

Only the values of individual bytes will be changed.

This command works for some input file types only: if the file was loaded into the database with special settings, this command
may fail. In this case, use @0:444[Dump database to IDC file]
command and reload the file manually.

See also @0:430[Load... submenu] commands.Û
WRAP
Execute Script File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Execute
 Current hotkey: @<Execute>

You can execute any script file supported by the built-in scripting engine (IDC or Python),
or a scripting language added by a plugin. The scripting language to use is selected by the file name extension of the script.

See also

         @0:437[Immediate execution] of script commands
         @0:430[Load... submenu] commands.´
WRAP
Load additional file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: LoadFile
 Current hotkey: @<LoadFile>

This command loads a binary file. The new file is added
to the current database and all existing information is
retained.

The file content will appear as unexplored bytes in the program.

This command only allows you to load binary files.

See also @0:430[Load... submenu] commands.ßWRAP
Load IDS file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: LoadIdsFile
 Current hotkey: @<LoadIdsFile>

This command loads an IDS file.

An IDS file contains information about well-known functions (such as
functions from MS Windows API), namely:

        - their names
        - their ordinal number in the DLL
        - an eventual informative comment
        - the number of parameters passed on the stack
        - the number of parameters purged when returning

IDS files are automatically loaded if they are found in the IDS
directory. This command allows you to load an IDS file from any
directory, even after the main file has been loaded into the
database.

See also @0:430[Load... submenu] commands.­WRAP
Load debug information file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: LoadDbgFile
 Current hotkey: @<LoadDbgFile>

This command loads a DBG file.

If the program being disassembled has a companion DBG file, then
this command may be used to load information from a DBG file into the
database. IDA loads DBG files automatically if it can find them
in the directory with the input file.

The built-in debug information loader cannot load NB10 format files and PDB files.
To load those files, please use a special plugin PDB.DLL which can be run manually
using Edit->Plugins submenu. This plugin uses MS Windows DLLs to load the
debug information and therefore has the following limitations:

        - it works only under MS Windows
        - it will load only PDBs compatible with the currently
          installed IMAGEHLP.DLL

See also @0:430[Load... submenu] commands.nWRAP
Load FLIRT signature file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: LoadSigFile
 Current hotkey: @<LoadSigFile>

This command allows you to apply an additional signature file
to the program.

A signature file contains patterns of standard runtime functions.
With their help, IDA is able to recognize the standard functions and
names them accordingly.

IDA attempts to detect the necessary signature files automatically but unfortunately, this is not always possible.
This command adds the specified signature file into the planned signature files queue.

Signature files reside in the subdirectories of the SIG directory. Each
processor has its own subdirectory. The name of the subdirectory
is equivalent to the name of the processor module file (z80 for z80.w32, for example).
Note: IBM PC signatures are located in the SIG directory itself.
Note: the IDASGN environment variable can be used to specify
the location of the signatures directory.

There is another way to load a signature file: you may insert/delete signature
files in the following way:

        - open the signatures window
        - press Ins to insert a signature file to the queue
        - press Del to delete a signature file from the queue

This is a preferred way of applying signatures because useful
information, such as the number of identified functions is displayed
in the signature window.

NOTE: FLIRT works only for the processors with normal byte size. The byte
size must be equal to 8 (processors with wide bytes like AVR or DSP56K are
not supported)

See also @0:430[Load... submenu] commands.|
WRAP
Script command ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ExecuteLine
 Current hotkey: @<ExecuteLine>

You can enter and execute a small script written
in the built-in IDC language or any other registered extlang.

See also

         Execute @0:432[script file] command
         @0:429[File... submenu] commands
         How to use @0:425[notepad].3WRAP
File|Produce output files  submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to produce various output files.
It also allows you to unload the database.

The text file-producing operations below will make use of
@0:1371[the currently-selected encoding] for output files.

 @0:439[Generate MAP file]
 @0:440[Generate ASM file]
 @0:1475[Generate INC file]
 @0:441[Generate LST file]
 @0:442[Generate EXE file]
 @0:443[Generate DIF file]
 @0:1504[Generate HTML file]
 @0:1674[Generate SIG file]
 @0:1251[Generate flow chart GDL file]
 @0:1252[Generate call graph GDL file]
 @0:444[Dump database to IDC file]
 @0:445[Dump typeinfo to IDC file]
 @0:141[Create C header file]

See also @0:429[other File... submenu] commands.‹WRAP
Create MAP File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceMap
 Current hotkey: @<ProduceMap>

Please enter a file name for the map. IDA will write the following
information about this file:

  - current segmentation
  - list of names sorted by values

You may disable the generation of the segmentation information.
You may also enable or disable @0:609[dummy] names in the output file.

You can use this map file for your information, and also for debugging (for example, Periscope from Periscope
Company or Borland's Turbo Debugger can read this file).

See also other @0:438[Produce output file] commands.‰WRAP
Create ASM File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceAsm
 Current hotkey: @<ProduceAsm>

Please enter a file name for the assembler text file. IDA will write
the disassembled text to this file.

If you have selected a range on the screen using @0:420[Drop Anchor]
command, IDA will write only the selected range (from the
current address to the anchor).

If some I/O problem (e.g. disk full) occurs during writing
to the file, IDA will stop and a partial file will be created.

Please note that @0:421[demo] version cannot produce assembler
files.

See also other @0:438[Produce output file] commands.‹WRAP
Create LST File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceLst
 Current hotkey: @<ProduceLst>

Enter a file name for the assembler listing file. IDA will write
the disassembled text to this file.

If you've selected a range on the screen using @0:420[Drop Anchor]
command, IDA will write only the selected range (from the
current address to the anchor).

If some I/O problem (e.g. disk full) occurs during writing
to the file, IDA will stop and a partial file will be created.

Please note that @0:421[demo] version cannot produce assembler
listing files.

See also other @0:438[Produce output file] commands.hWRAP
Create Executable File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceExe
 Current hotkey: @<ProduceExe>

Enter a file name for the new executable file. Usually this
command is used after patching (see commands @0:527[Patch byte] and
@0:527[Patch word]) to obtain a patched version of the file.

IDA produces executable files only for:

  - MS DOS .exe
  - MS DOS .com
  - MS DOS .drv
  - MS DOS .sys
  - general binary
  - Intel Hex Object Format
  - MOS Technology Hex Object Format

For other file formats please create a @0:443[difference] file.

NOTE: only @0:527[Patch byte/word] commands affect the executable
file contents, other commands
(including @0:477[User-Specified String for the #th Operand])
will not affect the content of the disassembled file.

EXE files: Output files will have the same EXE-header and relocation table as
the input file. IDA will fill unused ranges of the EXE file (e.g.
between relocation table and loadable pages) with zeroes.

See also

         @0:438[File|Produce output file] submenu,
         @0:526[Edit|Patch core] submenu.²
WRAP
Create Difference File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceDiff
 Current hotkey: @<ProduceDiff>

This command will prompt you for a filename and then will create a
plain text difference file of the following format:

 comment

 filename
 offset: oldval  newval

See also

         @0:438[File|Produce output file] submenu,
         @0:526[Edit|Patch core] submenu."WRAP
Dump database to IDC file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DumpDatabase
 Current hotkey: @<DumpDatabase>

This command saves current IDA database into a text file.

You can use it as a safety command:

  - to protect your work from disasters
  - to migrate information into new database formats of IDA.

This command is used when you want to switch to a new version
of IDA. Usually each new version of IDA has its own database
format. To create a new format database, you need:

  1. to issue the 'Dump...' command for the old
     database (using old version of IDA). You will
     get an IDC file containing all information
     from your old database.
  2. to reload your database using new IDA with switch -x.
  3. to compile and execute the IDC file with command
    'Execute IDC file' (usually F2)

Please note that this command does not save everything to text file.
Any information about the local variables will be lost!

See also other @0:438[Produce output file] commands.WRAP
Dump typeinfo to IDC file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DumpTypes
 Current hotkey: @<DumpTypes>

This command saves information about the user-defined types from the IDA
database into a text file.

Information about enums, structure types and other user-defined types
is saved in a text form as an IDC program.

You can use this command to migrate the type definitions from one
database to another.

See also other @0:438[Produce output file] commands.t
WRAP
Invoke OS Shell ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Shell
 Current hotkey: @<Shell>

By using this command, you can temporarily quit to the operating system.

This command is not available in the MS DOS version.

The database is left open when you use this command, so be careful.

See also @0:429[other File... submenu] commands.
WRAP
Save database ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SaveBase
 Current hotkey: @<SaveBase>

This command saves and packs the current database.

See also @0:429[other File... submenu] commands.
         @0:448[Save database as...] command.ß
WRAP
Save database as... ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SaveBaseAs
 Current hotkey: @<SaveBaseAs>

This command saves and packs the current database.
IDA will prompt you to enter a new name for the database file. Databases
are saved with an .IDB extension.
Use this command if you don't want to overwrite an earlier database.

See also

         @0:429[other File... submenu] commands.
         @0:447[Save database] command.ê
WRAP
Abort IDA ▄
 ▀▀▀▀▀▀▀▀▀▀

 Action    name: Abort
 Current hotkey: @<Abort>

This command terminates the current IDA session.
The Abort command is not available if the database was not packed.

        IDA will NOT save changes to the disk. ▄
        ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

See also

         @0:429[other File... submenu] commands.
         @0:450[Quit] command.ˆWRAP
Exit IDA ▄
 ▀▀▀▀▀▀▀▀▀

 Action    name: Quit
 Current hotkey: @<Quit>

This command terminates the current IDA session. IDA will
write all changes to the disk and will close all databases.

You can enable/disable database packing. When the database is packed,
it consists of one file with IDB extension. When the database is not
packed, it consists of several files on the disk.
If packing is disabled, in the next session you cannot @0:449[abort] IDA.
We do not recommend to leave the database in the unpacked form because
you will not have a backup copy.

You can also perform garbage collection on the database before packing it.
The garbage collection removes the unused database pages, making it smaller.
However, IDA needs some free database pages when it works,therefore it will
allocate them again when you reuse the database. Removing and adding
free pages takes time and, what is most important, it changes the database
control blocks.

Use garbage collection only when you do not intend to work with the
database in the near future.

IDA will remember all information about the screen, cursor
position, jump stack, etc.
The following information
will be lost:

        @0:418[keystroke macros],
        the @0:420[anchor] position

To resume a disassembly session simply type: "ida file"

See also

         @0:429[other File... submenu] commands.
         @0:449[Abort] command.¡WRAP
Edit submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows the user to modify text representation
and to patch the file. It also has the commands to control the
analysis:

 @0:420[Anchor]
 @0:1671[Export data]
 @0:1710[Undo]
 @0:1711[Redo]

 @0:452[Convert to instruction]
 @0:453[Convert to data]
 @0:454[Convert to STRLIT string]
 @0:455[Convert to array]
 @0:456[Undefine]
 @0:457[Rename]

 @0:458[Operand types] submenu
 @0:478[Comments] submenu

 @0:483[Functions] submenu
 @0:490[Structures] submenu
 @0:506[Segments] submenu
 @0:526[Patch program] submenu
 @0:530[Other] submenu
 @0:536[Plugins] submenu

See also @0:428[Menu Bar] submenus.í
WRAP
Convert to instruction ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeCode
 Current hotkey: @<MakeCode>

This command converts the current unexplored bytes to instruction(s).
IDA will warn you if it is not possible.

If you have selected a range using the @0:420[anchor], all the bytes from this range
will be converted to instructions.

If you apply this command to an instruction, it will be reanalyzed.

See also
 @0:451[Edit] submenuwWRAP
Convert to data ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeData
 Current hotkey: @<MakeData>

This command converts the current unexplored bytes to data.
If it is not possible, IDA will warn you.

Multiple using of this command will change the data type:

 db -> dw -> dd -> float -> dq -> double -> dt -> packreal -> octa \;
 ^                                                                 |;
 \---------<----------------<--------------<-----------------------/;

You may remove some items from this list using @0:617[setup data] command.

If the @0:619[target assembler] does not support double words or another
data type, it will be skipped.

 To create a structure variable, use @0:496[Declare struct var] command.
 To create an array, use @0:455[Array] command.
 To convert back, use @0:456[Undefine] command.

See also
 @0:451[Edit] submenuWRAP
Convert to string literal ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeStrlit
 Current hotkey: @<MakeStrlit>

This command converts the current unexplored bytes to a string.

The set of allowed characters is specified in the @0:419[configuration]
file, parameter StrlitChars. Character '\0' is not allowed in any case.
If the current @0:619[assembler] does not allow characters above 0x7F,
characters with high bit set are not allowed.

If the @0:420[anchor] has been dropped, IDA will take for the string
all characters between the current cursor position and the anchor.

Use the @0:420[anchor] if the string starts a disallowed character.

This command also generates a @0:424[name] for the string.
In the @0:419[configuration] file, you can specify the
characters allowed in names (NameChars).

You can change the literal string length using @0:455[Array] command.

The GUI version allows you to assign a special hotkey to create
Unicode strings. To do so, change the value of the StringUnicode
parameter in the IDAGUI.CFG file.

Pascal Strings ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

To create Pascal style strings (with first byte indicating string
length) use @0:613[Set String Style] command.

See also
 @0:451[Edit] submenuuWRAP
Convert to array ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeArray
 Current hotkey: @<MakeArray>

This command allows you to create arrays and change their sizes.

The arrays are created in 2 simple steps:

  1. Create the first element of array using the data
     definition commands (@0:453[data], @0:454[string], @0:496[structs])
  2. Apply the array command to the created data item.

Enter array size in current array elements (not bytes).
The suggested array size is the minimum of the following values:

        - the address of the next item with a cross reference
        - the address of the next user-defined name

For string literals, you can use this command to change the length of the string.

The dialog box contains the following fields:

Items on a line (meaningless for string literals):

        0               place maximal number of items on a line
        other value     number of items on a line

Please note that the @0:605[margin] parameter affects the number of
items on a line too.

Alignment (meaningless for string literals):

        -1              do not align items
        0               align automatically
        other value     width of each item

 Signed elements:       if checked, IDA treats all elements as signed numbers.
                        only meaningful for numbers (not for offsets and
                        segments and strings)

 Display indexes:       if checked, IDA will display the indexes of array
                        elements in the form of comments (0,1,2...)

 Create as array:       if not checked, IDA will create a separate item for
                        each array element. Useful for creating huge arrays.
                        If the box is unchecked when this command is
                        applied to string literals, IDA will create many
                        string literals instead of one big string.

If applied to a variable-sized structure, this command is used
to specify the overall size of the structure. You cannot create arrays of
variable-sized structures.

See also

 @0:451[Edit] submenu
 @0:423[How to Enter a Number].lWRAP
Undefine a byte ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeUnknown
 Current hotkey: @<MakeUnknown>

This command deletes the current instruction or data, converting
it to 'unexplored' bytes. IDA will delete the subsequent instructions if
there are no more references to them (functions are never deleted).

If you have selected a range using the @0:420[anchor], all the bytes in this range
will be converted into 'unexplored' bytes. In this case, IDA will not delete
any other instructions even if there are no references to them after the deletion.

See also
 @0:451[Edit] submenu€WRAP
Give Name to the Location ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeName
 Current hotkey: @<MakeName>

This command gives name/renames/deletes @0:424[name] for the current
item.

To delete a name, simply give an empty name.

If the current item is referenced, you cannot delete its name. Even if you
try, IDA will generate a @0:609[dummy] name.

Local name

  The name is considered to be defined only in the current function.
  Please note that IDA does not check the uniqueness of the local names
  in the whole program. However, it does verify that the name is unique for the
  function.

Include in name list

  Here you can also include/remove the name from the @0:545[name list].
  If the name is hidden, you will not see it in @0:587[names window].

Public name

  You can declare a name as a public (global) name. If the current
  assembler supports the "public" directive, IDA will use it.
  Otherwise, the publicness of the name will be displayed as a comment.

Autogenerated name

  An autogenerated name will appear in a different color.
  if the item is indefined, it will disappear automatically .

Weak name

  You can declare a name as a weak name. If the current
  assembler supports the "weak" directive, IDA will use it.
  Otherwise, the weakness of the name will be displayed as a comment.

Create name anyway

  If this flag is on, and if the specified name already exists,
  IDA will try to variate the specified name by appending a suffix to it.

See also

         @0:451[Edit] submenu.
         @0:424[How to Enter an Identifier].
         @0:609[Names representation].ÐWRAP
Edit|Operand types submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to change the operand types
to offsets, numbers, chars, etc.
Use it to make disassembled text more understandable.

 @0:1381[Convert operand to offset]
 @0:1382[Convert operand to number]
 @0:465[Convert operand to character]
 @0:466[Convert operand to segment]
 @0:473[Convert operand to enum]
 @0:474[Convert operand to stack variable]
 @0:475[Change operand sign]
 @0:476[Bitwise negate operand]
 @0:477[User-defined operand]
 @0:1601[Set operand type]

If IDA suspects that an operand can be represented as something different
from a plain number, it will mark the operand as "suspicious" and show it in red.
Use these commands to delete @0:569[suspicious] marks.

Some of these commands can be applied to a selected range.
Click @0:459[here] to learn about the rules applied to such
operations.

See also @0:451[Edit] submenu.´WRAP
Perform en masse operation ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

If you have selected a range before applying an operand conversion
command, IDA will display a dialog box.

You can choose a range of operands to perform an en masse operation:

 ALL OPERANDS
 -----------

The operation will be performed on all
operands as a toggle. For example, if you
ask to convert to a character, then all
non-character operands will become characters,
and all character operands will become non-chars.

 OPERAND VALUE RANGE
 -------------------

The operation will be performed on the @0:569[void] operands
which contain immediate numbers in the specified range.

 ... OPERANDS
 ------------

This selection will convert all operands with the specified type to
undefined operands.
Example: all characters become non-characters.

 NOT ... OPERANDS
 ---------------

This selection allows to convert all operands that do not have the specified type
to the specified type. Example: all non-characters to characters.

 NOT TYPED OPERANDS
 -----------------

This selection allows to convert all operands without any type to the specified
type. Example: all operands with no type to characters.

 APPLY ONLY IF POSSIBLE
 ---------------------

IDA will check whether an operand can be represented with the specified type
(as a character constant, for example), and perform type conversion only if
the check is successful.
âWRAP
Convert operand to number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpNumber
 Current hotkey: @<OpNumber>

This command converts immediate operand(s) type of the
current instruction/data to a number. That way, you can
delete @0:569[suspicious] mark of the item.

The number is represented in the default radix for the current processor
(usually hex, but octal for PDP-11, for example).

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:1382[Edit|Operand types|Number] submenu.‹WRAP
Convert operand to hexadecimal number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpHex
 Current hotkey: @<OpHex>

This command converts immediate operand(s) type of the
current instruction/data to hex number. So you can
delete @0:569[suspicious] mark of the item.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:1382[Edit|Operand types|Number] submenu.oWRAP
Convert operand to decimal number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpDecimal
 Current hotkey: @<OpDecimal>

This command converts the immediate operand(s) type of the
current instruction/data to decimal. Therefore, it
becomes a 'number'.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:1382[Edit|Operand types|Number] submenu.ŸWRAP
Convert operand to binary number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpBinary
 Current hotkey: @<Opbinary>

This command makes the current instruction or data operand type binary.
IDA always uses 123b notation for binary numbers even if the current
assembler does not support binary numbers.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:1382[Edit|Operand types|Number] submenu.–WRAP
Convert operand to octal number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpOctal
 Current hotkey: @<OpOctal>

This command makes the current instruction or data operand type octal.
IDA always uses 123o notation for octal numbers even if the current
assembler does not support octal numbers.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:1382[Edit|Operand types|Number] submenu.)WRAP
Convert operand to character ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpChar
 Current hotkey: @<OpChar>

This command converts immediate operand(s) type of the
current instruction/data to character.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:458[Edit|Operand types] submenu.íWRAP
Convert operand to segment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpSegment
 Current hotkey: @<OpSegment>

This command converts the immediate operand(s) type of the
current instruction/data to segment base. The segment bases are usually
displayed like this:

        mov     ax, seg dseg


When you use this command, IDA deletes the @0:477[manually] entered operand.

If IDA cannot find a segment whose base is equal to the operand value,
it simply displays it as hex number.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:458[Edit|Operand types] submenu.ÞWRAP
Convert operand to offset (data segment) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpOffset
 Current hotkey: @<OpOffset>

This command converts the immediate operand of the
current instruction/data to an offset from the current data segment (DS).

If current DS value is unknown (or equal 0xFFFF) IDA
will warn you -- it will beep. In this case, you have to
define DS register value for the current byte. The
best way to do it is:

  - @0:547[jump to segment register change point]
  - @0:523[change value of DS]
  - @0:539[return]

or you can @0:522[change default value] of DS for the current
segment.

If you want to delete offset definition, you can use
this command again - it works as trigger.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

If a range is selected using the @0:420[anchor], IDA will perform
'en masse' conversion. It will convert
immediate operands of all instructions in the selected range to
offsets. However, IDA will ask you first the lower and upper limits of
immediate operand value. If the operand value is >= lower limit and
<= upper limit then the operand will be converted to offset, otherwise it
will be left unmodified.

To create offsets to structure members use @0:472[Convert to struct offset]
command.

See also:

          @0:467[offset by data segment/no offset]
          @0:469[offset by any segment]
          @0:470[offset by any user-specified base]
          @0:1381[Edit|Operand types|Offset] submenu.
          @0:477[Enter the operand manually] command.
          @0:1601[Set operand type]WWRAP
Convert operand to offset (code segment) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpOffsetCs
 Current hotkey: @<OpOffsetCs>

This command converts the immediate operand of the
current instruction/data to an offset from the current segment (CS).

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

If a range is selected using the @0:420[anchor], IDA will perform
'en masse' conversion. It will convert
immediate operands of all instructions in the selected range to
offsets. However, IDA will ask you first the lower and upper limits of
immediate operand value. If the operand value is >= lower limit and
<= upper limit then the operand will be converted to offset, otherwise, it
will be left unmodified.


If this command is applied to a structure member in the @0:593[structure window],
then IDA will create an "automatic offset". An automatic offset is an offset
with the base equal to 0xFFFFFFFF. This base value means that the actual
value of the base will be calculated by IDA when a structure instance is
created.

To create offsets to structure members, use @0:472[Convert to struct offset]
command.

See also:

          @0:467[offset by data segment/no offset]
          @0:469[offset by any segment]
          @0:470[offset by any user-specified base]
          @0:1381[Edit|Operand types|Offset] submenu.
          @0:477[Enter #th operand manually] commands.
          @0:1601[Set operand type]
WRAP
Convert operand to offset (any segment) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpAnyOffset
 Current hotkey: @<OpAnyOffset>

This command converts the immediate operand of the
current instruction/data to an offset from any segment.

IDA will ask to choose a base segment for the offset.

If a range is selected using the @0:420[anchor], IDA will perform
'en masse' conversion. It will convert
immediate operands of all instructions in the selected range to
offsets. However, IDA will ask you first the lower and upper limits of
immediate operand value. If the operand value is >= lower limit and
<= upper limit then the operand will be converted to offset, otherwise it
will be left unmodified.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

To create offsets to structure members use @0:472[Convert to struct offset]
command.

See also:

          @0:467[offset by data segment/no]
          @0:468[offset by current segment]
          @0:1381[Edit|Operand types|Offset] submenu.
          @0:477[Enter #th operand manually] commands.
          @0:1601[Set operand type]ÜWRAP
Convert operand to offset (user-defined base) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpUserOffset
 Current hotkey: @<OpUserOffset>

This command converts the immediate operand of the
current instruction/data to a complex offset expression.

Please click here to learn more about @0:471[complex offsets].

If a range is selected using the @0:420[anchor], IDA will perform
'en masse' conversion. It will convert
immediate operands of all instructions in the selected range to
offsets. However, IDA will ask you first the lower and upper limits of
immediate operand value. If the an operand value is >= lower limit and
<= upper limit then the operand will be converted to offset, otherwise it
will be left unmodified.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

If the offset base is specified as 0xFFFFFFFF, then IDA will create "an automatic offset".
Automatic offsets mean that the actual value of the base will be calculated by IDA.

The following offset attributes are available:

  Treat the base address as a plain number

        if checked, IDA will treat the base address as a number.
        In this case, IDA will not create a cross-reference to it
        and the base address will be printed as a number,
        not as an offset expression.

  Offset points past the main object

        Offsets of this type point past an object end.
        They do not cause an object created/deletion.

  Use image base as offset base

        These offsets are based on the image base.
        There is no need to explicitly specify the offset base.
        These offsets are displayed in a concise form:
          rva func
        instead of
          offset func - imagebase
        If you intend to reassemble the output file, execute the
        following IDC statement:
        set_inf_attr(INF_GENFLAGS, get_inf_attr(INF_GENFLAGS) & ~INFFL_ALLASM);

  Subtract operand value

        Use this option when the operand value should be substracted
        from the base to get the target address. In this case the displayed
        expression will be displayed as
          offset base - target
        instead of the usual
          offset target - base

  Signed operand

        Use this option if the operand should be interpreted
        as a signed value. This option is only available for OFF_REF8,
        OFF_REF16, OFF_REF32 and OFF_REF64 offset types.

  Operand value of 0 is invalid

        If the operand value is 0, the value will be highlighted in red.

  Operand value of NOT 0 is invalid

        If the operand value is zero's complement (i.e. all bits are set),
        the value will be highlighted in red.
        For example a OFF_REF16 with an operand value of 0xFFFF would be invalid.

  Use the current address as the offset base

        The offset base is dynamically calculated and is equal to the address of
        the current element:
          - for standalone items: their start address
          - for arrays: the start of the array element
          - for structures: the start of the structure field
        The offset expression is displayed in the following concise form:
          offset target - $
        where "$" denotes the start of the element (and is @0:619[assembler]-dependent).


To create offsets to structure members use @0:472[Convert to struct offset]
command.

See also:

          @0:467[offset by data segment/no]
          @0:468[offset by current segment]
          @0:1381[Edit|Operand types|Offset] submenu.
          @0:477[Enter #th operand manually] commands.
          @0:1601[Set operand type][WRAP
Complex Offset Expression ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

A complex offset expression looks like

        offset target + delta - offset base

It is specified by:

        - type (OFF16, OFF32, LOW16, etc.)
        - base
        - optional target
        - optional delta from target

The relationship between these parameters is
(the formula is given for full offsets):

        operand_value = target + delta - base

  or (the same relationship in a different form):

        target = operand_value - delta + base

You always have to specify the offset type and base.
Usually, the delta is equal to zero.
For the full offset type you may omit the offset target, which is recommended.
In this case, IDA will calculate it automatically.
However, if you specify the offset target, make sure that the relationship
between the parameters still holds.
For the half offset types, you have to specify the target because
there is no way to calculate it.

The offset types:

  8-bit full offset            :
  16-bit full offset           :
  32-bit full offset           :

    The full offsets are regular offset expressions like

        offset label

    They can occupy 8, 16, or 32 bits.
    You have to specify the offset base for these offsets.

  low 8 bits of 16-bit offset  :

    Only the low 8 bits of the offset. IDA will represent them as

        (offset label) & 0xFF

  low 16 bits of 32-bit offset :

    Only the low 16 bits of the offset. IDA will represent them as

        (offset label) & 0xFFFF

  high 8 bits of 16-bit offset :

    Only the high 8 bits of the offset. IDA will represent them as

        offset label >> 8

  high 16 bits of 32-bit offset:

    Only the high 17 bits of the offset. IDA will represent them as

        offset label >> 16

See also @0:470[offset by any user-specified base]óWRAP
Convert operand to structure offset ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpStructOffset
 Current hotkey: @<OpStructOffset>

 GUI version:
 ------------

This command permits to convert all immediate operands of instructions in a
range selection to a path of offsets through a structure and its possible sub unions.
If no selection is active, IDA will simply permit to convert the current operand.
In this case, it will display a simple dialog box the same way as the text version (see below).

You can select the desired register in the drop-down list: all operands relative
to this register will be added to the 'Offsets' list. A special empty line in the
drop-down list is used to directly work on immediate values.
Checkboxes in the 'Offsets' list allow you to select which operand you indeed
want to modify. By default, IDA will select only undefined operands, to avoid
overwriting previous type definitions. This list is sorted by operand value, by
instruction address and finally by operand number. You can easily see the instructions
related to the operand by moving the mouse over it, and wait for a hint to be
displayed.

The 'Structures and Unions' tree will contain all selectable structures, and sub unions.
Once you select or move over a structure, the 'Offsets' list updates itself for each
checked offset: the computed name of the operand is displayed, according to the selected
structure in the tree. An icon is also drawn, to easily know if a specific structure
matchs the offset or not, or if the offset is too big for the selected structure.
The structures who match the most offsets will be near the top of the tree.
You can also move your mouse over structures in the tree to obtain an interesting hint.

A '?' icon can also appear, if the offset can be specialized by selecting an union
member. In this case, if you expand the structure in the tree, you can select the adequate
union member simply by checking the desired radio button. IDA automatically corrects
the related name in the 'Offsets' list.

The 'Offset delta' value represents the difference between the structure start and the
pointer value. For example, if you have an operand 4 and want to convert in into an
expression like "mystruct.field_6-2", then you have to enter 2 as the delta.
Usually the delta is zero, i.e. the pointer points to the start of the structure.

The 'Hide sub structures without sub unions' option (checked by default) avoids to
add unnecessary sub structures to the tree, to keep it as small as possible. If you
uncheck this option, all sub structures will be added to the tree.

By default, IDA displays the structure member at offset 0. To change this behaviour, you
can directly disable the 'Force zero offset field' in the 'Options' frame. Later zero offsets
can be forced using @0:497[Edit, Structs, Force zero offset] menu item.

 Text version:
 -------------

This command converts immediate operand(s) type of the
current instruction/data to an offset within the specified structure.
Before using this command, you have to @0:491[define] a structure type.

First of all, IDA will ask a so-called "struct offset delta". This value
represents the difference between the structure start and the pointer value.
For example, if you have an operand 4 and want to convert in into an expression
like "mystruct.field_6-2", then you have to enter 2 as the delta.
Usually the delta is zero, i.e. the pointer points to the start of the structure.

If a range is selected using the @0:420[anchor], IDA will perform
'en masse' conversion. It will convert
immediate operands of all instructions in the selected range to
offsets. However, IDA will ask you first the lower and upper limits of
immediate operand value. If the an operand value is >= lower limit and
<= upper limit then the operand will be converted to offset, otherwise it
will be left unmodified.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

By default IDA doesn't display the structure member at offset 0.
To change this behaviour, use @0:497[Force zero field offset] command.

Moreover, if there are several possible representations (this can happen if
unions are used), select the desired representation using the
@0:498[Select union member...] command.

See also:

          @0:467[offset by data segment/no]
          @0:468[offset by current segment]
          @0:469[offset by any segment]
          @0:470[offset by any user-specified base]
          @0:1381[Edit|Operand types|Offset] submenu.
          @0:477[Enter #th operand manually] command.
          @0:1601[Set operand type]›WRAP
Convert operand to symbolic constant (enum) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpEnum
 Current hotkey: @<OpEnum>

This command converts immediate operand(s) type of the
current instruction/data to an enum member.
Before using this command, you have to @0:501[define] an enumeration type.

If the selected enum is a bitfield, IDA will try to build a bitfield
expression to represent the constant. Please note that for bitfields having
multiple constants with the same value some expressions won't be possible.

If a range is selected using the @0:420[anchor], IDA will perform
'en masse' conversion. It will convert
immediate operands of all instructions in the selected range to
symbolic constants. However, IDA will ask you first the lower and upper limits of
immediate operand value. If the operand value is >= lower limit and
<= upper limit then the operand will be converted to offset, otherwise it
will be left unmodified.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise all other operands will be
affected.

See also:

          @0:458[Edit|Operand types] submenu.
          @0:477[Enter #th operand manually] commands.
          @0:1601[Set operand type]¸WRAP
Convert operand to stack variable ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpStackVariable
 Current hotkey: @<OpStackVariable>

This command converts immediate operand(s) type of the
current instruction to an offset to stack variables, i.e. a local variable
or function argument in the stack.

You need to @0:488[define] stack variables before using this command.

If the current operand is based on the value of the stack pointer ([ESP+xxx])
and the SP value is traced incorrectly, then you need to correct SP value
using @0:489[change stack pointer] command.

If a range is selected using the @0:420[anchor], IDA will perform
'en masse' conversion. It will convert
immediate operands of all instructions in the selected range to
stack variables. However, IDA will ask you first the lower and upper limits of
immediate operand value. If the operand value is >= lower limit and
<= upper limit then the operand will be converted to stack variable, otherwise it
will be left unmodified.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise all other operands will be
affected.

See also:

          @0:458[Edit|Operand types] submenu.
          @0:477[Enter #th operand manually] commands.
          @0:488[Define stack variables...]œ
WRAP
Change operand sign ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ChangeSign
 Current hotkey: @<ChangeSign>

This command changes the sign of the current operand.
Please note that not all operands can change their sign.

See also:

          @0:458[Edit|Operand types] submenu.
          @0:477[Enter #th operand manually] commands.
          @0:1601[Set operand type]eWRAP
Bitwise negate operand ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: BitwiseNegate
 Current hotkey: @<BitwiseNegate>

This command bit-wisely negates the current operand.
Please note that not all types of operands can be negated.
It is not possible to negate and change @0:475[sign] of an operand simultaneously.

This command works only if the current @0:619[assembler] supports the bitwise negation operation.

See also:

          @0:458[Edit|Operand types] submenu.
          @0:477[Enter #th operand manually] commands.
          @0:1601[Set operand type]øWRAP
User-defined operand ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ManualOperand
 Current hotkey: @<ManualOperand>

You may specify any string instead of an operand if IDA does not represent
the operand in the desired form. In this case, IDA will simply display the
specified string in the instruction instead of the default operand.

The current operand (under the cursor) will be affected.

You can use this command not only with instructions but with data
items too.

IDA proposes the previous manual operand as the default value in the input form.

To delete the manual operand and revert back to the default text, specify an empty string.

IDA automatically deletes manually entered operands when you
change operand representation using operand @0:458[types] submenu.

NOTE: A text offset reference is generated if you use a label in the program as the operand string.
In other cases no cross-references are generated.

See also @0:458[Edit|Operand types] submenu.u
WRAP
Edit|Comments submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to manipulate different kinds of comments.
Use them to make the disassembled text more understandable.

 @0:479[Create a regular comment]
 @0:480[Create a repeatable comments]
 @0:481[Create additional comment lines]

See also @0:451[Edit] submenu.ÊWRAP
Create a regular comment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeComment
 Current hotkey: @<MakeComment>

If you stand at the function start and your cursor is
on a function name, IDA will ask you to enter a function comment.

If you stand at the segment start and your cursor is
on a segment name, IDA will ask you to enter a segment comment.

If this command is issued in the
@0:593[structures window], it allows you to change the comment of a structure, or
structure member. If the cursor is on the structure name, it will be changed, otherwise
the member name will be changed.
Otherwise, this command allows you to enter a normal indented comment for
the current item.

You can show/hide all comments in @0:1369[Comments Dialog].

See also

        "How to use the @0:425[notepad]"
         @0:478[Edit|Comments] submenu
         @0:480[Repeatable comments]
         How to use the @0:425[notepad]+WRAP
Create a repeatable comment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeRptCmt
 Current hotkey: @<MakeRptCmt>

This command allows you to enter a repeatable comment. A repeatable
comment will appear attached to the current item and all other items
referencing it.

If you stand at the function start, IDA will ask you to enter a function comment.

If this command is issued in the
@0:593[structures window], it allows you to change the comment of a structure or
structure member. If the cursor is on the structure name, the structure comment
will be changed, otherwise the member comment will be changed.

Otherwise, this command allows you to enter a repeatable comment for
the current item.

You cannot enter repeatable segment comments.

All items that refer to the current item will have this comment by default.

Note that if you have defined both comment types (@0:479[regular] and repeatable),
the regular comment will be displayed for the current item and the repeatable
comment will be displayed for all items that refer to the current item, if
they do not have their own comments.

The repeatable comments may be used to describe subroutines, data items etc.,
because all calls to the subroutine will have the repeatable comment.

You can show/hide all comments in the @0:1369[Comments Dialog].

You can show and hide repeatable comments in the @0:1369[Comments Dialog].

See also

        "How to use the @0:425[notepad]"
         @0:478[Edit|Comments] submenu
         @0:479[Regular comments]WRAP
Create additional comment lines ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action                 Name
 ------                 ----
 edit anterior lines    MakeExtraLineA
 edit posterior lines   MakeExtraLineB

If you want to enter multi-line comments or additional instructions,
you can use this feature of IDA.

There are two kinds of extra lines: the ones generated before the instruction line
and the ones generated after the instruction line.

Do not forget that the maximal number of lines for an item is 500.

IDA does not insert a comment symbol at the beginning of the lines.

See also

        "How to use the @0:425[notepad]"
        @0:478[Edit|Text|Comments] submenu.
        @0:425[How to use the Notepad]WRAP
Functions submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to manipulate functions in the disassembly:

      @0:484[Create function...]
      @0:485[Edit function...]
      @0:687[Append function tail...]
      @0:688[Remove function tail...]
      @0:486[Delete function...]
      @0:487[Set function end]
      @0:488[Define stack variables...]
      @0:489[Change stack pointer...]
      @0:1346[Rename register...]
      @0:1361[Set function/item type...]

See also @0:451[Edit] submenu.2WRAP
Create Function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeFunction
 Current hotkey: @<MakeFunction>

This command defines a new function in the disassembly text.

You can specify function boundaries using the @0:420[anchor].
If you don't specify any, IDA will try to find the boundaries automatically:

   - function start point is equal to the current cursor position;
   - function end point is calculated by IDA.

A function cannot contain references to undefined instructions.
If a function has already been defined at the specified addresses,
IDA will jump to its start address, showing you a warning message.

A function must start with an instruction.

See also

         @0:483[Edit|Functions] submenu.
         @0:485[Edit a function]
         @0:486[Delete a function]pWRAP
Edit Function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: EditFunction
 Current hotkey: @<EditFunction>

Here you can change function bounds, its name and @0:1729[flags].
In order to change only the function end address, you can use @0:487[FunctionEnd]
command.

If the current address does not belong to any function, IDA beeps.

This command allows you to change the function frame parameters too.
You can change sizes of some parts of frame structure.

IDA considers the stack as the following structure:

      +------------------------------+
      | function arguments           |
      +------------------------------+
      | return address               |
      +------------------------------+
      | saved registers (SI,DI,etc)  |
      +------------------------------+  <- BP
      | local variables              |
      +------------------------------+  <- SP

For some processors or functions, BP may be equal to SP. In other words, it can
point to the bottom of the stack frame.

You may specify the number of bytes in each part of the stack frame. The size of the
return address is calculated by IDA (possibly depending on the far function @0:1729[flag]).

"Purged bytes" specifies the number of bytes added to SP upon function return.
This value will be used to calculate the SP changes at call sites (used in some
calling conventions, such as __stdcall in Windows 32-bit programs.)

"BP based frame" allows IDA to automatically convert [BP+xxx] operands
to @0:474[stack variables].

"BP equal to SP" means that the frame pointer points to the bottom of the stack.
It is usually used for the processors which set up the stack frame with EBP and ESP
both pointing to the bottom of the frame (for example MC6816, M32R).

If you press <Enter> even without changing any parameter,IDA will reanalyze the function.

Sometimes, EBP points to the middle of the stack frame.
FPD (frame pointer delta) is used to handle such situations.
FPD is the value substracted from the EBP before accessing variables.
An example:

           push    ebp
           lea     ebp, [esp-78h]
           sub     esp, 588h
           push    ebx
           push    esi
           lea     eax, [ebp+74h]

      +------------------------------+
      | function arguments           |
      +------------------------------+
      | return address               |
      +------------------------------+
      | saved registers (SI,DI,etc)  |
      +------------------------------+  <- typical BP
      |                              |
      |                              |
      |                              |  <- actual BP
      | local variables              |
      |                              |
      |                              |
      |                              |
      +------------------------------+  <- SP

In our example, the saved registers area is empty (since EBP has been initialized
before saving EBX and ESI). The difference between the 'typical BP'
and 'actual BP' is 0x78 and this is the value of FPD.

After specifying FPD=0x78 the last instruction of the example becomes

           lea     eax, [ebp+78h+var_4]

where var_4 = -4

Most of the time, IDA calculates the FPD value automatically. If it fails, the user can specify
the value manually.

If the value of the stack pointer is modified in an unpredictable way,
(e.g. "and esp, -16"), then IDA marks the function as "fuzzy-sp".

If this command is invoked for an imported function, then a simplified dialog
box will appear on the screen.

See also

         @0:1729[Function flags]
         @0:484[Make a function]
         @0:486[Delete a function]
         @0:483[Edit|Functions] submenu.Å
WRAP
Delete Function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DelFunction
 Current hotkey: @<DelFunction>

Deleting a function deletes only information about a function, such as
information about stack variables, comments, function type, etc.

The instructions composing the function will remain intact.

See also

         @0:483[Edit|Functions] submenu.
         @0:484[Make a function]
         @0:485[Edit a function]…
WRAP
Set Function End ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: FunctionEnd
 Current hotkey: @<FunctionEnd>


This command changes the current or previous function bounds so that its end
will be set at the cursor. If it is not possible, IDA beeps.

See also @0:483[Edit|Functions] submenu.
         @0:484[Make a function]
         @0:485[Edit a function]jWRAP
Stack Variables Window ▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenStackVariables
 Current hotkey: @<OpenStackVariables>

This command opens the stack variables window for the current function.

The stack variables are internally represented as a structure. This structure
consists of two parts: local variables and function arguments.

You can modify stack variable definitions here:
add/delete/define stack variables, enter comments for them.

There may be two special fields in this window: " r" and " s".
They represent the size of the function return address and
of the saved registers in bytes.
You cannot modify them directly. To change them, use
@0:485[edit function] command.

Offsets at the line prefixes represent offsets from the frame pointer register (BP).
The window indicator at the lower left corner of the window displays
offsets from the stack pointer.

In order to create or delete a stack variable, use data definitions
commands (@0:453[data], @0:454[strlit], @0:455[array], @0:456[undefine], @0:457[Rename]).
Also you may define @0:479[regular] or @0:480[repeatable] comments.

The defined stack variables may be used in the program by converting
operands to @0:474[stack variables].

Esc closes this window.

See also

         @0:483[Edit|Functions] submenu.
         @0:474[Convert to stack variable]WRAP
Change Stack Pointer ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ChangeStackPointer
 Current hotkey: @<ChangeStackPointer>

This command allows you to specify how the stack pointer (SP)
is modified by the current instruction.

You cannot use this command if the current instruction does not belong to
any @0:484[function].

You will need to use this command only if IDA was not able to trace the value of the SP register.
Usually IDA can handle it but in some special cases it fails.
An example of such a situation is an indirect call of a function that
purges its parameters from the stack. In this case, IDA has no
information about the function and cannot properly trace the value of SP.

Please note that you need to specify the _difference_ between the old and
new values of SP.

The value of SP is used if the current function accesses local variables
by [ESP+xxx] notation.

See also

         @0:483[Edit|Functions] submenu.
         @0:474[Convert to stack variable]^WRAP
Structures submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Commands of this submenu are available in the
@0:593[structures window].
Only @0:496[Declare struct var...] is available in
the disassembly window.

      @0:491[Add a struct type...]
      @0:1370[Duplicate struct type...]
      @0:492[Delete a struct type...]
      @0:493[Insert gap...]
      @0:494[Delete gap...]
      @0:495[Edit a struct type...]
      @0:496[Declare struct var...]
      @0:497[Force zero field offset]
      @0:498[Select union member...]
      @0:1392[Create struct type from data...]
      @0:1684[Copy field info to pointers...]

Use regular commands to specify struct and union members,
their types, comments, etc.

A union is a special kind of structure. Use structure definition commands to
manipulate unions.

See also @0:451[Edit] submenu.ŸWRAP
Define a new structure ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: AddStruct
 Current hotkey: @<AddStruct>

This command defines a new structure or a new union.
The new structure is created with zero length. You will have to add structure
members using @0:490[structure] manipulation commands.

If the entered structure name denotes a standard structure type from a loaded
type library, then its definition will be automatically used. In this
case, the value of the 'create union' checkbox will be ignored.

This command is available when you open a structures @0:593[window].

You can add new members to the structure using the following commands:

        command         hotkey
        -------         ------
    @0:453[make data]            D
    @0:454[make strlit]           A
    @0:455[make array]           *
    @0:457[rename]               N

You may also insert/delete undefined bytes into the middle of the structure
by using @0:493[expand] and @0:494[shrink] commands.

"Create before current structure" means that the new structure will be
placed immediately before the current structure type. Otherwise, the new
structure is placed after the current structure.

"Don't include in the list" means that the structure will not be included
in the list of the structures which appears when the user applies the structure
definition, for example, when he creates a variable of this structure type.
We recommend to mark this checkbox when you have defined all variables of
this structure type and want to reduce the number of choices in the list.

See also @0:490[Edit|Structs] submenu.
         @0:424[How to Enter an Identifier]
WRAP
Delete a structure ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DelStruct
 Current hotkey: @<DelStruct>

This command deletes the current structure.
Beware, when you delete a structure, all references to it will be destroyed as well.
Even if you recreate it later, you'll have to specify again all references
to it.

You may use this command to delete unions also.

This command is available when you open a structures @0:593[window].

See also @0:490[Edit|Structs] submenu.
ô
WRAP
Expand a structure ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ExpandStruct
 Current hotkey: @<ExpandStruct>

This command expands the current structure by inserting undefined bytes
at the cursor location. The cursor must not be at the end of the structure.
To define a member at the end of the structure, just use normal data
definition commands.

This command is available when you open a structure @0:593[window].

See also @0:490[Edit|Structs] submenu.
Ã
WRAP
Shrink a structure ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShrinkStruct
 Current hotkey: @<ShrinkStruct>

This command shrinks the current structure by deleting undefined bytes
at the cursor location. The cursor must be at an undefined byte. IDA will
ask the user the number of bytes to remove.

This command is available when you open a structure @0:593[window].

See also @0:490[Edit|Structs] submenu.
|WRAP
Edit a structure ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: EditStruct
 Current hotkey: @<EditStruct>

This command allows the user to change the structure alignment

Structure alignment is used to calculate the number of padding bytes at the end of the
structure. For example, if alignment is 4 and the last field is a byte at offset 11h,
IDA will add 3 bytes of padding so that the struct size is 14h (multiple of 4).

The alignment must be a power of 2.

This command is available in the Structures @0:593[window].

See also @0:490[Edit|Structs] submenu.
         @0:423[How to Enter a Number].
äWRAP
Declare a structure variable ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeStructVar
 Current hotkey: @<MakeStructVar>

This command declares a variable of the specified structure type.

IDA will ask you to choose a structure type. You must have some structure
types @0:491[defined] in order to use this command.

If the @0:619[target assembler] supports it, IDA will display the
structure in terse form (using just one line).
To uncollapse a terse structure variable use the @0:600[Unhide] command.

You can also use this command to declare a structure field in another structure
(i.e. nested structures are supported too).

See also @0:490[Edit|Structs] submenu.
$WRAP
Force zero field offset ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ZeroStructOffset
 Current hotkey: @<ZeroStructOffset>

This command forces IDA to display a full structure member name
even if the offset of the member is equal to zero.

If used twice, the command cancels itself.

Example: Suppose we have the following structure:

        xxx     struc
        a       db ?
        b       db ?
        c       db ?
        xxx     ends

        dloc    xxx ?

  Normally IDA displays references to it like this:

        mov     eax, offset dloc
        mov     eax, offset dloc.b

  If you force IDA, then it displays member 'a':

        mov     eax, offset dloc.a
        mov     eax, offset dloc.b

See also @0:490[Edit|Structs] submenu.
ØWRAP
Select union member ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SelectUnionMember
 Current hotkey: @<SelectUnionMember>

This command tells IDA how to display references to a union from the current
cursor location.

Example:
  Suppose we have the following union:

        xxx     union
        a       db ?
        b       dw ?
        c       dd ?
        ends   xxx

        dloc    xxx ?

  Normally, IDA displays references to "dloc" like this:

        mov     al,  byte ptr dloc
        mov     eax, word ptr dloc

  After using this command, IDA can display the union members:

        mov     al,  dloc.b
        mov     eax, dloc.d

See also @0:490[Edit|Structs] submenu.
GWRAP
Bitfields ▄
 ▀▀▀▀▀▀▀▀▀▀

There is a special kind of enums: bitfields.
A bitfield is an enum divided into bit groups. When you define a new symbolic constant
in a bitfield, you need to specify the group to which the constant will belong
to. By default, IDA proposes groups containing one bit each.
If a group is not defined yet, it is automatically created when the first
constant in the group is defined. For example:

        name    CONST1
        value   0x1
        mask    0x1

will define a constant named CONST1 with value 1 and will create a group containing
only one bit. Another example. Let's consider the following definitions:

 #define OOF_SIGNMASK    0x0003
 #define   OOFS_IFSIGN   0x0000
 #define   OOFS_NOSIGN   0x0001
 #define   OOFS_NEEDSIGN 0x0002
 #define OOF_SIGNED      0x0004
 #define OOF_NUMBER      0x0008
 #define OOF_WIDTHMASK   0x0030
 #define   OOFW_IMM      0x0000
 #define   OOFW_16       0x0010
 #define   OOFW_32       0x0020
 #define   OOFW_8        0x0030
 #define OOF_ADDR        0x0040
 #define OOF_OUTER       0x0080
 #define OOF_ZSTROFF     0x0100

How do we describe this?

   name           value    mask   maskname

   OOFS_IFSIGN   0x0000   0x0003 OOF_SIGNMASK
   OOFS_NOSIGN   0x0001   0x0003 OOF_SIGNMASK
   OOFS_NEEDSIGN 0x0002   0x0003 OOF_SIGNMASK
 OOF_SIGNED      0x0004   0x0004
 OOF_NUMBER      0x0008   0x0008
   OOFW_IMM      0x0000   0x0030 OOF_WIDTHMASK
   OOFW_16       0x0010   0x0030 OOF_WIDTHMASK
   OOFW_32       0x0020   0x0030 OOF_WIDTHMASK
   OOFW_8        0x0030   0x0030 OOF_WIDTHMASK
 OOF_ADDR        0x0040   0x0040
 OOF_OUTER       0x0080   0x0080
 OOF_ZSTROFF     0x0100   0x0100


If a mask consists of more than one bit, it can have a name and a comment.
A mask name can be set when a constant with the mask is being defined.
IDA will display the mask names in a different color.

In order to use a bitfield in the program, just convert an instruction
operand to @0:473[enum]. IDA will display the operand like this:

        mov     ax, 70h

will be replaced by

        mov     ax, OOFS_IFSIGN or OOFW_8 or OOF_ADDR
‚WRAP
Add/Edit an enum ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: AddEnum
 Current hotkey: @<AddEnum>

 Action    name: EditEnum
 Current hotkey: @<EditEnum>

These commands allow you to define and to edit an enum type.
You need to specify:

        - name of enum
        - its serial number (1,2...)
        - representation of enum members

Each enum has its ID and a serial number. The ID is a number used to
refer to the enum, while a serial number is used to order enums
during output. Changing the serial number moves the enum to another place.

The serial number of an enum is displayed at the lower left corner of the window.

You can specify any number as a serial number,
IDA will move the enum to the specified place.

        1 - the current enum becomes the first enum
        2 - the current enum becomes the second enum
        ...

You also need to specify representation of enum constants. You may choose
from various number bases (hex,dec,oct,bin) and character constants.

You may specify the element width or leave it zero. Zero means the element
width is not specified. The allowed widths are the powers of 2 in the range of 1..64.

Please note that you can create @0:500[bitfield] definitions here
by checking the "bitfield" checkbox.

These command is available when you open the types @0:1259[window].

See also

         @0:423[How to Enter a Number].
˜
WRAP
Delete an enum type ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DelEnum
 Current hotkey: @<DelEnum>

This command deletes the current enum.
Beware, when you delete an enum all references to it will be destroyed.
Even if you recreate it later, you'll have to specify again all references
to it.

This command is available when you open the enums @0:1259[window].
ä
WRAP
Define an enum member ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: AddConst
 Current hotkey: @<AddConst>

This command allows you to define an enum member. An enum member
is a symbolic constant. You have to specify its name and value.
You cannot define more than 256 constants with the same value in an enum.

If the current enum is a bitfield, you need to specify the bitmask.
To learn about bitmasks, read about @0:500[bitfields].
e
WRAP
Edit an enum member ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: EditConst
 Current hotkey: @<EditConst>

This command allows you to rename an enum member. An enum member
is a symbolic constant. Its name must be unique in the program.

To rename an enum type name, position the cursor over the name of the enum.

WRAP
Delete an enum member ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DelConst
 Current hotkey: @<DelConst>

Please remember that deleting a member also deletes all the information
about the member, including comments, member name etc.
&WRAP
Edit|Segments submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to manipulate segments of the program:

 @0:507[Create a new segment...]
 @0:513[Delete a segment...]
 @0:514[Change segment attributes...]
 @0:520[Move a segment...]
 @0:1408[Rebase program...]
 @0:521[Change segment translation...]

 @0:522[Set default segment register value...]
 @0:523[Change segment register value...]

See also:

 @0:525[How to choose a segment]
 @0:546[How to jump to a segment]
 @0:451[Edit] submenu.JWRAP
Create a new segment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: CreateSegment
 Current hotkey: @<CreateSegment>

This command allows you to create a new segment.

If you select a range using the @0:420[anchor], IDA will propose the start
address and the end address of the selection as defaults for the segment bounds.

You need to specify at least:

    - the segment start address
    - the segment end address (excluded from the range)
    - the segment base

Click @0:508[here] to learn about addressing model used in IDA.

If "sparse storage" is set, IDA will use special sparse storage method
for the segment. This method is recommended for huge segments.
Later, it is possible to change the storage method of any region using
'set_storage_type' IDC function.

If another segment already exists at the specified address,
the existing segment is truncated and the new segment lasts from the
specified start address to the next segment
(or specified end address, whichever is lower). If the old and the new segments
have the same base address, instructions/data will not be discarded by IDA.
Otherwise, IDA will discard all instructions/data of the new segment.

An additional segment may be created by IDA to cover the range after the end of the new segment.

See also @0:506[Edit|Segments] submenu.WRAP
IDA address space concepts ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Internally, IDA has 32-bit linear address space (IDA64 uses 64-bit address space).
The internal addresses are called "linear addresses". The input program
is loaded into this linear address space.

Please note that usually the linear addresses are not used in the program
directly.
During disassembling, we use so-called "virtual addresses", which
are calculated by the following formula:

        VirtualAddress = LinearAddress - (SegmentBase << 4);

We see that the SegmentBase determines what addresses will be
displayed on the screen. More than that, IDA allows to create
several segments with the same virtual address in them. For this,
you just need to create segments with correct segment base values.

Normally a SegmentBase is a 16bit quantity.
To create a segment with base >= 0x10000, you need to use
@0:591[selectors]. However, if you try to create a segment
with a segment base >= 0x10000, IDA will automatically choose appropriately
a free selector and setup for the new segment.

All SegmentBases are looked up in the @0:591[selector] table.

There are some address restrictions in IDA.

There is a range of addresses that are used for internal housekeeping. This
range can be specified by the configuration variable PRIVRANGE (start address
and size). It is not recommended to use these addresses for other purposes.

There is also one address which must never be used in the disassembly.
It is the 'all ones' address, or -1. Internally, it is used as a BADADDR (bad address).
No address or address range can include BADADDR.

 Click @0:509[here] to see an example of segment creation
 (simple case - IBM PC)

 Click @0:510[here] to see an example of segment creation
 (simple case - Z80)

 Click @0:511[here] to see another example of segment creation
 (automatically chosen selector)

 Click @0:512[here] to see another example of segment creation
 (user-defined selector)

See also @0:521[How to change segment translation]	WRAP
Create segment - simple case (PC) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IBM PC case
-----------

Suppose we need to create a segment occupying addresses F000:1000..F000:2000
Let's calculate linear addresses:

        start = (0xF000 << 4) + 0x1000 = 0xF1000
        end   = (0xF000 << 4) + 0x2000 = 0xF2000

The segment base must be selected so that the first offset in our segment
will be 0x1000. Let's find it using the following equation:

        VirtualAddress = LinearAddress - (SegmentBase << 4);
        0x1000         = 0xF1000 - (base << 4);

After solving this equation, we see that the segment base is equal to 0xF000.
(you see, this is really a very simple case :) )

Now, we can create a segment entering:

        segment start address:  0xF1000
        segment end address:    0xF2000
        segment base:           0xF000

Please note that the end address never belongs to the segment in IDA.

Go back to @0:508[addressing space concepts]¯WRAP
Create segment - simple case (Z80) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Z80 case
 --------

Suppose we need to create a segment occupying virtual addresses 8000-C000.
Since we are free to place our segment anywhere in the linear address space,
we choose the linear addresses at our convenience. Let's say we choose
a linear address 0x20000:

        start = 0x20000
        end   = start + 0x4000 = 0x24000

The segment base must be selected so that the virtual address in our segment
will be 0x8000. Let's find it using the following equation:

        VirtualAddress = LinearAddress - (SegmentBase << 4);
        0x8000         = 0x20000 - (base << 4);
        base << 4      = 0x20000 - 0x8000
        base << 4      = 0x18000
        base           = 0x1800

After solving this equation, we see that the segment base is equal to 0x1800.

Now we can create a segment entering:

        segment start address:  0x20000
        segment end address:    0x24000
        segment base:           0x1800


Please note that the end address never belongs to the segment in IDA.

Go back to @0:508[addressing space concepts]tWRAP
Create segment - automatically chosen selector case ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Suppose we need to create a segment occupying linear addresses 200000-200C00
and the virtual addresses must have be 0000..0C00. If we simply
enter

        segment start address:  0x200000
        segment end address:    0x200C00
        segment base:           0x20000

Then IDA will notice that the segment base is too big and does not
fit into 16bits. Because of this IDA will find a free selector (let's
say it has found selector number 5), define it to point at paragraph
0x20000 and create a segment. After all this we will have:

        - a new selector is defined (5 -> 0x20000)
        - a new segment is created. Its attributes:
                start = 0x200000
                end   = 0x200C00
                base  = 5

The first virtual address in the segment will be 0:

        VirtualAddress = LinearAddress - (SelectorValue(SegmentBase) << 4)
                       = 0x200000      - (SelectorValue(5) << 4)
                       = 0x200000      - (0x20000 << 4)
                       = 0x200000      - 0x200000
                       = 0

Please note that the end address never belongs to the segment in IDA.

Go back to @0:508[addressing space concepts]WRAP
Create segment - user-defined selector case ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

If the @0:511[previous] example we saw how IDA allocates a selector
automatically. You could make it yourself:

1. Create a selector. For this, open the @0:591[selectors window]
and press Ins. Enter a selector number and its value.

2. Create a segment. Specify the selector number as the segment base.

Go back to @0:508[addressing space concepts]×WRAP
Delete a segment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: KillSegment
 Current hotkey: @<KillSegment>

This command allows you to delete a segment.

IDA will ask your the permission to disable the addresses occupied by the segment.
If you allow this operation, all information about the segment will
be deleted. In other words, IDA will discard the information about
instructions or data, comments etc.

If you check the "disable addresses" checkbox, IDA will mark the addresses
occupied by the segment as "nonexistent" in the program. You will lose *ALL*
information, including byte values.

It is impossible to disassemble the content of addresses not located in any
segment, therefore you must create a new segment if you want to resume the
disassembly of that part of the code.

You can also edit (see below) an adjacent segment to @0:514[expand] it to those
addresses.

IDA will ask your the permission to disable addresses occupied by the segment.
If you give your permission, information about the segment will be
deleted, otherwise IDA will discard information about instruction/data,
comments etc, but retain byte values so that you will be able to create
another segment afterwards.

To disassemble the addresses occupied by the segment, you need to create a
new segment again (i.e. you cannot disassemble bytes without a segment).
You can also @0:514[expand] another adjacent segment to
these addresses.

See also @0:506[Edit|Segments] submenu.Ü
WRAP
Change segment attributes ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: EditSegment
 Current hotkey: @<EditSegment>

This command allows you to change segment attributes.
You can change all attributes except the segment base. To change the segment
base, you have to delete the segment and create it again.

Please use the following links to learn about the segment attributes:

      @0:515[How to change segment name]
      @0:517[How to change segment class]
      @0:516[How to change segment addressing mode (16/32)]
      @0:518[How to change segment alignment]
      @0:519[How to change segment combination]

Changing the segment class may change the segment type.

MOVE ADJACENT SEGMENTS: means that the previous and next segments will
be shrunk or expanded to fill gaps between segments.
Click @0:628[here] for more information.

DISABLE ADDRESSES: if set, when a segment is shrunk,
all information about bytes going out of the segment will be completely removed..
Otherwise, IDA will discard information about instructions/data,
comments etc, but will retain byte values so that another segment can be
created later and it will use the existing byte values.

If IDA creates 2 segments where only
one segment must exist, you may try
the following sequence:

        - @0:513[delete] one segment. Choose one with
          bad segment base value. Do not disable addresses occupied
          by the segment being deleted.
        - change bounds of another segment.

Note that the @0:507[create] segment command changes the boundaries of
the overlapping segment automatically.

Segments with the 'debugger' attribute are the segments whose memory contents
are not saved in the database. Usually, these segments are created by the
debugger to reflect the current memory state of the program.

However, the user can modify this attribute.

If it is cleared, then the segment will permanently
stay in the database after closing the debugger session. The database will reflect the
state of the segment which was at the time when the status is changed.

If it is set, then the segment will become a temporary segment and
will be deleted at the end of the debugging session.

The "debugger segment" checbkox is available only during debugging sessions.

The 'loader' segments are the segment created by the file loader. The
segment having this attribute are considered to be part of the input file.

A segment with the 'debugger' attribute set and the 'loader' attribute
not set is considered to be an ephemeral segment.
Such segments are not analyzed automatically by IDA.

"Segment permissions" group box can be used to modify Segment access permissions (Read/Write/Execute)

See also @0:506[Edit|Segments] submenu.'
WRAP
Change Segment Name ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Enter a new name for the segment.
A segment name is up to 8 characters long.
IDA does check if the length is ok.
Try to give mnemonic names for the segments.

See also other @0:514[SegEdit] form fields.À
WRAP
Change Segment Addressing ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

You can choose between 16-bit and 32-bit segment addressing.

IDA will delete all instructions and data in the segment if the segment
address is changed.

Never do it if you are not sure. It may have irreversible consequences,
all instructions/data will be converted to undefined bytes.

See also other @0:514[SegEdit] form fields.$WRAP
Segment Class Name ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The segment class name identifies the segment with a class name
(such as CODE, FAR_DATA, or STACK). The linker places segments with
the same class name into a contiguous range of memory in the runtime
memory map.

Changing the segment class changes only the segment definition
on the screen. There are the following predefined segment class names:

        CODE    -       Pure code
        DATA    -       Pure data
        CONST   -       Pure data
        BSS     -       Uninitialized data
        STACK   -       Uninitialized data
        XTRN    -       Extern definitions segment

If you change segment class and the segment type is "Regular",
then the segment type will be changed accordingly.

In order to set the segment type "Regular", you should change the segment
class to "UNK".

NOTE: Segment class names are never deleted. Once you
define a segment class name, you cannot reuse it as a name of another object.

See also other @0:514[SegEdit] form fields.¦
WRAP
Change Segment Alignment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Alignment:  select between abs,byte,word,dword,para,page

You can specify the segment alignment for the selected
segment. By default, IDA assumes 'byte' alignment.

Changing the alignment changes only the segment definition
on the screen. Nothing else will happen.

See also other @0:514[SegEdit] form fields.ýWRAP
Change Segment Combination ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Combination

A field that describes how the linker can combine the
segment with other segments. Under MS-DOS, segments with
the same name and class can be combined in two ways: they
can be concatenated to form one logical segment, or they
can be overlapped. In the latter case, they have either the
same start address or the same end address, and they
describe a common range in memory. Values for the field
are:

  Private. Do not combine with any
           other program segment.
  Public.  Combine by appending at
           an offset that meets the
           alignment requirement.

  Stack.   Combine as for Public.
           This combine type forces
           byte alignment.

  Common.  Combine by overlay using
           maximum size.


Changing segment combination changes only the segment definition
on the screen. Nothing else will happen.

See also other @0:514[SegEdit] form fields.„WRAP
Move a segment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MoveSegment
 Current hotkey: @<MoveSegment>

This command allows you to move segment(s) to another address.
Use it if the segment(s) are loaded at a wrong address.

This command shifts (moves) the selected segments in the memory to the target address.
There must be enough free space at the target address for the segments.

All information in the segment will be moved to the new address, but since the
addresses change, the disassembly might be not valid anymore (especially if the
program is moved to the wrong addresses and the relocation information is not
available).

 Fix up relocations

        This option allows IDA to modify the references
        to/from the relocated segment(s). If it is turned
        off, the references might be wrong after the move.


See also @0:506[Edit|Segments] submenu.
WRAP
Change segment translation ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SegmentTranslation
 Current hotkey: @<SegmentTranslation>

A segment translation is a sequence of other segments to use
when resolving the references to instructions from the current segment.
Only code references are affected by the segment translation. Data references
can be redirected to the desired addresses by modifying the data segment
register.

This feature is available only for selected processors
(it is not available for IBM PC processors).

We hope it is easier to give an example than to give a formal definition.
Suppose we have 3 segments:

                start   end
        A       0000    1000
        B       1000    2000
        C       3000    4000

The instruction

        call    1000

in the segment C obviously refers to the segment B while the instruction

        call    500

refers to the segment A.

However, IDA does not try to link these references unless you tell it to do so:
include the segments A and B into a translation list of the segment C.
It means that you have to create a translation list

        A B

for the segment C.

Below is a more complicated example:

                start   end
        A       0000    1000
        B       1000    2000
        C       1000    2000
        D       3000    4000
        E       3000    4000

translations

        B:      A
        C:      A
        D:      A B
        E:      A C

allow you to emulate overlays (the first set is A B D, the second A C E)

IMPORTANT NOTE1: If you use the segment translations, make sure that all
segments have unique segment bases. If two segments are placed in the linear
address space so that
they must have the same segment base, you may assign different
@0:591[selectors] with equal values to them.

IMPORTANT NOTE2:
IDA supports only one translation list per segment.
This translation is applied by default to all instruction in the segment.
If the segment uses other mappings, then these individual mappings
can be specified for each instruction separately by using the
@0:469[make offset] commands.

IMPORTANT NOTE3:
Since only code references are affected by the segment translations,
try to create the RAM segment at its usual place (i.e. its linear
address in IDA corresponds to its address in the processor memory).
This will make all data references to it to be correct without any
segment translation. For the data references to other segments you'll
need to use the @0:469[make offset] command for each
such reference.

See also

         @0:508[addressing space concepts]
         @0:506[Edit|Segments] submenu.BWRAP
Set Default Segment Register Value ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetSegmentRegisterDefault
 Current hotkey: @<SetSegmentRegisterDefault>

Relevant only for processors with the segment registers.

You can specify a default value of a segment register for the current segment.
When you change the default value, IDA will reanalyze the segment,
taking the default value when it cannot determine the actual value
of the register. This takes time, so do not be surprised if references
are not corrected immediately.

To specify a value other than the default value of a segment register, you can
use @0:523[change segment register value] command.

 See also @0:506[Edit|Segments] submenu.
 See also @0:422[How to enter segment value].WRAP
Change Segment Register Value ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetSegmentRegister
 Current hotkey: @<SetSegmentRegister>

Relevant only for processors with the segment registers.
Currently this command works for IBM PC, TMS320C2, Intel80196, and PowerPC processors.

This command creates or updates a segment register
@0:524[change point].

See @0:547[jump to segment register change point] for more info.

ALPHA DISASSEMBLY ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

For Alpha processors, the user must enter the difference between the real GP value
and the start of
the GOT (global offset table). For example:

         .got
         ....
         ; gp points here
 label:

If you want to specify that a register points to "label", you must
calculate and enter the difference "label-.got" as the register value.

ARM DISASSEMBLY ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The ARM processor module has a virtual segment register T which reflects the
state of the T bit of the processor state register (PSR). Therefore, the value
of this register controls THUMB/ARM mode. If its value is not zero, then
the disassembly will be in the thumb mode.

POWER PC DISASSEMBLY ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

For PowerPC processors, the user must enter an offset from the beginning of
the TOC to the TOC entry which contains the address of the target. An example:

 TOC:    .toc
         ....
 sometc: .tc sometc[tc], datachunk

If you want to specify that a register points to "datachunk", you must
calculate and enter the difference "sometc-TOC" as the register value.
You can change the TOC value in the processor specific options (which is accessible
from the analysis options).

INTEL 80196 DISASSEMBLY ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

For Intel 80196NP/NU processors, the user must enter the value of WSR or WSR1
register. IDA will automatically take the new value into account.

 See also @0:506[Edit|Segments] submenu.
 See also @0:422[How to enter segment value].
 See also @0:423[How to Enter a Number].;WRAP
Segment Register Change Points ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

When IDA encounters an instruction which changes a segment
register, it creates a segment register change point.
So, mostly change points are maintained by IDA itself. IDA assumes that
the segment registers do not change their values between change
points. If you find out that IDA failed to locate a segment register change,
or if you want to change a register value,
you can create a change point using @0:523[Change Segment Register]
command. You can change the value of a segment register
using @0:522[Set default segment register value] command too.

IDA classifies the change points. In the list of the change points,
you can see the following postfixes after the register values:

 a (auto)     - Created by IDA. May be changed by IDA afterwards.
 u (by user)  - Created by user. IDA will not change it.

IDA generates the appropriate 'assume' instructions for the
change points if it was not disabled
by @0:608[the corresponding command].YWRAP
Choose segment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA can display a list of the program segments.
Each segment is represented by a line in the list.
Please note that the end address of the segment never belongs to the segment in IDA.

The following segment attributes are visible:

  Name          Segment name
  Start         Virtual start address
  End           Virtual end address (address past the end of the segment)
  R             'R': readable,      '.': not readable,   '?':unknown
  W             'W': writable,      '.': not writable,   '?':unknown
  X             'X': executable,    '.': not executable, '?':unknown
  D             'D': debugger only, '.': regular
  L             'L': created by loader, '.': no
  Align         Segment alignment
  Base          Segment base selector or address
  Type          Segment type
  Class         Segment class
  AD            Segment addressing width

The rest of the columns display the default values of the segment registers
for the segment.

By default, the cursor is located on the current segment.

You can use normal cursor movement keys and the mouse.
You can also search for the segment by pressing Alt-T, or directly jump to the desired line by typing in its number.

Press <Enter> to select line, <Esc> to cancel the selection.

See also @0:506[other segment related commands]CWRAP
Edit|Patch core  submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to patch the image of the input file.
More precisely, IDA never modifies the input file. The image of the input file
which was loaded to the database will be modified.

You can modify the image of the input file:

        - change a byte
        - change a word
        - enter an assembler instruction (only for IBM PC)

IDA will display the original value, the current value and file offset.
If the file offset is equal to 0xFFFFFFFF then the current byte comes
from a compressed page (LX/LE/NE iterated pages, for example) and/or it is
not possible to tell the file position.

You can create a @0:443[difference] file and use an external tool to apply the patches
or you can apply the @0:1618[patches] directly to the file using IDA.

The following commands are available:

 @0:527[Patch byte or word]
 @0:529[Assemble...]
 @0:1618[Apply patches to input file...]

See also:

 @0:442[Produce EXE file]
 @0:443[Produce DIF file]
 @0:451[Edit] submenu.
ÑWRAP
Patching the Image ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: PatchByte, PatchWord
 Current hotkey: @<PatchByte>, @<PatchWord>

You can modify the executable file and eventually @0:442[generate a new] file.

If you patch bytes, then you may enter multiple bytes.
Follow this @0:528[link] to learn about format of the input
string.

If this command is invoked when the debugger is active, then IDA will
modify the memory and the database. If the database does not contain the patched
bytes, then only the process memory will be modified.

You can create a @0:443[difference] file too.

See also

         @0:526[Edit|Patch core] submenu.
         @0:423[How to Enter a Number].
)Binary string format ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

It is possible to enter a sequence of the following items:

  - a number in the selected radix (hexadecimal, decimal or octal)
  - a string constant: "string"
  - a Unicode string constant: L"unicode string"
  - a question mark '?' to ignore variable bytes

The sequence must be separated by a space or a comma.

An entered number will occupy the minimal number of bytes it fits in
with the restriction that the number of bytes is a power of 2 (1, 2, or 4 bytes).

Two question marks without a space between them are the same as one question mark.
One question mark corresponds to one CPU byte. One CPU byte may consist of
multiple octets for a wide-byte CPU, like TMS320C28.

Example:

  CD 21          - bytes 0xCD, 0x21
  21CD           - bytes 0xCD, 0x21 (the order depends on the endiannes)
  "Hello", 0     - the null terminated string "Hello"
  L"Hello"       - 'H', 0, 'e', 0, 'l', 0, 'l', 0, 'o', 0
  B8 ? ? ? ? 90  - byte 0xB8, 4 bytes with any value, byte 0x90

ÏWRAP
Assemble an instruction  ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Assemble
 Current hotkey: @<Assemble>

This command allows you to assemble instructions. Currently, only the IBM PC
processors provide an assembler, nonetheless, plugin writers can extend or totally
replace the built-in assembler by writing their own.

The assembler requires to enclose all memory references into square brackets.
For example:

        mov ax, [counter]

Also, the keyword 'offset' must not be used. Instead of

        mov eax, offset name

you must write

        mov eax, name

See also

         @0:526[Edit|Patch core] submenu.
         @0:423[How to Enter a Number].
WRAP
Edit|Other Submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

      @0:533[Create alignment directive...]
      @0:534[Manual instruction...]
      @0:1456[Color instruction...]
      @0:535[Hide/show border]

See also @0:451[Edit] submenu.ûWRAP
Rename Any Address ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeAnyName
 Current hotkey: @<MakeAnyName>

This command gives name/renames/deletes @0:424[name] for the
specified address. This is a more powerful variant of @0:457[Rename] command.

To delete a name, simply give an empty name.

If the specified address is referenced, you cannot delete its name.
Even if you try it, IDA will generate a @0:609[dummy] name.

This command is available only from the @0:587[name window].

For an explanation about the dialog box entries, please see the @0:457[Rename current address] command.

See also

         @0:530[Edit|Other] submenu.
         @0:424[How to Enter an Identifier].
         @0:609[Names representation].›WRAP
Create alignment directive ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MakeAlignment
 Current hotkey: @<MakeAlignment>

This command allows you to create an alignment directive.
The alignment directive will replace a number of useless bytes
inserted by the linker to align code and data to paragraph boundary
or any other address which is equal to a power of two.

You can select a range to be converted to an alignment directive.
If you have selected a range, IDA will try to determine a
correct alignment automatically.

There are at least two requirements for this command to work:
        - there must be enough unexplored bytes at the current address.
        - an alignment directive must always end at an address
          which is divisible by a power or two.

See also

         @0:530[Edit|Other] submenu
         @0:426[How to Enter an Address].ˆWRAP
Specify instruction representation manually ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ManualInstruction
 Current hotkey: @<ManualInstruction>

This command allows you to specify the representation of an instruction
or data in the program.

Use it if IDA cannot represent the current instruction as desired.
If the instruction itself is ok and only one operand is misrepresented,
then use @0:477[Enter operand manually] command.

To delete the manual representation, specify an empty string.

See also @0:530[Edit|Other] submenu.Ò
WRAP
Hide/unhide a border ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ToggleBorder
 Current hotkey: @<ToggleBorder>

This command allows you to hide a thin border which is like the one generated
automatically by IDA between instructions and data.
If the border was already hidden, then it is displayed again.

Note that you can hide all borders at once
in the @0:1369[Comments Dialog].

See also @0:530[Edit|Other] submenueWRAP
Plugin modules ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

A plugin module is a module written on C++ that provides additional
functionality to IDA.

Usually, a plugin is invoked through a hotkey or the menu system.
The registered and loaded plugins will appear in a special Edit|Plugins submenu.
A plugin may provide better analysis, automation of tedious tasks, etc.

The plugin modules reside in the "plugins" subdirectory of IDA.
IDA is able to find and load all the plugins from this directory
automatically.

However, you can write a configuration file and tell IDA how to load
plugins. To do so, you need to modify the "plugins.cfg" file in the
"plugins" subdirectory.

The format of this file is simple:

Empty lines and lines starting with ';' are comment lines.
Other lines must have the following structure:

           menuname filename hotkey arg

 Example:

           Undefine undef    Alt-U  0

If the filename doesn't include the file extension or the directory,
IDA will add them. The plugin modules have the following extensions:

        Windows:        *.dll
        Linux:          *.so
        Mac:            *.dylib

Note: plugins compiled with support for 64-bit address space, will
feature a '64' suffix before the extension. E.g., 'pdb64.dll'

For more details, see information on individual plugin modules.

See also @0:451[Edit] submenu.×WRAP
Jump Immediate ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpEnter
 Current hotkey: @<JumpEnter>

By pressing <Enter> you navigate in the program in the same
way as in a hypertext (the way the web browsers and help screens use).

This is the easiest way to explore the program: just position the cursor
at the desired name and press "@<JumpEnter>".

Your current address is saved in the @0:542[jump stack].

The @0:539[Jump back] command (usually Esc) will return you back.

If the cursor is at a stack variable, a window with
@0:488[stack variables] is opened and the definition of the
stack variable is displayed.

See also

         @0:543[Jump] submenu
         @0:541[Empty Stack] command.U
WRAP
Jump back ▄
 ▀▀▀▀▀▀▀▀▀▀

 Action    name: Return
 Current hotkey: @<Return>

This command brings you back to the previous position in the history.
It takes positions from @0:542[Jumps Stack].

See also

         @0:543[Jump] submenu
         @0:540[Undo "jump back"] command.
         @0:541[Empty Stack] command.W
WRAP
Undo the last 'Return' Command ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: UndoReturn
 Current hotkey: @<UndoReturn>

This command cancels the last @0:539[Jump back] command.

See also

         @0:543[Jump] submenu
         @0:541[Empty navigation stack] command.
WRAP
Empty navigation stack ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: EmptyStack
 Current hotkey: @<EmptyStack>

This command clears the @0:542[jump stack].

See also

         @0:543[Jump] submenu
         @0:539[Jump back] command.'WRAP
Jumps Stack ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Each IDA Window has its own jump stack. This stack keeps the cursor locations.
Many IDA commands use the jump stack, i.e. they save the old cursor position to
the stack. For example, when you are at the address 3000:0100 and press
the Ctrl-C key (find instruction), the 3000:0100 is saved into the jump stack
and the search is started. Afterwards, you can return to the old position
using @0:539[Jump back] command.

You can clear the jump stack using the @0:541[Empty stack]
menu command.
nWRAP
Jump submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

In this menu, you can select a command to jump to the specified
location in the file.  Jumps are very fast and your previous
position is saved. This submenu contains the following items:

 @0:538[Jump immediate]
 @0:539[Jump back]
 @0:540[Undo last jump back]
 @0:541[Empty navigation stack]
 @0:544[Jump to address]
 @0:545[Jump to named location]
 @0:546[Jump to segment start]
 @0:547[Jump to segment register change point]
 @0:548[Jump to problematic location]
 @0:582[Mark location]
 @0:563[Jump to marked position]
 @0:564[Jump to cross reference]
 @0:565[Jump to cross reference to operand]
 @0:566[Jump to function]
 @0:567[Jump to entry point]
 @0:1393[Jump to file offset]

See also

        @0:568[Search] menu for fast navigating.
        @0:542[Jumps Stack] concept.
        @0:428[Menu Bar] submenusWRAP
Jump to the specified address ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpAsk
 Current hotkey: @<JumpAsk>

This command jumps to the specified address in the program.
IDA will ask you for the target address.
You can enter a name or an address as a hexadecimal number
with or without a segment.
If you enter a valid address then:

  - the current address is saved in the @0:542[jump stack].
  - the cursor is positioned to the specified address.

The @0:539[Jump back] command (usually Esc) will return you back.

In the structure and enum views, the cursor will be moved to the corresponding
offset in the current type.

See also

         @0:543[Jump] submenu
         @0:426[How to Enter an Address].mWRAP
Jump to the named location ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpName
 Current hotkey: @<JumpName>

This command allows you to jump to a name definition by selecting it
from the list of the names.

IDA will display the list of the names (sorted by addresses)
and you can choose a name.
@0:609[Dummy] names (generated by IDA) are not listed.
Hidden names are not listed either. You can control which names are listed
in the @0:609[Names representation] dialog box.

See also

         @0:543[Jump] submenu
         @0:427[How to use the lister].hWRAP
Jump to the specified segment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpSegment
 Current hotkey: @<JumpSegment>

This command jumps to the start of the selected segment.
IDA will ask you to select the target segment.
After:

  - the current address is saved in the @0:542[jump stack].
  - the cursor is positioned to the specified address.

The @0:539[Jump back] command (usually Esc) will return you back.

See also:

        @0:525[How to choose a segment]
        @0:506[Other segment related commands]
        @0:543[Jump] submenuˆWRAP
Jump to the specified segment register change point ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpSegmentRegister
 Current hotkey: @<JumpSegmentRegister>

This command jumps to the selected
@0:524[Segment Register Change Point].
IDA will ask you to select a target change point.
And after:

  - the current address is saved in the @0:542[jump stack].
  - the cursor is positioned to the specified address.

The @0:539[Jump back] command (usually Esc) will return you back.

See also @0:543[Jump] submenu.«
WRAP
Jump to a problematic location ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpQ
 Current hotkey: @<JumpQ>

This command allows you to jump to a problematic location.
IDA will display the @0:549[Problems List] and will allow you
to select a problem.

The @0:539[Jump back] command (usually Esc) will return you back.

See also @0:543[Jump] submenu.ÓWRAP
Problems List ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The following problems may occur:

 NOOFFSET @0:550[Cannot find offset base]
 NONAME   @0:551[Cannot find name]
 NOFORCED @0:552[Cannot find alternative string for an operand]
 NOCMT    @0:553[Cannot find comment]
 NOREF    @0:554[Cannot find references]
 INDIRJMP @0:555[Indirect execution flow]
 NODISASM @0:556[Cannot disassemble]
 ALREADY  @0:557[Already data or code]
 BOUNDS   @0:558[Execution flows beyond limits]
 OVERFLOW @0:559[Too many lines]
 BADSTACK @0:1368[Failed to trace the value of the stack pointer]
 LOOKHERE @0:560[Attention! Probably erroneous situation]
 DECISION @0:561[Decision to convert to instruction/data is made by IDA]
 ROLLBACK @0:562[The decision made by IDA was wrong and rolled back]
 COLISION @0:1441[FLIRT collision: the function with the given name already exists]
 SIGFNREF @0:1627[FLIRT match indecision: reference to function expected]


See also @0:543[Jump] submenu.ÇWRAP
Problem: Cannot find offset base ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        The current item has an operand marked as an offset,
        but IDA cannot find the offset base in the database.

 Possible reason(s):
        The database is probably corrupted.
        This may occur if the database was corrupted and repaired.

 What to do:
        Mark the operand again as an offset. Use one of the following
        commands:
         @0:467[Convert to offset (DS)]
         @0:468[Convert to offset (CS)]
         @0:469[Convert to offset by any segment]
         @0:470[Convert to offset by any user-specified base]
zWRAP
Problem: Cannot find name ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        Two reasons can cause this problem:
          1.Reference to an illegal address is made in the program being
            disassembled;
          2.IDA couldn't find a name for the address but
            it must exist.
 What to do:
        1. If this problem is caused by a reference to an illegal address
            - try to enter the operand @0:477[manually]
            - or make the illegal address legal by @0:507[creating] a new segment.
        2. Otherwise, the database is corrupt.
FWRAP
Problem: Cannot find alternative string for an operand ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        The current item has an operand marked as entered manually,
        but IDA cannot find the manually entered string in the database.

 Possible reason(s):
        The database is corrupt.

 What to do:
        Enter the operand manually again. Use one of the following
        commands:
         @0:477[User-defined operand]ßWRAP
Problem: Cannot find comment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

        Should not happen!
        Please inform the author if you encounter this problem.
È
WRAP
Problem: Cannot find references ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        The current item is marked as referenced from other place(s) in the
        program, but IDA cannot find any reference to it.

 Possible reason(s):
        The database is corrupt.

 What to do:
        Database is corrupt, the best thing to do is
           to @0:444[reload] the database.y
WRAP
Problem: Indirect execution flow ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        Actually, this is not a problem. IDA warns you
        that here it encountered an indirect jump and
        couldn't follow the execution.

 What to do:
        Nothing, this entry is just for your information^WRAP
Problem: Cannot disassemble ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        IDA cannot represent the specified bytes as an instruction.

 Possible reason(s):
        1. The specified bytes do not form an instruction.
        2. The current @0:618[processor] type is incorrect.

 What to do:
        If you are sure that the specified bytes contain an instruction,
        you can try to change @0:618[processor] type and
        mark these bytes as an instruction using the following command:
         @0:452[Convert to instruction]˜
WRAP
Problem: Already data or code ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        IDA cannot convert this byte(s) to an @0:452[instruction]
        or @0:453[data] because it would overlap another instruction.

 What to do:
        Make the following overlapping instruction or data 'unexplored'
        using @0:456[undefine] command.ªWRAP
Problem: Execution flows beyond limits ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        IDA encountered a jump or call instruction to an illegal address.
        Namely:
          - jump/call beyond program segments
          - near jump/call beyond the current segment
 What to do:
        1. Enter the operand @0:477[manually]
        2. or Create a new @0:507[segment] making the illegal address legal
        3. or Change the current segment bounds using one of the following:
              @0:514[How to change segment attributes]
              @0:520[How to move a segment]*WRAP
Problem: Too many lines ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        The current item (instruction or data) occupies more lines
        on the screen than it is allowed by the current configuration.

 What to do:
        1. If the current item is an @0:455[array] or @0:454[String literal], try to divide it.
     or 2. Delete @0:481[Additional comment lines]
     or 3. Disable @0:607[cross-references] display
     or 4. Increase the limit in IDA.CFG, the parameter name is MAX_ITEM_LINES.
s
WRAP
Problem: Attention! Probably erroneous situation ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        This is a generic problem message. IDA uses it when no more detailed
        information is available or the problem is processor-specific.
ôWRAP
Problem: Decision to convert to instruction/data is made by IDA ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        In fact, this is not exactly a problem: IDA collects all the locations
        where it has decided to convert undefined bytes to
        instructions or data even if they don't have
        any references to them. We consider this decision as dangerous
        and therefore we provide you with a way to examine all such places.

 What to do:
        Examine the result of conversion and modify the instructions
        or data if IDA has made a wrong conversion.
WRAP
Problem: The decision made by IDA was wrong and rolled back ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        This problem occurs when IDA has converted unexplored bytes to
        instruction(s) and later found that the decision was wrong.
        For example:

                mov     ax, bx
                db 0FFh, 0FFh

        0FFh, 0FFh cannot be converted to an instruction, therefore
        the "mov" instruction cannot be here.

        In this case, IDA automatically destroys the instruction(s)
        and enlists the address as problematic.

 What to do:
        Examine the end result and modify it accordingly.
PWRAP
Jump to previously marked position ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpPosition
 Current hotkey: @<JumpPosition>

This command jumps to the selected position.
IDA will ask you to select a target position.
After:
  - the current address is saved in the @0:542[jump stack].
  - the cursor is positioned to the specified address.

The @0:539[Jump back] command (usually Esc) will return you back.

You can mark the position using @0:582[Mark Position] command.

See also @0:543[Jump] submenu.ÿ
WRAP
Jump to cross reference ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpXref
 Current hotkey: @<JumpXref>

This command shows you a list of cross-references to the current location: you can jump to the selected one by pressing Enter.

Click @0:1305[here] to see the description of the cross reference dialog box.

See also

         @0:543[Jump] submenu
         @0:1593[Jump to Cross Reference From]
         @0:565[Jump to Cross References to Operand]'WRAP
Jump to cross references to operand ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpOpXref
 Current hotkey: @<JumpOpXref>

This command shows you a list of cross-references to the current operand: you can jump to the selected one by pressing Enter.

Click @0:1305[here] to see the description of the cross reference dialog box.

See also

         @0:543[Jump] submenu
         @0:564[Jump to Cross References]
         @0:1593[Jump to Cross Reference From]“
WRAP
Jump to function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpFunction
 Current hotkey: @<JumpFunction>

This command shows you a list of functions: you can jump to the selected one by pressing Enter.

See also

        @0:1590[Jump to next function]
        @0:1591[Jump to previous function]
        @0:543[Jump] submenu
        @0:639[How to choose a function]Ü
WRAP
Jump to Entry Point ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpEntryPoint
 Current hotkey: @<JumpEntryPoint>

This command shows you a list of entry points: you can jump to the selected one by pressing Enter.

The list of entry points is created at the database creation time.
It is not modified after that (for example, renaming an exported function does
not change the list of entry points).

See also @0:543[Jump] submenu.õWRAP
Search submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

In this menu, you can select a command to search for something
in the disassembly.  Searches are relatively slow and your previous
position is saved in the @0:542[jump stack].

You can search for:

   @0:569[suspicious operands] (instructions that need your attention)
   @0:570[instructions]
   @0:571[data bytes]
   @0:572[unexplored bytes]
   @0:573[explored bytes]
   @0:574[immediate operand values]
   @0:576[substring in the text representation]
   @0:579[substring in the binary image of the file]
   @0:581[bytes not belonging to any function]
   @0:1373[find all suspicious operands]
   @0:1481[string with error]
   @0:1482[find all errors]
   @0:1735[pictures (i.e., raster images)]

 in both @0:623[directions] (up and down).

You can search for an item under cursor:

   @0:1460[find register definition]
   @0:1460[find register use]

See also

        @0:543[Jump] menu for fast navigating.
        @0:428[Menu Bar] submenus]WRAP
Search for next suspicious operand ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpSuspicious
 Current hotkey: @<JumpSuspicious>

Suspicious operands are the operands that need your attention
because they contain an immediate value that could be a
number or an offset. IDA does not know about it, so it marks these
instructions as 'suspicious'.  You can change the suspiciousness of the operands
using @0:606[set lower limit of suspicious operands] and
@0:606[set upper limit of suspicious operands] commands.

Data arrays are considered to be suspicious if the first element of the
data array is within the lower and upper suspicious limits. Values of other
elements are not examined.

You can disable the display of the 'suspicious' marks in the @0:1369[Comments Dialog].

NOTE: We strongly recommend that before producing an ASM file you go
through all 'suspicious' marks and get rid of them.  After this you have
a certain level of confidence that the file has been
disassembled correctly.

See also @0:568[Search] submenu
WRAP
Search for next code ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpCode
 Current hotkey: @<JumpCode>

This command searches for the first @0:452[instruction] in the
@0:623[current direction].

See also @0:568[Search] submenu
WRAP
Search for next data ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpData
 Current hotkey: @<JumpData>

This command searches for the first @0:453[defined data] item in the
@0:623[current direction].

See also @0:568[Search] submenuI
WRAP
Search for next unexplored byte ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpUnknown
 Current hotkey: @<JumpUnknown>

This command searches for the first @0:456[unexplored] byte in the
@0:623[current direction].

See also @0:568[Search] submenu^
WRAP
Search for next explored byte ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpExplored
 Current hotkey: @<JumpExplored>

This command searches for the first defined byte
(@0:452[instruction] or @0:453[data]) in the
@0:623[current direction].

See also @0:568[Search] submenu+WRAP
Search for next instruction/data with the specified operand ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: AskNextImmediate
 Current hotkey: @<AskNextImmediate>

This command searches for the first instruction or data byte
that contains the specified immediate value. The command is
relatively slow (but much faster than the text search), because it disassembles each instruction to
find the operand values.

If the immediate value in an instruction has been logically or bitwise negated,
then this command will check against the modified value. Example:

        mov al, -2

will be found if the user searches for the immediate value 2 but
not when he searches for 0xFE.

If the checkbox "any untyped value" is checked, then the "value" field is ignored.
IDA will look for all immediate values without type in this case.

See also

         @0:568[Search] submenu
         @0:423[How to Enter a Number].¢
WRAP
Repeat search for instruction/data with the specified operand ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpImmediate
 Current hotkey: @<JumpImmediate>

This command repeats @0:574[search for immediate] command.

See also @0:568[Search] submenu„WRAP
Search for substring in the disassembly ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: AskNextText
 Current hotkey: @<AskNextText>

This command searches for the specified substring in the text
representation of the disassembly.
This command is a slow command, because it
disassembles each instruction to get the text representation.
IDA will show its progress on the @0:620[indicator].
You can interrupt this command pressing Ctrl-Break.

You may search for @0:578[regular expressions] too.

If a range is selected using @0:420[anchor], IDA will search
for the specified substring in the range.

Note that this command searches the same as what you see on your
screen (and not in binary image).

For binary search, look at @0:579[Search for substring in the file]

See also @0:568[Search] submenuW
WRAP
Repeat search for substring in the disassembly ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpText
 Current hotkey: @<JumpText>

This command repeats @0:576[search for text] command.

See also @0:568[Search] submenuh8WRAP
REGULAR EXPRESSION SYNTAX SUMMARY ▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The full syntax and semantics of the regular expressions that are supported by PCRE2 are described in the pcre2pattern documentation. This document contains a quick-reference summary of the syntax.

QUOTING


  \x         where x is non-alphanumeric is a literal x
  \Q...\E    treat enclosed characters as literal



ESCAPED CHARACTERS

This table applies to ASCII and Unicode environments.

  \a         alarm, that is, the BEL character (hex 07)
  \cx        "control-x", where x is any ASCII printing character
  \e         escape (hex 1B)
  \f         form feed (hex 0C)
  \n         newline (hex 0A)
  \r         carriage return (hex 0D)
  \t         tab (hex 09)
  \0dd       character with octal code 0dd
  \ddd       character with octal code ddd, or backreference
  \o{ddd..}  character with octal code ddd..
  \U         "U" if PCRE2_ALT_BSUX is set (otherwise is an error)
  \uhhhh     character with hex code hhhh (if PCRE2_ALT_BSUX is set)
  \xhh       character with hex code hh
  \x{hhh..}  character with hex code hhh..

Note that \0dd is always an octal code. The treatment of backslash followed by a non-zero digit is complicated; for details see the section "Non-printing characters" in the pcre2pattern documentation, where details of escape processing in EBCDIC environments are also given.

When \x is not followed by {, from zero to two hexadecimal digits are read, but if PCRE2_ALT_BSUX is set, \x must be followed by two hexadecimal digits to be recognized as a hexadecimal escape; otherwise it matches a literal "x". Likewise, if \u (in ALT_BSUX mode) is not followed by four hexadecimal digits, it matches a literal "u".

CHARACTER TYPES


  .          any character except newline;
               in dotall mode, any character whatsoever
  \C         one code unit, even in UTF mode (best avoided)
  \d         a decimal digit
  \D         a character that is not a decimal digit
  \h         a horizontal white space character
  \H         a character that is not a horizontal white space character
  \N         a character that is not a newline
  \p{xx}     a character with the xx property
  \P{xx}     a character without the xx property
  \R         a newline sequence
  \s         a white space character
  \S         a character that is not a white space character
  \v         a vertical white space character
  \V         a character that is not a vertical white space character
  \w         a "word" character
  \W         a "non-word" character
  \X         a Unicode extended grapheme cluster

\C is dangerous because it may leave the current matching point in the middle of a UTF-8 or UTF-16 character. The application can lock out the use of \C by setting the PCRE2_NEVER_BACKSLASH_C option. It is also possible to build PCRE2 with the use of \C permanently disabled.

By default, \d, \s, and \w match only ASCII characters, even in UTF-8 mode or in the 16-bit and 32-bit libraries. However, if locale-specific matching is happening, \s and \w may also match characters with code points in the range 128-255. If the PCRE2_UCP option is set, the behaviour of these escape sequences is changed to use Unicode properties and they match many more characters.

GENERAL CATEGORY PROPERTIES FOR \p and \P


  C          Other
  Cc         Control
  Cf         Format
  Cn         Unassigned
  Co         Private use
  Cs         Surrogate

  L          Letter
  Ll         Lower case letter
  Lm         Modifier letter
  Lo         Other letter
  Lt         Title case letter
  Lu         Upper case letter
  L&         Ll, Lu, or Lt

  M          Mark
  Mc         Spacing mark
  Me         Enclosing mark
  Mn         Non-spacing mark

  N          Number
  Nd         Decimal number
  Nl         Letter number
  No         Other number

  P          Punctuation
  Pc         Connector punctuation
  Pd         Dash punctuation
  Pe         Close punctuation
  Pf         Final punctuation
  Pi         Initial punctuation
  Po         Other punctuation
  Ps         Open punctuation

  S          Symbol
  Sc         Currency symbol
  Sk         Modifier symbol
  Sm         Mathematical symbol
  So         Other symbol

  Z          Separator
  Zl         Line separator
  Zp         Paragraph separator
  Zs         Space separator



PCRE2 SPECIAL CATEGORY PROPERTIES FOR \p and \P


  Xan        Alphanumeric: union of properties L and N
  Xps        POSIX space: property Z or tab, NL, VT, FF, CR
  Xsp        Perl space: property Z or tab, NL, VT, FF, CR
  Xuc        Univerally-named character: one that can be
               represented by a Universal Character Name
  Xwd        Perl word: property Xan or underscore

Perl and POSIX space are now the same. Perl added VT to its space character set at release 5.18.

SCRIPT NAMES FOR \p AND \P

Ahom, Anatolian_Hieroglyphs, Arabic, Armenian, Avestan, Balinese, Bamum, Bassa_Vah, Batak, Bengali, Bopomofo, Brahmi, Braille, Buginese, Buhid, Canadian_Aboriginal, Carian, Caucasian_Albanian, Chakma, Cham, Cherokee, Common, Coptic, Cuneiform, Cypriot, Cyrillic, Deseret, Devanagari, Duployan, Egyptian_Hieroglyphs, Elbasan, Ethiopic, Georgian, Glagolitic, Gothic, Grantha, Greek, Gujarati, Gurmukhi, Han, Hangul, Hanunoo, Hatran, Hebrew, Hiragana, Imperial_Aramaic, Inherited, Inscriptional_Pahlavi, Inscriptional_Parthian, Javanese, Kaithi, Kannada, Katakana, Kayah_Li, Kharoshthi, Khmer, Khojki, Khudawadi, Lao, Latin, Lepcha, Limbu, Linear_A, Linear_B, Lisu, Lycian, Lydian, Mahajani, Malayalam, Mandaic, Manichaean, Meetei_Mayek, Mende_Kikakui, Meroitic_Cursive, Meroitic_Hieroglyphs, Miao, Modi, Mongolian, Mro, Multani, Myanmar, Nabataean, New_Tai_Lue, Nko, Ogham, Ol_Chiki, Old_Hungarian, Old_Italic, Old_North_Arabian, Old_Permic, Old_Persian, Old_South_Arabian, Old_Turkic, Oriya, Osmanya, Pahawh_Hmong, Palmyrene, Pau_Cin_Hau, Phags_Pa, Phoenician, Psalter_Pahlavi, Rejang, Runic, Samaritan, Saurashtra, Sharada, Shavian, Siddham, SignWriting, Sinhala, Sora_Sompeng, Sundanese, Syloti_Nagri, Syriac, Tagalog, Tagbanwa, Tai_Le, Tai_Tham, Tai_Viet, Takri, Tamil, Telugu, Thaana, Thai, Tibetan, Tifinagh, Tirhuta, Ugaritic, Vai, Warang_Citi, Yi.

CHARACTER CLASSES


  [...]       positive character class
  [^...]      negative character class
  [x-y]       range (can be used for hex characters)
  [[:xxx:]]   positive POSIX named set
  [[:^xxx:]]  negative POSIX named set

  alnum       alphanumeric
  alpha       alphabetic
  ascii       0-127
  blank       space or tab
  cntrl       control character
  digit       decimal digit
  graph       printing, excluding space
  lower       lower case letter
  print       printing, including space
  punct       printing, excluding alphanumeric
  space       white space
  upper       upper case letter
  word        same as \w
  xdigit      hexadecimal digit

In PCRE2, POSIX character set names recognize only ASCII characters by default, but some of them use Unicode properties if PCRE2_UCP is set. You can use \Q...\E inside a character class.

QUANTIFIERS


  ?           0 or 1, greedy
  ?+          0 or 1, possessive
  ??          0 or 1, lazy
  *           0 or more, greedy
  *+          0 or more, possessive
  *?          0 or more, lazy
  +           1 or more, greedy
  ++          1 or more, possessive
  +?          1 or more, lazy
  {n}         exactly n
  {n,m}       at least n, no more than m, greedy
  {n,m}+      at least n, no more than m, possessive
  {n,m}?      at least n, no more than m, lazy
  {n,}        n or more, greedy
  {n,}+       n or more, possessive
  {n,}?       n or more, lazy



ANCHORS AND SIMPLE ASSERTIONS


  \b          word boundary
  \B          not a word boundary
  ^           start of subject
                also after an internal newline in multiline mode
                (after any newline if PCRE2_ALT_CIRCUMFLEX is set)
  \A          start of subject
  $           end of subject
                also before newline at end of subject
                also before internal newline in multiline mode
  \Z          end of subject
                also before newline at end of subject
  \z          end of subject
  \G          first matching position in subject



MATCH POINT RESET


  \K          reset start of match

\K is honoured in positive assertions, but ignored in negative ones.

ALTERNATION


  expr|expr|expr...



CAPTURING


  (...)           capturing group
  (?<name>...)    named capturing group (Perl)
  (?'name'...)    named capturing group (Perl)
  (?P<name>...)   named capturing group (Python)
  (?:...)         non-capturing group
  (?|...)         non-capturing group; reset group numbers for
                   capturing groups in each alternative



ATOMIC GROUPS


  (?>...)         atomic, non-capturing group



COMMENT


  (?#....)        comment (not nestable)



OPTION SETTING


  (?i)            caseless
  (?J)            allow duplicate names
  (?m)            multiline
  (?s)            single line (dotall)
  (?U)            default ungreedy (lazy)
  (?x)            extended (ignore white space)
  (?-...)         unset option(s)

The following are recognized only at the very start of a pattern or after one of the newline or \R options with similar syntax. More than one of them may appear.   (*LIMIT_MATCH=d) set the match limit to d (decimal number)

  (*LIMIT_RECURSION=d) set the recursion limit to d (decimal number)
  (*NOTEMPTY)     set PCRE2_NOTEMPTY when matching
  (*NOTEMPTY_ATSTART) set PCRE2_NOTEMPTY_ATSTART when matching
  (*NO_AUTO_POSSESS) no auto-possessification (PCRE2_NO_AUTO_POSSESS)
  (*NO_DOTSTAR_ANCHOR) no .* anchoring (PCRE2_NO_DOTSTAR_ANCHOR)
  (*NO_JIT)       disable JIT optimization
  (*NO_START_OPT) no start-match optimization (PCRE2_NO_START_OPTIMIZE)
  (*UTF)          set appropriate UTF mode for the library in use
  (*UCP)          set PCRE2_UCP (use Unicode properties for \d etc)

Note that LIMIT_MATCH and LIMIT_RECURSION can only reduce the value of the limits set by the caller of pcre2_match(), not increase them. The application can lock out the use of (*UTF) and (*UCP) by setting the PCRE2_NEVER_UTF or PCRE2_NEVER_UCP options, respectively, at compile time.

NEWLINE CONVENTION

These are recognized only at the very start of the pattern or after option settings with a similar syntax.

  (*CR)           carriage return only
  (*LF)           linefeed only
  (*CRLF)         carriage return followed by linefeed
  (*ANYCRLF)      all three of the above
  (*ANY)          any Unicode newline sequence



WHAT \R MATCHES

These are recognized only at the very start of the pattern or after option setting with a similar syntax.

  (*BSR_ANYCRLF)  CR, LF, or CRLF
  (*BSR_UNICODE)  any Unicode newline sequence



LOOKAHEAD AND LOOKBEHIND ASSERTIONS


  (?=...)         positive look ahead
  (?!...)         negative look ahead
  (?<=...)        positive look behind
  (?<!...)        negative look behind

Each top-level branch of a look behind must be of a fixed length.

BACKREFERENCES


  \n              reference by number (can be ambiguous)
  \gn             reference by number
  \g{n}           reference by number
  \g{-n}          relative reference by number
  \k<name>        reference by name (Perl)
  \k'name'        reference by name (Perl)
  \g{name}        reference by name (Perl)
  \k{name}        reference by name (.NET)
  (?P=name)       reference by name (Python)



SUBROUTINE REFERENCES (POSSIBLY RECURSIVE)


  (?R)            recurse whole pattern
  (?n)            call subpattern by absolute number
  (?+n)           call subpattern by relative number
  (?-n)           call subpattern by relative number
  (?&name)        call subpattern by name (Perl)
  (?P>name)       call subpattern by name (Python)
  \g<name>        call subpattern by name (Oniguruma)
  \g'name'        call subpattern by name (Oniguruma)
  \g<n>           call subpattern by absolute number (Oniguruma)
  \g'n'           call subpattern by absolute number (Oniguruma)
  \g<+n>          call subpattern by relative number (PCRE2 extension)
  \g'+n'          call subpattern by relative number (PCRE2 extension)
  \g<-n>          call subpattern by relative number (PCRE2 extension)
  \g'-n'          call subpattern by relative number (PCRE2 extension)



CONDITIONAL PATTERNS


  (?(condition)yes-pattern)
  (?(condition)yes-pattern|no-pattern)

  (?(n)               absolute reference condition
  (?(+n)              relative reference condition
  (?(-n)              relative reference condition
  (?(<name>)          named reference condition (Perl)
  (?('name')          named reference condition (Perl)
  (?(name)            named reference condition (PCRE2)
  (?(R)               overall recursion condition
  (?(Rn)              specific group recursion condition
  (?(R&name)          specific recursion condition
  (?(DEFINE)          define subpattern for reference
  (?(VERSION[>]=n.m)  test PCRE2 version
  (?(assert)          assertion condition



BACKTRACKING CONTROL

The following act immediately they are reached:

  (*ACCEPT)       force successful match
  (*FAIL)         force backtrack; synonym (*F)
  (*MARK:NAME)    set name to be passed back; synonym (*:NAME)

The following act only when a subsequent match failure causes a backtrack to reach them. They all force a match failure, but they differ in what happens afterwards. Those that advance the start-of-match point do so only if the pattern is not anchored.   (*COMMIT)       overall failure, no advance of starting point

  (*PRUNE)        advance to next starting character
  (*PRUNE:NAME)   equivalent to (*MARK:NAME)(*PRUNE)
  (*SKIP)         advance to current matching position
  (*SKIP:NAME)    advance to position corresponding to an earlier
                  (*MARK:NAME); if not found, the (*SKIP) is ignored
  (*THEN)         local failure, backtrack to next alternation
  (*THEN:NAME)    equivalent to (*MARK:NAME)(*THEN)



CALLOUTS

  (?C)            callout (assumed number 0)
  (?Cn)           callout with numerical data n
  (?C"text")      callout with string data

The allowed string delimiters are ` ' " ^ % # $ (which are the same for the start and the end), and the starting delimiter { matched with the ending delimiter }. To encode the ending delimiter within the string, double it.
>WRAP
Search for substring in the file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: AskBinaryText
 Current hotkey: @<AskBinaryText>

This command searches for the specified substring in the file being
disassembled. This command can be used for fast lookups of text
strings in the executable file or even to find references to a data.
You can interrupt it pressing Ctrl-Break.

If a range is selected using @0:420[anchor], IDA will search
for the specified substring in the range.

The substring is specified like this:

        "This is substring to search"

i.e. in the double-quotes. Also you can specify individual byte values as
numbers:

        6A 10

Follow this @0:528[link] to learn more about the format of the input
string.

For example, if you want to find a reference to the following string:

 35F2:106A      db 'Hello',0

you could search for number 106A in the file.

See also

         @0:528[the input string format]
         @0:576[search for text] command.
         @0:568[Search] submenuO
WRAP
Repeat search for substring in the file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpBinaryText
 Current hotkey: @<JumpBinaryText>

This command repeats @0:579[search for text in core] command.

See also @0:568[Search] submenu˜
WRAP
Search for bytes not belonging to any function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpNotFunction
 Current hotkey: @<JumpNotFunction>

This command searches for the first byte not belonging to any function
in the
@0:623[current direction].

See also @0:568[Search] submenu–
WRAP
Mark Position ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: MarkPosition
 Current hotkey: @<MarkPosition>

You can mark certain locations of the file to be able to @0:563[jump] to
them quickly. Text description of the location may help to find
a desired location easily.

First select a slot for the mark, then enter a
description for the location.

See also @0:543[Jump] submenu.·
WRAP
View submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Here are commands to open various windows, display information etc.

  @0:1356[Open subviews...]
  @0:1378[Graphs...]

  @0:596[Calculator]
  @0:597[View segment registers]
  @0:598[View internal flags]

  @0:599[Hide]
  @0:600[Unhide]
  @0:1394[Del hidden range]
  @0:1387[Hide all]
  @0:1388[Unhide all]
  @0:601[Setup hidden items...]

See also @0:428[Menu Bar] submenus.Ç
WRAP
Message Window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA opens a special non-closable window at the start.
This window is called "message window".
In this window you see various IDA messages.

If the message window is hidden behind other windows, you
will not see the IDA messages.

You can duplicate all messages appearing in this window to a file.
For this, you have to define an environment variable:

        set IDALOG=logfile
óWRAP
Disassembly window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: WindowOpen
 Current hotkey: @<WindowOpen>

The "WindowOpen" command opens a new window with the disassembly.
IDA automatically opens one disassembly window at the start.

If the current location is an instruction belonging to a function,
then the @0:42[graph view] is available. You can toggle between
the text and graph view using the Space key. You can also switch to
proximity view by zooming out to the callgraph using the '-' key.

Use the disassembly @0:451[editing] commands to improve the listing.

Use Shift-<arrows> or Alt-L to drop @0:420[anchor].
If you have a mouse, you can drop the anchor with it too.

A double click of the mouse is equivalent to the <Enter> key.

To the left of disassembly, there is an @0:1385[arrows window] (GUI version).
Also the GUI version @0:1386[highlights] the current identifier.

 See also @0:1356[View|Open subviews] submenu
          @0:414[Main Help Index]
—WRAP
Functions window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenFunctions
 Current hotkey: @<OpenFunctions>

A list of all functions in the program is displayed.
You can @0:484[add], @0:486[delete], @0:485[modify] functions
using @0:427[list] viewer commands.

Listed for each function are:

        - function name
        - segment that contains the function
        - offset of the function within the segment
        - function length in bytes
        - size (in bytes) of local variables + saved registers
        - size (in bytes) of arguments passed to the function

The last column of this window has the following format:

        R - function returns to the caller
        F - far function
        L - library function
        S - static function
        B - BP based frame. IDA will automatically convert
            all frame pointer [BP+xxx] operands to stack
            variables.
        T - function has type information
        = - Frame pointer is equal to the initial stack pointer
            In this case the frame pointer points to the bottom of the frame
        M - reserved
        S - reserved
        I - reserved
        C - reserved
        D - reserved
        V - reserved

If a function has its color set, its line is colored using the specified color.
Otherwise library and lumina functions are colored with the corresponding
color. Otherwise the line is not colored.

A bold font is used for functions that have definite (user-specified) prototype.
Also some plugins too may set this flag. Such prototypes are taken as is
by the decompiler, while other prototypes are considered only as a starting
point during decompilation.

It is possible to automatically synchronize the function list with the active
disassembler, pseudocode, or hex view. For that right click on the function
list and select "Turn on synchronization".

See also @0:1356[View|Open subviews] submenu.4WRAP
Names window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenNames
 Current hotkey: @<OpenNames>

This command opens the @0:457[names] window.

You can use @0:427[list viewer] commands in this window.

The GUI version displays a small icon for each name:

        L (dark blue)   - library function
        F (dark blue)   - regular function
        C (light blue)  - instruction
        A (dark green)  - string literal
        D (light green) - data
        I (purple)      - imported name


See also @0:1356[View|Open subviews] submenu.nWRAP
Signatures window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenSignatures
 Current hotkey: @<OpenSignatures>

This command opens the signatures window.

For each signature, the following is displayed:

        - name of file with the signature
        - state of signature:
                - Planned: the signature will be applied
                - Current: the signature is being applied
                - Applied: the signature has been applied
        - number of functions found using the signature
        - description of the signature

You can modify the planned signatures list here:
add/delete library modules to be used during the disassembling.

You cannot delete an applied signature from the list.

To add a signature to the list for the application press <Ins>.
You will see a list of signatures that can be applied to the program being
disassembled.

Text version: Not all signature files will be displayed (for example,
32 bit signatures will not be shown for a 16 bit program). If you want
to see the full list of signatures, select the first line of the list
saying SWITCH TO FULL LIST OF SIGNATURES.

Signature files reside in the subdirectories of the SIG directory. Each
processor has its own subdirectory. The name of the subdirectory
is equal to the name of the processor module file (z80 for z80.w32, for example).
Note: IBM PC signatures are located in the SIG directory itself.
Note: the IDASGN environment variable can be used to specify
the location of the signatures directory.

See also

         @0:1356[View|Open subviews] submenu.
         @0:427[How To Use List Viewer]™
WRAP
Segments window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowSegments
 Current hotkey: @<ShowSegments>

This command opens the segments window. The format of this window
is explained @0:525[here].

You can use @0:427[list viewer] commands in this window.

In order to change the selector values, use @0:591[selectors] window.

See also @0:1356[View|Open subviews] submenu.'WRAP
Segment registers window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowSegmentRegisters
 Current hotkey: @<ShowSegmentRegisters>

This command opens the segment registers window.
The window will contain segment register
@0:524[change points]
list.

You can use @0:427[list viewer] commands in this window.

Depending on the current processor type, you will see
DS,ES,SS with or without FS,GS.

See also
         @0:506[Edit|Segments] submenu.
         @0:1356[View|Open subviews] submenu.ÂWRAP
Selectors window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowSelectors
 Current hotkey: @<ShowSelectors>

This command opens the selector window. Here you can change
the "selector to base" mapping. The selector table is used
to look up the selector values when @0:508[calculating] the addresses that
are visible in the disassembly listing.

You can use @0:427[list viewer] commands in this window:

        - jump to the paragraph pointed by the selector
        - add a new selector
        - delete selector (if it is not used by any segment)
        - change selector value (this leads to reanalysis of all program)

See also @0:1356[View|Open subviews] submenu.7WRAP
Cross references window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenXrefs
 Current hotkey: @<OpenXrefs>

This command opens the cross-references window. This window contains
all references to the current location.

You can use @0:427[list viewer] commands in this window.

You can add and delete cross references here too by pressing Ins or Del.
Right clicking on the mouse will work too.

Add a cross reference: the from and to address, as well as the xref type should be specified.

Del a cross reference: if the 'undefine if no more xrefs' is check, then the instruction
at the target address will be undefined upon the deletion of the last xref.
IDA undefines instructions only if they do not start a function.

See also @0:1356[View|Open subviews] submenu.“WRAP
Structures window▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenStructures
 Current hotkey: @<OpenStructures>

This command opens the structure definitions window.

You can modify structure definitions here: add/rename/delete structures,
add/delete/define structure members.

Each structure must have a unique name. A field name must be unique in the
structure. In order to create or delete a field, use data definitions
commands (@0:453[data], @0:454[string literal], @0:455[array], @0:456[undefine], @0:457[Rename]).
You may also define @0:479[regular] or @0:480[repeatable] comments.

In order to modify member types, use commands from the @0:458[Edit|Operand types...] submenu.
For example, to convert a structure member to an offset, use one of the following
commands:

      @0:468[Convert to offset (automatic)]
      @0:467[Convert to offset (from a segment base)]
      @0:470[Convert to offset (complex offset expression)]

Some struct types in this window are created automatically by IDA. They are
copies of some local types. Such structs are displayed in gray. They are
considered as C-level types. As soon as the user edits such a type, it becomes
an ASM-level type. Read @0:1042[more].

In the structure header IDA displays the following info:

  - the structure size in bytes
  - the alignment
  - for C level types: copyof_XX where XX is the ordinal type number.
  - for ASM level types: mappedto_XX where XX is the ordinal type number.
    It is possible to jump to the corresponding local type by pressing Enter.
  - for types copied from standard type libraries: "standard type"

See also @0:1356[View|Open subviews] submenu.·
WRAP
Problems window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenProblems
 Current hotkey: @<OpenProblems>

This command opens the problems window.
The problem window contains the @0:549[list] of all problems encountered by
IDA during disassembling the program.

You can jump to a problem by pressing Enter. The selected problem will
be deleted from the list.

See also @0:1356[View|Open subviews] submenu.fWRAP
Calculator ▄
 ▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Calculate
 Current hotkey: @<Calculate>

A simple calculator is provided. You can enter constant C-style
expressions. Syntax of the expressions is the same is the syntax of
IDC expressions.
The result is displayed in the message window in three
forms: hexadecimal,decimal and character.

All the names created during a disassembly may be used in these
expressions. IDA can also pick up the name or number under the
cursor and to store it into the input line.

See also

         @0:583[View] submenu.
         @0:423[How to Enter a Number].Œ
WRAP
View segment registers ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowRegisters
 Current hotkey: @<ShowRegisters>

This command displays segment register contents in
the @0:584[message window].

You may use this command to refresh the disassembly window too.

See also

         @0:506[Edit|Segments] submenu.
         @0:583[View] submenu.2
WRAP
View Internal Flags ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowFlags
 Current hotkey: @<ShowFlags>

This command displays the internal flag values for the current item.
The information appears in the @0:584[message window].

See also @0:583[View] submenu.=WRAP
Hide ▄
 ▀▀▀▀▀

 Action    name: Hide
 Current hotkey: @<Hide>

This command allows you to hide a part of disassembly.
You can hide a function, a segment, or create a special
hidden range.

If a range is specified, a special hidden range is created on
this range.

If the cursor is on the segment name at the start of the segment,
the segment will be hidden.
IDA will display only the header of the hidden segment.

If the cursor is on a structure variable and if the target assembler has the
'can display terse structures or the INFFL_ALLASM' bit on, then
the structure will be collapsed into one line and displayed in the terse form.

Otherwise, the current function will be hidden.
IDA will display only the header of the hidden function.

If there is no current function then IDA will beep.

If you want to see hidden items on the screen, you may use
@0:600[unhide] command or @0:601[enable]
the display of the hidden items.
If you want to delete a previously created hidden range, you
may use @0:1394[del hidden range] command.

See also @0:583[Edit|View] submenu]WRAP
Unhide ▄
 ▀▀▀▀▀▀▀

 Action    name: Unhide
 Current hotkey: @<Unhide>

This command allows you to unhide a hidden part of disassembly.

If the cursor is on the hidden function name,
the function will be unhidden.

If the cursor is on the terse structure variable, the structure
will be uncollapsed and displayed in the regular form.

If the cursor is on the hidden range, the hidden range
will be unhidden.

If the cursor is on the hidden segment name,
the segment will be unhidden.

See also @0:599[hide] command and @0:601[setup hidden] command.

See also @0:583[Edit|View] submenuRWRAP
Setup hidden items ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetupHidden
 Current hotkey: @<SetupHidden>

This command allows you to toggle the display of @0:599[hidden] items.

Automatically hide library functions

        This option hides the functions recognized by FLIRT.
        If will have an effect only from the time when the option is set.

Display hidden instructions

        If this option is set, IDA will display all the instructions
        as unhidden even if they were hidden.

Display hidden functions

        If this options is set, IDA will display all the functions
        as unhidden even if they were hidden.

Display hidden segments

        If this options is set, IDA will display all the segments
        as unhidden even if they were hidden.

See also @0:583[View] submenu.ÏWRAP
Options Submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to change various options and settings:

    @0:605[Text representation...]
    @0:1369[Comments...]
    @0:607[Representation of cross references...]
    @0:1713[Disable history]
    @0:1712[Clear undo history]
    @0:608[Assembler directives...]
    @0:609[Names representation...]
    @0:611[Demangled C++ names...]
    @0:1354[Compiler...]
    @0:613[String styles...]
    @0:614[String options...]
    @0:615[Colors...]
    @0:616[Dump/normal View]
    @0:617[Setup data types...]

    @0:618[Processor type...]
    @0:619[Target assembler...]

    @0:620[Analysis options...]

See also @0:428[Menu Bar] submenus.êWRAP
Text Representation Dialog ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command changes the look of the disassembly.
Here you can change the values of the following checkboxes/input fields:

Line prefixes

        This checkbox enables or disables line prefixes display.
        Line prefix is the address of the current byte:

         3000:1000      mov ax, bx
         ^^^^^^^^^

        @0:419[IDA.CFG] parameter: SHOW_LINEPREFIXES

Number of opcode bytes

        Opcode bytes are shown below:

         3000:1000 55           push    bp
                   ^^^^^^^^^

        The opcode is the operation code of the current instruction.
        For the data items, the opcodes are elements of data directives.
        Sometimes there is not enough place to display all bytes of an item
        (of a large array, for example). In this case, IDA will display just
        the few first bytes of the item. For the code items, IDA will try
        to display all bytes of the instruction, even if it requires adding
        more lines just for the opcode bytes. If this behavior is not desired,
        the number of opcode bytes can be specified as a negative value.
        A negative value -N means to display N opcode bytes on a line but
        never display empty lines just for the opcode bytes.
        By default, IDA does not display the opcodes.

        @0:419[IDA.CFG] parameter: OPCODE_BYTES

Use segment names

        This option controls the appearance of the segment names in the
        addresses. Example (codeseg has base 3000):

           Enabled:     codeseg:0034
           Disabled:    3000:0034

        @0:419[IDA.CFG] parameter: USE_SEGMENT_NAMES

Segment addresses

        Marking this checkbox, you can disable segment addresses in the
        disassembly. IDA will show only offsets. Example:

           Enabled:     codeseg:0034
           Disabled:    0034

        @0:419[IDA.CFG] parameter: SHOW_SEGMENTS

Function offsets

        This option controls the appearance of the line prefixes.
        If it is enabled, the addresses will be displayed as offsets
        from a function beginning. Example:

           Enabled:     somefunc+0x44
           Disabled:    cseg:0x4544

Right margin

        This option controls the length of disassembly lines for data
        directives.

        @0:419[IDA.CFG] parameter: MAX_DATALINE_LENGTH

Instruction indention

        You can change indention of disassembled instructions:

                         mov ax, bx
         <-------------->
            indention

        @0:419[IDA.CFG] parameter: INDENTION

Display bad instruction <BAD> marks

        Some assemblers do not understand some instructions even if they
        must. For example, the Z80 processor has several undocumented
        instructions and many assemblers fail to recognize them. IDA knows
        about this fact and tries to produce an output that can be compiled
        without errors, so it replaces such instructions with data bytes.

        The problem is more severe with Intel 80x86 processors: the same
        instruction can be coded differently. There are 2 operation codes
        for ADD instruction, etc. The worst thing is that the different
        operation codes have different lengths. If the assembler used to
        compile a file and your assembler produce different operation codes,
        you may obtain completely different output files.

        That is why IDA can mark such instructions as <BAD> and replace them
        with data bytes. Example:

           Enabled:
                        db 0Fh,86h,7Eh,0,0,0 ; <BAD> jbe     loc_0_205
                        db 0Fh,82h,78h,0,0,0 ; <BAD> jb      loc_0_205
                        db 0Fh,83h,72h,0,0,0 ; <BAD> jnb     loc_0_205
           Disabled:
                        jbe     loc_0_205
                        jb      loc_0_205
                        jnb     loc_0_205

        @0:419[IDA.CFG] parameter: SHOW_BAD_INSTRUCTIONS

Use tabulations in output

        You can disable the tab chars (0x09) in the output file if you do not
        like them. By default, IDA produces output files with tab chars.

        @0:419[IDA.CFG] parameter: USE_TABULATION

low suspicious limit
high suspicious limit

        Click @0:606[here] to get information about these fields.

Display stack pointer

        If this option is set, IDA will display the value of
        the stack pointer in the line prefix.

        @0:419[IDA.CFG] parameter: SHOW_SP

See also @0:604[Options] submenu.+WRAP
Low & High Suspicious Operand Limits ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

If IDA suspects that an operand can be represented as something different
from a plain number, it will mark the operand as "suspicious" and display
it in red/orange.

Two values control the definition of suspiciousness.  An operand is 'suspicious' if
it has an immediate value between low and high 'suspicious' limits.
The comparison is always unsigned, i.e. in the instruction

        mov ax,[bp-2]

  the immediate operand is 0xFFFE, not -2.


IDA uses a simple heuristic to determine initial suspiciousness limits.
You may change these limits any time you want.

See also

         @0:1369[Comments Dialog]
         @0:423[How to Enter a Number].¤WRAP
Cross References Dialog ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA maintains cross-references automatically. Of course, when IDA starts to
disassemble a new file, the cross-references will not appear immediately;
they will be collected during background @0:416[analysis].

This command changes the representation of cross references.

Display segments in xrefs

        This checkbox enables or disables segments in cross references:

           Enabled:     ; CODE XREF: 3000:1025
           Disabled:    ; CODE XREF: 1025

Display xref type mark

        If this option is disabled, IDA will not display "CODE"
        or "DATA" in the cross-references.

        @0:419[IDA.CFG] parameter: SHOW_XREF_TYPES

Display function offsets

        This option controls the appearance of the cross-reference addresses.
        If it is enabled, the addresses will be displayed as offsets
        from a function beginning. Example:

           Enabled:     somefunc+0x44
           Disabled:    cseg:0x4544

        @0:419[IDA.CFG] parameter: SHOW_XREF_FUNC

Display xref values

        If this option is disabled, IDA will just display the presence
        of cross-references, like this:

                ; CODE XREF: ...

        @0:419[IDA.CFG] parameter: SHOW_XREF_VALUES

Right margin

        Determines the maximal length of a line with the cross references.

        @0:419[IDA.CFG] parameter: MAX_XREF_LENGTH

Cross reference depth

        This value "how many bytes of an object to look at to collect
        cross references". For example we have an array:

                A       db 100 dup(0)

        If some instruction refers to the 5-th element of the array:

                mov     al,A+5

         with TD=3      we'll have no xrefs displayed
         with TD=10     we'll have this xref

        @0:419[IDA.CFG] parameter: MAX_TAIL

Number of xrefs to display

        Determines the maximal number of the cross references to display.
        You may keep this value low because you can access all xrefs by
        using the @0:564[Jump to cross reference] command.

        @0:419[IDA.CFG] parameter: SHOW_XREFS

See also @0:604[Options] submenu.
WRAP
Assembler Directives Dialog ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command enables/disables the generation of some assembler directives,
namely:

        assume directive
        origin directive

Sometimes (when you do not intend to assemble the output file), you may want
to disable their generation.

See also @0:604[Options] submenu.þ
WRAP
Names Representation ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetNameType
 Current hotkey: @<SetNameType>

Dummy names are automatically generated by IDA. They are used to denote
subroutines, program locations and data.

Dummy names have various prefixes depending on the item type and value:

  sub_          instruction, subroutine start
  locret_       'return' instruction
  loc_          instruction
  off_          data, contains offset value
  seg_          data, contains segment address value
  asc_          data, string literal
  byte_         data, byte
  word_         data, 16-bit
  dword_        data, 32-bit
  qword_        data, 64-bit
  byte3_        data, 3 bytes
  xmmword_      data, 128-bit
  ymmword_      data, 256-bit
  packreal_     data, packed real
  flt_          floating point data, 32-bit
  dbl_          floating point data, 64-bit
  tbyte_        floating point data, 80-bit
  stru_         structure
  custdata_     custom data type
  algn_         alignment directive
  unk_          unexplored byte

You can change representation of dummy names.
IDA supports several types of dummy names:

  0     loc_0_1234     segment base address relative to program base address
                       & offset from the segment base
  1     loc_1000_1234  segment base address & offset from the segment base
  2     loc_dseg_1234  segment name & offset from the segment base
  3     loc_0_11234    segment relative to base address & full address
  4     loc_1000_11234 segment base address & full address
  5     loc_dseg_11234 segment name & full address
  6     loc_12         full address
  7     loc_0012       full address (at least 4 digits)
  8     loc_00000012   full address (at least 8 digits)
  9     dseg_1234      the same as 2, but without data type specifier
 10     loc_1          enumerated names (loc_1,loc_2,loc_3...)

If you have selected names type 10 (enumerated names), you may
renumber them using a checkbox. The process is relatively fast, surprisingly.

The best representation for MS DOS programs is #0,
for 16-bit processors - #7, and for 32-bit processors - #8.
You can change dummy names type any time you want.

You can also set up types of names included in the @0:545[name list].
IDA knows about the following types of names:

        - normal names
        - public names
        - weak public or extern names
        - autogenerated (meaningful) names.
        - dummy (meaningless) names.

Dummy names may be public or weak, but they never appear in the list of names.
You can specify the type of a name when you create or @0:457[modify] it.

You can also set maximal length of new names. Old names will not be
affected by this parameter.

See also:

  @0:457[Rename] command
  @0:604[Options] submenuWRAP
Demangled Names ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀


 Action    name: SetDemangledNames
 Current hotkey: @<SetDemangledNames>

IDA can demangle mangled C++ names of the most popular C++ compilers:

        - Microsoft
        - Borland
        - Watcom
        - Visual Age
        - GNU

The demangled names are represented in two
forms: short and long form. The short form is used when a name is used as a
reference, the long form is used at the declaration.

You can set how demangled C++ names must be represented:

        - as comments. this representation allows you to obtain
          recompilable source text
        - instead of mangled names. this representation makes the output
          more readable. the disadvantage is that you cannot recompile the
          output
        - don't display demangled names.

You can setup short and long forms of demangled names. Short form is used
when a reference to the name is made; long form is used at the declaration.

To make demangled names more readable, we introduce the possibility to
suppress pointer modifiers (near/far/huge).

To demangle GNU C v3.x names, the "Assume GCC v3.x names" checkbox should be set,
otherwise such names might not be demangled.
furthermore, to make the demangled name more compact, unsigned types may be displayed
as uchar, uint, ushort, ulong. The same with signed basic types.

If the "Override type info" checkbox is set, the demangled name overrides the
type information if both are present.


See also @0:612[How to customize demangled names]x
WRAP
Customize Demangled Names ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

All your changes will be saved in the current database. If you want to change the
form of demangled names for all new databases, then you need to edit
the @0:419[configuration] file,
variables 'ShortNameForm' and 'LongNameForm'.
Below is the list of all checkboxes with examples (spaces are inserted only
for the ease of understanding):

Only main name

        on:     func;
        off:    static void __pascal func(void) const;

No underscores in calling conventions

        on:     void   pascal func(void);
        off:    void __pascal func(void);

No calling conventions for parameters and __based()

        on:  void         func(int (*          f2)(void));
        off: void __cdecl func(int (* __pascal f2)(void));

No return type of functions

        on:         func(void);
        off:    int func(void);

No "based()" specifier

        on:   int                            a;
        off:  int __based(__segname("DATA")) a;
        on:   void __based(void) *b;
        off:  void               *b;
        on:   int __based(__self) (*p)(void);
        off:  int                 (*p)(void);

No calling conventions

        on:     void          func(void);
        off:    void __pascal func(void);

No postfix const

        on:     void aclass::func(void);
        off:    void aclass::func(void) const;

No access keywords

        on:             void func(void);
        off:    private void func(void);

No throw descriptions

        on:     void func(void);
        off:    void func(void) throw(Class::Member);

No static and virtual keywords

        on:                    void aclass::func(void);
        off:    static virtual void aclass::func(void);

No UDT keywords

        on:            A & func(      A *,      B *);
        off:     class A & func(class A *, enum B *);

No const and volatile keywords

        on:     char       * func(void);
        off:    char const * func(void);

No __closure keyword

        Do not display '__closure'

No __unaligned keyword

        Do not display '__unaligned'

No __pin/__box/__gc

        Do not display '__pin', '__box', '_gc'

Suppress pointer modifiers

     Selection    16Names     Description
     ---------    -------     -----------
     near           Yes     Do not display 'near'
     near/__ptr64           Do not display 'near' and '__ptr64'
     far            Yes     Do not display 'far'
     all, 16bit     Yes     Do not display any modifiers
     huge           Yes     Do not display 'huge'
     __ptr64                Do not display '__ptr64'
     Display all    Yes     Display all modifiers
     Display none   Auto    Do not display any modifiers

     16bit means that the demangler will assume that
     names were generated by 16bit compilers. Otherwise,
     it will assume names generated by 32/64 bit compilers.

Quash j_

        This option allows IDA to demangle a name even if it was formed
        by adding j_ prefix to a mangled name. The prefix j_ will simply
        be thrown away.

Transfer j_

        This option also allows IDA to demangle names with prefix j_.
        Unlike the previous option, this one will show the prefix
        in the demangled name.

Ignore postfix _nn

        This option allows IDA to demangle names formed by adding
        postfix _nn to a mangled name (n is any digit).
MWRAP
String literal style dialog ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetStrlitStyle
 Current hotkey: @<SetStrlitStyle>

With this dialog you can setup string styles and also create a new
string immediately at the current location.

The following string styles are defined:

      C-style (zero-terminated)
      DOS style ($ terminated)
      Pascal style (one byte length prefix)
      Wide pascal (two-byte length prefix)
      Delphi (four-byte length prefix)
      Unicode (UTF-16)
      Unicode pascal style (two-byte length prefix)
      Unicode wide pascal style (four-byte length prefix)
      Character terminated

If you select "character terminated" string style then you may
specify up to 2 termination characters. The string will be terminated
by any of these characters. If the second character
is equal to 0, then it is ignored.

In IDA Qt you can also set a specific encoding to be used to display the string,
or change the defaults for all strings. See @0:1433[string encodings].

See also @0:604[Options] submenu.^WRAP
String options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This dialog sets up the string literals options:

Generate names

        If this option is set, IDA will give meaningful names to
        newly created string literals.

Names prefix

        This prefix will be used to form the string name.

Mark as autogenerated

        If a name is marked as @0:609[autogenerated], it will be
        displayed in a different color and will be included in the
        @0:545[list] of names depending on the current setting.

Generate serial names

        IDA can generate serial names for string literals, i.e.

                pref_001,pref_002,pref_003 etc...

        To enable serial names generation, specify
        prefix for names,starting serial number and number of leading zeroes.

        Each time you @0:454[create] a string literal, IDA generates
        a new serial name and assigns it to the string.

String literal next line char

        This symbol, when encountered in the string, will make
        IDA start a new line in the string representation in the
        disassembly. Usually it is the line feed character ('\n').

Comment string literal references:

        This option tells IDA to display the contents of the string
        literal next to the instruction or offset that refers to the string.

See also @0:604[Options] submenu.¯WRAP
Color configuration ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This dialog allows you to customize the color settings.

 GUI version:
 ------------

IDA keeps the color configuration in the registry. There are 3 predefined
schemes. The user can modify the existing schemes or add his own schemes.
New schemes should be added to the "themes" subdirectory in IDA.

 Text version:
 -------------

IDA keeps colors in file IDACOLOR.CF. This file may reside in the IDA
directory or in the current directory. It is a binary file.
IDA automatically saves all your changes into this file.

If the current item line prefix has "black on black" color, then
the current item will not be highlighted. The same is with current line
color - if it is "black on black", the current line will not be highlighted.

You can change the colors using the Customize button.
You may have up to 4 different color palettes and switch between them
on fly. The color palette is saved in IDACOLOR.CF file.

Each line prefix has its own color code depending on the current item:
(the fourth color palette values are shown)

 Line prefixes
   Library function             BRIGHT CYAN ON BLUE
   Regular function             WHITE ON BLUE
   Instruction                  BROWN ON BLUE
   Data                         WHITE ON BLUE
   Unexplored                   WHITE ON BLACK
   Externs                      BRIGHT MAGENTA ON BLUE
   Current item                 BRIGHT BLUE ON BLUE
   Current line                 YELLOW ON BLUE
   Default                      BLACK ON BLACK (not used)

If the "current item" or "current line" are BLACK ON BLACK, then
they will not be highlighted.

The rest of the line is colored with the following codes:

 Keywords
   Instruction                  WHITE ON BLUE
   Directive                    YELLOW ON BLUE
   Macro name                   MAGENTA ON BLUE
   Register name                WHITE ON BLUE
   Other                        WHITE ON BLUE

 Names
   Dummy data                   WHITE ON BLUE
   Dummy code                   WHITE ON BLUE
   Dummy unexplored             MAGENTA ON BLUE
   Hidden                       GREY ON BLUE
   Library function             BRIGHT CYAN ON BLUE
   Local variable               GREEN ON BLUE
   Regular data                 YELLOW ON BLUE
   Regular code                 YELLOW ON BLUE
   Regular unexplored           RED ON BLUE
   Demangled                    BRIGHT GREEN ON BRIGHT BLUE
   Segment name                 YELLOW ON BLUE
   Imported name                LIGHT MAGENTA ON BLUE

 Constants
   Suspicious                   BRIGHT RED ON BLUE
   Char in instruction          BRIGHT CYAN ON BLUE
   String in instruction        BRIGHT CYAN ON BLUE
   Number in instruction        BRIGHT GREEN ON BLUE
   Char in data                 BRIGHT GREEN ON BLUE
   String in data               BRIGHT GREEN ON BLUE
   Number in data               WHITE ON BLUE

 Xrefs
   Code                         GREEN ON BLUE
   Data                         CYAN ON BLUE
   Code to tail                 BRIGHT RED ON BLUE
   Data to tail                 MAGENTA ON BLUE

 Comments
   Automatic                    BROWN ON BLUE
   Regular                      BRIGHT WHITE ON BLUE
   Repeatable                   BROWN ON BLUE
   Extra line                   YELLOW ON BLUE

 Other
   Punctuation                  WHITE ON BLUE
   Opcode bytes                 BRIGHT GREEN ON BLUE
   Manual operand               BRIGHT WHITE ON BLUE
   Errors                       RED ON BLACK
   Selected                     BLACK ON WHITE
   Default                      YELLOW ON BLUE

(Other,Default) color code is used if a token has no color attached to it.

See also @0:604[Options] submenu.uWRAP
Dump/normal View ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ToggleDump
 Current hotkey: @<ToggleDump>

This command switches the current disassembly window mode between
dump mode and normal mode.
Initially all disassembly windows are in normal mode
so you can see instructions and data.
When you are in dump mode, no instructions or data are displayed.
All bytes of the program will be dumped
on the screen as plain bytes and in ASCII.
This command may be useful when you want to find something in the program visually.
Do not forget that many commands continue to work in dump mode.
For example, you can use binary @0:579[search] command.

The text version supports only paragraph aligned addressing in the view.
Switching to the hex dump view and back may change the cursor position in the disassembly listing.

See also @0:604[Options] submenu.WRAP
Setup data types ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetupData
 Current hotkey: @<SetupData>

This command allows you to select the data types used in the round-robin
carousel in @0:453[MakeData] command.

Valid data types are:

        - byte
        - word          (2 bytes)
        - double word   (4 bytes)
        - float         (4 bytes)
        - quadro word   (8 bytes)
        - double        (8 bytes)
        - long double   (10 or 12 bytes)
        - packed real   (10 or 12 bytes)
        - octa word     (16 bytes)

Naturally, not all data types are usable for all processors. For example,
Intel 8051 processor doesn't have the 'double word' type.

Furthermore, this command allows you to select a data type for the current undefined
item and convert it to data.

Please note that if the current processor does not support a data
type, you cannot assign it even if you have selected it.
If you unselect all data types, IDA will use the 'byte' type.

See also @0:604[Options] submenu.©"WRAP
Processor Type ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetProcessor
 Current hotkey: @<SetProcessor>


Valid processor types are:

  type      description
  ----      -----------

  8086    - Intel 8086                   ┐
  80286r  - Intel 80286 real mode        │
  80286p  - Intel 80286 protected mode   │
  80386r  - Intel 80386 real mode        │
  80386p  - Intel 80386 protected mode   │
  80486r  - Intel 80486 real mode        │
  80486p  - Intel 80486 protected mode   │
  80586r  - Intel Pentium & MMX real mode│ (IBM PC family)
  80586p  - Intel Pentium & MMX prot mode│
  80686p  - Intel Pentium Pro & MMX      │
  k62     - AMD K6-2 with 3DNow!         │
  p2      - Intel Pentium II             │
  p3      - Intel Pentium III            │
  athlon  - AMD K7                       │
  p4      - Intel Pentium 4              │
  metapc  - Disassemble all IBMPC opcodes┘
  8085    - Intel 8085                   ┐
  z80     - Zilog 80                     │
  z180    - Zilog 180                    │ (Zilog 80 family)
  z380    - Zilog 380                    │
  64180   - Hitachi HD64180              │
  gb      - Gameboy                      ┘
  z8      - Zilog 8                        (Zilog 8 family)
  860xr   - Intel 860 XR                 ┐ (Intel 860 family)
  860xp   - Intel 860 XP                 ┘
  8051    - Intel 8051                     (Intel 51 family)
  80196   - Intel 80196                  ┐ (Intel 80196 family)
  80196NP - Intel 80196NP, NU            ┘
  m6502   - MOS 6502                     ┐ (MOS Technology 65xx family)
  m65c02  - MOS 65c02                    ┘
  pdp11   - DEC PDP/11                     (PDP family)
  68000   - Motorola MC68000             ┐
  68010   - Motorola MC68010             │
  68020   - Motorola MC68020             │
  68030   - Motorola MC68030             │
  68040   - Motorola MC68040             │ (Motorola 680x0 family)
  68330   - Motorola CPU32 (68330)       │
  68882   - Motorola MC68020 with MC68882│
  68851   - Motorola MC68020 with MC68851│
  68020EX - Motorola MC68020 with both   │
  colfire - Motorola ColdFire            │
  68K     - Motorola MC680x0 all opcodes ┘
  6800    - Motorola MC68HC00            ┐
  6801    - Motorola MC68HC01            │
  6803    - Motorola MC68HC03            │
  6301    - Hitachi HD 6301              │
  6303    - Hitachi HD 6303              │
  6805    - Motorola MC68HC05            │ (Motorola 8bit family)
  6808    - Motorola MC68HC08            │
  6809    - Motorola MC68HC09            │
  6811    - Motorola MC68HC11            ┘
  6812    - Motorola MC68HC12
  hcs12   - Motorola MC68HCS12
  6816    - Motorola MC68HC16
  java    - java                           (Java family)
  ppc     - PowerPC big endian           ┐
  ppcl    - PowerPC little endian        ┘ (PowerPC family)
  arm     - ARM little endian            ┐ (@0:1350[ARM] family)
  armb    - ARM big endian               ┘
  tms320c2- TMS320C2x series             ┐ (TMS 16bit addressing family)
  tms320c5- TMS320C5x series             ┘
  tms320c6- TMS320C6x series             ┐ (TMS VLIW family)
  tms320c3- TMS320C3x series             ┘
  tms32054- TMS320C54xx series
  tms32055- TMS320C55xx series
  sh3     - Renesas SH-3 (little endian) ┐
  sh3b    - Renesas SH-3 (big endian)    │ (Renesas SuperH series)
  sh4     - Renesas SH-4 (little endian) │
  sh4b    - Renesas SH-4 (big endian)    │
  sh2a    - Renesas SH-2A (big endian)   ┘
  avr     - ATMEL AVR                      (ATMEL family)
  mipsl   - MIPS little endian           ┐ (MIPS family:R2000, R3000, R4000,
  mipsb   - MIPS big endian              │ R4200, R4300,  R4400, R4600,
  mipsrl  - MIPS & RSP little            │ R8000, R10000)
  mipsr   - MIPS & RSP big               │
  r5900l  - MIPS R5900 little            ┘
  r5900r  - MIPS R5900 big               ┘
  h8300   - H8/300x in normal mode       ┐
  h8300a  - H8/300x in advanced mode     │ (Hitachi H8 family)
  h8s300  - H8S in normal mode           │
  h8s300a - H8S in advanced mode         ┘
  h8500   - H8/500                         (Hitachi H8/500 family)
  pic12cxx- Microchip PIC 12-bit (12xxx) ┐
  pic16cxx- Microchip PIC 14-bit (16xxx) │ (PIC family)
  pic18cxx- Microchip PIC 16-bit (18xxx) ┘
  sparcb  - SPARC big endian             ┐
  sparcl  - SPARC little endian          ┘ (SPARC family)
  alphab  - DEC Alpha big endian         ┐
  alphal  - DEC Alpha little endian      ┘ (ALPHA family)
  hppa    - HP PA-RISC big endian          (HP PA-RISC family)
  dsp56k  - Motorola DSP 5600x           ┐
  dsp561xx- Motorola DSP 561xx           │ (DSP 56K family)
  dsp563xx- Motorola DSP 563xx           │
  dsp566xx- Motorola DSP 566xx           ┘
  c166    - Siemens C166                 ┐
  c166v1  - Siemens C166 v1 family       │
  c166v2  - Siemens C166 v2 family       │ (C166 family)
  st10    - SGS-Thomson ST10             │
  super10 - Super10                      ┘
  st20    - SGS-Thomson ST20/C1            (ST20 family)
  st20c4  - SGS-Thomson ST20/C2-C4
  st7     - SGS-Thomson ST7                (ST7 family)
  ia64l   - Intel Itanium little endian  ┐
  ia64b   - Intel Itanium big endian     ┘ (IA64 family)
  cli     - Microsoft.Net platform
  net     - Microsoft.Net platform (alias)
  i960l   - Intel 960 little endian      ┐
  i960b   - Intel 960 big endian         ┘ (i960 family)
  f2mc16l - Fujitsu F2MC-16L             ┐
  f2mc16lx- Fujitsu F2MC-16LX            ┘ (Fujitsu F2MC family)
  78k0    - NEC 78k/0
  78k0s   - NEC 78k/0s
  m740    - Mitsubishi 8-bit
  m7700   - Mitsubishi 16-bit            ┐
  m7750   - Mitsubishi 16-bit            ┘ (Mitsubishi 16-bit family)
  m32r    - Mitsubishi 32-bit            ┐
  m32rx   - Mitsubishi 32-bit extended   ┘ (Mitsubishi 32-bit family)
  st9     - STMicroelectronics ST9+
  fr      - Fujitsu FR family
  m7900   - Mitsubishi M7900
  kr1878  - Angstrem KR1878
  ad218x  - Analog Devices ADSP
  oakdsp  - Atmel OAK DSP
  tricore - Infineon Tricore
  ebc     - EFI Bytecode
  msp430  - Texas Instruments MSP430

You can change processor type only within the current family. If you have
selected IBM PC family, you cannot select Zilog 80 family
and vice versa.

Processor modules can accept additional options that can be passed on the commandline with the -p switch.
Currently only the @0:1350[ARM] module supports it. For example, -parm:ARMv7-A will turn on options specific for the
ARMv7-A architecture, such as NEON instruction set.

For information about additional processor modules, please visit
our web page at https://www.hex-rays.com/products/ida/processors.shtml

Please note that when you change the processor type, IDA may change the
@0:619[target assembler], so check it out.

You may get a message saying that IDA does not know the specified
processor if IDA fails to load the corresponding processor module.

        Windows IDA uses .dll file extension
        Linux IDA uses .so file extension
        Mac IDA uses .dylib file extension

NOTE: modules compiled with support for 64-bit address space, will
feature a '64' suffix before the extension. E.g., 'pc64.dll'

NOTE: Changing the processor type leads to reanalysis of the whole program.
Sometimes this is useful.

NOTE: when you load a new processor module, all @0:416[analysis]
options are reset to the values specified in
the @0:419[configuration] file.

IDA determines the default processor using the input file extension and the
contents of the input file.
The table which describes the input file extensions and the corresponding
processor types is located in @0:419[IDA.CFG] file and looks like this:

 DEFAULT_PROCESSOR = {
 /* Extension   Processor */
  "com" :       "8086"                  // IDA will try the specified
  "exe" :       "80386r"                // extensions if no extension is
  "dll" :       "80386r"                // given.
  "drv" :       "80386r"
  "o"   :       "68000"
  "prc" :       "68000"                 // PalmPilot programs
  "axf" :       "arm"
  "h68" :       "68000"                 // MC68000 for *.H68 files
  "i51" :       "8051"                  // i8051   for *.I51 files
  "sav" :       "pdp11"                 // PDP-11  for *.SAV files
  "rom" :       "z80"                   // Z80     for *.ROM files
  "cla" :       "java"                  // Java classes
  "class":      "java"                  // Java classes
  "s19":        "6811"
  "*":          "80386p"                // Default processor
}

If you want to change the default processor type, you need to change this table.
You may add/delete rows in this table.

See also:
  @0:604[Options] submenu.
  @0:1350[ARM] processor specifics.
$WRAP
Specify Target Assembler ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetAssembler
 Current hotkey: @<SetAssembler>

This command allows you to change the target assembler, i.e. the assembler
for which the output is generated. You select the target assembler from
a menu. The menu items depend on the current @0:618[processor type].

NOTE: Currently, IDA supports only a generic assembler
for 80x86 processors. We recommend the use of Borland's TASM to compile the
output assembler files.NWRAP
Analysis options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetAuto
 Current hotkey: @<SetAuto>

This command allows you to disable and enable the autoanalysis
and its indicator.

Usually, the auto analysis is enabled.
Disable it if you are sure that it will help you.

Here you can change various kernel analysis @0:621[options 1]
and @0:622[options 2] and @0:1688[options 3],
change the processor type (if the processor module supports several types), or
the assembler style.
If the current @0:618[processor] has options, there will also be a button
to change processor-specific options.
If the current @0:618[processor] supports memory mapping, there will
also be a button to change the memory mapping ranges.

The analysis indicator is located in the bottom left corner of the main IDA window (upper right corner in text version).
Possible values of the indicator:

 "          " empty indicator means that the indicator is turned off.
 AU:  idle    Autoanalysis is finished.
 AU:disabled  Autoanalysis is disabled.
 FL:<address> execution flow is being traced
 PR:<address> a function is being created
 TL:<address> a function tail is being created
 SP:<address> the stack pointer is being traced
 AC:<address> the address is being analyzed
 LL:<number>  a signature file is being loaded
 L1:<address> the first pass of FLIRT
 L2:<address> the second pass of FLIRT
 L3:<address> the third pass of FLIRT
 TP:<address> type information is being applied
 FI:<address> the final pass of autoanalysis
 WF:<address> weak execution flow is being traced
 ??:<address> the address becomes unexplored
  @:<number>  indication of various activity

Hint: you can right-click the analysis indicator to quickly disable or enable it, or to reanalyze the program.

See also @0:604[Options] submenu.
         @0:416[auto analysis explanation].
ÚWRAP
Kernel analysis options 1▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Trace execution flow

  This option allows IDA to trace execution flow and convert all
  references bytes to @0:452[instructions].

Mark typical code sequences as code

  IDA knows some typical code sequences for each processor.
  For example, it knows about typical sequence

          push    bp
          mov     bp, sp

  If this option is enabled, IDA will search for all typical sequences
  and convert them to instructions even if there are no references
  to them. The search is performed at the loading time.

Locate and create jump tables

  This option allows IDA to try to guess the address and size of jump
  tables. Please note that disabling this option will not disable
  the recognition of C-style typical switch constructs.

Control flow to data segment is ignored

  If set, IDA will not analyze code reference targets in
  pure data segments. Usually pure data segments have some
  instructions (e.g. thunk functions), that's why this option
  is set off by default. For Mach-O files, it is set on
  because pure data segment do not contain instructions in them.

Analyze and create all xrefs

  If this option is disabled, IDA will not thoroughly analyze the program: it
  will simply trace execution flow, nothing more (no xrefs, no additional
  checks, etc)

Delete instructions with no xrefs

  This option allows IDA to undefine instructions without any xrefs to them.
  For example, if you @0:456[undefine] an instruction at the start of a
  function, IDA will trace execution flow and delete all instructions
  that lose references to them.

Create function if data xref data->code32 exists

  If IDA encounters a data reference from DATA segment to 32bit
  CODE segment, it will check for the presence of meaningful
  (disassemblable) instruction at the target. If there is an
  instruction, it will mark it as an instruction and will create
  a function there.

Create functions if call is present

  This option allows IDA to create @0:484[function] (proc) if a call
  instruction is present. For example, the presence of:

          call loc_1234

  leads to creation of a function at label loc_1234

Create function tails

  This option allows IDA to find and append separately located
  function tails to function definitions.

Create stack variables

  This option allows IDA to automatically create stack variables and
  function parameters.

Propagate stack argument information

  This option propagates the stack argument information
  (the type and the name) to the caller's stack. If the caller is
  called, then the information will be propagated further through
  the whole program. Currently, the type propagation is really
  simple and non-intelligent: the first encountered type for
  a stack variable will be used.

Propagate register argument information

  This option propagates the register argument information
  (the type and the name) to the caller. If the caller is
  also called, then the information will be propagated further through
  the whole program.

Trace stack pointer

  This option allows IDA to @0:489[trace] the value of the SP register.

Perform full stack pointer analysis

  This option allows IDA to perform the stack pointer
  analysis using the simplex method. This option is valid
  only for the IBM PC processor.

Perform 'no-return' analysis

  This option allows IDA to perform the control flow
  analysis and determine functions which do not return to
  their callers. The 'exit()' function, for example, does not
  return to its caller.

Try to guess member function types

  If set, IDA will guess member function types using the demangled
  names. Please note that this rule may occasionally produce wrong
  results, for example, for static member functions. IDA has no
  means of distinguishing them from non-static member functions.
  If clear, IDA will guess only types of non-member functions.

See also @0:622[analysis options 2] @0:1688[analysis options 3]
{WRAP
Kernel analysis options 2▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Truncate functions upon code deletion

  Truncate functions when the code at the function end gets deleted.
  If this option is turned off, IDA does not modify function
  definitions when code is deleted.

Create string literals if data xref exists

  If IDA encounters a data reference to an undefined item, it checks for the
  presence of the string literal at the target. If the length of the candidate
  string literal is big enough (more than 4 chars in 16bit or data
  segments; more than 16 chars otherwise), IDA will automatically create
  a @0:454[string literal].

Check for unicode strings

  This option allows IDA to check for the presence of the unicode
  strings in the program and creates them if necessary.
  IDA will check for the unicode strings only if the @0:613[string style]
  is set to "C-style (0 terminated)" or "Unicode".

Create offsets and segments using fixup info

  IDA will use relocation information to make the disassembly
  nicer. More precisely, it will convert all data items with
  relocation information to words or dwords like this:

          dd offset label
          dw seg seg000

  If an instruction has a relocation information attached to it,
  IDA will convert its immediate operand to an offset or segment:

          mov     eax, offset label

  You can display the relocation information attached to the current
  item by using show @0:598[internal] flags command.

Create offset if data xref to seg32 exists

  If IDA encounters a data reference to 32bit segment and the target
  contains 32bit value which can be represented as an offset expression,
  IDA will convert it to an offset.

Convert 32bit instruction operand to offset

  This option works only in 32bit and 64bit segments.
  If an instruction has an immediate operand and the operand
  can be represented as a meaningful offset expression, IDA will
  convert it to an offset. However, the value of immediate operand
  must be higher than 0x10000.

Automatically convert data to offsets

  This option allows IDA to convert all newly created data items
  to offsets if the following conditions are satisfied:
    - the offset target is a valid address in the program
    - the target address is higher than 0x20
    - the target does not point into the middle of an item
    - if the target is code, the execution does not flow to it
      from the previous instruction
    - the data is dword (4 bytes) in a 32-bit segment
      or qword(8 bytes) in a 64-bit segment
    - the segment type is not special (extern, communal, abs...)

Use flirt signatures

  Allows usage of FLIRT technology

Comment anonymous library functions

  This option appends a comment to anonymous library functions.
  The comment consists of the description of the FLIRT signature
  which has recognized the function and marked it as coming
  from a library.

Multiple copy library function recognition

  This option allows FLIRT to recognize several copies of the same
  function in the program.

Automatically hide libary functions

  This option hides the functions recognized by FLIRT.
  It will have effect only from the time it is set.

Rename jump functions as j_...

  This option allows IDA to rename simple functions containing only

          jmp somewhere

  instruction to "j_somewhere".

Rename empty functions as nullsub_...

  This option allows IDA to rename empty functions containing only
  a "return" instruction as "nullsub_..."
  (... is replaced by a serial number: 0,1,2,3...)

Coagulate data at the final pass

  This option is meaningful only if "Make final analysis pass"
  is enabled. It allows IDA to convert @0:456[unexplored] bytes
  to data arrays in the non-code segments.

Coagulate code at the final pass

  This option is meaningful only if "Make final analysis pass"
  is enabled. It allows IDA to convert @0:456[unexplored] bytes
  to data arrays in the code segments.

Make final analysis pass

  This option allows IDA to coagulate all @0:456[unexplored] bytes
  by converting them to data or instructions.

See also @0:621[analysis options 1] @0:1688[analysis options 3]

WRAP
Set Direction for Searches ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetDirection
 Current hotkey: @<SetDirection>

The current direction for searches is displayed in the right
upper corner of the screen. Using this command, you can toggle
the display.

See also

         @0:568[Search] submenu,
         @0:604[Options] submenu.
>
WRAP
Windows submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu allows you to manipulate windows on the screen.
You can also:

    @0:625[Set video mode...] (text version)
    @0:626[Invoke external help]
    @0:627[Consult keyboard layout] (text version)

See also @0:428[Menu Bar] submenus.5WRAP
Set Video Mode ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetVideoMode
 Current hotkey: @<SetVideoMode>

This command changes the current video mode.
The list of allowed video modes is kept in the
IDATUI.CFG file, the SCREEN_MODES parameter.

Please note that there are two instances in this variable:
one for MS-DOS and another for Windows.

If you use the MS DOS version, you need to specify the screen mode numbers
valid for you video card in SCREEN_MODES. Otherwise, this command will not
work.

See also @0:624[Windows] submenu.¡
WRAP
Invoke external help ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ExternalHelp
 Current hotkey: @<ExternalHelp>

This command invokes an external help.

In the MS Windows version of IDA, it starts WinHelp with the parameter
taken from the cursor location.

The HELPFILE parameter in IDATUI.CFG/IDAGUI.CFG points to the help file name.

See also @0:624[Windows] submenu. 
WRAP
Keyboard layout ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: KeyboardHelp
 Current hotkey: @<KeyboardHelp>

This command displays the current keyboard layout.

You can change the layout in the configuration file

        IDATUI.CFG (for the text version)
        IDAGUI.CFG (for the GUI version)

This command is available in the text version only.

See also @0:624[Windows] submenu.’WRAP
Moving The Segment Start ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

When you edit the segment boundaries, you can check the "move the adjacent segments"
checkbox.

IDA will try to shrink/expand the previous
segment in order to move the beginning of the selected segment.
Of course, you cannot move the start of the segment 'too far':

  - the segment must have at least 1 byte
  - the start address of the segment must be less than the end of the segment
  - no segments can be killed during moving
  - the segment cannot have bytes with negative offsets

You cannot shrink a segment to zero bytes. A segment must have
at least one byte.

This command is mostly used when IDA does not detect the boundary
between segments correctly.

Sometimes, IDA creates 2 segments where only
one segment must exist. In this case, you should not use this command.
Use the following sequence instead:

        - @0:513[delete] one segment.
          Choose the one with the bad segment base value.
          Do not disable addresses occupied by the segment being deleted.
        - change boundaries of the other segment.

Caution: moving the first segment of the program will
delete all information about the bytes between the old start of the segment
and the new start of the segment!

See also another command that changes segment bounds:

 @0:514[Edit Segment]
 @0:506[Edit|Segments] submenu. WRAP
Deleting a Segment ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

If you want to delete the segment, please mark 'CONFIRM DELETION' checkbox

Disable addresses checkbox ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

        CAUTION: ALL INFORMATION ABOUT THE SEGMENT WILL BE LOST!

If you disable the addresses occupied by the segment, all information
about these addresses will be lost. You will not see them on the screen anymore.

Otherwise, the segment will be deleted, but its data will remain unchanged.
You can create another segment(s) for these addresses using
@0:507[Create a New Segment] command.
¦
WRAP
Auto analysis is not completed ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

As long as auto analysis is not completed, the IDA database is not consistent:

  - not all @0:607[cross-references] are found
  - not all @0:452[instructions] are disassembled
  - not all @0:453[data] items are explored

See also:
  @0:416[auto analysis]
  @0:620[setup auto analysis]WRAP
Silent mode of IDA ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

In this mode, IDA will not display dialog boxes on the screen.
Instead, it will assume the default answer and proceed.
For example, if you press @<Quit>, IDA will promptly exit to OS
without asking for any confirmation.

To return to normal mode you will need to execute an IDC function:

        batch(0);

i.e. disable batch "silent" mode. To execute a script command, select
@0:437[File|Script command...] menu item or press @<ExecuteLine> hotkey.
†WRAP
Rename a structure/member ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA maintains separate namespaces for each structure. For example, you can define
something like this:

 xxx    struc
 xxx    db ?
 xxx    struc

Beware, usually
assemblers have one common namespace and do not allow the mentioned above example.

An empty name cannot be specified.

This command is available when you open a structure @0:593[window].

If the cursor is on the structure name at the beginning of the structure definition,
IDA proposes to rename the structure. Otherwise, IDA proposes to rename a structure
field.

If a structure is being renamed, the option "Don't include in the list" means
that the structure will not be included
in the list of the structures which appears when the user applies the structure
definition (for example, when the user creates a variable of this structure type).
We recommend to mark this checkbox when you have defined all variables of
this structure type and want to reduce the number of choices in the list.

See also @0:490[Edit|Structs] submenu.
         @0:424[How to Enter an Identifier]

WRAP
Delete a structure member ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Please remember that deleting a member deletes also all information
about this member, including comments, member name etc.

See also @0:490[Edit|Structs] submenu.
¨WRAP
Unpacked database is dangerous▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

First of all, you may lose all information because you will not have a backup
copy of the database. IDA makes modifications to the unpacked database
and if some unexpected condition occurs, the unpacked database
is usually damaged. IDA is able to repair this database, but some information
could be irreversibly lost, leading to disastrous consequences.

The only advantage of the unpacked database is that it is loaded very fast.
the same way, exiting IDA is fast too.

If packing is disabled, the @0:449[abort] command will not be available
the next time the database is loaded.

We strongly discourage using unpacked databases.

To disable this prompt in the future, simply modify ASK_EXIT_UNPACKED parameter in IDATUI.CFG or IDAGUI.CFG file.

Please note that when the "File -> Save as" is used with an unpacked database, IDA
will continue to use the unpacked database and not the newly created database (the saved as one).
In this case, please close and re-open the newly created database to ensure that IDA will use it
instead of the original database.
D
WRAP
Database Is Empty ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Although the database exists, it is empty.
Please delete it and start over.

If you have previously saved your database into a text file,
you can load it. See @0:444[Dump database] command for explanations.

See also @0:417[IDA usage help]9
WRAP
Illegal Usage of the Switch ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Not all switches can be used when you
start IDA for the second or more time.
Below are valid switches:

 -a     disable @0:416[auto analysis]
 -d     debug

See also @0:417[IDA usage help]&WRAP
Cannot find input File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA has tried to find a file with the extensions mentioned
in the @0:419[IDA.CFG] file, but could not find anything.

The default extension table looks like this:

 Extension    Processor

  "com" :       ""
  "exe" :       ""
  "dll" :       ""
  "drv" :       ""
  "sys" :       ""
  "bin" :       ""
  "ovl" :       ""
  "ovr" :       ""
  "ov?" :       ""
  "nlm" :       ""
  "lan" :       ""
  "dsk" :       ""
  "obj" :       ""
  "prc" :       "68000"
  "axf" :       "arm710a"
  "h68" :       "68000"
  "i51" :       "8051"
  "sav" :       "pdp11"
  "rom" :       "z80"
  "cla*":       "java"
  "s19":        "6811"
  "epoc":       "arm"
  "o":          ""

See also @0:417[IDA usage help]¹
WRAP
Patched Bytes Are Skipped ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Some bytes in program memory have no corresponding byte in the executable
file. For example, uninitialized data is not kept in the file.
OS/2 Warp and Window support compressed pages.

In this case, IDA cannot create a full difference file. It shows the skipped
byte addresses along with their values in the message window.
¹WRAP
List of Functions ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

You can use @0:427[list viewer] commands in this window.
Here is the @0:586[format] of this window.
aWRAP
Patched bytes have relocation information ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

If a byte has relocation information attached to it, then
the value of this byte is changed when the file is loaded into
the memory by the system loader or linker.
Therefore, it doesn't make much sense (and sometimes it is simply illegal)
to modify the byte.

We recommend to return the original value of the byte(s).

You can see the relocation information attached to an item by using the
@0:598[show internal flags] command.
"
WRAP
No Segment for the current byte ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Some commands cannot be applied to the addresses without a segment.

Create a segment first. You can do this using the
@0:507[CreateSegment] command.-Argument location has already been specified 
  <~D~LL directory:q:64:20::>
@0:618[]
Choose processor!Please press a key for macro...
Macro definition cancelled.
6@0:1133[]
You can't redefine the keys Alt-- and Alt-=!Defining macro for the key '%s'
.@0:1134[]
Already recording a macro for '%s'!Macro for '%s' is defined.
{WRAP
Append Function Tail ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: AppendFunctionTail
 Current hotkey: @<AppendFunctionTail>

This command appends an arbitrary range of the program to a function definition.
A range must be selected before applying this command. This range must not
intersect with other function chunks (however, an existing tail can be
added to multiple functions).

IDA will ask to select the parent function for the selection and will
append the range to the function definition.

See also

         @0:483[Edit|Functions] submenu.
         @0:688[Remove function tail]LWRAP
Remove Function Tail ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: RemoveFunctionTail
 Current hotkey: @<RemoveFunctionTail>

This command removes the function tail at the cursor from a function definition.

If there are several parent functions for the current function tail range,
IDA will ask to select the parent function(s) to remove the tail from.

After the confirmation, the current function tail range will be removed from the
selected function definition.

If the parent was the only owner of the current tail, then the tail will be destroyed.
Otherwise it will still be present in the database. If the removed parent was the owner
of the tail, then another function will be selected as the owner.

See also

         @0:483[Edit|Functions] submenu.
         @0:687[Append function tail]hWRAP
Empty input file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The input file doesn't contain any instructions or data, i.e. there is
nothing to disassemble.

Some file formats allow the situation when the file is not empty
but it doesn't contain anything to disassemble. For example,
COFF/OMF/EXE formats could contain a file header which just declares that
there are no executable sections in the file.

There could be type information, compiler options and other auxiliary
information in the file. This is the reason why the file doesn't look empty
but IDA doesn't find anything to disassemble.

WRAP
Not a virtual array file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The most probable error is that you tried to use an incompatible version
of IDA. Starting from IDA 2.0 beta2 the format of virtual files was changed.
Illegal argument location %sT
WRAP
Virtual Array: Too high VA version ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The most probable error is that you tried to open database with old version of IDA.
Please use newer version of IDA to open this database.

WRAP
Cannot create segment registers range ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This error happens because of the database corruption.
Try to finish your work as soon as possible and generate
the text source file.

The best choice would be to restore from a backup because the
database is corrupted.
q
WRAP
Cannot assign to Segment Register ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This error happens because of the database corruption.
Try to finish your work as soon as possible and generate
the text source file.

The best choice would be to restore from a backup because the
database is corrupted.
+WRAP
Cannot add the selection to the function definition ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This error message means that the selection cannot be added to the function.
It may be because of the following:

  - the specified function does not exist or it is not a function entry chunk

  - the selection crosses boundaries of the existing function chunks.
  the selection must not intersect with the existing function chunks
  or must be equal to a function tail chunk.

  - the selection crosses segment boundaries

  - the selection is in a special segment (imports, exports, ...)

  - the selection crosses boundaries of instructions or data

Correct your selection and try again.~F~ile~E~dit~J~ump	Searc~h~	~W~indow~V~iewDeb~u~g
~O~ptionsHelpOt~h~er~F~unctions~S~egments
S~t~ructs~E~nums~A~dd struct type...~C~opy struct type...~D~elete struct type...~E~xpand struct type...~S~hrink struct type...Edi~t~ struct type...Declare struct ~v~ar...~F~orce zero field offsetSe~l~ect union member...Add e~n~um...De~l~ete enum...Ed~i~t enum...~A~dd enum member...~E~dit enum member...~D~el enum member...~R~esize/move~Z~oom~P~revious~N~ext~C~lose~T~ile
C~a~scadeReset ~h~idden messages...~S~et video mode...~E~xternal help~K~eyboard layout~L~oad fileExecute script ~c~ommand...~P~roduce output fileOS s~h~ellAbo~u~t...~S~ave databaseSa~v~e database as...~A~bort - do not save~Q~uit & saveProduce ~M~AP file...Produce ~A~SM file...Produce ~I~NC file...Produce ~L~ST file...Produce ~E~XE file...Produce ~D~IF file...D~u~mp database to IDC file...Dump ~t~ypeinfo to IDC file...~R~eload the input fileS~c~ript file...~A~dditional binary file...~I~DS file...~D~BG file...~P~DB file...~F~LIRT signature file...C ~h~eader file...Jump immediate
Jump back~U~ndo last jump backEmpty navigation stack
~A~ddress...
~N~ame...
~S~egment...Se~g~ment register...
~P~roblem...Mar~k~ position...C~l~ear mark...~M~arked position...~C~ross reference...Cross ~x~ref to operand...~F~unction...~E~ntry point...F~i~le offset...find all void o~p~erandsfind al~l~ errorsnext '~v~oid'~n~ext 'error'next ~c~odenext ~d~atanext ~u~nexplorednext ~e~xplored~i~mmediate...next i~m~mediate
~t~ext...next te~x~ttext in c~o~re...next text in co~r~enot ~f~unctionSearch direction(Re)~n~ame any address...~J~ump table... Create ~a~lignment directive...~M~anual instruction...Hide/show ~b~order~C~ode~D~ata~A~SCIIArra~y~...~U~ndefineRe~n~ame...~P~atch programCo~m~ments~O~perand types~T~ext representation...Comm~e~nts...C~r~oss references...Assembler d~i~rectives...String literals ~s~tyle...Strin~g~ literals options...~C~olors...~N~ame representation...De~m~angled names...Compi~l~er...D~u~mp/normal viewSetup ~d~ata types~P~rocessor type...Target ~a~ssembler...Analysis ~o~ptions...~M~ake function...~E~dit function...Append function ~t~ail...Remo~v~e function tail...~D~elete function...~S~et function endStac~k~ variables...~C~hange stack pointer...~R~ename register...Set function t~y~pe...Enter comment...Enter ~r~epeatable comment...!Retrieve ~p~redefined comment...Edit extra ~a~nterior lines... Edit extra p~o~sterior lines...~F~loating point	~B~inaryOcta~l~
~D~ecimal~H~exadecimal	~N~umber~O~ffset by data segment/NoOffset by ~c~urrent segmentOffset by ~a~ny segment...~U~ser-defined offset...Struc~t~ offset...	~O~ffset	~N~umberCha~r~acter
~S~egmentEnu~m~ member...Stac~k~ variableChange si~g~nBit~w~ise negateM~a~nual...~N~ew segment...~D~elete segment...~E~dit segment...~M~ove segment...~R~ebase program... Change segment ~t~ranslation...(~S~et default segment register value...#Change segment register ~v~alue...Change ~b~yte...Change ~w~ord...~A~ssemble...~O~pen subviewsInternal ~f~lags~H~ide	Unh~i~de~D~el hidden range	Hide allUnhide allSetup hidden items...Vie~w~ file...~E~dit file...~C~alculate...
Show segregs~D~isassemblyF~u~nctions~S~egmentsSegment ~r~egistersSe~l~ectors~N~ames
~E~xports
~I~mportsCr~o~ss references
Struc~t~ures~P~roblems
Si~g~naturesT~y~pe librariesStart processAttach to process...~P~ause processTerminate processDetach from processTa~k~e memory snapshotToggle breakpoint~E~dit breakpoint~A~dd watch~D~el watch
Step into
Step overRun until returnRun to cursorSet current ipShow app screenOpen ~C~PU registersOpen ~b~reakpointsOpen ~w~atchesOpen ~s~tacktraceOpen ~t~hreadsOpen ~m~odulesP~r~ocess options...Deb~u~gger options...Select debugger... No hot key is defined for '%s'!Current Processor: %s
Target Assembler: %s
sActions %s and %s have the same hotkey %s (%#x)
Please edit the configuration files (ida%cui.cfg or idauser%c.cfg)!Setting screen mode 0x%04X (%s)
-$@0:443[]
Please enter DIF file name$@0:439[]
Please enter MAP file name$@0:440[]
Please enter ASM file name%@0:1475[]
Please enter INC file name$@0:441[]
Please enter LST file name-@0:431[]
Please enter name of the input file?@0:431[]
Sorry, the input file of this type cannot be reloaded$@0:442[]
Enter binary file name for"Binary file %s has been created.
+@0:444[]
Please enter the unload file name3Variadic functions must have at least one argument6@0:432[]
Please enter the script file name to execute=@0:444[]
Please enter the IDC file name to dump the database=@0:445[]
Please enter the IDC file name to dump the typeinfo/@0:448[]
Please enter a new database file namep@0:527[]
Patch Bytes

 Address        %N
 File offset    %N
 Original value %q
 <~V~alues         :q:80:50::>

m@0:527[]
Patch Word

 Address        %N
 File offset    %N
 Original value %L

 <~V~alue (word)  :L::18::>

5@0:527[]
Please enter new value for the current wordkHIDECANCEL
@0:630[]
Auto analysis is not completed, the result may be inaccurate. Do you want to continue?+@0:433[]
Select an additional file to load+@0:434[]
Please select an IDS file to load*@0:435[]
Please select a DBG file to load%Please enter floating point constantOHIDECANCEL
The output database %s already exists. Do you want to overwrite it?5Some other instruction/data is already defined at %sh@0:529[]
Assemble instruction

 Previous line: %q
 Address      : %N:%N
 <~I~nstruction :q:1000:40::>

<Sorry, this processor module doesn't support the assembler.UThe FLIRT signature file '%s' has been put into the queue and will be applied later.8@0:640[]
The patched bytes have relocation information! 
Generate MAP file
    Include in the map file:

  <#Include segmentation information in the map#~S~egmentation information:C>
  <#Include dummy names in the map#D~u~mmy names :C>
  <#Demangle names if possible#~D~emangle names  :C>
  <#Include local names in the map#~L~ocal names :C>>

%
@0:1372[]
Load Additional Binary File

  File name: %A

  <~L~oading segment     :N::10::> (in paragraphs)
  <Loading  ~o~ffset     :N::10::>
  <~F~ile offset in bytes:N::10::>
  <~N~umber of bytes     :N::10::> (0 means maxmimum)

  <Create ~s~egments     :C>
  <~C~ode segment        :C>>

*@0:1125[]
Cannot open for write file '%s'&Write error, may be the disk is full??%s: generating assembler file for the address range %08a-%08a
Writing include file %s
=%s: generating listing file for the address range %08a-%08a
3Assembler file has been created, total %lu lines.
;Assembler include file has been created, total %lu lines.
1Listing file has been created, total %lu lines.
-Map file has been created, total %lu lines.
!Output file '%s' already exists.#Difference file has been created.
L@0:638[]
Some patched bytes are skipped, see the message window for detailsR@0:421[]
Sorry, the demo version cannot produce asm files.
Press F1 for details.Creating the output file.5@0:222[]
This type of output files is not supported..startitem 0
@0:523[]
Segment Register Value

6startitem 0
@0:522[]
Segment Default Register Value

7@0:544[]
Jump to address

  <~J~ump address:$::32::>

@@0:1393[]
Jump to file offset

  <~J~ump file offset:M::32::>

 @0:546[]
Choose segment to jump @0:547[]
Choose address to jumpChoose a name@0:567[]
Choose an entry point$@0:639[]
Choose function to jump to¨@0:520[]
Move segment

Segment: %A
Start address: %N
End address: %N

<~T~arget address:N::12::>

<#Correct relocatable references#~F~ix up the relocated segment:C>>

§@0:520[]
Move multiple segments

Start address: %N
End address: %N

<~T~arget address:N::12::>

<#Correct relocatable references#~F~ix up the relocated segments:C>>

4
STARTITEM 1
@0:1408[]
Rebase the whole program

%/Please enter the new

<~A~ddress of the first segment:R1>
<~S~hift delta:R2>
<~I~mage base:R3>4>

<~V~alue:N5:511:12::>

<#Correct relocatable references#~F~ix up the program:C>
<#Adjust internal variables to reflect the shift#~R~ebase the whole image:C>>

jHIDECANCEL
@0:628[]
You are about to change the segment '%s' bounds (%08a-%08a) to (%08a-%08a). Continue?”HIDECANCEL
@0:508[]
The segment '%s' addressing mode will be changed to %d-bit. ALL INFORMATION about instructions/data WILL BE LOST! Are you sure?C@0:507[]
Segment end address is invalid or less than start addressI@0:507[]
Bad segment base: segment would have bytes with negative offset'@0:507[]
Invalid segment start address¼
@0:507[]
Create a new segment
%/

 Start address and end address should be valid.
         End address > Start address

<Segment ~n~ame    :q:511:12::>
<~S~tart address   :N::12::> C-notation:
<~E~nd   address   :N::12::>   hex is 0x...
<~B~ase            :N::12::> in paragraphs
<Cl~a~ss           :q:511:12::> (class is any text)

<~1~6-bit segment  :R10>  <#Recommended for huge segments#Use s~p~arse storage:C>>
<~3~2-bit segment  :R11>>

Õ
@0:507[]
Create a new segment
%/

 Start address and end address should be valid.
         End address > Start address

<Segment ~n~ame    :q:511:18::>
<~S~tart address   :N::18::> C-notation:
<~E~nd   address   :N::18::>   hex is 0x...
<~B~ase            :N::18::> in paragraphs
<Cl~a~ss           :q:511:18::> (class is any text)

<~1~6-bit segment  :R10>  <#Recommended for huge segments#Use s~p~arse storage:C>>
<~3~2-bit segment  :R11>
<~6~4-bit segment  :R12>>

@0:589[]
Segments@0:525[]
Choose segment@@0:521[]
Enter segment translation list (list of segment names)Segment translation list: %s
™@0:629[]
Delete Segment

CAUTION: ALL INFORMATION ABOUT THE SEGMENT WILL BE LOST!
Segment %A (%N-%N)

<~C~ONFIRM DELETION:C>>

<~D~isable addresses:C>>
ªWRAP
Assembler level and C level types▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

In order to provide intuitive yet powerful interface to types IDA introduces
two kinds of types:

  - Assembler level types
  - C level types

Assembler level types are the ones defined by the user using the
@0:593[Struct] or @0:1259[Types] views.

Since the user has to specify manually the member offset and other attributes,
IDA considers the member offsets to be fixed for them and never shifts members
of such types. If a member of struct becomes too big and does not fit the struct
anymore, IDA will delete it.

The types defined in the @0:1259[Local types] window are considered
as C level types. For them IDA automatically calculates the member offsets and
if necessary may shift members and change the total struct size.

The user may change the type level by simply editing the type from the appropriate
window. For example, if a C level type is edited from the @0:593[Struct]
view, IDA will consider such a type as an Assembler level type in the future.

 In the struct/enum view:
  Assembler level types are displayed using regular colors.
  C level types are displayed in gray, as if they are disabled (but they are not).

 In the local types view:
  C level types are displayed using regular colors.
  Assembler level types are displayed in gray, as if they are disabled (but they are not).
©@0:514[]
Change segment combination

 <~0~ Private:R>
 <~1~ Group:R>
 <~2~ Public:R>
 <~3~ Reserved:R>
 <~4~ Public:R>
 <~5~ Stack:R>
 <~6~ Common:R>
 <~7~ Public:R>>

ö@0:514[]
Change segment alignment

 <~A~bs:R>
 <~B~yte:R>
 <~W~ord:R>
 <~D~ouble word (4 bytes):R>
 <~Q~uadro word (8 bytes):R>
 <~P~aragraph (16 bytes):R>
 <~3~2 bytes:R>
 <~6~4 bytes:R>
 <Pag~e~ (256 bytes):R>
 <~4~096 bytes:R>
 <~G~roup:R>>

«
@0:1369[]
Comment representation

<Co~m~ment indention:D::3::>

<Display '~s~uspicious' marks       :C>
<Display ~e~mpty lines              :C>
<Display borders bet~w~een data/code:C>
<Display ~b~asic blocks             :C>
<Display ~c~omments                 :C>
<Display ~r~epeatable comments      :C>
<Display ~a~uto comments            :C>
<Display s~o~urce lines             :C>
<Display ~t~ry block lines          :C>>

>@0:605[]
Text representation
 ┌<Line ~p~refixes:C>> ┌───────────────────────────────┐
┌┴──────┐ ┌──────────┴─┐  <Number of opco~d~e bytes :D::2::>
1000:0FE4               ;---------------------------
1000:0FE4
1000:0FE4               loc_0_FE4:
1000:0FE4 90                         nop     ;
└┬─┘<~U~se segment names:C>           │       ;   <Mar~g~in :D::4::>
 │  <~S~egment addresses:C>           │          (length of arguments of
 └──<~F~unction offsets :C>>           │           data directives)
<I~n~struction indention :D::3::> ─────┘
<Use ~t~abulations in output:C> <~l~ow  susp. limit:N::10:@0:606[]>
<Display st~a~ck pointer    :C>> <~h~igh susp. limit:N::10:@0:606[]>

@0:607[]
Cross-reference representation

<Display se~g~ments in xrefs:C>────────────────────────┐
<Display xref ~t~ype mark   :C>──────────────────┐     │
<Display ~f~unction offsets :C>                  │     │
<Display xref ~v~alues      :C>>                  │     │
                                               ┌┴──┐ ┌┴─┐
1000:0FE4 90                         nop     ; CREF: 1000:0FE0        |
                                                                      │
<Right ~m~argin             :D::8::> (max length of line with xrefs)┘
<Cross reference ~d~epth    :N::18::>

Number of xrefs to display
    <in d~i~sasembly :D::8::>
    <in ~s~truct/enum:D::8::>

a@0:608[]
Assembler directives
  <##Generate##~A~SSUME directives:C>
  <.~O~RG   directives:C>>

Ç@0:601[]
Setup the display of hidden items

   <Automatically hide ~l~ibrary functions:C>>

   <Display hidden ~i~nstructions:C>
   <Display hidden ~f~unctions:C>
   <Display hidden ~s~egments:C>>

Ð@0:620[]
Background analysis

   <~A~nalysis enabled:C>
   <~I~ndicator enabled:C>>

   <Kernel analyzer options ~1~:B:0:::>

   <Kernel analyzer options ~2~:B:1:::>

   <Kernel analyzer options ~3~:B:2:::>
4
   <~P~rocessor specific analysis options:B:3:::>
—@0:621[]
Kernel analysis options 1

<~T~race execution flow                            :C>
<~M~ark typical code sequences as code             :C>
<~L~ocate and create jump tables                   :C>
<Control flo~w~ to data segment is ignored         :C>
<~A~nalyse and create all xrefs                    :C>
<~D~elete instructions with no xrefs               :C>
<Create function ~i~f data xref data->code32 exists:C>
<Create ~f~unctions if call is present             :C>
<Create function ~t~ails                           :C>
<Create ~s~tack variables                          :C>
<Propagate ~s~tack argument information            :C>
<Propagate ~r~egister argument information         :C>
<Trace stack ~p~ointer                             :C>
<Perform full stack ~p~ointer analysis             :C>
<Perform '~n~o-return' analysis                    :C>
<Try to ~g~uess member function types              :C>>

—@0:622[]
Kernel analysis options 2

<Truncate ~f~unctions upon code deletion           :C>
<Create string literal if data ~x~ref exists       :C>
<Check for ~u~nicode strings                       :C>
<~C~reate offsets and segments using fixup info    :C>
<Create ~o~ffset if data xref to seg32 exists      :C>
<Convert ~3~2bit instruction operand to offset     :C>
<Automatically convert data to ~o~ffsets           :C>
<~U~se flirt signatures                            :C>
<Comment ~a~nonymous library functions             :C>
<~M~ultiple copy library function recognition      :C>
<Automatically ~h~ide library functions            :C>
<~R~ename jump functions as j_...                  :C>
<Rename ~e~mpty functions as nullsub_...           :C>
<Coagulate ~d~ata segments in the final pass       :C>
<~C~oagulate code segments in the final pass       :C>
<Make fi~n~al analysis pass                        :C>>

¼@0:609[]
Names
%/
<~D~ummy name representation:E1:75:75:1::>
  <~R~enumber:C2>>

<##Types of names included in the list of names##~N~ormal:C>
<~P~ublic:C>
<~A~utogenerated:C>
<~W~eak:C>>
ã@0:611[]
Demangled C++ names
<##Show demangled C++ names as##~C~omments:R>
<~N~ames:R>
<~D~on't demangle:R>>

<~A~ssume GCC v3.x names:C>>

<~O~verride type info:C>>

<Setup ~s~hort names:B:0:::> <Setup ~l~ong  names:B:1:::>

'startitem 2
@0:612[]
Demangled C++ names
<#Inhibit everything except the main name#Demangled C++ names##Only ~m~ain name          :C>  <##Suppress pointer modifiers##~n~ear:R>
<#No underscores in calling convention names (__cdecl, __pascal, etc)#No und~e~rscores in cc:C>   <near/__ptr64 :R>
<#No calling conventions for parameters and __based()#~R~emove some calling conv:C>   <~f~ar          :R>
<#No return type of functions#No return t~y~pe:C>   <all, ~1~6bit   :R>
<No "~b~ased"() specifier:C>   <~h~uge         :R>
<#Remove all calling conventions#Remove all ~c~alling conv:C>   <__ptr~6~4       :R>
<#No postfix const in member function declarations#No ~p~ostfix const:C>   <Display all  :R>
<#No public/private/protected keywords#No access keyw~o~rds:C>   <Display none:R>>
<No thro~w~ descriptions:C>
<#No static and virtual keywords#No static and ~v~irtual:C>     <si~g~ned int as 'sint'  :c>
<#No class/struct/union/enum keywords#No u~d~t keywords :C>     <~u~nsigned int as 'uint':c>
<#No const and volatile keywords#No const and volati~l~e:C>     <spaces af~t~er commas   :c>>
<No __clo~s~ure keyword:C>
<No __un~a~ligned keyword:C>    <#Remove 'j_' prefix in names#~Q~uash j_    :c>
<#No __pin/__box/__gc for MS.Net#No __pin/__bo~x~/__gc:C>>   <Transfer ~j~_ :c>>

<~I~gnore postfix _nn (duplicate):C>>

å
@0:614[]
String literal options
%/%*
 <~G~enerate names:C>>       <Names pre~f~ix  :q:15:15::>
 <#Forces start of next line#Next ~l~ine char :N::5::>   <~M~ark as autogenerated:C>>
                             <Generate ~s~erial names:C>>

 Defaults                  Serial names
   <~T~ype :b::::>        <~N~umber :D::6::>
   8-bit  <            :B100::::>   <~W~idth  :D::6::>
   16-bit <            :B101::::>
   32-bit <            :B102::::>

 <~C~omment string references:C>>

Search direction: up
Search direction: down
F@0:596[]
Evaluate expression

<Expression :q::50::>

%A
%A
%A
%A
%A

+The key file '%s' is expired or corrupted.Ë@0:615[]
Color configuration

  <Palette ~1~:R>
  <Palette ~2~:R>
  <Palette ~3~:R>
  <Palette ~4~:R>1>  <~C~ustomize:B:0:::>

  <~E~nable syntax highlighting:C>>
  <Highlight current ~i~dentifier:C>>

€
@0:574[]
Search Immediate

  This command searches for the specified
  value in the instruction operands
  and data items.

  <~V~alue to search:N::18::>

  <#Find any operand value (excluding zero) which has no type or sign#~A~ny untyped value:C>
  <#Search up if checked. Search down otherwise#Search ~U~p:C>
  <#Find all occurrences and display a list#~F~ind all occurrences:C>>

Searching %s for value %a...
'Searching %s for untyped immediate...

@0:579[]
Binary search
%/%*

Enter binary search string:
  <~S~tring:q100:1000:40::>
  <#Perform case-sensitive search#Match ~c~ase:C>           <~H~ex:r>
  <#Search ~U~p:C>                                          <~D~ecimal:r>
  <#Find all occurrences and display a list#~F~ind all occurrences:C>> <~O~ctal:r>>
  <#Encoding of input strings literals#String e~n~coding:b101:0:33::>

"Search completed. Found at %08a.
Search failed.
7Searching %s CASE-SENSITIVELY for binary string %s...
9Searching %s CASE-INSENSITIVELY for binary string %s...
@0:548[]
ProblemsïWRAP
Intel/ARM macOS debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

On macOS, the suggested approach is to use @0:1463[Remote debugging] with one of the mac_server*
binaries that are shipped with IDA - even when debugging apps on your local machine.

Using a standalone debug server application makes it easier to get around the codesigning and debugging restrictions
that are built into macOS. Note that this is also the approach used by lldb. Internally lldb uses a dedicated debugserver
that implements the core debugger engine - so IDA does the same.

It is possible to use the Local Mac OS X Debugger in ida.app, but you must run IDA as root.

For a deeper dive into macOS debugging, see our tutorial: https://www.hex-rays.com/wp-content/static/tutorials/mac_debugger_primer2/mac_debugger_primer2.html

 See also @0:1463[How to launch remote debugging]
          @0:1395[Debugger] submenu
          @0:1397[Start process]
          @0:1677[Remote iOS debugger]9.1)@0:481[]
Enter additional anterior lines*@0:481[]
Enter additional posterior lines@0:479[]
Enter comment"@0:480[]
Enter repeatable comment*@0:480[]
Enter repeatable SEGMENT comment@0:479[]
Enter SEGMENT comment+@0:480[]
Enter repeatable FUNCTION comment @0:479[]
Enter FUNCTION comment6@0:605[]
Repeatable comments are hidden, unhide them.+@0:479[]
Comments are hidden, unhide them.@0:639[]
Choose a function€%s: The function has undefined instruction/data at the specified address.
Your request has been put in the autoanalysis queue.
6The function is already defined, start address at %s
gFormat '%s (%s)' is not compatible with the selected processor ('%s'), disassembly might be erroneous
Â@0:1346[]
Rename register
%/
  <~S~tart address:N1:1000:20::>
  <~E~nd address  :N2:1000:20::>
  <~O~ld name     :q3:511:20::>
  <~N~ew name     :i4:511:20::>
  <~C~omment      :q5:1000:40::>

bHidden range

  ~S~tart address: %$
  ~E~nd address: %$

  <~N~ame :q::20::>
  <~C~olor:K::6::>

*@0:534[]
Enter instruction representation'@0:472[]
Choose a structure for offset@0:473[]
Choose enum!@0:496[]
Choose a structure typeStruct size is zero @0:469[]
Choose base for offsetÓSTARTITEM 1
@0:470[]
Enter reference information

<type radio buttons>

  <~B~ase address  :N::32::>
  <Treat the base address as a plain ~n~umber:C>
  <#This offset may point PAST object end#Offset points ~p~ast the main object:C>
  <#RVA keyword will be used to keep the listing concise#Use ~i~mage base as offset base:C>
  <#Operand value is subtracted from the base instead of being added#~S~ubtract operand value:C>
  <#Operand value is interpeted as a signed value#Si~g~ned operand:C>
  <Operand value of 0 is invalid:C>
  <#Zero's complement is invalid, independent of size#Operand value of NOT 0 is invalid:C>
  <Use ~c~urrent address as offset base:C>>

  <~T~arget address:N::32::>
  <Target ~d~elta  :N::32::>

GPlease specify the reference target address for this type of reference‘It is not necessary to specify the target address for full offsets because it can be calculated by IDA. Do you want to reset the target address?s
@0:459[]
Convert to "%s" en masse

  Apply to:
        <~A~ll operands:R>
        <Operand value ~r~ange:R>
        <%s ~o~perands:R>
        <~N~ot %s operands:R>
        <Not ~t~yped operands:R>>

        <A~p~ply only if possible:C>>

 Please enter lower and upper limits
    of the value range (inclusive)

     <~L~ower value:N::18::>
     <~U~pper value:N::18::>

"@0:455[]
Convert to array
%/%*
  %A  :%$
  %A  :%$

  Array element size   : %D
  Maximal possible size: %D
  Current array size   : %D
  Suggested array size : %D

  <~A~rray size             :D::18::> (in elements)
  <~I~tems on a line        :D::18::> (0-max)
  <Element print ~w~idth    :D::18::> (-1-none,0-auto)

  <##Options##Use "~d~up" construct:C>    <##Indexes##D~e~cimal    :R>
  <Si~g~ned elements    :C>    <~H~exadecimal:R>
  <Displa~y~ indexes    :C>    <~O~ctal      :R>
  <Create as a~r~ray    :C57>55>   <~B~inary     :R>56>

&@0:533[]
Create alignment directive

OCreate segment (%0*a-%0*a, sel %0*a):
Failed to create segment registers area.%@0:498[]
Choose union representation,@0:1361[]
Please enter the type declaration(@0:1367[]
Select C header file to parseâ@0:472[]
Struct offset delta

  Operand value: %D

  The delta is the difference between the pointer
  to the structure and the structure start.
  If you don't know what to enter, leave 0.

  <Struct offset ~d~elta:D::18::>

¹WRAP
Scrolling graphs ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The user can pan (shift) the graph by clicking with the left mouse
button on the graph background and dragging it. In the rare case when
there is no graph background visible on the screen, the Shift-click can
be used to move the graph. This can happen on very high zoom levels,
when the current node occupies the whole window.

The mouse wheel scrolls the graph vertically. If the Alt key is pressed,
it will scroll the graph horizontally.

The Page Up and Page Down keys scroll the graph vertically. The keyboard
arrows can scroll the graph if they reach the node border and cannot
jump to another node in the specified direction.

Scrolling the graph does not change the keyboard cursor position.
As soon as the graph is refreshed on the screen, IDA will scroll the
graph so that the keyboard cursor becomes visible.

Back to @0:42[graph view] or @0:1626[proximity view]´WRAP
How to use the help subsystem ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The following keys exist:
  F1            this screen
  @0:414[Shift-F1]      help index
  Ctrl-F1       IDC index
  Tab           next highlighted phrase
  Shift-Tab     prev highlighted phrase
  Enter         follow a link
  Backspace     previous help screen
  F5            zoom help window
  Esc           close help window

  arrows        one step movement
  PgUp          Page Up
  PgDn          Page Down
  Ctrl-PgUp     top of the window
  Ctrl-PgDn     bottom of the window
  Home          start of the line
  End           logical end of the line
Wrong argument numberFloating license options...“WRAP
Disk Read Error ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This error may occur when IDA tries to read past the end of the file.
‰WRAP
Can't Open File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The file probably does not exist or it is set to
read-only.
…WRAP
Cannot Create File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This file probably exists but is read-only.

WRAP
Disk Write Error ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The most probable case is that the disk is full.

As IDA analyzes the input file, the database grows in size.
In the absence of free space on the disk IDA may abruptly stop and exit
with an error message.
WRAP
Disk Positioning Error ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Please inform our technical support if this happens.˜WRAP
Graph node groups ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Any number of nodes can be collapsed into a single synthetic node. Such
a synthetic node contains a user-provided text instead of normal
disassembly listing. The 'group' command is available from the
right-click menu if there are selected nodes.

Even a single node can be used to create a group. This feature can be used to
collapse huge nodes into something manageable or to hide a group that consists of
one node.

After creating a group, IDA automatically refreshes the graph layout. If a
custom layout was present, it is not applied to the reduced graph.
However, the existing custom layout is not destroyed and will be re-used
as soon as the user switches to the full graph by deleting the group or
uncollapsing it.

The node groups can be nested: synthetic nodes can be used to create
other groups. This feature allows reducing the graph into a single node.
Each node can belong to only one group at a time.

Groups can be uncollapsed to display the original node content. The node
frames of the current uncollapsed group (the one with the mouse pointer)
are displayed with a special color. The default group frame color is
yellow. This way, the existing uncollapsed groups can be visualized by
hovering the mouse over the graph nodes.

There are also commands to collapse and uncollapse all groups in the
graph. They are available from the right click menu.

To edit the contents of synthetic nodes, use the 'set node text' button
on the node title. The 'rename' command can be used too.

IDA automatically remembers the graph groups and their state for each function.

Back to @0:42[graph view]ÁWRAP
Graph overview window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA has a small graph overview window. It displays the whole graph in
the zoom out form and gives the user an idea about which part of the graph is visualized
on the main window.

Clicking on the graph overview window visualizes different parts of the
graph in the main window. It is also possible to click and drag the
focus frame - the main window will be refreshed accordingly.

The graph overview window is visible only in the graph view node. As
soon as another non-modal window gets focus, the graph overview is
closed. It automatically opens when a graph view is activated.

The graph overview is displayed by default. To hide it, right click on
the main toolbar background and select Navigation, Graph overview menu
item.

The graph overview window can be resized to accommodate really huge graphs.

Back to @0:42[graph view] or @0:1626[proximity view]&
WRAP
Not enough memory available to complete operation. ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Unfortunately IDA ran out of memory. There is nothing we can do about it now.±
WRAP
How to move/resize windows ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Keyboard:

Arrows,Home,End,PgUp,PgDn move the window.
All keys with Shift resize the window.
Ctrl key in the combination with other keys
move/resize the window faster.

Mouse:

To move: point to title of the window and drag to the new location.

To resize: point to the right lower corner of the window and drag.ÂWRAP
Bad Macro ▄
 ▀▀▀▀▀▀▀▀▀▀

It is impossible to redefine the Alt-- and Alt-= keys
because they are used to define other macros.

Please choose another key for the macro.%
WRAP
Already recording a macro for... ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

It is impossible to define 2 macros at the same time.
Please finish definition of the first macro
(press Alt-=) and after that define the other one.%
WRAP
Entering String for Search ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Please enter any string to search.

The search will be case-insensitive and the search direction will be forward.

If the substring is not found, the cursor will not move.
X
WRAP
Bad BIOS & DOS Comments Base ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA cannot use this database (ida.int) because

        - it does not exist or
        - it is corrupt

In this case IDA will not generate new automatic comments on DOS and BIOS
interrupts and port I/O instructions.WRAP
Internal Error ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The comment database is corrupted.
IDA will not generate comment(s).‘WRAP
bTree Error ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Normally this error should not occur, please inform our technical support
about it.
WRAP
Graph colors ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Graph edges can have several colors. In graph view:

 - Blue: a normal edge
 - Green: if the jump is taken (its condition is satisfied)
 - Red: if the jump is not taken
 - Blinking: when in the debugger, the edge that will be followed blinks

And, in proximity view:

 - Blue: Code cross-reference edge
 - Gray: Data cross-reference edge

IDA highlights the current mouse items. If the mouse is hovered over an
edge, it is highlighted. If the mouse is hovered over a node, all
adjacent edges are highlighted. To turn off the highlighting, specify
the 'current edge' color as an undefined custom color.

The 'highlighted edge' and 'foreign node' colors are not used yet.

Back to @0:42[graph view] or @0:1626[proximity view]	@0:584[]=@0:1131[]
Not enough memory available to complete operation.
@0:1132[].              Name                Address Pub!@0:237[]
The name list is empty.é@0:457[]
Rename address

  Address: %N
  <~N~ame :q::32::>

       <~L~ocal name:C>
       <~I~nclude in name list:C>
       <~P~ublic name:C>
       <~A~utogenerated name:C>
       <~W~eak name:C>
       <~C~reate name anyway:C>>

èstartitem 1
@0:531[]
Rename any address

  <A~d~ress   :q::32::>

  <~N~ew name :q::32::>

       <~L~ocal name:C>
       <~I~nclude in name list:C>
       <~P~ublic name:C>
       <~A~utogenerated name:C>
       <~W~eak name:C>>

+@0:531[]
Please enter a valid old address.@0:587[]
Names!Concatenating mismatched strings@0:591[]
SelectorsPDefine a selector

  <~S~elector:N::6::>
  <~V~alue (in paragraphs) :N::18::>

BHIDECANCEL
Do you really want to delete the selected selector(s)?Reset undo history*Jump to Line

  <~L~ine number:D::18::>


WRAP
Various graph hints ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

1) The following actions can improve the speed of graph drawing:

 - Turn off animation
 - Turn off node shadows
 - Specify identical top and bottom background colors
 - Turn off 'relayout' options (might lead to stale graph contents)
 - Turn off the graph overview window

2) Printing the graph: the 'print' command is available at the
graph toolbar. The graph toolbar is visible by default but if you have
saved a @0:1420[custom desktop] configuration in the past,
it will not be visible. To set it on, check the View, Toolbars, Graph view menu item.

3) Working with huge graphs: do not forget about the node groups and use them
to make the graph simpler.

Back to @0:42[graph view]úWRAP
Customizing graph layout ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Each node has a title bar with title buttons. The title bar can be used
to displace the node. Displacing nodes  or edges creates a custom layout. The
custom layouts are automatically saved in the database. If there is a
custom layout for the function, IDA never destroys it without your
explicit permission. This behavior has its drawbacks: when the nodes are
resized (because of added comments, for example), the old layout will be
retained and the nodes could overlap. In this case, the user can ask IDA
to redo the layout or manually move the overlapping nodes. To avoid
displacing nodes inadvertently, turn on the @0:19[lock graph layout] option.

The user can also click on the edge layout points (edge bending points) and drag
them. If two edge layout points are too close, one of them will be deleted.
To create new edge layout points, use Shift-DoubleClick on the edge.

Back to @0:42[graph view]
Illegal return value locationðMWRAP
APPLE PUBLIC SOURCE LICENSE ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
APPLE PUBLIC SOURCE LICENSE
Version 2.0 - August 6, 2003

Please read this License carefully before downloading this software.
By downloading or using this software, you are agreeing to be bound by
the terms of this License. If you do not or cannot agree to the terms
of this License, please do not download or use the software.

1. General; Definitions. This License applies to any program or other
work which Apple Computer, Inc. ("Apple") makes publicly available and
which contains a notice placed by Apple identifying such program or
work as "Original Code" and stating that it is subject to the terms of
this Apple Public Source License version 2.0 ("License"). As used in
this License:

1.1 "Applicable Patent Rights" mean: (a) in the case where Apple is
the grantor of rights, (i) claims of patents that are now or hereafter
acquired, owned by or assigned to Apple and (ii) that cover subject
matter contained in the Original Code, but only to the extent
necessary to use, reproduce and/or distribute the Original Code
without infringement; and (b) in the case where You are the grantor of
rights, (i) claims of patents that are now or hereafter acquired,
owned by or assigned to You and (ii) that cover subject matter in Your
Modifications, taken alone or in combination with Original Code.

1.2 "Contributor" means any person or entity that creates or
contributes to the creation of Modifications.

1.3 "Covered Code" means the Original Code, Modifications, the
combination of Original Code and any Modifications, and/or any
respective portions thereof.

1.4 "Externally Deploy" means: (a) to sublicense, distribute or
otherwise make Covered Code available, directly or indirectly, to
anyone other than You; and/or (b) to use Covered Code, alone or as
part of a Larger Work, in any way to provide a service, including but
not limited to delivery of content, through electronic communication
with a client other than You.

1.5 "Larger Work" means a work which combines Covered Code or portions
thereof with code not governed by the terms of this License.

1.6 "Modifications" mean any addition to, deletion from, and/or change
to, the substance and/or structure of the Original Code, any previous
Modifications, the combination of Original Code and any previous
Modifications, and/or any respective portions thereof. When code is
released as a series of files, a Modification is: (a) any addition to
or deletion from the contents of a file containing Covered Code;
and/or (b) any new file or other representation of computer program
statements that contains any part of Covered Code.

1.7 "Original Code" means (a) the Source Code of a program or other
work as originally made available by Apple under this License,
including the Source Code of any updates or upgrades to such programs
or works made available by Apple under this License, and that has been
expressly identified by Apple as such in the header file(s) of such
work; and (b) the object code compiled from such Source Code and
originally made available by Apple under this License.

1.8 "Source Code" means the human readable form of a program or other
work that is suitable for making modifications to it, including all
modules it contains, plus any associated interface definition files,
scripts used to control compilation and installation of an executable
(object code).

1.9 "You" or "Your" means an individual or a legal entity exercising
rights under this License. For legal entities, "You" or "Your"
includes any entity which controls, is controlled by, or is under
common control with, You, where "control" means (a) the power, direct
or indirect, to cause the direction or management of such entity,
whether by contract or otherwise, or (b) ownership of fifty percent
(50%) or more of the outstanding shares or beneficial ownership of
such entity.

2. Permitted Uses; Conditions & Restrictions. Subject to the terms
and conditions of this License, Apple hereby grants You, effective on
the date You accept this License and download the Original Code, a
world-wide, royalty-free, non-exclusive license, to the extent of
Apple's Applicable Patent Rights and copyrights covering the Original
Code, to do the following:

2.1 Unmodified Code. You may use, reproduce, display, perform,
internally distribute within Your organization, and Externally Deploy
verbatim, unmodified copies of the Original Code, for commercial or
non-commercial purposes, provided that in each instance:

(a) You must retain and reproduce in all copies of Original Code the
copyright and other proprietary notices and disclaimers of Apple as
they appear in the Original Code, and keep intact all notices in the
Original Code that refer to this License; and

(b) You must include a copy of this License with every copy of Source
Code of Covered Code and documentation You distribute or Externally
Deploy, and You may not offer or impose any terms on such Source Code
that alter or restrict this License or the recipients' rights
hereunder, except as permitted under Section 6.

2.2 Modified Code. You may modify Covered Code and use, reproduce,
display, perform, internally distribute within Your organization, and
Externally Deploy Your Modifications and Covered Code, for commercial
or non-commercial purposes, provided that in each instance You also
meet all of these conditions:

(a) You must satisfy all the conditions of Section 2.1 with respect to
the Source Code of the Covered Code;

(b) You must duplicate, to the extent it does not already exist, the
notice in Exhibit A in each file of the Source Code of all Your
Modifications, and cause the modified files to carry prominent notices
stating that You changed the files and the date of any change; and

(c) If You Externally Deploy Your Modifications, You must make
Source Code of all Your Externally Deployed Modifications either
available to those to whom You have Externally Deployed Your
Modifications, or publicly available. Source Code of Your Externally
Deployed Modifications must be released under the terms set forth in
this License, including the license grants set forth in Section 3
below, for as long as you Externally Deploy the Covered Code or twelve
(12) months from the date of initial External Deployment, whichever is
longer. You should preferably distribute the Source Code of Your
Externally Deployed Modifications electronically (e.g. download from a
web site).

2.3 Distribution of Executable Versions. In addition, if You
Externally Deploy Covered Code (Original Code and/or Modifications) in
object code, executable form only, You must include a prominent
notice, in the code itself as well as in related documentation,
stating that Source Code of the Covered Code is available under the
terms of this License with information on how and where to obtain such
Source Code.

2.4 Third Party Rights. You expressly acknowledge and agree that
although Apple and each Contributor grants the licenses to their
respective portions of the Covered Code set forth herein, no
assurances are provided by Apple or any Contributor that the Covered
Code does not infringe the patent or other intellectual property
rights of any other entity. Apple and each Contributor disclaim any
liability to You for claims brought by any other entity based on
infringement of intellectual property rights or otherwise. As a
condition to exercising the rights and licenses granted hereunder, You
hereby assume sole responsibility to secure any other intellectual
property rights needed, if any. For example, if a third party patent
license is required to allow You to distribute the Covered Code, it is
Your responsibility to acquire that license before distributing the
Covered Code.

3. Your Grants. In consideration of, and as a condition to, the
licenses granted to You under this License, You hereby grant to any
person or entity receiving or distributing Covered Code under this
License a non-exclusive, royalty-free, perpetual, irrevocable license,
under Your Applicable Patent Rights and other intellectual property
rights (other than patent) owned or controlled by You, to use,
reproduce, display, perform, modify, sublicense, distribute and
Externally Deploy Your Modifications of the same scope and extent as
Apple's licenses under Sections 2.1 and 2.2 above.

4. Larger Works. You may create a Larger Work by combining Covered
Code with other code not governed by the terms of this License and
distribute the Larger Work as a single product. In each such instance,
You must make sure the requirements of this License are fulfilled for
the Covered Code or any portion thereof.

5. Limitations on Patent License. Except as expressly stated in
Section 2, no other patent rights, express or implied, are granted by
Apple herein. Modifications and/or Larger Works may require additional
patent licenses from Apple which Apple may grant in its sole
discretion.

6. Additional Terms. You may choose to offer, and to charge a fee for,
warranty, support, indemnity or liability obligations and/or other
rights consistent with the scope of the license granted herein
("Additional Terms") to one or more recipients of Covered Code.
However, You may do so only on Your own behalf and as Your sole
responsibility, and not on behalf of Apple or any Contributor. You
must obtain the recipient's agreement that any such Additional Terms
are offered by You alone, and You hereby agree to indemnify, defend
and hold Apple and every Contributor harmless for any liability
incurred by or claims asserted against Apple or such Contributor by
reason of any such Additional Terms.

7. Versions of the License. Apple may publish revised and/or new
versions of this License from time to time. Each version will be given
a distinguishing version number. Once Original Code has been published
under a particular version of this License, You may continue to use it
under the terms of that version. You may also choose to use such
Original Code under the terms of any subsequent version of this
License published by Apple. No one other than Apple has the right to
modify the terms applicable to Covered Code created under this
License.

8. NO WARRANTY OR SUPPORT. The Covered Code may contain in whole or in
part pre-release, untested, or not fully tested works. The Covered
Code may contain errors that could cause failures or loss of data, and
may be incomplete or contain inaccuracies. You expressly acknowledge
and agree that use of the Covered Code, or any portion thereof, is at
Your sole and entire risk. THE COVERED CODE IS PROVIDED "AS IS" AND
WITHOUT WARRANTY, UPGRADES OR SUPPORT OF ANY KIND AND APPLE AND
APPLE'S LICENSOR(S) (COLLECTIVELY REFERRED TO AS "APPLE" FOR THE
PURPOSES OF SECTIONS 8 AND 9) AND ALL CONTRIBUTORS EXPRESSLY DISCLAIM
ALL WARRANTIES AND/OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF
MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR A PARTICULAR
PURPOSE, OF ACCURACY, OF QUIET ENJOYMENT, AND NONINFRINGEMENT OF THIRD
PARTY RIGHTS. APPLE AND EACH CONTRIBUTOR DOES NOT WARRANT AGAINST
INTERFERENCE WITH YOUR ENJOYMENT OF THE COVERED CODE, THAT THE
FUNCTIONS CONTAINED IN THE COVERED CODE WILL MEET YOUR REQUIREMENTS,
THAT THE OPERATION OF THE COVERED CODE WILL BE UNINTERRUPTED OR
ERROR-FREE, OR THAT DEFECTS IN THE COVERED CODE WILL BE CORRECTED. NO
ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY APPLE, AN APPLE
AUTHORIZED REPRESENTATIVE OR ANY CONTRIBUTOR SHALL CREATE A WARRANTY.
You acknowledge that the Covered Code is not intended for use in the
operation of nuclear facilities, aircraft navigation, communication
systems, or air traffic control machines in which case the failure of
the Covered Code could lead to death, personal injury, or severe
physical or environmental damage.

9. LIMITATION OF LIABILITY. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO
EVENT SHALL APPLE OR ANY CONTRIBUTOR BE LIABLE FOR ANY INCIDENTAL,
SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR RELATING
TO THIS LICENSE OR YOUR USE OR INABILITY TO USE THE COVERED CODE, OR
ANY PORTION THEREOF, WHETHER UNDER A THEORY OF CONTRACT, WARRANTY,
TORT (INCLUDING NEGLIGENCE), PRODUCTS LIABILITY OR OTHERWISE, EVEN IF
APPLE OR SUCH CONTRIBUTOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY
REMEDY. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OF LIABILITY OF
INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY
TO YOU. In no event shall Apple's total liability to You for all
damages (other than as may be required by applicable law) under this
License exceed the amount of fifty dollars ($50.00).

10. Trademarks. This License does not grant any rights to use the
trademarks or trade names "Apple", "Apple Computer", "Mac", "Mac OS",
"QuickTime", "QuickTime Streaming Server" or any other trademarks,
service marks, logos or trade names belonging to Apple (collectively
"Apple Marks") or to any trademark, service mark, logo or trade name
belonging to any Contributor. You agree not to use any Apple Marks in
or as part of the name of products derived from the Original Code or
to endorse or promote products derived from the Original Code other
than as expressly permitted by and in strict compliance at all times
with Apple's third party trademark usage guidelines which are posted
at http://www.apple.com/legal/guidelinesfor3rdparties.html.

11. Ownership. Subject to the licenses granted under this License,
each Contributor retains all rights, title and interest in and to any
Modifications made by such Contributor. Apple retains all rights,
title and interest in and to the Original Code and any Modifications
made by or on behalf of Apple ("Apple Modifications"), and such Apple
Modifications will not be automatically subject to this License. Apple
may, at its sole discretion, choose to license such Apple
Modifications under this License, or on different terms from those
contained in this License or may choose not to license them at all.

12. Termination.

12.1 Termination. This License and the rights granted hereunder will
terminate:

(a) automatically without notice from Apple if You fail to comply with
any term(s) of this License and fail to cure such breach within 30
days of becoming aware of such breach;

(b) immediately in the event of the circumstances described in Section
13.5(b); or

(c) automatically without notice from Apple if You, at any time during
the term of this License, commence an action for patent infringement
against Apple; provided that Apple did not first commence
an action for patent infringement against You in that instance.

12.2 Effect of Termination. Upon termination, You agree to immediately
stop any further use, reproduction, modification, sublicensing and
distribution of the Covered Code. All sublicenses to the Covered Code
which have been properly granted prior to termination shall survive
any termination of this License. Provisions which, by their nature,
should remain in effect beyond the termination of this License shall
survive, including but not limited to Sections 3, 5, 8, 9, 10, 11,
12.2 and 13. No party will be liable to any other for compensation,
indemnity or damages of any sort solely as a result of terminating
this License in accordance with its terms, and termination of this
License will be without prejudice to any other right or remedy of
any party.

13. Miscellaneous.

13.1 Government End Users. The Covered Code is a "commercial item" as
defined in FAR 2.101. Government software and technical data rights in
the Covered Code include only those rights customarily provided to the
public as defined in this License. This customary commercial license
in technical data and software is provided in accordance with FAR
12.211 (Technical Data) and 12.212 (Computer Software) and, for
Department of Defense purchases, DFAR 252.227-7015 (Technical Data --
Commercial Items) and 227.7202-3 (Rights in Commercial Computer
Software or Computer Software Documentation). Accordingly, all U.S.
Government End Users acquire Covered Code with only those rights set
forth herein.

13.2 Relationship of Parties. This License will not be construed as
creating an agency, partnership, joint venture or any other form of
legal association between or among You, Apple or any Contributor, and
You will not represent to the contrary, whether expressly, by
implication, appearance or otherwise.

13.3 Independent Development. Nothing in this License will impair
Apple's right to acquire, license, develop, have others develop for
it, market and/or distribute technology or products that perform the
same or similar functions as, or otherwise compete with,
Modifications, Larger Works, technology or products that You may
develop, produce, market or distribute.

13.4 Waiver; Construction. Failure by Apple or any Contributor to
enforce any provision of this License will not be deemed a waiver of
future enforcement of that or any other provision. Any law or
regulation which provides that the language of a contract shall be
construed against the drafter will not apply to this License.

13.5 Severability. (a) If for any reason a court of competent
jurisdiction finds any provision of this License, or portion thereof,
to be unenforceable, that provision of the License will be enforced to
the maximum extent permissible so as to effect the economic benefits
and intent of the parties, and the remainder of this License will
continue in full force and effect. (b) Notwithstanding the foregoing,
if applicable law prohibits or restricts You from fully and/or
specifically complying with Sections 2 and/or 3 or prevents the
enforceability of either of those Sections, this License will
immediately terminate and You must immediately discontinue any use of
the Covered Code and destroy all copies of it that are in your
possession or control.

13.6 Dispute Resolution. Any litigation or other dispute resolution
between You and Apple relating to this License shall take place in the
Northern District of California, and You and Apple hereby consent to
the personal jurisdiction of, and venue in, the state and federal
courts within that District with respect to this License. The
application of the United Nations Convention on Contracts for the
International Sale of Goods is expressly excluded.

13.7 Entire Agreement; Governing Law. This License constitutes the
entire agreement between the parties with respect to the subject
matter hereof. This License shall be governed by the laws of the
United States and the State of California, except that body of
California law concerning conflicts of law.

Where You are located in the province of Quebec, Canada, the following
clause applies: The parties hereby confirm that they have requested
that this License and all related documents be drafted in English. Les
parties ont exige que le present contrat et tous les documents
connexes soient rediges en anglais.

EXHIBIT A.

"Portions Copyright (c) 1999-2003 Apple Computer, Inc. All Rights
Reserved.

This file contains Original Code and/or Modifications of Original Code
as defined in and that are subject to the Apple Public Source License
Version 2.0 (the 'License'). You may not use this file except in
compliance with the License. Please obtain a copy of the License at
http://www.opensource.apple.com/apsl/ and read it before using this
file.

The Original Code and all software distributed under the License are
distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
Please see the License for the specific language governing rights and
limitations under the License."$  <~F~ill segment gaps:C>4> (COFF)
@0:590[]
Segment Registers	@0:593[]	@0:488[]á@0:491[]
Create structure/union
%*
  <~S~tructure name:q::32::>

  <Create ~b~efore current structure:C>
  <~I~nclude in the list            :C>
  <Create ~u~nion                   :C>>

  <~A~dd standard structure:B:0:::>

…@0:491[]
Can't create a structure/union named '%s'. Probably the name is invalid or is used in the program or in the type libraries.S@0:495[]
Edit Structure

  Structure name: %A

  <~A~lignment           :N::5::>

X@0:632[]
Rename Structure

  <~S~tructure name:q::32::>

  <~I~nclude in the list:C>>

"@0:632[]
Enter struct member name$@0:1323[]
Enter stack variable nameAHIDECANCEL
@0:492[]
Do you really want to delete structure '%s'?)@0:479[]
Enter STRUCT repeatable comment@0:479[]
Enter STRUCT comment)@0:479[]
Enter member repeatable comment@0:479[]
Enter member commentVBad local name '%s'. Probably the name is invalid or is already used in the function.ZBad structure field name '%s'. Probably the name is invalid or is used in this structure.mBad field offset %04a. Either the field size is too big or another field is present at the specified offset.Bad field size.ƒ
@0:455[]
Struct field size

  Current offset       : %$
  Next defined item at : %$

  Array element width  : %D
  Maximal possible size: %D
  Current array size   : %D

  <Array ~s~ize     :D::18::> (in elements)
  <~I~tems on a line:D::18::> (0-max)
  <~A~lignment      :D::18::> (-1-none,0-auto)

  <Use "~d~up" construct:C>
  <Si~g~ned elements    :C>
  <Displa~y~ indexes    :C>>

@@0:493[]
Expand struct

  <~N~umber of bytes to add :D::18::>

C@0:494[]
Shrink struct

  <~N~umber of bytes to remove :D::18::>

™@0:489[]
Change SP value

  Current SP value     : %A%N

  <~D~IFFERENCE between old and new SP:n::18::>
  (the current instruction modifies SP value)

Choose enum @0:469[]
Choose base for offset	@0:414[](internal error in lnar: too many lines!Pattern is not found.
	@0:417[]~F~ind breakpointÜYou have just loaded a binary file.


IDA cannot identify the entry point automatically as
there is no standard of binaries.


Please move to what you think is an entry point
and press 'C' to start the autoanalysis.ÑWRAP

The input file is now loaded in the database. IDA is now busy
analysing it. You may either wait until the initial analysis is
over or immediately start exploring the disassembly. Some parts
of the file are probably still displayed as bytes : IDA has
probably not explored them yet. You may manually speed up the
analysis and convert those bytes into instructions. Move the cursor
cursor over the first undefined byte and press C.

When the initial analysis is over, IDA will beep. Use F6 to
toggle between the message and the disassembly window. A few useful
keys to get you started.

At the cursor position

  C converts bytes to code
  D converts bytes to data
  U undefines byte

Press Esc to close this window.Wrong argument attributed@0:641[]
This command can't be applied to the addresses without a segment. Create a segment first.
RThis command is not allowed for the current processor. Please choose another one.SHIDECANCEL
@0:449[]
You are about to discard all changes and quit to OS. Continue?xHIDECANCEL
@0:634[]
Leaving the database in unpacked form is dangerous. You may lose all data. Do you want to continue?5
@0:450[]
Save database
%/
  DEBUG SESSION IN PROCESS. IT WILL BE TERMINATED.

  IDA will save all changes to the disk.

  <Do~n~'t pack database:R>
  <Pack database (~S~tore):R>
  <Pack database (Compressed ~f~ile):R>2>

  <~C~ollect garbage:C3>
  <~D~ON'T SAVE the database:C1>
  <~T~ake memory snapshot:C4>ÃAdd Cross Reference

  <From :$::32::>
  <To   :$::32::>

  <Call Far    :R>
  <Call Near   :R>
  <Jump Far    :R>
  <Jump Near   :R>
  <Offset      :R>
  <Write access:R>
  <Read access :R>>


¯Delete Cross Reference

  <From :$::32::>
  <To   :$::32::>

  <#Delete the item at the target address if we delete the last xref to it#~U~ndefine if no more references:C>>

aWRAP
Linux debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The Linux debugger has the following particularities and limitations:

- The debugger server can handle only one IDA client at a time

- By default, the 64-bits debugger will try to load "libunwind-x86_64.so.8"
  and "libunwind-ptrace.so.0" in order to help with stack recovery.

- ARMLinux: hardware breakpoints are not supported

- ARMLinux: The THUMB mode is not supported

- Configure the debugger specific options (for 64 bits only) in
    Debugger Options, Set specific options.

  - Path to libunwind:
    - "libunwind-x64_64.so.8" (the default): the debugger will try to load
      libunwind "libunwind-x86_64.so.8" + "libunwind-ptrace.so.0" pair
      using the regular 'ld' search path.
    - "libunwind-x64_64.so" (note the lack of ".8" at the end): like the
      default, except the debugger will look for "libunwind-x86_64.so"
      and "libunwind-ptrace.so" (this is particularly useful for working
      with libunwind "dev" packages)
    - absolute path to libunwind-x64_64.so.8 or libunwind-x64_64.so: Linux debugger
      will try to load libunwind only from the provided path.
    - absolute path to "libunwind-x64_64.so[.8]": the debugger will try
      to load the two libraries from there (the absolute path to
      "libunwind-ptrace.so[.0]" will be derived from that of
      "libunwind-x64_64.so[.8]")
    - left blank: don't use libunwind to collect stack traces.

  By default this is set to libunwind-x86_64.so meaning the default
  path will be used to load libunwind-x86_64.so(.8) and libunwind-ptrace.so(.0). If an absolute
  path is provided, both libraries will be loaded from this path. If left emtpy, the call
  stack will be analysed by Ida and not libunwind.

 See also @0:1397[Start process]
          @0:1395[Debugger] submenu
          @0:1463[How to launch remote debugging]Loading registers...
Creating segments...
9Checking that segments for all addresses are created...
6@0:216[]
The input file seems to be packed, continue?Reading relocation table...
@0:217[]
Bad relocation table'@0:219[]
File has overlays. Load them?#Marking typical code sequences...
Illegal spoiled registerToo many spoiled registersDuplicate spoiled registerSCan't read input file (file structure error?), only part of file will be loaded...Possible file format: %s (%s)
%s: incompatible version!
'Constant '%s' has already been definedi@0:240[]
File %s can't be used to rename imports of module '%s'. Probably it does not have named exports"File %s is used for module %s...
+apply_ids_entry %lx: can't create functionUninitialized valuea@0:689[]
File %s doesn't contain any instructions or data, i.e. there is nothing to disassemble.!Produce ~f~low chart GDL file...(@0:1139[]
Can't use BIOS comments base.<@0:1140[]
BIOS comments internal error: database is corrupt!Produce call graph ~G~DL file...WRAP
Produce flow chart GDL file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceFuncGdl
 Current hotkey: @<ProduceFuncGdl>

This command creates a GDL (graph description file) with the
flow chart of the current function.

If there is an active selection, its flow chart will be generated.

IDA will ask for the output file name. Regardless of the specified extension,
the .GDL extension will be used.

See also other @0:438[Produce output file] commands.À
WRAP
Produce call graph GDL file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceCallGdl
 Current hotkey: @<ProduceCallGdl>

This command creates a GDL (graph description file) with the
graph of the function calls.

IDA will ask for the output file name. Regardless of the specified extension,
the .GDL extension will be used.

See also other @0:438[Produce output file] commands.&@0:1504[]
Please enter HTML file name@0:225[]
Choose mark number,Conflicting access rights of the base class @0:227[]
Choose marked location`WRAP
Local types window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenLocalTypes
 Current hotkey: @<OpenLocalTypes>

Each database has a local type library embedded into it.
This type library (til) is used to store types that are local to the current database.
They are usually created by @0:1367[parsing] a header file.

This command opens the local types window. The user can manipulate local types
here:

  - the existing types can be modified (the default hotkey is Ctrl-E)
  - the existing types can be deleted (the default hotkey is Del)
  - new types can be added (the default hotkey is Ins)

Please note that Ins can be used to add many types at once. For that the user
just needs to enter multiple declarations, one after another in the dialog box.

However, Ctrl-E permits for editing of one type at a time. This may cause
problems with complex structure types with nested types. Nested types will not
be saved by Ctrl-E.

If the edited type corresponds to an idb type (struct or enum), then
the corresponding type will be automatically synchronized. If the user modifies
an idb type in the struct/enum windows, the corresponding local type will
be updated too. So the type synchronization works both ways.

Some types in this list are created automatically by IDA. They are
copies of the types defined in the @0:593[Struct] or @0:1259[Types] views.
Such types are displayed using in gray, as if they are disabled.

Types displayed in black are considered as C level types. Read @0:1042[more].

Each type in the local type library has an ordinal number and may have a name.

Be careful when deleting existing types because if there are references to
them, they will be invalidated.

A local type can be mapped to another type. Such an operation deletes the existing
type and redirects all its references to the destination type. Circular dependencies
are forbidden. In the case of a user mistake, a mapped type can be deleted and recreated
with the correct information.

 See also @0:1356[View|Open subviews] submenu.
          @0:1358[Type libraries window]
          @0:1691[C++ type details]Lo~c~al typesR@0:228[]
%a: can't rename byte as '%s' because the name '%s' is a register name.
R@0:228[]
%a: can't rename byte as '%s' because it contains a bad character '%s'.
Y@0:228[]
%a: can't rename byte as '%s' because the name is already used in the program.
a@0:228[]
%a: can't rename byte as '%s' because this byte can't have a name (it is a tail byte).
P@0:228[]
%a: can't rename byte as '%s' because the name has a reserved prefix.
UIDA did not find any occurrence of '%s' in the forced operand(s) (bad xref from %a)
Missing default argument value/@0:229[]
SEGMENT: Can't find file segmentation-%3d. Creating a new segment  (%0*a-%0*a) ...
@0:457[]
Rename address

  Address: %N
  <~N~ame :q::32::>

       <~I~nclude in name list:C>
       <~P~ublic name:C>
       <~A~utogenerated name:C>
       <~W~eak name:C>
       <~C~reate name anyway:C>
       <~L~ibrary function:C>
       <~M~ark as decompiled:C>>

¦
WRAP
Source code view ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀


This window shows the contents of a source code file. IDA automatically
opens source views provided that proper mapping of the source code paths
is specified in "Options, Source paths".

This window may also display a decompilation result because it is considered
as a source code. This can be useful if the source files are not available.
-     Request for reanalysing (%08a-%08a) ...	 ... OK

 ... FAILED
.     Deleting segment        (%0*a-%0*a) ...
q@0:231[]
Can't move the segment "%s" start from %0*a to %0*a:
The segment would have bytes with negative offsetsZ@0:233[]
Can't move the segment start address (%0*a->%0*a): would overlap another segmentÚAUTOHIDE SESSION
Create segment (%0*a-%0*a, sel %0*a):
segment base or start addresses are invalid. The segment would have negative offsets.
(wrong selector values too can lead to this error. check the selector table)hAUTOHIDE SESSION
Create a segment (%0*a-%0*a, sel %0*a):
IDP module disallowed creation of the segment.[AUTOHIDE SESSION
Create a segment (%0*a-%0*a, sel %0*a):
cannot trim the previous segment.gAUTOHIDE SESSION
Create a segment (%0*a-%0*a, sel %0*a):
cannot allocate varray chunk for the segment.HAUTOHIDE SESSION
Create a segment (%0*a-%0*a):
cannot create a segment.XAUTOHIDE SESSION
Create a segment (%0*a-%0*a):
end address is lower than start address.'@0:234[]
Fatal: Can't create database.#Alignment cannot be specified here@0:1141[]
%s: bTree error: %sRefresh ~m~emoryÒWRAP
Refresh memory ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: RefreshMemcfg
 Current hotkey: @<RefreshMemcfg>

This command refreshes the segments and memory contents in IDA.
It is available only during a debugging session.
NOTE: this command is currently hidden from the user interface because IDA
does synchronize with the process memory automatically.

Please note that IDA itself tries to keep the program segments in sync
with the debugged process. However, in order to accelerate the debugger,
the synchronization is done only at major events, for example when dynamic library
gets loaded or unloaded or a thread is created or deleted. If the memory
configuration is changed because of a simple system call (think of VirtualAlloc),
IDA might miss it. Use the "refresh memory" command in these cases.

Note2: when IDA detects a discrepancy in the segments, it will
automatically synchronize with the process.

See also @0:1395[Debugger] submenu.Illegal enum base type size&@0:1299[]
Bad VA header (end < start))Variadic functions cannot be __userpurgeC
WRAP
Browser options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This tab of IDA Options dialog allows for editing of hint and identifier highlight
related settings. There are two groups of settings.

The first group is for hints that are displayed when the mouse is hovered
over some text.

The second group is for highlighting.

Number of lines for identifier hints

        Specifies how tall the hint window will be initially.
        IDA may decide to display less lines than specified if the hint is
        small. The user can resize the hint window using the mouse wheel.

Delay for identifier hints

        Milliseconds that pass before the hint appears when the user
        hovers the mouse pointer over an identifier

Mouse wheel resizes hint window

        Permit to resize the hint window by using the mouse wheel.
        Can be turned off if the user does not want to resize the hints.

No hints if debugger is active

        Hints will be disabled when the debugger is active. This may be
        useful to speed of debugging: calculating hints for zero filled
        ranges can be very expensive


Auto highlight the current identifier

        Highlight the current identifier everywhere on the screen.
        IDA tries to determine if the current identifier denotes a register.
        In this case it will highlight references to other parts of the
        register. For example, if "AL" is highlighted, IDA will also highlight
        "AH", "AX", and "EAX" (if the current processor is x86).

Unhide collapsed items automatically when jumping to them (gui only)

        If this option is set on, IDA will automatically
        uncollapse hidden functions if the user decides to jump
        to them. As soon as the user quits the function by pressing
        Esc, the function is automatically collapsed again.

Lazy jumps (gui only)

        If this option is set on, IDA will not redraw the
        disassembly window if the jump target is already on the screen.
        In this case, it will just move the cursor to the specified
        address. This option leads to less screen redraws and
        less jumpy behaviour.

Number of items in navigation stack drop-down menus

        Specifies the number of entries in the drop-down menu for the 'Jump'
        toolbar

Number of lines for auto scroll

        Specifies how many lines force automatic scrolling of the
        disassembly view

Caret blinking interval

        Specifies how fast the input caret blinks (in milleseconds).
        Must be greater than or equal to 500, or zero.
        Zero means to disable blinking

ðWRAP
Cross reference attributes ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The cross reference dialog displays a list of references to the various items.
Each line has the following attributes:

Direction
        Up or Down. Meaningful for program address; denotes where the
        reference comes from, from the lower addresses than the reference
        target (down) or from higher addresses (up).

Type

        The following types exist:

          o - offset, the address of the item is taken
          r - read access
          w - write access
          t - textual referenced (used for manually specified operands)
          i - informational (e.g. a derived class refers to its base class)
          J - far (intersegment) jump
          j - near (intrasegment) jump
          P - far (intersegment) call
          p - near (intrasegment) call
          ^ - ordinary flow
          s - xref from a structure
          m - xref from a structure member
          k - xref from a stack variable

Address

        For 'xrefs to' dialogs: where the reference comes from (source)
        For 'xrefs from' dialogs: where the reference goes to (destination)

Text

        Additional info about the cross reference
Next function›}

//------------------------------------------------------------------------
// Information about bytes

static Bytes_%d(void)
{
  auto x;
#define id x

Previous function’
  bytes   pages size description
--------- ----- ---- --------------------------------------------
%9lu %5u %4u allocating memory for b-tree...
²
WRAP
Rename a stack variable ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command allows the user to rename a stack variable. Enter an identifier
for the stack variable and press Enter.

Internally, stack variables are represented as structure fields. IDA creates
a new structure type for each function frame.

See also @0:490[Edit|Structs] submenu.
         @0:424[How to Enter an Identifier]
)Argument location %s is not allowed here™WRAP
Watch view (source level) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

In this window the user can view values of selected variables.

Global variables (data item names) as well as variables that are local
to the current function can be added by pressing Ins.

Expressions can be added to the view as well, they will be considered as IDC
expressions.

Expressions may have a type cast at the beginning. For example

(int)0x12345678

means that the contents of the memory at the address 0x12345678 should be
displayed as an integer. Note: to display strings use "char[]" as the typo.

See also @0:1272[Source code view]
*__thiscall requires at least one argument@@0:544[]
Jump to structure offset

  <~J~ump offset:M:+:32::>

:@0:544[]
Jump to enum offset

  <~J~ump offset:M::32::>

ÔWRAP
Bochs debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The Bochs debugger plugin uses the Bochs internal command line debugger.
For more about the internal debugger: http://bochs.sourceforge.net/doc/docbook/user/internal-debugger.html

To use the Bochs debugger plugin, the following steps must be carried out:

  - Download and install Bochs v2.6.x from:
        http://bochs.sourceforge.net/getcurrent.html

    For Mac OS or Linux, please refer to the following guide:
        https://www.hex-rays.com//products/ida/support/tutorials/debugging_bochs_linux.pdf

  - Open or create an IDB file in IDA and select the Bochs debugger

  - Configure the debugger specific options in
        Debugger Options, Set specific options.
    One of three possible modes of operation can be selected: image, idb, or pe.

Because the debugger plugin uses the Bochs command line debugger, it has the
following limitations:

  - Breakpoints: the Bochs debugger has the limit of 10 physical, 10
    virtual, and 10 linear breakpoints. Since IDA uses some breakpoints
    for its own purposes, only 20 breakpoints can be set by the user

  - Watchpoints: the Bochs debugger has the limit of 16 read and 16 write
    watchpoints

  - FPU registers, MMX, XMM, control, task and segment registers cannot be modified

There are ways to overcome some of the limitations mentioned above by downloading
Bochs source code and modifying it. For example, the number of allowed breakpoints
can be increased.

The Bochs debugger configuration dialog box has the following entries:

  BOCHSRC
    This is the path to the Bochs configuration file template. It contains
    special variables prefixed with "$". These variables should not be
    modified or changed by the user, as they are automatically filled by the
    plugin. Other entries can be modified as needed.

  Operation mode
    The user can choose between @0:1330[Disk Image],
    @0:1331[IDB] and @0:1332[PE] operation modes.

  Delete image files upon session end
    If enabled, IDA will automatically delete the Bochs disk images used for
    the debugging session (this option only applies to IDB and PE operation modes).
    If the plugin (in IDB operation mode) finds a previously created image, it verifies that it
    corresponds to the database and uses it as is. Unchecking this option
    for the IDB operation mode will speed up launching the debugger.

  64-bit emulation
    This options enables 64bit emulation. It is only present in the 64-bit version of IDA.
    By default, the Bochs plugin will try to detect whether to choose 32 or 64-bit emulation.

Default configuration parameters are taken from ida\cfg\dbg_bochs.cfg.

The Bochs debugger module adds a new menu item: Debugger, Bochs Command.
It can be used to send arbitrary commands to Bochs. The command output is
displayed in the message window (there is also an IDC counterpart of this function,
please refer to "startup.idc" file). This command is very useful but may interfere
with IDA, especially if the user modifies breakpoints or resume execution outside IDA.

 See also:
        @0:1330[Disk Image operation mode]
        @0:1331[Bochs IDB operation mode]
        @0:1332[Bochs PE operation mode]
        @0:1333[Bochs plugin operation mode FAQ]
Ì
WRAP
Bochs Disk Image operation mode ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The disk image operation mode is used to run Bochs with any Bochs disk image.

A simple way to get started is to launch IDA and disassemble the bochsrc file
associated with your disk image. IDA will recognize bochsrc files, parse the contents,
determine the associated disk image and create a new database containing the first
sector of the disk image (usually the boot sector).

The database does not have to correspond to the disk image: it could in fact start as an empty database,
then user could convert the needed segments to loader segments for later analysis.
The following script can be used for that purpose:

        attrs = get_segm_attr(desired__segment__start, SEGATTR_FLAGS);
        attrs = (attrs & ~SFL_DEBUG) | SFL_LOADER;
        set_segm_attr(desired__segment__start, SEGATTR_FLAGS, attrs);

If the disk image switches to protected mode with memory paging enabled, IDA
will use the page table mapping to display segments. For 16-bit applications, IDA
automatically creates a default DOS memory map (Interrupt vector table, Bios Data Area, User Memory and BIOS ROM).
Also, the Bochs Debugger plugin will try to guess the debugger segment bitness, nonetheless the user can edit the bitness manually.

Moreover, the Bochs internal debugger provides the ability to add hardware like breakpoints,
known as watchpoints, but the addresses must be physical addresses.
In order to use the disk image operation mode in a more convenient way, the plugin will convert the virtual
addresses to physical addresses (if page table information is present) before adding the hardware breakpoint.
This mechanism will not always work, please check the @0:1333[FAQ] for more information.
For hardware breakpoint on execute, the plugin will use the selected address as-is and create a physical breakpoint.

The following parameters can be specified for the disk image operation mode:

  - The bochsrc file which contains the configuration for the Bochs virtual machine in question.
    The bochsrc file should be entered in:
    Debugger -> Process Options -> Application (other fields are ignored)

  - Use virtual breakpoints when protected mode is enabled:
    This parameter is set in the Debugger Specific options.
    It will allow the plugin to use "vb" command to create
    virtual breakpoints (using cs:eip), instead of using the "lb" which
    creates linear breakpoints (using only "eip"). It is useful when
    debugging code where the "cs" segment selector base is not zero.

This is a small example on how to debug a given disk image:

1. Prepare the needed bochs virtual machine files (bochsrc, disk image, floppy image if needed, etc...)

2. Load the bochsrc file into IDA. IDA will automatically create a database.

(Step 2, is optional. It is possible to use a database of your choice, but remember to point
its "Debugger->Process Options->Input file" to the bochsrc file)

3. Make sure the "Disk image" operation mode is selected
(If Step 2 was used, then Disk image operation mode will be selected automatically)

4. Enable "Debugger Options->Suspend on debugging start", and start debugging!

In the disk image operation mode, the Bochs debugger plugin does not handle or report exceptions, if they must be caught
and handled, please put breakpoints in the IDT or IVT entries.

 See also:
        @0:1329[Bochs debugger]
        @0:1333[Bochs plugin operation mode FAQ]
'WRAP
Bochs IDB operation mode ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The IDB operation mode, as its name implies, takes the current database as the input and runs it
under the Bochs debugger. This mode can be used to debug any x86 32 or 64-bit code.
Please note that the code executes with privilege ring 3.

The following parameters can be specified in the IDB operation mode:

  - Entry address: the address where the execution starts.
    This parameter can be specified in three ways (listed in order of
    precedence):
      - by renaming the desired location as "ENTRY" (global name)
      - by selecting an address range with the mouse or keyboard.
        The selection start address is used as the entry point
      - by positioning the cursor at a given position and running the
        debugger

  - Exit address (optional): the address where the execution ends.
    This parameter can be specified in two ways:
      - by renaming the desired location as "EXIT" (global name). Please note that
        the emulation will stop at the item following the exit label.
      - by selecting an address range with the mouse or keyboard
        The selection end address is used as the exit point
    If the exit address is not specified, the execution will continue until
    an exception occurs. However, if the exit address is reached, the debugger
    will ask the user if emulation should be continued or not.

  - Startup stack size: number of KBs to allocate for the stack segment.
    The stack segment is automatically created and named as "STACK".

It may also prove useful to enable the "Debugger Setup/Suspend on debugging start" so
that IDA automatically suspends the process before executing the first instruction.

While debugging, exceptions may occur and are caught by IDA. Please note that
these exceptions are raw machine exceptions. For example, instead of an access
violation exception, a page fault exception is generated.

 See also:
        @0:1329[Bochs debugger]
        @0:1333[Bochs plugin operation mode FAQ]
	$WRAP
Bochs PE operation mode ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The PE operation mode can be used to load PE files and debug them in a MS Windows like environment.

The current limitations include:

  - Thread or process manipulation are not supported

  - Limited support for PE+

  - We provide implementations of a limited number of system calls. Feel
    free to implement missing functions using IDC scripts or DLLs.

  - LoadLibrary() will fail on unknown DLLs: the list of desired DLLs must
    be specified before running the debugger in the startup.idc file

  - Limited emulation environment: IDA does not emulate the complete MS Windows
    operating system: it just provides the basic environment for a
    32bit PE file to run (please check the features below). There are many
    ways how the debugged program can detect that it runs in an emulated
    environment.

PE executables feature list:

- SEH support: we try to mimic MS Windows as much as possible. For example, the
ICEBP instruction is a privileged instruction, but Windows reports back a single
step exception. Similarly, MS Windows does not distinguish between 0xCC and 0xCD 0x03,
so when an exception occurs, it reports that the exception address is always
one byte before the trap. So if it was an INT 0x3 (CD03), the exception address
will point to the 0x03 (in the middle of the instruction).

- TLS callbacks: TLS callbacks are normally parsed by IDA and presented as
entry points. They will be called by the debugger before jumping to the main
entry point of the application. Turning on the "Debugger Setup/Suspend on debugging start"
may be a good idea since it will make all this logic clearly visible.

- Emulation of NT structures: Some malware do not use GetProcAddress() or
GetModuleHandle(). Instead, they try to parse the system structures and deduce these values.
For this we also provide and build the basic structure of TIB, PEB, PEB_LDR_DATA,
LDR_MODULE(s) and RTL_USER_PROCESS_PARAMETERS. Other structures can be built
in the bochs_startup() function of the startup.idc file.

PE/PE+ executables feature list:

- Extensible API emulation: The user may provide an implementation of a any API function
using scripts. The plugin supports IDC language by default, but if there are any other registered
and active external languages, then external language will be used. Currently, the plugin ships with
preconfigured IDC and Python scripts (please refer to startup.idc/startup.py).

It is also possible to take a copy of all the API and startup scripts and place them next to the database in question.
This will tell the Bochs debugger plugin that these scripts are to be used with the current database directory.
Such mechanism makes it possible to customize API/startup scripts for different databases.

In the following example, kernel32!GlobalAlloc is implemented via IDC like this:

 (file name: api_kernel32.idc)
 ///func=GlobalAlloc entry=k32_GlobalAlloc purge=8
 static k32_GlobalAlloc()
 {
   eax = BochsVirtAlloc(0, BochsGetParam(2), 1);
   return 0;
 }
 ///func=GlobalFree entry=k32_GlobalFree purge=4
 static k32_GlobalFree()
 {
   eax = BochsVirtFree(BochsGetParam(1), 0);
   return 0;
 }

A simple MessageBoxA replacement can be:

 (file name: api_user32.idc)
 ///func=MessageBoxA entry=messagebox purge=0x10
 static messagebox()
 {
   auto param2; param2 = BochsGetParam(2);
   msg("MessageBoxA has been called: %s\n",
        get_strlit_contents(param2, -1, STRTYPE_C));

   // Supply the return value
   eax = 1;

   // Continue execution
   return 0;
 }

To access the stack arguments passed to a given IDC function, please use the BochsGetParam() IDC function.

For a full reference on using IDC to implement API calls, please refer to ida\plugins\bochs\api_kernel32.idc file.

- Remap a DLL path (from the startup.idc script):

    /// map /home/johndoe/sys_dlls/user32.dll=d:\winnt\system32\user32.dll
    /// map /home/johndoe/sys_dlls/kernel32.dll=d:\winnt\system32\kernel32.dll

- Specify additional DLL search path (and optionally change the mapping):

    /// map /home/johndoe/sys_dlls/=d:\winnt\system32
  Or:

    /// map c:\projects\windows_xpsp2_dlls\=c:\windows\system32
  Or just as a search path without mapping:

    /// map c:\program files\my program
  You need to add the appropriate terminating slashes

- Redefine the environment variables: the environment variables can be redefined in startup.idc

    /// env PATH=c:\windows\system32\;c:\programs    /// env USERPROFILE=c:\Users\Guest

  In Linux, if no environment variable is defined in the startup file then no environment strings will be present.
  In Windows, we take the environment variables from the system if none were defined.

- Use native code: it is possible to write a custom Win32/64 DLL and map it into the process space.

Existing APIs can then be redirected to custom written functions. For example:

  ///func=GetProcAddress entry=bochsys.BxGetProcAddress
  ///func=ExitProcess entry=bochsys.BxExitProcess
  ///func=GetModuleFileNameA entry=bochsys.BxGetModuleFileNameA
  ///func=GetModuleHandleA entry=bochsys.BxGetModuleHandleA

Here we redirect some functions to bochsys.dll that modify the memory space of the application.
Please note that bochsys.dll is a special module, IDA is aware of it.
Custom functions are declared like this:

  (file name: api_kernel32.idc)
  ///func=GetCommandLineA entry=mydll.GetCommandLineA purge=0

Then in startup.idc file, the following line must be added:

   /// load mydll.dll

Custom DLLs are normal DLLs that can import functions from any other DLL. However,
it is advisable that the custom DLL is kept small in size and simple, by not linking it
to the runtime libraries.

- Helper IDC functions: a set of helper IDC functions are available when the
debugger is active. For more information, please refer to "startup.idc".

- Less demanding PE loader: Most PE files can be loaded and run, including
system drivers, DLL and some PE files that cannot be run by the operating system.

- Dependency resolution: In the PE operation mode, the plugin will recursively load all DLLs referenced
by the program. All DLLs that are not explicitly marked with "stub" in startup.idc
will be loaded as is. It is important to "stub" all system DLLs for faster loading.
The PE loader creates empty stubs for undefined functions in stubbed DLLs.
For example, the following line defines a stub that will always return 0 for CreateFileA:

  /// func=CreateFileA retval=0

Since CreateFileA is mentioned in the IDS files and IDA knows how many bytes it purges
from the stack, there is no need to specify the "purge" value. For other functions
that are not known to IDA, a full definition line would look like:

  /// func=FuncName purge=N_bytes retval=VALUE

- Startup and Exit scripts: It is possible to assign IDC functions that run when the debugging
session starts or is about to terminate (before the application continues from
the PROCESS_EXITED event). In addition to running code at startup, the startup
script serves a role in telling the PE loader which DLLs are to be mapped for
the current debugging session. For example:

  /// stub ntdll.dll
  /// stub kernel32.dll
  /// stub user32.dll
  /// stub shell32.dll
  /// stub shlwapi.dll
  /// stub wininet.dll

These lines list the DLLs that will be used during the debugging session.
IDA creates empty stubs for all functions from these DLLs. Non-trivial implementations
of selected functions can be specified in api_xxxx.idc files, where xxxx is the module name.

API and startup scripts are searched first in the current directory and then
in the ida/plugins/bochs directory.

- Memory allocation limit: The PE loader has a simple memory manager. It is
used for the initial memory allocation at the loading stage and for dynamic memory allocation
during the debugging session. No memory limits are applied at the loading stage:
the loader will load all modules regardless of their size. However, when the
debugging session starts, a limit applies on how much memory can be dynamically
allocated. This limit is specified in the debugger specific options as "Max allocatable
memory". Memory allocation will fail once this limit is reached.

Some notes on bochsys.dll:

- BxIDACall: This exported function is used as a trap to suspend the code execution
in Bochs and perform some actions in IDA. For example, when the target calls
kernel32.VirtualAlloc, it is redirected to bochsys.BxVirtualAlloc, which calls BxIDACall,
which triggers IDA:

  kernel32.VirtualAlloc -> bochsys.BxVirtualAlloc -> BxIDACall -> IDA bochs plugin

A breakpoint can be set on this function to monitor all API calls that are
handled by IDA.

- BxUndefinedApiCall: This exported function is executed when the application
calls an unimplemented function. Setting a breakpoint on it will allow discovering
unimplemented functions and eventually implementing them as IDC or
DLL functions. It can also be used to determine when unpacking/decryption
finishes (provided that all functions used by the unpacker have been defined).

 See also:
        @0:1329[Bochs debugger]
        @0:1333[Bochs plugin operation mode FAQ]

WRAP
Bochs debugger FAQ ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀


General:

- How are breakpoints treated by IDA Bochs Plugin: Bochs debugger does not use
breakpoints by inserting 0xCC at the given address. Instead, since it is an
emulator, it constantly compares the current instruction pointer against the
breakpoint list. Data breakpoints are supported by Bochs and are known as "watchpoints".
If the user creates hardware breakpoints, IDA will automatically create Bochs watchpoints.

- How to select the Bochs operation mode programmatically: using IDC: it is possible to use
process_config_line() function to pass a key=value. For example, process_config_line("DEFAULT_MODE=1")
will select the disk image operation mode. (Please refer to cfg\dbg_bochs.cfg for list of configurable options).

- When debugging, IDA undefines instructions: if the "Debugger options / Reconstruct stack" is checked and
the stack pointer is in the same segment as the currently executing code, then IDA might undefine instructions.
To solve this program, uncheck the reconstruct stack option.

- How to convert from physical to linear addresses and vice versa: Bochs internal debugger provides two useful
commands for this: "info tab" and "page".

Disk image operation mode:

- Data/Software breakpoints are not always triggered: During a debugging session, when a breakpoint
is created while the protected mode/paging is enabled, the page table information is used to translate addresses
and correctly create the breakpoint. When debugging session is started again, IDA cannot access translation tables
to re-create the same breakpoint, thus the breakpoint will be created without any translation information (it will be treated as physical addresses)
This is why those breakpoints are not triggered. As a workaround, we suggest disabling those breakpoints and re-enable
them when paging is enabled. This problem can also arise when the "use virtual breakpoints" option is enabled.

IDB/PE operation mode:

- Cannot map VA: Sometimes, IDA may display a message stating that a given VA could
not be mapped. This mainly happens because both IDB/PE operation modes use virtual
addresses from 0x0 to 0x9000 and from 0xE0000000 to 0xFFFFFFFF internally.
To solve the problem, please rebase the program to another area:

  - IDB operation mode: use Edit, Segment, Rebase program
  - PE operation mode: rebase the input file using a third party utility

PE operation mode:

- Dynamic DLL loading: sometimes, when running a program, the plugin may attempt to load
a DLL that is not declared in the stub or load section of the startup script.
In this case, please write down the name of the DLL, then add it to the startup script,
and restart the debug session.
It is possible to create a local copy, next to your database, of startup scripts so
that these scripts will be used with this database only.

- Disk image loading slow: The disk image produced in the PE operation mode can be as big as 20MB. The reason
for this slow loading is most probably because the plugin tries to load all referenced DLLs instead of stubbing them.
To fix this, when the process starts, please take note of the loaded DLLs list (using IDA / Modules List) then
add the desired module names in the startup.* / "stub" section.

 See also:
        @0:1329[Bochs debugger]
?WRAP
Remote GDB Debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Remote GDB Debugger module allows for debugging code using the GDB remote serial protocol.
For this, the debuggee must contain a so-called "GDB stub" that controls the
execution and handles the remote protocol commands. There are many implementations
of such stubs available with different capabilities. The module has been tested
with the following GDB stubs:

 @0:1343[gdbserver]: Windows (Cygwin), Linux (ARM, MIPS, PowerPC)
 @0:1357[VMWare]: x86 (16/32 bit)
 @0:1521[QEMU]: x86 (16/32 bit), ARM, MIPS, PowerPC
 @0:1417[OpenOCD]: ARM

It is quite possible that the module will work with other stubs.
Note that only x86, ARM, MIPS and PowerPC processors are supported at the moment.

Some GDB stubs support so-called "monitor" commands. For example, VMWare stub
can return extra info about system registers. Use the command line at the bottom
of the main IDA window to send such commands. The output will be displayed in the message window.
Hint: most stubs have a "help" command (if they support any commands at all).

The module also makes the following function available from IDC:

     string send_dbg_command(string command);

 NOTE

When using @0:1502[instant debugging], you will need to tell IDA on which CPU the
target is running. This is done in the @0:1522[Remote GDB Debugger options] dialog,
available via "Debugger specific options" button in the Process options dialog shown when you
choose Remote GDB Debugger from the Run or Attach menu.

 NOTE

Many GDB stubs do not report the address that triggered a hardware breakpoint.
In this case, IDA will report a memory breakpoint hit as a generic TRAP signal.
Examine the previous instruction to see if it referenced a memory location
with breakpoint. When continuing from such a breakpoint, choose not to pass
the signal to the program.

 NOTE

IDA can be used together with a J-Link debug probe from SEGGER Microcontroller GmbH:

https://segger.com/jlink-debug-probes.html

See also

  @0:1522[Remote GDB Debugger options]
  @0:1395[Debugger] submenu.5@0:693[]
Can't create segment registers area at %08aR@0:694[]
Can't assign to Segment Register at %08a (%s=%04a). Trying to recover...Linternal error (please inform support): can't create segment register areasW@0:236[]
Fatal: the format of the database is obsolete. Use a previous version of IDA.…AUTOHIDE REGISTRY
HIDECANCEL
@0:238[]
The format of the database is obsolete (%d). IDA will now upgrade it into format %d. Continue?W@0:239[]
Fatal: the database format is newer than expected. Use a new version of IDA.
@0:635[]
Database is emptyvWRAP
Debugging with gdbserver ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

gdbserver is a GDB stub implemented as a separate program. It runs a program to be debugged
or attaches to a process and then waits for commands.
The remote GDB debugger module has been tested with gdbserver available with Cygwin
and Linux.

To debug a specific program from the start, run the following command:

    gdbserver localhost:23946 <program>

and then choose Debugger,Attach,<process running on target> in IDA.

To debug a running process:

    gdbserver --multi localhost:23947

then choose Debugger,Attach,<enter PID to attach> in IDA and enter the PID of
the process to attach to.

Another method of debugging a running process is:

    gdbserver localhost:23947 --attach <PID>

then choose Debugger,Attach,<process running on target> in IDA.

To start a program from inside IDA, first launch the debugger server:

    gdbserver --multi localhost:23947

Then use Debugger,Start process or Debugger,Run in IDA.

 NOTE

The --multi option is only available in GDB 6.8 or higher.

Back to @0:1335[Remote GDB Debugger]

Bad keyboard assignment

Keyboard definition syntax is:

        "ActionName" = Value

  where value may be:

        a string:       "Ctrl-F5"
        a char:         'F'
        a scancode:     0x4900
        zero:           0

  Zero scancode disables the hot key.
eVarious dialog help messages ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

@0:216[Packed Files]
@0:217[Bad Relocation Table]
@0:218[Additional information at the end of file]
@0:219[Overlayed files]
@0:220[Error loading overlays]
@0:221[Maximal number of segments is reached]
@0:222[Cannot generate executable file]
@0:223[Bad input file format]
@0:225[Choose mark number]
@0:226[Enter mark description]
@0:227[Choose marked location]
@0:1720[IDA View bookmarks]
@0:1721[Structs bookmarks]
@0:1722[Enums bookmarks]
@0:228[Cannot Rename a Byte]
@0:229[Cannot find file segmentation]
@0:231[Negative Offsets]
@0:232[Cannot move segment start address]
@0:233[Cannot move segment start address]
@0:234[Cannot Create Database]
@0:235[DataBase is not closed]
@0:236[Obsolete Database Format]
@0:237[The Name List is Empty]
@0:238[Upgrading IDA database]
@0:239[Unexpected Database Format]
@0:240[Imported module is not found]
@0:242[Load file dialog]
@0:243[PE .idata section has additional data]
@0:575[Repeat search for instruction/data with the specified operand]
@0:577[Repeat search for substring in the disassembly]
@0:580[Repeat search for substring in the file]
@0:628[Moving Segment]
@0:629[Deleting a Segment]
@0:630[Auto analysis is not completed]
@0:631[Silent mode of IDA]
@0:632[Rename a structure/member]
@0:633[Delete a structure member]
@0:634[Unpacked database is dangerous]
@0:635[Database Is Empty]
@0:636[Illegal Usage of the Switch]
@0:637[Cannot Find Input File]
@0:638[Patched Bytes Are Skipped]
@0:639[Patched bytes have relocation information]
@0:641[No Segment for the current byte]
@0:689[Empty Program]
@0:1372[Load additional binary file]
@0:640[Patching Relocation Bytes]
@0:690[NotVaFile]
@0:692[VaTooHighVersion]
@0:1418[Desktops]
@0:693[Can't create segment registers range]
@0:694[Cannot assign to Segment Register]üWRAP
Rename register ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: RenameRegister
 Current hotkey: @<RenameRegister>

This command allows you to rename a processor general register to some
meaningful name. While this is not used very often on IBM PCs,
it is especially useful on RISC processors with lots of registers.

For example, a general register R9 is not very meaningful and a name like
'CurrentTime' is much better.

This command can be used to define a new register name as well as to remove it.
Just move the cursor on the register name and press enter.
If you enter the new register name as an empty string, then the definition
will be deleted.

If you have selected a range before using this command, then the definition will
be restricted to the selected range. But in any case, the definition cannot
cross the function boundaries.

You cannot use this command if the current instruction does not belong to
any @0:484[function].

See also

         @0:483[Edit|Functions] submenu.D'=' not found

By configuration file syntax here must be '=' sign.
Expected a string value%Bad character translation table size;WRAP
ARM processor specifics ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Since architecture version v4 (introduced in ARM7 cores), ARM processors
have a new 16-bit instruction set called Thumb (the original 32-bit
set is referred to as "ARM"). Since these two sets have different instruction
encodings and can be mixed in one segment, we need a way to specify
how to disassemble instructions.
For this purpose, IDA uses a virtual segment register named 'T'.
If its value is 0, then ARM mode is used. Otherwise, Thumb mode is used.
ARM is the default mode. Please note that if you change the value
of T register for a range, IDA will destroy all instructions in that range
because their disassembly is no longer correct.

IDA use UAL (Unified Assembly Language) syntax by default which uses the same
syntax for both ARM and Thumb mode. If necessary, legacy assembler syntax can be
selected in @0:620[Analysis options].

To decode Aarch64 (ARM64) instructions the segment with instructions must be
@0:514[set to 64-bit].

Processor options for ARM ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Simplify instructions

      If this option is on, IDA will simplify instructions and replace
      them by clearer pseudo-instructions
      For example,

              MOV     PC, LR

      is replaced by

              RET

Disable pointer dereferencing

      If this option is on, IDA will not use =label syntax for
      loads from literal pools.
      For example,

                    LDR     R1, =dst
                    ...
      off_0_1003C   DCD dst

      will be shown as

                    LDR     R1, off_0_1003C

No automatic ARM-Thumb switch

      If this option is on, IDA will not propagate
      ARM-Thumb modes automatically when following jumps and calls.

Disable BL jumps detection

      Some ARM compilers in Thumb mode use BL (branch-and-link)
      instead of B (branch) for long jumps, since BL has more range.
      By default, IDA tries to determine if BL is a jump or a call.
      You can override IDA's decision using commands in Edit/Other menu
      (Force BL call/Force BL jump).
      If your target does not use this trick, you can set this option
      and IDA will always treat BL as a call.

Scattered MOVT/MOVW pairs analysis
      A pair of MOVT and MOVW instructions can be used to load any 32-bit constant
      into a register without having to use the literal pool. For example:
      MOVW R1, #0xABA2
      MOVT R1, #0x32AA
      is simplified by IDA into
      MOV  R1, 0x32AAABA2
      (unless macro creation is @0:1688[turned off])

      However, if there is an unrelated instruction between them, such
      simplification is not possible. If you enable the conversion, then IDA will try to
      convert operands of even scattered instructions. The example above could be represented as:

      MOVW  R1, #:lower16:0x32AAABA2
      [other instructions]
      MOVT  R1, #:upper16:0x32AAABA2

      It is possible to select how aggressively IDA should try to handle such pairs:
      leave them as is, convert only if the result a valid address, or try to
      convert all pairs even if the result does not look like a valid address.

Edit ARM architecture options

      This button allows you to edit various features of the ARM architecture.
      This will affect the disassembly of some instructions depending on whether
      the selected architecture supports them. For details, see the ARM Architecture Reference Manual.



Command-line options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

      You can configure the architecture options from the command line.
      For that, use the -parm:<option1[;option2...]> switch.
      The following options are accepted:

      ARMv<N>  - base ARM architecture version (e.g. ARMv4, ARMv4T,
                 ARMv5TE, ..., ARMv7-M, ARMv7-A)
       or

      <name>   - ARM core name (e.g. ARM7TDMI, ARM926EJ-S, PXA270,
                Cortex-M3, Cortex-A8)

      Additionally, a special name "armmeta" can be used to enable decoding of all known instructions.

      The options above will set some default values that can be adjusted further:

      NoVFP/VFPv<N>           - disable or enable support for VFP
                                instructions (e.g. VFPv3).
      NoNEON/NEON/NEON-FMA    - disable or enable support for NEON
                                (aka Advanced SIMD) instructions.
      NoThumb/Thumb/Thumb-2   - disable or enable support for Thumb (16-bit)
                                or Thumb-2 (16/32-bit) instructions.
      NoARM/ARM               - disable or enable support for ARM
                                instructions.
      XScale                  - support for XScale-specific instructions.
                                Implies ARMv5TE.
      NoWMMX/WMMXv1/WMMXv2    - support for Intel Wireless MMX
                                extensions (v1 or v2). Implies XScale.

See

      @0:523[Change segment register value]
      @0:522[Set default segment register value]

commands to learn how to specify the segment register value.Expected a number3The specified value isn't within the allowed range’WRAP
Compiler ▄
 ▀▀▀▀▀▀▀▀▀

 Action    name: SetupCompiler
 Current hotkey: @<SetupCompiler>

This dialog box allows the user to specify the compiler used to create the
program along with the memory model, default calling convention, ABI and other
parameters.

Please note that while some combinations of the parameters are meaningless,
IDA doesn't check them for validity. It is up to the user to specify a correct
combination.

IDA tries to determine the correct values automatically.

The include directories are a list of directories that look for the standard C headers.
This parameter is used during parsing @0:1367[C header files].
The directories must be separated by ';' in MS Windows and ':' in Linux.
The predefined macros field has the same format and is used similarly.
Please note that IDA doesn't define any compiler-specific macros by default.

See also @0:604[Options] submenu!Expected YES/NO or ON/OFF values\WRAP
Open subviews ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Here are commands to open various windows, display information etc.

  @0:585[Open disassembly window]
  @0:1415[Open exports window]
  @0:1416[Open imports window]
  @0:586[Open functions window]
  @0:587[Open names window]
  @0:588[Open signatures window]
  @0:589[Open segments window]
  @0:590[Open segment registers window]
  @0:591[Open selectors window]
  @0:592[Open cross references window]
  @0:593[Open structures window]
  @0:1259[Open local types window]
  @0:595[Open problems window]
  @0:1358[Open type libraries window]
  @0:1379[Open strings window]
  @0:1383[Open function calls window]
  @0:1384[Open notepad]
  @0:1714[Open undo history]

Some windows allow you to manipulate the window contents by
using the @0:427[list] viewer commands.

See also @0:583[View] submenu.¡WRAP
Debugging with VMWare ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

VMWare Workstation 6.5 is recommended for debugging, though earlier versions may work too.
Only 32-bit debugging is supported.

In order to enable debugging with GDB protocol, add the following lines to the .vmx
file of the virtual machine:

   debugStub.listen.guest32 = "TRUE"
   debugStub.hideBreakpoints= "TRUE"

To debug the VM startup, use:

   monitor.debugOnStartGuest32 = "TRUE"

Please note that the execution will start in the BIOS.

To accept connections from remote computers, the following line must be specified:

   debugStub.listen.guest32.remote = "TRUE"

VMWare Workstation will listen on port 8832.

Tips:

Since the GDB server does not report the memory layout, it must be specified manually.
For example, to debug BIOS startup code, create a 16-bit segment from F0000 to 10000 with base F000.

Use the @0:1523[GDB command line] to get extra info about the registers.
For example, use "r cr0" to see current value of the cr0 register or "r cs" to see the base, limit
and other attributes of the CS selector in protected mode.

Back to @0:1335[Remote GDB Debugger]ÆWRAP
Type libraries window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenTypeLibraries
 Current hotkey: @<OpenTypeLibraries>

This command opens the type libraries window.
Here the user can load and unload standard type libraries.

The standard type libraries contain type definitions from the standard
C header supplied with compilers. Usually, IDA tries to determine the target
compiler and its type libraries automatically but if it fails, this window
allows you to load the appropriate type library.

Furthermore, don't forget to specify the compiler and memory model in
the @0:1354[compiler setup] dialog box.

See also @0:1356[View|Open subviews] submenu.Too long string valuePage size should be power of 2"WRAP
Set function/item type ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetType
 Current hotkey: @<SetType>

This command allows you to specify the type of the current item.

If the cursor is located on a name, the type of the named item
will be edited. Otherwise, the current function type (if there is a function)
or the current item type (if it has a name) will be edited.

The function type must be entered as a C declaration. Hidden arguments (like
'this' pointer in C++) should be specified explicitly. IDA will use the type
information to comment the disassembly with the information about function arguments.
It can also be used by the Hex-Rays decompiler plugin for better decompilation.

Here is an example of a function declaration:

        int main(int argc, const char *argv[]);

To delete a type declaration, please enter an empty string.

IDA supports the user-defined calling convention. In this calling convention,
the user can explicitly specify the locations of arguments and the return value.
For example:

        int __usercall func@<ebx>(int x, int y@<esi>);

denotes a function with 2 arguments: the first argument is passed on the stack
(IDA automatically calculates its offset) and the second argument is passed
in the ESI register and the return value is stored in the EBX register.
Stack locations can be specified explicitly:

        int __usercall runtime_memhash@<^12.4>(void *p@<^0.4>, int q@<^4.4>, int r@<^8.4>)

There is a restriction for a __usercall function type: all stack locations
should be specified explicitly or all are automatically calculated by IDA.
General rules for the user defined prototypes are:

  - the return value must be in a register.
    Exception: stack locations are accepted for the __golang and __usercall calling conventions.

  - if the return type is 'void', the return location must not be specified

  - if the argument location is not specified, it is assumed to be
    on the stack; consequent stack locations are allocated for such arguments

  - it is allowed to declare nested declarations, for example:
    int **__usercall func16@<eax>(int *(__usercall *x)@<ebx>
                                             (int, long@<ecx>, int)@<esi>);
    Here the pointer "x" is passed in the ESI register;
    The pointed function is a usercall function and expects its second
    argument in the ECX register, its return value is in the EBX register.
    The rule of thumb to apply in such complex cases is to specify the
    the registers just before the opening brace for the parameter list.

  - registers used for the location names must be valid for the current
    processor; some registers are unsupported (if the register name is
    generated on the fly, it is unsupported; inform us about such cases;
    we might improve the processor module if it is easy)

  - register pairs can be specified with a colon like <edx:eax>

  - for really complicated cases @0:1492[this syntax] can be used.

IDA also understands the "__userpurge" calling convention. It is the same
thing as __usercall, the only difference is that the callee cleans the
stack.

The name used in the declaration is ignored by IDA.

If the default calling convention is __golang then explicit specification
of stack offsets is permitted. For example:

   int __usercall myfunc<^8>(__int64 arg<^0>);

Function declarations may have the __spoils keyword. It is used to specify
the list of registers spoiled by the function. The syntax is the following:

   int __spoils<eax, bh> func(int x);

If the __spoils keyword is present, the specified list overrides the standard
spoiled list. For x86, the standard spoiled list is <eax, edx, ecx>.
The list of spoiled registers may be empty.

IDA also understands some attributes in declarations. For example:

  __attribute__((format(printf,2,3)))
  int myprnt(int id, const char *format, ...);

This declaration means that myprnt is a print-like function; the format
string is the second argument and the variadic argument list starts at the
third argument.

Below is the full list of attributes that can be handled by IDA. Please look
up the details in the corresponding compiler help pages.

  packed        pack structure/union fields tightly, without gaps
  aligned       specify the alignment
  noreturn      declare as not returning function
  ms_struct     use microsoft layout for the structure/union
  format        possible formats: printf, scanf, strftime, strfmon

For data declarations, the following custom __attribute((annotate(X))) keywords
have been added. The control the representation of numbers in the output:

  __bin         unsigned binary number
  __oct         unsigned octal number
  __hex         unsigned hexadecimal number
  __dec         signed decimal number
  __sbin        signed binary number
  __soct        signed octal number
  __shex        signed hexadecimal number
  __udec        unsigned decimal number
  __float       floating point
  __char        character
  __segm        segment name
  __enum()      @0:1743[enumeration member (symbolic constant)]
  __off         offset expression (a simpler version of __offset)
  __offset()    @0:1744[offset expression]
  __strlit()    @0:1745[string]
  __stroff()    @0:1746[structure offset]
  __custom()    @0:1747[custom data type and format]
  __invsign     inverted sign
  __invbits     inverted bitwise
  __lzero       add leading zeroes
  __tabform()   @0:1748[tabular form]

The following additional keywords can be used in type declarations:

  _BOOL1        a boolean type with explicit size specification (1 byte)
  _BOOL2        a boolean type with explicit size specification (2 bytes)
  _BOOL4        a boolean type with explicit size specification (4 bytes)
  __int8        a integer with explicit size specification (1 byte)
  __int16       a integer with explicit size specification (2 bytes)
  __int32       a integer with explicit size specification (4 bytes)
  __int64       a integer with explicit size specification (8 bytes)
  __int128      a integer with explicit size specification (16 bytes)
  _BYTE         an unknown type; the only known info is its size: 1 byte
  _WORD         an unknown type; the only known info is its size: 2 bytes
  _DWORD        an unknown type; the only known info is its size: 4 bytes
  _QWORD        an unknown type; the only known info is its size: 8 bytes
  _OWORD        an unknown type; the only known info is its size: 16 bytes
  _TBYTE        10-byte floating point value
  _UNKNOWN      no info is available
  __pure        pure function: always returns the same value and does not
                modify memory in a visible way
  __noreturn    function does not return
  __usercall    user-defined calling convention; see above
  __userpurge   user-defined calling convention; see above
  __golang      golang calling convention
  __swiftcall   swift calling convention
  __spoils      explicit spoiled-reg specification; see above
  __hidden      hidden function argument; this argument was hidden in the
                source code (e.g. 'this' argument in c++ methods is hidden)
  __return_ptr  pointer to return value; implies hidden
  __struct_ptr  was initially a structure value
  __array_ptr   was initially an array
  __unused      unused function argument
  __cppobj      a c++ style struct; the struct layout depends on this keyword
  __ptr32       explicit pointer size specification (32 bits)
  __ptr64       explicit pointer size specification (64 bits)
  __shifted     @0:1695[shifted pointer] declaration
  __high        high level prototype (does not explicitly specify
                hidden arguments like 'this', for example)
                this keyword may not be specified by the user but
                IDA may use it to describe high level prototypes
  __bitmask     a bitmask enum, a collection of bit groups

See also

         @0:483[Edit|Functions] submenu.CSyntax error
Configuration file syntax is:
        KeyWord = Value*Illegal keyword in the configuration file&Illegal type of value for the keyword]WRAP
Load C header ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: LoadHeaderFile
 Current hotkey: @<LoadHeaderFile>

This command allows you to apply type declarations from a C header file
to the program.

IDA reads and parses the specified header file as a C compiler does.
In other words, it mimics the front-end of a C compiler with some restrictions:

        - only type declarations are allowed. The function definitions
          in the input file are skipped
        - not all C++ header files are not supported, only simple classes can
          be parsed
        - the compiler specific predefined macros are not defined,
          you have to define them manually in the header file

Don't forget to specify the compiler and memory model in
the @0:1354[compiler setup] dialog box before loading a header file.

All type declarations found in the input file are stored in the current
database in the form of a type library. These type declarations can be used
to define new structure and enumeration definitions by pressing "Add standard structure"
or "Add standard enum" buttons in the
@0:501[Add enum type...] and
@0:491[Add struct type...]
dialog boxes.

In the case of an error in the input file, the error messages appear in
the message window. In any case, the function declarations that are already parsed
are not deleted from the database.
IDA stops parsing the input file when 20 errors occur.

IDA 7.7 introduced an
@0:1728[alternative header file parser]
based on libclang.

See also @0:430[Load... submenu] commands.
         @0:1259[Local types window]
         @0:1728[IDAClang plugin]ÕWRAP
Problem: Failed to trace the value of the stack pointer ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        The value of the stack pointer at the end of the function is different
        from its value at the start of the function. IDA checks for the
        difference only if the function is ended by a "return" instruction.
        The most probable cause is that stack tracing has failed.
        This problem is displayed in the disassembly listing with
        the "sp-analysis failed" comment.

 What to do:
        1. Examine the value of @0:489[stack pointer] at various
           locations of the function and try to find out why the stack tracing
           has failed. Usually, it fails because some called function changed the
           stack pointer (by purging the input parameters, for example)
        2. If you have found the offending function, @0:485[change] its
           attributes (namely, number of bytes purged upon return).
        3. Another way is to specify manually how the stack pointer is
           modified. See @0:489[Change stack pointer] command
‡WRAP
Comments Dialog ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command changes the look of the disassembly comments.
Here you can change the values of the following checkboxes/input fields:

Comment indention

        You can change indention of comments:

                mov ax, bx                      ; this is a comment
        <-------------------------------------->
                       indention

        @0:419[IDA.CFG] parameter: COMMENTS_INDENTION

Display of 'suspicious' marks

        This option enables or disables @0:606[suspicious] marks display.
        Usually the suspicious marks are disabled because IDA displays the suspicious
        operands in red/orange anyway.

        @0:419[IDA.CFG] parameter: SHOW_SUSPICOUS

Display of empty lines

        This option enables or disables the presence of the autogenerated
        empty lines in the disassembly. It could be useful to decrease
        the number of the blank lines on the screen increasing amount
        of information on it.

        @0:419[IDA.CFG] parameter: SHOW_EMPTYLINES

Display of basic blocks

        This option enables or disables the presence of the autogenerated
        empty lines at the end of basic blocks in the disassembly.

        @0:419[IDA.CFG] parameter: SHOW_BASIC_BLOCKS

Display borders between data/code

        This command enables or disables the presence of the autogenerated
        border lines in the disassembly. It could be useful to decrease
        the number of the blank lines on the screen increasing amount
        of information on it. A border line looks like this:

         ;---------------------------------------------------------

        Note that you can hide a particular border by using @0:535[hide border] command.

        @0:419[IDA.CFG] parameter: SHOW_BORDERS

Display comments

        If this option is disabled, IDA will not show any comments.

Display repeatable comments

        This command enables or disables the @0:480[repeatable comments] display.

        @0:419[IDA.CFG] parameter: SHOW_REPEATABLE_COMMENTS

Display auto comments

        Autocomments are predefined comments for all instructions.
        If you forgot the meaning of a certain instruction, you can use
        this command to get comments to all lines of the screen.

        IDA does not give comments to very simple instructions such as
        'mov' instruction and does not override existing comments.

        @0:419[IDA.CFG] parameter: SHOW_AUTOCOMMENTS

Display source lines

        This options controls the presence of the source line number
        information in the disassembly. Some object files have this
        information.

        @0:419[IDA.CFG] parameter: SHOW_SOURCE_LINNUM

Display try block lines

       This option controls the display of the try block information
       in the disassembly.

       @0:419[IDA.CFG] parameter: SHOW_TRYBLOCKS

See also @0:604[Options] submenu.ç
WRAP
Duplicate a structure type ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: CopyStruct
 Current hotkey: @<CopyStruct>

This command duplicate the current structure type.
The new structure type will have the same members as the current one
but its name will be autogenerated (something like struc_333)

By default the new structure type will be placed after the current
structure type.

See also @0:490[Edit|Structs] submenu.
®Miscellaneous Options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Editor

        A text editor is to be used when the user decides to edit an
        IDC script using the IDC toolbar.

Navigation band refresh interval (milliseconds)

        Specifies how often the navigation band will be refreshed.
        IDA tries to minimize the number of redrawings because they
        could be really time and processor consuming (imagine
        a huge program, 50-100 megabytes of code. it would
        take a long time to refresh information on the navigation
        band because the whole program will be examined to
        determine how to draw the band). If this option is set to 0,
        the navigation band is refreshed only when the cursor is
        moved far enough to reflect its movement on the band.

Convert already defined bytes

        Determines how IDA should behave when user operations
        would end up redefining some already-defined bytes

Associate .IDB file extension with IDA

        Whether or not the .IDB extension should be associated,
        at the OS-level, with IDA

Enable autocomplete in forms

        Determines whether input fields should provide an auto-complete
        combo box by default

Output files encoding

       The encoding used to generate output text files from IDA
       The value '<default>' means that the IDB's default 8 bit-per-unit
       encoding will be used.
WRAP
Load Additional Binary File  ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Below is the description of dialog box fields:

 Load segment    - The paragraph where the file will be loaded.
 Load offset     - Specifies offset of the first byte from the start of
                   the first segment. For example, if load offset=0x2700
                   and load segment=0x1000, the first byte of the file will
                   be at 1000:2700, or in linear addressing, 0x12700.
 File offset     - Offset in the input file to load bytes from.
 Number of bytes - Number of bytes to load from the file.
                   0 means load as many as possible.
 Create segments        - If not checked, IDA does not create segments.
 Code segment           - If checked, IDA creates a code segment.
                          relevant for processors which have different
                          code/data segment addressing schemes (for
                          example, Atmel AVR).
«
WRAP
Find all suspicious operands ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: FindAllSuspicious
 Current hotkey: @<FindAllSuspicious>

This command searches for all suspicious operands and presents a list of them.
You may use this list to examine the operands and modify them as needed.

 See also @0:569[suspicious operands]
          @0:568[Search] submenu
#WRAP
Load PDB debug information file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: LoadPdbFile
 Current hotkey: @<LoadPdbFile>

This command loads a PDB file.

If the program being disassembled has a companion PDB file, then
this command may be used to load information from the PDB file into the
database.

By default IDA uses in-house code to parse and load PDB files. However, our
code can not parse old v2.0 PDB files. For them, IDA can fall back to using
Microsoft DLLs (the default is "do not fall back"). Please read more
in cfg/pdb.cfg.

Command line switch '-Opdb:option1:option2' overrides for ida session the value in cfg/pdb.cfg.

List of options▄

  off    : disable PDB
  pdbida : uses Hex-rays in-house code to parse and load PDB files.
  msdia  : uses Microsoft DLLs to parse and load PDB files.
           only available on Windows, for Linux/Macos you need to configure
           win32_remote.exe or win64_remote64.exe server in cfg/pdb.cfg
  fallback   : fallback from pdbida to msdia for the old 2.0 format
  nofallback : no fallback to msdia

Example▄

  -Opdb:off

Ida will not load PDB plugin for this session.

See also▄
        @0:430[Load... submenu] commands.
        @0:1457[Debugger module list] command.o1Environment variables ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The following environment variables are used by IDA:

TMP or TEMP     Specifies the directory where the temporary files will
                be created.
                Default: C:\TEMP

EDITOR          The name of the preferred text editor.

IDALOG          Specifies the name of the log file. Everything appearing
                in the message window will be dumped there.
                Default: none

IDALOG_SILENT   Suppress all output to the message window.
                If the IDALOG variable is set, messages will continue to
                be written to the log file. Otherwise, they will be lost.

IDADIR          Specifies the IDA directory.
                Default: the directory where IDA executable is located

IDA_LOADALL     The selected loader will load all segments without asking

IDAUSR          Specifies the directory for user-specific settings.
                Default: Windows:  %APPDATA%/Hex-Rays/IDA Pro
                         Linux:    $HOME/.idapro
                         Mac OS X: $HOME/.idapro

                This variable can contain multiple paths, in which case they must
                be separated by the platform's path separator character (i.e., ';'
                on Windows, and ':' on Linux & Mac OS X.)

          NOTE: Using %IDAUSR% for loading plugins.

                %IDAUSR% will be considered when scanning for plugins: for
                each directory component of %IDAUSR%, IDA will iterate on
                files in its "plugins" subdirectory, in alphabetical order.

                Plugins with the same case-insensitive file name (without
                extension) are considered to be duplicates and are ignored;
                only the first plugin with a given name will be considered.
                Thus, let's say %IDAUSR% is set to "C:\my_idausr", and a file
                "C:\my_idausr\plugins\DWARF.py" exists, then
                "C:\my_idausr\plugins\DWARF.py" will be picked up first while
                "%IDADIR%\plugins\dwarf.dll" will be considered conflicting,
                and thus ignored.

                In addition, in each directory, IDA first looks for plugins
                with the native extension (e.g., ".dll" on Windows) and only
                then looks for files with extensions corresponding to
                extension languages (e.g., ".idc", ".py", ...)
                Consequently if two files, say "foo.dll" and "foo.py", are
                present in the same directory, "foo.dll" will be picked first,
                and "foo.py" will be considered conflicting, and thus ignored.

          NOTE: Using %IDAUSR% for overriding configuration.

                %IDAUSR% will be considered when looking for configuration
                files, after the config file found in %IDADIR%\cfg has been
                read.

                After %IDADIR%\cfg\<filename> has been read & applied, for
                each directory component of %IDAUSR%, IDA will look for
                cfg/<filename> in it, and, if found, read & apply its
                contents as well.

                This enables users to have their own small, fine-tuned
                configuration files containing just the bits they wanted to
                override, stored in one (or more) folder(s) of their choosing.

          NOTE: Using %IDAUSR% for specifying themes

                %IDAUSR% will be considered when scanning for themes: for
                each directory component of %IDAUSR%, IDA will iterate on
                subdirectories in its "themes" subdirectory.

          NOTE: Using %IDAUSR% for providing additional loaders, processor
                modules, .til files, .sig and .ids files

                %IDAUSR% will also be considered when building the list of
                existing loaders, processor modules, .til, .sig and .ids files.
                The following directories will be inspected:
                       %IDAUSR%\loaders
                       %IDAUSR%\procs
                       %IDAUSR%\til\<arch-name>
                       %IDAUSR%\sig\<arch-name>
                       %IDAUSR%\ids\<platform-name>

IDA_MINIDUMP    (Windows only) If IDA crashes, it creates a minidump file with
                the MiniDumpWrite(). Use this environment variable to specify
                MiniDump flags (a combination of MINIDUMP_TYPE flags as a
                hexadecimal number).
                If set to "NO", IDA will not write a dump.

IDA_MDMP_INIT   (Windows only) Let IDA load dbghlp.dll on startup so it is
                used for crash dump file generation in case of a crash. If
                not set, IDA will load dbghlp.dll dynamically (if needed).
                Using this option may cause the Windbg debugger plugin to
                malfunction in case its dbghlp.dll does not match the one
                loaded by IDA.

IDA_NOEH        If set, disable IDA's own exception handler and let all
                possible crashes to be handled by the OS or active debugger.
                It is useful if you're debugging a crash in a plugin or
                processor module.

IDAIDS          Specifies the directory with the IDS files.
                Default: %IDADIR%\IDS

IDASGN          Specifies the directory with the SIG files.
                Default: %IDADIR%\SIG

IDATIL          Specifies the directory with the TIL files.
                Default: %IDADIR%\TIL

IDAIDC          Specifies the directory with the IDC files.
                Default: %IDADIR%\IDC

IDA_LIBC_PATH   Useful only on Android remote host. Specifies the exact
                path to the system libc.so

IDA_SKIP_SYMS   Useful only on Linux host. Turns off loading of
                exported symbols for the main executable file at the start
                of a debugging session

IDA_NONAMES     Disables the name resolution

IDA_NO_HISTORY  Disables updating file history

IDA_NORELOC     Disables processing of the relocation information
                for some file formats

IDA_NOEXP       Disables processing of the export information
                for some file formats

IDA_NOTLS       Disables processing of the TLS entries for some file formats

H8_NOSIZER      Disables the display of the operand sizes for H8 module

IDA_LOADALL     Load all segments of the input file without further
                confirmations

IDA_DEBUGBREAKPROCESS (Windows only) IDA debugger will use the
                DebugBreakProcess() API to break into the process. Otherwise
                it will instead attempt to set temporary breakpoints for
                all threads.

IDA_NO_REBASE   IDA Debugger will not rebase the program when debugging.
                (This will be in effect even if the debugger plugin implements
                the rebase_if_required_to callback)

IDABXPATHMAP    Variables related to the Bochs debugger.
IDABXENVMAP     See plugins/bochs/startup.* for more details.

IDA_NOWIN       (Text MS Windows version only)
                Bypass the code trying to find out the foreground window.
                This code causes problems under WINE.

IDA_DONT_SWITCH_SCREENS
                (text version only)
                Tells IDA to keep only one screen even during local
                debugging sessions. For local debugging sessions,
                IDA keeps by default one screen for the
                debugged application and one screen for itself.

IDA_NOAUTOCOMP  Do not autodetect compiler for name demangling.
                If this variable is absent and the current compiler
                is one of MS, Borland and Watcom, the compiler
                is autodetected.

IDA_ELF_PATCH_MODE Overrides patch mode for the new ELF files.
                If this variable is defined, it must contain a number.
                Each bit of this number corresponds to an option from the
                following list:

   0: Replace PIC form of 'Procedure Linkage Table' to non PIC form
   1: Direct jumping from PLT (without GOT) regardless of its form
   2: Convert PIC form of loading '_GLOBAL_OFFSET_TABLE_[]' of address
   3: Obliterate auxiliary bytes in PLT & GOT for 'final autoanalysis'
   4: Natural form of PIC GOT address loading in relocatable file
   5: Unpatched form of PIC GOT references in relocatable file
   6: Mark 'allocated' objects as library-objects (MIPS only)

IDA_DYLD_SHARED_CACHE_SLIDE Mach-O loader: specify the dyld shared
                cache image ASLR slide value (hexadecimal) or
                'search' for automatic detection.
                If not set, slide is assumed to be 0 (unslid image).

The following variables are used to fine-tune the Linux version of IDA:

TVLOG    the name of the log-file
         if it is not defined, use syslog with LOG_WARNING priority

TERM     the terminal definition (see terminfo)

TVHEADLESS disable all output (for i/o redirection)
         if this variable defined, the TVOPT variable is ignored
         This environment variable also works also in graphical versions of
         IDA. When set, the graphical interface will not restore desktops,
         toolbars or show the main window.

TVOPT    the enduser flags. Has many subfields delimited by commas ','.
     noX11   - when libX11.so is not compatible
     noGPM   - when libgpm.so is not compatible
     ansi    -
          OR
     mono    - when the terminfo data of your display does not declare
               it as having the ANSI-color support
     ign8    - ignore '8bit as meta key' in the terminfo description
     xtrack  - if your xterm-emulator in telnet client does not support
               mode 1002 (only 1000), set this flag
     alt866  - do not encode pseudographic symbols (for the console with
               alt-font loaded)
     cyrcvt= - cyrilic conversion (oem/koi8r).
               possible values are:
       linux   - for linux russian users and PuTTY (in/out koi8r)
       kwin    - output in koi8 and input in cp1251 - any telnet
       windows - for many telnet and any linux users (in/out 1251)

 Client name | Terminal   | TVOPT  | Client settings
 ------------|------------|--------|---------------------------------------
             |            |        |
 SecureCRT   |xterm-scokey| xtrack | Emulation->Terminal: xterm,
             |            |        | Emulation->keyboard: either the
             |            |        |   built-in keyboard, either custom
             |            |        |                  'xt-sco.key' file
             |            |        | Advanced->Terminaltype: xterm-scokey
             |            |        |
 SecureCRT   |   xterm    | xtrack | Emulation->Terminal: xterm+internal kbd
             |            |        |
             |            |        |
 Putty       |xterm-scokey|   -    | Terminal,Keyboard: Control?, Standard,
             |            |        |                    SCO, Normal, Normal
             |            |        |
 Putty       |   xterm    |   -    | Terminal,Keyboard: ControlH, Standard,
             |            |        |                    ~num, Normal, Normal
             |            |        |
 Console     |   linux    |   -    | default
             |            |        |
 X11:xterm   |   xterm    |   -    | default

We recommend to use the 'xterm-scokey' terminal type for remote clients.

When the terminal type is xterm-scokey, add  the following string
to /etc/inputrc (or to ~/.inputrc):

"\e[.": delete char

When working on the console without GPM installed, append "noGPM" to TVOPT.

Russian users should append the following settings to the above:

                  | _APPEND_  TO TVOPT  | _APPEND_ TO Client Settings
 -----------------|---------------------|----------------------------
 Console          | alt866,cyrcvt=linux |
                  |                     |
 X11              | cyrcvt=linux        |
                  |                     |
 Putty            | cyrcvt=linux        | Window,Translation: use font in
                  |                     |           both ANSI and OEM modes
                  |                     |
 SecureCRT        |                     |
   with koi8font  |                     |
    and kbd-hook  | cyrcvt=linux        |
    with koi8font | cyrcvt=kwin         |
   with ANSI-font | cyrcvt=windows      |
                  |                     |
    The best settings for russian users on the console are:
         setfont alt-8x16.psf.gz -m koi2al
         loadkey ru-ms.map
         export TVOPT=cyrcvt=linux,alt866

©
WRAP
Display function call graph ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: CallFlow
 Current hotkey: @<CallFlow>

This command displays the graph of all function calls in the program.

The functions are represented as nodes. The calls are represented as
edges between nodes. Instructions outside functions are ignored.

See also @0:1378[View|Graphs] submenu.uWRAP
Graphs submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Here are commands to draw various graphs:

  @0:1377[Display function call graph]
  @0:1389[Display chart of xrefs to addresses]
  @0:1390[Display chart of xrefs from addresses]
  @0:1391[Display user-defined chart of xrefs]

IDA uses an external program to display graphs.
The program name is wingraph32.exe and it is located in the
current directory.

The user can change the name of this program using the
GRAPH_VISUALIZER parameter in the @0:419[IDA.CFG] file.

The user can zoom the graph and move it around the window.

See also @0:583[View] submenu.±WRAP
Strings window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenStrings
 Current hotkey: @<OpenStrings>

This command opens the string window.

The string window contains all strings in the program. However, if a range
of addresses was selected before opening the window, only the selected
range will be examined for strings.

You can setup the list parameters by right-clicking
(or pressing Ctrl-U in the text version) on the list.

The list always contains strings defined in the program regardless
of the settings in this dialog box, but the user can ask IDA to display
strings not yet explicitly defined as strings.

The following parameters are available:

Display only defined strings

        If checked, IDA will display only strings explicitly marked
        as string items (using the @0:454[create string literal] command).
        In this case, the other checkboxes are ignored.

Ignore instructions/data definitions

        If checked, IDA will ignore instruction/data definitions
        and will try to treat them as strings. If it can build a string
        with the length greater than the minimal length, the string
        will be displayed in the list.
        This setting is ignored if 'only defined strings' is on.

Strict ASCII (7-bit) strings

        If checked, only strings containing exclusively 7-bit characters
        (8th bit must be zero) will be added to the list. Please note that
        the user can specify which characters are accepted in the strings
        by modifying the StrlitChars parameter in the @0:419[ida.cfg] file.
        This setting is ignored if 'only defined strings' is on.

Allowed string types

        Allows the user to specify the string types included in the list.
        This setting is ignored if 'only defined strings' is on.

Minimal string length

        The minimal length the string must have to be added to the list.


See also @0:1356[View|Open subviews] submenu.AWRAP
Convert operand to floating point number ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpFloat
 Current hotkey: @<OpFloat>

This command makes the current operand type floating point.

When you use this command, IDA deletes the @0:477[manually] entered operand.

If the cursor is on the first operand (the cursor is before ',')
then the first operand will be affected; otherwise, all other operands will be
affected.

See also @0:1382[Edit|Operand types|Number] submenu.¸
WRAP
Edit|Operand types|Offset submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 @0:467[Convert operand to offset (data segment)]
 @0:468[Convert operand to offset (code segment)]
 @0:469[Convert operand to offset (any segment)]
 @0:470[Convert operand to offset (user-defined base)]
 @0:472[Convert operand to struct offset]

See also @0:458[Edit|Operand types] submenu.Ý
WRAP
Edit|Operand types|Number submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 @0:460[Convert operand to number]
 @0:461[Convert operand to hex number]
 @0:462[Convert operand to decimal number]
 @0:464[Convert operand to octal number]
 @0:463[Convert operand to binary number]
 @0:1380[Convert operand to floating point number]
 @0:1510[Toggle leading zeroes]

See also @0:458[Edit|Operand types] submenu.WRAP
Function calls window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenCallers
 Current hotkey: @<OpenCallers>

This command opens the function calls window.

All functions who call the current function are displayed at
the top of the window.

All functions called from the current function are displayed at
the bottom of the window.

The list is automatically refreshed when the cursor is moved
to another function.

See also @0:1356[View|Open subviews] submenu.£
WRAP
Notepad ▄
 ▀▀▀▀▀▀▀▀

 Action    name: OpenNotepad
 Current hotkey: @<OpenNotepad>

Opens a notepad window for the general notes about the
current database. The entered notes will be saved in the current database.

Alt-T hotkey can be used to search for a text and Ctrl-T to repeat the last search.

The notepad is available only in the GUI version.

See also @0:1356[View|Open subviews] submenu.[WRAP
Arrows window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

In the graphical version, there is a small window with arrows on the
left of the disassembly. These arrows represent the execution flow,
namely the branch and jump instructions.
The arrow color can be:

        - red: means that the arrow source and destination do not
        belong to the same function. Usually, the branches are
        within functions and the red color will conspicuously
        represent branches from or to different functions.
        - black: the currently selected arrow. The selection
        is made by moving to the beginning or the end of the
        arrow using the Up or Down keys or left-clicking on the arrow
        start or the arrow end. The selection is
        not changed by pressing the PageUp, PageDown, Home, End keys or using
        the scrollbar. This allows to trace the selected arrow far away.
        - grey: all other arrows

The arrow thickness can be:

        - thick: a backward arrow. Backward arrows usually represent
        loops. Thick arrows represent the loops in a clear and
        notable manner.
        - thin: forward arrows.

Finally, the arrows can be solid or dotted. The dotted arrows
represent conditional branches when the solid arrows represent
unconditional branches.

You can resize the arrows window using a vertical splitter or even fully hide it.
If it is hidden, the arrows window will not be visible on the screen but you
can reveal it by dragging the splitter to the right. IDA remembers the current arrow
window size in the registry when you close the disassembly window.
ÎWRAP
Highlighting identifiers ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

In the graphical version, IDA highlights the identifier under the cursor.
For example, if the cursor is on the "EAX" register, then all occurrences of "EAX"
will be displayed with the yellow background. This feature is meant to
make the program analysis easier by highlighting the interesting parts of
the disassembly. For example, if the user wants to see all references to "EAX",
he just clicks on any "EAX" on the screen and all of them will be highlighted.

The selection is made by pressing the Up, Down, Left, Right keys or
by simply clicking on the identifier.

The selection is not changed by pressing the PageUp, PageDown, Home, End keys, using
the scrollbar, or pressing the Alt-Up, Alt-Down, Ctrl-Up, Ctrl-Down keys.

The Alt-Up and Alt-Down keys perform a search of the currently selected identifier
backward or forward respectively.

The Ctrl-Up and Ctrl-Down keys scroll the disassembly text.

IDA does not highlight the segment names at the line prefix because
it is not very useful.

It is possible to turn off the highlight. The appropriate checkbox is in
the @0:1304[Options, General, Browser] tab.
QWRAP
Hide all items▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: HideAll
 Current hotkey: @<HideAll>

This command allows you to hide:

  - all functions and hidden ranges if invoked in the disassembly window
  - all structures if invoked in the structures window
  - all enums if invoked in the enums window

IDA will display only the header of the hidden items.

If you want to see hidden items on the screen, you may use
@0:600[unhide] command or @0:601[enable]
the display of the hidden items.

See also @0:1388[Unhide all] command.

See also @0:583[Edit|View] submenu¯
WRAP
Unhide all items▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: UnhideAll
 Current hotkey: @<UnhideAll>

This command allows you to unhide:

  - all segments, functions, and hidden ranges if invoked in
    the disassembly window
  - all structures if invoked in the structures window
  - all enums if invoked in the enums window

See also @0:1387[Hide all] command.

See also @0:583[Edit|View] submenuÕ
WRAP
Display chart of xrefs to addresses ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ChartXrefsTo
 Current hotkey: @<ChartXrefsTo>

This command displays the graph of code and data xrefs to
current address/range of selected addresses in the program.

The addresses are represented as nodes. The xrefs are represented as
edges between nodes.

See also @0:1378[View|Graphs] submenu.)WRAP
Display chart of xrefs from addresses ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ChartXrefsFrom
 Current hotkey: @<ChartXrefsFrom>

This command displays the graph of code xrefs from the
current address/range of selected addresses in the program.

In this direction, data xrefs aren't analyzed to avoid overloaded graphs.

The addresses are represented as nodes. The xrefs are represented as
edges between nodes.

See also @0:1378[View|Graphs] submenu.™WRAP
Display used-defined chart of xrefs ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ChartXrefsUser
 Current hotkey: @<ChartXrefsUser>

This command displays a user-defined graph of xrefs from/to the
current address/range of selected addresses in the program.

The direction of the xrefs to analyze can be chosen.
If the Recursive flag is checked, all found xrefs are themselves
analyzed to find new xrefs.
You can choose to search for xrefs to new referenced addresses
only in the current direction.
Only External, data xrefs, xrefs from library functions and to
library functions can possibly be ignored.

A recursion depth can be specified.
If 'Print recursion dots' is checked, and a function has others xrefs
outside of the range defined by the 'recursion depth' setting, small
nodes containing dots are printed.

The 'Print comments' flag causes the generated function node to also
contain the function comment.

The addresses are represented as nodes. The xrefs are represented as
edges between nodes.
The used colors are the same as in IDA.

See also @0:1378[View|Graphs] submenu.WRAP
Create a new structure from current data▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: CreateStructFromData
 Current hotkey: @<CreateStructFromData>

This command defines a new structure from data already defined.
The new structure is created with adequate data types, and each member
uses the current data name if it is available.

This command is available only in the graphical version of IDA.

See also @0:490[Edit|Structs] submenu.
pWRAP
Jump to the specified file offset ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpFileOffset
 Current hotkey: @<JumpFileOffset>

IDA will ask you for a target file offset. This command jumps to the address
corresponding to this specified file offset.
If this file offset corresponds to a valid address then:

  - the current address is saved in the @0:542[jump stack].
  - the cursor is positioned to the corresponding address.

The @0:539[Jump back] command (usually Esc) will return you back.

See also

         @0:543[Jump] submenu
M
WRAP
Del hidden range ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DelHiddenRange
 Current hotkey: @<DelHiddenRange>

This command allows you to delete a hidden range of disassembly
(previously defined by using the @0:599[hide] command).

See also @0:599[hide] command.

See also @0:583[Edit|View] submenuLWRAP
Debugger submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Here are the debugger commands:

  @0:1396[Debugger window]
  @0:1443[Tracing submenu]
  @0:1423[Thread list]
  @0:1457[Module list]
  @0:1397[Start process]
  @0:1452[Attach to process...]
  @0:1398[Process options]
  @0:1399[Pause process]
  @0:1400[Terminate process]
  @0:1453[Detach from process]
  @0:1470[Take memory snapshot]
  @0:1697[Manual memory regions]
  @0:1401[Step into]
  @0:1402[Step over]
  @0:1442[Run until return]
  @0:1403[Run to cursor]
  @0:1471[Set current ip]
  @0:1472[Show application screen]
  @0:1454[Breakpoints]
  @0:1272[Source view]
  @0:1325[Watch view (source level)]
  @0:1455[Watches (assembler level)]
  @0:1443[Tracing]
  @0:1413[Debugger options]
  @0:1461[Switch debugger...]

See also

  @0:428[Menu Bar]
  @0:1463[How to launch remote debugging]
  @0:1078[Debugger for macOS]
  @0:1329[Debugger for Bochs]
  @0:1335[Remote GDB debugger]
  @0:1677[Remote iOS debugger]
  @0:1520[WinDbg debugger]
  @0:1639[Replayer debugger]
  @0:1652[PIN Tracer]
  @0:1669[Dalvik debugger]
ÝWRAP
Debugger window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Debugger
 Current hotkey: @<Debugger>

Opens the debugger window.

In this window, you can view the register values for the selected thread.
The debugger always selects the thread where the latest debugging event occurred.

For most registers, we have two different boxes:

       - the first box (on the left) indicates the current value of the register.
         Blue indicates that the value has changed since the last debugging event.
         Purple indicates that the value has been modified by the user.
         A popup menu is available on this control, offering different commands.

       - the second box (on the right) shows the current value of the register,
         interpreted like an address (if possible).

For a segment register, we only have one box indicating the current value.

For the flags register, we have one box indicating the current value,
and small boxes indicating the status of the most important flags.

A popup menu is accessible everywhere in the window, which allows the user to show or
hide different parts of the window: toolbar, thread list and available register classes.

See also @0:1395[Debugger] submenu.Ñ
WRAP
Start process ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProcessStart
 Current hotkey: @<ProcessStart>

This command starts the process in the debugger.
If the process was suspended, it will continue its execution.

 See also @0:1452[Attach to process...]
          @0:1398[Process options]
          @0:1399[Pause process]
          @0:1400[Terminate process]
          @0:1453[Detach from process]
          @0:1395[Debugger] submenu.>WRAP
Process options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetupProcess
 Current hotkey: @<SetupProcess>

This dialog box allows to specify different settings related to the
process being debugged.

Application

        Host application to launch.
        When the debugging target (== 'input file') is an executable file, this field is equal to the 'input file'.
        If this field is wrong, IDA will not be able to launch the program.
        For remoting debugging, this field denotes a remote file.

Input file

        The input file used to create the database.
        For remoting debugging, this field denotes a remote file.

Directory

        Directory to start the application. If empty, then the current directory
        will be used.
        For remoting debugging, this field denotes a remote directory.

Parameters

        Optional parameters to pass to the debugged application (or the host application)
        when it starts. This field may be empty.
        The standard input/output/error channels can be redirected using
        the bash shell notations. for example: >output 2>&1

Hostname

        If entered, denotes the name of the remote host with the application
        to debug. In this case, a remote IDA server on this host must be launched.
        Click @0:1463[here] to see the list of remote servers.

Port

        The port number of the remote server

Password

        Optional password to protect your server from strangers connecting to
        it and running arbitrary commands. The same password switch must be
        specified on the remote server.

The hostname, port, and password are not available for debuggers connected locally
to the computer.

 See also @0:1397[Start process]
          @0:1395[Debugger] submenu
          @0:1463[How to launch remote debugging]p
WRAP
Pause process ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProcessPause
 Current hotkey: @<ProcessPause>

This command pauses a running process.
Please note that it is not always possible to pause a process executing
the system code.

 See also @0:1397[Start process]
          @0:1400[Terminate process]
          @0:1395[Debugger] submenu.Y
WRAP
Terminate process ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProcessTerminate
 Current hotkey: @<ProcessTerminate>

This command terminates the debugged process.

 See also @0:1397[Start process]
          @0:1399[Pause process]
          @0:1453[Detach from process]
          @0:1395[Debugger] submenu.3
WRAP
Step into ▄
 ▀▀▀▀▀▀▀▀▀▀

 Action    name: ThreadStepInto
 Current hotkey: @<ThreadStepInto>

This command executes one assembler instruction at a time,
stepping into functions.

 See also @0:1402[Step over]
          @0:1442[Run until return]
          @0:1395[Debugger] submenu.Ú
WRAP
Step over ▄
 ▀▀▀▀▀▀▀▀▀▀

 Action    name: ThreadStepOver
 Current hotkey: @<ThreadStepOver>

This command executes one assembler instruction at a time,
stepping over procedures while executing them as a single unit.

Internally, in the case of a function call, IDA setups a temporary
breakpoint on the instruction following this function call.

 See also @0:1401[Step into]
          @0:1442[Run until return]
          @0:1395[Debugger] submenu._
WRAP
Run to cursor ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ThreadRunToCursor
 Current hotkey: @<ThreadRunToCursor>

This command executes instructions until the instruction under  the
cursor is reached.

Internally, IDA setups a temporary breakpoint on the instruction under
the cursor.

 See also @0:1395[Debugger] submenu.„WRAP
Breakpoints list ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Breakpoints
 Current hotkey: @<Breakpoints>

Opens the breakpoints window.

In this window, you can view information related to existing breakpoints.
Breakpoints are saved in the database, and restored as soon as possible
(once the memory becomes writeable).

The 'Pass count' column indicates how many times the program needs to hit the
breakpoint before being suspended (0 means "always suspend").

 See also @0:1405[Add breakpoint]
          @0:1406[Delete breakpoint]
          @0:1407[Edit breakpoint]
          @0:1404[Breakpoints] submenu.¸WRAP
Add breakpoint ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: BreakpointAdd
 Current hotkey: @<BreakpointAdd>

This command adds a breakpoint at the current address.
If an instruction exists at this address, an instruction breakpoint is created.
Otherwise, IDA offers to create a hardware breakpoint and allows the user
to @0:1407[edit breakpoint settings]. Hardware breakpoints can be
either real hardware breakpoints or @0:1648[page breakpoints].

 See also @0:1404[Breakpoints list]
          @0:1405[Add breakpoint]
          @0:1406[Delete breakpoint]
          @0:1407[Edit breakpoint]
          @0:1404[Breakpoints] submenu
          @0:1648[Page breakpoints].
l
WRAP
Delete breakpoint ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: BreakpointDel
 Current hotkey: @<BreakpointDel>

This command deletes an existing breakpoint at the current address.

 See also @0:1404[Breakpoints list]
          @0:1405[Add breakpoint]
          @0:1407[Edit breakpoint]
          @0:1404[Breakpoints] submenu.JWRAP
Edit breakpoint ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: BreakpointEdit
 Current hotkey: @<BreakpointEdit>

This command opens a dialog box to edit an existing breakpoint.

Location

  The breakpoint location: either an absolute address, a symbol name,
  a module+offset combination, or a source file name and a line number.
  The exact location syntax depends on the breakpoint kind: absolute, module
  relative, symbolic, or source code.

Condition

  This IDC expression will be evaluated each time the breakpoint
  is reached. If the expression returns true (non-zero), the debugger will execute the
  selected actions. Please note that you can use the register names in the
  IDC scripts when the debugger is active. Tests like this are allowed,
  for example: EAX == EBX+5 or get_wide_dword(ESP+0x10) == 34

  You can also use the "..." button to enter a multiline condition, or specify
  another scripting language to use. See @0:1488[here] for
  more info.

Settings

  Enabled:
        If the breakpoint is enabled or disabled. Disabled breakpoints
        are not written to the debugged process.

  Hardware:
        If enabled, IDA will use a hardware breakpoint. The breakpoint
        mode and size must be specified for them (see below).

  Module relative:
        The breakpoint location is stored as a combination of a module
        name and an offset. This kind of breakpoint is useful for
        DLLs that are loaded to various addresses because their addresses
        cannot be calculated in advance. Example: kernel32+0x1234

  Symbolic:
        The breakpoint location is stored as a combination of a symbol
        name and a possible offset. This kind of breakpoint is useful for
        symbols that can be imported from different DLLs because their addresses
        cannot be calculated in advance. Example: myfunc+44

  Source code:
        The breakpoint location is stored as a combination of a source file
        name and a line number. Can be used only if the source code of the
        debugged application is available. Example: myfile.cpp:55

  Low level condition:
        Evaluate the condition on the remote computer. Such conditions are
        faster, especially during remote debugging, because there is no
        network traffic between IDA and the remote computer on each
        breakpoint hit. @0:144[More details]

Actions

  Break:
        Suspend the debugged application

  Trace:
        Add a new entry to the trace log

  Refresh debugger memory:
        By default IDA does not refresh the memory config before evaluating
        a breakpoint condition. This option enables the refresh.
        To refresh it manually, call the IDC 'refresh_debugger_memory' function.

  Enable tracing:
        Enable tracing when the breakpoint hits. This is different from trace
        breakpoints (where only a new entry is added to the trace log).

  Disable tracing:
        Disable tracing when the breakpoint fires.

  Tracing type:
        @0:1446[Instruction], @0:1447[Function] and @0:1628[Basic block] level tracing types can be selected
        for breakpoints where enable/disable tracing have been selected.

Hardware breakpoint size

        Number of bytes to watch: 1, 2 or 4 bytes for normal hardware breakpoints.
        Any size for @0:1648[page breakpoints].

Hardware breakpoint mode

        The access type the breakpoint will react: read/write, write, execute.

In the case of Intel hardware breakpoints, some limitations are enforced (in contrast with
@0:1648[page breakpoints]).
It is impossible to create more than 4 hardware breakpoints.
The address of the breakpoint must be aligned appropriately:

  - 2-byte breakpoints must be word-aligned.
  - 4-byte breakpoints must be dword-aligned.

Please note that hardware breakpoints occur AFTER the instruction execution
while software breakpoints occur BEFORE the instruction.

Usually, it is easier to use software breakpoints, except if:

  - we want to be sure the memory is not modified by the debugger
  (instruction breakpoints modify the debugged process memory).

  - we want to detect accesses to data bytes.

  - the specified address is write protected (really rare!).

 See also @0:1404[Breakpoints list]
          @0:1405[Add breakpoint]
          @0:1406[Delete breakpoint]
          @0:1488[Breakpoint conditions]
          @0:1404[Breakpoints] submenu
WRAP
Rebase program ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Rebase program
 Current hotkey: @<RebaseProgram>

The whole program will be shifted by the specified amount of bytes in the memory.
The following options are available (we strongly recommend to leave them
turned on):

 Fix up relocations

        This option allows IDA to modify the references
        to/from the relocated segment(s). If it is turned
        off, the references might be wrong after the move.

 Rebase the whole image

        This option is accessible only if the whole program
        is selected. It allows IDA to adjust internal
        variables on the whole program.

Please note rebasing the program might remove user-defined xrefs.

See also @0:506[Edit|Segments] submenu.¥
WRAP
Watch list ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: WatchList
 Current hotkey: @<WatchList>

Opens the assembler level watch list window.

In this window you can view memorized watches.
A watch allows the user to continuously see the value of a defined item.

 See also @0:1410[Add watch]
          @0:1411[Delete watch]
          @0:1455[Watches] submenu
          @0:1325[Source level watchies]a
WRAP
Add watch ▄
 ▀▀▀▀▀▀▀▀▀▀

 Action    name: AddWatch
 Current hotkey: @<AddWatch>

This command adds a watch at the current address.
The watch is visible in the @0:1409[Watch list window].

 See also @0:1409[Watch list]
          @0:1411[Delete watch]
          @0:1455[Watches] submenu
          @0:1325[Source level watchies](
WRAP
Delete watch ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DelWatch
 Current hotkey: @<DelWatch>

This command deletes an existing watch.

 See also @0:1409[Watch list]
          @0:1410[Add watch]
          @0:1455[Watches] submenu
          @0:1325[Source level watchies]ùWRAP
Stack trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: StackTrace
 Current hotkey: @<StackTrace>

Opens the stack trace window.

This window displays the function calls that brought the current instruction.

The top of the Stack Trace window lists the last function called by the program.
Below this is the listing for the previously called functions.
Each line indicates the name of the function which called the function represented
by the previous line.

Double clicking on a line jumps to the exact address of the instruction realizing
this call.

Currently, IDA uses the EBP frame pointer values to gather the stack trace information.
It will fail for functions using other methods for the frame.

 See also @0:1443[Tracing] submenu.{WRAP
Debugger options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetupDebugger
 Current hotkey: @<SetupDebugger>

This dialog box allows to specify different settings related to the debugger.

Events

  - Suspend on debugging start

      If selected, the debugger will suspend directly once the debugging
      starts.

  - Evaluate event condition on exit

      If selected, the debugger will evaluate the event condition immediately
      before closing the debugging session (once we receive PROCESS_EXITED or
      PROCESS_DETACHED event)

  - Suspend on process entry point

      If selected, the debugger will insert a temporary breakpoint
      at the main entry point of the debugged application.

  - Suspend on thread start/exit

      If selected, the debugger will suspend if a new thread starts
      or if an existing thread terminates.

  - Suspend on library load/unload

      If selected, the debugger will suspend if a new library is
      loaded or if a previously loaded library is unloaded.

  - Suspend on debugging message

      If selected, the debugger will suspend if the debugged application
      generates a message destined to the debugger.

Event condition

      When one or more debug events (see above) are checked then this
      option is used to specify a condition. In the following example,
      the debugger will suspend the process whenever a module with the
      name test.dll is loaded:

 get_event_id() == LIB_LOADED && strstr(get_event_module_name(), "test.dll") != -1

Log

  - Segment modifications

      If selected, the debugger will print information regarding
      segment modifications (creation, deletion, or resizing of
      segments) since the last event. Note that the debugger
      doesn't continuously track segment modifications, but detects
      those only if a debugging event occurs.

  - Thread start/exit

      If selected, the debugger will print a message if a new thread
      starts or if an existing thread terminates.

  - Library load/unload

      if Selected, the debugger will print a message if a new library is
      loaded or if a previously loaded library is unloaded.

  - Breakpoint

      If selected, the debugger will print a message if the debugged process
      reaches a breakpoint.

  - Debugging message

      If selected, the debugger will print debugging messages from
      the application.

Options

  - Reconstruct the stack

      If selected, the debugger will try to reconstruct the chain of stack
      frames, based on information available on the stack and in the
      @0:488[function stack variables].

  - Show debugger breakpoint instructions

      If selected, the debugger will show breakpoint instructions inserted
      by the debugger itself. This function is mainly useful if the user
      wants to see the real content of the memory.

  - Use hardware temporary breakpoints

      If selected, IDA will try to use hardware breakpoints for the temporary
      breakpoints used to implement the "step over" and "run to" functionality.
      This feature is useful when debugging read-only or self-modifying code,
      since it does not change the contents of the memory.
      IDA will fall back to software breakpoints if the attempt to set a
      hardware breakpoint fails.

  - Autoload PDB files

      If selected, IDA will invoke the PDB plugin to try to load PDB symbols
      for every new module loaded into process.

  - Set as just-in-time debugger

      If changed from off to on, IDA will try to register itself as a
      just-in-time debugger (invoked by the system in case of application
      crashes) on dialog close.

Edit exceptions

      This button allows the user to @0:1414[setup]
      how the debugger will react to specific exceptions.

Reload exceptions

      This button reloads the exception table from the exceptions.cfg
      file.

 See also @0:1395[Debugger] submenu.WRAP
Exceptions  ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

This dialog box allows to setup how the debugger will react to specific exceptions.
For each exception, two settings can be specified, simply by selecting the desired exception,
and clicking the 'Edit' button in the popup menu.

Suspend program

        Specify whether the debugger will suspend when the exception occurs.
        If 'Passed to' == application and the application handles
        the exception successfully, the execution will not be suspended
        regardless of the 'Suspend' value.

Passed to

        Specify whether the exception will be passed to the application itself
        or handled by the debugger. If the debugged program contains exception
        handling code, it is better to select 'Application'.

Report

  Warn

        Show a warning message with the exception information.

  Log

        Instead of displaying a warning message, log to the output window the exception
        information.

  Silent

        Do not show a warning message nor log to the output window.

For new exceptions being added by the "Insert" command, you have to specify
the exception name and code. These values must be unique, the name cannot be empty, and
the code cannot be zero.

 See also @0:1395[Debugger] submenu.
WRAP
Exports window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenExports
 Current hotkey: @<OpenExports>

This command opens the exports window.

You can use @0:427[list viewer] commands in this window.

See also @0:1356[View|Open subviews] submenu.
WRAP
Imports window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenImports
 Current hotkey: @<OpenImports>

This command opens the imports window.

You can use @0:427[list viewer] commands in this window.

See also @0:1356[View|Open subviews] submenu.¹
WRAP
Debugging with OpenOCD ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Make sure the following line is present in the .cfg file for your target:

 gdb_port 3333

Edit the port number if necessary.
Specify that port in the process options and use the Debugger, Attach command.

Tips:

  Use the @0:1523[GDB command line] to send commands directly to OpenOCD interpreter.

Back to @0:1335[Remote GDB Debugger]$WRAP
Desktops ▄
▀▀▀▀▀▀▀▀▀▀

IDA saves different settings in desktops: the main window configuration,
the toolbars configuration, and the configuration of all database windows.

Different desktops are available:

 <Database>
     this desktop configuration is stored in the database itself,
     and is automatically loaded each time you open this database.
     IDA also automatically saves the current desktop configuration
     to this desktop if you close and save the database.

 <Database debugger>
     this desktop configuration is also stored in the database,
     and is loaded each time you start the debugger.
     As for the <Database> desktop, IDA automatically saves the current
     desktop configuration to this desktop once the debugger stops.

 <Default>
     this desktop configuration is stored in the registry,
     and is loaded each time you start IDA without opening a database,
     or the first time you create a new database.

 <Default debugger>
     this desktop configuration is stored in the registry,
     and is loaded the first time you start the debugger.

  named desktops
     these desktop configurations are stored in the registry,
     and can be loaded manually by the user during the disassembly
     or the debugging.

Notice IDA will use a default configuration for main windows and toolbars
if the screen resolution changed.

See also

         @0:1419[Load desktop...] command
         @0:1420[Save desktop...] command
         @0:1421[Delete desktop...] command
         @0:1422[Reset desktop] command
È
WRAP
Load desktop ▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This commands show all available desktops (stored in the database or in the registry).
Pressing <Enter> loads the desktop configuration from the selected @0:1418[desktop].
Pressing <Del> deletes the selected @0:1418[desktop].

See also

         @0:1418[Desktops]
         @0:1420[Save desktop...] command
         @0:1421[Delete desktop...] command
         @0:1422[Reset desktop] command6WRAP
Save desktop ▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command saves the current desktop configuration to a @0:1418[desktop].

If you enter a name, IDA saves the current configuration to a named desktop
in the database or registry.

If you select 'Default', IDA saves the current configuration to the <Default>
or <Default debugger> desktop (if the debugger is active) in the registry.

See also

         @0:1418[Desktops]
         @0:1419[Load desktop...] command
         @0:1421[Delete desktop...] command
         @0:1422[Reset desktop] command8
WRAP
Delete desktop ▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command deletes a @0:1418[desktop] containing a desktop configuration.

See also

         @0:1418[Desktops]
         @0:1419[Load desktop...] command
         @0:1420[Save desktop...] command
         @0:1422[Reset desktop] command”
WRAP
Reset desktop ▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command resets all windows (IDA main window and database windows)
by loading the original IDA disassembly desktop or debugger desktop
(if the debugger is active).

See also

         @0:1418[Desktops]
         @0:1419[Load desktop...] command
         @0:1420[Save desktop...] command
         @0:1421[Delete desktop...] commandâWRAP
Thread list ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Threads
 Current hotkey: @<Threads>

Opens the threads window.

In this window, you can view all the threads of the debugged process.
Double clicking on a thread jumps to its current instruction (available only
if the process has been suspended). Double clicking also changes the current
thread for the hlpHelpDebugger[CPU] window.

The right click brings a popup menu, where you can suspend or resume threads.
The following thread states are possible:

  - Running: the thread is running
  - Ready: the thread is ready to run but the application has been suspended
  - Suspended: the thread has been suspended by the user

 See also @0:1395[Debugger] submenu.@0:417[]
Unknown switch '-%c''@0:141[]
Please enter header file name>@0:636[]
Switch '%s' can be used only when loading a new file)Database for file '%s' has been loaded.
WIDA is analysing the input file...
You may start to explore the input file right now.
6You can't disassemble file with such an extension: %sfWRAP
String encodings ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA Qt can display program strings using different encodings. You can
specify default encodings for all strings or override the encoding of a specific
string.

The following encodings can be used:

<default> - the default encoding for this string type (8-bit or 16-bit)

<no conversion> - the string bytes are printed using the current
system encoding (after translating with XlatAsciiOutput array in the @0:419[configuration] file).

Windows codepages (e.g. 866, CP932, windows-1251)

Charset names (e.g. Shift-JIS, UTF-8, Big5)

You can add new encodings to the list using the context menu item Insert (Ins hotkey).

On Linux/OS X, you can run "iconv -l" to see the available encodings. Please note that some
encodings are not supported on all systems.

See also @0:613[Options] submenu. Something is wrong with IDA.KEYR@0:421[]
Sorry, the demo version can't load old databases.
Press F1 for details.eThe demonstration version has expired. Please visit https://www.hex-rays.com to get a newer version.$@0:637[]
Can't find input file '%s'?Database for '%s' already exists. Do you want to overwrite it?YHIDECANCEL
All previous disassembly will be lost. Are you sure you wish to overwrite it?"@0:1465[]
Malformed plugin optionWRAP
FLIRT collision: the function with the given name already exists ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        It means that IDA recognized the function as coming
        from a standard library but there already was another function
        with the same name in the program.

 What to do:
        Examine the function and rename it as you wish.
WRAP
Run until return ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ThreadRunUntilReturn
 Current hotkey: @<ThreadRunUntilReturn>

This command executes assembler instructions and stops on the instruction
immediately following the instruction that called the current function.

Internally, IDA executes each instruction in the current function until
a 'return from function' instruction is reached.

 See also @0:1401[Step into]
          @0:1402[Step over]
          @0:1395[Debugger] submenu.è
WRAP
Tracing submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Here are the commands to use the tracing features of the debugger.

  @0:1629[Trace management]
  @0:1444[Tracing window]
  @0:1445[Clear trace]
  @0:1446[Instruction tracing]
  @0:1447[Function tracing]
  @0:1628[Basic block tracing]
  @0:1448[Add write trace]
  @0:1449[Add read/write trace]
  @0:1450[Add execution trace]
  @0:1412[Stack trace]
  @0:1451[Tracing Options]

See also @0:1395[Debugger] submenu.²WRAP
Tracing window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: TracingWindow
 Current hotkey: @<TracingWindow>

Opens the 'Tracing' window.

In this window, you can view some information related to all traced events.
The tracing events are the information saved during the execution of a program.
Different type of trace events are available: @0:1446[instruction tracing events] ,
@0:1447[function tracing events] and @0:1448[write],
@0:1449[read/write] or @0:1450[execution tracing events].

During the execution, the list of traced events is disabled, as it couldn't
be continuously synchronized with the execution without rendering the whole
tracing very slow.

If a '=' character is displayed in the 'Thread' and 'Address' columns, it indicates that the trace event
occurred in the same thread and at the same address as the previous trace event.

 See also @0:1445[Clear trace]
          @0:1446[Instruction tracing]
          @0:1447[Function tracing]
          @0:1628[Basic block tracing]
          @0:1448[Add write trace]
          @0:1449[Add read/write trace]
          @0:1450[Add execution trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.¿WRAP
Clear trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ClearTrace
 Current hotkey: @<ClearTrace>

This command removes all trace events from the @0:1444[Tracing window].
It also removes any loaded trace file used for @0:1634[diffing] against the currently loaded
trace.

 See also @0:1444[Tracing window]
          @0:1634[Diff to binary trace]
          @0:1629[Trace management]
          @0:1446[Instruction tracing]
          @0:1447[Function tracing]
          @0:1628[Basic block tracing]
          @0:1448[Add write trace]
          @0:1449[Add read/write trace]
          @0:1450[Add execution trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.
WRAP
Instruction tracing  ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ToggleTraceInstructions
 Current hotkey: @<ToggleTraceInstructions>

This command starts instruction tracing.
You can then use all the debugger commands as usual: the debugger will save all the
modified register values for each instruction.

When you click on an instruction trace event in the 'Tracing' window,
IDA displays the corresponding register values preceding the execution
of this instruction. In the 'Result' column of the @0:1444[Tracing window], you
can also see which registers were modified by this instruction.
By using this information, you can for example quickly determine which instruction
modified a specific register, or you can even backtrace the execution flow.
Note that the IP register is never printed in the 'Result' column, although it is usually
modified by almost any instruction (except perhaps some prefixed instructions like REP MOVSB, ...).

Internally, the debugger runs the current thread step by step
to properly obtain all the required register values.
This explains why instruction tracing is slower than a normal execution.

 See also @0:1444[Tracing window]
          @0:1629[Trace management]
          @0:1445[Clear trace]
          @0:1447[Function tracing]
          @0:1628[Basic block tracing]
          @0:1448[Add write trace]
          @0:1449[Add read/write trace]
          @0:1450[Add execution trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.ƒWRAP
Function tracing ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ToggleTraceFunctions
 Current hotkey: @<ToggleTraceFunctions>

This command starts function tracing.
You can then use all debugger commands as usual: the debugger will save all
addresses where a call to a function or a return from a function occurred.

Internally, the debugger runs the current thread step by step
to properly detect all function calls and returns.
This explains why functions tracing is slower than a normal execution.

 See also @0:1444[Tracing window]
          @0:1629[Trace management]
          @0:1445[Clear trace]
          @0:1446[Instruction tracing]
          @0:1628[Basic block tracing]
          @0:1448[Add write trace]
          @0:1449[Add read/write trace]
          @0:1450[Add execution trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.WRAP
Add write trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: WriteTraceAdd
 Current hotkey: @<WriteTraceAdd>

This command adds a write trace to the current address.

Each time the given address will be accessed in write mode,
the debugger will add a trace event to the @0:1444[Tracing window].

In fact, write traces are nothing more than breakpoints with special properties: they don't stop
and they simply add a trace event when the breakpoints are reached.

Internally, the debugger will add a hardware breakpoint on the given address,
so all the restrictions for @0:1407[hardware breakpoints] are also valid
for write traces.

 See also @0:1444[Tracing window]
          @0:1629[Trace management]
          @0:1445[Clear trace]
          @0:1446[Instruction tracing]
          @0:1447[Function tracing]
          @0:1628[Basic block tracing]
          @0:1449[Add read/write trace]
          @0:1450[Add execution trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.3WRAP
Add read/write trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ReadWriteTraceAdd
 Current hotkey: @<ReadWriteTraceAdd>

This command adds a read/write trace to the current address.

Each time the given address will be accessed in read or write mode,
the debugger will add a trace event to the @0:1444[Tracing window].

In fact, read/write traces are nothing more than breakpoints with special properties: they don't stop
and they simply add a trace event when the breakpoints are reached.

Internally, the debugger will add a hardware breakpoint on the given address,
so all the restrictions for @0:1407[hardware breakpoints] are also valid
for read/write traces.

 See also @0:1444[Tracing window]
          @0:1629[Trace management]
          @0:1445[Clear trace]
          @0:1446[Instruction tracing]
          @0:1447[Function tracing]
          @0:1628[Basic block tracing]
          @0:1448[Add write trace]
          @0:1450[Add execution trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.ÀWRAP
Add execution trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ExecTraceAdd
 Current hotkey: @<ExecTraceAdd>

This command adds an execution trace to the current address.

Each time the instruction at the given address will be run,
the debugger will add a trace event to the @0:1444[Tracing window].

In fact, execution traces are nothing more than breakpoints with special properties: they don't stop
and they simply add a trace event when the breakpoints are reached.

Internally, the debugger will add a breakpoint instruction at the given address.

 See also @0:1444[Tracing window]
          @0:1629[Trace management]
          @0:1445[Clear trace]
          @0:1446[Instruction tracing]
          @0:1447[Function tracing]
          @0:1628[Basic block tracing]
          @0:1448[Add write trace]
          @0:1449[Add read/write trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.óWRAP
Tracing options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetupTracing
 Current hotkey: @<SetupTracing>

This dialog box allows you to specify different settings related to the tracing features.


Trace buffer size

  This setting indicates how many tracing events can fit in the trace buffer.
  If the debugger must insert a new event and the buffer is full,
  the oldest tracing event will be removed.
  However, if you specify a size of 0, the buffer size isn't limited.
  Notice that, for example, in the case of an instructions trace,
  all executed instructions could be logged, which would quickly fill
  up the memory!

Trace file

  If a filename is specified, all future traced events will be appended to it.

Trace directory

  The directory were trace files for the current database will be saved. If not
  specified, the IDB directory will be used.

Stop condition

  This IDC expression will be evaluated before the execution
  of each instruction. If the expression returns true, the debugger will
  suspend the execution. Please note that you can use register names in
  the condition.

Tracing

  - Trace over debugger segments

      If selected, the debugger will not go step by step in debugger segments
      (segments not available in the database).

  - Trace over library functions

      If selected, the debugger will not go step by step in library functions.

  Enabling these options will speed up the execution, as many instructions
  (from debugger segments and/or library functions) will not be traced.
  Disabling these options can quickly fill the @0:1444[Tracing window], as all
  instructions in DLLs and system functions will be executed step by step.
  Notice that both options influence the way instruction and function tracings
  will work.
  Internally, the debugger proceeds like this:
  - memorize the return address associated with the last executed call
    instruction in database segments (the previously saved one is overwritten).
  - setup a temporary breakpoint on this address once the IP is in a debugger
    segment or library function, disable step by step, and run the thread.
  - reenable step by step once this temporary breakpoint is reached.

  - Do not log already logged IP

      If selected, already executed instructions will not be logged if
      they are executed again.

  - Skip loops

      If selected, tracing will be temporarily disabled for some loops
      constructs.

Highlight

  - Highlight instructions in IDA views

    If selected, recorded instructions will be displayed in IDA views (disassembly
    views) with a different background color.

  - Main color

    The main background color for traced instructions.

  - Diff color

    The background color for the instructions recorded and being diffed against the
    currently loaded trace.

Instruction tracing

  - Log if same IP

    If selected, the debugger will also log all register modifications occurring
    during the execution of prefixed instructions like REP MOVSB, ...

Function tracing

  - Log return instructions

      If selected, the debugger will also log function returns.
      If disabled, only function calls are logged.

Basic block tracing

  - Log basic block instructions

      If selected, all instructions from the current basic block will be logged
      and displayed in the 'Tracing' window, instead of only the last instruction of
      the basic block.

 See also @0:1444[Tracing window]
          @0:1629[Trace management]
          @0:1445[Clear trace]
          @0:1446[Instruction tracing]
          @0:1447[Function tracing]
          @0:1628[Basic block tracing]
          @0:1448[Add write trace]
          @0:1449[Add read/write trace]
          @0:1450[Add execution trace]
          @0:1443[Tracing] submenu.WRAP
Attach to process ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProcessAttach
 Current hotkey: @<ProcessAttach>

This command displays running processes corresponding to
the disassembled file in the database and allows the user
to choose a process to attach to.

 See also @0:1397[Start process]
          @0:1398[Process options]
          @0:1399[Pause process]
          @0:1400[Terminate process]
          @0:1453[Detach from process]
          @0:1395[Debugger] submenu.µ
WRAP
Detach from process ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProcessDetach
 Current hotkey: @<ProcessDetach>

This command detaches the debugger from the debugged process.
Note: this command is only available on Windows XP or Windows 2003 Server !

 See also @0:1397[Start process]
          @0:1399[Pause process]
          @0:1400[Terminate process]
          @0:1395[Debugger] submenu.'
WRAP
Breakpoints submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Here are the commands to use the debugger breakpoints.

  @0:1404[Breakpoints list]
  @0:1405[Add breakpoint]
  @0:1407[Edit breakpoint]
  @0:1406[Delete breakpoint]

See also @0:1395[Debugger] submenu.
WRAP
Watches submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Here are the commands to use the debugger watches (assembler level).

  @0:1409[Watch list]
  @0:1410[Add watch]
  @0:1411[Del watch]

See also @0:1395[Debugger] submenu
         @0:1325[Source level watchies]Ä
WRAP
Specify instruction color ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ColorInstruction
 Current hotkey: @<ColorInstruction>

This command allows you to specify the background color for the current
instruction or data item.

Only GUI version supports different background colors.
Specifying a non-defined custom color will reset the instruction color.

See also @0:530[Edit|Other] submenu.íWRAP
Module list ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Modules
 Current hotkey: @<Modules>

Opens the modules window.

This window lists all the modules loaded by the debugged process.
Double click on a module to see the list of its exported names.

The right click menu allows for loading debug information for the current module.
For that, select the "Load debug symbols" command from the popup menu.
If IDA manages to find and load the corresponding debug information file,
it will import all symbols from it into the database. Currently, only @0:1374[PDB]
files are supported. The operation result is displayed in the @0:584[message window].

 See also @0:1395[Debugger] submenu.
          @0:1374[Load PDB files] command.?

 +-------------------------------------------------------------------------+
 |      This file was generated by The Interactive Disassembler (IDA)      |
 |           Copyright (c) 2025 Hex-Rays, <support@hex-rays.com>           |
 | %s |
 +-------------------------------------------------------------------------+

ô
WRAP
Find the register definition ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: FindRegisterDefinition
 Current hotkey: @<FindRegisterDefinition>

This command searches for the first definition of the register under cursor.
It looks for a definition in the current function, starting from the current
address towards _lower_ addresses, ignoring control flow.

 See also @0:1460[Find the register use]
          @0:568[Search] submenu
Ä
WRAP
Find the register use ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: FindRegisterUse
 Current hotkey: @<FindRegisterUse>

This command searches for the first use of the register under cursor.
It looks for a use in the current function, starting from the current
address towards _higher_ addresses, ignoring control flow.

 See also @0:1459[Find the register definition]
          @0:568[Search] submenu
W
WRAP
Switch debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SwitchDebugger
 Current hotkey: @<SwitchDebugger>

This command allows the user to select a debugger if there are several debuggers
available for the current database. For example, Window32 program can be debugged
with a remote or a local debugger.
]Credits ▄
 ▀▀▀▀▀▀▀▀

IDA is a complex and multifunctional software.
It contains some third party code with the license requiring to be mentioned in the documentation.
Below is the list:


-------------------------------------------------------------------------------
Xdelta version 3

https://github.com/jmacd/xdelta

Xdelta version 3 is a C library and command-line tool for delta compression
using VCDIFF/RFC 3284 streams.

@0:370[Apache License v2.0]

-------------------------------------------------------------------------------
XML patterns from Ghidra Software Reverse Engineering Framework

@0:1730[Apache License v2.0 for Ghidra XML patterns]

-------------------------------------------------------------------------------
The LLVM Project is under the Apache License v2.0 with LLVM Exceptions:

@0:1731[Apache License v2.0 with LLVM Exceptions]

-------------------------------------------------------------------------------
LZFSE decompressor

Copyright (c) 2015-2016, Apple Inc. All rights reserved.

Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

1.  Redistributions of source code must retain the above copyright notice,
    this list of conditions and the following disclaimer.

2.  Redistributions in binary form must reproduce the above copyright notice,
    this list of conditions and the following disclaimer in the documentation
    and/or other materials provided with the distribution.

3.  Neither the name of the copyright holder(s) nor the names of any contributors
    may be used to endorse or promote products derived from this software without
    specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.

-------------------------------------------------------------------------------
Minimal LZMA Project (minlzma)

MIT License

Copyright (c) 2020 Alex Ionescu

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

-------------------------------------------------------------------------------
Portions of NDK by Alex Ionescu

The NDK is Copyright ©2005-2012 Alex Ionescu.
GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999


-------------------------------------------------------------------------------
IDAPython plugin by Gergely Erdelyi

Copyright (c) 2004-2008 Gergely Erdelyi <dyce@d-dome.net>. All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.

3. The name of the author may not be used to endorse or promote products
derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.

-------------------------------------------------------------------------------
InfoZIP libraries

  Copyright (C) 1995-2022 Jean-loup Gailly and Mark Adler

  This software is provided 'as-is', without any express or implied
  warranty.  In no event will the authors be held liable for any damages
  arising from the use of this software.

  Permission is granted to anyone to use this software for any purpose,
  including commercial applications, and to alter it and redistribute it
  freely, subject to the following restrictions:

  1. The origin of this software must not be misrepresented; you must not
     claim that you wrote the original software. If you use this software
     in a product, an acknowledgment in the product documentation would be
     appreciated but is not required.
  2. Altered source versions must be plainly marked as such, and must not be
     misrepresented as being the original software.
  3. This notice may not be removed or altered from any source distribution.

  Jean-loup Gailly        Mark Adler
  jloup@gzip.org          madler@alumni.caltech.edu


-------------------------------------------------------------------------------
PCRE2 library: @0:1686[BSD License]

-------------------------------------------------------------------------------
DSP56K analyzer part of DSP56K module

  Copyright (c) 1998 Miloslaw Smyk
  All rights reserved.
  Support for DSP 563xx added by Ivan Litvin

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions
  are met:
  1. Redistributions of source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in the
     documentation and/or other materials provided with the distribution.
  3. All advertising materials mentioning features or use of this software
     must display the following acknowledgement:
       This product includes software developed by Miloslaw Smyk
  4. The name of the author may not be used to endorse or promote products
     derived from this software without specific prior written permission

  THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-------------------------------------------------------------------------------
TVision port to Linux is partially based on modifications
made by Sergio Sigala

  All changes copyright (c) 1997 Sergio Sigala, Brescia, Italy.
  All rights reserved.

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions
  are met:
  1. Redistributions of source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in the
     documentation and/or other materials provided with the distribution.

  THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-------------------------------------------------------------------------------
COIN/Clp library

  Copyright (C) 2002, International Business Machines
  Corporation and others.

  @0:14[Common Public License v1.0]

-------------------------------------------------------------------------------
CCTOOLS package from Apple


  @0:1163[APPLE PUBLIC SOURCE LICENSE]
  Version 2.0 - August 6, 2003

-------------------------------------------------------------------------------
DEX loader and Dalvik processor module use portions of code from
the Android project "libdex":

  Copyright (C) 2008 The Android Open Source Project

  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.

-------------------------------------------------------------------------------
Libdwarf library:

  Copyright (C) 2000,2002,2003,2004,2005 Silicon Graphics, Inc. All Rights Reserved.
  Portions Copyright (C) 2008-2010 Arxan Technologies, Inc. All Rights Reserved.
  Portions Copyright (C) 2009-2011 David Anderson. All Rights Reserved.
  Portions Copyright (C) 2010 SN Systems Ltd. All Rights Reserved.

  This program is free software; you can redistribute it and/or modify it
  under the terms of version 2.1 of the GNU Lesser General Public License
  as published by the Free Software Foundation.

-------------------------------------------------------------------------------
Qt libraries:

  http://doc.qt.io/qt-5/licensing.html

  The source code of Qt used in IDA is available upon request at support@hex-rays.com

-------------------------------------------------------------------------------
MD5 checksum:
 * This code implements the MD5 message-digest algorithm.
 * The algorithm is due to Ron Rivest.  This code was
 * written by Colin Plumb in 1993, no copyright is claimed.
 * This code is in the public domain; do with it what you wish.

-------------------------------------------------------------------------------
SHA256 checksum:
 Copyright (c) 2002, Dr Brian Gladman, Worcester, UK.   All rights reserved.

 LICENSE TERMS

 The free distribution and use of this software in both source and binary
 form is allowed (with or without changes) provided that:

   1. distributions of this source code include the above copyright
      notice, this list of conditions and the following disclaimer;

   2. distributions in binary form include the above copyright
      notice, this list of conditions and the following disclaimer
      in the documentation and/or other associated materials;

   3. the copyright holder's name is not used to endorse products
      built using this software without specific written permission.

 ALTERNATIVELY, provided that this notice is retained in full, this product
 may be distributed under the terms of the GNU General Public License (GPL),
 in which case the provisions of the GPL apply INSTEAD OF those given above.

 DISCLAIMER

 This software is provided 'as is' with no explicit or implied warranties
 in respect of its properties, including, but not limited to, correctness
 and/or fitness for purpose.

-------------------------------------------------------------------------------
AES encryption/decryption (used only to decrypt some input files):
 *  FIPS-197 compliant AES implementation
 *
 *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.

-------------------------------------------------------------------------------
Blowfish encryption/decryption (used only to decrypt some input files):
 *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.

-------------------------------------------------------------------------------
MinHook - The Minimalistic API Hooking Library for x64/x86
Copyright (C) 2009-2017 Tsuda Kageyu.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

================================================================================
Portions of this software are Copyright (c) 2008-2009, Vyacheslav Patkov.
================================================================================
Hacker Disassembler Engine 32 C
Copyright (c) 2008-2009, Vyacheslav Patkov.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-------------------------------------------------------------------------------
Hacker Disassembler Engine 64 C
Copyright (c) 2008-2009, Vyacheslav Patkov.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-------------------------------------------------------------------------------
IDA Floating has the client code for Flexera's Flexnet:
 Copyright (c) 1997-2017 Flexera Software LLC. All Rights Reserved.

-------------------------------------------------------------------------------
inja C++ template engine

MIT License

Copyright (c) 2018-2021 Berscheid

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

-------------------------------------------------------------------------------
 __|  |   __|     |   | |  JSON for Modern C++
|  |  |__   |  |  | | | |  version 3.10.5
|_____|_____|_____|_|___|  https://github.com/nlohmann/json

Licensed under the MIT License <http://opensource.org/licenses/MIT>.
SPDX-License-Identifier: MIT
Copyright (c) 2013-2022 Niels Lohmann <http://nlohmann.me>.

Permission is hereby  granted, free of charge, to any  person obtaining a copy
of this software and associated  documentation files (the "Software"), to deal
in the Software  without restriction, including without  limitation the rights
to  use, copy,  modify, merge,  publish, distribute,  sublicense, and/or  sell
copies  of  the Software,  and  to  permit persons  to  whom  the Software  is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE  IS PROVIDED "AS  IS", WITHOUT WARRANTY  OF ANY KIND,  EXPRESS OR
IMPLIED,  INCLUDING BUT  NOT  LIMITED TO  THE  WARRANTIES OF  MERCHANTABILITY,
FITNESS FOR  A PARTICULAR PURPOSE AND  NONINFRINGEMENT. IN NO EVENT  SHALL THE
AUTHORS  OR COPYRIGHT  HOLDERS  BE  LIABLE FOR  ANY  CLAIM,  DAMAGES OR  OTHER
LIABILITY, WHETHER IN AN ACTION OF  CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE  OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

-------------------------------------------------------------------------------
   Demangler for the Rust programming language
   Copyright (C) 2016-2023 Free Software Foundation, Inc.
   Written by David Tolnay (dtolnay@gmail.com).
   Rewritten by Eduard-Mihai Burtescu (eddyb@lyken.rs) for v0 support.

This file is part of the libiberty library.
Libiberty is free software; you can redistribute it and/or
modify it under the terms of the GNU Library General Public
License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.

In addition to the permissions in the GNU Library General Public
License, the Free Software Foundation gives you unlimited permission
to link the compiled version of this file into combinations with other
programs, and to distribute those combinations without any restriction
coming from the use of this file.  (The Library Public License
restrictions do apply in other respects; for example, they cover
modification of the file, and distribution when not linked into a
combined executable.)

Libiberty is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Library General Public License for more details.

You should have received a copy of the GNU Library General Public
License along with libiberty; see the file COPYING.LIB.
If not, see <http://www.gnu.org/licenses/>.

@0:1742[GNU Lesser General Public License v2.1 for libiberty]
¿	WRAP
Remote debugging ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

1. Launch a remote IDA debugger server on the remote host. The remote
server is started from the command line and accepts command line parameters.
You can specify a password if you want to protect your debugger server
from strangers. For example, to launch the server under MS Windows, you could enter:

        win32_remote -Pmy_secret_password

2. Specify the remote debugger parameters in the Debugger, @0:1398[Process options].
The file paths must be valid on the remote host. Do not forget to specify
the same password as you have specified when launching the server. For example,
to debug notepad.exe on the remote computer remote.host.com:

        Application: c:\windows\notepad.exe
        Input file:  c:\windows\notepad.exe
        Directory:   c:\windows
        Hostname:    remote.host.com
        Port:        23946
        Password:    my_secret_password

3. The rest of debugging is the same as with local debugging.

 NOTE

The Linux debugger server can handle one debugger session at once. If you need
to debug several applications simultaneously, launch several servers at different
network ports.

The following debugger servers are shipped with IDA

 File name             Target system         Debugged programs
 ------------------    ------------------    ----------------------------
 android_server32      ARM Android           32-bit ELF files
 android_server        AArch64 Android       64-bit ELF files
 android_x64_server    x86 Android 32-bit    32-bit ELF files
 android_x86_server    x86 Android 64-bit    64-bit ELF files
 armlinux_server32     ARM Linux             32-bit ELF files
 armlinux_server       AArch64 Linux         64-bit ELF files
 linux_server          Linux 64-bit          64-bit ELF files
 mac_server            Mac OS X/macOS 11     64-bit Mach-O files (x64)
 mac_server_arm        ARM macOS 11          64-bit Mach-O files (arm64)
 mac_server_arme       ARM macOS 11          64-bit Mach-O files (arm64e)
 win32_remote32.exe    MS Windows 32-bit     32-bit PE files
 win64_remote.exe      MS Windows 64-bit     64-bit PE files

An appropriate server must be started on the remote computer before
starting a debug session.

 See also @0:1397[Start process]
          @0:1395[Debugger] submenu
          @0:1217[Debugger for Linux]
          @0:1078[Debugger for macOS]
          @0:145[Debugger for Android native code]
          @0:1677[Remote iOS debugger]çWRAP
Reset Hidden Messages ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This command resets the state of all questions and messages
the user hid by checking the "Don't show this message again" checkbox.2WRAP
Plugin options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The -O command line switch allows the user to pass options to the plugins.
A plugin which uses options should call the get_plugin_options() function
to get them.

Since there may be many plugins written by independent programmers,
each options will have a prefix -O in front of the plugin name.

For example, a plugin named "decomp" should expect its parameters
to be in the following format:

        -Odecomp:option1:option2:option3

In this case, get_plugin_options("decomp") will return the "option1:option2:option3"
part of the options string.

If there are several -O options in the command line,
they will be concatenated with ':' between them.

List of plugins recognizing '-O' switch

  @0:1476[Conversion options]
  @0:1675[DWARF]
  @0:1478[Golang]
  @0:1760[Find Functions]
  @0:1732[Lumina]
  @0:1687[Objective-C]
  @0:1374[Pdb]
  @0:1477[Rust]
  @0:1479[Swift]
  hexrays : https://hex-rays.com/products/decompiler/manual/batch.shtml

This switch is not available in the IDA Home edition.
Š}

//------------------------------------------------------------------------
// Information about segmentation

static Segments(void)
{
Ÿ}

//------------------------------------------------------------------------
// Information about patches

static Patches_%d(void)
{
  auto x;
#define id x

­WRAP
Take memory snapshot ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: TakeSnapshot
 Current hotkey: @<TakeSnapshot>

This command copies the contents of the process memory to the database.
It is available during a debugging session.

The memory contents will be copied to the database.
The user may specify that only the segments with the 'loader'
attribute will be saved in the database.

The segments with the loader attribute are created by the
input file loader and usually contain information from the input file.
However, in some cases (like attaching to an existing process),
there will not be any loader segments because the input file was not
loaded by IDA.

To be able to make a partial snapshot in this case and other similar cases,
the user can set or clear the 'loader' attribute of the desired segments
using the
@0:514[edit segment] command.

After applying this command, the user can terminate the debugging
process and continue to analyze the program in the database.

Please note that it is possible to save the database without
taking a memory snapshot. Such a database might be used to keep global
information about the program like the breakpoint information, notes, etc.
However, we recommend to take a memory snapshot of at least the 'loader'
segments because it will allow to save also information about the program
functions, names, comments, etc.

See also @0:1395[Debugger] submenu.q
WRAP
Set current ip▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ThreadSetCurrentIp
 Current hotkey: @<ThreadSetCurrentIp>

This command sets the instruction pointer of the current suspended thread
to the current cursor location.

It is accessible only when the debugger is active and the process is suspended.

 See also @0:1395[Debugger] submenu.UWRAP
Show application screen▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowUserScreen
 Current hotkey: @<ShowUserScreen>

This command displays the application screen.

It is useful for the text mode debugger.

When the debugged application runs in the same window as IDA itself,
the application output is hidden by IDA windows. This command allows
to see the application screen in this case.

To return to IDA display, press any key.

This command is available when the application is suspended or finished.

 See also @0:1395[Debugger] submenu. }

static Functions_%d(void)
{
WRAP
Create INC File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceInc
 Current hotkey: @<ProduceInc>

Please enter a file name for the assembler include file. IDA will write
the information about the defined types (structures and enums) to this file.

If some I/O problem (e.g. disk full) occurs during writing
to the file, IDA will stop and a partial file will be created.

Please note that @0:421[demo] version cannot produce assembler
include files.

See also other @0:438[Produce output file] commands./WRAP
Database conversion from idb to i64▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

In the past, there were separate binaries of IDA to handle 32-bit and 64-bit input files.
With IDA v9.0, only one binary (ida) is enough to handle all files.
However, old 32-bit databases with the "idb" extension need to be upgraded
to 64-bit databases with the "i64" extension.

This conversion is handled on the fly when an "idb" file is opened.
Command line switches can be used to specify various conversion options.

Example:

  ida foo.idb

This command converts foo.idb to foo.i64 on the fly. The user can immediately
start working with the database.
If foo.i64 already exists, IDA will ask if it should be overwritten or not.
Please note foo.idb is left untouched by the upgrade.

-Ocvt64 options:
        overwrite=yes/no/ask -yes: overwrite the existing i64 database
                              no: immediately exit if the i64 database exists
                              ask: ask the user what to do if the i64 database exists
        restart=yes/no/ask  - yes: automatically open the converted database in IDA
                              no: exit after the conversion
                              ask: ask the user
        privmove=yes/no/ask - move privrange beyond 32bit addrspace
                              (to 0xFF00000000000000) after conversion?

The defaults are:

  batch mode:       overwrite=no:restart=no:privmove=yes
  interactive mode: overwrite=ask:restart=yes:privmove=yes

Example 2:

  idat -Ocvt64:overwrite=no:restart=no foo.idb

This command automatically converts foo.idb and exits at the end of the conversion.
If foo.i64 already exists, the conversion will not be performed.
Since this command uses idat, it can be used for batch processing.
èWRAP
Rust plugin▄
 ▀▀▀▀▀▀▀▀▀▀▀

The binaries produced by the Rust compiler have some peculiarities which make them difficult to analyze, such as:

  - non-standard calling conventions
  - non-terminated string literals
  - unusual name mangling scheme

By default, Rust plugin is enabled if one of the following condition is true

  - one address is named 'rust_begin_unwind'
  - the string 'rustc-' can be found somewhere in the program
    If the segment '.rodata' exists, the search is limited to this segment

String literal analysis▄

Rust plugin walks to all addresses in segment with name ending in "__const", ".rodata" or ".rdata" and creates string literals on xref

  - on dref, the string literal is set up to the next dref
  - on cref, Rust tries to retrieve length from nearby instructions
    Arm, Risc-V and pc proc module benefit from this

To force the string literal detection:

  idaapi.load_and_run_plugin("rust", 1)


Demangling name▄

Rust plugin also offers the possibility to configure a demangler library for rust.
By default the plugin will use the librustdemangle library that is shipped with IDA.
You can disable this feature in 'Edit>Plugin>Rust language helper' or specify another library to use.

See cfg/rust.cfg for the possible options

List of '-Orust' options▄

  - on  : enable rust plugin for this session of IDA
  - off : disable rust plugin for this session of IDA

Example▄

  -Orust:off

This disable the plugin for this session of Ida.
VWRAP
Golang plugin▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Golang binaries are by default statically linked and full of metadata therefore a lot can be gained from annotating a Golang binary's contents using recovered metadata.

Detection▄

The golang plugin's analysis only happens by default if the input file is detected as a Golang file.
There are multiple mechanisms in place to detect that:

 - if a Golang startup signature matches the entry point (PC-only)
 - if the Golang plugin detects a Golang-specific segment name
 - if the elf loader finds a "Go" note in the input file
 - on PE files: if certain Golang symbol names or a Go build id signature is found

Analysis▄

The metadata parsed by the golang plugin falls under two main categories:

 - function information (e.g. name, package, range) retrieved from the pclntab
 - type information (e.g. name, package, layout, size) retrieved from the typelinks table

The package paths of functions and types are used to create folders.
This analysis will occur upon `ev_newfile` (when a new file has been loaded) if Golang has been detected.

Actions▄

  `golang:detect_and_parse` (Edit>Other)

This action is useful to force a full search of the binary for Golang metadata.
It will first attempt to parse a pclntab at the current address, if this is unsuccessful it will perform a full search of the binary for the pclntab's signature and parse it if found.
In addition, it will also attempt to locate and parse the type information.

Calling Conventions▄

Golang has its own calling convention(s), denoted in IDA as `__golang`.
In fact, Golang has two different calling conventions: a stack-based CC (abi0) and a newer register-based CC (abiinternal).
The version of Golang and thus which calling convention to use will be automatically inferred from metadata structures; It is also controllable through the `force_regabi` command line option.

List of `-Ogolang` options▄

Command line options take precedence over config file options.

  force                         try to force the analysis
                                (no detection step needed)
  off                           disable the plugin
  no_rtypes                     do not import any types
  rname_len2                    force the reflect type name format to go1.17
                                and later (varint encoding: 1-10 bytes)
  rname_len1                    force the reflect type name format to before
                                go1.17 (2 bytes)
  import_lnnums                 recover file names & line numbers from pclntab
  no_func_end_from_pcval_tabs   do not derive a function's end from pclntab
                                metadata
  force_regabi[=on|=off]        override calling convention version
                                 `=off`: will force the stack-based CC
                                 `=on`/no value: will force
                                 the register-based CC

See cfg/golang.cfg for available configuration options.


Examples▄

forcing analysis and register-based calling convention

  -Ogolang:force:force_regabi

disabling the plugin

  -Ogolang:off'WRAP
Swift plugin▄
 ▀▀▀▀▀▀▀▀▀▀▀▀

Demangling▄

The swift plugin uses libSwiftDemangle to demangle Swift names.
Note that IDA already had a built-in swift demangler, but it was becoming difficult to maintain. In the long-term we hope to fully deprecate IDA's custom swift demangler in favor of libSwiftDemangle.

However, the new approach still hasn't been fully integrated into IDA, so there may be times when IDA's old swift demangler produces more desirable results.

'cfg/swift.cfg' file presents all the options

'-Oswift' command line switches can be used to enable or disable some plugin options.

List of options▄

  - <demangler_path> : use specific libSwiftDemangle library
  - -d : use the built-in IDA swift demangler (legacy)
  - +d : use libSwiftDemangle swift demangler
  - -m : don't present metadata in nice way
  - +m : present metadata in nice way
  - -e : don't import enumeration types
  - +e : import enumeration types
  - -s : don't import structure types
  - +s : import structure types
  - -v : don't set variable type based on mangled names
  - +v : set variable type based on mangled names
  - -f : don't set function prototype based on mangled names
  - +f : set function prototype based on mangled names
  - -g : don't group functions in folders corresponding to modules
  - +g : group functions in folders corresponding to modules

Examples▄

  -Oswift:-g

Do not group functions into folders.


  -Oswift:/tmp/libSwiftDemangle_custom.dylib

Use /tmp/libSwiftDemangle_custom.dylib as the libSwiftDemangle library.WRAP
Find a register value ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: FindRegisterValue
 Current hotkey: @<FindRegisterValue>

This command searches for the value of the register under the cursor if it
can be found by simple methods.  It also shows the found values in the
"Output" window along with the addresses at which they are defined.
If it could not find a value, it shows the reason why it could not.
Unlike @0:1459[FindRegisterDefinition], this command
uses control flow.
KWRAP
Search for next string with error ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpError
 Current hotkey: @<JumpError>

This commands searches for the 'error' operands.
Usually, these operands are displayed with a red color.

Below is the list of probable causes of error operands:

        - reference to an unexisting address
        - illegal offset base
        - unprintable character constant
        - invalid structure or enum reference
        - and so on...

See also @0:568[Search] submenur
WRAP
Find all errors ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: FindAllErrors
 Current hotkey: @<FindAllErrors>

This command searches for all strings containing any error and presents
a list of them.
You may use this list to examine errors and correct them as needed.

 See also @0:1481[string with error]
          @0:568[Search] submenu
-Unloading information about segmentation...
2Unloading information about instructions/data...
}Unloading information about segment registers...

//-------------------------------------------------------------------------IDC execution has been cancelled by the usereWRAP
Breakpoint conditions ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

You can use the "Condition" field of the breakpoint properties to enter
an expression which is evaluated when the breakpoint is hit. It can be either
an actual condition or just any valid code in IDC
or another supported scripting language syntax. By using the "..." button, you
can open a multi-line editor for the conditition and switch the scripting language
used for evaluating it.

Expressions

  If you enter an expression, the result will be used to determine whether
  the selected actions are executed. Some examples of IDC expressions:

  Check if EAX is equal to 5:

    EAX==5

  Check if the first argument to the function is 1:

    get_wide_dword(ESP)==1

  Interpret the second argument to the function as a pointer to Unicode string, print it,
  and return 0 (so that the execution continues immediately):

    msg("Filename: %s\n", get_strlit_contents(get_wide_dword(ESP+4), -1, STRTYPE_UNICODE)), 0

  Set EAX to 0 and continue:

    EAX=0,0

Statements

  You can enter several statements in the multi-line editor. If the last one is a 'return' statement,
  it is used as the result of the condition. Otherwise the condition is assumed to return 0.

 See also @0:1404[Breakpoints list]
          @0:1407[Edit breakpoint]
          @0:1404[Breakpoints] submenu
?Attempt to call a database related function without a databaseShow ~s~trings•
@0:1379[]
Setup string window

  <~D~isplay only defined strings:C>
  <~I~gnore instructions/data definitions:C>
  <~S~trict ASCII (7-bit) strings:C>>

  Allowed string types
  <~C~ (zero terminated):C>
  <~P~ascal:C>
  <Pascal, ~2~ byte length:C>
  <~U~nicode:C>
  <Pascal, ~4~ byte length:C>
  <Pascal Unicode, 2 byte length:C>
  <Pascal Unicode, 4 byte length:C>>

  <~M~inimal string length:D::5::>

™	WRAP
Scattered argument locations ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

On x64 and other processors the compiler sometimes passes structures and
unions partially on registers and partially on the stack. Consider the
following structure:

  #pragma pack(push, 4)
  struct struc_1
  {
    char c1;
    short s2;
    char c3;
    int i4;
  };
  #pragma pack(pop)

In binary form it looks like this:

  00000000 struc_1         struc ; (sizeof=0xC)
  00000000 c1              db ?
  00000001                 db ? ; undefined
  00000002 s2              dw ?
  00000004 c3              db ?
  00000005                 db ? ; undefined
  00000006                 db ? ; undefined
  00000007                 db ? ; undefined
  00000008 i4              dd ?
  0000000C struc_1         ends

If we have this function prototype:

  void myfunc(struc_1 s);

the 64bit GNU compiler will pass the structure like this:

  RDI: c1, s2, and c3
  RSI: i4

Since compilers can use such complex calling conventions, IDA needs some
mechanism to describe them. Scattered argument locations are used for that.
The above calling convention can be described like this:

  void __usercall myfunc(struc_1 s@<0:rdi.1, 2:rdi^2.2, 4:rdi^4.1, 8:rsi.4>);

It reads:

  1 byte  at offset 0 of the argument is  passed in the byte 0 of RDI
  2 bytes at offset 2 of the argument are passed in the byte 1,2 of RDI
  1 byte  at offset 4 of the argument is  passed in the byte 3 of RDI
  4 bytes at offset 8 of the argument are passed starting from the byte 0 of RSI

In other words, the following syntax is used:

  argoff:register^regoff.size

where

  argoff - offset within the argument
  register - register name used to pass part of the argument
  regoff - offset within the register
  size - number of bytes

The regoff and size fields can be omitted if there is no ambiguity.

If the register is not specified, the expression describes a stack location:

  argoff:^stkoff.size

where

  argoff - offset within the argument
  stkoff - offset in the stack frame (the first stack argument is at offset 0)
  size - number of bytes

Please note that while IDA checks the argument location specifiers for soundness,
it cannot perform all checks and some wrong locations may be accepted. In
particular, IDA in general does not know the register sizes and accepts any
offsets within them and any sizes.

See also @0:1361[Set type] command.
~F~low chartF~u~nction callsXrefs ~t~o
Xrefs f~r~omU~s~er xrefs chart...	~G~raphsBase class must be a structure'Named bitfields cannot be of zero size?Create segment (%0*a-%0*a, sel %0*a):
Illegal segment bitness.Û
WRAP
Instant debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The -r command line switch is used to run the built-in
debugger without creating a database in advance.
The format is this switch is:

  -rdebname{params}:pass@hostname:port+pid

The explanation of the fields:

  debname       Debugger name. Should contain the debugger
                module name. Examples: win32, linux. This prefix
                can be shortened or even completely
                omitted if there is no ambiguity
  params        Optional parameter for the debugger module
                The parameters from the appropriate configuration file
                can be specified here, separated by semicolons.
  pass          Password for the remote debugger server
  hostname      Host name or address of the remote debugger server.
                IPv6 addresses need to be enclosed in [].
  port          Port number to use to connect to the debugger server
  pid           PID of the process to attach

All fields except the first one are optional. Also, the pid field can be specified
as '+'. IDA will display the process list to attach.
See examples below for typical command lines:

  ida -rwin32 file args
        Run 'file' with command line 'args' in the local debugger
        We have to specify the debugger name to avoid ambiguities.
  ida -rwindbg+450
        Attach to process 450 on the local machine using the windbg backend
  ida -rl:hippy@mycom:4567+
        Connect to the remote linux computer 'mycom' at port 4567 using the
        password 'hippy' and display the list of processes running on it.
        Allow the user to select a process and attach to it.
  ida -rl@mycom /bin/ls e*
        Run '/bin/ls' command on the 'mycom' computer using the remote
        debugger server on Linux. Use an empty password and the
        default port number. Pass "e*" as the parameter to /bin/ls.
  ida -rl@mycom whobase.idb
        Run '/usr/bin/who' command on the 'mycom' computer using the
        remote linux debugger server. Use an empty password and the
        default port number. IDA will extract the name of the
        executable from the whobase.idb file in the local current
        directory. If the database does not exist, then this command
        will fail.
  ida "-rwindbg{MODE=1}@com:port=\\.\pipe\com_1,baud=115200,pipe,reconnect+"
        Attach using windbg in kernel mode. The connection string is
        "com:port=\\.\pipe\com_1,baud=115200,pipe,reconnect". A mini database
        will be created on the fly.

When the -r switch is used, IDA works with the databases in the following way:

        - if a database corresponding to the input file exists and
        the -c switch has not been specified, then IDA will use the
        database during the debugging session

        - otherwise, a temporary database will be created

Temporary databases contain only meta-information about the debugged process
and not the memory contents. The user can make a
@0:1470[memory snapshot]
any time before the process stops. If IDA detects that a command will cause the process to exit or detach IDA,
it will propose to make a snapshot.

The rest of the command line is passed to the launched process.

In the case there is no input file (when attaching to an existing process, for example),
then the temporary database is created in the standard temporary directory.
For Windows, this directory is usually "Local Setting\Temp" in the user
profile directory.

See also

  @0:1463[How to launch remote debugging]¾WRAP
Create HTML File ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ProduceHtml
 Current hotkey: @<ProduceHtml>

Please enter a file name for the HTML file. IDA will write
the disassembled text to this file.

If you've selected a range on the screen using @0:420[Drop Anchor]
command, IDA will write only the selected range (from the
current address to the anchor).

If some I/O problem (e.g. disk full) occurs during writing
to the file, IDA will stop and a partial file will be created.

Please note that @0:421[demo] version cannot produce HTML
files. This command is available only in the graphical version of IDA.

See also other @0:438[Produce output file] commands.Bad alignment valueinternal: continue to match Macro was not previously pushed1WRAP
Toggle leading zeroes ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ToggleLeadingZeroes
 Current hotkey: @<ToggleLeadingZeroes>

This command displays or hides the leading zeroes of the current operand.
Example: if the instruction looked like this:

        and     ecx, 40h

then after applying the command it will look like this:

        and     ecx, 00000040h

If you prefer to see leading zeroes in all cases, then open the
@0:596[calculator]
and enter the following expression:

        set_inf_attr(INF_GENFLAGS, get_inf_attr(INF_GENFLAGS) | INFFL_LZERO);

This will toggle the default for the current database and all numbers
without leading zeroes will become numbers with leading zeroes, and vice versa.

See also @0:1382[Edit|Operand types|Number] submenu.~T~oggle leading zeroesgWRAP
Load TDS debug information file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: LoadTdsFile
 Current hotkey: @<LoadTdsFile>

This command loads a TDS file.

If the program being disassembled has a companion TDS file, this command may be used to load information from the TDS file into the
database.

The TDS file must be placed in the same directory together with the input file.

The LoadTdsFile command launches a special plugin TDS.DLL which can be run manually
using Edit->Plugins submenu.

See also @0:430[Load... submenu] commands.~T~DS file...Not enough memoryBad file handleîWRAP
Locals view (source level) ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This window displays the values of the variables that are local to the current
functions (register and stack based).
  <Loadi~n~g options:C>4>
,WRAP
WinDbg Debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The WinDbg debugger plugin uses Microsoft's Debugging Engine COM interfaces from the Debugging Tools package.

To use the WinDbg debugger plugin, the following steps must be carried out:

  - Please download the latest debugging tools from
  http://www.microsoft.com/whdc/devtools/debugging/default.mspx

  - Configure the debugger specific options in
        Debugger Options, Set specific options.

  Windbg debugger plugin has the following configuration options:

  - The Debugging Tools folder: This should be configured to point to the same
  folder where Microsoft Debugging Tools are installed. The plugin will try to
  guess where the tools are, but if it fails, a manual intervention will be required.
  If this option is not set, then the plugin will try to use dbgeng.dll from
  MS Windows system folder, while normal debug operations will work, extensions will not.

  - Kernel mode debugging: Check this option when debugging the kernel.

  - User-mode debugging: Check this option to debug MS Windows applications.

  - Non-Invasive debugging: Check this option to enable attaching to user-mode
  processes non-invasively

  - Kernel mode debugging with reconnect and initial break: Select this option
  when debugging a kernel and when the connection string contains 'reconnect'. This option
  will assure that the debugger breaks as soon as possible after a reconnect.

  - Output flags: These flags tell the debugging engine which kind of output
  messages to display and which to omit


The WinDbg debugger plugins has the following features:

  - Send commands to the debugger engine when the debugging session starts.
  Use the "." key to switch to the command line and start typing commands.
  Please note that while it is possible to send any command to the engine, only the
  commands that change the execution status should not be used:
  go ("g"), step ("t"), step into ("p"), etc...

  - Symbol information: If the symbol path is configured properly, then the
  debugger engine will fetch debug symbols from the appropriate location (symbol server, cache, etc...)
  For example, setting the following environment variable before starting IDA:
  _NT_SYMBOL_PATH=srv*c:\pdb_cache*http://msdl.microsoft.com/download/symbols
  will allow the debug engine/windbg debugger plugin to automatically try to
  fetch and use the symbol information.

  - Multi-processor support: Debugger Engine will create a virtual thread for
  each processor that it finds. Similarly, IDA will present these processors as threads.

  - Remote debugging support: It is possible to use the process server "dbgsrv.exe"
  to enable remote debugging. For example:

    1. Run "dbgsrv -t tcp:port=PORT_NUM,server=HOST_NAME"

    2. Verify that the server is correctly running by listing all process
    servers on the given HOST_NAME:

      cdb -QR \\HOST_NAME

    3. Finally, run IDA and specify the following connection string:
      tcp:port=PORT_NUM,server=HOST_NAME

  - Use WinDbg extensions: it is possible to use the extension commands that
  usually work with WinDbg. Make sure that the "Debugging Tools folder" setting
  is properly set so that this feature works.

  - Kernel Debugging: It is possible to debug the kernel the same way as it is
  done with WinDbg. Simply setup the target kernel and configure the WinDbg
  plugin by checking the "kernel mode debugging" option and by typing a correct
  connection string. If the user detaches from a kernel session (using Debugger/Detach Process),
  the debugged kernel will resume. However, if the user selects Debugger/Terminate Process,
  the kernel will be suspended (it will wait until another client attaches to it).

  - Dump files support: It is possible to load into IDA dump files generated either
  manually (using the ".dump" command) or crash dumps generated from a crashed process or kernel.
  Please refer check the @0:1529[windmp file loader] reference.

  After the dump has been loaded, it is possible to run the debugger and investigate about
  the crash by typing Windbg commands into the command line window.
  For example, one could check the call-stack or use any other Windbg extension.

  - External breakpoints: it is possible to use the command line to create breakpoints
  that are not supported by IDA but supported by the debugging engine: in that
  case, all unknown (external) breakpoints will suspend IDA when they trigger.


The WinDbg debugger can be used to debug local programs as well as remote programs.
This is controlled via the connection string in the "Process Option" dialog.
If it is left blank,it means that a local debugging is in effect. Otherwise, a debug engine compatible connection
string is expected.
IDA will display an error message if the connection string could not be accepted:
in that case, try using the same connection string with "cdb", or "windbg" and see
if it works.

The WinDbg debugger module adds a new menu item: Debugger, WinDbg command.
It can be used to send arbitrary commands to the debugger engine. The command output is
displayed in the message window.
ÞWRAP
Debugging with QEMU ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Run QEMU with -s switch to enable its GDB stub. The default port number is 1234. If desired,
the -p command line switch can be used to change it. The -S command line switch causes
the execution to be suspended at startup.
For example:

 qemu.exe -s -S -L . -m 128 -hda linux.img -soundhw all -localtime -M pc

For better debugging, make sure to set the following options in
@0:1522[GDB Debugger options]:

 Software breakpoints at EIP+1: disabled
 Use CS:IP in real mode: enabled (when debugging 16-bit (real-mode) code)

In other aspects debugging with QEMU is the same as debugging for other targets.

Back to @0:1335[Remote GDB Debugger]
ÈWRAP
Remote GDB Debugger options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Max packet size

        Maximum packet size supported by the GDB stub (in bytes).
        Some stubs can crash on big packets, e.g. memory reads. IDA
        will try to split such requests in smaller chunks so that
        replies should fit in this size. You can enter -1 to
        autodetect (in this case IDA will use the size of the
        "g" packet reply as the max packet size).

Timeout

        Default timeout in milliseconds for remote GDB stub responses.
        Some targets can be slow to respond, so increase this value
        when having problems, e.g. with disappearing memory bytes.

Run a program before starting debugging

        Check to enable @0:1587[external program options].

Processor

        This option is only visible when @0:1502[starting debugger without a database].
        Use it to specify on which CPU the target is running. For some processors you can also
        specify the endianness.

Software breakpoints at EIP+1

        Most GDB stubs for x86 report software breakpoint hits with EIP one byte after
        the breakpoint address. However, some emulators report the actual breakpoint
        address. This option allows IDA to recognize such situations.
        Recommendations: uncheck for QEMU, check for others.

Use CS:IP in real mode

        When debugging real-mode (16-bit) code, the stub can send either
        just 16 bits of IP register or the full EIP (CS<<4 + IP).
        Enable this option in the former case.
        Recommendations: check for QEMU, uncheck for others.

See also

  @0:1502[Instant debugger]
  @0:1335[Remote GDB Debugger]
EWRAP
Command line ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

At the bottom of the main IDA window, just above the status bar there is a input
field. It can be used to enter various commands. By default, it accepts IDC commands,
but plugins may register themselves as command language providers for it.

Currently, the following command line providers exist:

  - IDC
  - python plugin
  - bochs debugger
  - windbg debugger
  - GDB debugger

When these plugins are active, they will process the entered commands.
The current command language can be changed by clicking on the button to the left
of the input field. The current language can be set as default by choosing "Default CLI"
from the context menu of the command line.

The command line input field can be activated by pressing '.'. Esc switches back to the previous window.
.Some items overlap the specified address rang‚WRAP
Windmp file loader ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The Windmp loader module can load *.dmp files into IDA for static analysis.

For the Windmp loader to function properly, one need to specify the path to
MS Debugger Engine Library (dbgeng.dll). This option can be set in CFG\IDA.CFG
under the DBGTOOLS key.
If this value is not set then Windmp will try to detect the path.

Windmp can be used to load big dump files, however that will result in a huge database,
therefore is possible to manually load a given input file:

  - Load modules segments only: If used, Windmp will only load segments related to
  the loaded modules and skips all other memory segments

  - Do not load symbol names: If symbol path is configured properly, then Windmp will
  fetch and rename all known addresses; you can skip this step by not loading symbol names.

  - Skip segments greater than: It skips segments with a given size, resulting in faster loading speed.
  If this value is zero then this option will not be used.

In addition to static analysis it is possible to run the dump file under the
@0:1520[windbg debugger module].
5The current processor does not support 'short float',Cannot convert idc object to idc basic typeVariable is not an idc object+Cannot post inc/dec a calculated attributeNo such class id: %dNo such class: '%s'0Circular dependecy on classes has been detectedNo such attribute: %s'The 'this' argument cannot be modified+An construtor method cannot return a valueAttempt to call a non-function!No type information is available3Cannot call application without an active debugger(Function type is not available or wrong/Wrong number of arguments for application call=Calling application is not supported by the current debugger&Appcall: failed to hide existing bpts!Appcall: could not map arguments Could not dereference a pointerBad type informationIllegal variable reference Cannot create reference to '%s'Superfluous & for a function!A variable reference is required$[] operator cannot be used for '%s'"Cannot use [] operator on scalars'Appcall: functions cannot be convertedWrong destructor name,Destructors may not have explicit argumentsNo such base classÛWRAP
External programs and GDB Debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The "Run a program before debugging" option in @0:1522[Remote GDB Debugger options]
allows to automatically run a program (such as a debugging server) when starting a debugging
session. If you enable it, the following options become available:

Command line

        Command line of the program to run. The following special symbols can be used:

        %i: input file name from the @0:1398[Process options] dialog
        %p: port number from the @0:1398[Process options] dialog
        %e: file name of a temporary ELF file created from the database contents

Initial SP

        IDA will set the SP (or a similar register) after connecting to the server

Choose a configuration

        Load one of the pre-defined configurations (command line, memory map and SP value)
        described in the gdb_arch.cfg file.

Memory map

        Edit the memory map for the external server. It will be used during debugging.


One use of these options is to @0:1588[debug small code snippets] using the QEMU emulator.

See also

  @0:1522[Remote GDB Debugger options]
  @0:1395[Debugger] submenu.
ÛWRAP
Debugging code snippets with QEMU ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Using the @0:1587["Run external program"] option it is easy to debug small
ARM, MIPS or PowePC code snippets directly from inside IDA.

1) Download and install QEMU. Win32 builds can be downloaded from http://homepage3.nifty.com/takeda-toshiya/qemu/.

2) Edit cfg\gdb_arch.cfg file and change the "set QEMUPATH" line to point to the install directory of QEMU.

3) In @0:1522[Remote GDB Debugger options] (Debugger|Debugger options, Set specific options), enable "Run a program before debugging".

4) Click "Choose a configuration" and choose a predefined configuration. Choose "for snippets", if mentioned.

5) If necessary, edit the command line or memory map.

6) Click OK, OK to confirm and close the options dialog.

7) In Debugger|Process options make sure that Hostname is set to "localhost" and port is non-zero.

8) Select the code range to emulate or at least the first instruction. Alternatively, you can rename the starting address "ENTRY" and end address as "EXIT".

9) Choose Debugger|Run or press F9.

IDA will write the database into an ELF file (if %e was specified), start QEMU with the specified command line and connect to its GDB stub.
It will set the SP and PC values so that the code can be stepped through.

NOTE

While it can be very useful, QEMU emulation has certain limitations:

1) the memory map is usually fixed at compile time. So if your program addresses
intersect some of the system regions as specified by the memory map,
IDA will refuse to start debugging. In that case, you can either rebase the
program so that it fits into RAM regions or check other QEMU board configurations
for a compatible memory layout.

2) the emulation starts at the system (kernel) level when there is no OS loaded.
That means that system calls and imported functions will not work.

3) the hardware access will only work to the extent emulated by QEMU. If the
code you are emulating does not match the chosen board configuration of QEMU,
the code accessing the hardware most likely will not work properly, if at all.

See also
  @0:1587[External programs and GDB Debugger]
  @0:1335[Remote GDB Debugger]
úWRAP
Jump to next function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpNextFunc
 Current hotkey: @<JumpNextFunc>

This command searches the start of the next function and
jumps to the found address.

WRAP
Jump to previous function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpPrevFunc
 Current hotkey: @<JumpPrevFunc>

This command searches the start of the previous function and
jumps to the found address.
\WRAP
Jump to cross reference from current location ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: JumpXrefFrom
 Current hotkey: @<JumpXrefFrom>

This command shows you a list of cross-references from the current location: you can jump to the selected one by pressing Enter.

Click @0:1305[here] to see the description of the cross reference dialog box.

See also

         @0:543[Jump] submenu
         @0:564[Jump to Cross References]
         @0:565[Jump to Cross References to Operand]~C~ross reference from...Recent scr~i~pts...WRAP
Set operand type ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SetOpType
 Current hotkey: @<SetOpType>

This command allows you to specify the type of the operand under the cursor.

The operand type must be entered as a C declaration. Currently IDA itself does
not use the operand type information. However, it can be used by the Hex-Rays decompiler plugin.
Setting operand type is most useful in case of indirect calls: the decompiler will use the type information
to determine the input parameters to the call instead of guessing, which can make the decompiled code better.

An example of a type declaration:

        int (*func)(int param1, char param2);

To delete a type declaration, enter an empty string.

For details on possible calling conventions, see @0:1361[Set function/item type...] menu item description.

See also

         @0:1361[Set function/item type...]Set operand ~t~ype....Destructor name does not match the class name1Pointer to structure required on left side of ->'%s' is not member of '%s')idc_func_table.get_unkvar is not defined)idc_func_table.set_unkvar is not defined*idc_func_table.calc_sizeof is not defined²
WRAP
Apply patches to input file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ApplyPatches
 Current hotkey: @<ApplyPatches>

Apply previously @0:526[patched] bytes back to the input file.
If the "Restore" option is selected then the original bytes will be applied to the input file.

See also

         @0:526[Edit|Patch core] submenu.
         @0:443[Produce DIF file]
!A~p~ply patches to input file...Check for free updates...®
WRAP
Take database snapshot ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: SaveBaseSnap
 Current hotkey: @<SaveBaseSnap>

This command takes a database snapshot. The snapshot can be later restored from
the database snapshot manager.

Note: snapshots work only with regular databases. Unpacked databases do not support them.

See also @0:1622[View database snapshot manager] commands.Ð
WRAP
Database snapshot manager ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowSnapMan
 Current hotkey: @<ShowSnapMan>

This command shows the database snapshot manager. In this dialog, it is possible to
restore previously saved snapshots, rename or delete them.

Note: snapshots work only with regular databases. Unpacked databases do not support them.

See also @0:1621[Take database snapshot] commands.Take database snapsho~t~Database snapshot ~m~anager
WRAP
Proximity view ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀


Starting from IDA v6.2, the callgraph of a program can be displayed in a
graph form.

In the proximity view, the current address, the callers and the callees
are represented as a collection of nodes linked together with edges. Nodes
represent functions and data references (global variables, strings, etc..)
and edges represent code or data cross-references between them.

To open the proximity view press the '-' key to zoom out and switch to the
callgraph of the address under cursor.

Only the address names (function names or data labels) are displayed in the proximity view, but not the
disassembly, nonetheless, hovering the mouse over a node will display brief disassembly listing in a
resizable hint window. To see the complete disassembly listing switch to text or graph mode by pressing
'+' or Space respectively.

When disassembling new files, IDA will display a dialog offering to switch to proximity view
when applicable. It is possible to turn off this dialog and not show it again.

In the proximity view there are 3 types of nodes: Function nodes, data nodes
and auxiliar nodes. Function nodes are rectangular and they have a toolbar.
Those nodes are used to display the callers or callees of the current
central node (or any of his parents or children). Data nodes
are rectangular nodes (without a toolbar) and they are used to display the
data references (global variables, strings, etc...) to/from the current
central node or any of his parents and children.

Please select one of the following topic to learn more about graphs:

 - @0:241[Selections in graphs]
 - @0:281[Zooming graphs]
 - @0:1117[Scrolling graphs]
 - @0:1130[Graph overview window]
 - @0:1142[Graph colors]
 - @0:19[Graph options]
’WRAP
FLIRT match indecision: reference to function expected ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Description:
        IDA matched code bytes against at least one
        signature entry, but failed finding expected
        cross-references at certain offsets in the code.

        Consider the following .pat file contents:

                5589E583EC18A1........890424E8........C9C3...................... 00 0000 0015 :0000 _test ^000F _my_fun0
                5589E583EC18A1........890424E8........C9C3...................... 00 0000 0015 :0000 _smuk ^000F _my_fun1

        Now, turn that .pat file into a signature (.sig) file, telling
        sigmake to include function references into signature
        (using the -r switch).
        Then, apply that .sig file to a binary that you are
        examining.
        If IDA recognizes the 0x15-bytes long pattern in the binary, it
        will check that, at offset 0xF from the start of the match,
        a call to either "_my_fun0" or "_my_fun1" is performed.

        If either one of the two is found, then that code will
        be named "test", or "smuk", respectively.
        Otherwise, a SIGFNREF problem will be signalled.

 What to do:
        Examine the code pointed to by the address at the given
        offset (i.e., 0xF) and try and determine whether
        that function could be "_my_fun0", or "_my_fun1".
        If so, name it accordingly and re-apply the signature.

        An alternative is to generate the signature (.sig)
        file without the cross-references to functions
        (i.e., dropping the '-r' switch).
        But beware of collisions: a pattern like the
        one above will inevitably create a collision, since the
        pattern bytes are similar for the two entries.
5WRAP
Basic block tracing ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ToggleTraceBasicBlocks
 Current hotkey: @<ToggleTraceBasicBlocks>

This command starts basic block tracing.
You can then use all debugger commands as usual: the debugger will save all
addresses where a temporary basic block breakpoint was reached.

Internally, the debugger runs the current thread normally, setting temporary
breakpoints in the last instruction of every basic block of every function
referenced from the current function and also at any call instruction in
the middle of the traced basic blocks.

Basic block tracing is slower than normal execution but faster than
instruction or function tracing.

 See also @0:1444[Tracing window]
          @0:1629[Trace management]
          @0:1445[Clear trace]
          @0:1446[Instruction tracing]
          @0:1447[Function tracing]
          @0:1448[Add write trace]
          @0:1449[Add read/write trace]
          @0:1450[Add execution trace]
          @0:1451[Tracing options]
          @0:1443[Tracing] submenu.WRAP
Trace management ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Recorded traces can be managed from the @0:1444[Tracing window].
Traces are saved in a directory specified in the
@0:1451[tracing options] dialog.

Saved binary trace files can be loaded, saved and replayed with the new replayer debugger module,
diffed against other traces (to spot differences between executions) or displayed in a proximity
view (displaying the execution call graph).

  @0:1444[Tracing window]
  @0:1445[Clear trace]
  @0:1446[Instruction tracing]
  @0:1447[Function tracing]
  @0:1628[Basic block tracing]
  @0:1448[Add write trace]
  @0:1449[Add read/write trace]
  @0:1450[Add execution trace]
  @0:1412[Stack trace]
  @0:1451[Tracing Options]

See also @0:1395[Debugger] submenu.íWRAP
Select trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

Load a binary trace file in the 'Tracing' window.

This command displays all the saved trace files that correspond
to the MD5 of the current IDB and allows the user to load one of them. The
traces can be replayed with the @0:1639[replayer debugger], inspected manually in the
disassembly view or displayed as a callgraph in a proximity view.

 See also @0:1445[Clear Trace]
    @0:1631[Other options]
          @0:1632[Edit trace description]
          @0:1634[Diff to binary trace]
          @0:1633[Remove binary trace]
          @0:1635[Import binary trace]
          @0:1636[Export binary trace]
          @0:1637[Export trace to text file]
          @0:1638[Show trace callgraph]6WRAP
Other options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Show a dialog with additional options for managing trace files

This command displays a window with all the available commands to manage trace files.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1632[Edit trace description]
          @0:1634[Diff to binary trace]
          @0:1633[Remove binary trace]
          @0:1635[Import binary trace]
          @0:1636[Export binary trace]
          @0:1637[Export trace to text file]
          @0:1638[Show trace callgraph]TWRAP
Edit trace description ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Show the description of a binary trace file

This command displays a window with the description of a selected binary trace file and
allows to edit it.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1631[Other options]
          @0:1634[Diff to binary trace]
          @0:1633[Remove binary trace]
          @0:1635[Import binary trace]
          @0:1636[Export binary trace]
          @0:1637[Export trace to text file]
          @0:1638[Show trace callgraph]
,WRAP
Remove binary trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Delete a binary trace file from disk

This command displays a window to select a recorded trace file to delete from disk.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1631[Other options]
          @0:1632[Edit trace description]
          @0:1634[Diff to binary trace]
          @0:1635[Import binary trace]
          @0:1636[Export binary trace]
          @0:1637[Export trace to text file]
          @0:1638[Show trace callgraph]©WRAP
Diff to binary trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Diff the currently loaded trace against a recorded trace

This command displays a window to select a trace file to diff against the currently
loaded trace, displayed in the 'Tracing' window.

If highlight options are enabled in @0:1451[Tracing Options], instructions
from the currently loaded trace will be displayed with the background "main color"
and instructions from the diff trace file will be displayed with the "diff color". Common
instructions will be highlighted with an average of the two.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1631[Other options]
          @0:1634[Diff to binary trace]
          @0:1633[Remove binary trace]
          @0:1635[Import binary trace]
          @0:1636[Export binary trace]
          @0:1637[Export trace to text file]
          @0:1638[Show trace callgraph]
ÃWRAP
Import binary trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Import a binary trace file from a different IDB

This command allows to import binary trace files recorded for an IDB with
a different MD5. For example, it can be used to load recorded traces from a malware
sample which is practically the same, but differs in a few bytes.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1631[Other options]
          @0:1632[Edit trace description]
          @0:1634[Diff to binary trace]
          @0:1633[Remove binary trace]
          @0:1636[Export binary trace]
          @0:1637[Export trace to text file]
          @0:1638[Show trace callgraph]¸WRAP
Export binary trace ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Export to a binary trace file all events displayed in the 'Tracing' window

This command exports to a binary trace file the current trace being displayed in the
@0:1444[Tracing window]. The trace can be loaded later, removed or diffed
against other trace files.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1631[Other options]
          @0:1632[Edit trace description]
          @0:1634[Diff to binary trace]
          @0:1635[Import binary trace]
          @0:1633[Remove binary trace]
          @0:1637[Export trace to text file]
          @0:1638[Show trace callgraph]tWRAP
Export trace to text file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Export to a text file all events displayed in the 'Tracing' window

This command exports the current trace being displayed in the @0:1444[Tracing window]
to a text file.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1631[Other options]
          @0:1632[Edit trace description]
          @0:1634[Diff to binary trace]
          @0:1635[Import binary trace]
          @0:1636[Export binary trace]
          @0:1633[Remove binary trace]
          @0:1637[Export trace to text file]
EWRAP
Show trace callgraph ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Show the callgraph of the loaded trace in a proximity view

This command displays the callgraph of the currently loaded trace in a proximity view.

 See also @0:1445[Clear Trace]
          @0:1630[Select Trace]
          @0:1631[Other options]
          @0:1632[Edit trace description]
          @0:1634[Diff to binary trace]
          @0:1635[Import binary trace]
          @0:1636[Export binary trace]
          @0:1633[Remove binary trace]
          @0:1638[Show trace callgraph]

[WRAP
Replayer debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The replayer debugger is a pseudo-debugger used to replay recorded traces.

The replayer debugger supports replaying traces recorded with any of the currently
supported debuggers, ranging from local Linux or win32 debuggers to remote GDB targets.
Currently supported targets include x86, x86_64, ARM, MIPS and PPC.

To use the replayer debugger you will need first to record a trace by enabling
@0:1446[instruction tracing], @0:1447[function tracing]
or @0:1628[basic block tracing] with another debugger. Then, after
@0:1630[loading] a recorded trace in the @0:1444[Tracing window],
select the replay debugger from the debugger's dropdown list and start the debugger normally
as you would do with any other debugger.

One of the advantages of the replay debugger module over re-executing the debuggee is
that in the replayer debugger it is possible to step not only forward, but
also backwards, making it easier to analyze what happened during the execution
of the recorded trace.

There are two types of traces that can be replayed: instruction level traces or partial traces.
Instruction level traces are recorded by enabling @0:1446[instruction tracing] and
partial traces are recorded using either @0:1447[function tracing] or
@0:1628[basic block] tracing. When a trace is recorded with instruction tracing enabled all
register values are saved. With basic block or function level tracing only the instruction pointer
is saved. Additionally, in basic block tracing the register values are also saved when the last instruction
of a basic block is reached or a call in the middle of a basic block is about to be executed.

The replayer debugger module adds a new menu item: Debugger, Step Back command.
It can be used to step back to the previous instruction when replaying a recorded trace.
	Bad type0Can dereference only VT_LONG or VT_PVOID values*Specified type and value are incompatibleToo wide enum, cannot handle1The specified max length count has been exceededƒWRAP
Page breakpoints ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Page breakpoints are memory access breakpoints that can be set to detect
when the application reads, writes, or executes code/data in a specific
memory range. Page breakpoints are very similar to hardware breakpoints
but there is no limitation on the number of page breakpoints that can be
set or their size, in contrast with normal hardware breakpoints.

Memory access breakpoints are implemented by removing page permissions according
to the specified type of the page breakpoint to be added (for example, for a
write page breakpoint, the write permission will be removed from the page).
When the access violation exception occurs because the application
tries to access the specific memory region, IDA reports a breakpoint hit.

As page breakpoints can be set for a small part of a memory page but the
permissions of the whole page must be changed, page breakpoints can slow
down the debugger because many access violation exceptions may be generated.
If the application accesses memory outside of the desired range but on the
same page, the generated exception must be silently handled and the
application resumed. Specifically, page breakpoints in the code segment can slow
down the debugger very much.

Memory access breakpoints are supported since IDA version 6.3 for the following
debuggers:

Win32

  Page breakpoints are supported for both local and remote debugging
  of 32 and 64bit applications.

WinDbg

  Page breakpoints are supported only for local debugging of 32-bit applications.

Bochs

  Page breakpoints are supported for both of 32 and 64bit applications.
  Page breakpoints in the bochs debugger are just like normal hardware
  breakpoints but with no limit on the number of breakpoints or their size.
  Please note that hardware breakpoints in the bochs debugger occur AFTER the
  instruction is executed while regular page breakpoints occur BEFORE the
  instruction is actually executed.

 See also @0:1404[Breakpoints list]
          @0:1405[Add breakpoint]
          @0:1406[Delete breakpoint]
          @0:1407[Edit breakpoint]
          @0:1404[Breakpoints] submenu.
ÁWRAP
PIN debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

The PIN debugger is a remote debugger plugin used to record execution traces. It
allows to record traces on Linux and Windows (x86 and x86_64) from any of the
supported IDA platforms (Windows, Linux and MacOSX). Support for MacOSX targets
is not yet available. Please see the section @0:1653[PIN support for MacOSX]
for more details on this subject.

To use the PIN debugger plugin the following steps must be carried out:

  - Download the appropriate version of PIN from http://www.pintool.org

  - @0:1655[Build the PIN tool]

  - Configure the debugger specific options in
    Debugger Options, Set specific options.

  PIN debugger plugin has the following configuration options:

  - PIN Binary Path: Full path to the pin binary.
  - PIN Tool Path: Directory where the idadbg.so or .dll PIN tool resides.
  - Tracing options:
    - Instruction tracing: trace individual instructions
    - Basic block tracing: trace basic blocks
    - Function tracing: trace functions
    - Recording of register values: record register values or not. If
      this option is disabled, only EIP/RIP will be recorded.
  - PIN Tool options:
    - Autolaunch pin for "localhost": When this option is set and
    the host name specified in Debugger, Process Options is "localhost", the PIN
    tool will be executed by IDA. Otherwise IDA expects the PIN tool to be
    already running and listening. Please refer to
    @0:1654[Connecting a remote PIN tool instance from IDA] for more details.
    - Debug mode: This flag allows one to see what's happening in the PIN tool
    side. It prints out some debugging information.
    - Extra-arguments: Additional command line arguments to be used when
    constructing the command line to launch PIN locally. The extra arguments can
    be added before the PIN tool specification (before '-t /path/to/pin/tool) or
    after the PIN tool (after '-t /path/to/pin/tool' but before '-- application').
    Please consult the section "Command Line Switches" of the Intel PIN manual
    for more details.

Optionally you can launch PIN yourself and connect to it from IDA. See
@0:1654[Connecting a remote PIN tool instance from IDA] for more
details.
¤
WRAP
PIN support for MacOSX ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Recording traces on MacOSX target is not supported yet. Versions equal or prior to
2.12-55942 does not have support for the API PIN_SpawnInternalThread, which is
needed by IDA to communicate with the PIN tool.

However, it's possible to record traces from a Linux or Windows target using the
MacOSX version of IDA.
üWRAP
Connecting a remote PIN tool instance from IDA ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

For local debugging the PIN tool can be automatically launched by IDA.
For remote debugging it must be launched manually, as in the following example:

  $ /path/to/pin -t /path/to/idadbg/lib -p PORT -- APPLICATION [ARGUMENTS]

Where PORT is the port that the PIN tool will listen for incoming connections
from IDA. APPLICATION is the target application to be traced and the optional
parameter ARGUMENTS are the arguments to be passed to the target application.
Please note that on Win64 it may be required to specify the path to
specific x64 binary instead to the pin.bat batch file.

To attach to an already running process instead of starting a new one a command
like the following one must be executed:

  $ /path/to/pin -pid PID -t /full/path/to/idadbg/lib/with.extension -p PORT

Where PID is the pid of the running process to attach and PORT the port that the
PIN tool will listen for incoming connections.

The hostname and port where the PIN tool is listening for incoming connections
should be specified in IDA. See the Debugger, Process options dialog.

After successfully launching the PIN tool the IDA debugger can be launched
by pressing F9 or selecting Debugger, Start Process.

PIN accepts the following optional environment variables and command
line arguments:

  - Environment variables:
    IDAPIN_DEBUG: Set this environment variable to 1 or higher to print
    debugging information.

  - Command line arguments:
    -p number: Port where the PIN tool will listen for incoming connections from IDA
    -idadbg [0|1|2]: Same as the IDAPIN_DEBUG environment variable
š
WRAP
Building the PIN tool ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Before using the PIN tracer the PIN tool module (distributed only in source code
form) must be built as the Intel PIN license disallows redistributing PIN tools
in binary form.

Please refer to

https://www.hex-rays.com/products/ida/support/tutorials/pin/pin_tutorial.pdf

to learn how to build our PIN tool.

~T~racingTrace ~w~indow~C~lear trace~I~nstruction tracing~B~asic block tracing~F~unction tracingAdd write trac~e~Add ~r~ead/write traceAdd e~x~ecution traceTracing ~o~ptions...Expected identifier-Function return types cannot have attributesIllegal type qualifier?WRAP
Dalvik debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The Dalvik debugger is a plugin to debug Android applications written for the Dalvik Virtual Machine. It includes the source level debugging too.

Dalvik debugger specific options:

    ADB executable

        IDA needs to know where the 'adb' utility resides, and tries various
        methods to locate it automatically. Usually IDA finds the path to adb,
        but if it fails then we can define the ANDROID_SDK_HOME or the
        ANDROID_HOME environment variable to point to the directory where the
        Android SDK is installed to. Or set the path to 'adb' here.

    Emulator/device serial number

        If multiple emulator/device instances are running, you must specify
        the target instance to connect to.

    Package name

        Set the package name for the application as specified in
        AndroidManifest.xml. It is a mandatory option to start an application.
        If you plan to use "Attach to process" debugger action then you may
        leave this field empty.


    Activity

        If your want to start an application using the "Start process"
        debugger action then you have to set this option too. Copy it from
        AndroidManifest.xml. If you plan to use the "Attach to process"
        debugger action then you may leave this field empty.

    Command line arguments

        Every object inside Dalvik VM has an ID. It is the 64-bit number.
        If you want to see it in "Locals"/"Watches" windows then set this
        checkbox.

Source-level debugging

    In order to use source-level debugging you have to set paths to the
    application source code files. Do it using "Options/Sources path"
    menu item.

    Our dalvik debugger presumes that the application sources reside
    in the current (".") directory.  If this is not the case, you can
    map current directory (".") to the directory where the source files
    are located.

List of special things about our Dalvik debugger:

  - In Dalvik there is no stack and there is no SP register.
    The only available register is IP.
  - The method frame registers and slots (v0, v1, ...) are represented as
    local variables in IDA.
    We can see them in the Debugger/Debugger Windows/Locals window
  - The stack trace is available from "Debugger/Windows/Stack trace"
  - When the application is running, it may execute some system code.
    If we break the execution by clicking on the "Cancel" button,
    quite often we may find ourselves outside of the application,
    in the system code. The value of the IP register is 0xFFFFFFFF in this
    case, and stack trace shows only system calls and a lot of 0xFFFFFFFFs.
    It means that IDA could not locate the current execution position inside
    the application. We recommend to set more breakpoints inside the
    application, resume the execution and interact with application by
    clicking on its windows, selecting menu items, etc.
    The same thing can occur when we step out the application or
    step into the system code. In the last case we can use "Run until
    return" debugger command to return to the application code.

Locals window

    IDA considers the method frame registers, slots, and
    variables (v0, v1, ...) as local variables.
    To see their values we have to open the "Locals" window
    from the "Debugger/Debugger windows/Locals" menu item.

    If the information about the frame is available (the symbol table is
    intact) then IDA shows the method arguments, the method local variables
    with names and other non-named variables.
    Otherwise some variable values will not be displayed because IDA
    does not know their types. Variables without type information are
    marked with "Bad type" in the "Locals" window.
    To see the variable value in this case please use the "Watches" window.

Watches window

    To open the "Watches" window please select the "Debugger/Windows/Watches"
    menu item. In this window we can add any variable to watch its value.

    Please note that we have to specify type of variable if it is not known.
    Use C-style casts:
        (Object*)v0
        (String)v6
        (char*)v17
        (int)v7

    We do not need to specify the real type of an object variable,
    the "(Object*)" cast is enough.  IDA can derive the real object type
    itself.

    ATTENTION! An incorrect type may cause the Dalvik VM to crash.

    There is not much we can do about it. Our recommendation is to never
    cast an integer variable to an object type, the Dalvik VM usually
    crashes if we do that. But the integer cast "(int)" is safe in practice.

    Keeping the above in the mind, do not leave the cast entries
    in the "Watches" window for a long time. Delete them before any
    executing instruction that may change the type of the watched variable

See also @0:1395[Debugger] submenu.Missing return typeƒWRAP
Export data ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀


  "Export data" dialog can export binary data into different formats.E~x~port data...çWRAP
Generate a FLIRT signature file ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: makesig:create_signature
 Current hotkey: Ctrl-Shift-F12

This command generate a FLIRT signature file.
A function is eligible when then name don't start with "sub_".

 File: Pathname for the signature file
 Library name: identifier, shown in the description of @0:588[Signature]

 Collect functions
  - All: Generate signature for all functions in the idb that are eligible
  - Selected: Generate a signature only for the selection in @0:639[Functions]

 Collisions
  - Ignore: don't add collision FLIRT signature
            will delete the Exclusion file if it exists
  - Deal with manually: if there is collisions, a window will open to manage
                        the collisions

Two or three files are generated:

 - Signature file: The output file
 - Pattern file:   Filename is Signature filename with extension replaced
                   with "pat"
 - Exclusion File: Filename with extension replaced by "exc"
                   Only present if you want to deal with collision and there
                   is any.

The last two files can be deleted once the signature file is generated.
ˆWRAP
DWARF plugin▄
 ▀▀▀▀▀▀▀▀▀▀▀▀


The DWARF plugin will search for DWARF-encoded debug information either in the input file, or a "companion" file (using a strategy similar to that of GDB), when some is found, will extract the following:

  - type information
  - function names, prototypes, local variables
  - global variables names & types

In addition, the DWARF plugin provides source-level debugging.

Dialog box▄

  Global name               : create global names based on DWARF informations
  Functions                 : Create functions based on DWARF informations
  Use function bounds       : Uses DWARF to determine functions boundaries
  Types (uncheck for speed) : Create types, needed for Apply calling
                              convention or Function prototype are definitive
  Apply calling convention  : DWARF will try and guess the calling convention
                              instead of using platform default calling
                              convention. Needed for Allow __usercall
  Allow __usercall          : If DWARF detects __usercall, allow to use it. If
                              not allowed, the default calling convention for
                              the platform will be used
  Function prototypes are definitive: Decompiler will not try to change the
                                     prototype if set. Use this with caution
  Import file names/line numbers: Import all information

'cfg/dwarf.cfg' file presents in details all the options

List of '-Odwarf' options▄

 - off : disable the plugin for the current session
 - import_lnnums=1 : import file name and line number into idb]WRAP
Remote iOS Debugger ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The Remote iOS Debugger allows for debugging iOS applications directly from IDA.

IDA's iOS debugger acts as a client to Apple's debugserver. So, you must ensure that
the debugserver is already installed on your device for the debugger to work.

See: https://www.hex-rays.com/products/ida/support/tutorials/ios_debugger_tutorial.pdf

for a detailed tutorial on getting started with iOS.

See also @0:1335[Remote GDB Debugger]
         @0:1078[Debugger for macOS]
         @0:1463[How to launch remote debugging]
Dump view historyÓWRAP
Center current line in window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: CenterInWindow
 Current hotkey: @<CenterInWindow>Expected string literal7Function arguments cannot contain forward declarations
   <~M~emory mapping:B:4:::>
Ñ
WRAP
Copy field info to pointers▄
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: CopyFieldsToPointers
 Current hotkey: @<CopyFieldsToPointers>

This command scans the current struct variable and renames the locations
pointed by offset expressions unless they already have a non-dummy name.

It also copies the type info from the struct members to pointed locations.

See also @0:490[Edit|Structs] submenu.
"Please specify the reference type×PCRE2 LICENCE ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀
PCRE2 LICENCE
-------------

PCRE2 is a library of functions to support regular expressions whose syntax
and semantics are as close as possible to those of the Perl 5 language.

Release 10 of PCRE2 is distributed under the terms of the "BSD" licence, as
specified below. The documentation for PCRE2, supplied in the "doc"
directory, is distributed under the same terms as the software itself. The data
in the testdata directory is not copyrighted and is in the public domain.

The basic library functions are written in C and are freestanding. Also
included in the distribution is a just-in-time compiler that can be used to
optimize pattern matching. This is an optional feature that can be omitted when
the library is built.


THE BASIC LIBRARY FUNCTIONS
---------------------------

Written by:       Philip Hazel
Email local part: ph10
Email domain:     cam.ac.uk

University of Cambridge Computing Service,
Cambridge, England.

Copyright (c) 1997-2016 University of Cambridge
All rights reserved.


PCRE2 JUST-IN-TIME COMPILATION SUPPORT
--------------------------------------

Written by:       Zoltan Herczeg
Email local part: hzmester
Emain domain:     freemail.hu

Copyright(c) 2010-2016 Zoltan Herczeg
All rights reserved.


STACK-LESS JUST-IN-TIME COMPILER
--------------------------------

Written by:       Zoltan Herczeg
Email local part: hzmester
Emain domain:     freemail.hu

Copyright(c) 2009-2016 Zoltan Herczeg
All rights reserved.


THE "BSD" LICENCE
-----------------

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

    * Redistributions of source code must retain the above copyright notice,
      this list of conditions and the following disclaimer.

    * Redistributions in binary form must reproduce the above copyright
      notice, this list of conditions and the following disclaimer in the
      documentation and/or other materials provided with the distribution.

    * Neither the name of the University of Cambridge nor the names of any
      contributors may be used to endorse or promote products derived from this
      software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

EndÜWRAP
Objective-C Analysis Plugin ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The objc plugin performs Objective-C specific analysis on the database.

For an overview of what the plugin can do, see the menu options in Edit>Other>Objective-C,
or the config options in objc.cfg.


Type Information

The bulk of the plugin's work is done at file load time, when it will parse all
Objective-C type information embedded in the binary, and use this to create
tinfo_t structures for all known classes and construct prototypes for all known
methods.

This analysis can be invoked manually at any time with:

  Edit>Other>Objective-C>Reload Objective-C info

Or:

  idaapi.load_and_run_plugin("objc", 1)

You can also disable objc analysis at load time with command line option:

  -Oobjc:+l

Or check the "Lazy mode" option in:

  Edit>Other>Objective-C>Objective-C Options...


Decompilation

The plugin will also perform Objective-C analysis during decompilation.

When a function is decompiled, the plugin will analyze any calls to objc_msgSend,
and use the arguments to determine if objc_msgSend will ultimately invoke one of
the methods in the current database.

If such a situation is detected, the plugin will replace the call to objc_msgSend with
a call to the target method, and add an xref to the method. This is done in the hopes that
continued use of the decompiler will improve call graphs for Objective-C binaries.

If the target method has type information, then the return type can be used to refine
the types of local variables in the pseudocode, which in turn could lead to more method
calls being detected, and so on.

You can disable objc analysis in the pseudocode with command line option:

  -Oobjc:-h

Or uncheck the "Enable decompiler plugin for Objective-C" option in:

  Edit>Other>Objective-C>Objective-C Options...


Debugging

objc also provides tools for dynamic analysis.

During debugging, you can analyze objc info for a specific library
by right-clicking in the Modules window and selecting "Load debug info".

This operation can also be performed programmatically with:

  n = idaapi.netnode()
  n.create("$ objc")
  n.supset(1, "/module/path", 'R')
  idaapi.load_and_run_plugin("objc", 3)

If you prefer that objc does not perform analysis during "Load debug info",
(say if DWARF information is available for a module and you prefer that),
you can disable this functionality with command line option:

  -Oobjc:-s

Or by unchecking the "Enable SIP for Objective-C" option in:

  Edit>Other>Objective-C>Objective-C Options...


Step Into Message

The plugin also implements a "step into" debugger action for Objective-C.

If you use this action before a call to objc_msgSend, objc will try to calculate
the address of method that is being invoked, and break at the method address
rather than step into the objc_msgSend function itself.

You can perform this action with shortcut:

  Shift+O

Or via the menu option:

  Debugger>Run until message received

Or programmatically with:

  idaapi.load_and_run_plugin("objc", 2)

This action can be very useful, but you must be careful. When invoked, the action
will automatically run to the address of objc_msgSend, analyze its arguments,
then continue to the target method.

If there is no subsequent call to objc_msgSend in the program, you will lose control
of the process. It is best to use this action only when you are sure that IP is
in the vicinity of an objc_msgSend call.


NSConcreteStackBlock
--------------------

The objc plugin can also be used to analyze Apple binaries that make heavy
use of blocks: https://clang.llvm.org/docs/Block-ABI-Apple.html

The analysis involves identifying NSConcreteStackBlock instances on the stack,
and creating a specialized Block_layout structure to apply to the function's
stack frame.

The end result transforms the following sequence of statements:

  loc_BF60:                                 Block_layout_BF60 v1;
    v1 = _NSConcreteStackBlock;             v1.isa        = _NSConcreteStackBlock;
    v2 = 0x...;                             v1.flags      = 0x...;
    v3 = 0;                                 v1.reserved   = 0;
    v4 = __block_invoke;             =>     v1.invoke     = __block_invoke;
    v5 = &__block_descriptor_tmp;           v1.descriptor = &__block_descriptor_tmp;
    v6 = ...                                v1.lvar1      = ...
    v7 = ...                                v1.lvar2      = ...
    ...                                     ...
    func(&v1);                              func(&v1);

Already this cleans up the analysis quite a lot, but more importantly this new
Block_layout_BF60 structure will be applied to the prototype of __block_invoke,
which can heavily improve the pseudocode.

Block analysis can be performed on the database with:

  Edit>Other>Objective-C>Analyze stack-allocated blocks (entire database)

Or programmatically with:

  idaapi.load_and_run_plugin("objc", 5)

You can also perform block analysis on a specific function:

  Edit>Other>Objective-C>Analyze stack-allocated blocks (current function)

Or with shortcut:

  Ctrl+Shift+S

Or programmatically:

  n = idaapi.netnode()
  n.create("$ objc")
  n.altset(1, 0xBF60, 'R') # the address can be any address within the function
  idaapi.load_and_run_plugin("objc", 5)

These actions work in both the disassembly and pseudocode windows,
but note that you must refresh the pseudocode with F5 for the changes
to take full effect.

Also, please note that this feature makes use of the microcode in the hexrays SDK,
so you must have the decompiler in order to use it.


NSConcreteGlobalBlock
---------------------

Global blocks (i.e. blocks that don't make use of local variables) are much easier
to analyze, and simply involve identifying references to NSConcreteGlobalBlock in
the __const segment.

Global blocks are analyzed automatically at load time, but the analysis
can be performed manually at any time with:

  Edit>Other>Objective-C>Re-analyze global block functions

Or:

  idaapi.load_and_run_plugin("objc", 4)


Command Line
------------

Here's a summary of the command-line arguments that can be passed to objc:

objc features can be enabled or disabled using '+' or '-', followed by one of the following characters:

  v: verbose mode
  s: source info provider
  h: hexrays decompiler analysis
  l: lazy mode

For example, -Oobjc:+v:+l:-s will enable verbose and lazy mode, and will disable the objc SIP.


See also @0:1078[Debugger for macOS]
         @0:1677[Remote iOS debugger]
         @0:1705[DYLD Shared Cache Utils]
îWRAP
Kernel analysis options 3▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Enable EH analysis

  If this option is set on, IDA uses EH information of the binary for
  more detailed analysis.

Enable RTTI analysis

  If this option is set on, IDA tries to detect C++ Run-Time Type
  Identification and does additional analysis based on this information.

Enable macros

  This option is disabled if the processor module does not support macros.

  If this option is on, IDA will combine several instructions into one macro
  instruction.
  For example for the ARM processor,

      ADRP Rx, label@PAGE
      ADD  Rx, Rx, label@PAGEOFF

  will be replaced by

      ADRL Rx, label

Merge strlits

  if the analysis option "Create string literals if data xref exists" is set
  and the target string literal ends at the existing one (without a
  termination character), IDA will merge these strlits into one.

See also @0:621[analysis options 1] @0:622[analysis options 2]»@0:1688[]
Kernel analysis options 3
%/
<Enable ~E~H analysis           :C>
<Enable ~R~TTI analysis         :C>
<Enable ~m~acros                :C1>
<Merge ~s~trlits                :C>>

"Only classes may have destructorsy
WRAP
C++ type details ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

IDA can parse and handle simple C++ class declarations. It cannot parse
templates and other complex constructs but simple standard cases can be parsed.

If a C++ class contains virtual functions, IDA will try to rebuild the
virtual function table (VFT) for the class. The VFT will be linked to the
class by the name: if the class is called "A", the VFT type will be "A_vtbl".

Let us consider the following class hierarchy:

  class A { virtual int f(); int data; };
  class B : public A { virtual int g(); };

IDA will create the following structures:

  struct __cppobj A {A_vtbl *__vftable;int data;}
  struct A_vtbl {int (*f)(A *__hidden this);}
  struct __cppobj B : A {}
  struct B_vtbl {int (*f)(A *__hidden this);
                 int (*g)(B *__hidden this);}

Please note that the VFT pointer in the class A has a special name: "__vftable".
This name allows IDA to recognize the pointer as a VFT pointer and treat it
accordingly.

Another example of more complex class hierarchy:

  class base1 { virtual int b1(); int data; };
  class base2 { virtual int b2(); int data; };
  class der2 : public base2 { virtual int b2(); int data; };
  class derived : public base1, public der2 { virtual int d(); };

Compiling in 32-bit Visual Studio mode yields the following layout:

  class derived size(20):
        +---
   0    | +--- (base class base1)
   0    | | {vfptr}
   4    | | data
        | +---
   8    | +--- (base class der2)
   8    | | +--- (base class base2)
   8    | | | {vfptr}
  12    | | | data
        | | +---
  16    | | data
        | +---
        +---

IDA will generate the following types:

  struct __cppobj base1 {base1_vtbl *__vftable /*VFT*/;int data;};
  struct /*VFT*/ base1_vtbl {int (*b1)(base1 *__hidden this);};
  struct __cppobj base2 {base2_vtbl *__vftable /*VFT*/;int data;};
  struct /*VFT*/ base2_vtbl {int (*b2)(base2 *__hidden this);};
  struct __cppobj der2 : base2 {int data;};
  struct /*VFT*/ der2_vtbl {int (*b2)(der2 *__hidden this);};
  struct __cppobj derived : base1, der2 {};
  struct /*VFT*/ derived_vtbl {int (*b1)(base1 *__hidden this);
                               int (*d)(derived *__hidden this);};

The 'derived' class will use 2 VFTs:

  offset 0: derived_vtbl
  offset 8: der2_vtbl

IDA and Decompiler can use both VFTs and produce nice code for virtual calls.

Please note that the VFT layout will be different in g++ mode and IDA
can handle it too. Therefore it is important to have the target compiler
set correctly.

It is possible to build the class hierarchy manually. Just abide by the
following rules:

  - VFT pointer must have the "__vftable" name
  - VFT type must follow the "CLASSNAME_vtbl" pattern

C++ classes are marked with "__cppobj" keyword, it influences the class layout.
However, this keyword is not required for VFT types.

In the case of a multiple inheritance it is possible to override a virtual
table for a secondary base class by declaring a type with the following name:
"CLASSNAME_XXXX_vtbl" where XXXX is the offset to the virtual table
inside the derived (CLASSNAME) class.

Example: if in the above example we add one more function

        virtual int derived::b2();

then we need one more virtual table. Its name must be "derived_0008_vtbl".
Please note that our parser does not create such vtables, you have to do it
manually.

 See also @0:1259[Local types window]
(Shifted pointers cannot have zero delta#Too big delta of a shifted pointerShifted pointer cannot be voidûWRAP
Shifted pointers ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Sometimes in binary code we can encounter a pointer to the middle of a structure.
Such pointers usually do not exist in the source code but an optimizing
compiler may introduce them to make the code shorter or faster.

Such pointers can be described using shifted pointers. A shifted pointer
is a regular pointer with additional information about the name of the
parent structure and the offset from its beginning. For example:

        struct mystruct
        {
          char buf[16];
          int dummy;
          int value;            // <- myptr points here
          double fval;
        };
        int *__shifted(mystruct,20) myptr;

The above declaration means that myptr is a pointer to 'int' and if we
decrement it by 20 bytes, we will end up at the beginning of 'mystruct'.

Please note that IDA does not limit parents of shifted pointers to structures.
A shifted pointer after the adjustment may point to any type except 'void'.

Also, negative offsets are supported too. They mean that the pointer points
to the memory before the structure.

When a shifted pointer is used with an adjustment, it will be displayed with
the 'ADJ' helper function. For example, if we refer to the memory 4 bytes further,
it can be represented like this:

        ADJ(myptr)->fval

Shifted pointers are an improvement compared to the CONTAINING_RECORD macro
because expressions with them are shorter and easier to read.

See also @0:1361[Set type] command.Duplicate __shifted modifier“WRAP
Manual memory regions ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ManualRegions
 Current hotkey: @<ManualRegions>

This command open a window with manual memory regions. In this window the user
can manipulate memory region definitions: add or delete them.

Some debugger backends (e.g. the gdb backend) do not provide memory layout
information. IDA needs this information in order to show the memory contents.
When this information is not available, the user must specify it.

The defined memory regions will be accessible when the debugger is active.
The user will be able to see the memory contents in the disassembly windows.

If no memory information is provided by the user nor by the debugger backend,
IDA will assume that entire memory space is accessible. However, it is better
to specify memory layout more precisely.

See also @0:1395[Debugger] submenu.—
WRAP
Lumina Submenu ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This submenu contains actions to work with the Lumina server:

    @0:1699[Pull all metadata]
    @0:1700[Push all metadata]
    @0:1701[View all metadata]
    @0:1702[Pull current function metadata]
    @0:1702[Push current function metadata]

To learn more about Lumina, please read:

  https://www.hex-rays.com/products/ida/lumina
ûWRAP
Pull all metadata ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This commands retrieves @0:1704[metadata] about the current database from Lumina.

IDA will calculate checksums for all non-trivial functions in the database
and send it to Lumina. This information will be used to match and retrieve
metadata, which will be automatically applied.

Please note that this may overwrite your changes, so taking a database snapshot
and saving the database before invoking this command is a good idea.

By non-trivial functions we mean:

  - long enough functions (>=16 bytes)
  - non-library functions
  - non-imported functions (functions with real body)

See also @0:1701[View all metadata], which allows the user
to interactively apply metadata.
bWRAP
Push all metadata ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This commands sends @0:1704[metadata] about the current database to Lumina.

IDA will calculate checksums for all non-trivial functions in the database,
extract metadata about them, and send it to Lumina. The metadata includes
function names and types, user comments, operand types, etc.

If Lumina already has metadata about the involved functions, it will be replaced
only if the new metadata is better and more complete.

Only functions with non-trivial names are pushed by this command.

See also @0:1698[Lumina submenu]
EWRAP
View all metadata ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This commands retrieves @0:1704[metadata] about the current database from Lumina.

IDA will calculate checksums for all non-trivial functions in the database
and send it to Lumina. This information will be used to match and retrieve
metadata. After that IDA will display list of matched functions.

The user can then select the desired metadata and apply it to the database.
If the result is not satisfactory, it is possible to revert the changes.

Once the window is closed, it is not possible to revert the changes anymore.

At the bottom of the window there are convenience buttons to apply or
revert all available metadata.

See also @0:1699[Pull all metadata], which automatically
applied all retrieved metadata.

See also @0:1698[Lumina submenu]

WRAP
Pull current function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This commands tries to retrieve @0:1704[metadata] about the current function from Lumina.
If successful, the metadata will be automatically applied.

See also @0:1698[Lumina submenu]
ÓWRAP
Push current function ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This commands sends @0:1704[metadata] about the current function to Lumina.

See also @0:1698[Lumina submenu]
­
WRAP
Lumina Metadata ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Metadata currently consists of the following information:

  - function address, name, prototype
  - function frame layout
  - stack variables
  - user-defined sp change points
  - representation of instruction operands
  - function and instruction comments

We plan to add more information to metadata in the future.

See also @0:1698[Lumina submenu]
ª	WRAP
DYLD Shared Cache Utils ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This plugin (nicknamed "dscu" for brevity) is essentially just an extension of
the Mach-O loader. It allows you to manually load modules from a dyldcache
that were not loaded when first opening the cache in IDA (the plugin is only activated
after using the "single module" option for a dyldcache).

For a quick overview of the dscu functionality, see menu File>Load file>DYLD Shared Cache Utils.


Loading Modules
---------------

There are a few ways to manually load a module from the cache:

1) Use File>Load file>DYLD Shared Cache Utils>Load module... and choose which module to load

2) Right-click on an unmapped address in the disassembly, and select 'Load module <module name>'

3) Programatically:

  n = idaapi.netnode()
  n.create("$ dscu")
  n.supset(2, "/usr/lib/libobjc.A.dylib")
  idaapi.load_and_run_plugin("dscu", 1)


Loading Sections
----------------

dscu also allows you to load a subset of a given module.

Any section from any of the dyldcache's submodules can be loaded individually.
This is especially useful when analyzing Objective-C code, since often times it is
convenient to only load Objective-C info from a given module without loading all
of its code.

For example, if you see a pointer to a selector string that has not been loaded:

  ADRP  X8, #0x1AECFF7F9@PAGE
  ADD   X1, X8, #0x1AECFF7F9@PAGEOFF ; SEL
  MOV   X0, X21 ; id
  BL    _objc_msgSend_0

Right-click on "0x1AECFF7F9" and dscu will provide you with two options:

  Load UIKitCore:__objc_methname
  Load UIKitCore

The UIKitCore module is huge, so perhaps you don't want to load the entire thing,
but still want to clean up the disassembly. If you choose "Load UIKitCore:__objc_methname",
dscu will load only these selector strings into the database:

  ADRP  X8, #sel_alloc@PAGE ; "alloc"
  ADD   X1, X8, #sel_alloc@PAGEOFF ; SEL
  MOV   X0, X21 ; id
  BL    _objc_msgSend_0

This operation is much faster, and still provides a lot of benefit to the analysis.

Sections can also be loaded via:

  File>Load file>DYLD Shared Cache Utils>Load section...

or programmatically with:

  node = idaapi.netnode()
  node.create("$ dscu")
  node.altset(3, 0x1AECFF7F9) # address can be any address in the section
  idaapi.load_and_run_plugin("dscu", 2)


See also @0:1687[Objective-C Analysis Plugin]
         @0:1078[Debugger for macOS]
         @0:1677[Remote iOS debugger]
UndoRedo
Disable undoShow undo historyŒ
WRAP
Undo an action ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Undo
 Current hotkey: @<Undo>

This command reverts the database to the state before executing the last
user action. It is possible to apply Undo multiple times, in this case
multiple user actions will be reverted.

Please note the entire database is reverted, including all modifications that
were made to the database after executing the user action and including the ones
that are not connected to the user action. For example, if a third party plugin
modified the database during or after the user action, this modification will
be reverted. In theory it is possible to go back in time to the very beginning
and revert the database to the state state that was present immediately after
performing the very first user action. However, in practice the undo buffers
overflow because of the changes made by autoanalysis. @0:620[Autoanalysis]
generates copious amounts of undo data. Also please note that maintaining undo
data during autoanalysis slows it down a bit. In practice it is not a big deal
because the limit on the undo data is reached quite quickly (in a matter of minutes).
Therefore, if during analysis the user does not perform any actions that modify
the database, the undo feature will turn itself off temporarily.

However, if you prefer not to collect undo data at all during the initial autoanalysis,
just turn off the UNDO_DURING_AA parameter in @0:419[ida.cfg].

The configuration file @0:419[ida.cfg] has 2 more undo-related parameters:

  UNDO_MAXSIZE  max size of undo buffers; default: 128MB
                once this limit is reached, the undo info about the oldest
                user action will be forgotten.

  UNDO_DEPTH    max number of user actions to remember; default: 1000000
                if set to 0, the undo feature will be unavailable.

Since there is a limit on the size of undo buffers, any action, even the tiniest,
may become non-undoable after some time. This is true because the analysis
or plugins may continue to modify the database and overflow the buffers.
Some massive actions, like deleting a segment, may be non-undoable just
because of the sheer amount of undo data they generate.

Please note that Undo does not affect the state of IDC or Python scripts. Script
variables will not change their values because of Undo. Also nothing external to
the database can be changed: created files will not be deleted, etc.

Some actions cannot be undone. For example, launching a debugger or resuming
from a breakpoint cannot be undone.

See also
        @0:1711[Redo]
        @0:1712[Reset Undo]
        @0:1713[Disable Undo]
        @0:1714[Open undo history]
ŠWRAP
Redo an action ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: Redo
 Current hotkey: @<Redo>

This command reverts the previously issued @0:1710[Undo] command.
It is possible to use Redo multiple times.

This command also reverts all changes that were done to the database after
the last Undo command, including the eventual useful modifications made by the
autoanalysis. In other words, the entire database is modified to get to the
exact state that it had before executing the last Undo command.

See also
        @0:1710[Undo]
        @0:1712[Reset Undo]
        @0:1713[Disable Undo]
        @0:1714[Open undo history]
xWRAP
Clear undo history ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ResetUndo
 Current hotkey: @<ResetUndo>

This command clears the undo history. After it the Undo and Redo commands
become unavailable. However, once the user performs a new action, IDA will
again start journaling all database modifications.

A side effect of this command is fast autoanalysis: since there is no user
action to revert yet, IDA does not maintain undo buffers and this speeds up
the analysis.

See also
        @0:1710[Undo]
        @0:1711[Redo]
        @0:1713[Disable Undo]
        @0:1714[Open undo history]
'
WRAP
Disable undo ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: DisableUndo
 Current hotkey: @<DisableUndo>

This command completely disables the undo feature.

See also
        @0:1710[Undo]
        @0:1711[Redo]
        @0:1712[Reset Undo]
        @0:1714[Open undo history]
PWRAP
Show undo history ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: ShowUndoHistory
 Current hotkey: @<ShowUndoHistory>

This command opens a window with the undo history. It is available from
the Views, Open subviews submenu.

Double clicking on a line reverts the database to the state before the
corresponding action.

It is possible to truncate the undo history by using the corresponding context menu command.
The undo information for the selected action will be removed together with the
information about all preceding actions.

The redoable user actions are displayed in italics.
The current position in the undo buffers is displayed in bold, it
usually denotes the first redoable user action.

See also
        @0:1710[Undo]
        @0:1711[Redo]
        @0:1712[Reset Undo]
        @0:1713[Disable Undo]
Run currently selected scriptReset filters@0:1720[]
Address bookmarks}WRAP
IDA View bookmarks ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

See:
 @0:227[Choose marked location]yWRAP
Structs bookmarks ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

See:
 @0:227[Choose marked location]qWRAP
Enums bookmarks ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

See:
 @0:227[Choose marked location]Open bookmarksÿWRAP
Bookmarks window ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: OpenBookmarks
 Current hotkey: @<OpenBookmarks>

This command opens the bookmarks window. This window lets
the user jump to a specific place in the listing.
HExplicit locations, if present, should be given for all stack arguments!Duplicate __spoils specificationm
WRAP
Find breakpoint ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

 Action    name: BreakpointFind
 Current hotkey: @<BreakpointFind>

Open the breakpoints window if needed, then find current breakpoint in it.

 See also @0:1404[Breakpoints list]
          @0:1405[Add breakpoint]
          @0:1407[Edit breakpoint]
          @0:1404[Breakpoints] submenu.‚WRAP
IDAClang plugin ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The IDAClang plugin is shipped with IDA, and it provides the ability
to parse header files that contain arbitrarily complex C/C++/Objective-C
source code using the @0:1367[Load C header] action.

To enable the IDAClang parser, go to Options>Compiler>Source parser, and select "clang".
Then use 'File>Load file>Parse C header file' to invoke the parser on a given source file.

Since IDAClang is based on the third-party libclang parser, it can only parse standalone
source files that contain valid C/C++/Objective-C syntax.

See also @0:1367[Load C header] command.ÇWRAP
Function flags▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀

The following flags can be set in function properties:

Does not return

The function does not return to caller (for example, calls a process exit function or has an infinite loop).
If no-return analysis is enabled in @0:621[Kernel Options], IDA will not analyze bytes
following the calls to this function.

Far function

On processors which distinguish near and far functions (e.g. PC x86), mark the function as 'far'.
This may affect the size of the special @0:488[stack frame] field reserved for the return address,
as well as analysis of calls to this function.

Library func

Mark the function as part of compiler runtime library code. This flag is usually set when applying @0:436[FLIRT signatures]

Static func

Mark the function as static. Currently this flag is not used by IDA and is simply informational.

BP based frame

Inform IDA that the function uses a frame pointer (BP/EBP/RBP on PC) to access @0:488[local variables].
The operands of the form  [BP+xxx] will be automatically converted to @0:474[stack variables].

BP equal to SP

Frame pointer points to the bottom of the stack instead of at the beginning of the local variables area as is typical.

Fuzzy SP

Function changes SP by an unknown value, for example: and esp, 0FFFFFFF0h

Outlined code

The function is not a real function but a fragment of multiple functions' common instruction sequence extracted by the compiler
as a code size optimization (sometimes called "code factoring"). During decompilation, body of the function
will be expanded at the call site.

See also

         @0:483[Edit|Functions] submenu.
         @0:485[Edit a function]
         @0:687[Append function tail...]
Ì,Apache License for Ghidra ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.‹;Apache License for LLVM ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

==============================================================================
The LLVM Project is under the Apache License v2.0 with LLVM Exceptions:
==============================================================================

                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

    1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

    2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

    3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

    4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

    5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

    6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

    7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

    8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

    9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

    END OF TERMS AND CONDITIONS

    APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

    Copyright [yyyy] [name of copyright owner]

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.


---- LLVM Exceptions to the Apache 2.0 License ----

As an exception, if, as a result of your compiling your source code, portions
of this Software are embedded into an Object form of such source code, you
may redistribute such embedded portions in such Object form without complying
with the conditions of Sections 4(a), 4(b) and 4(d) of the License.

In addition, if you combine or link compiled forms of this Software with
software that is licensed under the GPLv2 ("Combined Software") and if a
court of competent jurisdiction determines that the patent provision (Section
3), the indemnity provision (Section 9) or other Section of the License
conflicts with the conditions of the GPLv2, you may retroactively and
prospectively choose to deem waived or otherwise exclude such Section(s) of
the License, but only in their entirety and only with respect to the Combined
Software.

==============================================================================
Software from third parties included in the LLVM Project:
==============================================================================
The LLVM Project contains third party software which is under different license
terms. All such code will be identified clearly using at least one of two
mechanisms:
1) It will be in a separate directory tree with its own `LICENSE.txt` or
   `LICENSE` file at the top containing the specific license and restrictions
   which apply to that software, or
2) It will contain specific license and restriction terms at the top of every
   file.

==============================================================================
Legacy LLVM License (https://llvm.org/docs/DeveloperPolicy.html#legacy):
==============================================================================
University of Illinois/NCSA
Open Source License

Copyright (c) 2007-2019 University of Illinois at Urbana-Champaign.
All rights reserved.

Developed by:

    LLVM Team

    University of Illinois at Urbana-Champaign

    http://llvm.org

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal with
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:

    * Redistributions of source code must retain the above copyright notice,
      this list of conditions and the following disclaimers.

    * Redistributions in binary form must reproduce the above copyright notice,
      this list of conditions and the following disclaimers in the
      documentation and/or other materials provided with the distribution.

    * Neither the names of the LLVM Team, University of Illinois at
      Urbana-Champaign, nor the names of its contributors may be used to
      endorse or promote products derived from this Software without specific
      prior written permission.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
CONTRIBUTORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS WITH THE
SOFTWARE.ÉWRAP
Lumina options ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Lumina dialog box options▄

This options tab allows for modification of Lumina credentials and use settings.

Use the public server

        Sets host and port to the default public server hosted by Hex-Rays.
        No username or password is required.

Use a private server

        Allows for setting the name/address and port of a private server.
        If username and password credentials are needed, they can be specified here.

Automatically use Lumina server for analysis

        Instructs IDA to fetch function metadata from the current Lumina server,
        after the initial auto-analysis is complete. This helps with the recognition
        of known functions stored in the database of the Lumina server.


Lumina command line options ▄

Command line switch '-Olumina' overrides for ida session the primary server and '-Osecondary_lumina' the secondary one.

List of options▄

         host: lumina server host
         port: lumina server port
         user: username for authentification on private lumina
         pass: password for authentification on private lumina
         proxy_host: proxy host
         proxy_port: proxy port
         proxy_user: username for authentification on proxy
         proxy_pass: password for authentification on proxy

Example▄

  -Osecondary_lumina:host=lumina.hex-rays.com:port=443

Use the public lumina as secondary server for this ida sessionLWRAP
picture_search ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

picture_search is a plugin that allows you to search for, and
inspect pictures that are embedded in the binary.

The key feature of the plugin is the "Search for pictures"
action, available in the @0:568["Search"] menu,
that will scan the entire binary (or the selection if there is one)
for so-called "magic" numbers of well-known image types
(PNG, JPEG, ...), and present the results in a tabular fashion:

                 [Address]         |[Format]
        .noptrdata:0000000000511620|GIF89a
        .noptrdata:00000000005133E0|PNG
        .noptrdata:0000000000517460|JPEG
        .noptrdata:000000000051ADA0|BMP

Note: at this point, pictures have not been decoded yet; the plugin
has merely spotted what looks like the start of pictures.
Decoding will only happen when triggering any of the following actions.

Double-clicking any row of that list will show the picture
directly in IDA. Opening the context menu will reveal even more
possibilities: open the picture in the OS's default viewer,
save it, jump to its start address...

In addition to this very handy scanning feature, the plugin will
add the "Open picture" action to the disassembly listing's
context menu when the current position happens to be near data
that matches the well-known image types' magic numbers.
BAUTOHIDE SESSION
Create a segment (%0*a-%0*a):
bad segment start.@AUTOHIDE SESSION
Create a segment (%0*a-%0*a):
bad segment end.Show register value…hGNU Lesser General Public License v2.1 for libiberty ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

                  GNU LESSER GENERAL PUBLIC LICENSE
                       Version 2.1, February 1999

 Copyright (C) 1991, 1999 Free Software Foundation, Inc.
     51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

[This is the first released version of the Lesser GPL.  It also counts
 as the successor of the GNU Library Public License, version 2, hence
 the version number 2.1.]

                            Preamble

  The licenses for most software are designed to take away your
freedom to share and change it.  By contrast, the GNU General Public
Licenses are intended to guarantee your freedom to share and change
free software--to make sure the software is free for all its users.

  This license, the Lesser General Public License, applies to some
specially designated software packages--typically libraries--of the
Free Software Foundation and other authors who decide to use it.  You
can use it too, but we suggest you first think carefully about whether
this license or the ordinary General Public License is the better
strategy to use in any particular case, based on the explanations below.

  When we speak of free software, we are referring to freedom of use,
not price.  Our General Public Licenses are designed to make sure that
you have the freedom to distribute copies of free software (and charge
for this service if you wish); that you receive source code or can get
it if you want it; that you can change the software and use pieces of
it in new free programs; and that you are informed that you can do
these things.

  To protect your rights, we need to make restrictions that forbid
distributors to deny you these rights or to ask you to surrender these
rights.  These restrictions translate to certain responsibilities for
you if you distribute copies of the library or if you modify it.

  For example, if you distribute copies of the library, whether gratis
or for a fee, you must give the recipients all the rights that we gave
you.  You must make sure that they, too, receive or can get the source
code.  If you link other code with the library, you must provide
complete object files to the recipients, so that they can relink them
with the library after making changes to the library and recompiling
it.  And you must show them these terms so they know their rights.

  We protect your rights with a two-step method: (1) we copyright the
library, and (2) we offer you this license, which gives you legal
permission to copy, distribute and/or modify the library.

  To protect each distributor, we want to make it very clear that
there is no warranty for the free library.  Also, if the library is
modified by someone else and passed on, the recipients should know
that what they have is not the original version, so that the original
author's reputation will not be affected by problems that might be
introduced by others.

  Finally, software patents pose a constant threat to the existence of
any free program.  We wish to make sure that a company cannot
effectively restrict the users of a free program by obtaining a
restrictive license from a patent holder.  Therefore, we insist that
any patent license obtained for a version of the library must be
consistent with the full freedom of use specified in this license.

  Most GNU software, including some libraries, is covered by the
ordinary GNU General Public License.  This license, the GNU Lesser
General Public License, applies to certain designated libraries, and
is quite different from the ordinary General Public License.  We use
this license for certain libraries in order to permit linking those
libraries into non-free programs.

  When a program is linked with a library, whether statically or using
a shared library, the combination of the two is legally speaking a
combined work, a derivative of the original library.  The ordinary
General Public License therefore permits such linking only if the
entire combination fits its criteria of freedom.  The Lesser General
Public License permits more lax criteria for linking other code with
the library.

  We call this license the "Lesser" General Public License because it
does Less to protect the user's freedom than the ordinary General
Public License.  It also provides other free software developers Less
of an advantage over competing non-free programs.  These disadvantages
are the reason we use the ordinary General Public License for many
libraries.  However, the Lesser license provides advantages in certain
special circumstances.

  For example, on rare occasions, there may be a special need to
encourage the widest possible use of a certain library, so that it becomes
a de-facto standard.  To achieve this, non-free programs must be
allowed to use the library.  A more frequent case is that a free
library does the same job as widely used non-free libraries.  In this
case, there is little to gain by limiting the free library to free
software only, so we use the Lesser General Public License.

  In other cases, permission to use a particular library in non-free
programs enables a greater number of people to use a large body of
free software.  For example, permission to use the GNU C Library in
non-free programs enables many more people to use the whole GNU
operating system, as well as its variant, the GNU/Linux operating
system.

  Although the Lesser General Public License is Less protective of the
users' freedom, it does ensure that the user of a program that is
linked with the Library has the freedom and the wherewithal to run
that program using a modified version of the Library.

  The precise terms and conditions for copying, distribution and
modification follow.  Pay close attention to the difference between a
"work based on the library" and a "work that uses the library".  The
former contains code derived from the library, whereas the latter must
be combined with the library in order to run.

                  GNU LESSER GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. This License Agreement applies to any software library or other
program which contains a notice placed by the copyright holder or
other authorized party saying it may be distributed under the terms of
this Lesser General Public License (also called "this License").
Each licensee is addressed as "you".

  A "library" means a collection of software functions and/or data
prepared so as to be conveniently linked with application programs
(which use some of those functions and data) to form executables.

  The "Library", below, refers to any such software library or work
which has been distributed under these terms.  A "work based on the
Library" means either the Library or any derivative work under
copyright law: that is to say, a work containing the Library or a
portion of it, either verbatim or with modifications and/or translated
straightforwardly into another language.  (Hereinafter, translation is
included without limitation in the term "modification".)

  "Source code" for a work means the preferred form of the work for
making modifications to it.  For a library, complete source code means
all the source code for all modules it contains, plus any associated
interface definition files, plus the scripts used to control compilation
and installation of the library.

  Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope.  The act of
running a program using the Library is not restricted, and output from
such a program is covered only if its contents constitute a work based
on the Library (independent of the use of the Library in a tool for
writing it).  Whether that is true depends on what the Library does
and what the program that uses the Library does.
  
  1. You may copy and distribute verbatim copies of the Library's
complete source code as you receive it, in any medium, provided that
you conspicuously and appropriately publish on each copy an
appropriate copyright notice and disclaimer of warranty; keep intact
all the notices that refer to this License and to the absence of any
warranty; and distribute a copy of this License along with the
Library.

  You may charge a fee for the physical act of transferring a copy,
and you may at your option offer warranty protection in exchange for a
fee.

  2. You may modify your copy or copies of the Library or any portion
of it, thus forming a work based on the Library, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:

    a) The modified work must itself be a software library.

    b) You must cause the files modified to carry prominent notices
    stating that you changed the files and the date of any change.

    c) You must cause the whole of the work to be licensed at no
    charge to all third parties under the terms of this License.

    d) If a facility in the modified Library refers to a function or a
    table of data to be supplied by an application program that uses
    the facility, other than as an argument passed when the facility
    is invoked, then you must make a good faith effort to ensure that,
    in the event an application does not supply such function or
    table, the facility still operates, and performs whatever part of
    its purpose remains meaningful.

    (For example, a function in a library to compute square roots has
    a purpose that is entirely well-defined independent of the
    application.  Therefore, Subsection 2d requires that any
    application-supplied function or table used by this function must
    be optional: if the application does not supply it, the square
    root function must still compute square roots.)

These requirements apply to the modified work as a whole.  If
identifiable sections of that work are not derived from the Library,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works.  But when you
distribute the same sections as part of a whole which is a work based
on the Library, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote
it.

Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Library.

In addition, mere aggregation of another work not based on the Library
with the Library (or with a work based on the Library) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.

  3. You may opt to apply the terms of the ordinary GNU General Public
License instead of this License to a given copy of the Library.  To do
this, you must alter all the notices that refer to this License, so
that they refer to the ordinary GNU General Public License, version 2,
instead of to this License.  (If a newer version than version 2 of the
ordinary GNU General Public License has appeared, then you can specify
that version instead if you wish.)  Do not make any other change in
these notices.

  Once this change is made in a given copy, it is irreversible for
that copy, so the ordinary GNU General Public License applies to all
subsequent copies and derivative works made from that copy.

  This option is useful when you wish to copy part of the code of
the Library into a program that is not a library.

  4. You may copy and distribute the Library (or a portion or
derivative of it, under Section 2) in object code or executable form
under the terms of Sections 1 and 2 above provided that you accompany
it with the complete corresponding machine-readable source code, which
must be distributed under the terms of Sections 1 and 2 above on a
medium customarily used for software interchange.

  If distribution of object code is made by offering access to copy
from a designated place, then offering equivalent access to copy the
source code from the same place satisfies the requirement to
distribute the source code, even though third parties are not
compelled to copy the source along with the object code.

  5. A program that contains no derivative of any portion of the
Library, but is designed to work with the Library by being compiled or
linked with it, is called a "work that uses the Library".  Such a
work, in isolation, is not a derivative work of the Library, and
therefore falls outside the scope of this License.

  However, linking a "work that uses the Library" with the Library
creates an executable that is a derivative of the Library (because it
contains portions of the Library), rather than a "work that uses the
library".  The executable is therefore covered by this License.
Section 6 states terms for distribution of such executables.

  When a "work that uses the Library" uses material from a header file
that is part of the Library, the object code for the work may be a
derivative work of the Library even though the source code is not.
Whether this is true is especially significant if the work can be
linked without the Library, or if the work is itself a library.  The
threshold for this to be true is not precisely defined by law.

  If such an object file uses only numerical parameters, data
structure layouts and accessors, and small macros and small inline
functions (ten lines or less in length), then the use of the object
file is unrestricted, regardless of whether it is legally a derivative
work.  (Executables containing this object code plus portions of the
Library will still fall under Section 6.)

  Otherwise, if the work is a derivative of the Library, you may
distribute the object code for the work under the terms of Section 6.
Any executables containing that work also fall under Section 6,
whether or not they are linked directly with the Library itself.

  6. As an exception to the Sections above, you may also combine or
link a "work that uses the Library" with the Library to produce a
work containing portions of the Library, and distribute that work
under terms of your choice, provided that the terms permit
modification of the work for the customer's own use and reverse
engineering for debugging such modifications.

  You must give prominent notice with each copy of the work that the
Library is used in it and that the Library and its use are covered by
this License.  You must supply a copy of this License.  If the work
during execution displays copyright notices, you must include the
copyright notice for the Library among them, as well as a reference
directing the user to the copy of this License.  Also, you must do one
of these things:

    a) Accompany the work with the complete corresponding
    machine-readable source code for the Library including whatever
    changes were used in the work (which must be distributed under
    Sections 1 and 2 above); and, if the work is an executable linked
    with the Library, with the complete machine-readable "work that
    uses the Library", as object code and/or source code, so that the
    user can modify the Library and then relink to produce a modified
    executable containing the modified Library.  (It is understood
    that the user who changes the contents of definitions files in the
    Library will not necessarily be able to recompile the application
    to use the modified definitions.)

    b) Use a suitable shared library mechanism for linking with the
    Library.  A suitable mechanism is one that (1) uses at run time a
    copy of the library already present on the user's computer system,
    rather than copying library functions into the executable, and (2)
    will operate properly with a modified version of the library, if
    the user installs one, as long as the modified version is
    interface-compatible with the version that the work was made with.

    c) Accompany the work with a written offer, valid for at
    least three years, to give the same user the materials
    specified in Subsection 6a, above, for a charge no more
    than the cost of performing this distribution.

    d) If distribution of the work is made by offering access to copy
    from a designated place, offer equivalent access to copy the above
    specified materials from the same place.

    e) Verify that the user has already received a copy of these
    materials or that you have already sent this user a copy.

  For an executable, the required form of the "work that uses the
Library" must include any data and utility programs needed for
reproducing the executable from it.  However, as a special exception,
the materials to be distributed need not include anything that is
normally distributed (in either source or binary form) with the major
components (compiler, kernel, and so on) of the operating system on
which the executable runs, unless that component itself accompanies
the executable.

  It may happen that this requirement contradicts the license
restrictions of other proprietary libraries that do not normally
accompany the operating system.  Such a contradiction means you cannot
use both them and the Library together in an executable that you
distribute.

  7. You may place library facilities that are a work based on the
Library side-by-side in a single library together with other library
facilities not covered by this License, and distribute such a combined
library, provided that the separate distribution of the work based on
the Library and of the other library facilities is otherwise
permitted, and provided that you do these two things:

    a) Accompany the combined library with a copy of the same work
    based on the Library, uncombined with any other library
    facilities.  This must be distributed under the terms of the
    Sections above.

    b) Give prominent notice with the combined library of the fact
    that part of it is a work based on the Library, and explaining
    where to find the accompanying uncombined form of the same work.

  8. You may not copy, modify, sublicense, link with, or distribute
the Library except as expressly provided under this License.  Any
attempt otherwise to copy, modify, sublicense, link with, or
distribute the Library is void, and will automatically terminate your
rights under this License.  However, parties who have received copies,
or rights, from you under this License will not have their licenses
terminated so long as such parties remain in full compliance.

  9. You are not required to accept this License, since you have not
signed it.  However, nothing else grants you permission to modify or
distribute the Library or its derivative works.  These actions are
prohibited by law if you do not accept this License.  Therefore, by
modifying or distributing the Library (or any work based on the
Library), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Library or works based on it.

  10. Each time you redistribute the Library (or any work based on the
Library), the recipient automatically receives a license from the
original licensor to copy, distribute, link with or modify the Library
subject to these terms and conditions.  You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties with
this License.

  11. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License.  If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Library at all.  For example, if a patent
license would not permit royalty-free redistribution of the Library by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Library.

If any portion of this section is held invalid or unenforceable under any
particular circumstance, the balance of the section is intended to apply,
and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system which is
implemented by public license practices.  Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.

This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.

  12. If the distribution and/or use of the Library is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Library under this License may add
an explicit geographical distribution limitation excluding those countries,
so that distribution is permitted only in or among countries not thus
excluded.  In such case, this License incorporates the limitation as if
written in the body of this License.

  13. The Free Software Foundation may publish revised and/or new
versions of the Lesser General Public License from time to time.
Such new versions will be similar in spirit to the present version,
but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number.  If the Library
specifies a version number of this License which applies to it and
"any later version", you have the option of following the terms and
conditions either of that version or of any later version published by
the Free Software Foundation.  If the Library does not specify a
license version number, you may choose any version ever published by
the Free Software Foundation.

  14. If you wish to incorporate parts of the Library into other free
programs whose distribution conditions are incompatible with these,
write to the author to ask for permission.  For software which is
copyrighted by the Free Software Foundation, write to the Free
Software Foundation; we sometimes make exceptions for this.  Our
decision will be guided by the two goals of preserving the free status
of all derivatives of our free software and of promoting the sharing
and reuse of software generally.

                            NO WARRANTY

  15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
LIBRARY IS WITH YOU.  SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

  16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

                     END OF TERMS AND CONDITIONS

           How to Apply These Terms to Your New Libraries

  If you develop a new library, and you want it to be of the greatest
possible use to the public, we recommend making it free software that
everyone can redistribute and change.  You can do so by permitting
redistribution under these terms (or, alternatively, under the terms of the
ordinary General Public License).

  To apply these terms, attach the following notices to the library.  It is
safest to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least the
"copyright" line and a pointer to where the full notice is found.

    <one line to give the library's name and a brief idea of what it does.>
    Copyright (C) <year>  <name of author>

    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
    License as published by the Free Software Foundation; either
    version 2.1 of the License, or (at your option) any later version.

    This library is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    Lesser General Public License for more details.

    You should have received a copy of the GNU Lesser General Public
    License along with this library; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA

Also add information on how to contact you by electronic and paper mail.

You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the library, if
necessary.  Here is a sample; alter the names:

  Yoyodyne, Inc., hereby disclaims all copyright interest in the
  library `Frob' (a library for tweaking knobs) written by James Random Hacker.

  <signature of Ty Coon>, 1 April 1990
  Ty Coon, President of Vice

That's all there is to it!

tWRAP
Data representation: enum member ▄

Syntax:

  __enum(enum_name)

Instead of a plain number, a symbolic constant from the specified enum will be used.
The enum can be a regular enum or a bitmask enum. For bitmask enums, a bitwise
combination of symbolic constants will be printed.
If the value to print cannot be represented using the specified enum, it will
be displayed in red.

Example:

   enum myenum { A=0, B=1, C=3 };
   short var __enum(myenum);

   If `var` is equal to 1, it will be represented as "B"

Another example:

   enum mybits __bitmask { INITED=1, STARTED=2, DONE=4 };
   short var __enum(mybits);

   If `var` is equal to 3, it will be represented as "INITED|STARTED"

This annotation is useful if the enum size is not equal to the variable size.
Otherwise using the enum type for the declaration is better:

   myenum var;  // is 4 bytes, not 2 as above
ÆData representation: offset expression ▄

Syntax:

  __offset(type, base, tdelta, target)
  __offset(type, base, tdelta)
  __offset(type, base)
  __offset(type|AUTO, tdelta)
  __offset(type)
  __off

where

type is one of:

  OFF8       8-bit full offset
  OFF16      16-bit full offset
  OFF32      32-bit full offset
  OFF64      64-bit full offset
  LOW8       low 8 bits of 16-bit offset
  LOW16      low 16 bits of 32-bit offset
  HIGH8      high 8 bits of 16-bit offset
  HIGH16     high 16 bits of 32-bit offset

The type can also be the name of a custom refinfo.

It can be combined with the following keywords:

  RVAOFF     based reference (rva)
  PASTEND    reference past an item
             it may point to an nonexistent address
  NOBASE     forbid the base xref creation
             implies that the base can be any value
             nb: base xrefs are created only if the offset base
             points to the middle of a segment
  SUBTRACT   the reference value is subtracted from the base value instead of
             (as usual) being added to it
  SIGNEDOP   the operand value is sign-extended (only supported for
             REF_OFF8/16/32/64)
  NO_ZEROS   an opval of 0 will be considered invalid
  NO_ONES    an opval of ~0 will be considered invalid
  SELFREF    the self-based reference

The base, target delta, and the target can be omitted. If the base is BADADDR,
it can be omitted by combining the type with AUTO:

  __offset(type|AUTO, tdelta)

Zero based offsets without any additional attributes and having the size
that corresponds the current application target (e.g. REF_OFF32 for a 32-bit
bit application), the shoft __off form can be used.

Examples:

  A 64-bit offset based on the image base:

  int var __offset(OFF64|RVAOFF);

  A 32-bit offset based on 0 that may point to an non-existing address:

  int var __offset(OFF32|PASTEND|AUTO);

  A 32-bit offset based on 0x400000:

  int var __offset(OFF32, 0x400000);

  A simple zero based offset that matches the current application bitness:

  int var __off;

This annotation is useful the type of the pointed object is unknown or
the variable size is different from the usual pointer size. Otherwise
it is better to use a pointer:

  type *var;
”Data representation: string ▄

Syntax:

  __strlit(strtype, "encoding")
  __strlit(strtype, char1, char2, "encoding")
  __strlit(strtype)

where strtype is one of:

  C          Zero terminated string, 8 bits per symbol
  C_16       Zero terminated string, 16 bits per symbol
  C_32       Zero terminated string, 32 bits per symbol
  PASCAL     Pascal string: 1 byte length prefix, 8 bits per symbol
  PASCAL_16  Pascal string: 1 byte length prefix, 16 bits per symbol
  LEN2       Wide Pascal string: 2 byte length prefix, 8 bits per symbol
  LEN2_16    Wide Pascal string: 2 byte length prefix, 16 bits per symbol
  LEN4       Delphi string: 4 byte length prefix, 8 bits per symbol
  LEN4_16    Delphi string: 4 byte length prefix, 16 bits per symbol

It may be followed by two optional string termination characters (only for C).
Finally, the string encoding may be specified, as the encoding name or
"no_conversion" if the string encoding was not explicitly specified.

Example:

  A zero-terminated string in windows-1252 encoding:

  char array[10] __strlit(C,"windows-1252");

  A zero-terminated string in utf-8 encoding:

  char array[10] __strlit(C,"UTF-8");
ëData representation: structure offset ▄

Syntax:

  __stroff(structname)
  __stroff(structname, delta)

Instead of a plain number, the name of a struct or union member will be used.
If delta is present, it will be subtracted from the value before converting
it into a struct/union member name.

Example:

  An integer variable named `var` that hold an offset from the beginning of
  the `mystruct` structure:

  int var __stroff(mystruct);

  If mystruct is defined like this:

  struct mystruct
  {
    char a;
    char b;
    char c;
    char d;
  }

  The value 2 will be represented as `mystruct.c`

Another example:

  A structure offset with a delta:

  int var __stroff(mystruct, 1);

  The value 2 will be represented as `mystruct.d-1`
c
Data representation: custom data type and format ▄

Syntax:

  __custom(dtid, fid)

where dtid is the name of a custom data type and fid is the name of a
custom data format. The custom type and format must be registered by a plugin
beforehand, at the database opening time. Otherwise custom data type and format
ids will be displayed instead of names.
åData representation: tabular form ▄

Syntax:

  __tabform(flags)
  __tabform(flags,lineitems)
  __tabform(flags,lineitems,alignment)
  __tabform(,lineitems,alignment)
  __tabform(,,alignment)

This keyword is used to format arrays.
The following flags are accepted:

  NODUPS do not use the `dup` keyword
  HEX    use hexadecimal numbers to show array indexes
  OCT    use octal numbers to show array indexes
  BIN    use binary numbers to show array indexes
  DEC    use decimal numbers to show array indexes

It is possible to combine NODUPS with the index radix: NODUPS|HEX

The `lineitems` and `alignment` attributes have the meaning described for
the @0:455[create array] command.

Example:

  Display the array in tabular form, 4 decimal numbers on a line, each number
  taking 8 positions. Display indexes as comments in hexadecimal:

  char array[16] __tabform(HEX,4,8) __dec;

  A possible array may look like:

  dd   50462976, 117835012, 185207048, 252579084; 0
  dd  319951120, 387323156, 454695192, 522067228; 4
  dd  589439264, 656811300, 724183336, 791555372; 8
  dd  858927408, 926299444, 993671480,1061043516; 0Ch

Without this annotation, the `dup` keyword is permitted, number of items on a
line and the alignment are not defined.
Focus other widget~D~elete type...De~l~ete type...-Field '%s' contains illegal zero-sized array%s~A~dd type...Edit ~t~ype...J}

static LocalTypes_%d() 
{
  auto p_type, p_fields, p_cmt, p_fldcmts;

àWRAP
Patfind plugin ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Patfind plugin makes it possible to automatically find functions in binary files.

It relies on bit pattern definitions for typical function starts and function ends.

Those bit patterns are defined in XML files, based on Ghidra's function patterns format.
A collection of bit pattern files is provided for the commonly used CPU architectures.

It is possible to add new architectures by simply adding a new XML file, just like the other XML files.

It's also possible to add, remove or change existing patterns for better matching.

Configuration ▄

'cfg/patfind.cfg' file presents all the options

The config file also contains the documentation on how to use or change the XML pattern files.

If desired, new XML files can be added to the 'cfg/ghidra_patterns/' directory.

'-Opatfind' command line switches can be used to select the type of run differently for this session of IDA.

List of options▄

  autorun=0 : don't automatically search for bit pattern
  autorun=1 : search for bit pattern only on binary like files
  autorun=2 : search for bit pattern on any input file

Examples▄

  -Opatfind:autorun=0

Disable the autorun of Patfind plugin for this session¹
WRAP
Borland RTTI descriptors plugin ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

This plugin allows you to create/delete/view Borland RTTI descriptors.

These descriptors appear in programs written on BCC++ or Borland C++ Builder or Borland Delphi.

The plugin is available for 32 bits binaries for PE or OMF format.

Dialog box▄

  - List RTTI descriptors      : Displays the list of recognized RTTI
                                 descriptors. IDA automatically recognizes
                                 most descriptors. The list will include only
                                 the descriptors specified by the 'RTTI type'
                                 radiobuttons. You can also delete any
                                 descriptor from list.
  - List RTTI problems        :  Displays the list of problematic RTTI
                                 descriptors. The list will include only the
                                 descriptors specified by the 'RTTI type'
                                 radiobuttons. You can also delete any
                                 descriptor from list.
  - Delete list of descriptors : Delete the whole list of RTTI descriptors.
  - Delete list of problems    : Delete the whole list of problematic RTTI
                                 descriptors.
  - Create C++ descriptor      : Manually invoke creation of a C++ descriptor
                                 at the current cursor location.
  - Create Pascal descriptor   : Manually invoke creation of a Pascal
                                 descriptor at the current cursor location.
  - Create Pascal or C++ descriptor : Manually invoke creation of a Pascal or
                                      C++ descriptor at the current cursor
                                      location. This action tries to create a
                                      Pascal descriptor. If it fails, then it
                                      tries to create a C++ descriptor.

  - RTTI type radiobutton group : Controls which descriptors will appear in
                                  the displayed lists.
                                  Options are :
                                    * Include C++
                                    * Include Pascal
                                    * Include both

   - Create recursive : If this option is set, then IDA tries to create
                        descriptors recursively: if a created descriptor
                        refers to another unknown descriptor, then it will be
                        created and so on.

Configuration▄

This plugin may be also called with a parameter. See plugins.cfg for the possibles values. @0:1763[]
Local Types bookmarksŒWRAP
Local Types bookmarks ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

See:
 @0:227[Choose marked location]¹WRAP
Inspecting a type library ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Provide the ability to inspect the types present in a type library.
View type library contents;@0:544[]
Jump to type offset

  <~J~ump offset:m:+:32::>

Add a function argumentEdit argument locationëWRAP
Edit the argument location ▄
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

Allow to edit argument or return value location.
 .!--------------------------------------------------------------Change calling convention5Intersection forbidden while already in intersection:Range forbidden while already in intersection or in range)Range operator expects a codepoint firstBad codepoint value*Codepoint forbidden while in intersection(Unexpected state for handling codepoint"Unexpected category at this pointUnexpected block at this pointInvalid block nameInvalid category nameExpected a second dot-Expected an identifier, or negation operator6Expected a category as second operand of intersectionUnrecognized identifier6Character or string literals only accept ASCII values)Unexpected CURRENT_CULTURE at this pointOIntersections require that the first operand be something else than a category!Unexpected culture at this pointInvalid culture name+Culture is not a Unicode block, nor a file*Failed to serialize type declaration '%s'Failed to exportBad JSON string representationShow trace infoShow overlay infoClear traceClear overlayLoad trace
Load overlaySave traceExport trace to text fileChange trace descriptionToggle diffSynchronize ~t~o idbSynchronize ~t~o idb, and jump~U~nsync from idbExport to header fileMap to another type...Compact types...~S~uspend thread~R~esume threadLoad debug ~s~ymbols~J~ump to module base~A~nalyze module~B~reak on access	Setup...Move segment(s)Break on accessCreate folder...

C-like formatShow selection onlytilist form test...	Re~n~ameContinue backwardsStep into (backwards)Step over (backwards)Run to cursor (backwards)