@alexander-hanel
Last active September 16, 2025 03:02
TLDR of Hex-Ray's Igor Tip of the Week

Current working URL

#01: Lesser-known keyboard shortcuts in IDA

  • CTRL+Enter to close a window
  • Hold down ALT to display the menu shortcut hints
  • ALT-X quits IDA (prompting to save the database); CTRL-W saves the database without quitting

source

#02: IDA UI Actions and where to find them

  • The shortcut editor, Options, Shortcuts.., can be used to view and modify shortcuts.
  • The command palette, Ctrl-Shift-P, lets you search all actions by name and invoke them.
  • Example: jump to next data. Press CTRL-Shift-P, type "next data", press Enter, and the UI jumps to the next data item.

source

#03: Selection in IDA

  • Large ranges of data can be selected using Edit, Begin selection, navigating to the other end of the range, performing an operation, and then Edit, Abort selection to deselect the data.
  • Begin selection anchors one end of the selection at a fixed address, so the other end can be reached by normal navigation without holding Shift while scrolling with the mouse or keyboard.
  • The shortcut ALT-L can also be used to begin a selection; pressing ALT-L again deselects.

source

#04: More selection!

  • After selecting raw bytes with ALT-L or Edit, Begin selection, pressing Edit, Code or C opens a dialogue with options for converting the selected bytes to instructions. The Force option makes IDA scan the whole range and convert any undefined bytes to instructions.
  • Pressing T on a selection opens the structure offset dialogue, which applies structure offsets across the selected operands. Note: couldn't replicate with 9+.
  • Selecting bytes and pressing A forces the creation of a string from them.
  • Formatting data items and then converting them into a structure by right clicking and choosing Create struct from selection can be quicker than creating the structure manually.

source

#05: Highlight

  • The current highlight (the identifier under the cursor) can be saved by pressing CTRL-ALT-1 (up to 8 highlights can be saved, in slots 1-8).
  • A saved highlight can be removed by pressing CTRL-ALT-1 (or the corresponding slot number 1-8) again.
  • The previous/next occurrence of the highlighted identifier can be navigated to by pressing ALT-UP or ALT-DOWN.

source

#06: IDA Release notes

  • SHIFT-ALT-UP can be used to find where a register was defined.
  • SHIFT-ALT-DOWN can be used to find where a register is used.

source

#07: IDA command-line options cheatsheet

source

#08: Batch mode under the hood

  • The decompiler can be invoked from the command line via ida -Ohexrays:outfile.c:ALL -A <filename> (-A runs autonomously with no dialogs; ALL decompiles every function into outfile.c).
  • idat.exe (the text-mode executable) is faster for batch analysis than ida.exe, since no GUI is loaded.

source
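A worked batch run, added here as an example (it is not code from the blog post or from Hex-Rays): a Python driver that builds the idat command line with the switches above and the script IDA executes via -S once auto-analysis is finished. The idat binary name (idat64 on PATH), the output file name and the helper names are this example's own assumptions; the switches (-A, -c, -L, -S, -Ohexrays) are IDA's documented ones.

```python
"""Headless IDA run: drive idat in batch mode and hand it an IDAPython script.

Added example, not Hex-Rays code. Assumptions (hypothetical, adjust to taste):
idat is on PATH as ``idat64``; this same file is passed to IDA with -S.
Switches used are IDA's documented ones: -A (autonomous, dialogs answered
automatically), -c (create a fresh database), -L<file> (log file),
-S<script> (run script after loading), -Ohexrays:<out>:ALL (decompile every
function into <out>). There is no space between a switch and its value.
"""
import json
import os
import subprocess
import sys


def batch_argv(target, script=None, log=None, decompile_to=None,
               idat="idat64", new_db=True):
    """Build the idat command line. -B is shorthand for -A -c -S(analysis.idc),
    which only dumps an .asm listing; spelling the switches out lets us run
    our own script instead."""
    argv = [idat, "-A"]
    if new_db:
        argv.append("-c")
    if log:
        argv.append("-L" + log)
    if script:
        argv.append("-S" + script)
    if decompile_to:
        argv.append("-Ohexrays:" + decompile_to + ":ALL")
    argv.append(target)
    return argv


def run_batch(target, **kwargs):
    """Run idat headlessly; the exit code is whatever the script passed to qexit()."""
    return subprocess.run(batch_argv(target, **kwargs), check=False).returncode


def summarize_functions(func_eas, get_func, get_name):
    """Collect name/start/size for each function start address. The accessors
    (ida_funcs.get_func, ida_name.get_ea_name in IDA) are injected so the
    logic can be exercised outside IDA."""
    rows = []
    for ea in func_eas:
        f = get_func(ea)
        if f is None:
            continue
        rows.append({"name": get_name(ea), "start": hex(ea),
                     "size": f.end_ea - f.start_ea})
    return rows


def running_inside_ida():
    try:
        import ida_pro  # noqa: F401  (only importable under IDA)
        return True
    except ImportError:
        return False


def ida_main():
    """Entry point when IDA runs this file via -S."""
    import ida_auto, ida_funcs, ida_name, ida_pro, idautils, idc
    ida_auto.auto_wait()            # block until the auto-analysis queue is empty
    rows = summarize_functions(idautils.Functions(), ida_funcs.get_func,
                               ida_name.get_ea_name)
    out = idc.get_idb_path() + ".functions.json"   # assumed output location
    with open(out, "w") as fh:
        json.dump(rows, fh, indent=1)
    ida_pro.qexit(0)                # exit code visible to the shell driver


if __name__ == "__main__":
    if running_inside_ida():
        ida_main()
    else:
        # python batch.py <binary>  -> idat64 -A -c -Lida.log -S<this file> <binary>
        sys.exit(run_batch(sys.argv[1], script=os.path.abspath(__file__),
                           log="ida.log"))
```

Without -A any dialog (for example the "new database" file-type chooser) blocks the headless run forever, and without qexit() in the script idat stays open after the script returns; those two details are what make the run actually unattended.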

#09: Reanalysis

  • Selecting bytes and pressing C forces reanalysis of the selected range as code. Similar to what is described in #04: More selection!
  • The whole database can be reanalyzed via Options, General…, Analysis tab, Reanalyze program button, or by right clicking the status bar in the bottom left corner of IDA and selecting Reanalyze program.

source

#10: Working with arrays

  • Arrays are created by first defining the element type on the first item, then choosing Edit, Array.. or pressing * (Numpad).
  • This approach works well for tables of string literals and other repeated items.

source

#11: Quickly creating structures

  • IDA has assembler-level types and C-level types.
  • Structures can be created from a selection of already formatted data, or by entering C declarations in View, Open subviews, Local Types (Shift-F1).

source

#12: Creating structures with known size

  • The Structures view is no longer present in IDA.
  • TODO Review

source

#13: String literals and custom encodings

  • Selecting a string and pressing ALT-A brings up a dialogue to pick the string type (encoding and length prefix) it is converted to.
  • Options, String literals (the same dialogue as ALT-A) allows new encodings to be configured.
  • Options, String literals, Manage defaults can be used to configure the default encoding used when creating strings.

source

#14: Comments in IDA

  • : can be used to insert a regular comment
  • ; can be used to insert a repeatable comment (shown at every xref to the address as well)
  • Select the first instruction of a function and press ; to insert a function comment
  • An anterior comment is a comment inserted before an address as separate line(s)
  • Press Ins to enter an anterior comment
  • A posterior comment is a comment inserted after an address as separate line(s)
  • Press Shift-Ins to enter a posterior comment

source

#15: Comments in structures and enums

  • Comments can be added to a structure/enum or to individual members through the Local Types view
  • Comments entered in the Local Types view also appear in the disassembly

source

#16: Cross-references

  • There are two types of cross-references (aka. xrefs): code and data.
  • Code xrefs have a relationship of jump, call or flow (ordinary fall-through to the next instruction).
  • Data xrefs have a relationship of read, write, offset or structure offset.
  • Shortcuts x, ctrl-x and ctrl-j can be used to navigate the xrefs.
  • ctrl-x is useful to see xrefs to the current function's start address without scrolling to the function start.

Note: Correct link to Cross references attributes documentation

source

#17: Cross-references 2

  • xrefs have their own viewer, accessible via View, Open subviews, Cross references
  • xrefs can be added manually by right clicking in the Cross references view and choosing Add cross-reference..
  • add_cref and add_dref can be used within IDAPython to programmatically add xrefs.

Note: Edit, Plugin, Set Callee is no longer valid. IDAPython links are no longer valid on the blog post.

source
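A worked IDAPython example for #16 and #17, added here and not taken from the blog post or Hex-Rays: it lists the xrefs to an address with their type names and adds user-defined code/data xrefs from a small text spec. The spec format ("from to kind" lines), the sample addresses and the helper names are this example's own inventions; the IDA calls (ida_xref.add_cref/add_dref, the fl_*/dr_* type constants, XREF_USER, idautils.XrefsTo and idautils.XrefTypeName) are the documented API. The IDA imports are deferred so the parsing and dispatch logic can also be exercised outside IDA.

```python
"""List and add cross-references with IDAPython.

Added example, not Hex-Rays code. Run from File, Script file... inside IDA.
"""

# kind -> (which adder to use, name of the ida_xref type constant)
XREF_KINDS = {
    "call":   ("code", "fl_CN"),   # near call
    "jump":   ("code", "fl_JN"),   # near jump
    "flow":   ("code", "fl_F"),    # ordinary flow to the next instruction
    "read":   ("data", "dr_R"),
    "write":  ("data", "dr_W"),
    "offset": ("data", "dr_O"),
}


def parse_xref_spec(text):
    """Parse lines of '<from_ea> <to_ea> <kind>' (hex addresses, '#' comments).
    Returns [(frm, to, kind)]; raises ValueError on a malformed line."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[2] not in XREF_KINDS:
            raise ValueError("line %d: expected '<from> <to> <kind>' with kind in %s"
                             % (lineno, sorted(XREF_KINDS)))
        specs.append((int(parts[0], 16), int(parts[1], 16), parts[2]))
    return specs


def apply_xrefs(specs, add_cref, add_dref, consts, user_flag):
    """Dispatch each spec to add_cref/add_dref (ida_xref signature: frm, to, type).
    `consts` maps constant names to ints (the ida_xref module's values in IDA, a
    plain dict in tests). XREF_USER is OR'ed in so reanalysis keeps the xref.
    Returns how many xrefs the adder accepted."""
    added = 0
    for frm, to, kind in specs:
        which, const_name = XREF_KINDS[kind]
        xtype = consts[const_name] | user_flag
        ok = add_cref(frm, to, xtype) if which == "code" else add_dref(frm, to, xtype)
        added += 1 if ok else 0
    return added


def describe_xrefs_to(ea, xrefs_to, type_name):
    """Render 'from -> to (TypeName)' for every xref to ea.
    In IDA: xrefs_to=idautils.XrefsTo, type_name=idautils.XrefTypeName."""
    return ["%#x -> %#x (%s)" % (x.frm, x.to, type_name(x.type))
            for x in xrefs_to(ea, 0)]


def run_in_ida(spec_text, ea_to_list=None):
    import ida_xref, idautils
    consts = {name: getattr(ida_xref, name) for _, name in XREF_KINDS.values()}
    n = apply_xrefs(parse_xref_spec(spec_text), ida_xref.add_cref,
                    ida_xref.add_dref, consts, ida_xref.XREF_USER)
    print("added %d cross-reference(s)" % n)
    if ea_to_list is not None:
        for line in describe_xrefs_to(ea_to_list, idautils.XrefsTo,
                                      idautils.XrefTypeName):
            print(line)
    return n


# Constructed sample spec; the addresses are made up, not from any real binary.
SAMPLE_SPEC = """
# from      to        kind
0x401000    0x402000  call     # indirect call target resolved by hand
0x401010    0x404000  offset   # pointer-table entry
"""

if __name__ == "__main__":
    run_in_ida(SAMPLE_SPEC, ea_to_list=0x402000)
```

Adding a user xref for a hand-resolved indirect call is what makes the target show up in the Function calls view and in ctrl-x for that function; without XREF_USER a later reanalysis can silently drop it.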

#18: Decompiler and global cross-references

  • x for xrefs is also available in the decompiler view
  • Given a cleaned-up IDB, xrefs can also be listed for a structure, enum or local type (global cross-references to the type).

Note: I was unable to replicate the latter due to my current working IDB

source

#19: Function calls

  • View, Open subviews, Function calls displays the callers of the current function and all the functions it calls.

source

#20: Going places

  • g is used to navigate by entering an address, a name, or an expression to be evaluated (e.g. here - 100)

source

#21: Calculator and expression evaluation feature in IDA

  • ? or View, Calculator opens a calculator; the highlighted selection is used as its initial input.

source

#22: IDA desktop layouts

  • Desktops (window layouts) can be rearranged, reset with Windows, Reset desktop, saved with Windows, Save desktop, and loaded with Windows, Load desktop

source

#23: Graph view

  • w zooms out to fit the whole graph (the same view as the small graph overview window), 1 zooms back to 100%, ctrl-up moves to the parent node, ctrl-down moves to the child node(s)
  • double-click an edge to jump to the node at its other end
  • ctrl + mouse wheel zooms in and out
  • Graph view documentation

source

#24: Renaming registers

  • A register can be renamed by double-clicking it, pressing N, or Right click, Rename.
  • The rename applies to a chosen start and end address range. Useful to reflect the live range of a variable that is held in a general-purpose register for part of a function.

source

#25: Disassembly options

  • Disassembly options can be accessed via Options, General, Disassembly tab
  • Graph view and non-graph (text) view have separate options.

source

#26: Disassembly options 2

  • The Display disassembly line parts group has 4 notable options. See #25 on how to access the menu.
  • Line prefixes (non-graph) can be used to hide or show the segment name and address (e.g. seg000:00000000000000BC)
  • Stack pointer enables displaying the estimated stack pointer delta at each instruction
  • Number of opcode bytes (non-graph) enables displaying the first N bytes of each instruction's encoding. Personal favorite
  • Auto comments enables a short description of each instruction.

source

#27: Fixing the stack pointer

  • "sp-analysis failed" and "positive sp value has been detected" are warnings that IDA found an inconsistent stack delta in the function
  • To locate the error, enable the Disassembly option Stack pointer (see #26: Disassembly options 2)
  • Aberrant increases and decreases of the stack pointer value can then be reviewed manually
  • Once the offending instruction is identified, its stack delta can be corrected by pressing Alt-K or Edit, Functions, Change stack pointer… at that instruction and entering the correct stack-pointer change.

Note: It is recommended to read the blog post; Igor gives excellent examples of what are "usual" and "unusual" changes to the stack pointer

source

#28: Functions list

  • The Jump menu can be used to navigate to different parts of the IDB (segments, file offsets, etc.).
  • The Functions view can be synchronized with the disassembly so the current function is highlighted. To enable this, right click within the Functions view and select Turn on synchronization
  • Folders can be created in the Functions view by right clicking in it and selecting Create folder..
  • Functions have different colors: Cyan (library functions), Magenta (external thunk) and Lime (Lumina)
  • Multiple functions can be selected/highlighted to work with at once.

source

#29: Color up your IDA

  • Options, Colors, Current theme can be used to change/select default installed themes.
  • CSS-based styling

source

#30: Quick views

  • CTRL-1 opens up the Quick view window.
  • CTRL-2 opens up the Debug view window.
  • CTRL-3 opens up the Plugin view window.

source

#31: Hiding and Collapsing

  • A range of code can be collapsed by selecting it and choosing View, Hide (Ctrl+Numpad-) or right click, Hide; the dialogue asks for a name/comment that is displayed in place of the hidden range
  • Use Ctrl+Numpad- if Hide is not present in the right-click menu
  • Functions, structures, enums and blocks in the decompiler view can likewise be collapsed or expanded.

source

#32: Running scripts

  • The script snippets window can be accessed via File, Script command.. or Shift+F2
  • Recent scripts can be accessed via View, Recent scripts or Alt+F9

source

#33: IDA’s user directory (IDAUSR)

  • $IDAUSR defaults to %APPDATA%\Hex-Rays\IDA Pro on Windows and $HOME/.idapro on Linux and macOS
  • Modified or new shortcuts are stored in shortcuts.cfg within $IDAUSR
  • User plugins are loaded from $IDAUSR/plugins
  • User overrides of the configuration files ida.cfg and hexrays.cfg go in $IDAUSR/cfg
  • If idapythonrc.py is present in $IDAUSR it is executed at the end of IDAPython's initialization. This can be used to load common code or libraries.

source

#34: Dummy names

  • Dummy names are auto-generated names made of a prefix describing the item's type (sub_, loc_, byte_, dword_, off_, unk_, etc.) followed by its address
  • They are reserved, and therefore a user cannot assign a name of that form when renaming an address
  • Two other auto-generated name prefixes are var_ and arg_, used for stack variables and arguments.

source

#35: Demangled names

source


Template

# # 
-

[source]()