Discussion:
IDA freeware - wide-char strings & IDC tinkering.
R.Wieser
2017-10-05 09:42:48 UTC
Hello All,

I've got a (rather old) version of IDA (Freeware) here (have looked for, but
could not find a version number), and have been bothered for a while that it
does not seem to support wide-char strings. As a result I see a lot of them
that run off the bottom of my screen (registry keys mostly), and are
therefore rather unreadable.

Is there a keystroke that will perform the same as the "a" (for ASCII) does
(don't think so, but have to ask).

#2
Using its scripting language I'm defining an array of double-bytes
(MakeArray). However, it always uses a "dup" construction by default, and
I was wondering if someone knew how to disable it. I've been looking at the
flags (for each involved byte), but cannot find the specific one(s) which
governs this collation.

(done some extra experiments)
Furthermore, I cannot seem to find how the "r" key effect (displaying each
double-byte as a character) is stored in those flags.

#3
I see a flag named FF_STRU, which I suppose has to do with structures
(records), but I do not see any further reference to how to make them (could
of course be because I've got the freeware version). Does anyone know?
For example, I have some GUIDs here which could use it. :-)

Regards,
Rudy Wieser
Ross Ridge
2017-10-05 17:25:38 UTC
Post by R.Wieser
I've got a (rather old) version of IDA (Freeware) here (have looked for, but
could not find a version number...
The freeware Windows versions of IDA I have (4.3 and 5.0) both display the
version when they startup. You can see it again after IDA has started
with Help -> About. The freeware MS-DOS version of IDA I have doesn't
seem to have a version number associated with it, but I think there was
only one freeware MS-DOS release.
Post by R.Wieser
.. and have been bothered for a while that it
does not seem to support wide-char strings. As a result I see a lot of them
that run off the bottom of my screen (registry keys mostly), and are
therefore rather unreadable.
Is there a keystroke that will perform the same as the "a" (for ASCII) does
(don't think so, but have to ask).
There isn't a single keystroke to do it, but with the Windows version you
should be able to use Edit -> Text -> Unicode or from the keyboard ALT-E,
R, U, ENTER. You may need to select the region you want changed first,
and it should be in the "undefined" state (U key) before you do this.

If you're using the MS-DOS version you'll probably have to make it an
array using the * (asterisk) key. Before doing so you may want to use
the D key to change the first two bytes into a 16-bit DW directive, so it
creates a WORD array instead of a BYTE array. You then may want to press
the R key when hovering over the first byte of the array and again when
hovering over the second byte to have elements shown as ASCII characters.
Post by R.Wieser
#2
Using its scripting language I'm defining an array of double-bytes
(MakeArray). However, it always uses a "dup" construction by default, and
I was wondering if someone knew how to disable it. I've been looking at the
flags (for each involved byte), but cannot find the specific one(s) which
governs this collation.
If you're using the Windows version you can try producing an IDC file
(File -> Produce file -> Dump database to IDC file) from a simple binary
file that you've created arrays on and see what it generates.
Post by R.Wieser
#3
I see a flag named FF_STRU, which I suppose has to do with structures
(records), but I do not see any further reference to how to make them (could
of course be because I've got the freeware version). Does anyone know?
For example, I have some GUIDs here which could use it. :-)
If you're asking how you can do this from the user interface then you
can define a new structure type by bringing up the structures window
(Windows: SHIFT-F9, MS-DOS: View -> Open structures windows) and then
pressing the INS key. On the Windows versions the GUID type should be
included in the standard types, so press the "Add standard structure"
button and select it. Otherwise once you create an empty structure
you can add members to it using the D key. Most of the keys that work
on ordinary data will work in the structures window when inside a
structure definition. So you can, for example, name structure fields
with the N key, and give them comments with the : and ; keys.

Use ALT-Q to convert data to one of the structure types you've previously
defined.
--
l/ // Ross Ridge -- The Great HTMU
[oo][oo] ***@csclub.uwaterloo.ca
-()-/()/ http://www.csclub.uwaterloo.ca/~rridge/
db //
R.Wieser
2017-10-05 19:39:25 UTC
Ross,
Post by Ross Ridge
The freeware Windows versions of IDA I have (4.3 and 5.0) both
display the version when they startup.
Not this version I'm afraid.
Post by Ross Ridge
You can see it again after IDA has started with Help -> About.
The nearest I can come to that is "Files" -> "about...", and that just
displays the same as when IDA is started without arguments. No version
number in sight anywhere.

I also read the ReadMe, Techno.txt, RegForm.txt and even IDC.* files to see
if I could find them, but no luck.

I forgot to mention, this version is still full DOS text mode, no graphics
of any kind (which suits me fine to be honest). Maybe that narrows it down
a bit.
Post by Ross Ridge
but with the Windows version you should be able to use Edit -> Text ->
Unicode or from the keyboard ALT-E, R, U, ENTER
ALT-E (edit) works. No "R" available here though ...
Post by Ross Ridge
If you're using the MS-DOS version you'll probably have to
make it an array using the * (asterisk) key
Well, that is what I've been doing, but as its tedious manual labour I, as a
posterbook lazy (hobby) programmer, decided I wanted to throw some code at
it. :-)
Post by Ross Ridge
Before doing so you may want to use the D key to change the first
two bytes into a 16-bit DW directive, so it creates a WORD array
instead of a BYTE array
Yep. Noticed that too. Clever guys. Works the same when using scripting.
Post by Ross Ridge
You then may want to press the R key when hovering over the first
byte of the array and again when hovering over the second byte to
have elements shown as ASCII characters
I was wondering about that. What is that good for? Why not just take the
setting of the first element and apply it to all the others? Then it hit
me: count-prefixed strings. :-)
Post by Ross Ridge
If you're using the Windows version you can try producing an IDC
file (File -> Produce file -> Dump database to IDC file) from a simple
binary file that you've created arrays on and see what it generates
I did it a bit different: I wrote the GetFlags() values for all of the bytes
to a text file, then tried different things and compared the outputs. I
also, although the docs warn against it, tried all kinds of changes of those
flags for each byte. I got shitloads of crap (byte types overflowing to the
data beyond it, the data disappearing, etc), but in the end all I needed to
do was to set the FF_0char and FF_1char modi on the first byte, and all was
well (even though the other bytes had junk MS_0 & 1TYPE contents -- which
threw me off for the longest time).

One caveat though: (any) formatting (of) the bytes also disables the
repeatable comments for that item. :-(
Post by Ross Ridge
If you're asking how you can do this from the user interface
It would be a start. :-) I would like to be able to use it with scripting
too though ...
Post by Ross Ridge
.. then you can define a new structure type by bringing up the structures
window (Windows: SHIFT-F9, MS-DOS: View -> Open structures
windows) and then pressing the INS key.
Ah. Although I did find that window, I got stuck there (no idea what to do
next) and forgot all about it. So thanks, that's helpful.

Any idea how I can add a "dup" to any of those types (so I can, for example,
define a string field)?

Regards,
Rudy Wieser
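The manual steps discussed above (U, then D, then *, then R on both bytes), written as an IDC script that converts the NUL-terminated wide-char string at the cursor. This is an added example, not code from either poster or from the IDA distribution. It assumes the functions declared in the idc.idc of the later Windows freeware releases (Word, MakeUnkn, MakeWord, MakeArray, OpChr, ScreenEA, Message), which the 1997 MS-DOS release may not all provide; WideLen is a hypothetical helper name.

```idc
#include <idc.idc>

// Hypothetical helper: count the 16-bit units of a NUL-terminated
// wide-char string at ea, terminator included. Returns 0 when the data
// is not printable ASCII stored as 16-bit units followed by a 0 word.
static WideLen(ea)
{
  auto n, w;
  n = 0;
  w = Word(ea);
  while (w >= 0x20 && w < 0x7F) {
    n = n + 1;
    w = Word(ea + n * 2);
  }
  if (n == 0 || w != 0)
    return 0;              // nothing printable, or no terminator
  return n + 1;            // include the terminating 0 word
}

static main()
{
  auto ea, n, i;
  ea = ScreenEA();
  n = WideLen(ea);
  if (n == 0) {
    Message("%X: no wide-char string here\n", ea);
    return;
  }
  for (i = 0; i < n * 2; i = i + 1)
    MakeUnkn(ea + i, 0);   // the U key: put every byte back to "undefined"
  MakeWord(ea);            // the D key: first two bytes become a 16-bit item
  MakeArray(ea, n);        // the * key: array of n words
  OpChr(ea, 0);            // the R key on the first byte
  OpChr(ea, 1);            // and again on the second byte (assumed harmless if unused)
  Message("%X: array of %d words\n", ea, n);
}
```

Undefining the whole range first keeps the new array from colliding with items IDA already created inside the string.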
Ross Ridge
2017-10-05 21:23:43 UTC
Post by R.Wieser
I also read the ReadMe, Techno.txt, RegForm.txt and even IDC.* files to see
if I could find them, but no luck.
The MS-DOS freeware version of IDA I have gives a version of 3.06 in
the IDC.IDC file, but I don't know if that's the version of IDA or the
IDC.IDC file. Most of the files are dated 1997-09-28 so that's probably
about when it was released.
Post by R.Wieser
I forgot to mention, this version is still full DOS text mode, no graphics
of any kind (which suits me fine to be honest). Maybe that narrows it down
a bit.
You should consider upgrading to the latest freeware version. It requires
Windows, but it's a lot more intelligent and capable than the MS-DOS version.
Despite using the Windows GUI the user interface is largely the same,
and it's compatible with the IDB files the MS-DOS version creates.
Post by R.Wieser
Any idea how I can add a "dup" to any of those types (so I can, for example,
define a string field)?
I don't think you can define a variable length field in a structure,
but you can define a fixed length field that uses DUP with the * key.
--
l/ // Ross Ridge -- The Great HTMU
[oo][oo] ***@csclub.uwaterloo.ca
-()-/()/ http://www.csclub.uwaterloo.ca/~rridge/
db //
R.Wieser
2017-10-06 07:40:13 UTC
Ross,
Post by Ross Ridge
You should consider upgrading to the latest freeware version.
A few years back I did try a more recent, Windows version of it. I rather
disliked the navigation by way of the graphical representation of the
codeblocks it found, and how I could not browse the disassembled listing in
a continuous fashion -- trying to page down over the limit of the current
block (in an attempt to get to the next one) threw me back to the graphical
representation of the codeblocks, having me jump in-and-out partial
listings. :-(
Post by Ross Ridge
Most of the files are dated 1997-09-28 so that's probably about when it
was released.
That's what the "Modified:" field in several files I checked mentions too.
The executable shows one or two days later.
Post by Ross Ridge
I don't think you can define a variable length field in a structure,
but you can define a fixed length field that uses DUP with the * key.
:-| Now I feel stupid. I should have thought of that myself. And, as I
just noticed it while re-reading your previous post, you pretty-much already
mentioned it ("Most of the keys that work on ordinary data will work in the
structures window when inside a structure definition."). My apologies
for that.

Regards,
Rudy Wieser
Ross Ridge
2017-10-06 15:19:01 UTC
Post by R.Wieser
A few years back I did try a more recent, windows version of it. I rather
disliked the navigation by way of the graphical representation of the
codeblocks it found, and how I could not browse the disassembled listing in
a continuous fashion -- trying to page down over the limit of the current
block (in an attempt to get to the next one) threw me back to the graphical
representation of the codeblocks, having me jump in-and-out partial
listings. :-(
Oh, I hate that new graph view. I don't know why they implemented it, but
it does seem to be popular with people who use IDA these days. You can
press SPACE to toggle between graph view and the normal disassembly.
You'll also want to unset Options -> General -> Graph -> Use graph view
by default.
--
l/ // Ross Ridge -- The Great HTMU
[oo][oo] ***@csclub.uwaterloo.ca
-()-/()/ http://www.csclub.uwaterloo.ca/~rridge/
db //