Hex Rays Blog —  State of the art code analysis

Igor’s tip of the week #11: Quickly creating structures

When reverse engineering a big program, you often run into information stored in structures. The standard way of defining them involves using the Structures window and adding fields one by one, similar to the way you format data items in disassembly. But are there other options? Let’s look at some of them.

Using already formatted data

This was mentioned briefly in the post on selection but is worth repeating. If you happen to have some formatted data in your disassembly and want to group it into a structure, just select it and choose “Create struct from selection” in the context menu.

Using Local Types

The Local Types view shows the high-level or C-level types used in the database, such as structs, enums and typedefs. It is most useful with the decompiler but can still be used for the assembler-level types such as Structures and Enums. For example, open the Local Types view (Shift+F1 or View > Open subviews > Local Types), then press Ins (or pick Insert... from the context menu). In the new dialog, enter a C syntax structure definition and click OK.

The structure appears in the list but cannot yet be used in disassembly. 

To make it available, double-click it and answer “Yes”.

Now that a corresponding assembler level type has been created in the Structures view, it can be used in the disassembly.
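As an added example (not part of the original post), here is a declaration of the kind you could type into that dialog, wrapped in a small host-side check that its field offsets match the ones noted from the disassembly. The structure `msg_header`, its fields and the observed offsets are constructed for illustration, and the check assumes the host compiler's type sizes and alignment match the compiler settings of the database.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example: hypothetical layout recovered from disassembly.
   Only this declaration goes into the Local Types dialog. */
struct msg_header {
    unsigned int       magic;         /* 0x00 */
    unsigned short     version;       /* 0x04 */
    unsigned short     flags;         /* 0x06 */
    unsigned long long timestamp;     /* 0x08 */
    unsigned char      sender_id[16]; /* 0x10 */
    unsigned int       payload_len;   /* 0x20 */
    unsigned int       crc;           /* 0x24 */
};

/* Offsets noted from memory accesses in the listing (constructed values),
   paired with the offset the declaration actually produces. */
struct field_check { const char *name; size_t observed; size_t declared; };

static const struct field_check checks[] = {
    { "magic",       0x00, offsetof(struct msg_header, magic) },
    { "version",     0x04, offsetof(struct msg_header, version) },
    { "flags",       0x06, offsetof(struct msg_header, flags) },
    { "timestamp",   0x08, offsetof(struct msg_header, timestamp) },
    { "sender_id",   0x10, offsetof(struct msg_header, sender_id) },
    { "payload_len", 0x20, offsetof(struct msg_header, payload_len) },
    { "crc",         0x24, offsetof(struct msg_header, crc) },
};

/* Returns how many fields land at a different offset than observed. */
int count_layout_mismatches(void)
{
    int bad = 0;
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++) {
        if (checks[i].observed != checks[i].declared) {
            printf("%s: observed 0x%zx, declared 0x%zx\n",
                   checks[i].name, checks[i].observed, checks[i].declared);
            bad++;
        }
    }
    return bad;
}

/* Total size the declaration produces, to compare with allocation sizes. */
size_t declared_size(void) { return sizeof(struct msg_header); }

int main(void)
{
    int bad = count_layout_mismatches();
    printf("%d mismatch(es), sizeof = 0x%zx\n", bad, declared_size());
    return bad != 0;
}
```

A mismatch usually means a missing padding field or a wrong member type; fix the declaration before entering it so the field names line up with the accesses in the listing.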

For more info about using Local Types and the two kinds of types, check this IDA Help topic.

 
