OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Friday, May 19 2006 19:22.26 CDT Modified: Friday, May 19 2006 19:29.11 CDT

Printer Friendly ...

How to add custom symbolic constants in IDA

Author: drew

# Views: 15404

Quick Answer: use an Enum

Explanation and long answer:

Let's say that you're using IDA, run across a numerical constant, and want to replace the numerical constant with a symbolic constant. IDA has a great pre-built database of common symbolic constants. To access this, right-click on the constant in question, select Symbolic Constant, Use standard symbolic constant. However if you want to add your own custom symbolic constant, you'll want to add an enum. The process isn't advanced, but I've run into a couple IDA users that weren't familiar with it.

Let's use the following code from notepad.exe as an example:

push    20019h          ; samDesired

xor     esi, esi

push    esi             ; ulOptions

push    offset aClsidAdb880a6D ; lpSubKey

push    80000000h       ; hKey

call    ds:RegOpenKeyExA

In order to add a custom symbolic constant, open the Enumerations subview (shift+F10). Press the Insert key to add a new enumeration type. Ignore all the settings for now and just hit Ok. Now that you have a new enumeration type, press N to create a new symbolic constant. Put your new name, for example mySAM, as the name, and the value for the constant, for example 0x20019. Please note that you'll have to precede hex values with "0x". Now go back to your disassembly subview, right click on the numeric constant, select Symbolic constant, and your newly created symbolic constant should appear just like the following:

Side note: Some readers might notice that the correct symbolic constant for this 20019h is already included in IDA's standard symbolic constant list.

There are 31,322 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
hi!	Jul/01
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit