Igor’s tip of the week #10: Working with arrays

Malware Analysis
1

Arrays are used in IDA to represent a sequence of multiple items of the same type: basic types (byte, word, dword etc.) or complex ones (e.g. structures).

Creating an array

To create an array:

  1. Create the first item;
  2. Choose “Array…” from the context menu , or press *;
  3. Fill in at least the Array size field and click OK.

Step 1 is optional; if no data item exists at the current location, a byte array will be created.

Hint: if you select a range before pressing *, Array size will be pre-filled with the number of items which fits into the selected range.

Array parameters

Array parameters affect how the array is displayed in the listing and can be set at the time the array is first created or any time later by pressing *.

  • Array size: total number of elements in the array;
  • Items on a line:  how many items (at most) to print on one line. 0 means to print the maximum number which fits into the disassembly line;
  • Element print width:  how many characters to use for each element. Together with the previous parameter can be used for formatting arrays into nice-looking tables. For example:
    8 items per line, print width -1
    db 1, 2, 3, 4, 5, 6, 7, 8
db 9, 10, 11, 12, 13, 14, 15, 16
db 17, 18, 19, 20, 21, 22, 23, 24
db 25, 255, 255, 255, 255, 255, 255, 26
db 27, 28, 29, 30, 31, 32, 33, 34
db 35, 36, 37, 38, 39, 40, 41, 42

    print width 0:

    db   1,  2,  3,  4,  5,  6,  7,  8
db   9, 10, 11, 12, 13, 14, 15, 16
db  17, 18, 19, 20, 21, 22, 23, 24
db  25,255,255,255,255,255,255, 26
db  27, 28, 29, 30, 31, 32, 33, 34
db  35, 36, 37, 38, 39, 40, 41, 42

    print width 5:

    db     1,    2,    3,    4,    5,    6,    7,    8
db     9,   10,   11,   12,   13,   14,   15,   16
db    17,   18,   19,   20,   21,   22,   23,   24
db    25,  255,  255,  255,  255,  255,  255,   26
db    27,   28,   29,   30,   31,   32,   33,   34
db    35,   36,   37,   38,   39,   40,   41,   42
  • Use “dup” construct: for assemblers that support it, repeated items with the same value will be collapsed into a dup expression instead of printing each item separately;
    dup off: db 0FFh, 0FFh, 0FFh, 0FFh, 0FFh, 0FFh
    dup on: db 6 dup(0FFh)
  • Signed elements: integer items will be treated as signed numbers;
  • Display indexes: for each line, first item’s array index will be printed in a comment. 
  • Create as array: if unchecked, IDA will convert the array into separate items.

Creating multiple string literals

The last option in array parameters dialog can be useful when dealing with multiple string literals packed together. For example, if we have a string table like this:

739×360

First, create one string.

739×360

Then, select it and all the following strings using one of the methods described before.

739×360

Invoke Edit > Array… or press *. The array size will be set to the total length of the selection. In the dialog, uncheck “Create as array”. Click OK.

We get a nicely formatted string table!

739×360

 

This approach works also with Unicode (UTF-16) strings.

Article Link: https://www.hex-rays.com/blog/igor-tip-of-the-week-10-working-with-arrays/