Igor’s tip of the week #91: Item flags

When changing operand representation, you may need to check what are the operand types currently used by IDA for a specific instruction. In some cases it is obvious (e.g. for offset or character type), but the hex and default, for example, look exactly the same in most processors so it’s not easy to tell them apart just by look.

To check the current flags of an instruction (or any other address) in the database,  use View > Print internal flags (hotkey F) .

Wen you invoke it, IDA prints flags for the current address to the Output window. It only prints info about non-default operand types — the default ones are omitted (except for suspicious operands which are printed as void).

code and flow are generic instruction flags: they mean that the current item is marked as code (instruction) and the execution reaches it from the previous address (this is the case for most instructions in the program). 

Whenever IDA prints information about the second operand (number 1 since they  are counted from 0), the operands 2,3…6 (even if they do not actually exist) are also printed as having the same type. This happens because of a limitation in IDA: it originally supported user-specified representation only for two operands (0 and 1) and this limitation is not completely lifted yet as of IDA 7.7.

Besides operand types, the  feature may show other low-level info about the current address: for example, the type information if it’s set for current location, the function arguments layout similarly to what you can see in decompiler annotations, structure name for structure data items,  and so on.

 

 

Article Link: Igor’s tip of the week #91: Item flags – Hex Rays