IDA Pro将操作数转换为偏移量（Convert operand to offset）

Convert operand to offset (data segment)

 　Action name:OpOffset

 This command converts the immediate operand of the current instruction/data to an offset from the current data segment(DS).

 If current DS value is unknown(or equal 0xFFFF)IDA will warn you--it will beep.In this case,you have to define DS register value for the current byte.The best way to do it is:

 -jump to segment register change point

 -change value of DS

 -return

 or you can change default value of DS for the current segment.

 If you want to delete offset definition,you can use this command again-it works as trigger.

 If the cursor is on the first operand(the cursor is before',')then the first operand will be affected;otherwis,all other operands will be affected.

 If a range is selected using the anchor,IDA will perform'en masse'conversion.It will convert immediate operands of all instructions in the selected range to offsets.However,IDA will ask you first the lower and upper limits of immediate operand value.If the operand value is>=lower limit and<=upper limit then the operand will be converted to offset,otherwise it will be left unmodified.

 To create offsets to structure members use Convert to struct offset command.

Convert operand to offset (code segment)

 　Action name:OpOffsetCs

 This command converts the immediate operand of the current instruction/data to an offset from the current segment(CS).

 If the cursor is on the first operand(the cursor is before',')then the first operand will be affected;otherwise,all other operands will be affected.

 If a range is selected using the anchor,IDA will perform'en masse'conversion.It will convert immediate operands of all instructions in the selected range to offsets.However,IDA will ask you first the lower and upper limits of immediate operand value.If the operand value is>=lower limit and<=upper limit then the operand will be converted to offset,otherwise,it will be left unmodified.

 If this command is applied to a structure member in the structure window,then IDA will create an"automatic offset".An automatic offset is an offset with the base equal to 0xFFFFFFFF.This base value means that the actual value of the base will be calculated by IDA when a structure instance is created.

 To create offsets to structure members,use Convert to struct offset command.

Convert operand to offset (any segment)

 　Action name:OpAnyOffset

 This command converts the immediate operand of the current instruction/data to an offset from any segment.

 IDA will ask to choose a base segment for the offset.

 If a range is selected using the anchor,IDA will perform'en masse'conversion.It will convert immediate operands of all instructions in the selected range to offsets.However,IDA will ask you first the lower and upper limits of immediate operand value.If the operand value is>=lower limit and<=upper limit then the operand will be converted to offset,otherwise it will be left unmodified.

 If the cursor is on the first operand(the cursor is before',')then the first operand will be affected;otherwise,all other operands will be affected.

 To create offsets to structure members use Convert to struct offset command.

Convert operand to offset (user-defined base)

 　Action name:OpUserOffset

 This command converts the immediate operand of the current instruction/data to a complex offset expression.

 Please click here to learn more about complex offsets.

 If a range is selected using the anchor,IDA will perform'en masse'conversion.It will convert immediate operands of all instructions in the selected range to offsets.However,IDA will ask you first the lower and upper limits of immediate operand value.If the an operand value is>=lower limit and<=upper limit then the operand will be converted to offset,otherwise it will be left unmodified.

 If the cursor is on the first operand(the cursor is before',')then the first operand will be affected;otherwise,all other operands will be affected.

 If the offset base is specified as 0xFFFFFFFF,then IDA will create"an automatic offset".Automatic offsets mean that the actual value of the base will be calculated by IDA.

 The following offset attributes are available:

 Treat the base address as a plain number

 if checked,IDA will treat the base address as a number.

 In this case,IDA will not create a cross-reference to it

 and the base address will be printed as a number,

 not as an offset expression.

 Offset points past the main object

 Offsets of this type point past an object end.

 They do not cause an object created/deletion.

 Use image base as offset base

 These offsets are based on the image base.

 There is no need to explicitly specify the offset base.

 These offsets are displayed in a concise form:

 rva func

 instead of

 offset func-imagebase

 If you intend to reassemble the output file,execute the

 following IDC statement:

 set_inf_attr(INF_GENFLAGS,get_inf_attr(INF_GENFLAGS)&~INFFL_ALLASM);

 Subtract operand value

 Use this option when the operand value should be substracted

 from the base to get the target address.In this case the displayed

 expression will be displayed as

 offset base-target

 instead of the usual

 offset target-base

 Signed operand

 Use this option if the operand should be interpreted

 as a signed value.This option is only available for OFF_REF8,

 OFF_REF16,OFF_REF32 and OFF_REF64 offset types.

Convert operand to struct offset

 　Action name:OpStructOffset

 GUI version:

 ------------

 This command pertmits to convert all immediate operands of instructions in a range selection to a path of offsets through a structure and its possible sub unions.If no selection is active,IDA will simply permit to convert the current operand.In this case,it will display a simple dialog box the same way as the text version(see below).

 You can select the desired register in the drop-down list:all operands relative to this register will be added to the'Offsets'list.A special empty line in the drop-down list is used to directly work on immediate values.Checkboxes in the'Offsets'list allow you to select which operand you indeed want to modify.By default,IDA will select only undefined operands,to avoid overwriting previous type definitions.This list is sorted by operand value,by instruction address and finally by operand number.You can easily see the instructions related to the operand by moving the mouse over it,and wait for a hint to be displayed.

 The'Structures and Unions'tree will contain all selectable structures,and sub unions.Once you select or move over a structure,the'Offsets'list updates itself for each checked offset:the computed name of the operand is displayed,according to the selected structure in the tree.An icon is also drawn,to easily know if a specific structure matchs the offset or not,or if the offset is too big for the selected structure.The structures who match the most offsets will be near the top of the tree.You can also move your mouse over structures in the tree to obtain an interesting hint.

 A'?'icon can also appear,if the offset can be specialized by selecting an union member.In this case,if you expand the structure in the tree,you can select the adequate union member simply by checking the desired radio button.IDA automatically corrects the related name in the'Offsets'list.

 The'Offset delta'value represents the difference between the structure start and the pointer value.For example,if you have an operand 4 and want to convert in into an expression like"mystruct.field_6-2",then you have to enter 2 as the delta.Usually the delta is zero,i.e.the pointer points to the start of the structure.

 The'Hide sub structures without sub unions'option(checked by default)avoids to add unnecessary sub structures to the tree,to keep it as small as possible.If you uncheck this option,all sub structures will be added to the tree.

 By default,IDA displays the structure member at offset 0.To change this behaviour,you can directly disable the'Force zero offset field'in the'Options'frame.Later zero offsets can be forced using Edit,Structs,Force zero offset menu item.

 Text version:

 -------------

 This command converts immediate operand(s)type of the current instruction/data to an offset within the specified structure.Before using this command,you have to define a structure type.

 First of all,IDA will ask a so-called"struct offset delta".This value represents the difference between the structure start and the pointer value.For example,if you have an operand 4 and want to convert in into an expression like"mystruct.field_6-2",then you have to enter 2 as the delta.Usually the delta is zero,i.e.the pointer points to the start of the structure.

 If a range is selected using the anchor,IDA will perform'en masse'conversion.It will convert immediate operands of all instructions in the selected range to offsets.However,IDA will ask you first the lower and upper limits of immediate operand value.If the an operand value is>=lower limit and<=upper limit then the operand will be converted to offset,otherwise it will be left unmodified.

 When you use this command,IDA deletes the manually entered operand.

 If the cursor is on the first operand(the cursor is before',')then the first operand will be affected;otherwise,all other operands will be affected.

 By default IDA doesn't display the structure member at offset 0.To change this behaviour,use Force zero field offset command.

 Moreover,if there are several possible representations(this can happen if unions are used),select the desired representation using the Select union member...command.

中文翻译：

将操作数转换为偏移量（数据段）

Action name:OpOffset

此命令将当前指令/数据的立即数操作数转换为从当前数据段（DS）的偏移量。如果当前DS值未知（或等于0xFFFF），IDA将发出警告声音。在这种情况下，您必须为当前字节定义DS寄存器值。最好的方法是：

●跳转到段寄存器更改点

●更改DS的值

●返回

或者，您可以更改当前段的默认DS值。如果要删除偏移量定义，可以再次使用此命令-它起到触发器的作用。如果光标位于第一个操作数（即光标位于“，”之前），则将影响第一个操作数。否则，将影响所有其他操作数。如果使用锚选择了一个范围，IDA将进行“批量”转换。它将将所选范围内所有指令的立即操作数转换为偏移量。但是，IDA将首先询问立即操作数值的下限和上限。如果操作数值>=下限并且<=上限，则将操作数转换为偏移量，否则将保持不变。要创建指向结构成员的偏移量，请使用“Convert to struct offset”命令。

将操作数转换为偏移量（代码段）

动作名称OpOffsetCs

此命令将当前指令/数据的立即数操作数转换为从当前段（CS）的偏移量。如果光标位于第一个操作数（即光标位于“，”之前），则将影响第一个操作数。否则，将影响所有其他操作数。如果使用锚选择了一个范围，IDA将进行“批量”转换。它将将所选范围内所有指令的立即操作数转换为偏移量。但是，IDA将首先询问立即操作数值的下限和上限。如果操作数值>=下限并且<=上限，则将操作数转换为偏移量，否则将保持不变。如果将此命令应用于结构窗口中的结构成员，则IDA将创建“自动偏移量”。自动偏移量是具有基地址等于0xFFFFFFFF的偏移量。这个基础值意味着当创建结构实例时，IDA将计算基础的实际值。要创建指向结构成员的偏移量，请使用“Convert to struct offset”命令。

将操作数转换为任意段偏移量

动作名称：OpAnyOffset

此命令将当前指令/数据的立即数操作数转换为从任意段的偏移量。IDA将要求选择用于偏移量的基本段。如果使用锚点选择了范围，则IDA将执行'en masse'转换。它将转换所选范围内所有指令的立即数操作数为偏移量。但是，IDA将首先要求您输入立即数操作数值的下限和上限。如果操作数值>=下限且<=上限，则将其转换为偏移量；否则，它将保持不变。如果光标位于第一个操作数（即在','之前），则将影响第一个操作数；否则，将影响所有其他操作数。要创建指向结构体成员的偏移量，请使用“Convert to struct offset”命令。

将操作数转换为偏移量（用户定义的基地址）

动作名称：OpUserOffset该命令将当前指令/数据的立即数操作数转换为复杂的偏移表达式。请单击此处了解有关复杂偏移的更多信息。如果使用锚点选择了范围，则IDA将执行“批量”转换。它将把所选范围内所有指令的立即数操作数转换为偏移量。但是，IDA首先会询问您立即操作数值的下限和上限。如果操作数值大于或等于下限且小于或等于上限，则将操作数转换为偏移量，否则将保持不变。如果光标在第一个操作数（在“，”之前）上，则会影响第一个操作数；否则，将影响所有其他操作数。如果指定的偏移基址为0xFFFFFFFF，则IDA将创建“自动偏移”。自动偏移意味着IDA将计算基址的实际值。以下偏移属性可用：

将基地址视为普通数字：如果勾选此选项，IDA将将基地址视为数字。在这种情况下，IDA将不会为其创建交叉引用，并且基地址将以数字形式而不是偏移表达式形式打印出来。

偏移点超出主对象：这些偏移指向对象的末尾。它们不会导致对象的创建/删除。

使用映像基址作为偏移基址：这些偏移是基于映像基址的。无需明确指定偏移基址。这些偏移以简洁的形式显示：

rva func

而不是

offset func-imagebase

如果您打算重新汇编输出文件，请执行以下IDC语句：

set_inf_attr(INF_GENFLAGS,get_inf_attr(INF_GENFLAGS)&~INFFL_ALLASM);

减去操作数值：当应从基址中减去操作数值以获取目标地址时，请使用此选项。在这种情况下，显示的表达式将显示为

offset base-target

而不是通常的

offset target-base

有符号操作数：如果应将操作数解释为有符号值，则使用此选项。此选项仅适用于OFF_REF8、OFF_REF16、OFF_REF32和OFF_REF64偏移类型。

将操作数转换为结构体偏移量

动作名称：OpStructOffset

GUI版本：

------------------

此命令允许将选定范围内指令的所有立即操作数转换为通过结构体及其可能的子联合体的偏移路径。如果没有选定范围，则IDA将简单地允许转换当前操作数。在这种情况下，它将以与文本版本相同的方式显示一个简单的对话框（见下文）。您可以在下拉列表中选择所需的寄存器：所有相对于此寄存器的操作数都将添加到“Offsets”列表中。下拉列表中的特殊空行用于直接处理立即值。“Offsets”列表中的复选框允许您选择要修改的操作数。默认情况下，IDA仅选择未定义的操作数，以避免覆盖先前的类型定义。此列表按操作数值、指令地址和最后按操作数编号排序。您可以通过将鼠标移动到操作数上并等待出现提示来轻松查看与操作数相关的指令。“结构和联合体”树将包含所有可选择的结构和子联合体。一旦您选择或移动到一个结构，'Offsets'列表就会更新每个选中偏移量的计算名称，根据树中所选结构。图标也会被绘制出来，以便轻松知道特定结构是否与偏移量匹配或是否偏移量过大。最匹配偏移量的结构将靠近树的顶部。您还可以将鼠标移动到树中的结构上，以获得有趣的提示。如果偏移量可以通过选择联合成员来特化，则会出现'?'图标。在这种情况下，如果您展开树中的结构，则可以通过选中所需的单选按钮来选择适当的联合成员。IDA会自动在“Offsets”列表中更正相关名称。“Offset

delta”值表示结构开始和指针值之间的差异。例如，如果您有一个操作数4，并希望将其转换为类似于“mystruct.field_6-2”的表达式，则必须输入2作为差值。通常，差值为零，即指针指向结构的开始。“Hide sub

structures without sub unions”选项（默认选中）避免将不必要的子结构添加到树中，以使其尽可能小。如果取消选中此选项，则将所有子结构添加到树中。默认情况下，IDA在偏移量0处显示结构成员。要更改此行为，您可以直接在“Options”框中禁用“Force zero offset

field”。之后可以使用“Edit”、“Structs”、“Force zero offset”菜单项强制零偏移。

文本版本

----------------

该命令将当前指令/数据的立即数操作数类型转换为指定结构体内的偏移量。在使用此命令之前，您需要定义一个结构体类型。首先，IDA会询问所谓的“结构体偏移量”。这个值表示结构体起始地址和指针值之间的差值。例如，如果您有一个操作数4，并想将其转换为类似“mystruct.field_6-2”的表达式，则需要将2输入为偏移量。通常情况下，偏移量为零，即指针指向结构体的起始位置。如果使用锚点选择了范围，则IDA将执行“大规模”转换。它将将所选范围内所有指令的立即数操作数转换为偏移量。但是，IDA首先会询问您立即数操作数值的下限和上限。如果操作数值>=下限且<=上限，则将转换为偏移量，否则将保持不变。当使用此命令时，IDA会删除手动输入的操作数。如果光标位于第一个操作数之前（光标位于“，”之前），则第一个操作数将受到影响；否则，所有其他操作数都将受到影响。默认情况下，IDA不会显示偏移量为0的结构体成员。要更改此行为，请使用“强制零偏移字段”命令。此后，可以使用“编辑”、“结构体”、“强制零偏移”菜单项来强制使用零偏移。此外，如果有几个可能的表示形式（如果使用了联合体，则可能会发生这种情况），请使用“选择联合体成员…”命令选择所需的表示形式。