Hex-Rays' blog

Igor’s tip of the week #104: Immediate search – Hex Rays

Written by Igor Skochinsky | Aug 25, 2022

Immediate search is one of three main search types available in IDA. While not that known, it can be very useful in some situations. Here are some examples.

Unique (magic) constants

If you know some unique constants used by the program, looking for them can let you narrow down the range of code you have to analyze. For example, if a program reports a numerical error code, you could look for it to find the possible locations which may be returning this error.

Undiscovered cross-references in RISC processors

Many RISC processors use fixed-width instructions which does not leave enough space for encoding full address values in the instruction. Thus they have to resort to building address values out of small pieces. For, example, in SPARC, loading of a 32-bit value has to be done as a pair of instructions:

sethi %hi(Prompt),%o1
or    %o1,%lo(Prompt),%o1

Where %hi returns top 22 bits of the value and %lo returns the low 10 bits. Because such instructions may be not immediately next to each other, IDA may fail to “connect” them and recover the full 32-bit value, leading to missing cross references. So if you have, for example, a string constant at address N, which you think should be referenced from somewhere, doing an immediate search for N&0x3FF should produce a list of potential candidates for instructions referring to that address.

Structure field references

Sometimes you may have a structure with a field at a specific offset which is pretty unique (not a small or round value) and want to find where it is used in the program. For example, let’s look at a recent Windows kernel and the structure _KPRCB. At offset 63Eh, it has a field CoresPerPhysicalProcessor:

How to find where it is used? Searching for the value 0x63e gives a list of instructions using that value.


You can then inspect these instructions and see if they indeed reference the _KPRCB field and not something else.

This is probably one of the best uses for immediate search but it does not replace manual analysis. For example:

  1. it may miss references which do not use the value directly but calculate it one way or another;
  2. false positives may happen, especially for common or small values
  3. the field may be referenced indirectly via a bigger containing structure (e.g. _KPCR includes _KPRCB as a member, so references from _KPCR will have an additional offset).

See also:

IDA Help: Search for next instruction/data with the specified operand

 
View full post