Igor’s tip of the week #105: Offsets with custom base – Hex Rays

We’ve already covered simple offsets, where an operand value or a data value matches an address in the program and so can be directly converted to an offset. However, programs may also employ more complex, or indirect ways of referring to a location. One common approach is using a small offset from some predefined base address.

Offset (displacement) from a register

Many processors support instructions with addressing modes called “register with displacement”, “register with offset” or similar. Operands in such mode may use syntax similar to following:

1. reg(offset)
2. offset(reg)
3. reg[offset]
4. [reg, offset]
5. [reg+offset]
6. etc.

The basic logic is the same in all cases: offset is added to the value of the register and then used as a number or (more commonly) as an address. In the latter case it may be useful to have IDA calculate the final address for you and add the cross-reference to it. If you know the value of the register at the time this instruction is executed (e.g. it is set in the preceding instructions), it is very simple to do:

1. With the cursor on the operand, Invoke Edit > Operand type > Offset > Offset (user-defined), or press Ctrl–R;
   
2. Enter the register value in the Base address field;
   
3. Click OK;
4. IDA will calculate the final address, replace the offset value by an equivalent expression, and add a cross-reference to destination:
   

Now it is obvious that the location being referenced is  dword_E01FC0C4.

See also:
IDA Help: Convert operand to offset (user-defined base)
IDA Help: Complex Offset Expression