
We’ve covered arrays previously, but one feature briefly mentioned there is worth a separate highlight.

Complex programs may use arrays of data, either of items such as integers or floats, or of complex items such as structures. When the arrays are small, it’s not too difficult to make sense of them, but what do you do if your task requires you to find, for example, the value of item #567 in a 3000-item array?

You can of course try to count the items manually, or copy the array into a text editor (Export Data can help here) and import it into a spreadsheet, but there are ways to do it inside IDA without too much trouble.

Resizing the array

Let’s say we have an array of 88 items:

and we need item #25. Manual counting is possible but tedious, especially because we need to account for the repeated items in the dup expressions. There is a different approach. Because the items are counted from 0 and we have 88 of them, the last one has index 87. To make the last item number 25, we can resize the array to 26 (25+1) items. To do this, press * to open the array parameters dialog and change the Array size field:

Now the array contains 26 items from #0 to #25 so we can see that the item we needed has the value 35h.
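If the array has already been copied out of IDA as listing text, the manual count that the dup expressions make tedious can be scripted instead. The following is an added example, not part of the original post: it expands dup expressions in a db-style listing and indexes the flattened result. The sample listing, its addresses and all function names are constructed for illustration, and only numeric operands and `?` are handled (no string literals).

```python
import re

# Constructed sample in the style of an IDA listing (not the array from the post).
SAMPLE = """\
.rodata:00001000 tbl db 10 dup(0), 1, 2, 3, 8 dup(0FFh) ; lookup table
.rodata:00001015     db 4 dup(2), 35h, 3 dup(?), 7
"""

DIRECTIVE = re.compile(r"\b(?:db|dw|dd|dq)\s+(.+)", re.IGNORECASE)
DUP = re.compile(r"(\S+)\s+dup\s*\((.*)\)", re.IGNORECASE)

def parse_number(tok):
    """Decimal or h-suffixed hex literal; '?' (uninitialized) becomes None."""
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok[:-1], 16) if tok[-1] in "hH" else int(tok)

def split_top_level(text):
    """Split on commas that are not inside dup(...) parentheses."""
    parts, depth, cur = [], 0, []
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]

def expand(operands):
    """Expand an operand list, repeating each 'N dup(...)' group N times."""
    items = []
    for part in split_top_level(operands):
        m = DUP.fullmatch(part)
        if m:
            items.extend(expand(m.group(2)) * parse_number(m.group(1)))
        else:
            items.append(parse_number(part))
    return items

def array_items(listing):
    """Flatten every data line of the listing into one list of items."""
    items = []
    for line in listing.splitlines():
        m = DIRECTIVE.search(line.split(";", 1)[0])  # drop trailing comment
        if m:
            items.extend(expand(m.group(1)))
    return items

if __name__ == "__main__":
    print(hex(array_items(SAMPLE)[25]))  # item #25 of the constructed sample
```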

Array index display

Alternatively, we can enable the Display indexes option.

With the option on, the index of the first element is displayed as a comment for each line:

While still not very obvious, it is a little easier to find the necessary element by counting from the start of a line. You can also set the Items on a line value to 1 or another small value so that each line contains fewer elements and it’s easier to find the necessary one.

Indexes and arrays of structures

When you have an array of structures and they can be displayed in terse form, the indexes are printed for each line similarly to the array of simple values.

However, if you unhide/uncollapse the array to show the structs in verbose form, each field gets a comment with an array notation:

See also: IDA Help: Convert to array