TippingPoint Digital Vaccine Laboratories

MindshaRE: Using Marks

Navigating in IDA Pro is generally easy. Following functions, listing cross references, and going back to your previous location are each one key away. The problem is that sometimes you get a little lost and forget where you left off. That is what marks are for. Today we briefly discuss using marks when reverse engineering. This is a very simple concept, but one I hope you adopt and integrate into your process.

MindshaRE is our weekly look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss everyday aspects of reversing. You can view previous entries by going through our blog history.

Marks let you add a "bookmark" at a specific address: they give us the ability to mark, and name, locations of interest. For instance, if you are at an address you need to remember, or one that serves a purpose you want to return to later, hit the key combination Alt-M. A window pops up asking for a description; this is where you give the mark a name that is meaningful to you. Here is an example.



By adding this mark we create a point of interest we can return to later. This is also very useful when following chains of function calls or tracking global variable use: if you are about to follow calls ten functions deep and want a quick way back to your original position, set a mark before you start following them. A description you will often see in my IDBs is "here" or "I'm here".

Now that you've added your mark, you can recall it at any time by hitting Ctrl-M. This pops up the list of marks. It should look something like this.



This list box shows all your marks and lets you jump back to those positions. I do not know if there is a limit on the number of marks you can set; I have never reached it. Keep in mind, however, that the IDC functions pertaining to marks can only index the first 32 slots (you can definitely create and reference more than 32 marks manually).

Managing existing marks is easy as well. If you have set a mark at an address and want to change its name in the listing, go to that address and redo the description by hitting Alt-M and entering the new name. Marks can be deleted by either hitting the Del key or right-clicking the mark and choosing "Delete" from the context menu. That same context menu provides an option for copying marks. This copies *all of your marks* as text, resulting in a list like the one below.
01020E4D Read from our packet         
01020E46 Another interesting location 
01020E40 I'm here                     
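Because the copied list is plain text, it can be parsed and turned back into marks, which is handy when you want to carry a set of marks into a fresh IDB of the same binary. The script below is an added example, not part of the original post or of IDA: it parses text in the format shown above (constructed sample, the three lines from the listing) and emits an IDC script of MarkPosition() calls. It assumes the classic IDC signature MarkPosition(ea, lnnum, x, y, slot, comment) with slots numbered from 1, and it honors the 32-slot caveat from the post by emitting anything past slot 32 as a comment to be added by hand with Alt-M.

```python
"""Turn the text from the marks list's "Copy" menu entry back into IDC calls.

Added example (not from the original post). Assumptions: one mark per line,
a hex address, whitespace, then the description, as in the copied listing;
the IDC signature is MarkPosition(ea, lnnum, x, y, slot, comment), slots 1..N.
"""
import re

# Constructed sample: the three lines shown in the post, pasted from "Copy".
SAMPLE = (
    "01020E4D Read from our packet         \n"
    "01020E46 Another interesting location \n"
    "01020E40 I'm here                     \n"
)

# Address, then an optional description; trailing padding is discarded.
MARK_RE = re.compile(r"^\s*([0-9A-Fa-f]+)(?:\s+(.*?))?\s*$")

# The post's caveat: the IDC mark functions only index the first 32 slots.
IDC_SLOT_LIMIT = 32


def parse_marks(text):
    """Return [(address, description), ...] in the order they were copied."""
    marks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MARK_RE.match(line)
        if not m:
            raise ValueError("unrecognised mark line: %r" % line)
        marks.append((int(m.group(1), 16), m.group(2) or ""))
    return marks


def idc_string(s):
    """Escape a description for use inside an IDC double-quoted string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def to_idc(marks, start_slot=1):
    """Emit an IDC script with one MarkPosition() call per mark.

    Marks that would land beyond slot 32 are written as comments, since per
    the post IDC cannot address those slots; add them manually with Alt-M.
    """
    lines = ["#include <idc.idc>", "static main() {"]
    for i, (ea, desc) in enumerate(marks):
        slot = start_slot + i
        # lnnum/x/y of 0 put the mark on the first line generated for ea.
        call = 'MarkPosition(0x%08X, 0, 0, 0, %d, "%s");' % (ea, slot, idc_string(desc))
        if slot > IDC_SLOT_LIMIT:
            lines.append("  // slot %d is beyond the IDC limit; set this mark by hand with Alt-M:" % slot)
            lines.append("  // " + call)
        else:
            lines.append("  " + call)
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_idc(parse_marks(SAMPLE)))
```

Paste the copied marks into a file, run the script over it, and execute the resulting .idc in the target IDB; descriptions containing quotes or backslashes are escaped so they survive the round trip.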
Marks are extremely useful for staying organized and focused. I use them every day, and they can be a lifesaver when you happen to wander off the beaten path. I hope you get familiar with their use and adopt them as a necessity in your reverse engineering process.

-Cody
Published On: 2008-10-16 13:04:05
