
Making IDA ::1 Part Two – Technicolor Listings for the Visually Minded

September 07, 2012

One feature of OllyDbg I love, and miss when using IDA for viewing disassembly listings and debugging, is Schemes. Schemes in OllyDbg allow the user to assign specific colors to commands and operands. Figure 1 shows OllyDbg using the Jumps’n’calls highlighting Scheme, where calls are highlighted in red and jumps in yellow and blue. More examples of Olly’s Schemes can be found at: http://www.ollydbg.de/schemes.htm.

Figure 1: OllyDbg with Jumps’n’calls highlighting Scheme

While IDA does allow highlighting a specific line, it does not allow the user to specify colors for individual mnemonics. Furthermore, when I’m trying to get my bearings in code quickly, I name memory locations using a convention that lets me see how much time I have spent in a location and how sure I am of its functionality. For instance, if I glance at a function that is performing some sort of registry query but I’m unsure of its purpose, I may label it ‘____?RegStuff’; on a second pass, if I notice it creating a start-up item, I rename it something like ‘__?CreateRunKey’, and so on, so the number of leading underscores shrinks as my confidence grows.

I created an IDAPython script to mimic some of the Scheme functionality by allowing the user to specify colors for jumps, calls, and calls to named locations that carry various prefixes.

This script can be run from the File->Script file… menu item or loaded through idapythonrc.py. When run, the script adds a ‘Highlight Special Lines’ item to the Edit->Other menu with a hotkey of Alt-h.

Pressing Alt-h toggles the coloring: it applies the colors to the matching lines, or removes them if they are already applied. By default the colors are red for calls and blue for jumps, as shown in Figure 2.

Figure 2: IDA listing with jumps and calls highlighted

Prefixing location names with the prefixes defined in __CONFIG allows calls to those named locations to be colored separately from ordinary calls. Figure 3 shows 0x01012520 and 0x01012539 highlighted differently because the locations they call have been named according to the configured convention.

Figure 3: IDA listing with jumps, calls, and calls to named locations highlighted
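The following is an added example sketching how the mnemonic and prefix coloring described above can be put together in IDAPython. It is not the post’s HighlightMnemsAndLocs.py (that script is linked below); the color values, the prefix table (which plays the role of the post’s __CONFIG), the x86-only mnemonic test, the constructed sample listing, and the IDA 7.x API names (idc.set_color, idc.print_insn_mnem, idautils.Heads, ida_kernwin.add_hotkey) are my own choices and assumptions. Outside IDA the imports fail and only the pure classification logic runs, which is what makes the core testable without a database.

```python
# Added example: mnemonic- and prefix-based line coloring for IDA (not the post's script).
# API names are the IDA 7.x IDAPython ones; colors, prefixes and sample data are assumed.
try:
    import idc
    import idautils
    import ida_kernwin
    IN_IDA = True
except ImportError:  # outside IDA only the pure classification logic is usable
    IN_IDA = False

# IDA stores item colors as 0xBBGGRR, so "red" is 0x0000FF, not 0xFF0000.
RED = 0x0000FF
BLUE = 0xFF0000
GREEN = 0x00FF00
ORANGE = 0x00A5FF

# Plays the role of the post's __CONFIG: default jump/call colors plus the
# name prefixes from the post's naming convention for calls to named locations.
CONFIG = {
    "jump_color": BLUE,
    "call_color": RED,
    "prefixes": {
        "____?": ORANGE,  # looked at once, purpose unclear
        "__?": GREEN,     # second pass, purpose mostly understood
    },
}


def classify(mnem, target_name, config=CONFIG):
    """Color for one instruction, or None if it is neither a jump nor a call.
    Assumes x86: any mnemonic starting with 'j' is a jump and 'call' is the only call.
    Longer prefixes are tried first so a short prefix cannot shadow a longer one."""
    mnem = mnem.lower()
    if mnem.startswith("j"):
        return config["jump_color"]
    if mnem != "call":
        return None
    name = target_name or ""
    for prefix in sorted(config["prefixes"], key=len, reverse=True):
        if name.startswith(prefix):
            return config["prefixes"][prefix]
    return config["call_color"]


def color_listing(lines, config=CONFIG):
    """Map address -> color for every (ea, mnemonic, target_name) line that gets one."""
    colors = {}
    for ea, mnem, target_name in lines:
        color = classify(mnem, target_name, config)
        if color is not None:
            colors[ea] = color
    return colors


# Constructed listing in the spirit of Figure 3 (0x01012520 and 0x01012539 call
# locations named with the convention); the instructions are made up, not from the page.
SAMPLE_LISTING = [
    (0x01012500, "push", None),
    (0x01012505, "call", "RegOpenKeyExA"),
    (0x0101250A, "test", None),
    (0x0101250C, "jnz", "loc_1012539"),
    (0x01012520, "call", "____?RegStuff"),
    (0x01012539, "call", "__?CreateRunKey"),
    (0x0101253E, "jmp", "loc_1012560"),
    (0x01012560, "retn", None),
]


def collect_lines():
    """IDA only: walk every code head in the database into (ea, mnem, target_name)."""
    lines = []
    start = idc.get_inf_attr(idc.INF_MIN_EA)
    end = idc.get_inf_attr(idc.INF_MAX_EA)
    for ea in idautils.Heads(start, end):
        if not idc.is_code(idc.get_full_flags(ea)):
            continue
        target = idc.get_operand_value(ea, 0)  # direct call/jump target, -1 if none
        name = idc.get_name(target) if target not in (-1, idc.BADADDR) else ""
        lines.append((ea, idc.print_insn_mnem(ea), name))
    return lines


_COLORED = set()  # addresses we colored, so the hotkey can undo exactly those


def toggle_highlight():
    """Alt-H handler: apply the colors, or remove them if they are already applied."""
    if _COLORED:
        for ea in _COLORED:
            idc.set_color(ea, idc.CIC_ITEM, idc.DEFCOLOR)
        _COLORED.clear()
        return
    for ea, color in color_listing(collect_lines()).items():
        idc.set_color(ea, idc.CIC_ITEM, color)
        _COLORED.add(ea)


if IN_IDA:
    # Edit->Other menu registration is left out; the hotkey alone is enough to try it.
    ida_kernwin.add_hotkey("Alt-H", toggle_highlight)
```

Note the color byte order: IDA’s set_color takes 0xBBGGRR, so a value copied from a web palette (0xRRGGBB) comes out with red and blue swapped. The jump test is also x86-specific; for other processors, substitute a mnemonic table or a flow-type check for the startswith("j") shortcut.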

While I recognize all these colors may be incredibly obnoxious to some, having the different classes of jumps and calls highlighted separately allows me to navigate code and see at a glance where I haven’t yet been.

I hope this script will make your IDA environment a little more like home. If you have any questions, rants, fixes, etc. please send them my way.


Security Tools: HighlightMnemsAndLocs.py.txt

By: Case Barnes

Practice Manager, Enterprise Incident Management and Response
