Have you ever seen code that you know belongs to a function, but IDA refuses to create a function out of it? If so, you're probably familiar with disassemblies that look like this:
Figure 1. If IDA doesn't interpret code as part of a function, then all references to variables on the stack are shown as numeric offsets.
Not only does IDA's initial auto-analysis not create a function out of such code, but even right-clicking on the first instruction and selecting "Create function..." doesn't work. In fact, doing so for the above example yields the following error in IDA's log window:
text:0040104C: The function has undefined instruction/data at the specified address. Your request has been put in the autoanalysis queue.

Figure 2. Error message when trying to manually "Create function...".
This error is displayed because the jmp at 0040104D is trying to jump to 0040104C, which is an invalid target.
Of course, we could patch the file or database to manually nop out the bad jmp, but this is a rather inelegant solution. Instead, we can force IDA to create a function out of the above code by selecting the instructions up until the erroneous instruction, and then doing a "Create function..." on that selection:
Figure 3. Select the instructions up until the erroneous instruction.

Figure 4. After forcing "Create function..." on the selected region, references to stack variables are now named.
We now have named stack variables and can more easily analyze our target.
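The same selection can be computed and applied from IDAPython. The script below is an added example, not code from the original post or from IDA: it walks a constructed instruction listing, stops at the first branch whose target is not an instruction boundary (the bad jmp discussed above), and passes the resulting range to `ida_funcs.add_func` when run inside IDA. The listing's addresses and instructions are constructed for illustration and do not reproduce the post's sample.

```python
# Added example: pick the range for "Create function..." automatically.
# Constructed listing: (address, size, mnemonic, branch target or None).
# Outside IDA it only reports the range; inside IDA it calls add_func.
LISTING = [
    (0x401000, 1, "push", None),      # push ebp
    (0x401001, 2, "mov",  None),      # mov ebp, esp
    (0x401003, 3, "sub",  None),      # sub esp, 10h
    (0x401006, 4, "mov",  None),      # mov [ebp-4], 0 (shown as a raw offset without a function)
    (0x40100A, 3, "mov",  None),      # mov eax, [ebp-4]
    (0x40100D, 2, "jmp",  0x40100C),  # jumps into the middle of the previous instruction
    (0x40100F, 2, "mov",  None),      # mov esp, ebp
    (0x401011, 1, "pop",  None),      # pop ebp
    (0x401012, 1, "retn", None),      # retn
]


def find_function_range(listing, start):
    """Linear sweep from `start`. Returns (start, end) where `end` is the
    address of the first instruction that breaks the function (a branch whose
    target is not an instruction start) or, if none is found, the address just
    past the last instruction reached (a retn or undefined bytes)."""
    starts = {ea for ea, _, _, _ in listing}
    by_ea = {ea: (size, mnem, target) for ea, size, mnem, target in listing}
    ea = start
    while ea in by_ea:
        size, mnem, target = by_ea[ea]
        if target is not None and target not in starts:
            return start, ea              # stop before the erroneous instruction
        if mnem == "retn":
            return start, ea + size       # clean end of the function
        ea += size
    return start, ea                      # ran into undefined bytes


def create_function(listing, start):
    """Create the function over the computed range when running inside IDA.
    Returns (start, end, created); `created` is False outside IDA."""
    lo, hi = find_function_range(listing, start)
    try:
        import ida_funcs                  # only available inside IDA
    except ImportError:
        return lo, hi, False
    return lo, hi, bool(ida_funcs.add_func(lo, hi))


if __name__ == "__main__":
    print("function range: %#x-%#x, created=%s" % create_function(LISTING, 0x401000))
```

Inside IDA the printed range matches the manual selection from Figure 3, and the stack references in the new function get names exactly as in Figure 4.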