Igor’s Tip of the Week #127: Changing function bounds

When analyzing regular, well-formed binaries, you can usually rely on IDA’s autoanalysis to create functions and detect their boundaries correctly. However, there may be situations when IDA’s guesses need to be adjusted.

Non-returning calls

One example could be calls to non-returning functions. Let’s say a function has been misdetected by IDA as non-returning:

But on further analysis you realize that it actually returns, so you remove the no-return flag. However, IDA has already truncated the function after the call, and now you need to extend it to include the code after the call. How do you do it?

Recreating the function

This is probably the quickest approach which can be used in simple situations:

1. Go to the start of the function, for example by double-clicking the function in the Functions list or with the key sequence Ctrl–P, Enter.
2. Delete the function (from the Functions list, or with Ctrl–P, Del). If you were in Graph view, IDA will switch to the text view.
3. Create it again (Create function… from the context menu, or press P).

This works well if the changes were enough to fix the original problem. You may need to repeat this a few times when fixing problems one by one. Note that deleting the function may destroy some of the information attached to it (such as the function comment), so this is not always the best choice.

Editing function bounds

The Edit function dialog has fields for the function’s start and end addresses:

They can be edited to expand or shrink the function, but there are some limitations:

The new function bounds may not intersect with another function or a function chunk. They also may not cross a segment boundary.
The function start must be a valid instruction.

Keep in mind that the end address is exclusive, i.e. it is the address after the last instruction of the function.

Changing the function end

To move the current or preceding function’s end only, you can use the hotkey E (Set function end). If there is a function or a chunk at the current address, it is truncated to end just after the current instruction. If the current address does not belong to a function, the nearest preceding function or chunk is extended instead. If the extension causes function chunks to be immediately next to each other, they’re merged together.

For example, consider this situation:

The instructions in the red rectangle should be part of the function but they’re currently “independent” (this can also be seen by the color of the address prefix which is brown and not black like for instructions inside a function). To make them part of the function, we can move its end to the last one (0027FD6A). Putting the cursor there and invoking Edit > Functions > Set function end (shortcut E) will move the function end from 0027FD44 to 0027FD6A. Because this makes the function adjacent to its own chunk, IDA merges the chunk with the function and the function is expanded to cover all newly reachable instructions.
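The limitations from "Editing function bounds" and the extension case of Set function end can be scripted as well. The following is an added example, not code from the original article or from Hex-Rays: check_bounds is a hypothetical helper that models the listed limitations on half-open ranges, and extend_function_to is a hypothetical wrapper that applies the change with IDAPython (it runs only inside IDA and, as an assumption, pre-checks only the next function, leaving chunks to IDA's own validation).

```python
def check_bounds(start, end, segment, others, is_insn_head):
    """Return the reasons [start, end) would be rejected (empty list = OK).

    segment      -- (seg_start, seg_end) of the segment holding the function
    others       -- [(start, end), ...] of other functions and function chunks
    is_insn_head -- callable(ea) -> bool, True if an instruction starts at ea
    All ranges are half-open: `end` is the address after the last instruction.
    """
    problems = []
    if end <= start:
        problems.append("end must be above start (end is exclusive)")
    seg_start, seg_end = segment
    if start < seg_start or end > seg_end:
        problems.append("range crosses a segment boundary")
    for o_start, o_end in others:
        if start < o_end and o_start < end:  # half-open overlap; touching is fine
            problems.append("intersects %#x-%#x" % (o_start, o_end))
    if not is_insn_head(start):
        problems.append("start is not a valid instruction")
    return problems


def extend_function_to(ea):
    """Inside IDA: end the function that contains `ea`, or most closely
    precedes it, just after the instruction at `ea`."""
    import ida_bytes, ida_funcs, ida_segment  # only importable inside IDA
    func = ida_funcs.get_func(ea) or ida_funcs.get_prev_func(ea)
    if func is None:
        raise ValueError("no function at or before %#x" % ea)
    new_end = ida_bytes.get_item_end(ea)  # exclusive end: just past the instruction
    seg = ida_segment.getseg(func.start_ea)
    nxt = ida_funcs.get_next_func(func.start_ea)
    # Assumption: only the next function is pre-checked; chunks are left to IDA.
    others = [(nxt.start_ea, nxt.end_ea)] if nxt else []
    problems = check_bounds(func.start_ea, new_end, (seg.start_ea, seg.end_ea),
                            others, lambda a: ida_bytes.is_code(ida_bytes.get_flags(a)))
    if problems:
        raise ValueError("; ".join(problems))
    return ida_funcs.set_func_end(func.start_ea, new_end)
```

Because the end address is exclusive, a new end equal to the next function's start is accepted, while one byte further is reported as an intersection.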

See also: 

IDA Help: Edit Function

IDA Help: Set Function End

 

Article Link: Igor’s Tip of the Week #127: Changing function bounds – Hex Rays
