IDA auto function arguments


taylorjonl
April 21st, 2005, 19:14
I have been stumbling around IDA for a few days and am getting the hang of it, sorta. I am trying to figure out if it is able to follow the function arguments. I have defined the function below but it doesn't auto follow ECX like I thought it would.

Code:
.text:6FAA1140
.text:6FAA1140 ; =============== S U B R O U T I N E =======================================
.text:6FAA1140
.text:6FAA1140
.text:6FAA1140 ; void __fastcall sub_6FAA1140(CellFile *UiImage)
.text:6FAA1140 sub_6FAA1140 proc near ; CODE XREF: sub_6FAA7440+Cp
.text:6FAA1140 ; sub_6FAA7440+2Dp ...
.text:6FAA1140 push esi
.text:6FAA1141 mov esi, ecx
.text:6FAA1143 push esi
.text:6FAA1144 call D2CMP_10032 ; Call Procedure
.text:6FAA1144
.text:6FAA1149 test esi, esi ; Logical Compare
.text:6FAA114B jz short loc_6FAA115D ; Jump if Zero (ZF=1)
.text:6FAA114B
.text:6FAA114D push 0
.text:6FAA114F push 7Ah
.text:6FAA1151 mov edx, offset aCProjectsD2_10 ; "C:\\projects\\D2\\head\\Diablo2\\Source\\D2Cl"...
.text:6FAA1156 mov ecx, esi
.text:6FAA1158 call Fog_10043 ; Call Procedure
.text:6FAA1158
.text:6FAA115D
.text:6FAA115D loc_6FAA115D: ; CODE XREF: sub_6FAA1140+Bj
.text:6FAA115D pop esi
.text:6FAA115E retn ; Return Near from Procedure
.text:6FAA115E
.text:6FAA115E sub_6FAA1140 endp ; sp = -0Ch
.text:6FAA115E


I have read through the help file, but it is very lacking; this has got to be one of the most user-unfriendly programs I have ever used. BTW, I am using 4.7.

If you can tell me how to set this up I would appreciate it. Also would like to know if it can mark the arguments going into the function when it is called.

naides
April 21st, 2005, 20:15
In the fastcall convention the arguments are passed in registers, and IDA will not auto-label them as arguments.

In your example the pointer argument *UiImage appears to be passed in ECX, which is typical of Microsoft C++ 4.0 to 6.0 compilers.

I agree, IDA is an advanced tool that assumes the user has a great amount of advanced knowledge.

Hacker Disassembling Uncovered by Kris Kaspersky covers a lot of the IDA basics

SiGiNT
April 21st, 2005, 20:15
Not an answer to your question, but a suggestion: The Art of Assembly is an excellent reference on assembler, good reading for what you need to know. IDA can't do everything, and it does a lot of guessing based on its analysis.

SiGiNT

taylorjonl
April 21st, 2005, 21:41
I am pretty familiar with assembly; I know that in fastcall ECX and EDX are the first 2 args and the rest are pushed onto the stack. I have been using OllyDbg for a few years but was wanting to get used to IDA since it is a bit more advanced for disassembly. I was just hoping it would trace where the variable is passed around to. That example is very simple, but in some the variables may get passed around quite a bit, making it a pain having to play musical registers.

That answers my first question; what about whether I can make it trace what is passed into the function? Even a simple labeling of it, so I can see the args and not have to go to the function's address to check the prototype?

naides
April 22nd, 2005, 06:05
That is when the I (interactive) of IDA comes into play.
You could write an IDC script to do the 'follow the register' game for you. But without somehow peeking at the function prototype, or examining several instances of the code that call the function, the script will make mistakes, just as IDA often makes mistakes when doing the auto-labeling.

Remember that calling conventions are only that, conventions, and in certain situations, either code optimization done by the compiler, inline coding done by the coder, or linking modules written in different languages and compiled with different compilers could produce rather peculiar and unpredictable argument passing and handling that neither IDA, your script, nor you yourself could easily sort out without some live tracing.
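
The 'follow the register' script naides suggests, written here as an added example for the thread (it is not code posted by any participant). It uses the classic IDC API names (RfirstB/RnextB, PrevHead, GetMnem/GetOpnd, GetFunctionName, MakeComm, ScreenEA), which IDA 7 later renamed; the helper names and the default look-back depth of 8 instructions are my own choices. For each call site of the function under the cursor it walks backwards through the caller looking for the last instruction that writes ECX or EDX and records what was written there as a comment on the call, which is the call-site labeling taylorjonl asked for. On the listing above it would annotate the call to Fog_10043 with "ECX = esi; EDX = offset aCProjectsD2_10" and leave the call to D2CMP_10032 alone, because ECX is never written inside sub_6FAA1140 before that call.

```idc
#include <idc.idc>

// Added example, not from the thread. Classic (pre-IDA 7) IDC API.
// Heuristic only: it understands mov/lea/xor/pop writes to a register,
// stops at the caller's function boundary, at any branch, return or call
// (a call clobbers ECX/EDX under the usual conventions) and after
// `maxback` instructions. A value set on another path is not seen.

static writes_reg(ea, reg)
{
    auto m;
    m = GetMnem(ea);
    if (GetOpnd(ea, 0) != reg) return 0;
    return (m == "mov" || m == "lea" || m == "xor" || m == "pop");
}

static is_flow_break(ea)
{
    auto m;
    m = GetMnem(ea);
    return (m == "call" || m == "ret" || m == "retn" || substr(m, 0, 1) == "j");
}

// Walk back from call_ea and return a text description of where `reg`
// was last loaded, or "" if nothing conclusive was found.
static find_reg_source(call_ea, reg, maxback)
{
    auto ea, fname, i, m;
    fname = GetFunctionName(call_ea);
    ea = call_ea;
    for (i = 0; i < maxback; i++) {
        ea = PrevHead(ea, 0);
        if (ea == BADADDR) break;
        if (GetFunctionName(ea) != fname) break;   // walked out of the caller
        if (writes_reg(ea, reg)) {
            m = GetMnem(ea);
            if (m == "xor") return "0";            // xor reg, reg
            if (m == "pop") return "[stack]";      // popped, source unknown here
            return GetOpnd(ea, 1);                 // mov/lea source operand
        }
        if (is_flow_break(ea)) break;              // value may come from elsewhere
    }
    return "";
}

// Annotate every direct call to `target` with the ECX/EDX sources found.
// Returns the number of call sites that received a comment.
static annotate_fastcall_callers(target, maxback)
{
    auto xref, src_ecx, src_edx, cmt, n;
    n = 0;
    for (xref = RfirstB(target); xref != BADADDR; xref = RnextB(target, xref)) {
        if (GetMnem(xref) != "call") continue;     // skip jumps / tail calls
        src_ecx = find_reg_source(xref, "ecx", maxback);
        src_edx = find_reg_source(xref, "edx", maxback);
        cmt = "";
        if (src_ecx != "") cmt = "ECX = " + src_ecx;
        if (src_edx != "") {
            if (cmt != "") cmt = cmt + "; ";
            cmt = cmt + "EDX = " + src_edx;
        }
        if (cmt != "") {
            MakeComm(xref, cmt);
            n = n + 1;
        }
    }
    return n;
}

static main()
{
    auto target, n;
    target = ScreenEA();   // run with the cursor on the callee's first instruction
    n = annotate_fastcall_callers(target, 8);
    Message("annotated %d call site(s) of %s\n", n, GetFunctionName(target));
}
```

Run it with File > IDC file while the cursor sits on the callee (for example on sub_6FAA1140 or Fog_10043). Treat the comments as hints to be checked, exactly as naides warns: the script does not see values loaded on a different path into the call, and a compiler that keeps an argument live in ECX across several calls will be reported only at the last write it can find.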

Sergey R.
May 3rd, 2005, 08:02
Quote:
[Originally Posted by taylorjonl] I have been stumbling around IDA for a few days and am getting the hang of it, sorta. I am trying to figure out if it is able to follow the function arguments. I have defined the function below but it doesn't auto follow ECX like I thought it would.
...
If you can tell me how to set this up I would appreciate it. Also would like to know if it can mark the arguments going into the function when it is called.
...
I know that in fastcall ECX and EDX are the first 2 args and the rest are pushed onto the stack.

Yes, it is possible to mark a function's arguments and to see them being passed into the function when it is called.
But IDA uses a different 'fastcall' calling convention than the one you expect to see. (Is it the Borland agreement???) It assumes that with the '__fastcall' declaration 3 (not 2!) arguments are transferred into the subroutine in registers:
1st - in EAX,
2nd - in EDX,
3rd - in ECX,
any others (if there are any) on the stack, from left to right.
If you follow this convention, IDA properly marks arguments going into functions when they are called.

I don't know how to change IDA from using the "Borland"(?) calling convention to the "Microsoft" one, or whether it is even possible...