Manually "analysing" functions


Noopsie
July 29th, 2006, 01:02
Hi all,

I've got a few functions that only get called by calculated addresses during runtime. I've traced the calls so I know that this particular collection of commands is a function, but Ollydbg's code analysis does not recognise it, since it is not referenced from anywhere explicitly. Now my question is: can I somehow tell Ollydbg to treat this area as a function? It's kind of annoying that I can't label the function and thus see all calls from this function in the stack frame. I already tried assuming arguments for the entry point, but it doesn't work. Any other ideas?

Any help would be appreciated, I hope I didn't miss something obvious here.

edit: I've already set the analysis method to fuzzy.

blabberer
July 29th, 2006, 02:58
ollydbg doesn't recognize? does it mean it shows all those opcodes as a bunch of dbs? analyse -> hints -> code, and/or remove analysis from selection, or simply select all those dbs and hit ctrl+e and hit ok without doing anything

now this function block isn't recognised
does it mean ollydbg has enclosed the block in a ( )
like
( push ##
( do blah
(do foo
(do dumbomg
(pop ##
(retn

but still can't find any references to it?

then you can try creating an arg file
"my app .arg"

and just put it in the ollydbg dir; when your application is loaded it will parse that
and show you all the args when it is called dynamically

for example ollydbg by default does not recognise the args for ntdll!ZwSystemDebugControl

creating an arg file would make it show all the args

****** CALL to ZwSystemDebugControl from *******
ControlCode = SYS_DBG_READ_VMEMORY
PVOID InputBuffer = 00****
ULONG InputBufferLength = *
PVOID OutputBuffer = NULL
ULONG OutputBufferLength = 0
PULONG ReturnLength = ******
***** Breakpoint at ntdll.ZwSystemDebugControl

for help look at "custom function descriptions" in the ollydbg help

Noopsie
July 29th, 2006, 08:08
I'm not sure I understood you correctly. I'll try to clarify the problem:
The display looks like this:

Code:

address cmd
XXXXXXXX . ***** <- entry point via call EAX (calculated address)
XXXXXXXX . *****
XXXXXXXX . *****
XXXXXXXX . *****
XXXXXXXX . *****
XXXXXXXX . *****
XXXXXXXX . *****
XXXXXXXX . *****
XXXXXXXX . Jmp to other location


Every command has a single dot, not one continual bracket around it all. I think I understand now that Ollydbg doesn't bracket this function because it is continued in another address (compiler optimisation?). What I am trying to do: have this part of the function bracketed or otherwise joined so that I can assign a label to the entry point and Ollydbg shows me the addresses below as label + x. So that I can identify this part easier in the stack frame or call tree.

blabberer
July 31st, 2006, 13:43
only one . and no $: that means it's a part of a big multiple-exit proc. yes, you are right, some kind of optimisation by the compiler breaks the proc into pieces of chunks and spreads them all over the place

something called rtti blah blah, i am not aware much about it

for example if you open calc.exe (xp-sp2) in ollydbg, ollydbg won't bracket or give you any reference to a block in between a proc that starts at
1004a76 and ends at 10050a6, and if you use fuzzy analysis
ollydbg will actually show it in several bits and pieces but not as a contiguous function

i attach a picture

you can notice arg.1 and arg.2 in both the pieces
but in between you will see [ebp+c], which is arg 1

anyone else with some better explanation?