
Thread: IDA auto function arguments

  1. #1
    taylorjonl
    Guest

    IDA auto function arguments

    I have been stumbling around IDA for a few days and am getting the hang of it, sorta. I am trying to figure out if it is able to follow the function arguments. I have defined the function below but it doesn't auto follow ECX like I thought it would.

    Code:
    .text:6FAA1140
    .text:6FAA1140 ;  S U B R O U T I N E 
    .text:6FAA1140
    .text:6FAA1140
    .text:6FAA1140 ; void __fastcall sub_6FAA1140(CellFile *UiImage)
    .text:6FAA1140 sub_6FAA1140 proc near                  ; CODE XREF: sub_6FAA7440+Cp
    .text:6FAA1140                                         ; sub_6FAA7440+2Dp ...
    .text:6FAA1140     push esi
    .text:6FAA1141     mov esi, ecx
    .text:6FAA1143     push esi
    .text:6FAA1144     call D2CMP_10032                    ; Call Procedure
    .text:6FAA1144
    .text:6FAA1149     test esi, esi                       ; Logical Compare
    .text:6FAA114B     jz  short loc_6FAA115D              ; Jump if Zero (ZF=1)
    .text:6FAA114B
    .text:6FAA114D     push 0
    .text:6FAA114F     push 7Ah
    .text:6FAA1151     mov edx, offset aCProjectsD2_10     ; "C:\\projects\\D2\\head\\Diablo2\\Source\\D2Cl"...
    .text:6FAA1156     mov ecx, esi
    .text:6FAA1158     call Fog_10043                      ; Call Procedure
    .text:6FAA1158
    .text:6FAA115D
    .text:6FAA115D loc_6FAA115D:                           ; CODE XREF: sub_6FAA1140+Bj
    .text:6FAA115D     pop esi
    .text:6FAA115E     retn                                ; Return Near from Procedure
    .text:6FAA115E
    .text:6FAA115E sub_6FAA1140 endp ; sp = -0Ch
    .text:6FAA115E
    I have read through the help file but it is very lacking; this has got to be one of the most user-unfriendly programs I have ever used. BTW, I am using 4.7.

    If you can tell me how to set this up I would appreciate it. Also would like to know if it can mark the arguments going into the function when it is called.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Naides is Nobody
    In fast_call convention the arguments are passed in registers, and IDA will not auto-label them as arguments.

    In your example the pointer argument *UiImage appears to be passed in ECX,
    which is typical of Microsoft C++ 4.0 to 6.0 compilers.

    I agree, IDA is an advanced tool that assumes the user has a great amount of advanced knowledge.

    Hacker Disassembling Uncovered by Kris Kaspersky covers a lot of the IDA basics
    Last edited by naides; April 21st, 2005 at 20:24.

  3. #3
    reknihT esreveR SiGiNT's Avatar
    Not an answer to your question, but a suggestion: The Art of Assembly is an excellent reference on assembler, good reading for what you need to know. IDA can't do everything, and it does a lot of guessing based on its analysis.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  4. #4
    taylorjonl
    Guest
    I am pretty familiar with assembly; I know that in fastcall ECX and EDX are the first 2 args and the rest are pushed onto the stack. I have been using OllyDbg for a few years but was wanting to get used to IDA since it is a bit more advanced for disassembly. I was just hoping it would trace where the variable is passed around to. That example is very simple, but in some the variables may get passed around quite a bit, making it a pain having to play musical registers.

    That answers my first question. What about whether I can make it trace what is passed into the function? Even a simple labeling of it, so I can see the args and not have to go to the function's address to check the prototype?

  5. #5
    Naides is Nobody
    That is when the I (interactive) of IDA comes into play.
    You could write an IDC script to do the 'follow the register' game for you. But without somehow peeking at the function prototype, or examining several instances of the code that call the function, the script will make mistakes, just as IDA often makes mistakes when doing the auto-labeling.

    Remember that calling conventions are only that, conventions, and in certain situations, either code optimization done by the compiler, inline coding done by the coder, or linking modules written in different languages and compiled with different compilers could produce rather peculiar and unpredictable argument passing and handling that neither IDA, nor your script, nor you yourself could easily sort out without some live tracing.

  6. #6
    Sergey R.
    Guest
    Quote Originally Posted by taylorjonl
    I have been stumbling around IDA for a few days and am getting the hang of it, sorta. I am trying to figure out if it is able to follow the function arguments. I have defined the function below but it doesn't auto follow ECX like I thought it would.
    ...
    If you can tell me how to set this up I would appreciate it. Also would like to know if it can mark the arguments going into the function when it is called.
    ...
    I know that fastcalls ECX and EDX are first 2 args the rests are pushed onto stack.
    Yes, it is possible to mark function's arguments and to see them transferring into the function when it is called.
    But IDA uses a different 'fastcall' calling convention than you expect to see. (Is it the Borland agreement???) It assumes that with a '__fastcall' declaration 3 (not 2!) arguments are transferred into the subroutine in registers:
    1st - in EAX,
    2nd - in EDX,
    3rd - in ECX,
    any others (if there are any) on the stack from left to right.
    If you follow this convention IDA properly marks arguments going into functions when they are called.

    I don't know how to change IDA from using the "Borland"(?) calling convention to the "Microsoft" one, or if it is even possible...
    Last edited by Sergey R.; May 3rd, 2005 at 08:06.
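
As an added example (not code from this thread, and not IDA's own IDC/IDAPython API), here is a stand-alone Python script that plays the 'follow the register' game naides describes in #5 over the listing pasted in #1, under the two register conventions discussed in #6: Microsoft __fastcall (ECX, EDX, remaining args pushed right to left) and the Borland-style __fastcall Sergey R. describes (EAX, EDX, ECX, remaining args pushed left to right). It parses the IDA text export, walks backward from a call through register-to-register moves, treats EAX/ECX/EDX as clobbered by an intervening call, and gives up at a label, because a join point means another path could reach the call with different values. The convention table, the entry mapping {'ecx': 'UiImage'} taken from the prototype comment in the listing, and the assumption that D2CMP_10032 takes one stack argument are assumptions of this script; a real IDC or IDAPython version would read instructions through the IDA API instead of parsing text.

```python
import re
from collections import namedtuple

Insn = namedtuple('Insn', 'addr kind mnem ops')   # kind: insn | label | proc | endp

# Constructed input: the listing from post #1, reduced to the lines that matter.
LISTING = r"""
.text:6FAA1140 ; void __fastcall sub_6FAA1140(CellFile *UiImage)
.text:6FAA1140 sub_6FAA1140 proc near                  ; CODE XREF: sub_6FAA7440+Cp
.text:6FAA1140     push esi
.text:6FAA1141     mov esi, ecx
.text:6FAA1143     push esi
.text:6FAA1144     call D2CMP_10032                    ; Call Procedure
.text:6FAA1149     test esi, esi                       ; Logical Compare
.text:6FAA114B     jz  short loc_6FAA115D              ; Jump if Zero (ZF=1)
.text:6FAA114D     push 0
.text:6FAA114F     push 7Ah
.text:6FAA1151     mov edx, offset aCProjectsD2_10     ; "C:\\projects\\D2\\head\\Diablo2\\Source\\D2Cl"...
.text:6FAA1156     mov ecx, esi
.text:6FAA1158     call Fog_10043                      ; Call Procedure
.text:6FAA115D loc_6FAA115D:                           ; CODE XREF: sub_6FAA1140+Bj
.text:6FAA115D     pop esi
.text:6FAA115E     retn                                ; Return Near from Procedure
.text:6FAA115E sub_6FAA1140 endp ; sp = -0Ch
"""

REGS = {'eax', 'ebx', 'ecx', 'edx', 'esi', 'edi', 'ebp', 'esp'}
CALLER_SAVED = {'eax', 'ecx', 'edx'}          # not preserved across a call on Win32 x86
WRITES_DEST = {'mov', 'lea', 'movzx', 'movsx', 'add', 'sub', 'and', 'or', 'xor',
               'inc', 'dec', 'neg', 'not', 'shl', 'shr', 'imul', 'pop'}
# Assumed convention table: (register argument order, remaining args pushed right-to-left?)
CONVENTIONS = {
    'ms_fastcall':      (('ecx', 'edx'), True),          # MSVC: rest pushed right to left
    'borland_fastcall': (('eax', 'edx', 'ecx'), False),  # Borland: rest pushed left to right
    'stack':            ((), True),                      # cdecl/stdcall: everything on the stack
}


def parse_listing(text):
    """Turn IDA text-export lines into Insn records; comments are dropped."""
    insns = []
    for raw in text.splitlines():
        m = re.match(r'^\.text:([0-9A-Fa-f]+)\s*(.*)$', raw)
        if not m:
            continue
        addr = int(m.group(1), 16)
        body = m.group(2).split(';', 1)[0].strip()
        if not body:
            continue
        if body.endswith(':'):                             # loc_XXXX:  (a jump target)
            insns.append(Insn(addr, 'label', None, [body[:-1]]))
            continue
        head, _, rest = body.partition(' ')
        rest = rest.strip()
        if rest.split(' ')[0] in ('proc', 'endp'):         # sub_XXXX proc near / endp
            insns.append(Insn(addr, rest.split(' ')[0], None, [head]))
            continue
        ops = [o.strip() for o in rest.split(',')] if rest else []
        insns.append(Insn(addr, 'insn', head.lower(), ops))
    return insns


def find(insns, addr):
    """Index of the instruction (not the label) at addr."""
    return next(i for i, ins in enumerate(insns) if ins.kind == 'insn' and ins.addr == addr)


def trace_reg(insns, idx, reg):
    """What does `reg` hold when insns[idx] executes? Walks backward over the
    straight-line code reaching idx, following register-to-register moves."""
    reg = reg.lower()
    for ins in reversed(insns[:idx]):
        if ins.kind == 'label':          # join point: another path may land here
            return 'unknown (join point %s)' % ins.ops[0]
        if ins.kind == 'proc':           # reached function entry: it is an incoming argument
            return reg + '@entry'
        if ins.kind != 'insn':
            continue
        if ins.mnem == 'call':
            if reg == 'eax':
                return 'return value of %s' % ins.ops[0]
            if reg in CALLER_SAVED:
                return 'clobbered by call %s' % ins.ops[0]
            continue                     # callee-saved registers survive the call
        if not ins.ops or ins.ops[0].lower() != reg:
            continue                     # this instruction does not write reg
        if ins.mnem in ('mov', 'lea'):
            src = ins.ops[1]
            if src.lower() in REGS:      # musical registers: keep following the chain
                reg = src.lower()
                continue
            return src
        if ins.mnem in ('xor', 'sub') and ins.ops[1].lower() == reg:
            return '0'
        if ins.mnem in WRITES_DEST:
            return 'unknown (%s at %X)' % (ins.mnem, ins.addr)
        # test/cmp/push only read their first operand: keep going
    return 'unknown'


def annotate_call(insns, call_addr, convention='ms_fastcall', nstack=None, entry=None):
    """Recover the arguments of the call at call_addr. `entry` maps registers at
    function entry to parameter names taken from the prototype IDA shows."""
    entry = entry or {}
    reg_args, right_to_left = CONVENTIONS[convention]
    idx = find(insns, call_addr)

    def name(val):                       # 'ecx@entry' -> 'UiImage (ecx@entry)'
        if val.endswith('@entry') and val[:-6] in entry:
            return '%s (%s)' % (entry[val[:-6]], val)
        return val

    out = {'callee': insns[idx].ops[0], 'regs': {}, 'stack': []}
    for r in reg_args:
        out['regs'][r] = name(trace_reg(insns, idx, r))
    # Stack args: the pushes between the previous call (or a label / function
    # start) and this call. Caveat: prologue register saves look like pushes,
    # so pass nstack from the prototype when you know it.
    pushes = []
    for i in range(idx - 1, -1, -1):
        ins = insns[i]
        if ins.kind != 'insn' or ins.mnem == 'call':
            break
        if ins.mnem == 'push':
            v = ins.ops[0]
            pushes.append(name(trace_reg(insns, i, v)) if v.lower() in REGS else v)
    if nstack is not None:
        pushes = pushes[:nstack]         # the nstack pushes nearest the call
    if not right_to_left:                # nearest push is then the LAST argument
        pushes.reverse()
    out['stack'] = pushes
    return out


if __name__ == '__main__':
    insns = parse_listing(LISTING)
    for conv in ('ms_fastcall', 'borland_fastcall'):
        print(conv, annotate_call(insns, 0x6FAA1158, conv, entry={'ecx': 'UiImage'}))
    print('esi at pop after the join point:', trace_reg(insns, find(insns, 0x6FAA115D), 'esi'))
```

Under the Microsoft reading, the call to Fog_10043 resolves to ECX = UiImage (via ESI, surviving the earlier call because ESI is callee-saved), EDX = the source-file string, and stack args 7Ah, 0. Under the Borland reading the same bytes become EAX = the return value of D2CMP_10032 and the stack args swap order, which is the mismatch Sergey R. ran into. Leaving nstack unset for the D2CMP_10032 call picks up the prologue `push esi` as a second "argument"; that is exactly the kind of mistake naides warns a script will make without the prototype.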
