TransWikia.com

Fix bad calling conventions in IDA

Reverse Engineering Asked by Pororo on July 31, 2020

A binary I am studying puts the this pointer in rcx, followed by the rest of its arguments as its default convention. For some reason, IDA defaults to fastcall, but ignores the this pointer. This results in just about every function getting an incorrect prototype.

For example, if a symbol demangles to

Chicken * Chicken::Chicken(int height, int weight)

IDA will detect three arguments, but apply the demangled name wrongly as:

Chicken * Chicken::Chicken(int height @<rcx>, int weight @<rdx>, int a3 @<r8>)

When instead the actual function prototype is:

Chicken * Chicken::Chicken(Chicken * this @<rcx>, int height @<rdx>, int weight @<r8>)

This is sometimes fixable from the UI manually – unless we are dealing with C++ types. As far as I know, the C parser does NOT accept stuff like std::string in SetType (see How to set the type of a variable or function to an std::string?).

I am thus looking for an easy way to force IDA to use my preferred default convention, or code (IDAPython?) that fixes functions on demand. I have tried variants of my old code from IDA: Changing type of arguments to local type but with little success.
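The prototype rewrite described in the question, as an added example that is not part of the original post: plain Python (no IDA API calls) that inserts the this pointer into a demangled member-function prototype and annotates the arguments with registers in the order shown above. The names add_this, split_args and ARG_REGS are hypothetical, and r9 as the fourth register is an assumption taken from the Microsoft x64 convention; only integer and pointer arguments are handled.

```python
import re

# Integer/pointer argument registers. rcx, rdx and r8 appear in the question;
# r9 is assumed as the fourth register (Microsoft x64 convention).
ARG_REGS = ["rcx", "rdx", "r8", "r9"]

# <return type> <Class::[Nested::]><name>(<args>)
_PROTO = re.compile(
    r"^\s*(?P<ret>.*?)\s*(?P<qual>(?:\w+::)+)(?P<name>~?\w+)\s*\((?P<args>.*)\)\s*$"
)


def split_args(arg_str):
    """Split a parameter list on commas that are not nested in <> or ()."""
    parts, depth, cur = [], 0, ""
    for ch in arg_str:
        if ch in "<(":
            depth += 1
        elif ch in ">)":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip() and cur.strip() != "void":
        parts.append(cur.strip())
    return parts


def add_this(demangled):
    """Return the prototype with 'Class * this' as the first argument."""
    m = _PROTO.match(demangled)
    if m is None:
        raise ValueError("not a qualified member function: %r" % demangled)
    cls = m.group("qual")[:-2]  # "Chicken::" -> "Chicken"
    params = ["%s * this" % cls] + split_args(m.group("args"))
    out = []
    for i, p in enumerate(params):
        # Past the fourth argument the value is on the stack: no annotation.
        out.append("%s @<%s>" % (p, ARG_REGS[i]) if i < len(ARG_REGS) else p)
    proto = "%s %s%s(%s)" % (
        m.group("ret"), m.group("qual"), m.group("name"), ", ".join(out))
    return proto.strip()


if __name__ == "__main__":
    # Constructed input: the demangled symbol from the question.
    print(add_this("Chicken * Chicken::Chicken(int height, int weight)"))
```

Static member functions take no this pointer, and a by-value aggregate return adds a hidden pointer argument, so such prototypes should not be passed through this helper unchanged.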
