I keep coming across a compiling pattern that IDA doesn't automatically handle well. Consider the following example:
    mov rax, rsp         ; Set rax at the start of the function
    ...
    lea rbp, [rax-5Fh]   ; Shortly afterward, set rbp as the frame pointer at a nonstandard offset
    ...
    mov [rbp+3Fh], rcx   ; Reference all stack offsets from rbp for the rest of the function
    ...

In this example, it appears that IDA has lost track of rbp's state as an offset into the stack frame, presumably because of the additional indirection (we copy from rsp to rax to rbp, rather than just from rsp to rbp).
I would like the above example to look something more like this:
    var_20= qword ptr -20h
    ...
    mov [rbp+5Fh+var_20], rcx

However, as one would expect, if I change the type of 3Fh to be a stack offset, I get the following:
    arg_37= qword ptr 3Fh
    ...
    mov [rbp+arg_37], rcx

which is obviously not correct. I have two questions:
- Is it possible to generate the desired output?
- If not, how would one normally deal with this?
Solutions I am aware of:
- I could create a structure for the stack frame and specify the offset delta (occasionally also adjusting for negative offsets). The downsides are that I would have to create a structure for each stack frame I analyze, and I would also not have cross-references.
- I could just use the incorrect offsets in the stack frame. This would give me cross-references, but I would expect things to break when touching r, the offset storing the return address.
Also relevant: I'm using IDA Pro 6.2.
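As an added illustration (not part of the original question, and not IDA's own API or an IDAPython script), the bookkeeping the poster is asking IDA to do can be written out in a few lines of plain Python: track which registers alias the entry-time rsp and with what delta, then rename rbp-relative operands to IDA-style `[rbp+delta+var_XX]` form. The listing is constructed from the question's own snippet.

```python
import re

# Constructed listing modelled on the question; not from any real binary.
LISTING = [
    "mov rax, rsp",
    "lea rbp, [rax-5Fh]",
    "mov [rbp+3Fh], rcx",
    "mov [rbp+47h], rdx",   # a second constructed store for comparison
]

HEX = re.compile(r"^([0-9A-Fa-f]+)h$")
MEM = re.compile(r"\[(\w+)([+-])(\w+)\]")

def imm(tok):
    """Parse an IDA-style immediate such as 5Fh (hex) or 16 (decimal)."""
    m = HEX.match(tok)
    return int(m.group(1), 16) if m else int(tok)

def frame_name(off):
    """IDA's naming convention: negative offsets are locals (var_XX),
    positive ones are stack arguments (arg_XX); offset 0 is the return
    address slot IDA labels ' r'."""
    return "var_%X" % -off if off < 0 else "arg_%X" % off

def rewrite(listing):
    """Return (frame, rewritten lines). frame maps var/arg names to
    their offset from the stack pointer at function entry."""
    delta = {"rsp": 0}       # register -> offset from entry-time rsp
    frame, out = {}, []
    for line in listing:
        mnem, _, rest = line.partition(" ")
        ops = [o.strip() for o in rest.split(",")]
        # Propagate the rsp alias through "mov reg, reg" and "lea reg, [reg+-imm]".
        if mnem == "mov" and len(ops) == 2 and ops[1] in delta:
            delta[ops[0]] = delta[ops[1]]
        elif mnem == "lea" and len(ops) == 2:
            m = MEM.match(ops[1])
            if m and m.group(1) in delta:
                d = imm(m.group(3)) * (1 if m.group(2) == "+" else -1)
                delta[ops[0]] = delta[m.group(1)] + d
        # Rename memory operands based on a known rsp alias.
        new_ops = []
        for o in ops:
            m = MEM.match(o)
            if m and m.group(1) in delta and mnem != "lea":
                d = imm(m.group(3)) * (1 if m.group(2) == "+" else -1)
                base = delta[m.group(1)]          # e.g. rbp = rsp - 5Fh
                name = frame_name(base + d)       # e.g. 3Fh - 5Fh = -20h
                frame[name] = base + d
                o = "[%s+%s]" % (m.group(1), name) if base == 0 else \
                    "[%s%+Xh+%s]" % (m.group(1), -base, name)
            new_ops.append(o)
        out.append("%s %s" % (mnem, ", ".join(new_ops)))
    return frame, out
```

Running `rewrite(LISTING)` turns `mov [rbp+3Fh], rcx` into `mov [rbp+5Fh+var_20], rcx` with `var_20` at -20h, which is the output the question asks for.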