Hi all,
This is probably a stupid question, but I didn't find out how to fix a situation in IDA when the ebp register is not set directly at the start of a function, but within an exception handler initialization stub that's called as the first thing in a function. In detail it looks like this:
fct: mov eax, handler           ; address of the exception handler, passed in eax
call installExceptionHandler    ; stub below sets up ebp and the SEH record
sub esp, 60h                    ; locals are allocated only after the stub returns
...
And the stub is as follows:
installExceptionHandler:
push 0FFFFFFFFh                 ; scope/trylevel marker (-1)
push eax                        ; handler address
mov eax, large fs:0             ; current head of the SEH chain
push eax                        ; next-seh link (this is the new EXCEPTION_REGISTRATION record)
mov eax, [esp+0Ch]              ; fetch the return address pushed by "call"
mov large fs:0, esp             ; install the new record as the chain head
mov [esp+0Ch], ebp              ; overwrite the return-address slot with the old ebp
lea ebp, [esp+0Ch]              ; new ebp points at the saved old ebp
push eax                        ; put the return address back on top
retn                            ; return to fct with esp 16 bytes lower than before the call
This will set up a frame like that:
ebp: old-ebp
ebp-4: -1
ebp-8: handler
ebp-12: next-seh <= esp
Unfortunately, when IDA analyzes "fct:" above it does not notice that ebp is set in installExceptionHandler and subsequently does not translate accesses to local variables relative to ebp as it should. From then on it will only show things like "[ebp-18h]" without resolving it to local stack variables. This is particularly bad if you're using the Hex-Rays decompiler plugin, as you can't give any type information. Is there any way to tell IDA how ebp is aligned manually so it can detect accesses to local variables in the function?
Thanks in advance, klaymen
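Added example, not part of klaymen's post: a small Python emulation of the stub above that checks, instruction by instruction, the frame layout described in the post. Register values, the return address and the stack address are constructed placeholders; the net esp change it reports is the number the caller's stack analysis has to account for after the call.

```python
# Constructed emulation of the SEH prolog stub from the post.
# All addresses and values below are made-up placeholders.
OLD_EBP = 0x0019FF80    # caller's ebp on entry to fct (constructed)
HANDLER = 0x00401000    # value in eax before the call (constructed)
NEXT_SEH = 0x0019FFC4   # existing fs:0, head of the SEH chain (constructed)
RET_ADDR = 0x00401234   # return address pushed by "call installExceptionHandler"


def run_stub(esp0=0x0019FF00, ebp=OLD_EBP, eax=HANDLER, fs0=NEXT_SEH, ret=RET_ADDR):
    """Emulate the stub on a dword-addressed stack; return the final state."""
    mem = {}
    esp = esp0

    def push(value):
        nonlocal esp
        esp -= 4
        mem[esp] = value

    push(ret)                 # effect of "call installExceptionHandler"
    push(0xFFFFFFFF)          # push 0FFFFFFFFh
    push(eax)                 # push eax            (handler)
    eax = fs0                 # mov eax, large fs:0
    push(eax)                 # push eax            (next-seh link)
    eax = mem[esp + 0xC]      # mov eax, [esp+0Ch]  (return address)
    fs0 = esp                 # mov large fs:0, esp (new record is chain head)
    mem[esp + 0xC] = ebp      # mov [esp+0Ch], ebp  (old ebp replaces return address)
    ebp = esp + 0xC           # lea ebp, [esp+0Ch]
    push(eax)                 # push eax            (return address back on top)
    eip = mem[esp]            # retn
    esp += 4
    return {"esp": esp, "ebp": ebp, "fs0": fs0, "eip": eip, "mem": mem, "esp0": esp0}


def frame_layout(state):
    """Describe the frame relative to the new ebp, as in the post."""
    mem, ebp = state["mem"], state["ebp"]
    return {
        "ebp": mem[ebp],
        "ebp-4": mem[ebp - 4],
        "ebp-8": mem[ebp - 8],
        "ebp-12": mem[ebp - 12],
        # net change of esp as seen by fct after the call returns
        "esp_delta": state["esp"] - state["esp0"],
    }


if __name__ == "__main__":
    state = run_stub()
    for slot, value in frame_layout(state).items():
        print(f"{slot:>9}: {value:#x}" if value >= 0 else f"{slot:>9}: {value}")
```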