Igor’s tip of the week #68: Skippable instructions

In compiled code, you can sometimes find instructions which do not directly represent the code written by the programmer but were added by the compiler for its own purposes or due to the requirements of the environment the program is executing in.

Skippable instruction kinds

Compiled functions usually have prolog instructions at the start which perform various bookkeeping operations, for example:

  1. preserve volatile registers used in the function’s body;
  2. set up new stack frame for the current function;
  3. allocate stack space for local stack variables;
  4. initialize the stack cookie to detect buffer overflows;
  5. set up exception handlers for the current function.

In a similar manner, a function’s epilog performs the opposite actions before returning to the caller.

In switch patterns there may also be instructions which only perform additional manipulations to determine the destination of an indirect jump and do not represent the actual logic of the code.

To avoid spending time analyzing such boilerplate or uninteresting code and to show only the “real” body of the function, the decompiler relies on processor modules to mark such instructions.

Showing skippable instructions

By default, skipped instructions are not distinguished visually in any way. To enable their visualization, create a text file idauser.cfg with the following contents:

#ifdef __GUI__
PROLOG_COLOR = 0xE0E0E0 // grey
EPILOG_COLOR = 0xE0FFE0 // light green
SWITCH_COLOR = 0xE0E0FF // pink
#endif

Place the file in the user directory (%appdata%\Hex-Rays\IDA Pro on Windows, $HOME/.idapro on Unix) and restart IDA or reload the database to observe the effect in the disassembly listing.

Original disassembly:

After creating the configuration file:

As you can see, the first three and last two instructions are highlighted in the specified colors. These instructions will be skipped during decompilation.

Modifying skippable instructions

There may be situations where you need to adjust IDA’s idea of skipped instructions. For example, IDA may fail to mark some register saves as part of prolog (this may manifest as accesses to uninitialized variables in the pseudocode). In that case, you can fix it manually:

  1. In the disassembly view, select the instruction(s) which should be marked;
  2. invoke Edit > Other > Toggle skippable instructions…;
  3. select the category (prolog/epilog/switch) and click OK.

In case of the opposite problem (IDA erroneously marked some instructions which do necessary work), perform the same actions, except that there won’t be a dialog at step 3 – the instructions will be unmarked directly.

More info: Toggle skippable instructions (Decompiler Manual)
