15

When reverse engineering programs, I often find functions like the one below. This function in particular has a set of nested if/else blocks (pink boxes) which would typically be fairly easy to follow. When code executes at the blue box however, the code becomes messy and can take either of two independent code paths (purple or yellow). If the developer had used a function (or not used an inline function) for the purple or yellow code blocks, this code would be much easier to reverse engineer. As a function, I can rename and comment on the code block, and the overall program becomes easier to read.

My usual technique when I come across this kind of function is to apply colors to the code blocks like you see in the graph below. Is there a way for IDA to treat an arbitrary collection of code blocks as a function that is not called and/or are there better approaches to dealing with inline code and independent code blocks?

Large function

amccormack
  • 1,326
  • 2
  • 13
  • 29

1 Answers1

12

It sounds like what you need is node groups. Since the very first implementation (5.0) IDA's graph view allowed to group several nodes into one "super-node" with a custom title. Just select the nodes you want to group with Ctrl-click and choose "Group nodes" from the context menu.

For more info, see "Graph node groups" in IDA's help or online.

Igor Skochinsky
  • 36,553
  • 7
  • 65
  • 115
  • On a separate note, it would help to put your input on on-topic-ness/off-topic-ness here http://meta.reverseengineering.stackexchange.com/q/7/189 – asheeshr Mar 27 '13 at 01:37
  • Which is probably off topic, my question or your answer? – amccormack Mar 27 '13 at 01:51
  • 1
    @amccormack The question, since it does not involve reverse engineering itself but "how to use an RE tool". But I guess we could make such questions on-topic. Please add your thoughts here. – Igor Skochinsky Mar 27 '13 at 01:54
  • 1
    @IgorSkochinsky: as much as I like (and as you know ;)) to point out that this shouldn't get too biased towards a particular tool, I think those questions should be on-topic. I added my "comment" there and hope many others will. Btw: you already live up to what I hope will be your position soon ;) ... also see: http://meta.reverseengineering.stackexchange.com/questions/7 – 0xC0000022L Mar 27 '13 at 16:55
  • 1
    @IgorSkochinsky: I'm not sure per-se, but on most SE sites it's frowned upon to simply post a link without quoting at least a vital part. – 0xC0000022L Mar 27 '13 at 16:56
  • @IgorSkochinsky I think my question doesn't apply to the meta-discussion you had listed. But I understand the hesitation so I created a new meta question Is asking about reverse engineering tools on topic – amccormack Mar 27 '13 at 19:45
  • Okay, all good points, let me edit it a bit... – Igor Skochinsky Mar 27 '13 at 22:38