Extract Function
- You have a set of code fragments that together constitute an individual function.
Turn the fragments into a function.
... loc100(); ...
loc100:
    ...
    return;
⇓
... loc100(); ...
void loc100() {
    ...
    return;
}
Motivation
The functions generated by compilers are not always clearly delimited in machine code. Moreover, the machine code corresponding to the function body may be interleaved with auxiliary data, such as initialization constants and jump tables.
So the basic step in reverse engineering the code is to aggregate the scattered code fragments into individual functions.
Mechanics
- Identify all code fragments belonging to the function.
- Shift all the code fragments together in order to make a single continuous code fragment.
- Wrap the fragment in a function enclosure.
- Scan the code for references to the function label and promote them to function calls.
Example: noncontiguous code fragments
... loc100(); ...
loc100:
    goto loc102;
loc101:
    char var101[] = "Some data";
loc102:
    eax = 0;
    return;
⇓
... loc100(); ...
void loc100() {
    goto loc102;
loc102:
    eax = 0;
    return;
}
loc101:
    char var101[] = "Some data";
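The four mechanics steps, applied to the noncontiguous example above, as an added Python example that is not part of the original catalog entry. It works on a constructed flat listing in the same pseudo-C notation (labels end in ":", jumps are "goto <label>;", and an unpromoted reference is written "call <label>", an assumed notation not used on the page). It assumes that a block belongs to the function when it is reachable from the entry label by a goto or by falling off the end of a block that neither returns nor jumps; interleaved data such as loc101 is never reached that way and so stays outside the new function.

```python
import re
from dataclasses import dataclass

# Constructed input listing (not from the page): loc101 is a data fragment
# interleaved with the two code fragments of loc100.
LISTING = """\
main:
  call loc100
  return;
loc100:
  goto loc102;
loc101:
  char var101[] = "Some data";
loc102:
  eax = 0;
  return;
"""

LABEL_RE = re.compile(r"^(\w+):$")
GOTO_RE = re.compile(r"^goto (\w+);$")
CALL_RE = re.compile(r"^call (\w+)$")  # assumed notation for an unpromoted reference


@dataclass
class Block:
    label: str
    stmts: list


def parse(listing):
    """Split the flat listing into labeled blocks, keeping listing order."""
    blocks, cur = [], None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LABEL_RE.match(line)
        if m:
            cur = Block(m.group(1), [])
            blocks.append(cur)
        elif cur is None:
            raise ValueError("statement before the first label: " + line)
        else:
            cur.stmts.append(line)
    return blocks


def identify_fragments(blocks, entry):
    """Step 1: flood-fill from the entry label along goto edges and fall-through.
    Step 2: return the reached blocks in listing order, so shifting them together
    keeps the author's original ordering of the body."""
    index = {b.label: i for i, b in enumerate(blocks)}
    seen, work = set(), [entry]
    while work:
        label = work.pop()
        if label in seen or label not in index:
            continue
        seen.add(label)
        b = blocks[index[label]]
        work.extend(m.group(1) for s in b.stmts for m in [GOTO_RE.match(s)] if m)
        last = b.stmts[-1] if b.stmts else ""
        falls_through = last != "return;" and not GOTO_RE.match(last)
        if falls_through and index[label] + 1 < len(blocks):
            work.append(blocks[index[label] + 1].label)
    return [b for b in blocks if b.label in seen]


def wrap_function(name, fragments):
    """Step 3: put the contiguous fragments inside a C-style enclosure. Inner
    labels are kept so the gotos that target them remain valid."""
    lines = [f"void {name}() {{"]
    for b in fragments:
        if b.label != name:
            lines.append(f"{b.label}:")
        lines.extend("  " + s for s in b.stmts)
    lines.append("}")
    return lines


def promote_call(stmt, name):
    """Step 4: a 'call <label>' reference to the new function becomes a call expression."""
    m = CALL_RE.match(stmt)
    return f"{name}();" if m and m.group(1) == name else stmt


def extract_function(listing, entry):
    """Run all four steps and return the rewritten listing as a list of lines."""
    blocks = parse(listing)
    fragments = identify_fragments(blocks, entry)
    extracted = {b.label for b in fragments}
    out = []
    for b in blocks:
        if b.label == entry:
            out.extend(wrap_function(entry, fragments))  # function sits where its entry was
        elif b.label in extracted:
            continue  # already shifted into the function body
        else:
            out.append(f"{b.label}:")
            out.extend("  " + promote_call(s, entry) for s in b.stmts)
    return out


if __name__ == "__main__":
    print("\n".join(extract_function(LISTING, "loc100")))
```

Running it prints the listing with loc100 and loc102 merged into one void loc100() body, main's reference promoted to loc100();, and the loc101 data left in place after the function, which is the "after" state of the example above. A real disassembly also needs the jump-table and indirect-branch cases that this reachability rule does not see; they are why step 1 is the hard part in practice.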