Igor’s tip of the week #09: Reanalysis
While working in IDA, sometimes you may need to reanalyze some parts of your database, for example:
- after changing a prototype of an external function (especially calling convention, number of purged bytes, or “Does not return” flag);
- after fixing up incorrectly detected ARM/Thumb or MIPS32/MIPS16 regions;
- after changing global processor options (e.g. setting $gpvalue in MIPS or TOC in PPC);
- other situations (analyzing switches, etc.).
Reanalyzing individual instructions
To reanalyze an instruction, position the cursor in it and press C (convert to code). Even if the instruction is already code, this action is not a no-op: it asks the IDA kernel to:
- delete cross-references from the current address;
- have the processor module reanalyze the instruction; normally this should result in (re-)creation of cross-references, including the flow cross-reference to the following instruction (unless the current instruction stops the code flow).
Reanalyzing a function
All of the function’s instructions are reanalyzed when any of the function’s parameters are changed (e.g. in case stack variables need to be recreated). So, the following key sequence causes the whole function to be reanalyzed: Alt-P (Edit function), Enter (confirm dialog).
Reanalyzing a bigger range of instructions
For this we can use the trick covered in the post on selection.
- go to the start of the range;
- press Alt-L (start selection);
- go to the end of selection;
- press C (convert to code). Pick “Analyze” in the first prompt and “No” in the second.
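When several regions need the same treatment (for example after fixing up a batch of ARM/Thumb ranges), the range and function steps above can be scripted. The following IDAPython sketch is an added example, not code from the original post; it assumes `ida_auto.plan_and_wait` and `ida_funcs.reanalyze_function` are the nearest scripted counterparts of the UI actions, and the helper names are hypothetical.

```python
# Added example: scripted reanalysis for IDAPython (helper names are hypothetical).
# The ida_* modules are imported lazily because they only exist inside IDA.

def coalesce(ranges):
    """Merge overlapping or adjacent [start, end) ranges and drop empty ones."""
    merged = []
    for start, end in sorted(r for r in ranges if r[0] < r[1]):
        if merged and start <= merged[-1][1]:
            # Extends or touches the previous range: grow it instead of re-queuing.
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def reanalyze_ranges(ranges, plan=None):
    """Reanalyze each merged range; return the ranges that completed.

    `plan` defaults to ida_auto.plan_and_wait, which returns 0 when the
    user cancels the analysis, in which case the remaining ranges are skipped.
    """
    if plan is None:
        import ida_auto
        plan = ida_auto.plan_and_wait
    done = []
    for start, end in coalesce(ranges):
        if not plan(start, end):
            break  # analysis was cancelled; report only what finished
        done.append((start, end))
    return done

def reanalyze_function_at(ea):
    """Reanalyze the function containing `ea`; False if there is none."""
    import ida_auto
    import ida_funcs
    pfn = ida_funcs.get_func(ea)
    if pfn is None:
        return False
    ida_funcs.reanalyze_function(pfn)  # queue every instruction of the function
    ida_auto.auto_wait()               # block until the analysis queue is empty
    return True
```

Inside IDA, call `reanalyze_ranges([(start, end), ...])` with the addresses of the regions you fixed up; the end address is exclusive.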
Reanalyzing whole database
If you need to reanalyze everything but don’t want to go through the hassle of selecting all the code, there is a dedicated command which can be invoked in two ways:
- Menu Options > General…, Analysis Tab, Reanalyze program button;
- Right-click the status bar at the bottom of IDA’s window, Reanalyze program.