Tell IDA Pro that a memory area contains a pointer table

Question

I have a binary image for an embedded CPU where a memory area contains a number of pointers to entry points into the binary. This is an interrupt vector table in the binary used by the CPU. How can I hint to IDA what this memory is, so it can use the entry points for its analysis?

Answer 1

I'll assume you already have your IDB setup using the correct processor for the loaded binary image.

If the image file is a raw file (ie, without a header), you can define the low/high address suspiciousness limits under the Disassembly tab in Options->General.

With this set, you can set the first element in this vector to be an offset by either placing the text cursor on the first byte and pressing 'O' or 'Ctrl+O'. You can also do 'Ctrl+R' for a 'user-defined' offset (brings up a dialog with multiple options). All the various offsets can be viewed under Edit->Operand type->Offset->...

With the first element set, and with your text cursor on it, you can then hit the '*' key on your numpad to create an actual array (assuming you know how many elements are in the vector). This should apply the same operand type information to all the elements in the array. Since in this case the operand is an offset, IDA should (automatically) try and disassemble the bytes which are referenced.

Note: if an elements value falls outside the suspiciousness limit, it won't be turned into an offset

If this is a raw image, you may wish to setup some Segments info (Shift+F7) if you know the binary contains sections of pure code or pure data. I'm not sure off hand if the 'automatic disassembly' mentioned above is done only when a segment's class is defined as 'CODE' or if it even matters.

Note: you can always re-run analysis by pressing the colored circle icon in the toolbar (it should green, else IDA is busy doing something) or by clicking "Reanalyze program" in the Analysis tab in General->Options.