user1118764

Reputation: 9845

Different function lengths and control flow graphs in different IDA Pro versions

I'm trying to analyse a function in an x86 .so library in IDA Pro. I have IDA Pro 7.1 on 1 machine, and IDA Pro 6.8 on another. The function length, and corresponding control flow graphs (both Graph View and WinGraph32) are different between the 2 versions.

In 6.8, the function is much larger, and begins with the usual prologue

push ebp
mov ebp, esp

In 7.1 though, the function ends much earlier, and the rest of the memory space where 6.8 still thinks is the same function, is split up into other functions. However, these functions don't have the usual prologues.

It's probably worth noting that the function I'm analyzing could be obfuscated, so the prologue/epilogue instruction sequences may be replaced with something else. Will this mess with how IDA Pro is detecting functions?

Which one should I trust?

Upvotes: 0

Views: 309

Answers (1)

NirIzr

Reputation: 3410

Without having all the information (assembly instructions, identified cross references to related code, etc.) we're left with only very general and high-level explanations. Including some more concrete details may allow a more detailed and specific answer.

Analyzing function boundaries is one of the tough tasks a disassembler has to tackle. This means disassemblers usually employ different types of heuristics to (cleverly) guess where a function starts and ends. One of IDA's biggest advantages (especially in its early days) was its interactivity - the users' ability to fix, adjust and modify the automated analysis result.

As this is a difficult task, different IDA versions may have slight differences due to fixes and improvements in the logic. It seems in your case, those improvements/fixes actually worsen the end result instead of improving it. It's important to note that one example does not mean related improvement was a mistake.

Code that is obfuscated is considerably harder to analyze correctly, and also a good indication of attempts to prevent successful analysis of the function structure.

Upvotes: 0
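As an added example (not code from the question or the answer), the script below does the comparison the answer asks for: given the function ranges each IDA version produced for the same binary, it shows which functions one version split up and which of the new starts lack a standard prologue, so the analyst knows where to look by hand. It assumes the ranges and first bytes were exported from each database beforehand (for instance with IDAPython's idautils.Functions and ida_funcs.get_func); the ranges and bytes here are constructed sample data.

```python
# Added example, not code from the question or the answer: compare the
# function boundaries two IDA versions produced for one binary and flag
# function starts lacking the usual "push ebp; mov ebp, esp" prologue.
# Ranges are (start, end) with end exclusive, as func_t.start_ea/end_ea
# give them. All data below is constructed, not from a real database.
from typing import Dict, List, Tuple

Range = Tuple[int, int]
# push ebp (55) then mov ebp, esp, encoded by assemblers as 89 E5 or 8B EC
STANDARD_PROLOGUES = (b"\x55\x89\xe5", b"\x55\x8b\xec")

def has_standard_prologue(code: bytes) -> bool:
    """True if the function's first bytes are a conventional frame setup."""
    return code.startswith(STANDARD_PROLOGUES)

def compare_function_ranges(old: List[Range], new: List[Range]) -> Dict[Range, List[Range]]:
    """Map each old function to the new functions overlapping it: one identical
    range means agreement, several mean a split, none means it vanished."""
    result: Dict[Range, List[Range]] = {}
    for o_start, o_end in sorted(old):
        result[(o_start, o_end)] = [
            (s, e) for s, e in sorted(new) if s < o_end and e > o_start]
    return result

def describe(old: List[Range], new: List[Range], code_at: Dict[int, bytes]) -> List[str]:
    """One report line per old function, plus a flag for each new function
    start without a standard prologue (a boundary worth checking by hand)."""
    lines = []
    for (o_start, o_end), parts in compare_function_ranges(old, new).items():
        if parts == [(o_start, o_end)]:
            status = "same"
        elif len(parts) > 1:
            status = f"split into {len(parts)}"
        else:
            status = "different" if parts else "missing"
        lines.append(f"{o_start:#x}-{o_end:#x}: {status}")
        for s, _ in parts:
            if not has_standard_prologue(code_at.get(s, b"")):
                lines.append(f"  {s:#x}: no standard prologue")
    return lines

# Constructed sample: 6.8 saw one large function, 7.1 cut it into three.
OLD_FUNCS = [(0x1000, 0x1200), (0x1200, 0x1240)]
NEW_FUNCS = [(0x1000, 0x1080), (0x1080, 0x1100), (0x1100, 0x1200), (0x1200, 0x1240)]
CODE_AT = {0x1000: b"\x55\x89\xe5\x83\xec\x10",  # push ebp; mov ebp,esp; sub esp,10h
           0x1080: b"\x8b\x45\x08",              # mov eax,[ebp+8]: mid-function code
           0x1100: b"\xe8\x00\x00\x00\x00",      # call rel32: no frame setup
           0x1200: b"\x55\x8b\xec"}              # push ebp; mov ebp,esp
print("\n".join(describe(OLD_FUNCS, NEW_FUNCS, CODE_AT)))
```

A split whose pieces start with ordinary mid-function instructions, as at 0x1080 and 0x1100 here, usually means the boundary should be merged back by hand; obfuscated code with a non-standard prologue will also show up in this flag list and needs the same manual review.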
