Igor’s Tip of the Week #152: Force-creating functions

Occasionally, especially when working with embedded firmware or obfuscated code, you may see an error message when trying to create a function (from the context menu or with the P hotkey):

[Output]
ROM:C998: The function has undefined instruction/data at the specified address.
Your request has been put in the autoanalysis queue.

There can be multiple reasons for it, for example:

  1. some code has been incorrectly converted to data and the execution flows into it;
  2. the function calls a non-returning function which hasn’t been marked as such, so IDA thinks that the execution flows into the following data or undefined bytes;
  3. the function uses an unrecognized switch pattern;
  4. the function calls some function which uses embedded data after the call, but IDA tries to decode it as instructions;
  5. code has been obfuscated and IDA’s autoanalysis went down a wrong path.

You can double-click the indicated address to jump there, see if you can identify the issue, and try to fix it, but that can take a long time.

Functions are required to use some of IDA’s basic functionality such as graph view or the decompiler.

Forcing IDA to create a function

Whatever the reason for the error, you can still create a function manually if you can determine its bounds using your best judgement. The simplest and most convenient way to do this is an anchor selection:

  1. while staying on the first instruction of the function, use Edit > Begin selection, or press Alt+L;
  2. navigate down to the function’s end (e.g. look for a return instruction or start of the next function);
  3. press P (Create function).

Note that the function created this way may have all kinds of issues, e.g. disconnected blocks in the graph view, JUMPOUT statements in pseudocode or wrong decompilation, but at least it should allow you to advance in your analysis.
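The same workflow can be scripted from IDA's Python console, which is handy when many functions fail to auto-create. The following is an added example, not code from the tip: it mirrors the anchor-selection + P procedure with `ida_funcs.add_func(start, end)` (assumed to be the API counterpart of creating a function over an explicit selection) and then lists the disconnected blocks mentioned above by checking which basic blocks of the new function have no predecessor. The addresses in the comments are constructed.

```python
def orphan_blocks(entry_ea, blocks):
    """Pure helper, usable outside IDA for testing.

    blocks: list of (start_ea, end_ea, [predecessor start_eas]).
    Returns (start, end) of every non-entry block that no other block of the
    function flows into, i.e. the 'disconnected blocks' a force-created
    function often shows in graph view.
    """
    return [(s, e) for s, e, preds in blocks if s != entry_ea and not preds]


def force_create_function(start, end):
    """Scripted equivalent of: Alt+L on the first instruction, navigate to
    the end, press P. Runs inside IDA only; returns the func_t or None.
    Hypothetical call: force_create_function(0xC900, 0xC998)."""
    import ida_funcs, ida_bytes, ida_ua  # IDAPython modules, IDA only

    existing = ida_funcs.get_func(start)
    if existing is not None and existing.start_ea == start:
        return existing  # nothing to do, already a function
    # Autoanalysis may have left the first byte undefined or as data;
    # make it an instruction before asking for a function (assumed step).
    if not ida_bytes.is_code(ida_bytes.get_flags(start)):
        if ida_ua.create_insn(start) == 0:
            return None
    # With an explicit end address IDA does not have to find the bounds
    # itself, which is what the manual selection avoids as well.
    if not ida_funcs.add_func(start, end):
        return None
    return ida_funcs.get_func(start)


def report_orphans(func):
    """Inside IDA: list disconnected blocks of a (force-created) function."""
    import ida_gdl  # IDA only

    blocks = [(bb.start_ea, bb.end_ea, [p.start_ea for p in bb.preds()])
              for bb in ida_gdl.FlowChart(func)]
    return orphan_blocks(func.start_ea, blocks)
```

After `report_orphans` returns a non-empty list, each listed block is a place to look for one of the causes above (wrong switch recovery, missed non-returning call, embedded data).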