Functions all start out with some type of prologue. Powerpc is no different. I was recently taking apart some firmware when I discovered the need to have an IDA Script take care of some function creations. Since the firmware was so large I didn’t really want to continue scrolling down and manually converting the data to code by pressing ‘c’.

In order to have Ida Python create functions automatically you can use two functions.

FindBinary
and
MakeFunction

the concept is to use FindBinary to locate the standard function prologue byte code and from there, create a function using MakeFunction. Using a python while loop you can create a short IdaPython script to expand your disassembly. I ran it on a fairly large piece of firmware and it ended up handling a lot of the disassembly that Ida’s auto analysis failed to complete due to the lack of a true entry point.

When it comes to PowerPC our prologue is going to look something like this

mflr r0 ; Save the link register to r0
stw r0, 4(rsp) ; Save r0 to register commonly used as stack pointer
stwu rsp,-16(rsp) ; Create frame
stw r31, 12(rsp); Save r31

For the particular piece of firmware I was playing with it was not saving the link register. Our prologue began with a stwu instruction. So, we use FindBinary to locate all instances of 0×9421. Although the method is not perfect, on a large scale it’s much easier to automate the creation of functions via IdaPython or IDC and have a few errors, than it is to manually create all the functions.

In terms of a prologue, you are usually left with some type of branching instruction. For most functions it just be a BLR instruction which is “Branch to Link Register”