A way to locate the main function in IDA when no sig file is available

Source: Internet  Editor: 程序博客网  Time: 2024/06/08 11:13

When a sig file is present, IDA locates the main function automatically:

.text:004013B0
.text:004013B0 ; =============== S U B R O U T I N E =======================================
.text:004013B0
.text:004013B0 ; Attributes: bp-based frame
.text:004013B0
.text:004013B0 ; int __cdecl main(int argc, char **argv)
.text:004013B0 _main           proc near               ; CODE XREF: __scrt_common_main_seh+FAp
.text:004013B0                                         ; invoke_main+1Ap
.text:004013B0
.text:004013B0 var_4           = dword ptr -4
.text:004013B0 argc            = dword ptr  8
.text:004013B0 argv            = dword ptr  0Ch
.text:004013B0
.text:004013B0                 push    ebp
.text:004013B1                 mov     ebp, esp
.text:004013B3                 push    ecx
.text:004013B4                 push    esi
.text:004013B5                 push    4               ; size
.text:004013B7                 call    ??2@YAPAXI@Z    ; operator new(uint)
.text:004013BC                 mov     esi, eax
.text:004013BE                 add     esp, 4
.text:004013C1                 mov     [ebp+var_4], esi
.text:004013C4                 test    esi, esi
.text:004013C6                 jz      short loc_4013ED

What to do when there is no sig file
In that case IDA usually stops at the entry point, which ends with: endp ; sp-analysis failed

.text:00401728
.text:00401728 ; =============== S U B R O U T I N E =======================================
.text:00401728
.text:00401728 ; Attributes: library function
.text:00401728
.text:00401728                 public start
.text:00401728 start           proc near
.text:00401728
.text:00401728 ; FUNCTION CHUNK AT .text:00401571 SIZE 00000139 BYTES
.text:00401728 ; FUNCTION CHUNK AT .text:004016E7 SIZE 00000006 BYTES
.text:00401728
.text:00401728                 call    sub_401CE0
.text:0040172D                 jmp     loc_401571
.text:0040172D start           endp ; sp-analysis failed
.text:0040172D

What we need to do is scroll up, and up, and up again,
looking for a function header with these characteristics: all of its own CODE XREFs point downward, all CODE XREFs of the function below it point upward, and all CODE XREFs of the function above it point downward.

.text:004013B0
.text:004013B0 ; Attributes: bp-based frame
.text:004013B0
.text:004013B0 sub_4013B0      proc near               ; CODE XREF: start-BDp
.text:004013B0                                         ; .text:0040171Dp
.text:004013B0
.text:004013B0 var_4           = dword ptr -4
.text:004013B0
.text:004013B0                 push    ebp
.text:004013B1                 mov     ebp, esp
.text:004013B3                 push    ecx
.text:004013B4                 push    esi
.text:004013B5                 push    4
.text:004013B7                 call    sub_40143E
.text:004013BC                 mov     esi, eax
.text:004013BE                 add     esp, 4
.text:004013C1                 mov     [ebp+var_4], esi
.text:004013C4                 test    esi, esi
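The xref-direction rule above can be applied mechanically. The following Python script is an added example, not code from the original post: it works on a plain table of (caller, callee) pairs built from the listings above (the helper at 0x401000 and its call site at 0x4013D0 are constructed to give main a neighbour above it), and the optional from_ida() loader, which assumes IDAPython's idautils/idc, gathers the same pairs inside IDA.

```python
# Constructed sample modelled on the listings in the post: main at 0x4013B0,
# sub_40143E below it, the CRT entry `start` at 0x401728, sub_401CE0, plus a
# hypothetical helper at 0x401000 so that main has a function above it.
SAMPLE_FUNCS = [0x401000, 0x4013B0, 0x40143E, 0x401728, 0x401CE0]
SAMPLE_CALLS = [
    (0x4013D0, 0x401000),  # main -> helper above it (constructed call site)
    (0x4013B7, 0x40143E),  # main -> sub_40143E (operator new)
    (0x40166B, 0x4013B0),  # start-0xBD -> main (CRT startup code)
    (0x40171D, 0x4013B0),  # .text:0040171D -> main (CRT startup code)
    (0x401728, 0x401CE0),  # start -> sub_401CE0
]

def xref_directions(funcs, calls):
    """Map each function start to the set of directions its CODE XREFs come from.
    'down' = the referencing instruction has a higher address (IDA's ↓ arrow),
    'up'   = the referencing instruction has a lower address (IDA's ↑ arrow)."""
    dirs = {f: set() for f in funcs}
    for caller, callee in calls:
        if callee in dirs:
            dirs[callee].add('down' if caller > callee else 'up')
    return dirs

def candidates_for_main(funcs, calls):
    """Apply the post's rule: the function's own xrefs all point down, the next
    function's xrefs all point up, and the previous function's all point down.
    Returns the start addresses that match, in address order."""
    order = sorted(funcs)
    dirs = xref_directions(order, calls)
    found = []
    for i in range(1, len(order) - 1):
        prev_f, cur_f, next_f = order[i - 1], order[i], order[i + 1]
        if (dirs[cur_f] == {'down'} and dirs[prev_f] == {'down'}
                and dirs[next_f] == {'up'}):
            found.append(cur_f)
    return found

def from_ida():
    """Collect (caller, callee) pairs for every function inside IDA.
    Assumes IDAPython (idautils.Functions / XrefsTo, idc.fl_* xref types)."""
    import idautils, idc
    funcs = list(idautils.Functions())
    calls = [(x.frm, f) for f in funcs for x in idautils.XrefsTo(f)
             if x.type in (idc.fl_CN, idc.fl_CF, idc.fl_JN, idc.fl_JF)]
    return funcs, calls

if __name__ == '__main__':
    for ea in candidates_for_main(SAMPLE_FUNCS, SAMPLE_CALLS):
        print(f'candidate for main: {ea:#010x}')
```

The heuristic only narrows the search; confirm the candidate by checking that its callers are CRT startup code, as the XREF comments in the listing show.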