how to find function boundaries in binary code

I see that binary translation is usually trace-based. Is it because one can not get the boundaries of functions? Is there f开发者_如何学编程unction label in binary code?

There's no trivial answer to this. You could search for ret instructions, but they are no guarantee that they are function boundaries as you could return from the middle of a function.

Searching for stuff like

mov   ebp, esp 

will work to some extent, but again, it's no guarantee.

Some compilers (most notably the Intel Compiler), will move branched blocks to after the function ends, and jump back into the function...

What does trace-based mean? The essential answer to your question is no, there is no function label in machine code. There are probably patterns specific to each compiler you could look for and you could also use the executable format to find entry points into public functions in the code. But these days compilers can do whole-program optimizations that blur out the concept of a function at the machine code level.

The usual method for finding the begin and ending addresses of C functions is to print out a memory map and scan for the start of the function. Many compilers will specify the function length in the memory map.

Some compilers provide #pragma or preprocessing keywords to allow you to assign a function to a specific address.

Sorry, but the C language only provides the starting address of functions; not their lengths.