• Welcome to Valhalla Legends Archive.
 

Looking at disassembly

Started by K, December 08, 2003, 01:19 PM

Previous topic - Next topic
Print
|
Go Down Pages1
User actions

K

December 08, 2003, 01:19 PM Last Edit: December 08, 2003, 01:20 PM by K
Code Select

                ; ...
                push    offset sub_11802190
                push    7
                push    6
                ; ...
                call    SomeFunction
                test    eax, eax


Is this code passing a function pointer to SomeFunction?
Code Select

typedef BOOL(_stdcall *pfSomeFunction)(int, int, pfAnotherFunction);

Kp

#1
December 08, 2003, 01:27 PM
Looks like it, yes.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

K

#2
December 09, 2003, 04:13 PM
Thanks for the help with these basic questions.  I've got a couple more:

Code Select

mov     ecx, [ebp+arg_C]
mov     ecx, [ecx]


does this indicate that arg_C is a pointer of some type?

IDA generated this:
Code Select

AdminEventCallback proc near

arg_0           = dword ptr  8
event_id        = dword ptr  0Ch
arg_C           = dword ptr  14h

; .....

retn 10h


there are three arguments at 4 bytes each (12bytes), yet 16 are returned to the stack at the end -- is there an argument between event_id and arg_C that just isn't used and therefore isn't generated by IDA?

Adron

#3
December 09, 2003, 04:15 PM
1. Yes, arg_C seems to be a pointer.

2. Perhaps so. It's also possible that it is used in some way IDA doesn't notice - perhaps the address of event_id is taken and then indexed from?

K

#4
December 09, 2003, 04:38 PM Last Edit: December 09, 2003, 04:40 PM by K
Quote from: Adron on December 09, 2003, 04:15 PM
1. Yes, arg_C seems to be a pointer.

2. Perhaps so. It's also possible that it is used in some way IDA doesn't notice - perhaps the address of event_id is taken and then indexed from?


So the mystery argument would be offset 10h;

Code Select

arg_0          = dword ptr  8
event_id       = dword ptr  0Ch
arg_?          = dword ptr 10h
arg_C          = dword ptr  14h

; is this code referencing arg_?
; I get confused with the +/- offsets for local variables
; and arguments.
mov     eax, [ebp+arg_0]       ; ebp - 8 + 18h = ebp + 10h
and     dword ptr [eax+18h], 0 ; ebp + 8 + 18h = ebp + 20h

Adron

#5
December 09, 2003, 05:08 PM
Quote from: K on December 09, 2003, 04:38 PM

Code Select

; is this code referencing arg_?
; I get confused with the +/- offsets for local variables
; and arguments.
mov     eax, [ebp+arg_0]       ; ebp - 8 + 18h = ebp + 10h
and     dword ptr [eax+18h], 0 ; ebp + 8 + 18h = ebp + 20h


No, it's moving the value passed as arg_0 into eax. Then it's zeroing out a value at offset 0x18 from that. This means that arg_0 probably is a pointer to a struct.

K

#6
December 09, 2003, 05:31 PM
Quote from: Adron on December 09, 2003, 05:08 PM
No, it's moving the value passed as arg_0 into eax. Then it's zeroing out a value at offset 0x18 from that. This means that arg_0 probably is a pointer to a struct.

I see now.  Thanks for the help, I'm trying to get a handle on this  ;).
Print
|
Go Up Pages1
User actions