K (December 8, 2003, 7:19 PM):

[code]
; ...
push    offset sub_11802190
push    7
push    6
; ...
call    SomeFunction
test    eax, eax
[/code]

Is this code passing a function pointer to SomeFunction?

[code]
typedef BOOL(_stdcall *pfSomeFunction)(int, int, pfAnotherFunction);
[/code]
Kp (December 8, 2003, 7:27 PM):

Looks like it, yes.
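The call from the first post, worked through in C as an added example (this is not code from the thread). Both stdcall and cdecl push arguments right to left, so `push offset sub_11802190; push 7; push 6; call SomeFunction` is the call `SomeFunction(6, 7, sub_11802190)` with the address of sub_11802190 as the third (pfAnotherFunction) parameter, and `test eax, eax` checks the BOOL it returns. The thread does not give the signature of sub_11802190, so a no-argument BOOL function is assumed; the body of SomeFunction, the constructed listing, and the names reconstruct_call, call_as_in_listing and callback_hit_count are all made up for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the listing from the post, in the order IDA shows it. */
static const char *const listing[] = {
    "push    offset sub_11802190",
    "push    7",
    "push    6",
    "call    SomeFunction",
    "test    eax, eax",
};
#define LISTING_LEN (sizeof listing / sizeof listing[0])

static const char *skip_ws(const char *p) {
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* Collect the operands of the `push` instructions that precede the first
 * `call`, then emit them as a C call expression.  Arguments are pushed right
 * to left, so the push nearest the call is the first parameter.  "offset X"
 * is an immediate address (here the function sub_11802190), so only X is
 * kept.  Returns the argument count, or -1 if no call is found, too many
 * pushes precede it, or the output buffer is too small. */
int reconstruct_call(const char *const *lines, size_t n, char *out, size_t outsz) {
    const char *args[16];
    size_t nargs = 0;
    const char *callee = NULL;
    for (size_t i = 0; i < n && callee == NULL; i++) {
        const char *p = skip_ws(lines[i]);
        if (strncmp(p, "push", 4) == 0 && isspace((unsigned char)p[4])) {
            if (nargs == sizeof args / sizeof args[0]) return -1;
            p = skip_ws(p + 4);
            if (strncmp(p, "offset ", 7) == 0) p = skip_ws(p + 7);
            args[nargs++] = p;
        } else if (strncmp(p, "call", 4) == 0 && isspace((unsigned char)p[4])) {
            callee = skip_ws(p + 4);
        }
    }
    if (callee == NULL) return -1;
    int len = snprintf(out, outsz, "%s(", callee);
    if (len < 0 || (size_t)len >= outsz) return -1;
    for (size_t i = nargs; i-- > 0; ) {            /* last push = first argument */
        int k = snprintf(out + len, outsz - (size_t)len, "%s%s", args[i], i ? ", " : "");
        if (k < 0 || (size_t)k >= outsz - (size_t)len) return -1;
        len += k;
    }
    if ((size_t)len + 1 >= outsz) return -1;
    out[len] = ')';
    out[len + 1] = '\0';
    return (int)nargs;
}

/* The typedef from the post plus what it needs to compile.  The signature of
 * sub_11802190 / pfAnotherFunction is not in the thread: a no-argument BOOL
 * function is assumed.  Outside 32-bit x86 there is no stdcall, so the macro
 * collapses to nothing; passing the pointer works the same way. */
#if defined(_MSC_VER)
#  define STDCALL __stdcall
#elif defined(__i386__)
#  define STDCALL __attribute__((stdcall))
#else
#  define STDCALL
#endif
typedef int BOOL;
typedef BOOL (STDCALL *pfAnotherFunction)(void);                      /* assumed */
typedef BOOL (STDCALL *pfSomeFunction)(int, int, pfAnotherFunction);

static int callback_hits;                     /* times the pointer was called through */
static BOOL STDCALL sub_11802190(void) { callback_hits++; return 1; }

/* Made-up stand-in for SomeFunction: it calls through its third argument. */
static BOOL STDCALL SomeFunction(int a, int b, pfAnotherFunction cb) {
    return (a == 6 && b == 7) ? cb() : 0;
}

/* The call as the listing makes it: push sub_11802190, push 7, push 6, call. */
BOOL call_as_in_listing(void) {
    pfSomeFunction fn = SomeFunction;
    return fn(6, 7, sub_11802190);
}

int callback_hit_count(void) { return callback_hits; }

int main(void) {
    char buf[128];
    int n = reconstruct_call(listing, LISTING_LEN, buf, sizeof buf);
    printf("%d argument(s): %s\n", n, buf);
    printf("result=%d, callback called %d time(s)\n", call_as_in_listing(), callback_hit_count());
    return 0;
}
```

reconstruct_call only reads the pushes that sit directly before the call; in real listings a `push` can feed an earlier call or be balanced by an `add esp`, so it is a reading aid for a snippet like this one, not a general decompiler.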
K (December 9, 2003, 10:13 PM):

Thanks for the help with these basic questions. I've got a couple more:

[code]
mov     ecx, [ebp+arg_C]
mov     ecx, [ecx]
[/code]

Does this indicate that arg_C is a pointer of some type? IDA generated this:

[code]
AdminEventCallback proc near
arg_0           = dword ptr  8
event_id        = dword ptr  0Ch
arg_C           = dword ptr  14h
; .....
                retn    10h
[/code]

There are three arguments at 4 bytes each (12 bytes), yet 16 are returned to the stack at the end -- is there an argument between event_id and arg_C that just isn't used and therefore isn't generated by IDA?
Adron (December 9, 2003, 10:15 PM):

1. Yes, arg_C seems to be a pointer.
2. Perhaps so. It's also possible that it is used in some way IDA doesn't notice - perhaps the address of event_id is taken and then indexed from?
K (December 9, 2003, 10:38 PM):

[quote author=Adron link=board=7;threadid=4151;start=0#msg34495 date=1071008133]
1. Yes, arg_C seems to be a pointer.
2. Perhaps so. It's also possible that it is used in some way IDA doesn't notice - perhaps the address of event_id is taken and then indexed from?
[/quote]

So the mystery argument would be offset 10h:

[code]
arg_0           = dword ptr  8
event_id        = dword ptr  0Ch
arg_?           = dword ptr  10h
arg_C           = dword ptr  14h

; is this code referencing arg_?
; I get confused with the +/- offsets for local variables
; and arguments.
                mov     eax, [ebp+arg_0]        ; ebp - 8 + 18h = ebp + 10h
                and     dword ptr [eax+18h], 0  ; ebp + 8 + 18h = ebp + 20h
[/code]
Adron (December 9, 2003, 11:08 PM):

[quote author=K link=board=7;threadid=4151;start=0#msg34512 date=1071009534]
[code]
; is this code referencing arg_?
; I get confused with the +/- offsets for local variables
; and arguments.
                mov     eax, [ebp+arg_0]        ; ebp - 8 + 18h = ebp + 10h
                and     dword ptr [eax+18h], 0  ; ebp + 8 + 18h = ebp + 20h
[/code]
[/quote]

No, it's moving the value passed as arg_0 into eax. Then it's zeroing out a value at offset 0x18 from that. This means that arg_0 probably is a pointer to a struct.
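The frame layout behind the last two exchanges, worked through in C as an added example (not code from the thread). In an ebp-based frame [ebp+0] holds the saved ebp and [ebp+4] the return address, so the first stack argument is [ebp+8], and IDA names each argument by its distance from that slot: arg_0 at 8, arg_4 at 0Ch, arg_8 at 10h, arg_C at 14h. The listing's arg_C at 14h is therefore the fourth argument, the unreferenced slot at 10h would be arg_8, and `retn 10h` popping four dwords agrees with that. The `and dword ptr [eax+18h], 0` reads as clearing a field at offset 0x18 of the object arg_0 points to, and `mov ecx, [ebp+arg_C]; mov ecx, [ecx]` as dereferencing arg_C. The struct name AdminEvent, the field name field_18, the helper names ebp_offset_to_arg, stdcall_arg_count and list_arg_slots, and the sample data are all made up; nothing in the thread says what lies at the other offsets of the struct.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout of the object arg_0 points to.  The thread shows only
 * one access, `and dword ptr [eax+18h], 0`, so only the dword at 0x18 is
 * known; everything before it is opaque padding. */
struct AdminEvent {
    uint8_t  unknown_00[0x18];   /* 0x00..0x17: not touched by the listing */
    uint32_t field_18;           /* 0x18: cleared by the callback */
};
_Static_assert(offsetof(struct AdminEvent, field_18) == 0x18, "field_18 must sit at +18h");

/* IDA's arg_N name for a dword at [ebp+ebp_offset]: N is the distance from
 * the first argument slot at [ebp+8].  Returns -1 if the offset is not a
 * dword argument slot (below 8, or not dword aligned). */
int ebp_offset_to_arg(int ebp_offset) {
    if (ebp_offset < 8 || (ebp_offset & 3) != 0) return -1;
    return ebp_offset - 8;
}

/* `retn N` pops N bytes of arguments after the return address; on stdcall
 * that is the whole argument area, so retn 10h means four dword arguments. */
int stdcall_arg_count(int retn_bytes) {
    return retn_bytes / 4;
}

/* Walk every argument slot implied by `retn N`, print each one when out is
 * not NULL, and return how many slots the listing did not name.
 * named_offsets/names describe the slots IDA emitted. */
int list_arg_slots(int retn_bytes, const int *named_offsets, const char *const *names,
                   size_t n_named, FILE *out) {
    int unnamed = 0;
    for (int i = 0; i < stdcall_arg_count(retn_bytes); i++) {
        int off = 8 + 4 * i;
        const char *name = NULL;
        for (size_t j = 0; j < n_named; j++)
            if (named_offsets[j] == off) name = names[j];
        if (name == NULL) {
            unnamed++;
            if (out) fprintf(out, "[ebp+%02Xh]  arg_%X  (not referenced in the listing)\n",
                             off, ebp_offset_to_arg(off));
        } else if (out) {
            fprintf(out, "[ebp+%02Xh]  %s\n", off, name);
        }
    }
    return unnamed;
}

/* C reading of the two instruction pairs from the thread, with the unnamed
 * slot kept as arg_8.  `mov eax,[ebp+arg_0]; and dword ptr [eax+18h],0` is
 * ev->field_18 = 0, and `mov ecx,[ebp+arg_C]; mov ecx,[ecx]` is *arg_C,
 * returned here so the effect is observable. */
uint32_t AdminEventCallback(struct AdminEvent *ev, uint32_t event_id,
                            uint32_t arg_8, const uint32_t *arg_C) {
    (void)event_id; (void)arg_8;          /* not used by the fragments shown */
    ev->field_18 = 0;
    return *arg_C;
}

int main(void) {
    static const int offs[] = { 0x8, 0xC, 0x14 };            /* from the IDA listing */
    static const char *const names[] = { "arg_0", "event_id", "arg_C" };
    printf("retn 10h -> %d dword arguments\n", stdcall_arg_count(0x10));
    int gaps = list_arg_slots(0x10, offs, names, 3, stdout);
    printf("%d slot(s) not named by IDA\n", gaps);

    struct AdminEvent ev = { {0}, 0xFFFFFFFFu };                 /* constructed sample object */
    uint32_t value = 42;
    uint32_t got = AdminEventCallback(&ev, 1, 0, &value);
    printf("field_18 after call = %#x, *arg_C = %u\n", ev.field_18, got);
    return 0;
}
```

The offsetof check is the useful habit here: once a struct is sketched from field accesses like [eax+18h], a compile-time assertion on each recovered offset keeps the C model honest as more fields are filled in.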
K (December 9, 2003, 11:31 PM):

[quote author=Adron link=board=7;threadid=4151;start=0#msg34521 date=1071011318]
No, it's moving the value passed as arg_0 into eax. Then it's zeroing out a value at offset 0x18 from that. This means that arg_0 probably is a pointer to a struct.
[/quote]

I see now. Thanks for the help, I'm trying to get a handle on this ;).