Reputation: 315
Decompiling - _thiscall expression
I'm using Hex-Rays's IDA Pro to decompile a binary. I have this switch:
case 0x35:
CField::OnDesc_MAYB(v6, a6);
break;
case 0x36:
(*(void (__thiscall **)(_DWORD, _DWORD))(*(_DWORD *)(a1 - 8) + 28))(a1 - 8, a6);
break;
case 0x3A:
CField::OnWarnMessage(v6, a6);
break;
If you look at case 0x36:, I can't understand this statement. Usually I just point at the function and decode it using the F5 shotcut, however, I don't understand what this statement means? How can I decode it to view it's code?
Thanks.
Upvotes: 0
Views: 557
Answers (1)
Reputation: 848
case 0x36 is invoking a virtual function, or at least what Hex-Rays believes to be a virtual function. Consider the following pseudo C++ code (excluded reinterpret_cast to brevity, etc), which deconstructs that one line.
// in VC++, 'this' is usually passed via ECX register
typedef void (__thiscall* member_function_t)(_DWORD this_ptr, _DWORD arg_0);
// a1's declaration wasn't included in your post, so I'm making an assumption here
byte* a1 = address_of_some_child_object;
// It would appear a1 is a pointer to an object which has multiple vftables (due to multiple inheritance/interfaces)
byte*** base_object = (byte***)(a1 - 8);
// Dereference the pointer at a1[-8] to get the base's vftable pointer (constant list of function pointers for the class's virtual funcs)
// a1[0] would probably be the child/interface's vftable pointer
byte** base_object_vftable = *base_object;
// 28 / sizeof(void*) = 8th virtual function in the vftable
byte* base_object_member_function = base_object_vftable[28];
auto member_function = (member_function_t)base_object_member_function;
// case 0x36 simplified using a __thiscall function pointer
member_function((_DWORD)base_object, a6)
Deconstructed from:
(
*(
void (__thiscall **)(_DWORD, _DWORD)
)
(*
(_DWORD *)(a1 - 8) + 28
)
)
(a1 - 8, a6);
If you're unfamiliar with __thiscall calling convention, or how virtual functions are typically implemented in C++, you should probably read up on them before trying to reverse engineer programs which use them.
You could start with these breakdowns:
Upvotes: 1
Related Questions
- How do I interpret this disassembled code in IDA?
- De-compiling a C function but obtaining a strange code (too many args, double-free)
- How to simplify a function referencing itself as argument ? (and what does this mean)
- How to read this decompiled statement?
- How to rename a function in IDA Pro?
- How to analyze the function call (sub_41A1b8) for solving crackme with IDA Pro?
- Disassembling c function in Ida pro
- Is decompiled __thiscall expression a pointer to a function?
- IDA pro 'this' keyword
- Confusing function