So, while using IDA to disassemble a dll, I came across this class function:
mov eax, [ecx+4]
mov eax, [eax]
retn
I know ecx means this and eax is the return value, but I fail to understand what it returns. Any help?
views:
80answers:
5
+3
A:
That function loads a pointer (into eax) at offset 4 from whatever ecx points to. Then it follows that pointer to load a 32-bit value into eax, which is returned from the function.
That's what the function does, but it's impossible to say what that means without a lot more context.
Greg Hewgill
2010-06-29 09:07:25
It's reasonably probable that it's returning the first int or reference member of a class with a vtable, or the second of a struct without one.
Pete Kirkham
2010-06-29 09:14:19
Can you show this in C or c++ syntax? Hex-Rays returns: return \*\*(DWORD \*\*)(this+4);Is that actually what the function does?
kotarou3
2010-06-29 09:24:55
kotarou3, explained with a "pic" in my answer, follow the "arrows" and you can convert in whatever language you're familiar with. You here are assuming the lang is C/C++, likely C++ if you talk about "this", and any other answer suggesting what it could be must assume a specific runtime; I think (but I am not sure of), C++ standards do not mandate how the runtime must be done, or even how a class or object is "done at lowlevel", so if there's no context, ...
ShinTakezou
2010-06-29 09:46:21
A:
My assembly is a bit rusty but the first instruction loads something into EAX ... something which is being pointed at by the contents of the ECX register ... but which is a word (4 bytes) offset therefrom. The next instruction is then loading (over-writing) EAX with whatever EAX is pointing at.
This notation (the square brackets surrounding the second or "source" operations of these MOV (load) instructions indicates that the indirect addressing modes are being used.
I'm guessing it's just a way to implement a sort of double-indirection. The address in register ECX may be pointing into the stack frame or perhaps into some attribute pointer of the C++ "this" to which you've referred. That address, in turn, holds the address of the return value. So this code pulls the address into a register, then uses that address in the register to pull a value (co-incidentally into the same register). This approach is nice in that it preserves all the other registers.
(Incidentally most of the x86 function calling paradigms --- system calls, DOS function calls, etc. leave function return codes or system errors ... errno in the stdlib C libraries, in the EAX register).
Jim Dennis
2010-06-29 09:12:44
A:
What a question. If ecx holds the pointer to a "this" structure, you have to know how it is done exactly. The first instr, gets the second dword, another pointer; what it could be? We can't know. This pointer now held in eax, likely points to another struct or whatever. The first pointed value is put in eax, and this is what the func returns.
ecx -------> dword dataA offset 0
dword dataB offset 4
mov eax, [ecx + 4]
eax = dataB ----> dword dataC offset 0
mov eax, [eax]
eax = dataC
What is dataC exactly, depends on a lot of things we can't know.
ShinTakezou
2010-06-29 09:19:43
A:
class C
{
int a;
int *b; // ecx+4
int get_b()
{
return *b;
}
}
Of course, the actual type of a and *b is unknown, but they're both 32-bit types. a could also be the pointer to the VMT, if the class has any virtual methods or destructors.
CyberShadow
2010-06-29 09:31:53
Oh, but in this class, ecx+4 is actually the function itself in the vftable. So what would this mean...?
kotarou3
2010-06-29 09:47:13
That doesn't change anything. The *pointer* to the vtable is stored in the first class field (`a` in my example).
CyberShadow
2010-06-29 10:06:50
Well, you already know that it's a pointer to a 32-bit value. You'll have to look at other code to see what it is. I would recommend looking at code that calls this function, but since you mentioned that this function is virtual you won't be able to simply get a list of cross-references. You could place a breakpoint in the function and examine the call stack to find code that calls it. You can also find the class's virtual method table, and look at other virtual functions to see if they operate on this value.
CyberShadow
2010-06-29 10:50:07
A:
This depends greatly on the calling convention used by the original compiler. A fairly normal setting for e.g. MSVC is to return 32 bit values in the eax register. @Gregs answer says what it does, but as he says, the meaning depends on knowing more details of the implementation language and compiler.
If you want to understand disassemblies, try viewing the results on your own (C/C++) code. It's really the only way to get a feeling for what happens in others' DLLs.
Pontus Gagge
2010-06-29 10:30:10