tags:

views:

70

answers:

4
Q: 

What would this register contain after...

I can't seem to figure out what eax contains after this peice of assembly:

mov     edi, [edi+4]
lea     eax, [edi+88h]

With edi pointing to a class

A: 

A long shot, since I know nothing about your class, but here goes anyway.

Do you have multiple inheritance? Perhaps edi+4 is the second virtual table, and [edi+4]+88h is a function pointer you wish to call? Or depending on your compiler, it might be that the virtual table is located at +4, in either case eax contains the address of the virtual function to call.

roe  2010-07-19 08:16:17
+1  A: 

Load Effective Address gets the actual address of the reference. For some arcane reason, the symbolic assembly is written as if it references the content of edi+88h, but what the instruction actually does is loading the value of the edi register plus the constant 088h (equivalent to mov eax, edi; add eax, 088h). I doubt edi+4 is a function pointer: more likely, it's a vtbl pointer or an array.

Pontus Gagge  2010-07-19 08:17:51
Wait, isn't a class similar to a vftable? Well actually, edi points to vftable and edi+4 points to a function in the vftable
kotarou3  2010-07-19 08:32:42
If there is multiple inheritance involved, the compiler may implement it via multiple vtable pointers (http://en.wikipedia.org/wiki/Virtual_method_table). [edi+4] may be loading a secondary vtable, in which there's a function at offset 088h. Perhaps you should say why you're so sure edi+4 is a function pointer?
Pontus Gagge  2010-07-19 08:44:01
Actually, as I think about it more... It might not be a pointer to a function
kotarou3  2010-07-19 10:58:46
A: 

Based on the use of edi, it probably ends up pointing to a memory location, but lea isn't always used like this: http://en.wikipedia.org/wiki/Addressing_mode#Useful_side_effect.

altie  2010-07-20 01:56:06
A:  
mov     edi, [edi+4]
lea     eax, [edi+88h]

    edi points here after 'mov'
    .
    xxxx....................
    |                      ^
xxxx....                   eax points here after 'lea'
^
edi pointed here before 'mov'

char* edi;
void* eax;

edi = *(char**)(edi+4);
eax = edi+0x88;

It looks like some record is just getting accessed there.

Cheery  2010-07-20 16:52:41

related questions

Wrapping Visual C++ in C#
Open source ER diagramming tool for mysql
What are the best ways to understand an unfamiliar database?
Is reverse engineering evil?
Best way to inject functionality into a binary...
Good techniques for understanding someone else's code
How is the photoshop cutout filter implemented?
Best way to reverse-engineer a web service interface from a WSDL file?
How to reverse engineer undocumented legacy application?
Is there a C++ decompiler?
What's a good C decompiler?
Reverse engineering war stories
How do I decompile a .NET EXE into readable C# source code?
Creating a new rrd database based on an existing one
how are serial generators / cracks developed?
Is it legal to reverse engineer binary file formats
How would you go about reverse engineering a set of binary data pulled from a device?
Reverse Engineering C# code using StarUML
What are the best tools for reverse engineering z80 machine code?
Sequence Diagram Reverse Engineering
Stored procedures reverse engineering
How do I disassemble a VC++ application?
best tool to reverse-engineer a WinXP PS/2 touchpad driver?
Reverse engineer (oracle) schema to ERD
Annotating YouTube videos programatically