Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Hex-Rays and negative structure offsets (https://forum.exetools.com/showthread.php?t=19125)

jonwil 02-12-2019 04:59

Hex-Rays and negative structure offsets
 
I have the following structure definitions:
Code:

#pragma pack(push, 1)
struct Vector2
{
  float X;
  float Y;
};
#pragma pack(pop)
#pragma pack(push, 1)
struct Vector3
{
  float X;
  float Y;
  float Z;
};
#pragma pack(pop)
#pragma pack(push, 1)
struct VertClass
{
  Vector3 Vertexes[2];
  Vector3 Normals[2];
  int SmGroup;
  int Id;
  int BoneIndexes[2];
  int BoneWeights[2];
  int MaterialRemapIndex;
  int MaxVertColIndex;
  Vector2 TexCoord[4][2];
  Vector2 TexCoord2[4][2];
  Vector2 TexCoord3[4][2];
  Vector2 TexCoord4[4][2];
  Vector3 DiffuseColor[4];
  Vector3 SpecularColor[4];
  Vector3 DiffuseIllumination[4];
  float Alpha[4];
  int VertexMaterialIndex[4];
  Vector3 Tangent;
  Vector3 Binormal;
  Vector3 CrossProduct;
  int Attribute0;
  int Attribute1;
  int SharedSmGroup;
  int UniqueIndex;
  int ShadeIndex;
  VertClass *NextHash;
};
#pragma pack(pop)

Then in Hex-Rays I have this:
Code:

void __thiscall VertClass::Reset(VertClass *this)
{
  int *v1; // edi
  _DWORD *v2; // esi
  _DWORD *v3; // eax
  signed int v4; // ebp

  this->Vertexes[0].X = 0.0;
  this->Vertexes[0].Y = 0.0;
  this->Vertexes[0].Z = 0.0;
  this->Normals[0].X = 0.0;
  this->Normals[0].Y = 0.0;
  this->Normals[0].Z = 0.0;
  this->Vertexes[1].X = 0.0;
  this->Vertexes[1].Y = 0.0;
  this->Vertexes[1].Z = 0.0;
  this->Normals[1].X = 0.0;
  this->Normals[1].Y = 0.0;
  this->Normals[1].Z = 0.0;
  this->SmGroup = 0;
  this->Id = 0;
  this->MaxVertColIndex = 0;
  this->MaterialRemapIndex = 0;
  v1 = this->VertexMaterialIndex;
  v2 = (_DWORD *)&this->DiffuseColor[0].Z;
  v3 = (_DWORD *)&this->TexCoord[0][1].Y;
  v4 = 4;
  do
  {
    *(v2 - 2) = 1065353216;
    *(v2 - 1) = 1065353216;
    *v2 = 1065353216;
    v2[10] = 1065353216;
    v2[11] = 1065353216;
    v2[12] = 1065353216;
    v2[22] = 0;
    v2[23] = 0;
    v2[24] = 0;
    *(v1 - 4) = 1065353216;
    *v1 = -1;
    *(v3 - 3) = 0;
    *(v3 - 2) = 0;
    *(v3 - 1) = 0;
    *v3 = 0;
    v3[1] = 0;
    v3[2] = 0;
    v3[3] = 0;
    v3[4] = 0;
    v3[5] = 0;
    v3[6] = 0;
    v3[7] = 0;
    v3[8] = 0;
    v3[9] = 0;
    v3[10] = 0;
    v3[11] = 0;
    v3[12] = 0;
    v2 += 3;
    ++v1;
    v3 += 16;
    --v4;
  }
  while ( v4 );
  this->BoneIndexes[0] = 0;
  this->BoneIndexes[1] = 0;
  this->BoneWeights[0] = 100;
  this->BoneWeights[1] = 0;
  this->Attribute0 = 0;
  this->Attribute1 = 0;
  this->UniqueIndex = 0;
  this->ShadeIndex = 0;
  this->NextHash = NULL;
}

Does anyone know of a way to tell IDA that v2 and v3 point to the middle of a structure so it can print the correct structure members or any other way to make that code clearer without needing to manually calculate structure offsets?
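
As an added, stand-alone example (not code from the thread), the decompiled loop reproduced with the same raw v1/v2/v3 pointer arithmetic and then read back through the named members, so the manual offset calculation is confirmed by execution rather than by hand. The struct is the posted one with the fields collapsed onto fewer lines; `reset_loop`, `bits`, `is3`, `zero2` and `loop_resolves_to_members` are names chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#pragma pack(push, 1)                    /* same byte layout as the posted definitions */
typedef struct { float X, Y; } Vector2;
typedef struct { float X, Y, Z; } Vector3;
typedef struct VertClass {
  Vector3 Vertexes[2], Normals[2];
  int SmGroup, Id, BoneIndexes[2], BoneWeights[2], MaterialRemapIndex, MaxVertColIndex;
  Vector2 TexCoord[4][2], TexCoord2[4][2], TexCoord3[4][2], TexCoord4[4][2];
  Vector3 DiffuseColor[4], SpecularColor[4], DiffuseIllumination[4];
  float Alpha[4];
  int VertexMaterialIndex[4];
  Vector3 Tangent, Binormal, CrossProduct;
  int Attribute0, Attribute1, SharedSmGroup, UniqueIndex, ShadeIndex;
  struct VertClass *NextHash;
} VertClass;
#pragma pack(pop)

/* The decompiled loop, kept as raw pointer arithmetic; 1065353216 == 0x3F800000 == 1.0f. */
static void reset_loop(VertClass *vc) {
  int *v1 = vc->VertexMaterialIndex;
  uint32_t *v2 = (uint32_t *)&vc->DiffuseColor[0].Z;
  uint32_t *v3 = (uint32_t *)&vc->TexCoord[0][1].Y;
  for (int v4 = 4; v4; --v4, v2 += 3, ++v1, v3 += 16) {
    v2[-2] = v2[-1] = v2[0] = 0x3F800000u;     /* 8 bytes before .Z up to .Z: one Vector3 */
    v2[10] = v2[11] = v2[12] = 0x3F800000u;    /* +40 bytes: the next Vector3[4] array */
    v2[22] = v2[23] = v2[24] = 0;              /* +88 bytes: the array after that */
    v1[-4] = 0x3F800000;                       /* 16 bytes before VertexMaterialIndex */
    v1[0] = -1;
    for (int k = -3; k <= 12; ++k) v3[k] = 0;  /* 16 dwords = one whole Vector2[4][2] */
  }
}

/* Read back through char-sized copies so the uint32 writes above cannot be reordered past float reads. */
static uint32_t bits(const void *p) { uint32_t u; memcpy(&u, p, 4); return u; }
static int is3(const Vector3 *p, uint32_t w) { return bits(&p->X) == w && bits(&p->Y) == w && bits(&p->Z) == w; }
static int zero2(const Vector2 *t, int n) { while (n--) if (bits(&t[n].X) | bits(&t[n].Y)) return 0; return 1; }

/* Names every member the raw writes land on; returns 1 when all hold the loop's values. */
static int loop_resolves_to_members(void) {
  VertClass v; memset(&v, 0x55, sizeof v);   /* poison, so no zero is there by accident */
  reset_loop(&v);
  for (int i = 0; i < 4; ++i)                /* v2 steps 12 bytes (one Vector3), v1 one int */
    if (!is3(&v.DiffuseColor[i], 0x3F800000u) || !is3(&v.SpecularColor[i], 0x3F800000u) ||
        !is3(&v.DiffuseIllumination[i], 0) || bits(&v.Alpha[i]) != 0x3F800000u ||
        v.VertexMaterialIndex[i] != -1) return 0;
  /* v3 steps 64 bytes, a whole Vector2[4][2]: iteration i clears TexCoord, TexCoord2, ... in turn */
  return zero2(&v.TexCoord[0][0], 8) && zero2(&v.TexCoord2[0][0], 8) &&
         zero2(&v.TexCoord3[0][0], 8) && zero2(&v.TexCoord4[0][0], 8);
}
```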

Git 02-17-2019 03:49

Find your struct in Local Types and Edit it. See if it matches what you think it should be. Find your struct in Structures, open it up with ctrl-+ and you'll see all your struct members and their offsets (sorry, I'm sure you know all this). My point is - alignment. It can easily be different to what you think. If you are inputting your structs to IDA as a *.h file, rather than directly into Local Types, then there is an even bigger chance of the alignment being different. I'm never sure if alignment directives in *.h files fed to IDA get interpreted or not; IDA often seems to align struct members on a 4 byte boundary for a 32 bit PE and 8 bytes for a 64bit PE.

Actually, I'm wondering... you *did* give IDA your struct definitions, yes?

Git

Avalon 02-20-2019 06:43

Well, IDA has analyzed and defined in the stack setup:
Code:

int *v1; // edi
_DWORD *v2; // esi
_DWORD *v3; // eax

If you create a struct of 3 PDWORDs and apply it on the stack at v1, i.e.
Code:

struct SomeStruct
{
    PDWORD pdwField1;   // PDWORD is the Windows typedef for DWORD *
    PDWORD pdwField2;
    PDWORD pdwField3;
};

Then IDA will remove that *v2 and *v3, and they will become struct members on the stack, SomeStruct.pdwField2 and SomeStruct.pdwField3, which you can define as any pointer type you want, with the struct you defined.

computerline 02-20-2019 10:37

Did you post the original C source of that function? Hex-Rays can recognize negative offsets, but it needs to know the shape of the struct: http://www.hexblog.com/?p=63
