A Quiz in Advanced RE (Asm/C)

[chants]

For the first question for some more interesting detail (its very compiler specific of course), taken from StackOverflow

Quote:

https://stackoverflow.com/questions/1473935/can-the-size-of-pointers-vary-between-data-and-function-pointers

:

Quote:

> type ppp.c
#include <stdio.h>
#include <stdlib.h>

int global = 0;

int main(void) {
int local = 0;
static int staticint = 0;
int *mall;
int (*fx)(void);

fx = main;
mall = malloc(42); /* assume it worked */
printf("#sizeof pointer to local: %d\n", (int)sizeof &local);
printf("#sizeof pointer to static: %d\n", (int)sizeof &staticint);
printf("#sizeof pointer to malloc'd: %d\n", (int)sizeof mall);
printf("#sizeof pointer to global: %d\n", (int)sizeof &global);
printf("#sizeof pointer to main(): %d\n", (int)sizeof fx);
free(mall);
return 0;
}
> tcc -mc ppp.c
Turbo C Version 2.01 ...
warnings about unused variables elided ...
Turbo Link Version 2.0 ...
> ppp
#sizeof pointer to local: 4
#sizeof pointer to static: 4
#sizeof pointer to malloc'd: 4
#sizeof pointer to global: 4
#sizeof pointer to main(): 2
> tcc -mm ppp.c
> ppp
#sizeof pointer to local: 2
#sizeof pointer to static: 2
#sizeof pointer to malloc'd: 2
#sizeof pointer to global: 2
#sizeof pointer to main(): 4
tcc -mc generates code in the "compact" model; tcc -mm generates code in the "medium" model

I did not know about the __ptr32/64 but that's also quite interesting since in ASM, 64-bit often uses 32-bit relative displacements and not raw 64-bit addresses.

A pointer to a function pointer is data again too and so the function pointer is much more specific.

3) as far as I know its the captures that are on the temporary object, and the actual function arguments are passed per __thiscall logic.

I did not give any interviews with these questions but it would be interesting to see what creative answers people would come up with. Obviously these are a bit to technical and advanced to do more than probe and analyze people's knowledge a bit. Would be interesting to see them used for a "Senior Reverse Engineer" job or the like .

[zeffy]

Quote:

Originally Posted by chants

3) as far as I know its the captures that are on the temporary object, and the actual function arguments are passed per __thiscall logic.

Oops, you're right. I knew that but mixed up the terminology (captures vs arguments), heh.

Here's an example of how MSVC seems to implement lambdas:

Code:

bool normal_function()
{
    int a, b, c;
    int d = 0;
    int e = 0;
    int f = 0;

    return [a, b, c](int, int, int) -> bool {
        return true;
    }(d, e, f);
}

Which is compiled into something resembling this:

Code:

bool normal_function()
{
    class lambda_class
    {
        int *a_;
        int *b_;
        int *c_;

    public:
        lambda_class(int *a, int *b, int *c)
            : a_(a), b_(c), c_(c)
        {
        }

        bool operator()(int d, int e, int f)
        {
            return true;
        }
    };

    int a, b, c;
    int d = 0;
    int e = 0;
    int f = 0;

    return lambda_class(&a, &b, &c)(d, e, f);
}