Question about a function argument: the `this` pointer
Below is the F5 pseudocode of a function, as generated by IDA.
Should this particular argument, `_DWORD *this` (the `this` pointer), be regarded as a real function argument or not?

_DWORD *__thiscall sub_464060(_DWORD *this, _DWORD *Src)
{
  _DWORD *v3; // edi
  bool v4; // cf
  unsigned int v5; // eax
  _DWORD *result; // eax
  int v7; // ebx
  void *v8; // eax
  _DWORD *v9; // ecx
  void *Srca; // [esp+14h] [ebp+8h]

  v3 = Src;
  this[4] = 0;
  this[5] = 0;
  v4 = Src[5] < 0x10u;
  v5 = Src[4];
  Srca = (void *)v5;
  if ( !v4 )
    v3 = (_DWORD *)*v3;
  if ( v5 >= 0x10 )
  {
    v7 = v5 | 0xF;
    if ( (v5 | 0xF) > 0x7FFFFFFF )
      v7 = 0x7FFFFFFF;
    if ( (unsigned int)(v7 + 1) < 0x1000 )
    {
      if ( v7 == -1 )
        v9 = 0;
      else
        v9 = operator new(v7 + 1);
    }
    else
    {
      if ( v7 + 36 <= (unsigned int)(v7 + 1) )
        sub_44B280();
      v8 = operator new(v7 + 36);
      if ( !v8 )
        invalid_parameter_noinfo_noreturn();
      v9 = (_DWORD *)(((unsigned int)v8 + 35) & 0xFFFFFFE0);
      *(v9 - 1) = v8;
    }
    *this = v9;
    memcpy(v9, v3, (size_t)Srca + 1);
    this[4] = Srca;
    result = this;
    this[5] = v7;
  }
  else
  {
    *(_OWORD *)this = *(_OWORD *)v3;
    this[4] = v5;
    result = this;
    this[5] = 15;
  }
  return result;
}
Corresponding ASM code:
; sub_464060 -- copies the object at Src into *this and returns this.
; Observed layout of both objects (DWORD indices as in the F5 output):
;   [+0..+0Fh] 16-byte inline buffer, or a pointer to an out-of-line buffer at [+0]
;   [+10h]     length-like field   (this[4] / Src[4])
;   [+14h]     capacity-like field (this[5] / Src[5]); 0Fh selects the inline form
; The shape (15-byte inline buffer, capacity capped at 7FFFFFFFh, large buffers
; 32-byte aligned with the raw pointer stashed just below them) looks like an MSVC
; std::string copy constructor -- confirm against the rest of the binary.
; Calling convention: __thiscall. `this` arrives in ECX (see mov esi, ecx below),
; not on the stack; Src is the only stack argument, which is why the call sites
; show a single pushed argument and why the function ends with retn 4.
sub_464060 proc near ; CODE XREF: sub_44C6D0+5A2↑p
Src= dword ptr 8 ; the single stack argument, at [ebp+8]
 push ebp
 mov ebp, esp
 push ebx
 push esi
 mov esi, ecx ; ESI = this (passed in ECX under __thiscall)
 push edi
 mov edi, [ebp+Src] ; EDI = Src
 mov dword ptr [esi+10h], 0 ; this[4] = 0
 mov dword ptr [esi+14h], 0 ; this[5] = 0
 cmp dword ptr [edi+14h], 10h ; is Src[5] (capacity) < 10h ? -> Src's data is inline
 mov eax, [edi+10h] ; EAX = Src[4] (length); kept in EAX across the branch
 mov [ebp+Src], eax ; reuse the argument slot as a spill of the length (F5's Srca)
 jb short loc_464087 ; inline source: EDI already points at the 16-byte buffer
 mov edi, [edi] ; out-of-line source: EDI = *Src (buffer pointer)
loc_464087: ; CODE XREF: sub_464060+23↑j
 cmp eax, 10h ; length >= 10h ? -> needs a heap buffer
 jnb short loc_4640A6
 ; --- short path: the 16 inline bytes are copied as one XMM load/store ---
 movups xmm0, xmmword ptr [edi]
 mov ebx, 0Fh ; capacity = 15
 pop edi
 movups xmmword ptr [esi], xmm0 ; *(16 bytes)this = source bytes
 mov [esi+10h], eax ; this[4] = length
 mov eax, esi ; return value = this
 mov [esi+14h], ebx ; this[5] = 15
 pop esi
 pop ebx
 pop ebp
 retn 4 ; callee pops the one stack argument (Src)
loc_4640A6: ; CODE XREF: sub_464060+2A↑j
 ; --- long path: EBX = new capacity = min(length | 0Fh, 7FFFFFFFh) ---
 mov ebx, eax
 mov eax, 7FFFFFFFh
 or ebx, 0Fh
 cmp ebx, eax
 cmova ebx, eax ; clamp to 7FFFFFFFh (unsigned compare)
 lea eax, [ebx+1] ; EAX = capacity + 1 = bytes requested
 cmp eax, 1000h
 jb short loc_4640E4 ; requests below 1000h bytes use a plain operator new
 ; large request: add 23h (35) bytes so the block can be aligned to 32 bytes
 ; and the raw pointer kept in front of the aligned block
 lea ecx, [eax+23h]
 cmp ecx, eax
 jbe short loc_46411A ; size + 35 wrapped around (unsigned) -> sub_44B280, no return path back
 push ecx ; Size
 call ??2@YAPAXI@Z ; operator new(uint)
 add esp, 4
 test eax, eax
 jz short loc_4640DE ; allocation returned NULL -> _invalid_parameter_noinfo_noreturn
 lea ecx, [eax+23h]
 and ecx, 0FFFFFFE0h ; ECX = raw pointer rounded up to a 32-byte boundary
 mov [ecx-4], eax ; stash the raw pointer just below the aligned block (presumably for the matching deallocation)
 jmp short loc_4640F7
loc_4640DE: ; CODE XREF: sub_464060+71↑j
 call ds:_invalid_parameter_noinfo_noreturn
loc_4640E4: ; CODE XREF: sub_464060+5D↑j
 test eax, eax
 jz short loc_4640F5 ; size 0 (capacity was -1) -> no allocation, NULL buffer
 push eax ; Size
 call ??2@YAPAXI@Z ; operator new(uint)
 add esp, 4
 mov ecx, eax ; ECX = new buffer
 jmp short loc_4640F7
loc_4640F5: ; CODE XREF: sub_464060+86↑j
 xor ecx, ecx ; ECX = NULL
loc_4640F7: ; CODE XREF: sub_464060+7C↑j ; sub_464060+93↑j
 ; ECX = destination buffer (possibly NULL), EDI = source data, EBX = capacity
 mov eax, [ebp+Src] ; EAX = saved length
 inc eax ; copy length + 1 bytes (one byte past the length, presumably the terminator)
 mov [esi], ecx ; *this = buffer pointer
 push eax ; Size
 push edi ; Src
 push ecx ; void *
 call memcpy
 mov eax, [ebp+Src]
 add esp, 0Ch
 mov [esi+10h], eax ; this[4] = length
 mov eax, esi ; return value = this
 mov [esi+14h], ebx ; this[5] = capacity
 pop edi
 pop esi
 pop ebx
 pop ebp
 retn 4 ; callee pops the one stack argument (Src)
loc_46411A: ; CODE XREF: sub_464060+64↑j
 call sub_44B280 ; overflow handler; nothing follows, so it is not expected to return
sub_464060 endp
Yes, `this` is a pointer to the object's instance data, which is normal for OOP code. Without it, the best the code could do is access the class's static data.
But based on IDA, we notice that another call to the same function passes only one argument (i.e., the last one). I guess the F5 analysis is not reliable or consistent.
The thiscall calling convention:
this = ECX, RCX.