Exetools question about the function argument-- this pointer


#1
09-22-2022, 02:55
 zhgong007 Family Join Date: May 2011 Posts: 237 Rept. Given: 17 Rept. Rcvd 299 Times in 45 Posts Thanks Given: 26 Thanks Rcvd at 360 Times in 99 Posts
question about the function argument-- this pointer

Below is the F5 (decompiler) output of a function, as generated by IDA:

so "_DWORD *this"

Should this particular argument (the `this` pointer) be regarded as a real function argument, or not?

// Decompiler (Hex-Rays) pseudocode of sub_464060.
// __thiscall: `this` arrives in ECX and Src is the only stack argument (the
// listing below ends with `retn 4`). `this` is therefore a real input of the
// function even though the caller never pushes it.
// Object layout as visible from the accesses here: this[0..3] = 16-byte inline
// buffer or a heap pointer, this[4] = length, this[5] = capacity; 0x10 / 15 are
// the inline threshold / inline capacity.
// NOTE(review): this layout and these constants are consistent with an MSVC
// std::string copy constructor, but that is an inference, not shown here.
_DWORD *__thiscall sub_464060(_DWORD *this, _DWORD *Src)
{
_DWORD *v3; // edi
bool v4; // cf
unsigned int v5; // eax
_DWORD *result; // eax
int v7; // ebx
void *v8; // eax
_DWORD *v9; // ecx
void *Srca; // [esp+14h] [ebp+8h]

v3 = Src;                              // v3 = source data pointer (inline buffer by default)
this[4] = 0;                           // this->length = 0
this[5] = 0;                           // this->capacity = 0
v4 = Src[5] < 0x10u;                   // source capacity < 0x10 -> its data is inline
v5 = Src[4];                           // v5 = source length
Srca = (void *)v5;                     // length stashed in the Src stack slot (reused below)
if ( !v4 )
v3 = (_DWORD *)*v3;                    // large source: data lives behind the heap pointer at Src[0]
if ( v5 >= 0x10 )
{
v7 = v5 | 0xF;                         // new capacity: length rounded up to 16n-1
if ( (v5 | 0xF) > 0x7FFFFFFF )
v7 = 0x7FFFFFFF;                       // clamp, so v7 + 1 (and v7 + 36) cannot wrap below
if ( (unsigned int)(v7 + 1) < 0x1000 )
{
if ( v7 == -1 )
v9 = 0;                                // not reachable after the clamp above (v7 <= 0x7FFFFFFF)
else
v9 = operator new(v7 + 1);             // small block: plain allocation; result is not null-checked here
}
else
{
if ( v7 + 36 <= (unsigned int)(v7 + 1) )
sub_44B280();                          // true only if v7 + 36 wrapped; cannot happen after the clamp, so this is defensive.
                                       // sub_44B280 presumably does not return (nothing after it is used) — unverified
v8 = operator new(v7 + 36);            // over-allocate 35 bytes: room for 32-byte alignment plus a back pointer
if ( !v8 )
invalid_parameter_noinfo_noreturn();   // large path does check for a null result
v9 = (_DWORD *)(((unsigned int)v8 + 35) & 0xFFFFFFE0); // round the raw pointer up to a 32-byte boundary
*(v9 - 1) = v8;                        // keep the raw pointer just below the aligned block (presumably for the matching free)
}
*this = v9;                            // this->ptr = heap buffer
memcpy(v9, v3, (size_t)Srca + 1);      // copy length + 1 bytes (presumably including the terminator)
this[4] = Srca;                        // this->length = length
result = this;
this[5] = v7;                          // this->capacity = v7
}
else
{
*(_OWORD *)this = *(_OWORD *)v3;       // short source: copy the whole 16-byte inline buffer at once
this[4] = v5;                          // this->length = length
result = this;
this[5] = 15;                          // inline capacity
}
return result;                         // returns this
}
#2
09-22-2022, 03:07
 zhgong007 Family Join Date: May 2011 Posts: 237 Rept. Given: 17 Rept. Rcvd 299 Times in 45 Posts Thanks Given: 26 Thanks Rcvd at 360 Times in 99 Posts
Corresponding ASM code:

;-----------------------------------------------------------------------
; _DWORD *__thiscall sub_464060(_DWORD *this, _DWORD *Src)
; ABI:   MSVC __thiscall, x86 (MASM/IDA syntax)
; In:    ecx      = this  (passed in a register, never pushed by the caller)
;        [ebp+8]  = Src   (the only stack argument, hence `retn 4`)
; Out:   eax = this
; Saved: ebx, esi, edi, ebp (pushed/popped below)
; Register roles: esi = this, edi = source data pointer,
;        ebx = new capacity, [ebp+Src] is reused as a spill slot for the
;        source length once the Src argument has been read.
; Object layout seen here: [+0] 16-byte inline buffer or heap pointer,
;        [+10h] length, [+14h] capacity; 0x10 / 0Fh = inline threshold / capacity.
;-----------------------------------------------------------------------
sub_464060 proc near ; CODE XREF: sub_44C6D0+5A2↑p

Src= dword ptr 8 ; offset of the single stack argument from ebp

push ebp
mov ebp, esp
push ebx
push esi
mov esi, ecx ; esi = this
push edi
mov edi, [ebp+Src] ; edi = Src object
mov dword ptr [esi+10h], 0 ; this->length = 0
mov dword ptr [esi+14h], 0 ; this->capacity = 0
cmp dword ptr [edi+14h], 10h ; source capacity < 10h (unsigned)? then data is inline ...
mov eax, [edi+10h] ; eax = source length (mov preserves the flags from cmp)
mov [ebp+Src], eax ; spill the length over the Src slot; Src itself is no longer needed
jb short loc_464087
mov edi, [edi] ; ... otherwise the data lives behind the heap pointer at Src[0]

loc_464087: ; CODE XREF: sub_464060+23↑j
cmp eax, 10h ; length >= 10h (unsigned) -> heap path
jnb short loc_4640A6
movups xmm0, xmmword ptr [edi] ; short case: copy the whole 16-byte inline buffer
mov ebx, 0Fh ; inline capacity = 15
pop edi
movups xmmword ptr [esi], xmm0
mov [esi+10h], eax ; this->length = length
mov eax, esi ; return this
mov [esi+14h], ebx ; this->capacity = 15
pop esi
pop ebx
pop ebp
retn 4 ; callee pops the single stack argument

loc_4640A6: ; CODE XREF: sub_464060+2A↑j
mov ebx, eax
mov eax, 7FFFFFFFh

or ebx, 0Fh ; capacity = length | 0Fh (rounded up to 16n-1)

cmp ebx, eax
cmova ebx, eax ; clamp capacity to 7FFFFFFFh so ebx+1 (and ebx+24h) cannot wrap
lea eax, [ebx+1] ; eax = allocation size = capacity + 1

cmp eax, 1000h ; below 1000h bytes -> plain allocation
jb short loc_4640E4

lea ecx, [eax+23h] ; ecx = size + 35: room for 32-byte alignment plus a back pointer
cmp ecx, eax ; did the +23h wrap? (cannot after the clamp above; defensive)
jbe short loc_46411A

push ecx ; Size
call ??2@YAPAXI@Z ; operator new(uint)

test eax, eax ; the aligned path does check for a null result ...
jz short loc_4640DE

lea ecx, [eax+23h]
and ecx, 0FFFFFFE0h ; ecx = raw pointer rounded up to a 32-byte boundary

mov [ecx-4], eax ; stash the raw pointer just below the aligned block (presumably for the matching free)
jmp short loc_4640F7

loc_4640DE: ; CODE XREF: sub_464060+71↑j
call ds:_invalid_parameter_noinfo_noreturn

loc_4640E4: ; CODE XREF: sub_464060+5D↑j
test eax, eax ; eax is in [10h, 1000h) on this path, so this zero test is never taken in practice
jz short loc_4640F5

push eax ; Size
call ??2@YAPAXI@Z ; operator new(uint)

mov ecx, eax ; ... while the plain path uses the result unchecked
jmp short loc_4640F7

loc_4640F5: ; CODE XREF: sub_464060+86↑j
xor ecx, ecx

loc_4640F7: ; CODE XREF: sub_464060+7C↑j
; sub_464060+93↑j
; Both allocation paths join here: ecx = data buffer, ebx = capacity, edi = source data.
mov eax, [ebp+Src] ; eax = spilled source length
inc eax ; copy length + 1 bytes (presumably including the terminator)
mov [esi], ecx ; this->ptr = buffer

push eax ; Size
push edi ; Src
push ecx ; void *
call memcpy
; NOTE(review): no `add esp, 0Ch` is shown after this cdecl-style call; either the
; listing was trimmed or this memcpy cleans its own arguments. Confirm before
; relying on the frame layout of the epilogue below.

mov eax, [ebp+Src]
mov [esi+10h], eax ; this->length = length

mov eax, esi ; return this

mov [esi+14h], ebx ; this->capacity = capacity
pop edi
pop esi
pop ebx
pop ebp
retn 4

loc_46411A: ; CODE XREF: sub_464060+64↑j
call sub_44B280 ; size-overflow path; nothing follows, so sub_44B280 presumably does not return — unverified

sub_464060 endp
#3
09-22-2022, 13:54
 arthur plank Friend Join Date: Jan 2005 Posts: 109 Rept. Given: 28 Rept. Rcvd 22 Times in 14 Posts Thanks Given: 20 Thanks Rcvd at 62 Times in 25 Posts
Quote:
 Originally Posted by zhgong007 so "_DWORD *this" — should this particular argument (the `this` pointer) be regarded as a real function argument, or not?
Yes, the 'this' is a pointer to the instance data for the object and is normal for OOP. Without it the best the code could do is access static data for the class.
#4
09-22-2022, 14:29
 zhgong007 Family Join Date: May 2011 Posts: 237 Rept. Given: 17 Rept. Rcvd 299 Times in 45 Posts Thanks Given: 26 Thanks Rcvd at 360 Times in 99 Posts
But in IDA we notice that another call to the same function appears to pass only one argument (i.e., the last one). I guess the F5 analysis is not reliable or consistent.

Quote:
 Originally Posted by arthur plank Yes, the 'this' is a pointer to the instance data for the object and is normal for OOP. Without it the best the code could do is access static data for the class.
#5
10-12-2022, 09:24
 TQN VIP Join Date: Apr 2003 Location: Vietnam Posts: 318 Rept. Given: 132 Rept. Rcvd 11 Times in 9 Posts Thanks Given: 111 Thanks Rcvd at 73 Times in 31 Posts
thiscall calling convention: `this` is passed in ECX (RCX in 64-bit code), not on the stack. That is why the call site appears to pass only one argument (Src) and why the function above starts with `mov esi, ecx` and ends with `retn 4`.



