Exetools  
#1  jonwil, 02-12-2019, 04:59
Hex-Rays and negative structure offsets

I have the following structure definitions:
Code:
#pragma pack(push, 1)
struct Vector2
{
  float X;
  float Y;
};
#pragma pack(pop)
#pragma pack(push, 1)
struct Vector3
{
  float X;
  float Y;
  float Z;
};
#pragma pack(pop)
#pragma pack(push, 1)
struct VertClass
{
  Vector3 Vertexes[2];
  Vector3 Normals[2];
  int SmGroup;
  int Id;
  int BoneIndexes[2];
  int BoneWeights[2];
  int MaterialRemapIndex;
  int MaxVertColIndex;
  Vector2 TexCoord[4][2];
  Vector2 TexCoord2[4][2];
  Vector2 TexCoord3[4][2];
  Vector2 TexCoord4[4][2];
  Vector3 DiffuseColor[4];
  Vector3 SpecularColor[4];
  Vector3 DiffuseIllumination[4];
  float Alpha[4];
  int VertexMaterialIndex[4];
  Vector3 Tangent;
  Vector3 Binormal;
  Vector3 CrossProduct;
  int Attribute0;
  int Attribute1;
  int SharedSmGroup;
  int UniqueIndex;
  int ShadeIndex;
  VertClass *NextHash;
};
#pragma pack(pop)
Then in HexRays I have this
Code:
void __thiscall VertClass::Reset(VertClass *this)
{
  int *v1; // edi
  _DWORD *v2; // esi
  _DWORD *v3; // eax
  signed int v4; // ebp

  this->Vertexes[0].X = 0.0;
  this->Vertexes[0].Y = 0.0;
  this->Vertexes[0].Z = 0.0;
  this->Normals[0].X = 0.0;
  this->Normals[0].Y = 0.0;
  this->Normals[0].Z = 0.0;
  this->Vertexes[1].X = 0.0;
  this->Vertexes[1].Y = 0.0;
  this->Vertexes[1].Z = 0.0;
  this->Normals[1].X = 0.0;
  this->Normals[1].Y = 0.0;
  this->Normals[1].Z = 0.0;
  this->SmGroup = 0;
  this->Id = 0;
  this->MaxVertColIndex = 0;
  this->MaterialRemapIndex = 0;
  v1 = this->VertexMaterialIndex;
  v2 = (_DWORD *)&this->DiffuseColor[0].Z;
  v3 = (_DWORD *)&this->TexCoord[0][1].Y;
  v4 = 4;
  do
  {
    *(v2 - 2) = 1065353216;
    *(v2 - 1) = 1065353216;
    *v2 = 1065353216;
    v2[10] = 1065353216;
    v2[11] = 1065353216;
    v2[12] = 1065353216;
    v2[22] = 0;
    v2[23] = 0;
    v2[24] = 0;
    *(v1 - 4) = 1065353216;
    *v1 = -1;
    *(v3 - 3) = 0;
    *(v3 - 2) = 0;
    *(v3 - 1) = 0;
    *v3 = 0;
    v3[1] = 0;
    v3[2] = 0;
    v3[3] = 0;
    v3[4] = 0;
    v3[5] = 0;
    v3[6] = 0;
    v3[7] = 0;
    v3[8] = 0;
    v3[9] = 0;
    v3[10] = 0;
    v3[11] = 0;
    v3[12] = 0;
    v2 += 3;
    ++v1;
    v3 += 16;
    --v4;
  }
  while ( v4 );
  this->BoneIndexes[0] = 0;
  this->BoneIndexes[1] = 0;
  this->BoneWeights[0] = 100;
  this->BoneWeights[1] = 0;
  this->Attribute0 = 0;
  this->Attribute1 = 0;
  this->UniqueIndex = 0;
  this->ShadeIndex = 0;
  this->NextHash = NULL;
}
Does anyone know of a way to tell IDA that v2 and v3 point to the middle of a structure so it can print the correct structure members or any other way to make that code clearer without needing to manually calculate structure offsets?
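The offset arithmetic asked about above, worked through as an added example. This script is not part of the original post or of any reply in the thread; it models the posted VertClass with Python's ctypes (packed to 1 byte, as in the `#pragma pack` directives) and decodes expressions such as `v2[10]`, `*(v1 - 4)` and `*(v3 - 3)` back into member names, so nothing has to be computed by hand. It assumes a 32-bit target (the function is `__thiscall`), so `NextHash` is modelled as a 4-byte value; the helper names `member_at`, `offset_of`, `resolve` and `loop_targets` are this example's own.

```python
import ctypes
import re
import struct


class Vector2(ctypes.Structure):
    _pack_ = 1
    _fields_ = [("X", ctypes.c_float), ("Y", ctypes.c_float)]


class Vector3(ctypes.Structure):
    _pack_ = 1
    _fields_ = [("X", ctypes.c_float), ("Y", ctypes.c_float), ("Z", ctypes.c_float)]


class VertClass(ctypes.Structure):
    # Same member order as the posted definition. NextHash is modelled as a
    # 4-byte value: the decompiled function is __thiscall, i.e. 32-bit (assumption).
    _pack_ = 1
    _fields_ = [
        ("Vertexes", Vector3 * 2), ("Normals", Vector3 * 2),
        ("SmGroup", ctypes.c_int32), ("Id", ctypes.c_int32),
        ("BoneIndexes", ctypes.c_int32 * 2), ("BoneWeights", ctypes.c_int32 * 2),
        ("MaterialRemapIndex", ctypes.c_int32), ("MaxVertColIndex", ctypes.c_int32),
        ("TexCoord", (Vector2 * 2) * 4), ("TexCoord2", (Vector2 * 2) * 4),
        ("TexCoord3", (Vector2 * 2) * 4), ("TexCoord4", (Vector2 * 2) * 4),
        ("DiffuseColor", Vector3 * 4), ("SpecularColor", Vector3 * 4),
        ("DiffuseIllumination", Vector3 * 4),
        ("Alpha", ctypes.c_float * 4), ("VertexMaterialIndex", ctypes.c_int32 * 4),
        ("Tangent", Vector3), ("Binormal", Vector3), ("CrossProduct", Vector3),
        ("Attribute0", ctypes.c_int32), ("Attribute1", ctypes.c_int32),
        ("SharedSmGroup", ctypes.c_int32), ("UniqueIndex", ctypes.c_int32),
        ("ShadeIndex", ctypes.c_int32), ("NextHash", ctypes.c_uint32),
    ]


def member_at(ctype, offset):
    """Member path (e.g. '.SpecularColor[0].X') covering byte `offset` of `ctype`,
    descending through nested arrays and structures down to a scalar."""
    if issubclass(ctype, ctypes.Array):
        elem = ctype._type_
        idx, rest = divmod(offset, ctypes.sizeof(elem))
        if idx >= ctype._length_:
            raise ValueError("offset %d is past the end of the array" % offset)
        return "[%d]" % idx + member_at(elem, rest)
    if issubclass(ctype, ctypes.Structure):
        for name, ftype in ((f[0], f[1]) for f in ctype._fields_):
            field = getattr(ctype, name)          # CField: has .offset and .size
            if field.offset <= offset < field.offset + field.size:
                return "." + name + member_at(ftype, offset - field.offset)
        raise ValueError("offset %d is outside %s" % (offset, ctype.__name__))
    if offset:
        raise ValueError("offset %d lands in the middle of a scalar" % offset)
    return ""


def offset_of(ctype, path):
    """Byte offset of a member path such as 'TexCoord[0][1].Y' inside `ctype`."""
    off = 0
    for tok in re.findall(r"[A-Za-z_]\w*|\[\d+\]", path):
        if tok.startswith("["):                   # array subscript
            elem = ctype._type_
            off += int(tok[1:-1]) * ctypes.sizeof(elem)
            ctype = elem
        else:                                     # structure member
            off += getattr(ctype, tok).offset
            ctype = dict((f[0], f[1]) for f in ctype._fields_)[tok]
    return off


def resolve(base, index, elem_size=4):
    """Decode decompiler arithmetic like v2[10] or *(v1 - 4): `base` is the member
    the pointer was initialised to, `index` the (possibly negative) element displacement."""
    return member_at(VertClass, offset_of(VertClass, base) + index * elem_size).lstrip(".")


def loop_targets(base, stride, indices, iterations):
    """Members touched in each iteration of a loop that starts at `base` and
    advances the pointer by `stride` elements per iteration."""
    return [[resolve(base, i * stride + k) for k in indices] for i in range(iterations)]


def as_float(bits):
    """Reinterpret a 32-bit integer constant as the IEEE-754 float it encodes."""
    return struct.unpack("<f", struct.pack("<I", bits))[0]


if __name__ == "__main__":
    print("sizeof(VertClass) =", ctypes.sizeof(VertClass), "; 1065353216 =", as_float(1065353216))
    for expr, base, idx in [("*(v2 - 2)", "DiffuseColor[0].Z", -2), ("v2[10]", "DiffuseColor[0].Z", 10),
                            ("v2[22]", "DiffuseColor[0].Z", 22), ("*(v1 - 4)", "VertexMaterialIndex", -4),
                            ("*(v3 - 3)", "TexCoord[0][1].Y", -3)]:
        print("%-10s -> this->%s" % (expr, resolve(base, idx)))
    for i, row in enumerate(loop_targets("TexCoord[0][1].Y", 16, (-3, 12), 4)):
        print("v3 loop, iteration %d zeroes %s .. %s" % (i, row[0], row[1]))
```

Running it shows that `*(v1 - 4)` is `Alpha[i]`, `v2[10..12]` is `SpecularColor[i]`, `v2[22..24]` is `DiffuseIllumination[i]`, and that the 16-dword stride of `v3` walks from `TexCoord` into `TexCoord2`, `TexCoord3` and `TexCoord4` in successive iterations, so each iteration clears one whole 64-byte texcoord array. The byte offsets `offset_of` returns are also what a shifted-pointer type in Hex-Rays needs (the `__shifted(parent, delta)` attribute on a pointer type, in IDA versions that support it) if you want the decompiler itself to print the members instead of raw indexing.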
#2  Git, 02-17-2019, 03:49
Find your struct in Local Types and Edit it. See if it matches what you think it should be. Find your struct in Structures, open it up with ctrl-+ and you'll see all your struct members and their offsets (sorry, I'm sure you know all this). My point is - alignment. It can easily be different to what you think. If you are inputting your structs to IDA as a *.h file, rather than directly into Local Types, then there is an even bigger chance of the alignment being different. I'm never sure if alignment directives in *.h files fed to IDA get interpreted or not; IDA often seems to align struct members on a 4 byte boundary for a 32 bit PE and 8 bytes for a 64 bit PE.

Actually, I'm wondering... you *did* give IDA your struct definitions, yes?

Git
#3  Avalon, 02-20-2019, 06:43
Well, IDA has analyzed and defined in the stack setup:
Code:
int *v1; // edi
_DWORD *v2; // esi
_DWORD *v3; // eax
If you create a struct of 3 PDWORDs and apply it on the stack at v1, i.e.
Code:
struct SomeStruct
{
    PDWORD pdwField1;
    PDWORD pdwField2;
    PDWORD pdwField3;
};
Then IDA will remove that *v2 and *v3, and they will become struct members on the stack of SomeStruct.pdwField2 and SomeStruct.pdwField3, which you can define as any pointer type you want, with the struct you defined.
#4  computerline, 02-20-2019, 10:37
Did you post the original C source of that function? Hex-Rays can recognize negative offsets, but it needs to know the shape of the struct: http://www.hexblog.com/?p=63