Decompiling - _thiscall expression

Time: 2014-02-23 15:44:48

Tags: decompiling decompiler ida

I am using Hex-Rays' IDA Pro to decompile a binary. I have this switch:

case 0x35:
    CField::OnDesc_MAYB(v6, a6);
    break;
case 0x36:
    (*(void (__thiscall **)(_DWORD, _DWORD))(*(_DWORD *)(a1 - 8) + 28))(a1 - 8, a6);
    break;
case 0x3A:
    CField::OnWarnMessage(v6, a6);
    break;

If you look at case 0x36:, I cannot understand that statement. Usually I just point at the function and use the F5 shortcut to decompile it, but I don't understand what this statement means. How do I decompile it to see its code?

Thanks.

1 answer:

Answer 0: (score: 1)

Case 0x36 is calling a virtual function, or at least a function that Hex-Rays believes is a virtual function. Consider the following pseudo-C++ code (leaving out reinterpret_cast etc. for brevity) that deconstructs that line.

// IDA's own typedefs, spelled out so the snippet has every type it uses (32-bit target)
typedef unsigned int _DWORD;
typedef unsigned char byte;
// in VC++, 'this' is usually passed via ECX register
typedef void (__thiscall* member_function_t)(_DWORD this_ptr, _DWORD arg_0);
// a1's declaration wasn't included in your post, so I'm making an assumption here
byte* a1 = address_of_some_child_object;
// It would appear a1 is a pointer to an object which has multiple vftables (due to multiple inheritance/interfaces)
byte*** base_object = (byte***)(a1 - 8);
// Dereference the pointer at a1[-8] to get the base's vftable pointer (constant list of function pointers for the class's virtual funcs)
// a1[0] would probably be the child/interface's vftable pointer
byte** base_object_vftable = *base_object;
// The decompiler adds 28 to a _DWORD, i.e. a byte offset into the vftable:
// 28 / sizeof(void*) = index 7 = the 8th virtual function (not element 28)
byte* base_object_member_function = base_object_vftable[28 / sizeof(void*)];
auto member_function = (member_function_t)base_object_member_function;
// case 0x36 simplified using a __thiscall function pointer
member_function((_DWORD)base_object, a6);

Deconstruction:

(
    *(
        void (__thiscall **)(_DWORD, _DWORD)
    )
    (*
        (_DWORD *)(a1 - 8) + 28
    )
)
(a1 - 8, a6);

If you are not familiar with the __thiscall calling convention, or with how virtual functions are generally implemented in C++, you should read up on them before attempting to reverse-engineer programs that use them.

You can start with these breakdowns:
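As an added worked example (not part of the answer above, and not taken from the binary in the question), the following C program builds a constructed object with two vftable pointers and evaluates the case 0x36 expression one step at a time. The struct `Object`, its vftables and the functions `decompiled_call`, `run_case_0x36` and `vtable_slot_index` are all hypothetical names chosen here; the 32-bit constants 8 and 28 from the decompiler output are written as `offsetof(struct Object, iface_vptr)` and `7 * sizeof(void *)` so that the same walk runs unchanged on a 64-bit host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Signature of the virtual function being called: 'this' plus one argument. */
typedef void (*vfunc_t)(void *self, uint32_t arg);

/* Constructed object layout (hypothetical, not the class from the question):
 * the primary vftable pointer at offset 0, followed by the vftable pointer of
 * an inherited interface. In the question's 32-bit binary that interface
 * sub-object sits at +8, which is why the decompiler adjusts a1 by -8. */
struct Object {
    const vfunc_t *base_vptr;
    const vfunc_t *iface_vptr;
    int last_slot;
    uint32_t last_arg;
};

/* Byte offset into a vftable -> slot index: 28 / 4 == 7 (the 8th entry) on a 32-bit target. */
static size_t vtable_slot_index(size_t byte_offset, size_t pointer_size) {
    return byte_offset / pointer_size;
}

/* Filler for every slot the example does not care about. */
static void slot_other(void *self, uint32_t arg) {
    struct Object *o = (struct Object *)self;
    o->last_slot = -1;
    o->last_arg = arg;
}

/* The function that lives in slot 7, i.e. the one case 0x36 reaches. */
static void slot_seven(void *self, uint32_t arg) {
    struct Object *o = (struct Object *)self;
    o->last_slot = 7;
    o->last_arg = arg;
}

/* Primary vftable (8 entries) and the interface's much smaller vftable. */
static const vfunc_t base_vftable[8] = {
    slot_other, slot_other, slot_other, slot_other,
    slot_other, slot_other, slot_other, slot_seven,
};
static const vfunc_t iface_vftable[1] = { slot_other };

/* The raw expression from case 0x36, in the order the decompiler evaluates it. */
static void decompiled_call(void *a1, uint32_t a6) {
    /* a1 - 8: step back from the interface sub-object to the primary object */
    uintptr_t this_ptr = (uintptr_t)a1 - offsetof(struct Object, iface_vptr);
    /* *(_DWORD *)(a1 - 8): read the primary vftable pointer stored at offset 0 */
    const vfunc_t *vftable = *(const vfunc_t **)this_ptr;
    /* + 28: a byte offset (28 on 32-bit) into the vftable, then load the function pointer there */
    vfunc_t fn = *(const vfunc_t *)((const char *)vftable + 7 * sizeof(void *));
    /* (a1 - 8, a6): __thiscall passes the adjusted 'this' first, then the argument */
    fn((void *)this_ptr, a6);
}

static void init_object(struct Object *o) {
    o->base_vptr = base_vftable;
    o->iface_vptr = iface_vftable;
    o->last_slot = 0;
    o->last_arg = 0;
}

/* Runs the scenario once; returns (slot hit << 32) | argument seen, so both
 * facts can be checked from one value. */
static uint64_t run_case_0x36(uint32_t a6) {
    struct Object obj;
    init_object(&obj);
    void *a1 = &obj.iface_vptr;   /* what the decompiler output calls a1 */
    decompiled_call(a1, a6);
    return ((uint64_t)(uint32_t)obj.last_slot << 32) | obj.last_arg;
}

int main(void) {
    uint64_t r = run_case_0x36(0x1234);
    printf("slot %u called with 0x%x (byte offset 28 on 32-bit is slot %zu)\n",
           (unsigned)(r >> 32), (unsigned)(r & 0xffffffffu), vtable_slot_index(28, 4));
    return 0;
}
```

The shape to recognise in decompiler output is the three-step chain: an adjustment of the object pointer (here a1 - 8), one dereference to fetch a vftable, and a fixed byte offset into that table. Dividing the offset by the target's pointer size gives the slot index, and applying the class's vftable struct type in IDA to that pointer turns the expression into a named virtual call.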