I'm using Hex-Rays' IDA Pro to decompile a binary. I have this switch:
case 0x35:
CField::OnDesc_MAYB(v6, a6);
break;
case 0x36:
(*(void (__thiscall **)(_DWORD, _DWORD))(*(_DWORD *)(a1 - 8) + 28))(a1 - 8, a6);
break;
case 0x3A:
CField::OnWarnMessage(v6, a6);
break;
If you look at case 0x36:, I can't understand this statement. Usually I just point at the function and use the F5 shortcut to decompile it, but I don't understand what this statement means. How do I decompile it to see its code?
Thanks.
Answer 0: (score: 1)
Case 0x36 is calling a virtual function, or at least what Hex-Rays believes is a virtual function. Consider the following pseudo-C++ code (with reinterpret_cast etc. left out for brevity), which deconstructs that line.
#include <cstdint>
typedef uint32_t _DWORD;        // IDA's 32-bit integer type, spelled out so this compiles
typedef unsigned char byte;
// in VC++, 'this' is usually passed via ECX register
typedef void (__thiscall* member_function_t)(_DWORD this_ptr, _DWORD arg_0);
// a1's declaration wasn't included in your post, so I'm making an assumption here
extern byte* address_of_some_child_object;   // placeholder for the real object pointer
byte* a1 = address_of_some_child_object;
// It would appear a1 is a pointer to an object which has multiple vftables (due to multiple inheritance/interfaces)
byte*** base_object = (byte***)(a1 - 8);
// Dereference the pointer at a1[-8] to get the base's vftable pointer (constant list of function pointers for the class's virtual funcs)
// a1[0] would probably be the child/interface's vftable pointer
byte** base_object_vftable = *base_object;
// +28 is a byte offset into the vftable: 28 / sizeof(void*) = index 7, i.e. the 8th virtual function
byte* base_object_member_function = base_object_vftable[28 / sizeof(void*)];
auto member_function = (member_function_t)base_object_member_function;
// case 0x36 simplified using a __thiscall function pointer
member_function((_DWORD)base_object, a6);
Deconstructed:
(
    *(
        void (__thiscall **)(_DWORD, _DWORD)
    )
    (*
        (_DWORD *)(a1 - 8) + 28
    )
)
(a1 - 8, a6);
If you're unfamiliar with the __thiscall calling convention, or with how virtual functions are generally implemented in C++, you should read up on them before attempting to reverse engineer programs that use them.
You can start with these breakdowns:
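As an added example (not code from the question or the answer), here is a C model of the object layout the answer describes: a constructed base subobject whose vftable the call resolves through, followed by a second vftable pointer that a1 points at. Every struct, field and function name is an assumption; the only values taken from the decompiler output are the -8 and +28 offsets, which the code recomputes with offsetof() and a slot-index helper so it also runs on a 64-bit host.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical member-function signature standing in for the __thiscall pointer in the
   decompiler output; 'this' is an explicit first parameter here. */
typedef void (*member_fn)(void *this_ptr, uint32_t arg);

/* Constructed base class: vftable pointer followed by one 32-bit field. On the 32-bit
   target in the question this subobject is 8 bytes, which is what "a1 - 8" steps back over. */
struct base_object { const member_fn *vftable; uint32_t some_field; };

/* Constructed derived class: the base subobject first, then the vftable pointer of a second
   base or interface. a1 in the question points at that second vftable pointer. */
struct child_object { struct base_object base; const member_fn *iface_vftable; };

/* Recorded by the slot-7 implementation so the resolution can be checked. */
static void *g_last_this;
static uint32_t g_last_arg;

static void slot_unused(void *this_ptr, uint32_t arg) { (void)this_ptr; (void)arg; }
static void slot7_handler(void *this_ptr, uint32_t arg) { g_last_this = this_ptr; g_last_arg = arg; }

/* "+ 28" is a byte offset into the vftable; on a 4-byte-pointer target that is entry 7. */
size_t slot_index_from_byte_offset(size_t byte_offset, size_t pointer_size) {
    return byte_offset / pointer_size;
}

static const member_fn base_vftable[8] = {
    slot_unused, slot_unused, slot_unused, slot_unused,
    slot_unused, slot_unused, slot_unused, slot7_handler,
};

/* The decompiled expression step by step, with offsetof() replacing the 32-bit constant 8
   so the same code runs on a 64-bit host. */
static void call_case_0x36(unsigned char *a1, uint32_t a6) {
    struct base_object *base =
        (struct base_object *)(a1 - offsetof(struct child_object, iface_vftable));
    member_fn fn = base->vftable[slot_index_from_byte_offset(28, 4)];  /* entry 7 */
    fn(base, a6);                                                       /* this = a1 - 8 */
}

/* Returns 1 if the call landed in slot 7 with this == the base subobject and arg == a6. */
int demo_case_0x36(uint32_t a6) {
    struct child_object obj = { { base_vftable, 0 }, NULL };
    unsigned char *a1 = (unsigned char *)&obj.iface_vftable;
    g_last_this = NULL; g_last_arg = 0;
    call_case_0x36(a1, a6);
    return g_last_this == (void *)&obj.base && g_last_arg == a6;
}
```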