Decompilation - _thiscall expression
Problem description:
I'm using Hex-Rays' IDA Pro to decompile a binary. I have this switch:
case 0x35:
CField::OnDesc_MAYB(v6, a6);
break;
case 0x36:
(*(void (__thiscall **)(_DWORD, _DWORD))(*(_DWORD *)(a1 - 8) + 28))(a1 - 8, a6);
break;
case 0x3A:
CField::OnWarnMessage(v6, a6);
break;
If you look at case 0x36:, I don't understand that statement. Usually I just point at the function and use the F5 shortcut to decompile it, but I don't understand what this statement means. How can I decompile it to view its code?
Thanks.
Answer
Case 0x36 is calling a virtual function, or at least Hex-Rays thinks it is. Consider the following pseudo-C++ code (leaving out reinterpret_cast etc. for simplicity), which deconstructs that line.
// assumed typedefs matching the names IDA uses (not part of the original post)
typedef unsigned char byte;
typedef unsigned int _DWORD;
// in VC++, 'this' is usually passed via ECX register
typedef void (__thiscall* member_function_t)(_DWORD this_ptr, _DWORD arg_0);
// a1's declaration wasn't included in your post, so I'm making an assumption here
byte* a1 = address_of_some_child_object;
// It would appear a1 is a pointer to an object which has multiple vftables (due to multiple inheritance/interfaces)
byte*** base_object = (byte***)(a1 - 8);
// Dereference the pointer at a1[-8] to get the base's vftable pointer (constant list of function pointers for the class's virtual funcs)
// a1[0] would probably be the child/interface's vftable pointer
byte** base_object_vftable = *base_object;
// +28 is a byte offset into the vftable: 28/sizeof(void*) = index 7, i.e. the 8th virtual function
byte* base_object_member_function = base_object_vftable[28 / sizeof(void*)];
auto member_function = (member_function_t)base_object_member_function;
// case 0x36 simplified using a __thiscall function pointer
member_function((_DWORD)base_object, a6);
Deconstructed from:
(
    *(
        void (__thiscall **)(_DWORD, _DWORD)
    )
    (*
        (_DWORD *)(a1 - 8) + 28
    )
)
(a1 - 8, a6);
If you're not familiar with the __thiscall calling convention, or with how virtual functions are typically implemented in C++, you should read up on them before attempting to reverse engineer projects that use them.
You can start with these:
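To make the dispatch concrete, here is an added C example (not from the answer or from the binary in the question) that builds a constructed object with the layout the answer infers: the full object starts with the base class's vftable pointer, and the interface subobject that a1 points at sits two pointers further in (the -8 on the 32-bit target). The dispatch function performs exactly the steps of the Hex-Rays expression: adjust a1 back to the full object, load the base vftable pointer, add the byte offset of the slot (28 on a 32-bit target, written as 7 * sizeof(void*) so the program also runs on a 64-bit host), load the function pointer and call it with the adjusted this. The struct, handler names and the 0x1234 argument are all constructed for the demo; __thiscall is omitted because it is MSVC/x86-specific.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-in for the decompiler's
   void (__thiscall *)(_DWORD this, _DWORD arg). */
typedef void (*member_fn)(uintptr_t this_ptr, uintptr_t arg0);

/* Offsets as they appear on the 32-bit target in the question:
   a1 - 8 reaches the full object, +28 selects vftable slot 7. */
#define THIS_ADJUST (2 * sizeof(void *))          /* 8 on 32-bit */
#define SLOT_INDEX  7
#define SLOT_OFFSET (SLOT_INDEX * sizeof(void *))  /* 28 on 32-bit */

/* Constructed layout modelling an object with two vftables. */
struct FakeObject {
    member_fn *base_vftable;   /* offset 0: what the call reads       */
    uintptr_t  some_member;    /* offset 4 on 32-bit                   */
    member_fn *iface_vftable;  /* offset 8 on 32-bit: a1 points here   */
    uintptr_t  last_this;      /* recorded by the handlers for checking */
    uintptr_t  last_arg;
    int        last_slot;
};

/* The virtual function that lives in slot 7 of the constructed table. */
static void slot7_handler(uintptr_t this_ptr, uintptr_t arg0)
{
    struct FakeObject *self = (struct FakeObject *)this_ptr;
    self->last_this = this_ptr;
    self->last_arg = arg0;
    self->last_slot = SLOT_INDEX;
}

/* Filler for every other slot, so a wrong offset is detected. */
static void other_handler(uintptr_t this_ptr, uintptr_t arg0)
{
    struct FakeObject *self = (struct FakeObject *)this_ptr;
    self->last_this = this_ptr;
    self->last_arg = arg0;
    self->last_slot = -1;
}

/* Literal translation of
   (*(void (__thiscall **)(_DWORD, _DWORD))(*(_DWORD *)(a1 - 8) + 28))(a1 - 8, a6);
   memcpy replaces the raw casts only to avoid strict-aliasing issues. */
static void dispatch_case_0x36(uintptr_t a1, uintptr_t a6)
{
    uintptr_t base = a1 - THIS_ADJUST;            /* a1 - 8        */
    uintptr_t vft;
    member_fn fn;
    memcpy(&vft, (void *)base, sizeof vft);       /* *(_DWORD *)(a1 - 8) */
    memcpy(&fn, (void *)(vft + SLOT_OFFSET), sizeof fn); /* ... + 28 */
    fn(base, a6);                                 /* (a1 - 8, a6)  */
}

/* Build the object, take a1 as the interface subobject and dispatch. */
static void run_demo(struct FakeObject *obj)
{
    static member_fn vft[8];
    for (int i = 0; i < 8; i++)
        vft[i] = other_handler;
    vft[SLOT_INDEX] = slot7_handler;

    memset(obj, 0, sizeof *obj);
    obj->base_vftable = vft;
    obj->iface_vftable = vft;   /* unused by this call; stands in for the interface table */

    uintptr_t a1 = (uintptr_t)&obj->iface_vftable;
    dispatch_case_0x36(a1, 0x1234);  /* constructed a6 value */
}

/* Which vftable slot the expression ended up calling (expected 7). */
int demo_slot_called(void)
{
    struct FakeObject obj;
    run_demo(&obj);
    return obj.last_slot;
}

/* 1 if the callee received the adjusted this (the full object), else 0. */
int demo_this_adjusted(void)
{
    struct FakeObject obj;
    run_demo(&obj);
    return obj.last_this == (uintptr_t)&obj && obj.last_arg == 0x1234;
}

int main(void)
{
    printf("slot called: %d, this adjusted: %d\n",
           demo_slot_called(), demo_this_adjusted());
    return 0;
}
```

In IDA the practical consequence is that there is no single function to press F5 on: you first find the class's vftable (the value stored at offset 0 of the object, typically a named `??_7...` data item once symbols or RTTI are resolved), then jump to its eighth entry (offset 28), and decompile that target.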
Not really an answer, but can you tell us what it is you're trying to disassemble/compile?