All geek questions in one place

How can I get the lea instruction from C ++ functions by disassembling?

I'm trying to learn reverse engineering, and I'm stuck with this little thing. I have a code like this:

.text:10003478 mov eax, HWHandle .text:1000347D lea ecx, [eax+1829B8h] <------ .text:10003483 mov dword_1000FA64, ecx .text:10003489 lea esi, [eax+166A98h]<------ .text:1000348F lea edx, [eax+11FE320h] .text:10003495 mov dword_1000FCA0, esi

and I wonder how it looks in C or C ++? Especially two instructions are marked by arrows. HWHandle is a variable that contains the value returned from the GetModuleHandle() function. More interestingly, the couple lines below this dword_1000FCA0 instruction dword_1000FCA0 used as a function:

 .text:1000353C mov eax, dword_1000FCA0 .text:10003541 mov ecx, [eax+0A0h] .text:10003547 push offset asc_1000C9E4 ; "\r\n========================\r\n" .text:1000354C call ecx

This will draw this text in my game console. Do you have any ideas guys?

+4
source share
6 answers

Since HWHandle is a module descriptor that is only the base address of the DLL, it looks like the constants that are added to this are offsets for functions or static data inside the DLL. The code calculates the addresses of these functions or data elements and stores them for later use.

Since this is usually the task of the dynamic linker, I'm not sure if this build code matches the actual C ++ code. It would be useful to know what environment you are working in exactly - since you are linking to game consoles, is this this Xbox code? Unfortunately, I donโ€™t know how dynamic linking works on the Xbox, but it looks like it could be happening here.

In the specific case of dword_1000FCA0 , it looks like this is the location of the jump table (i.e. essentially a list of function pointers) inside the DLL. Your second piece of code receives a pointer to a function from offset 0xA inside this table, and then calls it - apparently, the called function displays the lines on the screen. (The pointer to the line to be output is pushed onto the stack, which is the usual convention of calling x86.) The C ++ code corresponding to this will look like

 my_print_function("\r\n========================\r\n");

Edit:

If you want to call functions in the DLL itself, the canonical way to get a pointer to a function is to use GetProcAddress() :

 FARPROC func=GetProcAddress(HWHandle, "MyFunction");

However, the code you posted calculates the offsets themselves, and if you really want to do the same, you can use something like this:

 DWORD func=(DWORD)HWHandle + myOffset;

myOffset is the offset you want to use - of course, you will need to somehow determine this offset, and this may change every time the DLL is recompiled, so this is not the method I would recommend - but this is, after all , what you asked for, but.

Regardless of which of these two methods you use to access the function address, you need to call it. To do this, you need to declare a pointer to a function - and for this you need to know the signature of your function (its parameters and return data types). For instance:

 typedef void (*print_func_type)(const char *); print_func_type my_func_pointer=(print_func_type)func; my_func_pointer("\r\n========================\r\n");

Beware - if you get the wrong address of the function or its signature, your code is likely to fail. All part of the pleasure of this kind of low-level work.

+3
source

LEA is nothing more than an arithmetic operation : in this case, the ECX is simply filled with the offset EAX + (the address itself, not the specified content). if HWHandle pointed to a (very large) structure, ECX would simply be one of its members.

This may be related source code:

 extern A* HWHandle; // mov eax, HWHandle B* ECX = HWHandle->someStructure; // lea ecx, [eax+1829B8h]

and then one of the Bs members is used as a function.

 *(ECX->ptrFunction(someArg)) // mov ecx, [eax+0A0h] // call ecx
+5
source

It seems that HWHandle is an appoterium of some structure (large). lea command reads addresses (addresses) from this structure, for example:

 mov eax, HWHandle lea ecx, [eax+1829B8h] mov dword_1000FA64, ecx

means:

  • Read the address from HWHandle + 0x1829B8 and put it in ecx
  • Put this address (from ecx ) in some (global) variable dword_1000FA64

The rest looks simple.

In C ++, you can get it almost anywhere, and you really cannot predict where (depends on the compiler and optimization), for example:

 int x; int* pX = &X;

The second line can generate lea .

Another example:

 struct s { int x; int y; }; my_s s; int Y = sy; //here: probably lea <something> , [address(my_s) + 0x4]

Hope this helps.

+2
source

In C ++, this is roughly equivalent

 char* ecx, eax, esi; ecx = eax+0x1829B8 // lea ecx, [eax+1829B8h] esi = eax+0x166A98 // lea esi, [eax+166A98h]

Assuming that eax, esi, and ecx do contain pointers to memory locations. Of course, the lea instruction can also be used for simple arithmetic, and in fact, it is often used to be added by compilers. An advantage over simple add : it can contain up to three input operands and another destination.

+1
source

For example, foo = &bar->baz matches (simplified) foo = (char *)bar + offsetof(typeof(*bar), baz) , which can be translated into lea foo, [bar+offsetofbaz] .

+1
source

It really depends on the compiler and optimization, but if IIRC, lea can only be emitted for add-ons ... So, lea ecx, [eax+1829B8h] can be understood as ecx = eax + 0x1829B8

0
source

Source: https://habr.com/ru/post/1399147/

More articles:


All Articles