0

I use the IDA pro,hex-rays to decompile some code of a dll.

get some code like below:

void __stdcall IsDotInLine(double a1, double a2, double a3, double a4, double a5, double a6, double a7)
{
  int v7; // edx@1
  int v8; // ecx@1
  double v9; // st7@10
  char v10; // [sp+14h] [bp-88h]@1
  double v11; // [sp+54h] [bp-48h]@10
  double v12; // [sp+5Ch] [bp-40h]@10
  double v13; // [sp+64h] [bp-38h]@10
  double v14; // [sp+6Ch] [bp-30h]@6
  double v15; // [sp+74h] [bp-28h]@6
  double v16; // [sp+7Ch] [bp-20h]@1
  double v17; // [sp+84h] [bp-18h]@1
  double v18; // [sp+8Ch] [bp-10h]@1
  double v19; // [sp+94h] [bp-8h]@1

  memset(&v10, -858993460, 0x88u);
  sub_100014D3((int)&v15);
  v16 = a3;
  v18 = a5;
  v19 = a4;
  v17 = a6;
  sub_10001550(&v16);
  v16 = v16 - a7;
  v18 = v18 + a7;
  v17 = v17 - a7;
  v19 = v19 + a7;
  if ( a1 >= v16 )
  {
    if ( a1 <= v18 )
    {
      if ( a2 >= v17 )
      {
        if ( a2 <= v19 )
        {
          v15 = a6 - a4;
          v14 = a3 - a5;
          if ( v15 > 0.000000001 || v15 < -0.000000001 || v14 > 0.000000001 || v14 < -0.000000001 )
          {
            v13 = -v15 * a3 - v14 * a4;
            v11 = fabs(v15 * a1 + v14 * a2 + v13);
            v9 = sqrt(v15 * v15 + v14 * v14);
            v12 = v11 / v9;
          }
        }
      }
    }
  }
  chkesp(v8, v7);
}

After my ananlysis, besides some functional code.

I think the code like this type is no use, at least in this function , I can not figure out the use of the "sub_100021C0" function.

Can anyone got some idea about this code, what effect of the "sub_100021C0"?

thanks, attached is the code 

int __thiscall sub_100014D3(int this)
{
  return sub_100021C0(this);
}
int __thiscall sub_100021C0(int this)
{
  int v1; // ecx@1
  int v2; // edx@1
  int v3; // eax@1
  int v5; // [sp+4Ch] [bp-4h]@1

  v5 = this;
  *(_DWORD *)this = 0;
  *(_DWORD *)(this + 4) = 0;
  v1 = v5;
  *(_DWORD *)(v5 + 8) = 0;
  *(_DWORD *)(v1 + 12) = 0;
  v2 = v5;
  *(_DWORD *)(v5 + 16) = 0;
  *(_DWORD *)(v2 + 20) = 0;
  v3 = v5;
  *(_DWORD *)(v5 + 24) = 0;
  *(_DWORD *)(v3 + 28) = 0;
  return v5;
}
user1279988
  • 757
  • 1
  • 11
  • 27
  • It looks like it's using some strange tricks to zero out everything in as few calls as possible. I have no idea why it's doing that. – GRAYgoose124 May 30 '13 at 07:15
  • I got some idea about it. Maybe it take an function like "alloc/ new " take in high level C++; – user1279988 May 30 '13 at 07:16
  • `malloc` and `new` eventually call mmap() or something similar, which is a C wrapper for a kernel interrupt. There are no such calls here, it is simply setting every byte in `v1`, `v2`, `v3`, `v4`, and `v5` to `0`. Why is it doing it like this? No clue. – GRAYgoose124 May 30 '13 at 07:20
  • Could be an initializer for some structure, returning itself. `This` is the pointer to the structure. Why it is using v1 to v3 though is strange, because they all have the same value. Maybe unoptimized code? – Devolus May 30 '13 at 07:51

1 Answers1

1

That's probably the constructor/initializer of whatever class that is. Notice the this pointer being passed as the first argument, and v1 through v5 are just aliases for that. So it is setting (presumably) every member of the structure or class at the address this to 0.

The memset line above the call to that function is setting all the local variables (including the members of the class) to 0xcccccccc, which is a sentinel value used by some compilers to mean "uninitialized" if you compile in debug mode. Thus, the called function is necessary to initialize the values.

My guess is that there's a struct that looks something like struct Line { double x1, y1, x2, y2; }; with a constructor that initializes them to 0.

Simon Broadhead
  • 3,483
  • 21
  • 19
  • I am not clear why the keyword is not show on the decompiled code. I write some code to mimi the process and got a " Line::Line((int)&v7)" in the decompile code; and I got to Line::Line defination , it show exactly the exactly same as "sub_100021C0" but why the decompile dll code just show the "sub_100021C0", not some structure name of itself? – user1279988 May 30 '13 at 09:00
  • There are several possible reasons. If you are exporting the class (i.e. so that it can be used by other things, which happens by default) then it has to maintain the name inside the compiled code, so IDA can see it and substitute it. If you aren't exporting it (try putting it inside an anonymous namespace) the compiler is free to remove all traces of the class itself from the compiled code. Ultimately it comes down to what the compiler decides to do. – Simon Broadhead May 30 '13 at 09:05