
What I often see online, when the topic is reversing, is this syntax

  *(_WORD *)(a1 + 6) = *(_WORD *)(a2 + 2);

I think this code is from an IDA plugin (right?), but I can't understand it... can someone explain it to me a little, or point me to something where I can study the nature of this code?

Thanks in advance =)

Kiks777
  • What don't you understand about this code? Do you understand C? Are you familiar with pointers? – YSK Sep 01 '17 at 13:58
  • Yeah, I mean I understand pointers and casting... but, for example, [a1+6], what does it mean? a1 + 6 positions? Into an array? – Kiks777 Sep 02 '17 at 15:47

1 Answer

This code copies 2 bytes from the address pointed to by a2 + 2 into the address pointed to by a1 + 6.

In more detail, the code does the following:

  • advance 2 bytes from a2.
  • treat the result as a WORD pointer, i.e. a pointer to a value made up of two bytes. This is the (_WORD *) part on the right.
  • read the 2 bytes referenced by the above pointer. This is the * at the very left of the expression on the right.

We now have a 16-bit value. Now we:

  • advance 6 bytes from a1.
  • treat the result as a WORD pointer. Again, this is the (_WORD *) part.
  • write the 2 bytes we read in the first part into the address pointed to by the pointer that we have.

If you've never seen such code before, you may think that it's superfluous to use the (_WORD *) on both sides of the expression - but it is not. For example, we can read a 16-bit value and write it into a pointer to a 32-bit value (e.g. by sign-extending it).

I suggest that you also look at the assembly code where you will see the steps making up this assignment. If you don't have it available then just write a C program on your own that does such manipulation and then decompile it.

YSK
  • Thanks for the explanation, that's what I needed! – Kiks777 Sep 03 '17 at 13:28
  • Just one thing... so a1 can be considered an array of pointers (or just an array with values in it)? Or can it be a normal variable? – Kiks777 Sep 12 '17 at 15:16
  • `a1` is a pointer to something. That's the only thing we can learn. It can be an array but it can also be a pointer to a struct. It's possible that the code copies a field from one struct to another, or from an array to a struct, or from a struct to an array. You can't tell from this single line of code, and in fact an array can be considered as a type of a struct. With more code to reverse engineer you can get more and more hints on how `a1` is used so you can learn what's in it. – YSK Sep 16 '17 at 05:30
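As an added example (not part of the question or the answer above): a small C program of the kind the answer suggests writing, with hypothetical struct layouts chosen so that the field copy decompiles to exactly the expression in the question, the same copy written against the recovered types, and the 16-bit-to-32-bit sign-extending variant the answer mentions. The struct and field names, the `_WORD` typedef and the sample values are assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>

/* Decompiler-style typedef; the name _WORD is taken from the question. */
typedef uint16_t _WORD;

/* Assumed source-level structs: a2 has a 16-bit field at offset 2, and
   a1 has a 16-bit field at offset 6, matching the question's expression. */
struct src { uint16_t tag; int16_t value; uint32_t rest; };
struct dst { uint32_t id; uint16_t flags; uint16_t value; };
_Static_assert(offsetof(struct src, value) == 2, "a2 + 2");
_Static_assert(offsetof(struct dst, value) == 6, "a1 + 6");

/* What the decompiler shows: a1 and a2 are untyped byte addresses. */
static void copy_word_decompiled(char *a1, const char *a2)
{
    *(_WORD *)(a1 + 6) = *(const _WORD *)(a2 + 2);
}

/* The same operation once the struct types have been recovered. */
static void copy_word_typed(struct dst *d, const struct src *s)
{
    d->value = (uint16_t)s->value;
}

/* The variant the answer mentions: a 16-bit read stored through a 32-bit
   pointer. Reading through int16_t sign-extends before the store. */
static void copy_word_extended(char *a1, const char *a2)
{
    *(int32_t *)a1 = *(const int16_t *)(a2 + 2);
}

/* Runs either form on the same constructed input; both store 0xBEEF. */
uint16_t demo_copy(int use_typed)
{
    struct src s = { 0x1111, (int16_t)0xBEEF, 0x22222222 };
    struct dst d = { 0, 0, 0 };
    if (use_typed) copy_word_typed(&d, &s);
    else           copy_word_decompiled((char *)&d, (const char *)&s);
    return d.value;                 /* 0xBEEF either way */
}

int32_t demo_extended(void)
{
    struct src s = { 0x1111, -2, 0x22222222 };
    int32_t out = 0;
    copy_word_extended((char *)&out, (const char *)&s);
    return out;                     /* -2: 0xFFFE became 0xFFFFFFFE */
}
```

Compile it without optimisation and open the binary in a decompiler to see the untyped `*(_WORD *)(a1 + 6)` form reappear; then apply the struct types and watch it turn back into a field assignment.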