
I'm really (reaaaally) new to IDA (and debugging in general), so I wanted to ask a little for some directions.

I have this sub / function:

.text:005AE50B sub_5AE50B      proc near               ; CODE XREF: sub_4F0E29+252p
.text:005AE50B                                         ; sub_5B81A9+36p
.text:005AE50B
.text:005AE50B var_548         = dword ptr -548h
.text:005AE50B var_544         = dword ptr -544h
.text:005AE50B var_540         = dword ptr -540h
.text:005AE50B var_53C         = dword ptr -53Ch
.text:005AE50B var_538         = dword ptr -538h
.text:005AE50B var_534         = dword ptr -534h
.text:005AE50B var_530         = dword ptr -530h
.text:005AE50B var_52C         = dword ptr -52Ch
.text:005AE50B var_528         = dword ptr -528h
.text:005AE50B var_524         = dword ptr -524h
.text:005AE50B var_520         = dword ptr -520h
.text:005AE50B var_51C         = dword ptr -51Ch
.text:005AE50B var_518         = dword ptr -518h
.text:005AE50B var_514         = dword ptr -514h
.text:005AE50B var_510         = dword ptr -510h
.text:005AE50B var_50C         = dword ptr -50Ch
.text:005AE50B var_508         = dword ptr -508h
.text:005AE50B var_504         = dword ptr -504h
.text:005AE50B var_500         = dword ptr -500h
.text:005AE50B var_4FC         = dword ptr -4FCh
.text:005AE50B var_4F8         = dword ptr -4F8h
.text:005AE50B var_4F4         = dword ptr -4F4h
.text:005AE50B var_4F0         = dword ptr -4F0h
.text:005AE50B var_4EC         = dword ptr -4ECh
.text:005AE50B var_4E8         = dword ptr -4E8h
.text:005AE50B var_4E4         = dword ptr -4E4h
.text:005AE50B var_4E0         = dword ptr -4E0h
.text:005AE50B var_4DC         = dword ptr -4DCh
.text:005AE50B var_4D8         = dword ptr -4D8h
.text:005AE50B var_4D4         = dword ptr -4D4h
.text:005AE50B var_4D0         = dword ptr -4D0h
.text:005AE50B var_4CC         = dword ptr -4CCh
.text:005AE50B var_4C8         = dword ptr -4C8h
.text:005AE50B var_4C4         = dword ptr -4C4h
.text:005AE50B var_4C0         = dword ptr -4C0h
.text:005AE50B var_4BC         = dword ptr -4BCh
.text:005AE50B var_4B8         = dword ptr -4B8h
.text:005AE50B var_4B4         = dword ptr -4B4h
.text:005AE50B var_4B0         = dword ptr -4B0h
.text:005AE50B var_4AC         = dword ptr -4ACh
.text:005AE50B var_4A8         = dword ptr -4A8h
.text:005AE50B var_4A4         = dword ptr -4A4h
.text:005AE50B var_4A0         = byte ptr -4A0h
.text:005AE50B var_49C         = dword ptr -49Ch
.text:005AE50B var_498         = dword ptr -498h
.text:005AE50B var_494         = dword ptr -494h
.text:005AE50B var_490         = dword ptr -490h
.text:005AE50B var_48C         = dword ptr -48Ch
.text:005AE50B var_488         = dword ptr -488h
.text:005AE50B var_484         = dword ptr -484h
.text:005AE50B var_480         = dword ptr -480h
.text:005AE50B var_47C         = dword ptr -47Ch
.text:005AE50B var_478         = dword ptr -478h
.text:005AE50B var_474         = dword ptr -474h
.text:005AE50B var_470         = dword ptr -470h
.text:005AE50B var_46C         = dword ptr -46Ch
.text:005AE50B var_468         = dword ptr -468h
.text:005AE50B var_464         = dword ptr -464h
.text:005AE50B var_460         = dword ptr -460h
.text:005AE50B var_45C         = dword ptr -45Ch
.text:005AE50B var_458         = dword ptr -458h
.text:005AE50B var_454         = dword ptr -454h
.text:005AE50B var_450         = dword ptr -450h
.text:005AE50B var_444         = dword ptr -444h
.text:005AE50B var_440         = dword ptr -440h
.text:005AE50B var_43C         = dword ptr -43Ch
.text:005AE50B var_438         = dword ptr -438h
.text:005AE50B var_434         = dword ptr -434h
.text:005AE50B var_430         = dword ptr -430h
.text:005AE50B var_42C         = dword ptr -42Ch
.text:005AE50B var_428         = dword ptr -428h
.text:005AE50B var_424         = dword ptr -424h
.text:005AE50B var_418         = dword ptr -418h
.text:005AE50B var_414         = dword ptr -414h
.text:005AE50B var_410         = dword ptr -410h
.text:005AE50B var_40C         = dword ptr -40Ch
.text:005AE50B var_408         = dword ptr -408h
.text:005AE50B var_404         = dword ptr -404h
.text:005AE50B var_400         = dword ptr -400h
.text:005AE50B var_3FC         = dword ptr -3FCh
.text:005AE50B var_3F8         = dword ptr -3F8h
.text:005AE50B var_3EC         = dword ptr -3ECh
.text:005AE50B var_3E8         = dword ptr -3E8h
.text:005AE50B var_3E4         = dword ptr -3E4h
.text:005AE50B var_3E0         = dword ptr -3E0h
.text:005AE50B var_3DC         = dword ptr -3DCh
.text:005AE50B var_3D8         = dword ptr -3D8h
.text:005AE50B var_3D4         = dword ptr -3D4h
.text:005AE50B var_3D0         = dword ptr -3D0h
.text:005AE50B var_3CC         = dword ptr -3CCh
.text:005AE50B var_3C8         = dword ptr -3C8h
.text:005AE50B var_3C4         = dword ptr -3C4h
.text:005AE50B var_3C0         = dword ptr -3C0h
.text:005AE50B var_3BC         = dword ptr -3BCh
.text:005AE50B var_3B8         = dword ptr -3B8h
.text:005AE50B var_3AC         = dword ptr -3ACh
.text:005AE50B var_3A8         = dword ptr -3A8h
.text:005AE50B var_3A4         = dword ptr -3A4h
.text:005AE50B var_3A0         = dword ptr -3A0h
.text:005AE50B var_39C         = dword ptr -39Ch
.text:005AE50B var_398         = dword ptr -398h
.text:005AE50B var_394         = dword ptr -394h
.text:005AE50B var_390         = dword ptr -390h
.text:005AE50B var_38C         = dword ptr -38Ch
.text:005AE50B var_380         = dword ptr -380h
.text:005AE50B var_37C         = dword ptr -37Ch
.text:005AE50B var_378         = dword ptr -378h
.text:005AE50B var_374         = dword ptr -374h
.text:005AE50B var_370         = dword ptr -370h
.text:005AE50B var_36C         = dword ptr -36Ch
.text:005AE50B var_368         = dword ptr -368h
.text:005AE50B var_364         = dword ptr -364h
.text:005AE50B var_360         = dword ptr -360h
.text:005AE50B var_35C         = dword ptr -35Ch
.text:005AE50B var_358         = dword ptr -358h
.text:005AE50B var_354         = dword ptr -354h
.text:005AE50B var_350         = dword ptr -350h
.text:005AE50B var_34C         = dword ptr -34Ch
.text:005AE50B var_348         = dword ptr -348h
.text:005AE50B var_344         = dword ptr -344h
.text:005AE50B var_340         = dword ptr -340h
.text:005AE50B var_33C         = dword ptr -33Ch
.text:005AE50B var_338         = dword ptr -338h
.text:005AE50B var_334         = dword ptr -334h
.text:005AE50B var_330         = dword ptr -330h
.text:005AE50B var_32C         = dword ptr -32Ch
.text:005AE50B var_328         = dword ptr -328h
.text:005AE50B var_324         = dword ptr -324h
.text:005AE50B var_320         = dword ptr -320h
.text:005AE50B var_31C         = dword ptr -31Ch
.text:005AE50B var_318         = dword ptr -318h
.text:005AE50B var_314         = dword ptr -314h
.text:005AE50B var_310         = dword ptr -310h
.text:005AE50B var_30C         = dword ptr -30Ch
.text:005AE50B var_308         = dword ptr -308h
.text:005AE50B var_304         = dword ptr -304h
.text:005AE50B v               = dword ptr -2FCh
.text:005AE50B var_2F8         = dword ptr -2F8h
.text:005AE50B var_2F4         = dword ptr -2F4h
.text:005AE50B var_2F0         = dword ptr -2F0h
.text:005AE50B var_2EC         = dword ptr -2ECh
.text:005AE50B var_2E8         = dword ptr -2E8h
.text:005AE50B var_2E4         = dword ptr -2E4h
.text:005AE50B var_2E0         = dword ptr -2E0h
.text:005AE50B var_2DC         = dword ptr -2DCh
.text:005AE50B var_2D8         = dword ptr -2D8h
.text:005AE50B var_2D4         = dword ptr -2D4h
.text:005AE50B var_2D0         = dword ptr -2D0h
.text:005AE50B var_2CC         = dword ptr -2CCh
.text:005AE50B var_2C8         = dword ptr -2C8h
.text:005AE50B var_2C4         = dword ptr -2C4h
.text:005AE50B var_2C0         = dword ptr -2C0h
.text:005AE50B var_2BC         = dword ptr -2BCh
.text:005AE50B var_2B8         = dword ptr -2B8h
.text:005AE50B var_2B4         = dword ptr -2B4h
.text:005AE50B var_2B0         = dword ptr -2B0h
.text:005AE50B var_2AC         = dword ptr -2ACh
.text:005AE50B var_2A8         = dword ptr -2A8h
.text:005AE50B var_2A4         = dword ptr -2A4h
.text:005AE50B var_298         = dword ptr -298h
.text:005AE50B var_294         = dword ptr -294h
.text:005AE50B var_290         = dword ptr -290h
.text:005AE50B var_28C         = dword ptr -28Ch
.text:005AE50B var_288         = dword ptr -288h
.text:005AE50B var_284         = dword ptr -284h
.text:005AE50B var_280         = dword ptr -280h
.text:005AE50B var_274         = dword ptr -274h
.text:005AE50B var_270         = dword ptr -270h
.text:005AE50B var_26C         = dword ptr -26Ch
.text:005AE50B var_268         = dword ptr -268h
.text:005AE50B var_264         = dword ptr -264h
.text:005AE50B var_260         = dword ptr -260h
.text:005AE50B var_25C         = dword ptr -25Ch
.text:005AE50B var_250         = dword ptr -250h
.text:005AE50B var_24C         = dword ptr -24Ch
.text:005AE50B var_248         = dword ptr -248h
.text:005AE50B var_244         = dword ptr -244h
.text:005AE50B var_240         = dword ptr -240h
.text:005AE50B var_23C         = dword ptr -23Ch
.text:005AE50B var_238         = dword ptr -238h
.text:005AE50B var_22C         = dword ptr -22Ch
.text:005AE50B var_228         = dword ptr -228h
.text:005AE50B var_224         = dword ptr -224h
.text:005AE50B var_220         = dword ptr -220h
.text:005AE50B var_21C         = dword ptr -21Ch
.text:005AE50B var_218         = dword ptr -218h
.text:005AE50B var_214         = dword ptr -214h
.text:005AE50B var_210         = dword ptr -210h
.text:005AE50B var_20C         = dword ptr -20Ch
.text:005AE50B var_208         = dword ptr -208h
.text:005AE50B var_204         = dword ptr -204h
.text:005AE50B var_200         = dword ptr -200h
.text:005AE50B var_1FC         = dword ptr -1FCh
.text:005AE50B var_1F0         = dword ptr -1F0h
.text:005AE50B var_1EC         = dword ptr -1ECh
.text:005AE50B var_1E8         = dword ptr -1E8h
.text:005AE50B var_1E4         = dword ptr -1E4h
.text:005AE50B var_1E0         = dword ptr -1E0h
.text:005AE50B var_1DC         = dword ptr -1DCh
.text:005AE50B var_1D8         = dword ptr -1D8h
.text:005AE50B var_1CC         = dword ptr -1CCh
.text:005AE50B var_1C8         = dword ptr -1C8h
.text:005AE50B var_1C4         = dword ptr -1C4h
.text:005AE50B var_1C0         = dword ptr -1C0h
.text:005AE50B var_1BC         = dword ptr -1BCh
.text:005AE50B var_1B0         = dword ptr -1B0h
.text:005AE50B var_1AC         = dword ptr -1ACh
.text:005AE50B var_1A8         = dword ptr -1A8h
.text:005AE50B var_1A4         = dword ptr -1A4h
.text:005AE50B var_1A0         = dword ptr -1A0h
.text:005AE50B var_19C         = dword ptr -19Ch
.text:005AE50B var_198         = dword ptr -198h
.text:005AE50B var_194         = dword ptr -194h
.text:005AE50B var_190         = dword ptr -190h
.text:005AE50B var_184         = dword ptr -184h
.text:005AE50B var_180         = dword ptr -180h
.text:005AE50B var_17C         = dword ptr -17Ch
.text:005AE50B var_178         = dword ptr -178h
.text:005AE50B var_174         = dword ptr -174h
.text:005AE50B var_170         = dword ptr -170h
.text:005AE50B var_16C         = dword ptr -16Ch
.text:005AE50B var_168         = dword ptr -168h
.text:005AE50B var_164         = dword ptr -164h
.text:005AE50B var_160         = dword ptr -160h
.text:005AE50B var_154         = dword ptr -154h
.text:005AE50B var_150         = dword ptr -150h
.text:005AE50B var_14C         = dword ptr -14Ch
.text:005AE50B var_148         = dword ptr -148h
.text:005AE50B var_144         = dword ptr -144h
.text:005AE50B var_140         = dword ptr -140h
.text:005AE50B var_13C         = dword ptr -13Ch
.text:005AE50B var_138         = dword ptr -138h
.text:005AE50B var_134         = dword ptr -134h
.text:005AE50B var_130         = dword ptr -130h
.text:005AE50B var_12C         = dword ptr -12Ch
.text:005AE50B var_128         = dword ptr -128h
.text:005AE50B var_124         = dword ptr -124h
.text:005AE50B var_120         = dword ptr -120h
.text:005AE50B var_11C         = dword ptr -11Ch
.text:005AE50B var_118         = dword ptr -118h
.text:005AE50B var_114         = dword ptr -114h
.text:005AE50B var_110         = dword ptr -110h
.text:005AE50B var_10C         = dword ptr -10Ch
.text:005AE50B var_108         = dword ptr -108h
.text:005AE50B var_104         = dword ptr -104h
.text:005AE50B var_100         = dword ptr -100h
.text:005AE50B var_FC          = dword ptr -0FCh
.text:005AE50B var_F8          = dword ptr -0F8h
.text:005AE50B var_F4          = dword ptr -0F4h
.text:005AE50B var_F0          = dword ptr -0F0h
.text:005AE50B var_EC          = dword ptr -0ECh
.text:005AE50B var_E8          = dword ptr -0E8h
.text:005AE50B var_E4          = dword ptr -0E4h
.text:005AE50B var_E0          = dword ptr -0E0h
.text:005AE50B var_DC          = dword ptr -0DCh
.text:005AE50B var_D8          = dword ptr -0D8h
.text:005AE50B var_D4          = dword ptr -0D4h
.text:005AE50B var_D0          = dword ptr -0D0h
.text:005AE50B var_CC          = dword ptr -0CCh
.text:005AE50B var_C8          = dword ptr -0C8h
.text:005AE50B var_C4          = dword ptr -0C4h
.text:005AE50B var_C0          = dword ptr -0C0h
.text:005AE50B var_BC          = dword ptr -0BCh
.text:005AE50B var_B8          = dword ptr -0B8h
.text:005AE50B var_B4          = dword ptr -0B4h
.text:005AE50B var_B0          = dword ptr -0B0h
.text:005AE50B var_AC          = dword ptr -0ACh
.text:005AE50B var_A8          = dword ptr -0A8h
.text:005AE50B var_A4          = dword ptr -0A4h
.text:005AE50B var_A0          = dword ptr -0A0h
.text:005AE50B var_9C          = dword ptr -9Ch
.text:005AE50B var_98          = dword ptr -98h
.text:005AE50B var_94          = dword ptr -94h
.text:005AE50B var_90          = dword ptr -90h
.text:005AE50B var_84          = dword ptr -84h
.text:005AE50B var_80          = dword ptr -80h
.text:005AE50B var_7C          = dword ptr -7Ch
.text:005AE50B var_78          = dword ptr -78h
.text:005AE50B var_74          = dword ptr -74h
.text:005AE50B var_70          = dword ptr -70h
.text:005AE50B var_6C          = dword ptr -6Ch
.text:005AE50B var_68          = dword ptr -68h
.text:005AE50B var_64          = dword ptr -64h
.text:005AE50B var_60          = dword ptr -60h
.text:005AE50B var_5C          = dword ptr -5Ch
.text:005AE50B var_58          = dword ptr -58h
.text:005AE50B var_54          = dword ptr -54h
.text:005AE50B var_50          = dword ptr -50h
.text:005AE50B var_4C          = dword ptr -4Ch
.text:005AE50B var_48          = dword ptr -48h
.text:005AE50B var_44          = dword ptr -44h
.text:005AE50B var_40          = dword ptr -40h
.text:005AE50B var_3C          = dword ptr -3Ch
.text:005AE50B var_38          = dword ptr -38h
.text:005AE50B var_34          = dword ptr -34h
.text:005AE50B var_30          = dword ptr -30h
.text:005AE50B var_2C          = dword ptr -2Ch
.text:005AE50B var_28          = dword ptr -28h
.text:005AE50B var_24          = dword ptr -24h
.text:005AE50B var_20          = dword ptr -20h
.text:005AE50B var_1C          = dword ptr -1Ch
.text:005AE50B alpha           = dword ptr -18h
.text:005AE50B var_14          = dword ptr -14h
.text:005AE50B var_10          = dword ptr -10h
.text:005AE50B var_C           = dword ptr -0Ch
.text:005AE50B var_4           = dword ptr -4
.text:005AE50B arg_0           = dword ptr  8
.text:005AE50B arg_C           = dword ptr  14h
.text:005AE50B
.text:005AE50B                 push    ebp
.text:005AE50C                 mov     ebp, esp
.text:005AE50E                 push    0FFFFFFFFh
.text:005AE510                 push    offset loc_876BAE
.text:005AE515                 mov     eax, large fs:0
.text:005AE51B                 push    eax
.text:005AE51C                 mov     large fs:0, esp
.text:005AE523                 sub     esp, 524h
.text:005AE529                 mov     eax, [ebp+arg_0]
.text:005AE52C                 mov     ecx, [eax+30h]
.text:005AE52F                 imul    ecx, 0F4h
.text:005AE535                 mov     edx, dword_596CB28
.text:005AE53B                 add     edx, ecx
.text:005AE53D                 mov     [ebp+var_10], edx
.text:005AE540                 mov     byte ptr [ebp+var_14], 1
.text:005AE544                 cmp     dword_7B46AF4, 0
.text:005AE54B                 jnz     short loc_5AE567
.text:005AE54D                 cmp     dword_7B46AF4, 0
.text:005AE554                 jnz     loc_5B817B
.text:005AE55A                 mov     eax, [ebp+arg_0]
.text:005AE55D                 cmp     dword ptr [eax+3Ch], 0FFFFFFFEh
.text:005AE561                 jz      loc_5B817B
.text:005AE567
.text:005AE567 loc_5AE567:                             ; CODE XREF: sub_5AE50B+40j
.text:005AE567                 cmp     [ebp+arg_C], 0Ah
.text:005AE56B                 jnz     loc_5AE7C9
.text:005AE571                 mov     [ebp+alpha], 3F000000h
.text:005AE578                 mov     [ebp+var_1C], 0
.text:005AE57F                 jmp     short loc_5AE58A

It has a lot of vars, from var_548 descending 4 by 4 until what you can see on the image.

Now I know that this is supposed to be a function that looks like this:

void __cdecl sub_5DE260(STRUCT *lpInfo, int a1, int a2, int a3)

(I know this because someone else posted it on a forum)

Now, here are my doubts (sorry if it's dumb): why does the function have 4 arguments? (I only see 2 arg_ in there, shouldn't it be 2 then?) I have one idea of why this could be.. but I'm not sure.. I see that with vars it's going down 4 by 4, and the args are _0 and _C, which means if it's 4 by 4 too, then there would be 2 more args in between.. but I don't really know.

And the second question: how can you know that the first argument is a structure? My only idea here is that it has something to do with that "alpha" there. I would ask how to get that struct too, but that's probably harder, so I want to understand the more basic part first. :)


Edit: Sorry for adding an image, I copied the text instead now.

There are 2 calls to this function, I'll add both of them now:

.text:004F1058 loc_4F1058:                             ; CODE XREF: sub_4F0E29+219j
.text:004F1058                 push    0
.text:004F105A                 push    0
.text:004F105C                 mov     ecx, [ebp+var_64]
.text:004F105F                 mov     edx, [ecx]
.text:004F1061                 mov     ecx, [ebp+var_64]
.text:004F1064                 call    dword ptr [edx+18h]
.text:004F1067
.text:004F1067 loc_4F1067:                             ; CODE XREF: sub_4F0E29+206j
.text:004F1067                                         ; sub_4F0E29+22Dj
.text:004F1067                 cmp     [ebp+var_60], 0
.text:004F106B                 jz      short loc_4F1083
.text:004F106D                 push    0
.text:004F106F                 mov     eax, [ebp+arg_8]
.text:004F1072                 push    eax
.text:004F1073                 mov     cl, [ebp+var_38]
.text:004F1076                 push    ecx
.text:004F1077                 mov     edx, [ebp+arg_4]
.text:004F107A                 push    edx
.text:004F107B                 call    sub_5AE50B
.text:004F1080                 add     esp, 10h
.text:004F1083
.text:004F1083 loc_4F1083:                             ; CODE XREF: sub_4F0E29+242j
.text:004F1083                 jmp     short loc_4F109B

The other one looks like this:

.text:005B81CF loc_5B81CF:                             ; CODE XREF: sub_5B81A9+22j
.text:005B81CF                 mov     ecx, [ebp+arg_C]
.text:005B81D2                 push    ecx
.text:005B81D3                 mov     edx, [ebp+arg_8]
.text:005B81D6                 push    edx
.text:005B81D7                 mov     al, [ebp+arg_4]
.text:005B81DA                 push    eax
.text:005B81DB                 mov     ecx, [ebp+arg_0]
.text:005B81DE                 push    ecx
.text:005B81DF                 call    sub_5AE50B
.text:005B81E4                 add     esp, 10h
.text:005B81E7
.text:005B81E7 loc_5B81E7:                             ; CODE XREF: sub_5B81A9+24j
.text:005B81E7                 pop     ebp
.text:005B81E8                 retn
.text:005B81E8 sub_5B81A9      endp

Does that help? I still don't know how to use the function, 'cause I don't understand what the arguments should look like.. this guy on the forum posted the function I wrote above, but that had a struct that I don't know.

user1913644
  • It would help if the `call` instruction shows in the disassembly to be sure of what is being set up for the call. (Or is this the called function itself; hard to say as you aren't showing addresses.) – wallyk Aug 09 '18 at 04:49
  • 2
    Impossible to say since you haven't shown the entire function. Also don't post images, cut & paste the disassembled code. – Ross Ridge Aug 09 '18 at 04:54
  • @OP: The C signature with `STRUCT *lpInfo` shows a *pointer to* a struct, not a struct arg. If the arg *was* a struct passed by value, it would potentially be larger than 4 bytes, and (in at least some 32-bit x86 calling conventions) be copied onto the stack by the caller, rather than passed by reference. Speaking of calling conventions, we can rule out `__fastcall` as an explanation for only 2 named stack args, unless the first register arg is unused because the function writes ECX without reading it first. So no register args; `gcc -mregparm=2` can also be ruled out from clobbering EAX. – Peter Cordes Aug 09 '18 at 04:59
  • 1
    I've edited the first post, replaced the image and added 2 calls to the function. – user1913644 Aug 09 '18 at 05:16

2 Answers


We don't have enough evidence from the snippet you posted to tell if mov ecx, [eax+30h] is an array or struct access. So from what you show, the first arg could be int *arg_0.

The fact that there is an arg at ebp+14h, with a gap of 8 bytes from the end of the pointer first arg at ebp+8, tells us that either

  • the first arg is actually a by-value struct that takes up 12 bytes
  • the disassembly is incomplete and didn't see the code that does use the middle args

  • there are 4 dword-sized args, but the middle two are unused. (Or there's one unused double arg.) Actually, normal calling conventions require args to be padded to fill a dword stack slot, so we can't rule out stuff like the middle args having char, float, short, or void* type either. No reason to assume they're int.

    In fact, the callers are doing mov al, stuff / push eax, so it looks like one of the unused args is a char or uint8_t.


If [ebp+14h] wasn't an arg, then the code would be reading stack memory owned by its caller, and that wouldn't make sense.

cmp [ebp+arg_C], 0Ah / jnz loc_5AE7C9 jumps if the dword arg is != 10. I was thinking at first that it was probably actually a char arg (and checking for a newline), but IDA omits an operand-size and the only thing that implies a size is arg_C, which is defined as a dword ptr. So maybe it's a character passed in an int, or it's checking for 10 for some other reason.

Peter Cordes
  • Hi! So if arguments are not being used, they are not shown? That's good to know. The function is being called in 2 places, I added both on the original post. Does that help to establish a bit more info? – user1913644 Aug 09 '18 at 05:18
  • @user1913644: I don't use IDA, but yeah it appears that way. There's no way for it to decide whether it's one 8-byte arg vs. two 4-byte args, or two `char` args padded to 4-byte stack slots, so it makes perfect sense for it to not show anything. – Peter Cordes Aug 09 '18 at 05:21
  • I made it work with int *a, 2 unused in the middle and then int d on the end. Don't know what the 2 in the middle are yet, one of them does work with either int or char, both cases are just null or 0 though when hooked. – user1913644 Aug 09 '18 at 06:08

You have to get familiar with the concept of calling convention (CC).
The CC will tell you how many parameters a function takes.

Handwritten assembly functions may not adhere to any existing standard CC, thereby making each function have its own CC.
In that case, a full reverse engineering of the function is required, along with that of the context surrounding the call sites.

Since there is a SEH handler in the accused function, you are under Windows.

In Windows the prominent CC are:

  • stdcall
  • cdecl
  • borland
  • thiscall

If you look at the call sites and make the assumption that the function doesn't unbalance the stack, you see that the four DWORDs pushed on the stack immediately before the call will be lost immediately after the call (due to the add esp, 10h instruction).
If the function were not to use them, that'd be a pointless operation. In fact, while a lot of malware is made up of numerous long sequences of instructions that turn out to do nothing, this pattern is the textbook signature of the cdecl convention.

It could also have been the thiscall or the fastcall but luckily we see that ecx is loaded and pushed, so it's not an argument on its own (like these two CCs require). Same goes for the borland CC.

Since in cdecl it is the caller that cleans the stack, the add esp, 10h tells us that 10h / 4 = 4 arguments are used.


IDA does its best but, in my experience, it's not an automatic tool.

If you RE just the first part of the function:

.text:005AE50B                 push    ebp
.text:005AE50C                 mov     ebp, esp                    ;Prolog

.text:005AE50E                 push    0FFFFFFFFh
.text:005AE510                 push    offset loc_876BAE           ;Watch this, SEH handlers can be used to escape a debugger
.text:005AE515                 mov     eax, large fs:0
.text:005AE51B                 push    eax
.text:005AE51C                 mov     large fs:0, esp             ;Set SEH handler

.text:005AE523                 sub     esp, 524h                   ;Allocated 524h bytes of stack

.text:005AE529                 mov     eax, [ebp+arg_0]
.text:005AE52C                 mov     ecx, [eax+30h]              ;Common pattern: load a value and access an offset
                                                                   ;this usually is: array (rare, they are iterated),
                                                                   ;struct (possible) or C++ vtable (very likely considering the
                                                                   ;code around the call site)

You see the common pattern where a register is loaded with a value from memory (mov eax, [ebp+arg_0]) and then it is used as an indirect access (mov ecx, [eax+30h]).
This is a pointer access.

As I commented, it's possible that arg_0 is an array, but it seldom happens that code needs to access a random element in an array; you mostly see arrays used in loops.
It could be a struct or it could be a C++ class (which, vtable apart, is the same thing at this level).

Considering this code present at one of the call sites:

.text:004F1058                 push    0
.text:004F105A                 push    0
.text:004F105C                 mov     ecx, [ebp+var_64]
.text:004F105F                 mov     edx, [ecx]
.text:004F1061                 mov     ecx, [ebp+var_64]
.text:004F1064                 call    dword ptr [edx+18h]

where:

  • An indirect call is made through an offsetted register ([edx+18h])
  • ecx is loaded just before the call (Hint: the double loading of ecx means this was compiled with optimizations off).

We can speculate that that's a fastcall to a C++ member function, thus it is likely that the program is a C++ one and hence the arg is a class.

However we cannot tell for sure with the limited sample, it could be a struct in a C++ program or that call could be a COM call.

The alpha thing found by IDA is not related to arg_0 since it is an offset to ebp, thus a local var.

Margaret Bloom