1

I am reverse-engineering a program, and found a member method that looks like this:

```c
int __thiscall sub_40A490(void *this)
{
    return *(_DWORD *)this;
}
```

IDA generated this code, the original assembly looks like this:

```asm
sub_      proc near
          mov     eax, [ecx]
          retn
sub_      endp
```

What is this? If it's a simple cast, why is it a __thiscall?

There are lots of cross-references to this function. For example, we have this one here calling it:

```c
char __cdecl sub_4011B0(int a1, int a2)
{
    char v2; // bl
    int v3; // esi
    _DWORD *v4; // eax
    int v5; // eax

    if ( !a1 || !a2 )
        return 0;
    v2 = byte_593B70[4 * *(_DWORD *)(a1 + 504) + *(_DWORD *)(a2 + 504)];
    if ( !v2 )
    {
        v3 = 0;
        if ( sub_40A490((void *)(a1 + 1196)) > 0 )
        {
            while ( 1 )
            {
                v4 = (_DWORD *)sub_40A480(v3);
                v5 = sub_40A0E0(*v4);
                if ( v5 )
                {
                    if ( *(_DWORD *)(v5 + 44) == *(_DWORD *)(a2 + 44) )
                        return 1;
                }
                else
                {
                    sub_4CE390(v3);
                }
                if ( ++v3 >= sub_40A490((void *)(a1 + 1196)) )
                    return 0;
            }
        }
    }
    return v2;
}
```
Remy Lebeau
geo10
  • 1
    `__thiscall` is not a standard C++ feature. It is [specific to Windows](https://learn.microsoft.com/en-us/cpp/cpp/thiscall). It may be defined on other platforms, if you aren't on Windows you should check your platform's documentation. – François Andrieux Jun 09 '21 at 15:59
  • From a reverse-engineering standpoint, do you have any surrounding context such as functions calling `sub_40A490`, which you can share? – nanofarad Jun 09 '21 at 16:03
  • @Francois this is pseudocode generated by a decompiler. – geo10 Jun 09 '21 at 16:04
  • 2
    `__thiscall` is a calling convention: https://en.wikipedia.org/wiki/X86_calling_conventions#thiscall – erenon Jun 09 '21 at 16:04
  • 7
    @geo10 I missed that part of your question. It looks to me like `sub_40A490` is a member function of some class which returns a `_DWORD` member, which is the first member of the class. – François Andrieux Jun 09 '21 at 16:05
  • 3
    If you compiled `class Foo{DWORD x; public: DWORD getX(){return x;}}`, I would expect it to compile to what you have above. (reading the comments, now, this is what Francois said) – Jeffrey Jun 09 '21 at 16:11
  • `void *this` is not a valid argument specifier in C++. `this` is a keyword, and cannot be used in any other way. The code in the question is some C hack. – Pete Becker Jun 09 '21 at 16:24
  • @FrançoisAndrieux "*`__thiscall` is ... specific to Windows*" - more accurately, to Visual Studio, not to Windows generally. Not all Windows compilers support `__thiscall`. – Remy Lebeau Jun 09 '21 at 16:29
  • 2
    @PeteBecker This was brought up earlier, the code shown is generated by a decompiler. Most of it will look like C hacks, it will depend on compiler specific details. – François Andrieux Jun 09 '21 at 16:30

1 Answer

1

This is probably the solution, from the comments:

"It looks to me like sub_40A490 is a member function of some class which returns a _DWORD member, which is the first member of the class."

– François Andrieux

geo10
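The reading given in the answer, as an added example that is not part of the original post and is not code recovered from the binary: a getter for a class's first member is the same operation as the decompiled `*(_DWORD *)this`, and embedding that class inside a larger object reproduces the `a1 + 1196` pointer arithmetic seen in the caller. The names `IdList` and `Entity`, the array size, and the padding are hypothetical, and treating the field as an element count is an assumption based on the caller using the return value as a loop bound.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical container whose first data member (offset 0) is its count.
class IdList {
    std::uint32_t count_ = 0;
    std::uint32_t ids_[8] = {};
public:
    // Non-inlined on 32-bit MSVC, `this` arrives in ECX, so a getter like
    // this one typically compiles to: mov eax, [ecx] / retn
    int size() const { return static_cast<int>(count_); }
    bool push(std::uint32_t id) {
        if (count_ >= 8) return false;   // refuse to write past the array
        ids_[count_++] = id;
        return true;
    }
};

// Hypothetical owner object. The padding is constructed so the embedded
// list lands at offset 1196, like `a1 + 1196` in the decompiled caller.
struct Entity {
    unsigned char pad[1196];
    IdList list;
};

// What the decompiler shows once type information is gone:
// read the 4 bytes stored at `this`.
int raw_read_first_dword(const void *self) {
    std::int32_t v;
    std::memcpy(&v, self, sizeof v);
    return v;
}

// The caller's view: base pointer plus a constant offset passed as `this`.
int count_via_offset(const Entity &e) {
    const unsigned char *base = reinterpret_cast<const unsigned char *>(&e);
    return raw_read_first_dword(base + offsetof(Entity, list));
}

int main() {
    Entity e{};
    e.list.push(10);
    e.list.push(20);
    std::printf("size()=%d raw=%d offset=%zu\n",
                e.list.size(), count_via_offset(e), offsetof(Entity, list));
    return 0;
}
```

In IDA, defining a structure for the object at offset 1196 and setting the type of `this` to it replaces the raw cast with a named field access in every cross-reference.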