I decompiled a .so file in ghidra and I found a line of code :

puVar24 = (ulong *)(pbVar12 + 0x10);

pbVar12 type : byte *

0x10 type : int

So if we can concatenate byte* with int, how do we do that in Python?

Meendufski
  • What does “concatenate” mean; do you mean *added*? (Numbers can’t be “concatenated” in Python either; nor does Python have a byte* type.) – user2864740 Oct 04 '21 at 03:05
  • I mean '+' in the code ( puVar24 = (ulong *)(pbVar12 + 0x10); ) – Meendufski Oct 04 '21 at 03:06
  • That's address arithmetic. It says "take the address 16 bytes from pbVar12 and store it in puVar24". Since Python doesn't have pointers, there's no way to convert this to Python code. – Tim Roberts Oct 04 '21 at 03:07
  • @TimRoberts Oh, thanks! So we can't implement this in Python? – Meendufski Oct 04 '21 at 03:08
  • I am a noob in C++, sorry! – Meendufski Oct 04 '21 at 03:09
  • Depends on what “this” means. While Python lacks the notion of C pointers (so it isn’t generally convertible), there are modules that allow dealing with binary data in “C-like ways” (one method https://docs.python.org/3/library/struct.html). – user2864740 Oct 04 '21 at 03:10
  • You can't implement that instruction. In general, converting C to Python is tricky, because C applications tend to work with raw memory and manipulate pointers, which don't exist in Python. You need to figure out what the code does, and not look at each statement. – Tim Roberts Oct 04 '21 at 03:12

1 Answer

This isn't really a C++ issue but a very down-to-earth C feature: pointer arithmetic. pbVar12 is not a byte or char or anything. The * very much indicates that it's a pointer to byte. Sometimes, pointers are really confusing:

  1. pbVar12 is an address in memory: if you imagine memory as a long street, then every cell in memory corresponds to a house and each house has house numbers. And pbVar12 stores this number.
  2. Pointers allow something kind-of unexpected in C: you can add numbers to them. So if pbVar12 is, say 0x1337 and you add 0x10, the result will be 0x1347. Within the metaphor: you start with house number 0x1337 and progress 0x10 houses "up the street" ending up at house 0x1347.
  3. I didn't lie in the previous point, but I left out a detail that only matters in a more general situation: when you add a number x to a pointer p, the result is not just p plus x but p plus x multiplied by the size of the referenced data type. The referenced data type here is byte, which has a size of 1, so this detail doesn't matter. If pbVar12 weren't a pointer to byte but to, say, float, the result would be 0x1377 instead, because float has a size of 4 (0x1337 + 0x10 * 4 = 0x1377). Stretching the metaphor a bit now, I suppose, but you can imagine that in this general case the pointer points not to a street of single houses but to a street of building complexes, where each complex is so big that it has multiple house numbers (4 in this case). And "progressing one house" actually means skipping 4 house numbers.

Now that we have the low-level details straight, I'll give a bit more context and an explanation in the reversing context: this kind of pointer arithmetic is used by C internally when working with arrays. The notation a[i] is actually just syntactic sugar for *(a + i) (which reads as "add i to the pointer a and dereference the result").

So if I had to guess, I'd assume that pbVar12 actually is an array of unsigned long and the + 0x10 actually means indexing it at position 4 (0x10 = 16 = 4 * 4). Or to phrase this in a short C snippet:

unsigned long *puVar24;       /* pointer to an unsigned long */
unsigned long pbVar12[123];   /* array of unsigned long */
puVar24 = &pbVar12[4];        /* same as pbVar12 + 4: address of element 4 */

You also mentioned Python, so I'll lose a few more words about that: I assume you are trying to re-implement some code you saw in Ghidra in Python, maybe because you want to emulate some behavior. The confusion now is that you don't actually work with data and numbers directly but with references to memory addresses. So you actually would need to understand how puVar24 is used later and need to read the corresponding 4 bytes of memory located at pbVar12 + 4 (or pbVar12 + 16 if pbVar12 really turns out to be a byte array as opposed to a float array).

born
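Emulating the decompiled line in Python, as an added example that is not part of the original answer: it treats pbVar12 as an offset into a constructed bytes buffer standing in for process memory, scales the `+ n` by the pointee size the way C does (so the same function also covers the float* case from the answer), and dereferences the resulting ulong* with the struct module. The buffer contents, base offset 0, and an 8-byte little-endian unsigned long are assumptions.

```python
import struct

# Constructed sample "memory": 32 bytes standing in for the region pbVar12
# points at. Offsets 0x10..0x17 hold 0x1122334455667788 little-endian,
# the rest is filler.
MEMORY = bytes(range(16)) + struct.pack("<Q", 0x1122334455667788) + bytes(8)


def ptr_add(ptr, n, elem_size):
    """C pointer arithmetic: ptr + n advances by n * sizeof(*ptr) bytes.
    elem_size is 1 for byte*, 4 for float*, 8 for unsigned long* on LP64."""
    return ptr + n * elem_size


def read_ulong(memory, addr, size=8):
    """Dereference a ulong* at addr: decode `size` bytes as an unsigned
    little-endian integer (assumed width; 4 for ILP32, 8 for LP64)."""
    if addr < 0 or addr + size > len(memory):
        raise IndexError(f"read of {size} bytes at {addr:#x} is out of bounds")
    fmt = "<Q" if size == 8 else "<I"
    return struct.unpack_from(fmt, memory, addr)[0]


def emulate_line(memory, pbVar12):
    """puVar24 = (ulong *)(pbVar12 + 0x10); followed by *puVar24.
    pbVar12 is a byte*, so the + 0x10 is unscaled (elem_size 1)."""
    puVar24 = ptr_add(pbVar12, 0x10, elem_size=1)
    return puVar24, read_ulong(memory, puVar24)


if __name__ == "__main__":
    addr, value = emulate_line(MEMORY, 0)  # pbVar12 = start of the buffer
    print(f"puVar24 = {addr:#x}, *puVar24 = {value:#x}")
    # the answer's float* case: 0x1337 + 0x10 * sizeof(float)
    print(f"float* arithmetic: {ptr_add(0x1337, 0x10, 4):#x}")
```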