
I am new to reversing. I have stumbled upon a line of code which I am unable to understand.

return (*(_int64(**)(void))(**(_QWORD **)(v1 + 0x3C8) + 0x68LL ))();

The code is for an arm64 lib. So, what I understood is that it's returning a pointer out as an unsigned int64 data type. But, when I try to use it as,

return (unsigned long) ((unsigned long)(v1 + 0x3C8) + 0x68) ;

the result is way out of the unsigned long range; for example, one result is 19985131375820901. Also, _int64 and _QWORD both have a size of 8 bytes, and so does unsigned long. So I am a little confused here about how this is happening. Can anybody help with the correct interpretation of this, please?

Akram Raza
  • This looks a lot like a JNIEnv function call. You can try importing the jni.h header file and retyping v1 to struct JNIEnv; if it's a JNIEnv call it should print the function name. – ahmed mani May 27 '23 at 19:40

1 Answer

v1 + 0x3C8

Yes. This adds 0x3C8 to v1. But you seem to have overlooked something else that happens before 0x68 gets added to it.

(_QWORD **)

The result of this addition gets cast to a pointer to a pointer to a _QWORD. That's what this means in C++.

**

And dereferenced. Twice. That produces a _QWORD, from somewhere. Wherever those pointers lead to.

+0x68LL

And only then does 0x68 get added to whatever you have now.

But you're not done yet. There's still more C++ code left that you need to unravel.

(_int64(**)(void))

This now gets cast to a pointer to a pointer to a function that takes no parameters and returns an _int64.

*

And the pointer dereferenced.

()

And the function call is finally made, which returns an _int64 value.

Sam Varshavchik
  • So, the correct way of doing it should be: `(_int64)getPtr(getPtr(getPtr(getPtr(v1 + 0x3C8)) + 0x68 ))` – Akram Raza Aug 17 '22 at 04:46
  • So after looking a bit into pointers, what I found is that `**` is used to point to a certain address inside a multi-dimensional array, which is what is happening here because this code is actually used to get a pointer to a table. Initially it was 1-D, so it was simply a pointer via (v1 + 0xA0). But now it's multi-dimensional; that's why `**` is being used. But I still don't understand how my reconstruction is wrong. – Akram Raza Aug 17 '22 at 13:06
  • If "looking a bit into pointers" means "run a Google search and read the results", it's not going to work. Google is not a replacement for a C++ textbook. `**` can be used with "multi-dimensional array"s, but that's not what it means. Attempting to reverse-engineer complicated existing code (as I understand to be the source of this question) without fully understanding core C++ fundamental concepts, like pointers, is simply not realistic. – Sam Varshavchik Aug 17 '22 at 17:20
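The pointer chain the answer unravels, as an added worked example in C (not code from the question, the answer, or the binary being reversed). It models an assumed layout chosen so that the decompiled expression resolves: an object whose field at +0x3C8 points at a holder whose first QWORD is the address of a function-pointer table, with the callee in slot 13 (byte offset 0x68). The names `struct object`, `struct holder`, `struct fn_table`, `target_function`, `other_function` and the return value 0x1234 are all made up for the demonstration. The block evaluates the decompiler's line verbatim, the same chain step by step in the order the answer gives, the form the decompiler would show once v1 is retyped to a struct (as the comment on the question suggests), and the arithmetic-only reconstruction from the question, which performs no dereference and no call and so yields the address v1 + 0x430 rather than the called function's return value.

```c
/* Added example (not from the question or the answer): a model of the pointer chain in
 *   return (*(_int64(**)(void))(**(_QWORD **)(v1 + 0x3C8) + 0x68LL))();
 * The layout below is an assumption made so that the expression resolves; real binaries differ. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hex-Rays style helper types, as they appear in the decompiler output. */
typedef uint64_t _QWORD;
typedef int64_t  _int64;

/* Assumed table: slot 13 sits at byte offset 13 * 8 = 0x68. */
struct fn_table { _int64 (*slot[16])(void); };
/* Assumed object found two hops in; its first QWORD is the table's address. Kept as a raw
 * _QWORD so the model reads it with the same type the decompiled expression uses. */
struct holder   { _QWORD table; };
/* Assumed object v1 points at; the pointer to the holder lives at +0x3C8. */
struct object   { unsigned char pad[0x3C8]; struct holder *h; };

_Static_assert(13 * sizeof(((struct fn_table *)0)->slot[0]) == 0x68, "slot 13 must be at +0x68");
_Static_assert(offsetof(struct object, h) == 0x3C8, "holder pointer must be at +0x3C8");

/* Hypothetical callees; target_function is the one installed in slot 13. */
static _int64 target_function(void) { return 0x1234; }
static _int64 other_function(void)  { return -1; }

static struct fn_table g_table;
static struct holder   g_holder;
static struct object   g_object;

/* Wire up object -> holder -> table -> target_function and hand the object back untyped, like v1. */
static uint8_t *build_object(void)
{
    for (size_t i = 0; i < 16; i++) g_table.slot[i] = other_function;
    g_table.slot[13] = target_function;
    g_holder.table = (_QWORD)(uintptr_t)&g_table;
    memset(&g_object, 0, sizeof g_object);
    g_object.h = &g_holder;
    return (uint8_t *)&g_object;
}

/* The decompiler's line, unchanged apart from v1 being a byte pointer. */
static _int64 decompiled(uint8_t *v1)
{
    return (*(_int64(**)(void))(**(_QWORD **)(v1 + 0x3C8) + 0x68LL))();
}

/* The same expression taken apart in the order the answer describes. */
static _int64 step_by_step(uint8_t *v1)
{
    _QWORD **field  = (_QWORD **)(v1 + 0x3C8);      /* v1 + 0x3C8, cast to pointer to pointer to _QWORD */
    _QWORD  *holder = *field;                        /* first dereference: the holder object */
    _QWORD   table  = *holder;                       /* second dereference: the table's address, as a _QWORD */
    _QWORD   slot   = table + 0x68;                  /* only now is 0x68 added: the address of slot 13 */
    _int64 (**fpp)(void) = (_int64 (**)(void))slot;  /* cast to pointer to pointer to function */
    _int64 (*fp)(void)   = *fpp;                     /* dereference: the function pointer itself */
    return fp();                                     /* the call; its return value is what the line returns */
}

/* What the decompiler would show once v1 is retyped as struct object *. */
static _int64 retyped(struct object *o)
{
    struct fn_table *t = (struct fn_table *)(uintptr_t)o->h->table;
    return t->slot[13]();
}

/* The reconstruction from the question: arithmetic only, no dereference and no call, so it
 * returns the address v1 + 0x430 rather than anything the function returned. */
static unsigned long naive(uint8_t *v1)
{
    return (unsigned long)((unsigned long)(v1 + 0x3C8) + 0x68);
}

int main(void)
{
    uint8_t *v1 = build_object();
    printf("decompiled   = 0x%llx\n", (unsigned long long)decompiled(v1));
    printf("step_by_step = 0x%llx\n", (unsigned long long)step_by_step(v1));
    printf("retyped      = 0x%llx\n", (unsigned long long)retyped((struct object *)v1));
    printf("naive        = 0x%lx (v1 + 0x430 = 0x%lx)\n", naive(v1), (unsigned long)(uintptr_t)(v1 + 0x430));
    return (decompiled(v1) == 0x1234 && step_by_step(v1) == 0x1234) ? 0 : 1;
}
```

The three dereferencing variants all land on `target_function` and return 0x1234, while `naive` returns a pointer value, which is why its results look nothing like a function's return value. The holder stores the table address as a `_QWORD` rather than a typed pointer so that the verbatim expression and the model read the same memory with the same type; in a real target the decompiler would show proper struct member accesses instead of this chain once v1 is given a struct type.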