
Playing with Ghidra and there is this statement on the disassembly display that I don't understand.

(**(code **)

For example in this context:

int *piVar1;
int iVar2;

uVar3 = (**(code **)(*piVar1 + 8))(iVar2);

The internet did not have any good results due to that pointer operator that the search engine doesn't accept.

Aedn
    Looks like it treats `(*piVar1 + 8)` as a pointer to a pointer to a function and then calls that? The original assembly is probably more explicit. You should edit your question to include it. – Botje Nov 30 '22 at 20:58
  • Might be an idea to post the associated assembly instructions. – Richard Critten Nov 30 '22 at 20:58
  • Could this be a virtual function call of C++ code? `piVar1` is a pointer to the object. It contains the *vtable* at the start. Within the *vtable*, the function at offset 8 is looked up and then called with `iVar2` as the argument. – Codo Nov 30 '22 at 21:45

1 Answer


code is not a C keyword or reserved identifier. From context, it looks like Ghidra is using it as a generic representation of a function, such that code ** means pointer to pointer to function. Ghidra might do this because without knowing the function's return type, it cannot form a correct function-pointer type name for it. Or perhaps it just thinks the form it is using is clearer.

In any case, in C, this expression ...

(**(code **)(*piVar1 + 8))(iVar2)

... is a function call, with (**(code **)(*piVar1 + 8)) as function designator and with iVar2 as argument. Presumably, the double dereference is present in the binary code, and Ghidra invents the (code **) cast to make it sensible. It follows that *piVar1 + 8 is (used as) a pointer to a pointer to a function, so overall that looks like a function being called via a dispatch table.

A call to a C++ member function via an object's vtable might look much like that, but the same general form might be used in certain C code, too.

John Bollinger
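A C model of the dispatch the answer describes, added here as an example (it is not part of the question, the answer, or Ghidra's output). The `code` typedef, the three slot functions, the table and the object layout are all constructed assumptions chosen so that Ghidra's expression compiles and can be compared against the plain indexed form:

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* 'code' stands in for Ghidra's generic function type. Assumption: this
 * typedef is ours, not Ghidra's; it just makes 'code **' a legal C type. */
typedef unsigned int code(int);

/* Constructed methods so the dispatch can be observed. */
static unsigned int slot0(int x) { return (unsigned int)x + 1; }
static unsigned int slot1(int x) { return (unsigned int)x * 2; }
static unsigned int slot2(int x) { return (unsigned int)x * 3; }

/* The dispatch table ("vtable"): an array of function pointers. A byte offset
 * of 8 lands on slot 1 with 8-byte pointers and on slot 2 with 4-byte pointers. */
static code *vtable[] = { slot0, slot1, slot2 };

/* Object layout: first word is the vtable pointer, as in a typical C++ object. */
struct object { code **vtbl; int payload; };

/* Literal reading of Ghidra's (**(code **)(*piVar1 + 8))(iVar2):
 * load the first word of the object, add 8 bytes, treat the result as a
 * pointer to a function pointer, dereference twice, call with the argument. */
unsigned int call_via_offset8(const void *piVar1, int iVar2) {
    unsigned char *vt;
    memcpy(&vt, piVar1, sizeof vt);          /* *piVar1: the vtable pointer */
    return (**(code **)(vt + 8))(iVar2);     /* + 8, cast, deref twice, call */
}

/* The same dispatch written as a C programmer would: index the table by slot. */
unsigned int call_via_slot(const struct object *obj, size_t slot, int arg) {
    return obj->vtbl[slot](arg);
}

/* Which slot a byte offset selects on this target's pointer width. */
size_t slot_for_offset(size_t byte_offset) { return byte_offset / sizeof(code *); }

int main(void) {
    struct object obj = { vtable, 42 };
    printf("offset 8 -> slot %zu -> %u\n",
           slot_for_offset(8), call_via_offset8(&obj, 5));
    return 0;
}
```

The raw form and the indexed form call the same function; which slot "offset 8" means depends on the pointer width of the binary Ghidra was analysing, so check that before naming the virtual method.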