1

I'm trying to understand how function calls are represented in Hex Rays' pseudocode, especially if the call expects pointers to objects.

Let's say I'm looking at a line of code in a function called MyObject1::Start():

MyObject2::doSomething(*((_DWORD *)this + 38), (char *)this + 104);

Does this mean, it calls the function doSomething of MyObject2 and passes two references to members of MyObject1 as arguments?

If that's the case, how can I identify these passed members? E.g. what's meant by "this + 38"?

Improve this question

1 Answer 1

Reset to default
2

this+38 and this+104 are most likely data members of the current object.

You can figure out what they mean by looking up the context in which they are used.
Take this code for example

int a;
for(int i = 0;i < strlen(this+38); i++){
   if((this+38)[i] == 'a'){
      a++
   }
}

To figure out what's a, you need to see in what context it is used. Here you can clearly see that a is being incremented every time the character 'a' appears in (this+38), from that you can infer that (this+38) is a char array and that a variable counts how many 'a' appear in this+38 (string)

Improve this answer
4
  • Thanks for explaining. I'm wondering if there's a way to figure out the actual identity of these data members. Don't they get initialized in the object's constructor? Commented Feb 17, 2018 at 12:15
  • What do you mean identity? their name cannot be found unless it is included in the binary. most of that type of data (names, function args) is stripped away once you compile. Commented Feb 17, 2018 at 17:56
  • Okay, but then I can at least assume that "this+38" is the same across all members of the class, can't I? Commented Feb 17, 2018 at 18:05
  • You can assume given that it's object of the same class. IDA has a structures tab where you can define structures and it'll make reversing a lot easier for you. Commented Feb 17, 2018 at 18:06

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.