2014-02-23 44 views
0

Decompile - _thiscall expression

I am using Hex-Rays' IDA Pro to decompile a binary. I have this switch:

case 0x35: 
    CField::OnDesc_MAYB(v6, a6); 
    break; 
case 0x36: 
    (*(void (__thiscall **)(_DWORD, _DWORD))(*(_DWORD *)(a1 - 8) + 28))(a1 - 8, a6); 
    break; 
case 0x3A: 
    CField::OnWarnMessage(v6, a6); 
    break; 

If you look at case 0x36:, I don't understand this statement. Usually I just point at the function and use the F5 shortcut to decompile it, but I don't understand what this statement means. How can I decompile it to see its code?

Thanks.

+0

Not that I'm afraid of any answer, but can you tell what it is you are trying to disassemble/decompile? –

Answer

1

Case 0x36 is calling a virtual function, or at least Hex-Rays thinks it is. Consider the following pseudo C++ code (reinterpret_casts omitted for simplicity, etc.), which deconstructs that line.

// IDA's _DWORD is a 32-bit unsigned integer; byte is an unsigned char
typedef unsigned int _DWORD;
typedef unsigned char byte;
// in VC++, 'this' is usually passed via ECX register
typedef void (__thiscall* member_function_t)(_DWORD this_ptr, _DWORD arg_0);
// a1's declaration wasn't included in your post, so I'm making an assumption here
byte* a1 = address_of_some_child_object;
// It would appear a1 is a pointer to an object which has multiple vftables (due to multiple inheritance/interfaces)
byte*** base_object = (byte***)(a1 - 8);
// Dereference the pointer at a1[-8] to get the base's vftable pointer (constant list of function pointers for the class's virtual funcs)
// a1[0] would probably be the child/interface's vftable pointer
byte** base_object_vftable = *base_object;
// +28 is a byte offset into the vftable: 28/sizeof(void*) = index 7, i.e. the 8th virtual function
byte* base_object_member_function = base_object_vftable[28 / sizeof(void*)];
auto member_function = (member_function_t)base_object_member_function;
// case 0x36 simplified using a __thiscall function pointer
member_function((_DWORD)base_object, a6);

Broken down:

(
    *(
     void (__thiscall **)(_DWORD, _DWORD) 
    ) 
    (* 
     (_DWORD *)(a1 - 8) + 28 
    ) 
) 
(a1 - 8, a6); 

If you are not familiar with the __thiscall calling convention, or with how virtual functions are usually implemented in C++, you should read up on them before attempting to reverse engineer projects which use them.

You can start with these:
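To see that pointer walk actually execute, here is an added example (my own C, not the answerer's code) that hand-builds the layout the answer describes: a base vftable pointer 8 bytes before a1, and the callee taken from slot 7 of that table (byte offset 28 on the post's 32-bit target, written here as 7 * sizeof(void *) so it runs on any host). The object layout, vftable contents and plain C calling convention (instead of __thiscall) are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Virtual function signature used by the constructed vftable. The post's
 * target is 32-bit __thiscall; plain C convention is used here so the example
 * runs anywhere, the dispatch arithmetic is identical. */
typedef void (*vfunc_t)(void *this_ptr, uint32_t arg);

/* Record of the last dispatch, so the result can be checked after the call. */
static const void *g_last_this; static uint32_t g_last_arg;
static int g_last_slot = -1;

static void vslot_other(void *t, uint32_t a) { g_last_this = t; g_last_arg = a; g_last_slot = 0; }
static void vslot_7(void *t, uint32_t a)     { g_last_this = t; g_last_arg = a; g_last_slot = 7; }

/* Constructed base-class vftable: eight entries; slot 7 is the one the
 * decompiled byte offset selects (28 / sizeof(void *) == 7 on 32-bit). */
static vfunc_t g_base_vftable[8] = {
    vslot_other, vslot_other, vslot_other, vslot_other,
    vslot_other, vslot_other, vslot_other, vslot_7,
};

/* Resolve the callee exactly as the expression does:
 *   *(_DWORD *)(a1 - this_adjust) -> base subobject's vftable pointer,
 *   + vft_byte_off                -> one entry inside that table. */
vfunc_t resolve_virtual(const uint8_t *a1, size_t this_adjust, size_t vft_byte_off) {
    const uint8_t *base = a1 - this_adjust;                      /* (a1 - 8)            */
    vfunc_t *vft;
    memcpy(&vft, base, sizeof vft);                              /* *(_DWORD *)(a1 - 8) */
    vfunc_t fn;
    memcpy(&fn, (const uint8_t *)vft + vft_byte_off, sizeof fn); /* ... + 28            */
    return fn;
}

/* The call in case 0x36: callee(base_this, a6), with 'this' adjusted to the base. */
void dispatch_case_0x36(uint8_t *a1, uint32_t a6) {
    vfunc_t fn = resolve_virtual(a1, 8, 7 * sizeof(void *));
    fn(a1 - 8, a6);
}

/* Build a constructed object in raw storage: base vftable pointer at offset 0,
 * a1 pointing 8 bytes further in, where the child/interface part begins. */
uint8_t *make_object(uint8_t *storage) {
    vfunc_t *vft = g_base_vftable;
    memcpy(storage, &vft, sizeof vft);
    return storage + 8;
}

int last_slot(void) { return g_last_slot; }
const void *last_this(void) { return g_last_this; }
uint32_t last_arg(void) { return g_last_arg; }
```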