
Thread: Generic IDAPro/ASM questions...

  1. #1
    midnitrcr
    Guest

    Generic IDAPro/ASM questions...

    In IDA I have seen the parameter listing inside functions contain any of the following...

    arg_0
    arg_C
    var_1
    var_2
    var_3

    I'm assuming there is some sort of logic to the naming convention, but I haven't figured it out.

    Also, what register do *return* values for functions get placed in? For instance a program that looks like the following...

    push [ebp+var_1]
    push [ebp+var_2]
    call function_12345

    ...where the function would take those two parameters, manipulate them and return execution to the calling segment.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Polaris (Master Of Nebulah Frost)
    Join Date: Jun 2002
    Location: Invincible Cyclones Of FrostWinds
    Posts: 221
    Quote Originally Posted by midnitrcr
    In IDA I have seen the parameter listing inside functions contain any of the following...

    arg_0
    arg_C
    var_1
    var_2
    var_3

    I'm assuming there is some sort of logic to the naming convention, but I haven't figured it out.
    It is quite simple, indeed... The "arg_" prefix is used for passed arguments (positive offsets), while the "var_" prefix is used for local vars (negative offsets). Then the offset address is used to complete the name.

    Quote Originally Posted by midnitrcr
    Also, what register do *return* values for functions get placed in? For instance a program that looks like the following...

    push [ebp+var_1]
    push [ebp+var_2]
    call function_12345

    ...where the function would take those two parameters, manipulate them and return execution to the calling segment.
    This heavily depends on compiler specifications; usually using the accumulator register (EAX).

    HTH,

    Polaris
    Stand In The Fog With So Cold A Heart... Watching The Death Of The Sun...

  3. #3
    evaluator (Musician member)
    Join Date: Sep 2001
    Posts: 1,479
    Blog Entries: 1
    arg_C probably = argument at [ebp+0Ch]..

    return can be anywhere where code will want.. go there & look

  4. #4
    Registered User
    Join Date: Mar 2004
    Location: maze of twisty little passages, all alike
    Posts: 133
    There are various calling conventions that define how return values are handled, but as has been pointed out, a function can return a value any way it wants to. It can even not return at all, or return to somewhere other than where it came from, as I'm sure you'll discover if/when you play around with packers/crypters. But, probably 99% of the time, something will be returned in EAX, even if it's just a status code that indicates success or a failure code. The only way to know for sure is to look at the function and see what registers are referenced and modified by the code. It could also return values by modifying data in memory. Look for any memory addresses that are pushed as arguments to the function. Variables and structures in memory that are passed by address could have their contents modified. A function could also modify the contents of a global variable without having the address passed to it.

    On a related note, you can rename the variables and arguments in IDA, although I don't know if you can change the default naming convention. So if you've figured out that var_4 is the serial number, you can call it that. If you look at the top of a subroutine, IDA provides a variable legend for you. Something like:
    Code:
    .text:00401320 LocalFileTime   = _FILETIME ptr -0C4h
    .text:00401320 Time            = SYSTEMTIME ptr -0BCh
    .text:00401320 lParam          = dword ptr -0A8h
    .text:00401320 var_A4          = dword ptr -0A4h
    .text:00401320 var_A0          = dword ptr -0A0h
    ...
    .text:00401320 hWnd            = dword ptr  4
    .text:00401320 FileTime        = FILETIME ptr  8
    .text:00401320 arg_C           = dword ptr  10h
    .text:00401320 arg_10          = dword ptr  14h
    ...
    As you can see, the arg_X names seem to be off by 4, for some reason, and it automatically assigns descriptive names (and types) when an argument or variable is only used as an argument to some API call that IDA recognizes.
    The debugging of a thousand lines of code begins with a single-step.

    "It has always therefore been one of my main endeavors as a teacher to persuade the young that first-hand knowledge is not only more worth acquiring than second-hand knowledge, but is usually much easier and more delightful to acquire." -- C.S. Lewis

    I think I can, I think I can, I think I can...
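The naming rule Polaris describes in #2 and the "off by 4" that #4 notices in the legend are the same convention seen from two sides. As an added illustration (not code from anyone in this thread), the Python below models how IDA derives its default var_/arg_ names on 32-bit x86: a slot below the frame base becomes var_N with N the distance below it, a slot above the saved-register region and the 4-byte return address becomes arg_N with N counted from the first argument. The parser and the legend sample are constructed for this example; the sample is the legend quoted in #4, which is an esp-based frame (no saved ebp), so only the return address sits between the base and hWnd, and that is the 4 bytes the arg_X names are "off" by. For an ebp-based frame the saved ebp adds another 4, which is why those functions show arg_0 = dword ptr 8.

```python
import re

# On 32-bit x86 the return address pushed by CALL is always 4 bytes; the
# saved-register region IDA keeps above it is 4 for a push ebp / mov ebp, esp
# prologue and 0 for an esp-based function (assumption used throughout).
RET_ADDR_SIZE = 4


def ida_auto_name(frame_offset, saved_regs_size=4, ret_addr_size=RET_ADDR_SIZE):
    """Default var_/arg_ name for a slot at frame_offset (bytes from the frame base).

    Locals sit below the base (negative offsets); arguments sit above the saved
    registers and the return address. Slots in between have no default name.
    """
    if frame_offset < 0:
        return "var_%X" % (-frame_offset)          # e.g. -0A4h -> var_A4
    arg_base = saved_regs_size + ret_addr_size
    if frame_offset >= arg_base:
        return "arg_%X" % (frame_offset - arg_base)  # e.g. 10h with base 4 -> arg_C
    return None                                     # saved register or return address


def parse_ida_offset(text):
    """Parse an IDA offset literal ('4', '10h', '-0C4h') into an int."""
    text = text.strip()
    sign = -1 if text.startswith("-") else 1
    text = text.lstrip("-")
    if text.lower().endswith("h"):
        return sign * int(text[:-1], 16)
    return sign * int(text, 10)


# Matches one legend line: optional 'seg:addr', name, '=', optional type, 'ptr', offset.
LEGEND_RE = re.compile(
    r"^(?:\S+:[0-9A-Fa-f]+\s+)?(\w+)\s*=\s*(?:\w+\s+)?ptr\s+(-?[0-9A-Fa-f]+h?)\s*$"
)


def parse_frame_legend(lines):
    """Turn IDA stack-frame legend lines into {name: frame_offset}; skips '...' lines."""
    frame = {}
    for line in lines:
        m = LEGEND_RE.match(line.strip())
        if m:
            frame[m.group(1)] = parse_ida_offset(m.group(2))
    return frame


def infer_saved_regs_size(frame):
    """Recover the saved-register region size from any slot still carrying a
    default arg_N name: offset - N - return address size. None if no such slot."""
    for name, off in frame.items():
        m = re.fullmatch(r"arg_([0-9A-F]+)", name)
        if m:
            return off - int(m.group(1), 16) - RET_ADDR_SIZE
    return None


def check_auto_names(frame, saved_regs_size):
    """Map each legend name to the default IDA would have used for that slot.

    Where the two differ (hWnd vs arg_0, lParam vs var_A8) the slot was renamed,
    either by the analyst or by IDA's type propagation from a recognised API call.
    """
    return {name: ida_auto_name(off, saved_regs_size) for name, off in frame.items()}


# Constructed sample: the legend quoted in post #4 of this thread.
SAMPLE_LEGEND = """\
.text:00401320 LocalFileTime   = _FILETIME ptr -0C4h
.text:00401320 Time            = SYSTEMTIME ptr -0BCh
.text:00401320 lParam          = dword ptr -0A8h
.text:00401320 var_A4          = dword ptr -0A4h
.text:00401320 var_A0          = dword ptr -0A0h
...
.text:00401320 hWnd            = dword ptr  4
.text:00401320 FileTime        = FILETIME ptr  8
.text:00401320 arg_C           = dword ptr  10h
.text:00401320 arg_10          = dword ptr  14h
...
""".splitlines()


if __name__ == "__main__":
    frame = parse_frame_legend(SAMPLE_LEGEND)
    saved = infer_saved_regs_size(frame)
    print("saved-register region: %d bytes (esp-based frame)" % saved)
    for name, auto in check_auto_names(frame, saved).items():
        print("%-14s offset %6s  default name %s" % (name, "%+#x" % frame[name], auto))
```

Running it shows hWnd at offset 4 would have been arg_0 and FileTime at 8 would have been arg_4, matching #4's remark that the arg_X names trail the listed offsets by the 4-byte return address; the same function with saved_regs_size=4 reproduces the arg_0 = dword ptr 8 layout of an ebp-based frame.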

  5. #5
    About calling conventions:

    http://www.codeproject.com/cpp/calling_conventions_demystified.asp

    Tom

  6. #6
    midnitrcr
    Guest
    Thanks for the input guys... Nice to find a place that people actually understand what the hell it is I'm talking about and can give some solid answers.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    ColdWinterWind
    Guest
    It's always good to not have to dumb-yourself-down, or spend so much time Explaining-to-Lucy that you forget your original thought!

    Now if I could just find a decompiler so I'll know what my teenaged kids are talking about!
    I promise that I have read the FAQ and tried to use the Search to answer my question.
