Hi nummish,
I haven't even looked at it, but did you check what those two calls do?
There has to be some stack pointer modification/maths somewhere in them.
IDA used to be pretty good at following these things.
I know I'm giving no answer and not being helpful, but if you would like
to tell me what binary you are looking at, I could check it myself and
come back to you.
Cheers,
Sergio
nummish wrote:
> This is more of an IDA question, but before I go to openrce I figured
> I'd check here first. I'm working on a variable traceback function. It
> is simplistic and doesn't have delusions of grandeur, so when it sees
> the stack pointer has changed, it bails. On going back through the
> points where it bails (it conveniently adds a marked position until
> all 1024 slots are full) I noticed something strange about the spd.
>
> At 0x0016A282, the stack offset is 0x4C and drops to 0x48 after the
> call (technically rises, but let's not be pedantic) but then later to
> another call to msgSend at 0x0016A294 it doesn't modify the stack
> offset. Is this some IDA weirdness that's correctable/preventable?
> Does IDA know something about some unnamed class's superview property?
> If so, how can I get these same psychic powers?
>
> __text:0016A26A sub_16A26A proc near ; DATA XREF: __inst_meth:002A753C
> __text:0016A26A
> __text:0016A26A msgSend_recipient= dword ptr -48h
> __text:0016A26A msgSend_selector= dword ptr -44h
> __text:0016A26A var_40 = dword ptr -40h
> __text:0016A26A var_3C = dword ptr -3Ch
> __text:0016A26A var_2C = dword ptr -2Ch
> __text:0016A26A var_28 = byte ptr -28h
> __text:0016A26A var_1C = dword ptr -1Ch
> __text:0016A26A var_C = dword ptr -0Ch
> __text:0016A26A arg_0 = dword ptr 8
> __text:0016A26A
> __text:0016A26A 000 push ebp
> __text:0016A26B 004 mov ebp, esp
> __text:0016A26D 004 sub esp, 48h
> __text:0016A270 04C mov eax, [ebp+arg_0]
> __text:0016A273 04C mov edx, [eax+8]
> __text:0016A276 04C mov eax, ds:off_2878C8
> __text:0016A27B 04C mov [esp+48h+msgSend_recipient], edx
> __text:0016A27E 04C mov [esp+48h+msgSend_selector], eax
> __text:0016A282 04C call _objc_msgSend ; [[eax+8] superview]
> __text:0016A287 048 mov edx, ds:off_2878C8
> __text:0016A28D 048 mov [esp+44h+var_40], edx
> __text:0016A291 048 mov [esp+44h+msgSend_selector], eax
> __text:0016A294 048 call _objc_msgSend
> __text:0016A299 048 mov edx, ds:off_28819C
> __text:0016A29F 048 lea ecx, [ebp+var_28]
> __text:0016A2A2 048 mov [esp+44h+msgSend_selector], ecx
> __text:0016A2A5 048 mov [esp+44h+var_3C], edx
> __text:0016A2A9 048 mov [esp+44h+var_40], eax
> __text:0016A2AD 048 call _objc_msgSend_stret
> __text:0016A2B2 048 mov eax, [ebp+var_1C]
> __text:0016A2B5 048 mov [ebp+var_C], eax
> __text:0016A2B8 048 movss xmm0, [ebp+var_C]
> __text:0016A2BD 048 sub esp, 4
> __text:0016A2C0 04C subss xmm0, ds:dword_26CAC0
> __text:0016A2C8 04C movss [ebp+var_2C], xmm0
> __text:0016A2CD 04C fld [ebp+var_2C]
> __text:0016A2D0 04C leave
> __text:0016A2D1 000 retn
> __text:0016A2D1 sub_16A26A endp
> _______________________________________________
> XSO mailing list
> XSO at 0x90.org
> http://0x90.org/mailman/listinfo/xso
--
Sergio 'shadown' Alvarez
Security Researcher
===============================
email: shadown at gmail.com
gpg : F140 A2E4 1675 BDB6 9FE4 F53A 7969 7104 75CD B86E
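One way to flag exactly what nummish ran into, as an added example that is not code from this thread or from IDA: a small parser for the pasted IDA listing shape (segment:address, three-hex-digit spd column, instruction) that compares IDA's spd value with the stack change the instruction itself explains, so a traceback routine can tell a `sub esp` from a call that IDA has silently assigned a stack purge to. It assumes a 32-bit ebp frame and uses sample lines constructed from the quoted listing.

```python
import re

# Constructed sample in the shape of the quoted IDA listing: segment:address,
# IDA's stack-pointer-delta (spd) column, instruction. Not the full function.
LISTING = """\
> __text:0016A26A 000 push ebp
> __text:0016A26B 004 mov ebp, esp
> __text:0016A26D 004 sub esp, 48h
> __text:0016A282 04C call _objc_msgSend ; [[eax+8] superview]
> __text:0016A294 048 call _objc_msgSend
> __text:0016A2BD 048 sub esp, 4
> __text:0016A2D0 04C leave
> __text:0016A2D1 000 retn
"""
LINE = re.compile(r"^__\w+:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{3})\s+(.*?)(?:\s*;.*)?$")

def parse(listing):
    """Return (addr, spd, mnemonic, operands); header and stack-variable lines are skipped."""
    insns = []
    for raw in listing.splitlines():
        m = LINE.match(raw.lstrip("> ").strip())
        if m:
            mnem, _, ops = m.group(3).partition(" ")
            insns.append((int(m.group(1), 16), int(m.group(2), 16), mnem.lower(), ops.strip()))
    return insns

def explicit_delta(mnem, ops):
    """Stack change the instruction itself accounts for, in IDA's sign convention."""
    if mnem in ("push", "pop"):
        return 4 if mnem == "push" else -4
    if mnem in ("sub", "add") and ops.lower().startswith("esp,"):
        n = ops.split(",", 1)[1].strip()
        n = int(n[:-1], 16) if n.endswith("h") else int(n)
        return n if mnem == "sub" else -n
    return 0  # call, mov, leave, ...: nothing visible in the instruction

def implicit_adjustments(insns):
    """Addresses where IDA's spd moves by an amount the instruction does not explain."""
    found, frame_spd = [], None
    for (addr, spd, mnem, ops), (_, nxt, _, _) in zip(insns, insns[1:]):
        if mnem == "mov" and ops.replace(" ", "").lower() == "ebp,esp":
            frame_spd = spd                       # esp here becomes the frame base
        if mnem == "leave" and frame_spd is not None:
            expected = frame_spd - 4              # mov esp, ebp ; pop ebp
        else:
            expected = spd + explicit_delta(mnem, ops)
        if nxt != expected:
            found.append((addr, mnem, nxt - expected))
    return found
```

Run over the sample, the only hit is the first `call _objc_msgSend`, reported with the unexplained -4; a traceback routine can treat such hits as IDA-assigned purges to review rather than real stack moves.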