Hey, I've looked at it; as you said, weird. I see you are still looking at
Mail.app at the method (float)verticalPageScrollDistance of
WebMessageDisplay, that is the only one that does that from that class
in IDA, and yes, I'm wondering why it got 'confused'. Did you have the
chance to debug the program to check if IDA is right or not?
Sergio 'shadown' Alvarez wrote:
> Hi nummish,
>
> I haven't even looked at it but, did you check what those two calls do?
> There has to be some stack pointer modification/maths somewhere in them.
> IDA used to be pretty good at following these things.
>
> I know I'm giving no answer and not being helpful, but if you would like
> to tell me what binary you are looking at, I could check it myself and
> come back to you.
>
> Cheers,
> Sergio
>
> nummish wrote:
>> This is more of an IDA question, but before I go to openrce I figured
>> I'd check here first. I'm working on a variable traceback function. It
>> is simplistic and doesn't have delusions of grandeur, so when it sees
>> the stack pointer has changed, it bails. On going back through the
>> points where it bails (it conveniently adds a marked position until
>> all 1024 slots are full), I noticed something strange about the spd.
>>
>> At 0x0016A282, the stack offset is 0x4C and drops to 0x48 after the
>> call (technically rises, but let's not be pedantic), but then a later
>> call to msgSend at 0x0016A294 doesn't modify the stack
>> offset. Is this some IDA weirdness that's correctable/preventable?
>> Does IDA know something about some unnamed class's superview property?
>> If so, how can I get these same psychic powers?
>>
>> __text:0016A26A sub_16A26A proc near ; DATA XREF: __inst_meth:002A753C
>> __text:0016A26A
>> __text:0016A26A msgSend_recipient= dword ptr -48h
>> __text:0016A26A msgSend_selector= dword ptr -44h
>> __text:0016A26A var_40 = dword ptr -40h
>> __text:0016A26A var_3C = dword ptr -3Ch
>> __text:0016A26A var_2C = dword ptr -2Ch
>> __text:0016A26A var_28 = byte ptr -28h
>> __text:0016A26A var_1C = dword ptr -1Ch
>> __text:0016A26A var_C = dword ptr -0Ch
>> __text:0016A26A arg_0 = dword ptr 8
>> __text:0016A26A
>> __text:0016A26A 000 push ebp
>> __text:0016A26B 004 mov ebp, esp
>> __text:0016A26D 004 sub esp, 48h
>> __text:0016A270 04C mov eax, [ebp+arg_0]
>> __text:0016A273 04C mov edx, [eax+8]
>> __text:0016A276 04C mov eax, ds:off_2878C8
>> __text:0016A27B 04C mov [esp+48h+msgSend_recipient], edx
>> __text:0016A27E 04C mov [esp+48h+msgSend_selector], eax
>> __text:0016A282 04C call _objc_msgSend ; [[eax+8] superview]
>> __text:0016A287 048 mov edx, ds:off_2878C8
>> __text:0016A28D 048 mov [esp+44h+var_40], edx
>> __text:0016A291 048 mov [esp+44h+msgSend_selector], eax
>> __text:0016A294 048 call _objc_msgSend
>> __text:0016A299 048 mov edx, ds:off_28819C
>> __text:0016A29F 048 lea ecx, [ebp+var_28]
>> __text:0016A2A2 048 mov [esp+44h+msgSend_selector], ecx
>> __text:0016A2A5 048 mov [esp+44h+var_3C], edx
>> __text:0016A2A9 048 mov [esp+44h+var_40], eax
>> __text:0016A2AD 048 call _objc_msgSend_stret
>> __text:0016A2B2 048 mov eax, [ebp+var_1C]
>> __text:0016A2B5 048 mov [ebp+var_C], eax
>> __text:0016A2B8 048 movss xmm0, [ebp+var_C]
>> __text:0016A2BD 048 sub esp, 4
>> __text:0016A2C0 04C subss xmm0, ds:dword_26CAC0
>> __text:0016A2C8 04C movss [ebp+var_2C], xmm0
>> __text:0016A2CD 04C fld [ebp+var_2C]
>> __text:0016A2D0 04C leave
>> __text:0016A2D1 000 retn
>> __text:0016A2D1 sub_16A26A endp
>> _______________________________________________
>> XSO mailing list
>> XSO at 0x90.org
>> http://0x90.org/mailman/listinfo/xso
>
--
Sergio 'shadown' Alvarez
Security Researcher
===============================
email: shadown at gmail.com
gpg : F140 A2E4 1675 BDB6 9FE4
F53A 7969 7104 75CD B86E
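One way to check whether IDA's spd column is consistent with the instruction stream, as an added example that is not part of the thread above: recompute the stack pointer delta from the semantics of each instruction (push/pop, add/sub esp, leave, call) and diff it against the value IDA printed. The script below parses the listing quoted in the thread (re-joined onto single lines; the spd column is the three uppercase hex digits after the address, and that layout is an assumption about IDA's text export). It assumes the `_objc_msgSend` family is cdecl, i.e. the callee purges nothing; any call where IDA's column implies a purge anyway is exactly the spot to verify in a debugger, as the thread suggests.

```python
"""Recompute IDA's stack-pointer-delta (spd) column from instruction semantics
and report where IDA's value disagrees with what the instructions imply."""
import re

# Assumed IDA text-listing layout, one instruction per line:
#   <segment>:<8-hex address> <3-hex spd before the instruction> <mnemonic> [operands] [; comment]
# The spd column is uppercase hex, mnemonics are lowercase, so lines without the
# spd column (labels, var declarations, endp) never match. A leading '>>' quote
# prefix, as in a mailing-list reply, is tolerated.
_LINE = re.compile(
    r"^(?:>+\s*)?(?P<seg>\w+):(?P<addr>[0-9A-F]{8})\s+(?P<spd>[0-9A-F]{3})\s+"
    r"(?P<mn>[a-z_]+)\s*(?P<ops>[^;]*)"
)

# Listing from the thread, with the wrapped operand lines re-joined.
LISTING = """
__text:0016A26A sub_16A26A proc near ; DATA XREF: __inst_meth:002A753C
__text:0016A26A msgSend_recipient= dword ptr -48h
__text:0016A26A var_C = dword ptr -0Ch
__text:0016A26A 000 push ebp
__text:0016A26B 004 mov ebp, esp
__text:0016A26D 004 sub esp, 48h
__text:0016A270 04C mov eax, [ebp+arg_0]
__text:0016A273 04C mov edx, [eax+8]
__text:0016A276 04C mov eax, ds:off_2878C8
__text:0016A27B 04C mov [esp+48h+msgSend_recipient], edx
__text:0016A27E 04C mov [esp+48h+msgSend_selector], eax
__text:0016A282 04C call _objc_msgSend ; [[eax+8] superview]
__text:0016A287 048 mov edx, ds:off_2878C8
__text:0016A28D 048 mov [esp+44h+var_40], edx
__text:0016A291 048 mov [esp+44h+msgSend_selector], eax
__text:0016A294 048 call _objc_msgSend
__text:0016A299 048 mov edx, ds:off_28819C
__text:0016A29F 048 lea ecx, [ebp+var_28]
__text:0016A2A2 048 mov [esp+44h+msgSend_selector], ecx
__text:0016A2A5 048 mov [esp+44h+var_3C], edx
__text:0016A2A9 048 mov [esp+44h+var_40], eax
__text:0016A2AD 048 call _objc_msgSend_stret
__text:0016A2B2 048 mov eax, [ebp+var_1C]
__text:0016A2B5 048 mov [ebp+var_C], eax
__text:0016A2B8 048 movss xmm0, [ebp+var_C]
__text:0016A2BD 048 sub esp, 4
__text:0016A2C0 04C subss xmm0, ds:dword_26CAC0
__text:0016A2C8 04C movss [ebp+var_2C], xmm0
__text:0016A2CD 04C fld [ebp+var_2C]
__text:0016A2D0 04C leave
__text:0016A2D1 000 retn
__text:0016A2D1 sub_16A26A endp
"""


def parse_listing(text):
    """Return [(addr, ida_spd, mnemonic, [operands])] for each instruction line."""
    insns = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        ops = [o.strip() for o in m.group("ops").split(",") if o.strip()]
        insns.append((int(m.group("addr"), 16), int(m.group("spd"), 16), m.group("mn"), ops))
    return insns


def _imm(tok):
    """Parse an IDA-style immediate: '48h' -> 0x48, '4' -> 4."""
    tok = tok.strip().lower()
    return int(tok[:-1], 16) if tok.endswith("h") else int(tok, 10)


def sp_delta(mn, ops, spd, purge=0):
    """Change in spd (bytes the stack grows, positive) caused by executing this instruction.
    Assumes a standard 'push ebp; mov ebp, esp' frame, so 'leave' brings spd back to 0,
    and that the callee of a 'call' purges `purge` bytes (0 for cdecl)."""
    if mn == "push":
        return 4
    if mn == "pop":
        return -4
    if mn in ("sub", "add") and ops and ops[0] == "esp":
        n = _imm(ops[1])
        return n if mn == "sub" else -n
    if mn == "leave":
        return -spd
    if mn == "call":
        return -purge
    return 0  # mov, lea, fld, movss, ... do not touch esp


def check_spd(insns, purges=None):
    """Compare IDA's spd of each instruction with the value implied by its predecessor.
    Returns mismatches as (addr, mnemonic, ida_spd, ida_next_spd, expected_next_spd)."""
    purges = purges or {}
    mismatches = []
    for (addr, spd, mn, ops), (_, next_spd, _, _) in zip(insns, insns[1:]):
        purge = purges.get(ops[0], 0) if mn == "call" and ops else 0
        expected = spd + sp_delta(mn, ops, spd, purge)
        if expected != next_spd:
            mismatches.append((addr, mn, spd, next_spd, expected))
    return mismatches


def implied_purges(insns):
    """For each call, the purge (bytes) IDA's spd column attributes to the callee."""
    return [(addr, ops[0], spd - next_spd)
            for (addr, spd, mn, ops), (_, next_spd, _, _) in zip(insns, insns[1:])
            if mn == "call"]


if __name__ == "__main__":
    insns = parse_listing(LISTING)
    for addr, callee, purge in implied_purges(insns):
        print(f"{addr:08X} call {callee}: IDA implies callee purges {purge} bytes")
    for addr, mn, spd, nxt, exp in check_spd(insns):
        print(f"{addr:08X} {mn}: IDA next spd {nxt:03X}, instructions imply {exp:03X}")
```

Running it flags the single inconsistency in the listing: the call at 0016A282, where IDA's column drops from 04C to 048 even though nothing in the instruction stream (and nothing in a cdecl `_objc_msgSend`) accounts for it, while the later `sub esp, 4` at 0016A2BD brings the column back into line. A traceback function that bails on spd changes can use the same recomputation to tell a real stack adjustment from an analysis artefact before giving up.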