0x90.org

[XSO] Argument naming

nummish nummish at 0x90.org
Thu Apr 10 13:14:35 EDT 2008

On Thu, Apr 10, 2008 at 12:23 AM, itsme <itsme at xs4all.nl> wrote:
> nummish wrote:
>  >
>  > mov     [esp+3C218h+var_3C214], arg2
>  > mov     [esp+3C218h+var_3C218], arg1
>  > call    function
>  >
>  > I'm sure you've seen this all over the place, as this is how
>  this construction is quite common in ARM binaries. What I do there is
>  rename the top stack vars to arg4, arg5, arg6, etc. (with ARM, R0..R3 are
>  always the first 4 parameters).
>
>  Register argument passing is also used quite often with Objective-C code.
>  Hex-Rays will discover this automatically.

That's cool. I was curious how ARM looked; I haven't had a chance to
go over any iPhone binaries yet.

>  > What ended up happening is that in some functions the
>  > stack offset changed part way through the function, causing the names
>  > to be off about half the time.
>
>  A better solution would be to fix the SP difference (Alt-K) on the
>  function calls which IDA missed that change the ESP value. Usually these
>  are calls to a function ptr (for instance virtual method calls) where the
>  called function ends with 'retn <number>'.

What about when the stack offset changes legitimately? It happens all
over the place in Mail.app. Having a script flying around and changing
the offset all over the place so variable names match up seems like a
bad idea. In this case, my original code was:

   # IDAPython, old idc API: name the first two members of the stack frame
   # of the function under the cursor
   from idc import *

   function_addr = ScreenEA()

   frm = GetFrame(function_addr)        # struct id of the function's frame
   firstM = GetFirstMember(frm)         # offset of the frame's first member

   # assumes 4-byte argument slots starting at the first frame member
   SetMemberName(frm, firstM, "msgSend_recipient")
   SetMemberName(frm, firstM+4, "msgSend_selector")

Which I think is similar to what you were suggesting at the top. This
didn't hold up very well for Objective-C-only binaries. Also, I've been
looking at some Carbon apps too, which make my naming choice pretty
poor if it's going to cover the whole function.

>  > note: GetSpd() gives you the stack offset. It's not easy to google for
>  > if you didn't know that offhand.
>  Google? Why not search path-to-ida\idc\idc.idc?
>
>  That is where it is documented.

As "delta". If you're thinking "offset" or "difference" and trying to
do a quick search instead of reading the whole file, it won't come up.
But that's probably just laziness on my part to actually read the docs.
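An added illustration of the mismatch described in this exchange (example code, not anything posted in the thread): a small Python model of the two naming strategies. Naming a frame slot once, as the SetMemberName() script does, is only right while the SP delta at each call site equals the delta the name was chosen for; naming each store relative to the delta at the call it feeds stays right across a push. The `spd` column stands in for what GetSpd(ea) returns in IDA (the SP delta, relative to function entry, in effect before the instruction); the addresses, deltas, operands and names are all constructed for the example, and the second call site's `push` is the kind of mid-function delta change being discussed.

```python
"""Model of the two argument-naming strategies from the thread.

Constructed example, not code from the original post. The spd values play the
role of idc.GetSpd(ea) in IDA: the stack-pointer delta relative to the value
at function entry, as it stands *before* the instruction at ea. Addresses,
deltas and names are made up for illustration."""

ARG_SIZE = 4  # 32-bit x86: outgoing arguments live in 4-byte stack slots

# Constructed instruction trace: (ea, spd, kind, disp)
#   "store" = mov [esp+disp], value   "call" = consumes the stores since the
#   previous call   "push" = moves ESP down by 4 for every following instruction
TRACE = [
    (0x1000, -0x3C218, "store", 4),     # mov [esp+3C218h+var_3C214], selector
    (0x1004, -0x3C218, "store", 0),     # mov [esp+3C218h+var_3C218], receiver
    (0x1008, -0x3C218, "call",  None),  # call _objc_msgSend
    (0x100D, -0x3C218, "push",  None),  # push ebx -> delta is -0x3C21C from here on
    (0x100E, -0x3C21C, "store", 4),     # mov [esp+3C21Ch+var_3C218], selector
    (0x1012, -0x3C21C, "store", 0),     # mov [esp+3C21Ch+var_3C21C], receiver
    (0x1016, -0x3C21C, "call",  None),  # call _objc_msgSend
]

# Names assigned once to frame slots, the way the SetMemberName() script does it
FIXED_NAMES = {-0x3C218: "msgSend_recipient", -0x3C214: "msgSend_selector"}


def frame_offset(spd, disp):
    """Frame offset (relative to ESP at entry) of the slot [esp+disp] touches.
    This is the number IDA shows as var_XXX for that operand."""
    return spd + disp


def outgoing_arg_slot(spd_store, disp, spd_call):
    """Outgoing-argument slot written by a store made at delta spd_store, as seen
    by a call made at delta spd_call. None if the slot is below the call's ESP
    or not slot-aligned (i.e. the store is not an argument of that call)."""
    rel = frame_offset(spd_store, disp) - spd_call
    if rel < 0 or rel % ARG_SIZE:
        return None
    return rel // ARG_SIZE


def name_by_frame_slot(trace, names):
    """Strategy 1: look each store's frame slot up in a one-time naming table."""
    return {ea: names.get(frame_offset(spd, disp))
            for ea, spd, kind, disp in trace if kind == "store"}


def name_by_call_delta(trace):
    """Strategy 2: name each store relative to the SP delta at the call it feeds."""
    result, pending = {}, []
    for ea, spd, kind, disp in trace:
        if kind == "store":
            pending.append((ea, spd, disp))
        elif kind == "call":
            for sea, sspd, sdisp in pending:
                slot = outgoing_arg_slot(sspd, sdisp, spd)
                result[sea] = None if slot is None else "arg%d" % (slot + 1)
            pending = []
    return result


def mismatched_stores(trace, names, slot_names):
    """Store addresses where the one-time frame-slot name disagrees with the
    call-relative slot. slot_names[i] is the intended name of argument i."""
    fixed = name_by_frame_slot(trace, names)
    bad = []
    for ea, label in name_by_call_delta(trace).items():
        slot = int(label[3:]) - 1 if label else None
        expected = slot_names[slot] if slot is not None and slot < len(slot_names) else None
        if fixed[ea] != expected:
            bad.append(ea)
    return sorted(bad)


if __name__ == "__main__":
    intended = ("msgSend_recipient", "msgSend_selector")
    for ea in mismatched_stores(TRACE, FIXED_NAMES, intended):
        print("0x%X: frame-slot name %r, call-relative %s"
              % (ea, name_by_frame_slot(TRACE, FIXED_NAMES)[ea],
                 name_by_call_delta(TRACE)[ea]))
```

In the constructed trace the first call site is named correctly by both strategies; after the `push` the frame slot var_3C218 holds the second argument of the next call, so the fixed name "msgSend_recipient" is wrong there and the receiver's slot, var_3C21C, has no name at all. A script that wants per-call-site names therefore has to read the delta at each store (GetSpd) and the delta at the call it feeds, rather than label frame members once; the Alt-K fix from the quoted reply matters because a wrong delta after an unrecognised `retn <n>` feeds wrong values into exactly that computation.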
