Just out of interest, why are you reversing Mail.app anyway, it's just a
thin wrapper around a bunch of open source libraries.
Seems like there's plenty of bugs in libraries used by Mail.app that are
easy to find / exploit without any reverse engineering.
Just a thought ;O
On Thu, Apr 10, 2008 at 04:25:27PM -0500, nummish wrote:
> On Thu, Apr 10, 2008 at 3:02 PM, itsme <itsme at xs4all.nl> wrote:
> > nummish wrote:
> > > .. I wonder if it's because this is a stret call, or if it's just a
> > > bad example. I'll take a look for a better example later tonight.
> > >
> >
> > yes, _objc_msgSend_stret is an assembler function from the objective-C
> > runtime
> > source code can be found here: http://www.opensource.apple.com/darwinsource/
> > look for 'objc4-XXX.tar.gz'
> >
> > that is a bit of a strange function, you can't really declare something like
> > that in C.
> >
> > looking at the assembler source, it ends with 'retn 4', and takes a
> > variable nr of arguments.
> >
> Ok, I'm not crazy.. here's a function that uses only standard msgSend
> and no advanced ones that have different return types
>
> ToDoBackgroundView.setToDo:
>
> __text:000B4ADF setToDo_ proc near ; DATA XREF: __inst_meth:002AE568o
> __text:000B4ADF
> __text:000B4ADF msgSend_recipient= dword ptr -48h
> __text:000B4ADF msgSend_selector= dword ptr -44h
> __text:000B4ADF var_40 = dword ptr -40h
> ...
> __text:000B4ADF arg_0 = dword ptr 8
> __text:000B4ADF arg_4 = dword ptr 0Ch
> __text:000B4ADF arg_8 = dword ptr 10h
> ...
> __text:000B4ADF 000 push ebp
> __text:000B4AE0 004 mov ebp, esp
> __text:000B4AE2 004 push edi
> __text:000B4AE3 008 push esi
> __text:000B4AE4 00C push ebx
> __text:000B4AE5 010 sub esp, 3Ch
> __text:000B4AE8 04C mov edi, [ebp+arg_0]
> __text:000B4AEB 04C mov eax, [ebp+arg_8]
> __text:000B4AEE 04C mov [ebp+var_1C], eax
> ...
> __text:000B4BDE 04C mov [esp+48h+msgSend_recipient], eax
> __text:000B4BE1 04C call _objc_msgSend
> __text:000B4BE6 048 mov [esp+44h+var_3C], eax
> __text:000B4BEA 048 mov eax, ds:off_28CF4C
> __text:000B4BEF 048 mov [esp+44h+msgSend_selector], ebx
> __text:000B4BF2 048 mov [esp+44h+var_40], eax
> __text:000B4BF6 048 call _objc_msgSend
> __text:000B4BFB 048 mov eax, ds:off_28DB68
> __text:000B4C00 048 mov ebx, [edi+0B8h]
> __text:000B4C06 048 mov [esp+44h+var_40], eax ; [ESP+4]
> __text:000B4C0A 048 mov eax, [ebp+var_1C]
> __text:000B4C0D 048 mov [esp+44h+msgSend_selector], eax ; [ESP]
> __text:000B4C10 048 call _objc_msgSend ; a = [[ebp+var_1C] priorityEnabled]
> ...
> __text:000B4CE6 048 mov [ebp+arg_8], eax; should be an int
> __text:000B4CE9 048 mov eax, ds:off_289854; selectItemAtIndex:
> __text:000B4CEE 048 mov [ebp+arg_0], ebx
> __text:000B4CF1 048 mov [ebp+arg_4], eax
> __text:000B4CF4 048 add esp, 3Ch
> __text:000B4CF7 00C pop ebx
> __text:000B4CF8 008 pop esi
> __text:000B4CF9 004 pop edi
> __text:000B4CFA 000 leave
> __text:000B4CFB 000 jmp _objc_msgSend
> __text:000B4CFB setToDo_ endp
>
> There's a few interesting notes about this now that I'm looking at it
> though. The SP has already been zeroed by the time it hits the leave call,
> which should be popping from the stack. I guess I'm back to my
> question from the other day about how this can happen or at least be
> detected automatically.
>
> The other interesting part is the jmp to the last msgSend which will
> return to the caller of this function. I've seen this some, my guess
> is that it's indicating something along the lines of
>
> return [ebx selectItemAtIndex:x];
> _______________________________________________
> XSO mailing list
> XSO at 0x90.org
> http://0x90.org/mailman/listinfo/xso
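As an added example (not part of the thread and not anyone's posted code), here is a small Python script that answers the "can this be detected automatically" question for listings of the kind quoted above. It parses IDA-style lines (address, tracked-SP column, mnemonic, operands), flags a `jmp` to a named symbol reached at tracked SP 0 right after the epilogue as a tail call (the `return [ebx selectItemAtIndex:x]` case), and flags `call` instructions across which IDA's SP column changes, which means the analyzer assumed the callee pops arguments with a `ret N`, the kind of assumption that makes the column reach 000 earlier than the function's own `add esp`/`pop` sequence accounts for. The embedded listing is constructed: it is a trimmed copy of the quoted `setToDo:` excerpt, and the regex, dataclass and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in IDA listing format, trimmed from the setToDo: excerpt
# quoted in the thread. proc/endp/stack-variable lines have no SP column.
SAMPLE_LISTING = """\
__text:000B4ADF setToDo_ proc near
__text:000B4ADF arg_0 = dword ptr 8
__text:000B4ADF 000 push ebp
__text:000B4AE0 004 mov ebp, esp
__text:000B4AE2 004 push edi
__text:000B4AE3 008 push esi
__text:000B4AE4 00C push ebx
__text:000B4AE5 010 sub esp, 3Ch
__text:000B4BE1 04C call _objc_msgSend
__text:000B4BE6 048 mov [esp+44h+var_3C], eax
__text:000B4BF6 048 call _objc_msgSend
__text:000B4BFB 048 mov eax, ds:off_28DB68
__text:000B4CF4 048 add esp, 3Ch
__text:000B4CF7 00C pop ebx
__text:000B4CF8 008 pop esi
__text:000B4CF9 004 pop edi
__text:000B4CFA 000 leave
__text:000B4CFB 000 jmp _objc_msgSend
__text:000B4CFB setToDo_ endp
"""

# address, 3-hex-digit tracked SP column, mnemonic, optional operands
LINE_RE = re.compile(
    r"^__text:(?P<addr>[0-9A-Fa-f]+)\s+(?P<sp>[0-9A-Fa-f]{3})\s+"
    r"(?P<mnem>\w+)(?:\s+(?P<ops>.*?))?\s*$"
)


@dataclass
class Instr:
    addr: int
    sp: int     # IDA's tracked stack depth *before* this instruction executes
    mnem: str
    ops: str


def parse_listing(text: str) -> List[Instr]:
    """Keep instruction lines only; lines without an SP column are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ops = (m.group("ops") or "").split(";")[0].strip()  # drop trailing comment
        out.append(Instr(int(m.group("addr"), 16), int(m.group("sp"), 16),
                         m.group("mnem").lower(), ops))
    return out


def find_tail_calls(instrs: List[Instr]) -> List[Instr]:
    """A jmp to a named symbol at tracked SP 0, directly after a leave/pop
    epilogue, is a tail call: the target's ret returns to this function's caller."""
    found = []
    for i, ins in enumerate(instrs):
        if ins.mnem != "jmp" or not ins.ops.startswith("_"):
            continue
        prev = instrs[i - 1] if i > 0 else None
        after_epilogue = prev is not None and prev.mnem in ("leave", "pop")
        if ins.sp == 0 and after_epilogue:
            found.append(ins)
    return found


def find_callee_adjusted_calls(instrs: List[Instr]) -> List[Tuple[Instr, int]]:
    """Calls where the tracked SP differs between the call and the next
    instruction: IDA assumed the callee purges stack bytes (ret N)."""
    found = []
    for cur, nxt in zip(instrs, instrs[1:]):
        if cur.mnem == "call" and nxt.sp != cur.sp:
            found.append((cur, nxt.sp - cur.sp))
    return found


def report(text: str) -> List[str]:
    """Human-readable findings for one function listing."""
    instrs = parse_listing(text)
    lines = []
    for ins in find_tail_calls(instrs):
        lines.append(f"{ins.addr:08X}: tail call via jmp {ins.ops} "
                     f"(ret of {ins.ops} returns to our caller)")
    for ins, delta in find_callee_adjusted_calls(instrs):
        lines.append(f"{ins.addr:08X}: call {ins.ops} changes tracked SP by "
                     f"{delta:+d}; check whether the callee really does ret N")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LISTING):
        print(line)
```

Running it on the sample reports the `jmp _objc_msgSend` at 000B4CFB as a tail call and the first `call _objc_msgSend` at 000B4BE1 as one across which the tracked SP drops by 4, while the second call leaves it unchanged; that inconsistency between two calls to the same symbol is exactly where to start when the SP column reaches 000 before the function's own epilogue explains it.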