Based on the technique described here I'm setting ivars in object instances using the ivar_getOffset() method.
Now I have the case where the ivar is a NSString*:
NSString* _name;
UPDATE:
I was on the wrong track (can't use ivar_getOffset in this case), I should be using:
object_setIvar(target, _ivar, [stringValue copy]);
to assign object values to ivars.
My question remains: is this safe to do under ARC? Will the ivar's existing object be properly released by ARC?
I'm worried that ARC might not properly release whatever string the ivar was set to before the assignment. Though I doubt it, otherwise the compiler wouldn't let me like in the case of object_setInstanceVariable ("not available in automatic reference counting mode") - right?
Yes, doing this with ARC is legal, at least in Mac OS X 10.8.2
If you would disassemble libobjc, you would find this:
================ B E G I N O F P R O C E D U R E ================
; Basic Block Input Regs: rdx rsi rdi - Killed Regs: rbx rbp r15
_object_setIvar:
000000000000c1f5 55 push rbp ; XREF=0xc1e1
000000000000c1f6 4889E5 mov rbp, rsp
000000000000c1f9 4157 push r15
000000000000c1fb 4156 push r14
000000000000c1fd 4155 push r13
000000000000c1ff 4154 push r12
000000000000c201 53 push rbx
000000000000c202 4883EC18 sub rsp, 0x18
000000000000c206 488955C8 mov qword [ss:rbp-0x40+var_8], rdx
000000000000c20a 4889F3 mov rbx, rsi
000000000000c20d 4989FF mov r15, rdi
000000000000c210 4D85FF test r15, r15
000000000000c213 0F8449010000 je 0xc362
; Basic Block Input Regs: rbx - Killed Regs: <nothing>
000000000000c219 4885DB test rbx, rbx
000000000000c21c 0F8440010000 je 0xc362
; Basic Block Input Regs: r15 - Killed Regs: rax
000000000000c222 41F6C701 test r15L, 0x1
000000000000c226 4C89F8 mov rax, r15
000000000000c229 740F je 0xc23a
; Basic Block Input Regs: <nothing> - Killed Regs: rax
000000000000c22b 4883E00F and rax, 0xf
000000000000c22f 48C1E003 shl rax, 0x3
000000000000c233 4803057ECE1000 add rax, qword [ds:0x1190b8]
; Basic Block Input Regs: rax rbx - Killed Regs: rdx rbp rsi rdi r12
000000000000c23a 4C8B20 mov r12, qword [ds:rax] ; XREF=0xc229
000000000000c23d 48C745D000000000 mov qword [ss:rbp-0x40+var_16], 0x0
000000000000c245 4889DF mov rdi, rbx
000000000000c248 E805F5FFFF call _ivar_getName
000000000000c24d 488D55D0 lea rdx, qword [ss:rbp-0x40+var_16]
000000000000c251 4C89E7 mov rdi, r12
000000000000c254 4889C6 mov rsi, rax
000000000000c257 E8C9E7FFFF call __class_getVariable
000000000000c25c 4885C0 test rax, rax
000000000000c25f 7433 je 0xc294
; Basic Block Input Regs: <nothing> - Killed Regs: r14
000000000000c261 4C8D75D0 lea r14, qword [ss:rbp-0x40+var_16]
000000000000c265 EB1F jmp 0xc286
; Basic Block Input Regs: rax rbx r12 r14 - Killed Regs: rdx rbp rsi rdi
000000000000c267 E88EC3FFFF call __class_getSuperclass ; XREF=0xc292
000000000000c26c 488945D0 mov qword [ss:rbp-0x40+var_16], rax
000000000000c270 4889DF mov rdi, rbx
000000000000c273 E8DAF4FFFF call _ivar_getName
000000000000c278 4C89E7 mov rdi, r12
000000000000c27b 4889C6 mov rsi, rax
000000000000c27e 4C89F2 mov rdx, r14
000000000000c281 E89FE7FFFF call __class_getVariable
; Basic Block Input Regs: rax rbx - Killed Regs: <nothing>
000000000000c286 4839D8 cmp rax, rbx ; XREF=0xc265
000000000000c289 7409 je 0xc294
; Basic Block Input Regs: rbp - Killed Regs: rdi
000000000000c28b 488B7DD0 mov rdi, qword [ss:rbp-0x40+var_16]
000000000000c28f 4885FF test rdi, rdi
000000000000c292 75D3 jne 0xc267
; Basic Block Input Regs: rax rbx rbp - Killed Regs: rbx rdi r12 r13
000000000000c294 4C8B6DD0 mov r13, qword [ss:rbp-0x40+var_16] ; XREF=0xc25f, 0xc289
000000000000c298 4889DF mov rdi, rbx
000000000000c29b E8B3F2FFFF call _ivar_getOffset
000000000000c2a0 4889C3 mov rbx, rax
000000000000c2a3 4D8D241F lea r12, qword [ds:r15+rbx]
000000000000c2a7 4C89EF mov rdi, r13
000000000000c2aa E8B3F2FFFF call __class_usesAutomaticRetainRelease
000000000000c2af 84C0 test al, al
000000000000c2b1 746B je 0xc31e
; Basic Block Input Regs: rax r13 - Killed Regs: rdi r14
000000000000c2b3 4C89EF mov rdi, r13
000000000000c2b6 E840A00000 call __class_getInstanceStart
000000000000c2bb 4189C6 mov r14d, eax
000000000000c2be 4C89EF mov rdi, r13
000000000000c2c1 E80EA80000 call _class_getWeakIvarLayout
000000000000c2c6 4885C0 test rax, rax
000000000000c2c9 7423 je 0xc2ee
; Basic Block Input Regs: rax rbx r14 - Killed Regs: rcx rsi rdi
000000000000c2cb 4489F1 mov ecx, r14d
000000000000c2ce 4889DF mov rdi, rbx
000000000000c2d1 4829CF sub rdi, rcx
000000000000c2d4 4889C6 mov rsi, rax
000000000000c2d7 E8483C0000 call __ZL17is_scanned_offsetlPKh ; is_scanned_offset(long, unsigned char const*)
000000000000c2dc 84C0 test al, al
000000000000c2de 740E je 0xc2ee
; Basic Block Input Regs: rbp r12 - Killed Regs: rsi rdi
000000000000c2e0 4C89E7 mov rdi, r12
000000000000c2e3 488B75C8 mov rsi, qword [ss:rbp-0x40+var_8]
000000000000c2e7 E82B440100 call _objc_storeWeak
000000000000c2ec EB74 jmp 0xc362
; Basic Block Input Regs: rax r13 - Killed Regs: rdi
000000000000c2ee 4C89EF mov rdi, r13 ; XREF=0xc2c9, 0xc2de
000000000000c2f1 E8C5A70000 call _class_getIvarLayout
000000000000c2f6 4885C0 test rax, rax
000000000000c2f9 7423 je 0xc31e
; Basic Block Input Regs: rax rbx r14 - Killed Regs: rcx rsi rdi
000000000000c2fb 4489F1 mov ecx, r14d
000000000000c2fe 4889DF mov rdi, rbx
000000000000c301 4829CF sub rdi, rcx
000000000000c304 4889C6 mov rsi, rax
000000000000c307 E8183C0000 call __ZL17is_scanned_offsetlPKh ; is_scanned_offset(long, unsigned char const*)
000000000000c30c 84C0 test al, al
000000000000c30e 740E je 0xc31e
; Basic Block Input Regs: rbp r12 - Killed Regs: rsi rdi
000000000000c310 4C89E7 mov rdi, r12
000000000000c313 488B75C8 mov rsi, qword [ss:rbp-0x40+var_8]
000000000000c317 E8044C0100 call _objc_storeStrong
000000000000c31c EB44 jmp 0xc362
; Basic Block Input Regs: <nothing> - Killed Regs: <nothing>
000000000000c31e 803DEB49110000 cmp byte [ds:_UseGC], 0x0 ; XREF=0xc2b1, 0xc2f9, 0xc30e
000000000000c325 7428 je 0xc34f
; Basic Block Input Regs: rax r13 - Killed Regs: rdi
000000000000c327 4C89EF mov rdi, r13
000000000000c32a E8A5A70000 call _class_getWeakIvarLayout
000000000000c32f 4885C0 test rax, rax
000000000000c332 741B je 0xc34f
; Basic Block Input Regs: rax rbx - Killed Regs: rsi rdi
000000000000c334 4889DF mov rdi, rbx
000000000000c337 4889C6 mov rsi, rax
000000000000c33a E8E53B0000 call __ZL17is_scanned_offsetlPKh ; is_scanned_offset(long, unsigned char const*)
000000000000c33f 84C0 test al, al
000000000000c341 740C je 0xc34f
; Basic Block Input Regs: rbp r12 - Killed Regs: rsi rdi
000000000000c343 488B7DC8 mov rdi, qword [ss:rbp-0x40+var_8]
000000000000c347 4C89E6 mov rsi, r12
000000000000c34a E831230000 call _objc_assign_weak
; Basic Block Input Regs: rbx rbp r15 - Killed Regs: rax rdx rsi rdi
000000000000c34f 488D055AE51000 lea rax, qword [ds:_objc_assign_ivar_internal] ; XREF=0xc325, 0xc332, 0xc341
000000000000c356 488B7DC8 mov rdi, qword [ss:rbp-0x40+var_8]
000000000000c35a 4C89FE mov rsi, r15
000000000000c35d 4889DA mov rdx, rbx
000000000000c360 FF10 call qword [ds:rax]
; Basic Block Input Regs: <nothing> - Killed Regs: rbx rsp rbp r12 r13 r14 r15
000000000000c362 4883C418 add rsp, 0x18 ; XREF=0xc213, 0xc21c, 0xc2ec, 0xc31c
000000000000c366 5B pop rbx
Note the call of _class_usesAutomaticRetainRelease at 000000000000c2aa.
The implementation of this method is available at opensource.apple.com
The header comment to this functions is:
/***********************************************************************
* _class_usesAutomaticRetainRelease
* Returns YES if class was compiled with -fobjc-arc
**********************************************************************/
Which means this particular function of ObjC runtime is aware of ARC.
I don't know the answer, but I know how to determine the answer...
Create an ivar that points to an instance of a class of your own, like LC2DFoo. Put a breakpoint in -[LC2DFoo dealloc]. Create an instance of LC2DFoo and assign it to the ivar using the runtime method you describe. Next, set the same ivar to something else, like nil. Do you hit your breakpoint?
Related
I'm trying to execute a function in a VB6 app, I already know the instruction address and the format of the original code but when I execute it the app crashes.
It's probably wrong the way I'm executing it or there is something else missing.
This is the "original" function code:
Public Sub WriteLeftClick(ByVal x As Byte, ByVal y As Byte)
On Error GoTo WriteLeftClick_Err
With outgoingData
Call .WriteByte(ClientPacketID.LeftClick)
Call .WriteByte(x)
Call .WriteByte(y)
End With
Exit Sub
WriteLeftClick_Err:
Call RegistrarError(Err.number, Err.Description, "Protocol.WriteLeftClick", Erl)
Resume Next
End Sub
This is the decompiled version from the exe:
Private Sub Proc_98_29_793220(arg_C) '793220
loc_00793220: push ebp
loc_00793221: mov ebp, esp
loc_00793223: sub esp, 00000018h
loc_00793226: push 0042B2B6h ; __vbaExceptHandler
loc_0079322B: mov eax, fs:[00000000h]
loc_00793231: push eax
loc_00793232: mov fs:[00000000h], esp
loc_00793239: sub esp, 00000034h
loc_0079323C: push ebx
loc_0079323D: push esi
loc_0079323E: push edi
loc_0079323F: mov var_18, esp
loc_00793242: mov var_14, 00425FD8h
loc_00793249: xor edi, edi
loc_0079324B: mov var_10, edi
loc_0079324E: mov var_C, edi
loc_00793251: mov var_24, edi
loc_00793254: mov var_28, edi
loc_00793257: mov var_2C, edi
loc_0079325A: mov var_30, edi
loc_0079325D: mov var_4, 00000001h
loc_00793264: mov var_4, 00000002h
loc_0079326B: push 00000001h
loc_0079326D: call [00401134h] ; __vbaOnError
loc_00793273: mov var_4, 00000003h
loc_0079327A: mov eax, [007CE9C4h]
loc_0079327F: mov esi, [eax]
loc_00793281: mov ecx, 00000016h
loc_00793286: call [00401204h] ; __vbaI2I4
loc_0079328C: push eax
loc_0079328D: mov ecx, [007CE9C4h]
loc_00793293: push ecx
loc_00793294: call [esi+00000030h]
loc_00793297: fnclex
loc_00793299: cmp eax, edi
loc_0079329B: jge 007932B6h
loc_0079329D: push 00000030h
loc_0079329F: push 00484EA0h
loc_007932A4: mov edx, [007CE9C4h]
loc_007932AA: push edx
loc_007932AB: push eax
loc_007932AC: mov esi, [004010E0h] ; __vbaHresultCheckObj
loc_007932B2: call __vbaHresultCheckObj
loc_007932B4: jmp 007932BCh
loc_007932B6: mov esi, [004010E0h] ; __vbaHresultCheckObj
loc_007932BC: mov var_4, 00000004h
loc_007932C3: mov eax, [007CE9C4h]
loc_007932C8: mov ecx, [eax]
loc_007932CA: mov edx, arg_8
loc_007932CD: push edx
loc_007932CE: push eax
loc_007932CF: call [ecx+0000002Ch]
loc_007932D2: fnclex
loc_007932D4: cmp eax, edi
loc_007932D6: jge 007932E9h
loc_007932D8: push 0000002Ch
loc_007932DA: push 00484EA0h
loc_007932DF: mov ecx, [007CE9C4h]
loc_007932E5: push ecx
loc_007932E6: push eax
loc_007932E7: call __vbaHresultCheckObj
loc_007932E9: mov var_4, 00000005h
loc_007932F0: mov eax, [007CE9C4h]
loc_007932F5: mov edx, [eax]
loc_007932F7: mov ecx, arg_C
loc_007932FA: push ecx
loc_007932FB: push eax
loc_007932FC: call [edx+0000002Ch]
loc_007932FF: fnclex
loc_00793301: cmp eax, edi
loc_00793303: jge 00793316h
loc_00793305: push 0000002Ch
loc_00793307: push 00484EA0h
loc_0079330C: mov edx, [007CE9C4h]
loc_00793312: push edx
loc_00793313: push eax
loc_00793314: call __vbaHresultCheckObj
loc_00793316: mov var_4, 00000006h
loc_0079331D: mov eax, [007CE0ACh]
loc_00793322: add eax, 00000001h
loc_00793325: jo 007934A1h
loc_0079332B: mov [007CE0ACh], eax
loc_00793330: mov var_4, 00000007h
loc_00793337: mov ecx, [007CE9C4h]
loc_0079333D: mov edx, [ecx]
loc_0079333F: push eax
loc_00793340: push ecx
loc_00793341: call [edx+00000034h]
loc_00793344: fnclex
loc_00793346: cmp eax, edi
loc_00793348: jge 0079335Bh
loc_0079334A: push 00000034h
loc_0079334C: push 00484EA0h
loc_00793351: mov ecx, [007CE9C4h]
loc_00793357: push ecx
loc_00793358: push eax
loc_00793359: call __vbaHresultCheckObj
loc_0079335B: mov var_4, 00000008h
loc_00793362: mov edx, [007CE9C4h]
loc_00793368: push edx
loc_00793369: lea eax, var_28
loc_0079336C: push eax
loc_0079336D: call [00401148h] ; __vbaObjSetAddref
loc_00793373: push eax
loc_00793374: call 007B8560h
loc_00793379: lea ecx, var_28
loc_0079337C: call [00401438h] ; __vbaFreeObj
loc_00793382: call [00401118h] ; __vbaExitProc
loc_00793388: push 0079348Eh
loc_0079338D: jmp 0079348Dh
loc_00793392: mov var_4, 00000009h
loc_00793399: mov eax, [007CE9C4h]
loc_0079339E: mov ecx, [eax]
loc_007933A0: push eax
loc_007933A1: call [ecx+0000000Ch]
loc_007933A4: fnclex
loc_007933A6: test eax, eax
loc_007933A8: jge 007933BFh
loc_007933AA: push 0000000Ch
loc_007933AC: push 00484EA0h
loc_007933B1: mov edx, [007CE9C4h]
loc_007933B7: push edx
loc_007933B8: push eax
loc_007933B9: call [004010E0h] ; __vbaHresultCheckObj
loc_007933BF: mov var_4, 0000000Ah
loc_007933C6: mov edi, [00401370h] ; rtcErrObj
loc_007933CC: call edi
loc_007933CE: push eax
loc_007933CF: lea eax, var_28
loc_007933D2: push eax
loc_007933D3: mov ebx, [00401138h] ; __vbaObjSet
loc_007933D9: call ebx
loc_007933DB: mov esi, eax
loc_007933DD: mov ecx, [esi]
loc_007933DF: lea edx, var_30
loc_007933E2: push edx
loc_007933E3: push esi
loc_007933E4: call [ecx+0000001Ch]
loc_007933E7: fnclex
loc_007933E9: test eax, eax
loc_007933EB: jge 007933FCh
loc_007933ED: push 0000001Ch
loc_007933EF: push 00455DF4h
loc_007933F4: push esi
loc_007933F5: push eax
loc_007933F6: call [004010E0h] ; __vbaHresultCheckObj
loc_007933FC: call edi
loc_007933FE: push eax
loc_007933FF: lea eax, var_2C
loc_00793402: push eax
loc_00793403: call ebx
loc_00793405: mov esi, eax
loc_00793407: mov ecx, [esi]
loc_00793409: lea edx, var_24
loc_0079340C: push edx
loc_0079340D: push esi
loc_0079340E: call [ecx+0000002Ch]
loc_00793411: fnclex
loc_00793413: test eax, eax
loc_00793415: jge 00793426h
loc_00793417: push 0000002Ch
loc_00793419: push 00455DF4h
loc_0079341E: push esi
loc_0079341F: push eax
loc_00793420: call [004010E0h] ; __vbaHresultCheckObj
loc_00793426: call [004012A0h] ; rtcGetErl
loc_0079342C: mov ecx, eax
loc_0079342E: call [00401204h] ; __vbaI2I4
loc_00793434: push eax
loc_00793435: push 00486528h ; "Argentum20.Protocol_Writes.WriteLeftClick"
loc_0079343A: mov eax, var_24
loc_0079343D: push eax
loc_0079343E: mov ecx, var_30
loc_00793441: push ecx
loc_00793442: call 0066E230h
loc_00793447: lea ecx, var_24
loc_0079344A: call [00401434h] ; __vbaFreeStr
loc_00793450: lea edx, var_2C
loc_00793453: push edx
loc_00793454: lea eax, var_28
loc_00793457: push eax
loc_00793458: push 00000002h
loc_0079345A: call [00401098h] ; __vbaFreeObjList
loc_00793460: add esp, 0000000Ch
loc_00793463: call [00401118h] ; __vbaExitProc
loc_00793469: push 0079348Eh
loc_0079346E: jmp 0079348Dh
loc_00793470: lea ecx, var_24
loc_00793473: call [00401434h] ; __vbaFreeStr
loc_00793479: lea ecx, var_2C
loc_0079347C: push ecx
loc_0079347D: lea edx, var_28
loc_00793480: push edx
loc_00793481: push 00000002h
loc_00793483: call [00401098h] ; __vbaFreeObjList
loc_00793489: add esp, 0000000Ch
loc_0079348C: ret
loc_0079348D: ret
loc_0079348E: mov ecx, var_20
loc_00793491: mov fs:[00000000h], ecx
loc_00793498: pop edi
loc_00793499: pop esi
loc_0079349A: pop ebx
loc_0079349B: mov esp, ebp
loc_0079349D: pop ebp
loc_0079349E: retn 0008h
End Sub
And this is the code I'm using for my DLL:
#include <windows.h>
#include "Memory.h"
#include <sstream>
typedef void(__stdcall* myFunc)(byte, byte);
myFunc func;
DWORD WINAPI MainThread(LPVOID param) {
//func = (myFunc)(0x793220);
//typedef int func(byte x, byte y); // Creating an int function alias, replace (void) with your parameters
uintptr_t modBase = (uintptr_t)GetModuleHandle(NULL);
//func* f = (func*)reinterpret_cast<void*>(modBase + 0x393220);
func = (myFunc)(modBase + 0x393220);
HANDLE hPipe;
char buffer[1024];
DWORD dwRead;
/*int value = modBase + 0x393220;
std::stringstream stream;
stream << "Value is " << value;
MessageBoxA(NULL, stream.str().c_str(), "Test Msg", MB_OK | MB_ICONINFORMATION);*/
hPipe = CreateNamedPipe(TEXT("\\\\.\\pipe\\Pipe"),
PIPE_ACCESS_DUPLEX,
PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT, // FILE_FLAG_FIRST_PIPE_INSTANCE is not needed but forces CreateNamedPipe(..) to fail if the pipe already exists...
1,
1024 * 16,
1024 * 16,
NMPWAIT_USE_DEFAULT_WAIT,
NULL);
while (hPipe != INVALID_HANDLE_VALUE)
{
if (ConnectNamedPipe(hPipe, NULL) != FALSE) // wait for someone to connect to the pipe
{
while (ReadFile(hPipe, buffer, sizeof(buffer) - 1, &dwRead, NULL) != FALSE)
{
/* add terminating zero */
buffer[dwRead] = '\0';
/* do something with data in buffer */
//printf("%s", buffer);
func(55,55);
MessageBoxA(NULL, buffer, "Test Msg", MB_OK | MB_ICONINFORMATION);
}
}
DisconnectNamedPipe(hPipe);
}
FreeLibraryAndExitThread((HMODULE)param, 0);
return 0;
}
BOOL APIENTRY DllMain(HINSTANCE hInstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
MessageBoxA(NULL, "Hello From The Injected DLL", "Injected !", MB_OK | MB_ICONINFORMATION);
CreateThread(NULL, NULL, MainThread, hInstDLL, NULL, NULL);
break;
case DLL_THREAD_ATTACH:
MessageBoxA(NULL, "Hello From The Injected DLL", "Injected !", MB_OK | MB_ICONINFORMATION);
break;
case DLL_THREAD_DETACH:
MessageBoxA(NULL, "Hello Again From The Injected DLL", "Injected !", MB_OK | MB_ICONINFORMATION);
break;
case DLL_PROCESS_DETACH:
MessageBoxA(NULL, "Hello Again From The Injected DLL", "Injected !", MB_OK | MB_ICONINFORMATION);
break;
}
return TRUE;
}
So basically when it receives a message from the Pipe it should execute that function.
func* f = (func*)reinterpret_cast<void*>(0x793220);
f(55,55);
But when I execute it, the app crashes.
Any ideas?
Finally I got it working.
But I had to change completly the perspective.
Instead of injecting a C++ dll into the game, I created an injector that launches the game, creates a VB object using "CreateVBObjectInThread" and with that using a placeholder for the function and the real address of the pointer I could execute the function in the game and avoid the crash due to the "On error".
Both DLLs now are developed in VB6 as well.
Here's the code sample where I ran into the problem:
pub fn div(x: u32, y: u32) -> u32 {
x / y
}
pub fn safe_div(x: u32, y: std::num::NonZeroU32) -> u32 {
x / y.get() // an unchecked division expected
}
Godbolt's rustc 1.47.0 -O generates the same assembly for both functions:
example::div:
push rax
test esi, esi
je .LBB0_2
mov eax, edi
xor edx, edx
div esi
pop rcx
ret
.LBB0_2:
lea rdi, [rip + str.0]
lea rdx, [rip + .L__unnamed_1]
mov esi, 25
call qword ptr [rip + core::panicking::panic#GOTPCREL]
ud2
example::safe_div:
push rax
test esi, esi
je .LBB1_2
mov eax, edi
xor edx, edx
div esi
pop rcx
ret
.LBB1_2:
lea rdi, [rip + str.0]
lea rdx, [rip + .L__unnamed_2]
mov esi, 25
call qword ptr [rip + core::panicking::panic#GOTPCREL]
ud2
However, it is statically known that
checking NonZeroU32::get's result against zero is pointless.
Can I somehow make the optimizer believe it
(maybe with creating new structs for this) in an unsafeless way?
Related GitHub issue #49572
After I saw your question, I added the needed impls to std,
so now the nightly release (and the upcoming 1.51 stable release) supports this!
Godbolt for
pub fn div(x: u32, y: u32) -> u32 {
x / y
}
pub fn safe_div(x: u32, y: std::num::NonZeroU32) -> u32 {
x / y
}
pub fn safe_rem(x: u32, y: std::num::NonZeroU32) -> u32 {
x % y
}
Produces the expected assembly:
example::div:
push rax
test esi, esi
je .LBB0_2
mov eax, edi
xor edx, edx
div esi
pop rcx
ret
.LBB0_2:
lea rdi, [rip + str.0]
lea rdx, [rip + .L__unnamed_1]
mov esi, 25
call qword ptr [rip + core::panicking::panic#GOTPCREL]
ud2
example::safe_div:
mov eax, edi
xor edx, edx
div esi
ret
example::safe_rem:
mov eax, edi
xor edx, edx
div esi
mov eax, edx
ret
The following code presents QuickSort. I am trying to make it faster. Please help.
global sort
sort:
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 28
mov eax, dword [ebp+8]
mov esi, dword [ebp+12]
mov dword [ebp-32], 1
lea edi, [eax-1]
sal eax, 2
lea edx, [eax+18]
movss xmm1, dword [esi-4+eax]
mov dword [ebp-28], edi
and edx, -16
sub esp, edx
lea edx, [esp+3]
shr edx, 2
lea ebx, [0+edx*4]
mov dword [4+edx*4], edi
mov dword [0+edx*4], 0
xor edi, edi
mov dword [ebp-36], ebx
.L14:
mov eax, dword [ebp-28]
lea edx, [edi-1]
cmp eax, edi
lea ebx, [esi+eax*4]
jle .L15
lea eax, [esi+edi*4]
.L18:
movss xmm0, dword [eax]
comiss xmm1, xmm0
jb .L16
add edx, 1
lea ecx, [esi+edx*4]
movss xmm2, dword [ecx]
movss dword [ecx], xmm0
movss dword [eax], xmm2
.L16:
add eax, 4
cmp eax, ebx
jne .L18
movss xmm1, dword [ebx]
.L15:
lea eax, [esi+4+edx*4]
cmp edx, edi
movss xmm0, dword [eax]
movss dword [eax], xmm1
movss dword [ebx], xmm0
jg .L19
sub dword [ebp-32], 2
lea edi, [edx+2]
cmp edi, dword [ebp-28]
jl .L25
.L21:
mov eax, dword [ebp-32]
test eax, eax
js .L11
mov edi, dword [ebp-36]
lea eax, [edi+eax*4]
mov edi, dword [eax]
mov ecx, edi
mov dword [ebp-28], edi
mov edi, dword [eax-4]
movss xmm1, dword [esi+ecx*4]
jmp .L14
.L19:
mov edi, dword [ebp-32]
mov eax, dword [ebp-36]
mov dword [eax+edi*4], edx
lea edi, [edx+2]
cmp edi, dword [ebp-28]
jge .L21
.L25:
mov ebx, dword [ebp-32]
mov ecx, dword [ebp-36]
movaps xmm1, xmm0
lea eax, [ecx+ebx*4]
mov ecx, dword [ebp-28]
mov dword [eax+4], edi
mov dword [eax+8], ecx
mov eax, ebx
add eax, 2
mov dword [ebp-32], eax
jns .L14
.L11:
lea esp, [ebp-12]
pop ebx
pop esi
pop edi
pop ebp
ret
I am getting a crash in MMC code. The dump is pointing to p->QueryInterface(GetIID(), reinterpret_cast<void**>(&pInterface));
The disassembly shows as below,
//fill method is called.
BSecRem!std::fill<int *,int>:
5d931510 8b442404 mov eax,[esp+0x4]
5d931514 8b4c2408 mov ecx,[esp+0x8]
5d931518 3bc1 cmp eax,ecx
5d93151a 7411 jz BSecRem!std::fill<int *,int>+0x1d (5d93152d)
5d93151c 8b54240c mov edx,[esp+0xc]
5d931520 56 push esi
5d931521 8b32 mov esi,[edx]
5d931523 8930 mov [eax],esi
5d931525 83c004 add eax,0x4
5d931528 3bc1 cmp eax,ecx
5d93152a 75f5 jnz BSecRem!std::fill<int *,int>+0x11 (5d931521)
5d93152c 5e pop esi
5d93152d c3 ret
5d93152e cc int 3
5d93152f cc int 3
BSecRem!stdext::_Unchecked_move_backward<int *,int *>:
5d931530 8b442408 mov eax,[esp+0x8]
5d931534 8b542404 mov edx,[esp+0x4]
5d931538 2bc2 sub eax,edx
5d93153a c1f802 sar eax,0x2
5d93153d 56 push esi
5d93153e 8b742410 mov esi,[esp+0x10]
5d931542 8d0c8500000000 lea ecx,[00000000+eax*4]
5d931549 2bf1 sub esi,ecx
5d93154b 85c0 test eax,eax
5d93154d 7e0d jle BSecRem!stdext::_Unchecked_move_backward<int *,int *>+0x2c (5d93155c)
5d93154f 51 push ecx
5d931550 52 push edx
5d931551 51 push ecx
5d931552 56 push esi
5d931553 ff15e034a65d call dword ptr [BSecRem!_imp__memmove_s (5da634e0)]
5d931559 83c410 add esp,0x10
5d93155c 8bc6 mov eax,esi
5d93155e 5e pop esi
5d93155f c3 ret
BSecRem!_com_ptr_t<_com_IIID<PATENTTEMPOCXLib::_DPatentTempOCX,&_GUID_6042985e_c7cc_4286_b5c4_48a347173739> >::_QueryInterface<IUnknown *>:
5d931560 8b442404 mov eax,[esp+0x4]
5d931564 56 push esi
5d931565 8bf1 mov esi,ecx
5d931567 85c0 test eax,eax
5d931569 7439 jz instant.dll!_com_ptr_t<_com_IIID<PATENTTEMPOCXLib::_DPatentTempOCX,&_GUID_7072787e_ddeb_1223_9aab4_9aab4d923e31> >::_QueryInterface<IUnknown *>+0x44 (5d9315a4)
5d93156b 8b08 mov ecx,[eax]
5d93156d 53 push ebx
5d93156e 57 push edi
5d93156f 8d542410 lea edx,[esp+0x10]
5d931573 52 push edx
5d931574 68cc54a65d push 0x5da654cc
5d931579 50 push eax
5d93157a 8b01 mov eax,[ecx] ds:002b:0000000c=???????
The crash is seen frequently. Specially when I navigate from one interface to other interface of MMC.
Thanks in advance.
I am trying to figure out which method objc_msgSend() will call.
While looking at assembly of any function in Appkit or Cocoa or Any framework based on Objective-C framework, I always get stucked at objc_msgSend().
Does any one has any idea how to reach the actual function call from here?
I remember while browsing I have seen some open source code which was kind of Map for which function will be called based on selector (integer value). I guess it was from Apple (not sure). I am trying to find that link from almost 2 days, but cannot find it. If anyone who that link please share.
In following assembly, I am trying to solve this call
__text:001C6E46 call _objc_msgSend
It should be great, if some one can help me understand the complete procedure.
__text:001C6DC0 ; -[NSWindow _windowMovedToRect:]
__text:001C6DC0 __NSWindow__windowMovedToRect__ proc near ; DATA XREF: __inst_meth:00993418o
__text:001C6DC0
__text:001C6DC0 var_C = dword ptr -0Ch
__text:001C6DC0 arg_0 = dword ptr 8
__text:001C6DC0 arg_8 = dword ptr 10h
__text:001C6DC0 arg_C = dword ptr 14h
__text:001C6DC0 arg_10 = dword ptr 18h
__text:001C6DC0 arg_14 = dword ptr 1Ch
__text:001C6DC0
__text:001C6DC0 push ebp
__text:001C6DC1 mov ebp, esp
__text:001C6DC3 push esi
__text:001C6DC4 push ebx
__text:001C6DC5 sub esp, 30h
__text:001C6DC8 call $+5
__text:001C6DCD pop ebx
__text:001C6DCE mov esi, [ebp+arg_0]
__text:001C6DD1 lea eax, [ebp+var_C]
__text:001C6DD4 mov [esp], eax
__text:001C6DD7 call _PSbuttondown
__text:001C6DDC mov edx, [ebp+var_C]
__text:001C6DDF test edx, edx
__text:001C6DE1 jz short loc_1C6E1D
__text:001C6DE3 mov eax, [esi+80h]
__text:001C6DE9 or dword ptr [eax+0B8h], 1000000h
__text:001C6DF3 mov eax, [ebp+arg_8]
__text:001C6DF6 mov edx, [ebp+arg_C]
__text:001C6DF9 mov [esp+8], eax
__text:001C6DFD mov [esp+0Ch], edx
__text:001C6E01 mov eax, [esi+8]
__text:001C6E04 mov edx, [esi+0Ch]
__text:001C6E07 mov [esp], eax
__text:001C6E0A mov [esp+4], edx
__text:001C6E0E call _NSEqualPoints
__text:001C6E13 test al, al
__text:001C6E15 jnz loc_1C6ED6
__text:001C6E1B jmp short loc_1C6E50
__text:001C6E1D ; ---------------------------------------------------------------------------
__text:001C6E1D
__text:001C6E1D loc_1C6E1D: ; CODE XREF: -[NSWindow _windowMovedToRect:]+21j
__text:001C6E1D mov eax, [ebp+arg_8]
__text:001C6E20 mov [esp+8], eax
__text:001C6E24 mov eax, [ebp+arg_C]
__text:001C6E27 mov [esp+0Ch], eax
__text:001C6E2B mov eax, [ebp+arg_10]
__text:001C6E2E mov [esp+10h], eax
__text:001C6E32 mov eax, [ebp+arg_14]
__text:001C6E35 mov [esp+14h], eax
__text:001C6E39 mov eax, ds:(off_926DC8 - 1C6DCDh)[ebx]
__text:001C6E3F mov [esp+4], eax
__text:001C6E43 mov [esp], esi
__text:001C6E46 call _objc_msgSend
__text:001C6E4B jmp loc_1C6ED6
__text:001C6E50 ; ---------------------------------------------------------------------------
__text:001C6E50
__text:001C6E50 loc_1C6E50: ; CODE XREF: -[NSWindow _windowMovedToRect:]+5Bj
__text:001C6E50 mov eax, [ebp+arg_8]
__text:001C6E53 mov [esp+8], eax
__text:001C6E57 mov eax, [ebp+arg_C]
__text:001C6E5A mov [esp+0Ch], eax
__text:001C6E5E mov eax, [ebp+arg_10]
__text:001C6E61 mov [esp+10h], eax
__text:001C6E65 mov eax, [ebp+arg_14]
__text:001C6E68 mov [esp+14h], eax
__text:001C6E6C mov eax, ds:(off_91D198 - 1C6DCDh)[ebx]
__text:001C6E72 mov [esp+4], eax
__text:001C6E76 mov [esp], esi
__text:001C6E79 call _objc_msgSend
__text:001C6E7E mov eax, ds:(off_91A4B8 - 1C6DCDh)[ebx]
__text:001C6E84 mov [esp+4], eax
__text:001C6E88 mov eax, ds:(off_928EE8 - 1C6DCDh)[ebx]
__text:001C6E8E mov [esp], eax
__text:001C6E91 call _objc_msgSend
__text:001C6E96 mov [esp+0Ch], esi
__text:001C6E9A mov edx, ds:(_NSWindowDidMoveNotification_ptr - 1C6DCDh)[ebx]
__text:001C6EA0 mov edx, [edx]
__text:001C6EA2 mov [esp+8], edx
__text:001C6EA6 mov edx, ds:(off_91B0DC - 1C6DCDh)[ebx]
__text:001C6EAC mov [esp+4], edx
__text:001C6EB0 mov [esp], eax
__text:001C6EB3 call _objc_msgSend
__text:001C6EB8 mov eax, ds:(_NSAccessibilityMovedNotification_ptr - 1C6DCDh)[ebx]
__text:001C6EBE mov eax, [eax]
__text:001C6EC0 mov [esp+8], eax
__text:001C6EC4 mov eax, ds:(off_91B030 - 1C6DCDh)[ebx]
__text:001C6ECA mov [esp+4], eax
__text:001C6ECE mov [esp], esi
__text:001C6ED1 call _objc_msgSend
__text:001C6ED6
__text:001C6ED6 loc_1C6ED6: ; CODE XREF: -[NSWindow _windowMovedToRect:]+55j
__text:001C6ED6 ; -[NSWindow _windowMovedToRect:]+8Bj
__text:001C6ED6 add esp, 30h
__text:001C6ED9 pop ebx
__text:001C6EDA pop esi
__text:001C6EDB leave
__text:001C6EDC retn
__text:001C6EDC __NSWindow__windowMovedToRect__ endp
This site mentions a tool called otx that appears to decode the selector for you.