Hey Guys,
I've decided to post some code snippets that someone may find useful. Feel free to message me with questions/comments.
This function will determine if a given operand is a function argument.
//
// is_argument()
// [IN] ea - effective address of the instruction the user wants to examine
// [IN] operand - the operand number: 0 for the first operand, 1 for the second operand
//
// returns 1 if the operand is a stack argument, 0 if it is a local variable
// or not a stack variable at all
//
int is_argument(ea_t ea, int operand)
{
    func_t * func = get_func(ea);
    if (func == NULL)
        return 0;
    // local variables + saved regs + return address: frame offsets at or
    // above this sum lie in the caller's frame, i.e. they are arguments
    asize_t size = func->frsize + func->frregs + get_frame_retsize(func);
    // BADADDR means the operand does not reference a stack variable
    ea_t offset = calc_stkvar_struc_offset(func, ea, operand);
    if (offset == BADADDR)
        return 0;
    return offset >= size ? 1 : 0;
}
This function will return the number of arguments in a given function. It takes ea, which is any address within the function you want to know about.
//
// get_number_of_arguments()
// [IN] ea - an address within the function the user wants the argument count performed on
//
// returns number of arguments, or 0 if there are no arguments (or no frame)
//
int get_number_of_arguments(ea_t ea)
{
    func_t * func = get_func( ea );
    if (func == NULL)
        return 0;
    struc_t * struc = get_frame(func);
    if (struc == NULL)
        return 0;
    int num_args = 0;
    // local variables + saved registers + return address
    asize_t size = func->frsize + func->frregs + get_frame_retsize(func);
    // Frame members are sorted by offset. A member whose start offset is at or
    // above 'size' sits in the caller's frame and is an argument. Comparing the
    // real offset (rather than an accumulated size) keeps unnamed gaps from
    // shifting the count and never counts the " r" return-address member.
    // memqty is a count, so the loop runs i < memqty, not i <= memqty.
    for (int i = 0; i < struc->memqty; i++)
    {
        if (struc->members[i].soff >= size)
            num_args++;
    }
    return num_args;
}
This is my favorite code snippet: this function will dump the size of each variable and its name. It *could* be modified to calculate the distance between a buffer and r (the return address). I have used it to do some rough auditing and calculating before; it's not an exact science, but IDA does an OK job building the stack.
//
// dump_stack_sizes()
// [IN] ea - an address within the function the user wants the dump performed on
//
// returns nothing
//
void dump_stack_sizes(ea_t ea)
{
    func_t * func = get_func( ea );
    if (func == NULL)
        return;
    struc_t * struc = get_frame(func);
    if (struc == NULL)
        return;
    ea_t startOffset;
    ea_t endOffset;
    int var_size;
    char * name;
    // memqty is a count: iterate i < memqty, not i <= memqty
    for (int i = 0; i < struc->memqty; i++)
    {
        startOffset = struc->members[i].soff;
        // The size is measured to the start of the next member, so any
        // undefined bytes between two variables are attributed to the lower
        // one. The last member (normally the top argument) uses its own end.
        if (i == struc->memqty - 1)
            endOffset = struc->members[i].eoff;
        else
            endOffset = struc->members[i + 1].soff;
        var_size = (int)(endOffset - startOffset);
        name = get_member_name(struc->members[i].id);
        // frame offset, name and size; " s" and " r" are IDA's saved-regs and
        // return-address pseudo members, so the offset column gives the
        // distance from any buffer to r directly
        msg("%a: %s[%d]\n", startOffset, name == NULL ? "(unnamed)" : name, var_size);
    }
}
Let me know if you have problems with these snippets or if you are interested in seeing more code snippets.
Also remember that if you have a question that doesn't get answered at the datarescue forums, you can always ask here. I think there are some different demographics between the two forums, and you might get someone here who doesn't check the datarescue forums.
Later,
Peter~
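Added example (not part of Peter's post, and not IDA SDK code): a stand-alone C++ model of the frame arithmetic the three snippets above depend on, so the layout can be checked without IDA. The struct fields are named after the SDK fields they stand in for (func_t::frsize, func_t::frregs, get_frame_retsize(), member_t::soff/eoff), but nothing here links against the SDK. The frame in sample_frame() is constructed by hand, and the function names, including distance_to_return_address(), are assumptions chosen to illustrate the "distance between a buffer and r" calculation the post mentions.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Stand-alone model of how IDA lays out a function's frame structure.
// Field names mirror the SDK (func_t::frsize, func_t::frregs,
// get_frame_retsize(), member_t::soff/eoff) but this does not link against
// the SDK; the frame at the bottom is constructed by hand for illustration.
struct FrameMember {
    std::string name;
    uint32_t soff;   // start offset inside the frame structure
    uint32_t eoff;   // end offset (exclusive)
};

struct Frame {
    uint32_t frsize;   // bytes of local variables  (func_t::frsize)
    uint32_t frregs;   // bytes of saved registers  (func_t::frregs)
    uint32_t retsize;  // bytes of return address   (get_frame_retsize)
    std::vector<FrameMember> members;  // sorted by soff, like struc_t::members

    // Frame layout, lowest offset first: locals | saved regs | return | args.
    uint32_t ret_off()   const { return frsize + frregs; }            // IDA's " r"
    uint32_t args_base() const { return frsize + frregs + retsize; }  // first arg
};

// An offset at or above args_base belongs to the caller: it is an argument.
bool is_argument(const Frame &f, uint32_t member_off) {
    return member_off >= f.args_base();
}

// Count argument members. The " s" and " r" pseudo-members sit below
// args_base, so comparing soff (not an accumulated size) never counts them.
int get_number_of_arguments(const Frame &f) {
    int n = 0;
    for (const FrameMember &m : f.members)
        if (is_argument(f, m.soff)) ++n;
    return n;
}

// Each member's size measured to the start of the next member, the way the
// post's dump_stack_sizes() does it, so unnamed gaps are charged to the
// variable below them. The last member uses its own end offset.
std::vector<std::pair<std::string, long>> dump_stack_sizes(const Frame &f) {
    std::vector<std::pair<std::string, long>> out;
    for (size_t i = 0; i < f.members.size(); ++i) {
        uint32_t end = (i + 1 == f.members.size()) ? f.members[i].eoff
                                                   : f.members[i + 1].soff;
        out.push_back({f.members[i].name, (long)end - (long)f.members[i].soff});
    }
    return out;
}

// Bytes a write starting at a local must run before it reaches the saved
// return address. Returns -1 for anything at or above " r" (saved regs,
// the return slot itself, arguments) and for unknown names.
long distance_to_return_address(const Frame &f, const std::string &name) {
    for (const FrameMember &m : f.members) {
        if (m.name != name) continue;
        if (m.soff >= f.ret_off()) return -1;
        return (long)f.ret_off() - (long)m.soff;
    }
    return -1;  // no such member
}

// Constructed sample: a 32-bit function with a 64-byte buffer at the bottom
// of the frame, 4 undefined bytes, an int, saved ebp, the return address and
// two dword arguments. Offsets are what IDA's frame view would show.
Frame sample_frame() {
    Frame f;
    f.frsize  = 0x48;
    f.frregs  = 4;
    f.retsize = 4;
    f.members = {
        {"buf",     0x00, 0x40},
        {"counter", 0x44, 0x48},  // bytes 0x40..0x43 are undefined
        {" s",      0x48, 0x4C},  // saved registers
        {" r",      0x4C, 0x50},  // return address
        {"arg_0",   0x50, 0x54},
        {"arg_4",   0x54, 0x58},
    };
    return f;
}

int main() {
    Frame f = sample_frame();
    std::printf("arguments: %d\n", get_number_of_arguments(f));
    for (const auto &e : dump_stack_sizes(f))
        std::printf("%-8s[%ld]\n", e.first.c_str(), e.second);
    std::printf("buf -> return address: %ld bytes\n",
                distance_to_return_address(f, "buf"));
    return 0;
}
```

On the sample frame the argument count is 2, buf is reported as 0x44 bytes because the undefined gap above it is charged to it, and an overflow starting at buf needs 0x4C bytes to reach the return address. In a real plugin the same arithmetic applies with func->frsize, func->frregs, get_frame_retsize(func) and the frame struct's members.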