.This has been driving me insane (pun intended)....
This is my first experience reversing a C++ app, so forgive me if I am asking something completely obvious.
B63EC324 arg_0= dword ptr 8
B63EC324
B63EC324 000 push ebp
B63EC325 004 mov ebp, esp
B63EC327 004 push esi
B63EC328 008 push ebx
B63EC329 00C call $+5 ; calls ahead 5 bytes
B63EC32E 010 pop ebx ; pops the current instruction pointer off the stack (points to itself)
B63EC32F 00C add ebx, 0B0686h
B63EC335 00C mov eax, [ebp+arg_0]
B63EC338 00C cmp dword ptr [eax+4], 0
B63EC33C 00C jnz short loc_B63EC372
the value of ebx, after being incremented, seems to be pointing to a table of function pointers. My initial thought is that its to the vtable, now to where I'm confused:
B63EC372 loc_B63EC372:
B63EC372 00C sub esp, 0Ch
B63EC375 018 mov eax, [ebp+arg_0]
B63EC378 018 mov eax, [eax+4]
B63EC37B 018 mov edx, [eax]
B63EC37D 018 add edx, 14h
B63EC380 018 mov eax, [ebp+arg_0]
B63EC383 018 push dword ptr [eax+4]
B63EC386 01C mov eax, [edx]
B63EC388 01C call eax
My definition of the this pointer may be wrong, but my assumption is that arg_0 is the this pointer and ebx is the vtable. Where I'm confused is when we get down to the second chunk, we've got several pointers being juggled, ebp+8 -> eax+4 -> eax -> edx -> eax (called). My initial understanding of the this pointer is that it points to the constructed objects, but the constructors are never called. So, what could eax be a pointer to? Is it just a pointer being passed as a parameter or am I completely missing something? Normally I'd try debugging it to find the address and see whats being passed into eax, but the pointer being called is null (this is a null pointer deref vulnerability I found a while ago).
I know this should be obvious, but I haven't found a lot of resources for reversing C++ and I thought I'd ask since its been driving me crazy.
Any help would be greatly appreciated.
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}