Question about reversing C++ calls menu

  1. #1
    GliderPro (Member)

    Question about reversing C++ calls

    I'm trying to figure out the following bit of code.

    Code:
    sub_xxxx proc near
    mov     edx, dword_xxxx
    mov     eax, ds:Foo     ; <<  symbol exported from DLL that points to object
    mov     eax, [eax]
    mov     ecx, [eax]
    push    edi
    push    edx
    push    0Dh
    push    eax
    mov     eax, [ecx+14h]
    call    eax
    test    al, al
    jnz     short loc_xxxx

    Based on this code I've created the following class definition.

    Code:
    class Foo
    {
    public:
      virtual void func00() = 0;
      virtual void func04() = 0;
      virtual void func08() = 0;
      virtual void func0C() = 0;
      virtual void func10() = 0;
      virtual void __cdecl func14(int val) = 0;
    };

    I call this function using this code.

    Code:
    Foo **pFoo = (Foo**)mImports[192];
    
      (*pFoo)->func14(13);

    This results in the following code from the compiler.

    Code:
      (*pFoo)->func14(13);
    00414777  mov         esi,esp 
    00414779  push        0Dh  
    0041477B  mov         eax,dword ptr [pFoo] 
    0041477E  mov         ecx,dword ptr [eax] 
    00414780  mov         edx,dword ptr [pFoo] 
    00414783  mov         eax,dword ptr [edx] 
    00414785  mov         ecx,dword ptr [ecx] 
    00414787  push        eax  
    00414788  mov         edx,dword ptr [ecx+14h] 
    0041478B  call        edx  
    0041478D  add         esp,8 
    00414790  cmp         esi,esp 
    00414792  call        @ILT+4925(__RTC_CheckEsp) (412342h)

    This results in the following runtime error: "Run-Time Check Failure #0 - The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention."

    I verified that my code calls the same function as the client and the function looks like it was executed based on the log output. I'm guessing that I just messed up the function definition. I'm not well versed on the different calling conventions. Would one of you RE gurus kindly point out what I did wrong?

    Thanks

  2. #2
    lanman92 (Active Member)
    It looks like the function you're calling is stdcall. You're using cdecl, which is caller cleanup. Try stdcall.

  3. #3
    GliderPro (Member)
    Tried it and I still get the error. Below is the prolog and epilog of the function I'm calling. The function is returning so the stack is not being corrupted. Should I just turn off runtime stack checking and not worry about it?

    Code:
    arg_0= dword ptr  8
    arg_4= word ptr  0Ch
    arg_8= dword ptr  10h
    
    push    ebp
    mov     ebp, esp
    and     esp, 0FFFFFFF8h
    push    0FFFFFFFFh
    push    offset loc_100D9E89
    mov     eax, large fs:0
    push    eax
    sub     esp, 0C8h
    mov     eax, dword_1010602C
    xor     eax, esp
    mov     [esp+0D4h+var_14], eax
    push    ebx
    push    esi
    push    edi
    mov     eax, dword_1010602C
    xor     eax, esp
    push    eax
    lea     eax, [esp+0E4h+var_C]
    mov     large fs:0, eax
    mov     esi, [ebp+arg_0]
    mov     [esp+0E4h+var_D4], esi
    call    sub_1002B490
    test    al, al
    jnz     short loc_1001061A

    Code:
    mov     ecx, [esp+0E4h+var_C]
    mov     large fs:0, ecx
    pop     ecx
    pop     edi
    pop     esi
    pop     ebx
    mov     ecx, [esp+0D4h+var_14]
    xor     ecx, esp
    call    sub_100D1482
    mov     esp, ebp
    pop     ebp
    retn    0Ch

    Last edited by GliderPro; 07-09-2009 at 05:19 PM.

  4. #4
    lanman92 (Active Member)
    That's always an option

  5. #5
    Bobbysing (Member)
    The "RETN C" tells us that the function actually takes 3 arguments.
    Since that function is also a virtual class method and passes the this-pointer as the first argument (you can guess that from the way it's being called), you define it like this:
    Code:
    virtual void __stdcall FuncName( Foo * pThis, DWORD dwValue, DWORD dwSecondArg ) = 0;

    You should never turn RTC off to get rid of errors; they may haunt you later when you can't easily see what is going wrong.
    Last edited by Bobbysing; 07-09-2009 at 07:03 PM. Reason: grammar
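The checks this thread walks through, as an added example that is not code from any post above: it reads the argument bytes from the callee's `retn 0Ch`, counts the caller's pushes so the `push edi` register save is not mistaken for an argument, and computes the ESP drift that __RTC_CheckEsp reports for each declaration tried. The two snippets are constructed from the disassembly quoted in posts #1 and #3, keeping the thread's placeholder labels.

```python
import re

# Constructed from the disassembly quoted in this thread; dword_xxxx and
# ds:Foo are the thread's own placeholder labels, not real symbols.
CLIENT_CALL = """
mov     edx, dword_xxxx
mov     eax, ds:Foo
mov     eax, [eax]
mov     ecx, [eax]
push    edi
push    edx
push    0Dh
push    eax
mov     eax, [ecx+14h]
call    eax
"""
CALLEE_EPILOG = """
mov     esp, ebp
pop     ebp
retn    0Ch
"""

def callee_pops(asm):
    """Bytes the callee removes on return: N for 'retn N', 0 for a bare ret (cdecl)."""
    m = re.search(r"^\s*retn?[ \t]+(\w+)[ \t]*$", asm, re.M)
    if not m:
        return 0
    v = m.group(1)  # MASM immediate: trailing h means hex, otherwise decimal
    return int(v[:-1], 16) if v[-1] in "hH" else int(v)

def pushes_before_call(asm):
    """Operands pushed before the first call instruction, in push order."""
    ops = [l.split() for l in asm.splitlines() if l.strip()]
    end = next((i for i, p in enumerate(ops) if p[0] == "call"), len(ops))
    return [p[1] for p in ops[:end] if p[0] == "push"]

def esp_drift(pushed_bytes, callee_pop_bytes, caller_cleanup_bytes):
    """Net ESP change after the call and any 'add esp, N'; nonzero trips __RTC_CheckEsp."""
    return callee_pop_bytes + caller_cleanup_bytes - pushed_bytes

def describe(caller, callee):
    """Infer the convention; for stdcall, split pushes into arguments vs. saved registers."""
    pops, pushed = callee_pops(callee), pushes_before_call(caller)
    if pops == 0:
        return {"convention": "cdecl", "args": pushed, "saved_regs": []}
    nargs = pops // 4
    # Pushes beyond what retn N cleans up (push edi here) preserve registers, not args.
    return {"convention": "stdcall", "args": pushed[-nargs:], "saved_regs": pushed[:-nargs]}
```

A drift of 12 bytes reproduces post #1's `__cdecl(int)` attempt (8 bytes pushed, callee pops 12, then `add esp,8`), 4 bytes the one-argument stdcall retry in post #3 (this plus one int on the stack, 8 bytes pushed), and 0 only when three dwords are pushed to match `retn 0Ch`.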
