So I didn't find this the standard way, but I was able to find the mount list pointer in memory, then I cross-referenced it in IDA Pro for 3.3.0.11159. Basically I need help understanding exactly what this function does (I don't NEED to know — I'm able to read the number of mounts and the mount list fine — but I want to better understand what is going on here).
What I think is going on: the number of mounts is read into v0, since unk_E02A74 stores the number of mounts. Also, FYI, unk_E02A74 + 0x4 is a pointer to the mount list (one UInt32 after another). Then it loops until v1 == v0, so in essence v1 and v0 end up as the same number (this might be where I go astray). dword_E02A54 is a pointer to something — a list of numbers — but I think the first number is irrelevant; it's always 21651 (the spell Opening?).
After this I'm just confused. Does the sub_93920 function simply free memory? What else goes on after the first while loop?
Code:
/*
 * Cleanup pass over the two 16-byte global records that end at unk_E02A74.
 *
 * The listing shows this routine referenced only from __StaticInit (DATA XREF),
 * so it looks like a static-destructor style teardown of global arrays that
 * runs at exit — confirm against other xrefs.
 *
 * Record layout, as far as this function reads it:
 *   +0   dword  element count   (the poster's "# of mounts" for the E02A74 record)
 *   +4   dword  pointer to the heap buffer that holds the elements
 * Whatever sits at +8 and +12 is never touched here.
 *
 * Walk order: start at unk_E02A74, step back 16 bytes per iteration, and stop
 * as soon as the cursor equals &dword_E02A54.  0xE02A74 - 0xE02A54 = 0x20, so
 * exactly two records are processed (E02A74, then E02A64).  dword_E02A54 is
 * only the end marker; this function never reads it.
 *
 * Return value: the decompiler's `result` is just whatever the last sub_93920
 * call left in eax.  The assembly sets no dedicated return value after the
 * loop, so treat the routine as void.
 */
const void *__cdecl sub_5A0AC0() //version 3.3.0.11159
{
char *v0; // ebx@1 -- cursor over the records (a pointer to the record, not the count itself)
int v1; // eax@3 -- counter used only by the empty loop below
const void *result; // eax@5 -- last value returned by sub_93920 (or NULL)
v0 = (char *)&unk_E02A74; // start at the last record; *(_DWORD *)v0 is its element count
do
{
if ( *(_DWORD *)v0 ) // count != 0 ?
{
v1 = 0;
do // runs v1 from 1 up to count and touches nothing else; on exit v1 == *(_DWORD *)v0.
++v1; // Probably a per-element loop whose body the compiler reduced to nothing
while ( *(_DWORD *)v0 != v1 ); // (e.g. trivial element destructors) — confirm against the original source if available.
}
result = (const void *)*((_DWORD *)v0 + 1); // field at +4: pointer to the element buffer
if ( result )
result = (const void *)sub_93920(result); // free it. The assembly also pushes offset byte_A62B10, 0FFFFFFFEh and 0 as further arguments; sub_93920's listing only references ptr, so the decompiler dropped them (caller-info for a debug allocator is a plausible but unconfirmed reading).
v0 -= 16; // previous record
}
while ( (void **)v0 != &dword_E02A54 ); // end marker reached after the second record
return result;
}
Code:
/*
 * Release a heap block.
 *
 * ptr: block to free; NULL is accepted and does nothing.
 * Returns 1 unconditionally.  sub_5A0AC0's assembly ignores the value
 * after the call.
 *
 * malloc_size() is queried first and its result dropped — presumably a
 * leftover from allocation bookkeeping that was compiled out; confirm
 * against the original source if available.
 */
signed int __cdecl sub_93920(const void *ptr)
{
    if ( !ptr )
        return 1;           /* nothing to release */
    malloc_size(ptr);       /* Darwin libmalloc size query; result unused */
    free((void *)ptr);      /* cast only drops const for free() */
    return 1;
}
Raw assembly:
Code:
text:005A0AC0 ; =============== S U B R O U T I N E =======================================
__text:005A0AC0
__text:005A0AC0 ; Attributes: bp-based frame
__text:005A0AC0
__text:005A0AC0 sub_5A0AC0 proc near ; DATA XREF: __StaticInit:00C4590Fo -- referenced from static-init code, so likely an exit-time teardown of globals (confirm)
__text:005A0AC0 push ebp
__text:005A0AC1 mov ebp, esp
__text:005A0AC3 push ebx
__text:005A0AC4 mov ebx, offset unk_E02A74 ; ebx = cursor, starts at the last 16-byte record
__text:005A0AC9 sub esp, 14h ; Integer Subtraction -- outgoing argument area for the sub_93920 call
__text:005A0ACC
__text:005A0ACC loc_5A0ACC: ; CODE XREF: sub_5A0AC0+55j -- top of the per-record loop
__text:005A0ACC mov edx, [ebx] ; edx = record.count (field +0)
__text:005A0ACE test edx, edx ; Logical Compare
__text:005A0AD0 jz short loc_5A0AE5 ; Jump if Zero (ZF=1) -- count == 0: skip the counting loop
__text:005A0AD2 xor eax, eax ; Logical Exclusive OR -- eax = 0
__text:005A0AD4 nop word ptr [eax+eax+00h] ; No Operation -- padding so loc_5A0AE0 starts on a 16-byte boundary
__text:005A0ADA nop word ptr [eax+eax+00h] ; No Operation -- padding (same)
__text:005A0AE0
__text:005A0AE0 loc_5A0AE0: ; CODE XREF: sub_5A0AC0+23j
__text:005A0AE0 inc eax ; Increment by 1 -- eax runs 1..count; no memory is read or written in this loop
__text:005A0AE1 cmp edx, eax ; Compare Two Operands
__text:005A0AE3 jnz short loc_5A0AE0 ; Jump if Not Zero (ZF=0) -- loop exits with eax == count
__text:005A0AE5
__text:005A0AE5 loc_5A0AE5: ; CODE XREF: sub_5A0AC0+10j
__text:005A0AE5 mov eax, [ebx+4] ; eax = record.ptr (field +4)
__text:005A0AE8 test eax, eax ; Logical Compare
__text:005A0AEA jz short loc_5A0B0C ; Jump if Zero (ZF=1) -- NULL: nothing to free
__text:005A0AEC mov dword ptr [esp+0Ch], 0 ; 4th arg (sub_93920 never reads it)
__text:005A0AF4 mov dword ptr [esp+8], 0FFFFFFFEh ; 3rd arg = -2 (sub_93920 never reads it)
__text:005A0AFC mov dword ptr [esp+4], offset byte_A62B10 ; 2nd arg (sub_93920 never reads it); the decompiled prototype keeps only ptr
__text:005A0B04 mov [esp], eax ; ptr -- 1st arg
__text:005A0B07 call sub_93920 ; Call Procedure -- frees the buffer; eax on return is not used afterwards
__text:005A0B0C
__text:005A0B0C loc_5A0B0C: ; CODE XREF: sub_5A0AC0+2Aj
__text:005A0B0C sub ebx, 10h ; Integer Subtraction -- previous record
__text:005A0B0F cmp ebx, offset dword_E02A54 ; Compare Two Operands -- end marker; dword_E02A54 itself is never processed
__text:005A0B15 jnz short loc_5A0ACC ; Jump if Not Zero (ZF=0) -- two passes in total: E02A74, then E02A64
__text:005A0B17 add esp, 14h ; Add -- epilogue
__text:005A0B1A pop ebx
__text:005A0B1B leave ; High Level Procedure Exit
__text:005A0B1C retn ; Return Near from Procedure -- eax is not set here, so there is no meaningful return value
__text:005A0B1C sub_5A0AC0 endp
Code:
text:00093920 ; int __cdecl sub_93920(void *ptr)
__text:00093920 sub_93920 proc near ; CODE XREF: sub_8A020+47p
__text:00093920 ; sub_8A020+97p ...
__text:00093920
__text:00093920 ptr = dword ptr 8 ; only stack argument referenced; sub_5A0AC0 pushes three more dwords that this routine never reads
__text:00093920
__text:00093920 push ebp
__text:00093921 mov ebp, esp
__text:00093923 push ebx
__text:00093924 sub esp, 14h ; Integer Subtraction -- argument area for the two libc calls
__text:00093927 mov ebx, [ebp+ptr] ; ebx = ptr, kept across the calls
__text:0009392A test ebx, ebx ; Logical Compare
__text:0009392C jz short loc_9393E ; Jump if Zero (ZF=1) -- NULL: skip straight to the return
__text:0009392E mov [esp], ebx ; ptr
__text:00093931 call _malloc_size ; Call Procedure -- Darwin libmalloc size query; result in eax is discarded
__text:00093936 mov [esp], ebx ; void *
__text:00093939 call _free ; Call Procedure -- the actual release
__text:0009393E
__text:0009393E loc_9393E: ; CODE XREF: sub_93920+Cj
__text:0009393E add esp, 14h ; Add
__text:00093941 mov eax, 1 ; always returns 1
__text:00093946 pop ebx
__text:00093947 leave ; High Level Procedure Exit
__text:00093948 retn ; Return Near from Procedure
__text:00093948 sub_93920 endp
Any help is greatly appreciated, I'm just trying to better understand this.