Reversing question (SP) - working on Is

[Tanaris4]

So I'm about 90% complete w/my reversing on isOutdoors (you just pass the baseAddress of the object), but I'm running into one tiny snag, and I think it's just due to my understanding.

This function passes &v5 as the key, which obviously isn't defined in the below code (but it's stated the value is [stack pointer+24h]. Can someone shed some light on this?

Code:

void *__cdecl GetWMOAreaRec(int a1, int a2, int a3)
{
  int v3; // ecx@1
  char v5; // [sp+24h] [bp-44h]@3
  int v6; // [sp+28h] [bp-40h]@1
  int v7; // [sp+2Ch] [bp-3Ch]@1
  int v8; // [sp+30h] [bp-38h]@1

  v3 = 0;
  v6 = a1;
  v7 = a2;
  v8 = a3;
  if ( g_WMOAreaTableDB.numRows > 0 )
    v3 = g_WMOAreaTableDB.FirstRow;
  return bsearch(&v5, (const void *)v3, g_WMOAreaTableDB.numRows, 0x3Cu, BattleNetLogin__vFunc48);
}

I understand the concept of pushing values on the stack, but I'm a bit confused as to how the key was pushed on the stack in the first place. if I move up the call chain, I go from:

• GetWMOAreaRec(int a1, int a2, int a3)
• CWorldMap__QueryOutdoors(int a1)
• World__QueryOutdoors(int a1)

How is this actually set? Sooo close to having this done OOP. Can it not be done?

Thanks!

Note: The function names are from the mac build 13850 (all function names are given)
PS. If you want to see everything I've done, it's here: [Objective C] int CMapObj__GetGroup(int a1, int a2, int a3){ log(LOG_MEMORY, @" CMapObj__G - Pastebin.com

Edit: And the assembly (Note: addresses are from the 4.0.6 binary and off_12635A4 is a pointer to g_WMOAreaTableDB):

Code:

__text:002541B0                                     GetWMOAreaRec   proc near               ; CODE XREF: sub_AEF700+8Dp
__text:002541B0                                                                             ; sub_AEF7B0+7Dp ...
__text:002541B0
__text:002541B0                                     var_44          = byte ptr -44h
__text:002541B0                                     var_40          = dword ptr -40h
__text:002541B0                                     var_3C          = dword ptr -3Ch
__text:002541B0                                     var_38          = dword ptr -38h
__text:002541B0                                     arg_0           = dword ptr  8
__text:002541B0                                     arg_4           = dword ptr  0Ch
__text:002541B0                                     arg_8           = dword ptr  10h
__text:002541B0
__text:002541B0 55                                                  push    ebp
__text:002541B1 31 C9                                               xor     ecx, ecx
__text:002541B3 89 E5                                               mov     ebp, esp
__text:002541B5 83 EC 68                                            sub     esp, 68h
__text:002541B8 8B 15 A4 35 26 01                                   mov     edx, ds:off_12635A4
__text:002541BE 8B 45 08                                            mov     eax, [ebp+arg_0]
__text:002541C1 89 45 C0                                            mov     [ebp+var_40], eax
__text:002541C4 8B 45 0C                                            mov     eax, [ebp+arg_4]
__text:002541C7 89 45 C4                                            mov     [ebp+var_3C], eax
__text:002541CA 8B 45 10                                            mov     eax, [ebp+arg_8]
__text:002541CD 89 45 C8                                            mov     [ebp+var_38], eax
__text:002541D0 8B 42 04                                            mov     eax, [edx+4]
__text:002541D3 85 C0                                               test    eax, eax
__text:002541D5 7E 03                                               jle     short loc_2541DA
__text:002541D7 8B 4A 14                                            mov     ecx, [edx+14h]
__text:002541DA
__text:002541DA                                     loc_2541DA:                             ; CODE XREF: GetWMOAreaRec+25j
__text:002541DA 89 44 24 08                                         mov     [esp+8], eax    ; size_t
__text:002541DE 8D 45 BC                                            lea     eax, [ebp+var_44]
__text:002541E1 C7 44 24 10 80 41 25 00                             mov     dword ptr [esp+10h], offset BattleNetLogin__vFunc48 ; int (*)(const void *, const void *)
__text:002541E9 C7 44 24 0C 3C 00 00 00                             mov     dword ptr [esp+0Ch], 3Ch ; size_t
__text:002541F1 89 4C 24 04                                         mov     [esp+4], ecx    ; void *
__text:002541F5 89 04 24                                            mov     [esp], eax      ; void *
__text:002541F8 E8 CC 1E 01 01                                      call    _bsearch
__text:002541FD C9                                                  leave
__text:002541FE C3                                                  retn
__text:002541FE                                     GetWMOAreaRec   endp

[MaiN]

That argument is passed to the comparator ("BattleNetLogin_vFunc48"). The comparator only uses +4, +8 and +12, which is v6, v7 and v8, or a1, a2 and a3.

[Tanaris4]

I understand it's passed, but it's never defined. v5 is never set anywhere. IDA is telling me that v5 points to [sp+24], but how do I understand where [sp+24] is set.

I need to know this to do it out of process :/

I tried just adding another argument (thanks namreeb) in IDA by pressing y, but this didn't get me anywhere, same issue, the key that is passed to bsearch isn't set anywhere (well it is, I just don't know where)

[schlumpf]

Code:

struct WMOAreaTableDBRec
{
  uint32_t id;
  uint32_t rootID;
  uint32_t nameSet;
  uint32_t groupID;
  uint32_t padding[0x3C-0x10];
};

void* GetWMOAreaRec(uint32 _rootID, uint32 _nameSet, uint32 _groupID)
{
  if ( g_WMOAreaTableDB.numRows <= 0 )
    return NULL;

  WMOAreaTableDBRec key;
  key.rootID = _rootID;
  key.nameSet = _nameSet;
  key.groupID = _groupID;
  return bsearch( key, g_WMOAreaTableDB.FirstRow, g_WMOAreaTableDB.numRows, sizeof(WMOAreaTableDBRec), BattleNetLogin__vFunc48);
}

[TOM_RUS]

Same as above:

Code:

struct WMOAreaTableRec
{
  DWORD m_ID;
  DWORD m_WMOID;
  DWORD m_NameSetID;
  DWORD m_WMOGroupID;
  DWORD m_SoundProviderPref;
  DWORD m_SoundProviderPrefUnderwater;
  DWORD m_AmbienceID;
  DWORD m_ZoneMusic;
  DWORD m_IntroSound;
  DWORD m_flags;
  DWORD m_AreaTableID;
  DWORD m_AreaName_lang;
  DWORD m_field12; // added in 4.x
  DWORD m_field13; // added in 4.x
  DWORD m_field14; // added in 4.x
};
 
struct WoWClientDB
{
  void *funcTable;
  int numRows;
  int maxIndex;
  int minIndex;
  int stringTable;
  void *FirstRow;
  void **Rows;
};

void *__cdecl SDBWMOAreaTableLookup(DWORD wmoId, DWORD nameSetId, DWORD wmoGroupId)
{
  int num; // edx@1
  WMOAreaTableRec *base; // ecx@1
  WMOAreaTableRec key; // [sp+24h] [bp-44h]@3

  num = g_wMOAreaTableDB.numRows;
  base = 0;
  if ( num > 0 )
    base = g_wMOAreaTableDB.FirstRow;
  key.m_WMOID = wmoId;
  key.m_NameSetID = nameSetId;
  key.m_WMOGroupID = wmoGroupId;
  return bsearch(&key, base, num, 0x3Cu, WMOAreaTableRecComparer_sub_259450);
}

unsigned int __cdecl WMOAreaTableRecComparer_sub_259450(WMOAreaTableRec *a1, WMOAreaTableRec *a2)
{
  unsigned int result; // eax@1

  result = a1->m_WMOID - a2->m_WMOID;
  if ( a1->m_WMOID == a2->m_WMOID )
  {
    result = a1->m_NameSetID - a2->m_NameSetID;
    if ( a1->m_NameSetID == a2->m_NameSetID )
      result = a1->m_WMOGroupID - a2->m_WMOGroupID;
  }
  return result;
}

[_Mike]

I understand it's passed, but it's never defined. v5 is never set anywhere. IDA is telling me that v5 points to [sp+24], but how do I understand where [sp+24] is set.

Simple answer; It isn't set.
Like MaiN said, the comparator only uses +4 +8 +12 so there's no need to set the first DWORD.
v5-v8 are pointers (+0,+4,+8,+12 respectively) to the same WMOAreaTableDBRec struct
The stack variable var_44 is what hex-rays calls v5
This part:

Code:

v6 = a1;
v7 = a2;
v8 = a3;

would be something like

Code:

v5.rootID = a1;
v5.nameSet = a2;
v5.groupID = a3;

If you want a slightly better decompilation, edit the function stack and remove var_40, var_3C, var_38 and set var_44 as a WMOAreaTableDBRec struct and you'll get something like: (13623-windows)

Code:

void *__cdecl GetWMOAreaRec(int a1, int a2, int a3)
{
  bool v4; // ecx@1
  WMOAreaTableDBRec v5; // [sp+0h] [bp-3Ch]@1

  v5.nameSetId = a2;
  v5.rootId = a1;
  v4 = g_WMOAreaTableDB.numRows < 0;
  LOBYTE(v4) = g_WMOAreaTableDB.numRows <= 0;
  v5.groupId = a3;
  return bsearch(
           &v5,
           (const void *)((unsigned int)g_WMOAreaTableDB.FirstRow & (v4 - 1)),
           g_WMOAreaTableDB.numRows,
           0x3Cu,
           sub_642B00);
}

[schlumpf]

Same as above:

Code:

struct WMOAreaTableRec
{
  DWORD m_ID;
  DWORD m_WMOID;
  DWORD m_NameSetID;
  DWORD m_WMOGroupID;
  DWORD m_SoundProviderPref;
  DWORD m_SoundProviderPrefUnderwater;
  DWORD m_AmbienceID;
  DWORD m_ZoneMusic;
  DWORD m_IntroSound;
  DWORD m_flags;
  DWORD m_AreaTableID;
  DWORD m_AreaName_lang;
  DWORD m_field12; // added in 4.x
  DWORD m_field13; // added in 4.x
  DWORD m_field14; // added in 4.x
};

Is there a wiki with all those Rec structs, I don't know about?

[XTZGZoReX]

Is there a wiki with all those Rec structs, I don't know about?

See http://www.mmowned.com/forums/world-...ml#post2067796

[schlumpf]

See http://www.mmowned.com/forums/world-...ml#post2067796

And how does the binaries thread contain a wiki including DBC structures? At least, I did not find some link.

[TOM_RUS]

And how does the binaries thread contain a wiki including DBC structures? At least, I did not find some link.

Binary linked above has lots of dbc structs inside.

[schlumpf]

Binary linked above has lots of dbc structs inside.

I must be blind. Oh, well.

[TOM_RUS]

I must be blind. Oh, well.

I've wrote IDC script to dump dbc structs from this binary, there's a dump: Paste2: Next Generation Pastebin - Viewing Paste 1366912

[Tanaris4]

I've wrote IDC script to dump dbc structs from this binary, there's a dump: Paste2: Next Generation Pastebin - Viewing Paste 1366912

Holy crap that's sexy, did you post the IDC script anywhere? Always curious

[TOM_RUS]

Holy crap that's sexy, did you post the IDC script anywhere? Always curious

Script itself is useless, as 4.0.0.11792 is only build with such info (there's few older builds like 3.0.2.8885 and some others that have such info as well).

[TOM_RUS]

I've wrote IDC script to dump dbc structs from this binary, there's a dump: Paste2: Next Generation Pastebin - Viewing Paste 1366912

I've updated my script to produce real structs instead of "pseudo structs" like it did before. Updated DBC structs dump from build 4.0.0.11792: Paste2: Next Generation Pastebin - Viewing Paste 1388089.