[General] __thiscall method returning list/vector menu

  1. #1 streppel

    [General] __thiscall method returning list/vector

    Hey all,
    it's me again ^^

    My question is how to get the list/vector that is returned by a function.
    According to this thread ( http://www.mmowned.com/forums/world-...n32-mingw.html ) all classes and structures are returned in memory, into an additional pointer that was pushed on the stack too.
    So in IDA my function has something like this signature:
    public class std::vector<class whatever,class std::allocator<whatever *>> __thiscall MyClass::MyMethod(void);

    For the thiscall I'm moving a pointer to the instance of the class MyClass into ecx.
    Now normally I'd just do a "call "+MethodAdresse, but as I said before, according to the other thread, I'd have to pass another parameter,
    so "mov eax, "+SomeAllocatedMemoryAdresseThatIsBigEnough
    Looks good now, doesn't it?

    The problem is that it does not work this way either. Both ways (with passing a pointer to allocated memory and without doing so) cause a client crash that I can't seem to find a way around.

    I'm using RivaLfr's method of hooking EndScene to execute my code in the main thread, and all other functions like assisting work fine this way, so I guess that this is not the problem.

    Thanks for your help again
    streppel

  2. #2 LordJZ
    Try pushing the pointer onto the stack, like:

    push SomeAllocatedMemoryAdresseThatIsBigEnough
    mov ecx, ptrThis
    call func

  3. #3 streppel
    Of course I did push it on the stack; afterwards I wrote my address to eax and did a "call eax".
    Code:
                string[] asm = new string[]
                {
                    "mov eax, "+r1,                                        // r1: address of the allocated result slot
                    "push eax",                                            // hidden return-slot pointer, first stack argument
                    "mov eax, "+(GetModuleAdresse("Module.dll")+0x0FF5E7), // absolute address of the target method
                    "mov ecx, "+GetInstance(),                             // this pointer for the __thiscall
                    "call eax",
                    "retn"
                };
    r1 is the address of my allocated memory, pushed on the stack. eax contains the address of the function I want to call and ecx the instance of the class. I can't see any mistake there; it should be working, shouldn't it?

  4. #4 Bananenbrot
    Did you check the signature in IDA?

    EDIT: Ok, I mean, did you verify how the parameters are pushed onto the stack?
    Last edited by Bananenbrot; 06-19-2011 at 09:14 AM.

  5. #5 streppel
    Originally Posted by Bananenbrot:
    Did you check the signature in IDA?

    EDIT: Ok, I mean, did you verify how the parameters are pushed onto the stack?
    Code:
    int __thiscall MyClass__MyMethod(void *this)
    {
      int v1; // eax@1
      int result; // eax@2
    This is what IDA's decompiler shows me.
    v1 is being overwritten in the next line, while result is being set to the result of some subroutine and returned afterwards.

    I also tried to create two code caves and push their addresses onto the stack (as I saw above that there is an eax@1 and eax@2, which I interpreted as what gets popped from the stack; is that right at all?), but it didn't work either :/

  6. #6 MaiN
    Why don't you just take a look at how other functions call the function? Or what the function does?

  7. #7 flo8464
    Please make something clear:
    Are you calling

    - gcc created code from msvc created code ?
    - msvc created code from gcc created code ?
    - gcc created code from gcc created code ?
    - msvc created code from msvc created code ?

    i'm using RivaLfr's method of hooking Endscene to execute my code in the main thread and all other functions like assisting work fine this way, so i guess that this is not the problem.
    This makes me assume that you run your code on a Windows box.
    In case you are compiling with mingw (gcc), just get msvc ... the better compiler for Windows.
    If you are already using VS ... why the heck are you reading instructions for doing that call with gcc?
    Last edited by flo8464; 06-20-2011 at 03:38 AM.

  8. #8 streppel
    I'm calling msvc created code from msvc created code,
    and the other thread is general about compilers and how they handle their stuff, so I just used it to get my information on where and how something is returned.

  9. #9 flo8464
    Well, then you might be able to do it like that:

    template<typename T>
    std::vector<T> MyClass__MyMethod(void *thisPtr)   // 'this' is a keyword, so the parameter needs another name
    {
        // Declaring the return type by value lets MSVC push the hidden return-slot
        // pointer for you; the calling convention goes in front of the pointer name.
        typedef std::vector<T> (__thiscall *fPtr)(void*);
        return reinterpret_cast<fPtr>(INSERT_ADDRESS)(thisPtr);
    }
    This only works if the original code doesn't allocate memory for the vector<> on the stack and if your vector-implementation is binary-compatible with the vector used by the application you're reversing.
    But well, it almost always does get memory from the stack.

    As you are inspecting that function in IDA, jump to a function referencing your function and show how it's called there.

  10. #10 Bananenbrot
    He's using RivalFr's EndScene via ASM hook, so I bet injecting compiled C++ isn't an option for him.
    Otherwise he could simply use the function definition provided by IDA.

  11. #11 SKU
    You might also want to provide the actual assembly of the function and a (few) snippet(s) where the function's being called.
    The Hex-Rays-generated signature can't always be trusted blindly.

  12. #12 MaiN
    This thread is the new spam central.

  13. #13 SKU
    Also, tinyurl or something.. :/

  14. #14 Bananenbrot
    Ok and my post was deleted because of spam...

    Edit by Parog: Maybe if you didn't quote the spam and re-spam the link we wouldn't do that. Keep on doing it and I'll ban you for spamming too.
    Last edited by Parog; 06-23-2011 at 02:13 AM.

  15. #15 lanman92
    This is getting ridiculous.
