Heya,
I'm currently disassembling a prog ... and I have some problems understanding the code at some
positions. For example:


arg_0 = dword ptr 4
arg_8 = dword ptr 0Ch
arg_C = dword ptr 10h

call ds:GetCurrentThreadId



1. What are these arg_* for? Are these the starting parameters for the cmd box?
2. What does the "ds:" mean?


Another off-topic question:
Could I reactivate my original acc? The name is "chromos" ... I forgot the pwd and I cannot get the pwd via e-mail because the German e-mail provider www.firemail.de was bought by Lycos and I didn't want to change to Lycos. So I have lost pwd and email acc :(
Posted on 2004-07-19 05:51:38 by gallo
1. That's IDA's intelligence that "tells" you what are the parameters to the function, but sometimes it could be wrong.
2. ds is the segment. But since windows uses flat memory model, the usage of ds or es does not really matter.
Posted on 2004-07-19 07:25:23 by roticv
you can rename the args if you want, they're just given the default name of arg_xxx where . IDA sometimes screws up when you have structures allocated as local variables, but i haven't played with IDA enough to figure out how to fix it. and as for the ds:API thing, it means that it's a direct jump to the API/function, and not a normal call to the jump table, and then a jmp to ds:__imp_API
Posted on 2004-07-19 08:31:31 by Drocon
Did you buy IDA, or are you working with one of the freeware/demo versions from simtel?
Posted on 2004-07-19 09:06:45 by f0dder
yes, that's possible, PM me the password you want for the old account.

I have to caution you about the question though, it may be wandering into inappropriate domains (know that we don't support cracking on this forum) :)
Posted on 2004-07-19 10:01:18 by Hiroshimator
Heya,
Thanks for your Answers ....


1. That's IDA's intelligence that "tells" you what are the parameters to the function, but sometimes it could be wrong.
2. ds is the segment. But since windows uses flat memory model, the usage of ds or es does not really matter.


1. ok bc I thought it's something like a command line argument in C ...
2. hm but why is this ds: in front of the API call? I found this code in a ca. 6-7 year old PE ... has the memory model changed? So that's because it doesn't matter anymore?



you can rename the args if you want, they're just given the default name of arg_xxx where . IDA sometimes screws up when you have structures allocated as local variables, but i haven't played with IDA enough to figure out how to fix it. and as for the ds:API thing, it means that it's a direct jump to the API/function, and not a normal call to the jump table, and then a jmp to ds:__imp_API


1. what do you mean with " " ?
2. What is the difference between a direct jump to the function and a normal call to the jump table?



Did you buy IDA, or are you working with one of the freeware/demo versions from simtel?


I use a 4.6 Demo Version. It's simply the best Debugger/Disasm ... and I'm not that much on a reversing trip :)



yes, that's possible, PM me the password you want for the old account.

I have to caution you about the question though, it may be wandering into inappropriate domains (know that we don't support cracking on this forum)


Ok thank you. Check your PMs ...
Posted on 2004-07-19 16:26:19 by gallo
1. Since when?
2. Ask ida why they add that. I think that is pointless. No, it does not matter.

1. parameters or local variables
2. The first calls the address in a certain memory, while the other calls a table which jmps to the address stored in the memory, or something along the lines.
Posted on 2004-07-20 06:02:05 by roticv
A call with a DS:address is an indirect call. The actual function address is stored at (DS: )address. For a long time now, VC++ compilers have been creating these types of calls for functions identified as DLL functions (uses nonstandard keywords).
Posted on 2004-07-21 16:19:29 by tenkey
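The two call forms discussed in this thread, shown at the byte level as an added example that is not part of any post above: `FF 15` is the indirect `call dword ptr ds:[slot]` through an import table slot, while `E8` is a relative call that here lands on an `FF 25` jump-table stub going through the same slot. The addresses, code bytes and table contents are constructed for illustration.

```python
import struct

IMAGE_BASE = 0x401000                      # constructed address of CODE[0]
IAT = {0x402000: "GetCurrentThreadId"}     # constructed slot -> bound API name

CODE = bytes.fromhex(                      # constructed sample code
    "ff1500204000"   # 401000: call dword ptr ds:[402000h]  (indirect call)
    "e801000000"     # 401006: call 40100Ch                 (relative call to stub)
    "c3"             # 40100B: ret
    "ff2500204000"   # 40100C: jmp  dword ptr ds:[402000h]  (jump-table stub)
)

def thunk_slot(code, base, target):
    """Return the IAT slot a jump-table stub at `target` reads, or None."""
    off = target - base
    if 0 <= off and off + 6 <= len(code) and code[off:off + 2] == b"\xff\x25":
        return struct.unpack_from("<I", code, off + 2)[0]
    return None

def classify_calls(code, base, iat):
    """Linear sweep over the few opcodes used here; yields (addr, kind, api)."""
    found, off = [], 0
    while off < len(code):
        addr = base + off
        if code[off:off + 2] == b"\xff\x15" and off + 6 <= len(code):
            slot = struct.unpack_from("<I", code, off + 2)[0]
            found.append((addr, "indirect", iat.get(slot)))
            off += 6
        elif code[off] == 0xE8 and off + 5 <= len(code):
            rel = struct.unpack_from("<i", code, off + 1)[0]
            target = addr + 5 + rel        # rel32 counts from the next instruction
            slot = thunk_slot(code, base, target)
            kind = "thunk" if slot is not None else "direct"
            found.append((addr, kind, iat.get(slot)))
            off += 5
        elif code[off:off + 2] == b"\xff\x25" and off + 6 <= len(code):
            off += 6                       # the stub itself is not a call site
        elif code[off] == 0xC3:
            off += 1                       # ret
        else:
            raise ValueError(f"opcode {code[off]:#04x} at {addr:#x} not handled")
    return found

if __name__ == "__main__":
    for addr, kind, api in classify_calls(CODE, IMAGE_BASE, IAT):
        print(f"{addr:#x}: {kind:8} -> {api}")
```

Both call sites resolve to the same API; the only difference is whether the slot is read by the call itself or by the stub it jumps to.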