I currently have a program loaded into the IDA disassembler and I am looking at this function call inside another function:

stxt371:013DF4AD                call   

IDA tells me it thinks var_74 is a DWORD (4-byte) value. I'm confused as to how this is possible if it's being called like an address.
Does this instruction tell me var_74 is a 4-byte pointer to a function?
Posted on 2010-09-11 15:11:40 by maybnxtseasn
maybnxtseasn,

Correct. An indirect near call expects a 32-bit offset as the operand, in your case at the effective address given by (in 32-bit mode). Why are you suspecting anything else?
Posted on 2010-09-11 15:36:00 by baldr
I am new to learning assembly/reversing and I didn't think I would be correct on my first guess lol :). Are all pointers 4 bytes on a 32-bit processor/program? And also, any idea on how I can figure out what the return type of the function might be? Should I just observe the data type being stored in the EAX register at the end of the function?
Posted on 2010-09-11 15:38:14 by maybnxtseasn
Remember that you can run 16-bit apps on a 32-bit processor, in which case the pointers are 16-bit (assuming the operating system provides such support, i.e. WOW32). However, assuming you are running a modern version of Windows or Linux, then it is pretty safe to assume that the pointers are all 32-bit for a 32-bit OS. Pointers on a 64-bit OS can be either 32-bit or 64-bit, again depending on the application and whether the operating system itself supports it.

As far as return values go, be advised that on a 32-bit machine EDX can also be used along with EAX to return a LONG or even a struct which fits into 8 bytes. EAX on a 32-bit machine will contain a 32-bit pointer or integer if the function returns a pointer or integer, respectively.

This topic also gets into the standard calling conventions of the operating system in question. Using assembly, you are free to write your functions any way you see fit and return values in any register you want. It is really when you are calling into somebody's library or making a system call that you need to understand the convention used. Using the previous example of a Linux or Windows operating system, the previous paragraph would be true. To point you in the right direction, Google "C calling convention" and research for your operating system of choice.

Since you indicated you are new to assembly, I would suggest learning to write your own programs and functions and understanding the issues involved before diving into the deep dark waters of reversing, my friend. Assembly pros can make your journey very difficult, and we try our best not to make our commercial applications easily reversible ;)

Posted on 2010-09-11 21:32:38 by p1ranha
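Added example, not code from the thread: a small C program showing the two points above, a 4-byte local holding a code address that the compiler turns into an indirect near call (the role of var_74), and a 64-bit return value split into the dwords a 32-bit cdecl caller reads from EAX and EDX. The callback signature and all names are my own assumptions; the register mapping only applies to a 32-bit build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed callback shape for the var_74 slot: cdecl, one 32-bit
   argument, 32-bit result returned in EAX. */
typedef uint32_t (*handler_t)(uint32_t);

static uint32_t add_one(uint32_t x)   { return x + 1u; }
static uint32_t times_two(uint32_t x) { return x * 2u; }

/* Size of a code pointer on the build target: 4 in a 32-bit program
   like the one in the thread, 8 in a 64-bit build. */
size_t code_pointer_size(void) { return sizeof(handler_t); }

/* 'slot' plays the role of var_74: a local holding an address, through
   which the compiler emits an indirect near call (call [ebp+var_74]). */
uint32_t call_through_local(int which, uint32_t arg)
{
    handler_t slot = (which == 0) ? add_one : times_two;
    return slot(arg);
}

/* A function whose return type is 64 bits wide. Under 32-bit cdecl the
   caller reads the low dword from EAX and the high dword from EDX. */
uint64_t make_u64(uint32_t hi, uint32_t lo)
{
    return ((uint64_t)hi << 32) | lo;
}

/* The two halves a reverser would watch at the ret of such a function
   (computed arithmetically here; only a 32-bit build really uses EDX). */
uint32_t eax_half(uint64_t v) { return (uint32_t)(v & 0xFFFFFFFFu); }
uint32_t edx_half(uint64_t v) { return (uint32_t)(v >> 32); }

int main(void)
{
    /* Constructed sample value, chosen so the halves are easy to spot. */
    uint64_t v = make_u64(0xDEADBEEFu, 0x12345678u);
    printf("code pointer is %zu bytes\n", code_pointer_size());
    printf("call_through_local(1, 21) = %u\n", (unsigned)call_through_local(1, 21u));
    printf("EDX:EAX = %08X:%08X\n", (unsigned)edx_half(v), (unsigned)eax_half(v));
    return 0;
}
```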
are all pointers 4-bytes on a 32bit processor/program?

Actually, in 32-bit mode (remember, you can have 32-bit instructions in a 16-bit code segment using the addrsize/opsize prefix) pointers are 48-bit (16-bit segment selector + 32-bit offset). Since most modern OSes are using the flat model, the segment part is often overlooked because all their respective linear addresses are overlapped (have you already encountered instructions with the fs: segment register override?).

Someone might argue that in protected mode pointers are 46-bit (the selector contributes only 14 bits). I agree, partially. RPL/DPL/CPL are so intertwined, but modern OSes rarely use the LDT or rings 1/2 (hence the TI bit is unused and the RPL bits count as one).
Posted on 2010-09-12 04:45:07 by baldr