I am trying to decompile code that heavily uses COM interfaces.
To learn how, I first tried to decompile my own program/samples and see how it works.
But I am finding it very difficult.
Here is my asm + source listing.
AREA |.text|, CODE, ARM
|?CreateIImage@CImageView@@AAAJXZ| PROC ; CImageView::CreateIImage
; 183 : {
|$LN13@CreateIIma|
stmdb sp!, {r4 - r7, lr}
sub sp, sp, #0x48
|$M45474|
mov r6, r0
; 184 : HRESULT hr;
; 185 : if(!pStream)
ldr r3, [r6, #0x1C]
cmp r3, #0
bne |$LN5@CreateIIma|
|$LN10@CreateIIma|
mov r3, #0x16, 2
; 186 : return E_FAIL;
orr r0, r3, #1, 18 ; 16384 (0x4000)
; 220 : }
; 221 : return hr;
; 222 : }
add sp, sp, #0x48
ldmia sp!, {r4 - r7, pc}
|$LN5@CreateIIma|
; 187 :
; 188 : assert (m_pImage == NULL);
ldr r3, [r6, #0x30]
cmp r3, #0
beq |$LN8@CreateIIma|
ldr r0, [pc, #0x12C]
bl OutputDebugStringW
__debugbreak_ce
|$LN8@CreateIIma|
; 189 : hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
mov r1, #0
mov r0, #0
bl CoInitializeEx
cmp r0, #0
; 190 : if FAILED(hr)
; 191 : return E_FAIL;
bmi |$LN10@CreateIIma|
; 192 : ------------------------------------------------------------------------------- READ FROM HERE ---------------------------------------------
; 193 : IImagingFactory *pImgFactory = NULL;
; 194 : hr = CoCreateInstance (CLSID_ImagingFactory, NULL, SCTX_INPROC_SERVER,IID_IImagingFactory, (void **)&pImgFactory);
ldr r3, [pc, #0x108]
ldr r0, [pc, #0x100]
mov r4, #0
add lr, sp, #4
mov r2, #1
mov r1, #0
str r4, [sp, #4]
str lr, [sp]
bl CoCreateInstance
movs r7, r0
; 196 : if FAILED(hr)
; 197 : return E_FAIL;
bmi |$LN10@CreateIIma|
; 198 : if (SUCCEEDED (hr))
; 199 : {
; 200 : ImageInfo imageInfo;
; 202 :
; 203 : pImgFactory->CreateImageDecoder(pStream, DecoderInitFlagNone, &pDecoder);
ldr r0, [sp, #4]
ldr r1, [r6, #0x1C]
add r3, r6, #0x20
ldr r2, [r0]
ldr r4, [r2, #0x24]
mov r2, #0
mov lr, pc
mov pc, r4
; 204 : if (pDecoder==NULL)
ldr r3, [r6, #0x20]
movs r0, r3
; 205 : return E_FAIL;
beq |$LN10@CreateIIma|
; 206 : pDecoder->GetImageInfo(&imageInfo);
ldr r3, [r0]
add r1, sp, #8
mov lr, pc
ldr pc, [r3, #0x30]
I have used the Python plugin plus the classinterface and vtables plugins, all available from http://www.reconstructer.org/code.html.
1.
IDA Pro 5.2 does not translate `mov lr, pc` / `mov pc, r4` into something like `bx r4` (I read somewhere that it should).
2.
I was able to get IDA to show the following code:
`LDR R4, [R2,#IImagingFactoryVtbl.CreateImageDecoder]`; that was easy. I followed the instructions in this demo file: http://www.reconstructer.org/papers/Practical%20COM%20code%20reconstruction.swf .
But how can I identify the pDecoder interface in IDA?
3.
Also, it seems to me that the first argument of a COM method starts at r1, right? It seems r0 is a pointer to the base interface?
4.
And I think I roughly understand how it is called.
In the CreateImageDecoder call,
`add r3, r6, #0x20` is the pDecoder pointer, and I guess `ldr pc, [r3, #0x30]` is also a pointer to GetImageInfo, as subtracting 0x20 from 0x30 gives you the pointer to this function inside pDecoder.
But what is the initial value of r6? It is r0 from the start of the procedure, but what is r0?
Also, because all this data is referenced through registers, I don't know how to keep track of it and give it names inside IDA.
Is there any automated way, or ...?
I hope I was clear.
Thanks.







