C++ Analysis

Chapter 20
OOP
 Functions (i.e. methods) in C++ associated with particular classes of objects
Classes used to define objects -> object: instance of class, same method
Similar to struct, but also include functions

“this” pointer
 Implicit pointer to object that holds the variable being accessed
 (By default) Passed as a compiler-generated parameter to a function (typically the ECX
register, sometimes ESI)
 Listing 20-2, Listing 20-3, p. 430
 Loads this pointer into ecx
 puts ecx into eax, then access x to compare it to 10
Create stack
space
Ref to the
Pointer into beginning of
ECX object
Overloading and Mangling
 Method overloading allows multiple functions to have same name, but accept different
parameters
 When function called, compiler determines which version to use (according to
parameters)
 C++ uses name mangling to support this construct in the PE file
 Algorithm for mangling is compiler-specific
 IDA Pro demangles based on what it knows about specific compilers
?TestFunction@SimpleClass@@QAEXHH@Z
public: void __thiscall SimpleClass::TestFunction(int,int)
 Shows the original function name and parameters
 IDAPro supports Microsoft, Borland, Watcom, Visual Age, GNU
 Inheritance is not visible in assembly code (a feature, does not require any
runtime data structure)
Virtual vs. Nonvirtual Functions
 Virtual functions
 Has the same name defined in child class
 Can be overridden by a child class (polymorphism)
 Execution is determined at runtime with the child class overriding
the parent
 Can keep parent functionality by changing the type of the object to
be an instance of the parent class
 Example: parent class Socket with a virtual function called
sendData , two child classes UDPSocket and TCPSocket to override
sendData function with specific protocol
Virtual vs. Nonvirtual Functions
 Nonvirtual functions
Execution is determined at compile time
 If object is an instance of the parent, the parent class's function will be called, even if
the object at run-time belongs to the child class, see example at Table 20-1, Page 433.
Defined as Class A Defined as Class A
Determined at Determine runtime
Compile
time
Virtual Function Tables
 C++ compiler add special data structure to support virtual
function tables
 Code look the same – Assembly Different
 Non-virtual call vs. Virtual call

Argument – a
reference to
function
V Table
 Each class (with virtual function) has own vtable
 Vtable -> first 4 bytes of the object

 The first 4-byte entry of the vtable is a pointer to the code for the first virtual function
(next 4 bytes -> first function)
 See which offset is being called to figure out which function is called
Recognize VTable
 Usually after new….
 Only the first value has cross-reference, the rest -> offsets
 Creating and Destroying Objects

 Constructor and Destructor functions

 Constructor is called when object is created;
destructor is called when object is destroyed
 Object either stored on stack for local variables
 Object stored in heap if “new” is used (Listing 20-8, p.
437) -> keywords for creating heap space
 Initializes vtable for object stored on stack
 Does multiple loads of vtable (parent, then child)
 Creates another object via “new” call (see the name mangling)