Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to find the base structure address with negative offsets

I'm reverse-engineering an old game, using CE. I found the code that modifies the unit's HP, but I can't find the base address, since the offset is negative.

OPCODE: "mov [esi-282],ax"[1]

The thing is I don't even know how this works, it sounds silly to me, why would the compiler/dev do that anyways ? Is it a kind of a stack temporary pointer ? Is there any way to find it ? (I'm pretty sure there is a way) It's frustrating because I have found offsets for like the ID, the HP and stuff, but the base... I don't have problems with that normally, the offsets are positive.

I thought that the base would be something along [esi-STRUCTURE_SIZE] and the last item would be [esi]

Or maybe I'm completely wrong.

Thanks :)

like image 731
Riptide Avatar asked Oct 19 '22 15:10

Riptide


1 Answers

Negative offsets are typically used for accessing base class members from a sub-class pointer when multiple inheritance is used. The compiler will know the full layout and instead of upcasting the pointer first, directly access members from base classes.

From the generated code it is not possible to know where the class instance starts in memory. However it should generally be possible to find the base pointer by tracking accesses to negativly addressed members. After all the programmer probably created the hierarchy to access the base members independently of what exact derived type they are.

like image 90
typ1232 Avatar answered Oct 21 '22 05:10

typ1232