5

I'm reversing a binary and I found this strange keyword I haven't seen before called 'code'. I looked up the C++ keywords and there doesn't seem to be one. Could anyone provide me with more information about this keyword?

      if (*(int *)(param_1 + 4) != 0) {
        (*(code *)(&PTR_thunk_FUN_005a7840_008dd8b8)[(int)param_2[4]])(*(int *)(param_1 + 4));
      }

In assembly:

    00491b95 85 c0                TEST   EAX,EAX
    00491b97 74 10                JZ     LAB_00491ba9
    00491b99 8b 4e 10             MOV    ECX,dword ptr [ESI + 0x10]
    00491b9c 8b 14 8d b8 d8 8d 00 MOV    EDX,dword ptr [ECX*0x4 + ->thunk_FUN_005a7840] = 00401c30
    00491ba3 50                   PUSH   EAX
    00491ba4 ff d2                CALL   EDX
DohnJoe
    Not an answer, because I did no diligent research, but I assume that "code" is supposed to mean "a function pointer of unspecified type", just like "void" means "a data pointer of unspecified type". – Michael Karcher Jun 14 '20 at 23:04
  • I see what you're getting at and it does seem like it, but I want more info on it. – DohnJoe Jun 15 '20 at 00:07
  • (I'm not sure enough about this to post it as an answer.) The decompiler concluded that there is a CALL to the address pointed to by your code. It doesn't know its prototype, but it does know that this is called as a function. You can't normally CALL a void *, so code * is the way to show it. Consider it a cast to an unknown-prototyped function. – Yotamz Jun 15 '20 at 21:00

1 Answer

4

There was a function rabbit-hole that I was following in Ghidra that had the (**(code **)) as well.

I cross-examined that section in x64dbg, stepped over the execution and monitored the EAX register to see the result of return uVar3; or return *(undefined4 *)(iVar2 + 0x2c);

The result of this (**(code **)) function was a function pointer (0x040E2B98) which contained a function pointer (0x03DE2D10) which contained a function pointer (0x03B2802B) which FINALLY was an actual function that began with push esi.

Thus, the answer to this question is...

(code *) is the same as (void *)
aka - function pointer
aka - the address location of the beginning of a function
aka - read this MSDN VOID PTR DOCUMENTATION

...
  if ((iVar2 != 0) && (*(int *)(iVar2 + 0x40) != 0)) {
    uVar3 = (**(code **)(*(int *)(*(int *)(iVar2 + 0x40) + 0x28) + 0xc70))();
    return uVar3;
  }
  iVar2 = FUN_03b03811();
  if (iVar2 == 0) {
    return 0;
  }
  return *(undefined4 *)(iVar2 + 0x2c);
Stryker2k2
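The two patterns on this page, the table-indexed call in the question and the chained dereference in the answer, as an added example in C that is not part of either post: a plausible source shape that compiles down to such output, with Ghidra's `code` replaced by concrete function-pointer typedefs. Struct names, handler bodies, table contents and the fallback provider are assumptions; only the field offsets (+4, [4], +0x40, +0x28, +0xc70, +0x2c) come from the decompiled output. The bounds check on the table index is added for illustration and is not present in the binary.

```c
/*
 * Added example, not code from the original posts: a plausible C shape for
 * the two decompiler patterns on this page, so that "code *" can be read as
 * "pointer to a function whose prototype Ghidra could not recover".  All
 * names, struct layouts, handler bodies and table contents are assumptions;
 * only the offsets come from the decompiled output.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What "code" stands in for.  Retyping the pointer (or the table's element
 * type) to a concrete function-pointer type makes the cast readable. */
typedef int (*handler_fn)(int arg);
typedef uint32_t (*getter_fn)(void);

/* ---- Pattern 1 (the question): call through a table indexed by a field ----
 *   (*(code *)(&PTR_thunk_FUN_005a7840_008dd8b8)[(int)param_2[4]])(*(int *)(param_1 + 4));
 * MOV EDX,[ECX*4 + table] loads the slot, PUSH EAX passes the argument. */
static int handler_double(int x) { return x * 2; }
static int handler_negate(int x) { return -x; }
static int handler_square(int x) { return x * x; }

/* Stands in for the PTR_thunk_FUN_... table (assumed size and contents). */
static const handler_fn handler_table[] = { handler_double, handler_negate, handler_square };
#define HANDLER_COUNT (sizeof handler_table / sizeof handler_table[0])

struct ctx { int unused; int arg; };       /* param_1: argument at +4        */
struct sel { int pad[4]; int index; };     /* param_2: index at [4] (+0x10)  */

/* Returns 1 and stores the handler's result in *out, or 0 if no call was
 * made.  The binary checks only arg != 0 (TEST EAX,EAX / JZ); the bounds
 * check on the index is added here and is NOT in the binary, which is what
 * to look for if param_2[4] can be attacker-influenced. */
int dispatch(const struct ctx *c, const struct sel *s, int *out)
{
    if (c->arg == 0)
        return 0;                                    /* JZ LAB_00491ba9      */
    if (s->index < 0 || (size_t)s->index >= HANDLER_COUNT)
        return 0;                                    /* added, not in binary */
    handler_fn fn = handler_table[s->index];         /* MOV EDX,[ECX*4+tbl]  */
    *out = fn(c->arg);                               /* PUSH EAX / CALL EDX  */
    return 1;
}

/* ---- Pattern 2 (the answer): pointer -> pointer -> slot -> function ------
 *   uVar3 = (**(code **)(*(int *)(*(int *)(iVar2 + 0x40) + 0x28) + 0xc70))();
 * Byte padding reproduces the offsets; offsets_match() verifies that. */
struct vtable { unsigned char pad[0xc70]; getter_fn get_value; };    /* +0xc70 */
struct inner  { unsigned char pad[0x28]; const struct vtable *vt; }; /* +0x28  */
struct outer  { unsigned char pad[0x40]; struct inner *in; };        /* +0x40  */
struct fallback_obj { unsigned char pad[0x2c]; uint32_t value; };    /* +0x2c  */

int offsets_match(void)
{
    return offsetof(struct outer, in) == 0x40 &&
           offsetof(struct inner, vt) == 0x28 &&
           offsetof(struct vtable, get_value) == 0xc70 &&
           offsetof(struct fallback_obj, value) == 0x2c;
}

/* Stand-in for FUN_03b03811 (assumed: returns a fallback object or NULL). */
static struct fallback_obj g_fallback = { {0}, 0x2c2c };
static struct fallback_obj *fallback_source = &g_fallback;
static struct fallback_obj *fallback_provider(void) { return fallback_source; }

/* Caveat: the binary tests iVar2 and *(iVar2+0x40) for NULL, but never the
 * +0x28 pointer or the +0xc70 slot; the reconstruction keeps that shape. */
uint32_t get_value(struct outer *obj)
{
    if (obj != NULL && obj->in != NULL) {
        const struct vtable *vt = obj->in->vt;       /* *(int *)(... + 0x28)   */
        return vt->get_value();                      /* **(code **)(vt+0xc70)  */
    }
    struct fallback_obj *f = fallback_provider();    /* FUN_03b03811()         */
    if (f == NULL)
        return 0;
    return f->value;                                 /* *(undefined4 *)(f+0x2c) */
}

/* Constructed objects for a stand-alone run. */
static uint32_t slot_impl(void) { return 0x1234; }
static struct vtable g_vt  = { {0}, slot_impl };
static struct inner  g_in  = { {0}, &g_vt };
static struct outer  g_obj = { {0}, &g_in };

int main(void)
{
    int r = 0;
    struct ctx c = { 0, 7 };
    struct sel s = { {0}, 2 };
    printf("offsets match: %d\n", offsets_match());
    printf("dispatch: called=%d result=%d\n", dispatch(&c, &s, &r), r);
    printf("get_value: %#x, fallback: %#x\n", get_value(&g_obj), get_value(NULL));
    return 0;
}
```

The practical takeaway is that `code` marks an indirect call whose target type is unknown; in Ghidra the cleanup is to retype the pointer or the table element to the matching function-pointer type, and the security question to ask at each such site is where the index or the object pointer comes from and which of the dereferences in the chain are actually checked.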