5

I'm analyzing some code in IDA and I can't figure out the purpose of a couple of instructions.
The code begins with a standard function preamble that pushes the current value of EBP on stack and then shifts the current stack pointer into EBP to later refer to arguments and local variables with respect to it.
But then, it pushes ECX on the stack. Why? I don't suppose anything is being passed in it as an argument to the function?
Then it moves the current value from ECX into [ebp+var_4], which seems to be the ECX value that has been pushed there already in the previous instruction :| What's the point of that?
My guess is that it tries to reserve some space on the stack for the single local variable var_4 with that push ecx, but why would it move the current value of ECX into it in the very next instruction if it already contains it? :P
Moreover, despite the fact that the code is very short, I don't see any place in it where this local variable be used :/ It seems to be totally useless piece of code. And this particular sequence of instructions appears in several other functions, precisely in their preambles, so I guess it's something generated by the compiler, but I can't figure out its purpose.
Any ideas?

; Attributes: bp-based frame

; int __stdcall CloseDevice(HANDLE hObject)
CloseDevice proc near

var_4= dword ptr -4
hObject= dword ptr 8

push  ebp
mov   ebp, esp
push  ecx                          ; WTF?
mov   [ebp+var_4], ecx             ; WTF?
cmp   [ebp+hObject], 0FFFFFFFFh
jz    short loc_BE03C5

mov   eax, [ebp+hObject]
push  eax
call  ds:CloseHandle

loc_BE03C5:
mov   esp, ebp
pop   esp
retn  4
CloseDevice endp
Alojzy Bąbel
  • 51
  • 2
  • 4
    C++ passes the `this` pointer in `ecx` on windows. Might just be unoptimized code. – Jester Dec 10 '19 at 19:48
  • Good point about the `this` pointer! Is there any way to check if this is indeed the case? – Alojzy Bąbel Dec 10 '19 at 19:50
  • If it's C++ code surely you will find a function (method) that actually uses it. That would be a hint. Or, you could trace the caller to see how it sets `ecx`. – Jester Dec 10 '19 at 19:52
  • I found another function that does the same thing, but before calling this function it also does `mov ecx, [ebp+var_4]` that has been set previously in the same way as in the above code. I suppose that this might be the confirmation that it indeed is the `this` beng passed around? If that's the case, please make it an answer and I'll accept it. – Alojzy Bąbel Dec 10 '19 at 20:35
  • Tracing back to the allocation of an object, either on the stack or the heap would be better proof. Or, some function actually **using** it to reference member variables or a call through a vtable. – Jester Dec 11 '19 at 02:07
  • `push ecx` is an efficient alternative to `sub esp, 4` used by multiple compilers. The choice of ECX might just be coincidence. In this case `mov [ebp-4], ecx` to store the same value again is a missed optimization. Un-optimized code is totally braindead and always spills incoming function args to memory whether they're used or not; see [Why does clang produce inefficient asm with -O0 (for this simple floating point sum)?](//stackoverflow.com/q/53366394) – Peter Cordes Dec 11 '19 at 02:33
  • 1
    OK I think that @Jester was spot on with that `this`. First, because there appears a code like `mov ecx, [ebp+var_4]` in several places right before calling this function and several others. Second, because I found a piece of code that seems to be a dereference of a member variable: after `mov ecx, [ebp+var_4]` there is an immediate `mov eax, [ecx+someNumber]`, where `someNumber` changes depending on which member is being accessed. I started mapping the layout of that object and so far it seems meaningful. Still trying to trace the constructor though. – Alojzy Bąbel Dec 11 '19 at 17:26
  • 1
    https://stackoverflow.com/questions/22341081/why-do-i-have-push-ecx – Igor Skochinsky Mar 17 '20 at 11:16

0 Answers0