Source: opensecuritytraining.info
In C++, the this pointer is a pointer to the object that a method acts upon. The calling convention used to pass it is commonly known as Thiscall. Knowing how to recognize the this pointer when reverse engineering object oriented code aids in tracking objects and in understanding the relationships between objects and their methods.
By convention, Microsoft Visual C++ compilers pass the this pointer to instance methods in the ECX register and push the remaining parameters onto the stack right to left (as in Stdcall); as in Stdcall, the callee cleans up the stack.
GCC's Thiscall is a variant of Cdecl: all arguments are pushed right to left, then this is pushed last, so it sits at the top of the stack at the moment of the call, and the caller cleans up the stack afterwards.
Some compilers, such as Borland and Watcom, reportedly store this in EAX. As always, these are conventions, and though exceptions to the rules exist, they are fairly reliable.
Member access typically occurs as a two instruction sequence:
- The object pointer (this) is loaded into a register
- The member is read at a fixed offset from that register
    mov ecx, [ebp + var_myobj] ; Load the object pointer
    mov eax, [ecx + 0Ch]       ; Load the member 12 bytes from the object base
The constant in the second instruction is the member's offset within the object; seeing the same register reused with several different constants is a strong sign that it holds this.
Constructor
Destructor
#include <cstdio>
#include <cstring>

class Person {
protected:
    char name[50];
public:
    Person(char *_name) {
        // strncpy does not NUL-terminate an over-long input, so terminate explicitly
        strncpy(name, _name, sizeof name - 1);
        name[sizeof name - 1] = '\0';
    }
    virtual void work() {
        printf("%s moves some boxes\n", name);
    }
};
Here the Person class is defined with a single virtual method, which can be overridden by any derived class:
class Novelist : public Person {
public:
    Novelist(char *_name) : Person(_name) {}
    virtual void work() {
        printf("%s writes a book\n", name);
    }
};
A Novelist can be created using a Person pointer:
Person *Chaucer = new Novelist((char*)"Geoffrey Chaucer");
Chaucer->work(); // Will write "Geoffrey Chaucer writes a book\n" to STDOUT
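The member offsets and the virtual dispatch described above can be confirmed at runtime. The following is an added example, not code from the original page: it mirrors the Person and Novelist classes, reads the vptr out of the object by hand and calls through the vtable the way the compiled code does. It assumes the Itanium C++ ABI used by GCC and Clang: the vptr is the first word of the object, vtable slot 0 is the first virtual function declared, and a member function is invoked like a free function with this as its first argument (on x86 GCC this is the Cdecl-based Thiscall described above). The helper names vtable_of and call_work_via_vtable are this example's own.

```cpp
// Added example, not from the original page: inspect the object layout and
// reproduce by hand the virtual dispatch that compiled Thiscall code performs.
// Assumes the Itanium C++ ABI (GCC/Clang): vptr at offset 0, vtable slot 0 is
// the first declared virtual function, and `this` is passed as the first
// argument of a member function.
#include <cstddef>
#include <cstdio>
#include <cstring>

class Person {
protected:
    char name[50];
public:
    explicit Person(const char *n) {
        // strncpy does not NUL-terminate an over-long input, so terminate explicitly
        strncpy(name, n, sizeof name - 1);
        name[sizeof name - 1] = '\0';
    }
    virtual const char *work() { return "moves some boxes"; }
    const char *get_name() const { return name; }
    // Offset of `name` from the object base: the constant a reverser sees in an
    // instruction such as `mov eax, [ecx + 4]` (or `[rdi + 8]` on x86-64).
    size_t name_offset() const {
        return static_cast<size_t>(name - reinterpret_cast<const char *>(this));
    }
};

class Novelist : public Person {
public:
    explicit Novelist(const char *n) : Person(n) {}
    const char *work() override { return "writes a book"; }
};

// The signature a compiled call through the vtable actually has: `this` first.
typedef const char *(*WorkFn)(Person *self);

// Read the vptr stored in the first word of the object.
void **vtable_of(Person *obj) {
    return *reinterpret_cast<void ***>(obj);
}

// Hand-written equivalent of the compiled sequence
//     mov eax, [ecx]   ; load vptr (this in ecx)
//     call [eax]       ; call slot 0 (work), this still in ecx
// so that the slot index and the argument passing are visible.
const char *call_work_via_vtable(Person *obj) {
    WorkFn fn = reinterpret_cast<WorkFn>(vtable_of(obj)[0]);
    return fn(obj);
}

int main() {
    Person p("Alice");                 // constructed sample objects
    Novelist n("Geoffrey Chaucer");
    printf("vptr at offset 0, name at offset %zu\n", n.name_offset());
    printf("Person vtable %p, Novelist vtable %p\n",
           static_cast<void *>(vtable_of(&p)), static_cast<void *>(vtable_of(&n)));
    printf("%s %s\n", n.get_name(), call_work_via_vtable(&n));
    return 0;
}
```

Two instances of the same class share one vtable, while Person and Novelist have different vtables whose slot 0 entries differ because Novelist overrides work; that is exactly the pattern that lets a reverser recover class identity and overridden methods from the constructor's vptr store and the indirect call sites.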
The initialization code for the Novelist looks very similar to the code for classes that do not use inheritance: