Decodeknownbyname
int Decodeknownbyname(wchar_t *name,t_procdata *pd,t_argdec adec[NARG],wchar_t *rettype,int nexp);
If a function with the specified name (in the form <modulename>.<functionname>) is known to OllyDbg, determines the characteristics of this function, such as the type of return, preserved registers, number of stack arguments and number of bytes discarded from the stack on return, and decodes the arguments passed to this function on the stack.
If you want to decode the function's arguments to text, you must read these arguments from the stack and supply them to Decodeknownbyname(). On entry, you only need to set adec[].mode and adec[].value and zero adec[].pushaddr. adec[0] corresponds to the first argument (pushed last, with the lowest stack address). Note that at entry ESP points to the return address and the first argument is at ESP+4. See Decodeknownbyaddr() to learn why you may need pushaddr.
If the decoded function has a variable number of arguments and uses a printf()-like format, parameter nexp can be set to the expected number of doublewords following the format, or to -1 if this number is unknown. If nexp is positive and the format string specified in the function is not obtainable, format specifiers will be decoded in the "blind" mode.
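The caller-side preparation described above, as an added example (not OllyDbg's or the plugin SDK's own code): it fills the input members of the argument array from a constructed stack snapshot. ex_argdec, EX_NARG, EX_BASE, ex_stack and ex_fill_args are hypothetical stand-ins so the block compiles without the plugin header, and the mode value 0 is a placeholder.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_NARG 8            /* stand-in for NARG from the plugin header */
/* Stand-in for the three input members of t_argdec named above. */
typedef struct {
    int      mode;           /* decoding mode, chosen by the caller */
    uint32_t value;          /* doubleword read from the stack */
    uint32_t pushaddr;       /* must be zero on entry */
} ex_argdec;
/* Constructed snapshot of 20 little-endian stack bytes at function entry. */
#define EX_BASE 0x0012FF00u
static const uint8_t ex_stack[20] = {
    0x34,0x12,0x40,0x00,     /* [ESP]    return address 0x00401234 */
    0x00,0x00,0x00,0x00,     /* [ESP+4]  argument 0 */
    0x00,0x30,0x40,0x00,     /* [ESP+8]  argument 1 */
    0x20,0x30,0x40,0x00,     /* [ESP+12] argument 2 */
    0x10,0x00,0x00,0x00      /* [ESP+16] argument 3 */
};

/* Fill adec[] from a snapshot of len bytes that starts at address base.
   Argument i lives at ESP+4+4*i. Returns how many arguments were readable;
   the remaining elements keep value 0, the given mode and pushaddr 0. */
int ex_fill_args(const uint8_t *snap, size_t len, uint32_t base,
                 uint32_t esp, int mode, ex_argdec adec[EX_NARG])
{
    int i, n = 0;
    memset(adec, 0, sizeof(ex_argdec) * EX_NARG);   /* zeroes pushaddr */
    for (i = 0; i < EX_NARG; i++) adec[i].mode = mode;
    for (i = 0; i < EX_NARG; i++, n++) {
        uint64_t a = (uint64_t)esp + 4 + 4 * (uint64_t)i;
        if (a < base || a + 4 > (uint64_t)base + len) break;
        const uint8_t *p = snap + (a - base);
        adec[i].value = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                        (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return n;
}

int main(void)
{
    ex_argdec adec[EX_NARG];
    int n = ex_fill_args(ex_stack, sizeof ex_stack, EX_BASE, EX_BASE, 0, adec);
    for (int i = 0; i < n; i++)
        printf("arg %d = %08X\n", i, (unsigned)adec[i].value);
    /* In a plugin, adec would now be passed to Decodeknownbyname(). */
}
```

The bounds check stops at the first doubleword that is not fully inside the snapshot, so a short read of debuggee memory never produces a half-filled argument value.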
Parameters:
name
(in) Pointer to the UNICODE string containing the name of the function. It must be in the form <modulename>.<functionname>. The module name is obligatory. For generic functions, like Fn4 for a function with 4 doubleword stack arguments, or WINPROCW for a UNICODE window function, use the pseudomodule _INTERN_: _INTERN_.Fn4, _INTERN_.WINPROCW
pd
(out) Optional pointer to the descriptor of the procedure, a structure of type t_procdata, or NULL if the description is not necessary. Decodeknownbyname() fills only the following members of this artificial descriptor:
t_procdata.addr is set to 0
t_procdata.size is set to 1
t_procdata.type (only flags PD_RETSIZE, PD_FIXARG, PD_FORMATA / PD_FORMATW / PD_SCANA / PD_SCANW, if they apply)
t_procdata.retsize (only if PD_RETSIZE is set)
t_procdata.narg (only if PD_FIXARG, PD_FORMATA, PD_FORMATW, PD_SCANA or PD_SCANW is set)
t_procdata.preserved (if known)
adec
(in/out) Optional pointer to the list of arguments, an array of at least NARG structures of type t_argdec, or NULL if decoding of arguments is not necessary. The calling routine must fill members adec[].mode and adec[].value and zero adec[].pushaddr in all elements of this array. If the function is known, Decodeknownbyname() fills adec[].prtype (prefixed type of the argument), adec[].name (name of the argument) and adec[].text (adec[].value decoded to text according to its type)
rettype
(out) Optional pointer to the UNICODE buffer, at least SHORTNAME wide characters long, that receives the prefixed type of the answer that the procedure returns in EAX. May be NULL
nexp
(in) If the function includes a printf()-like format followed by a variable number of arguments, the number of doublewords that follow the format on the stack (-1 if this number is unknown or format is defined). Ignored in all other cases. The safest "don't care" way is to set this parameter to -1
Return values:
On success, returns the number of function arguments (may be 0). Otherwise, returns -1
See also: