t_argdec
Used to decode stack arguments of a known function, usually as an array with NARG elements, in calls to Decodeknownbyname() and Decodeknownbyaddr(). On entry, only mode, value and pushaddr must be set (an undefined pushaddr must be zeroed).
typedef struct t_argdec {              // Descriptor of function argument
  ulong          mode;                 // (in/out) Value descriptor, set of ADEC_xxx
  ulong          value;                // (in) Value on the stack
  ulong          pushaddr;             // (in) Address of command that pushed data
  wchar_t        prtype[SHORTNAME];    // (out) Type of argument with ARG_xxx prefix
  wchar_t        name[TEXTLEN];        // (out) Decoded name of argument
  wchar_t        text[TEXTLEN];        // (out) Decoded value (if valid or predicted)
} t_argdec;
Members:
mode
Input parameter, describes the state of the stack argument. Combines the following bits:
ADEC_VALID - value is valid
ADEC_PREDICTED - value is not the actual stack doubleword but was predicted by the Analyser
ADEC_CHGNAME - allows for name substitution (for example, generic wParam and lParam may be replaced by more meaningful identifiers or decoded as bit fields according to Msg)
On output, the following bit may additionally be set:
ADEC_MARK - parameter is declared as important in the internal OllyDbg database. Important parameters are usually displayed as comments in search results
value
Input parameter, value of the function parameter pushed onto the stack or known from analysis. If unknown, set this member to 0
pushaddr
Input parameter, address of the command that placed the value of the function parameter onto the stack. Usually this command is a PUSH, but different forms of MOV may be used, too. If several doublewords are modified at once (FSTP [QWORD] or similar), name will be modified to take this fact into account. It is always safe to set pushaddr to 0
prtype
Type of the argument, zero-terminated UNICODE string preceded by prefix ARG_xxx. See Argument types for details
name
Decoded name of the argument, zero-terminated UNICODE string. If the function is only guessed, OllyDbg uses generic names, like ARG1
text
Decoded value of the argument, zero-terminated UNICODE string. Empty if value is absent
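The entry contract described above, as an added C example that is not part of the OllyDbg documentation or SDK: it zeroes the whole array so that pushaddr and the output strings start out defined, then sets only mode and value for the known stack doublewords. prepare_argdec() and count_marked() are hypothetical helpers, and the sizes and ADEC_xxx bit values are placeholder assumptions so the block compiles without plugin.h.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Placeholder sizes and bit values so this builds stand-alone (assumptions);
   in a real plugin take all of them, and t_argdec itself, from plugin.h. */
#define NARG           24
#define SHORTNAME      32
#define TEXTLEN        256
#define ADEC_VALID     0x1
#define ADEC_PREDICTED 0x2
#define ADEC_CHGNAME   0x4
#define ADEC_MARK      0x8
typedef unsigned long ulong;

typedef struct t_argdec {
  ulong   mode, value, pushaddr;
  wchar_t prtype[SHORTNAME], name[TEXTLEN], text[TEXTLEN];
} t_argdec;

/* Hypothetical helper: fill the input members for the first nknown stack
   doublewords and leave every other entry zeroed. Returns entries marked valid. */
int prepare_argdec(t_argdec adec[NARG], const ulong *stack, int nknown) {
  int i;
  if (stack == NULL || nknown < 0) nknown = 0;
  if (nknown > NARG) nknown = NARG;          /* never write past the array */
  memset(adec, 0, NARG * sizeof(t_argdec));  /* pushaddr = 0, outputs empty */
  for (i = 0; i < nknown; i++) {
    adec[i].mode = ADEC_VALID | ADEC_CHGNAME;
    adec[i].value = stack[i];
  }
  return nknown;
}

/* Hypothetical helper: count entries that carry ADEC_MARK after decoding. */
int count_marked(const t_argdec adec[NARG]) {
  int i, n = 0;
  for (i = 0; i < NARG; i++)
    if (adec[i].mode & ADEC_MARK) n++;
  return n;
}

int main(void) {
  ulong stack[3] = { 0x00401000, 0x110, 0 };   /* constructed sample values */
  t_argdec adec[NARG];
  printf("%d valid\n", prepare_argdec(adec, stack, 3));
  /* A plugin would now pass adec to Decodeknownbyname() or Decodeknownbyaddr(). */
  printf("%d marked\n", count_marked(adec));
  return 0;
}
```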
See also: