Wednesday, March 19, 2014

Filling in a Stubbed Function

Continued from the previous entry

A Stubbed Function is one in which the function is present, but doesn't implement the full behavior required. In ResidualVM, the EMI engine has a number of stubbed functions which represent the unfinished Lua function calls. These functions print a warning to the console to show that they're actually used, and when they're used. In the previous post, I identified a function, SetActorLocalAlpha that was stubbed and located the code in the original binary that implements this function. In this post, we'll work through the assembly and create a patch implementing the missing functionality from this call.

Start of the SetActorLocalAlpha Function
After renaming the routine to SetActorLocalAlpha, we start at the beginning of the disassembled code. Here, we see a representation of the stack with each variable representing the local variables in this code. After these, the first real code from the function is present. In our first pass over the code, I usually start by examining any functions called from here. In this code, the first function we see called is:
?lua_lua2C@@YAIH@Z
While this looks a little confusing, this function call is encoded or mangled to ensure that it doesn't collide with any other named functions in this program. Mangling names allows for implementations with different calling parameters, such as the overloading functionality found in C++.

Dropping this name into a demangler gives us this result:
unsigned int __cdecl lua_lua2C(int)
Which is a whole lot more readable! We know that the EMI engine uses Lua to execute the game scripting, so looking into the Lua documentation for what this does will help us to understand what the decompiled function is intended to do. We can also look at the existing code for ResidualVM and its Lua implementation for information. With some research, we find that Lua maintains a stack of values or objects and this is how values are accessed from this stack.

As we go, we examine the structure of the branches and jumps (helpfully represented as blocks in IDA) to sketch out the shape of the code. I usually re-write the code in C as I work through it, so, after the first pass my code will contain the function calls, if/else statements and loops.
Code After the First Pass
The code at this point is really just pseudo-code, but we'll expand on it further in the next pass, in the next post.

No comments:

Post a Comment