Hello guys!
In a certain binary file, I encountered many functions similar to this:
// IDA pseudocode of the stub whose disassembly follows (the paste stops after the
// argument copy, so the body is incomplete here).
// NOTE(review): v10 is read before it is ever written. The decompiler has no value for
// the incoming rbp because the asm never saves it or derives it from rsp; rbp is used as
// a second, manually managed stack pointer. v11 = rbp - 32 is therefore the 4-qword area
// into which the stack-passed arguments a7..a10 are copied and whose address is handed to
// the callee in r8 (see the listing below).
__int64 __fastcall dispatch_nv_function_5(
UserControlBuf *ucBuf,        // rdi; the asm reads dwords at +0 and +4, passes ucBuf+8, writes dword +14h
nv_file_private_t *a2,        // rsi..r9 (a2..a6) are not read by this stub
__int64 a3,
nv_file_private_t *a4,
__int64 a5,
__int64 a6,
__int64 a7,                   // a7..a10 arrive on the caller's stack and are copied into v11[0..3]
__int64 a8,
__int64 a9,
__int64 a10)
{
__int64 v10; // rbp          -- incoming rbp, never initialised in the listing
__int64 *v11; // rbp         -- rbp - 32 after the prologue's "sub rbp, 20h"
FuncTableA *global_func_table; // rax
__int64 result; // rax
v11 = (__int64 *)(v10 - 32);  // carve 32 bytes from the rbp-based area
*v11 = a7;                    // copy the four stack arguments into that area
v11[1] = a8;
v11[2] = a9;
v11[3] = a10;
text:00000000000BB840 ; __int64 __fastcall dispatch_nv_function_5(UserControlBuf *ucBuf, nv_file_private_t *a2, __int64 a3, nv_file_private_t *a4, __int64 a5, __int64 a6, __int64 a7, __int64 a8, __int64 a9, __int64 a10)
; ---------------------------------------------------------------------------------------
; dispatch_nv_function_5 -- table-driven dispatch stub (IDA listing, Intel syntax, SysV AMD64).
; In:    rdi = ucBuf, kept in rbx across both calls. rsi/rdx/rcx/r8/r9 (a2..a6) are never
;        read here. a7..a10 come on the caller's stack at [rsp+8+arg_0..arg_18] (offset +8
;        accounts for the pushed rbx).
; Out:   eax = return value of the indirect call; the same value is stored to dword [ucBuf+14h].
; Frame: no rsp-based locals. rbp is used as a SECOND stack pointer, independent of rsp:
;        it is decremented by 20h, a7..a10 are stored at [rbp+0..18h], rbp itself is passed
;        in r8, and the matching "add rbp, 20h" restores it before retn. rbp is never pushed
;        and never loaded from rsp, so its incoming value is unknown to the decompiler -- that
;        is where the uninitialised v10 / v11 = rbp-32 in the pseudocode comes from.
; Security note: the dwords at [ucBuf+0] and [ucBuf+4] and the pointer ucBuf+8 are passed
;        unchecked to a function pointer read from [global_func_table+68h]. The only caller
;        xref is RmIoctl, so if ucBuf is user-supplied ioctl data (the name suggests so --
;        confirm against RmIoctl), any validation of those fields must live in the callee.
; ---------------------------------------------------------------------------------------
.text:00000000000BB840 dispatch_nv_function_5 proc near ; CODE XREF: RmIoctl+15C↓p
.text:00000000000BB840
.text:00000000000BB840 arg_0 = qword ptr 8              ; a7
.text:00000000000BB840 arg_8 = qword ptr 10h            ; a8
.text:00000000000BB840 arg_10 = qword ptr 18h           ; a9
.text:00000000000BB840 arg_18 = qword ptr 20h           ; a10
.text:00000000000BB840
.text:00000000000BB840 endbr64                          ; CET/IBT landing pad
.text:00000000000BB844 push rbx                         ; save callee-saved rbx; rsp is now 16-byte aligned for the calls below
; rbp is NOT saved before being adjusted; it is restored by the "add rbp, 20h" in the epilogue
.text:00000000000BB845 sub rbp, 20h ; ' '
.text:00000000000BB849 mov rax, [rsp+8+arg_0]           ; a7
.text:00000000000BB84E mov rbx, rdi                     ; rbx = ucBuf (live across both calls)
.text:00000000000BB851 xor edi, edi                     ; first argument of get_global_func_table = 0
.text:00000000000BB853 mov [rbp+0], rax                 ; copy a7..a10 into the 4-qword rbp area
.text:00000000000BB857 mov rax, [rsp+8+arg_8]
.text:00000000000BB85C mov [rbp+8], rax
.text:00000000000BB860 mov rax, [rsp+8+arg_10]
.text:00000000000BB865 mov [rbp+10h], rax
.text:00000000000BB869 mov rax, [rsp+8+arg_18]
.text:00000000000BB86E mov [rbp+18h], rax
; rax = global_func_table
.text:00000000000BB872 call get_global_func_table ; callee addr: 0xc4ac0, callee name: get_global_func_table
.text:00000000000BB877 mov edx, [rbx+4]                 ; arg2 = dword [ucBuf+4]  (unchecked)
.text:00000000000BB87A mov esi, [rbx]                   ; arg1 = dword [ucBuf+0]  (unchecked)
.text:00000000000BB87C lea rcx, [rbx+8]                 ; arg3 = ucBuf + 8 (address, not a load)
.text:00000000000BB880 mov rdi, rax                     ; arg0 = global_func_table
.text:00000000000BB883 mov r8, rbp                      ; arg4 = pointer to the a7..a10 copy
.text:00000000000BB886 mov rax, [rax+68h]               ; function pointer from the qword at table offset 68h
; retpoline (Spectre v2) indirect call; IDA resolved the table slot to the two callees listed below
.text:00000000000BB88A call __x86_indirect_thunk_rax ; callee addr: 0xc7020, callee name: coordinate_gpu_resource_management_6
.text:00000000000BB88A ; callee addr: 0xc7190, callee name: orchestrate_gpu_resource_operations_26
.text:00000000000BB88A ; callee addr: 0x4144428, callee name: __x86_indirect_thunk_rax
.text:00000000000BB88F mov [rbx+14h], eax               ; dword [ucBuf+14h] = return value (also left in eax)
.text:00000000000BB892 pop rbx                          ; restore rbx
.text:00000000000BB893 add rbp, 20h ; ' '
; the add above gives back the 32-byte rbp area carved out by the prologue
.text:00000000000BB897 retn
.text:00000000000BB897 dispatch_nv_function_5 endp
The function uses a special variable, v11, to reference its local variables; v11 is set to rbp - 32. At the start of such functions a constant is subtracted from rbp to reserve space, so rbp is being used as a second, manually managed stack pointer that is independent of rsp (in my binary rbp seems to point below rsp). In this function the four stack-passed arguments a7..a10 are copied into that area and its address is then passed to the callee in r8. rbp is never pushed or derived from rsp, which is why the decompiler shows v10 as an uninitialized register. This looks like an unusual compiler or build convention, and it makes cross-function variable tracking much harder for me. Is there a way to handle these functions so that the pseudocode accesses the local variables directly instead of through v11?
Really hope for your help! Thanks!
