(I am not an I.P. lawyer and certainly not a binary reverser, and long
time Wine non-contributor already, but just my .02 €¢)
* On 2021-12-28 07:50, Mohamad Al-Jaf wrote:
How can you see the stack entries if you don't
disassemble the file?
The only way I know of is through WineDbg and that does not seem to be
correct. The method on that wiki page appears to require looking at the
assembly code.
(1) The stack doesn't belong to a binary file, it's an ephemeral,
entirely runtime entity. So looking at it is safe.
(2) A binary file saved onto disk and the one loaded into memory as
executable image are already a bit different things, IMO.
Differences are introduced at least during runtime relocations of (the
position-dependent) sections of an executable image.
(3) Actually there are two methods here:
- 3a, creating the wrapper + looking at the stack pointer change after
the call, and
- 3b, finding the function epilogues [1], the `ret` instructions.
(3a) It doesn't require disassembly of the function, reading an ESP
value just before the call and after it.
As this is not a low-level dll (like `ntdll.dll`), there would be
probably no BSODs during the wrapper run.
It even could be done using `winedbg` and the `br` + `next` commands,
IIRC, in debug session of the Media Creation Tool.
Maybe it would just do for you. (ie. maybe you'll see that the ESP
register remains the same right before and just after the call)
(3b) The epilogue reflects only a small, non-core part of the function
implementation. It merely shows how the interface between caller (an
app) and callee (native lib) is organized.
And as the saying goes,
https://www.google.com/search?q=interfaces+cannot+be+copyrighted
(4) Main concern here seems to be about "submitting disassembled or
decompiled code" + "what the code does generally". [2]
--- quote ---
While in theory it is still possible for someone that has disassembled
Microsoft code to document what the code does generally, in their own
words, this can become a legal grey area.
--- quote ---
Specifically, it says "ret hhll (where hhll is
the number of bytes to
remove, i.e. the number of arguments times 4)". As far as I know, ret
is
assembly code. So the method listed requires disassembly, no?
Umm, yes and no. My summary would be following:
By looking at the disassembled calling points of the function and its'
epilogues [1] _and_ by avoiding to memorize what does core of the
function do (particularly which other WinAPI functions does it call),
you stay safe and in compliance with copyrights and other stuff of
Intellectual Property law.
This is my personal interpretation.
S.
[1]
https://en.wikipedia.org/wiki/Function_prologue_and_epilogue#Epilogue
[2]
https://wiki.winehq.org/Disassembly#:~:text=While%20in%20theory,legal%20gre….