If you go back to the code that immediately follows the invocation of the
callback, you can see that when the check of offset +8 in ESI finds a nonzero
value, the code jumps to ntdll.7C924F22, which is an address you've
already looked at. This is the code that loads ESI from EAX and jumps back to
the beginning of the loop.
At this point, you have gathered enough information to make some educated
guesses about this function. It loops on code that calls some callback and acts
differently based on the return value it receives. The callback function receives
items from what appears to be some kind of linked list. The first item in that
list is accessed through offset +0 in the root data structure. Whether the loop
continues, and in which direction it goes, depends on the callback's return value.
- If the callback returns 0, the loop continues on offset +4 in the current
item. If offset +4 contains zero, the function returns 2.
- If the callback returns 1, the function loads the next item from offset +8
in the current item. If offset +8 contains zero, the function returns 3.
When offset +8 is non-NULL, the function continues looping on offset +4
starting with the new item.
- If the callback returns any other value, the loop terminates and the
current item is returned. The return value is 1.
High-Level Theories
It is useful to take a little break from all of these bits, bytes, and branches, and
look at the big picture. What are we seeing here, and what does this function do?
It's hard to tell at this point, but the repeated callback calls and the direction
changes based on the callback return values indicate that the callback might be
used for determining the relative position of an element within the list. This is
probably an element comparison callback that receives two elements and
compares them. The three return values probably indicate smaller than, larger
than, or equal.
It's hard to tell at this point which return value means what. If we draw on
our previous conclusions regarding the arrangement of the next and previous
pointers, we see that the next pointer comes first and is followed by the
previous pointer. Based on that arrangement we can make the following
guesses:
- A return value of 0 from the callback means that the new element is
higher valued than the current element and that we need to move forward
in the list.
- A return value of 1 would indicate that the new element is lower valued
than the current element and that we need to move backward in the list.
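To make the reconstructed loop concrete, here is the traversal described in the bulleted steps above, written out in C, with the comparison callback following the return-value guesses just made. This is an added illustration, not the ntdll code itself: the struct layout only reflects the offsets the text names (+0, +4, +8), the field names and the integer sample data are assumptions, and the model assumes the root holds at least one item, as the text does.

```c
#include <stddef.h>

/* Layout reconstructed from the offsets the text names; field names are assumed. */
typedef struct item {
    void *data;          /* +0: the element itself (assumed to live here) */
    struct item *fwd;    /* +4: link followed when the callback returns 0 */
    struct item *back;   /* +8: link followed when the callback returns 1 */
} item_t;

typedef struct root { item_t *first; } root_t;   /* +0: first item */

typedef int (*compare_cb)(void *element, void *new_element);

/* The loop as the text describes it: 2 = ran off the end of +4, 3 = ran off
   the end of +8, 1 = callback returned something else; *found = current item. */
int walk(root_t *root, void *new_element, compare_cb cb, item_t **found)
{
    item_t *cur = root->first;        /* assumed: the root holds an item */
    for (;;) {
        int r = cb(cur->data, new_element);
        if (r != 0 && r != 1) { *found = cur; return 1; }
        item_t *next = (r == 0) ? cur->fwd : cur->back;
        if (next == NULL) return (r == 0) ? 2 : 3;
        cur = next;
    }
}

/* Callback following the text's guess: 0 = new element is higher (move
   forward), 1 = lower (move backward), anything else = equal. */
static int int_compare(void *element, void *new_element)
{
    int cur = *(int *)element, key = *(int *)new_element;
    return key > cur ? 0 : key < cur ? 1 : 2;
}

/* Constructed sample: 10 at the root, 20 reachable via +4, 5 via +8. */
int demo_lookup(int key, int *found_value)
{
    static int v10 = 10, v20 = 20, v5 = 5;
    static item_t i20 = { &v20, NULL, NULL }, i5 = { &v5, NULL, NULL };
    static item_t i10 = { &v10, &i20, &i5 };
    root_t root = { &i10 };
    item_t *found = NULL;
    int rc = walk(&root, &key, int_compare, &found);
    if (rc == 1 && found_value != NULL) *found_value = *(int *)found->data;
    return rc;
}

int demo_found_value(int key)   /* value of the matched item, or -1 if none */
{ int v = -1; return demo_lookup(key, &v) == 1 ? v : -1; }
```

Looking up 30 walks 10 then 20 and runs off +4 (returns 2); looking up 1 walks 10 then 5 and runs off +8 (returns 3); looking up 7 goes back to 5 and then runs off +4 (returns 2).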