Used to decode stack arguments of a known function, usually as an array with NARG elements, in calls to Decodeknownbyname() and Decodeknownbyaddr(). On entry, only mode, value and pushaddr must be set (an undefined pushaddr must be zeroed).
typedef struct t_argdec {              // Descriptor of function argument
  ulong          mode;                 // (in/out) Value descriptor, set of ADEC_xxx
  ulong          value;                // (in) Value on the stack
  ulong          pushaddr;             // (in) Address of command that pushed data
  wchar_t        prtype[SHORTNAME];    // (out) Type of argument with ARG_xxx prefix
  wchar_t        name[TEXTLEN];        // (out) Decoded name of argument
  wchar_t        text[TEXTLEN];        // (out) Decoded value (if valid or predicted)
} t_argdec;
Members:
mode
Input parameter, describes the state of the stack argument. Combines the following bits:
ADEC_VALID - value is valid
ADEC_PREDICTED - value is not the actual stack doubleword but was predicted by the Analyser
ADEC_CHGNAME - allows for name substitution (for example, generic wParam and lParam may be replaced by more meaningful identifiers or decoded as bit fields according to Msg)
On output, the following bit may additionally be set:
ADEC_MARK - parameter is declared as important in the internal OllyDbg database. Important parameters are usually displayed as comments in search results
value
Input parameter, value of the function parameter pushed onto the stack or known from analysis. If unknown, set this member to 0
pushaddr
Input parameter, address of command that placed value of the function parameter onto the stack. Usually this command is a PUSH, but different forms of MOV may be used, too. If several doublewords are modified at once (FSTP [QWORD] or similar), name will be modified to take this fact into account. It is always safe to set pushaddr to 0
prtype
Type of the argument, zero-terminated UNICODE string preceded by prefix ARG_xxx. See Argument types for details
name
Decoded name of the argument, zero-terminated UNICODE string. If function is only guessed, OllyDbg uses generic names, like ARG1
text
Decoded value of the argument, zero-terminated UNICODE string. Empty if value is absent
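Added example, not part of the original OllyDbg documentation: one way to fill the t_argdec array according to the on-entry rules above before it is handed to Decodeknownbyname() or Decodeknownbyaddr(). The numeric values of NARG, SHORTNAME, TEXTLEN and the ADEC_xxx bits are placeholders, stackslot and prepare_argdec() are hypothetical names, and treating ADEC_VALID and ADEC_PREDICTED as alternatives is an assumption.

```c
#include <string.h>
#include <wchar.h>

typedef unsigned long ulong;
/* Placeholder values for this example; use the plugin header's own. */
#define NARG           24
#define SHORTNAME      32
#define TEXTLEN        256
#define ADEC_VALID     0x00000001
#define ADEC_PREDICTED 0x00000002
#define ADEC_CHGNAME   0x00000004

typedef struct t_argdec {              /* Layout as shown on this page */
  ulong   mode;
  ulong   value;
  ulong   pushaddr;
  wchar_t prtype[SHORTNAME];
  wchar_t name[TEXTLEN];
  wchar_t text[TEXTLEN];
} t_argdec;

/* Hypothetical description of one stack slot collected by the caller. */
typedef enum { SLOT_UNKNOWN, SLOT_ACTUAL, SLOT_PREDICTED } slotstate;
typedef struct { slotstate state; ulong value; ulong pushaddr; } stackslot;

/* Fills adec[NARG] from at most NARG slots; returns slots carrying a value. */
int prepare_argdec(t_argdec adec[NARG], const stackslot *slot, int nslot, int chgname) {
  int i, nknown = 0;
  /* Zeroing leaves unused entries with mode, value and pushaddr equal to 0. */
  memset(adec, 0, NARG * sizeof(t_argdec));
  if (slot == NULL || nslot <= 0) return 0;
  if (nslot > NARG) nslot = NARG;      /* Never write past the array */
  for (i = 0; i < nslot; i++) {
    if (slot[i].state == SLOT_UNKNOWN) continue;  /* Unknown value stays 0 */
    /* Assumption: a predicted value is flagged instead of, not with, VALID. */
    adec[i].mode = (slot[i].state == SLOT_PREDICTED) ? ADEC_PREDICTED : ADEC_VALID;
    if (chgname) adec[i].mode |= ADEC_CHGNAME;
    adec[i].value = slot[i].value;
    adec[i].pushaddr = slot[i].pushaddr;  /* 0 if pushing command is unknown */
    nknown++;
  }
  return nknown;
}

int main(void) {
  static t_argdec adec[NARG];
  /* Constructed sample: one actual, one unknown, one predicted argument. */
  stackslot s[3] = { {SLOT_ACTUAL, 0x401000, 0x401234}, {SLOT_UNKNOWN, 0, 0}, {SLOT_PREDICTED, 7, 0} };
  return prepare_argdec(adec, s, 3, 1) == 2 ? 0 : 1;
}
```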
See also: