1

A C++ program I'm looking at appears to have been compiled with MSVC. It links to MSVCR100.dll, contains MSVC's security cookie code and uses the Microsoft mangling scheme. However, one of the functions I've hit sends its only argument in the EAX register, which is immediately passed as an argument to LoadLibraryW (after BP frame initialisation).

Looking at the code, there are sequences and strings referenced in other functions (evidence of inlining), so I don't think it's a direct assembly code job.

To my knowledge and according to my sources, MSVC doesn't have a calling convention that sends arguments via EAX. Watcom and Delphi have options, but not MSVC. Is it possible that the compiler optimised the function into a register call? Or is there another, undocumented calling convention in MSVC?

user22100
  • 56
  • 2
Ben Jaguar Marshall
  • 137
  • 6

1 Answers1

2

We can see from this list that IA-32's Delphi/Free Pascal calling convention is the register calling convention. My guess is you're dealing with a binary that's the result of something like this: How to call a function using Delphi's register calling conventions from Visual C++?

To partially quote the top-voted answer:

Delphi's register calling convention, also known as Borland fastcall, on x86 uses EAX, EDX and ECX registers, in that order.

Some additional reading that may help paint a clearer picture of what you're looking at:

dsasmblr
  • 2,234
  • 10
  • 18
  • 1
    I may need to amend my question. After posting, I found a function that passes the first argument in EAX, then pushes the second argument. I'll say that your answer here is correct for the posed question and ask a new question. – Ben Jaguar Marshall Dec 05 '17 at 23:22