1. AppleHDAFunctionGroupFactory::createAppleHDAFunctionGroup(DevIdStruct *) is what actually creates the codec-specific object, one of:
AppleHDAFunctionGroupSTAC9220
AppleHDAFunctionGroup_80862805
AppleHDAFunctionGroupWM8800
AppleHDAFunctionGroupCS4206
AppleHDAFunctionGroupATI_RS730
...
AppleHDAFunctionGroupAD1984
AppleHDAFunctionGroupAD1988
AppleHDAFunctionGroupALC885
...
i.e. an object of the AppleHDAFunctionGroup kind.
Address in 10.9.3: 0x48162
createAppleHDAFunctionGroup is called from AppleHDACodecGeneric::start(IOService *).
AppleHDACodecGeneric::start: 0x478A
call create... : 0x4ceb
var_58 = DevIdStruct*
0x4d26: call qword [r10 + 1F0] ; r10 = AppleHDAFunctionGroup*
eax = (AppleHDAFunctionGroup* var_hf)->
0x4cf0: AppleHDACodecGeneric:
r13(this) + 0xA8 = AppleHDAFunctionGroup*
r13(this) + 88h = IOService *
r13(this) + 90h = return value of the call at 0x480a; its +0x5d0 -> start
Inside AppleHDACodecGeneric::start:
r13 --> this
r12 --> the IOService * parameter
2. AppleHDAFunctionGroup vtable (0x7c680):
vtable + 0x200 [0x400a6] => initForNodeID(unsigned short, OSObject *, OSObject *, DevIdStruct *, bool)
vtable + 0x130 [0x3fa08] => AppleHDANode::runVerb(unsigned short, unsigned short, unsigned int*)
vtable + 0x1F0 [0x3fd4e] => AppleHDANode::isBitDepthSupported(unsigned int)
3. AppleHDACodec vtable:
vtable + 0x5d0 => start()
x86-64 has 16 64-bit registers: %rax, %rbx, %rcx, %rdx, %rsi, %rdi, %rbp, %rsp, %r8, %r9, %r10, %r11, %r12, %r13, %r14, %r15. Of these:
%rax holds the function return value.
%rsp is the stack pointer, pointing at the top of the stack.
%rdi, %rsi, %rdx, %rcx, %r8, %r9 carry function arguments, in order: the 1st argument, the 2nd argument, ...
%rbx, %rbp, %r12, %r13, %r14, %r15 are used for data storage and follow the callee-saved rule; simply put, use them freely, but back them up before calling a subroutine in case it modifies them.
%r10, %r11 are used for data storage and follow the caller-saved rule; simply put, save the original value before using them.
x86-64 registers and stack frames:
http://www.searchtb.com/2013/03/x86-64_register_and_function_frame.html
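As an added example (not part of the original notes, and not Apple's or AppleHDA's code), the following Python helper turns the two tables above into a small annotator for disassembly lines: it resolves the displacement of a `call qword [reg + disp]` to a vtable slot using the AppleHDAFunctionGroup vtable address and the three slots recorded in item 2, and classifies registers by the System V convention summarised in the register list. The vtable address, slot offsets and method names are those from the notes; the disassembly lines fed to it are constructed for the example, and treating the base register of the call as already holding the vtable pointer is an assumption of the example, as is the `start()` vtable base used for the AppleHDACodec case.

```python
"""Resolve vtable displacements and classify registers in x86-64 disassembly.

Added example, not code from the original notes or from Apple. The vtable
base, slot offsets and method names below are copied from the notes above;
the disassembly lines are constructed for the example.
"""
import re

# AppleHDAFunctionGroup vtable on 10.9.3, as recorded in item 2 of the notes.
APPLEHDA_FUNCTIONGROUP_VTABLE = 0x7C680
APPLEHDA_FUNCTIONGROUP_SLOTS = {
    0x200: "initForNodeID(unsigned short, OSObject *, OSObject *, DevIdStruct *, bool)",
    0x130: "AppleHDANode::runVerb(unsigned short, unsigned short, unsigned int *)",
    0x1F0: "AppleHDANode::isBitDepthSupported(unsigned int)",
}

# System V AMD64 integer argument registers in order; for a C++ method the
# first one carries `this`.
ARG_REGS = ("rdi", "rsi", "rdx", "rcx", "r8", "r9")
CALLEE_SAVED = frozenset({"rbx", "rbp", "r12", "r13", "r14", "r15"})
CALLER_SAVED_SCRATCH = frozenset({"r10", "r11"})

# Matches `call qword [reg + disp]` as the disassembler in the notes prints it;
# the displacement may be spelled 1F0, 0x1F0 or 88h (all hexadecimal).
INDIRECT_CALL = re.compile(
    r"call\s+qword\s+\[\s*(\w+)\s*\+\s*((?:0x)?[0-9a-fA-F]+h?)\s*\]",
    re.IGNORECASE)


def parse_displacement(text):
    """Turn '1F0', '0x1F0' or '88h' into an integer."""
    t = text.lower()
    if t.startswith("0x"):
        t = t[2:]
    elif t.endswith("h"):
        t = t[:-1]
    return int(t, 16)


def resolve_vtable_call(disp, vtable_base=APPLEHDA_FUNCTIONGROUP_VTABLE,
                        slots=APPLEHDA_FUNCTIONGROUP_SLOTS):
    """Map an indirect-call displacement to (slot index, address of the
    function-pointer entry, method name or None if the notes do not list it).

    Each slot is one 8-byte pointer, so slot = disp / 8; a displacement that
    is not a multiple of 8 cannot address a vtable entry and is rejected.
    """
    if disp % 8:
        raise ValueError("displacement 0x%x is not 8-byte aligned" % disp)
    return disp // 8, vtable_base + disp, slots.get(disp)


def classify_register(reg):
    """Describe a register's role under the convention listed in the notes."""
    reg = reg.lower()
    if reg == "rax":
        return "return value"
    if reg == "rsp":
        return "stack pointer"
    if reg in ARG_REGS:
        return "argument %d" % (ARG_REGS.index(reg) + 1)
    if reg in CALLEE_SAVED:
        return "callee-saved"
    if reg in CALLER_SAVED_SCRATCH:
        return "caller-saved scratch"
    return "unknown"


def annotate(line, **vtable_kw):
    """Return an annotation for an indirect vtable call on one disassembly
    line, or None when the line contains no such call. Assumes the base
    register already holds the vtable pointer; keyword arguments are passed
    on to resolve_vtable_call to select another class's vtable."""
    m = INDIRECT_CALL.search(line)
    if not m:
        return None
    reg, disp = m.group(1), parse_displacement(m.group(2))
    slot, entry, name = resolve_vtable_call(disp, **vtable_kw)
    return "slot %d, entry at 0x%x, base %s (%s) -> %s" % (
        slot, entry, reg, classify_register(reg),
        name or "<not recorded in the notes>")


if __name__ == "__main__":
    # Constructed lines modelled on the AppleHDACodecGeneric::start listing.
    for line in ("0x4d26: call qword [r10 + 1F0]",
                 "call qword [rax + 0x200]",
                 "call qword [rax + 138h]",
                 "mov r13, rdi"):
        print("%-32s %s" % (line, annotate(line)))
```

The alignment check in `resolve_vtable_call` is the useful part when reading a listing by hand: a displacement that is not a multiple of 8 is a field access on the object, not a virtual call, so the annotator refuses to treat it as one.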