1.通过AppleHDAFunctionGroupFactory::createAppleHDAFunctionGroup(DevIdStruct *)实际创建相应的
AppleHDAFunctionGroupSTAC9220
AppleHDAFunctionGroup_80862805
AppleHDAFunctionGroupWM8800
AppleHDAFunctionGroupCS4206
AppleHDAFunctionGroupATI_RS730
...
AppleHDAFunctionGroupAD1984
AppleHDAFunctionGroupAD1988
AppleHDAFunctionGroupALC885
...
AppleHDAFunctionGroup这样的对象
10.9.3 : 0x48162
createAppleHDAFunctionGroup由AppleHDACodecGeneric::start(IOService *)调用
AppleHDACodecGeneric::start: 0x478A
call create... : 0x4ceb
var_58 = DevIdStruct*
0x4d26: call qword [r10 + 1F0] ; r10 = AppleHDAFunctionGroup*
eax = (AppleHDAFunctionGroup* var_hf)->
0x4cf0: AppleHDACodecGeneric:
r13(this) + 0xA8 = AppleHDAFunctionGroup*
r13(this) + 88h = IOService *
r13(this) + 90h = 0x480a call return,其0x5d0 -> start
AppleHDACodecGeneric::start中
r13 --> this
r12 --> IOService * 参数
2.AppleHDAFunctionGroup的虚表(0x7c680):
vtable + 0x200 [0x400a6] => initForNodeID(unsigned short, OSObject *, OSObject *, DevIdStruct *, bool)
vtable + 0x130 [0x3fa08] => AppleHDANode::runVerb(unsigned short, unsigned short, unsigned int*)
vtable + 0x1F0 [0x3fd4e] => AppleHDANode::isBitDepthSupported(unsigned int)
3.AppleHDACodec的虚表:
vtable + 0x5d0 => start()
X86-64有16个64位寄存器,分别是:%rax,%rbx,%rcx,%rdx,%esi,%edi,%rbp,%rsp,%r8,%r9,%r10,%r11,%r12,%r13,%r14,%r15。其中:
%rax 作为函数返回值使用。
%rsp 栈指针寄存器,指向栈顶
%rdi,%rsi,%rdx,%rcx,%r8,%r9 用作函数参数,依次对应第1参数,第2参数。。。
%rbx,%rbp,%r12,%r13,%14,%15 用作数据存储,遵循被调用者使用规则,简单说就是随便用,调用子函数之前要备份它,以防他被修改
%r10,%r11 用作数据存储,遵循调用者使用规则,简单说就是使用之前要先保存原值
X86-64寄存器和栈帧:
http://www.searchtb.com/2013/03/x86-64_register_and_function_frame.html