Decodeknownbyname

int Decodeknownbyname(wchar_t *name,t_procdata *pd,t_argdec adec[NARG],wchar_t *rettype,int nexp);

If a function with the specified name (in the form <modulename>.<functionname>) is known to OllyDbg, determines the characteristics of this function, such as the return type, preserved registers, number of stack arguments and number of bytes discarded from the stack on return, and decodes the arguments passed to this function on the stack.

If you want to decode the function's arguments to text, you must read these arguments from the stack and supply them to Decodeknownbyname(). On entry, you only need to set adec[].mode and adec[].value and zero adec[].pushaddr. adec[0] corresponds to the first argument (pushed last, with the lowest stack address). Note that at the entry to the function ESP points to the return address and the first argument is at ESP+4. See Decodeknownbyaddr() to learn why you may need pushaddr.

If the decoded function has a variable number of arguments and uses a printf()-like format, parameter nexp can be set to the expected number of doublewords following the format, or to -1 if this number is unknown. If nexp is positive and the format string specified in the function is not obtainable, format specifiers will be decoded in the "blind" mode.
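
The entry setup described above, as an added example that is not part of the OllyDbg documentation: it fills the caller-supplied fields from a stack snapshot taken at function entry. demo_argdec, DEMO_NARG, DEMO_MODE_VALID, fill_adec() and the sample bytes are stand-ins constructed for illustration; a plugin would use t_argdec, NARG and the mode flags from plugin.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DEMO_NARG 24        /* stand-in for NARG (assumed value; use plugin.h) */
#define DEMO_MODE_VALID 1u  /* stand-in for the "value is valid" mode flag */

/* Stand-in with only the caller-filled members named on this page. */
typedef struct demo_argdec {
  uint32_t mode;            /* value descriptor, set by the caller */
  uint32_t value;           /* doubleword read from the stack */
  uint32_t pushaddr;        /* must be zero on entry */
} demo_argdec;

/* Constructed sample: bytes copied from the debuggee starting at ESP. */
const unsigned char sample_stack[] = {
  0x10, 0x10, 0x40, 0x00,   /* [ESP]   return address */
  0x34, 0x12, 0x00, 0x00,   /* [ESP+4] first argument  -> adec[0] */
  0x01, 0x00, 0x00, 0x00,   /* [ESP+8] second argument -> adec[1] */
  0xAA, 0xBB                /* read was cut short: not a full doubleword */
};

/* Read a little-endian doubleword at offset off; returns 0 on success. */
static int read_dword(const unsigned char *s, size_t len, size_t off, uint32_t *out) {
  if (off > len || len - off < 4) return -1;
  *out = (uint32_t)s[off] | ((uint32_t)s[off + 1] << 8) |
         ((uint32_t)s[off + 2] << 16) | ((uint32_t)s[off + 3] << 24);
  return 0;
}

/* Fill all DEMO_NARG elements; argument i lives at ESP+4+4*i.
   Returns how many arguments were actually readable. */
int fill_adec(const unsigned char *snap, size_t len, demo_argdec adec[DEMO_NARG]) {
  int i, nvalid = 0;
  memset(adec, 0, DEMO_NARG * sizeof(demo_argdec));  /* zeroes pushaddr too */
  for (i = 0; i < DEMO_NARG; i++) {
    uint32_t v;
    if (read_dword(snap, len, 4 + 4 * (size_t)i, &v) != 0)
      break;                /* remaining elements keep mode 0: not readable */
    adec[i].mode = DEMO_MODE_VALID;
    adec[i].value = v;
    nvalid++;
  }
  return nvalid;
}

/* In a plugin, with a real t_argdec array prepared the same way:
     n = Decodeknownbyname(L"_INTERN_.Fn4", NULL, adec, NULL, -1);
   n == -1 means the name is unknown and adec[] holds no decoded text. */
```
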


Parameters:

name
(in) Pointer to the UNICODE string containing the name of the function. It must be in the form <modulename>.<functionname>. The module name is obligatory. For generic functions, like Fn4 for a function with 4 doubleword stack arguments, or WINPROCW for a UNICODE window function, use the pseudomodule _INTERN_: _INTERN_.Fn4, _INTERN_.WINPROCW
pd
(out) Optional pointer to the descriptor of the procedure, a structure of type t_procdata, or NULL if the description is not necessary. Decodeknownbyname() fills only the following members of this artificial descriptor:
t_procdata.addr is set to 0
t_procdata.size is set to 1
t_procdata.type (only flags PD_RETSIZE, PD_FIXARG, PD_FORMATA / PD_FORMATW / PD_SCANA / PD_SCANW), where applicable
t_procdata.retsize (only if PD_RETSIZE is set)
t_procdata.narg (only if PD_FIXARG, PD_FORMATA, PD_FORMATW, PD_SCANA or PD_SCANW is set)
t_procdata.preserved (if known)
adec
(in/out) Optional pointer to the list of arguments, an array of at least NARG structures of type t_argdec, or NULL if decoding of arguments is not necessary. The calling routine must fill members adec[].mode and adec[].value and zero adec[].pushaddr in all elements of this array. If the function is known, Decodeknownbyname() fills adec[].prtype (prefixed type of the argument), adec[].name (name of the argument) and adec[].text (adec[].value decoded to text according to its type)
rettype
(out) Optional pointer to the UNICODE buffer, at least SHORTNAME wide characters long, that receives the prefixed type of the value that the procedure returns in EAX. May be NULL
nexp
(in) If the function includes a printf()-like format followed by a variable number of arguments, the number of doublewords that follow the format on the stack (-1 if this number is unknown or the format is defined). Ignored in all other cases. The safest "don't care" way is to set this parameter to -1


Return values:

On success, returns the number of function arguments (may be 0). Otherwise, returns -1


See also:
Analysis, Decodeargument(), Decodeknownbyaddr(), Decodetype()