Need help understanding ida pseudocode


I am new to reversing. I have stumbled upon a line of code which I am unable to understand.

return (*(_int64(**)(void))(**(_QWORD **)(v1 + 0x3C8) + 0x68LL ))();

The code is from an arm64 lib. So, what I understood is that it's returning a pointer out as an unsigned int64 data type. But when I try to use it as

return (unsigned long) ((unsigned long)(v1 + 0x3C8) + 0x68) ;

the result is so out of the unsigned long range; for example, one result is 19985131375820901. Also, _int64 and _QWORD both have a size of 8 bytes, and so does unsigned long. So I am a little confused here about how this is happening. Can anybody help with the correct interpretation of this, please?


1 answer

Sam Varshavchik
v1 + 0x3C8

Yes. This adds 0x3C8 to v1. But you seem to have overlooked something else that happens before 0x68 gets added to it.

(_QWORD **)

The result of this addition gets casted to a pointer to a pointer to a _QWORD. That's what this means in C++.

**

And dereferenced. Twice. That produces a _QWORD, from somewhere. Wherever those pointers lead to.

+0x68LL

And only then does 0x68 get added to whatever you have now.

But you're not done yet. There's still more C++ code left that you need to unravel.

(_int64(**)(void))

This gets now casted to a pointer to a pointer to a function that takes no parameters and returns an _int64.

*

And the pointer dereferenced.

()

And the function call is finally made, which returns an _int64 value.
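The chain of casts and dereferences above is easier to follow when it is laid out against a concrete memory layout. The following is an added example, not code from the question's library or from the answer: it constructs a hypothetical object whose field at +0x3C8 points to a second object, whose first QWORD is a vtable pointer, whose slot at +0x68 (slot 13, since 0x68 / 8 = 13) holds the function being called. That is the layout the expression implies, but the struct names (outer, inner, vtable, slot) and the target function are invented for illustration. It evaluates the decompiler expression verbatim, then step by step, then in the readable struct form, and also evaluates the asker's rewrite to show that it only computes an address (v1 + 0x430) and never loads or calls anything.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* IDA's helper types as they appear in the decompiler output. */
typedef int64_t  _int64;
typedef uint64_t _QWORD;

/* Hypothetical layout consistent with the expression (names invented):
 *   outer + 0x3C8  -> pointer to an inner object
 *   inner + 0x0    -> pointer to the inner object's vtable
 *   vtable + 0x68  -> function pointer (slot 13)                      */
struct vtable { _int64 (*slot[14])(void); };
struct inner  { const struct vtable *vtbl; };
struct outer  { unsigned char pad[0x3C8]; struct inner *inner; };

/* Constructed target function with a recognisable return value. */
static _int64 virt_method_13(void) { return 0x1234; }

/* Constructed three-level chain: outer -> inner -> vtable -> slot[13]. */
static const struct vtable g_vtbl  = { .slot = { [13] = virt_method_13 } };
static struct inner        g_inner = { &g_vtbl };
static struct outer        g_outer = { .inner = &g_inner };

/* The expression exactly as the decompiler printed it; v1 is the object's address. */
static _int64 call_ida_style(_QWORD v1)
{
    return (*(_int64(**)(void))(**(_QWORD **)(v1 + 0x3C8) + 0x68LL))();
}

/* The same expression unwound one operation at a time. */
static _int64 call_step_by_step(_QWORD v1)
{
    _QWORD *field_ptr  = (_QWORD *)(v1 + 0x3C8);         /* address of the field at +0x3C8         */
    _QWORD  inner_addr = *field_ptr;                       /* first  *: the pointer stored there     */
    _QWORD  vtbl_addr  = *(_QWORD *)inner_addr;            /* second *: inner's first QWORD (vtable) */
    _QWORD  slot_addr  = vtbl_addr + 0x68;                 /* +0x68: address of vtable slot 13       */
    _int64 (*fn)(void) = *(_int64 (**)(void))slot_addr;    /* load the function pointer from it      */
    return fn();                                           /* and finally call it                    */
}

/* What the expression means once the structs above are defined. */
static _int64 call_readable(struct outer *o)
{
    return o->inner->vtbl->slot[13]();
}

/* The asker's rewrite: pure pointer arithmetic, no loads, no call.
 * It evaluates to v1 + 0x430, an address, not the function's result. */
static unsigned long askers_rewrite(_QWORD v1)
{
    return (unsigned long)((unsigned long)(v1 + 0x3C8) + 0x68);
}

int main(void)
{
    _QWORD v1 = (_QWORD)&g_outer;
    printf("IDA expression   : 0x%llx\n", (long long)call_ida_style(v1));
    printf("step by step     : 0x%llx\n", (long long)call_step_by_step(v1));
    printf("readable form    : 0x%llx\n", (long long)call_readable(&g_outer));
    printf("asker's rewrite  : 0x%lx (object at 0x%lx)\n", askers_rewrite(v1), (unsigned long)&g_outer);
    return 0;
}
```

Compile with any C99 compiler (for example `cc -std=c99 -Wall example.c`). The first three lines of output agree, and the fourth is simply the object's address plus 0x430: the large numbers the asker saw are heap or library addresses, not out-of-range integers. When reversing real binaries, the same unwinding applies, and the practical step is to define the structs in IDA so the decompiler prints the `o->inner->vtbl->slot[13]()` form itself.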