Hi there!
Uh, this is kind of a learning curve for me, so I'm not sure where best to start.
I have executable code in memory and an address to a __fastcall function.
What I have done is compile a C DLL to take an address and a param, and call the address passing the param.
The param is a table of VB6 __stdcall function addresses that the function I'm calling will call back on.

This is the function in my C dll:
Code:
__int32 __stdcall Test(__int32 dwAddr, __int32 dwTable)
{
    __asm {
        mov        ecx, [esp+8]   //dwTable
        call       [esp+4]        //dwAddr
    }
}
This is that function in IDA:
Code:
.text:10001040 Test    proc near
.text:10001040
.text:10001040 arg_0           = dword ptr  4
.text:10001040 arg_4           = dword ptr  8
.text:10001040
.text:10001040                 mov     ecx, [esp+arg_4] 
.text:10001044                 call    [esp+arg_0]
.text:10001048                 retn    8
.text:10001048 Test    endp
This is how I declare it in VB6:
Code:
Public Declare Function Test Lib "Test.dll" (ByVal Address As Long, ByVal dwParam As Long) As Long
This works fine. When I call Test with the address of the __fastcall function I want to call and a pointer to the callback list, the function returns the expected value and calls my VB6 functions (in the callback table).

However, I don't want to do this from a DLL; I'm trying to do it from a VB6 class.
So far, I have been able to call the function address and get the callbacks (so I know the address and param are on the stack in the right places).
But I don't get the return value, plus I get some nasty crashes the next time I call it.

Here is my VB6 code:
Code:
Private m_ptrMe         As Long 'pointer of this class
Private m_ptrFunc       As Long 'function pointer of MyFunc
Private m_Mem           As Long 'pointer to the code
Private m_Code          As String

Private Sub Class_Initialize()
    Dim fctAddress      As Long
    Call CopyMemory(m_ptrMe, ByVal ObjPtr(Me), 4)
    Call CopyMemory(m_ptrFunc, ByVal m_ptrMe + 28, 4)
    Call MyFunc(0, 0) 'inits the function
End Sub
Private Sub Compile(ByVal S As String)
    m_Code = m_Code & HexToStr(S)
End Sub
Public Function MyFunc(ByVal lngAddr As Long, ByVal lngParam As Long) As Long
    Call Compile("8B 4C 24 0C") 'mov     ecx, [esp+lngParam]
    Call Compile("FF 54 24 08") 'call    [esp+lngAddr]
    Call Compile("C2 0C 00")    'retn    0Ch
    
    '//Copy code to a block of memory
    m_Mem = malloc(Len(m_Code))
    Call CopyMemory(ByVal m_Mem, ByVal m_Code, Len(m_Code))
    '//Copy code address over MyFunc
    Call CopyMemory(ByVal m_ptrMe + 28, m_Mem, 4)
End Function

Public Function CallFunc(ByVal lngAddr As Long, ByVal Param As Long) As Long
    CallFunc = MyFunc(lngAddr, Param)
End Function

As you can see, the ASM in the DLL was like this:
8B 4C 24 08 FF 54 24 04 C2 08 00
But the only way I could get it even close to working in VB6, is:
8B 4C 24 0C FF 54 24 08 C2 0C 00

Does anyone know why the stack is out of line by 4 bytes?
The above code is an __stdcall that calls a __fastcall, so in theory it should be like trying to call a normal API with 2 params.
This is all kind of new ground to me, so I may be missing something -- but could anyone please explain to me what's up, what I'm missing, and why I don't get a return?

big thanks in advance!
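
Added example, not part of the original post and not the poster's code: a small C checker that decodes the two byte sequences quoted above and compares their [esp+N] offsets and retn immediate with the stack frame the caller builds. It assumes VB6 invokes a public class method COM-style, with a hidden object pointer pushed before the visible arguments and a hidden result pointer after them; check_thunk and its flag names are made up for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Mismatch flags returned by check_thunk() (names are hypothetical). */
enum { BAD_FORM = 1, BAD_PARAM = 2, BAD_ADDR = 4, BAD_RETN = 8 };

/* Byte sequences quoted in the post. */
static const unsigned char dll_thunk[] = {0x8B,0x4C,0x24,0x08, 0xFF,0x54,0x24,0x04, 0xC2,0x08,0x00};
static const unsigned char vb6_thunk[] = {0x8B,0x4C,0x24,0x0C, 0xFF,0x54,0x24,0x08, 0xC2,0x0C,0x00};

/* Stack at thunk entry: [esp] = return address, then 4-byte slots.
   hidden_this / hidden_ret are 1 when the caller also passes an object
   pointer before the visible arguments / a result pointer after them
   (ASSUMPTION: the shape of a VB6 class method call). */
int check_thunk(const unsigned char *c, size_t n, unsigned hidden_this, unsigned hidden_ret)
{
    int flags = 0;
    unsigned addr_off  = 4 + 4 * hidden_this;   /* slot holding the function address */
    unsigned param_off = addr_off + 4;          /* slot holding the table pointer    */
    unsigned cleanup   = 4 * (2 + hidden_this + hidden_ret); /* bytes retn must pop  */

    /* Only the three-instruction shape from the post is decoded:
       8B 4C 24 d8 = mov ecx,[esp+d8]; FF 54 24 d8 = call [esp+d8];
       C2 lo hi    = retn imm16 (little-endian). */
    if (n != 11 || c[0] != 0x8B || c[1] != 0x4C || c[2] != 0x24 ||
        c[4] != 0xFF || c[5] != 0x54 || c[6] != 0x24 || c[8] != 0xC2)
        return BAD_FORM;
    if ((unsigned)c[3] != param_off) flags |= BAD_PARAM;
    if ((unsigned)c[7] != addr_off)  flags |= BAD_ADDR;
    if ((unsigned)(c[9] | c[10] << 8) != cleanup) flags |= BAD_RETN;
    return flags;
}

int main(void)
{
    printf("DLL bytes, plain stdcall    : %d\n", check_thunk(dll_thunk, sizeof dll_thunk, 0, 0));
    printf("VB6 bytes, plain stdcall    : %d\n", check_thunk(vb6_thunk, sizeof vb6_thunk, 0, 0));
    printf("VB6 bytes, object ptr only  : %d\n", check_thunk(vb6_thunk, sizeof vb6_thunk, 1, 0));
    printf("VB6 bytes, object + result  : %d\n", check_thunk(vb6_thunk, sizeof vb6_thunk, 1, 1));
    return 0;
}
```

The VB6 bytes are clean against a frame with one extra leading slot, which accounts for the 4-byte shift. Under the assumed frame that also carries a result pointer, the caller pushed 16 bytes while C2 0C 00 removes only 12, and nothing is ever written through that pointer.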