Notes on USERCALL in IDA Pro
Action name: SetType
This command allows you to specify the type of the current item.
If the cursor is located on a name, the type of the name's item will be edited. Otherwise, the current function type (if there is a function) or the current item type (if it has a name) will be edited.
The function type must be entered as a C declaration. IDA will use the type information to comment the disassembly with the information about function arguments. It can also be used by the Hex-Rays decompiler plugin for better decompilation.
Here is an example of a function declaration:
    int main(int argc, const char *argv[]);
To delete a type declaration, please enter an empty string.
IDA supports the user-defined calling convention. In this calling convention, the user can explicitly specify the locations of arguments and the return value. For example:
    int __usercall func<ebx>(int x, int y<esi>);
denotes a function with 2 arguments: the first argument is passed on the stack and the second argument is passed in the ESI register and the return value is stored in the EBX register. General rules for the user defined prototypes are:
- the return value must be in a register
- if the return type is 'void', the return location must not be specified
- if the argument location is not specified, it is assumed to be on the stack; consecutive stack locations are allocated for such arguments
- currently, IDA does not check the register sizes, but it is recommended to specify correct register sizes (for example, use AL for char type)
- it is allowed to declare nested declarations, for example:
    int **__usercall func16<eax>(int *(__usercall *x)<ebx>(int, long<ecx>, int)<esi>);
  Here the pointer "x" is passed in the ESI register. The pointed-to function is a usercall function and expects its second argument in the ECX register; its return value is in the EBX register. The rule of thumb to apply in such complex cases is to specify the registers just before the opening parenthesis of the parameter list.
- registers used for the location names must be valid for the current processor; some registers are unsupported (if the register name is generated on the fly, it is unsupported; inform us about such cases; we might improve the processor module if it is easy)
- register pairs can be specified with a colon, like <edx:eax>
IDA also understands the "__userpurge" calling convention. It is the same thing as __usercall, the only difference is that the callee cleans the stack.
The name used in the declaration is ignored by IDA.
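The location rules above can be checked mechanically before a prototype is typed into the SetType dialog. The following is an added example, not part of IDA or of the original note: a small Python parser for flat (non-nested) __usercall/__userpurge declarations. The function name parse_usercall and the 4-byte stack slot size (32-bit x86) are assumptions made for the illustration.

```python
import re

# Flat prototype: <ret type> __usercall|__userpurge <name>[<ret loc>](<params>);
PROTO = re.compile(
    r'^\s*(?P<ret>.+?)\s*\b(?P<cc>__usercall|__userpurge)\s+'
    r'(?P<name>\w+)\s*(?:<(?P<retloc>[^<>]+)>)?\s*\((?P<params>[^()]*)\)\s*;?\s*$')
# One parameter: declaration text with an optional trailing <location>.
PARAM = re.compile(r'^(?P<decl>.+?)\s*(?:<(?P<loc>[^<>]+)>)?$')

def _regs(loc):
    """'edx:eax' -> ('edx', 'eax'); a single register -> ('esi',)."""
    return tuple(r.strip().lower() for r in loc.split(':'))

def parse_usercall(proto, slot=4):
    """Return where each argument and the return value live.

    slot is the assumed stack slot size (4 bytes, 32-bit x86); the rules
    only say that consecutive stack locations are allocated.
    """
    m = PROTO.match(proto)
    if not m:
        raise ValueError('not a flat __usercall/__userpurge prototype')
    ret, retloc = m['ret'].strip(), m['retloc']
    if ret == 'void' and retloc:
        raise ValueError("'void' return must not specify a location")
    params = m['params'].strip()
    args, offset = [], 0
    for raw in ([] if params in ('', 'void') else params.split(',')):
        pm = PARAM.match(raw.strip())
        if not pm:
            raise ValueError('empty parameter in list')
        if pm['loc']:
            where = _regs(pm['loc'])
        else:                      # no location given: next stack slot
            where = ('stack', offset)
            offset += slot
        args.append((pm['decl'], where))
    return {
        'ret_loc': _regs(retloc) if retloc else None,
        'args': args,
        'stack_bytes': offset,
        # __userpurge differs only in that the callee cleans the stack
        'callee_cleans': m['cc'] == '__userpurge',
    }

if __name__ == '__main__':
    # The declaration used as the example in the text above.
    print(parse_usercall('int __usercall func<ebx>(int x, int y<esi>);'))
```

The declared name is parsed but not returned, matching the note that IDA ignores it.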
Function declarations may have the __spoils keyword. It is used to specify the list of registers spoiled by the function. The syntax is the following:
    int __spoils<eax, bh> func(int x);
If the __spoils keyword is present, the specified list overrides the standard spoiled list. For x86, the standard spoiled list is <eax, edx, ecx>. The spoiled list may be empty.