Author: Aris
Introduction
During my holidays, I had plenty of time to study and reverse a program, which was completely coded in C++. This was the first time I seriously studied a C++ codebase, using IDA as the only source of information, and found it quite hard.
Here’s a sample of what you get with Hex-rays when you start up digging into an interesting function:
v81 = 9;
v63 = *(_DWORD *)(v62 + 88);
if ( v63 )
{
v64 = *(int (__cdecl **)(_DWORD, _DWORD, _DWORD,
_DWORD, _DWORD))(v63 + 24);
if ( v64 )
v62 = v64(v62, v1, *(_DWORD *)(v3 + 16), *(_DWORD
*)(v3 + 40), bstrString);
}
It’s our job to add symbol names, identify classes and set up all the information to help hex-rays in giving us a reliable and certainly understandable output:
padding = *Dst;
if ( padding < 4 )
return -1;
buffer_skip_bytes(this2->decrypted_input_buffer, 5u);
buffer_skip_end(this2->decrypted_input_buffer, padding);
if ( this2->encrypt_in != null )
{
if ( this2->compression_in != null )
{
buffer_reinit(this2->compression_buffer_in);
packet_decompress(this2,
this2->decrypted_input_buffer,
this2->compression_buffer_in);
buffer_reinit(this2->decrypted_input_buffer);
avail_len = buffer_avail_bytes(this2->compression_buffer_in);
ptr = buffer_get_data_ptr(this2->compression_buffer_in);
buffer_add_data_and_alloc(this2->decrypted_input_buffer, ptr, avail_len);
}
}
packet_type = buffer_get_u8(this2->decrypted_input_buffer);
*len = buffer_avail_bytes(this2->decrypted_input_buffer);
this2->packet_len = 0;
return packet_type;
Of course, Hex-rays is not going to invent the names for you, you’ll still have to make sense of the code and what it means to you, but at least, being able to give a name to the classes will certainly help.
All my samples here have been compiled either with visual studio or Gnu C++. I have found the results to be similar, even if they may not be compatible. Fix it for your compiler of interest.
Greatz thanks to Aris for sharing his knowledge! Original link: http://blog.0xbadc0de.be/archives/67
Regards
m4n0w4r
0day in {REA_TEAM} 