View Full Version : Reversing a QT-GUI-Framework based Application

August 29th, 2008, 19:05
Hi there,

what i'm trying to do is to patch away a popup-window in a QT-GUI-Framework (_http://trolltech.com/products/qt) based application written in VC++.

As the framework has its own routines to create windows, there's no way to set breakpoints on createwindow and stuff (or at least I wasn't able to do it).

A small sample of code for a window in QT looks like this

QWinWidget *w = new QWinWidget(hWnd, 0, 0);
QMessageBox *mb = new QMessageBox("Qt on Win32 - modeless",
"Is this dialog modal?",
QMessageBox::Yes | QMessageBox:efault,
QMessageBox::No | QMessageBox::Escape,
QMessageBox::NoButton, w);

My question is how can I identify this code in the debugger? My idea was to break in where the show() function (in its compiled state of course :-) ) is called ...

Thanks for any hint!


August 29th, 2008, 22:54
Hi fxxx:

You have several points of attack, none of them guaranteed to work, but worth exploring:

- You should download the Qt framework. Pay close attention to its static libraries. The assembly code of the show() method is for sure contained in one of them. Remember that static libraries still have to contain all the symbols so the linker will find the right function code during static linking. I think lib.exe and other utilities like that will give you a list of all the functions contained in a given library, and even add or extract functions as obj files from a static lib file. Once you see the asm code of show(), you can search for it and place breakpoints in your application. You actually could do this in a more general and automatic fashion by creating a FLIRT signature from the Libs (See this thread: Then disassemble your app with IDA, apply the FLIRT, then located the show() code, plus all the references to it. Subsequently you can even import IDA map into Olly, so you will see most of the statically linked Qt functions correctly identified by their symbols in the Olly code window.

- Another approach that is useful when you run into apps that skip the use of typical (user32) API is learn to track windows Messages. Frameworks often bypass, reimplement or wrap windows APIs, but windows messages are a different story, they are always the heartbeat of a windows app. You need to learn the handle of the control/window/whatever show() displays, then intercept the messages to it. sooner or later you will locate the code that is sending such messages which are nothing else than the methods that make the Qt objects tick.

- Lastly, even if a framework bypasses or wraps the obvious APIs, eventually it may call native windows APIs, deeper into the NTdll or even lower. Placing BP on such native API may eventually help you, by backtracking the call stack, locate the show() code.

Other suggestions??

August 30th, 2008, 12:47
or make a standalone selfcontained helloworld createwindow using qt if possible and attach it here
precondition is that it wouldn't/shouldn't/maynot ask to download gigabytes of crap that i have no intention/requirement of using
and may be i can take a look :P

August 31st, 2008, 17:11
Thank you naides for your hints where to start from. This siganature thing in IDA sounds interesting, but seems like I need some more practise (starting with IDA :-) ) but I'll give my best ...

I have QT running now, that btw was a real pain in the ar** under VS 2008. I'll make a sample for this message box and put it online. blabberer, would be nice if you could take a look. Shouldn't take me too long, hopefully.


September 19th, 2008, 15:15
Any progress yet fxxx? Would be fun to see some Qt reversing around here.

October 20th, 2008, 03:56
Hi there,

um ok, it has taken me longer than expected, scusi :-) ... The attachment contains a "Hello-World-example-with-one-main-window-and-one-popup". Should have debugging code in it and needs QT framework 4 or higher in order to run.


October 24th, 2008, 14:33
Thanks for your contribution.