
Thread: IDA Pro, obtaining class information.

  1. #1

    IDA Pro, obtaining class information.

    General information
    IDA Pro 32-bit
    Windows 7 64-bit
    Visual Studio (old version)

    Breakpoint address (the application successfully breaks at this address):
    Code:
    .text:00542DC7    movss xmm0, dword ptr [esi+18h]
    Register at break:
    Code:
    esi = 15647ECC
    If I understand correctly, esi points to the object and 18 is the offset of the member variable or function.
    This is where esi takes me:
    Code:
    debug089:15647ECC db 54h
    Where 54h is the byte representation of 0C0CA54 (double word).

    0C0CA54 takes me to:
    Code:
    .rdata:00C0CA54 off_C0CA54 dd offset sub_543D50
    0C0CA54+18 takes me to:
    Code:
    .rdata:00C0CA6C dd offset sub_543D30
    sub_543D30:
    Code:
    void __thiscall sub_543D30(int this)
    {
    	sub_5428D0(this, COERCE_INT(180.0));
    }
    My conclusion:
    Code:
    class foo { /* 0x0C0CA54 */
    public:
    	float sub_5428D0(int i) {
    		/* do nothing for now */
    		return 0.0f;
    	}
    	void sub_543D30(){ /* 0x0C0CA54+18 */
    		sub_5428D0(COERCE_INT(180.0));
    	}
    };
    My question is: if this is true, have I found the class, and have I found the function?

    If I did everything correctly, then my question is, how do I know where the class ends?
    Last edited by RCE; April 14th, 2011 at 06:14.

  2. #2
    ...you can't: only virtual functions are stored in your v-table.

    Also, if the class uses multiple inheritance, you'll end up having multiple tables.
    I want to know God's thoughts ...the rest are details.
    (A. Einstein)
    --------
    ..."a shellcode is a command you do at the linux shell"...
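    A worked illustration of the two posts above, added here and not code from the thread. It models the 32-bit memory the first post dumped as a constructed little-endian byte image so the two dereferences the post runs together can be compared side by side: `[esi+18h]` is one dereference (a float data member at offset 0x18 of the object, which is what the `movss` at the breakpoint loads), while `[[esi]+18h]` is two (slot 6 of the vtable that the object's first dword points to, which is where sub_543D30 lives). The addresses are the ones from the thread; the float value, the filler vtable slots and the helper names are made up for the example.

```cpp
// Added example (not code from the thread). Constructed 32-bit memory image holding
// the object at 15647ECC and the vtable at 00C0CA54, with helpers for each dereference.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <map>
#include <stdexcept>

struct Memory32 {
    std::map<uint32_t, uint8_t> bytes;            // sparse: only what we "dumped"

    void write_dword(uint32_t va, uint32_t v) {    // x86 is little-endian: low byte first
        for (uint32_t i = 0; i < 4; ++i) bytes[va + i] = uint8_t(v >> (8 * i));
    }
    void write_float(uint32_t va, float f) {
        uint32_t bits; std::memcpy(&bits, &f, sizeof bits); write_dword(va, bits);
    }
    uint32_t read_dword(uint32_t va) const {
        uint32_t v = 0;
        for (uint32_t i = 0; i < 4; ++i) {
            auto it = bytes.find(va + i);
            if (it == bytes.end()) throw std::out_of_range("unmapped address");
            v |= uint32_t(it->second) << (8 * i);
        }
        return v;
    }
    float read_float(uint32_t va) const {
        uint32_t bits = read_dword(va); float f; std::memcpy(&f, &bits, sizeof f); return f;
    }
};

constexpr uint32_t kObject = 0x15647ECC;  // esi at the breakpoint
constexpr uint32_t kVtable = 0x00C0CA54;  // off_C0CA54, first dword of the object
constexpr uint32_t kSlot0  = 0x00543D50;  // sub_543D50, vtable[0]
constexpr uint32_t kSlot6  = 0x00543D30;  // sub_543D30, vtable[6] == vtable+0x18
constexpr float    kMember = 42.5f;       // constructed: whatever the app keeps at obj+0x18

// Builds the image once; returned by reference so every helper reads the same bytes.
const Memory32& image() {
    static const Memory32 m = [] {
        Memory32 img;
        img.write_dword(kObject, kVtable);              // vptr at offset 0 of the object
        img.write_float(kObject + 0x18, kMember);       // what movss xmm0,[esi+18h] loads
        img.write_dword(kVtable, kSlot0);
        for (uint32_t i = 1; i < 6; ++i)                // filler slots 1..5, constructed
            img.write_dword(kVtable + 4 * i, 0x00543E00 + 0x10 * i);
        img.write_dword(kVtable + 0x18, kSlot6);        // slot 6
        return img;
    }();
    return m;
}

// The byte IDA shows at the object address ("db 54h"): low byte of dword 00C0CA54.
uint8_t first_byte(const Memory32& m, uint32_t va) { return m.bytes.at(va); }
// movss xmm0, dword ptr [esi+18h]: a data member of the object, not a vtable entry.
float member_float(const Memory32& m, uint32_t obj, uint32_t off) { return m.read_float(obj + off); }
// vptr = [obj]; slot n = [vptr + 4*n]: the path that actually reaches sub_543D30.
uint32_t vptr_of(const Memory32& m, uint32_t obj) { return m.read_dword(obj); }
uint32_t vtable_slot(const Memory32& m, uint32_t obj, uint32_t n) {
    return m.read_dword(vptr_of(m, obj) + 4 * n);
}

int main() {
    const Memory32& m = image();
    std::printf("[esi]       = %08X (vptr)\n", vptr_of(m, kObject));
    std::printf("[esi+18h]   = %g (float member)\n", member_float(m, kObject, 0x18));
    std::printf("[[esi]+18h] = %08X (vtable slot 6)\n", vtable_slot(m, kObject, 6));
    return 0;
}
```

    The vtable only lists the virtual functions, so walking it from slot 0 upward tells you which virtual methods exist, not how large the object is; the member at +0x18 is only visible because the code at the breakpoint touches it. In a real dump, IDA's cross-references to off_C0CA54 (the constructor storing the vptr) and the highest `[eax+...]`-style offset used on the object are what bound the layout.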

  3. #3
    Hmmm, what I want to do is translate the class to C++, and create a new instantiation and inject it into the application using dll injection.

    How do you suggest I continue?

  4. #4
    BanMe
    your terminology may have been in the wrong 'season'..

    https://code.google.com/p/autumnframework/

    This should give 'some' idea...

    http://www.governmentsecurity.org/forum/index.php?showtopic=31679

    make sure to read the 'bottom post' @governmentsecurity

    http://en.wikipedia.org/wiki/Object_copy#In_C.2B.2B

    NsCopyObject Sounds like a good function.. o0

    regards BanMe
    Last edited by BanMe; April 14th, 2011 at 11:34.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  5. #5
    I have been doing DLL injection for a couple years, I know how that works.

    Problem is, I always did it based on information I received from a reverse engineer. My problem is that this time, I need to obtain the information myself.

    I think what I need to do is obtain the function that creates these objects and hook it. Then I can create new objects of this kind with a minimal amount of information that needs to be defined in C++.

    Sorry if my question from the previous post was unclear.


    ps.
    At the time of posting the first post, I was thinking about doing the following:
    1, reverse the class
    2, instantiate new object in dll from this class
    The problem in doing this is that the application isn't aware of the object.
    Using the method I describe in this post will probably be a faster and less buggy approach.

    ps2.
    I already contacted someone with a decent amount of RE experience to help me obtain the function that creates these objects. He hasn't replied yet, so if anyone else has some time for a remote session, let me know.
    Last edited by RCE; April 14th, 2011 at 11:34.
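    The plan in the post above (find the function that creates the objects, hook it, create new ones through it instead of instantiating a reconstructed class) played out in one process so it runs stand-alone. This is an added example, not code from the thread: namespace target stands in for the application, and namespace injected knows only a factory address, vtable slot numbers and a member offset, the way code in an injected DLL would. Two assumptions are labelled where they are used: the vptr is the first word of the object and the first data member follows it (true for MSVC and the Itanium ABI), and a vtable slot can be called through a plain function pointer that takes `this` as its first argument (true for the SysV x86-64 ABI this runs under; on 32-bit MSVC the pointer type needs `__thiscall`). All names are invented for the example.

```cpp
// Added example (not the thread's code): create objects through the application's own
// factory and drive them through their own vtable from "injected" code.
#include <cstddef>
#include <cstdio>

namespace target {                          // "the application"; we own none of this
struct Foo {
    virtual void reset() { value = 0.0f; }  // vtable[0]
    virtual void set(float v) { value = v; } // vtable[1]
    float value = -1.0f;                    // first member after the vptr
};
Foo* create_foo() { return new Foo(); }     // the factory the post wants to locate and hook
void destroy_foo(Foo* f) { delete f; }
}

namespace injected {                        // "the DLL"; raw addresses only
using Factory   = void* (*)();
using Destroy   = void  (*)(void*);
using ThisCall0 = void  (*)(void*);         // ABI assumption: `this` is the first argument
using ThisCall1 = void  (*)(void*, float);

// In a real target these come out of IDA, not from symbols.
const Factory kFactory = reinterpret_cast<Factory>(&target::create_foo);
const Destroy kDestroy = reinterpret_cast<Destroy>(&target::destroy_foo);
constexpr std::size_t kSlotReset = 0;
constexpr std::size_t kSlotSet   = 1;
constexpr std::size_t kValueOff  = sizeof(void*);  // layout assumption: member right after vptr

void* vptr_of(void* obj)             { return *static_cast<void**>(obj); }
void* slot(void* obj, std::size_t n) { return static_cast<void**>(vptr_of(obj))[n]; }
float member_float(void* obj, std::size_t off) {
    return *reinterpret_cast<float*>(static_cast<char*>(obj) + off);
}

// Let the application build the object (so it is a real Foo the app recognises), then
// call its virtual functions through the vtable. No reconstructed class is needed.
float create_and_set(Factory make, float v) {
    void* obj = make();
    reinterpret_cast<ThisCall0>(slot(obj, kSlotReset))(obj);
    reinterpret_cast<ThisCall1>(slot(obj, kSlotSet))(obj, v);
    float out = member_float(obj, kValueOff);
    kDestroy(obj);
    return out;
}

// The hook body a detour on the factory would redirect into. Installing it (patching the
// call site, the IAT or the function prologue) is target-specific and not shown here.
int   g_seen = 0;                           // objects the app created while hooked
void* hooked_factory() {
    void* obj = kFactory();                 // let the original do the real work...
    ++g_seen;                               // ...then observe (or keep) the result
    return obj;
}
int objects_seen() { return g_seen; }
}

int main() {
    std::printf("direct: %g\n", injected::create_and_set(injected::kFactory, 180.0f));
    float hooked = injected::create_and_set(injected::hooked_factory, 3.0f);
    std::printf("hooked: %g (seen %d)\n", hooked, injected::objects_seen());
    return 0;
}
```

    The point of routing creation through the application's factory is the one raised in the post: an object built from a class reconstructed inside the DLL is unknown to the application, whereas one the factory returned is already registered wherever the application keeps its objects. On 32-bit MSVC the call-through types become `void (__thiscall*)(void*)` and `void (__thiscall*)(void*, float)` so that `this` lands in ecx.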

  6. #6
    BanMe
    Your words are so close to the 'correct answers'...

    regards BanMe
    Last edited by BanMe; April 14th, 2011 at 12:45.

  7. #7
    Quote Originally Posted by BanMe View Post
    Your words are so close to the 'correct answers'...

    regards BanMe
    Not sure if I understand what you're saying.

    Anyway, thanks for the ClassFactory link!
