Thread: Trying to decompile a MFC snippet code


  1. #1
    Registered User

    Trying to decompile a MFC snippet code

    Hi,

    I've been trying to figure out what kind of code can produce output similar to this:

    Code:
    .text:004070A2                 mov     ecx, offset CWnd1
    .text:004070A7                 mov     [esi+70h], eax
    .text:004070AA                 call    ?GetMainWnd@CWinThread@@UAEPAVCWnd@@XZ ; CWinThread::GetMainWnd(void)
    .text:004070AF                 xor     ebx, ebx
    .text:004070B1                 cmp     eax, ebx
    .text:004070B3                 jnz     short loc_4070B9
    .text:004070B5                 xor     eax, eax
    .text:004070B7                 jmp     short loc_4070BC
    .text:004070B9 ; ---------------------------------------------------------------------------
    .text:004070B9
    .text:004070B9 loc_4070B9:                             ; CODE XREF: gamestart-2BDj
    .text:004070B9                 mov     eax, [eax+1Ch]
    .text:004070BC
    .text:004070BC loc_4070BC:                             ; CODE XREF: gamestart-2B9j
    .text:004070BC                 mov     ecx, [esi+40h]
    .text:004070BF                 push    offset off_4E6A98
    .text:004070C4                 push    ecx
    .text:004070C5                 push    eax
    .text:004070C6                 call    dword ptr [esi+70h] ; GameInit()
    I tried to figure out the parameters of GameInit(). By trial and error, I got the following code (which matches a little bit):

    Code:
    CWinThread* pThread = AfxGetThread();
    CWnd* m_pMainWnd = pThread->GetMainWnd();
    HWND test = m_pMainWnd->m_hWnd;
    But it's not right. The disassembled form of the above code is:

    Code:
    102:      CWinThread* pThread = AfxGetThread();
    004012FD   call        AfxGetThread (00401854)
    00401302   mov         dword ptr [ebp-8],eax
    103:
    104:      CWnd* m_pMainWnd = pThread->GetMainWnd();
    00401305   mov         eax,dword ptr [ebp-8]
    00401308   mov         edx,dword ptr [eax]
    0040130A   mov         esi,esp
    0040130C   mov         ecx,dword ptr [ebp-8]
    0040130F   call        dword ptr [edx+7Ch]
    00401312   cmp         esi,esp
    00401314   call        _chkesp (0040191a)
    00401319   mov         dword ptr [ebp-0Ch],eax
    105:
    106:      HWND test = m_pMainWnd->m_hWnd;
    0040131C   mov         eax,dword ptr [ebp-0Ch]
    0040131F   mov         ecx,dword ptr [eax+20h]  ;<<<<<<<< see this
    00401322   mov         dword ptr [ebp-10h],ecx
    So for the 1st param I got a near match: eax+20h instead of eax+1Ch. I looked into the CWnd structure and it's weird. It says m_hWnd is the first data member. Judging from the number, there should be previous data members, but it seems I cannot find them in the list (i.e. type "m_pMainWnd->", look at the list in the MSVC IDE, then compile and look at the code). Can anyone help or give a hint?

    Thanks

  2. #2
    bilbo
    Try this simple program (assuming it is called try.cpp)
    Code:
    // compile from VS Command Prompt as cl -MT try.cpp

    #include <afxwin.h>   // MFC: declares CWnd
    #include <stddef.h>   // offsetof
    #include <stdio.h>    // printf

    int main(void)
    {
        // Print the byte offset of CWnd::m_hWnd in this build's CWnd layout
        printf("%x\n", (unsigned)offsetof(CWnd, m_hWnd));
        return 0;
    }
    In VS2010 (MFC 10.0) the output is 20, as you found out;
    but in VS6 (MFC 4.2) the output is 1C!

    Best regards, bilbo
    It is not because things are difficult that we do not dare, but because we do not dare that they are difficult. [Seneca, Epistulae Morales 104, 26]

  3. #3
    Registered User
    Quote Originally Posted by bilbo:
    Try this simple program (assuming it is called try.cpp)
    In VS2010 (MFC 10.0) the output is 20, as you found out;
    but in VS6 (MFC 4.2) the output is 1C!
    Thanks for the insight, bilbo.
    But actually, I code in MSVC6 SP5 Enterprise Edition, not in VS2010. I checked my output program's DLL dependency; it is MFC42D.DLL. So what did I do wrong?

  4. #4
    bilbo
    I see...
    You are compiling using MFC as a dynamic library, while they are using MFC as a static library.
    Compile the program above as
    Code:
    cl -W3 -MD -D_AFXDLL try.cpp
    and you will obtain 0x20, no longer 0x1C.
    The difference is in the member
    Code:
    static const AFX_MSGMAP* PASCAL _GetBaseMessageMap();
    (see AFXWIN.H)

    Best regards, bilbo
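To check a displacement seen in a listing against the m_hWnd offset of a given build, here is an added example (not from the thread) in portable C++: it models the two 32-bit CWnd layouts the posts measured (m_hWnd at 0x1C with static MFC, 0x20 with _AFXDLL) using opaque placeholder arrays for the inherited CObject/CCmdTarget members, takes the offsets with offsetof, and parses the displacement out of an IDA-style operand. The struct names, the placeholder arrays and the parser are assumptions; the real CWnd members are not reproduced.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>

// Models of the 32-bit CWnd layout discussed in the thread. The real base-class
// members are NOT reproduced: an opaque array stands in for them, sized so that
// m_hWnd lands where the posts measured it (0x1C static MFC, 0x20 with _AFXDLL).
struct CWndStaticModel {            // cl -MT (static MFC)
    uint32_t inherited[7];          // placeholder for CObject/CCmdTarget members
    uint32_t m_hWnd;                // HWND is pointer-sized: 4 bytes on x86
};
struct CWndDllModel {               // cl -MD -D_AFXDLL (shared MFC DLL)
    uint32_t inherited[8];          // one extra dword before m_hWnd in this build
    uint32_t m_hWnd;
};

struct LayoutEntry { const char* build; size_t hwnd_offset; };

// Offsets come from offsetof so they track the model rather than hand-typed numbers.
static const LayoutEntry kLayouts[] = {
    { "static MFC (-MT)",            offsetof(CWndStaticModel, m_hWnd) },
    { "shared MFC (-MD -D_AFXDLL)",  offsetof(CWndDllModel, m_hWnd) },
};

// Pull the hex displacement out of an IDA-style operand such as "[eax+1Ch]".
// Returns -1 when the line carries no "+<hex>h]" displacement.
long parse_displacement(const std::string& line) {
    size_t plus = line.find('+');
    size_t end = line.find("h]", plus);
    if (plus == std::string::npos || end == std::string::npos) return -1;
    return std::strtol(line.substr(plus + 1, end - plus - 1).c_str(), nullptr, 16);
}

// Name the build whose CWnd layout puts m_hWnd at the displacement in the
// disassembly line, or "unknown" if neither model matches.
std::string build_for_hwnd_access(const std::string& line) {
    long disp = parse_displacement(line);
    for (const LayoutEntry& e : kLayouts)
        if (disp >= 0 && (size_t)disp == e.hwnd_offset) return e.build;
    return "unknown";
}

int main() {
    // Constructed sample lines, shaped like the two listings in the thread.
    const char* lines[] = { "mov eax, [eax+1Ch]", "mov ecx,dword ptr [eax+20h]" };
    for (const char* l : lines)
        std::printf("%-32s -> %s\n", l, build_for_hwnd_access(l).c_str());
    return 0;
}
```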
