Thread: C++ programming for reversing

  1. #1

    C++ programming for reversing

    Dusting off my C++ books but trying not to re-invent the wheel. Would appreciate input on the best way to proceed as far as writing relatively simple apps to use in reversing.

    I have literally no experience with C or C++ other than entering source files in a compiler and producing a working executable. I do have decent experience with Fortran and Basic, a long time ago, and I can get my way around assembly code. In fact, I have written small apps in Assembly to use on computer hardware.

    I have an excellent book on C++, written by Stroustrup, the guy who invented C++, as far as I know. I have reviewed 'types' and there is nothing in the concepts that baffle me. I get int, char, float, struct, etc. I have no issues with loops, stacks, calls, functions, local and global variables. I lack the finesse to sit down and write a good program but I get the structure of C++ wrt the curly brackets and deciphering statements. I get include files, declarations, etc.

    The thing I like about Stroustrup is the way he cuts to the heart of the matter. I have read countless books on C++ and when it comes to classes, most authors can't tell you what a class is. They talk around it. Stroustrup defines a class immediately as a user-defined type. Also, he defines user-defined types as abstractions (abstract data types), constructors as member functions of a class, and containers as a class holding members of the same type. Suddenly, the light went on.

    Really, if you take the abstracted bs out of C++, it's not much different than any other programming with functions and sub-routines, with the exception of modules that contain data and hide it. The rules are just different. To hear many authors talk on C++, you'd think it was a mysterious language.

    How deeply do I have to get into structures, classes, abstractions, containers, oop, etc., to write decent apps for reversing? Have you guys studied C++ formally or have you applied the language as needed? I quite enjoy getting deeper into the theory as offered by Stroustrup but even he urges not to try learning it all immediately, or even to try absorbing all the concepts at once.

    The thing I need right now is a practical application related to reversing. I know enough about Windows programming to realize there's a difference between a basic C++ app that is meant to run with a command window, and one written to create a GUI, with real windows.

    How did you guys get going?

  2. #2
    Posted by Kayaker
    Myself I just use MS Visual Studio to create a default application/console/dll and build a reusable skeleton project from there. I treat all code as C, never use classes and try to simplify compiler options as much as possible. Initially, much of the code is probably going to be copy/paste examples of how to do things, like developing a message handling loop, or creating threads, or creating controls, or numerous other code snippets you like and develop into your own style.

    I usually use a dialog box with a basic listbox output and a bunch of blank buttons as a skeleton interface for most reversing work. The buttons are assigned to whatever code idea I'm working on, and are handled by a wm_command call. The listbox is to output debug messages and exception information. A good start is to create a separate cpp file to handle SEH exceptions from test code protected with a try/except routine, that you can reuse in other projects.

  3. #3
    api, protocols, mfc, win32, .net come later

    before you start you have to complete c/c++

    there are not so many differences in c and c++

    the best source might be "sams teach yourself in 21 days", it even got rolled up to more editions

    im not so good with different compilers but there are some, the compilers from ms are not that bad and since you're on windows that will do it

    either if its vc6 or the newer vc 9 - vc 16 series

    how deeply you have to know it to write an app, this answer is simple
    you do not need to, if you want you can write everything in assembly, but c code being public and widely used

    how deeply you have to know c++ to write a reverse app is a different question
    you have to understand the c++ code to write a reverse app, as you have to transfer c++ code to a reverse application
    that code might be public or was written in that code so you know exactly how to transfer it from assembly reverse and opposite
    but thats not all, you also need to know how to create an app and understand pe, assembly, a disassembler or such things
    softice? for a hardware based video write you need to know the paging system in protected mode, you need a mask to draw digits over a pure video buffer
    what is higher skilled than what a classical ring3 debugger does, its just a "drawtext" function for example
    not having a deeper understanding how this really works

    time for more people to join in the conversation and extend it

  4. #4
    Quote Originally Posted by Elenil View Post
    there are not so many differences in c and c++ ....the best source might be "sams teach yourself in 21 days", it even got rolled up to more editions
    I've owned a copy of Kernighan and Ritchie on C for years. Apparently Ritchie is given credit for inventing the C language and Kernighan came into it later as a co-author of the book 'The C Programming Language'. Kernighan was a computer scientist from Bell Labs, as was Ritchie. I'll see if I can find the Sams book, which likely has coding examples that can be applied immediately. I have a similar book on C++, 'Rescued by C++', although the theory sucks compared to that of Stroustrup's, 'The C++ Programming Language'. The book is well-structured, however, with byte sized chapters on the essentials.

    Quote Originally Posted by Elenil View Post
    either if its vc6 or the newer vc 9 - vc 16 series
    I've had Visual C++ 2010 Express loaded under W7 for years. I don't want to get too new or too old, although I recently read a guy in a blog who claimed to have to go back to version 6 to get a compiler to work on his recompilation of a Windows kernel.

    Having said that, I was reading through my MASM 6.1 reference the other night, (I bought it originally with 4 floppy disks), and it calls for version 5 if you want to integrate MASM into the C++ version.

    Anyone have ideas on that?

    Quote Originally Posted by Elenil View Post
    ...if you want you can write everything in assembly, but c code being public and widely used...
    Good point. I don't plan on redistributing code, so the rules can be bent. I plan to cover Assembly at the same time and the Microsoft books that come with the MASM app are excellent for that if not overly formal. I still keep a copy of one of the books, 'The Microsoft MASM Reference' beside the computer for quick lookup of Assembly/machine instructions. It has a handy ASCII chart in the back.

    Quick question regarding that. I downloaded the same book recently but the ASCII chart table characters appear as a checkerboard pattern rather than the actual characters. Seems to be related to postscript, rasterized, type 1 fonts missing in Adobe reader DC. Any ideas? The rest of the book fonts are fine.

    Quote Originally Posted by Elenil View Post
    how deeply you have to know c++ to write a reverse app is a different question
    you have to understand the c++ code to write a reverse app, as you have to transfer c++ code to a reverse application ....but thats not all, you also need to know how to create an app and understand pe, assembly, a disassembler or such things
    That's what has rekindled my interest. I knew I'd have to transfer C/C++ code but I also need to understand what it does and how to interface with it. I have enough understanding of both languages, plus Assembly, to follow C/C++/Assembly source, I just want to get better at understanding it faster.

    I have worked extensively with IDA and have a good understanding of the PE header, although I am a bit rusty with the latter. Another good reason to learn C/C++...to write plugins for IDA, or maybe even windbg.

    I have LordPE loaded and other tools that help with the PE header but I have learned to find my way through the header itself manually. I have a better understanding of Assembly than C/C++ but I cannot write an app in Assembly. Tell a lie, I have written small Assembly routines for hardware applications, even coded at machine level for the same. Some people are doing extensive mods of the BIOS on mobos to enable features in XP on modern chipsets that were never available on XP.

    Been looking at the Iczelion tutes again.

    Quote Originally Posted by Elenil View Post
    softice? for a hardware based video write you need to know the paging system in protected mode, you need a mask to draw digits over a pure video buffer...what is higher skilled than what a classical ring3 debugger does, its just a "drawtext" function for example not having a deeper understanding how this really works
    The video problem is intriguing but I'd like to know how sice works from the time an OS like XP is booting. In my naivete, I was hoping to use windbg in remote k-mode to intercept the OS as it is loading. As you know, driverstudio gives the option early in the boot phase to turn sice on or off. That suggests to me that the sice drivers are active early in the boot phase. An early hook maybe, or something even more devious???

    If that is the case, would it be out of the question to port sice to 64 bit and adjust its symbol interface to work on a newer OS? This question is most certainly naive at this point.

    I have enough understanding of the memory paging system to be dangerous. I have read through the books on the Windows kernel extensively, much of it rusty by now, but it's not as if I am starting from the beginning. My weakness right now is understanding the registers used and the tables to which they point. I have worked enough with similar tables in the Windows kernel mode so that I am not a complete noob at that either.
    Last edited by WaxfordSqueers; December 31st, 2019 at 09:10.

  5. #5
    Posted by Kayaker
    I was going to mention that. I always used VC6++ for the purpose of inline __asm{}. Perhaps other compiling reasons as well, but I do remember there being an issue with the __asm inline syntax in anything > VC6++. That said, I do seem to have old VS2010 code where I used __asm{cpuid} in what appears to be working code, so easy enough to check when you get to it.

    Other than the rootkitty stuff, I often used __asm{int 3} as a way to break into Softice to trace my code, with NMS files for source debugging, so it was very handy in XP.

    I'm not presupposing anything, but if you'd ever like to get started with a VS2010 template showing a way to load and communicate with a driver, just so you know how it's done, or strip it back as a gui interface for other projects, or use it to play with 2010 Express project settings, feel free.

    The SystemVA's entry in my blog post has well used source code for a Win7 32 bit driver and dialog box, the basic code framework I used many times. In Win10 the dialog will inform you OS not supported.

    http://www.woodmann.com/forum/entry....ce-in-Windows7
    http://www.woodmann.com/forum/attachment.php?attachmentid=2421&d=1296422476
    You seem to be getting deeper into a lot of reversing ideas and programming, cool.

  6. #6
    i would call no one here a noob, that would be a misinterpretation, especially not the ones who have been longer on this forum, there is quite a skill in this forum

    the problem might be that everything heads off to a c# .net environment which at some point fuses windows with linux
    and in my opinion leads to the end of windows
    i wonder if microsoft is knowing that they might have made a bad decision making here

    the problem with the pde/pte in pae and others is that when you make writes you have to unprotect them, also the things like dirty flags have to be restored
    if not, better you restore just the entire entries

    my softice antivalent writes directly new pde/pte entries to the physical memory in ring0

    that problem being persistent for iceext i wrote a routine which reads out the current flags in protected mode
    over the control registers like PSE, PAE that determined the current situation based on hardware flags

    we dont necessarily need to make a 64 bit version for softice, there is a windows 10 32 bit - which is already present with all kinds of software (by far enough)
    that is hardly possible for the current softice drivers too
    they are made for 32 bit system drivers
    and the code there is also written for 32 bits hard so the driver has to be rewritten too
    there is a 64 bit version of the compuware debug monitor that has a dbgmsg.sys for a 64 bit os - but thats it!?
    there are earlier boot options yes, that load that bootcfg.sys for example
    bootcfg then sets softice to load or not
    that changed quite a bit from the older "nt softice" versions - there, there were only ntice.sys and dbgmsg.sys - no cpthook or bootcfg
    you load softice in earlier boot (options 0) but you dont need to do that either
    you can load up the softice driver after windows has started too (icestealth can do this for you)
    if you want i can private message you how to do that (going back to your private message about windows 7)

    back to the boot phase, im not certain how softice searches for the functions it wants, there is usually only text displayed over hal.dll in ring0

    the "video problem" usually appears when softice is told to pop up
    the question would be what is going wrong here

    but 1 big problem is that in vmware this problem doesnt appear so its harder to search for this problem
    maybe if someone set me up a vmware that can debug into softice i could look at whats happening there (iceext would not go in that part i tried - command tracer)
    but its harder to see where softice failed without having the problem appear

    even todays debuggers rather use functions instead of making changes to the pde/ptes, not to talk about ring3 debuggers
    you have to do that to read out the data or write/edit data and even for the hardware video frame buffer

    Iczelion, hey its been a while since i heard that name, but thats something you still can use today
    but it leads up to the c# .net question, win32 api programming going backwards

    the ascii problem? maybe open it with an older editor, its pdf? cant say

    im not good with compilers as kayaker had to help me to set up the asm driver
    but then i could work on without problems

  7. #7
    Quote Originally Posted by Kayaker View Post
    I'm not presupposing anything, but if you'd ever like to get started with a VS2010 template showing a way to load and communicate with a driver, just so you know how it's done, or strip it back as a gui interface for other projects, or use it to play with 2010 Express project settings, feel free.
    Thanks for the links and material. Had a quick peek at IOCTL.cpp and noted the switch statement testing the 5 buttons. I read through the book on Windows Programming years ago, so I recognize a lot of the code for that part of the gui. In fact, I have generated a Windows GUI using C++ but have never added code.

    I am definitely interested in applying your code...thanks. I might begin with something seriously simple like noob code offered in K&R for converting Fahrenheit to Celsius. The implementation they offer does not really convert, it simply runs in a loop from 0F to 300F in steps of 20 degrees, printing out the converted C temperature as it goes. However, they included an important point in the code related to the difference between declaring the F and C variables as integers rather than float. I noted in your code that you have used one of the code simplifications they recommend.

    In the button 1 case statement you coded:

    for (i = IDC_RADIO0, j = -1 ; i <= IDC_RADIO15; i++, j++)

    This is an example of what K&R recommended rather than writing out individual loop statements. As they describe it, when iteration i is IDC_RADIO0, and the 2nd test for j = -1 is encountered, if j does = -1, the loop breaks and presumably goes to the error checking code. I had not known that loops in C were that smart, knowing what to do inside the loop brackets.

    If j != -1 it tests to see if the button # is <= button 5 then it does the rest of the code before coming back and incrementing i and j. I may be out a step here. Maybe it doesn't test for the button # till after it does one iteration.

    Anyway, I was thinking of rewriting the temperature converter so I could apply it to a template with buttons and maybe an input box. I could check the i/p box with getchar() and maybe clear it with a button. Something simple stupid so I can see how to work the template to interface with code, then maybe run it through sice or windbg to see what's going on.

    As I understand it, my temperature converter code has a main() function looking for input from elsewhere and returning (possibly) a value to that elsewhere. I know with Windows, the winmain function runs the message loop, after creating all the windows, and when told to terminate, it returns a value to 'something' allowing the code to enter the shutdown sequence.

    I am trying to get my mind around the templates and how they interact with the code but I'll need to look at one first to refresh my memory.
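As an added example (not code from the thread, nor from Kayaker's template), this C program shows the two constructs discussed in the post above: a for loop whose first and third clauses use the comma operator to drive two counters in lock-step, and the K&R Fahrenheit-to-Celsius loop in integer versus float arithmetic. The IDC_RADIO* values are assumed placeholders standing in for the template's resource IDs.

```c
#include <stdio.h>

/* Stand-ins for the IDC_RADIO0..IDC_RADIO15 resource IDs mentioned in the
 * thread; the numeric values are assumed, not taken from the template. */
#define IDC_RADIO0  1000
#define IDC_RADIO15 1015

/* Walk the control-ID range with two counters driven in lock-step.
 * The commas in the first and third clauses are the comma operator:
 * "i = IDC_RADIO0, j = -1" performs both assignments and tests nothing;
 * the only condition is the middle clause (i <= IDC_RADIO15).
 * Records the j seen for each ID in idx[] and returns the iteration count. */
int walk_radio_ids(int idx[], int max)
{
    int i, j, n = 0;
    for (i = IDC_RADIO0, j = -1; i <= IDC_RADIO15; i++, j++) {
        if (n < max)
            idx[n] = j;     /* j is -1 for IDC_RADIO0, 0 for IDC_RADIO1, ... */
        n++;
    }
    return n;
}

/* K&R Fahrenheit to Celsius in integer arithmetic: 5/9 is 0 in int, so the
 * multiplication comes first; the division still truncates toward zero. */
int fahr_to_celsius_int(int fahr)
{
    return 5 * (fahr - 32) / 9;
}

/* The same conversion in float keeps the fractional part. */
float fahr_to_celsius_float(float fahr)
{
    return (fahr - 32.0f) * 5.0f / 9.0f;
}

/* The K&R table loop: lower..upper in steps, int results into out[]. */
int fahr_table(int lower, int upper, int step, int out[], int max)
{
    int fahr, n = 0;
    for (fahr = lower; fahr <= upper; fahr += step) {
        if (n < max)
            out[n] = fahr_to_celsius_int(fahr);
        n++;
    }
    return n;
}

int main(void)
{
    int idx[16], cel[16], k;
    int n = walk_radio_ids(idx, 16);
    int m = fahr_table(0, 300, 20, cel, 16);
    printf("%d control IDs, j runs from %d to %d\n", n, idx[0], idx[n - 1]);
    for (k = 0; k < m; k++)
        printf("%3d F = %3d C (int) / %6.1f C (float)\n", k * 20, cel[k],
               fahr_to_celsius_float((float)(k * 20)));
    return 0;
}
```

Note that 0 F prints as -17 C in the int column but -17.8 C in the float column, which is the int-versus-float point K&R make.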

  8. #8
    Quote Originally Posted by Kayaker View Post
    I treat all code as C, never use classes and try to simplify compiler options as much as possible.
    Interesting. I had allowed myself to be talked into regarding C as too old but as I read through Stroustrup, he says nothing about that. In fact, it becomes clear that the main advantage of C++ is in application to large programs in which modularity and data hiding become an issue. He claims in his book that if modularity and data hiding are not an issue then procedural programming is adequate.

    Good to have you confirm that good old C still works.

    Quote Originally Posted by Kayaker View Post
    Initially, much of the code is probably going to be copy/paste examples of how to do things, like developing a message handling loop, or creating threads, or creating controls, or numerous other code snippets you like and develop into your own style.
    That's what I was hoping, to build up a personal library of reusable snippets.

    Quote Originally Posted by Kayaker View Post
    I usually use a dialog box with a basic listbox output and a bunch of blank buttons as a skeleton interface for most reversing work. The buttons are assigned to whatever code idea I'm working on, and is handled by a wm_command call.
    Good to know, thanks.
