
Thread: C++ programming for reversing

  1. #1

    C++ programming for reversing

    Dusting off my C++ books but trying not to re-invent the wheel. Would appreciate input on the best way to proceed as far as writing relatively simple apps to use in reversing.

    I have literally no experience with C or C++ other than entering source files in a compiler and producing a working executable. I do have decent experience with Fortran and Basic, a long time ago, and I can get my way around assembly code. In fact, I have written small apps in Assembly to use on computer hardware.

    I have an excellent book on C++, written by Stroustrup, the guy who invented C++, as far as I know. I have reviewed 'types' and there is nothing in the concepts that baffle me. I get int, char, float, struct, etc. I have no issues with loops, stacks, calls, functions, local and global variables. I lack the finesse to sit down and write a good program but I get the structure of C++ wrt the curly brackets and deciphering statements. I get include files, declarations, etc.

    The thing I like about Stroustrup is the way he cuts to the heart of the matter. I have read countless books on C++ and when it comes to classes, most authors can't tell you what a class is. They talk around it. Stroustrup defines a class immediately as a user-defined type. Also, he defines user-defined types as abstractions (abstract data types), constructors as member functions of a class, and containers as a class holding members of the same type. Suddenly, the light went on.

    Really, if you take the abstracted bs out of C++, it's not much different than any other programming with functions and sub-routines, with the exception of modules that contain data and hide it. The rules are just different. To hear many authors talk on C++, you'd think it was a mysterious language.

    How deeply do I have to get into structures, classes, abstractions, containers, oop, etc., to write decent apps for reversing? Have you guys studied C++ formally or have you applied the language as needed? I quite enjoy getting deeper into the theory as offered by Stroustrup but even he urges not to try learning it all immediately, or even to try absorbing all the concepts at once.

    The thing I need right now is a practical application related to reversing. I know enough about Windows programming to realize there's a difference between a basic C++ app that is meant to run with a command window, and one written to create a GUI, with real windows.

    How did you guys get going?

  2. #2
    Kayaker (Teach, Not Flame)
    Myself I just use MS Visual Studio to create a default application/console/dll and build a reusable skeleton project from there. I treat all code as C, never use classes and try to simplify compiler options as much as possible. Initially, much of the code is probably going to be copy/paste examples of how to do things, like developing a message handling loop, or creating threads, or creating controls, or numerous other code snippets you like and develop into your own style.

    I usually use a dialog box with a basic listbox output and a bunch of blank buttons as a skeleton interface for most reversing work. The buttons are assigned to whatever code idea I'm working on, and are handled by a WM_COMMAND call. The listbox is to output debug messages and exception information. A good start is to create a separate cpp file to handle SEH exceptions from test code protected with a try/except routine, that you can reuse in other projects.

  3. #3
    api, protocols, mfc, win32, .net come later

    before you start you have to complete c/c++

    there are not so many differences between c and c++

    the best source might be "sams teach yourself in 21 days", it even got rolled up into more editions

    im not so good with different compilers but there are some, the compilers from ms are not that bad and since you are on windows that will do it

    either if its vc6 or the newer vc 9 - vc 16 series

    how deeply you have to know it to write an app, this answer is simple
    you do not need to, if you want you can write everything in assembly, but c code is public and widely used

    how deeply you have to know c++ to write a reverse app is a different question
    you have to understand the c++ code to write a reverse app, as you have to transfer c++ code to a reverse application
    that code might be public or was written in that code so you know exactly how to transfer it from assembly reverse and the opposite
    but thats not all, you also need to know how to create an app and understand pe, assembly, a disassembler or such things
    softice ? for a hardware based video write you need to know the paging system in protected mode, you need a mask to draw digits over a pure video buffer
    what is higher skilled than a classical ring3 debugger does, its just a "drawtext" function for example
    not having a deeper understanding of how this really works

    time for more people to join in the conversation and extend it

  4. #4
    Quote Originally Posted by Kayaker View Post
    I treat all code as C, never use classes and try to simplify compiler options as much as possible.
    Interesting. I had allowed myself to be talked into regarding C as too old but as I read through Stroustrup, he says nothing about that. In fact, it becomes clear that the main advantage of C++ is in application to large programs in which modularity and data hiding become an issue. He claims in his book that if modularity and data hiding are not an issue then procedural programming is adequate.

    Good to have you confirm that good old C still works.

    Quote Originally Posted by Kayaker View Post
    Initially, much of the code is probably going to be copy/paste examples of how to do things, like developing a message handling loop, or creating threads, or creating controls, or numerous other code snippets you like and develop into your own style.
    That's what I was hoping, to build up a personal library of reusable snippets.
    Quote Originally Posted by Kayaker View Post
    I usually use a dialog box with a basic listbox output and a bunch of blank buttons as a skeleton interface for most reversing work. The buttons are assigned to whatever code idea I'm working on, and are handled by a WM_COMMAND call.
    Good to know, thanks.

  5. #5
    Quote Originally Posted by Elenil View Post
    there are not so many differences between c and c++ ....the best source might be "sams teach yourself in 21 days", it even got rolled up into more editions
    I've owned a copy of Kernighan and Ritchie on C for years. Apparently Ritchie is given credit for inventing the C language and Kernighan came into it later as a co-author of the book 'The C Programming Language'. Kernighan was a computer scientist from Bell Labs, as was Ritchie. I'll see if I can find the Sams book, which likely has coding examples that can be applied immediately. I have a similar book on C++, 'Rescued by C++', although the theory sucks compared to that of Stroustrup's 'The C++ Programming Language'. The book is well-structured, however, with bite-sized chapters on the essentials.

    Quote Originally Posted by Elenil View Post
    either if its vc6 or the newer vc 9 - vc 16 series
    I've had Visual C++ 2010 Express loaded under W7 for years. I don't want to get too new or too old, although I recently read a guy's blog in which he claimed to have to go back to version 6 to get a compiler to work on his recompilation of a Windows kernel.

    Having said that, I was reading through my MASM 6.1 reference the other night, (I bought it originally with 4 floppy disks), and it calls for version 5 if you want to integrate MASM into the C++ version.

    Anyone have ideas on that?

    Quote Originally Posted by Elenil View Post
    ...if you want you can write everything in assembly, but c code is public and widely used...
    Good point. I don't plan on redistributing code, so the rules can be bent. I plan to cover Assembly at the same time and the Microsoft books that come with the MASM app are excellent for that if not overly formal. I still keep a copy of one of the books, 'The Microsoft MASM Reference' beside the computer for quick lookup of Assembly/machine instructions. It has a handy ASCII chart in the back.

    Quick question regarding that. I downloaded the same book recently but the ASCII chart table characters appear as a checkerboard pattern rather than the actual characters. Seems to be related to postscript, rasterized, type 1 fonts missing in Adobe reader DC. Any ideas? The rest of the book fonts are fine.

    Quote Originally Posted by Elenil View Post
    how deeply you have to know c++ to write a reverse app is a different question
    you have to understand the c++ code to write a reverse app, as you have to transfer c++ code to a reverse application ....but thats not all, you also need to know how to create an app and understand pe, assembly, a disassembler or such things
    That's what has rekindled my interest. I knew I'd have to transfer C/C++ code but I also need to understand what it does and how to interface with it. I have enough understanding of both languages, plus Assembly, to follow C/C++/Assembly source, I just want to get better at understanding it faster.

    I have worked extensively with IDA and have a good understanding of the PE header, although I am a bit rusty with the latter. Another good reason to learn C/C++...to write plugins for IDA, or maybe even windbg.

    I have LordPE loaded and other tools that help with the PE header but I have learned to find my way through the header itself manually. I have a better understanding of Assembly than C/C++ but I cannot write an app in Assembly. Tell a lie, I have written small Assembly routines for hardware applications, even coded at machine level for the same. Some people are doing extensive mods of the BIOS on mobos to enable features in XP on modern chipsets that were never available on XP.

    Been looking at the Iczelion tutes again.

    Quote Originally Posted by Elenil View Post
    softice ? for a hardware based video write you need to know the paging system in protected mode, you need a mask to draw digits over a pure video buffer...what is higher skilled than a classical ring3 debugger does, its just a "drawtext" function for example, not having a deeper understanding of how this really works
    The video problem is intriguing but I'd like to know how sice works from the time an OS like XP is booting. In my naivete, I was hoping to use windbg in remote k-mode to intercept the OS as it is loading. As you know, driverstudio gives the option early in the boot phase to turn sice on or off. That suggests to me that the sice drivers are active early in the boot phase. An early hook maybe, or something even more devious???

    If that is the case, would it be out of the question to port sice to 64 bit and adjust its symbol interface to work on a newer OS? This question is most certainly naive at this point.

    I have enough understanding of the memory paging system to be dangerous. I have read through the books on the Windows kernel extensively, much of it rusty by now, but it's not as if I am starting from the beginning. My weakness right now is understanding the registers used and the tables to which they point. I have worked enough with similar tables in the Windows kernel mode so that I am not a complete noob at that either.
    Last edited by WaxfordSqueers; December 31st, 2019 at 09:10.

  6. #6
    Kayaker (Teach, Not Flame)
    I was going to mention that. I always used VC6++ for the purpose of inline __asm{}. Perhaps for other compiling reasons as well, but I do remember there being an issue with the __asm inline syntax in anything > VC6++. That said, I do seem to have old VS2010 code in which I used __asm{cpuid} in what appears to be working code, so easy enough to check when you get to it.

    Other than the rootkitty stuff, I often used __asm{int 3} as a way to break into Softice to trace my code, with NMS files for source debugging, so it was very handy in XP.

    I'm not presupposing anything, but if you'd ever like to get started with a VS2010 template showing a way to load and communicate with a driver, just so you know how it's done, or strip it back as a gui interface for other projects, or use it to play with 2010 Express project settings, feel free.

    The SystemVA's entry in my blog post has well used source code for a Win7 32 bit driver and dialog box, the basic code framework I used many times. In Win10 the dialog will inform you OS not supported.

    http://www.woodmann.com/forum/entry....ce-in-Windows7
    http://www.woodmann.com/forum/attachment.php?attachmentid=2421&d=1296422476
    You seem to be getting deeper into a lot of reversing ideas and programming, cool.

  7. #7
    i would call no one here a noob, that would be a misinterpretation, especially not the ones who have been longer on this forum, there is quite a skill in this forum

    the problem might be that everything heads off to a c# .net environment which at some point fuses windows with linux
    and in my opinion leads to the end of windows
    i wonder if microsoft is knowing that they might have made a bad decision here

    the problem with the pde/pte in pae and others is that when you make writes you have to unprotect them, also the things like dirty flags have to be restored
    if not, better you restore just the entire entries

    my softice antivalent writes new pde/pde entries directly to the physical memory in ring0

    that problem being persistent for iceext, i wrote a routine which reads out the current flags in protected mode
    over the control registers like PSE, PAE, that determined the current situation based on hardware flags

    we dont necessarily need to make a 64 bit version for softice, there is a windows 10 32 bit - which is already present with all kinds of software (by far enough)
    that is hardly possible for the current softice drivers too
    they are made for 32 bit system drivers
    and the code there is also written for 32 bits hard so the driver has to be rewritten too
    there is a 64 bit version of the compuware debug monitor that has a dbgmsg.sys for a 64 bit os - but thats it!?
    there is an earlier boot option yes, that loads that bootcfg.sys for example
    bootcfg then sets softice to load or not
    that changed quite a bit from the older "nt softice" versions - there were only ntice.sys and dbgmsg.sys - no cpthook or bootcfg
    you load softice in earlier boot (option 0) but you dont need to do that either
    you can load up the softice driver after windows has started too (icestealth can do this for you)
    if you want i can private message you how to do that (going back to your private message about windows 7)

    back to the boot phase, im not certain of softice searching for the functions it wants, there is usually only text displayed over hal.dll in ring0

    the "video problem" usually appears when softice is told to pop up
    the question would be what is going wrong here

    but 1 big problem is that in vmware this problem doesnt appear so its harder to search for this problem
    maybe if someone set me up a vmware that can debug into softice i could look at whats happening there (iceext would not go in that part i tried - command tracer)
    but its harder to see where softice failed without having the problem appear

    even todays debuggers rather use functions instead of making changes to the pde/ptes, not to talk about ring3 debuggers
    you have to do that to read out the data or write/edit data and even for the hardware video frame buffer

    Iczelion, hey its been a while since i heard that name, but thats something you still can use today
    but it leads up to the c# .net question, win32 api programming going backwards

    the ascii problem ? maybe open it with an older editor, its pdf ? cant say

    im not good with compilers as kayaker had to help me to set up the asm driver
    but then i could work on without problems

  8. #8
    Quote Originally Posted by Kayaker View Post
    I'm not presupposing anything, but if you'd ever like to get started with a VS2010 template showing a way to load and communicate with a driver, just so you know how it's done, or strip it back as a gui interface for other projects, or use it to play with 2010 Express project settings, feel free.
    Thanks for the links and material. Had a quick peek at IOCTL.cpp and noted the switch statement testing the 5 buttons. I read through the book on Windows Programming years ago so I recognize a lot of the code for that part of the gui. In fact, I have generated a Windows GUI using C++ but have never added code.

    I am definitely interested in applying your code...thanks. I might begin with something seriously simple like noob code offered in K&R for converting Fahrenheit to Celsius. The implementation they offer does not really convert, it simply runs in a loop from 0F to 300F in steps of 20 degrees, printing out the converted C temperature as it goes. However, they included an important point in the code related to the difference between declaring the F and C variables as integers rather than float. I noted in your code that you have used one of the code simplifications they recommend.

    In the button 1 case statement you coded:

    for (i = IDC_RADIO0, j = -1 ; i <= IDC_RADIO15; i++, j++)

    This is an example of what K&R recommended rather than writing out individual loop statements. As they describe it, when iteration i is IDC_RADIO0, and the 2nd test for j = -1 is encountered, if j does = -1, the loop breaks and presumably goes to the error checking code. I had not known that loops in C were that smart, knowing what to do inside the loop brackets.

    If j != -1 it tests to see if the button # is <= button 5 then it does the rest of the code before coming back and incrementing i and j. I may be out a step here. Maybe it doesn't test for the button # till after it does one iteration.

    Anyway, I was thinking of rewriting the temperature converter so I could apply it to a template with buttons and maybe an input box. I could check the i/p box with getchar() and maybe clear it with a button. Something simple stupid so I can see how to work the template to interface with code, then maybe run it through sice or windbg to see what's going on.

    As I understand it, my temperature converter code has a main() function looking for input from elsewhere and returning (possibly) a value to that elsewhere. I know with Windows, the winmain function runs the message loop, after creating all the windows, and when told to terminate, it returns a value to 'something' allowing the code to enter the shutdown sequence.

    I am trying to get my mind around the templates and how they interact with the code but I'll need to look at one first to refresh my memory.
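    As an added example, not code from the thread or from Kayaker's template: the two C points raised in post #8 side by side. The K&R temperature table is built once with int arithmetic (5*(f-32)/9, because 5/9 is 0 for ints) and once with float, and a two-counter for header mirrors the quoted loop: the comma in the first clause initializes both counters, the middle clause is the only condition tested each pass. FIRST_ID/LAST_ID stand in for IDC_RADIO0/IDC_RADIO15 and all function names are this example's own.

    ```c
    #include <stdio.h>

    /* Integer form exactly as K&R order it: multiply before dividing.
     * (5/9)*(f-32) would always be 0 because 5/9 truncates to 0 in int. */
    int celsius_int(int fahr)
    {
        return 5 * (fahr - 32) / 9;     /* still truncated toward zero */
    }

    /* Floating-point form keeps the fractional degrees. */
    float celsius_float(float fahr)
    {
        return (5.0f / 9.0f) * (fahr - 32.0f);
    }

    /* Placeholders for the dialog's resource ids in the original post. */
    #define FIRST_ID 100    /* stands in for IDC_RADIO0 */
    #define LAST_ID  115    /* stands in for IDC_RADIO15 */

    /* Fill table[n] = { control id, index } using the two-counter for header.
     * 'id = FIRST_ID, idx = -1' is one initializer with the comma operator:
     * both assignments run once, before the first pass. 'idx = -1' is never
     * a test. 'id <= LAST_ID' is the only condition checked each iteration,
     * and 'id++, idx++' advances both counters together after each body.
     * Returns the number of rows written (capped at rows). */
    int build_table(int table[][2], int rows)
    {
        int id, idx, n = 0;
        for (id = FIRST_ID, idx = -1; id <= LAST_ID; id++, idx++) {
            if (n >= rows)
                break;                  /* never write past the caller's array */
            table[n][0] = id;
            table[n][1] = idx;
            n++;
        }
        return n;
    }

    /* Helper for checking: one cell of a freshly built 16-row table. */
    int table_entry(int row, int col)
    {
        int table[16][2];
        int n = build_table(table, 16);
        if (row < 0 || row >= n || col < 0 || col > 1)
            return -999;                /* sentinel for an out-of-range lookup */
        return table[row][col];
    }

    int main(void)
    {
        int fahr;
        /* K&R's loop: 0F to 300F in steps of 20, both conversions shown. */
        for (fahr = 0; fahr <= 300; fahr += 20)
            printf("%3d F  int: %4d C   float: %6.1f C\n",
                   fahr, celsius_int(fahr), celsius_float((float)fahr));

        int table[16][2];
        int n = build_table(table, 16);
        printf("%d rows: first {%d,%d} last {%d,%d}\n", n,
               table[0][0], table[0][1], table[n - 1][0], table[n - 1][1]);
        return 0;
    }
    ```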

  9. #9
    Quote Originally Posted by Elenil View Post
    i would call no1 here a noob that would be a misinterpretation special not the ones who longer on this forum there is quite a skill in this forum
    I just call myself a noob in certain areas. When I studied Fortran, I did it formally, at university, in a computer science class. I have also used Assembly and machine code with computer hardware in the field, as well as Basic. In those days, Basic could be coded on the screen and executed immediately, without compiling, to get a response from hardware. Things have changed.

    If I try to learn C/C++ properly, I will still be trying years from now. I have to keep reminding myself that I am reversing. By the same token, I don't want to pick up bad programming habits and that's why I categorize myself as a noob. I think there is a way to apply C/C++ and Assembly specifically rather than covering every detail of the languages in general.

    I already understand a lot of the basics. Fortran uses subroutines and basics like arrays, loops, and structures are fairly common to all languages I have seen. The data types are similar as well. And they all share a common annoyance. If you leave out a comma, a semi-colon, or another syntax device, the compiler is sure to give you an error message that makes no sense.

  10. #10
    blabberer (Super Moderator)
    In those days, Basic could be coded on the screen and executed immediately, without compiling, to get a response from hardware. Things have changed.
    nah just names have changed

    [attached image: wax.JPG]

    and your fahren to cel without compiling

    [attached image: pymdog.gif]
    Last edited by blabberer; January 3rd, 2020 at 00:26.

  11. #11
    next comes the usage
    c/c++ only shows how the language works

    not what the compiler wants
    not what the linker wants
    nor what the pe header norm would look like
    or what the function wants

  12. #12
    Quote Originally Posted by blabberer View Post
    nah just names have changed
    Interesting. If I recall correctly, you can run Python under windows using cygwin, or something. Are those windows in your examples being generated by Python internally or can Python access the Windows windows?

    In my reply, I was referring more to the bad old days in the hardware field where we used a Basic interactive interpreter directly to access the heads on a hard drive and position them to a certain cylinder. We could even test the drive by specifying a cylinder range and have the heads seek between the ranges. A lot like your brief Python code.

    There are Russian low level apps that can still do that on Windows but on one app you need an add-on card in a PCI bus slot to reach the disk directly to achieve full implementation. There are many tables and data structures on hard drives hidden from Windows, both in the HDD BIOS and on the disk, in an area reserved for the HDD itself.

  13. #13
    blabberer (Super Moderator)
    python can run natively in windows
    no need for cygwin
    no need for mingw /msys
    no need for any layers or vm

    it is pythonw.exe (native windows executable)

    the MessageBoxA is a WindowsApi
    The SimpleGetInput is a mfc api

    pywin or ctypes under python can use these native windows APIs

  14. #14
    Quote Originally Posted by blabberer View Post
    it is pythonw.exe (native windows executable)....pywin or ctypes under python can use these native windows APIs
    Cool!! Thanks for the info.

    Have not given up on windbg, you have opened my eyes to its power and usefulness. Looking to try a remote connection to XP along the lines of this:

    https://github.com/MovAX0xDEAD/KDNET

    I know how you feel about an older OS like XP and I cannot explain my interest. One good reason for me is that M$oft, supported by Intel, have gone out of their way to block users using XP and W7 on newer chipsets. I got W7 running on a 300-series chipset only to find that M$oft had blocked access to updates for users with newer mobos. Not only that, for the last couple of years they have been including updates aimed specifically at pushing users toward W10. One of them secretly downloaded W10 components onto existing W7 installs.

    I have W10 dual booting with W7 on a desktop and my laptop is W7. I can see the advantage of W10 in certain ways. For example, I got my windbg k-mode remote sessions going using W10 and once established, the setup ran on W7. Therefore, W10 is more advanced than W7 wrt windbg. However, I fail to see a significant difference between the two as far as general performance is concerned. W10 still has that annoying touch-screen focus, for example, not to mention the blatant spying.

    I had XP on a hard drive and I was curious to see if it would even run on a new mobo. It would not, although w7 ran fine, except for the USB mouse/keyboard. Had to use a PS/2 input. Surprisingly, all XP needed was a modded ACPI driver and a SATA miniport driver to get it to the desktop. Good news for me since many of my reversing tools/apps are on XP. My NVidia GT-730 and my Creative XFi video/sound cards are now running fine on XP with minimal adjustments. I have USB running via an add-on card (Vantec....using a VIA chipset) designed for w7 using XP drivers I found on the Net.

    There is a new situation arising that has me concerned. There is a move to hard drives with a native 4096 bytes/sector format. Currently, most of those drives have a 512 byte/sector emulation but if the native format sans emulation takes off I fear those of us with the older hard drives will be out of luck as far as recovering data via a saved disk image. An image saved at 512 bytes/sector cannot be recovered onto a disk written natively at 4096 bytes/sector.

    What are we going to do when all disks sold, including SSDs, are hard coded for 4096 bytes/sector? The only solution I can see is to reload every app from disk. That is surely by design, to force users to buy new disks and maybe new software while moth-balling all their old hardware. I am personally looking into buying a stock of hard drives with the old 512 b/s formatting.

  15. #15
    Quote Originally Posted by Elenil View Post
    next comes the usage
    c/c++ only shows how the language works

    not what the compiler wants
    not what the linker wants
    nor what the pe header norm would look like
    or what the function wants
    For me, C/C++ will show the meaning of the code. That's what I want to know, what does the code in an export or import mean? What was the programmer thinking? How does it affect the hardware and what does the interface look like between the processor, memory, etc. and the user. My main problem is a lack of visualization of how an application interfaces with memory and/or peripherals.

    For example, with the app kayaker just posted, I can understand most of the C++ code, I just don't get how it uses windows functions to access memory. From what I have seen, however, a bit of research will reveal that.

    It's not as if we are looking at reversing Windows itself; we are focused only on certain exports in certain modules. Here's the github project in which ntoskrnl source code is presented. Don't know which version.

    https://github.com/Zer0Mem0ry/ntoskrnl

    From my experience with compilers, they are very logical. They are very strict about syntax and sometimes offer errors that are misleading. If I remember correctly, the compiler does highlight the area of source code with which it had a problem. Once the modules are compiled, I don't see why the linker should have much of a problem. Also, as kayaker pointed out, you can use a minimal set of compiler directives since the intention is not to make the compilations backward compatible or for general usage.

    Maybe my memory has become naive, not to mention deluded.
