Thread: How do you bpx on a class method??

  1. #1
    Jacques
    Guest

    How do you bpx on a class method??

    Greetings all,

    I posted this question a few weeks ago now... lots of people read it, but there were 0 replies. (I suppose that means that it was either not an easy question, or it's so silly nobody bothered to reply. :-) Anyways, I thought I would try again cause I'm still stuck:

    I have been using SoftIce for a few months now, but there is one thing that I can't figure out and haven't found any mention of in the documentation or any tutorial. The question is:

    How do you set a breakpoint on a class method?

    More specifically how do you set a breakpoint on a custom method like "MyClass::MyMethod()" or an MFC method like CString::Format()?

    I am certain that the symbols are loaded, and I can see "CClass::MyMethod" in the .nms file, so I don't think it's that. If I manage to find the location for "MyClass::MyMethod()" in the Softice code window, then I can set a breakpoint by double clicking on the label in the code window... but this is hardly a practical way of doing so.

    My guess is that the problem has something to do with C++ name mangling for class methods... but I don't know how to proceed from here.

    Anyone have any ideas?

    Thanks,
    Jacques
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Naides is Nobody
    Quote Originally Posted by Jacques
    Greetings all,


    Anyone have any ideas?

    Thanks,
    Jacques
    I am not sure I understand what you want to do.

    Do you have high level information like CString::Format() method is used in such and such situation? Are you debugging an app in which you have source code available, which may make such a question relevant?

    The typical work that goes on here happens in code that has been stripped from symbols, debug information, optimized, and not unusually encrypted and obfuscated, all of which make locating the code of a high level method unfeasible or perhaps unnecessary.

    IDA can recognize typical "signatures" of common use methods in libraries like MFC and label them in the disassembly accordingly, but this may not be what you want.
    Can you provide an example of the problem you want to solve??

  3. #3
    Jacques
    Guest
    Quote Originally Posted by naides
    I am not sure I understand what you want to do.

    Do you have high level information like CString::Format() method is used in such and such situation? Are you debugging an app in which you have source code available, which may make such a question relevant?

    The typical work that goes on here happens in code that has been stripped from symbols, debug information, optimized, and not unusually encrypted and obfuscated, all of which make locating the code of a high level method unfeasible or perhaps unnecessary.

    IDA can recognize typical "signatures" of common use methods in libraries like MFC and label them in the disassembly accordingly, but this may not be what you want.
    Can you provide an example of the problem you want to solve??
    Hi. First, here are the answers to your questions:

    1) I can't think of anything special about the situation.

    2) I do not have source code available, only what IDA provided.

    3) I pulled "MyClass::MyMethod()" and CString::Format() out of the air as examples of a class method implemented by the developer, and a standard class method that is part of MFC.

    I understand the type of reversing work that happens here, and I was doing something similar. I should also clarify that I misspoke in my initial post: I am not stuck in the sense that I can't accomplish my objective... that was resolved weeks ago. I am stuck on this in the sense that it's bugging me... I also don't understand why I can't say "bpx CString::Find" or "bpx CDialog::OnInitDialog".

    I did use IDA to disassemble the code in question, and it was IDA that provided the following at the top of the function disassembly:

    public: unsigned char __thiscall CVerifyI::VerifyInstallNmbr(char const*) const
    public ?VerifyInstallNmbr@CVerifyI@@QEEPBD@Z
    ?VerifyInstallNmbr@CVerifyI@@QEPBD@Z proc near

    A few lines down there was an IDA generated jmp label: loc_40003278

    I could not break on VerifyInstallNmbr() no matter what I tried, but breaking on loc_40003278 worked as expected.

    After generating the .nms file from IDA, and loading and translating it in the Symbol Loader, VerifyInstallNmbr() shows up as (in the Softice code window):

    CVerifyI::VerifyInstallNmbr(char

    (Not a typo, the label ends after the 'r')

    So the questions are:
    - Is it possible to say "bpx VerifyInstallNmbr" in some fashion?
    - Is the label truncation messing up Softice?

    In the more general case, why does "bpx CString::Find()" not work? Is it because Softice can only determine the mangled C++ name and not the developer friendly name because I have no .nms file for MFC? Or maybe this is where ordinals come in?

    I have probably confused things even more... thanks for your patience.
    Jacques

  4. #4
    Kayaker
    Hi

    If you break in the context of the program and type SYM, does your function and address show up, along with all the other nms symbols? In theory, that symbol name should be the one you can use in a breakpoint. If it doesn't, maybe you can simplify and undecorate it in IDA without the :: or brackets and try again.

    K.

  5. #5
    Jacques
    Guest
    Quote Originally Posted by Kayaker
    Hi

    If you break in the context of the program and type SYM, does your function and address show up, along with all the other nms symbols? In theory, that symbol name should be the one you can use in a breakpoint. If it doesn't, maybe you can simplify and undecorate it in IDA without the :: or brackets and try again.

    K.
    Hi Kayaker,

    Thanks for telling me about the SYM command, that's very useful... I definitely won't be forgetting that one.

    The function does show up in the list produced by SYM in the same truncated form as in the code window:

    CVerifyI::VerifyInstallNmbr(char

    I was about to try your second suggestion (renaming/simplifying the function name in IDA) when I noticed that perhaps I hadn't chosen the correct options in IDA when generating the MAP file. The three checkbox options for deciding what to include when generating the map file are:

    - Segmentation information
    - Autogenerated names
    - Demangle names

    Only the first one is checked by default, so I always used to check the other two as well because it made sense to include the autogenerated names and to demangle the names.

    I generated a new map file with "Demangle names" UNchecked, with the hope that this option was messing up the class::method symbols. Loaded the new .nms file in Softice, and the symbol is fixed! It is now:

    CVerifyI::VerifyInstallNmbr

    and simply typing "bpx CVerifyI::VerifyInstallNmbr" works just fine.

    Thanks a lot for your help!

    Jacques.
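    As an added illustration (not code from the thread, IDA or SoftICE), the following Python sketch models the two symbol-loading behaviours Jacques observed: a loader that splits each MAP line on whitespace keeps only `CVerifyI::VerifyInstallNmbr(char` from the demangled label, while decoding the scope prefix of the MSVC-decorated name yields the bare `CVerifyI::VerifyInstallNmbr` that `bpx` accepts. The whitespace-splitting loader is an assumption consistent with the truncated label; the MAP entries are constructed.

```python
import re

# Constructed MAP-style entries (segment:offset  name), modelled on the
# function in the thread. The first list is what "Demangle names" produces;
# the second carries the decorated form IDA printed above the function.
DEMANGLED_MAP = [
    "0001:00003200       CVerifyI::VerifyInstallNmbr(char const*) const",
    "0001:00003278       loc_40003278",
]
MANGLED_MAP = [
    "0001:00003200       ?VerifyInstallNmbr@CVerifyI@@QEEPBD@Z",
    "0001:00003278       loc_40003278",
]


def naive_loader(lines):
    """Assumed loader: split on whitespace, keep field 2 as the symbol.
    A demangled name with spaces is cut at its first space, reproducing
    the 'CVerifyI::VerifyInstallNmbr(char' label. Returns {symbol: addr}."""
    symbols = {}
    for line in lines:
        fields = line.split()
        if len(fields) >= 2:
            symbols[fields[1]] = fields[0]
    return symbols


def qualified_name_from_msvc(decorated):
    """Recover 'Scope::Name' from an MSVC-decorated symbol.
    MSVC writes '?' then the identifiers in reverse scope order, each
    terminated by '@', then '@@' and the type encoding:
    ?Method@Class@@<type> -> Class::Method. Only the name part is decoded.
    Special names (constructors '??0', templates '?$') return None."""
    m = re.match(r"^\?((?:[A-Za-z_$][\w$]*@)+)@", decorated)
    if not m:
        return None
    parts = m.group(1).rstrip("@").split("@")
    return "::".join(reversed(parts))


def load_symbols(lines):
    """Loader that undecorates names itself, so the stored symbol is the
    plain Class::Method that a 'bpx Class::Method' command can resolve."""
    symbols = {}
    for name, addr in naive_loader(lines).items():
        if name.startswith("?"):
            name = qualified_name_from_msvc(name) or name
        symbols[name] = addr
    return symbols
```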

  6. #6
    Kayaker
    Hey, glad it worked. Thanks for your explanation as well, that's definitely useful to know.

    Cheers,
    Kayaker
