reversing Qt programs


Shub-nigurrath
June 8th, 2008, 17:11
Hi all,
I am finding more and more targets using the Qt libraries, then I started to get interested in this framework, also from the reversing point of view.
What I found is that these programs are really difficult to follow because the library adds a lot of code to the programs and becomes hard to distinguish code of the application or of the library.

I was then wondering if there are some tutorials on Qt reversing or signatures for IDA or whatever someone did in the past.

10x in advance.
Shub

Daniel Pistelli
June 9th, 2008, 03:12
The MetaData compiler creates metadata for every Qt widget, this is necessary because Qt uses the signal / slot mechanism they invented. Meaning you can connect the signal of a child widget to the slot of the parent. This is great for GUI coding, but it should simplify the life of a reverser. Let's look at the C++ file generated by the moc for a QWidget:

Code:
QT_BEGIN_MOC_NAMESPACE
static const uint qt_meta_data_MainWindow[] = {

 // content:
       1,       // revision
       0,       // classname
       0,    0, // classinfo
      10,   10, // methods
       0,    0, // properties
       0,    0, // enums/sets

 // slots: signature, parameters, type, tag, flags
      12,   11,   11,   11, 0x0a,
      31,   22,   11,   11, 0x0a,
      49,   11,   11,   11, 0x08,
      56,   11,   11,   11, 0x08,
      63,   11,   11,   11, 0x08,
      72,   11,   11,   11, 0x08,
      78,   11,   11,   11, 0x08,
      85,   11,   11,   11, 0x08,
      93,   11,   11,   11, 0x08,
     101,   11,   11,   11, 0x08,

       0        // eod
};

static const char qt_meta_stringdata_MainWindow[] = {
    "MainWindow\0\0newFile()\0fileName\0"
    "openFile(QString)\0open()\0save()\0"
    "saveAs()\0cut()\0copy()\0paste()\0about()\0"
    "updateMenus()\0"
};

const QMetaObject MainWindow::staticMetaObject = {
    { &QMainWindow::staticMetaObject, qt_meta_stringdata_MainWindow,
      qt_meta_data_MainWindow, 0 }
};

const QMetaObject *MainWindow::metaObject() const
{
    return &staticMetaObject;
}

void *MainWindow::qt_metacast(const char *_clname)
{
    if (!_clname) return 0;
    if (!strcmp(_clname, qt_meta_stringdata_MainWindow))
        return static_cast<void*>(const_cast< MainWindow*>(this));
    return QMainWindow::qt_metacast(_clname);
}

int MainWindow::qt_metacall(QMetaObject::Call _c, int _id, void **_a)
{
    _id = QMainWindow::qt_metacall(_c, _id, _a);
    if (_id < 0)
        return _id;
    if (_c == QMetaObject::InvokeMetaMethod) {
        switch (_id) {
        case 0: newFile(); break;
        case 1: openFile((*reinterpret_cast< const QString(*)>(_a[1]))); break;
        case 2: open(); break;
        case 3: save(); break;
        case 4: saveAs(); break;
        case 5: cut(); break;
        case 6: copy(); break;
        case 7: paste(); break;
        case 8: about(); break;
        case 9: updateMenus(); break;
        }
        _id -= 10;
    }
    return _id;
}
QT_END_MOC_NAMESPACE


qt_metacall seems to respect the order of qt_meta_stringdata_MainWindow (counting only the methods marked with ()). So, it is possible in Qt to associate a name to a slot (of course). I wouldn't know how easy it is reversing Qt, but in theory it shouldn't be that difficult, even if the code added is in fact very much, we might just lack the necessary tools. An IDC script could solve the names for the methods of a QWidget, given the qt_metacall method and the qt_meta_stringdata_X.
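The script suggested in the post above, written here as an added example rather than code from the thread: it decodes a moc revision-1 `qt_meta_data_X` table against its `qt_meta_stringdata_X` blob and maps each `qt_metacall` case id to a method name. The flag bit values are assumed to match Qt 4's qmetaobject_p.h; the sample arrays are the MainWindow ones quoted above.

```python
# Added example (not from the post): decode a moc revision-1 metadata table into
# slot names, so the case ids in qt_metacall can be labelled in a disassembly.
# Flag bits follow Qt 4's qmetaobject_p.h (assumed to match the binary analysed).
ACCESS_NAMES = {0x00: "private", 0x01: "protected", 0x02: "public"}  # flags & 0x03
KIND_NAMES = {0x00: "method", 0x04: "signal", 0x08: "slot"}          # flags & 0x0c


def cstr_at(blob: bytes, offset: int) -> str:
    """Return the NUL-terminated string starting at `offset` in the string blob."""
    return blob[offset:blob.index(b"\0", offset)].decode("ascii")


def parse_moc_metadata(meta, stringdata: bytes):
    """Decode qt_meta_data_X against qt_meta_stringdata_X (moc revision 1).
    Header: revision, classname, classinfo(count, offset), methods(count, offset),
    properties, enums; then 5 ints per method: signature, parameters, type, tag, flags.
    Each method's list index is the case id qt_metacall's switch uses for it."""
    if meta[0] != 1:
        raise ValueError(f"unsupported moc revision {meta[0]}")
    class_name = cstr_at(stringdata, meta[1])
    count, offset = meta[4], meta[5]
    methods = []
    for i in range(count):
        sig, params, rtype, _tag, flags = meta[offset + 5 * i: offset + 5 * i + 5]
        methods.append({
            "id": i,
            "signature": cstr_at(stringdata, sig),
            "parameters": cstr_at(stringdata, params),
            "return_type": cstr_at(stringdata, rtype),  # "" means void here
            "access": ACCESS_NAMES.get(flags & 0x03, "?"),
            "kind": KIND_NAMES.get(flags & 0x0C, "?"),
        })
    return class_name, methods


def metacall_labels(meta, stringdata: bytes) -> dict:
    """Map each qt_metacall case id to a readable label for the disassembly."""
    cls, methods = parse_moc_metadata(meta, stringdata)
    return {m["id"]: f"{cls}::{m['signature']} [{m['access']} {m['kind']}]" for m in methods}


# Sample input: the two arrays from the moc output quoted above, re-typed here.
META_DATA_MAINWINDOW = [
    1, 0, 0, 0, 10, 10, 0, 0, 0, 0,                  # header
    12, 11, 11, 11, 0x0A,   31, 22, 11, 11, 0x0A,    # public slots
    49, 11, 11, 11, 0x08,   56, 11, 11, 11, 0x08,    # private slots
    63, 11, 11, 11, 0x08,   72, 11, 11, 11, 0x08,
    78, 11, 11, 11, 0x08,   85, 11, 11, 11, 0x08,
    93, 11, 11, 11, 0x08,  101, 11, 11, 11, 0x08,
    0,                                               # eod
]
STRINGDATA_MAINWINDOW = (b"MainWindow\0\0newFile()\0fileName\0openFile(QString)\0open()\0"
                         b"save()\0saveAs()\0cut()\0copy()\0paste()\0about()\0updateMenus()\0")
```

In a real binary the two arrays are found by following the pointers stored in `staticMetaObject`, which is what `metaObject()` returns.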

Externalist
June 10th, 2008, 09:13
I'm not sure but maybe this would help...?

http://www.reversing.org/taxonomy_menu/1/3