
IDA Pro, obtaining class information.


RCE
April 13th, 2011, 16:31
General information
IDA Pro 32-bit
Windows 7 64-bit
Visual Studio (old version)

Breakpoint address (the application successfully breaks at this address):
Code:
.text:00542DC7 movss xmm0, dword ptr [esi+18h]


Register at break:
Code:
esi = 15647ECC


If I understand correctly, esi points to the object and 18 is the offset of the member variable or function.
This is where esi takes me:
Code:
debug089:15647ECC db 54h

Where 54h is the byte representation of 0C0CA54 (double word).

0C0CA54 takes me to:
Code:
.rdata:00C0CA54 off_C0CA54 dd offset sub_543D50


0C0CA54+18 takes me to:
Code:
.rdata:00C0CA6C dd offset sub_543D30


sub_543D30:
Code:
void __thiscall sub_543D30(int this)
{
    sub_5428D0(this, COERCE_INT(180.0));
}

My conclusion:
Code:
class foo { /* 0x0C0CA54 */
public:
    float sub_5428D0(int i) {
        /* do nothing for now */
    }
    void sub_543D30() { /* 0x0C0CA54+18 */
        sub_5428D0(COERCE_INT(180.0));
    }
};


My question is if this is true, have I found the class and have I found the function?

If I did everything correctly, then my question is, how do I know where the class ends?

Maximus
April 14th, 2011, 04:09
...you can't: only virtual functions are stored in your v-table.

Also, if the class uses multiple inheritance, you'll end up having multiple tables.
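The two lookups in the first post are different things: `movss xmm0, dword ptr [esi+18h]` loads a float member at object offset 0x18, while following `[esi]` to the vtable and adding 0x18 reaches virtual slot 6 (sub_543D30). The script below, an added example that is not code from the thread, resolves both against a small constructed memory image and then scans the vtable until the first entry that is not a .text address, which is a common heuristic for bounding the table (not the class, as Maximus notes). The object contents, the .text range and every slot address other than sub_543D50 and sub_543D30 are assumed.

```python
import struct

# Constructed 32-bit little-endian memory image modelled on the thread's addresses.
# The bytes are assumed for illustration, not dumped from the real binary.
OBJ_ADDR = 0x15647ECC
VTABLE_ADDR = 0x00C0CA54
TEXT_RANGE = (0x00401000, 0x00C00000)  # assumed .text bounds for the code-pointer test

def build_image():
    """Return {base: bytes} regions: one heap object and one .rdata vtable."""
    # Object: vptr at +0, 0x14 bytes of other members, then a float at +0x18.
    obj = struct.pack("<I", VTABLE_ADDR) + b"\x00" * 0x14 + struct.pack("<f", 180.0)
    # Vtable: seven code pointers (slot 6 = sub_543D30 as in the post), followed by
    # a data word that is not a code address; that word marks where the table ends.
    slots = [0x543D50, 0x543D60, 0x543D70, 0x543D80, 0x543D90, 0x543DA0, 0x543D30]
    vt = b"".join(struct.pack("<I", s) for s in slots) + struct.pack("<I", 0x00C0CB00)
    return {OBJ_ADDR: obj, VTABLE_ADDR: vt}

def read_dword(mem, addr):
    for base, data in mem.items():
        if base <= addr <= base + len(data) - 4:
            return struct.unpack_from("<I", data, addr - base)[0]
    raise KeyError(f"unmapped address {addr:#010x}")

def member_float(mem, obj, off):
    """What `movss xmm0, dword ptr [obj+off]` actually loads: a float data member."""
    raw = read_dword(mem, obj + off)
    return struct.unpack("<f", struct.pack("<I", raw))[0]

def virtual_target(mem, obj, off):
    """What `call [[obj]+off]` would reach: (slot index, vtable address, function)."""
    vptr = read_dword(mem, obj)  # first dword of the object is the vptr
    return off // 4, vptr, read_dword(mem, vptr + off)

def vtable_slots(mem, vtable, text=TEXT_RANGE):
    """Heuristic: the vtable ends at the first entry that is not a .text address.
    This bounds the table only; a following table of another class, or RTTI data,
    can sit right after it, and non-virtual members never appear here at all."""
    found, addr = [], vtable
    while True:
        try:
            fn = read_dword(mem, addr)
        except KeyError:
            break
        if not (text[0] <= fn < text[1]):
            break
        found.append(fn)
        addr += 4
    return found
```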

RCE
April 14th, 2011, 06:21
Hmmm, what I want to do is translate the class to C++, and create a new instantiation and inject it into the application using dll injection.

How do you suggest I continue?

BanMe
April 14th, 2011, 11:22
Your terminology may have been in the wrong 'season'..

https://code.google.com/p/autumnframework/

This should give 'some' idea...

http://www.governmentsecurity.org/forum/?showtopic=31679

make sure to read the 'bottom post' @governmentsecurity

http://en.wikipedia.org/wiki/Object_copy#In_C.2B.2B

NsCopyObject Sounds like a good function.. o0

regards BanMe

RCE
April 14th, 2011, 11:29
I have been doing DLL injection for a couple years, I know how that works.

Problem is, I always did it based on information I received from a reverse engineer. My problem is that this time, I need to obtain the information myself.

I think what I need to do is obtain the function that creates these objects and hook it. Then I can create new objects of this kind with a minimal amount of information that needs to be defined in C++.

Sorry if my question from the previous post was unclear.


ps.
At the time of posting the first post, I was thinking about doing the following:
1, reverse the class
2, instantiate new object in dll from this class
The problem in doing this is that the application isn't aware of the object.
Using the method I describe in this post will probably be a faster and less buggy approach.

ps2.
I already contacted someone with a decent amount of RE experience to help me obtain the function that creates these objects. He hasn't replied yet, so if anyone else has some time for a remote session, let me know.

BanMe
April 14th, 2011, 12:21
Your words are so close to the 'correct answers'...

regards BanMe

RCE
April 14th, 2011, 13:16
Quote (originally posted by BanMe):
Your words are so close to the 'correct answers'...

regards BanMe


Not sure if I understand what you're saying.

Anyway, thanks for the ClassFactory link!