Trying to decompile a MFC snippet code


dion
January 21st, 2013, 18:11
Hi,

I've been trying to figure out what kind of code can produce output similar to this:

Code:
.text:004070A2 mov ecx, offset CWnd1
.text:004070A7 mov [esi+70h], eax
.text:004070AA call ?GetMainWnd@CWinThread@@UAEPAVCWnd@@XZ ; CWinThread::GetMainWnd(void)
.text:004070AF xor ebx, ebx
.text:004070B1 cmp eax, ebx
.text:004070B3 jnz short loc_4070B9
.text:004070B5 xor eax, eax
.text:004070B7 jmp short loc_4070BC
.text:004070B9 ; ---------------------------------------------------------------------------
.text:004070B9
.text:004070B9 loc_4070B9: ; CODE XREF: gamestart-2BDj
.text:004070B9 mov eax, [eax+1Ch]
.text:004070BC
.text:004070BC loc_4070BC: ; CODE XREF: gamestart-2B9j
.text:004070BC mov ecx, [esi+40h]
.text:004070BF push offset off_4E6A98
.text:004070C4 push ecx
.text:004070C5 push eax
.text:004070C6 call dword ptr [esi+70h] ; GameInit()


I tried to figure out the parameters of GameInit(). By trial and error, I got the following code (which matches a little bit):

Code:

CWinThread* pThread = AfxGetThread();        // current thread object
CWnd* m_pMainWnd = pThread->GetMainWnd();    // virtual call through the vtable
HWND test = m_pMainWnd->m_hWnd;              // read the window handle member


But it's not right. The disassembled form of the above code is:

Code:

102: CWinThread* pThread = AfxGetThread();
004012FD call AfxGetThread (00401854)
00401302 mov dword ptr [ebp-8],eax
103:
104: CWnd* m_pMainWnd = pThread->GetMainWnd();
00401305 mov eax,dword ptr [ebp-8]
00401308 mov edx,dword ptr [eax]
0040130A mov esi,esp
0040130C mov ecx,dword ptr [ebp-8]
0040130F call dword ptr [edx+7Ch]
00401312 cmp esi,esp
00401314 call _chkesp (0040191a)
00401319 mov dword ptr [ebp-0Ch],eax
105:
106: HWND test = m_pMainWnd->m_hWnd;
0040131C mov eax,dword ptr [ebp-0Ch]
0040131F mov ecx,dword ptr [eax+20h] ;<<<<<<<< see this
00401322 mov dword ptr [ebp-10h],ecx


So for the 1st param, I got a near match: eax+20h instead of eax+1Ch. I looked into the CWnd structure, and it's weird. It says m_hWnd is the first data member. Judging from the number, it should have previous data members, but it seems I can't find them in the list (i.e. typing "m_pMainWnd->" and then looking at the list in the MSVC IDE, then compiling and looking at the code). Can anyone help or give a hint?

Thanks

bilbo
January 22nd, 2013, 10:45
Try this simple program (assuming it is called try.cpp)
Code:

// compile from VS Command Prompt as cl -MT try.cpp

#include <afxwin.h>   // MFC: CWnd
#include <stddef.h>   // offsetof
#include <stdio.h>    // printf

int
main(void)
{
	// print the byte offset of m_hWnd inside CWnd, in hex
	printf("%x\n", (unsigned)offsetof(CWnd, m_hWnd));
	return 0;
}


In VS2010 (MFC 10.0) the output is 20, as you found out;
but in VS6 (MFC 4.2) the output is 1C!

Best regards, bilbo

dion
January 22nd, 2013, 11:06
Quote:
[Originally Posted by bilbo;94080]Try this simple program (assuming it is called try.cpp)
Code:

// compile from VS Command Prompt as cl -MT try.cpp

#include <afxwin.h>   // MFC: CWnd
#include <stddef.h>   // offsetof
#include <stdio.h>    // printf

int
main(void)
{
	// print the byte offset of m_hWnd inside CWnd, in hex
	printf("%x\n", (unsigned)offsetof(CWnd, m_hWnd));
	return 0;
}


In VS2010 (MFC 10.0) the output is 20, as you found out;
but in VS6 (MFC 4.2) the output is 1C!

Best regards, bilbo


Thanks for the insight, bilbo.
But actually, I code in MSVC6 SP5 Ent edition, not in VS2010. I checked my output program's DLL dependencies; it is MFC42D.DLL. So what did I do wrong?

bilbo
January 23rd, 2013, 07:53
I see...
You are compiling using MFC as a dynamic library, while they are using MFC as a static library.
Compile the program above as
Code:
cl -W3 -MD -D_AFXDLL try.cpp
and you will obtain 0x20, no longer 0x1C.
The difference is in the member
Code:
static const AFX_MSGMAP* PASCAL _GetBaseMessageMap();
(see AFXWIN.H)

Best regards, bilbo
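The check bilbo's try.cpp performs, generalised into a small tool, as an added example that is not code from the thread and not MFC's headers: it builds an offset table with offsetof() for the layout you compiled against, parses the displacement out of an IDA-style operand such as "[eax+1Ch]", and reports which member (if any) starts there under each layout. The two structs are a constructed stand-in for CWnd: every field is a 32-bit word so the result is the same on any host, and the words before m_hWnd (named base_words here, a hypothetical name) only model the base-class storage with a count chosen so that m_hWnd lands where the thread observed it (0x1C static, 0x20 with _AFXDLL). They are not MFC's real member list; to check a real build, replace the models with offsetof(CWnd, ...) values from try.cpp compiled with the same flags as the target.

```cpp
// Added example, not code from the thread. Models the technique bilbo
// describes: compute member offsets with offsetof() for the layout you
// compiled against and compare them with the displacement IDA shows.
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Constructed stand-in for CWnd (NOT MFC's real member list). All fields are
// 32-bit words so offsets are host-independent.
struct WndModelStatic {
    uint32_t vfptr;          // vtable pointer slot
    uint32_t base_words[6];  // hypothetical base-class members, 0x04..0x1B
    uint32_t m_hWnd;         // 0x1C, as in the game binary (static MFC 4.2)
};

struct WndModelDynamic {
    uint32_t vfptr;
    uint32_t base_words[7];  // one extra word in the _AFXDLL model, 0x04..0x1F
    uint32_t m_hWnd;         // 0x20, as in dion's MFC42D.DLL test build
};

struct MemberOffset {
    const char* name;
    size_t offset;
};

// Offset tables computed with offsetof(), exactly what try.cpp prints.
static const MemberOffset kStaticLayout[] = {
    {"vfptr",  offsetof(WndModelStatic, vfptr)},
    {"m_hWnd", offsetof(WndModelStatic, m_hWnd)},
};
static const MemberOffset kDynamicLayout[] = {
    {"vfptr",  offsetof(WndModelDynamic, vfptr)},
    {"m_hWnd", offsetof(WndModelDynamic, m_hWnd)},
};

size_t hwnd_offset(bool dynamic_mfc) {
    return dynamic_mfc ? offsetof(WndModelDynamic, m_hWnd)
                       : offsetof(WndModelStatic, m_hWnd);
}

// Parse the displacement out of an IDA/MASM-style memory operand such as
// "mov eax, [eax+1Ch]". IDA prints displacements in hex with an 'h' suffix
// (values below 10 carry no suffix and read the same in either base).
// Returns the displacement, 0 for "[reg]", or -1 if no memory operand parses.
long parse_ida_displacement(const char* insn) {
    const char* open  = strchr(insn, '[');
    const char* close = open ? strchr(open, ']') : nullptr;
    if (!open || !close) return -1;
    const char* plus = strchr(open, '+');
    if (!plus || plus > close) return 0;           // "[esi]": no displacement
    const char* p = plus + 1;
    long value = 0;
    bool any_digit = false;
    while (p < close && isxdigit((unsigned char)*p)) {
        int c = tolower((unsigned char)*p);
        value = value * 16 + (isdigit(c) ? c - '0' : c - 'a' + 10);
        ++p;
        any_digit = true;
    }
    if (!any_digit) return -1;
    if (p < close && (*p == 'h' || *p == 'H')) ++p;  // MASM hex suffix
    return p == close ? value : -1;
}

// Name the member starting at a displacement under one layout, or nullptr if
// nothing in the table starts there (e.g. 0x1C under the dynamic layout).
const char* member_at_offset(bool dynamic_mfc, long disp) {
    const MemberOffset* table = dynamic_mfc ? kDynamicLayout : kStaticLayout;
    size_t n = dynamic_mfc ? sizeof(kDynamicLayout) / sizeof(kDynamicLayout[0])
                           : sizeof(kStaticLayout) / sizeof(kStaticLayout[0]);
    if (disp < 0) return nullptr;
    for (size_t i = 0; i < n; ++i)
        if (table[i].offset == (size_t)disp) return table[i].name;
    return nullptr;
}

int main() {
    // Constructed sample lines in the style of the listings in the thread.
    const char* lines[] = {
        "mov eax, [eax+1Ch]",   // game binary
        "mov ecx, [eax+20h]",   // dion's test build
    };
    for (const char* line : lines) {
        long d = parse_ida_displacement(line);
        const char* s = member_at_offset(false, d);
        const char* y = member_at_offset(true, d);
        printf("%-22s disp=0x%02lx  static:%-8s dynamic:%s\n",
               line, d, s ? s : "?", y ? y : "?");
    }
    return 0;
}
```

The point the output makes is the one bilbo reached: the displacement 0x1C read from the game only resolves to m_hWnd under the static-MFC layout, so an offset table must be generated with the same MFC version and link mode (-MT versus -MD -D_AFXDLL) as the target binary before it is used to label disassembly.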