View Full Version : mfc42 reference


Infirmus
August 14th, 2005, 05:21
How can I find out what calling mfc42.#xxx does? Can I find a reference somewhere that will help me convert this code into a function that can be found in the MSDN documentation?

Eg.
0040126E . E8 2D180100 CALL <JMP.&mfc42.#860>
What is going on here?

As far as I can figure out this is something to do with menus - if i could work out which function listed here at MSDN ("http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcmfc98/html/_mfc_cmenu.asp") I might get somewhere.

Any help appreciated. Thanks.

Ricardo Narvaja
August 14th, 2005, 10:57
use ida and export to a map file and use plugin mapconv to import to olly

Ricardo Narvaja

blabberer
August 15th, 2005, 07:33
well there was a utility called mfcspy on some chinese site, pediy i think, which decoded all those vtable calls
also in ollydbg if you take a look at the call tree it almost shows the vtable names

Infirmus
August 16th, 2005, 07:27
IDA refuses to open this particular exe. It freezes on "Please wait"..

I don't know how to use the information mfcspy gives me.... and I can't get the call tree window to come up in ollydbg ("ctrl - k" right?).

I'm a noob, so please be patient ;-)

Had limited success by importing the mfc42.lib file from VC++ 6, but only limited success, e.g. what does

004013BB . E8 C8160100 CALL xxxxxx.00412A88 ; JMP to MFC42.#823_??2@YAPAXI@Z

mean?

Someone mentioned in another thread that the mfc42.lib way wasn't the best way to go. But IDA won't work, grrr. The exe is packed with PECompact 2.x but other PECompact packed exes seem to open fine.

Also some specific instructions for exporting maps in IDA and how to use the call tree would be appreciated.

Thanks.

blabberer
August 16th, 2005, 08:27
mfcspy gives all those information apparently like dede
i tried it just once or twice just to check its functionality
if you look it also comes with source included (iirc the author is goldenegg)
who also has written the ollyhelper plugin

004013BB . E8 C8160100 CALL xxxxxx.00412A88 ; JMP to MFC42.#823_??2@YAPAXI@Z



is this line from ollydbg?
if yes
options --> debugging options --> addresses --> check mark "demangle symbolic names"
it should do the trick of making this #$@ZZFRE$ into something more sensible like
mfcrap::bullshitfunction::just returns without doing nothing


Names in mfcspy, item 110
Address=004020AA
Section=.text
Type=User
Name=AfxFindResourceHandle(char const *,char const *)

Names in mfcspy, item 114
Address=0040236A
Section=.text
Type=User
Name=AfxWinMain(HINSTANCE__ *,HINSTANCE__ *,char *,int)

Names in mfcspy, item 132
Address=00401F9C
Section=.text
Type=User
Name=CCmdTarget::OnCmdMsg(uint,int,void *,AFX_CMDHANDLERINFO *)


also if you have the lib files from vc then try doing this; it also shows you many more names like ida flirt
right click --> analysis --> scan object files (you can point it at the whole include\library directory and add it into groups, then just hitting scan group 1, scan group 2 should scan the respective groups)

also try utilising the godup plugin by godfather it can load all those signatures directly

yes ctrl+k, but i was talking about ctrl+n, right click "find references" and the context menu "show call tree" in there

hosiminh
August 18th, 2005, 07:21
@oh me anon

Thanks for sharing us info about existence of this tool

blabberer
August 18th, 2005, 11:08
hosiminh

glad to be of help your nick suggests you should be knowing this tool before me :devilish

@infirmus

btw to answer the original question i had used a map from ida on mfc42.dll
so it was showing those names
like this


Call tree
Called from Procedure Calls Comment
MFC42.73DD3ADB <MFC42.CWaitCurs <MFC42.CCmdTarget::BeginWaitCursor(void)> Sys
MFC42.CRichEditView::WrapChanged(void)+12 MFC42.AfxGetModuleState(void) Sys
MFC42.73DE198F
MFC42.IPropertyPage2::`RTTI Base Class Descriptor at (0,-1,0,0)'+9
MFC42.CRecordView::OnInitialUpdate(void)+27
MFC42.CDaoRecordView::OnInitialUpdate(void)+28
MFC42.CWnd::WinHelpA(ulong,uint)+1D
MFC42.CDocument::DoSave(char const *,int)+0E6
MFC42.CDocument::OnSaveDocument(char const *)+85
MFC42.CEditView::FindTextA(char const *,int,int)+56
MFC42.CRichEditView::OnInsertObject(void)+55
MFC42.CRichEditView::OnEditPasteSpecial(void)+9E
MFC42.CRichEditView::SetParaFormat(_paraformat &+11
MFC42.CRichEditView::InsertFileAsObject(char const *)+28
MFC42.CRichEditView::DoPaste(COleDataObject &,ushort,void *)+1B
MFC42.CRichEditView::OnReplaceAll(char const *,char const *,int,int)+52
MFC42.CRichEditView::FindTextA(char const *,int,int)+0B
MFC42.CDocument::OnFileSendMail(void)+23
MFC42.COleConvertDialog::DoConvert(COleClientItem *)+13
MFC42.COlePasteSpecialDialog::CreateItem(COleClientItem *)+15



to get this effect
load mfc42.dll on idafree
let it complete the analysis (will take half an hour to 40 minutes)
save the idb
then get the mfc42.pdb from the windbg directory
put it in the same place where the idb resides
then open ida again and load the mfc42.dll (it should be quick this time, one minute max)
file--> load pdb
it should load the pdb information
then
file produce map file
use this map file in ollydbg to get all names



bytes pages size description
--------- ----- ---- --------------------------------------------
1048576 128 8192 allocating memory for b-tree...
1048576 128 8192 allocating memory for virtual array...
262144 32 8192 allocating memory for name pointers...
-----------------------------------------------------------------
2359296 total memory allocated

Loading IDP module D:\borland\freeida\IDA Freeware 4.3\pc.w32 for processor metapc...OK
Autoanalysis subsystem is initialized.
Possible file format: MS-DOS executable (EXE) (D:\borland\freeida\IDA Freeware 4.3\dos.ldw)
Possible file format: Portable executable for IBM PC (PE) (D:\borland\freeida\IDA Freeware 4.3\pe.ldw)
Loading file 'D:\borland\windbg\MFC42.pdb\78506869754E46FABF6059C8004810DFe\mfc42.dll' into database...
Detected file format: Portable executable for IBM PC (PE)
0. Creating a new segment (73DD1000-73E76000) ... ... OK
1. Creating a new segment (73E76000-73EA8000) ... ... OK
2. Creating a new segment (73EA8000-73EB1858) ... ... OK
Reading exports directory...
Reading imports directory...
3. Creating a new segment (73EAE390-73EB1858) ... ... OK
4. Creating a new segment (73EADF10-73EAE390) ... ... OK
Reading fixups...
5. Creating a new segment (73E76840-73EA8000) ... ... OK
Possible file format: PE executable (D:\borland\freeida\IDA Freeware 4.3\dbg.ldw)
Loading CODEVIEW debug information...
Unknown codeview information format: RSDS
Assuming __cdecl calling convention by default
Marking typical code sequences...
Flushing buffers, please wait...ok
File 'D:\borland\windbg\MFC42.pdb\78506869754E46FABF6059C8004810DFe\mfc42.dll' is successfully loaded into the database.
Compiling file 'D:\borland\freeida\IDA Freeware 4.3\idc\ida.idc'...
Executing function 'main'...
Compiling file 'D:\borland\freeida\IDA Freeware 4.3\idc\onload.idc'...
Executing function 'OnLoad'...
IDA is analysing the input file...
You may start to explore the input file right now.
The initial autoanalysis is finished.
Initializing the symbol engine.
Preparing to open the input file D:\borland\windbg\MFC42.pdb\78506869754E46FABF6059C8004810DFe\mfc42.dll
Loading the symbols from D:\borland\windbg\MFC42.pdb\78506869754E46FABF6059C8004810DFe\mfc42.dll
Symbols are loaded at image base 73DD0000
Getting the module information from the symbol engine.
Starting to enumerate functions.
Debug information is loaded.
Map file created, total 10607 lines.
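The procedure above produces an IDA map file that a plugin like mapconv then turns into OllyDbg labels. As an added illustration of what that import actually does (this is example code written for this page, not mapconv, IDA or OllyDbg code), here is a small Python script that parses a map in IDA's layout, turns each `segment:offset` public into a virtual address, and resolves an arbitrary address to the nearest symbol with a `+offset` suffix, the way the call tree above prints `CWnd::WinHelpA(ulong,uint)+1D`. The image base 73DD0000 comes from the IDA log above; the section RVAs, the symbol offsets and the map text itself are constructed for the example, and the decorated names are the form IDA writes (OllyDbg's "demangle symbolic names" option is what turns them into `CCmdTarget::BeginWaitCursor(void)`).

```python
import bisect
import re

# Image base the IDA log above reports: "Symbols are loaded at image base 73DD0000".
IMAGE_BASE = 0x73DD0000

# Section RVAs a real tool reads from the DLL's PE section headers.
# These two values are constructed for the example (assumption).
SECTION_RVAS = {".text": 0x1000, ".data": 0xA6000}

# Constructed sample in the layout of an IDA map file (File -> Produce file -> MAP file).
# Offsets and names are made up for the example; they are not mfc42.dll's real layout.
SAMPLE_MAP = """\
 Start         Length     Name                   Class
 0001:00000000 000A5000H .text                   CODE
 0002:00000000 00032000H .data                   DATA

  Address         Publics by Value

 0001:00002AC0       ??0CWaitCursor@@QAE@XZ
 0001:00002AE0       ?BeginWaitCursor@CCmdTarget@@QAEXXZ
 0001:0001098F       ?AfxGetModuleState@@YGPAVAFX_MODULE_STATE@@XZ
 0002:00000010       ?afxCurrentWinApp@@3PAVCWinApp@@A
"""

# Segment table line: "0001:00000000 000A5000H .text CODE"
SEG_RE = re.compile(r"^\s*(\d{4}):([0-9A-Fa-f]{8})\s+[0-9A-Fa-f]+H\s+(\S+)\s+\S+\s*$")
# Public symbol line: "0001:00002AC0       ??0CWaitCursor@@QAE@XZ"
PUB_RE = re.compile(r"^\s*(\d{4}):([0-9A-Fa-f]{8})\s+(\S+)\s*$")
# Bare "MFC42.<address>" references as OllyDbg prints them when it has no label.
ADDR_REF_RE = re.compile(r"\bMFC42\.([0-9A-Fa-f]{8})\b")


def parse_map(text, image_base, section_rvas):
    """Return a sorted list of (virtual_address, decorated_name).

    Segment lines map a segment number to a section name; public lines are
    segment:offset, so VA = image_base + RVA(section) + offset.
    """
    seg_to_rva = {}
    symbols = []
    for line in text.splitlines():
        m = SEG_RE.match(line)
        if m:
            seg_to_rva[m.group(1)] = section_rvas[m.group(3)]
            continue
        m = PUB_RE.match(line)
        if m and m.group(1) in seg_to_rva:
            va = image_base + seg_to_rva[m.group(1)] + int(m.group(2), 16)
            symbols.append((va, m.group(3)))
    symbols.sort()
    return symbols


def resolve(symbols, va):
    """Nearest public at or below va as 'name' or 'name+off', None if va precedes all symbols.

    The offset follows OllyDbg's convention of a leading 0 when the hex digit
    string would start with a letter (e.g. +0E6, +0B, but +1D).
    """
    addrs = [a for a, _ in symbols]
    i = bisect.bisect_right(addrs, va) - 1
    if i < 0:
        return None
    base, name = symbols[i]
    off = va - base
    if off == 0:
        return name
    hexoff = f"{off:X}"
    if hexoff[0].isalpha():
        hexoff = "0" + hexoff
    return f"{name}+{hexoff}"


def annotate(line, symbols):
    """Rewrite bare MFC42.<address> references in a disassembly line to symbol names."""
    def sub(m):
        name = resolve(symbols, int(m.group(1), 16))
        return f"MFC42.{name}" if name else m.group(0)
    return ADDR_REF_RE.sub(sub, line)


if __name__ == "__main__":
    syms = parse_map(SAMPLE_MAP, IMAGE_BASE, SECTION_RVAS)
    for va in (0x73DD3ADB, 0x73DE198F, 0x73DD0000):
        print(f"{va:08X} -> {resolve(syms, va)}")
    print(annotate("CALL MFC42.73DE198F", syms))
```

The `+offset` form matters when reading a call tree: a "called from" entry such as `CWaitCursor::CWaitCursor+1B` is an address inside that function, not the function itself, so the name tells you which routine made the call rather than which routine was called.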

TQN
August 18th, 2005, 21:03
As far as I know, when loading an executable which uses MFC42.dll, IDA will apply the mfc42.ids (in the IDS dir) to replace the MFC.xxxx name with the full decorated name. But the MFC42.ids of IDA has some wrong names for MFC42.dll. The IDS file of IDA was created with an old version of MFC42.dll. I have created a new MFC42.ids, and it seems OK.
I am recreating the MFC42.dll/mfc42u.dll/mfc42d.dll/mfc42ud.dll/.... IDA signatures.

blabberer
August 19th, 2005, 05:45
well when loading an exe that uses mfc.dll ida uses ids, yes, but the poster
said somewhere ida could not load his exe so i gave some ways to
bypass that problem. ida also loads vcmfc32something.sig if it successfully loads the exe and applies flirt too

but getting a dlls map is always a better option coz it is universal
for the pc you are operating just click and forget