App using Visual C++ 7.0 Method2


VeeDub
July 29th, 2006, 01:47
Hi,

I am looking at an app that according to PEiD is written in Visual C++ 7.0 Method2.

The app is different to what I am used to in that when you view the intermodular calls, although there are some of the "conventional" Windows API calls, many of the usual calls are missing and instead there are many calls to entries prefixed by MSVCP71 and MSVCR71, which I understand are C++ DLLs.

Also, if you run the app with a log breakpoint on every command, to get some idea of the flow of the code, the resulting log file is very sparse, with many entries:

- address COND:

rather than your typical entry

- CALL to with values

I have traced apps written in Visual C++ 6.0, and what I am looking at here is very different to what I recognise.

I've tried searching on the forums, but haven't found anything that gives me some direction. Basically I need some help in identifying what I'm dealing with.

Thanks

VW

VeeDub
July 29th, 2006, 03:15
I think what I need is the equivalent of what Smartcheck does for VB, but for Visual C++, does such a tool exist?

Polaris
July 29th, 2006, 09:52
Quote:
[Originally Posted by VeeDub]I think what I need is the equivalent of what Smartcheck does for VB, but for Visual C++, does such a tool exist?


AFAIK, no... At the time of SmartCheck (sic, I am old!) many asked for such a thing, but no such tool was made.

LLXX
July 30th, 2006, 06:25
Perhaps you could post some (non-target-identifying) fragments of code so we can see some examples of this style?

VeeDub
July 30th, 2006, 19:55
Here is an extract from the intermodular call list; there are pages of these calls instead of the "usual" Win32 calls.

Code:
00413D8F CALL DWORD PTR DS:[<&MSVCP71.?widen@? MSVCP71.?widen@?$ctype@D@std@@QBEDD@Z
00411222 CALL DWORD PTR DS:[<&MSVCP71.?width@i MSVCP71.?width@ios_base@std@@QAEHH@Z
0046846F CALL DWORD PTR DS:[<&MSVCP71.??Y?$bas MSVCP71.??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
004DA3E4 CALL DWORD PTR DS:[<&MSVCR71.strchr>] MSVCR71.strchr
0045BB25 CALL DWORD PTR DS:[<&MSVCR71._strdup> MSVCR71._strdup


For instance there is a nag screen when the program starts, and I cannot see what API is being called to make the screen appear, because hardly any of the conventional APIs appear to be used.

I'm guessing that most of the program execution is going on via all the MSVCP71 and MSVCR71 routines; I haven't been able to locate any doco which helps me to understand, say, how the nag window is being created.

Thanks

VW

LLXX
July 31st, 2006, 01:23
Load into IDA and use the option to unmangle function names. That should make the code easier to understand.
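The five listing lines VeeDub posted above, run through a small decoder of the kind LLXX means by "unmangle function names". This is an added example, not code from the thread, from IDA or from OllyDbg: the LISTING string is constructed from the post, and the MsvcDemangler class and the parse_listing / calls_per_module helpers are my own names. The decoder covers only the part of the MSVC decoration scheme these runtime imports use (scope chains, templates, single-digit back-references into the name table) and leaves the signature part after the name undecoded.

```python
"""Added example, not code from the thread: decode the MSVC decorated names in an
OllyDbg intermodular call listing. Covers only the name-decoration subset that
these C++ runtime imports use (scopes, templates, single-digit back-references)."""
from collections import Counter

OPERATORS = {"4": "operator=", "6": "operator<<", "8": "operator==",
             "H": "operator+", "Y": "operator+="}          # codes after "??"
TYPES = {"D": "char", "H": "int", "I": "unsigned int", "J": "long",
         "K": "unsigned long", "N": "double", "X": "void"}  # template argument codes


class MsvcDemangler:
    def __init__(self, decorated):
        self.s, self.i = decorated, 0
    def peek(self, n=1):
        return self.s[self.i:self.i + n]
    def take(self, n=1):
        self.i += n
        return self.s[self.i - n:self.i]
    def until(self, ch):                    # text up to ch, consuming ch
        j = self.s.index(ch, self.i)
        self.i, text = j + 1, self.s[self.i:j]
        return text

    def name_chain(self, names):
        # Scope components up to the closing '@'. Plain and template components
        # are memorised in `names` so a later single digit can refer back to them.
        parts = []
        while self.peek() != "@":
            if self.peek().isdigit():
                parts.append(names[int(self.take())])      # back-reference
            elif self.peek(2) == "?$":
                parts.append(self.template(names))
            else:
                parts.append(self.until("@"))
                names.append(parts[-1])
        self.take()
        return parts[::-1]                                 # outermost scope first

    def template(self, outer):
        # '?$base@args@': the arguments get a fresh back-reference table whose
        # entry 0 is the template's own base name (so the '2' inside the
        # basic_string arguments in the listing resolves to std, not allocator).
        self.take(2)
        base = self.until("@")
        inner, args = [base], []
        while self.peek() != "@":
            args.append(self.type(inner))
        self.take()
        outer.append(f"{base}<{','.join(args)}>")
        return outer[-1]

    def type(self, names):
        c = self.take()
        if c in ("U", "V"):                                # struct / class name
            return "::".join(self.name_chain(names))
        if c in TYPES:
            return TYPES[c]
        raise ValueError(f"unsupported type code {c!r}")

    def demangle(self):
        if self.take() != "?":
            raise ValueError("not an MSVC decorated name")
        names = []
        if self.peek() == "?":                             # operator name
            self.take()
            leaf = OPERATORS.get(self.take())
            if leaf is None:
                raise ValueError("unsupported special name")
        else:
            leaf = self.until("@")
            names.append(leaf)                             # the leaf is entry 0
        return "::".join(self.name_chain(names) + [leaf])


LISTING = """\
00413D8F CALL DWORD PTR DS:[<&MSVCP71.?widen@? MSVCP71.?widen@?$ctype@D@std@@QBEDD@Z
00411222 CALL DWORD PTR DS:[<&MSVCP71.?width@i MSVCP71.?width@ios_base@std@@QAEHH@Z
0046846F CALL DWORD PTR DS:[<&MSVCP71.??Y?$bas MSVCP71.??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
004DA3E4 CALL DWORD PTR DS:[<&MSVCR71.strchr>] MSVCR71.strchr
0045BB25 CALL DWORD PTR DS:[<&MSVCR71._strdup> MSVCR71._strdup
"""


def parse_listing(text):
    """(address, module, symbol, readable) per line; plain C exports pass through."""
    rows = []
    for line in text.splitlines():
        address, rest = line.split(None, 1)
        module, symbol = rest.rsplit(None, 1)[-1].split(".", 1)
        readable = symbol
        if symbol.startswith("?"):
            try:
                readable = MsvcDemangler(symbol).demangle()
            except (ValueError, IndexError):               # outside the subset
                pass
        rows.append((address, module, symbol, readable))
    return rows


def calls_per_module(rows):
    return Counter(module for _, module, _, _ in rows)
```

On the listing this yields std::ctype<char>::widen, std::ios_base::width and std::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+= for the three MSVCP71 entries, passes strchr and _strdup through, and counts MSVCP71: 3, MSVCR71: 2, which makes the thread's point visible at a glance: every call in the extract goes to the C++ standard library or the C runtime rather than to user32 or kernel32. For the full scheme use IDA's demangler or undname.exe from Visual Studio; this decoder falls back to the raw name on anything outside its subset.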

naides
July 31st, 2006, 02:15
Quote:
[Originally Posted by VeeDub]

For instance there is a nag screen when the program starts, and I cannot see what API is being called to make the screen appear, because hardly any of the conventional APIs appear to be used.

VW


The key word is conventional.

Using the typical system DLL functions to perform the functionalities of a program (like MessageBoxA for displaying a nag screen) is convenient, but not obligatory.

Certain frameworks like Macromedia, Java, etc. can perform all the functionalities you are used to seeing performed by user32.dll or kernel32.dll calls without ever calling them. MFC programs call first the MFC framework, and usually, but not always, MFC functions call "conventional" functions in kernel and user, i.e. they "wrap" around the MS Windows framework.

In the problem you describe I would run the application under an API spy (SmartCheck is but one example of such spy applications) and figure out what MSVCR71 function calls are involved in performing the routine you want to understand/reverse.

Perhaps (I DON'T KNOW) the VC SDK may have a catalog describing the functionality of the APIs contained in MSVCR71.dll.

VeeDub
July 31st, 2006, 07:20
Quote:
[Originally Posted by naides]The key word is conventional.

Using the typical system DLL functions to perform the functionalities of a program (like MessageBoxA for displaying a nag screen) is convenient, but not obligatory.

Hi Naides,

I understand your point however ...

Quote:
Certain frameworks like Macromedia, Java, etc. can perform all the functionalities you are used to seeing performed by user32.dll or kernel32.dll calls without ever calling them. MFC programs call first the MFC framework, and usually, but not always, MFC functions call "conventional" functions in kernel and user, i.e. they "wrap" around the MS Windows framework.

There must be a reasonable number of applications written using this development environment; what I find surprising is that I have not been able to locate any threads discussing this issue. I have spent a reasonable amount of time searching too. I must be using the wrong keywords, I guess. I would have thought that this "wrapping" must be reasonably common, and therefore I would have expected to see some discussion on the topic somewhere.

Quote:
In the problem you describe I would run the application under an API spy (SmartCheck is but one example of such spy applications) and figure out what MSVCR71 function calls are involved in performing the routine you want to understand/reverse.

Thanks I'll do a search on API spy and see what I find.

Quote:
Perhaps (I DON'T KNOW) the VC SDK may have a catalog describing the functionality of the APIs contained in MSVCR71.dll.

I'll investigate this as well.

Thanks

VW

VeeDub
July 31st, 2006, 07:27
Quote:
[Originally Posted by LLXX]Load into IDA and use the option to unmangle function names. That should make the code easier to understand.

Hi LLXX,

Last time I tried using IDA I didn't know enough to be able to make use of it. It may be time to revisit IDA and see if I can make more sense of it now.

Thanks for the advice.

VW

Hamy
July 31st, 2006, 08:16
Hi
I had the same problem last week. I had an app that PEiD reported as C++, but nothing was right.
Finally I found that the app was written with FoxPro.

osirisone
November 11th, 2006, 14:30
Can anyone mention any place or document which one can use to learn or reference for MFC v7 reverse engineering?
Did any guy watching this succeed in handling MFC v7? Did you, VeeDub?

TnX,

-------
OsIris

osirisone
November 12th, 2006, 17:44
Ok, maybe I'd better change the approach to the topic.
And if anything looks stupid, don't hold it against me, since this forum is called "for Newbies".

(I guess you'd prefer code!)
Let's have an example question:
How the fuck could I get the members of a class here? As seen, CompareNoCase gets only one argument; the other argument is the object itself, or better said, actually the string buffer of the object (the object is of type CString) is used. I want to see what the content of the other string is that is compared with the SN (ShitNumber, having its pointer in EAX).

Code:

.text:0040C04F loc_40C04F: ; CODE XREF: .text:0040C03Aj
.text:0040C04F call AfxGetModuleState(void)
.text:0040C054 mov eax, [eax+4]
.text:0040C057 mov eax, [eax+0ECh]
.text:0040C05D push eax ; Serial Number location address in EAX - Osiris
.text:0040C05E lea ecx, [esp+14h]
.text:0040C062 call ds:ATL::CStringT<char,StrTraitMFC_DLL<char,ATL::ChTraitsCRT<char>>>::CompareNoCase(char const *)
.text:0040C068 test eax, eax
.text:0040C06A jmp short loc_40C07F ; Was JZ (74) 40C07F =now> JMP(EB) ... - Osiris


Come on. Stop trying to hit me and hit me.
------
OsIris