OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Article Abstract Microsoft Visual C++ is the most widely used compiler for Win32 so it is important for the Win32 reverser to be familiar with its inner working. Being able to recognize the compiler-generated glue code helps to quickly concentrate on the actual code written by the programmer. It also helps in recovering the high-level structure of the program.

In part II of this 2-part article (see also: Part I: Exception Handling), I will cover how C++ machinery is implemented in MSVC, including classes layout, virtual functions, RTTI. Familiarity with basic C++ and assembly language is assumed.

Full Article ...

Printer Friendly ...

Article Comments

linestyle	Posted: Thursday, September 21 2006 20:02.11 CDT
great work!!:)

MohammadHosein	Posted: Friday, September 22 2006 15:23.54 CDT
actually didnt read the whole article yet , but seems very informative . the undocumented VC's switch was very interesting , would you like to share how did you find it and are there any other undocumented switches ? :)

igorsk	Posted: Friday, September 22 2006 16:30.48 CDT
Well, I was disassembling c1xx to check how it does certain things and sort of stumbled upon it. There are a lot of hidden options, but I didn't really investigate them that much. Here's a page that has a huge list with some described: http://members.ozemail.com.au/[email protected]/samples/programming/msvc/cl/

dnix	Posted: Tuesday, August 19 2008 03:32.23 CDT
wonder whether these structures found by these scripts could be added to the IDA structures so one choose them from add struct var

Sirmabus

Posted: Wednesday, December 24 2008 00:45.52 CST

Thanks the vtable finder/namer script functionality is great help. In particular over a very large target with over a 1000 vtables.

I read the article some time ago, but finally got around to experimenting.
It's probably way over looked, people probably don't know how usefull it is on such targets with lots of vtables. You have to try it to understand..

I think I may expand the idea into a plug-in and add some more features like a list/log window, etc.

Phenomenal work!

Sirmabus	Posted: Thursday, January 22 2009 04:26.19 CST
<Here's my plug-in>

Externalist	Posted: Thursday, January 29 2009 20:58.09 CST
I've also read this some time ago but never really got a chance to recognize the full power until recently when I got involved in a C++ reversing project. This is truely awesome along with Part I of this article. I could say I gained tons from this. Thanks alot for the contribution!! And also, thanks for the plugin with extended features Sirmabus. :)

FloydTammie31	Posted: Sunday, September 12 2010 04:35.28 CDT
Houses are quite expensive and not everyone can buy it. Nevertheless, <a href="http://bestfinance-blog.com/topics/home-loans">home loans</a> are invented to support different people in such situations.

hwwh1999	Posted: Saturday, September 18 2010 10:04.12 CDT
Mark and study

tcljg2008	Posted: Saturday, December 18 2010 05:00.26 CST
very very good!

roczhang

Posted: Thursday, March 3 2011 13:47.08 CST

Great paper. I have took almost two days to want to know the details how dynamic_cast work through RTTI.
I have tried to search some materials by google, but I failed. Because I don't know the key word, such as "RTTI Complete Object Locator".
So I try to do it by myself. I convert the C++ code to assemby code and find how the RTTI work. Then I want to write it to share with others, but now I find your article. Your artical is great! I feel I don't need to write it any more. Thank you.
Great artical.

qxsl2000	Posted: Wednesday, March 30 2011 03:47.06 CDT
it seems like c++ object hierarchy to be decomplied but disassemble through some tricks, this is incredible job, for ours aspiring c++ programmers.thank you so much!

EliteKnites	Posted: Tuesday, May 10 2011 02:03.28 CDT
Thank you so much.. this paper gives a clear cut idea of RTTI and how the internal implementation is.. This gives me more interest on RTTI

EliteKnites	Posted: Tuesday, May 10 2011 02:06.48 CDT
i have some doubts on this.. typeid is returning const type_info&.. but in type_info class implementation copy constructor and equalto operator is private mode how it is returning reference to us? can any one explain me about this ?

martinkro	Posted: Tuesday, July 19 2011 06:58.50 CDT
great artical ,thank you!!

Shine	Posted: Thursday, August 4 2011 21:23.55 CDT
good article��by what method do you trace it?

julyDragon919	Posted: Tuesday, August 7 2012 07:27.30 CDT
Hi! you ve just made me smile! i was having a long face before seeing your article. thanks! it was, is , will be helpful!

cl001	Posted: Monday, May 6 2013 02:13.31 CDT
Lululemon Outlet numbers Fashion Lululemon Sale styles of Lululemon UK cheap.

There are 31,313 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
hi!	Jul/01
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit