📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
IDA Pro forum: Finding main() Function

Topic created on: May 1, 2007 17:51 CDT by andy.

Hi, I am trying to reverse a Visual C++ compiled binary with no symbols.

How can I easily find where the main() function begins?

dennis   May 1, 2007 23:43.40 CDT
What do you mean? Is it packed and you're trying to find the original entrypoint? If it is an executable, it should have one entrypoint that any disassembler or debugger will show you once you load the file. From there on (if this isn't the main() function but a little stub) you can easily spot the call to the main() function. Many disassemblers will do this automatically for you.

stahl   May 2, 2007 05:21.54 CDT
I think he means the C++ main function?!

I have the same question in the back of my head :-)

dennis   May 2, 2007 05:51.33 CDT
I still don't get it, that shouldn't make a difference, no?

anonymouse   May 2, 2007 06:54.10 CDT
If you are using OllyDbg and your app is loaded at 0x400000:

Ctrl+T -> check mark "Condition is TRUE" -> type [esp] == 0x400000 -> OK -> Ctrl+F12

Log data, item 4
Address=0040B241
Message=Conditional pause: [esp]==0x400000

That's your WinMain.

Modify 0x400000 to suit your IMAGEBASE.

andy   May 2, 2007 10:29.46 CDT
Thanks for the reply...
It is a regular Visual C++ compiled binary, consisting of a simple int _tmain(...) function (no symbols).

When IDA starts it drops me at the Startup() function (the PE entry point), which eventually calls _tmain()...

What I want to know is how you can tell where _tmain() begins (with IDA) without following the flow of Startup...

Maybe it's not possible, but just wondering...

Let's say, for example, that the Nth call from Startup is the real call to _tmain...

> dennis: What do you mean? Is it packed and you're trying to find the original entrypoint? If it is an executable, it should have one entrypoint that any disassembler or debugger will show you once you load the file. From there on (if this isn't the main() function but a little stub) you can easily spot the call to the main() function. Many disassemblers will do this automatically for you.
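The thread never reaches a concrete IDA answer, so here is an added example that is not from any of the posts above or from OpenRCE. It works the way a practitioner usually does in IDA anyway: the classic 32-bit Visual C++ console CRT startup (mainCRTStartup / __tmainCRTStartup) pushes envp, argv and argc from three globals, calls main, then cleans 12 bytes off the stack, so the byte sequence `FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? FF 35 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 0C` searched from the entry point lands on the call to main, and decoding the rel32 gives its address. The script below parses a PE32 header to find the entry point and its section, runs that pattern over it, and decodes the call target. The pattern is a heuristic for that one compiler family, the minimal PE it is run on is constructed here (not real compiler output), and all function names are this example's own.

```python
"""Locate the Visual C++ CRT call to main() in a 32-bit PE without stepping
through Startup by hand.

Assumed heuristic (classic VC++ console CRT startup, 32-bit only):

    FF 35 xx xx xx xx     push dword ptr [envp]
    FF 35 xx xx xx xx     push dword ptr [argv]
    FF 35 xx xx xx xx     push dword ptr [argc]
    E8 rr rr rr rr        call main
    83 C4 0C              add  esp, 0Ch

The same byte pattern can be typed into IDA's binary search (Alt+B) starting at
the entry point; this script just automates the search and the rel32 decoding.
"""
import re
import struct


def parse_pe32(data):
    """Return (image_base, entry_rva, sections) from a PE32 image in memory."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # start of IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i        # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return image_base, entry_rva, sections


def section_for_rva(sections, rva):
    """Return (name, va, rawptr, rawsize) of the section containing rva."""
    for name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return name, va, rawptr, rawsize
    raise ValueError("RVA %#x is not in any section" % rva)


# push [envp] ; push [argv] ; push [argc] ; call main ; add esp, 0Ch
CRT_CALL_MAIN = re.compile(
    rb"\xff\x35.{4}\xff\x35.{4}\xff\x35.{4}\xe8(.{4})\x83\xc4\x0c", re.DOTALL)


def find_main(data):
    """Return the virtual address of main(), or None if the pattern is absent."""
    image_base, entry_rva, sections = parse_pe32(data)
    _, sec_va, rawptr, rawsize = section_for_rva(sections, entry_rva)
    start = rawptr + (entry_rva - sec_va)    # file offset of the entry point
    body = data[start:rawptr + rawsize]      # scan from Startup to section end
    m = CRT_CALL_MAIN.search(body)
    if m is None:
        return None
    call_off = m.start(1) - 1                # offset of the E8 opcode in body
    call_va = image_base + entry_rva + call_off
    rel32 = struct.unpack("<i", m.group(1))[0]
    return call_va + 5 + rel32               # target = next instruction + rel32


def build_sample_pe():
    """Constructed sample: a minimal PE32 with one .text section holding a
    VC-style startup stub at RVA 0x1000 that calls 'main' at RVA 0x1050."""
    image_base, text_rva, text_raw = 0x400000, 0x1000, 0x200
    code = bytearray(0x100)
    stub = bytes.fromhex(
        "55" "8bec" "83ec10"                       # push ebp; mov ebp,esp; sub esp,10h
        "ff3510304000" "ff3514304000" "ff3518304000"  # push envp/argv/argc globals
        "e833000000"                               # call 0x401050 (from next insn 0x40101D)
        "83c40c" "8945fc" "50" "e800000000")       # add esp,0Ch; mov [ebp-4],eax; push eax; call exit
    code[:len(stub)] = stub
    code[0x50:0x53] = bytes.fromhex("33c0c3")      # main: xor eax,eax ; ret
    hdr = bytearray(text_raw)
    hdr[:2] = b"MZ"
    e_lfanew = 0x40
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x14C, 1)   # Machine i386, 1 section
    struct.pack_into("<H", hdr, e_lfanew + 20, 0xE0)       # SizeOfOptionalHeader
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, text_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, image_base)      # ImageBase
    struct.pack_into("<8sIIII", hdr, opt + 0xE0,
                     b".text", len(code), text_rva, len(code), text_raw)
    return bytes(hdr) + bytes(code)


if __name__ == "__main__":
    main_va = find_main(build_sample_pe())
    print("main() at %#x" % main_va if main_va else "CRT pattern not found")
```

Run it on a real file with `find_main(open("target.exe", "rb").read())`. The pattern only covers 32-bit console binaries; a WinMain build pushes four arguments (nShowCmd, lpCmdLine, 0, hInstance) and cleans up with `add esp, 10h`, and x64 passes arguments in registers, so both need their own pattern. If nothing matches, fall back to what dennis describes and follow the Startup flow to the call whose return value is handed to exit(): that is main.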
