📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Ordinals, Symbols, and Mappings (Forums > Target Specific - General)

Topic created on: May 28, 2007 20:58 CDT by ogami.

Hi all, I am sorry that my first post is a question. I hope that somebody has time to assist me. I am reversing a binary that is implemented in C++ and MFC; the binary is statically linked to the following files located in the directory that the software is installed in:

Name     Version       MD5
----------------------------------------------------------
mfc71u.dll  7.10.3077.0   7b93c623333f121dc9e689ccb1b7a733
msvcp71.dll 7.10.3077.0   561fa2abb31dfa8fab762145f81667c2
msvcr71.dll 7.10.3052.4   86f1895ae8c5e8b17d99ece768a70732
msvcrt.dll  7.0.2600.2180 b0fefa816d61ec66aa765ddf534eab5e

(Digression: Aren't these versions vulnerable to MS07-012, hehe)

I cannot find pdb or def files for these libraries so the symbol names are not being resolved for IDA or Olly.

Does anybody know where I could find a script that would map the ordinals to symbol names in IDA? (Also, it would be very helpful if the symbol names were mapped in Olly.) Also, does anybody know if a tool like symbol-retriever still works to get the pdb or def files for the above libraries? If I can get the def files I can write some IDC to map the ordinals in IDA and can post it here.

Thanks to anybody that has time to help me out.
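The ordinal-to-name mapping ogami asks about, as an added example that is not from the thread and not ogami's script: parse the EXPORTS section of a module-definition (.def) file into an ordinal map and apply it to IDA's default names for imports-by-ordinal. The .def excerpt is constructed, and both the IDA naming pattern (MODULE_ordinal with an optional __imp_ prefix) and the IDAPython calls in rename_in_ida are assumptions to check against your own database.

```python
import re
# Constructed .def excerpt (not the real mfc71u.def; decorated names are placeholders).
SAMPLE_DEF = """\
LIBRARY MFC71U
EXPORTS
    ?OnHelp@CWinApp@@IAEXXZ @4535 NONAME
    ?DoModal@CDialog@@UAEHXZ @ 2011 NONAME          ; ordinal may follow "@ "
    ??3@YAXPAX@Z=operator_delete @764 NONAME PRIVATE ; entryname=internalname form
    AfxGetModuleState @1079 NONAME
    NoOrdinalHere                                   ; exported by name only: skipped
"""

# EXPORTS line: entryname[=internalname] @ordinal [NONAME] [PRIVATE|DATA]
_EXPORT_RE = re.compile(r"^(?P<name>[^\s=]+)(?:=\S+)?\s+@\s*(?P<ord>\d+)\b")

def parse_def(text):
    """Return {ordinal: exported name} for every EXPORTS entry that carries an @ordinal."""
    ordinals, in_exports = {}, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.upper() == "EXPORTS":
            in_exports = True                        # LIBRARY/DESCRIPTION precede this
        elif in_exports:
            m = _EXPORT_RE.match(line)
            if m:
                ordinals[int(m.group("ord"))] = m.group("name")
    return ordinals

# Assumed IDA naming for an import-by-ordinal: <MODULE>_<ordinal>, optional __imp_ prefix.
_IDA_ORDINAL_RE = re.compile(r"^(?P<prefix>__imp_)?(?P<mod>[A-Za-z0-9]+)_(?P<ord>\d+)$")

def resolve_ordinal_name(ida_name, module, ordinals):
    """'MFC71U_4535' -> '?OnHelp@CWinApp@@IAEXXZ' (prefix kept); None if not mappable."""
    m = _IDA_ORDINAL_RE.match(ida_name)
    if not m or m.group("mod").upper() != module.upper():
        return None
    sym = ordinals.get(int(m.group("ord")))
    return (m.group("prefix") or "") + sym if sym else None

def rename_in_ida(module, ordinals):
    """Apply the map inside IDA via IDAPython (assumed API); returns how many names changed."""
    import idautils, idc                              # only importable inside IDA
    renamed = 0
    for ea, name in idautils.Names():
        new = resolve_ordinal_name(name, module, ordinals)
        if new and idc.set_name(ea, new, idc.SN_NOWARN | idc.SN_NOCHECK):
            renamed += 1
    return renamed
```

IDA demangles the decorated names it is given, so the listing then shows CWinApp::OnHelp rather than MFC71U_4535; the same ordinal map can feed an OllyDbg label script.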

  anonymouse     May 29, 2007 04:09.07 CDT
I don't think the Microsoft symbol server will provide you def files; they come with the VC installation

a quick Google can, and you can fetch these def files

if I remember correctly igorsk answered this same question a few days before with a link to the def file too
search the forums

if you want ollydbg to map those ordinal names to their actual names
you can try my plugin
modified commandline plugin, available here in the download section

and use the command loadpdb

read my blog for its usage

you would need to set up the symbol path _NT_SYMBOL_PATH

it will fetch the symbols from the MS symbol servers and map the ordinal names to their actual names

a sample here:


00401CA8  JMP [<&MFC71U.#4535>]  ;  MFC71U.CWinApp::OnHelp
00401CAE  JMP [<&MFC71U.#3677>]  ;  MFC71U.CWinApp::GetThisMessageMap
00401CB4  JMP [<&MFC71U.#4032>]  ;  MFC71U.CWinApp::LoadSysPolicies
00401CBA  JMP [<&MFC71U.#4008>]  ;  MFC71U.CWinApp::LoadAppLangResourceDLL
00401CC0  JMP [<&MFC71U.#6272>]  ;  MFC71U.CWinApp::WinHelpInternal
00401CC6  JMP [<&MFC71U.#3795>]  ;  MFC71U.CWinApp::HtmlHelpW
00401CCC  JMP [<&MFC71U.#6274>]  ;  MFC71U.CWinApp::WinHelpW
00401CD2  JMP [<&MFC71U.#4320>]  ;  MFC71U.CWinApp::OnDDECommand
00401CD8  JMP [<&MFC71U.#2054>]  ;  MFC71U.CWinApp::DoWaitCursor
00401CDE  JMP [<&MFC71U.#2009>]  ;  MFC71U.CWinApp::DoMessageBox
00401CE4  JMP [<&MFC71U.#5579>]  ;  MFC71U.CWinApp::SaveAllModified
00401CEA  JMP [<&MFC71U.#3800>]  ;  MFC71U.CWinApp::InitApplication
00401CF0  JMP [<&MFC71U.#1007>]  ;  MFC71U.CWinApp::AddToRecentFileList
00401CF6  JMP [<&MFC71U.#5096>]  ;  MFC71U.CWinApp::OpenDocumentFile
00401CFC  JMP [<&MFC71U.#6215>]  ;  MFC71U.CWinApp::Unregister
00401D02  JMP [<&MFC71U.#5378>]  ;  MFC71U.COleObjectFactory::Unregister
00401D08  JMP [<&MFC71U.#3826>]  ;  MFC71U._AFX_DB_STATE::~_AFX_DB_STATE
00401D0E  JMP [<&MFC71U.#1911>]  ;  MFC71U.CWinThread::Delete
00401D14  JMP [<&MFC71U.#2925>]  ;  MFC71U.CWinThread::GetMainWnd
00401D1A  JMP [<&MFC71U.#5220>]  ;  MFC71U.CWinThread::ProcessMessageFilter
00401D20  JMP [<&MFC71U.#5222>]  ;  MFC71U.CWinApp::ProcessWndProcException
00401D26  JMP [<&MFC71U.#2239>]  ;  MFC71U.CWinApp::ExitInstance
00401D2C  JMP [<&MFC71U.#3942>]  ;  MFC71U.CWinThread::IsIdleMessage
00401D32  JMP [<&MFC71U.#4562>]  ;  MFC71U.CWinApp::OnIdle
00401D38  JMP [<&MFC71U.#5226>]  ;  MFC71U.AfxInternalPumpMessage
00401D3E  JMP [<&MFC71U.#5209>]  ;  MFC71U.CWinThread::PreTranslateMessage
00401D44  JMP [<&MFC71U.#5562>]  ;  MFC71U.CWinApp::Run
00401D4A  JMP [<&MFC71U.#2531>]  ;  MFC71U.CCmdTarget::GetExtraConnectionPoints
00401D50  JMP [<&MFC71U.#2725>]  ;  MFC71U.CCmdTarget::GetExtraConnectionPoints
00401D56  JMP [<&MFC71U.#2829>]  ;  MFC71U.CCmdTarget::GetExtraConnectionPoints
00401D5C  JMP [<&MFC71U.#4301>]  ;  MFC71U.CFrameWnd::IsFrameWnd
00401D62  JMP [<&MFC71U.#2708>]  ;  MFC71U.CCmdTarget::GetThisEventSinkMap
00401D68  JMP [<&MFC71U.#2832>]  ;  MFC71U.CCmdTarget::GetThisInterfaceMap
00401D6E  JMP [<&MFC71U.#2534>]  ;  MFC71U.CCmdTarget::GetThisConnectionMap
00401D74  JMP [<&MFC71U.#2640>]  ;  MFC71U.CCmdTarget::GetThisDispatchMap
00401D7A  JMP [<&MFC71U.#2527>]  ;  MFC71U.CCmdTarget::GetThisCommandMap
00401D80  JMP [<&MFC71U.#3712>]  ;  MFC71U.CCmdTarget::GetTypeLib
00401D86  JMP [<&MFC71U.#3713>]  ;  MFC71U.CWinThread::InitInstance
00401D8C  JMP [<&MFC71U.#3703>]  ;  MFC71U.CWinThread::InitInstance
00401D92  JMP [<&MFC71U.#2638>]  ;  MFC71U.CCmdTarget::GetExtraConnectionPoints
00401D98  JMP [<&MFC71U.#3943>]  ;  MFC71U.CCmdTarget::IsInvokeAllowed
00401D9E  JMP [<&MFC71U.#4475>]  ;  MFC71U.CCmdTarget::OnFinalRelease
00401DA4  JMP [<&MFC71U.#4255>]  ;  MFC71U.CCmdTarget::OnCmdMsg
00401DAA  JMP [<&MFC71U.#3327>]  ;  MFC71U.CWinApp::GetRuntimeClass
00401DB0  JMP [<&MFC71U.#566>]   ;  MFC71U.CWinApp::CWinApp
00401DB6  JMP [<&MFC71U.#757>]   ;  MFC71U.CWinApp::~CWinApp
00401DBC  JMP [<&MFC71U.#605>]   ;  MFC71U.CDialog::~CDialog
00401DC2  JMP [<&MFC71U.#620>]   ;  MFC71U.CEdit::~CEdit
00401DC8  JMP [<&MFC71U.#764>]   ;  MFC71U.operator delete
00401DCE  JMP [<&MFC71U.#2011>]  ;  MFC71U.CDialog::DoModal
00401DD4  JMP [<&MFC71U.#5971>]  ;  MFC71U.CWinApp::SetRegistryKey
00401DDA  JMP [<&MFC71U.#1049>]  ;  MFC71U.AfxEnableControlContainer
00401DE0  JMP [<&MFC71U.#3824>]  ;  MFC71U.CWinApp::InitInstance
00401DE6  JMP [<&MFC71U.#3635>]  ;  MFC71U.CDialog::GetMessageMap
00401DEC  JMP [<&MFC71U.#5178>]  ;  MFC71U.CWnd::PostNcDestroy
00401DF2  JMP [<&MFC71U.#4206>]  ;  MFC71U.CDialog::OnCancel
00401DF8  JMP [<&MFC71U.#4729>]  ;  MFC71U.CDialog::OnOK
00401DFE  JMP [<&MFC71U.#4884>]  ;  MFC71U.CTestCmdUI::SetText
00401E04  JMP [<&MFC71U.#4574>]  ;  MFC71U.CDialog::OnInitDialog
00401E0A  JMP [<&MFC71U.#1662>]  ;  MFC71U.CDialog::CreateIndirect
00401E10  JMP [<&MFC71U.#1661>]  ;  MFC71U.CDialog::CreateIndirect
00401E16  JMP [<&MFC71U.#1542>]  ;  MFC71U.CDialog::Create
00401E1C  JMP [<&MFC71U.#5908>]  ;  MFC71U.CDialog::SetOccDialogInfo
00401E22  JMP [<&MFC71U.#1611>]  ;  MFC71U.CWnd::CreateControlSite
00401E28  JMP [<&MFC71U.#1608>]  ;  MFC71U.CWnd::CreateControlContainer
00401E2E  JMP [<&MFC71U.#3940>]  ;  MFC71U.CWinThread::InitInstance
00401E34  JMP [<&MFC71U.#1392>]  ;  MFC71U.CDialog::CheckAutoCenter
00401E3A  JMP [<&MFC71U.#4238>]  ;  MFC71U.CWnd::OnChildNotify
00401E40  JMP [<&MFC71U.#5148>]  ;  MFC71U.CWnd::PostNcDestroy
00401E46  JMP [<&MFC71U.#1899>]  ;  MFC71U.CWnd::DefWindowProcW
00401E4C  JMP [<&MFC71U.#5067>]  ;  MFC71U.CWnd::OnWndMsg
00401E52  JMP [<&MFC71U.#6271>]  ;  MFC71U.CWnd::WindowProc
00401E58  JMP [<&MFC71U.#4179>]  ;  MFC71U.CWnd::OnAmbientProperty
00401E5E  JMP [<&MFC71U.#5199>]  ;  MFC71U.CDialog::PreTranslateMessage
00401E64  JMP [<&MFC71U.#3397>]  ;  MFC71U.CWnd::GetSuperWndProcAddr
00401E6A  JMP [<&MFC71U.#4716>]  ;  MFC71U.CWnd::OnNotify
00401E70  JMP [<&MFC71U.#4276>]  ;  MFC71U.CWnd::OnCommand
00401E76  JMP [<&MFC71U.#1591>]  ;  MFC71U.CWnd::CreateAccessibleProxy
00401E7C  JMP [<&MFC71U.#5956>]  ;  MFC71U.CWnd::SetProxy
00401E82  JMP [<&MFC71U.#5231>]  ;  MFC71U.CWnd::put_accValue
00401E88  JMP [<&MFC71U.#5229>]  ;  MFC71U.CWnd::put_accValue
00401E8E  JMP [<&MFC71U.#920>]   ;  MFC71U.CWnd::accDoDefaultAction
00401E94  JMP [<&MFC71U.#925>]   ;  MFC71U.CWnd::accHitTest
00401E9A  JMP [<&MFC71U.#929>]   ;  MFC71U.CWnd::accNavigate
00401EA0  JMP [<&MFC71U.#927>]   ;  MFC71U.CWnd::accLocation
00401EA6  JMP [<&MFC71U.#931>]   ;  MFC71U.CWnd::accSelect
00401EAC  JMP [<&MFC71U.#2384>]  ;  MFC71U.CWnd::get_accDefaultAction
00401EB2  JMP [<&MFC71U.#2404>]  ;  MFC71U.CWnd::get_accSelection
00401EB8  JMP [<&MFC71U.#2388>]  ;  MFC71U.CWnd::get_accFocus
00401EBE  JMP [<&MFC71U.#2394>]  ;  MFC71U.CWnd::get_accKeyboardShortcut
00401EC4  JMP [<&MFC71U.#2392>]  ;  MFC71U.CWnd::get_accHelpTopic
00401ECA  JMP [<&MFC71U.#2390>]  ;  MFC71U.CWnd::get_accHelp
00401ED0  JMP [<&MFC71U.#2407>]  ;  MFC71U.CWnd::get_accState
00401ED6  JMP [<&MFC71U.#2402>]  ;  MFC71U.CWnd::get_accRole
00401EDC  JMP [<&MFC71U.#2386>]  ;  MFC71U.CWnd::get_accDescription
00401EE2  JMP [<&MFC71U.#2409>]  ;  MFC71U.CWnd::get_accValue
00401EE8  JMP [<&MFC71U.#2397>]  ;  MFC71U.CWnd::get_accName
00401EEE  JMP [<&MFC71U.#2379>]  ;  MFC71U.CWnd::get_accChild
00401EF4  JMP [<&MFC71U.#2381>]  ;  MFC71U.CWnd::get_accChildCount
00401EFA  JMP [<&MFC71U.#2399>]  ;  MFC71U.CWnd::get_accParent
00401F00  JMP [<&MFC71U.#2169>]  ;  MFC71U.CWnd::EnsureStdObj
00401F06  JMP [<&MFC71U.#2163>]  ;  MFC71U.CWnd::EndModalLoop
00401F0C  JMP [<&MFC71U.#1513>]  ;  MFC71U.CWnd::ContinueModal
00401F12  JMP [<&MFC71U.#6273>]  ;  MFC71U.CWnd::WinHelpInternal
00401F18  JMP [<&MFC71U.#3796>]  ;  MFC71U.CWnd::HtmlHelpW
00401F1E  JMP [<&MFC71U.#6275>]  ;  MFC71U.CWnd::WinHelpW
00401F24  JMP [<&MFC71U.#3339>]  ;  MFC71U.CCmdTarget::GetExtraConnectionPoints
00401F2A  JMP [<&MFC71U.#4961>]  ;  MFC71U.CWnd::OnToolHitTest
00401F30  JMP [<&MFC71U.#1353>]  ;  MFC71U.CWnd::CalcWindowRect
00401F36  JMP [<&MFC71U.#5171>]  ;  MFC71U.CWnd::PreCreateWindow
00401F3C  JMP [<&MFC71U.#1955>]  ;  MFC71U.CWnd::DestroyWindow
00401F42  JMP [<&MFC71U.#1647>]  ;  MFC71U.CWnd::CreateEx
00401F48  JMP [<&MFC71U.#1646>]  ;  MFC71U.CWnd::CreateEx
00401F4E  JMP [<&MFC71U.#1590>]  ;  MFC71U.CWnd::Create
00401F54  JMP [<&MFC71U.#5196>]  ;  MFC71U.CWnd::PostNcDestroy
00401F5A  JMP [<&MFC71U.#2856>]  ;  MFC71U.CWnd::GetInterfaceMap
00401F60  JMP [<&MFC71U.#4480>]  ;  MFC71U.CWnd::OnFinalRelease
00401F66  JMP [<&MFC71U.#4256>]  ;  MFC71U.CDialog::OnCmdMsg
00401F6C  JMP [<&MFC71U.#3176>]  ;  MFC71U.CDialog::GetRuntimeClass
00401F72  JMP [<&MFC71U.#354>]   ;  MFC71U.CDialog::CDialog
00401F78  JMP [<&MFC71U.#6232>]  ;  MFC71U.CWnd::UpdateData
00401F7E  JMP [<&MFC71U.#1079>]  ;  MFC71U.AfxGetModuleState
00401F84  JMP [<&MFC71U.#2365>]  ;  MFC71U.CMenu::FromHandle
00401F8A  JMP [<&MFC71U.#1894>]  ;  MFC71U.CWnd::Default
00401F90  JMP [<&MFC71U.#1545>]  ;  MFC71U.CEdit::Create
00401F96  JMP [<&MFC71U.#5911>]  ;  MFC71U.CCmdTarget::GetExtraConnectionPoints
00401F9C  JMP [<&MFC71U.#1393>]  ;  MFC71U.CFrameWnd::IsFrameWnd
00401FA2  JMP [<&MFC71U.#5210>]  ;  MFC71U.CWnd::PreTranslateMessage
00401FA8  JMP [<&MFC71U.#2985>]  ;  MFC71U.CWnd::GetThisMessageMap
00401FAE  JMP [<&MFC71U.#3189>]  ;  MFC71U.CEdit::GetThisClass
00401FB4  JMP [<&MFC71U.#572>]   ;  MFC71U.CWnd::CWnd
00401FBA  JMP [<&MFC71U.#1058>]  ;  MFC71U.AfxFindResourceHandle
00401FC0  JMP [<&MFC71U.#1883>]  ;  MFC71U.DDX_Text
00401FC6  JMP [<&MFC71U.#1784>]  ;  MFC71U.DDX_Check
00401FCC  JMP [<&MFC71U.#1785>]  ;  MFC71U.DDX_Control
00401FD2  JMP [<&MFC71U.#2155>]  ;  MFC71U.CWnd::EnableWindow
00401FD8  JMP [<&MFC71U.#4743>]  ;  MFC71U.CDialog::OnPaint
00401FDE  JMP [<&MFC71U.#709>]   ;  MFC71U.CPaintDC::~CPaintDC
00401FE4  JMP [<&MFC71U.#501>]   ;  MFC71U.CPaintDC::CPaintDC



  MohammadHosein     May 29, 2007 10:53.38 CDT
http://www.determina.com/security.research/presentations/index.html#recon06

  ogami     May 29, 2007 23:09.20 CDT
Thanks a lot for the help. I did see that igorsk had posted on the MFC42 ordinals thread, but variations of the search query to find the def files resulted in failure. I'll keep looking.

anonymouse, your olly plugin is amazing, nice work, and thanks for the pointers. However, for this library the symbols still do not resolve; I am wondering if it is a custom dll, although that seems kind of outlandish. I am going to get my hands on another version of the dll tomorrow and hopefully I can test this out.

MohammadHosein, thanks for the link, that's an excellent paper.
Sorry if this doesn't make sense. I'm kinda tired.

  anonymouse     May 30, 2007 02:22.17 CDT
I won't say my plugin is amazing; it has its own set of glitches, but it does work OK, so I would put it in the category of something is better than nothing

a few glitches I would like to point out are:
it doesn't always label correctly when it is labelling a relocated dll

1) try loading hal.dll or ntoskrnl.exe and load their pdb
you will see the names are resolved to 0x8010000 for hal
while ollydbg actually loaded it in 0x10000

2) you will see ollydbg creating a few .udds which would be discarded in the next session for the dlls whose pdbs were loaded
you would be forced to do real analysis with ctrl+a for the labels to be intact in following sessions

and a few more irritants exist

but it works 80/20

also, in its present form it doesn't understand TypeInformation, Tags, etc.; it only understands and works with PUBLIC NAMES


what do you mean by doesn't resolve?

are you saying ollydbg still shows call mfc42u.#1234
after you loaded the pdbs?

if that's the case, yes, you need to rename the ExportLabel
NM_LABEL that was put there by ollydbg automatically to its real name, either manually or with some kind of script

you can check JoeStewart's VB HELPER plugin which does that magic of renaming MSVBVM.!@#$ to its pdb names with a simple signature scan

or you can write an ollyscript script to extract NM_COMMENT on jmp tables and convert them to NM_LABEL|NM_EXPORT

or you could rather paste a small snippet so that I can try visualising what the problem is

to confirm if the pdb names have been resolved

do right click -> search for names in current module (ctrl+n)

it should show several extra LIBRARY names
in the display

  ogami     June 1, 2007 23:06.04 CDT
I will need to rename the NM_LABEL I think (I'll have to search around how to do that). After loading the pdb, I searched for names in the current module and none of them were resolved.

I wrote a bad python script for IDA to map some of the ordinals to symbols:
http://www.openrce.org/blog/browse/ogami

But it would be so nice to have symbols in Olly :). Hopefully I can get a chance to work on it tomorrow.

  anonymouse     June 2, 2007 12:29.14 CDT
> ogami:  I searched for names in the current module and none of them were resolved.
>

by current module I meant you search in mfc71u.dll :) not in your application

and in your application it still would show mfc71u.2865
as ollydbg has autogenerated labels :)

  moyix   September 30, 2008 12:04.46 CDT
Does symchk.exe give any helpful messages in this case? The symbols really should be on the MS symbol server if they were distributed by MS at some point...

  frankboldewin     October 1, 2008 02:41.35 CDT
here is a very good symbol finder for the command line.

http://rapidshare.com/files/139779186/SymbolFinder.zip.html

the needed pdb files from the Microsoft site will be stored in C:\Symbols,
so be sure to have internet access while trying.

e.g. for msvcr71.dll the command looks like below:

symbolfinder -a msvcr71.dll 0
