Flag: Tornado! Hurricane!


Article Abstract Microsoft Visual C++ is the most widely used compiler for Win32 so it is important for the Win32 reverser to be familiar with its inner working. Being able to recognize the compiler-generated glue code helps to quickly concentrate on the actual code written by the programmer. It also helps in recovering the high-level structure of the program.

In part II of this 2-part article (see also: Part I: Exception Handling), I will cover how C++ machinery is implemented in MSVC, including classes layout, virtual functions, RTTI. Familiarity with basic C++ and assembly language is assumed.

Full Article ...    Printer Friendly ...

Article Comments
linestyle Posted: Thursday, September 21 2006 20:02.11 CDT
great work!!:)

MohammadHosein Posted: Friday, September 22 2006 15:23.54 CDT
actually didnt read the whole article yet , but seems very informative . the undocumented VC's switch was very interesting , would you like to share how did you find it and are there any other undocumented switches ? :)

igorsk Posted: Friday, September 22 2006 16:30.48 CDT
Well, I was disassembling c1xx to check how it does certain things and sort of stumbled upon it. There are a lot of hidden options, but I didn't really investigate them that much. Here's a page that has a huge list with some described:
http://members.ozemail.com.au/[email protected]/samples/programming/msvc/cl/

dnix Posted: Tuesday, August 19 2008 03:32.23 CDT
wonder whether these structures found by these scripts could be added to the IDA structures so one choose them from add struct var

Sirmabus Posted: Wednesday, December 24 2008 00:45.52 CST
Thanks the vtable finder/namer script functionality is great help. In particular over a very large target with over a 1000 vtables.

I read the article some time ago, but finally got around to experimenting.
It's probably way over looked, people probably don't know how usefull it is on such targets with lots of vtables.  You have to try it to understand..

I think I may expand the idea into a plug-in and add some more features like a list/log window, etc.

Phenomenal work!






Sirmabus Posted: Thursday, January 22 2009 04:26.19 CST
<Here's my plug-in>

Externalist Posted: Thursday, January 29 2009 20:58.09 CST
I've also read this some time ago but never really got a chance to recognize the full power until recently when I got involved in a C++ reversing project.
This is truely awesome along with Part I of this article. I could say I gained tons from this. Thanks alot for the contribution!! And also, thanks for the plugin with extended features Sirmabus. :)

FloydTammie31 Posted: Sunday, September 12 2010 04:35.28 CDT
Houses are quite expensive and not everyone can buy it. Nevertheless, <a href="http://bestfinance-blog.com/topics/home-loans">home loans</a> are invented to support different people in such situations.

hwwh1999 Posted: Saturday, September 18 2010 10:04.12 CDT
Mark and study

tcljg2008 Posted: Saturday, December 18 2010 05:00.26 CST
very very good!

roczhang Posted: Thursday, March 3 2011 13:47.08 CST
Great paper. I have took almost two days to want to know the details how dynamic_cast work through RTTI.
I have tried to search some materials by google, but I failed. Because I don't know the key word, such as "RTTI Complete Object Locator".
So I try to do it by myself. I convert the C++ code to assemby code and find how the RTTI work.  Then I want to write it to share with others, but now I find your article.  Your artical is great! I feel I don't  need to write it any more.  Thank you.
Great artical.

qxsl2000 Posted: Wednesday, March 30 2011 03:47.06 CDT
it seems like c++ object hierarchy to be decomplied but disassemble through some tricks, this is incredible job, for ours aspiring c++ programmers.thank you so much!

EliteKnites Posted: Tuesday, May 10 2011 02:03.28 CDT
Thank you so much.. this paper gives a clear cut idea of RTTI and how the internal implementation is..
This gives me more interest on RTTI

EliteKnites Posted: Tuesday, May 10 2011 02:06.48 CDT
i have some doubts on this.. typeid is returning const type_info&.. but in type_info class implementation copy constructor and equalto operator is private mode how it is returning reference to us? can any one explain me about this ?

martinkro Posted: Tuesday, July 19 2011 06:58.50 CDT
great artical ,thank you!!

Shine Posted: Thursday, August 4 2011 21:23.55 CDT
good article��by what method do you trace it?

julyDragon919 Posted: Tuesday, August 7 2012 07:27.30 CDT
Hi!
you ve just made me smile!
i was having a long face before seeing your article.
thanks! it was, is , will be helpful!

cl001 Posted: Monday, May 6 2013 02:13.31 CDT
Lululemon Outlet numbers Fashion Lululemon Sale styles of Lululemon UK cheap.


Add New Comment
Comment:










There are 31,319 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit