Cpp Reversing
Most of this requires IDA Pro + Hex-Rays.
https://blog.0xbadc0de.be/archives/67 https://alschwalm.com/blog/static/2016/12/17/reversing-c-virtual-functions/ https://alschwalm.com/blog/static/2017/01/24/reversing-c-virtual-functions-part-2-2/
You need to do more work depending on whether your binary is stripped or not.
The basic concepts are as follows:
- Each subclass will have a structure like
With the parent classes first. Each parent class will have a vtable, containing function pointers. Next are the member variables for the parent class, and then the member variables for the subclass.
You can create structs in IDA in the Structs Subview (Subviews -> Structs). The shortcut is Shift-F9.
When creating structs for C++ classes in IDA, the first member will be a vtable ptr, and the next will be the parent's member variables.
You might want to create the structures as follows:
For each class, define a classXX_members, classXX_vtable, classXX structure. classXX contains
- +++ vtable (typed to classXX_vtable *)
- +++ classXX-1_members (members of the superclass)
- +++ classXX_members, if any classXX_vtable contains
- +++classXX-1_vtable
- +++classXX’s vptrs, if any
In the Bat example, the Bird and Mammal vtables can be separated by a negative 'Offset to Top'. This Offset to Top component of the vtable allows us to easily identify vtable groups. A group will consist of those consecutive vtables that have decreasing values in the Offset to Top.
To identify constructors in C++, note that they will:
- Invoke the parent class's constructors
- Initialize the vptr(s) to point to this type's vtable(s)
- Initialize the members of the object
- Run whatever other code is in the constructor
The destructor performs essentially the opposite steps:
- Set the vptr(s) to point to this type's vtable(s)
- Run whatever other code is in the destructor
- Destroy the members of the object
- Invoke the parent class's destructor