Reversing C++ Object

Hi All,

After a long journey in the reverse engineering world, which requires us to never stop learning.

Today I am going to give you an introduction to reversing C++, the language most malware is actually written in. The main difference between C and C++ is that C++ supports object oriented programming features such as classes.

As an example, I have a small application written in C++ that defines a class, shown below (main.cpp, Person.h and Person.cpp).

// main.cpp
#include <iostream>
#include "Person.h"   // project header: quoted include, not <Person.h>

using namespace std;

int main()
{
    Person * Rio = new Person();
    int result = Rio->getAge_time(2);
    cout << "a is equal to:" << result << endl;
    int hair = Rio->get_hair_color();
    cout << "Rio hair Color" << hair << endl;
    delete Rio;   // release the heap object (calls the virtual destructor)
    return 0;
}

// Person.h
#ifndef PERSON_H
#define PERSON_H
#include <iostream>

using namespace std;

class Person
{
    int height;
    int weight;
    int hair_color;
    int age;

    public:
        Person();
        virtual ~Person();
        int getAge_time(int var);
        int get_hair_color();

    protected:

    private:
};

#endif // PERSON_H

// Person.cpp
#include "Person.h"

Person::Person()
{
    weight = 2;
    height = 1;
    hair_color = 5;
    age = 35;

}

Person::~Person()
{
    //dtor
}

int Person::getAge_time(int var)
{
    return age*var;
}

int Person::get_hair_color()
{
    return hair_color;
}

If we look at the assembly code of the compiled PE, we can see that nothing object oriented is left: a call on the object looks like an ordinary function call in C code.

Below is the object's constructor function.

From the above code alone it is not clear which object fields are being assigned. We can convert it into a struct with all the fields by resetting the pointer type.

Below is the constructor after resetting the pointer value.

Create a new structure based on the value assignments below.

IDA will detect the structure automatically from the value assignments in this function. We can then give each structure member a name.

We can see that the function call looks just like any other C function call. But before the call there is an assignment to ECX and a push to the stack of the parameter. That is the sign of an object oriented function call: the `this` pointer, which the x86 thiscall convention passes in ECX.

The above code shows how IDA restructures the code once you have added the new structure object.

If you put a breakpoint at this function, you can see that IDA maps the values of the structure and shows them in the Locals window.
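To make concrete what the recovered structure and the "C-style" call correspond to, here is an added example (not code from the original post) that compiles the same Person class, overlays a plain struct on the live object the way a reverser would in IDA, and rewrites the member call as a free function taking `this` explicitly. The struct name PersonLayout and the function Person_getAge_time are my own; the field order assumes the usual Itanium/MSVC layout where the vtable pointer comes first because the destructor is virtual.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>

// Same class as in the post, inlined so the example is self-contained.
class Person {
    int height; int weight; int hair_color; int age;
public:
    Person() { weight = 2; height = 1; hair_color = 5; age = 35; }
    virtual ~Person() {}
    int getAge_time(int var) { return age * var; }
    int get_hair_color() { return hair_color; }
};

// What the reverser recovers in IDA: a plain struct (hypothetical name).
// The virtual destructor makes the compiler put the vtable pointer at
// offset 0; the data members follow in declaration order.
struct PersonLayout {
    void* vptr;
    int height;
    int weight;
    int hair_color;
    int age;
};

// The "C view" of a member call: `this` becomes an explicit first argument
// (ECX under x86 thiscall). Same arithmetic as Person::getAge_time.
int Person_getAge_time(const PersonLayout* self, int var) {
    return self->age * var;
}

// Copy the live object's bytes into the recovered struct, as if resetting
// the pointer type in IDA. Sizes are checked at compile time.
PersonLayout dump_layout(const Person& p) {
    static_assert(sizeof(Person) == sizeof(PersonLayout), "layout mismatch");
    PersonLayout out;
    std::memcpy(&out, &p, sizeof(out));
    return out;
}

int main() {
    Person rio;
    PersonLayout l = dump_layout(rio);
    std::cout << "vptr at offset " << offsetof(PersonLayout, vptr)
              << ", age at offset " << offsetof(PersonLayout, age) << "\n";
    std::cout << "age*2 via C-style call: " << Person_getAge_time(&l, 2) << "\n";
    return 0;
}
```

Setting a breakpoint in the constructor and watching the writes at these offsets is exactly what the Locals window displays once the struct has been applied.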

All right, I think that is all for now. I will continue with the details in the next post.
