MFC100.dll export functions

[zhgong007]

HI, all
ask you guys a silly question:
I have an app which uses mfc100's export functions, but the function is exported as numbers instead of names, How could I quickly know the actually funtionality for each function ? many thanks

below show some extracted codes:

0018D9F8 |. FF15 68DA2700 call dword ptr ds:[<&mfc100.#7487>] ; mfc100.6736D7FF
0018D9FE |. 50 push eax
0018D9FF |. 8BCF mov ecx,edi
0018DA01 |. C745 FC 02000>mov [local.1],2
0018DA08 |. FF15 E4DA2700 call dword ptr ds:[<&mfc100.#1313>] ; mfc100.67363EB9
0018DA0E |. 8D4D 10 lea ecx,[arg.3]
0018DA11 |. FF15 CCDD2700 call dword ptr ds:[<&mfc100.#901>] ; mfc100.673682A2

[sendersu]

here is my set of tools for fixing MFC XXX (4.2, 8.0, 9.0, 10.0) as *.idc for IDA
Entry point: FixMfcImports.idc and then answer questions as it asks
enjoy

http://www.sendspace.com/file/3iqgve

Note: the set if not full, if you wish to create some other MFCxxx support, here is the recipe:

1) dumpbin /exports mfc100u.lib > mfc100u.def
2) using following regex: ^\s+(\d+)\s+([^\s]{1,})(.*) -> \2 @ \1 NONAME

[zhgong007]

all right, many thanks

[zhgong007]

it is working well, but note that one line in the IDC file needs to be edited, i.e., changing
dll prefix name from MFC71 to mfc100.
minor issue: I produce a map file from IDA, and then load the map into olldbg using loadmap plugin, but the symbol info for MFC100.dll are not loaded into olldbg. I know it is not sendersu's tool issue though.

[sendersu]

Hi, thanks
some questions
1) regarding MFC71, if you referring to line
>strPrefix = AskStr(strPrefix, "Check library version and postfix: U|D|UD (Ex.: MFC71UD)");
then it is not hardcoded, it is just an example for the end-user, user has to put his line by him/herself
2) have you tried mapimp plugin for importing *.map into Olly?
last time it was hosted here
http://code.google.com/p/mapimp/
but I can't reach it anymore...

[TechLord]

here is my set of tools for fixing MFC XXX (4.2, 8.0, 9.0, 10.0) as *.idc for IDA

@sendersu:

Was also struggling to find a way to achieve the fix of the MFC to names. Was afraid to ask as I thought that it would be a silly question

Am happy to know that it isn't such a silly question after all.

Was trying to create .sig files to achieve, but now I know that there is a better way (and maybe a more correct way) to achieve it.

Many thanks

[zhgong007]

my question is actually quite common for sure
for beginners (like me), may spend years finding the solution, but for masters, it may be just seconds. however, the key thing is if those "masters" would like to share knowledges. although there is a tendency that the sharing spirit is now basically dead in the reverse community, there are still some good masters like Sendersu, zeuscane, and zementmischer( sorry your name is difficult to print), who are really helpful to help newbies and share reversing knowledges.

[zhgong007]

Quote:

Originally Posted by sendersu

Hi, thanks
some questions
1) regarding MFC71, if you referring to line
>strPrefix = AskStr(strPrefix, "Check library version and postfix: U|D|UD (Ex.: MFC71UD)");
then it is not hardcoded, it is just an example for the end-user, user has to put his line by him/herself

yes, I know that, and this is what I mean.

Quote:

Originally Posted by sendersu

2) have you tried mapimp plugin for importing *.map into Olly?
last time it was hosted here
http://code.google.com/p/mapimp/
but I can't reach it anymore...

I'll try, and thanks again for this

[zhgong007]

neither loadmap nor mapimp plugin is working for loading the mfc100 symbol info form IDA to olldbg. however, there is a different way to make it work. get a copy of mfc100.lib from vs2010, and put it somewhere in your olldbg folder. start your app using olldbg, and then click the menu-->debug-->select symbol path (i.e. the path where mfc100.lib). after you have set the path for the file, you can click "select imported lib" from the debug menu again, add mfc100 into the lib list, and then click "process". restart your app using olldbg, all symbol info for mfc100 dll can be loaded into your app.
sorry, my ollydbg is in chinese

[sendersu]

By the way, here is the latest edition of great mapimp OllyDbg plugin

https://www.dropbox.com/sh/zz2hranew0usqmn/wPL2w_Yr7l

@zhgong007
could you upload your *.map files that were Not OK with Olly?
just curious what is wrong (supposing you create these using IDA6.1, right?)

thanks

[zhgong007]

yes, I create the map using IDA61. the only reason why both two plugins are not working, I think, are that they both didn't handle when an app may have variable OEP. maybe I am wrong. I didn't chek it for a PE with fixed entry point.

[sendersu]

@all:
could you send me please the mfc110*.lib for Intel and amd64 dirs
same question goes to mfc70*.lib, mfc71*.lib and odl good mfc40*.lib

I'll create the complete tool and we'll close this issue once and forever, gentlemen
Thanks.
P.S. all those libs could be copied from correspondent Visual Studio installation.
Right now I've only VS2010 SP1 (which corresponds to mfc100xxx) and I'll update it as well.

[zhgong007]

and one suggesition for your idc plugin:

the dll name seems to be Case-sensitive--I have tried it a number of times, until I realize it is due to case sensitive issue.

[zhgong007]

free idc for MFC70, MFC71, and MFC80
link:
http://assarbad.net/en/stuff/IDA.idc/

[zhgong007]

lib collections for MFC90 and MFC100, I have uploaded here:

http://www.4shared.com/zip/LklhV0km/mfc90x.html

http://www.4shared.com/zip/ZmIUDUKN/mfc100_lib.html