
dummys 12-09-2015 05:56

Help on Reverse engineering MFC binaries
 
Hi guyz,

I'm reversing an application written in MFC (statically linked) and it's a pain in the ass. I have already read and experimented with the https://tuts4you.com/download.php?view.2509 by Externalist and https://quequero.org/2008/08/guidelines-to-mfc-reversing/ but still can't find what I'm looking for. I have successfully found many AFX_MSGMAP tables, used a script to parse them, and found several handlers for resources. The problem is:

.rdata:00440890 AFX_MSGMAP_ENTRY <111h, 0, 41Dh, 41Dh, 0Ch, offset sub_42C4BC>

Here the resource ID must be 0x41d (1053), but I can't find it with Resource Hacker. So where do I find this resource ID?
For example, I found the function of a button called "ok", but the only thing it does is call CDialog::OnOK. If I look at the MS doc: https://msdn.microsoft.com/en-us/en-EN/library/66b3y2ab.aspx it says: "Override this method to perform actions when the OK button is activated"
My question is: how can I find out whether this function is overridden, and how can I find the handler function?
Thanks.

Syoma 12-09-2015 20:15

OnOK is not the only method that can be used to check something. Look inside all the other class methods too. Also, try debugging it and checking the call stack.

BlackWhite 12-12-2015 14:27

The resource may be created on the fly.
(1) In OllyDbg, you can View->Window to check that button's ID.
(2) Why don't you set a breakpoint on sub_42C4BC to figure out
who triggered this message processing?

TQN 12-13-2015 10:34

// Entries in a message map (a 'AFX_MSGMAP_ENTRY') table can be of 9 formats
//
// 1) control notification message (i.e. in response to WM_COMMAND)
// WM_COMMAND, nNotifyCode, nControlID, nControlID, signature type, parameterless member function
// (eg: WM_COMMAND, LBN_SELCHANGE, IDC_LISTBOX, AfxSig_vv, ... )
// 2) control notification message range (i.e. in response to WM_COMMAND)
// WM_COMMAND, nNotifyCode, nControlIDFirst, nControlIDLast, signature type, parameterless member function
// (eg: WM_COMMAND, LBN_SELCHANGE, IDC_LISTBOX1, IDC_LISTBOX5, AfxSig_vw, ... )
// 3) WM_NOTIFY notification
// WM_NOTIFY, nNotifyCode, nControlID, nControlID, signature type, ...
// 4) Update Command UI
// -1, 0, nControlID, 0, signature Unknown, parameterless member function
// 5) Update Command UI Range
// -1, 0, nControlIDFirst, nControlIDLast, signature Unknown, parameterless member function
// 6) menu/accelerator notification message (i.e. special case of first format)
// WM_COMMAND, 0, nID, 0, signature type, parameterless member function
// (eg: WM_COMMAND, 0, IDM_FILESAVE, 0, AfxSig_vv, ... )
// 7) menu/accelerator notification message range
// WM_COMMAND, 0, nIDFirst, nIDLast, signature type, parameterless member function
// (eg: WM_COMMAND, 0, IDM_FILE_MRU1, IDM_FILE_MRU4, AfxSig_vw, ... )
// 8) constant windows message
// nMessage, 0, 0, 0, signature type, member function
// (eg: WM_PAINT, 0, ...)
// 9) variable windows message (using RegisterWindowMessage)
// 0xC000, 0, 0, 0, &nMessage, special member function
//
// The end of the message map is marked with a special value
// 0, 0, AfxSig_end, 0
/////////////////////////////////////////////////////////////////////////////

// Naming scheme:
// <signature> -> AfxSig_<ReturnType>_<WPARAMType>_<LPARAMType>
// <ReturnType> -> b (BOOL)
// h (HANDLE)
// v (void)
// i (int)
// l (LRESULT)
// <WPARAMType>, <LPARAMType> -> one of the following codes:
// b - BOOL
// D - CDC*
// W - CWnd*
// w - UINT
// h - handle
// i - int
// s - LPTSTR
// v - void
// l - LPARAM
// M - CMenu*
// p - CPoint
// POS - WINDOWPOS*
// CALC - NCCALCSIZE_PARAMS*
// NMHDR - NMHDR*
// HELPINFO - HELPINFO*
// SIZING - LPRECT
// cmdui - CCmdUI*
// CDS - COPYDATASTRUCT*
// s - short
// by - byte

/*
 * Handler signature codes stored in the 5th field of an AFX_MSGMAP_ENTRY.
 *
 * Apart from AfxSig_end, every enumerator is positional: its numeric value is
 * simply its index in this list. A signature code read out of a binary's
 * message map therefore identifies a handler prototype only relative to the
 * enum layout of the MFC version that binary was linked against. The "Old"
 * alias block maps the legacy AfxSig_xx names onto the current entries;
 * presumably earlier MFC releases enumerated those legacy names in that order,
 * so the same index can denote a different prototype across versions --
 * confirm against the headers of the MFC version actually found in the target.
 */
enum AfxSig
{
    AfxSig_end = 0,                     /* marks end of message map */

    AfxSig_b_D_v,                       /* BOOL (CDC*) */
    AfxSig_b_b_v,                       /* BOOL (BOOL) */
    AfxSig_b_u_v,                       /* BOOL (UINT) */
    AfxSig_b_h_v,                       /* BOOL (HANDLE) */
    AfxSig_b_W_uu,                      /* BOOL (CWnd*, UINT, UINT) */
    AfxSig_b_W_COPYDATASTRUCT,          /* BOOL (CWnd*, COPYDATASTRUCT*) */
    AfxSig_b_v_HELPINFO,                /* BOOL (LPHELPINFO) */
    AfxSig_CTLCOLOR,                    /* HBRUSH (CDC*, CWnd*, UINT) */
    AfxSig_CTLCOLOR_REFLECT,            /* HBRUSH (CDC*, UINT) */
    AfxSig_i_u_W_u,                     /* int (UINT, CWnd*, UINT) -- ?TOITEM */
    AfxSig_i_uu_v,                      /* int (UINT, UINT) */
    AfxSig_i_W_uu,                      /* int (CWnd*, UINT, UINT) */
    AfxSig_i_v_s,                       /* int (LPTSTR) */
    AfxSig_l_w_l,                       /* LRESULT (WPARAM, LPARAM) */
    AfxSig_l_uu_M,                      /* LRESULT (UINT, UINT, CMenu*) */
    AfxSig_v_b_h,                       /* void (BOOL, HANDLE) */
    AfxSig_v_h_v,                       /* void (HANDLE) */
    AfxSig_v_h_h,                       /* void (HANDLE, HANDLE) */
    AfxSig_v_v_v,                       /* void () */
    AfxSig_v_u_v,                       /* void (UINT) */
    AfxSig_v_u_u,                       /* void (UINT, UINT) */
    AfxSig_v_uu_v,                      /* void (UINT, UINT) */
    AfxSig_v_v_ii,                      /* void (int, int) */
    AfxSig_v_u_uu,                      /* void (UINT, UINT, UINT) */
    AfxSig_v_u_ii,                      /* void (UINT, int, int) */
    AfxSig_v_u_W,                       /* void (UINT, CWnd*) */
    AfxSig_i_u_v,                       /* int (UINT) */
    AfxSig_u_u_v,                       /* UINT (UINT) */
    AfxSig_b_v_v,                       /* BOOL () */
    AfxSig_v_w_l,                       /* void (WPARAM, LPARAM) */
    AfxSig_MDIACTIVATE,                 /* void (BOOL, CWnd*, CWnd*) */
    AfxSig_v_D_v,                       /* void (CDC*) */
    AfxSig_v_M_v,                       /* void (CMenu*) */
    AfxSig_v_M_ub,                      /* void (CMenu*, UINT, BOOL) */
    AfxSig_v_W_v,                       /* void (CWnd*) */
    AfxSig_v_v_W,                       /* void (CWnd*) */
    AfxSig_v_W_uu,                      /* void (CWnd*, UINT, UINT) */
    AfxSig_v_W_p,                       /* void (CWnd*, CPoint) */
    AfxSig_v_W_h,                       /* void (CWnd*, HANDLE) */
    AfxSig_C_v_v,                       /* HCURSOR () */
    AfxSig_ACTIVATE,                    /* void (UINT, CWnd*, BOOL) */
    AfxSig_SCROLL,                      /* void (UINT, UINT, CWnd*) */
    AfxSig_SCROLL_REFLECT,              /* void (UINT, UINT) */
    AfxSig_v_v_s,                       /* void (LPTSTR) */
    AfxSig_v_u_cs,                      /* void (UINT, LPCTSTR) */
    AfxSig_OWNERDRAW,                   /* void (int, LPTSTR), forces return TRUE */
    AfxSig_i_i_s,                       /* int (int, LPTSTR) */
    AfxSig_u_v_p,                       /* UINT (CPoint) */
    AfxSig_u_v_v,                       /* UINT () */
    AfxSig_v_b_NCCALCSIZEPARAMS,        /* void (BOOL, NCCALCSIZE_PARAMS*) */
    AfxSig_v_v_WINDOWPOS,               /* void (WINDOWPOS*) */
    AfxSig_v_uu_M,                      /* void (UINT, UINT, HMENU) */
    AfxSig_v_u_p,                       /* void (UINT, CPoint) */
    AfxSig_SIZING,                      /* void (UINT, LPRECT) */
    AfxSig_MOUSEWHEEL,                  /* BOOL (UINT, short, CPoint) */
    AfxSig_MOUSEHWHEEL,                 /* void (UINT, short, CPoint) */
    AfxSigCmd_v,                        /* void () */
    AfxSigCmd_b,                        /* BOOL () */
    AfxSigCmd_RANGE,                    /* void (UINT) */
    AfxSigCmd_EX,                       /* BOOL (UINT) */
    AfxSigNotify_v,                     /* void (NMHDR*, LRESULT*) */
    AfxSigNotify_b,                     /* BOOL (NMHDR*, LRESULT*) */
    AfxSigNotify_RANGE,                 /* void (UINT, NMHDR*, LRESULT*) */
    AfxSigNotify_EX,                    /* BOOL (UINT, NMHDR*, LRESULT*) */
    AfxSigCmdUI,                        /* void (CCmdUI*) */
    AfxSigCmdUI_RANGE,                  /* void (CCmdUI*, UINT) */
    AfxSigCmd_v_pv,                     /* void (void*) */
    AfxSigCmd_b_pv,                     /* BOOL (void*) */
    AfxSig_l,                           /* LRESULT () */
    AfxSig_l_p,                         /* LRESULT (CPOINT) */
    AfxSig_u_W_u,                       /* UINT (CWnd*, UINT) */
    AfxSig_v_u_M,                       /* void (UINT, CMenu*) */
    AfxSig_u_u_M,                       /* UINT (UINT, CMenu*) */
    AfxSig_u_v_MENUGETOBJECTINFO,       /* UINT (MENUGETOBJECTINFO*) */
    AfxSig_v_M_u,                       /* void (CMenu*, UINT) */
    AfxSig_v_u_LPMDINEXTMENU,           /* void (UINT, LPMDINEXTMENU) */
    AfxSig_APPCOMMAND,                  /* void (CWnd*, UINT, UINT, UINT) */
    AfxSig_RAWINPUT,                    /* void (UINT, HRAWINPUT) */
    AfxSig_u_u_u,                       /* UINT (UINT, UINT) */
    AfxSig_MOUSE_XBUTTON,               /* void (UINT, UINT, CPoint) */
    AfxSig_MOUSE_NCXBUTTON,             /* void (short, UINT, CPoint) */
    AfxSig_INPUTLANGCHANGE,             /* void (BYTE, UINT) */
    AfxSig_v_u_hkl,                     /* void (UINT, HKL) */
    AfxSig_INPUTDEVICECHANGE,           /* void (unsigned short) */

    /*
     * Legacy names. These are pure aliases onto the entries above and add
     * no new values of their own.
     */
    AfxSig_bD   = AfxSig_b_D_v,         /* BOOL (CDC*) */
    AfxSig_bb   = AfxSig_b_b_v,         /* BOOL (BOOL) */
    AfxSig_bWww = AfxSig_b_W_uu,        /* BOOL (CWnd*, UINT, UINT) */
    AfxSig_hDWw = AfxSig_CTLCOLOR,      /* HBRUSH (CDC*, CWnd*, UINT) */
    AfxSig_hDw  = AfxSig_CTLCOLOR_REFLECT, /* HBRUSH (CDC*, UINT) */
    AfxSig_iwWw = AfxSig_i_u_W_u,       /* int (UINT, CWnd*, UINT) */
    AfxSig_iww  = AfxSig_i_uu_v,        /* int (UINT, UINT) */
    AfxSig_iWww = AfxSig_i_W_uu,        /* int (CWnd*, UINT, UINT) */
    AfxSig_is   = AfxSig_i_v_s,         /* int (LPTSTR) */
    AfxSig_lwl  = AfxSig_l_w_l,         /* LRESULT (WPARAM, LPARAM) */
    AfxSig_lwwM = AfxSig_l_uu_M,        /* LRESULT (UINT, UINT, CMenu*) */
    AfxSig_vv   = AfxSig_v_v_v,         /* void (void) */

    AfxSig_vw   = AfxSig_v_u_v,         /* void (UINT) */
    AfxSig_vww  = AfxSig_v_u_u,         /* void (UINT, UINT) */
    AfxSig_vww2 = AfxSig_v_uu_v,        /* void (UINT, UINT) -- both come from wParam */
    AfxSig_vvii = AfxSig_v_v_ii,        /* void (int, int) -- wParam is ignored */
    AfxSig_vwww = AfxSig_v_u_uu,        /* void (UINT, UINT, UINT) */
    AfxSig_vwii = AfxSig_v_u_ii,        /* void (UINT, int, int) */
    AfxSig_vwl  = AfxSig_v_w_l,         /* void (UINT, LPARAM) */
    AfxSig_vbWW = AfxSig_MDIACTIVATE,   /* void (BOOL, CWnd*, CWnd*) */
    AfxSig_vD   = AfxSig_v_D_v,         /* void (CDC*) */
    AfxSig_vM   = AfxSig_v_M_v,         /* void (CMenu*) */
    AfxSig_vMwb = AfxSig_v_M_ub,        /* void (CMenu*, UINT, BOOL) */

    AfxSig_vW   = AfxSig_v_W_v,         /* void (CWnd*) */
    AfxSig_vWww = AfxSig_v_W_uu,        /* void (CWnd*, UINT, UINT) */
    AfxSig_vWp  = AfxSig_v_W_p,         /* void (CWnd*, CPoint) */
    AfxSig_vWh  = AfxSig_v_W_h,         /* void (CWnd*, HANDLE) */
    AfxSig_vwW  = AfxSig_v_u_W,         /* void (UINT, CWnd*) */
    AfxSig_vwWb = AfxSig_ACTIVATE,      /* void (UINT, CWnd*, BOOL) */
    AfxSig_vwwW = AfxSig_SCROLL,        /* void (UINT, UINT, CWnd*) */
    AfxSig_vwwx = AfxSig_SCROLL_REFLECT, /* void (UINT, UINT) */
    AfxSig_vs   = AfxSig_v_v_s,         /* void (LPTSTR) */
    AfxSig_vOWNER = AfxSig_OWNERDRAW,   /* void (int, LPTSTR), forces return TRUE */
    AfxSig_iis  = AfxSig_i_i_s,         /* int (int, LPTSTR) */
    AfxSig_wp   = AfxSig_u_v_p,         /* UINT (CPoint) */
    AfxSig_wv   = AfxSig_u_v_v,         /* UINT (void) */
    AfxSig_vPOS = AfxSig_v_v_WINDOWPOS, /* void (WINDOWPOS*) */
    AfxSig_vCALC = AfxSig_v_b_NCCALCSIZEPARAMS, /* void (BOOL, NCCALCSIZE_PARAMS*) */
    AfxSig_vNMHDRpl  = AfxSigNotify_v,  /* void (NMHDR*, LRESULT*) */
    AfxSig_bNMHDRpl  = AfxSigNotify_b,  /* BOOL (NMHDR*, LRESULT*) */
    AfxSig_vwNMHDRpl = AfxSigNotify_RANGE, /* void (UINT, NMHDR*, LRESULT*) */
    AfxSig_bwNMHDRpl = AfxSigNotify_EX, /* BOOL (UINT, NMHDR*, LRESULT*) */
    AfxSig_bHELPINFO = AfxSig_b_v_HELPINFO, /* BOOL (HELPINFO*) */
    AfxSig_vwSIZING  = AfxSig_SIZING,   /* void (UINT, LPRECT) -- return TRUE */

    /* Signatures specific to CCmdTarget. */
    AfxSig_cmdui  = AfxSigCmdUI,        /* void (CCmdUI*) */
    AfxSig_cmduiw = AfxSigCmdUI_RANGE,  /* void (CCmdUI*, UINT) */
    AfxSig_vpv    = AfxSigCmd_v_pv,     /* void (void*) */
    AfxSig_bpv    = AfxSigCmd_b_pv,     /* BOOL (void*) */

    /* Further aliases, chosen by how the dispatcher implements them. */
    AfxSig_vwwh = AfxSig_v_uu_M,        /* void (UINT, UINT, HMENU) */
    AfxSig_vwp  = AfxSig_v_u_p,         /* void (UINT, CPoint) */
    AfxSig_bw   = AfxSig_b_u_v,         /* BOOL (UINT) */
    AfxSig_bh   = AfxSig_b_h_v,         /* BOOL (HANDLE) */
    AfxSig_iw   = AfxSig_i_u_v,         /* int (UINT) */
    AfxSig_ww   = AfxSig_u_u_v,         /* UINT (UINT) */
    AfxSig_bv   = AfxSig_b_v_v,         /* BOOL (void) */
    AfxSig_hv   = AfxSig_C_v_v,         /* HANDLE (void) */
    AfxSig_vb   = AfxSig_vw,            /* void (BOOL) */
    AfxSig_vbh  = AfxSig_v_b_h,         /* void (BOOL, HANDLE) */
    AfxSig_vbw  = AfxSig_vww,           /* void (BOOL, UINT) */
    AfxSig_vhh  = AfxSig_v_h_h,         /* void (HANDLE, HANDLE) */
    AfxSig_vh   = AfxSig_v_h_v,         /* void (HANDLE) */
    AfxSig_viSS = AfxSig_vwl,           /* void (int, STYLESTRUCT*) */
    AfxSig_bwl  = AfxSig_lwl,           /* same dispatch as LRESULT (WPARAM, LPARAM) */
    AfxSig_vwMOVING = AfxSig_vwSIZING,  /* void (UINT, LPRECT) -- return TRUE */

    AfxSig_vW2   = AfxSig_v_v_W,        /* void (CWnd*) -- CWnd* comes from lParam */
    AfxSig_bWCDS = AfxSig_b_W_COPYDATASTRUCT, /* BOOL (CWnd*, COPYDATASTRUCT*) */
    AfxSig_bwsp  = AfxSig_MOUSEWHEEL,   /* BOOL (UINT, short, CPoint) */
    AfxSig_vws   = AfxSig_v_u_cs        /* void (UINT, LPCTSTR) */
};

