1 MFC implementation process
1.1 Environment support
- VS 2017
- afxwin.h, afxdialogex.h
1.2 Analysis
VS provides a "Disassembly" window, and breakpoints, Step Over and Step Into work there just as they do in the normal debug view.
With a build that carries full debug information you can step over or into every call, see which system or library API each step reaches, obtain a call stack trace, and so on.
1.3 Practice
1.3.1 Creating an MFC program
The main work is overriding CWinApp::InitInstance() and writing a custom dialog class (to get a simple interface).
Note: I have not listed the dialog resource file, because there is only one dialog box with a single button.
My demo is as follows:
- Custom program entry
//CMyWinApp.cpp
#include "stdafx.h"
#include "mywinapp.h"
#include "wndDlg.h"

myWinapp App;   // the single global application object; MFC's WinMain locates it through AfxGetApp()

myWinapp::myWinapp() {}
myWinapp::~myWinapp() {}

BEGIN_MESSAGE_MAP(myWinapp, CWinApp)
END_MESSAGE_MAP()

BOOL myWinapp::InitInstance()
{
    CWinApp::InitInstance();      // let the base class initialise first

    wndDlg dlg;                   // stack object: no leak, destroyed when DoModal() returns
    m_pMainWnd = &dlg;
    dlg.DoModal();                // blocks until the dialog is closed

    // The dialog was the whole program, so return FALSE: MFC then exits
    // instead of entering the message loop.
    return FALSE;
}
- Custom dialog box
// wndDlg.cpp: implementation file
//
#include "stdafx.h"
#include "wndDlg.h"
#include "afxdialogex.h"
#include "resource.h"

// wndDlg dialog
IMPLEMENT_DYNAMIC(wndDlg, CDialogEx)

wndDlg::wndDlg(CWnd* pParent /*=nullptr*/) : CDialogEx(IDD_DIALOG1, pParent) {}
wndDlg::~wndDlg() {}

void wndDlg::DoDataExchange(CDataExchange* pDX)
{
    CDialogEx::DoDataExchange(pDX);
}

BEGIN_MESSAGE_MAP(wndDlg, CDialogEx)
    ON_BN_CLICKED(IDC_BUTTON1, &wndDlg::OnBnClickedButton1)
END_MESSAGE_MAP()

// wndDlg message handlers
void wndDlg::OnBnClickedButton1()
{
    // _T() keeps the literal correct in both Unicode and MBCS builds
    MessageBox(_T("hello Leibso-HUANGHAI/黄海"));
}
1.3.2 Key breakpoints and debugging
For example, suppose I want to find where the key function InitInstance() is.
1. Set the key breakpoint
Note: DoModal() shows a modal dialog box; if you press F10 when stopped here, Step Over only completes once the dialog has been closed.
2. Open the disassembly window
3. Examine the Call Stack window
Analysis: the call sequence of an MFC program is clearly WinMain() -> AfxWinMain() -> InitInstance()
Is that the end?
Not at all.
1.4 Turning to the MFC library source files
- Continuing from the steps above, keep pressing F10 in the disassembly window
- Until you step out of InitInstance()
- There we find an oasis: library code
- Scroll up with the middle mouse button and the path name of the current source file appears
- This is one of the MFC library source files
Note: the path shown here may not be the correct one on your machine (possibly because VS has been uninstalled and reinstalled repeatedly)
Solution: use a file search tool (I use Everything) and search by name for winmain.cpp
That is the file we want
Then open the file in VS, and you will find your breakpoint sitting clearly on top of the source code
2 Reverse
After reading the source we can see it is so complex that retracing every step from the entry function during reverse engineering would be a waste of effort.
So: use a signature.
2.1 Choosing a signature (for this example I still want to find InitInstance())
Just pick the key assembly instructions from the disassembly window; the more instructions you take, the more precise the match.
Note: the key code must not contain an address, because relocation can change such data and make the match unreliable.
Figure: the following instructions can serve as our signature:
mov eax,dword ptr [edx]
mov esi,esp
mov ecx,dword ptr [eax+58h]
mov dword ptr [ebp-24h],ecx
mov edi,esp
mov ecx,dword ptr [ebp-24h]
2.2 Signature search with a debugging tool (OD)
Using OD for dynamic debugging, search for the instruction sequence above and you land on the function's location.
Figure:
After breaking there, the function can be analysed dynamically.
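To make the two points of sections 2.1 and 2.2 concrete (pick register-only instructions, and wildcard anything that is an address), here is an added example of a signature scanner. It is not code from the original post; the byte encodings of the six instructions are the ones MSVC normally emits and are my assumption, and the "image" it scans is a constructed buffer, not a real binary. The brittle signature embeds the absolute operand of a following "mov ecx,[imm32]" and stops matching once the module is rebased; the robust signature replaces those four bytes with "??" and matches at both load addresses.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// One element of a signature: a concrete byte, or a wildcard ("??") that
// matches any byte. Wildcards cover bytes the loader relocates.
struct SigByte {
    uint8_t value;
    bool wildcard;
};

// Parse a space-separated pattern such as "8B 0D ?? ?? ?? ??".
// Returns an empty vector if a token is neither a hex pair nor "?"/"??".
std::vector<SigByte> ParseSignature(const std::string& text) {
    std::vector<SigByte> sig;
    size_t i = 0;
    while (i < text.size()) {
        if (text[i] == ' ') { ++i; continue; }
        if (text[i] == '?') {
            sig.push_back({0, true});
            while (i < text.size() && text[i] == '?') ++i;   // "?" and "??" both mean one byte
            continue;
        }
        unsigned value = 0;
        if (std::sscanf(text.c_str() + i, "%2x", &value) != 1) return {};
        sig.push_back({static_cast<uint8_t>(value), false});
        i += 2;
    }
    return sig;
}

// Scan `image` for `sig`; return the offset of the first match, or -1.
std::ptrdiff_t FindSignature(const std::vector<uint8_t>& image,
                             const std::vector<SigByte>& sig) {
    if (sig.empty() || sig.size() > image.size()) return -1;
    for (size_t base = 0; base + sig.size() <= image.size(); ++base) {
        size_t k = 0;
        while (k < sig.size() &&
               (sig[k].wildcard || image[base + k] == sig[k].value)) ++k;
        if (k == sig.size()) return static_cast<std::ptrdiff_t>(base);
    }
    return -1;
}

// Constructed image (not from a real binary): a short prologue, the six
// instructions the post uses as its signature (MSVC encodings assumed), then
// "mov ecx, dword ptr [absAddress]", whose 4-byte operand is an absolute
// address and so changes whenever the module is loaded at a different base.
std::vector<uint8_t> BuildSampleCode(uint32_t absAddress) {
    std::vector<uint8_t> code = {
        0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x24, 0x90, 0x90,  // push ebp / mov ebp,esp / sub esp,24h / nop nop
        0x8B, 0x02,                                      // mov eax, dword ptr [edx]
        0x8B, 0xF4,                                      // mov esi, esp
        0x8B, 0x48, 0x58,                                // mov ecx, dword ptr [eax+58h]
        0x89, 0x4D, 0xDC,                                // mov dword ptr [ebp-24h], ecx
        0x8B, 0xFC,                                      // mov edi, esp
        0x8B, 0x4D, 0xDC,                                // mov ecx, dword ptr [ebp-24h]
        0x8B, 0x0D,                                      // mov ecx, dword ptr [imm32]
    };
    for (int shift = 0; shift < 32; shift += 8)          // imm32 is little-endian
        code.push_back(static_cast<uint8_t>(absAddress >> shift));
    return code;
}

// The post's signature: register-relative instructions only, no absolute addresses.
const char* const kPageSignature =
    "8B 02 8B F4 8B 48 58 89 4D DC 8B FC 8B 4D DC";
// Extended with the next instruction *including* its address operand (brittle).
const char* const kBrittleSignature =
    "8B 02 8B F4 8B 48 58 89 4D DC 8B FC 8B 4D DC 8B 0D 40 23 41 00";
// Same instruction, address operand replaced by wildcards (robust).
const char* const kRobustSignature =
    "8B 02 8B F4 8B 48 58 89 4D DC 8B FC 8B 4D DC 8B 0D ?? ?? ?? ??";

// Offset of `pattern` in the sample module whose global sits at `absAddress`.
std::ptrdiff_t Locate(uint32_t absAddress, const char* pattern) {
    return FindSignature(BuildSampleCode(absAddress), ParseSignature(pattern));
}

int main() {
    // Same code at its preferred base (global at 0x00412340) and after a
    // rebase of +0x0FC00000 (global at 0x10012340).
    const uint32_t kPreferred = 0x00412340u, kRebased = 0x10012340u;
    const char* const names[] = {"page", "brittle", "robust"};
    const char* const sigs[]  = {kPageSignature, kBrittleSignature, kRobustSignature};
    for (int n = 0; n < 3; ++n)
        std::printf("%-8s preferred=%td rebased=%td\n", names[n],
                    Locate(kPreferred, sigs[n]), Locate(kRebased, sigs[n]));
    return 0;
}
```

The page and robust signatures find the code at offset 8 in both images; the brittle one finds it only at the preferred base. The same rule applies to call and jmp targets that the linker fixes up, and to any immediate that holds a pointer: wildcard them, keep the opcode and ModRM bytes.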
Summary
Reversing programs on other platforms can follow the same method: pick a platform -> write a demo program -> get familiar with the flow -> find the target signature