Reverse Engineering: Analyzing Compiled OOP in Binaries

Source: opensecuritytraining.info

In C++, the this Pointer is a reference to the object that Methods act upon. This calling convention is commonly known as Thiscall. Understanding how to recognize the this pointer when reverse engineering object oriented code will is can aid in tracking objects and understanding the relationships between objects and their methods.

By convention, Microsoft Visual C++ compilers pass the this pointer to instance methods through the ECX register, and passes the rest of the parameters onto the stack in reverse order (like Stdcall).

The GCC compiler Thiscall is based on Cdecl; however, it pushes this onto the stack before the method call after all arguments have been pushed.

Some compilers, such as Borland and Watcom, reportedly store this in EAX. As always, these are conventions, and though exceptions to the rules exist, they are fairly reliable.


When a Class or Struct instance is created, a block of contiguous memory is created to store it’s object’s member variables. A pointer, commonly referred to as this, points to the base address of the structure.

Member access typically occurs as a two instruction sequence

  • The this pointer is stored in a register (e.g. ECX, ESI)
    1. The member is retrieved as an offset and stored

    mov ecx, [ebp + var_myobj]   ; Store the object pointer
    mov eax, [ecx + 0Ch]         ; Store the member 12 bytes from object base
    Access to these offsets within an object’s memory space can to give leads to its composition (and ultimately the Class/Struct definition). Note that often times some of the data that comprises an object may be other objects (perhaps of different classes) which are embedded. An object may also contain pointers to objects, arrays, function tables, or other data.


    The life of a Class/Struct instance begins with a Constructor and ends with a Destructor. Both of the special methods are optional; however, behind the scenes, there is generally some sort of initialization (perhaps with exceptions such as a global Struct instance).

    Constructor

    Destructor

    When developing Classes in C++, inheritance is used to define characteristics and functionality only once for functionality shared by several related classes. For example, the following could be base class for people:

    class Person {
    protected:
        char name[50];
    public:
        Person(char *_name) { strncpy(name, _name, 50); }
        virtual void work() {
            printf("%s moves some boxes\n", name);
        }
    };

    Here the Person class is defined with a single function which can be overridden any derived classes:

    class Novelist : public Person {
    public:
        Novelist(char *_name) : Person(_name) {}
        virtual void work() {
            printf("%s writes a book\n", name);
        }
    };

    A Novelist can be created using a Person pointer:

    Person *Chaucer = new Novelist((char*)"Geoffrey Chaucer");
    Chaucer->work();  // Will write "Geoffrey Chaucer writes a book\n" to STDOUT

    The initialization code for looks very similar to code for classes not using inheritance:



    Leave a Reply

    Fill in your details below or click an icon to log in:

    Gravatar
    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out /  Change )

    Google photo

    You are commenting using your Google account. Log Out /  Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out /  Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out /  Change )

    Cancel

    Connecting to %s