I am trying to hack into an exe to find the implementation of certain functions and perform actions in an injected dll. The exe is a sort of screen saver, and fortunately very simple, so it uses important strings to identify code sections.

My dilemma is that one of the functions, 'getaxis', is a virtual function. I know this thanks to the strings window and other telltale info on the string (Audioplayer.Tracklist::GetAxis) that I traced back to an rdata section.

.data:01E204B0 off_1E204B0     dd offset aAudioplayer_to ; DATA XREF: _call_vfuncr
.data:01E204B0                                         ; _call_vfunc+26r
.data:01E204B0                                         ; "Audioplayer.Tracklist::Internal_GetTrack"
...

Using IDA Pro I have successfully traced the very function call, but I am unable to find the actual virtual function implementation.

So here's my problem:

1- I am ignorant on the subject, being a newbie in disassembling: is there a way to actually find a virtual function's implementation? IDA clearly shows the various 'subs' in the "functions window", but there are a couple hundred functions in there, and I'm hoping there's a better way of finding a virtual function's declaration.

2- Is there any association between a sub name and a virtual function? I was unable to find any.

So how can I find the actual virtual function declaration in disassembled code? Is this possible at all?

Thanks.

1 Answer

Do you know what compiler/language was used to generate this program? I'm only familiar with how most C++ implementations generate vftables. "Knowing your enemy" is key to reverse engineering.

From the looks of it, those '_call_vfunc' functions may be some sort of implementation detail of some other language's compiler (say some random Pascal compiler, or whatever) which may have a need for retaining such metadata. call_vfunc may throw an error when a pure/nullptr entry is used in whatever they used for a vftable, hence the use of/reference to that string.

If call_vfunc is used to perform ALL virtual function calls, you could hook said function and log the vftable addresses it ends up using. Unless this is an overly complex screen saver, there shouldn't be too many vftables that are used. If IDAPython has any debugger APIs, you could possibly do all the logging via a Python script while debugging with IDA.

kornman00
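Once a table address and slot index have been logged as the answer suggests, the implementation is the pointer stored at that slot. The sketch below is an added example, not code from the original question or answer: it assumes a C++-style table, i.e. a flat array of 32-bit little-endian code pointers, and every address, range and function name in it is constructed for illustration.

```python
import struct

# Constructed sample: code mapped at 0x01A01000-0x01A02000 and a data blob
# loaded at 0x01E20000. None of these values come from the binary in the question.
TEXT_START, TEXT_END = 0x01A01000, 0x01A02000
DATA_BASE = 0x01E20000
DATA = (
    struct.pack("<4I", 0, 0x3F800000, 7, 0xFFFFFFFF)                      # plain data
    + struct.pack("<3I", 0x01A01010, 0x01A01140, 0x01A01230)              # table A
    + struct.pack("<3I", 0, 0x01A01500, 0)                                # lone code pointer
    + struct.pack("<4I", 0x01A01300, 0x01A01010, 0x01A01480, 0x01A01600)  # table B
    + struct.pack("<I", 0x12345678)
)

def is_code_ptr(value):
    """True when the dword points inside the (assumed) code range."""
    return TEXT_START <= value < TEXT_END

def find_table_candidates(data, base, min_slots=2):
    """Return {table_address: [slot pointers]} for runs of code pointers.

    Adjacent tables with no gap between them are reported as one run; a
    disassembler's cross-references are needed to split those.
    """
    tables, run_start, run = {}, None, []
    count = len(data) // 4
    for i in range(count + 1):          # one extra pass flushes a trailing run
        value = struct.unpack_from("<I", data, i * 4)[0] if i < count else None
        if value is not None and is_code_ptr(value):
            if not run:
                run_start = base + i * 4
            run.append(value)
        else:
            if len(run) >= min_slots:
                tables[run_start] = run
            run = []
    return tables

def resolve_slot(tables, table_addr, slot):
    """Map a logged (table address, slot index) pair to an implementation address."""
    entries = tables.get(table_addr)
    if entries is None or not 0 <= slot < len(entries):
        return None
    return entries[slot]

if __name__ == "__main__":
    for addr, slots in find_table_candidates(DATA, DATA_BASE).items():
        print(hex(addr), [hex(s) for s in slots])
```

If the dispatcher belongs to a non-C++ runtime, as the answer considers possible, the table layout may differ and the pointer-run heuristic has to be adapted to it.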