
IDA Pro, QT Nokia Library, dll call, what is it actually doing?

I have reversed a dll using IDA Pro. Looking at the pseudocode generated by IDA, I am interested in a set of calls into the QT library: is it trying to find the location of functions so that it can call them? I would like to try and repeat what is going on, but am a little confused by the code generated by IDA; can someone give me some pointers as to what is really necessary? I am especially interested in the use of 'this' when defining the function calls, as I am not really sure what it signifies. Thanks.

  int v2; // eax@10
  int v3; // eax@10
  char v12; // [sp+14h] [bp-368h]@10
  int v13; // [sp+20h] [bp-35Ch]@10

  ...
  v2 = sub_100010B3((int)&v12, "QtGui4.dll");
  v19 = sub_10001115((int)&v12, v2, "?rowsInserted@QListView@@MAEXABVQModelIndex@@HH@Z");
  Buf2 = -1;
  v21 = 21;
  v24 = (unsigned int)v19 >> 24;
  v23 = (unsigned int)v19 >> 16;
  v22 = v19;
  v3 = sub_100010B3((int)&v12, "QtCore4.dll");
  v13 = sub_10001115((int)&v12, v3, "?endInsertRows@QAbstractItemModel@@IAEXXZ");


int __thiscall sub_10001115(int this, int a1, const char *Str1)
{
  int v3; // eax@5
  int v5; // [sp+0h] [bp-10h]@1
  char v6; // [sp+4h] [bp-Ch]@4
  int *v7; // [sp+8h] [bp-8h]@1
  int v8; // [sp+Ch] [bp-4h]@1

  v5 = this;
  v7 = (int *)sub_10001470(this, *(_DWORD *)a1);
  v8 = 0;
  while ( *v7 )
  {
    if ( *v7 & 0x80000000 )
    {
      v6 = (*v7 & 0xFFFF) == (_DWORD)Str1;
    }
    else
    {
      v3 = sub_10001470(v5, *v7);
      v6 = stricmp(Str1, (const char *)(v3 + 2)) == 0;
    }
    if ( v6 )
      return sub_10001470(v5, *(_DWORD *)(a1 + 16)) + 4 * v8;
    ++v7;
    ++v8;
  }
  return 0;
}


int __thiscall sub_100010B3(int this, const char *Str1)
{
  int result; // eax@2
  int v3; // eax@4
  int v4; // [sp+0h] [bp-8h]@1
  int v5; // [sp+4h] [bp-4h]@1

  v4 = this;
  v5 = sub_10001090(this, 1);
  if ( v5 )
  {
    while ( *(_DWORD *)(v5 + 16) )
    {
      v3 = sub_10001470(v4, *(_DWORD *)(v5 + 12));
      if ( !stricmp(Str1, (const char *)v3) )
        return v5;
      v5 += 20;
    }
    result = 0;
  }
  else
  {
    result = 0;
  }
  return result;
}


int __thiscall sub_10001090(int this, int a2)
{
  return sub_10001470(this, *(_DWORD *)(*(_DWORD *)(this + 4) + 8 * a2 + 120));
}


int __thiscall sub_10001470(int this, int a2)
{
  int result; // eax@3

  if ( *(_DWORD *)(this + 8) && a2 )
    result = a2 + *(_DWORD *)(this + 8);
  else
    result = 0;
  return result;
}


It looks like it first looks up some DLL entry in a table which returns a structure that appears to have the list of functions provided by that DLL. It then looks in the Dll entry structure at the list of functions that are available, checking either by ordinal (where it treats Str1 as a DWORD) or by name (doing stricmp on Str1) and then probably returns the function pointer that it found.


It seems v12 is an instance of some class that does DLL lookups. sub_100010B3 seems to correspond roughly to LoadLibrary and sub_10001115 to GetProcAddress. "this" refers to the implicit "this" object instance pointer passed when calling C++ methods.

See my article and talk on how C++ works on the low level.
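Reading the offsets in the four routines against the documented 32-bit PE layout makes both answers above concrete. `this+4` holds a pointer to `IMAGE_NT_HEADERS` and `this+8` the image base; `sub_10001470` turns an RVA into a virtual address; `sub_10001090(this, 1)` fetches `DataDirectory[1]`, the import table, at `OptionalHeader+96` = `nt+120`; `sub_100010B3` walks 20-byte `IMAGE_IMPORT_DESCRIPTOR` entries, comparing the `Name` RVA at +12 until `FirstThunk` at +16 is zero; and `sub_10001115` walks that descriptor's `OriginalFirstThunk` array, testing the `0x80000000` ordinal flag or the string at `IMAGE_IMPORT_BY_NAME+2`, and returns `FirstThunk + 4*i`, the address of the IAT slot for that import, which at run time holds the resolved function pointer. The Python below is an added example, not code from the question or either answer: it builds a constructed, header-only 32-bit image in memory (the DLL and symbol names are taken from the pseudocode; the ordinal, hint values, the third symbol name and the `0x6A...` slot contents are made up) and re-implements the same walk, which is also what `dumpbin /imports` or an IAT-integrity check performs. The class and function names are my own.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1       # the a2 == 1 passed to sub_10001090
IMAGE_ORDINAL_FLAG32 = 0x80000000      # high bit of an INT entry: import by ordinal
SIZEOF_IMAGE_IMPORT_DESCRIPTOR = 20    # the `v5 += 20` stride


class MappedImage:
    """Stand-in for the object `this` points at: the pseudocode reads a pointer to
    IMAGE_NT_HEADERS at this+4 and the image base at this+8. `mem` is a constructed
    in-memory image laid out so that buffer offset == RVA."""

    def __init__(self, mem, image_base):
        self.mem = mem
        self.base = image_base                                                   # *(DWORD *)(this + 8)
        self.nt_headers = image_base + struct.unpack_from("<I", mem, 0x3C)[0]    # *(DWORD *)(this + 4)

    def read_u32(self, va):
        return struct.unpack_from("<I", self.mem, va - self.base)[0]

    def read_cstr(self, va):
        off = va - self.base
        return self.mem[off:self.mem.index(b"\0", off)].decode("ascii")


def rva_to_va(img, rva):                      # sub_10001470
    return img.base + rva if (img.base and rva) else 0


def data_directory(img, index):               # sub_10001090
    # IMAGE_NT_HEADERS32: Signature(4) + FileHeader(20) + OptionalHeader; DataDirectory sits
    # at OptionalHeader+96, i.e. nt+120, with 8-byte {VirtualAddress, Size} entries.
    return rva_to_va(img, img.read_u32(img.nt_headers + 120 + 8 * index))


def find_import_descriptor(img, dll_name):    # sub_100010B3
    desc = data_directory(img, IMAGE_DIRECTORY_ENTRY_IMPORT)
    if not desc:
        return 0
    while img.read_u32(desc + 16):            # FirstThunk == 0 marks the terminating descriptor
        name_va = rva_to_va(img, img.read_u32(desc + 12))   # Name RVA
        if img.read_cstr(name_va).lower() == dll_name.lower():   # stricmp
            return desc
        desc += SIZEOF_IMAGE_IMPORT_DESCRIPTOR
    return 0


def find_iat_slot(img, desc, target):         # sub_10001115
    """`target` is a str (import by name) or an int (import by ordinal), mirroring the
    pseudocode's reuse of Str1 as a DWORD. Returns the VA of the IAT slot, or 0."""
    thunk = rva_to_va(img, img.read_u32(desc + 0))   # OriginalFirstThunk: the import name table
    idx = 0
    while True:
        entry = img.read_u32(thunk)
        if entry == 0:
            return 0
        if entry & IMAGE_ORDINAL_FLAG32:
            hit = isinstance(target, int) and (entry & 0xFFFF) == target
        else:   # IMAGE_IMPORT_BY_NAME: WORD Hint, then the NUL-terminated name at +2
            hit = isinstance(target, str) and \
                img.read_cstr(rva_to_va(img, entry) + 2).lower() == target.lower()
        if hit:
            return rva_to_va(img, img.read_u32(desc + 16)) + 4 * idx   # FirstThunk + 4*i
        thunk += 4
        idx += 1


def build_constructed_image():
    """Constructed PE32 image as it looks once mapped: headers plus an import directory
    for QtGui4.dll and QtCore4.dll, no code. All values except the names are made up."""
    img = bytearray(0x500)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x14C)                     # FileHeader.Machine = i386
    struct.pack_into("<H", img, 0x58, 0x10B)                     # OptionalHeader.Magic = PE32
    struct.pack_into("<II", img, 0x40 + 120 + 8 * 1, 0x200, 0x3C)   # DataDirectory[IMPORT]
    for i, (oft, name, ft) in enumerate([(0x300, 0x400, 0x340), (0x380, 0x410, 0x3A0)]):
        struct.pack_into("<IIIII", img, 0x200 + 20 * i, oft, 0, 0, name, ft)   # descriptor i
    struct.pack_into("<IIII", img, 0x300, 0x420, IMAGE_ORDINAL_FLAG32 | 7, 0x480, 0)  # QtGui4 INT
    struct.pack_into("<IIII", img, 0x340, 0x6A000010, 0x6A000020, 0x6A000030, 0)    # QtGui4 IAT
    struct.pack_into("<II", img, 0x380, 0x4C0, 0)                                   # QtCore4 INT
    struct.pack_into("<II", img, 0x3A0, 0x6B000010, 0)                              # QtCore4 IAT

    def put_cstr(off, s):
        img[off:off + len(s) + 1] = s.encode("ascii") + b"\0"

    put_cstr(0x400, "QtGui4.dll")
    put_cstr(0x410, "QtCore4.dll")
    for off, hint, name in [(0x420, 1, "?rowsInserted@QListView@@MAEXABVQModelIndex@@HH@Z"),
                            (0x480, 2, "?constructedExample@Widget@@QAEXXZ"),
                            (0x4C0, 3, "?endInsertRows@QAbstractItemModel@@IAEXXZ")]:
        struct.pack_into("<H", img, off, hint)                   # IMAGE_IMPORT_BY_NAME.Hint
        put_cstr(off + 2, name)                                  # IMAGE_IMPORT_BY_NAME.Name
    return bytes(img)


if __name__ == "__main__":
    img = MappedImage(build_constructed_image(), 0x10000000)   # constructed image base
    for dll, sym in [("QtGui4.dll", "?rowsInserted@QListView@@MAEXABVQModelIndex@@HH@Z"),
                     ("QtGui4.dll", 7),
                     ("QtCore4.dll", "?endInsertRows@QAbstractItemModel@@IAEXXZ")]:
        desc = find_import_descriptor(img, dll)
        slot = find_iat_slot(img, desc, sym)
        print(f"{dll} descriptor @ {desc:#x}; {sym!r} IAT slot @ {slot:#x} -> {img.read_u32(slot):#x}")
```

Running it prints the descriptor and IAT slot found for each lookup. As in the pseudocode, both lookups are case-insensitive, `find_iat_slot` returns 0 when the symbol is not in the import name table, and the value read from the returned slot is whatever the loader (here, the constructed image) stored there, which is why the caller in the question splits `v19` into bytes rather than calling through it.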
