About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

 Forums >>  IDA Pro  >>  Please Help me

Topic created on: September 4, 2012 20:14 CDT by toss758 .

Oh! There is the forum for IDA!
I'm sorry, My english is poor.
Help me, please!
I have a file written with MFC to debug.
I opened it by IDA 5.x, but all routines is shown with "sub_40****" form.
I want the Runtime and MFC lib functions showing as it's standard name.
Help me, Give me, resolution method and ida plug-in, IDC file or scripts
Thank you

  waleedassar     September 5, 2012 08:54.05 CDT
Just try,

In IDA, press (Shift+f5), right click, and choose "Apply new signature". Apply something like "vc32mfc". This might work. There are many similar MFC signatures, also try them.

  toss758     September 6, 2012 11:49.42 CDT
Thank you very much!
OK! Name Found! But ATL function name not found
Teache me! What is this function name
I think this like ATL lib function
text:00403E30     sub_403E30      proc near               ; CODE XREF: sub_4020F0+CBp
.text:00403E30                                             ; sub_4020F0+109p ...
.text:00403E30
.text:00403E30     Src             = dword ptr  4
.text:00403E30     arg_4           = dword ptr  8
.text:00403E30
.text:00403E30 000                 push    ebp
.text:00403E31 004                 push    edi
.text:00403E32 008                 mov     edi, [esp+8+arg_4]
.text:00403E36 008                 mov     ebp, ecx
.text:00403E38 008                 test    edi, edi
.text:00403E3A 008                 jnz     short loc_403E46
.text:00403E3C 008                 call    ?Empty@?$CSimpleStringT@_W$0A@@ATL@@QAEXXZ ; ATL::CSimpleStringT<wchar_t,0>::Empty(void)
.text:00403E41 008                 pop     edi
.text:00403E42 004                 pop     ebp
.text:00403E43 000                 retn    8
.text:00403E46     ; ---------------------------------------------------------------------------
.text:00403E46
.text:00403E46     loc_403E46:                             ; CODE XREF: sub_403E30+Aj
.text:00403E46 008                 push    esi
.text:00403E47 00C                 mov     esi, [esp+0Ch+Src]
.text:00403E4B 00C                 test    esi, esi
.text:00403E4D 00C                 jnz     short loc_403E59
.text:00403E4F 00C                 push    80070057h
.text:00403E54 010                 call    ?AtlThrowImpl@ATL@@YGXJ@Z ; ATL::AtlThrowImpl(long)
.text:00403E59     ; ---------------------------------------------------------------------------
.text:00403E59
.text:00403E59     loc_403E59:                             ; CODE XREF: sub_403E30+1Dj
.text:00403E59 00C                 mov     eax, [ebp+0]
.text:00403E5C 00C                 mov     edx, [eax-8]
.text:00403E5F 00C                 mov     ecx, 1
.text:00403E64 00C                 sub     ecx, [eax-4]
.text:00403E67 00C                 sub     esi, eax
.text:00403E69 00C                 sub     edx, edi
.text:00403E6B 00C                 sar     esi, 1
.text:00403E6D 00C                 or      ecx, edx
.text:00403E6F 00C                 push    ebx
.text:00403E70 010                 mov     ebx, [eax-0Ch]
.text:00403E73 010                 jge     short loc_403E7D
.text:00403E75 010                 push    edi
.text:00403E76 014                 mov     ecx, ebp
.text:00403E78 014                 call    ?PrepareWrite2@?$CSimpleStringT@_W$0A@@ATL@@AAEXH@Z ; ATL::CSimpleStringT<wchar_t,0>::PrepareWrite2(int)
.text:00403E7D
.text:00403E7D     loc_403E7D:                             ; CODE XREF: sub_403E30+43j
.text:00403E7D 010                 mov     eax, [ebp+0]
.text:00403E80 010                 mov     edx, [eax-8]
.text:00403E83 010                 add     edx, edx
.text:00403E85 010                 cmp     esi, ebx
.text:00403E87 010                 lea     ebx, [edi+edi]
.text:00403E8A 010                 push    ebx             ; MaxCount
.text:00403E8B 014                 ja      short loc_403E9A
.text:00403E8D 014                 lea     ecx, [eax+esi*2]
.text:00403E90 014                 push    ecx             ; Src
.text:00403E91 018                 push    edx             ; DstSize
.text:00403E92 01C                 push    eax             ; Dst
.text:00403E93 020                 call    _memmove_s
.text:00403E98 020                 jmp     short loc_403EA6
.text:00403E9A     ; ---------------------------------------------------------------------------
.text:00403E9A
.text:00403E9A     loc_403E9A:                             ; CODE XREF: sub_403E30+5Bj
.text:00403E9A 014                 mov     ecx, [esp+14h+Src]
.text:00403E9E 014                 push    ecx             ; Src
.text:00403E9F 018                 push    edx             ; DstSize
.text:00403EA0 01C                 push    eax             ; Dst
.text:00403EA1 020                 call    _memcpy_s
.text:00403EA6
.text:00403EA6     loc_403EA6:                             ; CODE XREF: sub_403E30+68j
.text:00403EA6 020                 add     esp, 10h
.text:00403EA9 010                 test    edi, edi
.text:00403EAB 010                 jl      short loc_403EC8
.text:00403EAD 010                 mov     eax, [ebp+0]
.text:00403EB0 010                 cmp     edi, [eax-8]
.text:00403EB3 010                 jg      short loc_403EC8
.text:00403EB5 010                 mov     [eax-0Ch], edi
.text:00403EB8 010                 mov     eax, [ebp+0]
.text:00403EBB 010                 xor     ecx, ecx
.text:00403EBD 010                 mov     [ebx+eax], cx
.text:00403EC1 010                 pop     ebx
.text:00403EC2 00C                 pop     esi
.text:00403EC3 008                 pop     edi
.text:00403EC4 004                 pop     ebp
.text:00403EC5 000                 retn    8
.text:00403EC8     ; ---------------------------------------------------------------------------
.text:00403EC8
.text:00403EC8     loc_403EC8:                             ; CODE XREF: sub_403E30+7Bj
.text:00403EC8                                             ; sub_403E30+83j
.text:00403EC8 010                 push    80070057h
.text:00403ECD 014                 call    ?AtlThrowImpl@ATL@@YGXJ@Z ; ATL::AtlThrowImpl(long)
.text:00403ECD     sub_403E30      endp

  waleedassar     September 6, 2012 13:36.19 CDT
As far as i understand, you need to demangle names, right?

"Options" menu ---> "Demangled names". "Show demangled C++ names as:"----> Choose "names".

  TQN     September 14, 2012 19:10.20 CDT
This is CString::operaor= function.

Note: Registration is required to post to the forums.

There are 31,320 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...
djnemo on:
Nov/17
Kernel debugger vs user mod...
acel on:
Nov/14
Kernel debugger vs user mod...
pedram on:
Dec/21
frida.github.io: scriptable...
capadleman on:
Jun/19
Using NtCreateThreadEx for ...
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit