Reversing Some C++ Io Operations

In general decompilers are not friendly with c++ let's analyse a simple program to get familiar with it.
Let's implement a simple code that loads a file into a vector and then save the vector with following functions:

  • err
  • load
  • save
  • main


Lets identify the typical way in C++ to print to stdout with the operator "<<"


The basic_ostream is initialized writing the word "error" to the cout, and then the operator<< again to add the endl.




The Main function simply calls  "vec = load(filename)"  but the compiler modified it and passed the vector pointer as a parámeter. Then it bulds and prints "loaded  " << size << " users".
And finally saves the vector to /tmp/pwd and print "saved".
Most of the mess is basically the operator "<<" to concat and print values.
Also note that the vectors and strings are automatically deallocated when exit the function.


And here is the code:


Let's take a look to the load function, which iterates the ifs.getline() and push to the vector.
First of all there is a mess on the function definition, __return_storage_ptr is the vector.
the ifstream object ifs is initialized as a basic_ifstream and then operator! checks if it wasn't possible to open the file and in that case calls err()
We see the memset and a loop, getline read a cstr like line from the file, and then is converted to a string before pushing it to the vector. lVar1 is the stack canary value.

In this situations dont obfuscate with the vector pointer vec initialization at the begining, in this case the logic is quite clear.



The function save is a bit more tricky, but it's no more than a vector iteration and ofs writing.
Looping a simple "for (auto s : *vec)" in the decompiler is quite dense, but we can see clearly two write, the second write DAT_0010400b is a "\n"



As we see, save implememtation is quite straightforward.




More info

Sem comentários:

Enviar um comentário

Subscrever: Enviar feedback (Atom)