Reverse Engineer a C++ implementation

Posted on 2011-02-20
Last Modified: 2012-05-11
If you were given a large and complex multi-threaded C++ implementation and asked to come up with a detailed design document for the same, I would like to know how you would go about doing this.

I am in a somewhat similar situation and am not allowed to use any external tools other than Microsoft Visual Studio 2008. I am thinking of a strategy to start and finish with.
Question by:sukhoi35
  • 2
  • 2
  • 2
  • +3

Assisted Solution

HawyLem earned 50 total points
ID: 34936908
That's just what you need.

heavy multithreaded is not synonymous with "Undebuggable", you can breakpoint into the thread's routines and if you have doubts about who called that, look at the call stack window VS provides you.

Having source code, symbols and VS makes your debugging very easy. You just need a lot of patience
LVL 37

Expert Comment

ID: 34937333
I assume you do not have the source code? Unless you want to learn assembler, the only way to do reverse engineering is to observe and test test test.

Play with the application and see what it does, then make testable assumptions about the design. Then test them.

By "no external tools" does that mean you can't use programs similar to task manager to see the processes and threads that spawn?

Expert Comment

ID: 34937440
Wait.. no source code makes VS not the best tool. I would suggest OllyDbg or IDA pro.

But watch out for legal issues, you may have not the permission to disassemble the code.

If the application belongs to your society and you have the right to disasm it, then open it up with a debugger and use breakpoints (software or hardware) to step in the right function. Threads should not be a problem since debuggers let you break in every routine you need.

Author Comment

ID: 34937776
Hello Experts,
Thanks for your responses. I am sorry if the details I provided does not clear whether the source code is avaialbe or not with me. Yes, I do have the full source code which is in C++. My only worry is it is a complex architecture. So, was wondering should I just start at the entry point and walk-through the code method by method or is there any other better approach to the task.

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

LVL 37

Assisted Solution

TommySzalapski earned 100 total points
ID: 34939160
My suggestion would be to find the places where new threads spawn and put breakpoints there (after) so that you can catch both. Otherwise new threads will run in the background and you won't have control.
Stepping line by line is good if it works. Often it takes many lines to get to where you need to be so it might take a very long time. If you are running the code in VS (in debug mode) you can hit the 'break' button on the keyboard at any time and it will stop and you can do line-by-line from there. (might be ctrl+break).
LVL 33

Assisted Solution

sarabande earned 50 total points
ID: 34941961
if it is console application (has function main or tmain) i would go topdown from that inspecting any class type used and function called.

for a gui app based on a framework like mfc or qt you firstly should get familiar with that framework before examining specialization.

you could use tools like doxygen which would give good overview charts of what is going on.


Accepted Solution

JimBeveridge earned 300 total points
ID: 34954263
The strategy is that you find the "core" of the system to start with, then start moving outward. You can expect to find something like:

- Init app
- Run main loop (gui) or dispatcher (service)
- Shutdown

Start by documenting these pieces to get your baseline, then research more of the system, piece by piece, and document what you find for each piece.

In a heavily-multithreaded app, the dispatcher is generally handled by Windows in the form of an I/O completion port managing a thread pool.

Now you want to find everything that raises an event (hands something to the dispatcher) and then everything that processes an event (is called by the dispatcher.) Document each of these in turn.

The entire point is to break up your research into manageable chunks that can be researched individually. If you try to attack the entire thing as a whole, you'll drown in data.
LVL 11

Expert Comment

ID: 34955142

If logging mechanism is not there then I would suggest you to add some log messages (which writes to a file and print the thread id also inside - to know which thread called which function) in each and every functions. This might be time consuming but it will get you understand the code/functionality very fast. My 2 cents :)


Author Closing Comment

ID: 34969901
Thank You Very Much!

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
static class 3 61
method argument as final 1 74
Eclipse IDE - Cannot copy/paste from console output 8 132
Why isn't object file created? 6 42
Introduction This article explores the design of a cache system that can improve the performance of a web site or web application.  The assumption is that the web site has many more “read” operations than “write” operations (this is commonly the ca…
"Disruption" is the most feared word for C-level executives these days. They agonize over their industry being disturbed by another player - most likely by startups.
The viewer will learn how to use NetBeans IDE 8.0 for Windows to connect to a MySQL database. Open Services Panel: Create a new connection using New Connection Wizard: Create a test database called eetutorial: Create a new test tabel called ee…
The viewer will learn how to user default arguments when defining functions. This method of defining functions will be contrasted with the non-default-argument of defining functions.

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now