Is there any way to restore struct by reverse engineering. Pointer to that struct is returned by the only function for export inside DLL

Question

Kinda... i have an DLL, that exports the only single function CreateInterface
From disassembled and then decompiled code:

int __cdecl CreateInterface(const char *a1, int a2)
{
//many crazy things
}

here it have a return type as int, but actually it's a pointer to some structure. from a main exe this lib is loaded and then used that way:

int (__stdcall *__cdecl Sys_GetFactory(int (__stdcall *hModule)()))()
{
  int (__stdcall *result)(); // eax@1

  result = hModule;
  if ( hModule )
    result = GetProcAddress(hModule, "CreateInterface");
  return result;
}

void some_funct()
{
    FARPROC net_interface =  Sys_GetFactory(pModule);
    int s_pClientNet = ((int (__cdecl *)(_DWORD, _DWORD))net_interface)("INetClient_003", 0);
}

and after being initialized it used that way:

 int result = (*(int (__stdcall **)(int, int, int, int))(*(_DWORD *)s_pClientNet + 60))(
                 login,
                 password,
                 mw_account_struct,
                 mw_account_struct_size);

so.. back to struct. Anyway to restore it, istead of calling needed functions by so crazy way? i mean (s_pClientNet + 60)

P.S. for sure i don't have dll sources, def file and etc. and don't have even idea what functions can be in target class / struct... the only thing i know it's some calls to that functions like that s_pClientNet + 60

Answer 1

Hmm, this looks like it might be a C++ class. There's an extra level of indirection, and I bet it's a vtable. s_pClientNet is definitely a pointer, but the +60 happens after dereferencing it. vpointers are usually the first element in the class, so that's more evidence. It's going to be basically impossible to recreate a C++ class that compiles to the same layout, unless you get really lucky. But you could manage some pieces manually.

typedef int(*login_fcn_t)(int, int, int, int);

struct ClientInterfaceVtable
{
    _DWORD reserved[60];
    login_fcn_t login_fcn;
};

struct ClientInterface
{
    ClientInterfaceVtable *vpointer;
    /// other fields
};

Now, after casting your s_pClientNet to a ClientInterface *, you should be able to invoke the login method via s_pClientNet->vpointer->login_fcn(login, etc.);

After you discover a few more fields, you could always try to create a polymorphic C++ class and see if you can push definitions around until you get a match, but that won't be portable.

Edit:

Hmm, I just realized the code isn't passing the this pointer. If I'm not completely wrong about the vtable, then that suggests this is a static method, perhaps a factory method of some sort.

Answer 2

It's rather difficult to impossible, AFAIK there's no guarantee regarding the layout and alignment of struct, so each compiler may layout the struct differently. Even the same compiler may have different data layouting through modifiers and/or compiler option.

Answer 3

I don't know of any way to automatically identify the struct, however if you are using IDA, you may be able to define the structure inside of IDA and then change the call signature to explicitly use it (changing the return value to that struct type and forcing re-analysis).

This may help you quicker analyse the structure and understand the program behavior, but ultimately it will be mostly manual analysis.

There may be some scripts for IDA/OllyDbg which can help with this, so it might be worth glancing over http://www.openrce.org/downloads/