Reverse Engineering Asked by H Bellamy on June 24, 2021
I have an exe with symbols stripped that I am trying to reverse engineer. I know the library is linked with MFC but I don’t know which version. (Therefore, I can’t use something like FLIRT signatures etc. to import known symbols and help reverse engineering).
Is there a way to deduce the version of MFC statically linked into an exe from the exe itself?
I have tried some trial and error approaches but really it caused a lot of trouble as some symbols matched and others didn't. I'm looking for a tried and tested way – is something embedded in the metadata of an exe?
All statically linked MFC binaries I've seen always include strings for some internal classes. The naming convention can be found in afximpl.h:
#define AFX_WNDCLASS(s) \
    _T("Afx") _T(s) _T(_MFC_FILENAME_VER) _STATIC_SUFFIX _UNICODE_SUFFIX _DEBUG_SUFFIX
#define AFX_WND AFX_WNDCLASS("Wnd")
#define AFX_WNDCONTROLBAR AFX_WNDCLASS("ControlBar")
#define AFX_WNDMDIFRAME AFX_WNDCLASS("MDIFrame")
#define AFX_WNDFRAMEORVIEW AFX_WNDCLASS("FrameOrView")
#define AFX_WNDOLECONTROL AFX_WNDCLASS("OleControl")
So, for example, AfxWnd100s means that the program has been compiled with the static release MFC 10.0 library while AfxWnd140sd will be present in the static debug build of MFC 14.0 (VS2015). The string will be in Unicode (UTF-16) and with the u suffix for Unicode builds (e.g. AfxWnd140sud).
Answered by Igor Skochinsky on June 24, 2021
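As an added example that is not part of the answer above, the following Python script applies the afximpl.h naming convention to a file's raw bytes: it searches for "Afx" + class name + version + optional s/u/d suffixes in both ASCII and UTF-16LE form (at both byte alignments, since the Unicode strings need not sit at an even offset), then decodes the MFC version and build flavour. The two sample blobs are constructed stand-ins for .rdata slices, not real executables, and the table mapping version numbers to Visual Studio releases is added here (the answer only states that 14.0 is VS2015).

```python
"""Scan a statically linked MFC binary for the AfxWnd<ver><flags> window-class
strings and decode the MFC version and build flavour from them."""
import re
import sys
from collections import Counter

# Naming convention from afximpl.h:
#   "Afx" + class + _MFC_FILENAME_VER + [s] + [u] + [d]
# where s = static link, u = Unicode build, d = debug build.
_CLASS_NAMES = ("Wnd", "ControlBar", "MDIFrame", "FrameOrView", "OleControl")
_AFX_RE = re.compile(
    r"Afx(?P<cls>" + "|".join(_CLASS_NAMES) + r")"
    r"(?P<ver>\d{2,3})(?P<flags>s?u?d?)(?![A-Za-z0-9])"
)

# Well-known _MFC_FILENAME_VER values and the toolsets that produced them
# (added here as reference data; the answer only names 14.0 = VS2015).
_VS_RELEASE = {
    "42": "MFC 4.2 (VC++ 4.2 through 6.0)",
    "70": "VS .NET 2002",
    "71": "VS .NET 2003",
    "80": "VS 2005",
    "90": "VS 2008",
    "100": "VS 2010",
    "110": "VS 2012",
    "120": "VS 2013",
    "140": "VS 2015 or later (14.x toolsets keep the 140 name)",
}


def _decodings(data: bytes):
    """Yield (label, text) views of the bytes: one 8-bit view for ANSI builds
    and both UTF-16LE alignments so odd-offset Unicode strings are not missed."""
    yield "ascii", data.decode("latin-1")
    for offset in (0, 1):
        yield "utf-16-le", data[offset:].decode("utf-16-le", errors="replace")


def find_afx_classes(data: bytes):
    """Return every distinct (class, version, flags, encoding) tuple found."""
    found = set()
    for label, text in _decodings(data):
        for m in _AFX_RE.finditer(text):
            found.add((m.group("cls"), m.group("ver"), m.group("flags"), label))
    return sorted(found)


def mfc_version(data: bytes):
    """Summarise the MFC build linked into `data`, or None if no marker is found."""
    hits = find_afx_classes(data)
    if not hits:
        return None
    # Majority vote over (version, flags); a sane binary agrees on one pair.
    (ver, flags), _count = Counter((h[1], h[2]) for h in hits).most_common(1)[0]
    return {
        "version": f"{int(ver) / 10:.1f}",          # "140" -> "14.0", "42" -> "4.2"
        "visual_studio": _VS_RELEASE.get(ver, "unknown"),
        "static": "s" in flags,
        "unicode": "u" in flags,
        "debug": "d" in flags,
        "classes": sorted({h[0] for h in hits}),
        "ambiguous": len({(h[1], h[2]) for h in hits}) > 1,  # mixed markers seen
    }


# Constructed sample blobs (not real binaries): a Unicode static debug MFC 14.0
# build with its strings at an odd offset, and an ANSI static release MFC 10.0 build.
SAMPLE_UNICODE_DEBUG = (
    b"\x00" * 7
    + "AfxWnd140sud".encode("utf-16-le") + b"\x00\x00"
    + "AfxControlBar140sud".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 16
)
SAMPLE_ANSI_RELEASE = (
    b"MZ\x90\x00" + b"\x00" * 12 + b"AfxWnd100s\x00AfxMDIFrame100s\x00"
)

if __name__ == "__main__":
    # Usage: python mfc_version.py <file.exe>; with no argument, scan the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(mfc_version(fh.read()))
    else:
        for blob in (SAMPLE_UNICODE_DEBUG, SAMPLE_ANSI_RELEASE):
            print(mfc_version(blob))
```

On a real executable, scanning the whole file is the simplest approach; the markers normally live in .rdata, and a result with `ambiguous` set means the binary carries markers from more than one version or flavour and deserves a closer look before any signature set is chosen.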