Author Topic: Help with C++ Class interpretation  (Read 2360 times)

guga

Help with C++ Class interpretation
« on: August 13, 2014, 01:08:14 PM »
Hi guys

I need a bit of help to understand a C++ class.

For example, in a pdb file I found this as a public symbol for Windows7 (wmp_notestroot.pdb):

Code:
public: virtual long __stdcall ATL::IDispatchImpl<struct IWMPPlaylistCollection,&struct __s_GUID const _GUID_10a13217_23a7_439b_b1c0_d847c79b7774,&struct __s_GUID const _GUID_6bf52a50_394a_11d3_b153_00c04f79faa6,1,0,class ATL::CComTypeInfoHolder>::GetTypeInfo(unsigned int,unsigned long,struct ITypeInfo * *)
The whole size of this chunk is 28 bytes, which seems to be a structure of some sort.

The question is... is this really a structure?

If it is, how can it be interpreted in Masm (or RosAsm, or even in plain C Win API)?

Also... are all the "public: virtual XXXXXXX" structures, or are they, in fact, only code chunks? If it is a code chunk, then how to know the total number of parameters it has?

I'm asking this because the pdb parser is now able to parse and rip from PublicSymbols some known global static data (Float, Real, Guids), and I'm trying to identify all public symbols that are really code or data (of any kind, such as a structure, int, int64, etc.).

The pdb parser can now identify Ascii, Unicode, Global Data (some of them, such as Float, Real (double), Guids), Delay Load Helper functions, IAT pointers, stdcall functions, cdecl functions, fastcall functions, and the parameter count of some simplistic functions (the ones where the MSDia, PdbHelper and msvcrt unmangle functions failed).

I'm asking this because: why does the above example seem to be a structure (data), while this one below is code 10 bytes long?
Code:
[thunk]:public: virtual unsigned long __stdcall ATL::CComObject<class CIWMPCdromCollectionSecurityWrapper>::AddRef`adjustor{12}' (void)
Does it mean that all "[thunk]" are related to a code chunk?

If it is, then... why is this code (195 bytes)?

Code:
public: virtual long __thiscall CWMPSyncPageRaze::Apply(void)


Also... another question... I found some pch mangled names that seem to be an encoding of a path?
http://www.vxdev.com/docs/vx55man/diab5.0ppc/c-featur.htm
Code:
PublicSymbolErr|0:0|0x00000000|4:0x0003945C|56|125:___@@_PchSym_@00@UdHignOlyqOcIGuivUnfogrnvwrzUwnwUxivhxvmgUdnkUwveUoryizibUmznvhkzxvUlyquivUrDIGUdnkkxsOlyq@libraryNamespace|Unmangling Error|1313
Code:
PublicSymbolErr|0:0|0x00000000|4:0x00037C88|56|119:___@@_PchSym_@00@UdHignOlyqOcIGuivUnfogrnvwrzUwnwUxivhxvmgUdnkUwveUdnkfrUkilkkztvUlyquivUrDIGUdnkkxsOlyq@PropertyPages|Unmangling Error|3031
Does anyone have any clue how to decode a pch file? Or even... how to encode it, because if I am able to encode a pch file to generate this pchsym, I can try to see how it is done to properly decode it.
Coding in Assembly requires a mix of:
80% of brain, passion, intuition, creativity
10% of programming skills
10% of alcoholic levels in your blood.

My Code Sites:
http://rosasm.freeforums.org
http://winasm.tripod.com

qWord

Re: Help with C++ Class interpretation
« Reply #1 on: August 13, 2014, 03:45:57 PM »
Code:
public: virtual long __stdcall ATL::IDispatchImpl<struct IWMPPlaylistCollection,&struct __s_GUID const _GUID_10a13217_23a7_439b_b1c0_d847c79b7774,&struct __s_GUID const _GUID_6bf52a50_394a_11d3_b153_00c04f79faa6,1,0,class ATL::CComTypeInfoHolder>::GetTypeInfo(unsigned int,unsigned long,struct ITypeInfo * *)
In the context of PDB files, I assume this symbol represents the definition of a virtual member function (GetTypeInfo) of a template class (ATL::IDispatchImpl<T,...>). The class template is described at MSDN.

Code:
[thunk]:public: virtual unsigned long __stdcall ATL::CComObject<class CIWMPCdromCollectionSecurityWrapper>::AddRef`adjustor{12}' (void)
These adjustors occur in COM objects with multiple interfaces. I guess there is a short piece of code that adjusts the this-pointer (by +-12) and then jumps/calls to the method implementation of another interface.

why is this code (195 bytes)?
Code:
public: virtual long __thiscall CWMPSyncPageRaze::Apply(void)
Also a definition of a member function.
MREAL macros - when you need floating point arithmetic while assembling!

guga

Re: Help with C++ Class interpretation
« Reply #2 on: August 13, 2014, 06:47:48 PM »
Many tks qword.

About the pch file, I succeeded in decoding it. It was a bit of a pain to find out where this was stored, but the encoding algo is inside c1.dll in the Visual Studio bin directory (the same as cl.exe). The encoding is formed with a reversed table like this:

[RegularAscii: B$ "abcdefghijklmnopqrstuvwxyz0123456789$ :/._+-()\", 0]
[PCH_Reversed: B$ "zyxwvutsrqponmlkjihgfedcbaABCDEFGHIJKLMNOPQRSTU", 0]

This is simply a reversed table where "z" = "a", "y" = "b" and so on.

A decoder for this table is:

Code:

[PCH_CAPS_TBL: B$ "0123456789$ :/._+-()\", 0]

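Proc DecodePCHString:
    Arguments @Input, @Output
    Uses esi, edi

    mov edi D@Input     ; edi = encoded source string
    mov esi D@Output    ; esi = destination buffer
    xor eax eax
    .While B$edi <> 0

        ..If_And B$edi >= 'a', B$edi <= 'z'
            ; 0DB = 'a' + 'z', so 0DB - char mirrors the lowercase alphabet
            mov al 0DB | sub al B$edi
            mov B$esi al
            inc esi
        ..Else_If_And B$edi >= 'A', B$edi <= 'U'
            ; 'A'..'U' index into the digits/punctuation table
            mov al B$edi | sub al 'A' | movzx eax B$PCH_CAPS_TBL+eax
            mov B$esi al
            inc esi
        ..Else
            ; any other character is not part of the encoding: return FALSE
            xor eax eax | ExitP
        ..End_If
        inc edi
    .End_While
    ; no terminator is written; the caller passes a zero-filled buffer
    mov eax &TRUE

EndP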

Example of usage:

Code:
[FilePath: B$ "UdHignOlyqOcIGuivUnfogrnvwrzUwnwUxivhxvmgUdnkUwveUoryizibUmznvhkzxvUlyquivUrDIGUdnkkxsOlyq", 0]
[OutBuff: B$ 0 #1311]

call DecodePCHString FilePath, OutBuff

Btw, a pch file has a maximum length of 778 bytes during compiling in Visual Studio. So the path has a limit of 778 bytes. Also, it seems to include .obj files as well, which I presume could be compiled with the "/Z7" Debugging Option as stated in: http://msdn.microsoft.com/en-us/library/aa984840%28v=vs.71%29.aspx
Also, it is an indication that the file uses stdafx.h
http://stackoverflow.com/questions/6650709/precompiled-header-and-visual-studio
http://www.ogre3d.org/tikiwiki/tiki-index.php?page=precompiled+headers
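
Added example, not part of the original posts and not code from guga's parser: the table decoding from Reply #2 written in C, extended to take a whole public symbol and split off the encoded path and the trailing name. The function names are hypothetical, and the symbol layout `___@@_PchSym_@00@<encoded>@<name>` is an assumption taken from the two PublicSymbolErr lines in the thread.

```c
#include <stdio.h>
#include <string.h>

/* What 'A'..'U' stand for, in the order of the table posted in the thread. */
static const char PCH_CAPS[] = "0123456789$ :/._+-()\\";

/* Decode n encoded characters into out. Returns the decoded length, or -1
   on a character outside a-z / A-U or when out (cap bytes) is too small. */
static int pch_decode(const char *in, size_t n, char *out, size_t cap)
{
    size_t i;
    if (n + 1 > cap) return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c >= 'a' && c <= 'z')      out[i] = (char)('a' + 'z' - c);
        else if (c >= 'A' && c <= 'U') out[i] = PCH_CAPS[c - 'A'];
        else return -1;
    }
    out[n] = '\0';
    return (int)n;
}

/* Hypothetical helper: split "..._PchSym_@00@<encoded>@<name>" (layout
   assumed from the two symbols in the thread) and decode <encoded>. */
int pchsym_decode(const char *sym, char *path, size_t cap, const char **name)
{
    static const char TAG[] = "_PchSym_@";
    const char *p = strstr(sym, TAG), *end;
    if (!p) return -1;
    p = strchr(p + sizeof TAG - 1, '@');   /* skip the "00" field */
    if (!p) return -1;
    end = strchr(++p, '@');                /* encoded run stops at next '@' */
    if (!end) return -1;
    if (name) *name = end + 1;
    return pch_decode(p, (size_t)(end - p), path, cap);
}

int main(void)
{
    /* First PublicSymbolErr symbol quoted in the thread. */
    const char *sym = "___@@_PchSym_@00@UdHignOlyqOcIGuivUnfogrnvwrzUwnwUxivhxvmgUdnkUwveUoryizibUmznvhkzxvUlyquivUrDIGUdnkkxsOlyq@libraryNamespace";
    char path[1024];
    const char *name;
    if (pchsym_decode(sym, path, sizeof path, &name) < 0) return 1;
    printf("%s -> %s\n", name, path);
    return 0;
}
```

Unlike the RosAsm routine, this version terminates the output itself and rejects an output buffer that is too small, so it does not depend on the caller zero-filling the buffer.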