[Tutorial] Reverse Engineering C++ Programs: NyxLauncher.exe (Work-In-Progress)

If you can't read x86 assembly, you should turn back now.

This is an introduction to reverse engineering using Gunbound as an example. The file I'm analyzing in this tutorial is NyxLauncher.exe (1,126,400 bytes, 1100 KiB, SHA1: 242c4c9e7f004088e6252ae12060b8738f39d9f5) from GunBound_GIS_S2_120731_Ver1068.exe (497,546,464 bytes, 474 MiB, SHA1: 66cd0efd8ed30ffa0f39dd901fe270ea3aa11d3b). This was the latest version I could get my hands on, as I can't access MEGA.nz.

This tutorial is a work-in-progress.

Recommended knowledge before reading this tutorial:

  • C and C++ programming basics
  • Win32 programming basics

Tools required to follow along:

  • IDA, for easier disassembly; the latest version at the time of writing is v8.3.
  • Virtualization (VM) software to host old software. (I use )
  • Windows XP/2000 iso to install guest OS in a VM. (I use Windows 2000)
  • Visual Studio .NET 2003 to compile old software; I'll explain why this particular version later.
This particular version of Gunbound (v1068) was probably developed on Windows XP, as can be seen in Gunbound.log, but I use Win 2000 for now as it requires less space and still works. You can find .iso downloads for both the OS and VS on archive.org (which I can't access either), but I got mine elsewhere. Wherever you download an .iso file from, verify its hash (usually SHA1 for old OS images) against a known-good value published online before you install it.

Optional tools:
- , a great tool in general; I use it for checking file hashes and for unpacking .zip files for my guest OS, as Windows 2000 doesn't support .zip files natively.
- A newer Visual Studio version, mainly to get dumpbin.exe, though .NET 2003 also comes with it. (I'm using the 2022 version on my host OS, Windows 10.)

Side note: You don't strictly need to install these tools inside a VM, but I do it to keep my host OS from getting messed up. It's also easier to take snapshots/backups to revert to if things go wrong, and you can isolate the guest OS from the internet.

I won't go over the installation of all the tools required.

Step 1. Determine the compiler and language used to create the executable.

Open NyxLauncher.exe in IDA with the default options. After the autoanalysis completes, you should see something like this:
(Screenshot 1)
Follow the jmp instruction to see this:
(Screenshot 2)

If you look up the three functions (AfxGetThread, AfxGetModuleState, AfxWinInit) I've underlined in red, you'll find that they are MFC functions, so we know that this file was written with the MFC library that ships with Visual C++.

In the HEADER segment in IDA, you should find the following, which tells us the linker version used, 7.10:
Code:
HEADER:00400140 ; IMAGE_OPTIONAL_HEADER
HEADER:00400140                 dw 10Bh                 ; Magic number
HEADER:00400142                 db 7                    ; Major linker version
HEADER:00400143                 db 0Ah                  ; Minor linker version
To get the compiler version, look up the full table online or use the partial table I've pasted below. The linker version is in parentheses next to the Visual Studio version; _MSC_VER is the compiler version macro. For our purposes we only need to know that linker version 7.10 corresponds to VS .NET 2003.
Code:
Visual Studio version          _MSC_VER
Visual Studio 6.0              1200
Visual Studio .NET 2002 (7.0)  1300
Visual Studio .NET 2003 (7.1)  1310
Visual Studio 2005 (8.0)       1400
To check if this is true, I run link.exe from cmd within the VM. The first line of output gives the linker version:
Code:
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7>link.exe
Microsoft (R) Incremental Linker Version 7.10.6030
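As an added example (this is not code from the original post), the script below reads the same fields from the PE header that the IDA listing above shows: the optional-header magic, the major/minor linker version, and the COFF TimeDateStamp, and maps the linker version to the Visual Studio release using the table above. It is run against a constructed minimal PE32 header rather than NyxLauncher.exe; the sample's timestamp is set to the build date the real file carries (Wed Mar 21 09:05:24 2012) so the output can be compared with the post.

```python
import datetime
import struct

# Linker major/minor version -> (Visual Studio release, _MSC_VER).
# Partial table, as on the page; extend it for other toolchains.
LINKER_TO_VS = {
    (6, 0): ("Visual Studio 6.0", 1200),
    (7, 0): ("Visual Studio .NET 2002", 1300),
    (7, 10): ("Visual Studio .NET 2003", 1310),
    (8, 0): ("Visual Studio 2005", 1400),
}

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def parse_pe_header(data):
    """Return the COFF/optional-header fields useful for toolchain identification.

    Only the headers are read, so the first few KiB of the file are enough.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")

    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 4:
        raise ValueError("optional header too small")

    # IMAGE_OPTIONAL_HEADER begins with Magic (u16), MajorLinkerVersion (u8),
    # MinorLinkerVersion (u8); these first bytes are laid out the same for
    # PE32 and PE32+.
    opt = coff + 20
    magic, major, minor = struct.unpack_from("<HBB", data, opt)
    if magic not in (IMAGE_NT_OPTIONAL_HDR32_MAGIC, IMAGE_NT_OPTIONAL_HDR64_MAGIC):
        raise ValueError("unexpected optional header magic 0x%X" % magic)

    vs_name, msc_ver = LINKER_TO_VS.get((major, minor), ("unknown", None))
    built = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    return {
        "machine": machine,
        "sections": nsections,
        "pe32plus": magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
        "linker": "%d.%02d" % (major, minor),
        "visual_studio": vs_name,
        "msc_ver": msc_ver,
        "timestamp": built.strftime("%a %b %d %H:%M:%S %Y"),
    }


def build_sample_header(major=7, minor=10, timestamp=1332320724):
    """Constructed minimal PE32 header for the example; not bytes from NyxLauncher.exe.

    The default timestamp is 2012-03-21 09:05:24 UTC, the build date reported for
    the real file. Fields this script does not read are left zero.
    """
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew: NT headers at 0x80
    stub = bytes(0x80 - 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 4, timestamp, 0, 0, 0xE0, 0x10F)
    optional = struct.pack("<HBB", 0x10B, major, minor) + bytes(0xE0 - 4)
    return bytes(dos) + stub + b"PE\0\0" + coff + optional


if __name__ == "__main__":
    # To run it on a real file: parse_pe_header(open(path, "rb").read(4096))
    info = parse_pe_header(build_sample_header())
    for key, value in info.items():
        print("%-14s %s" % (key, value))
```

The linker version is a hint, not proof: it is written by the linker, so a binary built with an older compiler and a newer linker (or vice versa) will mislead it, and packers and some protectors rewrite the optional header entirely. Treat it as one signal to confirm with the runtime and MFC function signatures, as the post does with link.exe and the MFC imports.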

Visual Studio ships with the source code for MFC, the C Runtime (CRT) and the C++ standard library; they are located in "Vc7\atlmfc" and "Vc7\crt".
These are useful for identifying functions that IDA doesn't recognize, which is why I listed VS .NET 2003 as a required tool.
We can also compile our own source code while analyzing the file to check that we are on the right path, as some C++ classes can be very tricky to navigate from the disassembly alone.

About DUMPBIN.exe

dumpbin.exe comes with Visual Studio; here's how to run it:
  • Visual Studio 2022 comes with "x64 Native Tools Command Prompt for VS 2022". This sets up the required environment for command-line access to the tools, so you don't have to mess with your environment variables.
    • If you just want to use cmd, you have to navigate to somewhere like "Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.XX.XXXXX\bin\Hostx64\x64" to find dumpbin.exe, or add the directory to your PATH variable.
  • Visual Studio .NET 2003 has something similar, execute "Vc7\bin\vcvars32.bat" from cmd to get a working environment.
The main options I use are:
  • /headers: Displays the file's PE/COFF headers, not as fancy as seen in IDA.
    • Usage example: dumpbin /headers NyxLauncher.exe
  • /symbols: I use it to find the decorated names in statically-linked libraries.
    • Usage example: dumpbin /symbols Vc7\atlmfc\lib\nafxcw.lib > symbols.txt
  • /exports: Similar to "/symbols" but for dynamically linked libraries.
    • Usage example: dumpbin /exports Vc7\atlmfc\lib\mfc71.lib > exports.txt
What are decorated names?
Functions, data, and objects in C and C++ programs are represented internally by their decorated names. A decorated name is an encoded string created by the compiler during compilation of an object, data, or function definition. It records calling conventions, types, function parameters and other information together with the name. This name decoration, also known as name mangling, helps the linker find the correct functions and objects when linking an executable.
For us, this is just a way to set function names and types in IDA, especially when C++ classes and templates are involved. There are pages listing which .lib file to use for finding names. The static libraries "Vc7\lib\libcpmt.lib" (C++ STL) and "Vc7\atlmfc\lib\nafxcw.lib" (MFC) are enough for now.

Step 2. Find out which libraries are used.

Knowing the compiler and language used is just the first step.
For programs written in languages like C# or Java, there are decompilers that can reconstruct source code very effectively.

For C/C++ programs, knowing which third-party libraries were used speeds things up, as you can spend more time on the functions the authors wrote instead of identifying standard and third-party functions (e.g. the C/C++ standard library, ATL/MFC, Boost, DirectX, zlib).

In our case, we know that NyxLauncher.exe uses the MFC Library from Visual Studio .NET 2003. There are strings we can find in IDA that indicate other libraries as well:
  • zlib: "inflate 1.2.1 Copyright 1995-2003 Mark Adler", "deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly"
  • Boost: "boost::bad_weak_ptr"; version unknown, but no later than the Boost release of Feb 24th 2012, as the file's time stamp is "Wed Mar 21 09:05:24 2012". It may be much earlier depending on how often the devs updated their libraries; I will need to compare Boost source code to find out.
I have only just begun so there may be more to uncover.
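The zlib and Boost hits above come from scanning the binary's strings for library banners. As an added example (not the original post's code), here is that scan automated: extract printable ASCII strings the way `strings` does, then match them against a small table of banner patterns and pull the version out where the banner carries one. The data it runs on is a constructed stand-in for a slice of a read-only data section: the two zlib banners are the strings quoted above, while the surrounding bytes, the Boost strings and the copyright line are made up for the example and were not taken from NyxLauncher.exe.

```python
import re

# Constructed sample of a read-only data section (not bytes from NyxLauncher.exe).
SAMPLE_RDATA = (
    b"\x00\x00\x8b\xff"
    b"inflate 1.2.1 Copyright 1995-2003 Mark Adler\x00"
    b"\x90\x90\x00"
    b"deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly\x00"
    b"\x01\x02"
    b"boost::bad_weak_ptr\x00"
    b"bad lexical cast: source type value could not be interpreted as target\x00"
    b"ABC\x00"                              # too short to count as a string
    b"Copyright (C) 2012 Example Corp\x00"  # made-up line, matches no library
)

# Library banner patterns. A capture group, where present, holds the version;
# otherwise the whole matching string is kept as evidence.
LIBRARY_BANNERS = {
    "zlib": re.compile(r"^(?:inflate|deflate) (\d+\.\d+(?:\.\d+)?) Copyright \d{4}-\d{4}"),
    "Boost": re.compile(r"^boost::|^bad lexical cast:"),
}


def extract_strings(data, min_len=6):
    """ASCII runs of at least min_len printable characters, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def identify_libraries(strings):
    """Map library name -> set of versions (or evidence strings when the
    banner carries no version, as with Boost's exception messages)."""
    found = {}
    for s in strings:
        for lib, pattern in LIBRARY_BANNERS.items():
            m = pattern.search(s)
            if not m:
                continue
            evidence = m.group(1) if m.lastindex else s
            found.setdefault(lib, set()).add(evidence)
    return found


def scan_file(path):
    """Run the banner scan over a whole file on disk."""
    with open(path, "rb") as f:
        return identify_libraries(extract_strings(f.read()))


if __name__ == "__main__":
    for lib, evidence in sorted(identify_libraries(extract_strings(SAMPLE_RDATA)).items()):
        print(lib, sorted(evidence))
```

Banner strings date the library, not the program: zlib 1.2.1 was current in 2003, so finding it in a 2012 build tells you the developers did not update that dependency, which is exactly the situation the post describes for Boost. For libraries whose banners carry no version, the evidence strings are what you compare against candidate source releases.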

To be continued...analysis is still being done, tutorials will be updated whenever I have time to do so.