Hello again everyone, today we'll look at the vtable and how it works. I made some modifications to my setup since the last article:

  • Windows
  • Reclass.Net
  • MinGW for compile

I made these changes because I was having problems debugging with the old set of tools. Let's go?

#include <stdio.h>
#include <windows.h>

class Vehicle
{
public:
    Vehicle() : is_on(false) {}   // start switched off instead of uninitialised
    ~Vehicle(){}
    bool is_on;
    virtual void turn_on(){this->is_on = true;}
    virtual void turn_off(){this->is_on = false;}

    void make_sound()
    {
        printf("Vruuuuuuuum!");
    }
};

class Car : public Vehicle
{
    virtual void break_car()
    {
        printf("Break!!!!!");
    }
};

int main()
{
    Car *car1 = new Car();

    printf("Car1 Instance Address: %p\n", car1);

    while(true)
    {
        if(GetAsyncKeyState(VK_MENU))
            car1->turn_on();
        if(GetAsyncKeyState(VK_SPACE))
            car1->turn_off();
        if(GetAsyncKeyState(VK_F1))
        {
            // The hidden vftbl_ptr is the first member of the object. It points at
            // the table of virtual-function pointers, in declaration order, so
            // slot 0 is turn_on and slot 1 is turn_off.
            void **vtable = *(void***)car1;
            printf("Turn on: %p\n", vtable[0]);
            printf("Turn off: %p\n", vtable[1]);
            Sleep(120);
        }
    }
}

OK, no panic, I will explain this code. As you know, we had the Vehicle class, right? From the Vehicle class I created a child class called Car, and inside the main function I instantiated the Car class.

    Car *car1 = new Car();

    printf("Car1 Instance Address: %p\n", car1);

So I instantiated the class with the new operator, and after that I print the address of the instantiated object with this printf. So far so good. As you can see, I created an infinite loop,

    while(true)
    {
        if(GetAsyncKeyState(VK_MENU))
            car1->turn_on();
        if(GetAsyncKeyState(VK_SPACE))
            car1->turn_off();
        if(GetAsyncKeyState(VK_F1))
        {
            // Read the hidden vftbl_ptr (first member) and print the first two slots
            void **vtable = *(void***)car1;
            printf("Turn on: %p\n", vtable[0]);
            printf("Turn off: %p\n", vtable[1]);
            Sleep(120);
        }
    }

It will be useful for Reclass.Net. When I press the Alt key (VK_MENU) the car changes the bool is_on to true, and when I press Space it's the inverse, false.

Now let's work with Reclass. If you don't know how it works, watch this video from Guided Hacking: https://www.youtube.com/watch?v=DyqnhSkcVIw. The first thing is attaching to the target process, in my case VehicleExample.exe.

After that, do you remember the printf that shows us the object instance address?

Just place that address in Reclass.

To confirm that it's working I'll press Space and Alt to change the bool value.

Pressing Alt and Space, look at the first byte of the second line change from 0x1 to 0x0.

Usually the first member of a class structure is the vftbl_ptr, and it's "hidden". In Reclass you can change the type of a field, and I'll do that to verify that it really is the vftbl_ptr.

Looking at the location pointed to by vftbl_ptr, you'll get this:

Is there any coincidence here? I don't think so. Those are our virtual methods.

Conclusion

OK my friend, to refresh your mind I'll summarise everything again. When you create a class with virtual methods and instantiate it, the first member will be hidden (vftbl_ptr, the pointer to our beautiful table), and after it come the other members, like my bool is_on and so on. Inside this hidden table there are pointers to the virtual functions, and that's it. However, when you override a function, the vtable entry for that function will be different. When you inherit from more than one class, more vftbl_ptrs will appear in your class structure. REMEMBER: usually "sibling" classes share the same function if it's not overridden, so if you change the pointer in the virtual table... OK, that could be the theme for the next article.

But why do C++ compilers do that? Simply less code repetition: classes that inherit from the same class and have the same virtual methods don't need to generate the same function every time.
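To check the points from the conclusion without Reclass, here is an added example (my own code, not from the original post) that reads the hidden vftbl_ptr straight out of the object in a portable way. The classes Vehicle, Car, Truck, Boat and Amphibious are constructed for this example and only mirror the shape of the article's classes; the helper names vtable_of, is_on_offset, slot_shared, boat_subobject_offset and call_slot are mine. It assumes the layout GCC/Clang (Itanium ABI) and MSVC both use: the vptr is the first member, it points at slot 0 of the table, the slots follow declaration order, and `this` is passed as the first argument.

```cpp
#include <cstdio>
#include <cstring>
#include <cstddef>

// Constructed classes mirroring the article's Vehicle/Car shape (not the post's code).
class Vehicle {
public:
    bool is_on = false;
    virtual void turn_on()  { is_on = true; }
    virtual void turn_off() { is_on = false; }
};

class Car : public Vehicle {
public:
    int starts = 0;                                       // own member, placed after the inherited ones
    void turn_on() override { is_on = true; ++starts; }   // overridden: Car's table gets its own slot 0
};

class Truck : public Vehicle {};                          // no overrides: entries shared with Vehicle

class Boat {
public:
    bool anchored = false;
    virtual void drop_anchor() { anchored = true; }
};

class Amphibious : public Vehicle, public Boat {};        // two polymorphic bases: two vftbl_ptrs

using Slot = void*;

// Read the hidden vftbl_ptr stored at offset 0 of the object.
// Assumption: Itanium (GCC/Clang) or MSVC layout, where the vptr is the first
// member and points at slot 0 of the table of virtual-function pointers.
Slot* vtable_of(const Vehicle* obj) {
    Slot* vt;
    std::memcpy(&vt, obj, sizeof vt);
    return vt;
}

// Byte offset of is_on inside a Vehicle: it sits right after the hidden pointer.
std::size_t is_on_offset() {
    Vehicle v;
    return reinterpret_cast<const char*>(&v.is_on) - reinterpret_cast<const char*>(&v);
}

// Does slot i of a's table hold the same function pointer as slot i of b's table?
bool slot_shared(const Vehicle& a, const Vehicle& b, int slot) {
    return vtable_of(&a)[slot] == vtable_of(&b)[slot];
}

// Offset of the Boat subobject (carrying its own vptr) inside an Amphibious.
std::size_t boat_subobject_offset() {
    Amphibious a;
    const Boat* as_boat = &a;   // implicit upcast adjusts the pointer to the second base
    return reinterpret_cast<const char*>(as_boat) - reinterpret_cast<const char*>(&a);
}

// Call a slot directly, bypassing the compiler's dispatch. Assumption: the ABI
// passes `this` as the first argument (Itanium, Win64), so a slot can be treated
// as a plain void(*)(Vehicle*).
void call_slot(Vehicle& obj, int slot) {
    using Fn = void (*)(Vehicle*);
    Fn fn = reinterpret_cast<Fn>(vtable_of(&obj)[slot]);
    fn(&obj);
}

int main() {
    Vehicle v; Car c; Truck t;
    std::printf("is_on offset: %zu (pointer size: %zu)\n", is_on_offset(), sizeof(void*));
    std::printf("Car table %p, Vehicle table %p\n", (void*)vtable_of(&c), (void*)vtable_of(&v));
    std::printf("slot 0 (turn_on)  shared Car/Vehicle:   %d\n", slot_shared(c, v, 0));
    std::printf("slot 1 (turn_off) shared Car/Vehicle:   %d\n", slot_shared(c, v, 1));
    std::printf("slot 0 (turn_on)  shared Truck/Vehicle: %d\n", slot_shared(t, v, 0));
    call_slot(c, 0);
    std::printf("after call_slot(c, 0): is_on=%d starts=%d\n", c.is_on, c.starts);
    std::printf("Boat subobject offset in Amphibious: %zu\n", boat_subobject_offset());
    return 0;
}
```

Each class with virtual methods gets its own table, so Car's and Vehicle's vftbl_ptr values differ, but the turn_off slot in both tables holds the same address because Car did not override it; Truck, which overrides nothing, shares every entry with Vehicle. Amphibious places the Boat subobject, with its second vptr, right after the Vehicle part, which is the "more vftbl_ptr will appear" case from the conclusion.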

That's it mate, I hope you have understood everything. If you have any doubt, contact me on Twitter or Discord (it's in the page footer).

For more information, some links:
https://en.wikipedia.org/wiki/Virtual_method_table
https://www.learncpp.com/cpp-tutorial/125-the-virtual-table/
