CppCon 2019: Gal Zaban “Behind Enemy Lines – Reverse Engineering C++ in Modern Ages”

Discussion & Comments:

Presentation Slides, PDFs, Source Code and other presenter materials are available at:

What do C++ programs really look like? When developers think about hierarchy and virtual calls they see it as design patterns and code but reverse engineers look at it from a different angle, they think about Assembly puzzles.

C++ is known as a tangled language, templates, lambdas and pointers. All of these features create a jungle of objects intended to make life easier for the programmer. But once the program is compiled, the target program is no longer what it once seemed.

Reversing C++ programs is tedious, demanding, and requires rebuilding inheritance, identifying templates and tainting program flow in order to combat the ties of function overloading and class utilization.

C++ binaries are a world of mysteries. In my presentation I am going to show what C++ binaries look like after compilation, and how reverse engineers read C++ binaries and understand their logic.

Gal Zaban
Gal Zaban is a Reverse Engineer with a particular interest in C++ code, currently working as a Vulnerability Researcher. As part of her journey in understanding the catacombs of C++, she developed various RE tools for C++ including Virtuailor.
In her spare time, when she is not delving into low-level research, she designs and sews her own clothes and plays the clarinet.
Twitter: @0xgalz

Videos Filmed & Edited by Bash Films:



  • The code in the slides was compiled with debug symbols, but what was the optimization level? I assume the reversing is enormously more difficult in release mode.

    Araeos July 3, 2020 11:38 am Reply
  • 31:00 This code won't work regardless of small string optimization. The only case I can think of where this might work is if the compiler inlines f() and the temporary std::string created by the + operator is small and therefore allocated on the stack. In that case the compiler might let it live until the end of main() as an optimization. But in all other cases it will either be freed before the call to f_create_print_scoreboard(), resulting in a segfault, or the stack will be overwritten just like she showed.

    reinterpret_cast July 3, 2020 11:38 am Reply
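The lifetime problem the comment above describes, as an added, constructed illustration (not the talk's code; `scoreboard_title` and `print_scoreboard_length` are hypothetical names): a `std::string` temporary built by `operator+` dies at the end of the full expression that created it, so a `const char*` taken from it dangles whether or not SSO put the buffer on the stack. The safe forms return the string by value or bind it to a named object that outlives every use.

```cpp
#include <cstddef>
#include <string>

// Constructed example, not from the talk. Dangerous: the temporary produced by
// operator+ is destroyed when the return statement's full expression ends, so
// the returned pointer refers to a dead object. Whether it "works" depends on
// SSO and on whether the freed buffer is reused: undefined behaviour either way.
const char* scoreboard_title_dangling(const std::string& player) {
    return ("Scoreboard for " + player).c_str();  // pointer into a dead temporary
}

// Safe: return the std::string by value; the buffer's lifetime follows the value.
std::string scoreboard_title(const std::string& player) {
    return "Scoreboard for " + player;
}

// Safe: bind the result to a named object whose scope covers every use of c_str().
std::size_t print_scoreboard_length(const std::string& player) {
    const std::string title = scoreboard_title(player);  // owns the buffer (heap or SSO)
    const char* p = title.c_str();                        // valid until `title` is destroyed
    std::size_t n = 0;
    while (p[n] != '\0') ++n;                             // walk the C string while it is alive
    return n;
}
```

`scoreboard_title_dangling` is shown only for contrast and is never called; a sanitizer build (e.g. AddressSanitizer) flags the use-after-free if it is.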
  • Good talk, well done. Nice to see someone doing actual reverse engineering and not just blindly trusting the hexrays decompiler. 🙂
    The j_ trampolines are because of MSVC's incremental linking btw.

    Mikael Andersson July 3, 2020 11:38 am Reply
  • Nice video

    Ashish July 3, 2020 11:38 am Reply
