1

I am not very familiar with Qt to begin with but basic PyQt tutorial showed that a button object is linked with its handler using the connect method that takes in as its argument the function that gets executed when the button signal is met. On trying to reverse an app I managed to successfully figure out where the button was created in IDA:

v15 = (QAbstractButton *)a1[12];
v16 = (const struct QString *)QCoreApplication::translate(
                                  v21,
                                  "SCRRegistrationDialog",
                                  "Button Text 1...",
                                  0i64,
                                  -1);
QAbstractButton::setText(v15, v16);
QString::~QString(v21);
v17 = (QAbstractButton *)a1[14];
v18 = (const struct QString *)QCoreApplication::translate(v21, "SCRRegistrationDialog", "Button Text 2", 0i64, -1);
QAbstractButton::setText(v17, v18);
QString::~QString(v21);
v19 = (QAbstractButton *)a1[15];
v20 = (const struct QString *)QCoreApplication::translate(v21, "SCRRegistrationDialog", "Button text 3", 0i64, -1);
QAbstractButton::setText(v19, v20);
QString::~QString(v21);

As can be seen the button text is passed but I simply cant find the function that gets executed when its pressed. I have tried tracing in IDA and tried this answer : Find code executed on button press in Qt5 Linux application but I am unable to follow the method.

0xC0000022L
  • 10,908
  • 9
  • 41
  • 79
Ajaykrishnan R
  • 119
  • 1
  • The function isn't included when the object is instantiated, but afterwards by calling btn.clicked.connect(<function>)... you might need to look further. – Mega Tonnage Dec 02 '22 at 07:18
  • Hi and welcome to RE.SE. The function could probably be found by finding the vtable for a1[12] etc. There are IDA plugins for that, but I don't know just how well they interact with the decompiler plugin, if at all. From the code it reads as if a1 is something like the form and a1[12], a1[14], a1[15] are all instance pointers of QAbstractButton. – 0xC0000022L Dec 02 '22 at 08:40
  • @0xC0000022L I think I found the connect statement: QObject::connect(&v24, *(_QWORD *)(a1[5] + 112i64), "2clicked()", a1, "1registrationDialogValidation()", 0); I think 2Clicked() is the signal and 1registrationDialogueValidation() seems to be the function but its just in text. I am not familiar with vtables but how do you find the vtable of a1[12] ? This was found before the connect statement: QDialog::QDialog(a1, a2, 0i64); *a1 = &SCRRegistrationDialog::'vftable'; a1[2] = &SCRRegistrationDialog::'vftable'; v3 = operator new(0x80ui64); a1[5] = v3; sub_7FF7100D0570(v3, a1); – Ajaykrishnan R Dec 05 '22 at 06:41

0 Answers0