VB6 Prog can't find a way in!


Greyhound2004
October 6th, 2008, 12:47
Hi,
I'm trying to RE a program that uses MSVBVM60.DLL without much success.
First thing I did after installing it was to look at the exe file with a hex editor.
Not far into the file there is a reference to msvbvm60.dll, so I know that it's a Visual Basic prog.
I then ran the prog through Smartcheck and got "Program is compiled to P code Smartcheck is unable to provide substantial info on progs compiled to P code"

So more bad news: it's Visual Basic and it's P code.

I had a look at the exe file with IDA Pro.

This shows .idata: 00401000 to 004010B0 ;imports from MSVBVM60
; Image base 400000

.text: 004010B4 to 0044ABB8 ;contains lots of jumps to MSVBVM
;functions. ThunRtMain
;segment type: pure code
;Public Start 004011C8

.data: 0044B000 to 004511A3 ;segment type: pure data

.rsrc: 00452000 to 00452FFF

When you run the target exe you get the usual 'buy now' 'continue' 'register' options. If you click register you are asked to enter a 16 digit code in 4 groups of 4.

The problem is that I can't find a breakpoint that works with SoftICE.
I've tried BPX ThunRtMain and many others but they don't break.

Am I right in thinking that ThunRtMain is only called once at the start when the prog is run? If this is the case, then when I run the prog to get the proc id to make sure I'm standing in the code, I'll already be past that breakpoint?

In this case would it be better to set a BP on WINMAIN and narrow it down from there?

Are there any better approaches ?


I did remember to add MSVBVM60 to winice.dat

Iwarez
October 6th, 2008, 13:55
The VB6 runtime provides a lot of string handling functions that can be broken upon. You can take a look at these. I also use P32Dasm if I encounter a P-Code program. It makes modifying them easier. You are right in assuming that the ThunRTMain function is only called once. Try placing a memory breakpoint on a p-code fragment to see what the program does with the entered serial.

Greyhound2004
October 7th, 2008, 03:34
Hi Iwarez,
Thanks for the suggestion on P32Dasm - great little prog.
This one gave me exactly what I was looking for. No need to delve further.

Regards,

disavowed
October 14th, 2008, 14:54
http://www.woodmann.com/collaborative/tools/index.php/Whiskey_Kon_Tequilla_VB_P-Code_Debugger is also useful if you need to debug the PCode.

Greyhound2004
October 17th, 2008, 04:08
Thanks disavowed, I'll take a look.

wintruder
October 18th, 2008, 03:10
I just released a p-code debugger. If you're still interested, take a look at http://www.woodmann.com/forum/showthread.php?t=12139

Greyhound2004
October 18th, 2008, 03:16
Thanks wintruder, I'll try that one too when I get the time.
Regards,

dELTA
October 24th, 2008, 16:04
You can find all those tools, and more, in the following CRCETL categories:

http://www.woodmann.com/collaborative/tools/index.php/Category:Visual_Basic_Decompilers

http://www.woodmann.com/collaborative/tools/index.php/Category:Visual_Basic_Debuggers