VB Header Info


JoePub
December 5th, 2010, 04:13
Hi All,

I am in the process of analyzing a VB executable that was packed with yoda's protector v1.03.3.

I have found the OEP and dumped the executable, and I have also managed to rebuild the import table.

The executable doesn't run though (imports are loaded, etc, but then hangs) so I can continue my analysis. I think it is something to do with the VB header, project info and friends.

Some VB P-Code disassemblers seem to manage to read it, but WKTVBDE and VBResQ don't appear to believe it's a VB executable.

I have tried WKTVBDE with other VB executables and it seems to work fine; it reports that it finds the VB table and then loads the executable.

I think there is an issue with the VB headers that are pushed onto the stack on the first instruction at the OEP, so I was wondering if anyone has found the details for the various structures that are present so that I can check that they are good.

Also, has anyone seen this problem after dumping a VB exe packed with yoda's protector?

Thanks Guys.

disavowed
December 25th, 2010, 20:55
Assuming it is P-code and not native...
Have you tried debugging WKTVBDE/VBResQ to see what they're trying to validate before they complain?
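
Added example, not part of either post: a first sanity check on a dumped image is whether the address pushed by the first instruction at the entry point still maps into a section and starts with a VB header. The `VB5!` signature is taken from public descriptions of VB5/6 executables, not from this thread; the function names and the constructed sample image are hypothetical, and only the PE32 layout is handled.

```python
import struct

def sections(img, pe):
    """Yield (rva, size, raw_offset) for each section header."""
    count, = struct.unpack_from("<H", img, pe + 6)
    opt_size, = struct.unpack_from("<H", img, pe + 20)
    for i in range(count):
        entry = pe + 24 + opt_size + 40 * i
        vsize, rva, rsize, raw = struct.unpack_from("<4I", img, entry + 8)
        yield rva, max(vsize, rsize), raw

def rva_to_offset(img, pe, rva):
    for start, size, raw in sections(img, pe):
        if start <= rva < start + size:
            return raw + (rva - start)
    return None

def check_vb_header(img):
    """Return (ok, reason) for the header pushed by the first instruction at the entry point."""
    pe, = struct.unpack_from("<I", img, 0x3C)
    if img[:2] != b"MZ" or img[pe:pe + 4] != b"PE\0\0":
        return False, "not a PE file"
    entry_rva, = struct.unpack_from("<I", img, pe + 24 + 16)
    image_base, = struct.unpack_from("<I", img, pe + 24 + 28)  # PE32 layout
    ep = rva_to_offset(img, pe, entry_rva)
    if ep is None or img[ep:ep + 1] != b"\x68" or len(img) < ep + 5:
        return False, "entry point is not 'push imm32'"
    hdr_va, = struct.unpack_from("<I", img, ep + 1)
    hdr = rva_to_offset(img, pe, hdr_va - image_base)
    if hdr is None:
        return False, "pushed address 0x%08x is outside every section" % hdr_va
    if img[hdr:hdr + 4] != b"VB5!":  # assumed VB5/6 header signature
        return False, "no VB5! signature at 0x%08x" % hdr_va
    return True, "VB5! header at 0x%08x" % hdr_va

def build_sample(magic=b"VB5!"):
    """Constructed minimal PE32 image: one section, push <header VA> at the entry point."""
    base, rva, raw = 0x400000, 0x1000, 0x200
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)        # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x86, 1)           # NumberOfSections
    struct.pack_into("<H", img, 0x94, 0xE0)        # SizeOfOptionalHeader
    struct.pack_into("<I", img, 0x98 + 16, rva)    # AddressOfEntryPoint
    struct.pack_into("<I", img, 0x98 + 28, base)   # ImageBase
    struct.pack_into("<4I", img, 0x178 + 8, 0x200, rva, 0x200, raw)  # section entry
    img[raw:raw + 5] = b"\x68" + struct.pack("<I", base + rva + 0x10)
    img[raw + 0x10:raw + 0x14] = magic
    return bytes(img)
```

The check follows the section table exactly as the dump's headers describe it, so a dump whose raw offsets were not realigned by the dumping tool will be reported as a mapping failure rather than a bad header.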