PDA

View Full Version : Finding Entry Point for VB6 Program


NeonFlash
January 19th, 2013, 05:23
Hi,

Analyzing a virus written in VB6.

Used this: http://www.reteam.org/papers/e46.pdf as a reference to find the entry point of code section (Original Entry Point).

as mentioned in the PDF referenced above, the StartofCode is surrounded by a signature, E9E9E9 followed by a few 0xCC bytes and then the code and at the end again, 9E9E9E.

in my case, I get:

E9E9E9CCCCCCCC9E9E9E

the code is missing

here is the code:

Code:

E9
E9
E9
E9
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3
INT3 <<< code should have started after this point
9E
9E
9E
9E


how do I find the entry point in this case so that I can step through the code in debugger?

Aimless
January 19th, 2013, 05:48
Why don't you get 'VB Decompiler' and examine the same?

VB Code is 'generally' not meant to be disassembled, but decompiled.

Have Phun

NeonFlash
January 19th, 2013, 05:50
I tried to decompile it using DeDe software which is for VB. However, it could not find any Forms and code.

I am going to try VBDecompiler Lite now.

disavowed
January 19th, 2013, 14:26
DeDe is for Delphi, not for VB.