Results 1 to 3 of 3

Thread: IDA/Softice & VB

  1. #1

    IDA/Softice & VB

    Hi, can anybody give me a few pointers.
    I am trying to RE a prog written in visual basic 6.0.
    I have trawled the net and tried to find info myself.

    Ida gives me the following information :

    .hc0j7ci : 0040 1000
    004F 7FFF

    .data : 004E E000
    004F 7FFF

    .rsrc : 004F 8000
    004F 9FFF

    .v3utv94v : 004F A000

    .fpf0xu9b : 0054 A000
    005F 7FFD

    .xmgnvmgh : 005F 8000
    005F 8FFF

    Start point is shown as fpf0xu9b : 005F7A80

    Imports: Kernel 32 User32

    Why does it not show MSVBVM6 as an import because it definitly uses it?
    I set up softice, ran the prog, got the proc ID, set the ADDR, and set a BP on
    MessageBoxA (this is show as imported from user32) softice did not break when I clicked on the reg box.

    Just out of interest I tried clicking on the reg box without entering any info.
    Sice broke on an error.

    001B:0052 BEC9 CALL [MSVBVM60! __vbaHresultCheckObj]

    Just above the command window I get the following info:
    (PASSIVE) KTEB (81441280) TID 03D0 Myprog! v3utv94v+00032AB4

    What I have learnt so far is that the string compare between what we entered and the 'real' generated serial is done with MSVBVM6.

    The info that I got when Sice broke on an error suggests that i'm not looking at the right area as this is located in memory at 001B:0052 BEC9
    comparing it to what I got fro IDA it does not seem to fit in any of the locations.

    This is obviously something fundamental that I've missed.
    .

  2. #2
    1. Dump all exports from MSVBVMxx.dll
    2. Search for RTCxxxxx (you will get your messagebox here, not the MessageBoxX variant in kernel/user)
    3. BP to hearts content. BTW, this works even in IDA debugger.

    Have Phun
    Blame Microsoft, get l337 !!

  3. #3
    Thank Aimless
    I wrongly assumed that by adding msvbvm60 to the imports in winice.dat that Sice would find them.
    When I exported it with NTloader it works fine.

Similar Threads

  1. Softice 4.05 NT
    By crackn101 in forum Tools of Our Trade (TOT) Messageboard
    Replies: 6
    Last Post: May 22nd, 2003, 01:30
  2. Softice for NT
    By Uradox in forum Tools of Our Trade (TOT) Messageboard
    Replies: 0
    Last Post: September 27th, 2002, 14:54
  3. DEBUG using Softice: Softice look for abort.c atoi.c etc... (Win32 console program)
    By lsteo2 in forum Advanced Reversing and Programming
    Replies: 1
    Last Post: January 15th, 2001, 03:23
  4. Softice vs Win Me
    By Vasquez in forum Tools of Our Trade (TOT) Messageboard
    Replies: 1
    Last Post: December 1st, 2000, 04:50
  5. Softice Help from a pro Please
    By down_n_out in forum Advanced Reversing and Programming
    Replies: 0
    Last Post: November 29th, 2000, 01:07

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •