
Thread: Visual Basic 5_6 stuff

  1. #1

    Visual Basic 5_6 stuff

    I'm working on a VB 5/6 app but maybe VB is too ancient to be of interest. I was dubious about it at first since I have done some Delphi in the past but I came across a tute by Andrea Geddon and another by Alex Ionescu that has shed considerable light on the subject. BTW...I got my lead to that help here, via a search.

    Andrea included a crackme created by a friend especially for the tute which is a name/serial crack. He runs through the crackme stage by stage revealing the format of VB5. When I first loaded my app in IDA it looked like a horrible mess since IDA can't make head or tail of the VB structure. I have also d/l'd a plugin for IDA that supposedly helps IDA create a structure. Using Andrea's description of the format, I have been able to take raw VB data and make sense of it using IDA's 'Undefine' feature then rebuilding the data using mainly double-word formats. It's nice to see structure forming out of the data chaos.

    Don't know as yet whether the plugin is written for VB 5/6, the difference being that earlier versions apparently used p-code. The 5/6 version uses assembly but getting to the code start is not apparent. Once in it, however, it's a matter of deciphering the VB calls. Another difference is that VB does not offer strings as plain strings; it uses string objects, so when a code move takes place it moves the entire object, not just the string.

    Anyone interested? If not, feel free to delete the thread. If there is interest, I propose to clarify certain parts of the tute offered by Andrea and see what others may have to offer. His native language is Italian and he seems to bypass certain code features that maybe he presumes the reader will understand. I sure didn't. I had to scratch my head thinking, "where'd he get that"? Then again, maybe I'm just dumb.

    I also plan to run it through windbg or sice, in a VM, and input from others may be helpful.

  2. #2
    Kayaker (Teach, Not Flame; joined Oct 2000; 4,143 posts; 5 blog entries)
    Sure, pass along whatever you find.

    I don't really need to add this, right?

    http://www.woodmann.com/collaborative/tools/index.php/Category:Visual_Basic_Tools


    Numega SmartCheck VB debugger might be what you were thinking about before.

  3. #3
    Quote Originally Posted by Kayaker:
    I don't really need to add this, right? Numega SmartCheck VB debugger might be what you were thinking about before.
    Thanks for reminder Kayaker. You know, I found a really good lead using the search engine on this site and I did not come back, as intended, to check the tools section. Looks like some good stuff in there.

    And, yes, it was Smartcheck I was thinking about. Came across the name while checking out other VB material. I think people forget that in the latter days, sice came as part of the DriverStudio package and it included Smartcheck, Boundschecker, etc. The latter two can be turned on or off in the DS setup utility.

    Anyway, I am not focused on the serial fishing aspect of the app I am checking, wasting a lot of time reassembling the structure in IDA. It's intriguing to see structure appear out of a jungle of jumbled data, that often looks like a set of pointers. Once undefined, text in both c-type and unicode begin to appear, then jumbled addresses in the 4xxxxx range appear. Many of them already have names I managed to attach using Andrea Geddon's tute but Alex Ionescu's tute is more about structure.

    Once you find the VB signature, VB5! or VB6!, in the binary, you have found the main structure and it contains pointers to important structures. In IDA, it has a pointer to it at 'jump to start of code' in IDA menu. The main structure is defined well in Alex Ionescu's tute but I found a few discrepancies re offsets. For the most part, his offsets are dead on in other areas like the Object Table structure.

    Some preliminary links:

    general...with link to Andrea Geddon's VB tute.

    http://sandsprite.com/vb-reversing/

    Alex Ionescu's VB tute:

    http://web.archive.org/web/20071020232030/http://www.alex-ionescu.com/vb.pdf

    The crackme Andrea Geddon uses in his tute is on his old page at link below, at the top.

    ******Note******

    Don't know how kosher this link is re present site policy. I don't see any copyrighted material on it and I don't think Andrea was the type to post it.

    Actually, this link leads to main page. Look under crackmes and it is on top under VB_Crackme.

    https://web.archive.org/web/20070114080420/http://xoomer.alice.it/andreageddon/main0.htm
    Last edited by WaxfordSqueers; April 18th, 2020 at 13:49.

  4. #4
    Switching modes to do some reversing. In my last post, at the last link (with xoomer in the URL), there is a small VB crackme (in the crackme section called vb_crackme). I tried loading it in Windbg and it would not run. Tried attaching to it but it froze in a window. Resorted to Olly because it's too much of a hassle tonight to fire up sice on a VM. It's a very small, very simple app with a window with slots for entering a user name/serial and an OK button. It's not clear why windbg has so much trouble running it.

    I was finally able to trace through the app in Olly 1.1 to the good guy/bad guy jump and bypassed the crackme serial protection. Two BPs did it using generous hints from Andrea Geddon's tute. So, I am not claiming any credit, I was just testing to see if Olly would run the app. When I tried on a much bigger VB app, Olly choked. I can get to the VB Start of code easy enough but if I set a BP at the real start of code (not the VB entry point where Olly stops) Olly stops with an error "inexact floating-point result - use Shift F7/F8/F9 to pass exception to program".

    EIP points to kernelBA.764EC5AF (kernalBA is kernelBASE), wherever that is. All the main registers are in red text. I'm thinking the app may have some kind of VB protection but I have seen Olly 2 do stuff like this on an unprotected app. I was looking for an Olly anti-anti-debug extension like Ollyext or Hyde. Tried the link for Hyde in our tools section but the link is no longer good.

    If push comes to shove I could go back to the VB code start and just start tracing. However, that means coping with MSVBVM60.dll. It's doable once I get into my tricks for bypassing large chunks of bloated code. I can also set BPs at various points to cut down on tracing.

    Then again, why waste my time when I could fire up sice in a VM? At least I know what's going on there.
    Last edited by WaxfordSqueers; April 20th, 2020 at 13:16.

  5. #5
    ps. tracing MSVBVM60 is not nearly as bad as I had imagined. I'm all the way through to where it is setting up the app header section and it has already generated windows and controls that are not yet visible. As I progress, I note addresses where I can BP and using those BPs I've had no problem starting the app over again and setting a BP on those addresses.

    This is all without symbols since I have yet to connect to the Net to retrieve them. I don't even know if Olly will use symbols. Have not encountered the error with the exception when I allow the app to run from beginning.

    I'm using intuition based on experience with other reversing as to which calls can be jumped over. So, I run Olly with my left hand with one finger on F7 (step into) and the next finger on F8 (jump over). My right hand runs the mouse for scrolling the code windows. Occasionally when caught up in system code I resort to jumping to return. And when caught in a loop, I stop to check jump instructions to see if I can safely jump out of the loop. Most of the time it's obvious. Some loops are far more complicated so I have to watch a variable changing and hold the F7 or F8 key down while code races by. Not elegant, I admit, but when you have little inkling as to what the code is doing, sometimes drastic measures work better.

    I much prefer doing it slowly and formally with notes, to build a picture of what the code is doing. Did not have time last night. Having reached the addresses below, I will begin taking serious notes to see what is going on.

    One of the most recent BP addresses I have noted is in MSVBVM60 at:

    732A7898.....CALL....MSVBVM60!EbLoadRuntime

    followed by:

    732A8BE1.....MOV....ss:[18FE501], EAX....where EAX = 408C80 = Start of Code (thanks to IDA, Andrea Geddon, and Alex Ionescu)

    This is the Start of Code proper, where the actual VB code is run. I have also seen a reference to the .DATA section, so it seems to be checking the format of the different sections in the file related to runtime. I am guessing that any VB protection will be in this code since protection is hardly likely to be found in MSVBVM60, which has dominated the code tracing. I have seen no callbacks as yet into the app code but obviously, MSVBVM knows where the app code resides and does not have to access it via a CALL.

    One stark difference in the VB process is that normal Windows apps (normal meaning from my limited experience), that is, the user-level apps I have dealt with, call into the system then return to the app. Sometimes, in the middle of such a call, the system will call back into the app at another address then return to the system module. With VB, the app immediately calls MSVBVM after PUSHing an address of the VB app's main info structure which leads via pointers to all of its pertinent information. Therefore, MSVBVM has an address through which it can access any of the VB app's information on how to construct its forms.

    Early on in the MSVBVM code there are initialization procedures identical to what would be found in a normal Windows app. Rather than having those procedures in the app as would be expected in the beginning of a Windows app, a VB app calls immediately to MSVBVM to initialize it and set up all its windows (forms). I have traced (jumped over) calls to User32 from MSVBVM where the winprocs are taking place. There were also calls to OLE procedures for the COM parts of the VB app that I don't want to touch with a 10 foot pole.

  6. #6
    blabberer (Super Moderator; joined Dec 2004; 1,524 posts; 15 blog entries)
    there is a small VB crackme (in the crackme section called vb_crackme). I tried loading it in Windbg and it would not run
    what won't run? windbg/ crackme?

    i just downloaded it and gave a twirl it ran properly

    why would you want to do everything the hardest possible way? tracing inside msvbvm60.dll ??

    have you downloaded the vb-decompiler (the free one is sufficient ) ? it will provide you all the places where you need to set a break for each form control events

    have you downloaded the vb.idc originally written by reginald wong updated by sapden (it will work in idafree also )

    it will also provide all the entry points for all click_event_handlers

    run the crackme

    enter some crap

    hit check and you will break here for the event

    Code:
    .text:00402FD0
    .text:00402FD0                 public _O_Pub_Obj_Inf1_Event0x3
    .text:00402FD0 _O_Pub_Obj_Inf1_Event0x3 proc near      ; CODE XREF: .text:00402412j
    .text:00402FD0
    .text:00402FD0 ; FUNCTION CHUNK AT .text:004011AC SIZE 00000006 BYTES
    .text:00402FD0
    .text:00402FD0                 push    ebp             ; _O_Pri_Obj_Inf1_Event0x3
    .text:00402FD1                 mov     ebp, esp


    here is a replica of some of the structures as found in alex ionescu's pdf using windbg


    Code:
    0:000> .load .\vbanalyze.dll
    0:000> !vbanalyze
    401970
    struct _VBHEADER * 0x00401970
       +0x000 szVbMagic        : [4]  "VB5!"
       +0x004 wRuntimeBuild    : 0x231c
       +0x006 szLangDll        : [14]  "VB6IT.DLL"
       +0x014 szSecLangDll     : [14]  "*"
       +0x022 wRuntimeRevision : 0xa
       +0x024 dwLCID           : 0x410
       +0x028 dwSecLCID        : 0x409
       +0x02c lpSubMain        : (null)
       +0x030 lpProjectData    : 0x00401aa0 _PROJECTINFO
       +0x034 fMdlIntCtls      : 0x30f016
       +0x038 fMdlIntCtls2     : 0xffffff00
       +0x03c dwThreadFlags    : 8
       +0x040 dwThreadCount    : 1
       +0x044 wFormCount       : 2
       +0x046 wExternalCount   : 0
       +0x048 dwThunkCount     : 0xe9
       +0x04c lpGuiTable       : 0x00401a00 Void
       +0x050 lpExternalTable  : 0x004018f8 Void
       +0x054 lpComRegisterData : 0x0040131c _REGDATA
       +0x058 bSZProjectDescription : 0x78
       +0x05c bSZProjectExeName : 0x7e
       +0x060 bSZProjectHelpFile : 0x84
       +0x064 bSZProjectName   : 0x85
    struct _PROJECTINFO * 0x00401aa0
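
The header layout in the !vbanalyze dump above, and the "find the VB5!/VB6! signature, then follow its pointers" approach from post #3, can be turned into a small parser. The following is an added example written for this thread, not code from the thread, from IDA, from WinDbg or from vbanalyze.dll; the field names and offsets are the ones in the dump, the entry-stub shape (push of the header address followed by a call into MSVBVM60, as described in post #5 and visible as the ThunRTMain frame later in the thread) is assumed to be `68 imm32 / E8 rel32`, and the sample image is constructed in the block with the dump's field values rather than taken from andre.exe.

```python
"""Locate and parse the VB5/VB6 runtime header ("VB5!" structure) in an
in-memory image.  Added example for the thread; field names and offsets
follow the !vbanalyze dump of Alex Ionescu's _VBHEADER layout."""
import struct

# 0x68-byte header, little-endian, no padding: 5 leading fields, 8 DWORDs,
# 2 WORDs (wFormCount/wExternalCount), 8 DWORDs.
VBHEADER_FMT = "<4sH14s14sH" + "I" * 8 + "HH" + "I" * 8
VBHEADER_FIELDS = (
    "szVbMagic", "wRuntimeBuild", "szLangDll", "szSecLangDll",
    "wRuntimeRevision", "dwLCID", "dwSecLCID", "lpSubMain", "lpProjectData",
    "fMdlIntCtls", "fMdlIntCtls2", "dwThreadFlags", "dwThreadCount",
    "wFormCount", "wExternalCount", "dwThunkCount", "lpGuiTable",
    "lpExternalTable", "lpComRegisterData", "bSZProjectDescription",
    "bSZProjectExeName", "bSZProjectHelpFile", "bSZProjectName",
)
VB_MAGICS = (b"VB5!", b"VB6!")


def header_from_entry_stub(image, image_base, entry_va):
    """The preferred route: the entry stub is `push <header> ; call ThunRTMain`
    (assumed encoding 68 imm32 / E8 rel32).  Returns the pushed VA or None."""
    off = entry_va - image_base
    if off < 0 or off + 10 > len(image):
        return None
    if image[off] != 0x68 or image[off + 5] != 0xE8:
        return None
    return struct.unpack_from("<I", image, off + 1)[0]


def find_vb_header(image, image_base):
    """Fallback: raw scan for the signature.  A string match alone can be a
    false positive, so parse_vb_header() re-checks the magic and bounds."""
    for magic in VB_MAGICS:
        off = image.find(magic)
        if off != -1:
            return image_base + off
    return None


def parse_vb_header(image, image_base, header_va):
    """Unpack the header at header_va into a dict keyed by field name."""
    off = header_va - image_base
    if off < 0 or off + struct.calcsize(VBHEADER_FMT) > len(image):
        raise ValueError("header lies outside the image")
    hdr = dict(zip(VBHEADER_FIELDS, struct.unpack_from(VBHEADER_FMT, image, off)))
    if hdr["szVbMagic"] not in VB_MAGICS:
        raise ValueError("bad VB signature at 0x%X" % header_va)
    hdr["szVbMagic"] = hdr["szVbMagic"].decode("ascii")
    # The DLL name fields are fixed 14-byte buffers; trim at the first NUL.
    for name in ("szLangDll", "szSecLangDll"):
        hdr[name] = hdr[name].split(b"\0", 1)[0].decode("ascii", "replace")
    return hdr


def build_sample_image():
    """Constructed sample (not real andre.exe bytes): image base 0x400000,
    entry stub at 0x401310 pushing 0x401970, header at 0x401970 filled with
    the values from the windbg dump."""
    base = 0x400000
    image = bytearray(0x2000)
    stub = b"\x68" + struct.pack("<I", 0x401970) + b"\xE8" + struct.pack("<I", 0)
    image[0x1310:0x1310 + len(stub)] = stub
    header = struct.pack(
        VBHEADER_FMT,
        b"VB5!", 0x231C, b"VB6IT.DLL", b"*", 0xA, 0x410, 0x409, 0,
        0x401AA0, 0x30F016, 0xFFFFFF00, 8, 1, 2, 0, 0xE9,
        0x401A00, 0x4018F8, 0x40131C, 0x78, 0x7E, 0x84, 0x85)
    image[0x1970:0x1970 + len(header)] = header
    return bytes(image), base, 0x401310


if __name__ == "__main__":
    img, base, entry = build_sample_image()
    va = header_from_entry_stub(img, base, entry) or find_vb_header(img, base)
    for k, v in parse_vb_header(img, base, va).items():
        print("%-22s %s" % (k, hex(v) if isinstance(v, int) else v))
```

Following the entry stub's push operand is what makes the result trustworthy: the signature scan only confirms that four bytes match, while the stub tells you which structure the runtime itself is handed. From lpProjectData the same unpack_from pattern continues into _PROJECTINFO and the object table.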

  7. #7
    Quote Originally Posted by blabberer:
    i just downloaded it and gave a twirl it ran properly
    Thanks, as usual.

    Go figure, I ran it again after a reboot and the crackme ran fine. Last time, it froze when I hit Go under debug. I tried it several times so it wasn't a one-timer.

    I reloaded my other VB app, which is considerably larger and it loaded fine till the system address. I knew the start of code for the VB entry point so I set a BP on it and the app ran to the BP. Now I am in the VB app at a 4xxxxx address just before the call to MSVBVM60. I have to figure out which address I need to capture the serial input.

    I am trying to clear the cobwebs. If I get to entry point and hit go, the app's windows (forms) all come up and windbg sits there saying the debugger is running. So, I hit break to stop it so I can enter a BP, or whatever. At that point I should be able to set a BP to where I want the loaded serial to break. At that point I can activate the serial and it should stop at the BP. Is that right?

    Quote Originally Posted by blabberer:
    have you downloaded the vb-decompiler (the free one is sufficient ) ? it will provide you all the places where you need to set a break for each form control events
    yes...the free version is working, I need to look at it closer.

    Quote Originally Posted by blabberer:
    have you downloaded the vb.idc originally written by reginald wong updated by sapden (it will work in idafree also )
    Downloaded it a few days ago. I have just loaded it and it is running the IDC script. Took a bit to find how to load the script, normally I'd look under the Edit menu. On my free version I had to look under File\load script and direct it to the idc script which I had already loaded in the IDA IDC directory.

  8. #8
    re vb.idc by Reginald Wong et al.

    I ran this yesterday on my big VB app and it ran overnight, a total of about 20 hours. I had not finished but I thought the problem may be that I ran it on the app after I had modified it somewhat on IDA.

    Stopped it and ran it on the small crackme and it took close to an hour to do it. I restarted it on a clean version of my big VB app on IDA and it's still running after 10 hours. Not what I'd call practical.

    All I have seen the past 10 hours is this:

    lpuuidObjectTypes Value: 0x111A00000

    This variable is defined in vb.idc as "Pointer to Array of Object Interface GUIDs"

    That's where it was at after starting from 0. It's now approaching 0x111D00000 and that took about 15 minutes.

    Have no idea what it's doing. The uuidObjectTypes apparently refer to GUIDs for objects, but why so many? That's nearly 4.6 billion GUIDs, surely there are no more than a few thousand, if that.

    Seems the app may be comparing GUIDs to every possible GUID value from 0x000000000 to 0xFFFFFFFFF. If that's the case, it doesn't seem an efficient way of going about that. In the VB app the GUIDs are arranged in dwords, one after the other.

    Just noticed that it seems to be running through the GUID values faster. Maybe there's hope. Problem is, it hogs the entire processor. Can't even change to the desktop.

  9. #9
    Looking at the vb.idc script again, and I know nothing about IDC scripts, I get this for the ObjectTypes GUID routine:

    Code:
    //
    // make names for lpuuidObjectTypes
    //
    dwObjectTypeGuids = Dword(ea + 0x10);
    Message("--> dwObjectTypeGuids Value: 0x%s\n", ltoa(dwObjectTypeGuids,16));

    if(dwObjectTypeGuids > 0)
    {
        for(counter=0; counter < dwObjectTypeGuids; counter++)
        {
            lpuuidObjectTypes = Dword(ea + 0xC) + (0x04*counter);
            Message("--> lpuuidObjectTypes Value: 0x%s\n",ltoa(lpuuidObjectTypes,16));
            FixDword(lpuuidObjectTypes,catstring+"_lpuuidObjectTypes_" + ltoa(counter,16),"Ptr to GUID Data");
        }
    }
    According to Ilfak's definitions, ea is a linear address. So,

    dwObjectTypeGuids = Dword(ea + 0x10);

    seems to be saying, check each linear address + 0x10 for a 'possible' dwObjectType Guid. There are only 2 or 3 references in the script to dwObjectTypeGuids and I don't see anything defining it other than as an offset in a structure.

    There is a mention here under Optional Object Information...auto lpuuidObjectTypes; From what I gather, auto is a reference to auto analysis, which IDA seems to be doing alright, in an infinite, or near infinite loop. I define infinite as an app taking about 24 hours to complete a process.

    But, first, how does the code know it has a GUID?

    The code says:

    Code:
    if(dwObjectTypeGuids > 0)
        {
            for(counter=0; counter < dwObjectTypeGuids; counter++)
            {
                lpuuidObjectTypes = Dword(ea + 0xC) + (0x04*counter);
    How does this loop know when to end? As far as I know, there is nothing in the VB app that says how many GUIDs there are. And when it finds one, how does it know it has a GUID? There are GUIDs in certain structures but offset 0x10 into a structure does not mean it is necessarily a GUID. There is nothing I can see in the script that tells this particular function (above) to look in any particular structure.

    The structures are all linked, starting at the VB structure with the VB5! signature. But, how does the script know where to look for a GUID?

    Seems to me all the author is doing is checking each address in the app and so far, he has checked 0x11B140000 of them = 4.7 billion addresses. The addresses go from 401000 to 57DFFF which is 0x17CFF = 1,560,575 addresses.

    Is this app buggy or is it me?
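
The loop quoted above trusts whatever DWORD sits at `ea + 0x10` as the number of GUID pointers, so if `ea` points at something other than a real object info structure the count is arbitrary and the loop runs for as long as that garbage says. The following is an added example, written in Python rather than IDC and not part of vb.idc, showing the same walk with the checks a script can make before iterating: the count must fit in the image, the pointer table at `ea + 0xC` must lie inside it, and every entry must point at 16 bytes inside it. The `+0xC`/`+0x10` offsets are the ones the quoted script uses; the sample image, both GUIDs and the "bogus count" structure are constructed here.

```python
"""Bounds-checked walk of a VB object's lpuuidObjectTypes pointer array,
mirroring the vb.idc loop quoted above.  Added example, not vb.idc code."""
import struct
import uuid

# Assumed sanity bound: no real VB object carries anywhere near this many
# interface GUIDs, so a larger count means ea is not an object info struct.
MAX_PLAUSIBLE_GUIDS = 4096


def read_dword(image, base, va):
    """Read a little-endian DWORD at virtual address va, refusing out-of-image reads."""
    off = va - base
    if off < 0 or off + 4 > len(image):
        raise ValueError("dword read outside image at 0x%X" % va)
    return struct.unpack_from("<I", image, off)[0]


def walk_object_type_guids(image, base, ea):
    """Return [(pointer_va, GUID)] for the object info at ea.

    Same arithmetic as the IDC loop (table = Dword(ea+0xC), count =
    Dword(ea+0x10), entry i at table + 4*i), but every value is validated
    before it is used, so a mis-pointed structure fails fast instead of
    producing billions of iterations."""
    count = read_dword(image, base, ea + 0x10)
    table = read_dword(image, base, ea + 0x0C)
    if count == 0:
        return []
    if count > MAX_PLAUSIBLE_GUIDS or count * 4 > len(image):
        raise ValueError("implausible GUID count 0x%X at 0x%X" % (count, ea + 0x10))
    if not (base <= table and table + count * 4 <= base + len(image)):
        raise ValueError("GUID pointer table 0x%X outside image" % table)
    entries = []
    for i in range(count):
        ptr_va = table + 4 * i              # this is vb.idc's lpuuidObjectTypes
        guid_va = read_dword(image, base, ptr_va)
        off = guid_va - base
        if off < 0 or off + 16 > len(image):
            raise ValueError("GUID #%d pointer 0x%X outside image" % (i, guid_va))
        # GUIDs are stored in the Windows little-endian layout.
        entries.append((ptr_va, uuid.UUID(bytes_le=bytes(image[off:off + 16]))))
    return entries


def build_sample_image():
    """Constructed sample image at base 0x400000: a valid object info at
    0x400100 with two GUIDs, and a bogus one at 0x400400 whose count field
    holds garbage (the failure mode discussed in the thread)."""
    base = 0x400000
    image = bytearray(0x1000)
    g1 = uuid.UUID("11111111-2222-3333-4444-555555555555")   # constructed
    g2 = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")   # constructed
    image[0x300:0x310] = g1.bytes_le
    image[0x310:0x320] = g2.bytes_le
    struct.pack_into("<II", image, 0x200, 0x400300, 0x400310)       # pointer table
    struct.pack_into("<II", image, 0x100 + 0x0C, 0x400200, 2)       # good: table, count
    struct.pack_into("<II", image, 0x400 + 0x0C, 0x400200, 0x1A000000)  # garbage count
    return bytes(image), base


if __name__ == "__main__":
    img, base = build_sample_image()
    for ptr_va, guid in walk_object_type_guids(img, base, 0x400100):
        print("0x%X -> {%s}" % (ptr_va, guid))
    try:
        walk_object_type_guids(img, base, 0x400400)
    except ValueError as exc:
        print("rejected:", exc)
```

The count check is the important one: the IDC loop's termination condition is `counter < dwObjectTypeGuids`, so it ends exactly when that field says, and nothing in the loop body verifies that the structure it was given is really an object info block.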

  10. #10
    blabberer (Super Moderator; joined Dec 2004; 1,524 posts; 15 blog entries)
    Wow Your Computer is probably jinxed by A Bellatrix
    You probably need ginny weasly to chant Leviosa Wingardium

    it should take no more than 30 seconds for the andre.exe to load analyze run idc close and pack an idb


    Code:
    :\>now
    
    Thu Apr 23 17:46:32 2020
    
    :\>"..\IDA Free\idag.exe" -B andre.exe
    
    :\>dir /b
    andre.asm
    andre.exe
    andre.idb
    vb.idc
    
    :\>now
    
    Thu Apr 23 17:46:53 2020
    
    :\>"..\IDA Free\idag.exe" -Svb.idc andre.idb
    
    :\>now
    
    Thu Apr 23 17:47:31 2020
    
    :\>dir /b
    andre.asm
    andre.exe
    andre.idb
    vb.idc
    
    :\>

  11. #11
    Kayaker (Teach, Not Flame; joined Oct 2000; 4,143 posts; 5 blog entries)
    It's you. The idc script finishes in a few seconds on the crackme. Sorry

  12. #12
    evaluator (Musician member; joined Sep 2001; 1,516 posts; 1 blog entry)
    are you about "andre.exe" size 28672 ?
    I just load it in Olly, find start of normal code procedures PUSH EBP, BP them all and continue debugging.
    as I hated VB stuff, I even renamed in system its DLLs, to prevent VB progies to run :) (and there where bunch of VB viris)
    VB puts so many trash, so one can say, it scrambles simple code. for ex. many fpu calculation..
    finally it compares strings..

    by the way, just dlded GHIDRA! guys were mentioning, "forget idA". It looks fun :) is java :( is interactive :) it decompiles :)
    probb somewhere should be alla flirts modules :?

    Code:
      while (iVar4 != 0) {
        if (DAT_00405010 == (int *)0x0) {
          __vbaNew2(&DAT_00401f48,&DAT_00405010);
        }
        piVar7 = DAT_00405010;
        uVar3 = (**(code **)(*DAT_00405010 + 0x308))(DAT_00405010);
        __vbaObjSet(&local_60,uVar3);
        local_f8 = 1;
        local_a8 = 1;
        local_118 = 1;
        local_98 = local_60;
        puVar5 = local_b0;
        local_108 = 100;
        local_110[0] = 2;
        local_100[0] = 2;
        local_b0[0] = 2;
        local_120[0] = 2;
        local_60 = 0;
        local_a0[0] = 9;
        uVar3 = __vbaVarAdd(local_90,local_120,local_24);
        uVar3 = __vbaI4Var(uVar3,puVar5);
        rtcMidCharVar(local_c0,local_a0,uVar3,piVar7);
        uVar3 = __vbaStrVarVal(&local_58,local_c0);
        uVar3 = rtcAnsiValueBstr(uVar3);
        __vbaStrI2(uVar3);
        uVar3 = __vbaStrMove();
        rtcR8ValFromBstr(uVar3);
        local_138 = __vbaFpI4();
        local_140[0] = 3;
        local_138 = local_138 % 10;
        puVar6 = local_110;
        puVar5 = local_44;
        uVar3 = __vbaVarAdd(local_70,local_100,local_24);
        uVar3 = __vbaVarMul(local_80,uVar3,puVar6);
        uVar3 = __vbaVarMul(local_d0,local_140,uVar3);
        uVar3 = __vbaVarInt(local_e0,uVar3);
        __vbaVarCat(local_f0,uVar3,puVar5);
        __vbaVarMove();
        __vbaFreeStrList(2,&local_58,&local_5c);
        __vbaFreeObj();
        __vbaFreeVarList(5,local_70,local_a0,local_90,local_b0,local_c0);
        iVar4 = __vbaVarForNext(local_24,local_150,local_160);
      }
      FUN_00403710();
      FUN_00403710();
      FUN_00403710();
      FUN_00403710();
      FUN_00403710();
      FUN_00403710();
      sVar2 = __vbaVarTstEq(local_34,local_44);
      if (sVar2 == 0) {
        FUN_00403a20();
      }
      else {
        FUN_00403720();
    Last edited by evaluator; April 23rd, 2020 at 02:53.

  13. #13
    blabberer (Super Moderator; joined Dec 2004; 1,524 posts; 15 blog entries)
    @evaluator yes same andre.exe
    yes ghidra will work better than ida if you have an x64 PC
    and you can write a c header and parse them in ghidra to rename all the VB structs

    but if you are stuck with a 32-bit PC
    ida free and idc works nice too

    if you write a bat file analyzing and running the idc wont take more than 10 seconds

    contents of bat file with now to show time

    Code:
    D:\testvbidc>type ana.bat
    ls -l
    now
    d:\IDAF5\idag.exe -B andre.exe
    now
    ls -l
    strings andre.idb | grep -i regin
    strings andre.idb |grep -i event | wc -l
    d:\IDAF5\idag.exe -Svb.idc andre.idb
    now
    ls -l
    strings andre.idb | grep -i regin
    strings andre.idb | grep -i event | wc -l
    strings andre.idb | grep -i event
    executing and looking for event handlers

    Code:
    D:\testvbidc>ana.bat
    
    D:\testvbidc>ls -l
    total 148
    -rwxrwxrwx  1  0    298 2020-04-23 19:29 ana.bat
    -rwxrwxrwx  1  0  28672 2003-08-21 11:54 andre.exe
    -rw-rw-rw-  1  0 117177 2020-04-23 17:17 vb.idc
    
    D:\testvbidc>now
    
    Thu Apr 23 19:29:59 2020
    
    D:\testvbidc>d:\IDAF5\idag.exe -B andre.exe
    
    D:\testvbidc>now
    
    Thu Apr 23 19:30:03 2020
    
    D:\testvbidc>ls -l
    total 448
    -rwxrwxrwx  1 0    298 2020-04-23 19:29 ana.bat
    -rw-rw-rw-  1 0  71399 2020-04-23 19:30 andre.asm
    -rwxrwxrwx  1 0  28672 2003-08-21 11:54 andre.exe
    -rw-rw-rw-  1 0 229532 2020-04-23 19:30 andre.idb
    -rw-rw-rw-  1 0 117177 2020-04-23 17:17 vb.idc
    
    D:\testvbidc>strings andre.idb   | grep -i regin
    
    D:\testvbidc>strings andre.idb   | grep -i event   | wc -l
    7
    
    D:\testvbidc>d:\IDAF5\idag.exe -Svb.idc andre.idb
    
    D:\testvbidc>now
    
    Thu Apr 23 19:30:10 2020
    
    D:\testvbidc>ls -l
    total 560
    -rwxrwxrwx  1 0    298 2020-04-23 19:29 ana.bat
    -rw-rw-rw-  1 0  71399 2020-04-23 19:30 andre.asm
    -rwxrwxrwx  1 0  28672 2003-08-21 11:54 andre.exe
    -rw-rw-rw-  1 0 344220 2020-04-23 19:30 andre.idb
    -rw-rw-rw-  1 0 117177 2020-04-23 17:17 vb.idc
    
    D:\testvbidc>strings andre.idb   | grep -i regin
    _Com_Reg_Dat_bRegInfo
    ;Author: Reginald Wong, updated by Bernard Sapaden
    om_Reg_Dat_bRegInfo
    
    D:\testvbidc>strings andre.idb   | grep -i event   | wc -l
    403
    
    D:\testvbidc>strings andre.idb   | grep -i event
    N_O_Pub_Obj_Inf1_Ctl_Inf0x7_bWEventsOffset
    Ptr to Form QueryUnload Event Code.
    Ptr to Textbox DragOver Event Code.
    _O_Pri_Obj_Inf4_Event0x2
    _O_Pri_Obj_Inf4_Event0x1
    _O_Pub_Obj_Inf4_Event0x2
    
    
    cut oooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Pointer to Event Handler Table.
    Offset in to Memory struct to copy Events.
    Number of Events Handlers.
    _O_Pub_Obj_Inf1_Ctl_Inf0x4_lpEventHandlerTable
    Pointer to Event Handler Table.
    Jmp to Event Addr 0x403200
    _O_Pub_Obj_Inf1_lpEvent_4
    Jmp to Event Addr 0x403140
    _O_Pub_Obj_Inf1_lpEvent_3
    Jmp to Event Addr 0x402FD0    <<<<<<<<<<<<<<<<<<<< click handler
    _O_Pub_Obj_Inf1_lpEvent_2
    Jmp to Event Addr 0x402F40
    _O_Pub_Obj_Inf1_lpEvent_1
    Jmp to Event Addr 0x402E60
    cut oooooooooooooooooooooooooooooooooooooooooooooooooooooo
    
    D:\testvbidc>
    Last edited by blabberer; April 23rd, 2020 at 03:33.

  14. #14
    evaluator (Musician member; joined Sep 2001; 1,516 posts; 1 blog entry)
    blabberer, at start of my post: Olly is enough locate code and BP all

  15. #15
    blabberer (Super Moderator; joined Dec 2004; 1,524 posts; 15 blog entries)
    in olly no need to locate all push ebp

    just locate the jmp thunks

    Search For All Command Sequences

    Code:
    sub [r32+CONST],CONST
    jmp CONST
    and breakpoint the 7 sequences


    Code:
    Search - Command sequences found in andre:.text
    Address   First command                            Comments
    00401F2C  SUB     DWORD PTR SS:[ESP+4], 37
    00401F39  SUB     DWORD PTR SS:[ESP+4], 37
    004023F0  SUB     DWORD PTR SS:[ESP+4], 0FFFF
    004023FD  SUB     DWORD PTR SS:[ESP+4], 3F
    0040240A  SUB     DWORD PTR SS:[ESP+4], 43  <<<<<<<<<<<<<< this is Check Button Click :)
    00402417  SUB     DWORD PTR SS:[ESP+4], 3B
    00402424  SUB     DWORD PTR SS:[ESP+4], 47
    enter crap, click, you will break on the thunk

    and this is the callstack

    Code:
    Call stack of main thread
    Stack     Data      Procedure                                                                                                                                Called from                  Frame
    0012F4A0  72991D33   andre.0040240A  
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx                                                                                                                                                                                                                          USER32.76D796C0
    0012FA50  003204FC  |  hWnd = 003204FC, class = ThunderRT6FormDC, text = Leimcrackme
    0012FA54  00000111  |  Msg = WM_COMMAND
    0012FA58  00000003  |  wParam = NotifyCode = MENU/BN_CLICKED..., ID = 3
    0012FA5C  001003A4  \  hControl = 001003A4, class = ThunderRT6CommandButton, text = &Check!
    0012FA64  76D797C5   USER32.xxxButtonNotifyParent                                                                                                            USER32.76D797C0
    0012FA80  76D67F21   USER32.xxxBNReleaseCapture                                                                                                              USER32.76D67F1C
    0012FB04  76D582B5   USER32.ButtonWndProcWorker                                                                                                              USER32.76D582B0
    0012FB24  76D4C4E7   ???                                                                                                                                     USER32.76D4C4E4
    0012FB50  76D4C5E7   USER32.InternalCallWinProc                                                                                                              USER32.76D4C5E2
    0012FBC8  76D41B31   USER32.UserCallWinProcCheckWow                                                                                                          USER32.76D41B2C
    0012FBF8  76D62BEE   USER32.CallWindowProcAorW                                                                                                               USER32.76D62BE9
    0012FC18  7299D082  /USER32.CallWindowProcA                                                                                                                  MSVBVM60.7299D07C
    0012FC1C  76D5DBCD  |  WinProc = USER32.ButtonWndProcA
    0012FC20  001003A4  |  hWnd = 001003A4, class = ThunderRT6CommandButton, text = &Check!
    0012FC24  00000202  |  Msg = WM_LBUTTONUP
    0012FC28  00000000  |  Keys = 0
    0012FC2C  000C003E  \  =lParam = X = 62., Y = 12.
     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx                                                       MSVBVM60.7294A6C2
    0012FE48  0012FE58  \  pMsg = 0012FE58 -> MSGA {hWnd=001003A4, class = ThunderRT6CommandButton, text = &Check!, Msg=WM_LBUTTONUP, Keys=0, lParam=X = 62., Y >
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx                                                                                            MSVBVM60.7294363F
    0012FF84  0040131A   MSVBVM60.ThunRTMain                                                                                                                     andre.00401315
    0012FF98  773337EB   ???                                                                                                                                     ntdll.773337E9
    0012FFD8  773337BE   ntdll.__RtlUserThreadStart
    ntdll.773337B9
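
The `sub [r32+CONST],CONST ; jmp CONST` sequences that the Olly search finds are the event thunks, and the jmp target is the handler the vb.idc run labelled "Jmp to Event Addr". The following is an added example for this thread, not OllyDbg's search or vb.idc's code: a byte-pattern scanner that finds the thunk encoding and resolves each jmp to its handler. It assumes the 13-byte encoding `81 6C 24 04 imm32` followed by `E9 rel32`, which is consistent with the 13-byte spacing of the addresses in the search results and with the `.text:00402412` jump cross-reference in the IDA listing earlier in the thread. Only the 0x40240A (imm 0x43) to 0x402FD0 thunk in the sample is taken from the thread; the second thunk's target is constructed, and so are the sample code bytes.

```python
"""Scan 32-bit code for VB6 event-handler thunks and resolve their targets.
Added example for the thread; not code from OllyDbg, IDA or vb.idc."""
import struct

# sub dword ptr [esp+4], imm32  ->  81 6C 24 04 imm32   (8 bytes)
# jmp rel32                     ->  E9 rel32            (5 bytes)
SUB_ESP4_IMM32 = b"\x81\x6C\x24\x04"
THUNK_LEN = 8 + 5


def find_event_thunks(code, code_va):
    """Return [(thunk_va, sub_immediate, handler_va)] for each match in code.
    The immediate adjusts the object pointer argument on the stack before
    control reaches the real handler; the handler address is what you set
    a breakpoint on (or the thunk itself, as the thread does)."""
    found = []
    i = 0
    while i + THUNK_LEN <= len(code):
        if code[i:i + 4] == SUB_ESP4_IMM32 and code[i + 8] == 0xE9:
            imm = struct.unpack_from("<I", code, i + 4)[0]
            rel = struct.unpack_from("<i", code, i + 9)[0]
            jmp_va = code_va + i + 8
            handler_va = (jmp_va + 5 + rel) & 0xFFFFFFFF   # rel32 is relative to the next instruction
            found.append((code_va + i, imm, handler_va))
            i += THUNK_LEN
        else:
            i += 1
    return found


def make_thunk(thunk_va, imm, handler_va):
    """Encode one thunk (used only to build the constructed sample below)."""
    rel = (handler_va - (thunk_va + THUNK_LEN)) & 0xFFFFFFFF
    return SUB_ESP4_IMM32 + struct.pack("<I", imm) + b"\xE9" + struct.pack("<I", rel)


def build_sample_code():
    """Constructed .text fragment starting at 0x402400 (not real andre.exe bytes)."""
    code_va = 0x402400
    code = bytearray(b"\x90" * 0x0A)                    # filler up to 0x40240A
    code += make_thunk(0x40240A, 0x43, 0x402FD0)       # from the thread: Check click
    code += make_thunk(0x402417, 0x3B, 0x403140)       # imm from the thread, target constructed
    code += b"\xCC" * 16
    return bytes(code), code_va


if __name__ == "__main__":
    code, va = build_sample_code()
    for thunk_va, imm, handler_va in find_event_thunks(code, va):
        print("thunk 0x%08X  sub [esp+4], 0x%X  ->  handler 0x%08X" % (thunk_va, imm, handler_va))
```

Run over a real .text section the scanner gives the same list Olly's command-sequence search does, plus the resolved handler for each entry, which is the address vb.idc names `_O_Pub_Obj_Inf1_Event...`.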
