Thread: Visual Basic 5_6 stuff

  1. #16
    evaluator (Musician member, joined Sep 2001)
    No better; I'll do it my way.
    So, msvbvm60.pdb most likely does not exist. Now downloading a bunch of torrents. Will anything in the Win10 SDK be any good for msvbvm60 .dbg?

  2. #17
    Quote Originally Posted by blabberer:
    It should take no more than 30 seconds for andre.exe to load, analyze, run the idc, close and pack an idb.
    Thanks for the input blabbs, but I don't think it's my computer. It runs 3D DX games at blazing speed. I have no other issues with speed, nor should I, using a modern B360 chipset and an i8400 Intel processor.

    For example, I can run my big VB app in windbg and let it run. It loads the entire app in a few seconds. The system is so fast I can't use it on really old games because the action happens too quick.

    I am beginning to suspect another issue; that's why I appreciate your confirmation of the time it should take for andre.exe to finish. Sometimes I notice my Internet security interfering with communication between apps, or the Net, and slowing them down. For example, if I am transferring files from an external hard drive to a hard drive I notice the speed slows significantly if the virus checker is enabled. That should not affect IDA internally, but I will check it.

    The free IDA itself disassembles large apps in seconds rather than the minutes I was used to with older processors/chipsets. It does not seem to be about IDA and the processor, it seems to be about vb.idc and IDA.

    Another matter is IDA itself. I am using the free version on W7 because my other IDA is on my XP disk. The free version does not list vb.idc in the menu under Edit where you normally load IDC files when they are located in the IDA\IDC directory. I have to load it from the File menu under load scripts, then I have to look it up in the IDA\IDC directory and load it from there.

    When it loads, it does come up in an IDC window and there is a small window saying 'IDC script' or something. However, IDA becomes unresponsive to mouse clicks after that. I can't move windows around or get a response out of the mouse. In the IDC window, things seem to be moving fast enough.

    I'll have to check these things out. First, I'll fire up IDC 5 in XP and try it out from there.

  3. #18
    Quote Originally Posted by Kayaker:
    It's you. The idc script finishes in a few seconds on the crackme. Sorry
    When James Hansen of NASA GISS predicted climate gloom and doom in 1988 he had to retract his error in 1998, since 10 years later it was apparent nothing was happening. He blamed it on his computer. Over 30 years later, there is still nothing happening.

    Sorry, but I cannot take the blame here since I am not personally running the IDC script. I don't have 100 years to spare, since I have only programmed myself for another 80 years.

  4. #19
    Quote Originally Posted by evaluator:
    so, msvbvm60.pdb most likely does not exist
    Think I found a pdb for msvbvm. I see it in a Windows package but have not installed it yet.

  5. #20
    The problem was the free version of IDA. Tried it in IDA 5 in XP and it ran through the entire app in about 20 seconds.

    Just loaded Smartcheck. It's still gold, lays out the entire VB app. If you enter a serial it shows you which form is being used and the related commands. It has various amounts of data you can select and when everything is selected it shows every function call, even into OLE.

    VB_Lite looks good too. The difference between Smartchk and VB_Lite is that Smartchk works live. You can start it then work with the app, like entering a username/serial, and it records it as you go along. Doesn't give you the app addresses like VB_Lite. I recall now that Boundschecker was the better of the two because it gave you addresses in the app and all the string data in each function. You could see exactly where to place a BP on a function. Not complaining, Smartchk was written for VB apps and does a lot better with them.

    We have to remember that Boundschecker and Smartchk were designed to find errors in code.

  6. #21
    Super Moderator (joined Dec 2004)
    @evaluator msvbvm60.dll and pdb are available from MS; I just grabbed both of them from the MS symbol server

    msvbvm60.dll timestamp and size 4802be3d153000
    msvbvm60.pdb pDbSig and Age 47193e361

    C:\getmsvb>dir /b

    C:\getmsvb>dbh fii msvbvm60.dll

    file: msvbvm60.dll
    stripped: false
    timestamp: 0x4802be3d
    size: 0x153000
    pdb: MSVBVM60.pdb
    pdb guid: 00000000
    pdb sig: 0x47193e36
    pdb age: 0x1

    C:\getmsvb>wget -d -c -U="Microsoft-Symbol-Server/" ""
    Setting --continue (continue) to 1
    Setting --user-agent (useragent) to =Microsoft-Symbol-Server/
    DEBUG output created by Wget 1.19.2 on mingw32.

    ---response begin---
    HTTP/1.1 200 OK
    Content-Length: 2221056
    200 OK

    Length: 2221056 (2.1M) [application/octet-stream]
    Saving to: 'msvbvm60.pdb'

    2020-04-25 03:25:54 (139 KB/s) - 'msvbvm60.pdb' saved [2221056/2221056]

    C:\getmsvb>dir /b

    Version 5 is the free version afaik and runs properly in win7, win10 as 32 bit.
    There is a 64 bit free version 7 I think, but I rarely use it.
    Last edited by blabberer; April 24th, 2020 at 11:18.

  7. #22
    Quote Originally Posted by blabberer:
    C:\getmsvb>wget -d -c -U="Microsoft-Symbol-Server/" ""
    @blabberer did you compile wget? The documentation sent me to a site for a makefile and the site is gone.

    If I use your script above as follows:

    symchk /r c:\symtmp /s SRV*c:\sympdb\*"Microsoft-Symbol-Server/" ""

    I get the following error: FAILED - Image is split correctly, but MSVBVM60.dbg is missing

    I have tried with and without the "Microsoft-Symbol-Server/"

    I have msvbvm60.dbg sitting in the symtmp directory and in system32 with msvbvm60.dll

    The method above has worked fine for retrieving XP symbols in the past using symchk.

    Just retried with a mix of C++ based XP files and VB files and it retrieved 8 of them and ignored the rest as follows:

    C:\Program Files (x86)\Windows Kits\10\Debuggers\x86>symchk /r c:\symtmp /s SRV*c:\sympdb\*
    SYMCHK: Comdlg32.ocx FAILED - Image is split correctly, but Comdlg32.dbg is missing
    SYMCHK: dbgeng.dll FAILED - dbgeng.pdb mismatched or not found
    SYMCHK: kdcom.dll FAILED - kdcom.pdb mismatched or not found
    SYMCHK: MSVBVM60.DLL FAILED - Image is split correctly, but MSVBVM60.dbg is missing

    SYMCHK: FAILED files = 4
    SYMCHK: PASSED + IGNORED files = 8

    Last time it retrieved kdcom.pdb but maybe they have changed the version since.

    Guess I need to get wget going.

  8. #23

    Downloaded the XP SP3 symbol pack from the following link. It has the PDB files for MSVBVM50 and 60, and a whole lot more. It even has kdcom.pdb and dbgeng.pdb missing from my post above. I presume they are all x86 variety.

  9. #24
    evaluator (Musician member, joined Sep 2001)
    blabberer, in W10 resides msvbvm60.dll ver 6.0.98.15 with timestamp 2009.III.5 49B01FC3, size 00152800. Can you call wget with it?
    When I started the crackme in your beloved windbg, it did not download the symbol, while it did for some others..

  10. #25
    Super Moderator (joined Dec 2004)
    size != 152800; only the 153000 dll is available on the MS symserver

    pdb signature (both rsds 2 and rsds 7.0) not present, so no pdb

    dbg signature does not exist, so no dbg

    the dll is probably built without debug information

    grab an older version with symbols as posted earlier (9802 instead of the 9815 you have in syswow64)

  11. #26
    Just learned something about pdb files. You guys are likely way ahead of me on this.

    In the Debugging Tools For Windows directory there is a little file called dbh.exe. I copied msvbvm60.dll into the DTFW directory and opened a command window in that directory. Ran dbh msvbvm60.pdb and it opened a prompt like in the debuggers. Now you can load a slew of commands that can be viewed with dbh -??.

    At the prompt, I ran the command enum * and it listed every symbol in the pdb file. I was only interested in files beginning with __vba, so I ran dbh __vba*. It listed all the files that began with that set of chars plus it listed the index into the file with the offset.

    Blabbs likely has a way of doing this in windbg.

    What I'm really looking for is a way to identify the version of the PDB file so I can find the msvbvm60.dll that matches it. There may possibly be a way to edit an existing pdb to match a file of a slightly different version. I need to work out the rest of the PDB file format to see if it will reveal a version. I don't mean the version listed at the beginning of the pdb file I mean the version of the file it was made for.

    I might mention that my set of pdb files are for XP and they differ from the newer PDB files, which I think have signatures with them. I tried it again using a pdb for the x64 ntkrnlmp.pdb and it ran fine with no signs of a signature. BTW...I'm using DTFW from W7 on XP. I tried it under both DTFW x86 and DTFW x64 and got the same output.

    It would probably be better in powershell since in the cmd window the text scrolls by so fast it's easy to miss the beginning of the read out. Ctrl-S stops the scrolling and if you're fast you can capture the scrolling at the beginning.

    Here's a partial readout of the scrolling for ntkrnlmp.pdb on DTFW x64.

    C:\Program Files\Debugging Tools for Windows (x64)>dbh ntkrnlmp.pdb
    ntkrnlmp [1000000]: enum *
     index            address     name
         1            1019ad8 :   MiSyncSystemPdes
         2            14523e0 :   ObpStopRTStackTrace
         3            13484b0 :   RtlSetOwnerSecurityDescriptor
         4            155de50 :   PnpInitializeLegacyBusInformationTable
         5            130f0c0 :   AlpcpDeleteBlob
         6            13ea4a0 :   TmpNamespaceEnumerate
         7            156f640 :   IopStoreArcInformation
         8            1429930 :   CmpUpdateParentForEachSon
         9            12ddd98 :   PsReferenceImpersonationToken
         a            10a31c0 :    ?? ::FNODOBFM::`string'
         c            14079b0 :   WmipGetDevicePDO
         d            101f4d8 :   KiSetPriorityThread
         e            13c80f0 :   CmpQueueLazyCommitWorker
         f            1094d20 :   KiInterruptDispatchNoEOI
        10            107d894 :   RtlFindLastBackwardRunClear
        11            1001930 :   _newclmap
        12            11ef1a0 :   _lc_codepage
        13            1110cd0 :   PopQueueBatteryStatusTimeout
        14            14865c0 :   ExpGetSystemFirmwareTableInformation
        15            141aee0 :   CmpDoReDoDeleteValue
        16            142d5e0 :   SmKmSendDeviceControl
        17            10930c0 :   ZwRenameTransactionManager
        18            13c65c0 :   EtwpRemoveProviderTableEntry
        19            1507650 :   ViShutdownWatchdogExecuteDpc
        1a            1498160 :   BiAddBootEntryToNvramDisplayOrder
        1b            1221f44 :   MmZeroedPageSingleBitErrorsDetected
        1d            120f83c :   curr_y
        1e            129d188 :   MmPageToNode
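    Added example (not code from the thread) of how the dbh fii fields in post #21 and the "which dll does this pdb belong to" question above turn into symbol-server keys: the image key is TimeDateStamp plus SizeOfImage, the pdb key is the CodeView NB10 signature (or RSDS GUID) plus age. The NB10 record bytes are constructed from the values dbh printed, not read from a real file.

```python
import struct
import uuid

def symsrv_image_path(name: str, timestamp: int, size_of_image: int) -> str:
    """Symbol-server key for a PE image (a split .dbg uses the same key):
    <name>/<TimeDateStamp as 8 hex digits><SizeOfImage as unpadded hex>/<name>.
    TimeDateStamp comes from IMAGE_FILE_HEADER, SizeOfImage from IMAGE_OPTIONAL_HEADER."""
    return f"{name}/{timestamp:08X}{size_of_image:X}/{name}"

def parse_codeview(record: bytes) -> dict:
    """Parse the CodeView record that IMAGE_DEBUG_TYPE_CODEVIEW points to.
    NB10 (VC6 era, what msvbvm60.dll carries): 'NB10' | u32 offset | u32 signature | u32 age | name\\0
    RSDS (VC7 and later):                      'RSDS' | 16-byte GUID | u32 age | name\\0"""
    magic = record[:4]
    if magic == b"NB10":
        _offset, signature, age = struct.unpack_from("<III", record, 4)
        name = record[16:].split(b"\0", 1)[0].decode("ascii")
        return {"kind": "NB10", "id": f"{signature:08X}", "age": age, "pdb": name}
    if magic == b"RSDS":
        guid = uuid.UUID(bytes_le=record[4:20])   # first three GUID fields are little-endian on disk
        (age,) = struct.unpack_from("<I", record, 20)
        name = record[24:].split(b"\0", 1)[0].decode("ascii")
        return {"kind": "RSDS", "id": guid.hex.upper(), "age": age, "pdb": name}
    raise ValueError(f"unknown CodeView signature {magic!r}")

def symsrv_pdb_path(cv: dict) -> str:
    """<pdb>/<id><age>/<pdb>: id is the 8-hex NB10 signature or the 32-hex RSDS GUID,
    age is unpadded hex. Any build-machine directory prefix in the name is dropped."""
    base = cv["pdb"].rsplit("\\", 1)[-1]
    return f"{base}/{cv['id']}{cv['age']:X}/{base}"

# Constructed NB10 record with the values dbh printed above (sig 0x47193e36, age 1).
SAMPLE_NB10 = b"NB10" + struct.pack("<III", 0, 0x47193E36, 1) + b"MSVBVM60.pdb\0"

def demo() -> tuple:
    """Keys for the msvbvm60 build discussed in the thread: dll key, then its pdb key."""
    dll_key = symsrv_image_path("msvbvm60.dll", 0x4802BE3D, 0x153000)
    pdb_key = symsrv_pdb_path(parse_codeview(SAMPLE_NB10))
    return dll_key, pdb_key

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

    A pdb whose signature and age match the CodeView record of a given dll is the one the debugger will accept; a dll built without a CodeView record (the 6.0.98.15 case above) has no key to look up at all.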

  12. #27
    evaluator (Musician member, joined Sep 2001)
    Well, I do not think the PDB file will be of great help. Actually, a little problem is the structure of stack variables. Look in the GHIDRA decompilation: local_108 = 100;, but after that you can see it no more. It seems a stack variable in VB is 4 dwords, where the variable itself is stored in the third one. So local_108 = 100; is in the third position, but then the operations point to the first dword.
    Thus, it is better to directly debug and understand what is happening :)
    Decompilation is also a bad thing :P, as one can wonder what % 10 is, while in the code one can see that after the DIVision the value is grabbed from the EDX register, so that can mean a MOD operation... mmm...
    Waittt.. can't that one wonder what EDX is?!? ;;)

  13. #28
    Super Moderator (joined Dec 2004)
    VB uses a type called VARIANT, a structure, for all of its functions

    C:\Program Files (x86)\Windows Kits\10\Include>grep -ir struct.*tagvariant --include *.h *
    10.0.17763.0/um/OAIdl.h:typedef /* [wire_marshal] */ struct tagVARIANT VARIANT;
    10.0.17763.0/um/OAIdl.h:struct tagVARIANT
    10.0.17763.0/um/OAIdl.h:        struct __tagVARIANT
    C:\Program Files (x86)\Windows Kits\10\Include>
     sVar1 = __vbaVarTstEq((__tagVARIANT *)(SomeVar + 0x4b),(__tagVARIANT *)(SomeVar + 0x47));
      if (sVar1 == 0) {
      else {
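    Added example (not from the thread) showing why the "four dwords, value in the third one" observation matches the tagVARIANT layout grepped above: a VARIANT is 16 bytes with the type tag in the first dword and the value union at offset 8. The stack bytes are constructed to reproduce the local_108 = 100 case.

```python
import struct

# Subset of the VARENUM type codes from the SDK's wtypes.h (the vt field of tagVARIANT).
VT_EMPTY, VT_I2, VT_I4, VT_R8, VT_BSTR, VT_BOOL, VT_VARIANT = 0, 2, 3, 5, 8, 11, 12
VT_BYREF = 0x4000
VT_NAMES = {VT_EMPTY: "VT_EMPTY", VT_I2: "VT_I2", VT_I4: "VT_I4", VT_R8: "VT_R8",
            VT_BSTR: "VT_BSTR", VT_BOOL: "VT_BOOL", VT_VARIANT: "VT_VARIANT"}

def decode_variant(blob: bytes) -> dict:
    """Decode one 16-byte VARIANT as it sits in a VB6 stack frame:
    u16 vt | u16 wReserved1..3 | 8-byte value union at offset 8 (the third dword)."""
    if len(blob) < 16:
        raise ValueError("a VARIANT is 16 bytes")
    vt = struct.unpack_from("<H", blob, 0)[0]
    base, by_ref = vt & ~VT_BYREF, bool(vt & VT_BYREF)
    out = {"vt": VT_NAMES.get(base, f"0x{base:X}"), "byref": by_ref}
    if by_ref or base == VT_BSTR:                      # union holds a 32-bit pointer
        out["ptr"] = struct.unpack_from("<I", blob, 8)[0]
    elif base == VT_I2:
        out["value"] = struct.unpack_from("<h", blob, 8)[0]
    elif base == VT_I4:
        out["value"] = struct.unpack_from("<i", blob, 8)[0]
    elif base == VT_R8:
        out["value"] = struct.unpack_from("<d", blob, 8)[0]
    elif base == VT_BOOL:                              # VARIANT_TRUE is -1, VARIANT_FALSE is 0
        out["value"] = struct.unpack_from("<h", blob, 8)[0] != 0
    return out

def dwords(blob: bytes) -> list:
    """The same 16 bytes as the four dwords a decompiler shows as separate locals."""
    return list(struct.unpack_from("<4I", blob, 0))

# Constructed stack image for the "local_108 = 100" Variant from the post above:
# dword 0 is the type tag (VT_I4 == 3), dword 2 carries the 100, dwords 1 and 3 are padding.
STACK_LOCAL_108 = struct.pack("<HHHH", VT_I4, 0, 0, 0) + struct.pack("<i", 100) + b"\0" * 4

if __name__ == "__main__":
    print(dwords(STACK_LOCAL_108), decode_variant(STACK_LOCAL_108))
```

    Calls such as __vbaVarTstEq receive pointers to two of these 16-byte blocks, so the instructions that follow the assignment read the vt dword first to decide how to compare the values, which is why they appear to "point to the first dword".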

  14. #29
    Quote Originally Posted by evaluator:
    Well, I do not think the PDB file will be of great help.
    I was looking at the pdb only to find which msvbvm60.dll it referenced. I decided to look at it with dbh.exe to see what it looked like inside. Meanwhile, I have been using Ollydbg and it seems to find a lot of the functions in msvbvm60. IDA finds all the functions in my VB app in the code section.

    Tracing through the code jungle I am finding that a VB app is almost entirely dependent on msvbvm60. All through the code section it calls out to functions like __vbaTstEq, which calls into msvbvm60 then onto oleaut32. The function I just mentioned compares two strings (serials) by converting them to a real type decimal number. If you enter a serial like 12345, it converts the serial to a number like 45, which is determined from a generated code based on the name you enter in the registration form.

    I found a way to unlock the app during tracing at a FILD instruction where a hex character is converted to its decimal equivalent in ST0 of the FPU. I changed ST0 to the code I entered, replacing the single real type number with my entire guessed serial, which was all numeric, and it accepted the change and registered the app. I did that because the next instruction FCOM was comparing the number in ST0 of the FPU with my guessed serial. Now I need to either find the good guy jump points or find out how the app converts the input serial to the real serial.

    I have the classic serial fishing problem of not knowing the length of the serial or which characters are required. With some serials, they immediately check the length, and if it's wrong they reject you. This one does not do that but it performs no action on a serial that is all numbers. I'll need to try alphabetical characters to get an idea of how it converts them to a single decimal number. Just occurred to me that many apps check for a range of characters.

    One positive about a VB serial fishing expedition is that the VB code is mainly taking place in system files so there's not much a programmer can do to obfuscate the process.

  15. #30
    evaluator (Musician member, joined Sep 2001)
    Put one 'A' and look at the generated serial. Put a second 'A' and look at the generated one. Also try a third 'A'. For me it was enough to guess the simple math.
