
Thread: Decompiler Discussion

  1. #1
    Sarge
    Guest
    Well, here is a copy of the post I made on another thread, titled
    (I think) "Lack of quality on this site":

    -----------------(Start 1st Post Copy)----------------
    Well, how about this:
    Q. Where and why is a control's index value included twice in a VB6 app?
    A. Once in the FORM level code so the form can access it, and once in the
    control level code so the control itself knows.

    Q. How do you find the StartUp module and whether it is a FRM or BAS?
    A. "Walk" the exe structure to find the file-type signature, "walk" the file-type
    signature/structure to find the file-header info, parse the file-header info to find
    the embedded app start-point, parse the embedded app start-point to determine
    the app signature, vector off the app signature to find the app entry-point,
    "walk" the entry-point signature/structure to find the StartUp module, parse the
    StartUp module for its type and name.

    Q. What is the key signature for a CommandButton, contained in a FrameBox, which is itself
    contained in a FrameBox, which is contained by the SECOND Form in a VB6 SDI (Single
    Document Interface) app?
    A. 4 (In hex: 0x04). Note: TRICK QUESTION...It is ALWAYS 4; whether placed in a Frame, or in
    the Form itself.

    Haven't seen this here yet...even though this forum is described as "Decompiler Discussion Forum". Anyone
    know where a discussion forum that has real discussion is?

    Sarge
    ------------------(End 1st Post Copy)--------------------------

    When questioned about my statement of "Decompiler Discussion
    Forum", here was my reply (also from the same thread):


    ------------------(Start 2nd Post Copy)--------------------
    Well, I kind of assumed from the concept of "reverse engineering" that, if you were talking about code, you must be decompiling.
    If it was a piece of electronics you were reverse engineering, I
    would have assumed you were trying to re-create the schematic.

    But...
    I'm still waiting for the answer...Where the %*&% is a true,
    reasonably intellectual, non-flame discussion group???

    Sarge
    -----------------(End 2nd Post Copy)---------------------------

    Comments, anyone?

    Sarge
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,081
    Blog Entries
    5
    Useful information Sarge. Could this be used to explain how a disabled control is encoded in the PE file? I'm thinking of the VB6 Crackme#2 example where the OK button is disabled. It can be enabled at run time, but can a control attribute be changed by modifying the file?

    I made a VB6 test app with 1 button, either enabled or not. If I set an Index value for each in the Properties window I can see the 2 Index references in the Form and Control level code as you mention. btw, it seems like this doesn't apply if you *don't* specifically set an Index value? I don't see the reference duplicated in this case.

    For the disabled button I chose an Index value to be equal to 7A99h. You can see that referenced twice in the file, the 1st instance is the 1st WORD value, the 2nd is just after the "OK" string:

    Disabled Button:

    00000599 997A 0800 436F 6D6D 616E 6431 0004 0102 .z..Command1....
    000005A9 004F 4B00 0299 7A04 8007 E808 DF02 7701 .OK...z.......w.
    000005B9 0800 1100 00FF 0204 00


    For the enabled button the value is 7B99h:

    Enabled Button:

    00000599 997B 0800 436F 6D6D 616E 6431 0004 0102 .{..Command1....
    000005A9 004F 4B00 0299 7B04 8007 E808 DF02 7701 .OK...{.......w.
    000005B9 1100 00FF 0204 00 .......


    I'm thinking that the Enabled = False Property value is encoded somewhere in the Control level code in the disabled example. You see an extra WORD value of 0800h in the disabled hex for example. I know in Delphi the Enabled Property is only encoded if it is FALSE, if it is the default TRUE then it doesn't seem to need to be specified.

    If I mess with any of the hex under the disabled button code I get an Invalid File Format error. In Delphi however I've been able to do exactly this and recompile the code successfully using ResHacker. Are there ways to make a hard modification to a VB6 file resource and have it run? More to the point, is there a way to *know* what words and dwords in the PE file might represent certain properties? If I mess with the extra 0800h value and change it to 0900h, then the file runs but the button doesn't show at all (so it might actually be the Visible property value I'm fiddling with).


    Meaculpa had asked me if there was a way to make a permanent patch to the runtime solution of temporarily changing the WS_DISABLED flag of CreateWindowExA I gave in the VB6 Crackme#2. I saw your post and thought it might help answer the question, which is why I split the thread.

    This is new info you've supplied us with, so I'd be happy to see a discussion of it.

    Regards,
    Kayaker

  3. #3
    javelin
    Guest
    Disabled button

    00000599 997A 0800 436F 6D6D 616E 6431 0004 0102 .z..Command1....
    000005A9 004F 4B00 0299 7A04 8007 E808 DF02 7701 .OK...z.......w.
    000005B9 0800 1100 00FF 0204 00

    Enabled button

    00000599 997B 0800 436F 6D6D 616E 6431 0004 0102 .{..Command1....
    000005A9 004F 4B00 0299 7B04 8007 E808 DF02 7701 .OK...{.......w.
    000005B9 1100 00FF 0204 00 .......

    Edited button
    should be enabled

    00000599 997A 0800 436F 6D6D 616E 6431 0004 0102 .z..Command1....
    000005A9 004F 4B00 0299 7A04 8007 E808 DF02 7701 .OK...z.......w.
    000005B9 1100 00FF 0204 0000 00

  4. #4
    Kayaker
    Yup, that works javelin. So you just delete the Enabled = False entry (I guess it was that after all) and shift everything over by a WORD until the zero delimiter. I would have thought this might have upset some address pointers, but it seems to work OK. Cool.

    Kayaker

  5. #5
    Sarge
    Guest
    Not bad, gentlemen! (Or is one or more of you a Lady?)

    Two things:

    Yes, the index is "not there" if you don't indicate it; more correctly, it is a "0", which would more normally be a valid index value,
    except the "valid index" flag is not set. So, the data still actually
    DOES appear (that is, there is a data byte in that spot in the code) but it's unused as it's "not the index".

    Yes, the concept (CONCEPT only) of removing the two code bytes is correct; the reason is that VB thinks in terms of default data (start thinking like this yourself when reverse engineering this stuff, it's a lot easier!). That is, if the button is disabled, the value of the "Enabled" property must be "False", so VB sets the code to say "Enabled False". If the button is enabled, the value of the "Enabled" property is "True", so VB does nothing! Why? Well, if it is not specifically marked as "False", it must be "True", so why waste the code? Thus, by removing the two bytes of data that show the button as disabled, it automatically becomes enabled.
    However, you must be careful in thinking that you can actually just cut two bytes out of the code and move the remainder back
    two bytes. There are many addresses that may now be invalid.
    It would be better to overwrite these two bytes with some other
    two-byte property; one that is innocent and won't change the operation of the button.

    Sarge

  6. #6
    Sarge
    Guest
    Here's another thought: The data sequence for the command button disabled is "08 00"; the data sequence for the command button enabled is [no data]. The "08 00" is basically saying "Enable (08) = False (00)". So, based on the concept of
    IF ITS NOT FALSE IT MUST BE TRUE, we should be able to say
    "Enable (08) = True (FF)". So, try changing the 00 after the 08 to an FF. Then you won't need to move anything, or overwrite with anything that may not be innocent.

    Sarge

  7. #7
    stealthFIGHTER
    Guest

    VB Menu

    Hi Sarge,

    is it possible to use same/similar technique for menu enabling/disabling in VB applications? I tried to enable menu item using SoftICE but I only 'ungrayed' the menu.

    Thank you
    sF

  8. #8
    Sarge
    Guest
    Hi,

    The menu concept is similar regarding the enable data; it is assumed disabled unless otherwise stated. The enable property for menus is 5 (hex: 0x05), thus a menu item that is disabled is
    "Enabled (05) = False (00)"; in the code that is obviously "05 00".
    If the menu item is enabled, no code is used.

    If you read the previous messages, you will see why it might be better to try "05 FF", but I don't know if that will work---never tried it! Let me know, I'd be interested.

    Also, remember that just making the menu text enabled (or even visible, if it happens to be invisible), does just that: it makes the menu text enabled (ungreyed) or visible. It has NOTHING to do with whether or not there is any code that supports that menu selection!

    Sarge

  9. #9
    Kayaker
    "I See", said the blind man to his deaf dog ;-)

    Rather interesting the way VB inserts its Control properties into the PE file. Make a few test apps with VB and select various combinations of properties other than the defaults and you start to see a pattern when you compare them.

    For a single button control, the *default* byte sequence defining the attributes of that control (VB5) appears to be encoded by the 13 bytes following the null terminated ascii Caption label ("OK" in this case):

    ----------------------------------------------
    Default Property values used on a button
    5A8 4F 4B 00 04 90 06 38 04 CF 03 EF 01 11 00 00 FF OK....8.........

    The 1st byte value after the null-terminated label defines that it's a button (bit of a guess there) = 04h

    The next 4 WORDS are the Position of the button control:
    Left.. 0690h = 1680
    Top... 0438h = 1080
    Width. 03CFh = 975
    Height 01EFh = 495

    The next 2 bytes (1100) I can't define, then there's the terminating 00FF.
    ------------------------------------------------

    If you modify a property from its default you can see how it's defined.

    ------------------------------------------------
    Enabled = False - 2 bytes
    5A8 4F 4B 00 04 90 06 38 04 CF 03 EF 01 08 00 11 00 OK....8.........
    5B8 00 FF
    the difference is the 0800. Sure enough as Sarge mentions, changing it to 08FF enables the control.
    ------------------------------------------------

    ------------------------------------------------
    Visible = False - 2 bytes
    5A8 4F 4B 00 04 90 06 38 04 CF 03 EF 01 09 00 11 00 OK....8.........
    5B8 00 FF
    defined by 0900, change to 09FF to make visible.
    ------------------------------------------------

    ------------------------------------------------
    Appearance = Flat (instead of the default 3D) - 2 bytes
    5A8 4F 4B 00 04 90 06 38 04 CF 03 EF 01 11 00 00 1F OK....8.........
    5B8 00 FF
    difference appears to be 001F.
    ------------------------------------------------

    ------------------------------------------------
    BackColor = &H008000FF - 5 bytes
    5A8 4F 4B 00 03 FF 00 80 00 04 90 06 38 04 CF 03 EF OK.........8....
    5B8 01 11 00 00 FF .....
    appears to be defined as 03 + the color value 008000FF
    ------------------------------------------------

    ------------------------------------------------
    Appearance = Flat + BackColor = &H008000FF - total 7 bytes extra from default
    5A8 4F 4B 00 03 FF 00 80 00 04 90 06 38 04 CF 03 EF OK.........8....
    5B8 01 11 00 00 1F 00 FF .......
    ------------------------------------------------


    You can go on like this forever. What we really need now is a listing of all the identifiers for each property. From this it appears that you can scan the control level code for a control and determine what properties are defined different from default. So far it seems that
    Appearance = 00
    Back Color = 03
    Enabled = 08
    Visible = 09
    etc.


    You can do the same thing with a menu and see that 0005h disables a menu item. Change it to 0004h and it's enabled again. Damn! That is too easy ;-)

    5EA 45 6E 61 62 6C 65 64 00 FF Enabled..

    609 44 69 73 61 62 6C 65 00 05 00 FF Disable....


    This looks great for basic reversing of disabled / not visible controls, where the fact that they *are* disabled means that this must be specifically defined, therefore it's easy to switch them back with a byte change (doesn't do anything about runtime changes though). But what about *adding* bytes to change an attribute? As soon as you do you're going to screw up a bunch of address pointers. The next thing is to find what pointers are important, and if it's possible to fix them.

    I'm trying to get a handle on how the VB specific parts in the code section are structured and how they are referenced to each other. Plus, if there are any pointers within the other sections that would need to be changed if you do start moving chunks of hex around.

    It seems that beginning at the start of the .text section, first is defined the Project, then the Form, then the Controls in reverse order to which they're added, along with the attributes we've just been discussing, then the Menu items. Then there is the name of the project file and some other stuff, then a big bunch of zeroes.

    The fact that there seems to be a large buffer of zero padding makes one think you could add or delete bytes from the Control code to modify the control attributes, and then shift things around without changing the file size or any code that comes after. Then you'd only need to change a minimum number of pointers to readdress the controls from where you made the change down to the zero padding, which could absorb any changes.


    After the zero padded section, a new section of code starts that defines something more about the controls and menu items. I'm trying to make heads or tails of what that describes:

    B28 436F6D6D 616E6431 00000000 0C004400 Command1......D.
    B38 00000000 00000000 4838E99C D5DDD511 ........H8......
    B48 8111909F FE04505E 4738E99C D5DDD511 ......P^G8......
    B58 8111909F FE04505E 4C38E99C D5DDD511 ......P^L8......
    B68 8111909F FE04505E ......P^
    etc

    You mentioned VB uses Form Level code and Control Level code, how do the 2 levels relate to each other? It seems the Control code for each window component is nested within the Form code, and that they appear to follow each other in the PE file. Are there pointers in the Form level code or elsewhere that reference each of the components in the Control level code? This would be the first thing to determine if you're going to modify the code somehow.

    Oh yeah, and does anybody know if there is a resource viewer around that recognizes VB resources?

    'bout it for now.

    Kayaker

  10. #10
    Sarge
    Guest
    Very impressive! You are where I was, long ago.

    Here's some hints:

    1. You are correct that 0x04 indicates the command button type. However, it is NOT the 0x04 that immediately precedes the 0x90-0x06 word. This 0x04 means that the following 4 words (8 bytes) are the size and position data.

    2. The 0x11 that follows is the tab index; the data is a word (2 bytes).

    3. The termination is NOT 0x00-0xFF, since the 0x00 is the second byte of the tab index. The termination is actually the 0xFF and the sequence of bytes that follow it. Since you didn't give them here, I can't tell you what they are, but I will bet it is probably a 0x02, 0x03 or 0x04. (0x05 is also possible, but is not usually found in a control button section)

    4. Yes, "visible" is 0x09, and the data is a byte.

    5. As for the desired "list of identifiers", yes, that's the way to go. But be prepared for a bit of work (My notes are at least 50 pages long!)

    6. Your comment about adding bytes is valid; the concept of screwing up any following address pointers is a very real concern.
    However, I have had very little need to actually add a missing attribute into an app; presumably, the app already does whatever it is supposed to do, and you don't really care that the appearance of the button is 3-D and you want to change it to Flat; obviously it works either way, now that you have been able to enable it.

    7. As to the FormLevel code vs ControlLevel code:
    Look at my note #3 above about the termination codes. The reason there is more than one is because the control is a child of the parent form, and thus is actually "embedded" within it. The byte sequence after the 0xFF tell how the embedding occurs. Here is an example:

    ----------Begin FORM----------
    Name: frmProperty (SDI)
    Caption: Property Value
    ScaleMode: 1 - Twip
    FontTransparent: True
    AutoRedraw: False
    BorderStyle: 4 - Fixed ToolWindow
    Icon: (DEFAULT ICON)
    LinkTopic: Form1
    MaxButton: False
    MinButton: False
    Left: 2655
    Top: 3135
    ScaleWidth: 5400
    ScaleHeight: 1215
    ShowInTaskbar: False
    StartUpPosition: 1 - CenterOwner
    ----------Begin TEXTBOX----------
    Name: txtPropValue
    Left: 135
    Top: 315
    Width: 5070
    Height: 300
    TabIndex: 1
    ----------End TEXTBOX---------
    ----------Begin COMMAND BUTTON----------
    Name: cmdCancel
    Caption: &Cancel
    Left: 3735
    Top: 720
    Width: 1335
    Height: 360
    TabIndex: 3
    Cancel: True
    ----------End COMMANDBUTTON---------
    ----------Begin COMMAND BUTTON----------
    Name: cmdOK
    Caption: &OK
    Left: 2190
    Top: 720
    Width: 1335
    Height: 360
    TabIndex: 2
    Default: True
    ----------End COMMANDBUTTON---------
    ----------Begin CHECKBOX----------
    Name: chkPropValue
    Caption: Check1
    Left: 135
    Top: 315
    Width: 5070
    Height: 300
    TabIndex: 4
    ----------End CHECKBOX---------
    ----------Begin LABEL----------
    Name: lblLabel
    Caption: &Enter property value:
    Left: 135
    Top: 60
    Width: 4365
    Height: 225
    TabIndex: 0
    ----------End LABEL---------
    ----------End FORM---------

    This example program is "VISDATA.EXE", found in the VB sub-directory. Notice that the various controls are contained within the form. This is exactly how they are in the code.

    Good luck
    Sarge

  11. #11
    Kayaker
    Thanks for the info Sarge, it starts to make sense once you look at the .frm file.

    I've seen your discussions in that "other" decompiler forum ;-) At least we're relatively spam-free here, so I hope you can generate the kind of brainstorming sessions you were looking for. What's the potential for a simple VB resource editor, as opposed to a full blown decompiler?

    I was thinking it would be possible to find virtual address pointers to the start of a project or form and walk your way down to the control level, to figure out how the VB components are put together. I tried finding a few pointers to see if I could get into a linked list which tied together the various parts, but I couldn't come up with any hits.

    You mentioned the byte sequence after the 0xFF tell how the embedding occurs. Here's mine, it begins with the 02h as you guessed. What significance do the final few dwords have?


    0000059B 43 6F 6D 6D 61 6E 64 31 00 04 01 02 00 4F 4B 00 Command1.....OK.
    000005AB 04 08 07 48 03 BF 04 DF 02 11 00 00

    000005B7 FF 02 04 00 00 50 00 00 00 EC D8 86 4C 6E DF D5 .....P......Ln..
    000005C7 11 81 11 F6 AE 82 22 20 5D ......" ]


    Begin VB.CommandButton Command1
    Caption = "OK"
    Height = 735
    Left = 1800
    TabIndex = 0
    Top = 840
    Width = 1215
    End
    End
    Attribute VB_Name = "Form1"
    Attribute VB_GlobalNameSpace = False
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = False

    Cheers,
    Kayaker

  12. #12
    meaculpa
    Guest
    Hi All,
    I hope you are all well.

    I don't want to bore anyone with the complete detail, or
    duplicate work already done (and posted), but i got a little
    further. My complete notes are also available.....



    Disabled 2 (with everything else)
    00001225 636D 6442 7574 746F 6E32 0004 0107 0042 cmdButton2.....B
    00001235 7574 746F 6E32 0002 5901 0316 0000 8004 utton2..Y.......
    00001245 4006 2C01 B004 E803 0800 0900 1102 0013 @.,.............
    00001255 FF14 FF16 011B 7B00 0000 1F00 2901 2A00 ......{.....).*.
    00001265 FF03 3200 0080 0200 000A 00 ..2........


    636D 6442 7574 746F 6E32 //button name
    00 //terminating zero
    04 //command button type
    0107 00 //still unknown
    42 7574 746F 6E32 //button caption
    00 //terminating zero
    02 //still unknown
    5901 //index value - see above
    0316 0000 80 //BackColour with value &H80000016& (1600 0080) see above
    04 //4 words button dimensions follow
    4006 //dimension data - see above
    2C01 //dimension data - see above
    B004 //dimension data - see above
    E803 //dimension data - see above
    0800 //this button is disabled
    0900 //this button is NOT visible
    11 //still unknown
    02 00 //tab index value
    13 FF //for this button Default=true
    14 FF //for this button Cancel=True
    16 01 //for this button DragMode=Automatic
    1B 7B00 0000 //Help Context ID
    1F00 //the button appearance = flat
    2901 //for this button Style=Graphical
    2A00 //the Focus Validation is set to CausesValidation=false

    later,

    Regards,
    .MeaCulpa
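    The property stream that Kayaker (#9), Sarge (#10) and meaculpa (#12) decode by hand above, written out as a small parser and in-place patcher. This is an added example, not code from any of the posters. Its tag table, the three undecoded bytes after the control-type byte, and the menu tag 0x05 are taken from the dumps and annotations in this thread and are assumptions about an undocumented format, not a published specification; the sample byte strings are re-typed from the hex dumps posted above and are the only input it has been checked against.

```python
"""Decoder and in-place patcher for the VB6 control property stream as this
thread reconstructed it.  Added example, not code from any of the posts.
CONTROL_TAGS / MENU_TAGS are the thread's empirical findings from hex dumps,
not a published format: anything they do not list is treated as unknown.
"""
import struct

END = 0xFF  # terminator; the bytes after it describe form/control nesting

# tag -> (property name, payload size in bytes); Enabled/Visible are only
# emitted when False, so their absence means True.
CONTROL_TAGS = {
    0x02: ("Index", 2),
    0x03: ("BackColor", 4),
    0x04: ("Position", 8),     # Left, Top, Width, Height as four LE WORDs
    0x08: ("Enabled", 1),
    0x09: ("Visible", 1),
    0x11: ("TabIndex", 2),
    0x13: ("Default", 1),
    0x14: ("Cancel", 1),
    0x16: ("DragMode", 1),
    0x1B: ("HelpContextID", 4),
    0x1F: ("Appearance", 1),
    0x29: ("Style", 1),
    0x2A: ("CausesValidation", 1),
}
MENU_TAGS = {0x05: ("Enabled", 1)}   # menu items number their tags differently


def parse_props(data, start, table=CONTROL_TAGS):
    """Walk tag/value pairs from `start` up to the 0xFF terminator.

    Returns (props, offsets, end): decoded values, the offset of each value
    byte (needed for in-place patching) and the offset of the terminator.
    Unknown tags raise rather than guess a payload size."""
    props, offsets, pos = {}, {}, start
    while data[pos] != END:
        tag = data[pos]
        if tag not in table:
            raise ValueError(f"unknown tag 0x{tag:02X} at offset {pos}")
        name, size = table[tag]
        raw = data[pos + 1:pos + 1 + size]
        if len(raw) != size:
            raise ValueError(f"truncated {name} at offset {pos}")
        if name == "Position":
            value = dict(zip(("Left", "Top", "Width", "Height"),
                             struct.unpack("<4H", raw)))
        else:
            value = int.from_bytes(raw, "little")
        props[name], offsets[name] = value, pos + 1
        pos += 1 + size
    return props, offsets, pos


def parse_control(data, start):
    """One control record: name\\0, type byte (0x04 = CommandButton), three
    bytes the thread has not decoded (assumed fixed width), caption\\0, props."""
    name_end = data.index(b"\0", start)
    ctype, pos = data[name_end + 1], name_end + 5
    cap_end = data.index(b"\0", pos)
    props, offsets, end = parse_props(data, cap_end + 1)
    return {"name": data[start:name_end].decode("ascii"), "type": ctype,
            "caption": data[pos:cap_end].decode("ascii"),
            "props": props, "offsets": offsets, "end": end}


def patch_flag(data, offsets, prop, value=0xFF):
    """Overwrite one value byte in place (e.g. Enabled 0x00 -> 0xFF): the
    record keeps its length, so nothing after it moves."""
    buf = bytearray(data)
    buf[offsets[prop]] = value          # KeyError: property not encoded at all
    return bytes(buf)


def strip_property(data, start, prop):
    """Delete tag+value instead.  Same effect for Enabled/Visible (absent means
    True) but every later byte shifts; shown only to make that visible."""
    off = parse_control(data, start)["offsets"][prop]
    size = next(s for n, s in CONTROL_TAGS.values() if n == prop)
    return data[:off - 1] + data[off + size:]


# Constructed samples, re-typed from the hex dumps posted in this thread.
CMD_BUTTON2 = bytes.fromhex(        # meaculpa's disabled, invisible button
    "636d6442757474 6f6e3200 04 010700 42757474 6f6e3200"
    "025901 0316000080 04 4006 2c01 b004 e803 0800 0900 110200"
    "13ff 14ff 1601 1b7b000000 1f00 2901 2a00 ff03320000800200000a00")
COMMAND1 = bytes.fromhex(           # Kayaker's all-default "OK" button
    "436f6d6d616e643100 04 010200 4f4b00 04 0807 4803 bf04 df02 110000"
    "ff0204000050000000")
MENU_DISABLED = bytes.fromhex("44697361626c6500 0500 ff")  # "Disable\0 05 00 FF"

if __name__ == "__main__":
    for blob in (CMD_BUTTON2, COMMAND1):
        ctl = parse_control(blob, 0)
        print(ctl["name"], ctl["props"])
    fixed = parse_control(patch_flag(CMD_BUTTON2,
                                     parse_control(CMD_BUTTON2, 0)["offsets"],
                                     "Enabled"), 0)
    print("after patch: Enabled =", hex(fixed["props"]["Enabled"]))
    print("menu:", parse_props(MENU_DISABLED, 8, MENU_TAGS)[0])
```

    patch_flag is the 0x00 to 0xFF overwrite Sarge proposed in #6 and Kayaker reports working for Enabled and Visible in #9; strip_property is javelin's deletion from #3, kept only so the length change Sarge warns about in #5 is visible in the return value. Against a real binary, find the control by its name string first and pass that offset as start; a ValueError on an unlisted tag is the intended outcome, since guessing a payload size would silently mis-parse everything after it.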

  13. #13
    josephCo
    Guest

    nothing special :)

    Heya guys It's been quite a while since I've been here.. and there's some nice stuff BTW Sarge.. good work on sharing what you've learned Umm as far as decompiling forms, I think I've got a list of all controls and their representation somewhere. The only thing I don't have (in paper form) would be all custom objects. Umm it's been several months (at least) since I've worked with this part of the EXE. I'll see what I can dig up and if all of you could create a "wish list" I'll put together a zip of what I can find.

    Good luck!!

    joe

  14. #14
    Sarge
    Guest
    (This message may appear multiple times; somehow I got dumped)

    Wow! Take a few holiday days off and....%$^#$


    1. A Resource decompiler/editor? Hmm...good thought; don't know what it would take, though...have to do some research.

    2. 0xFF begins/ends the embedded sequence. The data following the 0xFF tells a) What new embedded level to begin, or b) what existing embedded level to use, or c) what existing embedded level to end, etc.

    3. Where is the VB6 "Crack2" that you mentioned; it would help if we were all "on the same page"?

    4. Use the sample output I posted from the VISDATA.EXE file, and compare it with a hex listing of that file. You should easily see how the 0xFF ?? ?? ?? sequence works.

    (Sidebar: How much should I tell you, vs how much do you want to find out for yourselves? I hesitate to respond to meaculpa's post by just giving him his missing answers [no offense intended];
    but I am not sure where to draw the line)

    5. Josephco, glad to see you here. I have the exedec program, but frankly don't know how to use it properly, I am always getting error messages! How about a hint? Also, I will be the first to admit that I am still missing about 3 of the codes, mostly because I have not yet found the proper IDE and/or property settings that create them. I would LOVE to compare notes.

    6. I have attached a BMP file that may spark your interest, if I can get it to go. The 100k limit means it is a 16-bit color palette; hope it shows up!

    Sarge
    Attached Images

  15. #15
    Sarge
    Guest
    PS to meaculpa:

    Please check my post dated 11/21, item #2.

    Thanks

    Sarge
