
Thread: Decompiler Discussion

  1. #46
    josephCo
    Guest
    Ryan

    Hehehe I've given up cracking a LONG time ago :) Sorry to disappoint you. But if your active x is PCode, then I might take a look at it. Anyway.. good luck!!

    joe
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #47
    Ryan
    Guest
    Originally posted by josephCo
    Ryan

    Hehehe I've given up cracking a LONG time ago :) Sorry to disappoint you. But if your active x is PCode, then I might take a look at it. Anyway.. good luck!!

    joe
    Hi,
    yes it is in PCode. Feel free to take a look. You might even *recognise* it... ;) Grin

    Thanks,
    Ryan

  3. #48
    josephCo
    Guest
    okie... I'll see what I'll find. But as I told you a while back, exdec doesn't handle OCXs or DLLs. Good luck with everything.

    joe

  4. #49
    Ryan
    Guest
    Originally posted by josephCo
    okie... I'll see what I'll find. But as I told you a while back, exdec doesn't handle OCXs or DLLs. Good luck with everything.

    joe
    hi,
    by the way, since the xoom server is down, is there any other place I can get the newest version of exdec?

    Thanks
    Ryan

  5. #50
    josephCo
    Guest
    Sorry for the delay (I'm a lazy arse sometimes hehe ). Umm There is no updated version of ExDec available. I have a private version but atm it'll stay that way. As far as your OCX goes, I've rebuilt almost everything needed to run it through ExDec. I've had to add a few structures and change the format a bit, but nothing really major. If all goes well, would you like me to send you the output? Don't worry.. if I can decompile it, I won't share what I find with anybody (I hope you believe me)

    joe

  6. #51
    Ryan
    Guest
    Originally posted by josephCo
    Sorry for the delay (I'm a lazy arse sometimes hehe ). Umm There is no updated version of ExDec available. I have a private version but atm it'll stay that way. As far as your OCX goes, I've rebuilt almost everything needed to run it through ExDec. I've had to add a few structures and change the format a bit, but nothing really major. If all goes well, would you like me to send you the output? Don't worry.. if I can decompile it, I won't share what I find with anybody (I hope you believe me)

    joe
    Hi,
    sure, that will be great. Maybe I can tell you what the exact source looks like in some of the procedures.
    ryan(underscore)thian(at)hotmail(dot)com(remove_this_too)

    Ryan

  7. #52
    Kayaker
    Hi,

    I'm glad to see you're finally getting some input on your protection Ryan. Good luck. Cheers Joe.

    Regards,
    Kayaker

  8. #53
    Snatch
    Guest

    Re: umm dunno :)

    Correction, this is the definitive list straight from MSVBVM60.DLL property listing for a CommandButton.

    CommandButton - 0x04

    [0 Name text]
    1 Caption text
    2 Index Word
    3 BackColor color
    4 Size size [4 Left, 5 Top, 6 Width, 7 Height]
    8 Enabled boolean
    9 Visible boolean
    a MousePointer Byte
    [b FontName text]
    [c FontSize Word]
    [d FontBold boolean]
    [e FontItalic boolean]
    [f FontStrikethru boolean]
    [10 FontUnderline boolean]
    11 TabIndex Word
    [12 Value]
    13 Default boolean
    14 Cancel boolean
    [15 Parent]
    16 DragMode Byte
    17 DragIcon pic
    18 TabStop boolean
    19 Tag wtext
    [1a hWnd]
    1b HelpContextID DWord
    1c MouseIcon pic
    1d Font font
    1e WhatsThisHelpID DWord
    1f Appearance Byte
    [20 Container]
    [21 RightToLeft]
    22 Picture pic
    23 DisabledPicture pic
    24 DownPicture pic
    25 ToolTipText text
    26 OLEDropMode Byte
    27 MaskColor color
    28 UseMaskColor boolean
    29 Style Byte
    [2a CausesValidation]

    This is why I don't like the trial and error method as some things never appear until it is too late. For all curious folks out there this stuff is easy. I am thinking about releasing full lists of all of them but I think you should all use your brains and figure it out yourself as the experience is valuable. Here is your hint. Get MSVBVM60.DLL SP5 loaded in IDA. Load the symbols included with the service pack. Go to this offset. You actually do not even need the symbols for this but it makes it easier. 6600B4C8. That is the offset of the Button property listing. It goes in order by index so VB runtime can read a byte and then index the property as a jump table:

        mov eax, CommandButtonPropertyVTable
        mov ebx, ReadInPropertyByteValue
        jmp [eax+ebx*4]

    Of course the 04 signifies CommandButton and it looks up the table there. Anyway figuring out the data type corresponding to each property is a little bit different but easily doable, just spend some time surfing through. If you look into the pointers in the table they each point to a structure with the offset to the string name of the property, 8 bytes describing the data type and then the last 4 bytes describe the default. Anyway now everyone has the tool to make a PERFECT form decompiler of standard VB controls, no excuses.

    Snatch
    Last edited by Snatch; January 1st, 2002 at 01:42.
    I promise that I have read the FAQ and tried to use the Search to answer my question.
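
The lookup Snatch describes in #53 (property byte, then table slot, then a descriptor holding a name pointer, 8 type bytes and a 4-byte default), as an added example that is not code from the thread. It assumes 32-bit little-endian pointers and a 4-byte name field; `BASE`, the function names and the sample image are constructed for illustration and are not values from MSVBVM60.DLL.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BASE 0x66000000u   /* constructed image base for the sample, not the real DLL's */
typedef struct { const char *name; uint8_t type[8]; uint32_t dflt; } prop_t;

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Map a virtual address to a pointer into the image, or NULL if `need` bytes do not fit. */
static const uint8_t *at(const uint8_t *img, size_t len, uint32_t va, size_t need) {
    if (va < BASE || va - BASE > len || len - (va - BASE) < need) return NULL;
    return img + (va - BASE);
}

/* table[index] -> descriptor { name pointer (4), type (8), default (4) }.
 * The index byte and every pointer come from the file, so each one is checked.
 * Returns 0 on success, -1 if anything falls outside the image. */
int lookup_property(const uint8_t *img, size_t len, uint32_t table_va,
                    uint32_t count, uint8_t index, prop_t *out) {
    if (index >= count) return -1;
    const uint8_t *slot = at(img, len, table_va + 4u * index, 4);
    const uint8_t *d = slot ? at(img, len, rd32(slot), 16) : NULL;
    const uint8_t *s = d ? at(img, len, rd32(d), 1) : NULL;
    if (!s || !memchr(s, 0, len - (size_t)(s - img))) return -1;  /* unterminated name */
    out->name = (const char *)s;
    memcpy(out->type, d + 4, 8);
    out->dflt = rd32(d + 12);
    return 0;
}

/* Constructed sample (needs a 64-byte buffer): two-entry table, descriptors, names. */
size_t build_sample(uint8_t *img) {
    memset(img, 0, 64);
    wr32(img + 0x00, BASE + 0x08);                  /* index 0 -> descriptor at 0x08 */
    wr32(img + 0x04, BASE + 0x18);                  /* index 1 -> descriptor at 0x18 */
    wr32(img + 0x08, BASE + 0x28); img[0x0c] = 1;   /* name pointer, placeholder type byte */
    wr32(img + 0x18, BASE + 0x2d); img[0x1c] = 1;
    memcpy(img + 0x28, "Name", 5);
    memcpy(img + 0x2d, "Caption", 8);
    return 0x35;                                    /* bytes used */
}

int main(void) {
    uint8_t img[64]; prop_t p;
    size_t n = build_sample(img);
    for (unsigned i = 0; i < 3; i++)                /* index 2 is past the table */
        printf("%02x -> %s\n", i, lookup_property(img, n, BASE, 2, (uint8_t)i, &p) ? "(rejected)" : p.name);
    return 0;
}
```

The bounds checks matter when the same walk is run over a form resource from an untrusted file: an out-of-range property byte or a bad pointer is rejected instead of being followed.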

  9. #54
    josephCo
    Guest
    As I said earlier (or maybe it was on another forum) I don't really use text files anymore. I used to keep them updated all the time, but it became a big pain in the arse. A lot of my dirty work is done by using VB5.OLB / TLBINF32.DLL (using C makes it a bit more difficult). Sarge, you could easily incorporate this into your project (but remember I can't code worth sh*t using VB.. so don't ask me for help hehe). But here's a snippet from one of my procedures:


    rc = CoCreateInstance(&mCLSID_TypeLibInfo, 0, 1, &mIID_IUnknown, &obj_TLinf);
    rc = QueryInterface(obj_TLinf, &mIID_TypeLibInfo, &int_TLinf);

    /* m_TLInf.AppObjString = "<Unqualified>" */
    sTmp = SysAllocString(L"<Unqualified>");

    rc = Set_AppObjString(int_TLinf, sTmp);
    SysFreeString(sTmp);

    /* m_TLInf.ContainingFile = Path & "VB5.OLB" */
    sTmp = SysAllocString(L"vb5.olb");

    rc = Set_ContainingFile(int_TLinf, sTmp);
    SysFreeString(sTmp);

    /* With m_TLInf.TypeInfos.NamedItem("_Form").VTableInterface.Members */
    rc = Get_TypeInfos(int_TLinf, &int_TypeInfos);

    rc = Get_NamedItem(int_TypeInfos, &sTmpT, &int_NamedItem); /* 13 */
    SysFreeString(sTmpT);
    rc = Get_VTableInterface(int_NamedItem, &int_InterfaceInfo);
    rc = Get_Members(int_InterfaceInfo, &int_Members);


    items = iOffset = 0; /* These are really shorts, so clear the hiword */
    rc = Get_Count(int_Members, &items);
    for (o=1;o<items;o++) {
        rc = Get_Item(int_Members, o, &int_MemberInfo);
        rc = Get_Name(int_MemberInfo, &sTmp);
        rc = Get_VTableOffset(int_MemberInfo, &iOffset);
        if (iOffset == index){
            rc = Get_Parameters(int_MemberInfo,&int_Parameters);
            rc = Get_Count(int_Parameters,&count);
            rc = Release(int_Parameters);
            rc = Get_InvokeKind(int_MemberInfo,&iKind);
            if (iKind == 2){ //get
                b=pop();
                c=pop();
                sprintf(buf,"Get_%ws %s %s \n",sTmp,c,b);
                free(c);
                free(b);
            }
            else if (iKind == 4){
                b=pop();
                c=pop();
                sprintf(buf,"Put_%ws %s %s\n",sTmp,c,b);
                free(c);
                free(b);
            }
            else
            ...
            ...
    so on and so forth...

    hehe it seems this snippet has more comments than what I usually use (lucky me!).

    Anyway, to everyone and nobody in particular:

    HAPPY NEW YEAR!!!!

    May the new year bring you happiness and good fortune.

    joe

  10. #55
    Snatch
    Guest
    Haha JoCo. Looks like I wasn't the only one to be playing around with VTables and COM. Definitely useful in the land of VB decompilation. A very interesting technology COM is. I had to read a 700 page book about COM and ATL to fully understand the beast. Clever concept but much extra code required to implement the interfaces. Alas, once I know the technology it becomes obsolete and we await to see how SOAP and .NET change the technology. Anyway, cracking .NET programs is going to be the next generation and could pose some problems but now you just need to write a CLR decompiler and you can decompile managed c++, c#, vb all in one swoop. Actually protection was a huge issue so I believe Microsoft will release an encryptor. As if we can't unpack that hah! But if the encryptor is well nested with the CLR it could pose some challenges. We just have to wait a month more til the final release and see. Happy new year!
