Thread: VB P-Code

  1. #1
    Spencer
    Guest

    VB P-Code

    Hi Guys,

    I found a little and interesting app on the web. I suspect that this utility may be a hoax and I would like to hear an opinion.

    Let me explain:

    First of all, this app is protected by a packer named ExeStealth, which I have already unpacked, and it presented me with a VB P-Code exe.

    0040104C > $ 68 C8954000 PUSH Xxxxxxx.004095C8
    00401051 . E8 EEFFFFFF CALL <JMP.&MSVBVM60.#100>

    It jumps to MSVBVM60.dll, and the only call into the app code is to do this:

    0040A91C . B8 4C000000 MOV EAX,4C
    0040A921 . 66:3D 33C0 CMP AX,0C033
    0040A925 . BA B0AB4000 MOV EDX,Xxxxxxx.0040ABB0
    0040A92A . 68 3E104000 PUSH <JMP.&MSVBVM60.MethCallEngine>
    0040A92F . C3 RETN

    and returns to the VB library, which calls the app again for the Form Load procedure. OK, I have decompiled the target and this is what I got:

    [Form]
    Private Sub Form_Load()
    '-=-=-=-=-=-=-= ProcAddr Range: [0040AB74 - 0040ABB0] , ProcSize: 3C =-=-=-=-=-=-=-
    0040AB74: 27 08 FF LitVar_Missing PushVarError 80020004 (missing) VT_ERROR signifies an optional argument that is missing
    0040AB77: 27 28 FF LitVar_Missing PushVarError 80020004 (missing) VT_ERROR signifies an optional argument that is missing

    *********** Referent String: "WARNING UNAUTHORIZED! Dongle not found." ***********
    |
    0040AB7A: 3A 58 FF 00 00 LitVarStr PushVarString Ptr_00409C48

    0040AB7F: 4E 48 FF FStVarCopyObj [local_B8]=vbaVarDup(Pop)
    0040AB82: 04 48 FF FLdRfVar Push local_B8
    0040AB85: F5 10 00 00 00 LitI4: Push 00000010
    0040AB8A: 1B 01 00 LitStr: Push Ptr_00409B58
    0040AB8D: 1B 02 00 LitStr: Push Ptr_00409BB8
    0040AB90: 2A ConcatStr vbaStrCat
    0040AB91: 23 78 FF FStStrNoPop SysFreeString [local_88]; [local_88]=[stack]
    0040AB94: 1B 03 00 LitStr: Push Ptr_00409BC4
    0040AB97: 2A ConcatStr vbaStrCat
    0040AB98: 46 68 FF CVarStr
    0040AB9B: 0A 04 00 14 00 ImpAdCallFPR4 Call Ptr_00401020; check stack 0014 (no return value)
    0040ABA0: 2F 78 FF FFree1Str SysFreeString [local_88]; [local_88]=0
    0040ABA3: 36 08 00 68 FF 48 FFreeVar Free 0008 variants : 68 FF 48 FF 28 FF 08 FF FF 28 FF 08 FF
    0040ABAE: 13 ExitProcHresult
    0040ABAF: 00 A4 LargeBos IDE beginning of line with A4 byte codes

    Now, what do you think: is it a hoax or not?

    Rgds

    Spencer
    I promise that I have read the FAQ and tried to use the Search to answer my question.
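A small parser for the VBParser-style listing quoted above, added here as an example and not part of the thread or of any tool it names: it rejoins the wrapped byte column, checks that each instruction's length carries exactly to the next address, and reports the string literals, imported calls and branch opcodes in the procedure. The sample input is an excerpt of the post's own Form_Load dump, and the Branch/BranchF/BranchT mnemonic spellings are assumed.

```python
import re

# Constructed sample input: the Form_Load listing quoted in the post above (VBParser-style output), with the wrapped byte-column line kept as the forum showed it.
DUMP = """\
*********** Referent String: "WARNING UNAUTHORIZED! Dongle not found." ***********
0040AB7A: 3A 58 FF 00 00 LitVarStr PushVarString Ptr_00409C48
0040AB7F: 4E 48 FF FStVarCopyObj [local_B8]=vbaVarDup(Pop)
0040AB82: 04 48 FF FLdRfVar Push local_B8
0040AB85: F5 10 00 00 00 LitI4: Push 00000010
0040AB8A: 1B 01 00 LitStr: Push Ptr_00409B58
0040AB8D: 1B 02 00 LitStr: Push Ptr_00409BB8
0040AB90: 2A ConcatStr vbaStrCat
0040AB91: 23 78 FF FStStrNoPop SysFreeString [local_88]; [local_88]=[stack]
0040AB94: 1B 03 00 LitStr: Push Ptr_00409BC4
0040AB97: 2A ConcatStr vbaStrCat
0040AB98: 46 68 FF CVarStr
0040AB9B: 0A 04 00 14 00 ImpAdCallFPR4 Call Ptr_00401020; check stack 0014 (no return value)
0040ABA0: 2F 78 FF FFree1Str SysFreeString [local_88]; [local_88]=0
0040ABA3: 36 08 00 68 FF 48 FFreeVar Free 0008 variants : 68 FF 48 FF 28 FF 08 FF
FF 28 FF 08 FF
0040ABAE: 13 ExitProcHresult
0040ABAF: 00 A4 LargeBos IDE beginning of line with A4 byte codes
"""
INSTR_RE = re.compile(r"^([0-9A-F]{8}): ((?:[0-9A-F]{2} )+)(\S+)\s*(.*)$")
CONT_RE = re.compile(r"^(?:[0-9A-F]{2}(?: |$))+$")  # byte column wrapped onto its own line
STRING_RE = re.compile(r'Referent String: "(.*)"')
BRANCH_OPS = {"Branch", "BranchF", "BranchT"}       # VB6 P-code control-flow opcodes (spelling assumed)

def parse_dump(text):
    instrs, strings = [], []   # instruction dicts in listing order, and annotated string literals
    for line in (raw.strip() for raw in text.splitlines()):
        m = INSTR_RE.match(line)
        if m:
            instrs.append({"addr": int(m[1], 16), "bytes": m[2].split(),
                           "mnem": m[3].rstrip(":"), "comment": m[4]})
        elif instrs and CONT_RE.match(line):
            instrs[-1]["bytes"] += line.split()   # remaining bytes of the previous instruction
        elif (s := STRING_RE.search(line)):
            strings.append(s[1])
    return instrs, strings

def summarize(text):
    instrs, strings = parse_dump(text)
    # An instruction's length must carry exactly to the next address, or the dump (or our parse) is off.
    gaps = [hex(a["addr"]) for a, b in zip(instrs, instrs[1:]) if a["addr"] + len(a["bytes"]) != b["addr"]]
    return {"strings": strings, "gaps": gaps,
            "calls": [i["comment"].split(";")[0] for i in instrs if i["mnem"].startswith("ImpAdCall")],
            "has_branch": any(i["mnem"] in BRANCH_OPS for i in instrs)}
```

On this listing the addresses line up with no gaps, one string and one imported call are found, and no branch opcode appears, so the message is emitted unconditionally rather than after any check.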

  2. #2
    Do you think WHAT is a hoax...your question is not clear.

    First, you start out describing an "app", which you apparently have to unpack. Then you say that (something?) presented you with a "VB P-Code exe". Do you mean that, when the app was unpacked, you discovered it was a VB program, compiled to PCode?

    Now, you say you decompiled the "target". Do you mean you decompiled the VB program you just unpacked? Or did you use the program you just unpacked to decompile some other target program? Or maybe you used it to decompile itself?

    Finally, what part of this operation do you think might be the hoax? If you mean does your data dump look like real, viable P-Code, well, yes it does.

    The datadump format you have shown is very reminiscent of one of the PCode decompilers I have seen from (I think) China, although I have to look that up. Why not try one of the other PCode dumpers and compare the outputs?

    Sarge

  3. #3

  4. #4
    disavowed
    would you mind telling us which program you used to produce that pcode output? sarge, i know you're a pcode guru too.. mind posting the name of that chinese dumper once you find it?

  5. #5
    Spencer
    Guest
    Quote Originally Posted by sarge
    Do you think WHAT is a hoax...your question is not clear.

    First, you start out describing an "app", which you apparently have to unpack. Then you say that (something?) presented you with a "VB P-Code exe". Do you mean that, when the app was unpacked, you discovered it was a VB program, compiled to PCode?

    Now, you say you decompiled the "target". Do you mean you decompiled the VB program you just unpacked? Or did you use the program you just unpacked to decompile some other target program? Or maybe you used it to decompile itself?

    Finally, what part of this operation do you think might be the hoax? If you mean does your data dump look like real, viable P-Code, well, yes it does.

    The datadump format you have shown is very reminiscent of one of the PCode decompilers I have seen from (I think) China, although I have to look that up. Why not try one of the other PCode dumpers and compare the outputs?

    Sarge
    Hi

    1 - Yes. After unpacking, I discovered that it was a VB prog compiled to p-code.

    2 - Decompiled the VB prog that I had just unpacked.

    3 - I mean that this is a prog that doesn't do anything. It only presents us with this error message, 20 times, on every textbox, label, button or option box. Yes, it was decompiled with VBParser. ExDec gives an error when trying to load it. P-Code Loader 4.2 works fine but, as explained, after loading it stops on the Form Load routine.

    Now I used SI, OllyDbg and nothing!!!! It seems that the prog loads the VB library and only goes out to the Form Load routine. The author uses the same error routine about 20 times, as I said, for any mouse click on Text Boxes, Command Buttons, Labels and Option Boxes.

    If you want, I will send the file by e-mail for your analysis. Only by seeing this prog will you understand what I mean. It is 0,97 MB zip compressed.


    rgds

    Spencer
    Last edited by Spencer; March 31st, 2004 at 13:45.

  6. #6

    VB P-Code

    1. I can be reached at sargeant_g@hotmail.com.

    2. No problem on the China stuff, if I can find it. I'll take a look this weekend. As I said, it looks very familiar...it may be that VBParser is it.

    3. There are a few other analyzers you might try for VB:
    a. VBRezQ
    b. VBReformer
    c. WKTDebugger
    d. VBEditor
    e. RACEVB6

    Sarge

  7. #7
    Spencer
    Guest
    Hi,

    Thanks for your reply.

    I will try the tools mentioned. I already have the WKTDebugger - Loader 4.2. It works but doesn't accept any BPX on any address; it only stops at the beginning of the Form Load routine.

    Target sent by email, and your opinion about it will be very, very appreciated.


    Thanks again

    Spencer

  8. #8

    I found it

    Disavowed:
    I have found a cryptic note to myself referencing the "Chinese" program I mentioned. It has only an email address and a sample of decompiled code; the format of that decompiled code is similar to Spencer's post, which is why I thought it looked familiar. I really believe I have further info here someplace, but I haven't found it yet. At any rate, you may wish to contact the author. The address I have is "?jtt@yeah.net"; the "?" is either an upper case "I" or a lower case "L"; they both look the same in print. (No joke here---it really is "yeah.net"). I'll keep looking to see if I can find the actual proggie.


    Spencer:
    Never had a problem with the WKT breakpoints. Since the prog stops on the FORMLOAD, that is certainly the SUM (StartUp Module) for your target. You can then single step, set breakpoints, etc, like any debugger.

    Sarge

  9. #9
    Spencer
    Guest
    Hi Sarge,

    I have sent you an email with this project. Sorry if you haven't received it, but you can find it at:

    h**p://id-discussions.com/vbulletin/attachment.php?s=&postid=302176

    This is packed with EXEStealth. You can find an unpack tool on the web at coban's site:

    h**p://www.cobans.net/unstealth.php.

    As I said, the decompile of this P-code was made with VBParser 1.2. You can find it at:
    h**p://www.pediy.com/tools/Decompilers/VB_pcode/VBParser/VBParser1.2.zip

    But I do not count the time spent on this project as lost, because this was a very interesting way of making contact with p-code and discovering very interesting tools to play with.

    Waiting for your opinions about this. For me, this is a fake program with a fake protection.

    Thanks again for your time, and it is a pleasure to participate in this forum.

    Rgds

    Spencer
    Last edited by Spencer; April 6th, 2004 at 15:37.

  10. #10
    Spencer:
    I'll check it out as soon as I can

    Disavowed:
    I found the proggie. It's from the China Cracking Group. It's simply called VBparser. But it's 95 percent in Chinese. Of course, it's available if you want it.

    Sarge

  11. #11
    Spencer:
    Finally got the progs dl'ed. Sorry it took so long, been ill lately.

    Now, company is sending me out of town for a few days. So I don't think I'll get to actually look at the progs until next weekend. But I won't forget!

    Sarge

    --------------------------EDIT-----------------------------
    I am unable to DL the x-factor zip file properly...I always get an invalid file error. I'm using Win XP. Any ideas?

    S
    Last edited by sarge; April 17th, 2004 at 12:03.

  12. #12
    Spencer
    Guest
    Quote Originally Posted by sarge
    Spencer:
    Finally got the progs dl'ed. Sorry it took so long, been ill lately.

    Now, company is sending me out of town for a few days. So I don't think I'll get to actually look at the progs until next weekend. But I won't forget!

    Sarge

    --------------------------EDIT-----------------------------
    I am unable to DL the x-factor zip file properly...I always get an invalid file error. I'm using Win XP. Any ideas?

    S
    Hi Sarge,

    Take your time, no problem.

    No problem with XP. It's probably some file damage when sent by e-mail.

    Please check my last post, where you have all the links to download the app, the unpacker and the decompiler that I used.

    rgds

    Spencer

  13. #13
    That's my point....the DL didn't work..twice

    Sarge

  14. #14
    Spencer
    Guest
    Quote Originally Posted by sarge
    That's my point....the DL didn't work..twice

    Sarge

    Hi Sarge,

    I have tried to send an email with the x-factor but it was returned.

    Please confirm your email to spencer@faston.cjb.net

    Thanks and regards

    Spencer

  15. #15
    Done!

    Sarge
