
Visual Basic 5_6 stuff

All-in-one reversing related discussions
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

No :) better to do it my way.
So, msvbml60.pdb most likely does not exist. Now downloading a bunch of torrs. Will there be anything good in the Win10 SDK for msvbml60, .dbg?
WaxfordSqueers
Senior Member
Posts: 1001
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

blabberer wrote: it should take no more than 30 seconds for the andre.exe to load, analyze, run idc, close and pack an idb
Thanks for the input blabbs, but I don't think it's my computer. It runs 3D DX games at blazing speed. I have no other issues with speed, nor should I, using a modern B360 chipset and an i8400 Intel processor.

For example, I can run my big VB app in windbg and let it run. It loads the entire app in a few seconds. The system is so fast I can't use it on really old games because the action happens too quick.

I am beginning to suspect another issue, that's why I appreciate your confirmation of the time it should take for andre.exe to finish. Sometimes I notice my Internet security interfering with communication between apps, or the Net, and slowing them down. For example, if I am transferring files from an external hard drive to a hard drive I notice the speed slows significantly if the virus checker is enabled. That should not affect IDA internally but I will check it.

The free IDA itself disassembles large apps in seconds rather than the minutes I was used to with older processors/chipsets. It does not seem to be about IDA and the processor, it seems to be about vb.idc and IDA.

Another matter is IDA itself. I am using the free version on W7 because my other IDA is on my XP disk. The free version does not list vb.idc in the menu under Edit where you normally load IDC files when they are located in the IDA\IDC directory. I have to load it from the File menu under load scripts, then I have to look it up in the IDA\IDC directory and load it from there.

When it loads, it does come up in an IDC window and there is a small window saying 'IDC script' or something. However, IDA becomes unresponsive to mouse clicks after that. I can't move windows around or get a response out of the mouse. In the IDC window, things seem to be moving fast enough.

I'll have to check these things out. First, I'll fire up IDC 5 in XP and try it out from there.
WaxfordSqueers
Senior Member
Posts: 1001
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Kayaker wrote: It's you. The idc script finishes in a few seconds on the crackme. Sorry :smug:
When James Hansen of NASA GISS predicted climate gloom and doom in 1988 he had to retract his error in 1998, since 10 years later it was apparent nothing was happening. He blamed it on his computer. Over 30 years later, there is still nothing happening.

Sorry, but I cannot take the blame here since I am not personally running the IDC script. I don't have 100 years to spare, since I have only programmed myself for another 80 years. :p
WaxfordSqueers
Senior Member
Posts: 1001
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

evaluator wrote: so, msvbml60.pdb most likely not exist
Think I found a pdb for msvbvm. I see it in a Windows package but have not installed it yet.
WaxfordSqueers
Senior Member
Posts: 1001
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

The problem was the free version of IDA. Tried it in IDA 5 in XP and it ran through entire app in about 20 seconds.

Just loaded Smartcheck. It's still gold, lays out the entire VB app. If you enter a serial it shows you which form is being used and the related commands. It has various amounts of data you can select and when everything is selected it shows every function call, even into OLE.

VB_Lite looks good too. The difference between Smartchk and VB_Lite is that Smartchk works live. You can start it then work with the app, like entering a username/serial, and it records it as you go along. Doesn't give you the app addresses like VB_Lite. I recall now that Boundschecker was the better of the two because it gave you addresses in the app and all the string data in each function. You could see exactly where to place a BP on a function. Not complaining, Smartchk was written for VB apps and does a lot better with them.

We have to remember that Boundschecker and Smartchk were designed to find errors in code.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

@evaluator msvbvm60.dll and pdb are available from MS; I just grabbed both of them from the MS symbol server

msvbvm60.dll timestamp and size 4802be3d153000
msvbvm60.pdb pDbSig and Age 47193e361


C:\getmsvb>dir /b
msvbvm60.dll

C:\getmsvb>dbh fii msvbvm60.dll

file: msvbvm60.dll
stripped: false
timestamp: 0x4802be3d
size: 0x153000
dbg:
pdb: MSVBVM60.pdb
pdb guid: 00000000
pdb sig: 0x47193e36
pdb age: 0x1

C:\getmsvb>wget -d -c -U="Microsoft-Symbol-Server/10.0.0.0" "http://msdl.microsoft.com/download/symb ... vbvm60.pdb"
Setting --continue (continue) to 1
Setting --user-agent (useragent) to =Microsoft-Symbol-Server/10.0.0.0
DEBUG output created by Wget 1.19.2 on mingw32.



---response begin---
HTTP/1.1 200 OK
Content-Length: 2221056
200 OK

Length: 2221056 (2.1M) [application/octet-stream]
Saving to: 'msvbvm60.pdb'

2020-04-25 03:25:54 (139 KB/s) - 'msvbvm60.pdb' saved [2221056/2221056]

C:\getmsvb>dir /b
msvbvm60.dll
msvbvm60.pdb

C:\getmsvb>


@Waxford

Version 5 is the free version afaik and runs properly in Win7, Win10 as 32 bit.
There is a 64 bit free version 7 I think, but I rarely use it.
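The dbh output above (timestamp, size, pdb sig, age) is exactly what the symbol-server path is built from. As an added example, not code from this thread, here is a small Python script that reads those fields from a PE header and its CodeView record and assembles the same URLs that wget/symchk request; the PE header and CodeView records it operates on are constructed test data shaped like the real structures, using the MSVBVM60 numbers dbh printed. The msdl.microsoft.com base URL and the "Microsoft-Symbol-Server/10.0.0.0" user agent are taken from the posts; the pdb path inside the NB10 record and the GUID in the RSDS record are made up.

```python
"""Build Microsoft symbol-server paths from a PE image and its CodeView record.

Added example for this thread, not code from the original posts. The layout it
encodes is the public symbol-server one used by symchk/windbg:
  <image>/<TimeDateStamp as 8 hex digits><SizeOfImage in hex>/<image>
  <pdb>/<NB10 signature as 8 hex digits><age in hex>/<pdb>      (CodeView 2.0, NB10)
  <pdb>/<GUID as 32 hex digits, no dashes><age in hex>/<pdb>    (CodeView 7.0, RSDS)
The sample PE header and CodeView records at the bottom are constructed test
data shaped like the real structures; the MSVBVM60 numbers are the ones dbh
printed in the post above.
"""
import struct
import urllib.request
import uuid

SYMBOL_SERVER = "http://msdl.microsoft.com/download/symbols"
USER_AGENT = "Microsoft-Symbol-Server/10.0.0.0"   # the user agent blabberer passed to wget


def image_key(timestamp, size_of_image):
    """Directory name for an executable/DLL: TimeDateStamp zero-padded to 8 hex
    digits, followed by SizeOfImage in hex with no padding."""
    return f"{timestamp:08X}{size_of_image:X}"


def pe_image_key(data):
    """Read TimeDateStamp and SizeOfImage straight from a PE file's headers
    (what 'dbh fii' reports as timestamp/size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (pe,) = struct.unpack_from("<I", data, 0x3C)                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (timestamp,) = struct.unpack_from("<I", data, pe + 8)         # IMAGE_FILE_HEADER.TimeDateStamp
    (size_of_image,) = struct.unpack_from("<I", data, pe + 0x50)  # OptionalHeader.SizeOfImage (same offset in PE32 and PE32+)
    return image_key(timestamp, size_of_image)


def parse_codeview(record):
    """Parse the CodeView record that an IMAGE_DEBUG_TYPE_CODEVIEW entry points at.
    Returns (pdb_file_name, symbol_server_key)."""
    sig = record[:4]
    if sig == b"NB10":
        # 'NB10', DWORD offset (0), DWORD signature, DWORD age, NUL-terminated path
        _offset, signature, age = struct.unpack_from("<III", record, 4)
        path = record[16:]
        key = f"{signature:08X}{age:X}"
    elif sig == b"RSDS":
        # 'RSDS', 16-byte GUID in little-endian field order, DWORD age, NUL-terminated path
        guid = uuid.UUID(bytes_le=bytes(record[4:20]))
        (age,) = struct.unpack_from("<I", record, 20)
        path = record[24:]
        key = f"{guid.hex.upper()}{age:X}"
    else:
        raise ValueError(f"unknown CodeView signature {sig!r}")
    path = path.split(b"\0", 1)[0].decode("ascii", "replace")
    return path.rsplit("\\", 1)[-1], key


def symbol_url(name, key, base=SYMBOL_SERVER):
    """Full download URL. The server may instead hold the compressed form (last
    character of the name replaced by '_', e.g. msvbvm60.pd_) or a file.ptr
    redirect; this helper only builds the plain path."""
    return f"{base}/{name}/{key}/{name}"


def symbol_request(url):
    """A urllib Request carrying the User-Agent the server expects; opening it
    is left to the caller because this example runs offline."""
    return urllib.request.Request(url, headers={"User-Agent": USER_AGENT})


# --- constructed sample data (not real files) --------------------------------
# Minimal PE header: MZ stub, e_lfanew -> 0x80, 'PE\0\0', then the two fields we need.
SAMPLE_PE = bytearray(0x100)
SAMPLE_PE[0:2] = b"MZ"
struct.pack_into("<I", SAMPLE_PE, 0x3C, 0x80)
SAMPLE_PE[0x80:0x84] = b"PE\0\0"
struct.pack_into("<I", SAMPLE_PE, 0x80 + 8, 0x4802BE3D)     # TimeDateStamp from the post
struct.pack_into("<I", SAMPLE_PE, 0x80 + 0x50, 0x153000)    # SizeOfImage from the post
SAMPLE_PE = bytes(SAMPLE_PE)

# NB10 record with the signature/age dbh showed for MSVBVM60.pdb; the path is made up.
SAMPLE_NB10 = b"NB10" + struct.pack("<III", 0, 0x47193E36, 1) + b"c:\\build\\MSVBVM60.pdb\0"

# RSDS record with a made-up GUID and age 2, the form a modern PDB reference takes.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-9abc-def012345678")
SAMPLE_RSDS = b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 2) + b"example.pdb\0"

if __name__ == "__main__":
    print(symbol_url("msvbvm60.dll", pe_image_key(SAMPLE_PE)))
    for rec in (SAMPLE_NB10, SAMPLE_RSDS):
        name, key = parse_codeview(rec)
        print(symbol_url(name, key))
```

Run it as-is to print the three URLs; to fetch a real file, pass `symbol_request(url)` to `urllib.request.urlopen`. Note that the symchk failure quoted later in the thread ("Image is split correctly, but MSVBVM60.dbg is missing") is a different lookup: a stripped image carries a MISC debug entry naming a .dbg, which symchk wants before it will go looking for the pdb, and a .dbg has its own key rather than the pdb's.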
WaxfordSqueers
Senior Member
Posts: 1001
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

blabberer wrote: C:\getmsvb>wget -d -c -U="Microsoft-Symbol-Server/10.0.0.0" "http://msdl.microsoft.com/download/symb ... vbvm60.pdb"
@blabberer ... how did you compile wget? The documentation sent me to a site for a makefile and the site is gone.

If I use your script above as follows:

symchk /r c:\symtmp /s SRV*c:\sympdb\*"Microsoft-Symbol-Server/10.0.0.0" "http://msdl.microsoft.com/download/symb ... vbvm60.pdb"

I get the following error: FAILED - Image is split correctly, but MSVBVM60.dbg is missing

I have tried with and without the "Microsoft-Symbol-Server/10.0.0.0"

I have msvbvm60.dbg sitting in the symtmp directory and in system32 with msvbvm60.dll

The method above has worked fine for retrieving XP symbols in the past using symchk.

Just retried with a mix of C++ based XP files and VB files and it retrieved 8 of them and ignored the rest as follows:

C:\Program Files (x86)\Windows Kits\10\Debuggers\x86>symchk /r c:\symtmp /s SRV*c:\sympdb\*http://msdl.microsoft.com/download/symbols
SYMCHK: Comdlg32.ocx FAILED - Image is split correctly, but Comdlg32.dbg is missing
SYMCHK: dbgeng.dll FAILED - dbgeng.pdb mismatched or not found
SYMCHK: kdcom.dll FAILED - kdcom.pdb mismatched or not found
SYMCHK: MSVBVM60.DLL FAILED - Image is split correctly, but MSVBVM60.dbg is missing

SYMCHK: FAILED files = 4
SYMCHK: PASSED + IGNORED files = 8

Last time it retrieved kdcom.pdb but maybe they have changed the version since.

Guess I need to get wget going.
WaxfordSqueers
Senior Member
Posts: 1001
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

@evaluator
@blabberer

Downloaded the XP SP3 symbol pack from the following link. It has the PDB files for MSVBVM50 and 60, and a whole lot more. It even has kdcom.pdb and dbgeng.pdb missing from my post above. I presume they are all x86 variety.

https://web.archive.org/web/20170710155 ... ll-ENU.exe
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

blabberer, in W10 resides msvbvm60.dll ver 6.0.98.15 with timestamp 2009.III.5 (49B01FC3), size 00152800. Can you call wget with it?
When I started the crackme in your beloved windbg, it did not download the symbol, while it did for some others..
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

size != 152800; only the 153000 dll is available on the MS symserver

PDB signature (neither RSDS 2 nor RSDS 7.0) not present, so no pdb

dbg signature does not exist, so no dbg

the dll is probably built without debug information

grab an older version with symbols as posted earlier: 9802 instead of the 9815 you have in syswow64
WaxfordSqueers
Senior Member
Posts: 1001
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

Just learned something about pdb files. You guys are likely way ahead of me on this.

In the Debugging Tools For Windows directory there is a little file called dbh.exe. I copied msvbvm60.dll into the DTFW directory and opened a command window in that directory. Ran dbh msvbvm60.pdb and it opened a prompt like in the debuggers. Now you can load a slew of commands that can be viewed with dbh -??.

At the prompt, I ran the command enum * and it listed every symbol in the pdb file. I was only interested in files beginning with __vba, so I ran dbh __vba*. It listed all the files that began with that set of chars plus it listed the index into the file with the offset.

Blabbs likely has a way of doing this in windbg. :D

What I'm really looking for is a way to identify the version of the PDB file so I can find the msvbvm60.dll that matches it. There may possibly be a way to edit an existing pdb to match a file of a slightly different version. I need to work out the rest of the PDB file format to see if it will reveal a version. I don't mean the version listed at the beginning of the pdb file I mean the version of the file it was made for.

I might mention that my set of pdb files are for XP and they differ from the newer PDB files, which I think have signatures with them. I tried it again using a pdb for the x64 ntkrnlmp.pdb and it ran fine with no signs of a signature. BTW...I'm using DTFW from W7 on XP. I tried it under both DTFW x86 and DTFW x64 and got the same output.

It would probably be better in powershell since in the cmd window the text scrolls by so fast it's easy to miss the beginning of the read out. Ctrl-S stops the scrolling and if you're fast you can capture the scrolling at the beginning.

Here's a partial readout of the scrolling for ntkrnlmp.pdb on DTFW x64.

Code:

C:\Program Files\Debugging Tools for Windows (x64)>dbh ntkrnlmp.pdb

ntkrnlmp [1000000]: enum *

 index            address     name
     1            1019ad8 :   MiSyncSystemPdes
     2            14523e0 :   ObpStopRTStackTrace
     3            13484b0 :   RtlSetOwnerSecurityDescriptor
     4            155de50 :   PnpInitializeLegacyBusInformationTable
     5            130f0c0 :   AlpcpDeleteBlob
     6            13ea4a0 :   TmpNamespaceEnumerate
     7            156f640 :   IopStoreArcInformation
     8            1429930 :   CmpUpdateParentForEachSon
     9            12ddd98 :   PsReferenceImpersonationToken
     a            10a31c0 :    ?? ::FNODOBFM::`string'
     c            14079b0 :   WmipGetDevicePDO
     d            101f4d8 :   KiSetPriorityThread
     e            13c80f0 :   CmpQueueLazyCommitWorker
     f            1094d20 :   KiInterruptDispatchNoEOI
    10            107d894 :   RtlFindLastBackwardRunClear
    11            1001930 :   _newclmap
    12            11ef1a0 :   _lc_codepage
    13            1110cd0 :   PopQueueBatteryStatusTimeout
    14            14865c0 :   ExpGetSystemFirmwareTableInformation
    15            141aee0 :   CmpDoReDoDeleteValue
    16            142d5e0 :   SmKmSendDeviceControl
    17            10930c0 :   ZwRenameTransactionManager
    18            13c65c0 :   EtwpRemoveProviderTableEntry
    19            1507650 :   ViShutdownWatchdogExecuteDpc
    1a            1498160 :   BiAddBootEntryToNvramDisplayOrder
    1b            1221f44 :   MmZeroedPageSingleBitErrorsDetected
    1d            120f83c :   curr_y
    1e            129d188 :   MmPageToNode
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

Well, I don't think the PDB file will be of great help. Actually, a little problem is the structure of stack variables. Look in the GHIDRA decompilation: local_108 = 100;, but you can't see it any more after that. It seems a stack variable in VB is 4 dwords, where the variable itself is stored in the third one. So local_108 = 100; is in the third position, but then operations point to the first dword.
Thus, better to directly debug & understand what is happening :)
Decompilation is also a bad thing :P, as one can wonder what % 10 is, while in the code one can see that after the DIVision the value is grabbed from the EDX register, so that can mean a MOD operation... mmm...
Waittt.. can't that one wonder what EDX is?!? ;;)
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

VB uses a type called VARIANT, a structure, for all of its functions

Code:

C:\Program Files (x86)\Windows Kits\10\Include>grep -ir struct.*tagvariant --include *.h *
10.0.17763.0/um/OAIdl.h:typedef /* [wire_marshal] */ struct tagVARIANT VARIANT;
10.0.17763.0/um/OAIdl.h:struct tagVARIANT
10.0.17763.0/um/OAIdl.h:        struct __tagVARIANT

C:\Program Files (x86)\Windows Kits\10\Include>

Code:

  sVar1 = __vbaVarTstEq((__tagVARIANT *)(SomeVar + 0x4b),(__tagVARIANT *)(SomeVar + 0x47));
  if (sVar1 == 0) {
    FUN_00403a20();
  }
  else {
    FUN_00403720();
  }
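Evaluator's "4 dwords, value in the third one" and blabberer's tagVARIANT are the same thing seen from two sides: the 16-byte VARIANT from OAIdl.h has the type tag in its first word and the 8-byte value union at offset 8. As an added example, not code from this thread, here is a Python decoder for that layout that can be pointed at the two operands of a `__vbaVarTstEq` call (or any VB local) once you have dumped their 16 bytes from the stack; the memory image holding the sample BSTR, the stack address in the BYREF sample and the "12345" string are constructed for the example.

```python
"""Decode a VB6/OLE VARIANT as it sits on the stack (32-bit layout from OAIdl.h).

Added example for this thread, not code from the original posts. A VARIANT is
16 bytes, i.e. the "4 dwords" a VB local occupies:
  offset 0   WORD vt            type tag (VT_I4, VT_BSTR, ...) plus VT_BYREF/VT_ARRAY flags
  offset 2   WORD wReserved1..3
  offset 8   8-byte union       the value itself, or a pointer for BSTR/object/BYREF types
So `local_108 = 100;` in a decompiler is the write to the third dword, while the
tag lives in the first. The memory image below is constructed test data.
"""
import struct

VT_EMPTY, VT_NULL, VT_I2, VT_I4, VT_R4, VT_R8, VT_CY, VT_DATE = range(8)
VT_BSTR, VT_DISPATCH, VT_ERROR, VT_BOOL, VT_VARIANT, VT_UNKNOWN = 8, 9, 10, 11, 12, 13
VT_I1, VT_UI1, VT_UI2, VT_UI4 = 16, 17, 18, 19
VT_ARRAY, VT_BYREF = 0x2000, 0x4000

_NAMES = {
    VT_EMPTY: "VT_EMPTY", VT_NULL: "VT_NULL", VT_I2: "VT_I2", VT_I4: "VT_I4",
    VT_R4: "VT_R4", VT_R8: "VT_R8", VT_CY: "VT_CY", VT_DATE: "VT_DATE",
    VT_BSTR: "VT_BSTR", VT_DISPATCH: "VT_DISPATCH", VT_ERROR: "VT_ERROR",
    VT_BOOL: "VT_BOOL", VT_VARIANT: "VT_VARIANT", VT_UNKNOWN: "VT_UNKNOWN",
    VT_I1: "VT_I1", VT_UI1: "VT_UI1", VT_UI2: "VT_UI2", VT_UI4: "VT_UI4",
}
# struct format of the union for the types stored inline
_SCALAR = {VT_I2: "<h", VT_I4: "<i", VT_R4: "<f", VT_R8: "<d", VT_CY: "<q", VT_DATE: "<d",
           VT_ERROR: "<I", VT_BOOL: "<h", VT_I1: "<b", VT_UI1: "<B", VT_UI2: "<H", VT_UI4: "<I"}
# types whose union holds a 32-bit pointer instead
_POINTER = {VT_BSTR, VT_DISPATCH, VT_UNKNOWN, VT_VARIANT}


def make_variant(vt, value):
    """Build the 16 raw bytes of a VARIANT holding `value` (a pointer for pointer types)."""
    pointer = (vt & (VT_BYREF | VT_ARRAY)) or (vt & 0x0FFF) in _POINTER
    fmt = "<I" if pointer else _SCALAR[vt]
    return struct.pack("<HHHH", vt, 0, 0, 0) + struct.pack(fmt, value).ljust(8, b"\0")


def decode_variant(buf, read_mem=None):
    """Return (type_name, value) for a 16-byte VARIANT. Pointer-typed values stay
    raw addresses unless read_mem(addr, n) -> bytes is given to dereference a BSTR."""
    if len(buf) < 16:
        raise ValueError("VARIANT is 16 bytes")
    (vt,) = struct.unpack_from("<H", buf, 0)
    base, flags = vt & 0x0FFF, vt & 0xF000
    name = _NAMES.get(base, f"VT_{base}")
    if flags & VT_BYREF:
        name += "|VT_BYREF"
    if flags & VT_ARRAY:
        name += "|VT_ARRAY"
    if flags & (VT_BYREF | VT_ARRAY) or base in _POINTER:
        (ptr,) = struct.unpack_from("<I", buf, 8)        # third dword holds the pointer
        if base == VT_BSTR and not flags and read_mem is not None:
            # A BSTR points at UTF-16 data; its byte length is the DWORD just before it.
            (nbytes,) = struct.unpack("<I", read_mem(ptr - 4, 4))
            return name, read_mem(ptr, nbytes).decode("utf-16-le")
        return name, ptr
    if base in (VT_EMPTY, VT_NULL):
        return name, None
    (val,) = struct.unpack_from(_SCALAR[base], buf, 8)   # third dword (and fourth for 8-byte types)
    if base == VT_BOOL:
        return name, val != 0                             # VARIANT_TRUE is -1, VARIANT_FALSE is 0
    if base == VT_CY:
        return name, val / 10000                          # CURRENCY is int64 scaled by 10^4
    return name, val


def third_dword(buf):
    """The raw dword at offset 8, the slot a decompiler shows `local_108 = 100;` landing in."""
    return struct.unpack_from("<I", buf, 8)[0]


# --- constructed sample memory: a BSTR "12345" whose data starts at 0x1004 ------
MEM_BASE = 0x1000
STR = "12345".encode("utf-16-le")
SAMPLE_MEM = struct.pack("<I", len(STR)) + STR + b"\0\0"   # length prefix, chars, terminator
SAMPLE_BSTR_PTR = MEM_BASE + 4


def sample_read_mem(addr, n):
    off = addr - MEM_BASE
    return SAMPLE_MEM[off:off + n]


SAMPLE_I4 = make_variant(VT_I4, 100)                     # the decompiler's local_108 = 100
SAMPLE_SERIAL = make_variant(VT_BSTR, SAMPLE_BSTR_PTR)   # one operand of __vbaVarTstEq
SAMPLE_BYREF = make_variant(VT_I4 | VT_BYREF, 0x0019FF20)  # made-up stack address

if __name__ == "__main__":
    for v in (SAMPLE_I4, SAMPLE_SERIAL, SAMPLE_BYREF):
        print(v.hex(), decode_variant(v, sample_read_mem))
```

In a live session you would replace `sample_read_mem` with the debugger's memory read and feed it the 16 bytes at `SomeVar + 0x4b` and `SomeVar + 0x47` from the decompiled call; the tag in the first word tells you whether `__vbaVarTstEq` is comparing two strings, two numbers, or a mix it will have to coerce first.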
WaxfordSqueers
Senior Member
Posts: 1001
Joined: Tue Apr 06, 2004 11:00 am

Post by WaxfordSqueers »

evaluator wrote: well, I not think PDB file will of great help.
I was looking at the pdb only to find which msvbvm60.dll it referenced. I decided to look at it with dbh.exe to see what it looked like inside. Meanwhile, I have been using Ollydbg and it seems to find a lot of the functions in msvbvm60. IDA finds all the functions in my VB app in the code section.

Tracing through the code jungle I am finding that a VB app is almost entirely dependent on msvbvm60. All through the code section it calls out to functions like __vbaTstEq, which calls into msvbvm60 then onto oleaut32. The function I just mentioned compares two strings (serials) by converting them to a real type decimal number. If you enter a serial like 12345, it converts the serial to a number like 45, which is determined from a generated code based on the name you enter in the registration form.

I found a way to unlock the app during tracing at a FILD instruction where a hex character is converted to its decimal equivalent in ST0 of the FPU. I changed ST0 to the code I entered, replacing the single real type number with my entire guessed serial, which was all numeric, and it accepted the change and registered the app. I did that because the next instruction FCOM was comparing the number in ST0 of the FPU with my guessed serial. Now I need to either find the good guy jump points or find out how the app converts the input serial to the real serial.

I have the classic serial fishing problem of not knowing the length of the serial or which characters are required. With some serials, they immediately check the length, and if it's wrong they reject you. This one does not do that but it performs no action on a serial that is all numbers. I'll need to try alphabetical characters to get an idea of how it converts them to a single decimal number. Just occurred to me that many apps check for a range of characters.

One positive about a VB serial fishing expedition is that the VB code is mainly taking place in system files so there's not much a programmer can do to obfuscate the process.
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

Put one 'A' & look at the generated serial. Put a second 'A' and look at the generated one. Also try a third 'A'. For me it was enough to guess the simple math :)