VBReFormer 2007 Professional v5.0 - Visual Basic 5 and 6 decompiler (2.49Mb's).
VBRezQ v3.1b - Source Recovery for Visual Basic 4 (32-bit), 5 and 6 (244k).
Programs written in Visual Basic sadly proliferate on the web; you'll easily identify them when reverse engineering or disassembling by their use of the run-time dll: vbrun300.dll for VB3, vb40032.dll for VB4 and msvbvm50.dll for VB5 (msvbvm60.dll for VB6 is now also available and we are just starting to see programs protected with it). There also exists a legacy 16-bit VB4 run-time, vb40016.dll; see below for its compare code.
Visual Basic executables are essentially just scripts which make calls into the functions exported by the run-time dll; this is actually a really convenient way to develop good looking GUI applications without the hassle of a lot of coding (point and click programming, as it is affectionately known). When you reverse these targets, ensure that you have modified your winice.dat to include the relevant dll exports; it's only really worth doing with VB5, since VB3 can be decompiled to its 'tokens' quite effectively using DoDi's decompiler.
Use the picture below to learn how to customise another brilliant tool from Compuware / NuMega, SmartCheck, which produces a "commented movie" (Fravia's words) of all operations; beware though of p-code compiled programs (the most recent version is v6.03). It is also useful to be aware of the various dll compare routines which compare 2 wide character strings. Turning on the floating point window in older versions of SoftICE with "wf -d f" is recommended (newer versions require just wf); unless you use IceDump v5.0 there is no way to modify the FPU registers.
Most versions of VB use what is called wide-character format to represent string data. This is basically padding each character with a null byte; consider the string 'Your serial #' :-
In ordinary HEX this would be represented as :- 59 6F 75 72 20 73 65 72 69 61 6C 20 23
In Wide Char :- 59 00 6F 00 75 00 72 00 20 00 73 00 65 00 72 00 69 00 61 00 6C 00 20 00 23 00
As I discussed earlier, the main backbone of VB is the runtime dll, which executes most of the common functions; one such task might involve the comparison of 2 wide character strings (you'll find this discussed in several tutorials). Here, for example's sake, is the code from vb40016.dll (16-bit VB4) :-
: 8BF8   MOV  DI,AX        ; DI = offset of the 2nd string
: 8EC2   MOV  ES,DX        ; ES = segment of the 2nd string, so ES:DI -> string 2
: 1E     PUSH DS
: C5760E LDS  SI,[BP+0E]   ; far pointer from the stack frame, DS:SI -> string 1
: 33C0   XOR  AX,AX        ; AX = 0 (the 'equal' result)
: F3A6   REPZ CMPSB        ; Here the strings in DS:SI & ES:DI are compared,
: 7405   JZ   2667         ; byte by byte while equal; if all matched, AX stays 0
: 1BC0   SBB  AX,AX        ; mismatch: AX = -1 if string 1 < string 2 (borrow set), else 0
: 1DFFFF SBB  AX,FFFF      ; ... which leaves AX = -1 (less) or turns 0 into 1 (greater)
You now understand, of course, just how useful being able to bpx these locations might be :-).
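As an added example (not code from the original page), the Python below shows the two encodings of 'Your serial #' as they sit in a binary, locates both in a constructed sample buffer (the copies a plain ANSI string search misses are the wide-char ones), and emulates the -1/0/1 result of the vb40016.dll compare routine above. The function and sample names are mine, and the emulation assumes CX held the common byte length.

```python
# Added example: VB wide-char strings in a binary, and the 16-bit compare result.

def to_wide(text: str) -> bytes:
    """VB wide-char form: each ANSI character followed by a 00 byte (UTF-16LE)."""
    return text.encode("utf-16-le")

def hex_dump(data: bytes) -> str:
    """Render bytes the way the page shows them: '59 00 6F 00 ...'."""
    return " ".join(f"{b:02X}" for b in data)

def find_string_refs(blob: bytes, text: str) -> dict:
    """Every offset at which `text` occurs, in ANSI and in wide-char form.
    A disassembler that only searches ANSI reports the first list and
    silently misses the second."""
    hits = {"ansi": [], "wide": []}
    needles = (("ansi", text.encode("latin-1")), ("wide", to_wide(text)))
    for name, needle in needles:
        pos = blob.find(needle)
        while pos != -1:
            hits[name].append(pos)
            pos = blob.find(needle, pos + 1)
    return hits

def vb16_compare(a: bytes, b: bytes) -> int:
    """Emulate the listing above: REPZ CMPSB over the common length (assumed
    to be what CX held), then SBB AX,AX / SBB AX,FFFF turn the borrow flag
    into -1 (a < b), 0 (equal) or 1 (a > b)."""
    for x, y in zip(a, b):
        if x != y:
            return -1 if x < y else 1
    return 0

# Constructed sample buffer: filler, an ANSI copy, filler, then a wide-char copy.
SAMPLE = (b"\x90" * 8 + b"Your serial #" + b"\x00" * 5
          + to_wide("Your serial #") + b"\x00\x00")

if __name__ == "__main__":
    print("ANSI :", hex_dump(b"Your serial #"))
    print("Wide :", hex_dump(to_wide("Your serial #")))
    print(find_string_refs(SAMPLE, "Your serial #"))
    print(vb16_compare(b"ABC", b"ABD"), vb16_compare(b"ABC", b"ABC"))
```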
http://www(dot)ds-technical(dot)com/ - deliberately not hyperlinked.
Certain VB programs that you may find on the web accept an unlock code so you can use a product at its full capability (after paying a fee of course, because not paying would be illegal). Examples of such programs include those that let you prepare for the MCSE exams by trying example questions and paying for the facility to try others. A String Reference from one such hypothetical target might look like so :-
* Possible StringData Ref from Code Obj -> '<censored>'
:00<censored> MOV DWORD PTR [EBP-212], 004084D8
:00<censored> MOV DWORD PTR [EBP-220], 00008008
:00<censored> CALL MSVBVM60.__VbaVarTstEq
Other String Data References - "<censored>", "<censored>", "<censored>", "<censored>".
An incredibly clever protection strategy isn't it? :-).
MultiByteToWideChar, rtcR8ValFromBstr, WideCharToMultiByte, __vbaStrCmp, __vbaStrComp, __vbaStrCopy, __vbaStrMove, __vbaVarTstNe (note the 2 leading underscores), rtcBeep, rtcGetPresentDate (time API), rtcMsgBox.
In the dark old days of VB reversing most of us were using just SoftICE or a HEX editor. To a limited extent disassembling VB programs has always been possible with IDA or W32Dasm, yet the latter would never locate the String Data References, until now that is: patch your copy of W32Dasm v8.93 at offsets 0x16B6C-0x16B6D from 28 F6 to 98 F4. * Note - most versions of W32Dasm you can download around the net probably already have this patch applied.
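The patch above as an added example (not code from the original page): a small Python routine that applies the 2-byte change to a copy of the file only after checking that the bytes at 0x16B6C are the expected 28 F6, and that recognises a copy which already carries 98 F4. The offsets and byte values are those stated on the page; the sample file contents and the function names are mine.

```python
# Added example: apply the W32Dasm v8.93 string-reference patch safely.
# Offsets and bytes are from the page; the sample file is constructed.

PATCH_OFFSET = 0x16B6C
ORIGINAL_BYTES = bytes.fromhex("28F6")   # what an unpatched v8.93 holds
PATCHED_BYTES = bytes.fromhex("98F4")    # what the patched copy holds

def patch_state(data: bytes) -> str:
    """'unpatched', 'patched' or 'unknown' for the 2 bytes at the offset."""
    window = data[PATCH_OFFSET:PATCH_OFFSET + len(ORIGINAL_BYTES)]
    if window == ORIGINAL_BYTES:
        return "unpatched"
    if window == PATCHED_BYTES:
        return "patched"
    return "unknown"   # wrong version or a differently modified copy

def apply_patch(data: bytes) -> bytes:
    """Return a patched copy of `data`; never overwrite bytes we do not recognise."""
    state = patch_state(data)
    if state == "patched":
        return data                      # nothing to do (most copies on the net)
    if state == "unknown":
        raise ValueError("bytes at 0x%X are neither 28 F6 nor 98 F4; not W32Dasm v8.93?"
                         % PATCH_OFFSET)
    out = bytearray(data)
    out[PATCH_OFFSET:PATCH_OFFSET + len(PATCHED_BYTES)] = PATCHED_BYTES
    return bytes(out)

def make_sample(already_patched: bool = False) -> bytes:
    """Constructed stand-in for the W32Dasm binary: filler plus the 2 bytes at the offset."""
    body = bytearray(b"\x00" * (PATCH_OFFSET + 16))
    body[PATCH_OFFSET:PATCH_OFFSET + 2] = PATCHED_BYTES if already_patched else ORIGINAL_BYTES
    return bytes(body)

if __name__ == "__main__":
    # For a real file: data = open(path, "rb").read(); write apply_patch(data) to a new file.
    original = make_sample()
    print(patch_state(original), "->", patch_state(apply_patch(original)))
```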
GPcH Soft's VB Decompiler Pro v3.4 (2.12Mb) - The latest in VB decompiling technology. Should this link expire it shouldn't take more than about 1 minute to find a working download with the search string 'VB.Decompiler.Pro.v3.4-YAG'.
josephCo's VB5/6 p-code decompiler (571k) - This is now an old beta version; I'm unsure whether there is an updated version, and if there is, it isn't public. Some VB p-code Information (10k). If you are really interested in this stuff, be sure to get the all new WKTVBDebugger.
Target Name | Description | Date |
VB5 trick for serial number protections | Revealing the VB5 (msvbvm50.dll) wide character compare code. | 26/05/98 |
Bubba's Decompiling Forms for CT Software | Elementary VB decompiling and ASCII conversion. | 29/12/98 |
ChromaPIX v1.0fc1 | String reference locating with ASM Key Generator. | 07/09/99 |
Cuentapasos v3.75 | Time trial extending & nag screen elimination, pure VB theory and highly recommended, translation from the Spanish original (thanks to WKT). | 29/12/99 |
Dutoon (by Duran) | Patching a VB5 program in 2 ways (assisted by Typh). | 27/07/98 |
E-Z Credit '98 | __vbaVarTstNe (another useful VB breakpoint). | 29/01/99 |
EscapeRC v1.0.1 | VB Time-Trial cracking with W32Dasm by ACiD BuRN. | 26/10/99 |
EyeCU v1.1 | Timer limits and nag box removing by SHeeP140. | 31/08/99 |
Lan-Box v1.01 | Following an algorithm in SmartCheck by ACiD BuRN. | 26/10/99 |
Little Drummer Boy | Understanding decompiled VB forms by Bomber Monkey. | 19/02/99 |
Mouse & Key Recorder v2.5.2 | Filling in the gaps left by SmartCheck with ASM Key Generator. | 06/10/99 |
MusicMatch JukeBox v2.03 & v2.51 | More VB5 reversing, C++ Key Generator in the archive. | 21/01/99 |
News Poster Pro v5.3.4 | 2 approaches to VB5 reversing with C Key Generator. | 21/12/98 |
Split32 v1.1 | A concept tutorial by PaRKeR, using SmartCheck to reverse engineer. | 14/12/98 |
The World vs Transcender Corp. | Simple serial number catching by AlpHaz. | 21/07/99 |
Visi Font Gold 2.0 | SmartCheck Key Generating courtesy of ManKind. | 06/04/00 |
widYa-cL's Guide to VB5 serial catching | Pretty Good Solitaire 98 & Pam v1.13. | 26/02/99 |
Wave Events v2.0 | Learn about the FPU and protections using it. | 18/02/99 |
WinArj98 | VB4 code tracking by BigMoM with Win32 ASM Key Generator. | 03/12/98 |
Win Sensual Jack | Tracking VB4 string manipulation to an inevitable compare. | 29/10/98 |
MsgBox() Button Combinations
OK only.
OK and Cancel.
Abort, Retry, and Ignore.
Yes, No, and Cancel.
Yes and No.
Retry and Cancel.
Useful VB String Functions
Val() - Convert string to number.
Str$() - Convert number to string.
Left$() - Substring from left end e.g. Left$("Theodolite", 4) = "Theo".
Right$() - Substring from right end.
Ltrim$() - Trim spaces off left e.g. Ltrim$(" Hello ") = "Hello ".
Rtrim$() - Trim spaces off right.
Trim$() - Trim spaces off both ends.
Asc() - Convert char. to ANSI code e.g. Asc("A") = 65.
Chr$() - Convert ANSI code to char. e.g. Chr$(65) = "A".