VISUAL BASIC REVERSED - A decompiling approach
Frameworks are getting more and more popular today, and Visual Basic is one of them. Personally I hate frameworks, and so do most reversers. So why this tutorial? We can consider both the light and the dark side of the problem: frameworks usually put a lot of code into the compiled programs, so it becomes hard to find your way through all that jungle. But they also use sets of pre-built objects, so those objects are always the same and can be recognized, which helps the reverser understand the code itself. A VB PE carries a lot of information inside the exe, so you can easily extract everything you need about all the components of the program.
To analyze a VB application I used this program, which was written by a friend of mine (thank you _d31m0s_!). It's a sort of name/serial crackme, but we are not interested in serial fishing; we are interested in how it works and how VB knows how to build the app itself. I asked my friend to write it adding some event handling (colors, mouse-over, etc.) and a simple algorithm to check the serial. He also wrote the proggy using several source files and various subs (some null subs too). We also have the full source, but we will look at it later.
Before VB5, VB programs were not really translated into assembler; they were compiled to pseudo code (hehe, you all remember those hated p-code exes!), and the VB virtual machine had the task of interpreting the pseudo code and executing it. Those programs were linked to the vbrun100, vbrun200, vbrun300 or vbrun400 DLLs (depending on the version); well, things are a little different because there were variations between 16-bit and 32-bit modules (p-code exes were mostly 16-bit apps), but that is not what we are looking for. Today we have versions 5 and 6 of VB, which use MSVBVM50.dll and MSVBVM60.dll, and now VB exes are really compiled and translated into asm. As you all know, you can't use the usual breakpoints like "GetWindowTextA" when debugging VB programs; instead you should use the APIs exported from the VBVM DLL (e.g. for a serial check I would use __vbaStrCmp or rtcMsgBox). If you want to use these APIs in SoftICE you just have to load the VB DLL (in winice.dat or via the Symbol Loader). This will help you debug VB applications.
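As an added example (not code from the tutorial or from _d31m0s_'s crackme), the following Python walks a PE32 import directory the way a reverser would to find out which VB runtime a binary is linked against and which VBVM exports it actually imports, which are exactly the breakpoint candidates mentioned above. It assumes a flat buffer in which RVA equals offset (a constructed sample import table is built inline); a real file also needs the section table to map RVAs to file offsets, and the parser and function names are my own.

```python
import struct

# Added example: walk a PE32 import directory to find the VB runtime DLL and the VBVM exports
# imported from it. Assumption: flat image where RVA == offset (no section table needed).
IMPORT_DESC_FMT = "<IIIII"   # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
ORDINAL_FLAG32 = 0x80000000  # IMAGE_ORDINAL_FLAG32: thunk holds an ordinal, not a name RVA
VB_RUNTIMES = {"MSVBVM50.DLL": "VB5 (MSVBVM50.dll)", "MSVBVM60.DLL": "VB6 (MSVBVM60.dll)"}

def read_cstr(buf, off):
    """Read a NUL-terminated ASCII string starting at off."""
    return buf[off:buf.index(b"\0", off)].decode("ascii")

def parse_imports(image, import_dir_rva):
    """Return {DLL name: [imported function names or 'ordinal#N']} from the import descriptors."""
    imports, off = {}, import_dir_rva
    while off + 20 <= len(image):
        oft, _, _, name_rva, ft = struct.unpack_from(IMPORT_DESC_FMT, image, off)
        if name_rva == 0:                 # all-zero descriptor terminates the table
            break
        thunk, names = (oft or ft), []    # OriginalFirstThunk may be 0; fall back to FirstThunk
        while (entry := struct.unpack_from("<I", image, thunk)[0]) != 0:
            if entry & ORDINAL_FLAG32:
                names.append("ordinal#%d" % (entry & 0xFFFF))
            else:
                names.append(read_cstr(image, entry + 2))  # skip the 2-byte hint
            thunk += 4
        imports[read_cstr(image, name_rva).upper()] = names
        off += 20
    return imports

def vb_breakpoints(imports):
    """Identify the VB runtime and list the __vba*/rtc* exports actually imported from it."""
    for dll, funcs in imports.items():
        if dll in VB_RUNTIMES:
            return VB_RUNTIMES[dll], sorted(f for f in funcs if f.startswith(("__vba", "rtc")))
    return None, []

def build_sample_image():
    """Constructed sample: one import descriptor for MSVBVM60.DLL (two names, one ordinal)."""
    thunk_rva = 40                            # one descriptor + all-zero terminator = 2 * 20 bytes
    strings, base = bytearray(), 40 + 4 * 4   # strings follow three thunks + terminator
    def add(s):
        rva = base + len(strings)
        strings.extend(s + b"\0")
        return rva
    dll_rva = add(b"MSVBVM60.DLL")
    fn = [add(b"\0\0" + n) for n in (b"__vbaStrCmp", b"rtcMsgBox")]  # 2-byte hint + name
    thunks = struct.pack("<IIII", fn[0], ORDINAL_FLAG32 | 100, fn[1], 0)
    descs = struct.pack(IMPORT_DESC_FMT, thunk_rva, 0, 0, dll_rva, thunk_rva) + b"\0" * 20
    return bytes(descs + thunks + strings), 0   # (image, import directory RVA)
```

Running `vb_breakpoints(parse_imports(*build_sample_image()))` yields the runtime label and `['__vbaStrCmp', 'rtcMsgBox']`, the two exports you would then load symbols for and break on.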