VB Decompiler

_aLfa_

I was wondering if I should post all the steps needed to get VB Header file address...

I'm sure that there are lot of "wannabes" that would like to start on VB decompiling, but they don't have any clue were to start.
Point is, if they start somewhere we then have more brains thinking, and we may start to find out more hidden things

Give me your opinion on this, specially, MrU, Sarge, Moog, golem and vbgamer.

P.S.: There are some diferences between VB5/VB6 and then DLL/EXE/OCX plus some other 'protectors'.
_________________
One thing only I know, and that is that I know nothing. (Socrates)

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

Well, for VB6, they can use Skeleton...and probably apply the concepts there to VB5, and OCX, etc. So, if Skeleton is freely available, (umm...is it still around?) so that the "secret" is no longer secret, it seems to me that we can certainly expose/display it here in the text posts; after all, it's already public if they DO choose to use skeleton.

Comments?

Sarge

vbgamer45 · Posted: Mon Aug 02, 2004 2:08 pm Post subject:

Right now I have been focused mainly on vb6 exe files.
I haven't spent much time on dll's or ocx's yet.
The peskeleton helped me the most in where to begin.
It would be very interesting to see the difercenes for the other files..
I started on vb decompiling as soon as I found out how to get the first vbheader, so I think it would be very helpful for others.

_aLfa_ · Posted: Mon Aug 02, 2004 2:12 pm Post subject:

Sarge, thing is PE skeleton doesn't show all things in a 'readable' way and it doens't read VBShrink protected files.

Plus it doesn't support Visual Basic 5, because PE skeleton does bad calculations to find out VB header.
_________________
One thing only I know, and that is that I know nothing. (Socrates)

MrUnleaded · Posted: Mon Aug 02, 2004 3:16 pm Post subject:

I think that by the time someone figures out how to get to the VB Header....they will be so excited about getting to it and want to pursue more....or they will have given up.

The PE/COFF structure is readily available from microsoft....it isnt that hard to work to the entrypoint...

I pretty much feel that because it is openly available...its not a big deal to "hand out" the answers...but also if we hand out all the info....even the easiest part.....then we might end up with too many people that give up.
_________________
-MrU

_aLfa_ · Posted: Mon Aug 02, 2004 4:17 pm Post subject:

You got a point there, but VB6 compiled executables are pretty easy to get VB Header, because you guys all have lazy bums, and go to the wrong way

hehe...
_________________
One thing only I know, and that is that I know nothing. (Socrates)

MrUnleaded · Posted: Mon Aug 02, 2004 4:25 pm Post subject:

[="_aLfa_":2jh3h3r8]You got a point there, but VB6 compiled executables are pretty easy to get VB Header, because you guys all have lazy bums, and go to the wrong way

hehe...[/:2jh3h3r8]

Well...if you are really lazy...you can just search the file for the string "VB5!"

dont pay no attention to the entrypoint/PE/DOS headers etc.
_________________
-MrU

vbgamer45 · Posted: Mon Aug 02, 2004 4:33 pm Post subject:

LOL, thats what I first did till I found the peskeleton...

_aLfa_ · Posted: Mon Aug 02, 2004 4:54 pm Post subject:

/me stabs MrU in the face...
_________________
One thing only I know, and that is that I know nothing. (Socrates)

MrUnleaded · Posted: Mon Aug 02, 2004 5:21 pm Post subject:

[="_aLfa_":2f6ricr3]/me stabs MrU in the face...[/:2f6ricr3]

_aLfa_ · Posted: Tue Aug 10, 2004 11:06 am Post subject:

vbgamer I'll give you a tip for when you get interest in getting vb header file offset for DLL/OCX.
Instead of disassembling the entry point, try disassembling the DLLCanUnloadNow export (this functions passes the control flow to the vb runtime)

Happy decompiling...
_________________
One thing only I know, and that is that I know nothing. (Socrates)

vbgamer45 · Posted: Wed Aug 18, 2004 1:39 pm Post subject:

Thanx _aLfa_, Got ocx's done. Now to look into VB5 exe's and see how its different.

_aLfa_ · Posted: Wed Aug 18, 2004 3:38 pm Post subject:

The diference in VB5 is all about section alignments, so you must calculate entry point address taking that in account (and of course it works for VB6 too, because entry point is an RVA like data directories rva's for example )
_________________
One thing only I know, and that is that I know nothing. (Socrates)

MrUnleaded · Posted: Tue Aug 24, 2004 1:19 am Post subject:

[="MrUnleaded":qjhjjzqs]I think that by the time someone figures out how to get to the VB Header....they will be so excited about getting to it and want to pursue more....or they will have given up.

The PE/COFF structure is readily available from microsoft....it isnt that hard to work to the entrypoint...

I pretty much feel that because it is openly available...its not a big deal to "hand out" the answers...but also if we hand out all the info....even the easiest part.....then we might end up with too many people that give up.[/:qjhjjzqs]

I changed my mind....i am too lazy to do the PE headers again

i know i posted that link hee somewhere...
_________________
-MrU

Dr Memory · Expert Joined: 16 Aug 2004 Posts: 147 Location: Surrey, UK

[="MrUnleaded":3e0an32f]I think that by the time someone figures out how to get to the VB Header....they will be so excited about getting to it and want to pursue more....or they will have given up.

The PE/COFF structure is readily available from microsoft....it isnt that hard to work to the entrypoint... [/:3e0an32f]

I'm not sure what the fuss is about - 5 minutes with "AndreaGeddon", and a little knowledge about how DLL's work, suggested the following simple algorithms should work. They did.

_aLfa_ · Posted: Tue Aug 24, 2004 8:58 pm Post subject:

How to get VB Header File Offset (This method isn't related to reading the file from memory)