VB Decompiler

Dr Memory · Expert Joined: 16 Aug 2004 Posts: 147 Location: Surrey, UK

While browsing through the msvbvm60 library's Travel section, looking for somwhere to go, I came across these:

ProcCallEngine

MethCallEngine

It looks like the runtime pcode interpreter to me!

I only found one mention in this site - odd, I thought!

so I went looking and found this at Virus Bulletin:
http://www.virusbtn.com/print/magazine/ ... earing.xml

That's an interesting article! worth a look

vbgamer45 · Posted: Tue Sep 07, 2004 8:05 pm Post subject:

Thank you, Dr Memory.
I remember seeing that article a couple weeks ago. Back then it wasn't of use to me but now that I started more on PCode it will be very helpful.
Finally, i may beable to figure out how to process VCallH from that article.

_aLfa_ · Posted: Tue Sep 07, 2004 8:39 pm Post subject:

Very nice article
_________________
One thing only I know, and that is that I know nothing. (Socrates)

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

FYI:
a Virtual Call does a complete ContextSwitch of the running environment, in effect spawning another thread. That's why it's so complex. If you put a debugger break point on the Virtual Call, and another one on the first opcode of the called proc, you can observe that the CPU registers reflect a completly new run space. This complicates the analysis procedure in that, if the new procedure does not happen to perform an EndOfScope, the stack variables of the original (calling) proc do NOT match the pre-called values.

This same type of operation also occurs on 0x0A calls, as well as a number of others that escape me at the moment. (I think 0x0F might also be one).

And, of course, if the called proc returns a value, you now need to track that.

Sarge

Dr Memory · Expert Joined: 16 Aug 2004 Posts: 147 Location: Surrey, UK

Just a thought from left field .....

I wonder if it was Crystal who wrote the Meth engine?

That reminds me (for some reason): the curious appellation "Regular User" above my Avatar seems to be suggesting something ... but what?

Dr Memory · Expert Joined: 16 Aug 2004 Posts: 147 Location: Surrey, UK

The system has worked out my age, mysteriously....

... albeit in HEX!

That could explain the strange birthday greeting I got today ...

I love software updates!

PS: Capricorn, though, that's not even warm! Come on!

_aLfa_ · Posted: Wed Sep 08, 2004 5:50 pm Post subject:

" title="Razz" />
_________________
One thing only I know, and that is that I know nothing. (Socrates)

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

Does the fact that your avator shows you smoking something seem suggestive?

Sarge

Dr Memory · Expert Joined: 16 Aug 2004 Posts: 147 Location: Surrey, UK

That's no avatar - that's an old passport photo .....

It was taken some years ago .... I've less hair now ....

And since I lost an eye in a motorcycle accident, I have to wear an eye patch, of course ....

MrUnleaded · Posted: Thu Sep 09, 2004 4:53 am Post subject:

[="Dr Memory":1y64cetn]That's no avatar - that's an old passport photo .....

It was taken some years ago .... I've less hair now ....

And since I lost an eye in a motorcycle accident, I have to wear an eye patch, of course ....

[/:1y64cetn]lol you are something else
_________________
-MrU