Object
_aLfa_
Site Admin


Joined: 21 Sep 2002
Posts: 233
Location: Aveiro, Portugal

Posted: Fri Sep 27, 2002 4:35 pm     Post subject: Object

Parents:
Object Table

Code:
Private Type tObject
    aObjectInfo As Long       ' 0x00 (00d) Pointer to ObjectInfo
    lConst1 As Long           ' 0x04 (04d)
    aPublicBytes As Long      ' 0x08 (08d) Pointer to Public Variable Size integers
    aStaticBytes As Long      ' 0x0C (12d) Pointer to Static Variables Struct
    aModulePublic As Long     ' 0x10 (16d) Memory Pointer to Public Variables
    aModuleStatic As Long     ' 0x14 (20d) Pointer to Static Variables
    aNTSObjectName As Long    ' 0x18 (24d) Pointer to Object Name
    lMethodCount As Long      ' 0x1C (28d) Number of methods
    aMethodNameTable As Long  ' 0x20 (32d) Pointer to method names array
    oStaticVars As Long       ' 0x24 (36d) Offset to Static Vars from aModuleStatic
    lObjectType As Long       ' 0x28 (40d) Flags defining this object behaviour
    lNull2 As Long            ' 0x2C (44d)
    ' 0x30 (48d) <- Structure Size
End Type


Flags:
Object Type Bits

Notes:
* lConst1 is set to -1 by the compiler (maybe some reserved value).
* aPublicBytes points to a structure of 2 integers (iStringBytes and iVarBytes) and this structure tells how many pointers will be in memory at aModulePublic.
* aMethodNameTable is an array(1 to MethodCount) of addresses (longs), and each of these addresses points to a NTS. The index of the Method Name corresponds to the index of ObjectInfo.Method().
* iNull1 and lNull2 seem to be never written/read by the compiler/runtime.

Pointers:
aPublicBytes
aStaticBytes
Object Info
Optional Object Info = aObjectInfo+0x38 (Only if OptObjectInfo Bit is set in ObjectType)


Last edited by _aLfa_ on Sat Aug 28, 2004 4:58 pm; edited 7 times in total
MrUnleaded
Site Admin


Joined: 21 Sep 2002
Posts: 385
Location: California

Posted: Sat Sep 28, 2002 1:08 am     Post subject:

you pretty much had the same as i did....
btw I edited your post
Anonymous
New User


Joined: 10 Feb 2008
Posts: 0

Posted: Sat Sep 28, 2002 12:56 pm     Post subject:

I'd change:

NumberOfFunctions As Long ' 0x1C

To:

AmountOfFunctionsAndEvents As Long ' Amount of functions and events in an object

Because it also includes the number of events, and external "functions" such as declare statements etc...

Additionally, object type (ObjectType as Long). This is actually a bitmask. The last but one bit defines whether ObjectInfo has OptionalObjectInfo. I haven't bothered to check out the rest. Note this is a bitmask, not a bytemask.
MrUnleaded
Site Admin


Joined: 21 Sep 2002
Posts: 385
Location: California

Posted: Sat Sep 28, 2002 9:59 pm     Post subject:

moogman wrote:
> I'd change:
>
> NumberOfFunctions As Long ' 0x1C
>
> To:
>
> AmountOfFunctionsAndEvents As Long ' Amount of functions and events in an object
>
> Because it also includes the number of events, and external "functions" such as declare statements etc...
>
> Additionally, object type (ObjectType as Long). This is actually a bitmask. The last but one bit defines whether ObjectInfo has OptionalObjectInfo. I haven't bothered to check out the rest. Note this is a bitmask, not a bytemask.

but that's such a long name...hehe wouldn't AmountOfProcedures be a better name?

and on the BitMask Thing you said the last bit.....meaning the least significant? or most significant?

I'll add changes after you reply


Last edited by MrUnleaded on Mon Jan 05, 2004 2:39 am; edited 1 time in total
Anonymous
New User


Joined: 10 Feb 2008
Posts: 0

Posted: Sun Sep 29, 2002 11:12 am     Post subject:

Ok, the name isn't really the concern - but the description and usage is. I was just trying to clear it up. AmountOfProcedures may well be a better name for it, as long as we all know that it includes other things such as external declares et al. With the bitmask thing, I can't remember, I think it's the second least significant bit, but I'm sure you can figure it out by compiling a module and a form, and comparing the bitmasks for them...
MrUnleaded
Site Admin


Joined: 21 Sep 2002
Posts: 385
Location: California

Posted: Mon Sep 30, 2002 1:52 am     Post subject: what the func?

moogman wrote:
> Ok, the name isn't really the concern - but the description and usage is. I was just trying to clear it up. AmountOfProcedures may well be a better name for it, as long as we all know that it includes other things such as external declares et al. With the bitmask thing, I can't remember, I think it's the second least significant bit, but I'm sure you can figure it out by compiling a module and a form, and comparing the bitmasks for them...


for bitmasks....how do you remove the unneeded items?....like if you have a long....and you dont need a bit and u want to cancel it out...

[dont need first bit]
func(10010011) = 00010011
func(00010011) = 10010011
func(10111011) = 00111011

whats func(x)?

func(x) = x XOR 10000000

is that correct? [i dont think so.....]

is it one op? or are there several?


Last edited by MrUnleaded on Mon Jan 05, 2004 2:40 am; edited 1 time in total
Anonymous
New User


Joined: 10 Feb 2008
Posts: 0

Posted: Mon Sep 30, 2002 1:06 pm     Post subject:

You can AND bits with 0 to force them to become 0, and OR bits with 1 to force them to 1. Change this to a long and AND the value onto it... Can't remember what 1000 0000 is as a long, but if you OR'd it with your number, it'd force the first bit to 1. Additionally, if you ADDed 0111 1111 with your number, it'd force the first bit to 0 and ignore the rest. Simple
sarge
Moderator


Joined: 24 Sep 2002
Posts: 194

Posted: Tue Nov 19, 2002 6:40 pm     Post subject: suggestion

Under "related items" you have two reference/links to structs that appear elsewhere; very convenient. Can a reference/link be added to take you to ObjectType also (relating to the reference to OptObjectInfo Bit)?
Would be appreciated.

Thanks
Sarge
MrUnleaded
Site Admin


Joined: 21 Sep 2002
Posts: 385
Location: California

Posted: Tue Dec 03, 2002 11:30 pm     Post subject: Re: suggestion

sarge wrote:
> Under "related items" you have two reference/links to structs that appear elsewhere; very convenient. Can a reference/link be added to take you to ObjectType also (relating to the reference to OptObjectInfo Bit)?
> Would be appreciated.
>
> Thanks
> Sarge

I must have missed this post

done
_________________
-MrU


Last edited by MrUnleaded on Mon Jan 05, 2004 2:42 am; edited 1 time in total
MrUnleaded
Site Admin


Joined: 21 Sep 2002
Posts: 385
Location: California

Posted: Tue Dec 17, 2002 3:54 pm     Post subject: update

I found something that no-one had noted before.....

so i changed Flag1 to aProcNamesArray

I'm not sure when you get these names....but you can see the "FunctionX" and "SubX" of frmMain in CommonApp2
_________________
-MrU
sarge
Moderator


Joined: 24 Sep 2002
Posts: 194

Posted: Tue Dec 17, 2002 6:47 pm     Post subject:

For CommonApp1:

VB5 = $11B4 VBHeader
$11B4 + 30h = $11E4, points to $127C ProjectInfo
$127C + 4h = $1280, points to $14B8 ObjectTable
$14B8 + 30h = $14E8, points to $150C Object
$150C + 20h = $152C, points to $156C ???

$1560 = 3 NULLs, then the module names

For CommonApp2:

VB5 = $11E4 VBHeader
$11E4 + 30h = $1214, points to $1420 ProjectInfo
$1420 + 4h = $1424, points to $165C ObjectTable
$165C + 30h = $168C, points to $16B0 Object
$16B0 + 20h = $16D0, points to $1710 ???

$1710 = 7 NULLS, then 4 addresses, then the module names.

So...
Why does CA1 have 3 NULLS, but CA2 has 7? Or, if 3 is the standard, then the remaining count is 4, which is the quantity of the names. Coincidence?

Why does CA2 have names, but CA1 not? We know VB doesn't put procedure names in as a rule, so what do those names represent? Without the source to CommonApp2, it's hard to tell.

How do you tell if the names even exist, so that you know NOT to attempt to access them, as in CA1? Or is there a flag/counter someplace else that is non-zero (maybe even 4!) that tells you the names DO exist, as in CA2?

Where/how do "Function1" etc appear in your code?

You are definitely on to something, but how to determine when the pointers at $1560/$1710 do or do not point to good stuff needs to be determined.

Good work!

Sarge
MrUnleaded
Site Admin


Joined: 21 Sep 2002
Posts: 385
Location: California

Posted: Tue Dec 17, 2002 10:39 pm     Post subject: ;)

sarge wrote:
> Why does CA2 have names, but CA1 not? We know VB doesn't put procedure names in as a rule, so what do those names represent? Without the source to CommonApp2, it's hard to tell.

my guess is they are public....I'm not sure...moog little help? perhaps post the source of one of the correlating functions/subs

sarge wrote:
> How do you tell if the names even exist, so that you know NOT to attempt to access them, as in CA1? Or is there a flag/counter someplace else that is non-zero (maybe even 4!) that tells you the names DO exist, as in CA2?

if aProcNamesArray <> 0 then {
    for each item {
        if item <> 0 then get Name
    }
}

sarge wrote:
> Where/how do "Function1" etc appear in your code?

"Function Function1() as String" ...or some similar variant of this...and it would of course be in the correlating object
_________________
-MrU


Last edited by MrUnleaded on Mon Jan 05, 2004 2:43 am; edited 1 time in total
sarge
Moderator


Joined: 24 Sep 2002
Posts: 194

Posted: Wed Dec 18, 2002 4:18 am     Post subject:

Quote:
> if aProcNamesArray <> 0 then {
>     for each item {
>         if item <> 0 then get Name
>     }
> }

Well, this is close, I think. But if you are skipping the 0's, then getting data (which happens to be Name) via a non-0 pointer, won't you try to get data when you hit the also non-0 text of the module name that comes after the real (4 in this case) pointers?

I suspect that the appearance of "Function1" as text in the exe is similar to the appearance of the Declaration text; in the high level overview of the Project, while the actual use in a module is not named, just referenced. But right or wrong, it would be neat to be able to pull them out cleanly.

Boy, how much we have learned. Boy, how much we don't know. Wish we had some help...

sarge
MrUnleaded
Site Admin


Joined: 21 Sep 2002
Posts: 385
Location: California

Posted: Wed Dec 18, 2002 3:46 pm     Post subject:

sarge wrote:
> Quote:
> > if aProcNamesArray <> 0 then {
> >     for each item {
> >         if item <> 0 then get Name
> >     }
> > }
> ....
>
> sarge

oy....ok

if aProcNamesArray is not null then go to the address it contains....

at that address process the number of longs specified by ProcCount

for each Long that is processed.....you do one of two things....

if it is Null you ignore it....

if it is not null you go to the address indicated by the long and retrieve a Null terminated String
_________________
-MrU


Last edited by MrUnleaded on Mon Jan 05, 2004 2:43 am; edited 1 time in total
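
The table walk described in the post above, written out as an added example (not code from this thread or from any decompiler): it reads lMethodCount Longs at aMethodNameTable, keeps null slots as None so indexes stay aligned, and bounds-checks every pointer before following it. The sample image, its base address, the names in it and the MAX_METHODS cap are constructed for illustration.

```python
import struct

# Field order follows the tObject layout in the first post (12 Longs, 0x30 bytes).
FIELDS = ("aObjectInfo lConst1 aPublicBytes aStaticBytes aModulePublic aModuleStatic "
          "aNTSObjectName lMethodCount aMethodNameTable oStaticVars lObjectType lNull2").split()
MAX_METHODS = 4096  # assumed sanity cap for this example, not a documented limit

def to_offset(image, base, va, size):
    """Translate a virtual address to a buffer offset, refusing out-of-range reads."""
    off = va - base
    if off < 0 or off + size > len(image):
        raise ValueError(f"address {va:#x} (+{size}) is outside the image")
    return off

def read_nts(image, base, va):
    """Read a null-terminated string; fail if no terminator exists in the buffer."""
    off = to_offset(image, base, va, 1)
    end = image.find(b"\x00", off)
    if end < 0:
        raise ValueError(f"unterminated string at {va:#x}")
    return image[off:end].decode("latin-1")

def parse_object(image, base, va):
    """Unpack one tObject record into a dict keyed by the field names above."""
    off = to_offset(image, base, va, 0x30)
    return dict(zip(FIELDS, struct.unpack_from("<12I", image, off)))

def method_names(image, base, obj):
    """Return one entry per method slot: the name, or None for a null pointer."""
    count, table = obj["lMethodCount"], obj["aMethodNameTable"]
    if table == 0:
        return []
    if count > MAX_METHODS:
        raise ValueError(f"implausible lMethodCount {count}")
    off = to_offset(image, base, table, 4 * count)
    ptrs = struct.unpack_from(f"<{count}I", image, off)
    return [read_nts(image, base, p) if p else None for p in ptrs]

def build_sample(base=0x400000):
    """Constructed test image: one tObject, a 4-slot name table, two names."""
    img = bytearray(0x100)
    struct.pack_into("<12I", img, 0, 0, 0xFFFFFFFF, 0, 0, 0, 0,
                     base + 0x60, 4, base + 0x30, 0, 0, 0)
    struct.pack_into("<4I", img, 0x30, 0, base + 0x68, 0, base + 0x72)
    img[0x60:0x68] = b"frmMain\x00"
    img[0x68:0x72] = b"Function1\x00"
    img[0x72:0x77] = b"Sub1\x00"
    return bytes(img), base
```

A corrupted or deliberately malformed lMethodCount or name pointer raises ValueError here instead of reading past the end of the file buffer.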
sarge
Moderator


Joined: 24 Sep 2002
Posts: 194

Posted: Wed Dec 18, 2002 5:36 pm     Post subject:

Ok I like it (I never even looked at ProcCount - my bad - sorry).

It is interesting to note that since Object.ProcCount = ObjectInfo.NumberOfProcs, it works out that those non-Nulls here are the publics, while the NULLs (whose count must obviously be the remainder) represent the procedures in the ObjectInfo.ProcTable. Wow, somebody must have planned it that way!


Sarge
Anonymous
New User


Joined: 10 Feb 2008
Posts: 0

Posted: Fri Dec 20, 2002 2:30 am     Post subject:

Source code (http://extra.decompiler.com/progs/store/commonapp2-source.zip) would help indeed. Uh. As for the function names, they are public members of the main form. According to VB people, forms are really classes with a load of members already, so by adding in public routines to the form, you are doing the same as adding public routines into class objects - either way, the name will be in the exe as is apparent.

As for all the other answers: Hmm. I'm too tired to think properly (it's 2:30am and I've just come back from the pub heh), plus I don't know so I'll have to get back to y'all on that... possibly :p
_aLfa_
Site Admin


Joined: 21 Sep 2002
Posts: 233
Location: Aveiro, Portugal

Posted: Mon Aug 02, 2004 4:51 pm     Post subject:

Like moog said, the name isn't a concern, but anyway I changed from Proc to Method (Method is the word that Microsoft uses to describe procedures, functions, properties and events altogether)

Another change for readability
_________________
One thing only I know, and that is that I know nothing. (Socrates)
MrUnleaded
Site Admin


Joined: 21 Sep 2002
Posts: 385
Location: California

Posted: Mon Aug 02, 2004 5:19 pm     Post subject:

Now we have to change ProcedureTable to MethodTable
_________________
-MrU
_aLfa_
Site Admin


Joined: 21 Sep 2002
Posts: 233
Location: Aveiro, Portugal

Posted: Mon Aug 02, 2004 5:22 pm     Post subject:

Indeed, but I can't do that
_________________
One thing only I know, and that is that I know nothing. (Socrates)
vbgamer45
Regular user


Joined: 07 Jul 2004
Posts: 93
Location: 127.0.0.1

Posted: Thu Aug 05, 2004 5:08 pm     Post subject:

Null1 is sometimes an address
Null2 is sometimes an address

Const2 is not constant it changes at times.
_aLfa_
Site Admin


Joined: 21 Sep 2002
Posts: 233
Location: Aveiro, Portugal

Posted: Thu Aug 05, 2004 9:15 pm     Post subject:

I updated those field names, so it won't redirect us in error...
_________________
One thing only I know, and that is that I know nothing. (Socrates)
_aLfa_
Site Admin


Joined: 21 Sep 2002
Posts: 233
Location: Aveiro, Portugal

Posted: Tue Aug 10, 2004 4:50 pm     Post subject:

I have a better way to check if this Object hasn't OptionalObjectInfo or if it's a module (whatever pleases you)
If Address2 has an address then this Object is a module, so it hasn't OptionalObjectInfo
_________________
One thing only I know, and that is that I know nothing. (Socrates)


Last edited by _aLfa_ on Tue Aug 10, 2004 7:57 pm; edited 1 time in total
MrUnleaded
Site Admin


Joined: 21 Sep 2002
Posts: 385
Location: California

Posted: Tue Aug 10, 2004 5:53 pm     Post subject:

What does Address2 point to in a module?
_________________
-MrU
_aLfa_
Site Admin


Joined: 21 Sep 2002
Posts: 233
Location: Aveiro, Portugal

Posted: Tue Aug 10, 2004 8:03 pm     Post subject:

I made a typo in my post; it is now corrected.
Address2 points to some place after the ProjectInfo.ThreadSpace (I haven't found any logical place yet)
_________________
One thing only I know, and that is that I know nothing. (Socrates)
_aLfa_
Site Admin


Joined: 21 Sep 2002
Posts: 233
Location: Aveiro, Portugal

Posted: Sat Aug 28, 2004 12:07 pm     Post subject:

I've updated this structure a lot with the help of Ionescu, so if you find anything that doesn't fit feel free to flame, etc...
_________________
One thing only I know, and that is that I know nothing. (Socrates)
ionescu007
Sometimes here


Joined: 21 Aug 2004
Posts: 33

Posted: Sat Aug 28, 2004 4:10 pm     Post subject:

aUnknown1 As Long ' 0x0C (12d) = Static Variable Structure
aUnknown2 As Long ' 0x14 (20d) = Static Variables
iFlag1 As Integer ' 0x26 (38d) = Offset to Static Vars from unknown2
All times are GMT