| Author |
Message |
vbgamer45
Regular user
Joined: 07 Jul 2004
Posts: 93
Location: 127.0.0.1
|
|
Posted: Wed Jul 07, 2004 5:26 pm
Post subject: PE Skeleton
|
|
|
You guys got me to dig up the old PE Skeleton by Sarge from decompiler.com I had to boot up my old pc since it wasn't archived from archive.org. Now back to work heh.
|
|
| Back to top |
|
 |
|
sarge
Moderator
Joined: 24 Sep 2002
Posts: 194
|
|
Posted: Thu Jul 08, 2004 6:42 pm
Post subject:
|
|
Wow, is Skeleton still around. I don't think I myself even have a copy of that!
Yep, you need to subtract the load address (DecLoadOffset) from the address pointers in the target exe to get the offset into the exe where the pointer actually points.
Since everything (structure wise, anyway) references the "VB5!" signature, you can now start from there and walk down the structure trees until you find what you want. Once you find the form, if you need help deciphering the opcodes and data, you may want to use RACE (turn on the offset display under the option menu) to show you the locations in the target exe where the forms properties are. Then, you can use RACE's text output to see what particular opcode uses what data, and what that data means as a property. Then, just write a program to parse the target file, and re-create the form on the screen using the properties you just got from the target exe.
Sarge
|
|
| Back to top |
|
|
|
vbgamer45
Regular user
Joined: 07 Jul 2004
Posts: 93
Location: 127.0.0.1
|
|
Posted: Thu Jul 08, 2004 7:05 pm
Post subject:
|
|
|
That's what i am talking about. Such as the pcode database down and some links that are dead. Mainly the links to the flow chart and MrU's memory mapper. Good thing i have a copy of that already. I am going to attach PE Skeleton made by Sarge. I suggest everyone get it since I have learned so much from it the last couple of days.
|
|
| Back to top |
|
|
|
MrUnleaded
Site Admin
Joined: 21 Sep 2002
Posts: 385
Location: California
|
|
Posted: Thu Jul 08, 2004 7:43 pm
Post subject:
|
|
[="vbgamer45":ehhk1cdj]...Such as the pcode database down and some links that are dead...[/:ehhk1cdj]
pcode database is working again now. but it could be updated....alot...
i fixed most links i could find....if you see more let me know.
_________________
-MrU
|
|
| Back to top |
|
|
|
sarge
Moderator
Joined: 24 Sep 2002
Posts: 194
|
|
Posted: Mon Aug 09, 2004 3:40 pm
Post subject:
|
|
VBGamer45:
I am looking forward to the updates of your decompiler "Semi VB Decompiler" as you have offered it on Planet Source Code. FYI, I get and overflow error when I run it against VisData (proggie that comes with VB6; maybe VB5 too).
I notice that you used a cut-and-paste of Skeleton to do the initial program type verification! I like having an entire Module modeled after it; glad to be of help.
Maybe your friends there at Planet Source Code would like to be invited to visit this MB; they may want to learn the Hows and Whys of VB analysis, as well as simply running a program to DO the analysis. And, of course, RACE and Skeleton are always available to them as well.
Keep up the good work.
Sarge
|
|
| Back to top |
|
|
|
vbgamer45
Regular user
Joined: 07 Jul 2004
Posts: 93
Location: 127.0.0.1
|
|
Posted: Mon Aug 09, 2004 4:16 pm
Post subject:
|
|
Yeah I am not sure if i am going to continue to keep it opensource.
I just provided a base mainly to show people what they are missing and that they should come here for more information.
I want to bring back the interest in vb decompiling
and secondly I think its pretty cool and learn new skills.
The newest version is at
[url:39uqu5yn]http://www.projectxonline.net/data/mydecompiler/files/Semi%20VB%20Decompiler.rar[/url:39uqu5yn] No source in that version.
I keep all my vb decompiling docs and source codes I find at [url:39uqu5yn]http://www.projectxonline.net/data[/url:39uqu5yn]
I really owe you Sarge a lot for the peskeleton without that I would be searching the text for VB5! still.
Events i am 90% right now. I can link them to what control or form, and retrieve the event type via Com but for forms the events are off for me using com. Dam COM. I read your post on how VBDE works on events. I got the control id. But right now i am going off the eventtable then match the event posistion thats not null with the COM list.
Now to begin this pcode decompiling... Spent a couple hours yesterday searching though google groups. Looking up dodi etc. Then yelling at archive.org for not archiving some information I need from some sites, decompiler.com. Cute Bits, I should have saved that stuff when I first saw it.
|
|
| Back to top |
|
|
|
sarge
Moderator
Joined: 24 Sep 2002
Posts: 194
|
|
Posted: Mon Aug 09, 2004 5:38 pm
Post subject:
|
|
[:z03tamgx]
I got the control id. But right now i am going off the eventtable then match the event posistion thats not null with the COM list.
[/:z03tamgx]
That's the correct first step. This allows you to find which events in a control are active (have code) and which are not. Once you determine that, you go to the code for that event (via the non-zero pointer) and begin your analysis. How deep you go is, of course, up to you.
I will take a look at that new version you mention. And, it would be neat to get those others to take a look over here, we could use some enthusiastic new blood.
I know that there are a few here who have the full MB backup of what it was some 3 (?) years ago. Maybe if you tell us what specifically you need (that used to be here) , someone might find it.
Sarge
|
|
| Back to top |
|
|
|
|
|
Memberlist