VB Decompiler

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

Here is my input. Feel free to comment. You'll note that I have only bothered to include the executable section - I havent bothered with the PE headers, resource directory etc etc because thats common knowledge. White text on a black background means duplicated sections - possible ovelapping of functions, sections parsed more than once etc etc. You'll see I have some hehe.

<a href="/files/moog.html">CommonApp v 1.0 Memory Export</a>

MrUnleaded

just a tip to cut down on file size...

the Activate() Function is called everttime you call tt() so....why not put Activate() inside of the tt() function....thats 12bytes per instance saved....

theres at least 200 instances....12*200=2400,so ~2K......just a thought
_________________
-MrU

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

? Heh, I didnt use your class/module whatever. I implemented the idea myself, so didnt really care for size (I didnt think I was gonna upload it you see!). I'll modify it to cut the size down...

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

Heh, I know what you mean now. I'll change that as well as cutting down the size :p

MrUnleaded · Posted: Thu Dec 12, 2002 3:53 pm Post subject:

[="moogman":36mwixl8]Heh, I know what you mean now. I'll change that as well as cutting down the size :p[/:36mwixl8]

its not too big of a deal because[well at least for me] cuz IE asks the server to compress it before it downloads....and since its text it compresses pretty well....

i cut off anyting before the code section and made mine able to do either 16 or 32 columns wide....i like viewing the 16 better....but the size of the 32 is at 84K right now
_________________
-MrU

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

Wow!

Double Wow!

Sarge

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

Over the last week, i've brushed the dust off my old VBSnoop 2 heh. This was an attempt to give you a bearing on what i've done.

Since then, i've revamped the mapping function - experimenting with cool ideas. Golem did have a good point (!), when he said "but what *exactly* does it show". I thought to myself, sure its all nice and pretty but all it really does is give a percentage of what I can process. It doesnt really do much more than make my brain swell. I initially tried adding in the structure info, with variables in each of the structures but the size of commonapp.exe.html was well over 10mb EEK and double EEK! Im sticking to trying to make it smaller for the time being.

I've gone through all the structures making sure the sizes are right and noted a few changes - everything is now a little tighter and i've noted differences and gaps - for example DataReports will always have a pointer to some location after their OptionalObjectInfo, as do PropertyPages. Additionally, the size (amount) of events for the DataReport is too large by 9 addresses - all nulls as far as I can tell etc etc.

As for all the other stuff i've done in the last week, well i'll post that elsewhere on the site no doubt...

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

Just a quick comment...

Some of the "collisions" aren't. They're just items that have been validly accessed by more than one procedure. This is certainly different than a real collision caused by two sequential mis-sized structs.

Again, (and still) wow.

Sarge

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

Indeed Sarge! One of the "collisions" "detected" is when one GUID is accessed by say, two text boxes. By definition they are collisions I guess, but it is plainly wrong. I cant really be arsed to change it, because it'd only slow down the speed of my decompiler. Also, some strings will be one byte over or one byte under what they should be hence a collision of two bytes "detected". Again, wrong but again I cant really see the need to spend time in fixing these obviously wrong bugs. But thanks for noting the problems

MrUnleaded · Posted: Fri Dec 20, 2002 4:07 pm Post subject:

[="moogman":2jzywpx7]Indeed Sarge! One of the "collisions" "detected" is when one GUID is accessed by say, two text boxes. By definition they are collisions I guess, but it is plainly wrong. I cant really be arsed to change it, because it'd only slow down the speed of my decompiler. Also, some strings will be one byte over or one byte under what they should be hence a collision of two bytes "detected". Again, wrong but again I cant really see the need to spend time in fixing these obviously wrong bugs. But thanks for noting the problems [/:2jzywpx7]

well in theory you should be able to turn the memMap off... and therefore it wouldnt slow your decompiler down
_________________
-MrU

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

Good thinking batman! I'll add in a preprocessor clause to do the stuff conditionally

MrUnleaded · Posted: Fri Dec 20, 2002 6:52 pm Post subject:

[="moogman":wja1byiz]Good thinking batman! I'll add in a preprocessor clause to do the stuff conditionally[/:wja1byiz]

your supposed to say "Holy-Rusted-Metal" hehe anyways....
_________________
-MrU