VB Decompiler

Cthulhu · New User Joined: 04 Jun 2004 Posts: 6

Hello folks!
I'm new to this board.
I'd want to know how to decode the forms from a VB Executable.
Following the VBHeader structure I noticed how could I get the number of the forms in the .exe and after reading Kathras' tutorial "Explaining Visual Basic" I realized how could I decode most of the objects.
But I stills have some doubts.
I'd like to know how could I find the pointer to the VBHeader.
Can any of you guys help with this?

Thanks in Advance!

Cthulhu · New User Joined: 04 Jun 2004 Posts: 6

Finding the VBHeader was easy.....
Now I know how to retrieve the number of Forms and the number of external components.
I need now to know how to get to the forms to start decoding them.
Any tips?

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

Just continue to follow the "tree branches" down to the level desired. You will need to keep track of each "fork" as you pass it, 'cause you may want to come back to it. Or, you can keep each significant address in a typedef structure or other array type. (That's what I did in RACE). The logic is simple of course:

For each form or module
do properties decode
do procedures decode
do code decode
Next

It may help you in your analysis if you use RACE and turn on the Offset option; it will show you where in the target file the data is...then you can compare that to the structure breakdowns you see here, so you can figure out which branch to take for what operation.

I would be interested in seeing your results compared to my own.
Good luck

Sarge

Cthulhu · New User Joined: 04 Jun 2004 Posts: 6

Hello man!
What I want to do is much simpler than RACE.
I just want to extract the forms and save it as a bitmap file.
Thanks for answering I'll keep on trying.

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

So, you have changed your original intent? You no longer want to decode the forms, you just want bitmaps of them? Obviously, a completely different project! However, you can't "extract" a form, as it doesn't exist as an entity in the exe; only its description. So, to get a bitmap (if that's really what you want) you'd have to run the program and do some kind of PrintScreen effect. Alternatively, you can decode the form's description, cut-and-paste it into another VB project, display it, and view/copy/save it to your hearts content.

Good luck
sarge

Cthulhu · New User Joined: 04 Jun 2004 Posts: 6

I wasn't very clear in my last message but you got it right.
In fact I did something similar with Delphi applications. I extracted the RC_DATA from the resource section and converted it to a .dfm I also made a program to read the .dfm and show the form so I can "printscreen" the forms WITHOUT running the program.
I thought I could do the same with Visual Basic but it's rather more complicated.

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

Yep, with Delphi you can do that, but not VB; mostly because forms aren't a resource; at least, not in the same manner as Delphi.

Hope you get to where you want to go. Again, good luck.

Sarge

golem · Often here Joined: 18 Nov 2002 Posts: 73

It wouldn't take much of any effort to create a VB forms viewer. Use the header info to locate the start of the form and just start reading/displaying it a control at a time, setting its properties to match those used in the form definition.

In fact... It's surprising no one has YET done it!

Carry on!
golem

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

Very true.

Perhaps Cthulhu will head in that direction.

Sarge

vbgamer45 · Posted: Wed Jul 07, 2004 3:26 pm Post subject:

One of the things that i think has been holding be back were not able to see were to begin but now i think i have an i am going to search for the offset of VB5! in an exe. Then i am going to grab vbheader type. I am still not clear on the order that all these types are stored in the exe such as where to go after getting the vbheader but maybe if i study the types for a while i will figure it out. If not i will come back here.

MrUnleaded · Posted: Wed Jul 07, 2004 3:41 pm Post subject:

[="vbgamer45":2auk1zvx]One of the things that i think has been holding be back were not able to see were to begin but now i think i have an i am going to search for the offset of VB5! in an exe. Then i am going to grab vbheader type. I am still not clear on the order that all these types are stored in the exe such as where to go after getting the vbheader but maybe if i study the types for a while i will figure it out. If not i will come back here.[/:2auk1zvx]

look on google/microsofts website for PE-COFF

"Portable Executable Common Object file format" if my memory serves me right... it is a microsoft doc that explains all about the PE/dos headers.

use this information to get the "EntryPoint"....you should be able to get it from there....

the other way which is not full proof is to search the exe for "VB5!"....but if this is in the exe anywhere except the vb header...it may throw you off.
_________________
-MrU

MrUnleaded · Posted: Wed Jul 07, 2004 4:05 pm Post subject:

I believe this i it:

http://www.microsoft.com/whdc/system/pl ... ECOFF.mspx
_________________
-MrU

Cthulhu · New User Joined: 04 Jun 2004 Posts: 6

So the Start of the VB Header is the VB program's Entry Point:?:

vbgamer45 · Posted: Wed Jul 07, 2004 9:40 pm Post subject:

Well after finding the PE Skeleton. I then had the problem that all the offsets that the header pointed to were well outside the range of the exe. Thats when i noticed that you had to subtract the optheader.imagebase from the address in order to get the correct offset when you read the exe.

MrUnleaded · Posted: Wed Jul 07, 2004 9:43 pm Post subject: take a look...

[="Cthulhu":38ksz1rr]So the Start of the VB Header is the VB program's Entry Point:?:[/:38ksz1rr]

well not exactly...but at the entry point there is a couple of assembly commands...one of which references an address which should lead you to the VB header.
_________________
-MrU

MrUnleaded · Posted: Thu Jul 08, 2004 7:29 pm Post subject:

FYI, i split the topic and moved PE Skeleton to the utilities section.
_________________
-MrU

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

Like most Windows programs, where YOU start with WinMain, the actual proggie doesn't. The compiler adds the initialization routines (remember the old SDK stuff?) that run before your code, so that where Windows starts IT'S program. Similarily, in VB, the initialization code comes before the actual VB proggie...it's a call to ThunderMain (or something like that).
That's where the code that YOU wrote is finally handled.

[Hey, anybody remember when VB was advertised as "the power to crack Windows?....That's where Thunder came from]

Sarge

Cthulhu · New User Joined: 04 Jun 2004 Posts: 6

[:3lg2sw3d]
well not exactly...but at the entry point there is a couple of assembly commands...one of which references an address which should lead you to the VB header.
[/:3lg2sw3d]

Thanks for the information guys!

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

You are of course quite welcome. Hopefully, you gained a lot of understanding of the PE format; maybe by using Skeleton, which of course not only gives you the "VB5!", but shows you how to get there.

We're looking forward to your contributions in the future.

Sarge

MrUnleaded · Posted: Fri Jul 09, 2004 3:17 pm Post subject:

[="sarge":pdknrmsq]

[Hey, anybody remember when VB was advertised as "the power to crack Windows?....That's where Thunder came from]

Sarge[/:pdknrmsq]

you learn something new everysday....i always wondered that...
_________________
-MrU