VB Decompiler

_aLfa_ · Posted: Fri Sep 27, 2002 4:35 pm Post subject: Object

Parents:
Object Table

MrUnleaded · Posted: Sat Sep 28, 2002 1:08 am Post subject:

you pretty much had the same as i did....
btw I edited your post

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

I'd change:

NumberOfFunctions As Long ' 0x1C

To:

AmountOfFunctionsAndEvents As Long ' Amount of functions and events in an object

Because it also includes the number of events, and external "functions" such as declare statements etc...

Additionally, object type (ObjectType as Long). This is actually a bitmask. The last but one bit defines whether ObjectInfo has OptionalObjectInfo. I havent bothered to check out the rest. Note this is a bitmask not a bytemask

MrUnleaded · Posted: Sat Sep 28, 2002 9:59 pm Post subject:

[="moogman":35tes22y]I'd change:

NumberOfFunctions As Long ' 0x1C

To:

AmountOfFunctionsAndEvents As Long ' Amount of functions and events in an object

Because it also includes the number of events, and external "functions" such as declare statements etc...

Additionally, object type (ObjectType as Long). This is actually a bitmask. The last but one bit defines whether ObjectInfo has OptionalObjectInfo. I havent bothered to check out the rest. Note this is a bitmask not a bytemask [/:35tes22y]

but thats such a long name...hehe wouldnt AmountOfProcedures be a better name?

and on the BitMask Thing you said the last bit.....meaning the least significant? or most significant?

Ill add changes after you reply

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

Ok, the name isnt really the concern - but the description and useage is. I was just trying to clear it up. AmountOfProcedures may well be a better name for it, as long as we all know that it includes other things such as external declares et al. With the bitmask thing, I cant remember I think its the second least significant bit, but im sure you can figure it out by compiling a module and a form, and comparing the bitmasks for them...

MrUnleaded · Posted: Mon Sep 30, 2002 1:52 am Post subject: what the func?

[="moogman":1sojjhim]Ok, the name isnt really the concern - but the description and useage is. I was just trying to clear it up. AmountOfProcedures may well be a better name for it, as long as we all know that it includes other things such as external declares et al. With the bitmask thing, I cant remember I think its the second least significant bit, but im sure you can figure it out by compiling a module and a form, and comparing the bitmasks for them...[/:1sojjhim]

for bitmasks....how do you remove the unneeded items?....like if you have a long....and you dont need a bit and u want to cancel it out...

[dont need first bit]
func(10010011) = 00010011
func(00010011) = 10010011
func(10111011) = 00111011

whats func(x)?

func(x) = x XOR 10000000

is that correct? [i dont think so.....]

is it one op? or are there several?

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

You can AND bits with 0 to force them to become 0, and OR bits with 1 to force them to 1. Change this to a long and and the value onto it... Cant remember what 1000 0000 is as a long, but if you or'd it with your number, it'd force the first bit to 1. Additionally, if you ADDed 0111 1111 with your number, it'd force the first bit to 0 and ignore the rest. Simple

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

Under "related items" you have two reference/links to structs that appear elsewhere; very convenient. Can a reference/link be added to take you to ObjectType also (relating to the reference to OptObjectInfo Bit)?
Would be appreciated.

Thanks
Sarge

MrUnleaded · Posted: Tue Dec 03, 2002 11:30 pm Post subject: Re: suggestion

[="sarge":1us9p8tp]Under "related items" you have two reference/links to structs that appear elsewhere; very convenient. Can a reference/link be added to take you to ObjectType also (relating to the reference to OptObjectInfo Bit)?
Would be appreciated.

Thanks
Sarge[/:1us9p8tp]

i must of missed this post

done
_________________
-MrU

MrUnleaded · Posted: Tue Dec 17, 2002 3:54 pm Post subject: update

I found something that no-one had noted before.....

so i changed Flag1 to aProcNamesArray

Im not sure when you get these names....but you can see the "FunctionX" and "SubX" of frmMain in CommonApp2
_________________
-MrU

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

For CommonApp1:

VB5 = $11B4 VBHeader
$11B4 + 30h = $11E4, points to $127C ProjectInfo
$127C + 4h = $1280, points to $14B8 ObjectTable
$14B8 + 30h = $14E8, points to $150C Object
$150C + 20h = $152C, points to $156C ???

$1560 = 3 NULLs, then the module names

For CommonApp2:

VB5 = $11E4 VBHeader
$11E4 + 30h = $1214, points to $1420 ProjectInfo
$1420 + 4h = $1424, points to $165C ObjectTable
$165C + 30h = $168C, points to $16B0 Object
$16B0 + 20h = $16D0, points to $1710 ???

$1710 = 7 NULLS, then 4 addresses, then the module names.

So...
Why does CA1 have 3 NULLS, but CA2 has 7? Or, if 3 is the standard, the the remaining count is 4, which is the quantity of the names. Coincidence?

Why does CA2 have names, but CA1 not? We know VB doesn't put procedure names in as a rule, so what do those names represent? Without the source to CommonApp2, it's hard to tell.

How do you tell if the names even exist, so that you know NOT to attempt to access them, as in CA1? Or is there a flag/counter someplace else that is non-zero (maybe even 4!) that tells you the names DO exist, as in CA2?

Where/how do "Function1" etc appear in your code?

You are definitely on to something, but how to determine when the pointers at $1560/$1710 do or do not point to good stuff needs to be determined.

Good work!

Sarge

MrUnleaded · Posted: Tue Dec 17, 2002 10:39 pm Post subject: ;)

[="sarge":16bsdpre]
Why does CA2 have names, but CA1 not? We know VB doesn't put procedure names in as a rule, so what do those names represent? Without the source to CommonApp2, it's hard to tell.
[/:16bsdpre]

my guess is they are public....im not sure...moog little help? perhaps post the source of one of the correlating functionssubs

[="sarge":16bsdpre]
How do you tell if the names even exist, so that you know NOT to attempt to access them, as in CA1? Or is there a flag/counter someplace else that is non-zero (maybe even 4!) that tells you the names DO exist, as in CA2?
[/:16bsdpre]

if aProcNamesArray <> 0 then {
--for each item{
----if item<>0 then get Name
--}
}

[="sarge":16bsdpre]

Where/how do "Function1" etc appear in your code?
[/:16bsdpre]

"Function Function1() as String" ...or some similar variant of this...and it would of course be in the correlating object
_________________
-MrU

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

[:3w1fqigb]if aProcNamesArray <> 0 then {
--for each item{
----if item<>0 then get Name
--}
}
[/:3w1fqigb]

Well, this is close, I think. But if you are skipping the 0's, then getting data (which happens to be Name) via a non-0 pointer, won't you try to get data when you hit the also non-0 text of the module name that comes after the real (4 in this case) pointers?

I suspect that the appearance of "Function1" as text in the exe is similar to the appearance of the Declaration text; in the high level overview of the Project, while the actual use in a module is not named, just referenced. But right or wrong, it would be neat to be able to pull them out cleanly.

Boy, how much we have learned. Boy, how much we don't know. Wish we had some help...

sarge

MrUnleaded · Posted: Wed Dec 18, 2002 3:46 pm Post subject:

[="sarge":emusc1xm][:emusc1xm]if aProcNamesArray <> 0 then {
--for each item{
----if item<>0 then get Name
--}
}
[/:emusc1xm]
....

sarge[/:emusc1xm]

oy....ok

if aProcNamesArray is not null then go to the adress it contains....

at that address process the number of long specified by ProcCount

for each Long that is processed.....you do one of two things....

if it is Null you ignore it....

if it is not null you goto the address indicated by the long and retrieve a Null terminated String
_________________
-MrU

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

Ok I like it (I never even looked at ProcCount - my bad - sorry).

It is interesting to note that since Object.ProcCount = ObjectInfo.NumberOf Procs, it works out that those non-Nulls here are the publics, while the NULLs (whose count must obviously be the remainder) represent the procedures in the ObjectInfo.ProcTable. Wow, somebody must have planned it that way!

Sarge

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

http://extra.decompiler.com/progs/store/commonapp2-source.zip:23x8gokx]Source code would help indeed. Uh. As for the function names, they are public members of the main form. According to VB people, forms are really classes with a load of members already, so by adding in public routines to the form, you are doing the same as adding public routines into class objects - either way, the name will be in the exe as is apparent.

As for all the other answers: Hmm. Im too tired to think properly (its 2:30am and i've just come back from the pub heh), plus I dont know so i'll have to get back to y'all on that... possibly :p

_aLfa_ · Posted: Mon Aug 02, 2004 4:51 pm Post subject:

Like moog said, the name isn't a concern, but anyway I changed from Proc to Method (Method is the word that Microsoft uses to describe procedures, functions, properties and events altogether)

Another change for readability
_________________
One thing only I know, and that is that I know nothing. (Socrates)

MrUnleaded · Posted: Mon Aug 02, 2004 5:19 pm Post subject:

Now we have to change ProcedureTable to MethodTable
_________________
-MrU

_aLfa_ · Posted: Mon Aug 02, 2004 5:22 pm Post subject:

Indeed, but I can't do that
_________________
One thing only I know, and that is that I know nothing. (Socrates)

vbgamer45 · Posted: Thu Aug 05, 2004 5:08 pm Post subject:

Null1 is sometimes an address
Null2 is sometimes an address

Const2 is not constant it changes at times.

_aLfa_ · Posted: Thu Aug 05, 2004 9:15 pm Post subject:

I updated those field names, so it won't redirect us in error...
_________________
One thing only I know, and that is that I know nothing. (Socrates)

_aLfa_ · Posted: Tue Aug 10, 2004 4:50 pm Post subject:

I have a better way to check if this Object hasn't OptionalObjectInfo or if it's a module (whatever pleases you)
If Address2 has an address then this Object is a module, so it hasn't OptionalObjectInfo
_________________
One thing only I know, and that is that I know nothing. (Socrates)

MrUnleaded · Posted: Tue Aug 10, 2004 5:53 pm Post subject:

What does Addres2 Point to in a module?
_________________
-MrU

_aLfa_ · Posted: Tue Aug 10, 2004 8:03 pm Post subject:

I made a typo in my post; now is corrected.
Address2 points to some place after the ProjectInfo.ThreadSpace (I haven't found any logical place yet)
_________________
One thing only I know, and that is that I know nothing. (Socrates)

_aLfa_ · Posted: Sat Aug 28, 2004 12:07 pm Post subject:

I've updated this structure alot with the help of Ionescu, so if you find anything that doesn't fit feel free to flame, etc...
_________________
One thing only I know, and that is that I know nothing. (Socrates)

ionescu007 · Sometimes here Joined: 21 Aug 2004 Posts: 33

aUnknown1 As Long ' 0x0C (12d) = Static Variable Structure
aUnknown2 As Long ' 0x14 (20d) = Static Variables
iFlag1 As Integer ' 0x26 (38d) = Offset to Static Vars from unknown2