VB Decompiler

vbgamer45 · Posted: Wed Jul 07, 2004 9:51 pm Post subject: How does Smart Check work?

Any ideas or knowledge on how Smartcheck works? I think it moniters the calls to msvbvm60.dll And somehow it logs all the data passed to it including the parameters. If you set the right options in smartcheck it will also dump the control information as its being changed. For example How does it monitor when someone clicks a button called cmdClose and show in Smartcheck that cmdClose was clicked and the events that happend when it was clicked.

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

Yes, it monitors the msvbvm calls. Wanna know something cool? There's a file called apidefs.w32 that comes with smartcheck and if you open it with a hex editor, you'll find not only the functions in the msvbvm dll, but also the arguments it takes (and human readable names for most arguments). And if you look even better, you'll notice it's a debug info file (codeview), which can be opened with a tool like dumppe (get it here: http://www.tbcnet.com/~clive/vcomwinp.html ) or DumpCV (TOYS.ZIP same site).

I don't know exactly how the events are being monitored, and I can't check now because my computer is officially dead, and a new one is not due till in about three months or so... But my guess it either monitors some api call which is responsible for the events, or the windows messages or something. I expect the first.

By the way, a whole different subject, did one of you guys try VBParser? It's a proggy with functionality similar to exdec (P-Code analysis), some extra options, and some less. It's in either chinese or japanese, don't remember, and it does tend to crash alot. You can easily translate most of it by opening it with a tool like resource hacker, and comparing the string ID numbers with the string ID numbers in an English tool from the same compiler (I think MSVC6, so wordpad probably will do). Google for it if you want it.

vbgamer45 · Posted: Sun Jul 11, 2004 11:52 pm Post subject:

Now I just need to figure out how SmartCheck moniters the api calls...Still looking for an api to do that. Pretty cool information, I am going to have to read up some more about this and see what i can find out.

Hmm never tried VBParser. Well heres the link for others
http://www.pediy.com/tools/Decompilers/ ... ser1.2.zip
Bascilly it looks like its shows the assembly commands inside the procedures for pcode.

sarge · Moderator Joined: 24 Sep 2002 Posts: 194

Believe me, I've tried them all; at least, all that I know of. One of them, and I do think it was VBParser, dumped about 500 lines of "asm" code, while the actual proc length was only a few dozen bytes. Be careful with this one; while it may give you the actual data, YOU have to know when to stop.

Sarge

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

vbgamer45: Well, there are three ways I know of a program can hook api calls. The first is through the win32 debug api. This method is also used in OllyDbg (a free debugger which just completely rocks). First, one patches (WriteProcessMemory) the entrypoint of the api to hook with int3 (0xCC), and then one uses the debug api's "WaitForDebugEvent" function. This method is nearly impossible to implent in VB (although there's an open-source debugger on planet source code called Debuggy which might have implented it by now), so you'll have to get familiar with something like preferably C++ or asm. There's loads of documentation availlable on the debug api, as well as asm snippets and C++ open source projects.
The second method is by placing a hardware breakpoint through the use of the debug registers. I haven't got the details, so you'll just have to google for them if you're interrested.
Third method, use a virtual device driver and place the breakpoint in ring0 mode. I'm no expert here, never implented anything like this, but the basics are pretty similar to the first method; first patch the ep of the function you're hooking to int3, next (works in ring0 only) patch the GDT (Global Descriptor Table, correct me if I'm wrong) to define a callback function for int3. If you're going to read up on the possibilities of ring0 (also called "kernel mode"), remember win9x is a whole lot different than win xp. Well, that about covers it in a nutshell I suppose... Oh, one final thing... Smartcheck is developed by NuMega, same guys who did SoftIce before they were bought out by compuware. And SoftIce is a kernel mode debugger, which is like the nirvana debugger of all reversers, so with any of they're products, you can expect anything...

On a side note, wouldn't it be a nice idea to start a msvbvm api documentation project of some sort? About arguments of the functions, stack correction, what the function does, etc?

vbgamer45 · Posted: Wed Jul 14, 2004 6:21 pm Post subject:

I going to give thoose api's a try. I downloaded debuggy a while back, I will see what I can get out of that.

Here is a vbapi link for msvbvm60.dll.
[url:1e7xz57c]http://www.infonegocio.com/vbcrack/vbapio.htm[/url:1e7xz57c]

I think that starting a msvbvm60.dll api list is a great idea. Theres not a lot of information around on it.

Here's my start on it. A csv file containing function name, entry point(still need to get most of them), and vb api declaration.

MrUnleaded · Posted: Mon Jul 19, 2004 3:31 pm Post subject:

[="vbgamer45":1lvdc6cj]I going to give thoose api's a try. I downloaded debuggy a while back, I will see what I can get out of that.

Here is a vbapi link for msvbvm60.dll.
[url:1lvdc6cj]http://www.infonegocio.com/vbcrack/vbapio.htm[/url:1lvdc6cj]

I think that starting a msvbvm60.dll api list is a great idea. Theres not a lot of information around on it.

Here's my start on it. A csv file containing function name, entry point(still need to get most of them), and vb api declaration.[/:1lvdc6cj]

FYI, you can get alot of information on the dll using dependency viewer....such as the entrypoints and type names....also keep in mind there are at least 4 versions of msvbvm60.dll. Here are all the versions i have encountered:

./msvbvm/
_________________
-MrU