VB Decompiler

MrUnleaded · Posted: Fri Jan 24, 2003 4:16 pm Post subject: Multiple Versions of VB6

Joseph helped me realize that because there are 4[i think] different versions of msvbvm60.dll....that i could be parsing my stuff wrong.....all my functions\imports are based on the vbvm that the computer running my decompiler has...since the imports are different....this causes unexpected results.......any ideas?
_________________
-MrU

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

I dont see where the problem lies... If you dont hardcore any import ordinals or names then there should be no problem. The MSVBVM60 rtfs are all backwards compatible too. There is no extra functionality in the Service Pack 5 version as opposed to the original for example, just bug fixes etc. Of course, ordinal numbers shouldnt change (ie rtfMsgBox should be 895(?) because it should then work on all versions of the rtfs. Please elaborate on your problem

MrUnleaded · Posted: Tue Jan 28, 2003 3:56 pm Post subject:

[="moogman":33bhtz07]I dont see where the problem lies... If you dont hardcore any import ordinals or names then there should be no problem. The MSVBVM60 rtfs are all backwards compatible too. There is no extra functionality in the Service Pack 5 version as opposed to the original for example, just bug fixes etc. Of course, ordinal numbers shouldnt change (ie rtfMsgBox should be 895(?) because it should then work on all versions of the rtfs. Please elaborate on your problem [/:33bhtz07]

the import addresses change with the different versions of the dll....

for the programs i decompile....if my app doesnt find the matching dll[that it was compiled with] the import dont work properly.

i dont rely on the import names or ordinals.....only the offsets that are give by a vb exe file. but those offsets vary between the different versions vb

how do i get the same offsets accross the board? i was thinking that the .reloc section may help?
_________________
-MrU

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

[="MrUnleaded":4t4j86pa]
the import addresses change with the different versions of the dll....
[/:4t4j86pa]

Well of course This is the whole point of names or ordinals - they wont (well, shouldnt because that'd break back-compatibility). The import addresses arent intendedto be used explicitly. In my opinion, dont use the addresses. Every update to the dll will inevitably change the import addresses (more code being added, moving existing code up the address space etc).

I cant see how you need to use the import addresses. I naturally ended up using the names/ordinals. I recreated a jump table by parsing the imports (well, a collection with the address as the key) and then used that to lookup the needed data when given an address in pcode

I dont think that the .reloc section will help in this case.

Does this help?!

MrUnleaded · Posted: Wed Jan 29, 2003 4:22 pm Post subject:

[="moogman":1s52jegf][="MrUnleaded":1s52jegf]
the import addresses change with the different versions of the dll....
[/:1s52jegf]

....

Does this help?![/:1s52jegf]

not really

every time i run into like ImpAdCallFPR4 and it references an import....it takes you to the imports section.....the import section is a bunch of jump commands to the address of the procedure in msvbvm.....

so i take msvbvm and parse all the exports and cache them based on their addresses.....

therefore since only the address is in the exe file......i need to import the rtcs by their addresses......

i dont understand how to import them by name when the names are not in the exe[unless they are i just havent found them....]

I can decompile a file's import functions great as long as the msvbvm used to compile the exe is the same one i use to decompile.....so im still a bit confused
_________________
-MrU

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

Um. The addresses point to a jump table in your exe. I get that address as you did and then lookup this via a cache taken from the import section of the exe, thus enabling me to get out the ordinal or function name. These *shouldnt* change. I do the lookups using the name/ordinal rather than the address. I havent got multiple versions of the vb rtf. I have the VB6 SP5 rtfs, so if anyone has a pcode exe made in an earlier version of vb6 handy then it'd be nice if they could send it to me to check to see if my method works heh.

Oh, and the name for rtcMsgBox for example is *not* in the exe. Here, you would import the functions by its ordinal instead (595?) in pretty much the same way as you would if it was imported by name

MrUnleaded · Posted: Fri Jan 31, 2003 3:59 pm Post subject:

[="moogman":lto6z6ny]Um. The addresses point to a jump table in your exe. I get that address as you did and then lookup this via a cache taken from the import section of the exe, thus enabling me to get out the ordinal or function name. These *shouldnt* change. I do the lookups using the name/ordinal rather than the address. I havent got multiple versions of the vb rtf. I have the VB6 SP5 rtfs, so if anyone has a pcode exe made in an earlier version of vb6 handy then it'd be nice if they could send it to me to check to see if my method works heh.

Oh, and the name for rtcMsgBox for example is *not* in the exe. Here, you would import the functions by its ordinal instead (595?) in pretty much the same way as you would if it was imported by name[/:lto6z6ny]

you say you import by ordinal....is there a copy of the ordinal in the exe?

what information do you get out of the exe as compared to the msvbvm?

i will work on getting a recompiled version of CA1 and CA2....
_________________
-MrU

MrUnleaded · Posted: Fri Jan 31, 2003 4:04 pm Post subject:

[="MrUnleaded":2t1gduqd]
i will work on getting a recompiled version of CA1 and CA2....[/:2t1gduqd]

wait....in order to test if your way works.....you need to have your decompiler use an older version of the dll

i think i will post the versions i have on the board....
_________________
-MrU

MrUnleaded · Posted: Fri Jan 31, 2003 4:42 pm Post subject:

[="MrUnleaded":2eh7qkvm][="MrUnleaded":2eh7qkvm]
i will work on getting a recompiled version of CA1 and CA2....[/:2eh7qkvm]

wait....in order to test if your way works.....you need to have your decompiler use an older version of the dll

i think i will post the versions i have on the board....[/:2eh7qkvm]

all i could find includes 2 of 5.0 and 3 of 6.0 and you can get them here:

./msvbvm/

if anyone knows of more send me a link or send it to mrunleaded@theautomaters.com and ill add it to the site
_________________
-MrU

MrUnleaded · Posted: Fri Jan 31, 2003 5:08 pm Post subject: im out of practice.....

hmm ok so the ordinal is in the exe......lol ok i think i will be able to manage now

cross-reference the ordinals as opposed to entry points.... got it
_________________
-MrU

Anonymous · New User Joined: 10 Feb 2008 Posts: 0

Marvellous By all means, use the entrypoint internally to look up the ordinal/name but use the ordinal/name to lookup the parameters etc

Oh, and
[="MrUnleaded":1tv89gpq]
wait....in order to test if your way works.....you need to have your decompiler use an older version of the dll
[/:1tv89gpq]

Or compile the app using a different version of the dll that I use