VB Decompiler Hosted by TheAutomaters.com     Memberlist   How to get Sub Main's Position in an Exe file(PCODE)      VB Decompiler Forum Index -> The Code Author Message Anonymous New User Joined: 10 Feb 2008 Posts: 0 Posted: Wed Jul 02, 2003 7:34 am     Post subject: How to get Sub Main's Position in an Exe file(PCODE) Hi I need to know the position of Sub Main in an EXE file compiled in P-Code with VB6. I used the folowing fields of the structures but they seem to have incorrect values: Code: submain (VBHeader) ---> 0040113Ch startofcode(ProjectInfo) ---> 00401B00h I used JosehCo's VBExDec and the real RVA of the sub main in the Exe file is 00401A18h. The ProcId is 00401A2Ch. I've checked this RVA with Hiew32(HexEditor) and the Sub main's Op-Code stream starts there. Can anyone help me to obtain this Sub Main Start? Thanks in advance Back to top sarge Moderator Joined: 24 Sep 2002 Posts: 194 Posted: Wed Jul 02, 2003 1:39 pm     Post subject: I'm not sure if you want to get to the events of SubMain, or to the SubMain module. They are usually located in widely different places The first thing to do is find out if SubMain is, in fact, the startup module. You have already done this by realizing that the value at {submain(VBHeader)} is non-zero. So, remember that number, but correct it for the offset of the loading address. In your case, the offset appears to be the usual 0x400000. So you have 0x40113C - 0x400000 = 0x113C. Call this address SubMainOffset. Now go to that offset in the file. Skip one byte, then get the next 4-byte address. Remember to correct this address, too. Call this address the SubMainPointer. Since I'm not sure which way you want to go.... See where this new info takes you, depending upon what you want to do. In one case, it will help you with the SubMain module. In the other case, it will help you with the SubMain events. Also, RACE will give you these offset automatically if you enable the proper option. Sarge Back to top Anonymous New User Joined: 10 Feb 2008 Posts: 0 Posted: Thu Jul 03, 2003 6:34 am     Post subject: Sub main... Thanks, I can't believe! I was so blind! All the time i have the proc structure! I've got it. I have the sub main MODULE code... Compiled with PCODE but... What about NCode???? I need it too... I know it's hard... Do u have any idea? Back to top sarge Moderator Joined: 24 Sep 2002 Posts: 194 Posted: Fri Jul 04, 2003 1:18 pm     Post subject: Both the PCode and the NCode exist in the same way. In fact, each individual procedure in each module actually has a flag that indicates whether it is coded in N or P, regardless of what the compiler option says. So it is possible to have a mix of both P and N codes in the same exe. However, this is quite rare since most VB programmers just let the compiler do its' thing. So, all you have to do is get the compile-type flag and you will know if the exe is P or N. Now, do actually decode P-vs-N, N code is assembler and can be disassembled with, ...well... a disassembler. And there are lots out there that can do that. As for the P code, that's what this and other forums are for. Sarge Back to top    VB Decompiler Forum Index -> The Code All times are GMT Page 1 of 1   You can post new topics in this forum You can reply to topics in this forum You can edit your posts in this forum You can delete your posts in this forum You can vote in polls in this forum Powered by phpBB © 2001, 2005 phpBB Group