Visual Basic Programs (msbloat.dll)

VB Programs - Wide Char Format - How Lame! - SoftICE bpx's
Patch W32Dasm - MsgBox() equates & String Manipulations

Programs written in Visual Basic sadly proliferate on the web. You'll easily identify them when reverse engineering or disassembling by their use of the run-time dll: vbrun300.dll for VB3, vb40032.dll for VB4 and msvbvm50.dll for VB5 (msvbvm60.dll for VB6 is now also available and we are just starting to see programs protected with it). There is also a legacy 16-bit VB4 run-time, vb40016.dll; see below for its compare code.

Visual Basic executables are essentially just scripts which make calls into the functions exported by the run-time dll; this is actually a really convenient way to develop good-looking GUI applications without the hassle of a lot of coding (point-and-click programming, as it is affectionately known). When you reverse these targets, ensure that you have modified your winice.dat to include the relevant dll exports; it's only really worth doing with VB5, since VB3 can be decompiled to its 'tokens' quite effectively using DoDi's decompiler.

Use the picture below to learn how to customise another brilliant tool from NuMega, SmartCheck (the most recent version is v6.03), which produces a "commented movie" (Fravia's words) of all operations; beware though of p-code compiled programs. It is also useful to be aware of the various dll compare routines which compare 2 wide-character strings. Turning on the floating-point window in older versions of SoftICE with "wf -d f" is recommended (newer versions require just wf); unless you use IceDump v5.0 there is no way to modify the FPU registers.

Wide-Char & String Comparison Code inside VB dlls

Most versions of VB use what is called wide-character format to represent string data: each character occupies two bytes, and for ordinary ASCII text the second byte is a null (this is the UTF-16 little-endian layout of a VB BSTR). Consider the string 'Your serial #' :-

In ordinary HEX this would be represented as :- 59 6F 75 72 20 73 65 72 69 61 6C 20 23
In Wide Char (each character followed by 00) :- 59 00 6F 00 75 00 72 00 20 00 73 00 65 00 72 00 69 00 61 00 6C 00 20 00 23

As I discussed earlier, the main backbone of VB is the run-time dll, which executes most of the common functions; one such task might involve the comparison of 2 wide-character strings (you'll find this discussed in several tutorials). Here, for example's sake, is the code from vb40016.dll (16-bit VB4) :-

8BF8    MOV  DI,AX
8EC2    MOV  ES,DX
1E      PUSH DS
C5760E  LDS  SI,[BP+0E]
33C0    XOR  AX,AX
F3A6    REPZ CMPSB      ; Here the strings at DS:SI and ES:DI are compared
7405    JZ   2667       ; byte by byte (CX bytes); all equal -> jump with AX = 0
1BC0    SBB  AX,AX      ; otherwise AX = -1 if the DS:SI byte was lower (carry set), else 0
1DFFFF  SBB  AX,FFFF    ; which becomes -1 or +1, the usual three-way compare result

You now understand of course just how useful being able to bpx these locations might be :-).
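The wide-char layout and the three-way compare described above, as an added Python example (this is not code from the original page or from the VB run-time): it encodes and decodes wide-char text, spots wide-char data in a dump, and mirrors the REPZ CMPSB / SBB sequence. The tie-break by length for strings of different size is my assumption; the listing only shows the CX-byte compare.

```python
# Added example: VB wide-character (UTF-16LE) strings and a three-way compare.

def to_wide(s: str) -> bytes:
    """Encode text as the VB run-time stores it: UTF-16LE, each ASCII char followed by 00."""
    return s.encode("utf-16-le")

def wide_hex(s: str) -> str:
    """Space-separated hex of the wide-char bytes, the notation used on this page."""
    return " ".join(f"{b:02X}" for b in to_wide(s))

def from_wide(data: bytes) -> str:
    """Decode wide-char bytes back to text, dropping a terminating 00 00 if present."""
    if len(data) % 2:
        raise ValueError("wide-char data must have an even length")
    return data.decode("utf-16-le").rstrip("\x00")

def looks_wide(data: bytes) -> bool:
    """Heuristic for spotting wide-char ASCII text in a memory dump:
    even length, every odd byte is 00, every even byte is printable ASCII."""
    if len(data) < 2 or len(data) % 2:
        return False
    highs_null = all(data[i] == 0 for i in range(1, len(data), 2))
    lows_ascii = all(0x20 <= data[i] < 0x7F for i in range(0, len(data), 2))
    return highs_null and lows_ascii

def three_way_compare(a: bytes, b: bytes) -> int:
    """Mirror of REPZ CMPSB; SBB AX,AX; SBB AX,FFFF: compare byte by byte over the
    shorter length and return -1, 0 or +1.  Length tie-break is an assumption."""
    for x, y in zip(a, b):
        if x != y:
            return -1 if x < y else 1          # carry set -> -1, else +1
    return (len(a) > len(b)) - (len(a) < len(b))

if __name__ == "__main__":
    # Constructed sample: the string used on this page.
    print(wide_hex("Your serial #"))
    print(three_way_compare(to_wide("ABC"), to_wide("ABD")))
```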

SmartCheck Settings

Just how lame VB protections can be!

http://www(dot)ds-technical(dot)com/ - deliberately not hyperlinked.

Certain VB programs that you may find on the web accept an unlock code so you can use a product at its full capability (after paying a fee of course, because not paying would be illegal). Examples of such programs include those that let you prepare for the MCSE exams by trying example questions and paying for the facility to try others. A String Reference from one such hypothetical target might look like so :-

* Possible StringData Ref from Code Obj -> '<censored>'

:00<censored> MOV DWORD PTR [EBP-212], 004084D8
:00<censored> MOV DWORD PTR [EBP-220], 00008008
:00<censored> CALL MSVBVM60.__VbaVarTstEq

Other String Data References - "<censored>", "<censored>", "<censored>", "<censored>".

An incredibly clever protection strategy isn't it? :-).

Common SoftICE BPX's

MultiByteToWideChar and WideCharToMultiByte (the kernel32 conversion APIs), rtcR8ValFromBstr, __vbaStrCmp, __vbaStrComp, __vbaStrCopy, __vbaStrMove, __vbaVarTstNe (note the 2 underscores), rtcBeep, rtcGetPresentDate (time API), rtcMsgBox.

Patching W32Dasm v8.93

In the dark old days of VB reversing most of us were using just SoftICE or a HEX editor. To a limited extent disassembling VB programs has always been possible with IDA or W32Dasm, yet the latter would never locate the String Data References, until now that is: patch your copy of W32Dasm v8.93 at offsets 0x16B6C-0x16B6D to 98 F4. * Note - most versions of W32Dasm you can download around the net probably already have this patch applied.

Hey! Did I forget? Maybe, just maybe, you can try using my good friend josephCo's VB5/6 p-code decompiler (63k). This is a beta version and is dated 7th April 2000. Try IRC #cracking4newbies for newer versions.


Useful MsgBox() Equates

Button Combination          Mbtype   Symbolic Constant
OK only                     0        vbOKOnly
OK and Cancel               1        vbOKCancel
Abort, Retry, and Ignore    2        vbAbortRetryIgnore
Yes, No, and Cancel         3        vbYesNoCancel
Yes and No                  4        vbYesNo
Retry and Cancel            5        vbRetryCancel

Useful VB String Functions

Val() - Convert string to number.
Str$() - Convert number to string.
Left$() - Substring from left end e.g. Left$("Theodolite", 4) = "Theo".
Right$() - Substring from right end.
Ltrim$() - Trim spaces off left e.g. Ltrim$(" Hello ") = "Hello ".
Rtrim$() - Trim spaces off right.
Trim$() - Trim spaces off both ends.
Asc() - Convert char. to ANSI code e.g. Asc("A") = 65.
Chr$() - Convert ANSI code to char. e.g. Chr$(65) = "A".

© 1998, 1999, 2000 CrackZ. 15th May 2000.