Greyhound2004
September 18th, 2008, 11:19
Hi, can anybody give me a few pointers.
I am trying to RE a prog written in visual basic 6.0.
I have trawled the net and tried to find info myself.
IDA gives me the following information:
.hc0j7ci : 0040 1000
004F 7FFF
.data : 004E E000
004F 7FFF
.rsrc : 004F 8000
004F 9FFF
.v3utv94v : 004F A000
.fpf0xu9b : 0054 A000
005F 7FFD
.xmgnvmgh : 005F 8000
005F 8FFF
Start point is shown as fpf0xu9b : 005F7A80
Imports: Kernel 32 User32
Why does it not show MSVBVM6 as an import, because it definitely uses it?
I set up SoftICE, ran the prog, got the proc ID, set the ADDR, and set a BP on MessageBoxA (this is shown as imported from user32). SoftICE did not break when I clicked on the reg box.
Just out of interest I tried clicking on the reg box without entering any info.
Sice broke on an error.
001B:0052 BEC9 CALL [MSVBVM60! __vbaHresultCheckObj]
Just above the command window I get the following info:
(PASSIVE) KTEB (81441280) TID 03D0 Myprog! v3utv94v+00032AB4
What I have learnt so far is that the string compare between what we entered and the 'real' generated serial is done with MSVBVM6.
The info that I got when Sice broke on an error suggests that I'm not looking at the right area, as this is located in memory at 001B:0052 BEC9; comparing it to what I got from IDA, it does not seem to fit in any of the locations.
This is obviously something fundamental that I've missed.