Greyhound2004
October 6th, 2008, 12:47
Hi,
I'm trying to RE a program that uses MSVBVM60.DLL without much success.
First thing I did after installing it was to look at the exe file with a hex editor.
Not far into the file there is a reference to msvbvm60.dll so I know that its a visual basic prog.
I then ran the prog through Smartcheck and got "Program is compiled to P code Smartcheck is unable to provide substantial info on progs compiled to P code"
So more bad news its Visual Basic and its P code.
I had a look at the exe file with IDA Pro
This shows .idata: 00401000 to 004010B0 ;imports from MSVBVM60
; Image base 400000
.text: 004010B4 to 0044ABB8 ;contains lots of jumps to MSVBVM
;functions. ThunRtMain
;segment type: pure code
;Public Start 004011C8
.data: 0044B000 to 004511A3 ;segment type
ure data
.rsrc: 00452000 to 00452FFF
When you run the target exe you get the usual 'buy now' 'continue' 'register' options. If you click register you are asked to enter a 16 digit code in 4 groups of 4.
The problem is that cant find a break point that works with softice.
I've tried BPX ThunRtMain and many others but they dont break.
Am I right in thinking that ThunRtMain is only called once at the start when the prog is run. If this is the case then when I run the prog to get the proc id to make sure i'm standing in the code i'll allready be past that break point?
In this case would it be better to set a BP on WINMAIN and narrow it down from there?
Are there any better approaches ?
I did remember to add MSVBVM60 to winice.dat
I'm trying to RE a program that uses MSVBVM60.DLL without much success.
First thing I did after installing it was to look at the exe file with a hex editor.
Not far into the file there is a reference to msvbvm60.dll so I know that its a visual basic prog.
I then ran the prog through Smartcheck and got "Program is compiled to P code Smartcheck is unable to provide substantial info on progs compiled to P code"
So more bad news its Visual Basic and its P code.
I had a look at the exe file with IDA Pro
This shows .idata: 00401000 to 004010B0 ;imports from MSVBVM60
; Image base 400000
.text: 004010B4 to 0044ABB8 ;contains lots of jumps to MSVBVM
;functions. ThunRtMain
;segment type: pure code
;Public Start 004011C8
.data: 0044B000 to 004511A3 ;segment type

.rsrc: 00452000 to 00452FFF
When you run the target exe you get the usual 'buy now' 'continue' 'register' options. If you click register you are asked to enter a 16 digit code in 4 groups of 4.
The problem is that cant find a break point that works with softice.
I've tried BPX ThunRtMain and many others but they dont break.
Am I right in thinking that ThunRtMain is only called once at the start when the prog is run. If this is the case then when I run the prog to get the proc id to make sure i'm standing in the code i'll allready be past that break point?
In this case would it be better to set a BP on WINMAIN and narrow it down from there?
Are there any better approaches ?
I did remember to add MSVBVM60 to winice.dat