field3d
September 5th, 2010, 13:42
I have a VB exe. I used peid to check any encryption and told Microsoft Visual Basic 5.0 / 6.0 encrypt. Now I used many other files on VB and all is working perfect on ollydb the code appears right, I canīt run the exes but i was able to see the code nice and is sufficient to me but now in this new exe is strange appears code like this:
Private Sub OKButton_Click() '11CBBEC
'Data Table: 43454C
Dim As Timer
loc_11CA3A8: LargeBos loc_11CA3AA 'Ignore this
loc_11CA3AA: LargeBos loc_11CA3AF 'Ignore this
loc_11CA3AC: On Error Resume Next
loc_11CA3AF: LargeBos loc_11CA3B7 'Ignore this
loc_11CA3B1: ImpAdLdI2 MemVar_140689C
loc_11CA3B4: BranchF loc_11CAC6E
loc_11CA3B7: LargeBos loc_11CA3C8 'Ignore this
loc_11CA3B9: FLdPr Me
loc_11CA3BC: MemLdI2 global_52
loc_11CA3BF: LitI2_Byte 1
loc_11CA3C1: AddI2
loc_11CA3C2: FLdPr Me
loc_11CA3C5: MemStI2 global_52
loc_11CA3C8: LargeBos loc_11CA405 'Ignore this
loc_11CA3CA: FLdRfVar var_8C
loc_11CA3CD: LitI2_Byte 0
loc_11CA3CF: FLdPrThis
loc_11CA3D0: VCallAd namepassword
loc_11CA49C: NewIfNullPr
loc_11CA49F: = Global.App 'Ignore this
loc_11CA4A4: FLdPr var_88
loc_11CA4A7: = App.Title
loc_11CA4AC: LitVar_Missing var_100
loc_11CA4AF: LitVar_Missing var_C
The code at the top is on VBDecompiler because the procedure i made on other exes where i had success and a perfect code was:
1.-Use Vb decompiler to decode exaclty like VB code is.
2.-Study the code and find what i need to change.
3.-Use ollydbg to write the exe looking the memory positions VB decompiler gave me.
Like i said I used this steps on other exes and all worked for me perfect because vbdecompiler produce me results like this:
loc_00707826: Set var_4C = var_4C
loc_0070782C: var_E0 = var_4C
loc_00707847: 00000000h = namepassword
loc_0070784C: var_E4 = var_4C
loc_00707876: var_15C = var_4C
loc_0070787C: GoTo loc_00707888
How you see the code is pretty perfect an able to understand and ollydbg no problem is paired with vb decompiler 100%.
But on the code at the begin of this page (the strange code) of vb decompiler i canīt find strings nothing and off course ollydb the same. I used the ollydbg 2.0 and OLLY PARCHEADO PARA BUSCAR OEPs and nothing the code is strange like you see too.
How can i decompile that exe? or at least how can i see the real code like the other ones? What kind of code produce the exe i canīt see code like the other ones?.
Thank you
Private Sub OKButton_Click() '11CBBEC
'Data Table: 43454C
Dim As Timer
loc_11CA3A8: LargeBos loc_11CA3AA 'Ignore this
loc_11CA3AA: LargeBos loc_11CA3AF 'Ignore this
loc_11CA3AC: On Error Resume Next
loc_11CA3AF: LargeBos loc_11CA3B7 'Ignore this
loc_11CA3B1: ImpAdLdI2 MemVar_140689C
loc_11CA3B4: BranchF loc_11CAC6E
loc_11CA3B7: LargeBos loc_11CA3C8 'Ignore this
loc_11CA3B9: FLdPr Me
loc_11CA3BC: MemLdI2 global_52
loc_11CA3BF: LitI2_Byte 1
loc_11CA3C1: AddI2
loc_11CA3C2: FLdPr Me
loc_11CA3C5: MemStI2 global_52
loc_11CA3C8: LargeBos loc_11CA405 'Ignore this
loc_11CA3CA: FLdRfVar var_8C
loc_11CA3CD: LitI2_Byte 0
loc_11CA3CF: FLdPrThis
loc_11CA3D0: VCallAd namepassword
loc_11CA49C: NewIfNullPr
loc_11CA49F: = Global.App 'Ignore this
loc_11CA4A4: FLdPr var_88
loc_11CA4A7: = App.Title
loc_11CA4AC: LitVar_Missing var_100
loc_11CA4AF: LitVar_Missing var_C
The code at the top is on VBDecompiler because the procedure i made on other exes where i had success and a perfect code was:
1.-Use Vb decompiler to decode exaclty like VB code is.
2.-Study the code and find what i need to change.
3.-Use ollydbg to write the exe looking the memory positions VB decompiler gave me.
Like i said I used this steps on other exes and all worked for me perfect because vbdecompiler produce me results like this:
loc_00707826: Set var_4C = var_4C
loc_0070782C: var_E0 = var_4C
loc_00707847: 00000000h = namepassword
loc_0070784C: var_E4 = var_4C
loc_00707876: var_15C = var_4C
loc_0070787C: GoTo loc_00707888
How you see the code is pretty perfect an able to understand and ollydbg no problem is paired with vb decompiler 100%.
But on the code at the begin of this page (the strange code) of vb decompiler i canīt find strings nothing and off course ollydb the same. I used the ollydbg 2.0 and OLLY PARCHEADO PARA BUSCAR OEPs and nothing the code is strange like you see too.
How can i decompile that exe? or at least how can i see the real code like the other ones? What kind of code produce the exe i canīt see code like the other ones?.
Thank you
incredible. The code is exactly the same i had oon vb decompiler but the difference with tequila thing is i can debugg step step thing make very easy the situation inside the ugly code of P-CODE. I solved the problem and modified my exe 