Finding Entry Point for VB6 Program [Archive] - RCE Messageboard's Regroupment

View Full Version : Finding Entry Point for VB6 Program

NeonFlash

January 19th, 2013, 05:23

Hi,

Analyzing a virus written in VB6.

Used this: http://www.reteam.org/papers/e46.pdf as a reference to find the entry point of code section (Original Entry Point).

as mentioned in the PDF referenced above, the StartofCode is surrounded by a signature, E9E9E9 followed by a few 0xCC bytes and then the code and at the end again, 9E9E9E.

in my case, I get:

E9E9E9CCCCCCCC9E9E9E

the code is missing

here is the code:

Code:



E9

E9

E9

E9

INT3

INT3

INT3

INT3

INT3

INT3

INT3

INT3

INT3

INT3

INT3

INT3 <<< code should have started after this point

9E

9E

9E

9E

how do I find the entry point in this case so that I can step through the code in debugger?

Aimless

January 19th, 2013, 05:48

Why don't you get 'VB Decompiler' and examine the same?

VB Code is 'generally' not meant to be disassembled, but decompiled.

Have Phun

NeonFlash

January 19th, 2013, 05:50

I tried to decompile it using DeDe software which is for VB. However, it could not find any Forms and code.

I am going to try VBDecompiler Lite now.

disavowed

January 19th, 2013, 14:26

DeDe is for Delphi, not for VB.