vb5 cracking


Viper
January 5th, 2002, 21:33
Well, I need a little help with this. I've never seen this before. I came across a program that uses MethCallEngine in the Msvbvm50.dll. Now I can't find the compare routine. Also, it doesn't work with SmartCheck {runs in SmartCheck but with no info but a repeating timer}.

I tried looking for tutors on this but failed to find any that covered this call. Anybody got any ideas?

Snatch
January 5th, 2002, 23:34
Is MethCallEngine even an export in MSVBVM50.DLL? If it is, disassemble it and look at what's going on; it shouldn't be too hard. And if it is in the VB DLL then it's doubtful that it's a protection; it should just be normal VB generated code that no one has stumbled upon yet.

Snatch

Viper
January 6th, 2002, 00:05
It is a call. Here's a clip from Quick View:

00cc 00101e51 GetMemVar
039c 00109c1b IID_IVbaHost
0063 00109c29 MethCallEngine
0056 00109cb3 ProcCallEngine
00da 00109ca3 PutMem1
00ce 00109c7c PutMem2

This is from IDA:


ENGINE:0F102FFC public MethCallEngine
ENGINE:0F102FFC MethCallEngine proc near
ENGINE:0F102FFC
ENGINE:0F102FFC arg_0 = dword ptr 4
ENGINE:0F102FFC
ENGINE:0F102FFC sub [esp+arg_0], eax
ENGINE:0F103000 mov ecx, offset unk_F0FE302
ENGINE:0F103005 jmp loc_F0FD243
ENGINE:0F103005 MethCallEngine endp

jumped call...

loc_F0FD243: ; CODE XREF: ProcCallEngine+Fj
ENGINE:0F0FD243 ; MethCallEngine+9j
ENGINE:0F0FD243 push ebp
ENGINE:0F0FD244 mov ebp, esp
ENGINE:0F0FD246 sub esp, 78h
ENGINE:0F0FD249 push ebx
ENGINE:0F0FD24A push esi
ENGINE:0F0FD24B push edi
ENGINE:0F0FD24C mov ebx, edx
ENGINE:0F0FD24E mov [ebp-50h], ebx
ENGINE:0F0FD251 mov [ebp-6Ch], ecx
ENGINE:0F0FD254 mov edx, dword_F10F064
ENGINE:0F0FD25A or edx, edx
ENGINE:0F0FD25C jnz loc_F10356B
ENGINE:0F0FD262 mov edx, dword_F10F06C
ENGINE:0F0FD268 mov edi, [ebx]
ENGINE:0F0FD26A mov esi, [edi+34h]
ENGINE:0F0FD26D mov [ebp-54h], esi
ENGINE:0F0FD270 mov esi, [edi+4]
ENGINE:0F0FD273 mov esi, [esi+14h]
ENGINE:0F0FD276 mov esi, [esi+0Ch]
ENGINE:0F0FD279 mov [ebp-2Ch], esi
ENGINE:0F0FD27C

From what I can see, it's like this calls all the VB exports.
Hmm, I think I just got lost again.

josephCo
January 6th, 2002, 04:28
You would have a VB5 PCode program on your hands. 2 options for live debugging: WKT debugger and SoftICE (with symbols loaded). With symbols loaded, BPX DOEXDISP and that should break you at the first excode that is executed (SoftICE). WKT debugger will have its own options (it's a nice tool).


Good luck!!


joe

Viper
January 6th, 2002, 11:03
Thanks for the point in the right direction. I tried WKT and after the app starts it causes a GFP in the MSVBVM50.DLL, so now I'm off to try SI.

Later
Viper