
View Full Version : VB p-code IDA plugin


banshee
April 27th, 2003, 17:08
Anybody ever heard about a plugin for IDA to decompile Visual Basic p-code? On that page Ilfak says that such a thing is impossible because "its format and descriptions are not available".

h**p://www.datarescue.com/cgi-local/ultimatebb.cgi?ubb=get_topic&f=1&t=000406&p=

But there is WKTVBDE, which allows debugging p-code VB apps. And I assume the authors of that tool have a complete definition of all opcodes. What would they say? (If they're here.)

disavowed
April 27th, 2003, 19:07
as impressive a tool as wktvbde is, i don't think the authors have a complete definition of all the pcode "opcodes" (this is by no means meant to take away from the program or the authors.. i think it's an outstanding piece of work). i think ilfak might mean that microsoft hasn't publicly published the format and descriptions, and if ida were to support pcode, it would have to rely on information gathered through illegal reverse engineering (i say illegal because it of course is illegal to reverse engineer most any piece of microsoft code). i don't think ilfak wants any kind of legal trouble.

note that this is all based on assumptions, and i don't know for sure that these are the facts

mrsilver
April 28th, 2003, 13:27
Hi all! First of all, we (mr silver and mr snow) gathered the opcode information through reverse engineering methods. If you check the help file that comes with WKTVBDebugger you'll see that we've included all the opcode tables, including the name of each opcode and their size. We know that IDA is a commercial product, so it's clear that Ilfak doesn't want any kind of trouble with M$. Any experienced C programmer could build that plugin you mention here by working with the info provided either by wktvbdebugger or exdec, and of course never forget the debugging symbols of the VB virtual machine; you can download them from M$. If any of you are interested, I wrote some papers (only in Spanish) talking about how we got all this info and put it together to build the debugger, so just let me know and I'll drop them here.

Mr. Silver

dELTA
April 28th, 2003, 18:18
Thanks for the info mrsilver, you are very welcome to share your papers here.


dELTA

naides
April 28th, 2003, 20:21
I volunteer to do the translations if more than 5 ppl are interested

PM me

mrsilver
April 29th, 2003, 02:52
Here it is, it was posted in a Spanish mailing list some time ago. I don't have the time to translate it cos I wrote this paper from my own notes and from scratch.
Mysteriously M$ has removed some links that I'm pointing to here; I don't know the reason.

If you need more info just let me know and i'll try to do my best.

dELTA
April 29th, 2003, 13:45
Thanks mrsilver, now all I have to do is learn spanish, and I'm all set to go.

Naides, I'm sure more than 5 people are interested, it would be great if you could translate it!

Ok, come on people, put your signatures below, we need 5 of them.


dELTA


PS.
Everyone not signing this will be kicked/banned from the board.

JMI
April 29th, 2003, 13:57
Well then allow me to add the ubiquitous: ME TOO (he said shouting). If you want, I'll sign in as some other people and post their names also...

Regards (from the mySQL wanabe expert with much to learn),

LOUZEW
April 29th, 2003, 14:38
OK naides, dELTA, JMI and maybe others.
You can count me in too!
I'm waiting for a translation, cause I can understand nothing (wrong: only 3 or 4 words in Spanish).

Thanks for your help!

Hopcode
April 29th, 2003, 14:49
hey hey

I'm also interested in p-code information!
Count me in

mrsilver
April 29th, 2003, 15:17
Hi all again, seems that people are interested in the info. As I said before, I'm busy these days (mainly finishing BDASM and its web page and all the stuff that involves), so I don't know when I'll be able to translate these papers; I'll try to ask some of my Spanish friends to translate them to English. By the way, if anybody reading this understands Spanish, please translate them if you have the time.

While the papers are waiting for translation i could point all of you to the following forum about vb decompilation:

http://www.decompiler.com

There you'll find some VB internal specifications published recently by other fellows.

Keep the good work friends

dELTA
April 29th, 2003, 15:50
mrsilver, I understand that you are busy and don't have time for translations (thanks for the forum link btw). If you look above in this thread, naides has already volunteered to do the translation if more than 5 people were interested, that's why I was asking for people to show their interest, not to pressure you.

Anyway, two signatures to go people...
*hovering mouse over mass-ban button*

Btw, I saw someone called "golem" was a moderator back at that forum, I wonder if it's our old friend...


dELTA

naides
April 29th, 2003, 17:33
OK guys I am working on it. Gimme 24 hours

disavowed
April 29th, 2003, 19:16
Quote:
Originally posted by dELTA
Btw, I saw someone called "golem" was a moderator back at that forum, I wonder if it's our old friend...

hah.. the troll

JMI
April 30th, 2003, 01:56
Didn't he get a job on "Lord of the Rings"?

Regards,

mrsilver
April 30th, 2003, 02:15
Hey naides, after you translate it, it would be good if you could send me a copy to mrsilver@softhome.net and I'll take a quick look at it before you post it here, just to increase the correctness with respect to the original one.

Mr. Silver

Polaris
April 30th, 2003, 06:14
Really a good idea!

I was thinking about writing some IDA plugin... So let's do this!!
Seems to be really interesting ! !

Just awaiting some doc (in english) to start development.

Byeezzz

naides
April 30th, 2003, 07:52
Quote:
Originally posted by mrsilver
Hey naides, after you translate it, it would be good if you could send me a copy to mrsilver@softhome.net and I'll take a quick look at it before you post it here, just to increase the correctness with respect to the original one.

Mr. Silver


I was planning to do that.

naides
April 30th, 2003, 20:57
OK, I sent my translation to Mr Silver for proof-reading and corrections. Either he will post it here or I will when he gives me the green light.

mrsilver
April 30th, 2003, 22:28
Ok naides, I've got the translation but it's too late here now (5:16), gonna go to sleep now. I'll check it tomorrow and post the corrections directly here during the morning to avoid delaying it (if you don't mind).

Nites ... xD

mrsilver
May 1st, 2003, 11:48
Here is the translation, let me know if you need more help.

xixiaolou
May 1st, 2003, 22:43
to mrsilver:

Sir:
I also study the decompilation of VB6 apps.
Though I can do as well as VBDE, I find your knowledge of VB decompilation is far more advanced than mine. Especially the p-code app structure shown in WKT VB debugger "advanced info" and your recognition of the IDispatch vptr used in p-code, such as
402780: 80 VCallAd: crackme1.text

I wonder how you can do it? Did you just disassemble msvbvm60.dll, or see it in vb6.olb?
Also I find some vptrs are lost in IDispatch or in vb6.olb, do you know the reason?

As you know, the structures of both native and p-code VB6 apps are the same. May I suggest you extract the function "advanced info" in WKT VB debugger as a single piece of software?

I think for developing an IDA plugin, the difficulty is in recognizing the start of the p-code data and what the name of this event is, not the p-code opcodes. Do you think so?

my mail: xixiaolou(at)hotmail(dot)com
I mailed you last week, but no reply.

mrsilver
May 2nd, 2003, 03:40
About the information shown by wktvbdebugger in the advanced info, it's all documented in the link I posted days ago (http://www.decompiler.com). About how to recognize methods called by objects, it's a bit weird, I've got to re-read my own code cos I don't remember very well how I did it. As far as I remember, part of the opcode is an index (well, you need to divide it by 4 to get the real index); after that you should use that index in the method table of that specific table to get the name of the method. That method table is hardcoded in wktvbdebugger because it's not located in the VM. How do you get the table of each object? It's fairly easy: there is a .tbl file (these kind of files that you register inside the VB compiler to make your controls work, vb5???.tbl maybe, I don't have the file on my PC to check it) that contains the names and properties of the objects. I was able to extract these tables and hardcode them inside wktvbdebugger. I've used a program that comes with VB which shows you the hierarchy and structure of every object (I also don't remember the name and I don't have VB installed on my machine now to verify it).
This is an example of the table for a timer object that I've extracted:


VB5Sym_Tab VB5Symb_Timer[39]= {
"QueryInterface",
"__stdcallAddRef",
"__stdcallRelease",
"GetTypeInfoCount",
"GetTypeInfo",
"GetIDsOfNames",
"Invoke",
"HctlDemandLoad",
"ChkProp",
"SetPropA",
"GetPropA",
"GetPropHsz",
"LoadProp",
"SaveProp",
"GetPalette",
"Reset",
"get_DefaultProp",
"put_DefaultProp",
"get__ipropCTLNAMETIMER",
"put__ipropCTLNAMETIMER",
"get__ipropINDEXTIMER",
"put__ipropINDEXTIMER",
"get__ipropENABLEDTIMER",
"put__ipropENABLEDTIMER",
"get__ipropINTERVALTIMER",
"put__ipropINTERVALTIMER",
"get__ipropPARENTTIMER",
"put__ipropPARENTTIMER",
"get__ipropTAGTIMER",
"put__ipropTAGTIMER",
"get__ipropLOCATIONTIMER",
"put__ipropLOCATIONTIMER",
"get__ipropLEFTNORUNTIMER",
"put__ipropLEFTNORUNTIMER",
"get__ipropTOPNORUNTIMER",
"put__ipropTOPNORUNTIMER",
"meth__imethADDITEM",
"meth__imethREMOVEITEM",
"meth__imethCLEAR"
};

get__* means you can retrieve the info for this property

put__* means you can set the value of the property

meth__* means that it's a method

and there are other common methods for every object like QueryInterface

Hope these give you some clues

dELTA
May 2nd, 2003, 06:34
Thanks for the translation naides, and thanks for the proof-reading and original document mrsilver!


dELTA

banshee
May 2nd, 2003, 12:02
naides & mrsilver:
Thanks for translation and sharing the information.

mrsilver:
Do you have a p-code instruction explanation? I mean, what this or that command does. I understand that such a reference won't be full (I actually think it can't be full), but at least the most common opcodes? As far as I understand, the structure of some mnemonics is slightly similar to x86 floating-point instructions and could be understood with a little assumption. But the others make a problem. I have two papers explaining that thing - one from John Chamberlain who wrote an article at the Programmer's Heaven site (you should know, because you added comments there) and the other one is from h**p://www.decompiler.theautomaters.com. Both papers are not full. I'm trying to merge them and if you share some information (of course, if you have it) I'd add it to the result file too. I think nowadays it's an exciting topic and some people would be interested in such a thing.

xixiaolou
May 2nd, 2003, 22:28
dear mrsilver:
Thanks for your reply.
2 Questions:

(1) you defined the IDispatch table of timer
VB5Sym_Tab VB5Symb_Timer[39]= {
"QueryInterface",
"__stdcallAddRef",
"__stdcallRelease",
"GetTypeInfoCount",
"GetTypeInfo",
"GetIDsOfNames",
"Invoke",
"HctlDemandLoad",
"ChkProp",
"SetPropA",
"GetPropA",
"GetPropHsz",
"LoadProp",
"SaveProp",
"GetPalette",
"Reset",
......

From the first to the seventh, the vptrs are the standard beginning of the IDispatch table, but how do you know the other vptr names, such as "HctlDemandLoad", which is not indexed in vb6.olb?


(2) in the textbox control, we can define the IDispatch table
......
Property Get _Default() As String ' call DWORD PTR [IDispatch+0x0040]
Property Let _Default(RHS As String)
Property Get Name() As String ' call DWORD PTR [IDispatch+0x0048]
Property Get Index() As Integer ' call DWORD PTR [IDispatch+0x0050]
......

but after the vptr:
Property Get OLEDropMode() As Integer ' call DWORD PTR [IDispatch+0x01F0]
is
Property Get CausesValidation() As Boolean ' call DWORD PTR [IDispatch+0x0230]
That means some vptrs are lost, do you know why?

mrsilver
May 3rd, 2003, 19:55
Which program are you using to see the object info?

xixiaolou
May 3rd, 2003, 20:32
There are some apps that can do it, such as the MS OLE viewer with VB6 installed, tlbviewer, or you can even write a tiny program using tlbinf32.dll to see the objects in an ActiveX or OLB.

About question 2, I see in vb6.olb the index and the order of the vptrs. Try to write a demo in VB6. So I find some vptrs are lost in it; the reason is some vptr indexes are not continuous.

mrsilver
May 3rd, 2003, 20:36
I've documented a few opcodes of the VM just to give you an example:

04 FLdRfVar -> Loads a reference to a variable into the stack. Usually references to local variables of the
current routine.

VB6:
Size: (3 bytes)
Format: 04h / SIGNED WORD Offset

Offset: Signed displacement to add to the current stack address (EBP). The result
points to an address containing a number to add to the computed address (EBP+Offset).
The result is a pointer to a local variable.

1c BranchF -> Branch if False, Jumps if the word pointed by ESP is equal to 0

VB6:
Size: (3 bytes)
Format: 1Ch / WORD Size

Size: A word indicating the number of bytes to add to the address of the
current routine or function where the BranchF is located. To obtain the
jump address you must add the relative address and the size.

To get the relative address of the current routine you must get the dword
placed on (EBP-58h)

23 FStStrNoPop : Stores a pointer to a widechar string into the stack.

Size: (3 bytes)
Format: 23h / SIGNED WORD Stack Offset

StrOffset: A signed WORD to add to EBP. The result is an address
containing the pointer to the widechar string.

On ESP you'll find the pointer to the WideChar stored in StrOffset.


64 NextI2:
VB6:
Size (5 bytes)

Format: 64h / SIGNED WORD Unknown WORD jump Offset

Jump Offset: Displacement to add to the entry point of the current routine.
This entry point is stored in EBP-58h. ESP points to a signed word containing the
current loop counter.

These are a few of the opcodes that we've documented. Most of them work in similar ways; I think it is not hard to find what each opcode does, it's simply a matter of tracing the routine that interprets the opcode and also looking at the dead listing of the VM. I leave the door open for you guys to try to figure out some of the opcodes :-)

An important thing to note is that the interpreter always uses the stack to manage everything, so it's very important you dig inside the values pointed to by ESP. As a clue, these values always contain the following:

ebp-58 -> contains a pointer to the current running routine or procedure.

ebp-50 -> a pointer to the current Form (the form object structure is defined on the www.decompiler.com forum)

ebp-54 -> pointer to a table of pointers to wide char strings (these are the string references, if you prefer)

This information is quite useful and gives you a lot of clues on how to figure out the rest of the things, so go ahead; the point of all this is learning.

Mr. Silver
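The four opcode formats mrsilver documents above (04 FLdRfVar, 1C BranchF, 23 FStStrNoPop, 64 NextI2) are enough to write a small decoder that resolves branch targets against the routine entry kept at EBP-58h. This is an added example, not code from WKTVBDebugger or from any poster; the byte stream and the entry address are constructed here, and anything outside those four opcodes is rejected rather than guessed.

```python
import struct

# Opcode byte -> (mnemonic, total instruction size in bytes), as documented in the post.
OPCODES = {
    0x04: ("FLdRfVar", 3),      # 04h / SIGNED WORD offset from EBP
    0x1C: ("BranchF", 3),       # 1Ch / WORD displacement from routine entry
    0x23: ("FStStrNoPop", 3),   # 23h / SIGNED WORD stack offset from EBP
    0x64: ("NextI2", 5),        # 64h / SIGNED WORD (unknown) / WORD jump displacement
}


def decode(code, routine_entry):
    """Decode a p-code byte string whose first byte sits at routine_entry (the
    value the post says is stored at EBP-58h).  Returns a list of
    (address, mnemonic, operand text, branch target or None).  Only the four
    documented opcodes are handled; anything else raises instead of being
    silently mis-decoded."""
    listing = []
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError("undocumented opcode %02x at %08x" % (op, routine_entry + pc))
        name, size = OPCODES[op]
        if pc + size > len(code):
            raise ValueError("truncated %s at %08x" % (name, routine_entry + pc))
        addr = routine_entry + pc
        target = None
        if op == 0x04:
            (off,) = struct.unpack_from("<h", code, pc + 1)
            operand = "[ebp%s]" % format(off, "+#x")      # reference to a local variable
        elif op == 0x1C:
            (disp,) = struct.unpack_from("<H", code, pc + 1)
            target = routine_entry + disp                # entry address + size, per the post
            operand = "%08x" % target
        elif op == 0x23:
            (off,) = struct.unpack_from("<h", code, pc + 1)
            operand = "widestr [ebp%s]" % format(off, "+#x")
        else:  # 0x64 NextI2: unknown signed word, then the loop-back displacement
            unknown, disp = struct.unpack_from("<hH", code, pc + 1)
            target = routine_entry + disp
            operand = "?=%#x, loop %08x" % (unknown, target)
        listing.append((addr, name, operand, target))
        pc += size
    return listing


# Constructed sample stream (not taken from a real binary):
# FLdRfVar [ebp-4c], BranchF +0ch, FStStrNoPop [ebp-50], NextI2 back to entry+3.
SAMPLE = bytes.fromhex("04b4ff" "1c0c00" "23b0ff" "6400000300")
ROUTINE_ENTRY = 0x401000  # constructed value standing in for the dword at EBP-58h

if __name__ == "__main__":
    for addr, name, operand, _ in decode(SAMPLE, ROUTINE_ENTRY):
        print("%08x  %-12s %s" % (addr, name, operand))
```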

banshee
May 4th, 2003, 02:26
Thanks mrsilver, I supposed something like that.

OK, it's time to get hands dirty

sarge
May 31st, 2003, 07:42
Well, it has been a long time since I was here last. And I am very excited to see a thread about VB decompilation. I am especially excited to see that Mr. Silver (and, presumably, Mr. Snow) are "real" people! Gentlemen, you have no idea how much your program has helped me in my quest to understand the internals of VB. Incidentally, I was the one who pointed out a small problem you had with file overwriting on the install; you probably don't recall it, as it was a long time ago.

For those of you who are sincerely interested in VB RE, here's a couple of items of interest...

The extensive discussions on the decompiler.com MB are no more. Due to "space restrictions", months and months of work, discussions, and secrets are gone. However, a very good (but not perfect) source of info can be found at "decompiler.theautomaters.com". Yes, you will see me there too, as an avid contributor.

(Con't next msg)

sarge
May 31st, 2003, 07:51
Although there are a few errors in the structure hierarchies, for the most part, it's good stuff. It includes structure info for each type of object/project/form, etc, with offsets and pointers to flags, child structures, etc,....right down to finding the PCode/NCode for each event and function! Make use of this, guys! And, please feel free to post any thoughts, comments, corrections, etc.

As for a start in actually decompiling stuff, may I offer two contributions...at decompiler.com, in the EXTRAs section, are two programs RACE and SKELETON (both are mine, I take responsibility for them). RACE will analyze many VB6 exe's and give you some interesting output; SKELETON, which includes source code, will show you how to analyze a PE file to determine if it IS a VB6 file, and how to find the reference pointers that are used as the starting point in the previously mentioned structures.



Now, having all this info (and it IS a lot), and a few VERY interested parties that I know, can we put together something? How about that IDA plugin? How about a really good VB decompiler? How about....???

Enjoy!

Sarge

sarge
May 31st, 2003, 08:06
Hmm, it seems I haven't mentioned the very subject that prompted me to write, opcodes. There are somewhere in the vicinity of 1000 of them by number, but not all are active. And, don't get caught up in the "illegal opcode" trap. Many times you will see such an opcode in the pcode symbols of an exe, and wonder why/how the program could possibly have been compiled in that manner. You should be aware that (oh, oh, here comes a VB "secret") the exe contains more info in its code than just the symbols for the source code equivalents. The "illegal opcodes" are that extra info, and have no effect on the actual step-by-step opcode functions.

But I think that's getting too far ahead, although granted I don't know the extent of the knowledge of VB that is available on this board. I do know, from my long tenure here, that there are some very intelligent people here, and that we could make a lot of progress very fast.

And, IMHO, it is not difficult to make a PCode decompiler that can give me near-English decoding of the PCodes. If you look at the output file from RACE, you can see that it is only one more step to get there.

Mr. Silver & Mr. Snow, please keep yourselves available here. I know that it may be difficult to draw the line between having the knowledge to create such a program as yours, and at the same time giving that knowledge away in a forum like this. Further, you are (and you know you are) only one step away from such a decompiler yourselves. But, man, if we work together, we can blow MS VB out of the water!

Thanks, all, for your time. In the future, I'll try not to hog the thread.

Sarge

sarge
May 31st, 2003, 08:08
Ok, it should be "h??p://decompiler.theautomaters.com"

Sarge


---------------
Um, I posted this before I figured out how to edit. I guess you moderators can remove this post if you like, now that I've edited the original posts.

Polaris
June 1st, 2003, 07:13
After having collected some experience in IDA pro plugin development, I would like to point out that a "plugin" will not be enough for this project.

The problem is solvable in 2 ways:

- developing an ida-pro processor module
- developing a standalone p-code disassembler

In my opinion, we would have to go standalone (dealing with IDA deep internals is not the most relaxing thing to do...)

dreamwalker509
June 6th, 2004, 18:37
Will Mr Silver ever release a decompiler?
Impressive paper Mr Silver.... you must've stayed up late many nites

Just wondering...