VB P-Code


Spencer
March 30th, 2004, 16:31
Hi Guys,

I found a little and interesting app on the web. I suspect the possibility of this utility being a hoax and I would like to hear an opinion.

Let me explain :

First of all, this app is protected by a packer named ExeStealth, which I have already unpacked, and it presented me with a VB P-Code exe.

0040104C > $ 68 C8954000 PUSH Xxxxxxx.004095C8
00401051 . E8 EEFFFFFF CALL <JMP.&MSVBVM60.#100>

it jumps to MSVBVM60.dll and the only call to the app code is to do this:

0040A91C . B8 4C000000 MOV EAX,4C
0040A921 . 66:3D 33C0 CMP AX,0C033
0040A925 . BA B0AB4000 MOV EDX,Xxxxxxx.0040ABB0
0040A92A . 68 3E104000 PUSH <JMP.&MSVBVM60.MethCallEngine>
0040A92F . C3 RETN

and return to the VB library and call the app again for the Form Load procedure. OK, I have decompiled the target and this is what I get:

[Form]
Private Sub Form_Load()
'-=-=-=-=-=-=-= ProcAddr Range: [0040AB74 - 0040ABB0] , ProcSize: 3C =-=-=-=-=-=-=-
0040AB74: 27 08 FF LitVar_Missing PushVarError 80020004 (missing) VT_ERROR signifies an optional argument that is missing
0040AB77: 27 28 FF LitVar_Missing PushVarError 80020004 (missing) VT_ERROR signifies an optional argument that is missing

*********** Referent String: "WARNING UNAUTHORIZED! Dongle not found." ***********
|
0040AB7A: 3A 58 FF 00 00 LitVarStr PushVarString Ptr_00409C48

0040AB7F: 4E 48 FF FStVarCopyObj [local_B8]=vbaVarDup(Pop)
0040AB82: 04 48 FF FLdRfVar Push local_B8
0040AB85: F5 10 00 00 00 LitI4: Push 00000010
0040AB8A: 1B 01 00 LitStr: Push Ptr_00409B58
0040AB8D: 1B 02 00 LitStr: Push Ptr_00409BB8
0040AB90: 2A ConcatStr vbaStrCat
0040AB91: 23 78 FF FStStrNoPop SysFreeString [local_88]; [local_88]=[stack]
0040AB94: 1B 03 00 LitStr: Push Ptr_00409BC4
0040AB97: 2A ConcatStr vbaStrCat
0040AB98: 46 68 FF CVarStr
0040AB9B: 0A 04 00 14 00 ImpAdCallFPR4 Call Ptr_00401020; check stack 0014 (no return value)
0040ABA0: 2F 78 FF FFree1Str SysFreeString [local_88]; [local_88]=0
0040ABA3: 36 08 00 68 FF 48 FFreeVar Free 0008 variants : 68 FF 48 FF 28 FF 08 FF FF 28 FF 08 FF
0040ABAE: 13 ExitProcHresult
0040ABAF: 00 A4 LargeBos IDE beginning of line with A4 byte codes

Now what do you think: is it a hoax or not?

Rgds

Spencer
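As an added example (not from the post, and not VBParser's code), here is a small symbolic stack walk over the Form_Load listing above, with each opcode's effect taken from the listing's own annotations. It assumes the five arguments are pushed right-to-left, so the slots at the call read left-to-right as (prompt, buttons, title, helpfile, context); reading them as a MsgBox-style call is the reader's inference, and the target Ptr_00401020 is left unresolved.

```python
import re
# Constructed input: the Form_Load listing quoted in the post, cut off after the call.
LISTING = """\
0040AB74: 27 08 FF LitVar_Missing PushVarError 80020004 (missing)
0040AB77: 27 28 FF LitVar_Missing PushVarError 80020004 (missing)
0040AB7A: 3A 58 FF 00 00 LitVarStr PushVarString Ptr_00409C48
0040AB7F: 4E 48 FF FStVarCopyObj [local_B8]=vbaVarDup(Pop)
0040AB82: 04 48 FF FLdRfVar Push local_B8
0040AB85: F5 10 00 00 00 LitI4: Push 00000010
0040AB8A: 1B 01 00 LitStr: Push Ptr_00409B58
0040AB8D: 1B 02 00 LitStr: Push Ptr_00409BB8
0040AB90: 2A ConcatStr vbaStrCat
0040AB91: 23 78 FF FStStrNoPop SysFreeString [local_88]; [local_88]=[stack]
0040AB94: 1B 03 00 LitStr: Push Ptr_00409BC4
0040AB97: 2A ConcatStr vbaStrCat
0040AB98: 46 68 FF CVarStr
0040AB9B: 0A 04 00 14 00 ImpAdCallFPR4 Call Ptr_00401020; check stack 0014 (no return value)
"""
# Only one string pointer is resolved in the post; the others stay symbolic.
STRINGS = {"Ptr_00409C48": '"WARNING UNAUTHORIZED! Dongle not found."'}

def walk(listing):
    """Replay the listing on a symbolic stack; return [(target, args left-to-right)]."""
    stack, locs, calls = [], {}, []
    for line in listing.splitlines():
        toks = line.split(": ", 1)[1].split()          # drop the address
        i = next(i for i, t in enumerate(toks) if not re.fullmatch(r"[0-9A-F]{2}", t))
        op, args = toks[i].rstrip(":"), toks[i + 1:]   # first non-byte token is the opcode
        if op == "LitVar_Missing":                     # VT_ERROR 80020004: omitted argument
            stack.append("Missing")
        elif op in ("LitVarStr", "LitStr"):
            stack.append(STRINGS.get(args[-1], args[-1]))
        elif op == "FStVarCopyObj":                    # pop the top into the named local
            locs[re.search(r"\[(local_\w+)\]", line).group(1)] = stack.pop()
        elif op == "FLdRfVar":                         # push a reference to that local
            stack.append(f"ByRef {args[-1]}={locs[args[-1]]}")
        elif op == "LitI4":
            stack.append(str(int(args[-1], 16)))
        elif op == "ConcatStr":                        # vbaStrCat(a, b)
            b, a = stack.pop(), stack.pop()
            stack.append(f"({a} & {b})")
        elif op == "CVarStr":                          # string -> Variant, in place
            stack[-1] = f"CVar({stack[-1]})"
        elif op == "ImpAdCallFPR4":                    # 'check stack 0014' = 20 bytes = 5 args
            n = int(re.search(r"check stack ([0-9A-F]+)", line).group(1), 16) // 4
            calls.append((args[1].rstrip(";"), stack[-n:][::-1]))  # assume pushed right-to-left
            del stack[-n:]
        elif op != "FStStrNoPop":                      # stores a copy; stack untouched
            raise ValueError(f"unhandled opcode {op} at {line[:8]}")
    return calls
```

The walk ends with an empty stack and a single five-argument call whose title slot is the "Dongle not found" string, which is why the listing reads as one message box and nothing else.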

sarge
March 30th, 2004, 17:50
Do you think WHAT is a hoax...your question is not clear.

First, you start out describing an "app", which you apparently have to unpack. Then you say that (something?) presented you with a "VB P-Code exe". Do you mean that, when the app was unpacked, you discovered it was a VB program, compiled to PCode?

Now, you say you decompiled the "target". Do you mean you decompiled the VB program you just unpacked? Or did you use the program you just unpacked to decompile some other target program? Or maybe you used it to decompile itself?

Finally, what part of this operation do you think might be the hoax? If you mean does your data dump look like real, viable P-Code, well, yes it does.

The data dump format you have shown is very reminiscent of one of the PCode decompilers I have seen from (I think) China, although I have to look that up. Why not try one of the other PCode dumpers and compare the outputs?

Sarge

Woodmann
March 30th, 2004, 19:35

disavowed
March 31st, 2004, 07:03
would you mind telling us which program you used to produce that pcode output? sarge, i know you're a pcode guru too.. mind posting the name of that chinese dumper once you find it?

Spencer
March 31st, 2004, 13:40
Quote:
[Originally Posted by sarge]Do you think WHAT is a hoax...your question is not clear.

First, you start out describing an "app", which you apparently have to unpack. Then you say that (something?) presented you with a "VB P-Code exe". Do you mean that, when the app was unpacked, you discovered it was a VB program, compiled to PCode?

Now, you say you decompiled the "target". Do you mean you decompiled the VB program you just unpacked? Or did you use the program you just unpacked to decompile some other target program? Or maybe you used it to decompile itself?

Finally, what part of this operation do you think might be the hoax? If you mean does your data dump look like real, viable P-Code, well, yes it does.

The data dump format you have shown is very reminiscent of one of the PCode decompilers I have seen from (I think) China, although I have to look that up. Why not try one of the other PCode dumpers and compare the outputs?

Sarge


Hi

1 - Yes. After unpacking, I discovered that it was a VB prog compiled to p-code.

2 - I decompiled the VB prog that I had just unpacked.

3 - I mean that this is a prog that doesn't do anything. It only presents us with this error message about 20 times, on every textbox, label, button or option box. Yes, it was decompiled with VBParser. ExDec gives an error when trying to load it. P-Code Loader 4.2 works fine but, as explained, after loading it stops on the Form Load routine.

Now I used SI, OllyDbg, and nothing!!!! It seems that the prog loads the VB library and only goes out to the Form Load routine. The author uses the same error routine about 20 times, as I said, for any mouse click on Text Boxes, Command Buttons, Labels and Option Boxes.

If you want, I will send the file by e-mail for your analysis. Only by seeing this prog will you understand what I mean. It is 0.97 MB zip compressed.


rgds

Spencer

sarge
April 1st, 2004, 08:02
1.
I can be reached at sargeant_g@hotmail.com.

2.
No problem on the China stuff, if I can find it. I'll take a look this weekend. As I said, it looks very familiar...it may be that VBParser is it.

3. There are a few other analyzers you might try for VB:
a. VBRezQ
b. VBReformer
c. WKTDebugger
d. VBEditor
e. RACEVB6

Sarge

Spencer
April 2nd, 2004, 03:43
Hi,

Thanks for your reply.

I will try the tools mentioned. I already have the WKTDebugger - Loader 4.2. It works but doesn't accept any BPX on any address; it only stops at the beginning of the Form Load routine.

Target sent by email, and your opinion about it will be very, very appreciated.


Thanks again

Spencer

sarge
April 6th, 2004, 05:13
Disavowed:
I have found a cryptic note to myself referencing the "Chinese" program I mentioned. It has only an email address and a sample of decompiled code; the format of that decompiled code is similar to Spencer's post, which is why I thought it looked familiar. I really believe I have further info here someplace, but I haven't found it yet. At any rate, you may wish to contact the author. The address I have is "?jtt@yeah.net"; the "?" is either an upper case "I" or a lower case "L"; they both look the same in print. (No joke here---it really is "yeah.net".) I'll keep looking to see if I can find the actual proggie.


Spencer:
Never had a problem with the WKT breakpoints. Since the prog stops on the FORMLOAD, that is certainly the SUM (StartUp Module) for your target. You can then single step, set breakpoints, etc, like any debugger.

Sarge

Spencer
April 6th, 2004, 15:09
Hi Sarge,

I have sent you an email with this project. Sorry if you haven't received it, but you can find it at:

h**p://id-discussions.com/vbulletin/attachment.php?s=&postid=302176

This is packed with EXEStealth. You can find an unpack tool on the web at coban's site:

h**p://www.cobans.net/unstealth.php.

As I said, the decompilation of this P-code was made with VBParser 1.2. You can find it at:
h**p://www.pediy.com/tools/Decompilers/VB_pcode/VBParser/VBParser1.2.zip

But I do not consider my time on this project lost, because this was a very interesting way of coming into contact with p-code and discovering very interesting tools to play with.

Waiting for your opinions about this. For me, this is a fake program with a fake protection.

Thanks again for your time, and it is a pleasure to participate in this forum.

Rgds

Spencer

sarge
April 7th, 2004, 18:50
Spencer:
I'll check it out as soon as I can

Disavowed:
I found the proggie. It's from the China Cracking Group. It's simply called VBparser. But it's 95 percent in Chinese. Of course, it's available if you want it.

Sarge

sarge
April 17th, 2004, 11:18
Spencer:
Finally got the progs dl'ed. Sorry it took so long, been ill lately.

Now, company is sending me out of town for a few days. So I don't think I'll get to actually look at the progs until next weekend. But I won't forget!

Sarge

--------------------------EDIT-----------------------------
I am unable to DL the x-factor zip file properly...I always get an invalid file error. I'm using Win XP. Any ideas?

S

Spencer
April 18th, 2004, 16:44
Quote:
[Originally Posted by sarge]Spencer:
Finally got the progs dl'ed. Sorry it took so long, been ill lately.

Now, company is sending me out of town for a few days. So I don't think I'll get to actually look at the progs until next weekend. But I won't forget!

Sarge

--------------------------EDIT-----------------------------
I am unable to DL the x-factor zip file properly...I always get an invalid file error. I'm using Win XP. Any ideas?

S


Hi Sarge,

Take your time, no problem

No problem with XP. It's probably some file damage when sent by e-mail.

Please check my last post, where you have all the links to download the app, the unpacker and the decompiler that I used.

rgds

Spencer

sarge
April 21st, 2004, 15:49
That's my point....the DL didn't work..twice

Sarge

Spencer
April 23rd, 2004, 16:05
Quote:
[Originally Posted by sarge]That's my point....the DL didn't work..twice

Sarge



Hi Sarge,

I have tried to send an email with the x-factor, but it was returned.

Please confirm your email to spencer@faston.cjb.net

Thanks and rgds

Spencer

sarge
April 23rd, 2004, 18:53
Done!

Sarge