Microsoft MSO.DLL (Product Activation)
Nad_Af
May 25th, 2004, 21:29
Hello:
Some products of Microsoft use the DLL "MSO.DLL" for the activation procedure. I found that the activation method by using telephone (as in Visual Studio .NET) is:
Calling DepositConfirmationId(LPCTSTR bstrVal), passing it the ID provided. If the function returns 0, it means success; otherwise, I always got 0xCCCCCCCC.
Now, the DepositConfirmationId function is in the ILicAgent Interface.
I tried to debug a program I created to see how the function can return 0, but I was lost in the function body:
Code:
// MFC ClassWizard-style dispatch wrapper: routes the call through
// IDispatch::Invoke on dispid 0x5f with one BSTR argument and
// expects a VT_I4 result back.
unsigned long ILicAgent::DepositConfirmationId(LPCTSTR bstrVal)
{
    unsigned long result;
    static BYTE parms[] = VTS_BSTR;
    InvokeHelper(0x5f, DISPATCH_METHOD, VT_I4, (void*)&result, parms, bstrVal);
    return result;
}
How can I know the method the function is based on? (I mean how to follow the debug code in SoftIce)
Is the MSO.DLL code for the function loaded into my app address space?
djnz
May 26th, 2004, 18:06
Hey,
Obviously, you'd need to step into the InvokeHelper function to get to the code which actually invokes the method.
Could you elaborate on where the snippet is from and perhaps rephrase your question (I'm afraid I don't see what your problem is)?
Thanks.
Nad_Af
May 26th, 2004, 23:54
Actually, I am trying to activate Visual Studio .NET 2002 using telephone method. The serial you enter in the text boxes is concatenated and passed to the function DepositConfirmationId to check and complete the registration.
My question is: Is it possible to know where exactly the code of the function DepositConfirmationId resides in the DLL (the virtual address, file offset, exported function), so I can unassemble it? Because when I tried to debug the program, I got lost in the big OLE code: too many calls, jumps and pushes.
Is it clear, now?
dELTA
May 27th, 2004, 06:33
As far as I understand, you are looking for a way to get the entrypoint of a function exported in a COM interface by a module? There are several COM analysis tools, try to search for "COM analysis", "COM reverse" etc.
Also, this one might be good:
http://www.ddevel.com/Home/Main.asp
djnz
May 27th, 2004, 07:38
Yeah, i get it now.
You want to locate a method of a COM object.
COM objects implement one or more interfaces; each interface has its own methods.
The methods of all the interfaces that an object implements are stored in the object's virtual function table (vft).
The order in which the methods are stored is pre-defined: for each interface the methods are stored in the same order as in the interface definition.
The interfaces' methods are ordered from the top of the inheritance tree, that is, the methods of the base interface are stored first.
The first argument to all methods in the vft is a pointer to an instance of the object (the memory allocated for the object).
In MSVC++ the entries in the vft point to compiler-generated stubs, which set the *this* pointer and call the actual method.
A pointer to the vft is stored in the first 32-bit word of the object's instance data.
So, once you have the vft of a COM object, you've got pointers to all its methods.
The easiest way to locate the vft is using IDA (you could also do it from SoftIce, but I'd need more information on where you're at to give an explanation).
If you can get the com interface plugin (http://www.datarescue.com/freefiles/com_plugin_V1_21.zip) to work, then that should name the methods for you.
The plugin didn't work for me, so what I did was a binary search for the uuid of ILicAgent, because the uuid is needed for the implementation of IUnknown::QueryInterface, which all COM objects implement.
I found one instance of the uuid in the text section, but there were no references to it, since IDA wasn't finished with its analysis.
I then did a new search for the virtual address of the uuid, which turned up one result, in a function which has the characteristics of a C++ constructor.
One of the last instructions in the function was obviously initializing the vft pointer of the object instance:
mov dword ptr [esi], offset vftILicAgent
So, now all that remains is to locate the right entry in the vft.
The first methods belong to IUnknown, then IDispatch, and finally come the methods of ILicAgent.
Have fun.
nikolatesla20
May 27th, 2004, 10:23
http://www.woodmann.net/forum/showthread.php?t=5046&highlight=matt
and
http://www.woodmann.net/forum/showthread.php?t=5437&highlight=vtable
-nt20
Nad_Af
May 27th, 2004, 21:12
Could you tell me how to locate it (the entry) exactly, please?
Nad_Af
May 28th, 2004, 00:27
Hello:
I tried CoClassSyms with MSO.DLL but Windows displayed a runtime error while the program was executing.
Could you generate the debug file for me, please?
I don't have IDA; how can I use it in SoftIce?
Quote:
[Originally Posted by nikolatesla20]http://www.woodmann.net/forum/showthread.php?t=5046&highlight=matt
and
http://www.woodmann.net/forum/showthread.php?t=5437&highlight=vtable
-nt20
nikolatesla20
May 28th, 2004, 08:36
Just curious, how did you know it's MSO.DLL that does the activation, and how did you originally come upon the ILicAgent interface...
Stupid questions, but I haven't looked at many windows components like this lately.
-nt20
Nad_Af
May 28th, 2004, 20:30
Well, I might be wrong, but I don't think so. The call to the ILicAgent interface resides in a .DLL file, in a .HTML page, as JScript code. The Activation assistant uses this code when you try to activate by telephone; I found this by debugging using SoftIce.
You can check that yourself!!
Could anyone generate the .DBG file for me, please?
Quote:
[Originally Posted by nikolatesla20]Just curious, how did you know it's MSO.DLL that does the activation, and how did you originally come upon the ILicAgent interface...
Stupid questions, but I haven't looked at many windows components like this lately.
-nt20
djnz
May 29th, 2004, 10:04
Quote:
[Originally Posted by Nad_Af]Could you tell me how to locate it (the entry) exactly, please?
InvokeHelper is an MFC function which prepares the arguments for a call to IDispatch::Invoke and processes the return value.
Think about this for a minute.
What's required to make a call to an interface method?
What would such a call look like?
Nad_Af
May 29th, 2004, 16:31
Thanks, but I don't know much about COM programming. Can you explain more?
Quote:
[Originally Posted by djnz]InvokeHelper is an MFC function which prepares the arguments for a call to IDispatch::Invoke and processes the return value.
Think about this for a minute.
What's required to make a call to an interface method?
What would such a call look like?
Solomon
May 30th, 2004, 06:00
Try this:
COM Plugin V 1.2 by Dieter Spaar
hxxp://www.sport-und-event.de/backtrace.de/plugins.htm
Nad_Af
May 31st, 2004, 15:50

I don't have IDA?
Does it work within SoftIce or C/C++ itself?
Quote:
[Originally Posted by Solomon]Try this:
COM Plugin V 1.2 by Dieter Spaar
hxxp://www.sport-und-event.de/backtrace.de/plugins.htm
Nad_Af
June 1st, 2004, 14:44
I have downloaded IDA, but the plugin doesn't work with MSO.DLL; it seems that nothing works with this DLL.
I just want to know how to determine the RVA of the function (DepositConfirmationId) in MSO.DLL from its Type Library (.tlb)?
After I have loaded the .EXE that uses MSO.DLL, where does the code for DepositConfirmationId reside? (In MFCO42D.DLL, MFC42.DLL, OLE32.DLL?)

nikolatesla20
June 1st, 2004, 15:30
The 2 links that I gave you GIVE YOU THE INFO you seek. Try reading BOTH threads in full!
In some cases, you CAN'T just get the VA from the tlb, because the object might only have a dispatch interface, in which case there will BE NO VA TABLE! In this case, you'll have to try to step thru the Invoke() routine to land in the code you seek.
READ READ READ ! I know it takes effort, but it's the only way to learn!
Quote:
Thanks, but I don't know much about COM programming. Can you explain more?
You've convicted yourself here...learn MORE about COM programming then! There is plenty of info on the 'net.
-nt20
Nad_Af
June 3rd, 2004, 00:49
Well, I know that, but I don't even know where the DepositConfirmationId code resides. Which DLLs should I search?
Quote:
[Originally Posted by nikolatesla20]The 2 links that I gave you GIVE YOU THE INFO you seek. Try reading BOTH threads in full!
In some cases, you CAN'T just get the VA from the tlb, because the object might only have a dispatch interface, in which case there will BE NO VA TABLE! In this case, you'll have to try to step thru the Invoke() routine to land in the code you seek.
READ READ READ! I know it takes effort, but it's the only way to learn!
You've convicted yourself here...learn MORE about COM programming then! There is plenty of info on the 'net.
-nt20
nikolatesla20
June 3rd, 2004, 09:58
First you have to become familiar with the structure of IDispatch. GetIDsOfNames is part of the IDispatch interface. Once you know the correct offset of the GetIDsOfNames routine, you can query for an IDispatch pointer, and then put a bpx on the offset from the pointer you get. This would then be a BPX on GetIDsOfNames. You can then watch for the name (it will be a BSTR or a char string) to come thru as an argument, and then see which ID it returns.
Better yet, you could put a BPX on Invoke() and go from there..
IDispatch interface: in vtable order
(IUnknown part)
QueryInterface
AddRef
Release
(IDispatch part)
GetTypeInfoCount
GetTypeInfo
GetIDsOfNames
Invoke
If you query for an IDispatch interface (Use QueryInterface on the original object, and ask for an IDispatch interface), and you get a pointer back, then [pointer + sizeof(DWORD)*6] will be the GetIDsOfNames address. Notice the dereference !
[pointer to IDispatch + sizeof(DWORD)*6]
the value at this address will be the address of GetIDsOfNames in memory. Now you can BPX on this address, and when a program tries to call it, such as a VBScript that does any function call on the object, you should break. You could also alternatively set a BPX on Invoke().
If unsure, then you can always make your own simple COM object using VC++, and then debug it with Olly and watch how it works. Throw some strings in it so you can see them in the disasm, and know where you are.
-nt20
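As an added illustration of the vft layout described in djnz's post and the IDispatch slot order listed by nikolatesla20 above (example code written for this page, not taken from the thread), here is a plain-C model of a COM object whose vtable starts with IUnknown and IDispatch in that order and then carries the object's own methods. `Obj`, the stub functions and the extra own-method slot are assumptions; the point is the two dereferences from an interface pointer to a method address, with slots counted from zero.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a COM object in plain C (assumption: no real COM headers).
 * The vft keeps the order from the posts: IUnknown, IDispatch, then the
 * object's own interface methods. Bodies are stubs; only the layout matters. */
typedef struct Obj Obj;
typedef long (*Slot)(Obj *self);           /* every method gets the object as arg 1 */

enum {                                     /* zero-based vft slot indices */
    SLOT_QueryInterface = 0, SLOT_AddRef, SLOT_Release,      /* IUnknown   */
    SLOT_GetTypeInfoCount, SLOT_GetTypeInfo,                 /* IDispatch  */
    SLOT_GetIDsOfNames, SLOT_Invoke,
    SLOT_FirstOwnMethod                    /* 7: first method of the derived interface */
};

static long stub_QueryInterface(Obj *s)   { (void)s; return 0; }
static long stub_AddRef(Obj *s)           { (void)s; return 1; }
static long stub_Release(Obj *s)          { (void)s; return 0; }
static long stub_GetTypeInfoCount(Obj *s) { (void)s; return 0; }
static long stub_GetTypeInfo(Obj *s)      { (void)s; return 0; }
static long stub_GetIDsOfNames(Obj *s)    { (void)s; return 0; }
static long stub_Invoke(Obj *s)           { (void)s; return 0; }
static long stub_OwnMethod(Obj *s)        { (void)s; return 0; }  /* hypothetical own method */

static Slot vft[] = {
    stub_QueryInterface, stub_AddRef, stub_Release,
    stub_GetTypeInfoCount, stub_GetTypeInfo, stub_GetIDsOfNames, stub_Invoke,
    stub_OwnMethod
};

/* Instance data: the vft pointer is the first word ("mov [esi], offset vft"). */
struct Obj { Slot *vft; long refcount; };

Obj *init_obj(Obj *o) { o->vft = vft; o->refcount = 1; return o; }

/* Two dereferences: [obj] gives the vft, [vft + idx*sizeof(void*)] the method. */
Slot method_at(Obj *o, int idx) { return (*(Slot **)o)[idx]; }

/* Byte offset of a slot inside the vft (pointer-sized entries). */
size_t slot_offset(int idx) { return (size_t)idx * sizeof(void *); }

/* Map an IUnknown/IDispatch method name to its slot index; -1 if not one of them. */
int dispatch_slot(const char *name) {
    static const char *names[] = { "QueryInterface", "AddRef", "Release",
        "GetTypeInfoCount", "GetTypeInfo", "GetIDsOfNames", "Invoke" };
    for (int i = 0; i < 7; i++)
        if (strcmp(names[i], name) == 0) return i;
    return -1;
}

int main(void) {
    Obj o; init_obj(&o);
    printf("GetIDsOfNames: slot %d, vft offset %zu, resolves to stub: %d\n",
           dispatch_slot("GetIDsOfNames"), slot_offset(SLOT_GetIDsOfNames),
           method_at(&o, SLOT_GetIDsOfNames) == stub_GetIDsOfNames);
    return 0;
}
```

On a 32-bit target the offsets are multiples of 4, so the IDispatch slots span the first 28 bytes of the vft and any interface-specific method starts at offset 28 or later.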