VB Decompiler

[MrUnleaded]

I figured its about time i repost what i have for commonApp 1.0 seeing how i am just about done....just need to do one thing now....and im very close....as soon as i finsih i will post it.

Feel free to post what you have also

[MrUnleaded]

heres this_is_the_project_title.vbp

Code: Select all

1. Type=Exe
2. Form=Form\frmMain.frm
3. Module=Module\modMain.bas
4. HelpFile="help_file_name.hlp"
5. Title="this_is_the_project_title"
6. ExeName32="CommonApp"
7. Name="this_is_the_project_name"
8. CompilationType=-1

modMain.bas
[vb]

1. VERSION 5.00
2. Attribute VB_Name = "modMain"
3.  
4. Option Explicit
5.  
6.  
7. ' Procedure modMain_1C48
8. 7231:
9. 7232:   Call modMain_1EC8()                    
10. 7237:                                           
11. ' End Procedure
12.  
13.  
14. ' Procedure modMain_1EC8
15.     Dim local_A4 As Variant
16. 7791:
17. 7792:                                           
18. 7795:                                           
19. 7798:                                           
20. 7801:                                           
21. 7806:   
22. 7811:   local_A4 = "tester called"              
23. 7814:   
24. 7817:   Call MsgBox(local_A4, 0)
25. 7822:   
26. 7833:                                           
27. 7836:                                           
28. 7840:                                           
29. 7843:                                           
30. 7846:                                           
31. 7849:   .                                      
32. 7854:   
33. 7857:                                           
34. 7860:   
35. 7861:                                           
36. 7864:   
37. 7865:                                           
38. 7868:                                           
39. 7871:   .                                      
40. 7876:                                           
41. ' End Procedure

[/vb]

frmMain.frm
[vb]

1. VERSION 5.00
2. Begin VB.Form frmMain
3.     Caption = "Common Application"
4.     ScaleMode = 1
5.     WhatsThisButton = False
6.     LinkTopic = "Form1"
7.     ClientLeft = 60
8.     ClientTop = 345
9.     ClientWidth = 3645
10.     ClientHeight = 1965
11.     StartUpPosition = 3
12.     Begin VB.TextBox txtItem
13.         Left = 120
14.         Top = 120
15.         Width = 2415
16.         Height = 285
17.         TabIndex = 2
18.     End
19.     Begin VB.ListBox lstItems
20.         Left = 120
21.         Top = 600
22.         Width = 3375
23.         Height = 1230
24.         TabIndex = 1
25.     End
26.     Begin VB.CommandButton cmdAdd
27.         Caption = "Add"
28.         Left = 2640
29.         Top = 120
30.         Width = 855
31.         Height = 255
32.         TabIndex = 0
33.     End
34. End
35. Attribute VB_Name = "frmMain"
36.  
37. Option Explicit
38.  
39.  
40. ' Procedure cmdAdd_Click
41.     Dim local_8C As Variant
42. 7539:
43. 7540:                                           
44. 7543:   
45. 7544:   
46. 7547:   
47. 7548:   
48. 7551:   
49. 7554:   
50. 7557:   local_8C = txtItem.Text                
51. 7562:   
52. 7565:   
53. 7566:   
54. 7569:   
55. 7572:   
56. 7575:   Call lstItems.AddItem(local_8C)        
57. 7580:   
58. 7583:   
59. 7590:   
60. ' End Procedure
61.  
62.  
63. ' Procedure Form_Load
64. 7351:
65. 7352:                                           
66. 7355:   
67. 7356:   
68. 7359:   
69. 7360:   
70. 7363:   
71. 7366:   
72. 7369:   Call lstItems.AddItem("this item added on form load")
73. 7374:   
74. 7377:   
75. ' End Procedure
76.  
77.  
78. ' Procedure Form_Click
79.     Dim local_A4 As Variant
80. 7431:
81. 7432:                                           
82. 7435:                                           
83. 7438:                                           
84. 7441:                                           
85. 7446:   
86. 7451:   local_A4 = "form was clicked"          
87. 7454:   
88. 7457:   Call MsgBox(local_A4, 0) 'this should be MsgBox Import
89. 7462:   
90. 7473:   
91. ' End Procedure

[/vb]

[sarge]

And at what point were you going to share the secrets of getting that output with us?

Seriously, this is neat stuff! So much for those "can't decompile"
smarta??es. I get the feeling you guys are way ahead of me in the actual decompile ability! Guess I'm spending too much time on RACE and not enough on my decompiler.

Good job.

Sarge

[MrUnleaded]

well i finally made the link....and i got the name of the Imports...

heres what i did...

I looked at CommonApp's Imports....and then loaded the PE stuff for the requesting DLLs[only one in this case MSVBVM60.DLL] and Cross Referenced the Exports for MSVBVM60 with the Imports in CommonApp....this includes the FunctionName,Hint,Ordinal,Offset

then a created a Collection with the Index of the Addresses\Offsets

Also...I made a Part Called FunctionAlias....

to get the Alias i trim a couple of prefixes[rtc,_,__] and suffixes[Var,Bstr,Char]

ok i think im about done with CA1... on to CA2

[moogman]

MrU:
Eww! At the moment, im just sticking with the ordinal. I dont like the sound of chopping up strings to suit the user (; Like we discussed, MrU there are many circumstances that this method would break. I try to stay away from string manipuation as much as possible heehee. Oh well, I guess you have a time-constraint to stick to... (;

Sarge:
As far as I can see, we're not *that* far ahead of you now. Basically, you need to implement the argument string handler for the opcodes and you'll automagically be up to the same ability. If you need help in doing that, then ask away! But MrU and I do have a couple of difference in processing the arguments. For example, MrU would sometimes use "u" to push things onto the stack, whereas I would not. Both approaches are just as effective as you can see, but we're gonna have to be careful not to get confused

[Guest]

Well, I decided to look at this section today in more depth. I always try and relate to the logic of "if VB can do it, then so can I". So, I messed around with the type library stuff a little more. You'll like this:
@ MSVBVM??.DLL is com-compatible.
@ There is a function GetDLLEntry.

A sample use of this follows:

[vb]

1. Function NameFromOrdinal( _
2.                          LibName As String, _
3.                          Ordinal As Integer _
4.                         ) As MemberInfo
5.   Dim TypeInfo As TypeInfo
6.   Dim Member As MemberInfo
7.  
8.   Dim sDLLName As String
9.   Dim sEntryName As String
10.   Dim iOrdinal As Integer
11.  
12.   On Error Resume Next
13.  
14.   For Each TypeInfo In TypeLibInfo.TypeInfos
15.     For Each Member In TypeInfo.Members
16.       Member.GetDllEntry sDLLName, sEntryName, iOrdinal
17.       If Ordinal = iOrdinal Then
18.         Set NameFromOrdinal = Member
19.         Exit Function
20.       End If
21.     Next
22.   Next
23. End Function

[/vb]

This returns a member in the type library when given an ordinal number. It is almost encapsulated providing the following points are noted:

@ Private TLI As New TLIApplication
@ Private TypeLibInfo As TypeLibInfo
@ Set TypeLibInfo = TLI.TypeLibInfoFromFile(<filename>)

And of course, the type library must be loaded

I was going to say something else... nope its gone. Oh well, couldnt have been that important hehe!

Sorry, in a bit of a rush - pub is calling!

Ciao,
moog

[Guest]

Guys (and Gals),
Do you like the idea of making all achieved techniques/algorithms/programs for decompiling parts of VB EXE as a bundle of classes/procedures so that it can be easilly enhanced when someone finds something new?

[guest]

Well, it WOULD make things somewhat easier and convenient. But there's the problem of VersionControl; that is, testing/debugging by others, or even propagation of a flawed version to the outside world. Maybe each procedure/wrapper/class for the various parts of the "VB Investigator" should be in a separate section/thread to allow mods/updates/fixes by various supporting/contributing individuals. That way, when everyone agrees that a particular procedure is right, it most likely will be. At that point, make it an officially available offering.

Or maybe some other equivalent method could be used so that there aren't 45 different code blocks out there, of which none agree with the Master that we would have here.

Anyone volunteer to admin THAT mess?

Sarge

[Guest]

Guys (and Gals),
Do you like the idea of making all achieved techniques/algorithms/programs for decompiling parts of VB EXE as a bundle of classes/procedures so that it can be easilly enhanced when someone finds something new?

That would be a great idea. I support you. Keep on. When do we expect this move?

[moogman]

Guys (and Gals),
Do you like the idea of making all achieved techniques/algorithms/programs for decompiling parts of VB EXE as a bundle of classes/procedures so that it can be easilly enhanced when someone finds something new?

To some extent, we have tried to standardise the decompiling procedure by listing some of the standard structures in a vb exe file. This is really all you need (with a base understanding of file handling in your desired language) to create a vb file analyser.

I dont believe that we should start giving out specific classes etc because we then effectively get a decompiler to the masses, and this could be a bad thing from some peoples' points of view.

[Warning]

Hello,

here is what we get after using it with the last version of VBReFormer (5.3) on the commonapp (native):
http://www.decompiler-vb.net/documentation/commonapp_output_by_vbreformer.zip

Example:

Code: Select all

1.  
2. Sub Main()
3. var_pv2 = ("tester called")
4. var_pv3 = MsgBox(var_pv2, 0)
5. Dim var_pv4 As New frmMain
6. Set var_pv5 = var_pv4
7. Call Load(var_pv5)
8. Call var_pv4.Show()
9. 'var_num6 = -256 + 20 + 20
10. End Sub
11.  

Code: Select all

1.  
2. '   ////////////////////////////////////////////////////////
3. '  //   VBReFormer 2008 © Sylvain Bruyere
4. ' //  Assembly: this_is_the_project_name.frmMain (Form)
5. '////////////////////////////////////////////////////////
6.  
7. 'Event for cmdAdd
8. Private Sub cmdAdd_Click
9. Set var_pv2 = Me.lstItems()
10. Set var_pv3 = Me.txtItem()
11. var_pv4 = var_pv3.Text()
12. Call var_pv2.AddItem(var_pv4)
13. 'var_num6 = -52 - 12 + 12
14. 'var_num6 = 'var_num6 + 12
15.  
16. End Sub
17.  
18.  
19. 'Event for Form
20. Private Sub Form_Load
21. Set var_pv2 = Me.lstItems()
22. Call var_pv2.AddItem("this item added on form load")
23.  
24. End Sub
25.  
26.  
27. Private Sub Form_Click
28. var_pv2 = ("form was clicked")
29. var_pv3 = MsgBox(var_pv2, 0)
30. 'var_num6 = -52 - 12 + 20
31. 'var_num6 = 'var_num6 + 20
32.  
33. End Sub
34.  

No changes has been done after decompiling, and all work perfectly (execution + compilation).

You can see other example of complete native decompilation here: http://www.decompiler-vb.net/documentation/example%20book.pdf .

The interest is that it's native decompilation.