Author: David Zimmer
Date: 06.11.18 - 9:35am

So I have been digging into vbgamer's semi-vbdecompiler and have started my own branch called vbdec
(Beta installer here)

Note: this is an early build with most testing primarily focused on struct parsing and pcode features


I have spent the last couple months going through it and have refactored much of the code to transform it into a class based architecture. This was a good way to familiarize myself with the code and make it easier for me to find things. This also opens up the possibility to convert the analysis engine into a stand alone ActiveX dll in the future and has allowed me to easily add a plugin system to the application.

I have been slowly going through the various opcodes and adding more argument decodings. Darker's P32Dasm really did a great job with this and object resolution. Reginald Wong's vb.idc has also been a great help with understanding the VB6 structures.

An opcode handler hooking engine is now complete which can work either by injecting into a new process, or by attaching to an already running one. Since this app already contains the struct parsing and pcode disassembly, I really only have to integrate a basic debugger UI to get this up and running.

The new pcode debugger will be built along the lines of the ScriptBasic and DukTape debugger UIs I have already written. It will include a smattering of the IDAJScript script-to-remote-process IPC technique.

One more super cool and powerful feature in the works, but I am not going to reveal it quite yet :)

A wish list feature I would love to explore is to develop a technique that would allow me to arbitrarily run a pcode function with arguments. This would be a great feature for running decoders and such.

One other note on a feature of semi-vbdecompiler/vbdec I prefer over the others available is that it shows a full hexdump in the disassembly. Some others show only the opcode and hide the argument byte code. Also note that NONE of the p-code tools currently decode arguments for all opcodes.

So essentially when trying to learn VB p-code disassembly (which is undocumented) you're trying to make sense of a partial disassembly without even realizing it.

At least with vbdec you can see if argument decoding is missing by looking at the byte code hexdump (for example the vcallad and FStAdFunc instructions in the above screenshot).
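To show why the full hexdump matters, here is an added illustration (not vbdec's or semi-vbdecompiler's code) of a minimal listing routine over a constructed opcode table: the opcode numbers, argument sizes and sample byte stream are made up for the demo and are not real VB6 p-code values; only the mnemonics echo the ones mentioned above. An opcode whose argument size is known but whose meaning is not yet decoded is still printed with its raw bytes, so the gap is visible instead of silently hidden.

```python
import struct

# Constructed demo opcode table (NOT real VB6 p-code values):
# opcode -> (mnemonic, argument length in bytes, decoder or None).
# decoder is None when the argument size is known but its meaning is not decoded yet.
OPCODES = {
    0x01: ("LitI2", 2, lambda a: str(struct.unpack("<h", a)[0])),
    0x02: ("LitStr", 4, lambda a: "str@0x%08X" % struct.unpack("<I", a)[0]),
    0x03: ("AddI2", 0, None),
    0x04: ("VCallAd", 2, None),      # size known, argument meaning still undecoded
    0x05: ("ExitProc", 0, None),
}

# Constructed sample stream: LitI2 26; VCallAd ??; AddI2; ExitProc
CODE = bytes([0x01, 0x1A, 0x00, 0x04, 0x10, 0x00, 0x03, 0x05])


def disassemble(code, table=OPCODES, show_hex=True):
    """Return listing lines. With show_hex=True every consumed byte is shown,
    so undecoded argument bytes remain visible; show_hex=False mimics an
    opcode-only view where those bytes disappear from the listing."""
    lines = []
    off = 0
    while off < len(code):
        op = code[off]
        if op not in table:
            lines.append(f"{off:04X}: {op:02X}  ?? unknown opcode, stopping")
            break
        mnem, alen, dec = table[op]
        args = code[off + 1:off + 1 + alen]
        if len(args) < alen:
            lines.append(f"{off:04X}: {op:02X}  {mnem} ?? truncated argument")
            break
        if dec is not None:
            text = dec(args)
        else:
            text = "" if alen == 0 else f"<{alen} arg bytes not decoded>"
        shown = code[off:off + 1 + alen] if show_hex else code[off:off + 1]
        hexdump = " ".join(f"{b:02X}" for b in shown)
        lines.append(f"{off:04X}: {hexdump:<16} {mnem} {text}".rstrip())
        off += 1 + alen
    return lines


if __name__ == "__main__":
    for line in disassemble(CODE):
        print(line)
```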

