Author: David Zimmer
Date: 06.11.18 - 9:35am
So I have been digging into vbgamer's semi-vbdecompiler and started my own branch called vbdec.
(Beta installer here)
Note: this is an early build with most testing primarily focused on struct parsing and pcode features
I have spent the last couple of months going through it and have refactored much of the code to transform it into a class-based architecture. This was a good way to familiarize myself with the code and make it easier for me to find things. It also opens up the possibility of converting the analysis engine into a stand-alone ActiveX DLL in the future, and it has allowed me to easily add a plugin system to the application.
I have been slowly going through the various opcodes and adding more argument decodings. Darker's P32Dasm really did a great job with this and object resolution. Reginald Wong's vb.idc has also been a great help with understanding the VB6 structures.
An opcode handler hooking engine is now complete which can work either by injecting into a new process, or by attaching to an already running one. Since this app already contains the struct parsing and pcode disassembly, I really only have to integrate a basic debugger UI to get this up and running.
The new pcode debugger will be built along the lines of the ScriptBasic and Duktape debugger UIs I have already written. It will include a smattering of IDAJScript's script-to-remote-process IPC technique.
One more super cool and powerful feature in the works, but I am not going to reveal it quite yet :)
A wish list feature I would love to explore is to develop a technique that would allow me to arbitrarily run a pcode function with arguments. This would be a great feature for running decoders and such.
One other note on a feature of semi-vbdecompiler/vbdec that I prefer over the other tools available: it shows a full hexdump in the disassembly. Some others show only the opcode and hide the argument bytes. Also note that NONE of the p-code tools currently decode arguments for all opcodes.
So essentially, when trying to learn VB p-code disassembly (which is undocumented), you're trying to make sense of a partial disassembly without even realizing it.
At least with vbdec you can see when argument decoding is missing by looking at the byte-code hexdump (for example, the vcallad and FStAdFunc instructions in the screenshot above).
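The check described above, as an added example that is not part of vbdec or the original post: it parses a constructed listing in the address / hexdump / mnemonic / operands layout and flags instructions whose hexdump carries bytes beyond the opcode while the decoded text shows no operands. The byte values, the one-byte opcode length and the `SAMPLE_LISTING` name are assumptions for illustration, not real VB6 p-code encodings.

```python
import re
from dataclasses import dataclass

# Constructed sample listing (illustrative bytes only, not genuine VB6 p-code).
# vcallad and FStAdFunc carry operand bytes in the hexdump but no decoded operands,
# which is exactly what the full hexdump lets a reader notice.
SAMPLE_LISTING = """\
00401000: 04 21 00          LitI2 0x0021
00401003: 1B 10 00 04 00    vcallad
00401008: 58                ExitProc
00401009: 26 0C FE FF FF    FStAdFunc
0040100E: 13                Ret
"""

# address, one or more hex byte pairs, mnemonic, optional operand text
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f]+):\s+(?P<hex>(?:[0-9A-Fa-f]{2}\s+)+)"
    r"(?P<mnem>\S+)(?:\s+(?P<ops>.*))?$"
)


@dataclass
class Insn:
    addr: str
    raw: bytes          # every byte the disassembler consumed for this instruction
    mnemonic: str
    operands: str       # decoded argument text, empty when the tool decoded none


def parse_listing(text: str) -> list[Insn]:
    """Parse listing lines; lines that do not match the layout are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw = bytes.fromhex(m.group("hex").replace(" ", ""))
        insns.append(Insn(m.group("addr"), raw, m.group("mnem"),
                          (m.group("ops") or "").strip()))
    return insns


def find_undecoded(insns: list[Insn], opcode_len: int = 1) -> list[Insn]:
    """Instructions with argument bytes in the hexdump but no decoded operands:
    the 'partial disassembly' cases the reader would otherwise miss."""
    return [i for i in insns if len(i.raw) > opcode_len and not i.operands]


if __name__ == "__main__":
    for i in find_undecoded(parse_listing(SAMPLE_LISTING)):
        print(f"{i.addr}: {i.mnemonic} has {len(i.raw) - 1} undecoded argument byte(s): "
              f"{i.raw[1:].hex(' ')}")
```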