ImpAdCallNonVirt


Author: David Zimmer
Date: 08.24.19 - 11:16am

Ok, here is an interesting VB6 pcode implementation detail. So far I have only found this opcode used when calling a Friend method. Consider the following:
Friend Property Let ReplaceFormActive(x As Boolean)
    bReplaceFormActive = x
End Property

Private Sub Form_Load()
    Me.ReplaceFormActive = True
End Sub

4017C8 Form1.Form_Load:
4017C8    F4 FF                 LitI2_Byte 255
4017CA    2B 7AFF               PopTmpLdAd2 var_86
4017CD    6C 0800               ILdRf [arg_8]  <-- obj target fx is on
4017D0    FF1E 00000800         ImpAdCallNonVirt
4017D6    13                    ExitProcHresult 
We are trying to figure out what 0000 0800 represents so we can resolve the target method in the disassembly.

Looking at the native handler we see that the arg byte stream is loaded as two int args (two bytes each). The second is used as a stack check after the call:
movzx   edi, word ptr [esi+2]
add     edi, esp
...call...
cmp     edi, esp
jnz     StackErr_0
Ok, cool, I like the sanity checking. So what's the 0000? It is a const pool index to load a literal value from. In my test case it loads 4013a8, which is then used in a call eax:

004013A8   . B8 00000000    MOV EAX,0
004013AD   . 66:3D 33C0     CMP AX,0C033    <-- reserve 4 bytes as do nothing
004013B1   . BA 441B4000    MOV EDX,401B44  <-- target pcode fx Last Offset: 401B44
004013B6   . 68 38104000    PUSH 401038     <-- next native address to jump to
004013BB   . C3             RETN

.text:00401038                 jmp     ds:MethCallEngine

So to get back to the pcode, they had to embed a custom thunk configured as a loader for that function. To decode this one in the disassembler I am going to have to add a new post-processor specifically for this command.
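As an added illustration (not the author's vbdec code), here is a small Python post-processor that decodes the two 16-bit operands of ImpAdCallNonVirt, follows the const pool index to the thunk, and pattern-matches the thunk layout shown above to recover the pcode target and the native trampoline. The const pool (a list) and the loaded image (a dict of address to bytes) are simplified stand-ins, and the sample bytes are constructed from the listing in the post.

```python
import struct

# Constructed sample data, copied from the listing in the post.
PCODE_BYTES = bytes.fromhex("FF1E00000800")   # ImpAdCallNonVirt 0000 0800
CONST_POOL = [0x004013A8]                       # pool index 0 -> thunk address
IMAGE = {0x004013A8: bytes.fromhex("B800000000" "663D33C0" "BA441B4000" "6838104000" "C3")}

def decode_operands(code, off):
    """Return (const_pool_index, stack_delta) for the ImpAdCallNonVirt at off.
    Both operands are little-endian 16-bit words after the 2-byte opcode FF 1E.
    stack_delta is what the native handler adds to esp before the call and
    checks esp against afterwards, i.e. the bytes the callee must pop."""
    if code[off:off + 2] != b"\xff\x1e":
        raise ValueError("not an ImpAdCallNonVirt opcode at offset %d" % off)
    idx, delta = struct.unpack_from("<HH", code, off + 2)
    return idx, delta

def parse_thunk(blob):
    """Match the 20-byte loader thunk layout shown in the post:
         B8 imm32       mov eax, 0
         66 3D 33 C0    cmp ax, 0C033h   (4-byte filler, no effect)
         BA imm32       mov edx, <pcode function>
         68 imm32       push <native trampoline (jmp MethCallEngine)>
         C3             retn
    Returns (pcode_target, trampoline) or None if the bytes do not match."""
    if (len(blob) < 20 or blob[0] != 0xB8 or blob[5:9] != b"\x66\x3d\x33\xc0"
            or blob[9] != 0xBA or blob[14] != 0x68 or blob[19] != 0xC3):
        return None
    (target,) = struct.unpack_from("<I", blob, 10)
    (trampoline,) = struct.unpack_from("<I", blob, 15)
    return target, trampoline

def resolve_call(code, off, const_pool, image):
    """Resolve one ImpAdCallNonVirt to the pcode function it ends up calling."""
    idx, delta = decode_operands(code, off)
    thunk_addr = const_pool[idx]
    parsed = parse_thunk(image.get(thunk_addr, b""))
    if parsed is None:
        return None   # not the expected thunk shape; leave for manual review
    target, trampoline = parsed
    return {"thunk": thunk_addr, "target": target,
            "trampoline": trampoline, "arg_bytes": delta}

if __name__ == "__main__":
    r = resolve_call(PCODE_BYTES, 0, CONST_POOL, IMAGE)
    print("thunk %06X -> pcode fx %06X via %06X, callee pops %d bytes"
          % (r["thunk"], r["target"], r["trampoline"], r["arg_bytes"]))
```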

It is very interesting to watch how they implemented things.

On a funny side note, I have been programming in Vb6 for almost 20 years now, using it pretty much every day and I am still finding new language features I did not know about.

I had never seen the following until I found the OnGoSub pcode instruction and went googling:
Sub OnGosubGotoDemo()
    Dim Number, MyString
    Number = 2                  ' index to jump to
    On Number GoSub Sub1, Sub2  ' calls Sub2, resumes here after the Return
    On Number GoTo Line1, Line2 ' branches to Line2
    ' Execution does not resume here after On...GoTo.
    Exit Sub
Sub1:
    MyString = "In Sub1": Return
Sub2:
    MyString = "In Sub2": Return
Line1:
    MyString = "In Line1"
Line2:
    MyString = "In Line2"
End Sub
Searching out unhandled opcodes in the pcode disasm also led me to some (handled) errors in my programs that went unnoticed for years. I had apparently removed a control from the form and not stripped out its resizing code in Form_Resize, which was covered by On Error Resume Next. The calls in the pcode just transitioned to late-bound calls, so no compile error (I was lazy and didn't use Option Explicit in that small form).

I also noticed there are built-in pcode instructions for things like MidStr. Eventually they do bubble up to the vba export version, but it's interesting they still exist in the pcode set itself. In this case it's only used in the specific instance where you call Mid(str, start, len) = str.

A couple of other interesting structures I have found that I have no idea how to decode yet (any tips appreciated from those in the know :)
  • After a pcode function's raw addr, there is a data structure (ProcDscInfo)
  • UDTs (structs) get their own const pool entry, probably describing the UDT?
  • some stack vars point to structs used in stack unwinding on ExitProc
  • some TLS vals point to more structs
That reminds me I still need to figure out how to extract a call stack for the debugger. I already found a way for the debugger to get an object's type name from a pointer.
