ImpAdCallNonVirt


Author: David Zimmer
Date: 08.24.19 - 11:16am



Ok here is an interesting vb6 pcode implementation. So far I have only found this one used when calling a friend method. Consider the following:
Friend Property Let ReplaceFormActive(x As Boolean)
    bReplaceFormActive = x
End Property

Private Sub Form_Load()
    Me.ReplaceFormActive = True
End Sub

4017C8 Form1.Form_Load:
4017C8    F4 FF                 LitI2_Byte 255
4017CA    2B 7AFF               PopTmpLdAd2 var_86
4017CD    6C 0800               ILdRf [arg_8]  <-- obj target fx is on
4017D0    FF1E 00000800         ImpAdCallNonVirt
4017D6    13                    ExitProcHresult 
We are trying to figure out what 0000 0800 represents so we can resolve the target method in the disassembly.

Looking at the native handler we see that the arg byte stream is loaded as two int args (two bytes each). The second is used as a stack check after the call:
movzx   edi, word ptr [esi+2]
add     edi, esp
...call...
cmp     edi, esp
jnz     StackErr_0
Ok cool, I like the sanity checking.. so what's the 0000? It is a const pool index to load a literal value from. In my test case it loads 4013a8, which is then used in a call eax:

004013A8   . B8 00000000    MOV EAX,0
004013AD   . 66:3D 33C0     CMP AX,0C033    <-- reserve 4 bytes as do nothing
004013B1   . BA 441B4000    MOV EDX,401B44  <-- target pcode fx Last Offset: 401B44
004013B6   . 68 38104000    PUSH 401038     <-- next native address to jump to
004013BB   . C3             RETN

.text:00401038                 jmp     ds:MethCallEngine

So to get back to the pcode, they had to embed a custom thunk configured as a loader for that function. To decode this one in the disassembler I am going to have to add a new post processor specifically for this command.
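To illustrate what such a post processor has to do, here is an added Python example (not the author's vbdec code) that splits the operand words, follows the const pool index to the thunk, and pattern-matches the thunk shape above to recover the pcode target. The const pool and code map are constructed stand-ins built from the values in the listing.

```python
import struct

# Constructed sample: the 4 operand bytes that follow opcode FF1E in Form_Load
IMPADCALL_OPERANDS = bytes.fromhex("00000800")

# Constructed sample: the loader thunk bytes at 4013A8 from the listing
#   B8 00000000  MOV EAX,0
#   66 3D 33C0   CMP AX,0C033    (4 reserved bytes, no effect)
#   BA 441B4000  MOV EDX,401B44  (pcode function offset)
#   68 38104000  PUSH 401038     (stub that does jmp ds:MethCallEngine)
#   C3           RETN
LOADER_THUNK = bytes.fromhex("B800000000663D33C0BA441B40006838104000C3")

# Constructed const pool and code map standing in for the real image
CONST_POOL = {0: 0x4013A8}
CODE = {0x4013A8: LOADER_THUNK}


def parse_impadcall_operands(operands):
    """Return (const pool index, stack delta) from the operand words.
    The handler does movzx edi, word [esi+2] / add edi, esp and checks
    edi against esp after the call, so the second word is the cleanup."""
    if len(operands) < 4:
        raise ValueError("ImpAdCallNonVirt needs 4 operand bytes")
    return struct.unpack_from("<HH", operands, 0)


def decode_loader_thunk(code):
    """Match the fixed thunk shape and return (pcode_target, native_next),
    or None when the bytes are not a loader thunk (don't trust garbage)."""
    if len(code) < 20 or code[0] != 0xB8 or code[5:9] != b"\x66\x3d\x33\xc0":
        return None
    if code[9] != 0xBA or code[14] != 0x68 or code[19] != 0xC3:
        return None
    pcode_target = struct.unpack_from("<I", code, 10)[0]
    native_next = struct.unpack_from("<I", code, 15)[0]
    return pcode_target, native_next


def resolve_impadcall(operands, const_pool, code):
    """Follow operand -> const pool -> thunk -> pcode target for a listing."""
    const_idx, stack_delta = parse_impadcall_operands(operands)
    thunk_addr = const_pool[const_idx]
    decoded = decode_loader_thunk(code[thunk_addr])
    if decoded is None:
        raise ValueError("const pool entry 0x%X is not a loader thunk" % thunk_addr)
    pcode_target, native_next = decoded
    return {"const_idx": const_idx, "stack_delta": stack_delta, "thunk": thunk_addr,
            "pcode_target": pcode_target, "native_next": native_next}
```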

It is very interesting to watch how they implemented things.

On a funny side note, I have been programming in Vb6 for almost 20 years now, using it pretty much every day and I am still finding new language features I did not know about.

I had never seen the following before until I found the OnGoSub pcode instruction and went googling:
Sub OnGosubGotoDemo()
    Dim Number, MyString
    Number = 2 ' index to jump to
    On Number GoSub Sub1, Sub2 ' calls Sub2, resumes here after
    On Number GoTo Line1, Line2 ' branch to Line2
    ' Execution does not resume here after On...GoTo.
    Exit Sub
Sub1:
    MyString = "In Sub1" : Return
Sub2:
    MyString = "In Sub2" : Return
Line1:
    MyString = "In Line1"
Line2:
    MyString = "In Line2"
End Sub
Searching out unhandled opcodes in the pcode disasm also led me to some (handled) errors in my programs that went unnoticed for years. I had apparently removed a control on the form and not stripped out its resizing code in Form_Resize, which was covered by an On Error Resume Next. The calls in the pcode just transitioned to late bound calls, so there was no compile error (I was lazy and didn't use Option Explicit in that small form).

I also noticed there are built-in pcode instructions for things like MidStr. Eventually they do bubble up to the vba export version, but it's interesting they still exist in the pcode set itself. In this case it's only used in one specific instance: where you call Mid(str, start, len) = str.

A couple of other interesting structures I have found that I have no idea how to decode yet (any tips appreciated from those in the know :)
  • After a pcode function's raw addr, there is a data structure (ProcDscInfo)
  • udt (structs) get their own const pool entry probably describing udt?
  • some stack vars point to structs used in stack unwinding on exitproc
  • some tls vals point to more structs
That reminds me, I still need to figure out how to extract a call stack for the debugger. I already found a way for the debugger to get an object's type name from a pointer.
