Note I have not virus scanned or tested all of the apps linked to in this page! user beware!
So today we are going to cover some resources on reversing VB6.
VB6 can be compiled to either native or pcode. Even when native the program flow is not linear from the entry point but is based on form, module and class structures passed into the vb runtime at startup. IDA can have a hard time locating everything however the vb.idc by Reginald Wong helps a lot. I am not aware of any vb6 pcode loaders for IDA yet so I would not recommend it for this case.
While these structures are not documented by MS reverse engineers have stepped in and figured a lot of its inner operations.
If you want to really get to the core of it take a look at the following resources:
So first thing..we need something that parses these VB6 structures and can tell us the project structure and where each function is in the binary. This is valid for both native and pcode projects and is all defined in the vb structures. From this we can determine the number of forms, classes, user controls, modules etc. For forms we can recover the form definition and objects used, along with their properties. At this stage we can also recover offsets for the code in all of the functions and even names for things like event handlers or public classes (in ActiveX dlls)
For this we can use a commercial app such as vb-decompiler.org ($99 home/$230 business) or VB-Reformer (free/$58 pro)
Free alternatives also exist. The formerly commercial, now open source semi-vbdecompiler by vbgamer45 looks very cool. (installer here)
Also be sure to check out p32dasm and racevb. For the sake of history you can also check out exdec by Josephco (possible newer version here)
There also exists some runtime analysis tools for VB6 apps. For native code Numega SmartCheck is an interesting tool that may be of some help if you can find it. Another tool I havent had a chance to play with yet is vb6tracer by Jurriaan Bremer and Marion Marschalek.
My favorite tool, and one that was like magic to me back in the day, is the WKTVBDE pcode v1.4 and v4.3 debugger by Mr. Silver & Mr. Snow. Also check out this tools help file for a listing of the vb opcodes, number of arguments etc. The VB P-code Information article by Mr Silver also goes into details on how the vb6 runtime processes pcode and how they implemented their debugger.
If your working with older versions of VB different tools apply. VB3 had a decompiler called DoDi's VB decompiler. (newer version. There is also an untested port of this is the vb semi-decompiler repo as well as on psc (local copy)
That should fill your noodle for a while.
Research I still want to do:
Smartcheck uses a combination of techniques. It runs the target process in its own debugger, but also injects some substantial hook dlls. If you have time run hook explorer over a binary that is under analysis by smart check. Its interesting.
If you are dealing with vba pcode in office thats a different thing. You might want to look at pcodedmp