|
VB6 unpacker?
I have a program that was complied in VB6.
They truly wanted to keep people out of it, and all of the tools that I have found on the net don't know how to work with it. Any suggestions? Ecmhacker |
can you give any more info? how about what are the names of the sections in the PE file? VB is actually easy to unpack usually - it will be hard to crack tho if it's p-code.
Mostly you can use SmartCheck to debug VB programs to try cracking them. If you need it unpacked we need more information. -Lunar |
1 Attachment(s)
if it is compiled to p-code try ExDec from josephco. very usefull and handy tool. look at attachment..;-)
so long Qubert |
I have a program called "RACE", that does a small amount of VB6 untangling. If you give me your email address, I can send it to you.
sarge |
hmm
I insterested to learn how to decompiled vb app.Anyone know how to decompiled it.In a site ,the tool needed to decompile is DODI decompiler full version and VB 3 IDE.
|
Only VB3 [and partially VB4] files can be decompiled with DoDi's tools. VB5 and VB6 Native Code files can be easily debugged (kind of) with SmartCheck. With it, you can see how things work. VB6 P-Code files can be kind of decompiled (disassembled is a more appropriate word) with josephCo's Exdec.
|
how
Can you reliz a tutor for that?
|
stavol: grrrr :mad: Do you know Mr. Google? He can be your best friend...
|
Anyway, visit fravia's site, he has SmartChecking tutorials. exdec is soooo easy. Same with DoDi's. Get the files from the ftp.
|
Re: hmm
Quote:
|
where??
how and where to get vb 3 ide or vb 4 ide?
|
hallo
anyone can help me!!:mad: :confused: :rolleyes:
|
*lol*
search for Eternal Bliss Tutorials...or try to find his site. there are enough vb stuff. i can't remember the adress, but it's still online... |
*lol*
there is no tutor about vb dissambler(i mean the code)not to crack it :p :( |
Quote:
Numega said it was p-code. I have no idea what that is. Numega does not give me the calculations, only the returned values. I am looking for a specific routine that calculates a value.... I also tried the ExDec program without any success. Either I don't know how to use it, or it won't work with the program. Thanks folks... |
EXEDEC gives you the Pcode, you have to decode it yourself.
The WKT debugger will actually let you trace step by step through the PCode with all the register, memory, breakpoint, etc operations (as a debugger should). RACE will display the PCode and the opcode translations, GUI info, extract any graphic images, list the libraries, etc. There are others as well... If your desire is to "decode" some math steps that, perhaps, are the result of manipulation of a serial number, then I recommend WKT. If the math you want to do is to determine how source code data (specifically numeric data), is compiled into the exe, then RACE might be a better choice...only because it gives you the file offsets where the data is stored. Good luck Sarge |
stavol: The VB IDE is the Micro$oft Visual BASIC Programming Environment. If you have VB, you have the IDE.
|
Quote:
so is vbReformer, and many others all have their merits. I find PEexplorer to be somewhat handy also.... I have a few VB6 programs that were compiled to native code, and a few compiled to P-code, however they are also not reconized as Visual Basic programs ... I think due to the headders and such being stripped .... I can say that these programs that I've been investigating have not been protected with any third party protection schemes, and I have had some luck by using HexWorkshop to re-build information so they can be reconized by programs such as RACE and VBReformer, but it has been very slow going for me :D I know these programs will never be de-compiled to exact source, but I have been able to modify code within them to suit my needs just fine, and by tracing the subroutines, has given me an insight to be able to write my own code to replace what I cannot get source for :D SmartCheck is fantastic ... |
Good for you. I give you "high marks" for your efforts.
As an FYI, RACE is very strict in its determination of what is and what is not a VB exe. That's why it won't work on VB5 or VBA. You are correct in your discovery that some progs have the entry point moved, and a fake entry point with a jump to the real entry point instead. Obviously, this works since the program runs, but since it is not strictly the VB6 protocol, RACE will choke. However, I am always willing to help. If you really get stuck with the "moving" functions, just send me the exe and I'll manually force RACE to work around it, then send you back the output. Sarge |
Thanx Sarge
the version of RACE I have is 6_2_7 from like 2-1-2003, you posted it at a decompiler forum that I have seen your posts in many times, BTW very informative posts I might add, you for sure are a credit to this forum. and yes I really do like the way RACE displays offsets, I will say the offset addresses are not always exact, but they are so close that if you open your eyes when you look at that displayed offset you cannot miss the real addy :D now this probally isn't a problem with your RACE it is just due to the specfic VB6 apps that I'm investigating. Thanx again for your reply :D |
Thanks
2 FYI's: 1. Race is up to 3.1 2. The offsets are related to the data, not the commands or opcodes that USE the data. But, as you say, it's easy to find. Sarge |
where?
where i can get the race 3.1?
|
Right now, I have to email it to you (RACE does not yet have a "home" on the web), so I'll need your address. As an FYI, the program is too big for my hotmail account, so I have split it and send it in two separate emails. I'll give you more details when I send it.
You can send me your email address at: [email protected] Sarge |
Ahh that explains why 2 days searching with Copernic and Google haven't turned up any good info on 3.1 :D lol
I also notice that decompiler.com is down and so is vb-decompiler.com .... phpBB : Critical Error Error creating new session : session_begin <--- those were the errors I rceived from one of the sites :( it's a shame 'cause there was a wealth of information at those sites :( Sarge would you mind if I e-mail you for 3.1 ?? I hate to see you get flooded with "I want requests" so I won't unless I have permission ... Thanx again :D |
Go for it!
I, too, am very sorry about those sites. Decompiler.com is, I am fairly sure, permanently dead. It appears that someone didn't pay the bill. Decompiler/automaters IS alive, it's just not conscious right now; don't know why. Hopefully, it won't also die. Sarge PS. It doesn't show in the text of the link, but there is an underscore character just before the "g". |
Thanx Sarge :)
well, I was just messing with another exe that was written in VB6 and after investigation it was packed after compile with UPX... I used PE Explorer with the UPX un-packer plugin to un pack the exe then saved, then tried to open with RACE 2.7 no luck but VBReformer 3.6 just walked right into it with no problems.... now I think I understand why you have 3.1 :D I did send ya an e-mail Sarge |
Thanks Sarge
aka |
Quote:
I tried open my VB6 app with 3.1 and when I tried to extract I get this error ----> Error #206. Not proper VB interpreter. this is same as I get with earlier version of RACE, so this is telling me I need to do some more work on the un-packed exe file that I am trying to investigate .... since VBReformer will extract what I have done so far, that must mean that I am close ... I'm sure it is something I'm overlooking.. I know you said that RACE is very strict in its determination of what is and what is not a VB exe. and I can sure respect that :D Thanx again for your wonderful program :cool: |
General comments:
1. The response has been overpowering. I've fullfilled about half the requests so far. 2. lonewolf55: If you need more details, I'll be happy to help you find whats missing/wrong, to make RACE "happy". However, you can find out for yourself at the Vb decompiler web site by looking at the VB exe format 3. I didn't intend for this thread to be taken over by RACE, I was just trying to help Ecmhacker. I'd like to stay below the moderators radar, so please continue to make requests via my email, rather than here. 4. Any and all comments are welcome, good, bad, or indifferent. sarge |
hello
Sarge / someone Please post detail step by step how to decompiler vb program.Coz all of we here not an advanced.
Regards, |
Sarge, if you're willing to let anyone have RACE 3.1, why don't you upload it to exetools FTP, or send it to volodya so he can put it on wasm.ru (which is easily the best site for getting tools of this nature, kudos volodya! :D)?
|
1. I don't know how
Yes, I suppose someone in authority can tell me that 2. I don't know if I can Yes, I suppose someone in authority can give me the permissions 3. I don't know if I should Bummer here- As I said, I did not intend for this thread to become monopolized by RACE; further, this MB is not generally VB oriented. The engineers here are way, WAY above my head with a lot more esoteric stuff than VB. (what the ^%^$ is "Ring 0" anyway?) ------------------ Little voice: "Hey,sarge, whatever happened to those how-do-I-enable-a-disabled-command-button type questions" Sarge: "(sigh) Those were the good old days" ----------------- sarge |
1. Look in the Announcements and News forum for the upload account info for the exetools FTP. And/or, ask volodya if he would like to put RACE on wasm.ru (I think they already have some VB decompilers there), then send it to him if so.
2. You don't need permission to upload tools to the FTP, this is why it's there. 3. This thread is about reversing VB, RACE is made for reversing VB, why should RACE not be discussed, especially when people are apparently eager to get it? Also, this MB may not be VB oriented, but it is about unpacking and reversing in general, including decompiling, including VB decompiling. There is no elitist mentality on this board (except maybe for sKAMER ;)), it is for beginners and experts alike. VB decompilers are as helpful and necessary as any other decompilation/unpacking tool. |
Well, cool!
I may do just that, thanks. I was worried about having to request that each new upgrade of RACE be uploaded by someone, and I didn't want to continuely bother people too often. If I can do it myself, great. I'll take a look at it. Thanks again sarge |
well Sarge, I'm sorry it wasn't really my intention to turn this into a RACE Thread either, but being as it was about VB6 unpacker .. it caught my eye.
so if anyone turned it into that, it was probally me .. my bad, I apologize for that. I do know that the semi-VB6 decompilers are just that they do not un-pack anything. if it is known that a VB sourced program has been compiled to an exe and then the exe has been packed with another third party packer then it must be unpacked with an un-packer specfic for that third party packer that was use .. or it must be un-packed by other means before any of the semi VB decompilers can be used to explore the program .. sorry just stating the obvious for those that might not know and are interested in this thread :D and Thanx again I have been reading again at vb decomp .. it is back up and not sleeping anymore. if you wish I can up the complete zip after un-splitting to the ftp or I can post it to the Software Release forum of course giving you complete credit for your fine work ... and only with your permission :D Thanx again Sarge |
I certainly don't mind your uping or posting it...it just makes it easier for me, this time. But I still have to learn the ins-and-outs of doing it myself, when the next rev comes along.
Also, I myself certainly don't mind the large quantity of RACE stuff here; I'm just trying to keep from becoming obnoxiously in-your-face to others here who are NOT interested in RACE. And, of course, my offer to help with the details still stands. Yeh, I saw the site today. But it's the first time it has been up in quite a while...I'm just not sure how long it will last. Sarge |
| All times are GMT +8. The time now is 21:21. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX