  #5  
Old 09-06-2004, 08:44
void
 
Posts: n/a
PCODE NOP

Hallo,
I have very little experience in reversing.

In John Chamberlain's site about the MS Visual Basic VM there is an opcode.txt dated March 2001 which mentions a P-CODE NOP equivalent FC14, while Eternal Bliss' VBCrackMe v10.0 is dated June 1999. WKTVBDE dated 2002 assigns to FC14 the operation CI2UI1, but I found no documentation about CI2UI1.

Regarding Eternal Bliss' VBCrackMe Tutorial: if FC14 is truly the PCODE NOP, it couldn't be used to disable the 004048B7: BranchF jump (1C 07 05) in vbcrackme10.exe the way the one-byte X86 NOP is used to overwrite multibyte X86 opcodes.

Also, Eternal Bliss' solution of overwriting EqVarBool (which tests the equality of two boolean vars and pushes -1 or 0 to the stack according to the comparison result) with a push of -1 (dword) onto the stack leaves me a bit confused, because EqVarBool takes 2 dwords from the stack and pushes one.

I don't know if the stack is freed correctly when the function returns (who manages this one more dword?).

Another way to bypass the check is to change the BranchFalse jump (1C 07 05) into an unconditional Branch (opcode 1E and LO HI bytes) that jumps to 004048BAh.

So,
if BranchFalse(1C) 0705 is equal to BranchFalse 0x0507h and corresponds to BranchFalse 004048E3h,
then Branch 004048BAh corresponds to Branch 0x04DEh (0x0507h - (0x4048E3h - 0x4048BAh)) and is equal to Branch(1E) DE04.

This means that 1C0705 could be changed to 1EDE04, obtaining the same result, but it messes up the stack too (I've just discovered that BranchF pops a dword from the stack).

How does the stack get balanced in the virtual machine?

Ok! I've read the part of John Chamberlain's Microsoft P-Code Implementation regarding the stack:

Quote:
When a proc exits it cleans up and sets the base and stack pointers to those of the calling function and jumps to the return pointer stored above the base pointer. There is no simple "ret" as in a normal function call. The engine does it manually. When a proc returns it just continues on in whatever handler called it.
But if I correctly understand the example in Microsoft P-Code Technology,


Code:
Source code            P-code
m = i+j+func();        L1: LdfW i
                           LdfW j
                           AddW
                           CallFCW func
                           AddW
                           EQuote
                           StfW m
n = i + j + func();        Quote L1
                           StfW n
a function returns its value in the stack context of the calling function. In this case I suppose the stack is balanced by the VM, too.

Regarding the PCODE NOP, I don't know if there is a VBVM opcode for the DoNothing VB statement, nor an X86 NOP equivalent.
Is there an updated and detailed VB opcode List with mention of values pushed onto the stack?

I edited this post many times as I discovered new info; I did not post new replies to avoid triggering the "Posting of Substance" feature.

I hope I've not caused any confusion.

void

Last edited by void; 09-06-2004 at 18:47.
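The post's open question is how the VM's operand stack stays balanced when one P-code instruction is swapped for another with a different stack effect. The following is an added example, not code from the post or from any of the tools it names: a toy stack-effect checker that models a few mnemonics from the thread, using the effects the post states for EqVarBool (pops 2, pushes 1) and BranchF (pops 1), plus assumed effects for the others, and a little-endian 16-bit operand helper that reproduces the post's branch-offset arithmetic (0x0507 - (0x4048E3 - 0x4048BA) = 0x04DE). The mnemonic table is an illustration, not a reference for the real VB6 VM.

```python
# Added example (not from the original post). Toy stack-effect accounting for
# a handful of VB P-code mnemonics discussed in the thread, plus the
# little-endian operand arithmetic the post works through by hand.

# (pops, pushes) per mnemonic. EqVarBool and BranchF are as the post states;
# every other entry is an ASSUMPTION made for illustration only.
STACK_EFFECT = {
    "LdfW": (0, 1),       # load a word local -> push one value (assumed)
    "AddW": (2, 1),       # pop two, push the sum (assumed)
    "CallFCW": (0, 1),    # assumed: callee leaves its result on the caller's stack
    "StfW": (1, 0),       # pop one, store to local (assumed)
    "EqVarBool": (2, 1),  # from the post: pops two booleans, pushes -1 or 0
    "BranchF": (1, 0),    # from the post: pops the condition it tests
    "Branch": (0, 0),     # unconditional branch; assumed no stack effect
    "LitI4": (0, 1),      # assumed: push an immediate dword (models "push -1")
}


def stack_delta(mnemonics):
    """Simulate stack depth over a straight-line sequence of mnemonics.

    Returns the net number of dwords left on the stack. A result of 0 means
    the sequence is balanced; a positive value is a leaked dword; an
    underflow (popping an empty stack) raises ValueError.
    """
    depth = 0
    for m in mnemonics:
        pops, pushes = STACK_EFFECT[m]
        if depth - pops < 0:
            raise ValueError(f"{m} underflows the stack at depth {depth}")
        depth = depth - pops + pushes
    return depth


def decode_operand(lo, hi):
    """Two operand bytes in LO HI order -> 16-bit value (e.g. 07 05 -> 0x0507)."""
    return lo | (hi << 8)


def encode_operand(value):
    """16-bit value -> (LO, HI) byte pair as it appears in the byte stream."""
    return (value & 0xFF, (value >> 8) & 0xFF)


def rebase_branch(old_operand, old_target, new_target):
    """Adjust a branch operand so it lands on new_target instead of old_target.

    This is exactly the subtraction in the post: the operand shifts by the
    same amount as the target address.
    """
    return old_operand - (old_target - new_target)


if __name__ == "__main__":
    # The comparison as written: two loads, the compare, the conditional branch.
    original = ["LdfW", "LdfW", "EqVarBool", "BranchF"]
    # Replacing EqVarBool with a plain "push -1" leaves the two operands behind.
    push_patch = ["LdfW", "LdfW", "LitI4", "BranchF"]
    # Replacing BranchF with Branch leaves the comparison result unpopped.
    branch_patch = ["LdfW", "LdfW", "EqVarBool", "Branch"]
    for name, seq in [("original", original), ("push -1", push_patch),
                      ("Branch", branch_patch)]:
        print(f"{name:>9}: net stack delta = {stack_delta(seq)}")
    operand = decode_operand(0x07, 0x05)
    new_operand = rebase_branch(operand, 0x4048E3, 0x4048BA)
    print(f"operand 0x{operand:04X} rebased -> 0x{new_operand:04X}, "
          f"bytes {tuple(hex(b) for b in encode_operand(new_operand))}")
```

The simulator shows the author's intuition is sound: either patch leaves extra dwords on the operand stack, which is why a byte-for-byte replacement of a P-code instruction has to match not just the encoded length but the stack effect of what it replaces.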