change in VB EXE file.

[ivanov]

Hi again,

I only have made a single change from JNE to JMP (jump to Good-Guy code) in an .EXE file compiled by Visual Basic 6.0. The program runs, but in some part, error happens when showing a Form (window dialog). I thought this is a PE-related problem. I tried to re-adjust the TimeStamp, but still the problem occurs. My question, how can I fixed the file after change made?

[JMI]

ivanov:

You are not "Releasing Software" and your post does not belong in that Forum. It really is mostly a Request, but there is some "Discussion," so I moved it here.

Regards,

[Shub-Nigurrath]

dear ivanov,

you haven't told if it's a native VB app or a p-code one, anyway changing VB apps isn't anything different than normal applications, the only difference is that there's a more frequent access to the VB runtime dlls, which complicates to follow the program's flow.
Generally speaking the only things you shouldn't change (up to you don't know what are you doing) are the jmps tables, which are used to find message handler in the program..

The behaviour you told can be due to some crc-like checks, try to see with Peid and the Karnal plug if there's one..

You also didnt specify where in the vb code you changed a jump... If it is in a generated Form initialization routine... or something similar - you will have some issues

[ivanov]

I force the JNE jumps to PUSH 0000CC81 ("Professional Version" for About dialogbox). But, if the previous TEST EAX, EAX is Zero, next JMP to PUSH 0000CC82 ("Trial Version").

[bilbo]

Quote:

Originally Posted by Shub-Nigurrath

The behaviour you told can be due to some crc-like checks, try to see with Peid and the Karnal plug if there's one..

As far as I know, correct me if I am wrong, the plugin you are telling about is called KANAL, and it cannot detect CRC checks but simple crypto algorithms (by signatures).

Regards, bilbo

What is the specific error it throws... or does it crash without an error.

You should load your modified exe in IDA Pro and step through the code after your modified Jump to see if it is infact doing CRC checks or not and just go in and jump past those as well.

If you debug it you can see where in the code its erroring and for what specific reason, and take appropriate action. At the very least it will give ppl you ask a better clue as to what is going wrong.

[ivanov]

The errors occur when displaying a Form/(Window) Dialog which is not related with the modified JUMP (this JUMP is in About dialog box). But, nothing happens using the original EXE. I don't quite sure if it uses CRC Check. No crash, the program just shows an error dialog that are automatically reported to developer's Website.