VB Serial Protection


XeNoSiS
December 21st, 2001, 09:56
I am trying to learn VB debugging and have chosen to do so on 3DFTP 4.0. The only tool I have for p-code debugging is WKTVBDE. I know that Smartcheck is the recommended app, but some of us that haven't been able to find it have to resort to less able applications.

Can someone out there throw me a bone here? Being my first VB attempt... I am quickly learning that IT SUCKS!



riPPadoGG
December 23rd, 2001, 07:52
Hi..
Is this a good idea? P-Coded apps are not friendly. I would suggest you try the normally compiled VB apps for a start. When you become familiar with the function calls in msvbvm*0.dll, move on to p-code.

P-Coded apps use the same functions, from the same msvbvm*0.dll... So they are crackable, but finding a starting point is a bit hard (as disassembly is always a problem).

p-code tip,
Try JosephCo's VB decompiler if you want.

Read Razzia's tut, about VB reversing. Serial fishing is dealt with..

regards
riPPadoGG



NB: I myself have struggled a lot with p-code apps... Since this forum has helped me a lot (with unpacking, thank you all!!), can someone come up with some good tuts/posts/anything???

XeNoSiS
December 27th, 2001, 12:57
Ok, well I agree that working with p-code wasn't the smartest thing for a newbie like me. BUT I tried to load the app into JosephCo's VB Decomp and it crashed with a fatal error that I emailed to him a few days ago. Second, I was able to finally break on the "Verify" button click. Being the inexperienced person that I am.... I stepped through the whole process until the "Invalid" MessageBox appears. So I came up with this block of code <pasted below> that I am currently working on deciphering. Another important note is that it compares parts of the serial I entered against all of these strings:

A563E9NL2Q72
A343J5JJS222
AC4KJ3228Q64
A442682QQ87A
A322X6NQSS3S
AA6KK3J4JU74
AC4KS6NQJW7A
AG6KP922LN64
AG6JF828Y83U
A982GTC4BH52
AA4P4QUNBB4U
A727UQY89M5S
AF4PZPU2K582
AE8NVNCJTK82
AG2N5MUJ5Z8J
AK67NWWMU2F5
AP26FYERCSBT
AX2P7YSR8SBD
AT2K5PJPYJAV
AK23VN292CFT
TJ4E79ALH4L.

So it looks like there is some heavy math involved. Here are some comments that I extracted from the Verify process as well:
;Decrypt
;01
;Encrypt
;Scramble
;Unscramble
;BinToSer
;SerToBin
;IntToBin
;BinToInt
;GetDivs
;Error: Can't split data into groups because is a prime number!
;RearrangeBits
;Error on xorStrings

These give me a good idea that he is doing quite a bit with the code entered and the way he is comparing it to stored value.

Any more thoughts? Tell me if I am way off base and I don't have a clue... But I think I have done some pretty good analysis work so far. Especially for a new new newbie. Someone has already posted a working serial online, so this is strictly for learning purposes at this point.


<Verify Button Clicked>
741BEA99 . 66:83F8 00 CMP AX,0 ; VB "= 0" test: AX==0 gives True (-1), else False (0)
741BEA9D > B8 00000000 MOV EAX,0
741BEAA2 . 0F94C0 SETE AL
741BEAA5 . F7D8 NEG EAX
741BEAA7 . 50 PUSH EAX ; push the boolean result for the next opcode
741BEAA8 . 33C0 XOR EAX,EAX
741BEAAA . 8A06 MOV AL,BYTE PTR DS:[ESI] ; ESI = p-code instruction pointer: fetch next opcode byte
741BEAAC . 46 INC ESI
741BEAAD .^FF2485 94ED1B7>JMP DWORD PTR DS:[EAX*4+741BED94] ; MSVBVM50.741BE058 ; dispatch through the opcode handler table at 741BED94

741BE058 > 58 POP EAX
741BE059 . 090424 OR DWORD PTR SS:[ESP],EAX
741BE05C . 33C0 XOR EAX,EAX
741BE05E . 8A06 MOV AL,BYTE PTR DS:[ESI]
741BE060 . 46 INC ESI
741BE061 . FF2485 94ED1B7>JMP DWORD PTR DS:[EAX*4+741BED94]

741BD947 > 0FBF06 MOVSX EAX,WORD PTR DS:[ESI] ; 16-bit operand following the opcode (frame offset)
741BD94A . FF3428 PUSH DWORD PTR DS:[EAX+EBP] ; push a local variable from the p-code frame
741BD94D . 33C0 XOR EAX,EAX
741BD94F . 8A46 02 MOV AL,BYTE PTR DS:[ESI+2] ; next opcode byte sits after the 2-byte operand
741BD952 . 83C6 03 ADD ESI,3 ; skip operand plus the opcode just fetched
741BD955 . FF2485 94ED1B7>JMP DWORD PTR DS:[EAX*4+741BED94]

741BDE59 > 0FB706 MOVZX EAX,WORD PTR DS:[ESI]
741BDE5C . 8B55 AC MOV EDX,DWORD PTR SS:[EBP-54]
741BDE5F . FF3482 PUSH DWORD PTR DS:[EDX+EAX*4]
741BDE62 . 33C0 XOR EAX,EAX
741BDE64 . 8A46 02 MOV AL,BYTE PTR DS:[ESI+2]
741BDE67 . 83C6 03 ADD ESI,3
741BDE6A . FF2485 94ED1B7>JMP DWORD PTR DS:[EAX*4+741BED94]

741BEC87 > 33C0 XOR EAX,EAX ; lead (prefix) opcode: the next byte is dispatched
741BEC89 . 8A06 MOV AL,BYTE PTR DS:[ESI] ; through a second handler table
741BEC8B . 46 INC ESI
741BEC8C . FF2485 94F11B7>JMP DWORD PTR DS:[EAX*4+741BF194] ; second opcode table at 741BF194

741BEA92 > 6A 00 PUSH 0
741BEA94 > E8 635BF0FF CALL MSVBVM50.740C45FC

740C45FC $ 66:837C24 04 0>CMP WORD PTR SS:[ESP+4],0
740C4602 . B8 00000000 MOV EAX,0
740C4607 . 0F85 D9F20500 JNZ MSVBVM50.741238E6
740C460D > FF7424 0C PUSH DWORD PTR SS:[ESP+C]
740C4611 . FF7424 0C PUSH DWORD PTR SS:[ESP+C]
740C4615 . 50 PUSH EAX
740C4616 . E8 48EFFFFF CALL MSVBVM50.__vbaStrComp

740C3563 > $ 55 PUSH EBP
740C3564 . 8BEC MOV EBP,ESP
740C3566 . 53 PUSH EBX
740C3567 . 56 PUSH ESI
740C3568 . 57 PUSH EDI
740C3569 . 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
740C356D . BE 00000000 MOV ESI,0
740C3572 . 74 06 JE SHORT MSVBVM50.740C357A
740C3574 . 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
740C3577 . 8B70 FC MOV ESI,DWORD PTR DS:[EAX-4] ; EAX=UNICODE "AZZZZZ" Entered String; ESI = its byte length (BSTR length prefix at [ptr-4])
740C357A > 837D 0C 00 CMP DWORD PTR SS:[EBP+C],0
740C357E . BF 00000000 MOV EDI,0
740C3583 . 74 06 JE SHORT MSVBVM50.740C358B
740C3585 . 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] ; 3dftp.00446868
740C3588 . 8B79 FC MOV EDI,DWORD PTR DS:[ECX-4] ; ECX=UNICODE "AP26FYERCSBT" From App; EDI = its byte length
740C358B > 3BFE CMP EDI,ESI ; EBX = min(stored length, entered length) in bytes
740C358D . 8BDF MOV EBX,EDI
740C358F . 73 25 JNB SHORT MSVBVM50.740C35B6

740C35B6 > 8BDE MOV EBX,ESI
740C35B8 .^EB D7 JMP SHORT MSVBVM50.740C3591

740C3591 > 837D 08 00 CMP DWORD PTR SS:[EBP+8],0 ; compare flag, 0 = binary compare
740C3595 . 75 36 JNZ SHORT MSVBVM50.740C35CD
740C3597 . 85DB TEST EBX,EBX
740C3599 . 74 28 JE SHORT MSVBVM50.740C35C3
740C359B . 8BC3 MOV EAX,EBX
740C359D . D1E8 SHR EAX,1 ; byte count -> 16-bit character count
740C359F . 50 PUSH EAX
740C35A0 . FF75 0C PUSH DWORD PTR SS:[EBP+C]
740C35A3 . FF75 10 PUSH DWORD PTR SS:[EBP+10]
740C35A6 . E8 3FA40000 CALL MSVBVM50.740CD9EA

740CD9EA /$ 56 PUSH ESI
740CD9EB |. 57 PUSH EDI
740CD9EC |. 8B7C24 10 MOV EDI,DWORD PTR SS:[ESP+10]
740CD9F0 |. 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C]
740CD9F4 |. 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
740CD9F8 |. 33C0 XOR EAX,EAX
740CD9FA |. F3:66:A7 REPE CMPS WORD PTR ES:[EDI],WORD PTR DS:[ESI] ; compare ECX characters, stop at first difference
740CD9FD |. 74 05 JE SHORT MSVBVM50.740CDA04 ; all equal: EAX stays 0
740CD9FF |. 1BC0 SBB EAX,EAX ; otherwise EAX = -1 if entered < stored, else +1
740CDA01 |. 83D8 FF SBB EAX,-1
740CDA04 |> 5F POP EDI
740CDA05 |. 5E POP ESI
740CDA06 \. C2 0C00 RETN C

740C35AB . 85C0 TEST EAX,EAX
740C35AD . 74 0B JE SHORT MSVBVM50.740C35BA
740C35AF > 5F POP EDI
740C35B0 . 5E POP ESI
740C35B1 . 5B POP EBX
740C35B2 . 5D POP EBP
740C35B3 . C2 0C00 RETN C

740C461B . C2 0C00 RETN C
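As an added illustration of the compare path traced above (this is my own C model, not MSVBVM50's source and not code from the thread; the function names are mine): a VB string is a BSTR, a pointer to UTF-16 characters with the byte length stored in the four bytes before the pointer, which is what MOV ESI,[EAX-4] and MOV EDI,[ECX-4] read. The routine then compares min(len1,len2)/2 characters and yields -1/0/1. What happens when the common prefix matches but the lengths differ (the branch to 740C35BA) is not in the posted listing, so the length tie-break below is an assumption. The stored strings are a constructed subset of the ones listed in the post, used only as compare targets.

```c
/* Added example: C model of the __vbaStrComp binary-compare path seen in the listing.
 * Not MSVBVM50 code; names are mine, the length tie-break is an assumption. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t *BSTR_T;   /* points at the characters; byte length lives at [p-4] */

/* Build a BSTR-shaped buffer from ASCII (constructed test data, no OLE involved). */
static BSTR_T make_bstr(const char *ascii)
{
    uint32_t n = (uint32_t)strlen(ascii), bytes = 2 * n;
    uint8_t *raw = malloc(4 + bytes + 2);
    if (!raw) { perror("malloc"); exit(1); }
    memcpy(raw, &bytes, 4);                       /* length prefix, as [ptr-4] */
    uint16_t *chars = (uint16_t *)(raw + 4);
    for (uint32_t i = 0; i < n; i++) chars[i] = (uint8_t)ascii[i];
    chars[n] = 0;                                 /* BSTRs end with a NUL as well */
    return chars;
}

static void free_bstr(BSTR_T s) { if (s) free((uint8_t *)s - 4); }

static uint32_t bstr_bytes(BSTR_T s)
{
    uint32_t bytes;
    if (!s) return 0;                             /* CMP [EBP+10],0 ; MOV ESI,0 */
    memcpy(&bytes, (uint8_t *)s - 4, 4);
    return bytes;
}

/* Binary compare of entered vs stored: -1, 0 or 1, like the routine at 740C3563. */
static int vba_str_comp_model(BSTR_T entered, BSTR_T stored)
{
    uint32_t le = bstr_bytes(entered), ls = bstr_bytes(stored);
    uint32_t nchars = (le < ls ? le : ls) >> 1;   /* MOV EBX,min ; SHR EAX,1 */
    for (uint32_t i = 0; i < nchars; i++)         /* REPE CMPSW */
        if (entered[i] != stored[i]) return entered[i] < stored[i] ? -1 : 1;
    if (le == ls) return 0;
    return le < ls ? -1 : 1;                      /* assumed tie-break on length */
}

/* Convenience wrapper over ASCII input. */
int compare_strings(const char *entered, const char *stored)
{
    BSTR_T e = make_bstr(entered), s = make_bstr(stored);
    int r = vba_str_comp_model(e, s);
    free_bstr(e); free_bstr(s);
    return r;
}

/* Index of the first differing character, or -1 if identical. When fishing a
 * serial this tells you how far the entered string got before REPE CMPSW stopped. */
int first_mismatch(const char *entered, const char *stored)
{
    BSTR_T e = make_bstr(entered), s = make_bstr(stored);
    uint32_t le = bstr_bytes(e), ls = bstr_bytes(s), n = (le < ls ? le : ls) >> 1;
    int idx = -1;
    for (uint32_t i = 0; i < n; i++) if (e[i] != s[i]) { idx = (int)i; break; }
    if (idx < 0 && le != ls) idx = (int)n;        /* one string is a prefix of the other */
    free_bstr(e); free_bstr(s);
    return idx;
}

/* Constructed subset of the strings seen in the Verify handler, used only as
 * compare targets here; nothing claims they are valid serials. */
static const char *const STORED[] = { "A563E9NL2Q72", "A343J5JJS222", "AP26FYERCSBT", "TJ4E79ALH4L" };

/* Compare the entered string against each stored one; index of first match or -1. */
int find_stored_match(const char *entered)
{
    for (size_t i = 0; i < sizeof STORED / sizeof STORED[0]; i++)
        if (compare_strings(entered, STORED[i]) == 0) return (int)i;
    return -1;
}

int main(void)
{
    printf("compare(\"AZZZZZ\",\"AP26FYERCSBT\") = %d, first mismatch at %d\n",
           compare_strings("AZZZZZ", "AP26FYERCSBT"), first_mismatch("AZZZZZ", "AP26FYERCSBT"));
    printf("match index for AP26FYERCSBT: %d\n", find_stored_match("AP26FYERCSBT"));
    return 0;
}
```

The practical point for serial fishing: because the stored value is loaded into a register before the compare, the string the app wants is visible at the breakpoint on __vbaStrComp, and the first mismatching index shows which part of the entered value the Verify code actually checked.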

NikDH
December 29th, 2001, 07:05
Quote:
Originally posted by XeNoSiS
Ok, well I agree that working with p-code wasn't the smartest thing for a newbie like me. BUT I tried to load the app into JosephCo's VB Decomp and it crashed with a fatal error that I emailed to him a few days ago. Second I was able to finally break on the "Verify" button click.


Well, I think WKT is better in this case.
Using it you can step the code and see where the problem is.

One of the problems is to learn what opcodes mean, but after a little bit of stepping I think you'll learn the most important ones.

Just be careful with branch opcodes that make you jump away.

Well, I've just cracked some p-coded apps even if I've never seen p-code before and haven't read any tute about it.
I think the WKT debugger is a really great tool.

See ya
NikDH

josephCo
January 6th, 2002, 04:23
The algo is a bit complex. BTW, do you have symbols loaded into SoftICE? It might help a bit, but then again maybe not, hehe. I haven't tried much, but you've got an email or two.

Good luck!!


joe

riPPadoGG
January 6th, 2002, 07:05
Hi JosephCo,

Nice to find you here.
I have also tried to crack p-coded apps... but with very limited success. I am very comfortable with normal VB proggies.
I am even unable to break into the actual program code of a p-code app (like the one you get when you disassemble a normal one).
Also, every VB app starts like this...
call ThunRTMain

and jumps off into msvbvm*.dll..
How can I get into the real start-up code??

I have been searching for the answers for too long...Any good docs to be read?

regards and tks in advance..
Cheers for the work you have done on VB decompiling..

doGG

josephCo
January 7th, 2002, 16:22
Hehe, P-Code is an interpreted language. This means that 1 byte will be read and then there will be a jump to the corresponding procedure (inside msvbvm*.dll) that will work its magic. All your tracing inside msvbvm*.dll is the actual code being executed. You'll see something like MOV AL, BYTE PTR [ESI] then a JMP [EAX*4+XXXXXX] (where XXXXXX is some address). When you execute those commands, you have just read a new opcode and jumped to its procedure. If you have symbols loaded into SoftICE, you should be able to get a vague feel for how everything works.

Using an old (most likely buggy) version of exdec, you might be able to have more success. There is no current version available and I most likely don't plan on releasing anything new. I would, however, help in the creation of any new tools (provided the author is serious and not wanting everything handed to him on a silver platter). I firmly believe in helping those that try to help themselves.

joe
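To make the interpreter shape josephCo describes concrete, here is a toy p-code VM in C (an added example; not code from the thread and not MSVBVM50's own interpreter, whose real opcode numbering and tables are not reproduced here). Every handler ends by fetching the next opcode byte and jumping through a table indexed by it, the MOV AL,[ESI] / INC ESI / JMP [EAX*4+table] pattern in the listing above. Two details from that listing are modelled as well: handlers that take a 16-bit operand (MOVSX EAX,WORD PTR [ESI] ... ADD ESI,3) and a lead opcode that dispatches through a second table (741BEC87 -> 741BF194). The opcode numbers, mnemonics, VM layout and the three sample programs are my own construction.

```c
/* Added example: toy p-code interpreter with table dispatch, modelled on the
 * MOV AL,[ESI] / JMP [EAX*4+table] loop in the listing. Not MSVBVM50 code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct vm {
    const uint8_t *ip;      /* plays the role of ESI: points at the next opcode */
    const uint8_t *end;
    int32_t stack[32];
    int sp;
    int running;
    int fault;              /* set on unknown opcode, bad stack or truncated stream */
    int32_t result;
};

static int16_t operand16(struct vm *v)           /* MOVSX EAX,WORD PTR [ESI] */
{
    if (v->ip + 2 > v->end) { v->fault = 1; v->running = 0; return 0; }
    int16_t val = (int16_t)(v->ip[0] | (v->ip[1] << 8));
    v->ip += 2;
    return val;
}

static void push(struct vm *v, int32_t x)
{
    if (v->sp >= 32) { v->fault = 1; v->running = 0; return; }
    v->stack[v->sp++] = x;
}

static int32_t pop(struct vm *v)
{
    if (v->sp <= 0) { v->fault = 1; v->running = 0; return 0; }
    return v->stack[--v->sp];
}

/* Primary opcode table (stand-in for the table at 741BED94). */
static void op_halt(struct vm *v)   { v->running = 0; }
static void op_push(struct vm *v)   { push(v, operand16(v)); }
static void op_add(struct vm *v)    { int32_t b = pop(v), a = pop(v); push(v, a + b); }
static void op_eq(struct vm *v)     { int32_t b = pop(v), a = pop(v); push(v, a == b ? -1 : 0); } /* VB True is -1 */
static void op_brfalse(struct vm *v)                /* the "branch opcodes that make you jump away" */
{
    int16_t rel = operand16(v);
    if (pop(v) == 0) v->ip += rel;               /* relative to the byte after the operand */
}
static void op_lead(struct vm *v);                  /* escape to the secondary table */

/* Secondary table (stand-in for 741BF194), reached only through the lead byte 0xFF. */
static void op2_iszero(struct vm *v) { push(v, pop(v) == 0 ? -1 : 0); } /* CMP AX,0 ; SETE AL ; NEG EAX */
static void op2_ret(struct vm *v)    { v->result = pop(v); v->running = 0; }

typedef void (*handler_t)(struct vm *);
static const handler_t table1[256] = {
    [0x00] = op_halt, [0x01] = op_push, [0x02] = op_add, [0x03] = op_eq,
    [0x04] = op_brfalse, [0xFF] = op_lead,
};
static const handler_t table2[256] = { [0x00] = op2_iszero, [0x01] = op2_ret };

/* Fetch one opcode byte and dispatch through a table: MOV AL,[ESI] ; INC ESI ; JMP [EAX*4+table]. */
static void dispatch(struct vm *v, const handler_t *table)
{
    if (v->ip >= v->end) { v->fault = 1; v->running = 0; return; }
    uint8_t op = *v->ip++;
    if (!table[op]) { v->fault = 1; v->running = 0; return; }   /* unknown opcode: stop, do not guess */
    table[op](v);
}

static void op_lead(struct vm *v) { dispatch(v, table2); }

/* Run a p-code buffer to completion; returns the RET value, or -2 on fault. */
int32_t run_pcode(const uint8_t *code, size_t len)
{
    struct vm v = { .ip = code, .end = code + len, .sp = 0, .running = 1, .fault = 0, .result = 0 };
    while (v.running) dispatch(&v, table1);
    return v.fault ? -2 : v.result;
}

/* Constructed programs: (5 + 3) == 8 ? 1 : 0, the same test against 9, and IsZero(0). */
static const uint8_t PROG_EQ8[] = { 0x01,5,0, 0x01,3,0, 0x02, 0x01,8,0, 0x03, 0x04,5,0,
                                    0x01,1,0, 0xFF,0x01,  0x01,0,0, 0xFF,0x01 };
static const uint8_t PROG_EQ9[] = { 0x01,5,0, 0x01,3,0, 0x02, 0x01,9,0, 0x03, 0x04,5,0,
                                    0x01,1,0, 0xFF,0x01,  0x01,0,0, 0xFF,0x01 };
static const uint8_t PROG_ISZERO[] = { 0x01,0,0, 0xFF,0x00, 0xFF,0x01 };

int main(void)
{
    printf("(5+3)==8 -> %d\n", run_pcode(PROG_EQ8, sizeof PROG_EQ8));
    printf("(5+3)==9 -> %d\n", run_pcode(PROG_EQ9, sizeof PROG_EQ9));
    printf("IsZero(0) -> %d\n", run_pcode(PROG_ISZERO, sizeof PROG_ISZERO));
    return 0;
}
```

When tracing the real thing in SoftICE, the analogue of `dispatch` is the place to set a breakpoint: the opcode byte is in AL and ESI points into the p-code stream, so one breakpoint on the indirect JMP shows every opcode the program executes, and the table base in the JMP operand tells you which handler table you are in.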

riPPadoGG
January 11th, 2002, 10:36
Hi JosephCo..
Big thanks for the response.
One more clarification needed.

What is this call to ThunRTMain?
This seems to go into msvbvm*.dll and never come back. I do not have the patience (apologies, that is a born trait) to press F8 till it breaks back..
Please throw some light.

regards
doGG..

SargeG
January 12th, 2002, 13:52
*****VERY SIMPLIFIED EXPLANATION******
*****DETAILS OMITTED FOR CLARITY******

"ThunderForm" is the name of the VB window (the one that you don't see; its sizes are set to 0) that contains the code that makes up your app. Basically, to run VB, Windows gets the location of the procedure that handles VB apps, then jumps to the entry point of it (Main). When your app terminates, the procedure is ended (usually with a return value that is ignored), and the program is ended.

Note that the start address is very significant to a decompiling effort; you should start there, with a hex dumper/editor.

SargeG


PS: Two thoughts:
1. The start of this discussion sounds like a "Crack Help" request; is this the place for it?

2. If this discussion is/was not a crack help request, but a real desire to learn, why not try the MiniProjects area, under decompiler stuff, where the ins and outs of writing a decompiler are discussed in much greater detail.