Exetools - Scene Behind VbaStrCmp v2.1

Exetools (https://forum.exetools.com/index.php)

- General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)

- - Scene Behind VbaStrCmp v2.1 (https://forum.exetools.com/showthread.php?t=14832)

ontryit

02-25-2013 17:48

Scene Behind VbaStrCmp v2.1

Hello Masters,
I am a newbie on RCE world, i would to know how the VbaStrCmp tool can attach to the victim programs? Can anyone explain to me how did VbaStrCmp tool works on behind, and also what it changed to the MSVBVM60.DLL?

regards
Ontryit

Av0id

02-25-2013 21:35

vbaStrCmp is like strcmp, both are internal runtime functions which compare strings, i guess VbaStrCmp tool just hooking that function inside msvbvm60.dll

Loki	02-25-2013 23:30

It uses a patched version of msvbvm60.dll -IIRC the entry point has some custom code to set hooks etc. As every VB6 app uses the dll, every app gets hooked.

wilson bibe

02-26-2013 01:36

A few times I have had success in finding the serial number strings for VB6 app, it works fine, but not always, to VB6 I think that the Ollydebug and some decompiler as like P32dasm or VB decompiler(any version), are the way to create a keygen or patch. If you want to find out how the patched version of Msvbvm60.dll works, use any tool to compare two .exe files, in this case I used the UltraCompare.

Shub-Nigurrath

02-26-2013 17:22

most VB apps in this case controls the path of the loaded module, if it's not a system path just refuse to load. Better could be to dynamically inject to avoid such controls.

All times are GMT +8. The time now is 14:55.