Oh, last version is
5.0.0.59. Above address is for this version.
Look at the patched code :
Code:
1102C723 . E8 F8470100 CALL VLMenu.11040F20 ->Reg check
1102C728 . 8B7D D0 MOV EDI,DWORD PTR SS:[EBP-30]
1102C72B . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
1102C72E . F7D7 NOT EDI
1102C730 . FF15 7C120011 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
1102C736 . 66:85FF TEST DI,DI
1102C739 74 1B JE SHORT VLMenu.1102C756 -> patch to jump over NAG sub-routine
1102C73B . 8B16 MOV EDX,DWORD PTR DS:[ESI]
1102C73D . 56 PUSH ESI
1102C73E . FF92 84080000 CALL DWORD PTR DS:[EDX+884] ; VLMenu.1100889D -> Shows Nag
Reg check
Code:
11040F20 $ 55 PUSH EBP
11040F21 . 8BEC MOV EBP,ESP
11040F23 . 83EC 08 SUB ESP,8
11040F26 . 68 46380011 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
11040F2B . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
11040F31 . 50 PUSH EAX
...
...
...
11040FC2 . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
11040FC5 . 68 DCD90011 PUSH VLMenu.1100D9DC ; UNICODE "Unknown"
11040FCA . 52 PUSH EDX
11040FCB . FFD6 CALL ESI ; <&MSVBVM60.__vbaStrToAnsi>
11040FCD . 50 PUSH EAX
11040FCE . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
11040FD1 . 68 CCD90011 PUSH VLMenu.1100D9CC ; UNICODE "User"
11040FD6 . 50 PUSH EAX
11040FD7 . FFD6 CALL ESI ; <&MSVBVM60.__vbaStrToAnsi>
11040FD9 . 50 PUSH EAX
11040FDA . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
11040FDD . 68 14950011 PUSH VLMenu.11009514 ; UNICODE "VLMenu2"
Find these unicode strings. This sub-routine is called by 5 Call + 1 JMP. First Call is which we want.
If you cann't find it, use following sig to find
NAG sub-routine. Maybe this is applicable :
Code:
FF 15 ?? ?? ?? ?? 83 EC ?? B9 ?? 00 00 00 8B DC B8 ?? ?? ?? ?? 83 EC 10 8B 3E 89 0B 8B 4D ?? 8B 17 89 4B
Patch the first instruction to
RETN 4.
Please check this sig too, for finding above mentioned JE :
Code:
FF 15 ?? ?? ?? ?? 66 85 FF ?? 1B 8B ?? 56 FF ?? ?? ?? ?? 00 85 C0 7D ?? 68
Please upload the OCX for more analysis, if these worked or not.
Regards.