Exetools  

#1  10-01-2003, 01:05  newbie007

"newbie" question for crackers ;)

Hi... A couple of quick questions, kind of new to this.

1. How easy is it to decompile VB5/VB6 programs -- not that I want to do it, I want to protect my own apps.
(a) Apparently decompilers *do* exist (not easily available), but how many people actually do that? And how much of a threat is that?
(b) Would you recommend obfuscating the symbols (i.e., do VB .exes compiled into native code keep (which would be stupid) the symbol names, such as "form1", "checkBoxRegistration", etc., etc. -- in which case -- is it REALLY really easy to get source from that? If so, looks like I might have to manually (arg! tedious) obfuscate)
(c) Which is better (to prevent reverse engineering), p-code or n-code? My understanding would be n-code, because p-code could be resolved to the actual instructions?

2. What would you say the *hardest* protector/packer/etc. to unprotect/unpack/etc. is, and why? And how long would it take a skilled cracker to break, i.e., 30 minutes or less? (I.e., say Armadillo, ASProtect, ActiveLock, etc.... apparently there are unpackers for all of these, but how easy is it for someone to figure out which one is being used and then crack it?)

3. I know I had some other really good questions, but unfortunately I forget them now ...

4. I'm curious -- I've "seen" stuff for this (3rd party apps), but am more interested in knowing how it is coded... HTTP IP spoofing (i.e., kind of like a proxy server, but not really, sending HTTP requests)? Not sure if someone would want to post it here, C++ (or VB??), but how would I go about finding out info about that, as Mr. Google and a few other buddies of his don't seem to know.

thx!

#2  10-01-2003, 04:04  Sarge

Changing the name of an object in a VB proggie isn't going to affect the "ease" of decompiling that proggie; you don't need the name to find the related code (whether N or P). The name just makes it easier for us poor humans. The code blocks are related to the object by pointers and not the actual textual ASCII name.

P-code is closer to the source, but a bit harder to learn. N-code is simply disassembled opcodes, but it takes a lot of them to do a simple task. I would suspect N-code is easier to analyze for the obvious reason that thousands of non-VB apps, when compiled, result in the same, well-known, machine code that so many disassemblers can dissect; virtually every software reverse engineer has a working knowledge of machine opcodes and can "feel" what the code is doing. It's not necessary to re-create the exact source code, either.

There are a number of progs out there that are half-decompilers; you might want to check their operation and see just what data in a VB exe is really significant in its operation and what is not; at least, then, you could concentrate on the right stuff.

Sarge

#3  10-05-2003, 03:43  newbie007

thx for the reply...

Yes, wanted to know what ppl "skilled" in this area thought, just in case I'm not aware of something, etc. (although of course I should check it out myself)...

Which symbols are stored in an n-code app? I.e., how easy is it to get, say, "Form1.doCheckMark(byVal asdfasdf as String)"? Does it have the param list, actual names, or is it just offsets, etc.? Are regular variables stored this way too? Thx!

#4  10-06-2003, 21:14  Sarge

Warning! This explanation is simplified for the faint-of-heart.

> "Form1.doCheckMark(byVal asdfasdf as String)"

While the name of the control (in this case "Form1") will certainly be easily found because it's actual text, the attributes, events and procedures won't. For example, "doCheckmark" does not appear in the exe in any way related to Form1; rather, a pointer to the address of that procedure will appear; that pointer will be what is related to Form1. Since that address is the only relationship between the control and the procedure, you would usually use the address as the name of the procedure; that way, any reference to the address indicates a reference to the procedure. Later, you can rename the procedure (and any calls to it) to something that makes sense, if you can determine what that something is. For example, after examining the above procedure, you realize that it relates to CheckMark. So, you could call it anything from "CheckMarkActivated" to "EnableChkMrk" to <whatever>, as long as it is consistent and helps you realize what the code does.

As for the "(byVal asdfasdf as String)", all variables are pushed onto the stack before usage by a call. So, the only way to determine that a variable is even used is to check for a Push of some kind before the procedure call. But, you'll never know the name ("asdfasdf"), only the stack pointer position. Like the procedure address above, the stack pointer then becomes the name, which you can also later rename, of course. Then, you can examine the procedure to see how the variable is used (in this case, "byVal"). You can determine the type ("String") by looking at what the pushed value is pointing to, assuming it's a pointer and NOT a value.

This process is loosely called Heuristic Processing (HPP = Heuristic Post Processing). Rather than being a step-by-step process of analysis, you look at the whole picture to determine what the intent is, THEN you go back and look at the details to see how they are used to support that intent.

Sarge

#5  10-07-2003, 04:46  lonewolf55

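A developer-side check that follows from Sarge's replies (#2 and #4): before shipping, see which identifiers from the source actually survive as text in the compiled file (control names like "Form1" tend to, procedure and parameter names do not, since those are only reached through pointers and stack slots). This is an added example, not code from the thread; the sample bytes are constructed here to stand in for a compiled module, and find_identifier, surviving_identifiers and report are hypothetical names.

```python
# Added example: report which source identifiers appear verbatim in a binary,
# as plain ASCII or as UTF-16LE text. The sample bytes below are constructed
# to mimic what Sarge describes; they are not a real VB6 executable.
from typing import Dict, List, Tuple


def find_identifier(blob: bytes, name: str) -> List[Tuple[str, int]]:
    """Return (encoding, offset) pairs for every verbatim occurrence of name."""
    hits: List[Tuple[str, int]] = []
    for enc, needle in (("ascii", name.encode("ascii")),
                        ("utf-16le", name.encode("utf-16-le"))):
        start = 0
        while True:
            pos = blob.find(needle, start)
            if pos < 0:
                break
            hits.append((enc, pos))
            start = pos + 1
    return hits


def surviving_identifiers(blob: bytes, names: List[str]) -> Dict[str, List[Tuple[str, int]]]:
    """Map each identifier to its occurrences; an empty list means it did not survive."""
    return {n: find_identifier(blob, n) for n in names}


# Constructed stand-in for a compiled module: control names embedded as text,
# the procedure referenced only by a 32-bit address (no name anywhere).
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"Form1\x00"                                              # form name, ASCII
    + "checkBoxRegistration".encode("utf-16-le") + b"\x00\x00"  # control name, UTF-16LE
    + b"\x10\x20\x40\x00"                                       # pointer to doCheckMark's code
    + b"\x00" * 8
)

# Identifiers taken from the (hypothetical) source of the thread's example.
SOURCE_NAMES = ["Form1", "checkBoxRegistration", "doCheckMark", "asdfasdf"]


def report(blob: bytes = SAMPLE_BINARY, names: List[str] = SOURCE_NAMES) -> List[str]:
    """One line per identifier: where it leaked, or 'absent' if it was not found."""
    lines = []
    for name, hits in surviving_identifiers(blob, names).items():
        if hits:
            where = ", ".join(f"{enc}@0x{off:x}" for enc, off in hits)
            lines.append(f"LEAKED  {name}: {where}")
        else:
            lines.append(f"absent  {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it against your own build with the identifier list pulled from your source to see which names you would still need to rename or strip.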
I'm not real sure, but to the best of my knowledge if a program of any kind can be loaded into memory, then a "snapshot" can be taken of the memory, and at that point whatever is in memory is fair game.

Not saying it is real simple to reverse at that point, but it sure is a good start.

Also there are some programs out there that will allow you to capture and modify forms pretty easily.

For example: the Customizer works well, but this doesn't disassemble anything, just allows a person to modify forms or windows.