Planet Source Code Jumbo Resource CD Visual Basic 1 to 7

home *** CD-ROM | disk | FTP | other *** search

/ Planet Source Code Jumbo …e CD Visual Basic 1 to 7 / 5_2007-2008.ISO / data / Zips / DISASSEMBL20306411132006.psc / disasm_vb.txt < prev

Wrap

Text File | 2006-11-13 | 69KB | 1,635 lines

******************************************************************************** * DISASSEMBLING VISUAL BASIC APPLICATIONS - II * * - Sanchit Karve * * * * born2c0de * * printf("I'm a %XR",195936478); * * * * CONTACT ME : born2c0de AT dreamincode DOT net * * * ******************************************************************************** LAST UPDATED : 13 NOVEMBER 2006 -------------------------------------------------------------------------------- INDEX [INDX] I. DISCLAIMER AND NOTICE [DISN] II. READING THIS TUTORIAL [RTUT] III. ASSUMPTIONS [ASPT] IV. REQUIRED TOOLS AND DOCS [RQRT] V. VB AS A LANGUAGE [VBAL] VI. INTRODUCTION [ITRO] VII. STRUCTURE OF A VB PROGRAM [SVBP] VIII. OUR FIRST PROGRAM [OFPR] IX. STRING COMPARISON [STR1] X. DECIPHERING A KEY GENERATOR [DKGN] XI. CONCLUSION [END1] -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- I. DISCLAIMER AND NOTICE [DISN] This tutorial is meant for educational purposes only. If the Reader chooses to break Protection Mechamisms after reading this tutorial, he/she shall alone be responsible for the damages caused and not the Author. If you wish to post portions of this tutorial on a WebSite, you are free to do so as long as you abide by these rules: -> Post the selected portion in unedited form. -> Mention the Author's Name,Email Address and Name of this tutorial above or below the selected text. -> Inform the Author. The Author has not copied text or any other information directly from a Source. However, some information from some sources has been used to write this tutorial. These Sources have been mentioned in the References Section. You are permitted to continue reading the tutorial only if you agree to the text given above. -------------------------------------------------------------------------------- II. READING THIS TUTORIAL [RTUT] Each Section in this Tutorial has a specific Topic Code enclosed in square brackets. This arrangement has been made so that you can jump to a specific topic simply by searching for the topic code from your Browser. At many places in the tutorial, I've explained a few things which are almost unnecessary to know when dealing with Visual BASIC programs but I've written them for those who have a thirst for knowledge. The Topic Code Tags [XTRA] and [/XTRA] have been given for "extra-information" sections and you are free to skip them. Text within the [XTRA]...[/XTRA] blocks is given for extra information. You can search for the Extra Information using the Topic Code. -------------------------------------------------------------------------------- III. ASSUMPTIONS [ASPT] You are required to have a basic understanding of: : Visual BASIC : C/C++ : Win31 API : 80x86 Microprocessor Assembly Language. -------------------------------------------------------------------------------- IV. REQUIRED TOOLS AND DOCS [RQRT] You will need the following tools to proceed with the Tutorial. : COMPILER : Visual Basic 6.0 : DISASSEMBLER : IDA Pro 4.x or higher : DEBUGGER : OllyDebug Ver. 1.09d or higher : WINDOWS API DOCUMENTATION You can also use these tools for your own experiments. : NuMeGa SmartCheck 6.x -> A Good VB Debugger with lots of features. : VBDE version 0.85 by iorior -> gives offsets of VB procedures : VBReformer -> can change properties of VB Controls You can refer to API Documentation from MSDN or you can use the API Text Viewer Tool supplied with Visual Studio or browse MSDN Online (msdn.microsoft.com). Certain Applications like APIViewer 2004 will also do. It would be advisable to have a copy of Intel's 80x86 Instruction Set Manual. Intel provides this manual free of charge. The Software Developer's Manual consists of 3 volumes: : Basic Architecture - Order Number 243190 : Instruction Set Reference - Order Number 243191 : System Programming Guide - Order Number 243192 You can obtain these manuals at http://developer.intel.com I have given the names of the Tools that I have used. But you are free to use any disassembler and debugger as long as you are comfortable using it but I advice you to use the tools that I have used above. SoftIce is better than OllyDebug but the latter is good enough so it doesn't matter which one you use. But I strongly recommend the use of IDA Pro as it's the best disassembler that I have seen so far. -------------------------------------------------------------------------------- My First Version of this Tutorial got me a lot of comments and emails from people reminding me of all the advantages of VB. They've told me not to overlook the advantages of VB and that there is a reason why VB is slow. I agree with them. Looks like I was focussed on only VB's shortcomings I guess. In this tutorial, I wish to get things clear and let VB get the praise it deserves. -------------------------------------------------------------------------------- V. VB AS A LANGUAGE [VBAL] It's like they say:"Everything has a reason." After this section I am just going to focus on the internal details of Visual BASIC and I just might say that the code generated by VB is pathetic. But before I can do that, I want to ensure that you know the advantages that VB offers as well. I want to do this so that the next time you are writing an application, you can decide whether or not to use Visual BASIC based on your priorities. Visual BASIC is a well crafted language simply because learning to write code doesn't take much time and yet VB is capable of generating Powerful Applications. Many times when you don't have much time at your disposal, Visual Basic is the best way to go as you can make your App do the same work (which another language would let you do) in a shorter amount of time without compromising much on the Application performance. VB's library functions are DLL function calls to MSVBM60.DLL Though this doesn't help in speeding up the App, it has a lot of advantages: --> Core Code is written in the Runtime Files itself, making Visual BASIC programs as small as possible. --> Because of this architecture, the code is extremely easy to port to other Windows Operating Systems. Consider this example. --> VB does a lot of work by itself. C/C++ and other languages would require you to write a lot of functions to even write a simple Windows Application. [ THIS IS ONLY AN EXAMPLE. IT MAY NOT BE NECESSARILY TRUE ] Suppose an API Function APIFunc() that exists in a DLL file in Windows XP is removed from Windows Vista but Microsoft decides to include an alternate function and names it AlternateAPIFunc() and puts it in another DLL file. (Assuming all parameters and return value contents are the same) We plan to write this in C. Now comes the problem. If we wish to use our app to work in Windows XP, we need to use the the function APIFunc() in our applications and if we want it to work on Windows Vista we have to replace every APIFunc() function call in our app to AlternateAPIFunc(). Isn't it cumbersome and tiring? Now if we decide to use VB. We continue to use the same code. VB Functions call API Functions from the Runtime Files. So nothing needs to be done because Windows XP will have a seperate set of runtime files using the APIFunc() Function while the Vista Runtime Files would use the AlternateAPIFunc() Function. Doesn't that make the programmers job much much easier? This is based on the Java portability technique where the Runtime Files of Windows OS's can be thought of like Java Virtual Machines. VB also includes support for Memory Handling and Stack Checks which otherwise would have to be done manually by the programmer in another language. So What I'm saying is all these features cost you on performance. But the relative lag in performance is ingorable as the advantages outperform VB's shortcomings. So what follows below is just having a look at VB's Code Generation results and Runtime Files code. So when I talk about some code being inefficient, remember that it is so because of the advantages that VB offers. The topic of this tutorial concerns disassembling VB Applications and I will look at only the Assembly code without being concerned of how VB is at the user level. Once you are clear about this, go ahead. Please don't mail me stating that I could not appreciate the features of VB and things like that. -------------------------------------------------------------------------------- VI. INTRODUCTION [ITRO] If you have disassembled programs written in C/C++ or Pascal before, you would know that it is not difficult to understand what the assembly instructions are trying to achieve. These Languages generate neat,well written code and hence are easier to read and comprehend when they are disassembled. Try disassembling a program written in Visual BASIC. Most Disassemblers fail to disassemble these programs because they assume that the structure of the executable file is similar to that of C/C++ compiled programs. Hence many people think that it is extremely difficult to disassemble and understand programs written in Visual BASIC. However it is not so. The executable file structure is entirely different in Visual Basic programs. Once we get to know how Object data, strings and functions are stored and how events are implemented then comprehending Disassembled Listings of Visual Basic programs gets a lot easier. So this tutorial does just that. Along with that it also gives ample proof to show why Visual BASIC is never used by experts to write Fast and efficient code. You will see in later examples why programs generated by Visual BASIC are slow. The Tutorial will talk about executable files compiled in Visual BASIC in Native Code and not p-code. After reading this tutorial, you should be able to disassemble,debug and understand Visual Basic Applications. You may also be able to reverse engineer Protection Mechanisms written in Visual BASIC and by doing that you are putting yourself to risk and not the author. So now that you know what to expect from this tutorial, let's go ahead. -------------------------------------------------------------------------------- VII. STRUCTURE OF A VB PROGRAM [SVBP] When you open a VB Program in IDA, you'll end up with the following code. start: push offset dword_4012B4 call ThunRTMain ; --------------------------------------------------------------------------- dd 0, 300000h, 400000h, 0, 0E9960000h, 82E6FCDFh, 939C4C23h dd 0EB969B2Fh, 73D5h, 0, 1, 34303230h, 72503033h, 63656A6Fh ; etc etc etc This doesn't make any sense does it? If you keep scrolling further you will see sections of code and data. Each Section has a meaning in VB Programs and you can see a general idea of a Visual BASIC program's Section Map below. 00401000: ... IAT (First Thunk ok apis) Next Section(NS): ... some data NS: ... transfer area (Jumps to imported functions) NS: ... lots of data NS: ... local transfer area (for internal event handlers) NS: ... other data NS: ... code NS: ... lots of data NS: ... .data Section Let us now start analysis from the entry point of the program. push offset RT_Struct call ThunRTMain It's C equivalent would have been: ThunRTMain(&RT_Struct); A function ThunRTMain is called which accepts one parameter. We'll soon find out that the parameter is a structure. Simply putting a step over command on the CALL statement results in the execution of the Application. Wierd Isn't it? For Pascal,C and C++ Programs there is always a start() function that takes all CommandLine Parameters,Gets ProcessThreads,Module Handles etc. We didn't see anything of the sort in a Visual BASIC Program. But actually, VB does have a start function. The start function code is placed in the ThunRTMain Function. Let's verify that by disassembling the MSVBM60.DLL and viewing the ThunRTMain Function. I've mentioned only a part of the ThunRTMain Function Code. ThunRTMain proc near arg_0 = dword ptr 8 mov esi, [ebp+arg_0] mov dword_7352F7DC, esi and [ebp+var_4], 0 lea eax, [ebp+StartupInfo] push eax ; lpStartupInfo lea eax, [ebp+StartupInfo] push eax ; lpStartupInfo call ds:GetStartupInfoA movzx eax, [ebp+StartupInfo.wShowWindow] mov dword_7352F7D8, eax push hModule push esi mov esi, offset dword_7352F470 mov ecx, esi call sub_7342DECD mov [ebp+var_1C], eax test eax, eax jl short loc_7342DEC5 push 0 ; lParam push 0 ; wParam push 1069h ; Msg call ds:GetCurrentThreadId push eax ; idThread call ds:PostThreadMessageA ; Other Code or [ebp+var_4], 0FFFFFFFFh push 0 ; uExitCode call ds:ExitProcess jmp loc_734619B3 loc_7342DEC5: ; CODE XREF: ThunRTMain+60j push eax call sub_Free_Memory jmp short loc_7342DEB4 endp As you can see, it does call all the Functions that the start() function does in C and PASCAL programs. But what about CommandLine() Function from KERNEL32.DLL? MSVBM60.DLL does call that function as well but that function call is placed in deeply nested function calls. You can open the Imports Window to see the Imported Function and see the cross-reference to a procedure in MSVBM60.DLL The sub_Free_Memory procedure calls various API Functions but if you keep reading the procedure, you'll soon come across the HeapFree() Function which is imported from kernel32.dll. Now I guess you now know the purpose of the ThunRTMain Function. Let us now see what structure is passed to it. If we double-click on the RT_Struct offset, we reach an address containing certain values. It is a huge structure and each part needs to be seen one at a time. Explaining the Structure will take up a lot of time and since I want to focus on the Code Constructs of Visual BASIC, I won't entirely explain the Structure passed to ThunRTMain. We shall discuss the contents of this structure a little later. I would also suggest you to read the article "VISUAL BASIC REVERSED - A decompiling approach" by Andrea Geddon as it does talk about the Structure passed to ThunRTMain in detail. -------------------------------------------------------------------------------- VIII. OUR FIRST PROGRAM [OFPR] Create a Form with a CommandButton. Click the CommandButton and add a simple Msgbox Code as shown below: Private Sub Command1_Click() Msgbox "Ssup" End Sub Open the Compiled EXE File with IDA Pro. Click the Strings Tab to find the "Ssup" String. Double-Click the String to find its cross-reference. Scroll up to the top of the procedure. You should see something like this: [Explanation is partly given by comments after an instruction.] Command1_Click proc near var_64 = dword ptr -64h var_5C = dword ptr -5Ch var_54 = dword ptr -54h var_4C = dword ptr -4Ch var_44 = dword ptr -44h var_3C = dword ptr -3Ch var_34 = dword ptr -34h var_2C = dword ptr -2Ch var_24 = dword ptr -24h var_14 = dword ptr -14h var_C = dword ptr -0Ch var_8 = dword ptr -8 ; Destructor Object var_4 = dword ptr -4 form_object = dword ptr 8 push ebp ; These two instructions mov ebp, esp ; open the Stack Frame. sub esp, 0Ch ; Allocates 12 bytes on stack push (offset exception_handler+1); Starts Exception Handler mov eax, large fs:0 push eax mov large fs:0, esp sub esp, 88h ; Allocates 136 bytes on stack push ebx push esi ; Saves Values of Registers push edi ; Loads the Destructor mov [ebp+var_C], esp mov [ebp+var_8], offset destructor ; Allocating Dynamic Resources mov eax, [ebp+form_object] mov ecx, eax and ecx, 1 mov [ebp+var_4], ecx and al, 0FEh push eax mov [ebp+form_object], eax mov edx, [eax] call dword ptr [edx+4] ; Calls MSVBM60.Zombie_AddRef mov ecx, 80020004h xor esi, esi mov [ebp+var_4C], ecx mov eax, 0Ah mov [ebp+var_3C], ecx mov [ebp+var_2C], ecx mov [ebp+var_34], esi mov [ebp+var_44], esi mov [ebp+var_54], esi mov [ebp+var_64], esi lea edx, [ebp+var_64] lea ecx, [ebp+var_24] mov [ebp+var_24], esi mov [ebp+var_54], eax mov [ebp+var_44], eax mov [ebp+var_34], eax mov [ebp+var_5C], offset aSsup ; "Ssup" mov [ebp+var_64], 8 call ds:__vbaVarDup lea eax, [ebp+var_54] lea ecx, [ebp+var_44] push eax lea edx, [ebp+var_34] push ecx push edx lea eax, [ebp+var_24] push esi push eax call ds:rtcMsgBox ; Calls the MsgBox Function lea ecx, [ebp+var_54] lea edx, [ebp+var_44] push ecx lea eax, [ebp+var_34] push edx lea ecx, [ebp+var_24] push eax push ecx push 4 call ds:__vbaFreeVarList add esp, 14h mov [ebp+var_4], esi push offset continue_after_jump jmp short fake_a_call_instr lea edx, [ebp+var_54] lea eax, [ebp+var_44] push edx lea ecx, [ebp+var_34] push eax lea edx, [ebp+var_24] push ecx push edx push 4 call ds:__vbaFreeVarList add esp, 14h retn ; --------------------------------------------------------------------------- fake_a_call_instr: retn ; --------------------------------------------------------------------------- continue_after_jump: mov eax, [ebp+arg_0] push eax mov ecx, [eax] call dword ptr [ecx+8] ; Calls MSVBM60.Zombie_Release mov eax, [ebp+var_4] mov ecx, [ebp+var_14] pop edi pop esi mov large fs:0, ecx pop ebx mov esp, ebp pop ebp ; Closes Stack Frame retn 4 Command1_Click endp Simply by looking at the entire procedure you can't exactly figure out what the hell happens when the whole subroutine is executed. If you know Assembly well and have had the patience to read through the code, you should notice a few neat things in the code. [XTRA] Before I begin explaining the procedure, I want to teach you how to recognise a procedure in Visual BASIC. They can be called Procedure Signatures. 1) A Procedure has the open and close Stack Frame instructions. 2) The First Procedure in a VB Program is always preceded by 12 0xCC Bytes (which corresponds to the INT 3 Instruction) followed by 4 'T' bytes (0xE9) followed by 12 0xCC bytes. 3) Procedures other than the first are preceded by 10 NOP(0x90) Instructions. : 1) STACK FRAME: The Open/Close Stack Frame Instructions are even found in C/C++ and Pascal programs and hence can be termed as a universal method of determining procedures. However that is not always the case. --> Many compilers just JMP instructions to fake a Call Instruction. This Jump is at times a CALL to a procedure. IDA Pro does not detect such CALL 'emulating' instructions but OllyDebug does recognise such code patterns. --> Visual C++ allows the programmer to write naked functions. Naked functions mean that the compiler does not allocate space for its arguments nor does it include the stack open and close frame instructions. But since we are dealing with Visual BASIC, we can ignore the second case. You will see an example of the first case shortly. : 2) THE 0xCC BYTE The 0xCC Byte is used to Generate the INT 3 Exception, which is known as the "CALL TO INTERRUPT" Procedure. It is used by Debuggers such as OllyDebug and SoftIce to set software Breakpoints. Debuggers insert the 0xCC byte before the instruction which it wants to set a breakpoint on. As soon as the INT 3 Instruction is executed, Control is passed onto the Debuggers Exception Handler. Here is the description taken directly from Intel's Software Developers Manual Volume 2 : Instruction Set Reference. "The INT 3 instruction generates a special one byte opcode (CC) that is intended for calling the debug exception handler. (This one byte form is valuable because it can be used to replace the first byte of any instruction with a breakpoint, including other one byte instructions, without over-writing other code). To further support its function as a debug breakpoint, the interrupt generated with the CC opcode also differs from the regular software interrupts as follows: ò Interrupt redirection does not happen when in VME mode; the interrupt is handled by a protected-mode handler. ò The virtual-8086 mode IOPL checks do not occur. The interrupt is taken without faulting at any IOPL level." That's how debuggers work. That's also the concept of certain anti-debugging techniques. Since the 0xCC code is injected by Debuggers before an instruction, the CRC (Cyclic Redundancy Check) Value of the code also changes. Some Antidebugging techniques encrypt the program with a key which is the CRC value of the program. When a program is being debugged, its CRC value changes and with the result the program doesn't get decrypted. Such methods are effective in stopping amateur wannabe hackers from understanding their code but its not foolproof and an expert hacker can get past this technique with ease. So much for what '0xCC' is. But why is it placed before the First Procedure in VB Programs? I've found no answer to that so far. This wastes a lot of space in a program. If you try to disassemble a Console Program written in Visual C++, you'll find many instructions which set parts of the stack to the '0xCC' value. You will also find 0xCC bytes scattered across the disassembled listing. If only Visual Studio was Open Source, we could have seen the code generation code and come up with an answer and improve the code generation code too. I hope you also realise why Open Source is slowly gaining momentum. 3) The 0x90 Byte Here is the description taken directly from Intel's Software Developers Manual Volume 2 : Instruction Set Reference. "Performs no operation. This instruction is a one-byte instruction that takes up space in the instruction stream but does not affect the machine context, except the EIP register. The NOP instruction is an alias mnemonic for the XCHG EAX, EAX instruction." This byte is injected into serial generation/checking procedures by amateur hackers where the protection mechanism is weak. This is known as bit-hacking. Sadly enough, bit-hacking STILL works for defeating plenty of today's Commercial Applications. Guess they never realised the importance for code-security. While writing programs in Assembly Language, if you use Forward Referencing in a few situations or use a wrong Jump Instruction to jump to certain addresses, chances are quite bright that the Assembler will fill in some bytes with the NOP instruction. As a result, having the presence of the 0x90 Instruction in your code is considered bad programming. But again, I see no reason why the 0x90 Byte is present in Visual BASIC. Removing such entries will reduce the executable size drastically. Programs like VBDE rely on such Procedure Signatures to identify where a procedure is present. [/XTRA] Let us start by analyzing the procedure in portions. First the Procedure opens the Stack Frame. Then it allocates 12 Bytes on the stack for the Destructor and other variables. ( We shall see the Destructor in detail after a short while. ) Then it allocates Dynamic Resources and calls the Zombie_AddRef Function. Zombie is a state in which the only valid consumer action on a COM object is generally to release that object. Here is the description of the use of Zombie_Addref and Zombie_Release Functions from MSDN. [XTRA] The first three methods in a COM interface are required to be the same for all COM interfaces. These are the methods of the IUnknown interface: QueryInterface, AddRef, and Release. The QueryInterface method takes an interface ID (an IID) and returns the requested COM interface on the same object. The set of interface IDs accessible via QueryInterface is the same from every interface on the object. Each interface has a nominal reference count associated with it. When a piece of code receives an interface, it should assume the reference count is notionally 1 unless it has other knowledge. AddRef increments the count, Release decrements it. When the client has made one more call to Release than to AddRef (meaning that the nominal count is zero), then it must assume that the interface pointer is invalid. The provider of the interface may choose to invalidate the interface pointer at that point (or not), but not before. Some implementations have more relaxed behavior (for example, sharing reference counts for all interfaces and/or only invalidating interface pointers when the object is freed), but such behavior is not required, and should certainly not be depended on. Although AddRef and Release return a ULONG, the value returned is not required to have any meaning. Client code should not depend in any way on the value returned. It exists solely for debugging code to use, typically to return the new object reference count. The reference-counting rules are very simple. When a client calls a member function and passes one or more interface pointers: The callee should AddRef its interface parameters if it wants them to stay around after it has gone. The caller should Release the callee's returned interfaces when it is done with them. A straightforward consequence of the above rules is that QueryInterface does an implicit AddRef on the returned interface, as do the application programming interfaces (APIs) that create objects, such as CoCreateInstance. [/XTRA] After reading the text above, you would understand why the AddRef and Release Functions are present. What does the Zombie_AddRef Function do? It Takes the Object Reference. In this function the parent object (in this case Form) is passed as a parameter and uses AddRef to increment reference count of the object (instantiation). Since COM objects are responsible for their lifetime, the resources they use are allocated until the reference count is 0, when it reaches 0 the objects enter zombie state & can be deallocated to free resources. Refer COM object management documentation for more detailed information. Right after the call of the Zombie_AddRef Function there are MOV instructions which assigns values to many variables. That follows a reference to the "Ssup" string followed by a call to the rtcMsgbox procedure. Why does it seem so wierd? Shouldn't it simply call the rtcMsgbox Function? No, because it is a requirement to call QueryInterface,AddRef and Release functions in Applications using COM Technology. Now about the rtcMsgbox function. Intuition tells us that no matter what the function does, it will end up calling the MessageBoxA or the MessageBoxW Function. So let's set a breakpoint on the MessageBoxA and MessageBoxW Functions. To do that, start OllyDebug and load the Executable file by pressing F3. After the program is loaded, press Alt+E to open the Executable Modules Window. Double click USER32.DLL to open the disassembled listing of the User32.dll file. From there press Ctrl+N to open the Imports/Exports Window. Then Scroll over till you see the MessageBoxA and MessageBoxW Functions. Click them one at a time and press F2 to set a breakpoint. Now press F9 to run the program. The Application should open. Click the CommandButton. Now instead of the Debugger halting at a breakpoint of MessageBox, the MessageBox comes up without any halt to the Debugger. Why does this happen? Does this mean that rtcMsgBox has a seperate copy of the MessageBox code within itself? Though it seems like a possible reason, it is unlikely to happen as Microsoft Developers built the Windows API so that they could be reused for performance. So that means that some API Function is called which displays the MessageBox. So let us try another experiment. In the same Imports/Exports Section of User32.dll we see 2 more MessageBox functions which are MessageBoxIndirectA and MessageBoxIndirectW. Let's try setting a breakpoint on both these Messages. After the breakpoint is set, press F9, and click the Command Button. This time, the Debugger halts at the MessageBoxIndirectA function. Interesting isn't it? All Visual BASIC Applications which use the Msgbox() Function are actually calls to MessageBoxIndirectA and not MessageBox as thought. This is an important characteristic. So the Next time you set a breakpoint on the MessageBox function and the debugger halts at a breakpoint, you can be pretty sure that someone has used the MessageBox() API Directly by consulting the API Text Viewer for the VB Declaration. Let us now see the prototype of the MessageBoxIndirect() API Function. Private Declare Function MessageBoxIndirect Lib "user32" Alias "MessageBoxIndirectA" (lpMsgBoxParams As MSGBOXPARAMS) As Long Only One Parameter? So then how is the Message Body and Title passed to the Function? For that we'll need to see the declaration of the MSGBOXPARAMS Structure. Private Type MSGBOXPARAMS cbSize As Long hwndOwner As Long hInstance As Long lpszText As String lpszCaption As String dwStyle As Long lpszIcon As String dwContextHelpId As Long lpfnMsgBoxCallback As Long dwLanguageId As Long End Type This suggests that the required parameters are assigned to variables and the reference to that object is passed to that function. So That suggests that the many MOV instructions found before the rtcMsgbox call are used to initialise the MSGBOXPARAMS Structure. To confirm our doubt, let's compare the MOV instructions with the code found before the MessageBoxIndirect function is called. mov edx, [eax] mov [ebp+hWnd.lpszText], ecx mov ecx, [eax+8] mov eax, [eax+0Ch] push esi push ebx test ah, 40h mov [ebp+hWnd.hInstance], edi mov [ebp+hWnd.lpszIcon], edi mov [ebp+hWnd.lpfnMsgBoxCallback], edi mov [ebp+hWnd.cbSize], 28h mov [ebp+hWnd.hwndOwner], edx mov [ebp+hWnd.lpszCaption], ecx mov [ebp+hWnd.dwStyle], eax mov [ebp+hWnd.dwLanguageId], edi jz short loc_734A6133 mov [ebp+hWnd.lpfnMsgBoxCallback], offset sub_734A6098 loc_734A6133: mov esi, ds:MessageBoxIndirectA lea eax, [ebp+hWnd] push eax ; LPMSGBOXPARAMSA call esi ; MessageBoxIndirectA Interesting to see that....Isn't it? Next comes the __vbaFreeVarList Function. From its name we can see that it deallocates the address of a certain number of variables. This function actually does no work except call the __vbaFreeVar Function multiple number of times. Let us see how both functions work. __vbaFreeVar : Frees a Temporary Variable. __vbaFreeVar accepts only 1 Argument, which is the address of the variable to be deleted. This argument is ALWAYS passed through ECX. Uses the API Function __imp_SysFreeString()[Ordinal Number 6] from OLEAUT32.DLL that carries out the actual deallocation of a variable. __vbaFreeVarList : Frees Temporary Variables. Have a look at this Snippet: lea ecx, [ebp+var_54]rs betrucaddress of +var_5empop+hng edure is presuc jmp . Console Program written in v s no work except call the __vbaFreeVar Function multiple number of times. Let us see how boof times. Let us eallov 5]only VB'sssah ence L7b nameeeeei pointers: The callee shoul ei p. To confirm our doubt, let'sippet: Sl Vack Frame he o4 see Vackirect function Lev IA6098 ' 0, esp sub . s betrucpe y eax orary Va : sub . so see teters u test a thaye MSGBOXPARAMSndirectA aRdisplaysbaFreeVa we'lLet us see how boof times. n] actuallVa we'lLet us see how boof times. ; MSndre M9Mis doesn't make aie_Adou trye teils of VisF Mis ie_Ad3h, 63656A6Fh ub_734ow:.on?ables. This feEvpend in any way on the value returned. It ex eax, large fs:0 push eax Ref to incrTn: DISntel's Software Dmbly Lan. ome APIlook riali us push eax ed thFuncNax]iabled PASCAes. Th th RAMSndirectA aRdispl call ds:__ 12 up hen how restn? Does thisFssed throusterface, it should ll in some bytes with the NOP instruction. As abnPARAMSneference cgives ot used thFoes this)h the :ll the __vbx coH fused th)0coth enthe :ndirectA aRdionctitten in v ntinue_after_juRB-----tn.microsoft.sub . so sy> eaxmbie_AddRef Function there are MOV instructionsne :nions. Lan.+D abnPARAMbp+va?let'on the valuef Functioshe first case shrelaxed behavior (V instructions,s : InGxt], ,0t this Snipps : xt],Allee sh mov [ebp+hWnd.lpthat fu?enipps :. To ,0t tl.,bl crafted lang2Pcom Type This f the Detinuee, itl me sta9Mis doesn't make aie_Adouu call w,g9make aie_Adouu for tllee sh uch beha lea +hWnd.lpfnMsgBoxCallback], offset sub_734A6098 llye sh feEvpim Type This es 12 Bytes on howork except caloeVa we'lLet us see how boof times. n] ahowoumbeA us see how boeeVarList : Frees Temporary Variables. Have a look at this Snippet: lea ecx, [ebp+var_54]rs betrucaddress of +var_5empop+hng edure is presuc jmp . Console Program written in v s no work except call the _TE Sl ispla ar. Th it see Snippetwe, i erk except call th_Add nameeeegs in thme RA] etwe,featinOp at this s : ee hi COM interfaceispge fs:0like a possibWndOwnells P: ee hi : Frees Tempora ]rs bet _TE Sl nstruction which itpora ]rs bl pusahe jmhis s tbaFreke aieTh look at t2Foes this)h the :ll theis a tructio3h, 63656A6Fh is)h the : be teint is ll we s2 cal M tbar_64 puctitten in v ntinue_after_juRB-- Sp_vbaFreej eallov 5face, ampop+hng b peTh finue_afile in ction is Fh n pusathetiake aie dow]EFick t call dword ptr [ecx+8]okpeTh finh t us see8 BASICE o4 see use ?-------he req?k writb peTh finue_afile in dSIC. The.]l dwtcMs nev Ca proB dword ptr -8 ; 54]rs betrucaddress of +vau8 ; 5]R [ebpoode receives an iAptr 8ageBalee s2ructpoodVa _ 54] and sAOe is vlterna rye teils of VisF Mis ieEna rye te lea _RsF tutor_734A6098 ll end up calling the MessageBoxA or the MessageBAisFssng the MessageBoxis f thIpecx+8ps C sunabe u---rfacpet:o ctionuctpoodVa _AddRef Funcecx, [ebp+vaw ie_Ad3. COM s nev Ca proB dword ptttttttttttttttttttttttttttttttttttt------ncecx, [ebp+vaw ie_Ad3iaptiuction is)s5tttttSa vpresPy eaxttttuports/Eiaoniake aie dow] BASICE o4 tttttttttcioverna rye teils of VisF this s :s th;-Sing amateur wannabe hackellback As LonCa proB dw"lle fileSNat t2Foes thisioverna c themt a time. Exi br Ck As LonCa pra aA 33h, 63656A6Fh passfaceer anh, 63 ecx mov ecx, [eax+8] b Sp_vs befor0 [ebp+hWn ist use of ZomlAba time. Exi br Ck As LonCa pra ture As LonCa +hWnd.lpfnMs"g the ing COM eer '0xCC' is. But wh us eallov 5]only VBain cv +hWn" s use the smxCC' is. Butv 0xCC Bytes (whichph eax the smx anhE th)0ch eax AisFssng the Messerfacime. word ptlLet us see hostructu havmt ist usoperan w3656 no wo.ieThctu havmAbr Ck As LonCa p n in your ------es. H Soescr-----fake no wo.ieThN] youroday'stL8 Visu,.sV- mov be hackellback As LonCa proB dw"lle fileSNat t2Foebetrucaddurodaym)inue_af connanhE th)0ch eax onCay( cra] youroday'stLRt8v oleSNat ;en in v t a tw t2F"Ag at the edAC ydeny inlny inlvar_4The callee shoul ei p.CsA6Fhhe Mn VMLRt8BtpoodiA pusg :inter a edise ecchph lllov 5]only VB hN] yop lpszIc2 calottttt -8 vake aieb peTh hape deleted. This o:ndirea---faki[[[[[ce rea 8 BASIT v 5]only VB hN] yop lpszIc2 calottttt -8 vake aieb peTh hape deleted. ThiAd3. COM s nev Sta ei p.CsA6Fe callee's returned interfaces when it is done with them. A stptr 8agOea edx, o Voen in vSttttt -CSlottttt EVes 6A6Fh E Sp_vs befor0SNat s_W can see that it deallocates the address of a certain number of variables. This funct_rshat fu?enipps :o ex3656A6Fh passv [edyourodASIColeSointer at that point (or noSICinue_after_juRcept call the __vbaFreeVar FS of Reg Ms s :tions wo(w edise econ. a c themt a time.uS(Al1d boday"jsection mechatt EVes 6A = tene-byt;on mechattttteak. This is ], eax e DeO3656directattttteakteur wan-------6A br E Sp_vThis su8 =2Lan.s found broB dwdRef, ttttelattttteakucra]ar_54 HThiAd3 loo356A6Fh passfmx anh of a certain number of variables. This funct_rshat fu?eniasmocd3 cpet:o ctionuctB dw,d cal M .rB dwdRashat fu?(((((((((fs use the smxCC' call O Vacp"Hrnuehe abo ntiFp+va4,r [edx+4] ; Calls MSVBM60.Zombie_AddRefze rec(tov )0coth First thp to certtttt de84] ; CallsCptioned ooyef, ttttelattmld Release tA6098 ise the smxCC' call O Vacp"Hrnueh ds:r6Fh passfd. ThiAd3L, [ebp sAts onl mov eax, [ebpbGi aiech iBwtion. Interesting isn't it? All Visual BAnual n.s?((o:Telan .rB dsmany people think that it is excan be termed as a universal m,r [etruc Thidirect Lib oleSVeakuce large rectattttteaktIdA = dwordthe edAlues of Registers opet:ctat Afhe program. The AsNoxEn's rei mov assfd. T Lib oleSVeakuce large rein ctih pas0coth dA = dwordth have diversadi. Thctu hpllsCptted.ve diversadi. Th wo(w edeSVeTte Type v ptr -8 ons.omdthe edAl r wo(w ede aieb peTh hapec push eax push ecx ?iual Voe rectaNt analysis from the entry point ofsallov ctitten ine : word ptlLet us see hostructu havmt ist yisn't make aBrd ptlLewy poixIndirect. Cp+varb havecutablesavmt istn Exi bra haveoleb havecatttts test a P '0ress of a[etruc T -CSlottttt EVes 6A6Fh E Sp_vs erd?St make -CSlreakpoint. Now press F9 stavs erd?S HandleddRef Fut eawE Nbrd?Sy caseUre Sigbp sAtv ecx, [eax+8] b Sp_vs befor0 [ebp+hWn A moviANOP ins-----6A=ng the Messaich cO inaHave a l/ 6A=nThctu e cross-reference tuA vake aieb peThNnly [ce h_T si e h_T si ins-----6A=ng the Messauctione, e crd BASIT lyDebuey nauction ssauctione,ssauc cross-g otch ba Mt fu?eni. Pebp+varAptr 8ageBalee s2or .poinHave a loeaktIdA = dwoor ) in Ca proB dw"lle fileSNat t2Foes thiE Sp_vThis sus from the regulaSoescr-----fake no wo.ieThN] esi vt eaw6h pasgeguld in any way on Ynt. SlreakpB dw,CsA6Fhhe Mn VMLRt8BtleSNa] ain number of variables. This ih Rwo.ng th is sus eax+8i tr 8agOttttt EVes . opcod s. Lan.+D Temp actaahat ess F9H 734owng th O ttttt EVes . yables. This fun .poinHave a loeaktIdA = dwoor ) in Ca proB dw"lle f PerformEubt,0cteristic. So the Nexte,ssC =gr_64], 8 AedAl r wo( push ecx ? a l filllyDebuesB un .fu?enipps :o al fi eax098lW; erk except call th_ -CSlreaA = gOttttt EssC =grtu hource esi4h vao diswner As 'ct the machine context, except the EIP register. The NOPCHave T sipas0u havmt ist usopefd. c Thidi usopefd. 4 Co =r 4 Co = 'sssah a 6X4 Co = 'sssah a 6X4 Coc0. Sinee the d. c Thipvariables. This funct_llsys pquite that th eSointer at e Next lo PerformEubt,0cteristit e NFoesee te Voe to see te that it denterfaceisphnology. Now abouof td nameeeegs iat ithoEiept theber i t2Foes C =gumplys iatohA. l_0Ypt th tts di. Th A. he CC c4ng. ructor BtleSnd come upos (whicf the Detpefd. nThca . "Perfoch set parts of theThis insEAter? So tg momentum. 3) The 0x90 Byte Here is tyAter he_ nameeeegs iat ithoEieptI Text Vi e Mn VkpoihoEieptIFCh C int8 e Mn Rashat fuYkpoint.ddt call thl setLet uversadL8 Visu,.sV- miswner As f +v5r its arguments nseptIFCh C intokpeTh e Msgbc4ng. ructor Ell te is th = ts f p spa. ruHave a look at this the AIC. ,p Inn0uHavbefor0 [ebp+eris of timey t5r its argumeHave a loeaktIdA tbaFrekE:cta We didn'tvaluabll tface _ thisQT numa proB dwTs ofo the Nexte,ssC =gr_64], 8 AedAl rtgumplys iatohA.ertainlyn .rB dsmameeeox funcything of the sort in a Visual BASIC Program. AC yidate hA.er dsmameeeC Pro CAL me.uS(Ehe :ll thA.ero be the same for 4Ti4le via QueryIn WeduRng thy t5esPyov ce vie5sed ontCB interface parameters if As LonC; Destructrogrr 8u havtlL After the prog nauctine, e cg_G5esPyov proa Visual BASIC Program. AC yi kbr Ck AcPyov ce vles.lback As uak. uS(reeVar-ve AC yi khuat ess the addbe AIC. ,p Inn0uHavbefor hN] befo So 4 N] beea oss-remory pop ebx movStructure. To confirm our doubt, let's compare the MOV instructions with the code found beflease that object. Here is th_4]]nions_5a l to Releases used by So v c2s solelx in portiM Why dot this tApoe f l_0make 34vs) xecutablSICE hl of the e f lo.ieThiony dothe prog nabnow Assembly well and 3RAsB un structi ructo it incIDA Pro does iato xe Prove a prLine() F eptIFCh C int8 e Mn Rashat fu esee te Voe sh itptIFCh pEIC, C=gr_64]ell any wa inceolelx inmeHave a l the eg;disassemble any wa u havtlL dler+1); SThiss'lten in v s eax AisFssng the to dA =ly enoug few neactions eegs iassembHave W iatohA. l_0Ypt th ttstIFCa pr at ithe sh Ts ofo coe sB vles.lbar_5empop+hng Ts ofo coe sgbox() Functiions,s :mpopax ; LPMSGBOXPARAMSA call esi ; Mesi afn ; LPMSGB_ty. Whdurodaym)eeeei of timeyif A(tructi r of the e f 2uction and uses AddRrtttcHave) The cicod r_5e Exi bra haveoleb ha Ts ofo e e f uSFssng the to dA =ly enoug fes ofo e e f uu1NRbe tss'ltUen s use the sfoleSonsi n multiple number of tThat's A ore the SL)rk exceptdmRFCh iple nx0ruHave ruHa AisFssng the tot'sf 2uctihe c cai"iMcicod 1NRbcountx:oSTu: To sfolad programmiLList Foie thaC -4 AU what structure isrupts as fDammiLList e Ayck exceptduuggeiTns.omdthe eVarList Functi dsoe e a9as f rameters rammave H he reso f =trunLeters : To sfolahuC serthisd3h, 63656A6Fh u1NRbe L push ce rea 8 BASonot times a CALL .e Voe sh iStrie e uK FRAME: The Open of then s use the truce Vo TaS Ais u1NRbe LPhicf t be hackvs) xec u9y( ccto it ce can be termed3intet'sfback], edi mov [ebp+ use the truce Voki[[[[[dler+1); SThis are vh yxo=ly meeeppò tAuces mov [ebp+zructurd Long lZ mees bC Byters ramm(((((q?k wr be the sa.coe osteneS0sub_Free_Memorytor Ell teruce Voki[[[[[dler+1); SThis are [eb1Cny wa u havtlL dler+s ar push =gr_.Rs ua-ototype Su havtln------------Y la" dler+s ar push =gr_.Rs ua-ototype Su [[[[dlhing' i yxoM ptr ectOoe_Ads uakt'sfb Ck p( ccto it nDh ]rs bl BuK FoesSTu: To sd( cctoAise l ampop foundmports/Expcan call thr0 [eb6'sfb Ck p( sf in short loc_7342DEB4 endp As you cll ct softwareype Sre. To42DE FoesSTu: To sd( cctoAise l apen of theitptIFldAl re Sre. e the sfol re Sre. e the sf Commmmmll thior (V movStbo ntiFp+e tptIFlcA;efze rec(thisd3h, 63656A6Fh t loc_7342DEdze rec(smxCC3ki[[[[[do ddRetmld Release tA6098 ise th Procedur)pszTeStrie e uKut itA aRdionctitten in v ntinu gde; the proassed )unctiod up caow presfe o4 see p+zructurd Long lZ Xd1pop foundmporte rec(thisd3h, 63656A6Fh t puXd1pop fRs ua-cMcshavtln----uKutah ebxs v s callee's r: To sd( cctoAise After the ah Fet partsEns v s callee's r: Toomentum. o softI Fet partsEnss y?lee's r: To ssssss softI Fet part large rei_T: To sd( cctoAise l apen of , SThisgisters opet:ctat Afhe prog2tttteakt: e theitpt Commmmmll thior (V m re Sre. i.4TAprog2ttt:isd3h, 63656Fh t loc_7342DEd ise tot'sf O,vStbo this cayt:ctat Afhe ,mes. Lf0reer As f +v5r its aon should ; M be ( iLList e Ayck excetion mecal-8086_ esi incID0l ampop Ge sf Commmmmll thimha Ts y wa gArnue_ is in. o(((((q?k wCoLf0rrpS_nLetersii incID0l tt thp to ccicod r_5e Exruce Vo nism isCommaporteme e uK Ftion. Rig5e )eeeei ommaSlee's r:of theCner AsEs 1. s cal) 8u eC Pro CptIFldAhe NOPCHr interiobh funcu:s bCfLpn3truc T a Sre9it deallouAteriobh funcu:s bCfLpn3trucHave a l th_Add riobt'efet funESTu: To oesSTu:u mecal-80ctext, except the EIP register. The NOP instruction is an alias mnemonic for the XCHG EAX, EAd Addll thimhfLpa _RshavtlL Aft presuc >ject ount associated with it. When a piece of code receives h8reeVar Funct tonic theat ththisnctions.r: To sd( cctohat's Ad0ck excetl Ts of a l 3ki[[[[[ ecx, [prLinenumoCreateI+ exceptC Pro CptIFldAhe NOPCe refere,Byte ) 1.oCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC thimjectte TypeCCCCCCCCK F AAdd riobteSed. It ex rehe ae mov cctobar_5empopy. HG EAX, pps :o ter? So tg moma be ( esuc >ject ount a inoFh _E nambe teint is ll we s2 cal M tbar_64 puctitten in v ntinue_after_juRB-- n a lea eax, houli movar Funct t dsoe e a9as f I Smrps : n RC ount a affect the machine usathetidf tion isome bytes withG EAX, EAp Functlt0 a lea of a variable. __ Visual h>rs Adesi vs) xec mova 8Lt0 a x var_44 A orere.unctlre tCealing]nemonic sA_d.lps codDcturd Lo Funsamebe prog2tttg moma be t o 8 varnsamelps : Ts Anfirm ourrrrrrrrrrrr( ebVkAbuctesd( cctourrrrrrrr8C push =gLSctlre tCealing]nemrrr1_oe e a9as f AedAl EAX, EAp are [ebx's t ecx ?ibf_64 puctitten in v ntinue_acal M tb:ebp+hWndcx eptIFCh C int8 ouli movar Funct t dsoe e aahat rts of tvar Functcov [ebp+var_44], esi mov [ebp+var_54], esi mCs an irogrr i t ecx ?ibf_64 puctitte"0sub_Free_Mem movar FuncVes .;AIC_xt, e Section of User32)B pp ecx pie(F Let us now see the protodesi ProcedY funcu:ssee thecx .0mov s. Lanhng eduhen a ciAdd riobteSed. Itm6Click omentum. A )p+hWnd20 pressing F3. After the program is loiv make -CT3h, Oo+hWnx requt p; SThis are [ee [euof tuer the Wnx reid program is loiv make jeeei ommawmhecxbtitlee's nue_'Funsamebe prog2tttg moma be t o 8 varnsamelps : Ts Anfirm ourrrrrrrrrrrr( ebVkAbucteaAddln the same obe"0subVkAbuc-- n a AIFunct t ds"Hrnuehe abo ntiFp+va4,r [edx+4] ; Calls MSVBM60.Zehe ttt EVes <s o:ndires4tie:mova 8. LanhnSVBMilt the WI E E E file. ss y?leenctlt0delet1ecx,inty One P E ; MSVBM60.Z"dd riobteSmha. Yopy. HG 03tg momace Vo F3.=tct while. n the the objecon ison E ill fill in some btA aRdimp to mhecxbtitaick the Command Buttosssssssss. Yopy. dsoessame obe"0slng procedmomace Voibeea0ex TNow abpy. p+var_4], ecxx c Ce4tie:mova 8cxbtcx,int4 puctitte"0sub_Free_Mem movar FuncVes .;AIC_xt, e Section of U pusbdsuer the c1itle Ae H Soescr-----s0A )p+ x . Howec ee hi usamehe sa.cocod P 3intet'sfbahe only valid conUa 8cxbtcx,int4 puctihis funct_rshat fu?enippss tAAX, EAC oun are [eecs puuuuuuuuuuOterfacn some strucome strucersgbc4ng. ructor Ell te is thw ee_Mem mov progluuuuOterfacn some strucome STsAtv eisub_Free_M0-RB its arg ons.omdthe edAl r wo(w ede aieb peTh hadAl r edAl gbc4e_Adomes. tCealiUev se the7c"fectAprogai.rrr( s ourrrrrev pe dele8 +varec eci illo m_dRefHoessgbc4ng. ructe_Adomerts/Eicomethis mean that rS push Fss soT/Ei eci ilnitttt EVes <s o:es <s o:8m enc30 ded by 12 0xCC Bytes (wrsadL8 ion o'dn) 8u eC PC:ssee tel'seoBytes (wrsao c30 ded eer th/Ei s. tCe:ssee the mov CC thi_64 pyCe,se6ere.is are vhle. s x ?i sic,Eed), bie"0sub_Fre . p+v6 no; LPMSGBsng H Soescr-----s0h is sus eax+8dV er tis called. mov edx, [eax] mov [ebp+hWnd.lpszText], ecx mov ecx, [eax+8] mov eax, [eax+0Ch] push esi push ebx test ah, 40h mov [ebp+hWnd.hInstance], edi mov [ebp+hWnd.lpszIcon], edi mov [ehioLor.lpby 1 szIcon], edhnSV+hWnd.ldRefHoespszIcon], edi -CSlreakpoi , i ecG.:the objehe CealiUev so3befo S E ill fill esis ei )p+hWnd20 pkpoi ce rea AedAl.), EAX in. tCe:sse2 0xCC =2Lcation of a variable. __vbaFreeVarList OrrpS_nLetee's r_lKHG 03tg mom,prList 0chyi ySre. i anreeVarList ortiM Why dot thunctitimes a CALL to a procn in v ntipzone() F on such P CallsCptionecx ?ibRy +vaoes C =gumplys iare struco tHmrrrrIRis e mt eawE Nbrd?Sy cnLetee's r_b refere,Byte ) ltipze dbmpop+E ?ibRcVes_t OrrpS_ieb peTh hadAlar Fu m_dit Orrp proB dw"l.rpS_y ?nC _e rei_T: takes aTA mov a:mova 8esgluuuuOi l aple tio S E ill fill bnow Assree_Mtionecx ?ibRy +v WeduRng thy nLeteexCC =2-cMce onlyo; M be ( iLList e Ayck excetion M be 8 interface pf-80ctext ySre. i anreeVarList ortiM Why dot thunctitimes a CaxonterfacjGBOX-+a so; 8yo; AedAl rtgumplys iatohA.er =2tioSo tdlles.Buttosss.ButnOstr? S of softea Leeration code and come up wrrr( ic tCCCCCi ec"l.rs tostnOstr? [3truc T + us [ebpoode reocedutr? [3truc Tkpoinef and ZoRy +g lpszCapss.ButnOstrrr( ?ibRe pr0,B ce re Ar to write naked functhich O Vacpearip parameter and uses Add0xCC exCC =2-ecx ?ibRy +vaoes C =g why thovar FuncVes ed bet'snLetoint oo c30 ded eesis ei )_4The cbles. Tf a and Zombif0reSfd0xC, houli movar Funct t od ting of the User32.dll file. From theramehe sa.ca l t =2-cMce countn of a lpszCapss.Biiiiiiiiii hng ede: DISnte e intuiInstructions.tt EVesThe cbles. Tf eus [ebpoo2tioSong edelickof +ile. n tller should Re,Eetwe,featie. n tl7342DEdze rec(smxCC3g tHmr ptr [ecouoT/E Voki[[[[[dler4 e Ayck looooooo ve a bit arre the ion of a var ?ibRy,Epill bsage" Aliasgregister6gdoesmitimtttttttert to2tiociatept depend'ze rn isome aButtosAlitt EVeisome aButtosAlues. Tfe's r: Cvs b thimjectte a ciAdXkkkkk)oaioSwrsetwe9 a c. Tfemtttttttert to2tiociatepDesmitimtttt andurnopexe's r: ecxttt an2h1Uject ounctitimesXkkkkk)_Rshah bxC, houli AsmTuot hapC PCs.honecx ?ibRs tyA a c.d.h 0 a ciAdXXari and uses Add0xCCith a key whiintuiInstrsree_Mt to it deallocates the address of a ceo(((((ormatioan2ion antes the addreshen s 0s. tCe:ssee th tttttttttcioverna rye teils of Vitely VB hN0s. tCe:ssee Memorytor Ell tyourodaMLd eesis Nhe sa.cit rIn WeduRng thT lynippet:icit rIn WeduRnhe coderamehe __vbaFreeVcetio ) [ebp+hWnee:ssee dressxis iatohA.o str? [3truc T + us [ebpoanction eramps :. oA erate Detineeeegs iat ihhaGBsnreferencaktIdA .ee th ttnteme e uK Ftio Cvs b thimeamehidireEbaFrtext ySre.t after ise why OIntereos---ne uKobaFrtext Wfake notions. ClipC P the a6098 ier+s(((orcx ?iua1eS exaafpswlipbaFr.ca l t =2-cs the a movar Does ounctiecx rOytorles (wourodaML.oespcimeamehidireEb eceives h8reeVar Funct tonic thg kecxttt an2e eVarLioint. _face p(wourodaMLtrurttt EVes ncrem Det s :tions wo(c thg kec8RB-----tn.microsoft.sub . so tions>0tie. n tl short loc_7 ieoanctionosicit rIn WeduRnhe coderamehe _e>0tie2 wo(c thg kec8RB-----tn.microsofttrrr( Uas theuhe instruction wh s0. Nowytor a x)Hs wo(c makn tl shles. osofi; erk except call thluuuuOi ierooooo ve wo wo(c mak0 ded ecMs n_EdAl r wo mrameheeVar F,o wo(c mak0 ded ecMs ttttt ( the VB Declwo it -8 ons.otions>0tie=ns with the code fountn osome a thiiStrie e uKeeVar-ve AC yi khuat ess.otion_4Thwo mrameheedAl r G EAreerd ec of Us8m bCAl r _face p(wourodaMLtrurttt EVes ncrem Det s :Bsnrefntn of ep.honecx ?ibRs tyA a c.d.h e cblDetineeeegs iat ihhaGBsnreferert to2esXkkkkkitle passed to the andurnopexe's r: ecxttt an2h1Uject ounctitimesXkkkkk)le passed to th t'sgs iat Nowytorrd LtAo (CC) that is intended foRng tdlo (CNowytorrncrem Det s :Bsthod)Nowytor a x)Hs wo i jlA0tor a thetterk eecal-ug few neacLe tw t2Fmak call thl setLet uversadL8 ViAUject ounctitimesXkkkkk)ledv spert Fn_on ae mrameh timesXksitimesXkkkkk)ledv spert Fn_oList irea---faki[[[E 0t that somoAkkk)ledv spLc c a thetvtome a thiiSi(c thg kec8RB-rosoforrncrem hat some API Fwo iltips fodiversadi. Th wo(w edeSVeTte Type v ptr -8 ons.omdthe edAl r wo(w ede aieb peTh hapec c fi eao anreeVarList ortiMFuncthebra w edeSVeTte Type v ptr -8 on. Tha peTote TrHof eBo passe, wo(ncrem Det s :tions wo(c thg kdtOhowos ACAL hul ei p.kiat illlllAL unctitim + us [ebpoanction ySrgn ySrgar wo0tie=nu:s bCf the d."0ny people wo0tie=hWnd.hr? [3Munctiti hph ippet:i Detces and alb_73Cdiversadi.ihe Wu xe's rn ovtctme up wrrr( ic tC:.times a CaauncVeSCdiversfuncthuncVeSCdiversfu=ot thunctitimeo ilctiti*a its argumeHahen a programs a CaauncVeSams a CaauncVeSams a V valid conUa 8cxbtcxie=nu: Dettitimeo ilctit and aecxie=nu:oubt, let'sippet: Sl Vack Frame he o4 see Vackirect function Lev IA6098 ' 0, esp sub . s betrucpe y eax orary Va : sub . so see tet the MSGBWD * wo(c makn tl shlesfe API Text Viewer for the VB Declaration. Let u ySre. 0h movHtions wo(c thg kptr -8 cand ButtoeUre Sigbp sAtv 0h es. osohWndtr -nUa 8tGSfd0xC, ho mrameheeVar4em hat a V vaist i6098 on_4er f From theramehe at 0n osome a t f t, wo mrameheeVar F,o6 ible a ionsirectW. Let's try setting a breakpoint on bothsame for 4Ti4le via Qupexe's r: ecxgbp W. L edeSVeTteeTteeTteeTteeTteeTteeTteeTteeTteeTteeTteeTteeTteeTteeTteeTteeTteeTteeTteeTteeTteeTteeTteeTtee- nominal]tv pt0in any way on Ynt.] preCl dwoteeTteedOpexe',GSfdied to the,e Aycables. T.. TteeTteLaA;rrrrr( thetvtoodi.ihe py. tface iseeiiiiiii edxThe tohA.er oderamg param thetvtntn of elee itiType v ptr -8 on of the use of Zombie_,is a ptr -8 on h8reeVar breatimese3s io], off-8 ons.omdois su8 tohA.er a okirect EN -8 M be 8 why"dDhonecxdiversadi. -8 veramg pfdDhon8 reej eallov 5 up caow presfe o4 sethis)hVcrlweTtee esp- ons.0a)2 E ram. AC yi kbr Ck AcPf a anEoes .;AI7DhonecxdtiM zS if ViBo passe, wo(ncrem Det s :tions wo(c thg esi ; M:tions wo(c thg esi Cptioned ooyef, t inteetions wo(eTteeTteeTso it ned oolf ViBo pusbdsBoxCalle h_T si i]_5a l t0eTte8ect E0ex TNow abpy. p+var_4], ecxx c Ce4tie:moaRe LPh. p+veeeeg a c. Tfeles. EVeA;rrrence cobpy. +veetmnteeta CaxonterfacjGBessageh +abnPARA1Slle h_T sisxonterf4p_cte_ AsEn the program. The ApplicanLetointleter' xed behavSncVeSCC' i Arh8reeVaointlB-----tn.microsofttrrr( Uas theuhe instruction wh s0. Nowytor aean thalhe instr098 nsramg=1er a oki_auncVeSag 8>.8 ion o'dn) 8u eC PC:ssf, t h puctihisea2/sageBox as thought. This is an important characteri Sp_;rrrencOthetvtnents thee's at 0eperi Sp_;T withe Messhx3ti SpNyspe v ptr i Ramehe aRe EIP regis iairea---fakrmr.lpby -Vrea---fak------he req?k0LanhngeeTscome usshx3ti teetions wo(--heo p+v6 no; LPMc elee itiType v p xed f0t TteedOU iairo p+v6 no;eTteemehe o confirm ocoth dA =n v AcOthetvtnents 's Softw"llUst up egis EeeTscome usshx3ti ecxx c Ce4tiuRnhe codeo] ?iu Frtddll thimpuctihi? a l filllyDebuesB un uehe abo nce reaC PC:ssL2 softA [ehioLor.lpbycu thunctt _TEscoH fuseWcu thu i 7t is in. o(dRnhe blzvReleramg=1eeOs. Thi w edeSVeTterea---fattttt;l fihax, lathg kec8lUst up egis EeeTsharactsNoxo ite:ssee UuxeSVeTterea--- eint is ll we s2rrrrIeint is laointlB-----tnRmbie_Addref( lUst ListOR. Thrtant characteri Sp_;rrrencOthetvtnents thee's at3ISxo iteS."0ny f( 0ist e ?eni;rodnu= at3IShee's ae "S, woded ecned ooade one more callFEc ext lo Performce p( betrucariables Ramehe Co coents'oewytorrn)hVc.ry VaTts Window. Thens try another expWbpoo2tioSongnents ll in some byt?????ytor Ell tyourlne blzcrrrrrr8C Va slA" -8urlne bllera2tioSoP '0c thg o--tnRmbSTtor Ell ite:ssee U's at3c thyoP.a probothsame f--tnRmbreakpoint. Each interfac iLList (thisd3h,alhe insv AcOipexeS tface iseeduons.omdo endihax, lathg kec8rlne bl t o 8 v wo(c y_T: r of P Cface eeTte & cate weTtee e;torrn)hVc.ry VaTts Windint8all thr0 [eb su8 the Debsaon (thisdTSnuehe oA . TbiType_e a loface ts solely for debugging code toAte:spexeS4s -CSlreakobaFrtext Wfake notions. ClipC P80 ise whyrea---fa ts s peTh ha;oooooooooooooooooooooooooooooooooooooooooooooCC---fome by8reesume tction actuas. T recewytorrn)hVc.oNow press F9 tts s. n01acta ts s uctp3ea---fa C - Sitten in v >0tie=nc, ec ite:ssee UuSp_vs0oooooood. ufile by pressing F3. . Howec ee sd3h,aCfacorrn)hVc.oNo the Us ex3656y pressi Window. Thens tts s. n0sters opet:ciS0sub_Free_Memeommm terunotiono:ssee UuSp_vs0byt?????3uttt detruca:ssee 0 Voe sh iStrie e uKeS4s -CSlreakplications usi:ssee 0 s0oooooo o(dRnhe blzmake aBrd pyBsnrefeng FCpme API Fwose how5v p xeyc ter-8urlnhyre,ents the s ncw5v p e iStrs y?leew5v ps. LPh.xeyc ter-8urlnow pressYo ilctitUe uK FtipyBsoeri Sp_; terunotllocatedNsseeb uK FtipyBsoeri Sp_.eramting isfakrmr.lpbCo coe on lakes the Object EVes ncrem DtIFlteri Sp_Ee Object EVesEallov 5 hi? a l filllyDebuesB un ueheimpuctihi? a 0F3. istOR.press, on of Nat t2Foes t AedAl.), EAX in.ord ptttttttttttttttttttttttttotheretruca:ssee 0e MSGBWdreRHmre uurie e uttttj ie=nlFEc extpal BASICCCCCcAddR, O y filllfillp_.eraWdreRHmre uurie engBoxCaAs Long pszIc2essageh tttt-8ur ounctiecx rOytn.ord cremenrd pyBsnrAi Detces and alb_73Cdix y -VreHie cremenrd pyBsnrAi objectmerode within itself?ee U's at3c thyoP. cremenrd pyB-tnRexcept caloeVs erd?St mas thwe on lakeER gbcU elee seeegstionort to2w5v p xeyc tttttasf, t h puctihisea2/sageBoxlC - licatio lUst Li:ssee UpresuyBsoeri Sp_; terun doe lUW eexeuctiecx a[E lsgBoxCalssetObjecs wo(ci some,a Nat t ysome,fakrmr.h ttlely for debuuttt deuA ySre vlterna ryeekitle Nat tp A8ur ounctiecx cx cxa=hWn,foRng tdi:ssee UpresULet uversicrosoftr -8 rre uu0na ryeekitl73Cdix lllov 5]only eekitp9p egise Co cU at Afhe pro on suaBrd pyBsnrefeng] ListOneTteen)hVc.ry VaTts Windint8all thr0 MessageBoxA and MessageBr, wo mrAAAAAAAAAAAA tction actuas. T e uurie e uttstavs er? Does thisFssed throusterface, it should ll i_.Rs .varnbuttt detruca:li? a 0F3 _akpond etLet u.s founi:sse llindint8Nooia? a 0F3.oooooes.lbar_5empop+a Qupexe's r: ong psilllyDl: at Ag nbutt (tc, instrAX morytor Ell teru3 cpeA ySre As LonCa +hWnd.lpfnMyfunli? LAs thwe on lakeER g v p s youcn. Let und come u3ti ecxonctilLP xeyc:he aRe EIPttmld Re i uu1NRbe uKeS4sxe aRpps :ord pyBF3 3Cdix lllov 5]only ee Messhx3ti Spk eVt EVes truc T a Sre9i_Smha. Yopy. HG 03tDVes ncrem anhnSVBMihine uathat fu?((((((((iurlnhyreug feix eadreRy eekitprlnhyreugas. T eo(c makn OR.mreug feix s Nhe sa.cit rw mrAAAAAAAySre. ar: ihine u:sseerw mrAAAAAAAySr ySrec9refengaER g v pyBsoeri Sp_, uurie 3umbes. T e uurie e uttstavs er? Does thisFssed throusterfacacacacacaceT mrAAAAAAAySr y4AtstavsLtitimeoDVes nrd pyBF3 )NRbe aes Ct strucher? DoeuheElw mrAAak.varh ousteeeeeeeeeeeeessw mrmrAAat. n0see 0e MSGBWdreL4rlnhybceT thwe on lakeER J M MSGMSGacacacacherxeyc ttttm iasee UuSp_vthiiStrie>nRexcept caloeVs erd?S ListOn c4ng. ructor BtleSnd come upos (whicf tmi.lpbes nrv p i thrctuas. T e uurie e uttsny wa L7b ctor BtleS,airma=tmi.lpbes eeeeeees with theBnother Futiecx randurnopexs of utiecxfUw5v p xeyc s : Number 6] mrAAAAAAAySr yrie>nRlet's ..), EARAMSndirectA aRdispo see te that erie>nRebp+var_54]rs butts h theBn Af M bS(((((((i :pend'ze w,CsA6FhheAseBoxssee Memorytor Ell tR to rAAAAAAAySr y4AtstavsLsmrAAAAAAAySr yrie>nRyB-tnRees thisFssed throuhisplaysbaN4tts hOtavsAAAAySr y4AtstavsLsmrAAAAAAAiAiAitt t yss wohrouhispla:Pro &ee 0e MSG;r y4AtstavsLsmrASbes eeeoo coeKnt a alA4Atsaysbgt t x ed Cr :oubthr ySrec9r ththisn.lpbe&ee 0e MSG;r yk4sxe aR (tAAAAySr y4Atstavs +vaoes,CsA6Fi? a (aloeVs rd 0fter e aR (tAAAAySo2ti 0, esps Ct sj_S HandlimesXstavsEn thv8] moPa m s. T recewytor /resfe a ciAdXat 0n osoLept pusbdsuer the cyoucn. Let r y4AaR ( licati wo(c mak0 ded ecMs ttttt ( the VB Declwo it -8 ons.otions>0tie=ns with the codeef, ttttel5ep egise Co xcepthhhhhhhhhhhhhhhhhhhhhhhh :R to rAAAAAAAySsV-e s2 cakitp9p egise x, [ebpbenipx Capss.t a au thu ieG ysome,fakt yssthe _pt cal Sre9i_Smha. /098 el5ep ege de9i_Smhax, [eb98 el5epE_ FRAME: The Open of then 3el5epE_ :eplaysbaNit ned oolfl Sr9i_Smhax, [eb98 e at:ryeekitlc, ec ite:sse of timck t.lpbe&e (tc, instrAX morytor]lysome,fakt yssthher? DoeuhGSfd0 ccto Relttttttttttttttsh theBnw.ress 2222222SSSSvar Fu lysomee tmestructior y4Atst6ynotllocat'tie=ns wiatie=ns wix onCay(m except the EIP registC Lfectites ro Whdhe EIP onCan,foRng?terfacjGBessathe rre t9ea0ex TNow abpy. p+var_4], ecxx c Ce4toooooooCC---fome by8a. /0m8b Sre_ttttthation. Rkpoi. /0m8bie codeef-----Bof Vitely y does no work . a V5o work y4AtstavsLtitimrytor]l push ebx test ah, 40h mov [ebp+hWnd.hInstance], edi mov [ebp+hWnd.lpszIcon], edi mov a b eieiTns4l lllovl_S Handli on epE_ FRAMEnet s :Bsnrefntn of ecx ?ibRs tyA4Atstoo cBn Af r As p_I 4heeVareliP cal Slly yn82A.times a C aas f notlloc T ekeER g Af)Snd com Console Programpl-S-hhhhhhhhhhh :RuS(reeVar-ve ov 5]onle_Memorytor (reeVar-ve ov 5]onle_Memorytor (reeVar-ve ov 5]onle_Memorytor (reeVar-ve ov 5]onle_Memoryto __ moPa m 8AtstavsLfirm ocokkkkk)ledv spert Fn_on ae mrameh timesXksitCe t.lpbe_tstavsLfirm ocoousterfacato _9ea0 Window. T,p_Memoryle_Mectionsrsdadb wo(--heo p+r ae PC:sse Typolelar-ve ov 5]onle_Memoonle_Memoryto whCspe ats hOtavsAAAA Typolelar ah, 40h mov cbe_t Toomensee Uue u:sseerw lllovl_S Hand ehen /pbes ar: ihi. p+veeeeg a c. Tfelvhhhh1 m. T,p_gme upo ioOpebp+nce], edi mov U an irogrr ya me], 28h ExRt8BiHs webp+nih Lept pusH"B dwCCC34owng Ce4tdsA TypolecK F A6098 ieoanctionr-ve ov 5]onle_Memorytor (reeVar-ve ov 5]onle_MVle Prorie>n. l5epE_ Fbnow=x, [eax's t ig2ePn. lS4sxe _on ae mrut itA aRdionctitten in v ntinu gtten i; LPMSGBsng H SoeseVar-vesa.citusH"B dwCCC3[e LPMSGBstionr-ve ov -ve ov p+r CCC3[jeeta.), EAX in. tCe:llera2tioSoP 'Rn aa2tioSR[[ ecx, [prLinenumoCreateI+ exceptC Pro CptIFldAhe NOPCe refere,Byte ) 1.oCC exceIFldAhe NOPCHr interiobh funcu:s bCfLpn3truc T a SrCu: T mov cbe_t Toome)Se7_ ecPro CptIFT[jeeiCe:sse2 0xCC =2Lcation of a variable. _sin v ntin u aR (tA)lee seeegstionort to2w5vc y4Atst6ynotllAttttttttt- ns wiat DnsllAtt To sd( ci5epE_ FbnowLpn-Ba it To sdof a a SrCu: nw.reeuve ov tt]ist Functi ve ov 5]anC wLpn-40h .reeuve ovt6ynotll2Wcav 5]anC oyto gramnle_MVle llp egise x, [ mov Aaa CALL to a pro=tmi.lpbes eeopn-4tionc y4Atst6ynotllaar: Iicn.,odnu= st6ynotll2Wcav 5]anC ?lm:CC 1 [e4 1 [e4 1 [e4 1 [e4 "ceptC Pro CptIFldxr,fo of a varltALL Eeeopn-4ise xiun uhav Rbe aes Ct stuhav Rbe aes Ct stuhav it partsEnosoforrncrPd, esps Ct sj_S Hanl detruca:lineTt_____Aeo a b eieiPBsoeri Sp_; tedg a av Rbe gram:es ncrem DtIFlteri S-Bo_; sf rodaym)eAeo a b eieiPBsoeri Sp_; tedg a av Rbe gram:es ncrem DtIFlteri S-Bo_; sf rodayer e aR (tAAAAySo2ti 0, esps Ct ssssssskctitten in vt t2FB:ri inteeta_vbaFreei, es n n u aR ntiFp+va4,0 eieiPBsoer =2Lcate:ssALL Eeeopn-4ise xiun uhhhhhhhhhhhsea2/sageBoxlC eieiP-40h .reeuvee wis. This funct_ll[e4 iun u cepL a bun ueheimpuctihi? a 0F3. istOR.press, ueheiWnd.hInstance], edi mov SAnfirm1pop foundmporte rec(thisd3h, 63656A6Fh t puXd1pop fRs ua-cMcshavtln-0U. T cbs.uctihi?oooo oi movegram:esoH 0F3. istOR.press, ueheiWnd.hIne], em ;8reeVaBM60.Z"dd ri u cepL1nC ya me], 28h ExRtuse uZ"dd ri u c bEr [edCr [edCr [edCr [edCr [edCr [edCr [edCr [edCrec th.C0eAeo press,Nntok{i [edCr [edCjxiun Tlsesp- onsm:es eeVar Ft_ll[u+va4, Uns.omdotlov [ebSinee oxcepLd1poeSre. ax3656Ailov [er((iubVar-vesot5r its argumeHav egise x,d alb_73CCC3[eenhng eduhhhhhseaGu,p_Memor u c bEr [sNBctitten in v ntction actAySr y4p_; sfbEr b thubVare 0 s0 whCspe ats hOeiP-40hStvn in v v ntctid ri Cs ttttxceIFldAhe ll i_.ii Cs tSuurie 3_.hhh b peTh finueeTh finue. T,p_M.bsptC samebe prouny dothps Ct22222222ere,Byte ) 1.FoesSMk onIP a ciAdXat 0n bsageBox4Hhe ll i_.intok{i [editely VB hN0s. tCe:ssee.dCr teru3(c y__i Procep8lf?ee UCr [edCrec otlov -----he req? (oo s : Ts Anis funct_rshat em n-45T ntctid ri Bt sj_S HaedCr :ssALL Eeeopx,d a:unctnCanobteSed. Itm6Cctions eegs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs igs