VB Decompiler Forum
 
 * Forums * Register * Reply * Search * Statistics *
VB decompiling Forum VB Decompiler Forum / VB decompiling Forum /

Decompile questions

Author htumblin
Registered
#1 * Posted: 27 Jan 2012 16:51
My VB is very rusty so if some of these questions are answered elsewhere, please let me know. I'm trying to recover a program
whose source has been lost.

1. Prior to any function definitions, I see the statement "Object: AutoMain".
Is this a built-in or well known object or is it the Namespace for the
current set of functions?
2. I see constructs of "call AutoMain.VTable_<hex address>()" Is this calling
a virtual function or a function in a dll? How can I determine what is
being called?
3. I see calls into the VB runtime, for example, __vbaLsetFixStr. Is there
documentation somewhere about the vba runtime so I can translate
these calls back into vb source?
4. Within a function definition, after any Dim statements, I see
"var_8 = &H<hex address>". But var_8 doesn't appear to be used
anywhere within the function. Any idea what this is doing?
5. I see a statement like "var_D8 = var_D8 - Me.%x1 = func() " and other
statements referring to %x2, etc. Is the %xn syntax refer to the
positional calling arguments of the function, i.e. %x = first parameter,
%x2 = second, etc.
6. I see statements of the form "shl eax, 05h" and arithmetic on eax.
Is this because the decompiler cannot figure out what the proper
VB statement is?
7. I see statements of the form "Unknown_VTable_Call[edx+54h]. What
are these? Are they inline compiler functions? Any way of figuring
out what they are doing?

Any help is greatly appreciated.

Thanks!
Author Support
Admin
#2 * Posted: 27 Jan 2012 17:55
htumblin:
1. Prior to any function definitions, I see the statement "Object: AutoMain".
Is this a built-in or well known object or is it the Namespace for the
current set of functions?

Object in this case is a module/form/classmodule. VB Decompiler use this naming only in "Saving all to one file" to split code from different files.

htumblin:
2. I see constructs of "call AutoMain.VTable_<hex address>()" Is this calling
a virtual function or a function in a dll? How can I determine what is
being called?

If GUID (id like {58DA8D8B-9D6A-101B-AFC04210102A8DA7} )is presented before VTable ID or Dispatch ID than you may open TypeLib information for GUID and check Method/Property with VTable or DispID. VB Decompiler is support all standard GUIDs and detect methods automatically. May be this Call to User defined control or type. t this time VB Decompiler is not support this calls and show only ID on VTable (table for virtual methods of any class).

htumblin:
3. I see calls into the VB runtime, for example, __vbaLsetFixStr. Is there
documentation somewhere about the vba runtime so I can translate
these calls back into vb source?

Where are no documentation for any call to msvbvmXX.dll from Microsoft. The only way is to analyze each function manually and add decompilation signature to VB Decompiler. We work on Native Code decompilation every day but at this time is not all functions can be decompiled automatically.

htumblin:
4. Within a function definition, after any Dim statements, I see
"var_8 = &H<hex address>". But var_8 doesn't appear to be used
anywhere within the function. Any idea what this is doing?

After emulation of Native Code procedure VB Decompiler has a large listing of code. Decompiler use more filters to delete intermediate code (used in error checking in assembler code and don't used in original source). Some code can't be filtered automatically. Simply ignore unused variables if this vars is not contain a critical data.

htumblin:
5. I see a statement like "var_D8 = var_D8 - Me.%x1 = func() " and other
statements referring to %x2, etc. Is the %xn syntax refer to the
positional calling arguments of the function, i.e. %x = first parameter,
%x2 = second, etc.

%x1, %x2, etc - is a reference to stack value 1, 2, etc. If you're use in original code (for example):
Me.SomeUserProperty = "Test"
VB translate it to Native Code as:
1) Get reference to Me (arg_8, Self, current object)
2) Push "Text"
3) Push SomeUserProperty
4) Call procedure from first push (%x1) with parameter from second push (%x2).

If you'll see in VB Decompiler "%x1" etc, than stack is empty at this line and %x1 = "". May be one of previous line is processed incorrectly and stack is not filled. Usualy it possible only if one of previous lines call unknown (at this time) function from msvbvmXX.dll or call to user defined function (VB Decompiler can't detect number of parameters to user defined function and push all stack variables to this call).

htumblin:
6. I see statements of the form "shl eax, 05h" and arithmetic on eax.
Is this because the decompiler cannot figure out what the proper
VB statement is?

Shl - is a Shift left assembler command. This is a binary shifting bytes to 5 elements left. For example, if eax contain 11010110 after shifting left to 5 bits it will contain 11000000. This operation is used only if in Project settings of original source checked optimization feature. This code can't be converted to correct VB code. The only way is analyze emulated and assembler variants in Vb Decompiler. Uncheck "Parse stack parameters" and double click on function twice - VB Decompiler will show pure assembler command and you may compare emulated and assembler lines on address with this command (shl), may be this operation can help you to correctly convert this line to VB.


htumblin:
7. I see statements of the form "Unknown_VTable_Call[edx+54h]. What
are these? Are they inline compiler functions? Any way of figuring
out what they are doing?

Where are to possible problems:
1) edx is contain reference to unknown class or user defined class
2) 54h element of class with edx pointer is not presented
The only way is check edx manually at assembler mode and check GUID of unknown class.
VB decompiling Forum VB Decompiler Forum / VB decompiling Forum / Decompile questions Top
Your Reply Click this icon to move up to the quoted message

» Username  » Password 
Only registered users are allowed to post here. Please, enter your username/password details upon posting a message, or register first.