VB RezQ

VB RezQ Native Code Disassembly


For VB5 and VB6 programs that have been compiled to native code,
VB RezQ can provide a disassembly of the x86 code for each
subroutine.
The disassembly is displayed as commented lines within the subroutine
declaration. The user can select the level of display: none, or one of
four stages ranging from a brief analysis to a full listing.
VB RezQ analyses the address references in the native code and adds
comments to the disassembly to indicate:-
logic flow jumps to other locations in the same subroutine
calls to other subroutines
calls to routines in the VB Runtime DLL
calls to API routines in other DLLs
and references to text strings.
Examples of the resulting disassembly are shown here for the
GetKeyValue() function in frmAbout.frm of the Actxdoc.dll project
used to demonstrate VB RezQ.
First here is the original source code for the function (stripped of comments for clarity).
Public Function GetKeyValue(KeyRoot As Long, KeyName As String, _
                            SubKeyRef As String, _
                            ByRef KeyVal As String) As Boolean
    Dim i As Long
    Dim rc As Long
    Dim hKey As Long
    Dim hDepth As Long
    Dim KeyValType As Long
    Dim tmpVal As String
    Dim KeyValSize As Long
    rc = RegOpenKeyEx(KeyRoot, KeyName, 0, KEY_ALL_ACCESS, hKey)
    If (rc <> ERROR_SUCCESS) Then GoTo GetKeyError
    tmpVal = String$(1024, 0)
    KeyValSize = 1024
    rc = RegQueryValueEx(hKey, SubKeyRef, 0, _
                         KeyValType, tmpVal, KeyValSize)
    If (rc <> ERROR_SUCCESS) Then GoTo GetKeyError
    If (Asc(Mid(tmpVal, KeyValSize, 1)) = 0) Then
        tmpVal = Left(tmpVal, KeyValSize - 1)
    Else
        tmpVal = Left(tmpVal, KeyValSize)
    End If
    Select Case KeyValType
        Case REG_SZ
            KeyVal = tmpVal
        Case REG_DWORD
            For i = Len(tmpVal) To 1 Step -1
                KeyVal = KeyVal + Hex(Asc(Mid(tmpVal, i, 1)))
            Next
            KeyVal = Format$("&h" + KeyVal)
    End Select
    GetKeyValue = True
    rc = RegCloseKey(hKey)
    Exit Function
GetKeyError:
    KeyVal = ""
    GetKeyValue = False
    rc = RegCloseKey(hKey)
End Function
When the briefest, comments only, option is selected, VB RezQ
displays just the analysis comments as follows:-
'Sub GetKeyValue()
'N * ref: __vbaExceptHandler
'N * ref: __vbaStrToAnsi
'N * API ref: RegOpenKeyExA
'N * ref: __vbaSetSystemError
'N * ref: __vbaStrToUnicode
'N * ref: __vbaFreeStr
'N * ref: String$(
'N * ref: __vbaStrMove
'N * ref: __vbaFreeVar
'N * API ref: RegQueryValueExA
'N * ref: __vbaSetSystemError
'N * ref: __vbaStrToUnicode
'N * ref: __vbaStrToUnicode
'N * ref: __vbaFreeStrList
'N * ref: __vbaStrCopy
'N * ref: Mid(
'N * ref: __vbaStrVarVal
'N * ref: Asc(
'N * ref: __vbaFreeStr
'N * ref: __vbaFreeVarList
'N * ref: Left(
'N * ref: Left(
'N * ref: __vbaStrVarMove
'N * ref: __vbaFreeVar
'N * ref: __vbaLenBstr
'N * ref: Mid(
'N * ref: __vbaStrVarVal
'N * ref: Asc(
'N * ref: Hex(
'N * ref: __vbaVarAdd
'N * ref: __vbaStrVarMove
'N * ref: __vbaFreeStr
'N * ref: __vbaFreeVarList
'N * ref: "&h"
'N * ref: __vbaStrCat
'N * ref: Format$(
'N * ref: __vbaFreeVarList
'N * ref: __vbaStrCopy
'N * API ref: RegCloseKey
'N * ref: __vbaSetSystemError
'N * ref: __vbaFreeStrList
'N * ref: __vbaFreeVarList
'N * ref: __vbaFreeStr
'N * ref: __vbaErrorOverflow
'End Sub
Here we can see references to external DLL API calls
(e.g. RegOpenKeyExA); to calls to the VB runtime DLL for Basic keyword
functions (e.g. String$()); to calls to the VB runtime DLL for internal
VB support functions (e.g. __vbaStrCopy); and to memory locations
holding text strings (e.g. "&h").
The logic flow within GetKeyValue() is not visible in the brief view, but
can be traced in the more detailed listings which show every x86 operation.
The following is the fullest level listing for this function:-
'Sub GetKeyValue()
'N 110059D0 55 push ebp
'N 110059D1 8BEC mov ebp, esp
'N 110059D3 83EC0C sub esp, 0Ch
'N 110059D6 6876120011 push L11001276
'N * ref: __vbaExceptHandler
'N 110059DB 64A100000000 mov eax, dword ptr fs:[L00000000]
'N 110059E1 50 push eax
'N 110059E2 64892500000000 mov dword ptr fs:[L00000000], esp
'N 110059E9 81ECD4000000 sub esp, 0D4h
'N 110059EF 53 push ebx
'N 110059F0 56 push esi
'N 110059F1 57 push edi
'N 110059F2 8965F4 mov dword ptr [ebp-0Ch], esp
'N 110059F5 C745F858120011 mov dword ptr [ebp-8], L11001258
'N 110059FC 33FF xor edi, edi
'N 110059FE 897DFC mov dword ptr [ebp-4], edi
'N 11005A01 8B4508 mov eax, dword ptr [ebp+8]
'N 11005A04 50 push eax
'N 11005A05 8B08 mov ecx, dword ptr [eax]
'N 11005A07 FF5104 call dword ptr [ecx+4]
'N 11005A0A 8B5D10 mov ebx, dword ptr [ebp+10h]
'N 11005A0D 8B35F8100011 mov esi, dword ptr [L110010F8]
'N * ref: __vbaStrToAnsi
'N 11005A13 8D55E8 lea edx, dword ptr [ebp-18h]
'N 11005A16 8D4DC8 lea ecx, dword ptr [ebp-38h]
'N 11005A19 8B03 mov eax, dword ptr [ebx]
'N 11005A1B 52 push edx
'N 11005A1C 683F000200 push 2003Fh
'N 11005A21 57 push edi
'N 11005A22 50 push eax
'N 11005A23 51 push ecx
'N 11005A24 897DE8 mov dword ptr [ebp-18h], edi
'N 11005A27 897DDC mov dword ptr [ebp-24h], edi
'N 11005A2A 897DD4 mov dword ptr [ebp-2Ch], edi
'N 11005A2D 897DD0 mov dword ptr [ebp-30h], edi
'N 11005A30 897DCC mov dword ptr [ebp-34h], edi
'N 11005A33 897DC8 mov dword ptr [ebp-38h], edi
'N 11005A36 897DC4 mov dword ptr [ebp-3Ch], edi
'N 11005A39 897DB4 mov dword ptr [ebp-4Ch], edi
'N 11005A3C 897DA4 mov dword ptr [ebp-5Ch], edi
'N 11005A3F 897D94 mov dword ptr [ebp-6Ch], edi
'N 11005A42 897D84 mov dword ptr [ebp-7Ch], edi
'N 11005A45 89BD74FFFFFF mov dword ptr [ebp-8Ch], edi
'N 11005A4B 89BD64FFFFFF mov dword ptr [ebp-9Ch], edi
'N 11005A51 89BD34FFFFFF mov dword ptr [ebp-0CCh], edi
'N 11005A57 FFD6 call esi
'N 11005A59 8B550C mov edx, dword ptr [ebp+0Ch]
'N 11005A5C 50 push eax
'N 11005A5D 8B02 mov eax, dword ptr [edx]
'N 11005A5F 50 push eax
'N 11005A60 E8FFFFD457 call L11002EBC
'N * API ref: RegOpenKeyExA
'N 11005A65 898530FFFFFF mov dword ptr [ebp-0D0h], eax
'N 11005A6B FF1534100011 call dword ptr [L11001034]
'N * ref: __vbaSetSystemError
'N 11005A71 8B4DC8 mov ecx, dword ptr [ebp-38h]
'N 11005A74 51 push ecx
'N 11005A75 53 push ebx
'N 11005A76 FF1598100011 call dword ptr [L11001098]
'N * ref: __vbaStrToUnicode
'N 11005A7C 8D4DC8 lea ecx, dword ptr [ebp-38h]
'N 11005A7F FF1524110011 call dword ptr [L11001124]
'N * ref: __vbaFreeStr
'N 11005A85 39BD30FFFFFF cmp dword ptr [ebp-0D0h], edi
'N 11005A8B 0F850000009B jnz L11005B2C
'N 11005A91 8D55B4 lea edx, dword ptr [ebp-4Ch]
'N 11005A94 897DBC mov dword ptr [ebp-44h], edi
'N 11005A97 52 push edx
'N 11005A98 6800040000 push 400h
'N 11005A9D C745B402000000 mov dword ptr [ebp-4Ch], 2
'N 11005AA4 FF159C100011 call dword ptr [L1100109C]
'N * ref: String$(
'N 11005AAA 8B1D10110011 mov ebx, dword ptr [L11001110]
'N * ref: __vbaStrMove
'N 11005AB0 8BD0 mov edx, eax
'N 11005AB2 8D4DD0 lea ecx, dword ptr [ebp-30h]
'N 11005AB5 FFD3 call ebx
'N 11005AB7 8D4DB4 lea ecx, dword ptr [ebp-4Ch]
'N 11005ABA FF150C100011 call dword ptr [L1100100C]
'N * ref: __vbaFreeVar
'N 11005AC0 8B4DD0 mov ecx, dword ptr [ebp-30h]
'N 11005AC3 8D45CC lea eax, dword ptr [ebp-34h]
'N 11005AC6 50 push eax
'N 11005AC7 8D55C4 lea edx, dword ptr [ebp-3Ch]
'N 11005ACA 51 push ecx
'N 11005ACB 52 push edx
'N 11005ACC C745CC00040000 mov dword ptr [ebp-34h], 400h
'N 11005AD3 FFD6 call esi
'N 11005AD5 8B4D14 mov ecx, dword ptr [ebp+14h]
'N 11005AD8 50 push eax
'N 11005AD9 8D45DC lea eax, dword ptr [ebp-24h]
'N 11005ADC 8B11 mov edx, dword ptr [ecx]
'N 11005ADE 50 push eax
'N 11005ADF 57 push edi
'N 11005AE0 8D45C8 lea eax, dword ptr [ebp-38h]
'N 11005AE3 52 push edx
'N 11005AE4 50 push eax
'N 11005AE5 FFD6 call esi
'N 11005AE7 8B4DE8 mov ecx, dword ptr [ebp-18h]
'N 11005AEA 50 push eax
'N 11005AEB 51 push ecx
'N 11005AEC E8FFFFD417 call L11002F08
'N * API ref: RegQueryValueExA
'N 11005AF1 8BF0 mov esi, eax
'N 11005AF3 FF1534100011 call dword ptr [L11001034]
'N * ref: __vbaSetSystemError
'N 11005AF9 8B55C8 mov edx, dword ptr [ebp-38h]
'N 11005AFC 8B4514 mov eax, dword ptr [ebp+14h]
'N 11005AFF 52 push edx
'N 11005B00 50 push eax
'N 11005B01 FF1598100011 call dword ptr [L11001098]
'N * ref: __vbaStrToUnicode
'N 11005B07 8B4DC4 mov ecx, dword ptr [ebp-3Ch]
'N 11005B0A 8D55D0 lea edx, dword ptr [ebp-30h]
'N 11005B0D 51 push ecx
'N 11005B0E 52 push edx
'N 11005B0F FF1598100011 call dword ptr [L11001098]
'N * ref: __vbaStrToUnicode
'N 11005B15 8D45C4 lea eax, dword ptr [ebp-3Ch]
'N 11005B18 8D4DC8 lea ecx, dword ptr [ebp-38h]
'N 11005B1B 50 push eax
'N 11005B1C 51 push ecx
'N 11005B1D 6A02 push 2
'N 11005B1F FF15D0100011 call dword ptr [L110010D0]
'N * ref: __vbaFreeStrList
'N 11005B25 83C40C add esp, 0Ch
'N 11005B28 3BF7 cmp esi, edi
'N 11005B2A 741A jz L11005B46
'N
'N L11005B2C:
'N 11005B2C 8B4D18 mov ecx, dword ptr [ebp+18h]
'N 11005B2F BA482D0011 mov edx, L11002D48
'N 11005B34 FF15CC100011 call dword ptr [L110010CC]
'N * ref: __vbaStrCopy
'N 11005B3A 8B55E8 mov edx, dword ptr [ebp-18h]
'N 11005B3D 897DD4 mov dword ptr [ebp-2Ch], edi
'N 11005B40 52 push edx
'N 11005B41 E900000262 jmp L11005DA8
'N
'N L11005B46:
'N 11005B46 8B55CC mov edx, dword ptr [ebp-34h]
'N 11005B49 8D45D0 lea eax, dword ptr [ebp-30h]
'N 11005B4C 8D4DB4 lea ecx, dword ptr [ebp-4Ch]
'N 11005B4F 89856CFFFFFF mov dword ptr [ebp-94h], eax
'N 11005B55 51 push ecx
'N 11005B56 8D8564FFFFFF lea eax, dword ptr [ebp-9Ch]
'N 11005B5C 52 push edx
'N 11005B5D 8D4DA4 lea ecx, dword ptr [ebp-5Ch]
'N 11005B60 50 push eax
'N 11005B61 51 push ecx
'N 11005B62 C745BC01000000 mov dword ptr [ebp-44h], 1
'N 11005B69 C745B402000000 mov dword ptr [ebp-4Ch], 2
'N 11005B70 C78564FFFFFF08400000 mov dword ptr [ebp-9Ch], 4008h
'N 11005B7A FF1564100011 call dword ptr [L11001064]
'N * ref: Mid(
'N 11005B80 8D55A4 lea edx, dword ptr [ebp-5Ch]
'N 11005B83 8D45C8 lea eax, dword ptr [ebp-38h]
'N 11005B86 52 push edx
'N 11005B87 50 push eax
'N 11005B88 FF15AC100011 call dword ptr [L110010AC]
'N * ref: __vbaStrVarVal
'N 11005B8E 50 push eax
'N 11005B8F FF1524100011 call dword ptr [L11001024]
'N * ref: Asc(
'N 11005B95 668BF0 mov si, ax
'N 11005B98 8D4DC8 lea ecx, dword ptr [ebp-38h]
'N 11005B9B 66F7DE neg si
'N 11005B9E 1BF6 sbb esi, esi
'N 11005BA0 46 inc esi
'N 11005BA1 F7DE neg esi
'N 11005BA3 FF1524110011 call dword ptr [L11001124]
'N * ref: __vbaFreeStr
'N 11005BA9 8D4DA4 lea ecx, dword ptr [ebp-5Ch]
'N 11005BAC 8D55B4 lea edx, dword ptr [ebp-4Ch]
'N 11005BAF 51 push ecx
'N 11005BB0 52 push edx
'N 11005BB1 6A02 push 2
'N 11005BB3 FF1518100011 call dword ptr [L11001018]
'N * ref: __vbaFreeVarList
'N 11005BB9 83C40C add esp, 0Ch
'N 11005BBC 663BF7 cmp si, di
'N 11005BBF 7437 jz L11005BF8
'N 11005BC1 8B4DCC mov ecx, dword ptr [ebp-34h]
'N 11005BC4 8D45D0 lea eax, dword ptr [ebp-30h]
'N 11005BC7 83E901 sub ecx, 1
'N 11005BCA 89856CFFFFFF mov dword ptr [ebp-94h], eax
'N 11005BD0 0F800000024A jo L11005E20
'N 11005BD6 8D9564FFFFFF lea edx, dword ptr [ebp-9Ch]
'N 11005BDC 51 push ecx
'N 11005BDD 8D45B4 lea eax, dword ptr [ebp-4Ch]
'N 11005BE0 52 push edx
'N 11005BE1 50 push eax
'N 11005BE2 C78564FFFFFF08400000 mov dword ptr [ebp-9Ch], 4008h
'N 11005BEC FF1500110011 call dword ptr [L11001100]
'N * ref: Left(
'N 11005BF2 8D4DB4 lea ecx, dword ptr [ebp-4Ch]
'N 11005BF5 51 push ecx
'N 11005BF6 EB2C jmp L11005C24
'N
'N L11005BF8:
'N 11005BF8 8B45CC mov eax, dword ptr [ebp-34h]
'N 11005BFB 8D55D0 lea edx, dword ptr [ebp-30h]
'N 11005BFE 89956CFFFFFF mov dword ptr [ebp-94h], edx
'N 11005C04 8D8D64FFFFFF lea ecx, dword ptr [ebp-9Ch]
'N 11005C0A 50 push eax
'N 11005C0B 8D55B4 lea edx, dword ptr [ebp-4Ch]
'N 11005C0E 51 push ecx
'N 11005C0F 52 push edx
'N 11005C10 C78564FFFFFF08400000 mov dword ptr [ebp-9Ch], 4008h
'N 11005C1A FF1500110011 call dword ptr [L11001100]
'N * ref: Left(
'N 11005C20 8D45B4 lea eax, dword ptr [ebp-4Ch]
'N 11005C23 50 push eax
'N
'N L11005C24:
'N 11005C24 FF1510100011 call dword ptr [L11001010]
'N * ref: __vbaStrVarMove
'N 11005C2A 8BD0 mov edx, eax
'N 11005C2C 8D4DD0 lea ecx, dword ptr [ebp-30h]
'N 11005C2F FFD3 call ebx
'N 11005C31 8D4DB4 lea ecx, dword ptr [ebp-4Ch]
'N 11005C34 FF150C100011 call dword ptr [L1100100C]
'N * ref: __vbaFreeVar
'N 11005C3A 8B45DC mov eax, dword ptr [ebp-24h]
'N 11005C3D 48 dec eax
'N 11005C3E 0F840000014D jz L11005D91
'N 11005C44 83E803 sub eax, 3
'N 11005C47 0F8500000150 jnz L11005D9D
'N 11005C4D 8B4DD0 mov ecx, dword ptr [ebp-30h]
'N 11005C50 51 push ecx
'N 11005C51 FF1514100011 call dword ptr [L11001014]
'N * ref: __vbaLenBstr
'N 11005C57 8B7D18 mov edi, dword ptr [ebp+18h]
'N 11005C5A 8BF0 mov esi, eax
'N
'N L11005C5C:
'N 11005C5C B801000000 mov eax, 1
'N 11005C61 3BF0 cmp esi, eax
'N 11005C63 0F8C000000D5 jl L11005D3E
'N 11005C69 8B17 mov edx, dword ptr [edi]
'N 11005C6B 8945BC mov dword ptr [ebp-44h], eax
'N 11005C6E 8D45D0 lea eax, dword ptr [ebp-30h]
'N 11005C71 8D4DB4 lea ecx, dword ptr [ebp-4Ch]
'N 11005C74 89953CFFFFFF mov dword ptr [ebp-0C4h], edx
'N 11005C7A 89856CFFFFFF mov dword ptr [ebp-94h], eax
'N 11005C80 51 push ecx
'N 11005C81 8D9564FFFFFF lea edx, dword ptr [ebp-9Ch]
'N 11005C87 56 push esi
'N 11005C88 8D45A4 lea eax, dword ptr [ebp-5Ch]
'N 11005C8B 52 push edx
'N 11005C8C 50 push eax
'N 11005C8D C78534FFFFFF08000000 mov dword ptr [ebp-0CCh], 8
'N 11005C97 C745B402000000 mov dword ptr [ebp-4Ch], 2
'N 11005C9E C78564FFFFFF08400000 mov dword ptr [ebp-9Ch], 4008h
'N 11005CA8 FF1564100011 call dword ptr [L11001064]
'N * ref: Mid(
'N 11005CAE 8D4DA4 lea ecx, dword ptr [ebp-5Ch]
'N 11005CB1 8D55C8 lea edx, dword ptr [ebp-38h]
'N 11005CB4 51 push ecx
'N 11005CB5 52 push edx
'N 11005CB6 FF15AC100011 call dword ptr [L110010AC]
'N * ref: __vbaStrVarVal
'N 11005CBC 50 push eax
'N 11005CBD FF1524100011 call dword ptr [L11001024]
'N * ref: Asc(
'N 11005CC3 6689459C mov word ptr [ebp-64h], ax
'N 11005CC7 8D4594 lea eax, dword ptr [ebp-6Ch]
'N 11005CCA 8D4D84 lea ecx, dword ptr [ebp-7Ch]
'N 11005CCD 50 push eax
'N 11005CCE 51 push ecx
'N 11005CCF C7459402000000 mov dword ptr [ebp-6Ch], 2
'N 11005CD6 FF15C8100011 call dword ptr [L110010C8]
'N * ref: Hex(
'N 11005CDC 8D9534FFFFFF lea edx, dword ptr [ebp-0CCh]
'N 11005CE2 8D4584 lea eax, dword ptr [ebp-7Ch]
'N 11005CE5 52 push edx
'N 11005CE6 8D8D74FFFFFF lea ecx, dword ptr [ebp-8Ch]
'N 11005CEC 50 push eax
'N 11005CED 51 push ecx
'N 11005CEE FF15F0100011 call dword ptr [L110010F0]
'N * ref: __vbaVarAdd
'N 11005CF4 50 push eax
'N 11005CF5 FF1510100011 call dword ptr [L11001010]
'N * ref: __vbaStrVarMove
'N 11005CFB 8BD0 mov edx, eax
'N 11005CFD 8BCF mov ecx, edi
'N 11005CFF FFD3 call ebx
'N 11005D01 8D4DC8 lea ecx, dword ptr [ebp-38h]
'N 11005D04 FF1524110011 call dword ptr [L11001124]
'N * ref: __vbaFreeStr
'N 11005D0A 8D9574FFFFFF lea edx, dword ptr [ebp-8Ch]
'N 11005D10 8D4584 lea eax, dword ptr [ebp-7Ch]
'N 11005D13 52 push edx
'N 11005D14 8D4D94 lea ecx, dword ptr [ebp-6Ch]
'N 11005D17 50 push eax
'N 11005D18 8D55A4 lea edx, dword ptr [ebp-5Ch]
'N 11005D1B 51 push ecx
'N 11005D1C 8D45B4 lea eax, dword ptr [ebp-4Ch]
'N 11005D1F 52 push edx
'N 11005D20 50 push eax
'N 11005D21 6A05 push 5
'N 11005D23 FF1518100011 call dword ptr [L11001018]
'N * ref: __vbaFreeVarList
'N 11005D29 83C8FF or eax, -1
'N 11005D2C 83C418 add esp, 18h
'N 11005D2F 03C6 add eax, esi
'N 11005D31 0F80000000E9 jo L11005E20
'N 11005D37 8BF0 mov esi, eax
'N 11005D39 E9FFFFFF1E jmp L11005C5C
'N
'N L11005D3E:
'N 11005D3E 8B0F mov ecx, dword ptr [edi]
'N 11005D40 68D4330011 push L110033D4
'N * ref: "&h"
'N 11005D45 51 push ecx
'N 11005D46 C745AC04000280 mov dword ptr [ebp-54h], 80020004h
'N 11005D4D C745A40A000000 mov dword ptr [ebp-5Ch], 0Ah
'N 11005D54 FF1530100011 call dword ptr [L11001030]
'N * ref: __vbaStrCat
'N 11005D5A 8945BC mov dword ptr [ebp-44h], eax
'N 11005D5D 6A01 push 1
'N 11005D5F 8D55A4 lea edx, dword ptr [ebp-5Ch]
'N 11005D62 6A01 push 1
'N 11005D64 8D45B4 lea eax, dword ptr [ebp-4Ch]
'N 11005D67 52 push edx
'N 11005D68 50 push eax
'N 11005D69 C745B408000000 mov dword ptr [ebp-4Ch], 8
'N 11005D70 FF1514110011 call dword ptr [L11001114]
'N * ref: Format$(
'N 11005D76 8BD0 mov edx, eax
'N 11005D78 8BCF mov ecx, edi
'N 11005D7A FFD3 call ebx
'N 11005D7C 8D4DA4 lea ecx, dword ptr [ebp-5Ch]
'N 11005D7F 8D55B4 lea edx, dword ptr [ebp-4Ch]
'N 11005D82 51 push ecx
'N 11005D83 52 push edx
'N 11005D84 6A02 push 2
'N 11005D86 FF1518100011 call dword ptr [L11001018]
'N * ref: __vbaFreeVarList
'N 11005D8C 83C40C add esp, 0Ch
'N 11005D8F EB0C jmp L11005D9D
'N
'N L11005D91:
'N 11005D91 8B55D0 mov edx, dword ptr [ebp-30h]
'N 11005D94 8B4D18 mov ecx, dword ptr [ebp+18h]
'N 11005D97 FF15CC100011 call dword ptr [L110010CC]
'N * ref: __vbaStrCopy
'N
'N L11005D9D:
'N 11005D9D 8B45E8 mov eax, dword ptr [ebp-18h]
'N 11005DA0 C745D4FFFFFFFF mov dword ptr [ebp-2Ch], 0FFFFFFFFh
'N 11005DA7 50 push eax
'N
'N L11005DA8:
'N 11005DA8 E8FFFFD19F call L11002F4C
'N * API ref: RegCloseKey
'N 11005DAD FF1534100011 call dword ptr [L11001034]
'N * ref: __vbaSetSystemError
'N 11005DB3 68F75D0011 push L11005DF7
'N 11005DB8 EB33 jmp L11005DED
'N 11005DBA 8D4DC4 lea ecx, dword ptr [ebp-3Ch]
'N 11005DBD 8D55C8 lea edx, dword ptr [ebp-38h]
'N 11005DC0 51 push ecx
'N 11005DC1 52 push edx
'N 11005DC2 6A02 push 2
'N 11005DC4 FF15D0100011 call dword ptr [L110010D0]
'N * ref: __vbaFreeStrList
'N 11005DCA 8D8574FFFFFF lea eax, dword ptr [ebp-8Ch]
'N 11005DD0 8D4D84 lea ecx, dword ptr [ebp-7Ch]
'N 11005DD3 50 push eax
'N 11005DD4 8D5594 lea edx, dword ptr [ebp-6Ch]
'N 11005DD7 51 push ecx
'N 11005DD8 8D45A4 lea eax, dword ptr [ebp-5Ch]
'N 11005DDB 52 push edx
'N 11005DDC 8D4DB4 lea ecx, dword ptr [ebp-4Ch]
'N 11005DDF 50 push eax
'N 11005DE0 51 push ecx
'N 11005DE1 6A05 push 5
'N 11005DE3 FF1518100011 call dword ptr [L11001018]
'N * ref: __vbaFreeVarList
'N 11005DE9 83C424 add esp, 24h
'N 11005DEC C3 ret
'N
'N L11005DED:
'N 11005DED 8D4DD0 lea ecx, dword ptr [ebp-30h]
'N 11005DF0 FF1524110011 call dword ptr [L11001124]
'N * ref: __vbaFreeStr
'N 11005DF6 C3 ret
'N
'N L11005DF7:
'N 11005DF7 8B4508 mov eax, dword ptr [ebp+8]
'N 11005DFA 50 push eax
'N 11005DFB 8B10 mov edx, dword ptr [eax]
'N 11005DFD FF5208 call dword ptr [edx+8]
'N 11005E00 8B451C mov eax, dword ptr [ebp+1Ch]
'N 11005E03 668B4DD4 mov cx, word ptr [ebp-2Ch]
'N 11005E07 668908 mov word ptr [eax], cx
'N 11005E0A 8B45FC mov eax, dword ptr [ebp-4]
'N 11005E0D 8B4DEC mov ecx, dword ptr [ebp-14h]
'N 11005E10 5F pop edi
'N 11005E11 5E pop esi
'N 11005E12 64890D00000000 mov dword ptr fs:[L00000000], ecx
'N 11005E19 5B pop ebx
'N 11005E1A 8BE5 mov esp, ebp
'N 11005E1C 5D pop ebp
'N 11005E1D C21800 ret 18h
'N
'N L11005E20:
'N 11005E20 FF15B8100011 call dword ptr [L110010B8]
'N * ref: __vbaErrorOverflow
'End Sub
This full listing shows the memory address, the op-code bytes and the
assembler text for each machine code instruction. It also shows
the analysis comments (on the line following the related address) and
labels for the destination of logic flow jumps (on the line before the
destination instruction).
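The full-level listing above has a regular line format (an instruction line carries the address, op-code bytes and assembler text; a reference comment follows the instruction it belongs to; a jump label precedes its destination), so it can be parsed mechanically. The script below is an added example written for this page, not part of VB RezQ or the Actxdoc.dll project: it reads that format, sorts the references into the four kinds described above (external API, VB runtime keyword function, VB runtime internal support function, text string), and recovers the logic-flow jumps and direct calls, flagging any jump whose destination label is not present in the listing (as happens when a listing is truncated). The sample input is constructed from lines excerpted from the listing on this page; the regular expressions encode only the layout visible here and are an assumption about any other output the tool may produce.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines excerpted from the full-level VB RezQ listing of
# GetKeyValue() shown on this page (deliberately not the complete listing).
SAMPLE_LISTING = """'Sub GetKeyValue()
'N 110059D0 55 push ebp
'N 110059D6 6876120011 push L11001276
'N * ref: __vbaExceptHandler
'N 11005A60 E8FFFFD457 call L11002EBC
'N * API ref: RegOpenKeyExA
'N 11005A85 39BD30FFFFFF cmp dword ptr [ebp-0D0h], edi
'N 11005A8B 0F850000009B jnz L11005B2C
'N 11005B28 3BF7 cmp esi, edi
'N 11005B2A 741A jz L11005B46
'N
'N L11005B2C:
'N 11005B2C 8B4D18 mov ecx, dword ptr [ebp+18h]
'N 11005B40 52 push edx
'N 11005B41 E900000262 jmp L11005DA8
'N
'N L11005B46:
'N 11005B46 8B55CC mov edx, dword ptr [ebp-34h]
'N 11005B7A FF1564100011 call dword ptr [L11001064]
'N * ref: Mid(
'N 11005D40 68D4330011 push L110033D4
'N * ref: "&h"
'N
'N L11005DA8:
'N 11005DA8 E8FFFFD19F call L11002F4C
'N * API ref: RegCloseKey
'N 11005DEC C3 ret
'End Sub
"""

# Line shapes as they appear in the full-level listing (assumed from this page).
INSTR_RE = re.compile(r"^'N ([0-9A-F]{8}) ([0-9A-F]+) (\S+)(?: (.*))?$")
REF_RE = re.compile(r"^'N \* (API ref|ref): (.+)$")
LABEL_RE = re.compile(r"^'N (L[0-9A-F]{8}):$")

# Jump mnemonics that appear in the listing, plus the other common Jcc forms.
JUMPS = {"jmp", "jz", "jnz", "jl", "jo", "je", "jne", "jg", "jge",
         "jle", "jb", "jbe", "ja", "jae", "js", "jns"}


@dataclass
class Instruction:
    addr: str
    opbytes: str
    mnemonic: str
    operands: str
    refs: list = field(default_factory=list)  # (kind, name) from following comment lines


def parse_listing(text):
    """Return (instructions, labels); labels map 'Lxxxxxxxx' to its address."""
    instructions, labels = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        m = INSTR_RE.match(line)
        if m:
            instructions.append(Instruction(m.group(1), m.group(2), m.group(3), m.group(4) or ""))
            continue
        m = REF_RE.match(line)
        if m and instructions:
            # A reference comment annotates the instruction on the preceding line.
            instructions[-1].refs.append((m.group(1), m.group(2)))
            continue
        m = LABEL_RE.match(line)
        if m:
            labels[m.group(1)] = m.group(1)[1:]
    return instructions, labels


def classify_refs(instructions):
    """Split the analysis comments into the four reference kinds the page describes."""
    out = {"api": [], "runtime": [], "keyword": [], "string": []}
    for ins in instructions:
        for kind, name in ins.refs:
            if kind == "API ref":
                out["api"].append(name)            # call into another DLL
            elif name.startswith('"'):
                out["string"].append(name)         # address of a text string
            elif name.endswith("("):
                out["keyword"].append(name[:-1])   # Basic keyword function in the runtime
            else:
                out["runtime"].append(name)        # internal __vba* support function
    return out


def control_flow_edges(instructions):
    """(source, destination, mnemonic, resolved) for every jump to a label."""
    known = {ins.addr for ins in instructions}
    return [(ins.addr, ins.operands[1:], ins.mnemonic, ins.operands[1:] in known)
            for ins in instructions
            if ins.mnemonic in JUMPS and ins.operands.startswith("L")]


def direct_calls(instructions):
    """(source, target, inside_this_subroutine) for 'call Lxxxxxxxx' instructions."""
    known = {ins.addr for ins in instructions}
    return [(ins.addr, ins.operands[1:], ins.operands[1:] in known)
            for ins in instructions
            if ins.mnemonic == "call" and ins.operands.startswith("L")]


if __name__ == "__main__":
    ins, labels = parse_listing(SAMPLE_LISTING)
    print(f"{len(ins)} instructions, {len(labels)} labels")
    for kind, names in classify_refs(ins).items():
        print(f"{kind:8s} {names}")
    for src, dst, mn, ok in control_flow_edges(ins):
        print(f"{src} {mn:4s} -> {dst}{'' if ok else '  (destination not in listing)'}")
    for src, dst, inside in direct_calls(ins):
        print(f"{src} call -> {dst} ({'local' if inside else 'outside subroutine'})")
```

Run over a whole listing, the output gives the external-API surface of a routine and its branch structure at a glance, which is the part of the analysis comments most useful when reviewing an unfamiliar native-code binary before reading the instruction stream itself.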
The next lower intermediate level of display omits the op-code bytes
as shown here :-
'Sub GetKeyValue()
'N 110059D0 push ebp
'N 110059D1 mov ebp, esp
'N 110059D3 sub esp, 0Ch
'N 110059D6 push L11001276
'N * ref: __vbaExceptHandler
'N 110059DB mov eax, dword ptr fs:[L00000000]
'N 110059E1 push eax
'N 110059E2 mov dword ptr fs:[L00000000], esp
...
And the final intermediate level of display also omits the memory
addresses as shown here :-
'Sub GetKeyValue()
'N push ebp
'N mov ebp, esp
'N sub esp, 0Ch
'N push L11001276
'N * ref: __vbaExceptHandler
'N mov eax, dword ptr fs:[L00000000]
'N push eax
'N mov dword ptr fs:[L00000000], esp
...
The analysis comments will provide some help to understanding the code
in the routine and act as an 'aide memoire' to manually rewriting it.
It can be seen that native code is far removed from VB source code and
we consider it would be a formidable task to create an automated process
to reverse engineer the x86 code back into VB code.