lost password tracing...tough one

leandromsp Member Posts: 2
Hello people, I'm new here.
I have a program developed in Visual Basic 6, I forgot the password and there's no chance of getting the source code from the developer.
I've decompiled it with a vbdecompiler program, I have the source code but the password is not clear in the code. I hope you can help me.
Well, the action on the Ok Button to confirm the password:
" loc_0041FA2B: call MSVBVM60.DLL.__vbaHresultCheckObj
loc_0041FA31: mov eax, var_18
loc_0041FA34: push eax
loc_0041FA35: call 00414BA0h ; red highlight in the original post starts here
loc_0041FA3A: mov edx, eax
loc_0041FA3C: lea ecx, var_1C
loc_0041FA3F: call MSVBVM60.DLL.__vbaStrMove
loc_0041FA45: push eax
loc_0041FA46: call MSVBVM60.DLL.__vbaStrCmp ; red highlight ends here
loc_0041FA4C: mov edi, eax "

I did another simple program with a textbox to compare the decompiled code, I'm sure the red line above says something about the password. The 'vbaStrCmp' is the If clause in the program. In my simple test program, the password appeared in the code, here in the real lost password program it calls 00414BA0h. There I found this:
"Private sub Unknown_414BA0
loc_00414BA0: push ebp
loc_00414BA1: mov ebp, esp
loc_00414BA3: sub esp, 00000008h
loc_00414BA6: push 00401886h ; MSVBVM60.DLL.__vbaExceptHandler
loc_00414BAB: mov eax, fs:[00h]
loc_00414BB1: push eax
loc_00414BB2: mov fs:[00000000h], esp
loc_00414BB9: sub esp, 00000008h
loc_00414BBC: push ebx
loc_00414BBD: push esi
loc_00414BBE: push edi
loc_00414BBF: mov var_8, esp
loc_00414BC2: mov var_4, 00401210h
loc_00414BC9: mov edx, [00422034h] ;
loc_00414BCF: lea ecx, var_14
loc_00414BD2: mov var_14, 00000000h
loc_00414BD9: call MSVBVM60.DLL.__vbaStrCopy
loc_00414BDF: push 00414BF1h ; "

Comments

  • jeffleyda Member Posts: 390
    : loc_0041FA46: call MSVBVM60.DLL.__vbaStrCmp
    : loc_0041FA4C: mov edi, eax "
    :

    Traditionally a routine will check 2 strings, then return the pass/fail results in a register. It's possible here that the results from vbaStrCmp are returned in eax, which in turn get stored in edi and perhaps tested later. If I were hacking this, I'd try changing different results in edi there and see if it alters the outcome of the program.


    : loc_00414BD9: call MSVBVM60.DLL.__vbaStrCopy
    : loc_00414BDF: push 00414BF1h ; "
  • leandromsp Member Posts: 2
    Thanks for helping me.
    Well, I didn't find the 414bf0h position in the decompilation.
    How can I change the results in edi? Is it possible for me to 'recompile' it?
    If you want, I can send you the executable file and the decompiler program I
  • jeffleyda Member Posts: 390
    : Thanks for helping me.
    : Well, I didn't find the 414bf0h position in the decompilation.

    That's weird. Doesn't sound like the disassembler is working very well if it can't find a chunk of code that gets called.
    You could probably use a different disassembler to get that data. Perhaps try IDA:
    http://www.hex-rays.com/idapro/

    : how can I change the results in edi?

    Get a Windows (I'm assuming this is a Windows-based program) debugger, like SoftICE for Windows, and set a breakpoint at that chunk of code. Then you can change values "on the fly" to experiment with the outcome.

    Once you get something that works (such as forcing EDI to always be 1) then you'd have to physically change the opcodes in the file itself to change the behavior of the code on a permanent basis. If the binary file is at all compressed or encrypted or checksummed, you will have to work around those issues as well.

    : Is it possible for me to 'recompile' it?

    No. That's the problem with disassembling from a high level language down to assembly. Things just get wrecked in the process. I mean, you could certainly do it, but it would likely take several months of work to put the pieces back together to make it actually compile again.

    : If you want, I can send you the executable file and the decompiler
    : program I