In the year 2002, while I was working on my Visual Basic decompiler, VBReFormer, I discovered an interesting way on how to bypass the startup login form of any secured Visual Basic 6.0 application.

Any information presented here is only for learning purposes.

This is an important issue for the following reasons:

• This issue affects almost 100% of Visual Basic applications secured by a startup security form or startup license form
• This issue is common to Visual Basic 4.0 to Visual Basic 6.0
• This issue does not need any assembler knowledge to be applied, really quick and fast to apply

In this article, I will show you how your application can be bypassed by this vulnerability, and how you can secure your application against this issue.

Description of the vulnerability:

The internal Visual Basic application structure provides a table in which each form configuration properties are stored.

The main data of each user form, user control and designer are stored on a table of form header which provides the following information: signature, unique identifier, startup attribute, address of the form, and reserved bytes.

The issue is that the startup attribute is really easy to change in order to make the main form of an application the startup form of your application.

Scenario of attack:

We will work with a hexadecimal editor in order to analyze and edit the application. It's the only needed tool.

In the following scenario, the sample application we will bypass has two form called "frmMain" and "frmLicense". The "frmMain" form is the Main form, and the "frmLicense" form is a form asking licensing information in order to access to the Main form, then the application is secured by a "frmLicense" form which is the startup form.

First of all, you must search and found the Visual Basic Header, which contains all important information of your application. To find it, just search the Visual Basic Header signature ("VB5!") into the binary:

Note that the Visual Basic header has a length of 0x68 bytes, but this is not the most important information because we only need 2 bytes from this header to continue.

The information we need is the address of the Form Header Table, stored at the offset 0x4D of the Visual Basic Header.

Here we can read the address 0x0040123C. This is the Virtual Address of the Form Header Table, and we must convert it into a real address.

Basically, if your software is a Visual Basic 6.0 application, it mean that the Form Header Table is stored at the real address 0x0000123C = (0x0040123C - 0x00400000) in your application.

We now have to go to the address 0x123C to see the Form Header Table:

We can see on the above sample there is a table of two "Form Header", one header per form: "frmLicense" and "frmMain".

A Form Header starts with the 0x50000000 signature, and has a length of 0x50 bytes.

The information we need, here highlighted in blue is the Control Flag.

The Control Flag can take the following values:

The above example show that the "frmLicense" Control Flag is set to 0x0010 (SDI Form [startup]) and the "frmMain" Startup Flag is set to 0x0000 (SDI Form [no startup]) meaning the "frmLicense" form is the startup form of the application.

The objective being to bypass the "frmLicense" form, we now have to exchange the startup flag of the both forms in order to make the "frmMain" form the startup form of the application.

This is so simple to apply, just one byte to change, and the "frmMain" form is set to startup form of the application.

Now, when you start the application, you have a direct access to the "frmMain" form, bypassing the "frmLicense" form.

How to protect your application against this vulnerability ?

We have seen on the above scenario that all Visual Basic 4.0 to 6.0 applications are potentially affected by this issue; there are existing applications, commonly called "Visual Basic Universal Cracker" which allows making this work on automatic way, just with one click.

Then it's very important, when you write your application, to think about this issue in order to prevent against applying it on your application. There are different ways to setup protection your application against the application of this issue.

The different solutions are grouped into two categories, which are the code side solutions, and the binary side solutions.

Binary side solutions are applied after the application has been compiled, like packers, compressors, or external solutions of licensing.

Code source side solutions are directly applied on the source code of your application. For example you can define a simple global variable which will be checked during all the execution of your application, and on each form. Another solution is to define the startup form on the Sub Main() procedure of your application. Of course, that is not sufficient to secure your application against advanced crackers, but on this way you will protect your software against a common and simple vulnerability.

Introduction

This article has been written to provide a better and essential information to users of decompilers since I got many complaints from customers of others Visual Basic decompilers because their application weren’t recovered by these decompilers.

The reason is, when you write a Visual Basic 6.0 application you may choose a P-Code or Native code compilation, then your application will be compiled to P-Code or Native code which are very different approaches of compilation, so the decompilation will be different too.

There is a question you may absolutely ask yourself when you need a decompiler for a specific application: Is my application compiled into native or P-Code mode ?

The main problem is that a lot of users got a P-Code decompiler in order to decompile their application, but released with Native Code…

In fact, P-Code decompiler are today almost useless because 90% of Visual Basic 6 application are released with Native Code mode. This article will explain first the difference between P-Code and Native code, and then explain why the rate of Native code application is so important compared to P-Code applications.

I. P-Code Versus Native Code

When you write a line of code in the IDE, Visual Basic breaks it down into expressions and encodes the expressions into a preliminary format called op-codes. In other words, each line is partially precompiled as it is written. Some lines contain shared information that cannot be precompiled independently (mainly Dim statements and procedure definitions). This is why you have to restart if you change certain lines in break mode. The opcodes are compiled into p-code instructions when you compile (in the background if you have the Compile On Demand and Background Compile options set).

At run time, the p-code interpreter works through the program, decoding and executing p-code instructions. These p-code instructions are smaller than equivalent native code instructions, thus dramatically reducing the size of the executable program. But the system must load the p-code interpreter into memory in addition to the code, and it must decode each instruction.

It’s a different story with native code. You start with the same opcodes, but instead of translating to p-code instructions, the compiler translates to native instructions. Because you’re not going to be expecting an instant response while stepping through native code instructions in the IDE, the compiler can look at code from a greater distance; it can analyze blocks of code and find ways to eliminate inefficiency and duplication. The compiler philosophy is that, since you compile only once, you can take as long as you want to analyze as much code as necessary to generate the best results possible.

These two approaches create a disjunction. How can you guarantee that such different ways of analyzing code will generate the same results? Well, you can’t. In fact, if you look at the Advanced Optimizations dialog box (available from the Compile tab of the Project Properties dialog box) you’ll see a warning: "Enabling the following optimizations might prevent correct execution of your program." This might sound like an admission of failure, but welcome to the real world of compilers. Users of other compiled languages understand that optimization is a bonus. If it works, great. If not, turn it off.

On the other hand, very few developers are going to be used to the idea of working in an interpreter during development but releasing compiled code. Most compilers have a debug mode for fast compiles and a release mode for fast code. Visual Basic doesn’t worry about fast compiles because it has a no-compile mode that is faster than the fastest compiler. You get the best of both worlds, but it’s going to take a little while for people to really trust the compiler to generate code that they can’t easily see and debug.

Source : http://vb.mvps.org/hardcore/html/p-codeversusnativecode.htm

II. Proportion of P-Code application in the world

The amount of P-Code developed application is very small compared to Native Code developed application (90% of Visual Basic 6 applications are compiled with Native Code setting -default setting in VB6-), that is one of the reason why I decided to develop VBReFormer more for Native Code than for P-Code.

The massive number of Visual Basic Native application compared to P-Code applications is probably more important due to the fact the default value in the compiler is set up to « Native Code », and of course because native application are almost fast than C++ applications contrary to P-Code applications.

Before choosing a decompiler you must know if it was released for Native application, or for P-Code applications, and if your application was released in P-Code or Native mode.

Note that P-Code is more easy to decompile than Native Code because of it’s high level property.

English:

One of the most exiting feature of VBReFormer is design edition mode for binaries Visual Basic applications.

I have done this webcast to show that we can easily edit and alter an executable written with Visual Basic 6 with help of my half-decompiler VBReFormer 2007 Professional Edition.

For more information about VBReFormer: http://www.decompiler-vb.net/.

French:

L'une des plus importante fonction de VBReFormer est la possibilité d'éditer le design de vos applications Visual Basic même une fois compilé.

J'ai donc réalisé ce petit webcast pour montrer que l'on peut facilement éditer un exécutable écrit en Visual Basic 6 avec l'aide de mon semi-décompilateur VBReFormer 2007 Professional Edition.

Pour plus de renseignements à propos de VBReFormer: http://www.decompiler-vb.net/ .

D'ailleurs, pour ceux que la traduction d'applications intéresse, je vous conseille d'aller visiter le site de la communauté des traducteurs francophones (http://www.toutfr.com/) qui est une communauté de passionnés très sympathique .

Hello, 

My name is Sylvain Bruyere, I'm a freelance/developer focused on Microsoft development languages, and I develop a native Visual Basic decompiler since the year 1999, called VBReFormer.

After years of research on decompiler technologies, I am glad to announce the opening of this blog that will focus on knowledge-depth development for Visual Basic, related to object modeling, compilation, decompilation, and security.

As you can guess, I will talk in this blog of my experiences with Visual Basic development, and others related experiences.