vb6tracer icon indicating copy to clipboard operation
vb6tracer copied to clipboard

Published 20 hours ago verified publisher icon jbremer

p-code instruction pointer displayed is off by one or more

Open strictlymike opened this issue 7 years ago • 3 comments

It would be nice if the instruction pointer output from vb6tracer matched the values displayed by other tools. Explanation follows.

I was confused that the virtual addresses displayed in C:\logz.txt when using vb6tracer-specific.dll did not appear to correspond to the addresses in the p-code disassembly listing emitted by the tool p32dasm. By searching for specific instructions in common between the p32dasm listing and the vb6tracer output, I discovered they are all off by one in my case. Example:

C:\logz.txt:

00401338 LitStr "some string"

p32dasm_output.txt:

00001337: 1B   LitStr: "some string"

I infer that the instruction pointer value displayed by vb6tracer is displayed after it has been increased by the instruction's opcode length (but not the length of any operand(s)). Since the opcode size for p-code can vary, I surmise that the deviation in what is displayed by vb6tracer may sometimes be greater than 1.

While I'm logging this issue, I wanted to share a bit of praise. I found this tool because @maijin pointed out the presentation Curing a 15 Year Old Disease and I had saved it in my notes until the day I had to deal with a rather large VB6 sample.

I'm glad I found this tool as it saved me from doing something similar to this, and gave me much of the information I wanted in the correct format for me to analyze it (plain text, no GUI) including parsing and displaying operands/arguments. This will go a long way toward helping me where tools like vbDecompiler or other disassemblers leave ambiguities that are time-consuming to resolve. Thank you for your work!

strictlymike avatar Jan 23 '18 19:01 strictlymike

Thanks for the feedback :) Could you try the commit above? I think it should work, makes sense too actually (or will some hooks have an off by two due to the nested table thing?) You can check it out in the addresses branch. You'll have to compile it yourself, though! My best guess would be that I never checked against p32dasm, so please let me know. And thanks for the kind feedback naturally - happy to find somebody found a use for it after all.

jbremer avatar Jan 24 '18 21:01 jbremer

I really really want to but I'm swamped and I couldn't even seem to get the build prerequisites to get started. Sorry to leave you hanging. If you can wait a while I'll get to it when I take a break in a week or two. Maybe we can talk offline about the build details, too.

strictlymike avatar Jan 27 '18 00:01 strictlymike

Alright, I'm going to be realistic. I'm overwhelmed and I might not get around to validating this fix :-(

strictlymike avatar Mar 27 '18 14:03 strictlymike