OpenRCE

Visual Basic Reversed – A Decompiling Approach
by Andrea Geddon
27 pages, 20 of code.

Update 2006.02.11: more intuitive structure list and directions of use.

This is would have made for a good introduction to reversing Visual Basic if it were not for a few errors. One can still learn a bit about the data structure used by the runtime engine but towards the end when trying to find objects the author mixes names he gave structures, or isn’t clear enough to keep them in order to. Regardless, a great deal of the structure is described and some of it in a coherent manner.

The author looks at an example VB program with the objective of finding the serial generation code. He starts from the very first data structure (RT_MainStruct). Here is a bulleted list of the different levels in the vb structure which should make it easier to follow. The author is looking for the onClickCheck event handler. The handlers are not named but can be found working through various levels. 1. First we must find the form name of interest. 2. Then we find the control (button) name of interest (perhaps “Check Serial”). 3. We find the onClick event handle for that button.

The form names can be found under ProjectStruct.Tree.ModulesList. Each ModulesList represents values of either a form or a module object and contains a ObjName which is the internal ASCII name of the Form/Module.
For Forms you will find a FormDescriptor structure referenced. This structure contains substructures for each control in the form. Buttons, text boxes, labels, etc. The author named them FD0_ControlsList[*]. Inside each of these structures you will find the ASCII name (aText_2_0) given to each control, such as “btnSerialChk”, etc.
Inside the structure with the control/button you wish to examine you will find a LocalDispatcher structure referenced. And finally, it is here that you will find references to the functions for each event handler (onClick, onChange, etc). They are not named, only appearing as raw references. So, to determine what is onClick, onChange, onOver, etc… you can either look for familiar signs in the disassembly (such as calls to message box functions) or build an example project that has every event defined and compare the disassembly of each to it. Once the onSerialClick event handler is found you can follow its value to the serial check function.