x86 Assembly


lost password tracing...tough one Posted by leandromsp on 13 Jun 2008 at 6:57 PM
Hello people, I'm new here.
I have a program developed in Visual Basic 6, I forgot the password and there's no chance of getting the source code from the developer.
I've decompiled it with a vbdecompiler program, I have the source code but the password is not clear in the code. I hope you can help me.
Well, the action on the Ok Button to confirm the password :
" loc_0041FA2B: call MSVBVM60.DLL.__vbaHresultCheckObj
loc_0041FA31: mov eax, var_18
loc_0041FA34: push eax
loc_0041FA35: call 00414BA0h
loc_0041FA3A: mov edx, eax
loc_0041FA3C: lea ecx, var_1C
loc_0041FA3F: call MSVBVM60.DLL.__vbaStrMove
loc_0041FA45: push eax
loc_0041FA46: call MSVBVM60.DLL.__vbaStrCmp
loc_0041FA4C: mov edi, eax "

I did another simple program with a textbox to compare the decompiled code, I'm sure the red line above says something about the password. The 'vbaStrCmp' is the If clause in the program. In my simple test program, the password appeared in the code, here in the real lost password program it calls 00414BA0h. There I found this:
"Private sub Unknown_414BA0
loc_00414BA0: push ebp
loc_00414BA1: mov ebp, esp
loc_00414BA3: sub esp, 00000008h
loc_00414BA6: push 00401886h ; MSVBVM60.DLL.__vbaExceptHandler
loc_00414BAB: mov eax, fs:[00h]
loc_00414BB1: push eax
loc_00414BB2: mov fs:[00000000h], esp
loc_00414BB9: sub esp, 00000008h
loc_00414BBC: push ebx
loc_00414BBD: push esi
loc_00414BBE: push edi
loc_00414BBF: mov var_8, esp
loc_00414BC2: mov var_4, 00401210h
loc_00414BC9: mov edx, [00422034h] ;
loc_00414BCF: lea ecx, var_14
loc_00414BD2: mov var_14, 00000000h
loc_00414BD9: call MSVBVM60.DLL.__vbaStrCopy
loc_00414BDF: push 00414BF1h ; "‹Mð‹Eì_^d‰'#1"
loc_00414BE4: jmp 414BF0h
loc_00414BE6: lea ecx, var_14
loc_00414BE9: call MSVBVM60.DLL.__vbaFreeStr
loc_00414BEF: ret
End Sub"

I really think the red code above is the password; in my program that's how it appeared. At this one I couldn't recognize these weird characters.
Well, just to finish, I don't know anything about Assembly.
If you know something to help me, please let me know. Thank you.
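The characters the decompiler printed after push 00414BF1h are raw bytes shown as text, so the first thing to check is what instructions those bytes encode. The script below is an added example, not code from the thread; it assumes the decompiler rendered each byte as its Windows-1252 character and decodes only the handful of 32-bit opcodes a VB6 procedure epilogue uses.

```python
import struct

# What the decompiler printed as a "string" after push 00414BF1h in the post,
# written as escapes here (it shows as ‹Mð‹Eì_^d‰ in Windows-1252).
DECOMPILER_STRING = "\u2039M\u00f0\u2039E\u00ec_^d\u2030"

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SEG_PREFIX = {0x26: "es", 0x2E: "cs", 0x36: "ss", 0x3E: "ds", 0x64: "fs", 0x65: "gs"}

def text_to_bytes(text: str) -> bytes:
    # Assumption: the decompiler rendered each raw byte as its Windows-1252 character.
    return text.encode("cp1252")

def _modrm(buf: bytes, i: int):
    """Decode a 32-bit ModRM byte (SIB, rm == 4, is not handled) -> (reg, operand, next_i)."""
    mod, reg, rm = buf[i] >> 6, (buf[i] >> 3) & 7, buf[i] & 7
    if mod == 3:                                   # register operand
        return reg, REG32[rm], i + 1
    if mod == 0 and rm == 5:                       # absolute disp32, e.g. fs:[0]
        return reg, f"[0x{struct.unpack_from('<I', buf, i + 1)[0]:x}]", i + 5
    size = {0: 0, 1: 1, 2: 4}[mod]                 # [base], [base+disp8], [base+disp32]
    disp = struct.unpack_from("<b" if size == 1 else "<i", buf, i + 1)[0] if size else 0
    suffix = f"{'-' if disp < 0 else '+'}0x{abs(disp):x}" if size else ""
    return reg, f"[{REG32[rm]}{suffix}]", i + 1 + size

def disassemble(buf: bytes) -> list:
    """Decode the few 32-bit opcodes a VB6 procedure epilogue uses (mov 8B/89,
    push/pop r32, segment prefix, ret); stop at the first byte it does not know."""
    out, i = [], 0
    while i < len(buf):
        prefix = ""
        if buf[i] in SEG_PREFIX:
            prefix, i = SEG_PREFIX[buf[i]] + ":", i + 1
        try:
            op = buf[i]
            if op in (0x8B, 0x89):                 # 8B: mov r32, r/m32   89: mov r/m32, r32
                reg, rm, i = _modrm(buf, i + 1)
                dst, src = (REG32[reg], prefix + rm) if op == 0x8B else (prefix + rm, REG32[reg])
                out.append(f"mov {dst}, {src}")
            elif 0x50 <= op <= 0x5F or op == 0xC3:
                out.append("ret" if op == 0xC3 else f"{'push' if op < 0x58 else 'pop'} {REG32[op & 7]}")
                i += 1
            else:
                out.append(f"db 0x{op:02x}  ; not decoded")
                break
        except (IndexError, struct.error):         # listing ended mid-instruction
            out.append("(truncated instruction)")
            break
    return out
```

Run on the posted text, the bytes decode to mov ecx, [ebp-0x10] (the fs:[0] value the prologue pushed), mov eax, [ebp-0x14] (var_14, the string __vbaStrCopy filled), pop edi, pop esi and the start of an fs: write, which mirror the prologue's pushes and fs:[0] setup. The bytes at 00414BF1h are therefore the procedure's exit code, not a text literal.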
Re: lost password tracing...tough one Posted by jeffleyda on 16 Jun 2008 at 8:52 AM
: loc_0041FA46: call MSVBVM60.DLL.__vbaStrCmp
: loc_0041FA4C: mov edi, eax "
:

Traditionally a routine will check 2 strings, then return the pass/fail results in a register. It's possible here that the results from vbaStrCmp are returned in eax, which in turn get stored in edi and perhaps tested later. If I were hacking this, I'd try changing different results in edi there and see if it alters the outcome of the program.


: loc_00414BD9: call MSVBVM60.DLL.__vbaStrCopy
: loc_00414BDF: push 00414BF1h ; "‹Mð‹Eì_^d‰'#1"
: loc_00414BE4: jmp 414BF0h
: loc_00414BE6: lea ecx, var_14
: loc_00414BE9: call MSVBVM60.DLL.__vbaFreeStr
: loc_00414BEF: ret
: End Sub"

If you see there, it's doing a jmp to 414bf0h, which is exactly where you stopped disassembling code. If you can post what the code is a little bit further down, it might shed some light on what it's doing.

I rarely do disassembly from higher level languages because it's just so ugly to determine what is real code and what is language overhead with variable passing. I do quite enjoy little projects like this though!

-jeff!
Re: lost password tracing...tough one Posted by leandromsp on 17 Jun 2008 at 10:46 AM
Thanks for helping me.
Well, I didn't find the 414bf0h position in the decompilation.
How can I change the results in edi? Is it possible for me to 'recompile' it?
If you want, I can send you the executable file and the decompiler program I'm using.
Thanks

Re: lost password tracing...tough one Posted by jeffleyda on 17 Jun 2008 at 11:53 AM
: Thanks for helping me.
: Well, I didn't find the 414bf0h position in the decompilation.

That's weird. Doesn't sound like the disassembler is working very well if it can't find a chunk of code that gets called.
You could probably use a different disassembler to get that data. Perhaps try IDA:
http://www.hex-rays.com/idapro/

: How can I change the results in edi?

Get a Windows (I'm assuming this is a Windows based program) debugger, like SoftICE for Windows, and set a breakpoint at that chunk of code. Then you can change values "on the fly" to experiment with the outcome.

Once you get something that works (such as forcing EDI to always be 1) then you'd have to physically change the opcodes in the file itself to change the behavior of the code on a permanent basis. If the binary file is at all compressed or encrypted or checksummed, you will have to work around those issues as well.

: Is it possible for me to 'recompile' it?

No. That's the problem with disassembling from a high level language down to assembly. Things just get wrecked in the process. I mean, you could certainly do it, but it would likely take several months of work to put the pieces back together to make it actually compile again.

: If you want, I can send you the executable file and the decompiler
: program I'm using.

Sorry, but no thanks. I've got too much on my plate at the moment as it is.

-jeff!