rwheeler23

asked on

Reverse engineer Visual Basic code

Is there any way to reverse engineer an exe written using Visual Basic? I had this executable thrown at me that now has to run on a new server. It appears the connection string is embedded in the code. Is there any way to at least extract that?

Martin Liss

You might be able to use a HEX editor to find the string. You might find that it has spaces between the letters like c o n n.

@Martin's comment is the solution + there's a catch.

Depending on exactly how the VB + Compiler version manage strings, this can be tricky.

If the new connection string is shorter, then likely you can dig into the string HEX to determine if the string is terminated with \0 or \n or something else.

If the new connection string is longer... and you just overwrite it... there's a very good chance you'll destroy your code, as this will write over adjacent data structures.

A better solution might be to use a heavy proxy forwarder like HAProxy, as this will almost surely work, if you proxy all TCP traffic as a port proxy likely won't work.

Having had to do this type of Redneckery before, there are many catches, so if you opt for this approach, have your network engineer help.

Or it should be easiest to trick the system by redirecting the original server name to the new by editing the hosts file, if this is the only change.
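
The hex-editor approach and its length catch from the comments above, as an added Python example that is not part of the original thread. The function names, the sample bytes and the server names are constructed for illustration, and padding a shorter value with spaces is an assumption about what the consuming code tolerates.

```python
import re

def find_strings(data: bytes, keyword: str, min_len: int = 6):
    """Return (offset, encoding, text) for printable runs containing keyword.
    UTF-16LE runs are what look like 'c o n n' in a hex editor."""
    patterns = {
        "ascii": rb"[\x20-\x7e]{%d,}" % min_len,
        "utf-16-le": rb"(?:[\x20-\x7e]\x00){%d,}" % min_len,
    }
    hits = []
    for enc, pat in patterns.items():
        for m in re.finditer(pat, data):
            text = m.group().decode(enc)
            if keyword.lower() in text.lower():
                hits.append((m.start(), enc, text))
    return hits

def patch_hit(data: bytes, hit, old: str, new: str, pad: str = " ") -> bytes:
    """Replace old with new inside one hit without changing the file size."""
    offset, enc, text = hit
    if len(new) > len(old):
        raise ValueError("replacement is longer and would overwrite adjacent data")
    if text.count(old) != 1:
        raise ValueError("expected exactly one occurrence of the old value")
    # Assumption: the consumer tolerates pad characters after a shorter value.
    # An equal-length value (such as a same-length DNS alias) needs no padding.
    before = text.encode(enc)
    after = text.replace(old, new.ljust(len(old), pad)).encode(enc)
    if len(after) != len(before):
        raise ValueError("encoded length changed")
    return data[:offset] + after + data[offset + len(before):]

# Constructed sample: a fake header, a UTF-16LE connection string, a terminator,
# then bytes standing in for whatever structure follows it in the file.
CONN = "Provider=SQLOLEDB;Data Source=OLDSRV01;Initial Catalog=App"
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00" + CONN.encode("utf-16-le")
          + b"\x00\x00\xde\xad\xbe\xef")

if __name__ == "__main__":
    for hit in find_strings(SAMPLE, "Data Source"):
        print(hit)
        patched = patch_hit(SAMPLE, hit, "OLDSRV01", "NEWSRV02")
        print(len(patched) == len(SAMPLE), find_strings(patched, "Data Source"))
```

Run it against a copy of the executable, never the only original, and compare file sizes before and after.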

rwheeler23

ASKER

I was going to try copying this exe to a completely different network with no connection to the old network. If I break it I try again.

I've had to do something similar YEARS ago and that's exactly what I did - Hex Editor. However, I used a DNS alias so that the server name length matched the length hard coded in the app. Note: I did this with another program that I'm not sure what language it was written in. It's POSSIBLE the application will store the string in the binary code... but it's possible it won't.

Another trick you can use if a hostname is hardcoded into the connection string is just add an /etc/hosts entry wherever the connection is initiated pointing to the new IP.

In my case some lunatic had hardcoded an actual IP address, which had to be hijacked.

In the case of a hostname, /etc/hosts will suffice.

As long as you're the legitimate owner of the application, just use a decompiler. There are several out there for classic VB. You won't get the original variable names or code comments or anything but you should get a pretty good representation of what the code does, including values of different variables.

Are you certain that the connection string is hardcoded into the app? There are several ways for configuration values to be provided to the application (stored in separate config files, stored in the registry, passed into the app as command line arguments, piped in, using a preconfigured named pipe).

It might be good to run Sysinternals process monitor, set up the filter to only include the app .exe as the process name, then start capturing and run the app.

Then while it's running, right-click on the process and go to the properties and there should be a tab for strings which should include all the strings in memory for that app. The process monitor entries will also tell you where the app might be looking for any files or any registry entries.

We picked up this client last year and they just brought a new server on line. I have everything moved with this one exception. I asked if they had the source and of course the answer was no. There is no config file and I checked two xml files and there is nothing of use in them. This program does have a printing option so I have to do something I have never done before. Writing an application in C# that prints. I will be opening a new case for that.

ASKER CERTIFIED SOLUTION
gr8gonzo
This solution is only available to members.
Just some thoughts:

"We picked up this client last year and they just brought a new server on line. I have everything moved with this one exception. I asked if they had the source and of course the answer was no."

This is such a technical debt that it does not really make sense to continue to use this application.

When it is really hardcoded, I would guess this means they must have had some legal relation with the author or vendor. So they should contact them.

The vendor no longer exists. They are simply going to need to invest in having this application rewritten. I am going to submit a new case on printing. Feel free to comment on that.
Thank you everyone for your suggestions.