VBKiller Instructions for Use
VBKiller is an auxiliary tool for the reverse analysis of VB programs. First, to be clear: it cannot decompile a VB program back into VB source code. It can only make the disassembly of a VB program look closer to the VB code.
Used together with IDA, it can create almost all of the class structures, method tables and function bodies of a VB program, and create the corresponding method table structures; it can identify the CLSIDs of the COM components referenced by the VB program and name them by their ProgID; and for any COM program (non-VB as well) it can build the method tables and function bodies and create method table structures, which can then be used while analyzing the VB program. After these steps, the VB program under analysis consists of a large number of well-standardized classes and methods in IDA, and it is not far from a reverse-engineered reconstruction of the source code.
How to use it:
Click the browse button to select a COM program: a DLL, EXE or OCX. If it is not a VB program, check "Non-VB program", then click to view. The box on the left lists all COM interfaces of the selected program. If you also want to see classes and enumerations, select "Show all classes except interfaces". Click any interface and all of its methods are displayed on the right, including the address of the entry in the method table and the real address of the method body. To display the first seven basic methods as well, select "Show methods of basic interfaces".
For a non-VB program, the image base address and the virtual base address are shown on the right. The image base address is the ImageBase of the program, and the virtual base address is the start of the memory region the program was loaded into. VBKiller calculates this address by default; if it is incorrect, it must be corrected manually. The method table addresses obtained by the program are addresses in the running process, and both base addresses must be known to convert them into addresses in the static file, so they are very important and must be filled in correctly, otherwise the addresses will be misidentified.
Click "Generate IDC" to generate the IDC file for the currently selected interface (classes and enumerations cannot generate IDC). Load this IDC into IDA and the corresponding method addresses are identified and processed automatically. Click "Generate All" to generate IDC for all interfaces, placed in a single file. Select "Generate Structure" and use the two generate buttons to produce the structure-creation script for this COM component. Loading this structure IDC into IDA creates a batch of corresponding structures in IDA. For example, if the analyzed program performs database operations and encryption or decryption, the ADO and CAPICOM structure scripts usually need to be loaded.
VBKiller also has a function for scanning and identifying COM components, which is not yet complete.
The same directory contains several other .c files.
Among them, header.c is included by the IDC files above; it is a shared function file.
vb.c is a modified version of the vb.idc script circulating on the Internet. It has not been changed much, and many places seem not to work. This script can be used to establish the class structures and event tables of a VB program.
vboop.c is a script designed specifically to assist in analyzing the object-oriented features of VB programs.
Its Do_BasicOOP method works mainly from the event tables established by vb.c and processes the corresponding function bodies: if a function has not been created, it creates it, renames it to match the name in the event table, and creates each class at the same time. The method table structures are analyzed afterwards.
ParseAPI is used to process VB runtime functions. It scans the cross-references to all specified functions, adds a repeatable comment at each call, tries to identify the parameters and adds a comment to each one. If a parameter is a register, it searches further for the source of the register's data and comments that as well. The functions to scan and their comments are specified in the code; most functions are already specified, and you can add new ones as needed.
The ParseNew method scans all cross-references to _vbaNew and _vbaNew2 and tries to identify the corresponding CLSID. If it can be identified, the call site is renamed to the corresponding program name for easy viewing. Recognition uses a built-in table; there are not many entries at present, and you can add your own as needed. During scanning, if an unrecognized CLSID is found, the program writes it to UnKnown.txt in the same directory. After the analysis you can check that file; for each unrecognized CLSID, search the registry for it, and once you have the program name, add it to the corresponding place in the program.
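The two steps described above, converting a runtime method-table address back to the static image and decoding the 16-byte CLSID pushed to _vbaNew/_vbaNew2 into registry form for a table lookup, as an added example in plain Python (not VBKiller's or vboop.c's own code; the CLSID table and sample blobs are constructed placeholders, not real registry entries):

```python
import struct
from typing import Dict, List, Tuple

# Constructed CLSID -> ProgID table; the real values would come from the registry.
KNOWN_CLSIDS: Dict[str, str] = {
    "{11111111-2222-3333-4444-555555555555}": "Example.Connection",
    "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}": "Example.Recordset",
}


def rebase_to_static(runtime_va: int, image_base: int, virtual_base: int) -> int:
    """Map an address observed in the running process back to the static image.
    This is why the image base and virtual base must both be correct."""
    return runtime_va - virtual_base + image_base


def decode_clsid(blob: bytes) -> str:
    """Decode a GUID as it sits in memory: Data1/Data2/Data3 are little-endian
    integers, Data4 is eight raw bytes. Returns the registry form {XXXXXXXX-...}.
    In IDAPython the 16 bytes would be read with idc.get_bytes(ea, 16)."""
    if len(blob) != 16:
        raise ValueError("CLSID must be exactly 16 bytes")
    d1, d2, d3 = struct.unpack_from("<IHH", blob, 0)
    d4 = blob[8:]
    return "{%08X-%04X-%04X-%s-%s}" % (
        d1, d2, d3, d4[:2].hex().upper(), d4[2:].hex().upper())


def resolve_new_sites(sites: List[Tuple[int, bytes]]) -> Tuple[Dict[int, str], List[str]]:
    """For each (call-site address, CLSID bytes) pair return the name to apply at
    the call site, plus the unrecognized CLSIDs that would go to UnKnown.txt."""
    names: Dict[int, str] = {}
    unknown: List[str] = []
    for addr, blob in sites:
        clsid = decode_clsid(blob)
        progid = KNOWN_CLSIDS.get(clsid)
        if progid is None:
            if clsid not in unknown:
                unknown.append(clsid)
            names[addr] = "New_Unknown_" + clsid[1:9]  # keep Data1 as a hint
        else:
            names[addr] = "New_" + progid.replace(".", "_")
    return names, unknown


# Constructed sample: one known CLSID and one unknown (bytes 00..0F).
SAMPLE_SITES = [
    (0x401000, struct.pack("<IHH", 0x11111111, 0x2222, 0x3333) + bytes.fromhex("4444555555555555")),
    (0x401050, bytes(range(16))),
]
```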