Part 3 of the Reverse Engineering series. What is intermodular in OllyDbg? We will look at what kind of data we can access. The file used in these operations is not packed.
What is intermodular?
Intermodular is a term. Its main purpose is to list the events that the program's code calls from the Windows system. For example, consider Microsoft Word. While we work in Word, printer operations do not run without a command. The printer command is located inside Word, but it does not run until we call it. The list of such events, which are called later, is what OllyDbg names intermodular calls. We can see the events with the Ctrl + N combination in OllyDbg, or by right-clicking and choosing "Search For -> All intermodular Calls".
Target:
We will access the license code with Intermodular Calls. We found the serial code in the first lesson. However, the serial code we found was already in the program. This time we will find it with the help of events, not with a string search, because no serial code is written in our program.
Our file was written in Visual Basic. Programs written in Visual Basic need a component called "msvbvm60.dll" to run. The program carries out all its operations against the Windows libraries through this file. The events listed below are the pieces that run through this file. For example, say we have a text called "Webdeyazim". The command we use to find the length of the text changes with the programming language ("Len", "StrLen", "Length"), but they all do the same job: they perform the calculation by calling certain events. The conclusion to draw is that every piece of code we write is actually surface-level code, and as we go deeper we see that the commands that really perform the operations sit at the base of the system we write for.
Events:
__vbaVarTstEq
__vbaVarTstNe
__vbaVarCmpEq
__vbaStrCmp
__vbaStrComp
__vbaStrCompVar
__vbaStrCopy
I just mentioned that the code we write is superficial and that events at the base perform these operations. These events have a certain structure in assembly language. However, this example only applies to a program written in VB6.
.text:00401961 mov edx, offset aString ; "Webdesoftware"
.text:00401966 lea ecx, [ebp-1Ch]
.text:00401969 mov [ebp-1Ch], esi
.text:0040196C call ds:__vbaStrCopy
.text:00401972 mov eax, [ebp-1Ch]
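The __vbaStrCopy event is used to carry a value of some kind. Let's look at it with some code in Basic.
' Both variables are strings
Dim hardKey As String
Dim key As String
hardKey = ""
' Concatenation: the runtime moves the string data behind the scenes
key = hardKey & "incoming data"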
When the code runs, the events are called from the required offsets and perform the transfer. Here we can see more clearly how superficial the code we write is.
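The following Python script is an added example, not part of the original lesson or of OllyDbg. It builds the same kind of list as the intermodular calls view from a text listing in the format shown above, and tags each call with the event group from the list in this lesson. The two extra listing lines, the function name intermodular_calls and the rule "the last quoted string comment before a call belongs to that call" are assumptions made for illustration.

```python
import re

# Runtime events named in this lesson, grouped by what they do.
COMPARE = {"__vbaVarTstEq", "__vbaVarTstNe", "__vbaVarCmpEq",
           "__vbaStrCmp", "__vbaStrComp", "__vbaStrCompVar"}
COPY = {"__vbaStrCopy"}

# Constructed sample: the five lines from the lesson plus two made-up lines.
SAMPLE = '''\
.text:00401961 mov edx, offset aString ; "Webdesoftware"
.text:00401966 lea ecx, [ebp-1Ch]
.text:00401969 mov [ebp-1Ch], esi
.text:0040196C call ds:__vbaStrCopy
.text:00401972 mov eax, [ebp-1Ch]
.text:00401975 push eax
.text:00401976 call ds:__vbaStrCmp
'''

# segment:address, instruction text, optional "; comment"
LINE = re.compile(r'^\.?\w+:(?P<addr>[0-9A-Fa-f]{8})\s+'
                  r'(?P<ins>[^;]*?)\s*(?:;\s*(?P<cmt>.*))?$')
# An indirect call through the import table to an msvbvm60.dll helper.
CALL = re.compile(r'^call\s+(?:ds:)?(?P<name>__vba\w+)$')

def intermodular_calls(listing):
    """Return [(address, event, kind, nearby_string)] for each __vba* call."""
    found, last_string = [], None
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # not a disassembly line
        cmt = m.group("cmt")
        if cmt and cmt[0] in '"\u201c':   # straight or curly opening quote
            last_string = cmt.strip('"\u201c\u201d')
        call = CALL.match(m.group("ins"))
        if call:
            name = call.group("name")
            kind = ("compare" if name in COMPARE
                    else "copy" if name in COPY else "other")
            # Heuristic (assumption): attach the most recent string comment.
            found.append((int(m.group("addr"), 16), name, kind, last_string))
            last_string = None
    return found

if __name__ == "__main__":
    for addr, name, kind, text in intermodular_calls(SAMPLE):
        print(f"{addr:08X}  {name:<16} {kind:<8} {text or '-'}")
```

The compare group is the one to look at first when following how a program checks an entered value, which is why the script separates it from the copy event.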