Using ida5.0 for VB Reverse Analysis-how can I reduce my workload?

I just entered the cracking industry and used OD. A piece of software was broken in a confused manner. Later I tried several of them, but they all failed. From that point on, I had access to IDA and liked to read the compilation. (To be honest, I am a programmer and familiar with VB and Assembly)
Compilation looks like a low-level version of QB a few years ago. (A Lot Of goto exists in QB, just like JMP in compilation.) I have learned 8-bit and 16-bit assembly, as well as the microcomputer principle and computer composition principle, we have designed a sixteen-bit arithmetic calculator and its micro-commands (that is, the next layer of assembly. Seeing 32-bit assembly, I feel very comfortable. Reading e instructions is better than looking at the rows of small lights in the experiment box. Therefore, I think it is not difficult to look at assembly, but some new commands (such as floating point commands) are difficult to understand.
I am very happy to see the identified VB functions using IDA disassembly VB. In a graphical attempt of a function, click and select any call to make the call of the entire function yellow. Then, you can look at the VB Function from the beginning, it generally starts with _ VBA or RTC. You can probably understand what operations this function has done and what you want to do. If you think this function has done some operations, such as operating the registry, operating files, or a large number of string operations, it may be the location of registration. This is what I have analyzed many vbprograms.
Most of the systems using VB are compiled into DLL, that is, Com. It can be called by other programs or ASP (this is a lot ). To deal with such a program, I generally use the VB Object Browser to view this COM (how to register if it is introduced, I don't need to talk about it, the Object Browser is F2), to see what classes it has, attributes and methods. In general, you can find registration-related places, and then write a bit of code using VB to call this COM, generate an EXE, and then load it with OD, specially debug this DLL, huh, huh, this time, it is no longer inconvenient because of other restrictions. Debug the target function with OD, remember the address, and open the DLL with IDA to view the corresponding location. Remember to rename the function in IDA, so you don't know what the function is next time.
The above method has been used for a long time. It is very boring-too much, tired!
I like some features of IDA:
1. Rename the tag. This should be my favorite one. Look at the variable names in numerical sorting. Therefore, whenever I can determine the name of a function, I change the name of the function.
2. comment. This is no worse than the first one. The comment I am talking about here is not a code comment like od, but a variable comment, a label comment, or a function comment in Ida. Write comments after a variable, Tag, or function. The comments will be followed in all references. For example, if you can write a comment to a function, you can not only see the "real" Name of the function where other functions are referenced, we can also see in detail what this function is doing.
3. Double-click to jump. This function is also frequently used. Recently, it was discovered that not only can the code label be redirected by double-clicking, but also can be included in the comments. Don't blame me for being ignorant. I have figured out the usage in this article. In the graphic view, double-click a line to jump to another code segment. For double-click jump, if you want to look back at the previous Code, Press ESC.
Some tips for dealing with VB:
1. The parameter pressure stack mode of the VB Function is from right to left. At the same time, because VB is an OO language (although not completely), there is usually a default parameter, it is the object itself. If there is a return value, the address of the returned value will be used as the first parameter to press the stack. Therefore, the complete parameter pressure stack method is: [return value address], from right to left parameters, the object itself.
2. After learning about the parameter pressure stack method, I like to enter the function and modify the local variable name of the function. It was originally in the form of var_xx and arg_xx. First, arg_8 is the first parameter. Change it to this. Of course, you need to change it to me or self. Change the last parameter Arg to return. Of course, if this function has no return value, do not change it like this. If you can use the VB Object Browser to determine the parameter name, you can also change the name here.
3. If you know whether a function has a return value? 1. Check that the parameter of the first pressure stack is used immediately after the function is called. If this variable is used, it is worth returning. 2. Check the function, in the graphic view, in general, VB functions are divided into three parts in the graphic view: Theme, return processing, and error processing. One big, two small, and one small, whether the last Arg is used. If it is used, it is worth returning. This is a general method. I am not sure it is all like this.
4. In the function header, a lot of var_xx is usually first followed by arg_xx, and then ESP is processed. Then there is an XOR eax and eax. This eax can be unique, exclusive, or zeroed, there should be a lot of mov [esp + var_xx] And eax. Here is the local variable initialization. Most of the time, you will see a call [xxx + 4], which is used to install Seh. Honestly, I don't know what seh is. But don't worry about it. The text is later.
5. Check the corresponding parameters. Generally, the copy or move Command copies the parameters to the local variable var_xx, which is also changed to the VaR _ parameter name, indicates that this is a copy of a parameter.
6. Look at the return processing of the top header, that is, one of the two major and small values. Find return, which is generally seen as follows:
MoV ECx, [esp + return]
MoV eax, [esp + var_xx]
MoV [ECx], eax
Here, we copy the return value address to ECx, which can be another register, copy a local variable to eax, and then write it to the corresponding location of ECx. This also explains why a common function will return values in eax even if it has a specified return value. Okay. Change this var_xx to var_return. This is good. "Two-side attack" makes it easier to look at the code in the middle.
7. This time, the OD came out. Follow this function in a single step with od to see if there will be some ADO. xxxxxx or CAPICOM. xxxxxx in the middle. These are the com methods such as ADO and CAPICOM. The addresses of these methods are generally fixed. You can use them here by accumulating Some table corresponding to the method addresses.
8. Locate the corresponding location of this method in IDA and flip it up. Generally, you can find new2, where the instantiation of the ADO object or CAPICOM object is located. In new2, two or three rows will copy a String constant, which is the corresponding object class name. For example, set OBJ = Createobject ("ADODB. Connection"), copy the string ADODB. Connection. It's just my guess. The first thing we need to do this time is to rename the label of this string. In this way, other places that need to use this class can obviously be seen. Then, new2 will copy the result to a var_xx and change the name of the VaR _ object.
9. It's the turn of the struct. This var_xx is usually used in this way.
MoV eax, [esp + var_xx]
MoV edX, [eax]
Call [edX + xxh]; execute the method with the displacement of xxh
This kind of object positioning will make us very depressed, even though we know the absolute address. However, the powerful IDA has helped us a lot. First, create a struct (such as adoconn). You can refer to the tutorial of xueda University to define a member with a displacement of xxh (such as open) and write the name. Right-click xxh in Cal [eax + xxh] and Ida will list the appropriate structure members. You only need to select one. For example, adoconn. Open. The idea is that if this object has properties, its usage will be slightly different, for example:
MoV edX, [esp + var_xx]
MoV eax, [edX + xxh]; take the attribute with the displacement of xxh
We can see that the first address of the method list is the first member of the object. Therefore, the struct we just created is not suitable for use. Create a New struct with special attributes. In addition, you can right-click all constants and select structure members. Of course, a struct member can also write comments, which appear in each referenced place.
10. In addition to the public class, a COM still has some classes that are invisible to the Object Browser. However, in the file header, you can see that such a class exists, but you may need to be familiar with the file format. But it doesn't matter. During the analysis, I felt like this class should be something. Just give it a name and I will show it to myself.
11. If these structs are analyzed once in every file to be analyzed, that would be a lot of trouble. It doesn't matter. IDA is ready for us. "File"-"Create File"-"create IDC File", you can export a file. In another file to be analyzed, "file"-"IDC File" can be imported. I learned this method by myself, but I don't know what to do.

Well, I have some ideas above and I am very happy to share them with you. As you can see, I am a cainiao ......
I also encountered many problems:
1. For example, the preceding ADO and CAPICOM common com class library methods are displaced. It would be nice if there is a comprehensive IDC. For example, as I wrote in "Reverse Analysis of Software", it would be nice if I had a JVM. dll IDC.
2. I cannot understand many string constants, and IDA cannot give me correct restrictions. I found that the first two bytes of the VB string pointed to by the variable are the string length. I created a struct in this way, but still cannot see the complete VB string, I tried to write code using VB myself.
3. How to use IDA plug-ins or scripts? How to write? There are also some articles on the Forum, but there are too few materials.
4. I want to write a plug-in or script to automatically annotate the parameters of common VB functions. In this way, I can understand most of the content as long as I read the annotations. In fact, I wanted to develop a VB anti-compiler A long time ago, but the problem of time and difficulty cannot be solved. Now I want to do this on the basis of Ida. As mentioned above, I am a programmer and like to write code.
5. The vbprogram file contains the member structures of all classes, including attributes and methods. The names of all classes (including non-public) in COM are available, while the public classes have the names of all members. Therefore, I want to write a plug-in to create a corresponding struct for these classes, and then change the displacement value to the struct directly for the corresponding places in the Code, so that I do not need to select one by one, this may be difficult later.
6. Ida often does not recognize all user functions, but needs to be created manually. It is annoying to write plug-ins, because these are purely manual work.