VBOX 4.5
lucita
March 17th, 2001, 06:27
What's happening with the cracking scene today?
VBOX 4.5 came out a long time ago and there is no essay about reversing it. Has anyone here tried to reverse/crack an application protected with VBOX 4.5? Were you able to unwrap it?
Thnx in adv.
Armadillo Killer
March 17th, 2001, 07:14
Give us the link for a protected app, please.
tsehp
March 17th, 2001, 08:09
hi,
you should read the past threads.
vbox has an iat encrypted scheme.
first you find the oep with icedump's tracer.
then you dump the target, and finally fix the iat's with revirgin.
and this is finished.
Actually the difficult one (IMHO) is safecast, safedisk 2, currently working to finish revirgin's adapt to it.
regards,
+Tsehp
lucita
March 19th, 2001, 06:03
The main feature of VBOX 4.5 (yes 4.5 not 4.3) isn't the encrypted iat, the great problem is that the main application is "distributed" into a couple of dll's, the exe is a 200kb shit that only loads the dlls and unwraps all to execute the app.
There is a *GREAT* difference between 4.3 and 4.5. (BTW: I'm able to crack 4.3). U cannot dump the exe, bcoz it's only a loader, it actually doesn't have a single byte from the original exe. (well, I guess the icon).
I cannot point to any URL coz the app I have encrypted is visio2000 from a Mocosoft cd.
Kilby
March 19th, 2001, 13:53
Not wishing to start an argument, so if I phrase this in a way which offends please forgive me, that is not the intent, I just can't think of another way to phrase it.
I cannot speak for VBox 4.3, though I can for earlier versions.
Quote:
The main feature of VBOX 4.5 (yes 4.5 not 4.3) isn't the encrypted iat, the great problem is that the main application is "distributed" into a couple of dll's, the exe is a 200kb shit that only loads the dlls and unwraps all to execute the app.
End Quote
Are you saying that VBox does this, or are you saying that that's how Visio is behaving?
The version of Visio 2000 which I have installed (on this machine) which is an original version of Visio from last year is an exe of 45KB.
Visio32.exe :- 44.0 KB (45,056 bytes)
By Visio's very nature it is a small .exe which calls multiple .dll files, it's a loader in its normal state anyway.
Other progs of this kind are Adobe Indesign and Adobe Incopy.
This can cause fun with unpacking, as I discovered while experimenting with Crunch2. The uncrunch routine was re-entered multiple times, before the app actually ran.
It can look very strange when watching all the exits and re-entries with SIce.
I know that .dll files are not that very different from .exe at a basic level, but are you suggesting that VBox creates all necessary exports within an .exe file and then calls them all in the correct order at the correct time?
I could see an .exe being renamed to .dll but it is still an .exe.
Even at another level for a .dll wrapper being placed around the file with an export to the OEP, but that's about it.
Regards,
Kilby...
tsehp
March 19th, 2001, 14:35
Quote:
lucita (03-19-2001 03:03):
The main feature of VBOX 4.5 (yes 4.5 not 4.3) isn't the encrypted iat, the great problem is that the main application is "distributed" into a couple of dll's, the exe is a 200kb shit that only loads the dlls and unwraps all to execute the app.
There is a *GREAT* difference between 4.3 and 4.5. (BTW: I'm able to crack 4.3). U cannot dump the exe, bcoz it's only a loader, it actually doesn't have a single byte from the original exe. (well, I guess the icon).
I cannot point to any URL coz the app I have encrypted is visio2000 from a Mocosoft cd.
It's also not a problem, and this feature was also quoted in the past thread.
You notify sice loader to break at dll load and dump it, so it will make the main exe.
You can also rebuild the *dll's* iat with revirgin.
read this post, this crack was done in 10 minutes, the most difficult is to learn how to force sice to break at the dll main routine.
lucita
March 20th, 2001, 00:27
Yes, maybe I'm wrong and VBOX 4.5 doesn't do that. Maybe I can rebuild the iat, if u can tell me how to intercept the dll load.
Take note that if I set the Entry Point of the exe to zero, the application runs anyway bcoz when the OS resolves the iat, and it calls the dll main routine, it makes some dirty tricks and all works fine. If there isn't a *HEAVY* relationship between the exe and the dll's when I set the EP of the exe to zero, obviously the exe MUST crash.
Maybe some of u (Kilby, Tsehp) can explain the relation between exe and dll, and/or unwrapping all those.
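Added example (not written by any poster in this thread): a small Python reader for the two PE header fields the posts above turn on, the IMAGE_FILE_DLL bit behind Kilby's remark that a renamed .exe is still an .exe, and the AddressOfEntryPoint field lucita set to zero. The header bytes are constructed inline, and `pe_summary` and `build_sample` are hypothetical helper names.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks an image as a DLL

def pe_summary(data: bytes) -> dict:
    """Return the header fields that decide EXE vs DLL and where execution starts."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 44:
        raise ValueError("missing or truncated PE header")
    # The 20-byte COFF file header follows the 4-byte signature.
    (_machine, sections, _stamp, _symptr, _nsyms, _optsize,
     characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # start of the optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+.
    # In a DLL, an entry RVA of 0 means the image has no entry routine.
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "entry_rva": entry_rva,
        "sections": sections,
        "pe32_plus": magic == 0x20B,
    }

def build_sample(characteristics: int, entry_rva: int) -> bytes:
    """Constructed sample: DOS header plus PE32 headers only, no sections."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, characteristics)
    optional = struct.pack("<HBBIIII", 0x10B, 6, 0, 0, 0, 0, entry_rva)
    return dos + b"PE\0\0" + coff + optional.ljust(0xE0, b"\0")

if __name__ == "__main__":
    # The file name plays no part: only the Characteristics bit is consulted.
    for name, flags, ep in [("loader.exe", 0x0102, 0x1000),
                            ("renamed.dll", 0x0102, 0x1000),
                            ("wrapped.dll", 0x2102, 0)]:
        info = pe_summary(build_sample(flags, ep))
        kind = "DLL" if info["is_dll"] else "EXE"
        print(f"{name}: {kind}, entry RVA {info['entry_rva']:#x}")
```

Windows runs the initialization routines of load-time imported DLLs before control reaches the EXE's own entry point, which is why code in an imported DLL gets to run first.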
Kilby
March 22nd, 2001, 05:10
Sorry about the delay, I have been a bit busy playing with an OCX file.
The only play I have had with VBox was a very quick dumping session a couple of months ago.
If U want to point me towards a 4.5 target I will have a look at that and even take some notes too.
Kilby...
tsehp
March 25th, 2001, 01:21
Quote:
lucita (03-19-2001 21:27):
Yes, maybe I'm wrong and VBOX 4.5 doesn't do that. Maybe I can rebuild the iat, if u can tell me how to intercept the dll load.
Take note that if I set the Entry Point of the exe to zero, the application runs anyway bcoz when the OS resolves the iat, and it calls the dll main routine, it makes some dirty tricks and all works fine. If there isn't a *HEAVY* relationship between the exe and the dll's when I set the EP of the exe to zero, obviously the exe MUST crash.
Maybe some of u (Kilby, Tsehp) can explain the relation between exe and dll, and/or unwrapping all those.
Here's an extract of an answer (made by the owl) to such a question :
for OEP: icedump/tracex
for dumping: icedump/hydra/unvbox.dll/pedump
a quick receipt just in case:
1. iceload -n vboxed.dll
2. run your exe, click 'Try' or whatever to pass by the nag
3. winice breaks as vboxed.dll!DllMain gets called for the first time
4. still in winice: /tracex <start VA of first section> <end VA of first section>
addresses can be fetched from map32 output
5. wait for first break, then you will have to issue another /tracex with a
slightly lower upper bound (no algo here, use zen to guess it, trying never
hurts)
6. 2nd break should normally be at the OEP, time to dump
7. /hydra unvbox.dll
8. /pedump <dll base VA> <RVA of DllMain> unvboxed.dll
you can remove the point 7 if it doesn't work and rebuild the iat's with revirgin.
regards,
+Tsehp
lvcita
March 26th, 2001, 22:59
I will try it, Thanks a lot.
Mario
December 7th, 2001, 07:52
VBOX 4.5 target (5 megs)
http://www.morphink.com/cgi-bin/dl.pl?MorphInkTrial
Solomon
December 7th, 2001, 09:13
Here is another interesting target packed by VBOX 4.5:
Visual SlickEdit v6.0c (you need to fill the form and get a trial key)
h**p://w#w.slickedit.com/purchase/pu_regtrial.php?platform=wb-nt
This time the packed target is not an EXE, but a DLL called vsapi.dll
BTW: it's really a great IDE for programmers