
vbox 4.5 tut some problem with iat fixing proc


LaptoniC
June 6th, 2001, 05:10
I am trying to follow the new tut about vbox 4.5. Everything is ok until this iat fix proc.
Code:

017F:0700ED95 MOV [EBX],EAX ; moving it to its place in the iat
017F:0700ED97 ADD EBX,04

I have tried to enter mov [ebx],eax in softice but it always changes to mov [ebx],ax. I have assembled this proc with masm and now another problem comes.
cmp eax,000 turns to 83F800 which is 3 bytes.
However in the original proc it is 4 bytes long.

Thanks.

JimmyClif
June 6th, 2001, 06:08
I may be not much of a help with VBox but here are my ramblings:

>I have tried to enter mov [ebx],eax in softice but it allways change to mov [ebx],ax
did you write: mov dword ptr [ebx],eax ?

>cmp eax,000 turns to 83F800 which is 3 bytes.
>how ever in original proc it is 4 bytes long.
Most people try to save bytes... you try to have more? *g*
Fill in a nop if you really want to give away this space... it does the same anyway.
PS: test eax,eax is only 2 bytes and does the same too.

Kilby
June 6th, 2001, 07:51
Something in the back of my head says you should specify that it's a double word, when assembling in softice.

Kilby...

LaptoniC
June 6th, 2001, 16:34
I have tried using dword and it worked. I have dumped this proc to a file and I have tried to load it with the icedump load command each time I have tried. I have tried 5 times and every time Vbox gives an error at
017F:0700EDFE CALL 0700EE15
and it dies at this call. It doesn't fix the iat. What am I doing wrong? I have done exactly like this.
Found oep, bmp oep x. I have traced it to the first api call, getversion, which points to call 0700EDDB. I wrote a 700ed91 and put the proc here. When I am at 700EDDB I have changed ebx to 80f000. I have looked at what is at ebx by dd ebx and then wrote e ebp+4 xxxx which is the dword at ebx. However it gives two errors and never comes to the bpx I have put on 700edc3.
What am I doing wrong here? Any help will be appreciated.

tsehp
June 7th, 2001, 14:35
I wrote to droid, for him to read this thread and eventually update the essay if necessary.
I'm trying this app with rv ;-)

later

tsehp
June 8th, 2001, 14:14
still no news from droid.

I used revirgin to fix this one, and it just made it, just as easily as previous vbox versions...;-) Lol Lol Lol

Just read the revisited essay, I added all the info that I paste here for you, on win2k:
oep 5b002f
iat start 407000
len d10

use the auto section + it paste on the dumped target and this will work fine, btw I absolutely didn't find any traces of a mangled scheme inside the new vbox 4.5, I'd also like to know what is really new inside ;-)

If there's nothing new more than the 5 instead of 3, we'll just have to consider all that we said on this thread as useless and switch back to the good old vbox 4.3 essays, waiting for something new to be done.

best regards,

+Tsehp

ps: here are the it.bin + resolved iat for the laziest of you

LaptoniC
June 8th, 2001, 17:17
I have pasted your it to my dumped xmetal but it didn't work. My mouse turns to the busy state and then the program dies; the only way to close it is by ctrl+alt+del. What can be wrong? I have used SV's it includer. I can't use revirgin to paste the iat because when I was working with iris 3.1 I forwarded my clock and opened xmetal accidentally, so it is already expired. Sorry for asking so many questions but I am trying to learn unpacking

tsehp
June 9th, 2001, 01:42
My it is working on win2000, hope you didn't make it on win9x ;-)

How do you expect revirgin to work if xmetal21 is not working?
Sorry, but you have to learn to reset the vbox 4.5; read the previous essays concerning this on vbox 4.3, publish here what you've found and I could help you

regards

tsehp

LaptoniC
June 9th, 2001, 13:44
I have Xmetal 2.0.3.099
I have found the entrypoint same as in the essay, 5B4865. I have dumped it, I have put 5B4865-400000=001B4865, I have pasted your it with Sv's program and it doesn't work. I have tried this on both win2k and win98 se

hz
June 9th, 2001, 15:30
hiya,
maybe way off base here but did you remember, after you added the new section, to go to the directory and change the iat pointer to point to the new section? Just a thought (rare) as I have forgotten to do it a couple of times.
regards

r2r2
June 9th, 2001, 18:00
laptonic: read the part that follows the inline patch, you'll see it'll never bpx at the intended address; that doesn't mean the work isn't done..

tsehp: you're probably 100% right =)
i'm gonna check how to unpack this program with revirgin in w9x. (i didn't try to, initially)
be sure i'll mail/post results there and update/(remove if useless, tho maybe it can help writing a universal unwrapper?) my tut in consequence.

thanks for your comments,
r2

tsehp
June 10th, 2001, 10:02
laptonic: learning to reverse is the goal of this mb, not learning to insert the it.bin file I provided you to compare with attempts/results...

r2: it should also work on win9x; I didn't try because on vbox revirgin's tracer is unstable, you can do it but 5 iat entries at a time, and save your work every time you trace more; when all the tracing is complete, save the text file, then resolve with fix sections checked and rv will auto update your dumped target, add the section and fix the pe.

Actually I'm finishing the new tracer (5 times faster, much more stable, works in ring0) so I don't have the time to try it on win9x because I'm finishing writing some int handlers for the tracer. But tell me your results/problems and I'll help you.

regards,

+Tsehp

madmax
June 10th, 2001, 14:49
I was wondering whether the builtin BHRAMA function of PEDUMP/ICEDUMP should be utilized in such a case... I know a sample vbox plugin still works for 4.3, so 4.5 can't be much different =)
Nothing against RV/imprec (these 2 are lifesavers!) but it might be good to explore plugin coding as a 2nd option... With a working plugin, PEDUMP alone will suffice... I've not become familiar with writing such plugins, but it seems interesting.. Plus, you could actually release the plugin and be famous =) (safedisc 2 100% working would be nice!)

madmax!

tsehp
June 10th, 2001, 18:47
Yes, interesting, but following this option you assume that the plugin is protection and version dependent, and open to read for everyone, meaning less work for the protectionists to make them fail. Sad but true, imho one of the reasons that this place is just the tip of the iceberg.

That's why I chose another way: build an app, without releasing the source, and maybe in the future (with the help of reversers addicted to it) adding some code obfuscation, but actually the level of attempts to make the tool fail makes this not worth the case.

r2r2
July 8th, 2001, 11:49
just to let you know i'm going to update my tut very soon (now that i'm on holidays..), because a few details/mistakes were left.

also i really had troubles fixing the iat with revirgin (not an up-to-date version), and i'm going to retry with rv 1.10 build9 asap.

thanks for your interest.

hobferret
July 25th, 2002, 10:03
Hi r2r2, did you get anywhere with this? I got a prob with 0040f780; if i trace into it, it goes to peekmessagea and interlocked increment but none of these work. Just wondered if you or someone else had any ideas - this is on w98 not 2000. I am just doing it for something to do in spare time but it is bugging me cos i can't fix it.

hobferret
July 27th, 2002, 10:12
Hiya, I managed to work it out. It wasn't the IA @ 80f780 which was PeekMessageA but another @ 80f74c which was GetMessageA - revirgin told me it was InterlockedIncrement. For those who are interested, I found it by setting a bpm xxxx:0080f74c r and eventually ended up in vboxt.dll which gave me the correct call. Hope this is of some interest to somebody out there!

haec_est
August 5th, 2002, 18:56
these two apis are often (always?) redirected in a different
way, at least in v*ox 4.5+ ...

this was ripped from mm fir*eworks...

Code:

0008:0700eb50 e819000000 call 0700eb6e
0008:0700eb55 ff742410 push dword ptr [esp+10]
0008:0700eb59 ff742410 push dword ptr [esp+10]
0008:0700eb5d ff742410 push dword ptr [esp+10]
0008:0700eb61 ff742410 push dword ptr [esp+10]
0008:0700eb65 ff158cc30407 call [USER32!GetMessageA]
0008:0700eb6b c21000 ret 0010


so the rv trace command will follow the 'call 0700eb6e' but
it calls other apis so rv will be confused...

Code:

0008:0700eb6e 56 push esi
0008:0700eb6f bed0a30507 mov esi,0705a3d0
0008:0700eb74 56 push esi
0008:0700eb75 ff150cc20407 call [KERNEL32!InterlockedIncrement]
0008:0700eb7b 833dd0a3050764 cmp dword ptr [0705a3d0],64
0008:0700eb82 751b jnz 0700eb9f
0008:0700eb84 e85449ffff call 070034dd
0008:0700eb89 85c0 test eax,eax
0008:0700eb8b 74f7 jz 0700eb84
0008:0700eb8d e8da9fffff call 07008b6c
0008:0700eb92 85c0 test eax,eax
0008:0700eb94 74ee jz 0700eb84
0008:0700eb96 6a00 push 00
0008:0700eb98 56 push esi
0008:0700eb99 ff1508c20407 call [KERNEL32!InterlockedExchange]
0008:0700eb9f 5e pop esi
0008:0700eba0 c3 ret


the same for PeekMessageA :

Code:

001b:0700ebbf 55 push ebp
001b:0700ebc0 8bec mov ebp,esp
001b:0700ebc2 e8a7ffffff call 0700eb6e
001b:0700ebc7 ff7518 push dword ptr [ebp+18]
001b:0700ebca ff7514 push dword ptr [ebp+14]
001b:0700ebcd ff7510 push dword ptr [ebp+10]
001b:0700ebd0 ff750c push dword ptr [ebp+0c]
001b:0700ebd3 ff7508 push dword ptr [ebp+08]
001b:0700ebd6 ff15d4c30407 call [USER32!PeekMessageA]
001b:0700ebdc 5d pop ebp
001b:0700ebdd c21400 ret 0014


these seem to be the only apis redirected in this way, so
if your v*oxed proggy imports apis from user32.dll, check
twice the rv generated iat
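To make the point above concrete, here is an added Python example (it is not from the thread, nor from revirgin) that walks such a stub statically and separates the first import a tracer meets from the import the stub itself forwards to, which is what hobferret's InterlockedIncrement-vs-GetMessageA confusion comes down to. The listing is a constructed sample, abridged from the lines quoted above; LINE_RE, api_hits and resolve_thunk are names chosen here.

```python
import re

# Constructed sample, abridged from the SoftICE listings quoted above (two user32 stubs + shared helper).
LISTING = """\
0008:0700eb50 e819000000 call 0700eb6e
0008:0700eb65 ff158cc30407 call [USER32!GetMessageA]
0008:0700eb6b c21000 ret 0010
0008:0700eb6e 56 push esi
0008:0700eb75 ff150cc20407 call [KERNEL32!InterlockedIncrement]
0008:0700eb99 ff1508c20407 call [KERNEL32!InterlockedExchange]
0008:0700eba0 c3 ret
001b:0700ebbf 55 push ebp
001b:0700ebc2 e8a7ffffff call 0700eb6e
001b:0700ebd6 ff15d4c30407 call [USER32!PeekMessageA]
001b:0700ebdd c21400 ret 0014
"""

# seg:addr  opcode bytes  mnemonic  [operands]
LINE_RE = re.compile(r"^[0-9a-f]{4}:([0-9a-f]{8})\s+[0-9a-f]+\s+(\S+)\s*(.*)$", re.I)
API_RE = re.compile(r"\[(\w+!\w+)\]")   # call through a resolved import slot

def parse_listing(text):
    """Return [(address, mnemonic, operands)] in listing order."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append((int(m.group(1), 16), m.group(2).lower(), m.group(3).strip()))
    return insns

def api_hits(insns, start, depth=0):
    """Straight-line walk from start to its ret, descending into direct calls that land
    inside the listing (jumps are not followed; calls outside the listing are skipped).
    Returns [(api, call depth)] in the order a tracer would meet them."""
    index = {addr: i for i, (addr, _, _) in enumerate(insns)}
    hits = []
    for _, mnem, ops in insns[index[start]:]:
        if mnem == "ret":
            break
        if mnem != "call":
            continue
        m = API_RE.fullmatch(ops)
        if m:
            hits.append((m.group(1), depth))
        elif depth < 4 and re.fullmatch(r"[0-9a-f]{8}", ops, re.I) and int(ops, 16) in index:
            hits.extend(api_hits(insns, int(ops, 16), depth + 1))
    return hits

def resolve_thunk(insns, start):
    """(API a first-hit tracer reports, API the stub itself forwards to)."""
    hits = api_hits(insns, start)
    own = [api for api, d in hits if d == 0]
    return (hits[0][0] if hits else None, own[-1] if own else None)
```

For both user32 stubs the first hit is KERNEL32!InterlockedIncrement while the forwarded import is GetMessageA or PeekMessageA, so an IAT entry rebuilt from the first hit alone is the one to double-check.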