Vbox 4.6 ??? [Archive] - RCE Messageboard's Regroupment

View Full Version : Vbox 4.6 ???

Dissektor

September 30th, 2001, 06:15

Ran into this in Authorware 6 trail. tried previous essays 'bout v4.5 . dont work an crashes . looks like new encryptions.

Any help is welcome

meaculpa

January 23rd, 2002, 05:04

Hi,
Your assumptions are correct!
The newest version is 4.6.1, could someone please help us out
by supplying a Vbox Builder SDK of the newer versions (from 4.3 up).

Thanks in advance.

ciao,

Solomon

January 24th, 2002, 04:29

I have tried Authorware 6 trial with ReVirgin & ImpREC, both can successfully resolve the API entries. Only 2 redirected have to be manually fixed.

Code:



IAT RVA     API Name

240DA0     GetMessageA

24104C     PeekMessageA

OEP = 61BA30, IAT RVA = 24095C, IAT Length = 814

my unpacked exe runs well. WeiJunLi has to work hard

+SplAj

January 24th, 2002, 05:31

Hi Sol

What was the trick code that stopped IAT builders finding those API's ?

I am baulking at D/L 65megs just to DIY. Thanks.....

Spl/\j

Solomon

January 24th, 2002, 05:39

hi SplAj,

here are the 2 redirected ones. The 2 "CALL 0700EB6E" are the trick. It's not a long journey to trace into this call.

Code:



:u *640da0 l 40

0023:0700EB50  CALL      0700EB6E

0023:0700EB55  PUSH      DWORD PTR [ESP+10]

0023:0700EB59  PUSH      DWORD PTR [ESP+10]

0023:0700EB5D  PUSH      DWORD PTR [ESP+10]

0023:0700EB61  PUSH      DWORD PTR [ESP+10]

0023:0700EB65  CALL      [USER32!GetMessageA]

0023:0700EB6B  RET       0010



:u *64104c l 40

0023:0700EBBF  PUSH      EBP

0023:0700EBC0  MOV       EBP,ESP

0023:0700EBC2  CALL      0700EB6E

0023:0700EBC7  PUSH      DWORD PTR [EBP+18]

0023:0700EBCA  PUSH      DWORD PTR [EBP+14]

0023:0700EBCD  PUSH      DWORD PTR [EBP+10]

0023:0700EBD0  PUSH      DWORD PTR [EBP+0C]

0023:0700EBD3  PUSH      DWORD PTR [EBP+08]

0023:0700EBD6  CALL      [USER32!PeekMessageA]

0023:0700EBDC  POP       EBP

0023:0700EBDD  RET       0014