VBOX 4.30 Probz


DGR
February 13th, 2002, 07:20
Hi,

I'm trying to unpack a vbox4.30 wrapped prog (NTI CD Maker v5.1.9) but I am totally not successful. The tutorials don't correspond... The GetProcAddress is called from within shell32 and I never return to regions even coming near to the ones in the tuts. In the end I suddenly return to the program/preview code (416E08) and another F12 completely fires up the program. The only code I see in the meanwhile is from shell32. Even the standard tools (ByeVbox and The UCF unpacker) are unsuccessful. Does ne1 have a clue what might be wrong? I have neither found any sign of anti softice code... it runs just fine with softice loaded and all. Totally blank here :/

Tia.

DakienDX
February 13th, 2002, 13:33
Hello DGR !

The problem with this application is that the debugger check was disabled during protection. So there is never an INT 03h executed to check if a debugger is present and therefore the tutorials and the automatic unpackers don't work.

I'll take a look at it this evening. It shouldn't be too hard to find another breakpoint to set.

DakienDX
February 13th, 2002, 14:13
Hello DGR !

It seems the program is not protected by VBox itself. It uses a VBox-like encryption like the one found in VBoxBuilder.exe (4.3). It only encrypts, but does not limit the execution or display nag screens.

This application uses the VBox API. (I don't know if such a thing exists, but I would call it this way) It imports some functions from VBOXS430.DLL. You should first unpack the program. It isn't difficult, here's a clue: OEP=0047D300h

It says "Could not verify license file" and quits when unpacked, but it should be easier to analyse it this way.

DakienDX
February 13th, 2002, 14:58
Hello DGR !

The whole thing ends up in a single Call xxx; Test EAX, EAX; Je BadBoy. So you need only to NOP out the procedure called before the check and patch the conditional jump.

DGR
February 14th, 2002, 19:44
Hi there Dakien, first of all thanks for your help... I tried unpacking the proggie as well before I posted here but it didn't seem to work (even tho the OEP u mention looks hella familiar). Perhaps I made a few stupid and simple booboos (not totally impossible with me hehe), I did find the check in softice and indeed... passing it is simple as hell. It was just the vbox part (or apparently the lack of the real vbox) which made me stumble.

I will be looking at it tomorrow again, now is sleepy time

Thanks again and take care,

D.