
vbox 6.4 (Flash MX)


bytexus
May 21st, 2002, 22:43
If anyone could help me with this new vbox version, please tell me how to rip this vbox 4.6 protection. I've found the OEP and IAT address and I tried to rebuild the IAT with ImpREC, but I don't know what to do with the imports found from vboxa.dll.
An interesting thing I've discovered with this new version: if you put a breakpoint on RegisterHotKey you will get a hot key which activates a window where you can reset the trial. My combination was Ctrl+A.

crUsAdEr
May 21st, 2002, 23:09
hi bytexus,

have you tried the API emulator from ReVirgin? Personally I never really tried it, but I heard it works...

You can also do it manually; read r2's tutorial on some Quad metal on the fravia site... the IAT can be built very similarly...

The hot key sounds like interesting stuff :>>... maybe we need to dig into that sometimes....

regards,
crUsAdEr

Solomon
May 22nd, 2002, 02:08
yes please try ReVirgin. It works well with VBOX

bytexus
May 23rd, 2002, 22:58
I've downloaded ReVirgin v1.3 because I have used 1.4 on my Win98 system and I found some bugs (the tracer always blocked the program), and I'll try to rebuild the IAT. If I succeed you will find out.

tsehp
May 25th, 2002, 09:29
if you have problems with 1.3, please write me a msg with the app's url, I'll make some parallel test with new 1.5 version and 1.3 on w98.

I want to be sure it's only a w98 issue, otherwise I'll update the tracer.

later,

tsehp

bytexus
May 26th, 2002, 00:30
RV 1.3 works fine, and the tracer also works OK on my Win98 SE. I've discovered that with this program the real address of the IAT and its length were wrong although I've used the REAL OEP. I have managed to rebuild all the imports (3 of them I've manually traced because the tracer could not resolve those [crash!!!]: PeekMessageA, GetMessageA, GetInputState), but when I run the new dumped target with all the imports restored I receive a message "could not find sheet.dll". I've searched for this file on my HDD but there was no sign of it. What should I do?
The web site where you can find Flash MX: http://www.macromedia.com/software/trial_download/

ThrawN
May 27th, 2002, 12:34
I've used imprec on this exact target( gday necrotoad ) with limited success in win2k but 100% no probs in 98se

ThrawN

bytexus
May 28th, 2002, 10:29
I've tried ImpREC but it doesn't resolve a lot of functions (it finds a lot of references to VBOXTA.dll that remain the same after I've traced them, so I don't know what to do with them).

haec_est
July 5th, 2002, 18:46
:bpx getstartupinfoa+xx

ctrl+up ... and trace back

Oep : 828864

Break due to BPMB #001B:00828864 X DR2 (ET=4.18 seconds)
MSR LastBranchFromIp=02BE099D
MSR LastBranchToIp=00828864

001b:02be099d ffe3 jmp ebx

it's obfuscated inside an INT 20 VXDCall instruction

:map32 flash
Owner Obj Name Obj# Address Size Type
Flash .text 0001 001B:00401000 006B5905 CODE RW
Flash .rdata 0002 0023:00AB7000 000FADC5 IDATA RO
Flash .data 0003 0023:00BB2000 00133BEA IDATA RW
Flash .idata 0004 0023:00CE6000 00005F92 IDATA RW
Flash .rsrc 0005 0023:00CEC000 0031CFCC IDATA RO
Flash .reloc 0006 0023:01009000 00069A65 IDATA RO
Flash PREVIEW 0007 001B:01073000 00016264 CODE RW

:dd ce6000

...look down

Iat rva : 8e73a8
Iat len : ce85a4 - ce73a8 = 11FC

809 imported functions

...after dumping and fixing the IAT it still crashes. Why??? Maybe a vbox presence check???

regards,

haec_est



NB: RV 1.5 hangs after the first trace, but RV 1.4 works fine...

nikolatesla20
July 5th, 2002, 19:41
I rebuilt Flash MX a long time ago, when it first came out, and the biggest problem I had was bad imports.

Let me tell you, you cannot beat SI for making sure your imports are correct !!!

Some problems I encountered with FlashMX were incorrect imports such as Unicode functions, like LoadStringW, etc. YOU MUST GET THESE CORRECT. This is why I use BOTH win 98 AND win2K machines. Although my original dump / IAT was on win98, it wouldn't run on Win2K - because the unicode functions have no mapping in win98, so revirgin didn't know what to put in there. So I had to rebuild the IAT on win2K over again - AND EVEN THEN some imports were wrong.

Remember, a good tool still cannot replace your brain! Look through the IAT you've got so far and examine the Unicode functions. FlashMX has several (GetEnvironmentStringsW is a biggie). If it looks suspicious, trace into it with SI.

-nt20

haec_est
July 6th, 2002, 17:11
...yes, there was a (only one !) bad import, rv resolved
it as Kernel32!InterlockedIncrement instead of
...
500 008E7E80 77E193FE 012E USER32.dll GetMessageA
...

no vbox presence check, just an error ;-)

NB: the same problem also occurs in Dreamweaver MX and Fireworks MX; the fake address is the same for Dreamweaver, Flash and Fireworks... maybe RV doesn't like vbox ;-)

thanks,

haec_est
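The two checks haec_est does by hand in this thread (working out the IAT start and length from the thunk range, and spotting the single slot that ReVirgin filled with Kernel32!InterlockedIncrement instead of USER32!GetMessageA) can be done mechanically when verifying a dump. The Python below is an added example and is not code from this thread, from ReVirgin or from ImpREC: it walks an IMAGE_IMPORT_DESCRIPTOR array in a flat image buffer (RVA == offset, as in a memory dump; a file on disk would first need section-to-file-offset mapping), reports the IAT RVA and length the same way the post computes them, and compares every slot's value with an export map so a slot that resolved into the wrong module is flagged. The image buffer, the module bases and the export addresses are all constructed for the example, not taken from any real Windows build.

```python
"""Walk a PE import directory in a flat (RVA == offset) image and sanity-check the IAT."""
import struct
from dataclasses import dataclass

IMAGE_ORDINAL_FLAG32 = 0x80000000
IMPORT_DIR_RVA = 0x1000          # where the constructed sample places its descriptors


@dataclass
class ImportSlot:
    iat_rva: int   # RVA of the FirstThunk entry (the IAT slot itself)
    dll: str
    name: str      # exported name, or "#ordinal"
    value: int     # what the slot currently holds (a VA once loaded/"fixed")


def rd32(image, rva):
    return struct.unpack_from("<I", image, rva)[0]


def cstr(image, rva):
    return image[rva:image.index(b"\x00", rva)].decode("ascii")


def walk_imports(image, import_dir_rva):
    """Parse the null-terminated IMAGE_IMPORT_DESCRIPTOR array and its thunk lists."""
    slots, off = [], import_dir_rva
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", image, off)
        if oft == 0 and ft == 0:          # all-zero descriptor ends the array
            break
        dll = cstr(image, name_rva)
        lookup = oft or ft                # no OriginalFirstThunk: names live in FirstThunk
        i = 0
        while (entry := rd32(image, lookup + 4 * i)) != 0:
            if entry & IMAGE_ORDINAL_FLAG32:
                fname = "#%d" % (entry & 0xFFFF)
            else:
                fname = cstr(image, entry + 2)   # skip the WORD hint before the name
            slots.append(ImportSlot(ft + 4 * i, dll, fname, rd32(image, ft + 4 * i)))
            i += 1
        off += 20
    return slots


def iat_range(slots):
    """(IAT RVA, IAT length): end of the last slot minus start of the first, as in the post."""
    lo = min(s.iat_rva for s in slots)
    hi = max(s.iat_rva for s in slots) + 4
    return lo, hi - lo


def check_resolution(slots, module_map):
    """module_map: {dll_lower: (base, size, {export_name: va})}.
    Returns (iat_rva, dll, name, value, owning_module, resolved_as) for every slot
    whose value is not the export the descriptor says it should be."""
    problems = []
    for s in slots:
        _base, _size, exports = module_map[s.dll.lower()]
        if s.value == exports.get(s.name):
            continue
        owner = next((d for d, (b, sz, _) in module_map.items() if b <= s.value < b + sz), None)
        resolved_as = None
        if owner:
            resolved_as = next((n for n, v in module_map[owner][2].items() if v == s.value), None)
        problems.append((s.iat_rva, s.dll, s.name, s.value, owner, resolved_as))
    return problems


# Constructed module layout: bases, sizes and export addresses are invented for the example.
SAMPLE_MODULES = {
    "kernel32.dll": (0x77E80000, 0x70000,
                     {"GetStartupInfoA": 0x77E8A3B0, "InterlockedIncrement": 0x77E82F10}),
    "user32.dll":   (0x77E10000, 0x60000,
                     {"GetMessageA": 0x77E13A5C, "PeekMessageA": 0x77E14120}),
}


def put(img, rva, data):
    img[rva:rva + len(data)] = data


def build_sample_image():
    """Constructed flat image: two descriptors, hint/name table, lookup and IAT thunks.
    The USER32 GetMessageA slot is deliberately filled with the kernel32 address of
    InterlockedIncrement to mirror the bad import described in the thread."""
    img = bytearray(0x2000)
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    put(img, 0x1000, struct.pack("<IIIII", 0x1300, 0, 0, 0x1100, 0x1400))
    put(img, 0x1014, struct.pack("<IIIII", 0x1310, 0, 0, 0x1110, 0x1410))
    # bytes 0x1028..0x103B stay zero: terminating descriptor
    put(img, 0x1100, b"KERNEL32.dll\0")
    put(img, 0x1110, b"USER32.dll\0")
    for rva, name in ((0x1200, b"GetStartupInfoA"), (0x1220, b"InterlockedIncrement"),
                      (0x1240, b"GetMessageA"), (0x1260, b"PeekMessageA")):
        put(img, rva, struct.pack("<H", 0) + name + b"\0")      # IMAGE_IMPORT_BY_NAME
    put(img, 0x1300, struct.pack("<III", 0x1200, 0x1220, 0))   # kernel32 lookup thunks
    put(img, 0x1310, struct.pack("<III", 0x1240, 0x1260, 0))   # user32 lookup thunks
    put(img, 0x1400, struct.pack("<III", 0x77E8A3B0, 0x77E82F10, 0))  # kernel32 IAT: correct
    put(img, 0x1410, struct.pack("<III", 0x77E82F10, 0x77E14120, 0))  # user32 IAT: slot 0 wrong
    return bytes(img)


if __name__ == "__main__":
    found = walk_imports(build_sample_image(), IMPORT_DIR_RVA)
    rva, length = iat_range(found)
    print("IAT rva : %x, len : %x, %d imported functions" % (rva, length, len(found)))
    for p in check_resolution(found, SAMPLE_MODULES):
        print("slot %08X %s!%s holds %08X (%s!%s)" % p)
```

On the constructed image this reports an IAT of 0x18 bytes at RVA 0x1400 with four functions and one problem slot, the USER32!GetMessageA entry pointing at kernel32!InterlockedIncrement. The same walk over a real dump needs the import directory RVA from the optional header's data directory and, for an on-disk file, a section-table lookup to turn each RVA into a file offset; the export map would come from the actual loaded DLLs rather than a constructed dictionary.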