Hi,

I'm a newbie in RCE. I try to remove a vbox 4.3 protection from an app using Dezzy/DoD tutorial - "How to manually remove a vbox 4.3 protection", but the dumped file didn't work (generate a page fault).

After a bunch of trial & error (and crash), I finally get a running app, simply by changing the option in Procdump -> 'rebuild import table' instead of 'rebuild new import table'.

Anybody can tell the difference of those settings ?

My second question, the new exe is bigger than the original. Is it ok? or maybe there are a lot of unuseful code in the app which could be removed ?

Thanks

Hello Onit !

The difference between the two settings is described in the ProcDump manual.
A VBoxed .EXE is always packed, so the unpacked .EXE will be bigger. There will be probably also much useless code in the unpacked file, but if you're a newbie to RCE, as you say, you shouldn't care much about it.

Hi DakienDX,

Thanks for the explanation.

I read the manual eventhough I didn't understand the details . I'm just curious why the dumped file didn't run correctly when I use the full import rebuild, as described in the tutorial : "Under imports, select 'rebuild new import table', and according to the manual : "There is a BIG chance that generated PE runs perfectly". So I thought I missed something during the dumping process.

Anyway, thanks again.