
VBOX v4.5 - Corel WordPerfect Office 2002 Trial


dx50azlm
August 31st, 2002, 02:42
I've been looking into how VBOX v4.5 works, and after following the tutorials that are already out there (dEZZY's and r2/+Tsehp's) I keep having the same problem.

My target is wpwin10.exe, and it's definitely VBOXed with v4.5. TNT already put a crack out for this suite, but I wanted to investigate further. "So, I'll use TNT's unpacked wpwin10.exe for comparison," I thought.

I used the following setup to get the dump: SoftIce v4.05, latest IceDump, SoftIce Backdoor Keeper, etc. All under Windows 98 Second Edition. I followed the tutorials and all went as planned. I found the OEP at 00401480, about 10 lines above a break at GetVersion (thankfully it wasn't as hard as I'd feared). The unpacked executable from the TNT release has its entrypoint at 00401480 as well. So at least I know that's correct.

I then did a 'bpm cs:OEP x' and relaunched the application. SoftIce snapped and I was right at the OEP with the code staring me right in the face. This is my first time using IceDump, so I was hoping someone could help me out with this problem I keep coming across: I use the /PEDUMP feature of IceDump and make the PE file as needed. I don't know if I'm getting the parameters right, but I thought the imagebase was 00400000 and the EIP was 00001480. The file gets dumped and I exit SoftIce.

When I inspect the dumped file, it doesn't run (crashes, something to do with kernel32.dll) and the PE sections are called "PREVIEW", "WeiJunLi" and ".rsrc". Something's up here. It sounds like I'm dumping the wrong process. I thought those were markers of a VBOXed file, not an unpacked VBOX file. I've tried running Revirgin, Imprec and all the other tools I can think of to get the dump to work, but no luck as of yet.

Any ideas as to what I'm doing wrong?

JMI
August 31st, 2002, 03:40
dx50azlm:

You indicate that you have read a couple of tuts on VBox and you have made a good effort to show your work, but you have left out one important part of the Posting Guidelines. That is that you do a search of the forum to see whether your question has been asked, and possibly answered, before. Because VBox 4.5 is not the latest version of VBox, there is a good chance that there is information here and on the Web about this protection. You have not indicated that you have read the VBox threads here and I just did a quick check with the "Search" button and there are several, including one titled "VBox 4.5," with a seven step solution from Admiral +Tsehp himself.

Check out those threads and see if they give you a clue to your issue, try them out on your exe and then come back and ask further questions.

Regards.

dx50azlm
August 31st, 2002, 05:03
Sorry for not stating that I had used the search feature already. I searched the message board first for 'VBOX', not 'VBOX v4.5', so my criteria were most likely too broad. Thanks for the tip.

Quote:
Because VBox 4.5 is not the latest version of VBox, there is a good chance that there is information here and on the Web about this protection


My fault on this one. I knew that Vbox v4.5 was old, but I didn't know just how old. Now that I know, I'll be prepared when I come across a more advanced future version.

Quote:
You have not indicated that you have read the VBox threads here and I just did a quick check with the "Search" button and there are several, including one titled "VBox 4.5," with a seven step solution from Admiral +Tsehp himself.


I read that thread already, and the various tips/methods posted in that thread still wouldn't give me a correct dump (mangled IAT or not). However, I don't give up easily. I will go back and triple check everything to make sure I didn't make a silly mistake setting up SoftIce, etc. I won't ask another question about this until I've read every previous thread and only if my dump is still not working.

Thanks for your help.

JMI
August 31st, 2002, 07:44
dx50azlm:

I'm glad that you searched, but a little confused why a search here with "VBox" would not have shown you the VBox 4.5 threads. (It gave me three pages of threads.) I found at least three directly titled something relating to VBox 4.5. One titled "vbox 4.5, trace X 6.025 & DreamWeaver 6", one just VBOX 4.5, and the last "vbox 4.5 tut some problem with iat fixing proc" from as recently as 8-05-02, discussing problems with the r2 tut.

All of these threads discuss rebuilding the IAT. Nothing in your post mentions that you have investigated this issue or which OS you are running. You may have been misled by the r2 tut's comment by +Tsehp that he didn't find a mangled IAT on Win2000, but he still describes using ReVirgin to fix the Imports, as do all of the threads here. There are also comments that there may be relevant materials in the VBox 4.3 tuts. In any case, if you haven't fixed the IAT, this is most likely your problem.

By the way, I own this program and the exe that comes off the disk is 49,202 K. The wpwin10.dll is 7+ mg and the wpwen.dll is 4+mg. This tells you something about the comments in the threads that the exe is just a "loader" for the main components of the program. If it can't find its imports it isn't going to function.

So, next question: Did you repair the import table? Did you check the IAT manually or with ReVirgin/Imprec??

Regards.

TheSearcher
August 31st, 2002, 07:52
Hi,
> Nothing in your post mentions that you have investigated this issue or which OS you are running

He did, you didn't read thoroughly.

> I used the following setup to get the dump: SoftIce v4.05, latest IceDump, SoftIce Backdoor Keeper, etc. All under Windows 98 Second Edition

username
August 31st, 2002, 11:03
Quote:
Originally posted by dx50azlm
When I inspect the dumped file, it doesn't run (crashes, something to do with kernel32.dll) and the PE sections are called "PREVIEW", "WeiJunLi" and ".rsrc". Something's up here. It sounds like I'm dumping the wrong process.. I thought those were markers of a VBOXed file, not an unpacked VBOX file. I've tried running Revirgin, Imprec and all the other tools I can think of to get the dump to work, but no luck as of yet.

Any ideas as to what I'm doing wrong?

Hints: w9x/doc/icedump6.txt and '/hydra' and '/option p'.

JMI
August 31st, 2002, 13:59
TheSearcher and dx50azlm:

TheSearcher is correct that I missed noticing that dx50azlm specified that dx50azlm is using Win98se. I recall that the r2 tut is discussing the reversing effort on Win2K and +Tsehp's comments were about that OS. I still suspect that the problem is the rebuilding of the IAT, but we'll have to await further word from dx50azlm to know for sure. I again notice that he has said that he has tried revirgin and imprec, but problems with this process are not that unusual.

I think username is suggesting that you check whether you have rebuilt the PE header when making the dump, which is an option in /PEDump configured with the /option p command. If you haven't reset the virtual and physical sizes (which I also forgot a few times) your dump will not run. See the "doc" subdirectory in your icedump directory.

Regards.
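The two header-level symptoms discussed so far (section names such as "PREVIEW" and "WeiJunLi", and a dump whose virtual and physical section sizes were never reset) can both be checked by reading the PE section table directly. The script below is an added example written for this thread from a triage and forensics stance; it is not code from the thread, from IceDump, ReVirgin or ImpREC. It assumes a constructed, header-only PE32 sample whose section names are taken from dx50azlm's post, and its `fix_dump_headers` function reproduces in plain Python the header adjustment JMI attributes to IceDump's `/option p` (setting each section's raw size and raw pointer to its virtual size and virtual address), without claiming to be IceDump's implementation.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER layout, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)

# Section names the thread reports inside the VBox-wrapped loader. Used only as
# a triage indicator; this is a constructed list, not a complete packer signature set.
PACKER_SECTION_NAMES = {"PREVIEW", "WeiJunLi"}


def section_table_offset(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header and return
    (file offset of the section table, number of sections)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]        # SizeOfOptionalHeader
    return coff + 20 + opt_size, num_sections


def parse_sections(data):
    """Return each section header as a dict of the fields that matter for triage."""
    off, n = section_table_offset(data)
    sections = []
    for i in range(n):
        f = struct.unpack_from(SECTION_FMT, data, off + i * SECTION_SIZE)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("latin-1"),
            "virtual_size": f[1],
            "virtual_address": f[2],
            "raw_size": f[3],          # SizeOfRawData (the "physical" size)
            "raw_pointer": f[4],       # PointerToRawData
        })
    return sections


def triage(sections):
    """Flag packer-style names and sections that have no bytes on disk, i.e. whose
    contents only exist once the wrapper has unpacked them in memory."""
    findings = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append((s["name"], "packer-style section name"))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append((s["name"], "no raw data on disk; filled at runtime"))
    return findings


def fix_dump_headers(data):
    """For a dump taken from memory, make the on-disk layout match the in-memory one:
    SizeOfRawData := VirtualSize and PointerToRawData := VirtualAddress. This is the
    header adjustment the thread describes as resetting the virtual and physical sizes."""
    buf = bytearray(data)
    off, n = section_table_offset(buf)
    for i in range(n):
        base = off + i * SECTION_SIZE
        vsize, vaddr = struct.unpack_from("<II", buf, base + 8)    # VirtualSize, VirtualAddress
        struct.pack_into("<II", buf, base + 16, vsize, vaddr)       # SizeOfRawData, PointerToRawData
    return bytes(buf)


def build_sample_pe():
    """Constructed header-only PE32 whose section table mimics what the thread reports
    (no section bodies are included; only the headers are needed here)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)    # i386, 3 sections, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic

    def sec(name, vsize, vaddr, raw_size, raw_ptr):
        return struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                           vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)

    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
            + sec("PREVIEW", 0x1000, 0x1000, 0x200, 0x400)    # small stub present on disk
            + sec("WeiJunLi", 0x8000, 0x2000, 0, 0)            # empty on disk, filled at runtime
            + sec(".rsrc", 0x1000, 0xA000, 0x1000, 0x600))


if __name__ == "__main__":
    sample = build_sample_pe()
    for name, note in triage(parse_sections(sample)):
        print(f"{name:<9} {note}")
    for s in parse_sections(fix_dump_headers(sample)):
        print(f"{s['name']:<9} raw_size={s['raw_size']:#x} raw_ptr={s['raw_pointer']:#x}")
```

Run it against a real dump by replacing `build_sample_pe()` with the file's bytes; `triage` tells you whether you are still looking at the wrapper's section layout, and comparing `parse_sections` output before and after `fix_dump_headers` shows exactly which size fields a loader would reject.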

dx50azlm
September 11th, 2002, 06:45
JMI said:

Quote:
I'm glad that you searched, but a little confused why a search here with "VBox" would not have shown you the VBox 4.5 threads. (It gave me three pages of threads.) I found at least three directly titled something relating to VBox 4.5. One titled "vbox 4.5, trace X 6.025 & DreamWeaver 6" , one just VBOX 4.5, and the last "vbox 4.5 tut some problem with iat fixing proc" from as recently as 8-05-02, discussing problems with the r2 tut.


I'm sorry for not being more clear; I meant that I had searched for posts on VBox v4.5 and I was looking for something more specific. I should have added in the word "revirgin" to my search because I believe that's where all of my problems are happening. I will read those posts immediately!

JMI said:

Quote:
In any case, if you haven't fixed the IAT, this is most likely your problem.


I thought so. I tried for 2 days after I posted my second reply to this thread to rebuild the imports. I used Revirgin v1.3 as it was the last version to run under Windows 98. This is where my problem was (and still is). I couldn't figure out how to work the program at first (it runs fine, but the documentation is difficult to follow) and that's what kept holding me back. I would load the initial wpwin10.exe and then launch Revirgin. It would be in the processes list just as expected. After clicking on it and entering the right OEP that I fished out of SoftIce (I found it by using +Tsehp's suggestions for breakpoints), I tried figuring out what to do next. I clicked "Fetch IAT" and Revirgin did its thing, showing me a lot of imports in the big listbox. Many of them were all "??????", and others were the more familiar "kernel32.dll" type. My main problem was, I couldn't figure out how to make the it.BIN file like many tutorials suggest.

JMI said:

Quote:
By the way, I own this program and the exe that comes off the disk is 49,202 K. The wpwin10.dll is 7+ mg and the wpwen.dll is 4+mg. This tells you something about the comments in the threads that the exe is just a "loader" for the main components of the program. If it cant' find its imports it isn't going to function.


Funny thing: I own WP 6/7/8 and 9, but not this one. I just didn't need a word processor anymore a few years back because I started using LaTeX for everything. But then someone asked me if I had WP 10 and after looking around, it didn't turn up. So I grabbed the trial version from Corel's website and when I saw the VBox logo on the nag screen, I was happy. I've been out of cracking for a few years (life always gets in the way, right?) and decided it was time to have a new look at VBox. I knew the EXE was just a loader because it was so small, but I still couldn't rebuild its imports. So that's why it wouldn't run. Going outside and getting natural sunlight must be slowing my mind!

TheSearcher said:

Quote:
He did, you didn't read thoroughly.

> I used the following setup to get the dump: SoftIce v4.05, latest IceDump, SoftIce Backdoor Keeper, etc. All under Windows 98 Second Edition


That was my setup at the time. Since then I've given that computer a new home and I'm back to my Windows 2000 machine. Now I have another problem: SoftIce for Win2K won't work due to a video card issue. I'm going to try installing DriverStudio v2.6 to see if it goes away. The problem is when I try to bring up SoftIce with Ctrl+D, either nothing happens or the screen freezes with no SoftIce window visible. Crazy. I've got an nVidia TNT2 Ultra 32MB AGP 2x card under Win2K with the latest (v40.41) Detonator drivers. I've had this dumb problem for years on my Win2K machine, which is why I kept the Win98se box around. I'm going to try a new setup and see what happens. Maybe using an ATI Radeon card would help matters here.

username said:

Quote:
Hints: w9x/doc/icedump6.txt and '/hydra' and '/option p'.


Which brings me to the other problem I had when trying to unpack this VBox'ed program. I loaded ProcDump v1.6.2 up and started the Bhrama server. I set a 'bpm OEP x' and SoftIce snapped. I tried using the '/hydra' command and specified the target Bhrama server window as required, but ProcDump kept crashing. Something to do with kernel32.dll. I could never get ProcDump working normally under that installation (clean Win98se install with just SoftIce and other tools loaded), which I always thought was really strange. So, this method didn't work for me.

JMI said:

Quote:
TheSearcher is correct that I missed noticing that dx50azlm specified that dx50azlm is using Win98se. I recall that the r2 tut is discussing the reversing effort on Win2K and +Tsehp's comments were about that OS. I still suspect that the problem is the rebuilding of the IAT, but we'll have to await further word from dx50azlm to know for sure. I again notice that he has said that he has tried revirgin and imprec, but problems with this process are not that unusual.

I think username is suggesting that you check whether you have rebuilt the PE header when making the dump, which is an option in /PEDump configured with the /option p command. If you haven't reset the virtual and physical sizes (which I also forgot a few times) you dump will not run. See the "doc" subdirectory in your icedump directory.


Thanks for your help, it's greatly appreciated. You are right in assuming my problems were with rebuilding the IAT. No matter how hard I tried, I couldn't get Revirgin to work, but that was under Win98se. I'm using Win2K now so things should be different. The tutorial gave great directions that worked under Win98, but the part on rebuilding the IAT was a little sketchy at first. Now it's clear what needs to be done. ImpRec came up with an error probably because the IAT was all mangled to begin with.

I did make a PE dump using /PEDump and loaded it up in a PE editor right after. I then fixed the checksum and it looked like the virtual/physical sizes were correct, but then again it's probably something I overlooked, being so rusty at reversing right now.

I'll go read those docs over again, and I'll try unVBoxing a different program to see if it's any easier to do than unpacking WP 10.

Thanks again!

JMI
September 11th, 2002, 07:20
dx50azlm:

Good response and effort at solving the problems. I seem to recall reading some comments/articles about softice and the nVidia TNT2 video card. You might want to check you have the latest drivers. Also try a search here with "softice+ nVidia" and/or "softice + video" type queries and maybe a google search for good measure.

Also revirgin 1.3 is the last update for Win98 and it still has some issues and is not being updated. Win2K is the way to go unless and until all WinXP softice problems are resolved. The new DriverStudio v2.7 is "out." Haven't had time to install it yet. Maybe this weekend. Real life, as you stated. It's supposed to have some improvements for WinXP and such. There are threads here about the new features.

There is also an updated icedump to check out.

Good luck.

Regards.

username
September 12th, 2002, 11:41
Quote:
Originally posted by dx50azlm
username said:
Which brings me to the other problem I had when trying to unpack this VBox'ed program.. I loaded ProcDump v1.6.2 up and started the Bhrama server. I set a 'bpm OEP x' and SoftIce snapped. I tried using the '/hydra' command and specified the target Bhrama server window as required.. but ProcDump kept crashing. Something to do with kernel32.dll. I could never get ProcDump working normally under that installation (clean Win98se install with just SoftIce and other tools loaded), which I always thought was really strange. So, this method didn't work for me.

Hmm, I think there is some misunderstanding here. /hydra has nothing whatsoever to do with Procdump/Bhrama, I don't know where you got that from. Basically when you're at OEP and just about to use /pedump, you specify a plugin to be used during import rebuilding by /hydra. All the rest is automatically done (or so I think, the VBox plugin should work up to 4.6 at least, maybe even newer).

evaluator
September 12th, 2002, 22:10
dx50azlm!

Did you try RV for resolving imports?

DakienDX
September 12th, 2002, 23:51
Hello dx50azlm !

You wrote you're using the latest ICEDump.

Maybe there's a bug in the newest ICEDump which detains the import rebuilding work. At least ICEDump 6.0.2.6 isn't compatible any more with SoftICE 4.05.334 on Win98. As soon as I load any executable (protected or not) with either ICELoad or the SoftICE Symbol Loader, I get a BSOD and the only way out is switching to SoftICE without seeing it on the screen and typing hboot.

After many reboots, some lost clusters and many crosswise connected files I switched back to 6.0.2.5. Now the only dangerous thing on my computer is Windows. ICEDump 6.0.2.5 works without problems.

ImpREC is also a good choice, maybe the best if you're not familiar with import rebuilding and must choose between ICEDump, Revirgin and ImpREC (and manual rebuilding, of course).

Revirgin needs the most manual work and is difficult to understand for people new to it, so it might be a good choice to try one of the other two possibilities first.

dx50azlm
September 21st, 2002, 07:13
To DakienDX, evaluator, username, JMI and TheSearcher: thank you so much for the help thus far. As of tonight I was able to make a working dump by properly rebuilding the imports of wpwin10.exe. It took some figuring out, but it seems the problem was with IceDump and the version of SoftIce I was using. I used the latest version of IceDump with the /hydra option and the dump was made without any problems thanks to the handy vbox plugin.

Here are some personal replies:

JMI said:
Quote:
dx50azlm:

Good response and effort at solving the problems. I seem to recall reading some comments/articles about softice and the nVidia TNT2 video card. You might want to check you have the latest drivers. Also try a search here with "softice+ nVidia" and/or "softice + video" type queries and maybe a google search for good measure.

Also revirgin 1.3 is the last update for Win98 and it still has some issues and is not being updated. Win2K is the way to go unless and until all WinXP softice problems are resolved. The new DriverStudio v2.7 is "out." Haven't had time to install it yet. Maybe this weekend. Real life, as you stated. It's supposed to have some improvements for WinXP and such. There are threads here about the new features.

There is also an updated icedump to check out.

Good luck.


I just installed the latest Detonator drivers (v40.41) and I'm going to install SoftIce once again to see if the problems go away. I'm going to run the search as soon as I post this reply and I know that someone out there has had the same video card/softice issues that I've had.

I noticed revirgin 1.4 is much better than 1.3. I'm running it under Win2K without any problems and am loving every minute of it. After homework is out of the way for some courses I'm taking at the moment, I'll throw DriverStudio v2.7 on and see what happens. Also, the updated IceDump is what I used to get my good working un-vbox'ed dump. It turns out the old version didn't play very well with Win98se and my particular version of SoftIce (even /hydra was broken!). Thanks for all your help.

username said:
Quote:
Hmm, I think there is some misunderstanding here. /hydra has nothing whatsoever to do with Procdump/Bhrama, I don't know where you got that from. Basically when you're at OEP and just about to use /pedump, you specify a plugin to be used during import rebuilding by /hydra. All the rest is automatically done (or so I think, the VBox plugin should work up to 4.6 at least, maybe even newer).


This is exactly what I ended up doing, but after unpacking the latest version of IceDump. Everything is much, much better now.

evaluator said:
Quote:
Did you try RV for resolving imports?


I did. It turned out that running v1.3 under Win98se wasn't as stable as it could have been. But running v1.4 under Win2K solved all the problems. To make my dump I used /hydra and the vbox plugin like username mentioned, but also managed to fix the bad IAT with revirgin v1.4 too. The GUI was a little hard to figure out at first, but the tool did its job, and for that I am thankful for such wonderful software.

DakienDX said:
Quote:
You wrote you're using the latest ICEDump.

Maybe there's a bug in the newest ICEDump which detains the import rebuilding work. At least ICEDump 6.0.2.6 isn't compatible any more with SoftICE 4.05.334 on Win98. As soon as I load any executable (protected or not) with either ICELoad or the SoftICE Symbol Loader, I get a BSOD and the only way out is switching to SoftICE without seeing it on the screen and typing hboot.

After many reboots, some lost clusters and many crosswise connected files I switched back to 6.0.2.5. Now the only dangerous thing on my computer is Windows. ICEDump 6.0.2.5 works without problems.

ImpREC is also a good choice, maybe the best if you're not familiar with import rebuilding and must choose between ICEDump, Revirgin and ImpREC (and manual rebuilding, of course).

Revirgin needs the most manual work and is difficult to understand for people new to it, so it might be a good choice to try one of the other two possibilities first.


I switched to an even newer version of IceDump and all of the problems I described went away. I've never had a BSOD by using either of the loaders, but I'd get GPFs in kernel32.dll for no reason when the OS was just sitting idle. That's why I couldn't ever get ProcDump to work. As soon as I switched to the newest IceDump (v6.026) everything worked as it should. Strange, no? So I go to v6.026 and things start working, but you go to the same version and things stop working. Interesting to say the least!

ImpRec is my favourite tool right now, but it sometimes is unable to do what's mentioned in some tutorials (the ones that recommend revirgin for example). It's very friendly compared to revirgin, which IMHO is powerful software that needs an illustrated manual for first time users that goes through the most common steps needed to get a working IAT for your dump. I just simply couldn't figure it out, but that's probably a byproduct of aging.

Thanks everyone for your help. The target is dumped and fixed now, and I understand more about vbox. In the end, understanding is really all that matters. The dumped programs are fine, but nothing beats sniffing the inner workings out of a commercial protection.