Vbox 4? help
K19
January 10th, 2003, 01:05
Hi to all!
The target I'm working on is Adobe Photoshop 7.0.1 Tryout. This one is Vbox protected, unlike older versions that were demos, so it is a fully functional program, only a Vbox nag appears at program start...
I didn't find any tutorial on this so I had to start from the bottom. The Vbox files in this version are vboxa.dll, vboxat.dll, vboxm.dll, vboxr.dll, VBOXTA.dll, VBOXTB.dll, vboxten-us.vboxlm
I've somehow managed to make Psp. expire so I had to make my copy work and did that with SoftICE (if only I could patch Vbox's vboxm.dll). I then followed the code and found Photoshop's EIP, and so on...
What I've concluded is that the IAT is not messed up, but the problem is there are some calls through the IAT that call a routine in Vbox that returns the real function (I don't know how it gets those APIs). Now, I could make a patch to put the real calls in the IAT and then dump it. The only problem is that after I enter the call from Psp there is no record in memory of where that call came from, so I don't know where to put the good APIs in memory in correct order.
Any help would be appreciated!
+SplAj
January 15th, 2003, 10:41
hmm..
Have you the toolz ? Like LordPE etc etc ?????
_________________________________________________
What I've concluded is that the IAT is not messed up but the problem is there are some calls through the IAT that call a routine in vbox that returns the real function (I don't know how it gets those APIs). Now, I could make a patch to put the real calls in the IAT and then dump it.
The only problem is that after I enter the call from Psp there is no record in memory from where that call came from so I don't know where to put the good APIs in memory in correct order.
___________________________________________________
Did you try a tracer tool like RV / Imprec .. They do - and did the job on those 2 whopper exe's (ImageReady/Photoshop)
The few things I can add is HAVE PATIENCE. Turn 'Faults OFF' in SI and keep 'HOOK' or 'TRAP' the re-directed API. Keep saving the iat.txt and IGNORE ANY 'Program has crashed , press OK to exit...' just carry on and get the IAT.
The other part is that it can take ~15 minutes for the Imprec to tag the dumped exe with a new IT and save it to disk.... these are 15meg whoppers.
Have phun.....I didn't.....same old VBox
Spl<>j
K19
January 16th, 2003, 18:04
Thanks +SplAj for the info!
I managed to rebuild the IAT but now I'm really stuck. ReVirgin did its job with the API calls except for one. When I try to trace it, Windows gives me a bluescreen. I traced the call with SoftICE and saw that it is not a Windows API call; it is a subroutine in vboxtb.dll, and what's worse is that I THINK it's linked with Photoshop's message processing because it is working in the background; the code looks like shown below:
-----PHOTOSHOP!.rdata+06E0-------
0177:00F6D6E0 00 00 4A 03 EF CA F4 BF-EA CA F4 BF 8D 58 F4 BF ..J..........X..
0177:00F6D6F0 E7 47 F4 BF 00 00 4B 03-00 00 4C 03 00 00 4D 03 .G....K...L...M.
0177:00F6D700 FB C8 F4 BF 5A 59 F4 BF-00 00 4E 03 2A 11 F4 BF ....ZY....N.*...
0177:00F6D710 4C 4E F4 BF 2C 1C F4 BF-00 00 4F 03 00 00 50 03 LN..,.....O...P.
0177:00F6D720 6D 24 F4 BF D3 24 F4 BF-1D CA F4 BF 00 00 51 03 m$...$........Q.
0177:00F6D730 00 00 52 03 6A 43 F4 BF-00 00 53 03 00 00 54 03 ..R.jC....S...T.
-----
016F:00BE7601 PUSH EDX
016F:00BE7602 CALL [00F6D6E0] = 034A0000 (RV/Imprec freezes)
016F:00BE7608 MOV [EBP-54],EAX
016F:00BE760B TEST EAX,EAX
---------
016F:00BE761D CALL [USER32!TranslateMessage]
016F:00BE7623 LEA ECX,[EBP-50]
016F:00BE7626 PUSH ECX
---------
016F:00BE7627 CALL [USER32!DispatchMessageA]
016F:00BE762D JMP 00BE75E8
-------------------
016F:00BE763C JZ 00BE767B
016F:00BE763E CALL [KERNEL32!GetTickCount]
The call @BE7602 then goes here:
016F:034A0000 CALL 0700E61F
016F:034A0005 INC ESI
016F:034A0006 XOR [EBX+00000000],EBX
and,
016F:0700E61F PUSH EBP
016F:0700E620 MOV EBP,ESP
--------------------------------
016F:0700E642 CALL 0700E659 -> calls are decrypted
016F:0700E647 ADD ESP,10
016F:0700E64A MOV EAX,[EBP-04]
016F:0700E64D MOV EBX,[EBP-08]
016F:0700E650 MOV ECX,[EBP-0C]
016F:0700E653 MOV EDX,[EBP-10]
016F:0700E656 POP EBX
016F:0700E657 LEAVE
016F:0700E658 RET -> returns to Win APIs usually
---VBOXTB.DLL---
this time returned in VBOXTB.DLL :
016F:0700EBA3 CALL 0700EBC1
016F:0700EBA8 PUSH DWORD PTR [ESP+10]
016F:0700EBAC PUSH DWORD PTR [ESP+10]
016F:0700EBB0 PUSH DWORD PTR [ESP+10]
016F:0700EBB4 PUSH DWORD PTR [ESP+10]
016F:0700EBB8 CALL [USER32!GetMessageA]
016F:0700EBBE RET 0010
016F:0700EBC1 PUSH ESI
016F:0700EBC2 MOV ESI,0705A3D0
016F:0700EBC7 PUSH ESI
016F:0700EBC8 CALL [KERNEL32!InterlockedIncrement]
016F:0700EBCE CMP DWORD PTR [0705A3D0],64
016F:0700EBD5 JNZ 0700EBF2
016F:0700EBD7 CALL 070034DD
016F:0700EBDC TEST EAX,EAX
016F:0700EBDE JZ 0700EBD7
016F:0700EBE0 CALL 07008BBF
016F:0700EBE5 TEST EAX,EAX
016F:0700EBE7 JZ 0700EBD7
016F:0700EBE9 PUSH 00
016F:0700EBEB PUSH ESI
016F:0700EBEC CALL [KERNEL32!InterlockedExchange]
016F:0700EBF2 POP ESI
016F:0700EBF3 RET
------VBOXTB!PREVIEW+DB9E------
Well, any ideas? I really don't know where to start with this...
Regards,
K19.
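As an added illustration (not code from the thread, and not from ReVirgin, ImpREC or any other tool mentioned in it): the SoftICE data dump K19 posted is a slice of the IAT, and the first question any import rebuilder, or any IAT-hook check in malware analysis, asks of such a slice is which slots already hold a real export address and which point at a stub the protector allocated. The script below parses that dump, copied from the post above as constructed sample input, into little-endian DWORDs and classifies each slot against a module address range. The range 0xBFF00000-0xBFFFFFFF standing in for the Windows 9x system DLLs, and every function name, are assumptions made for this example.

```python
import re

# SoftICE data-window dump quoted from the thread post (PHOTOSHOP!.rdata+06E0).
# Used here as constructed sample input; the values are exactly as posted.
DUMP = """\
0177:00F6D6E0 00 00 4A 03 EF CA F4 BF-EA CA F4 BF 8D 58 F4 BF ..J..........X..
0177:00F6D6F0 E7 47 F4 BF 00 00 4B 03-00 00 4C 03 00 00 4D 03 .G....K...L...M.
0177:00F6D700 FB C8 F4 BF 5A 59 F4 BF-00 00 4E 03 2A 11 F4 BF ....ZY....N.*...
0177:00F6D710 4C 4E F4 BF 2C 1C F4 BF-00 00 4F 03 00 00 50 03 LN..,.....O...P.
0177:00F6D720 6D 24 F4 BF D3 24 F4 BF-1D CA F4 BF 00 00 51 03 m$...$........Q.
0177:00F6D730 00 00 52 03 6A 43 F4 BF-00 00 53 03 00 00 54 03 ..R.jC....S...T.
"""

# ASSUMPTION for this example: one address range standing in for the Win9x
# system DLLs. A real check would build this from the loaded-module list.
KNOWN_MODULES = {"system DLLs (assumed range)": (0xBFF00000, 0xBFFFFFFF)}

# selector:offset, then 16 hex bytes separated by spaces and one '-'.
LINE_RE = re.compile(
    r"^([0-9A-F]{4}):([0-9A-F]{8})\s+((?:[0-9A-F]{2}[ -]){15}[0-9A-F]{2})"
)


def parse_dump(text):
    """Turn a SoftICE 'd' window dump into [(slot_address, dword_value), ...]."""
    slots = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        base = int(m.group(2), 16)
        raw = bytes.fromhex(m.group(3).replace("-", " ").replace(" ", ""))
        for i in range(0, len(raw), 4):
            # IAT slots are 32-bit pointers stored little-endian.
            slots.append((base + i, int.from_bytes(raw[i:i + 4], "little")))
    return slots


def classify(value, modules=KNOWN_MODULES):
    """Name the module whose range holds the pointer, or flag it as redirected."""
    for name, (lo, hi) in modules.items():
        if lo <= value <= hi:
            return name
    return "REDIRECTED"  # outside every known module: a protector stub


def audit(text, modules=KNOWN_MODULES):
    """Classify every slot of the dump: [(slot_address, value, kind), ...]."""
    return [(addr, val, classify(val, modules)) for addr, val in parse_dump(text)]


def summary(rows):
    redirected = sum(1 for _, _, kind in rows if kind == "REDIRECTED")
    return {"total": len(rows), "redirected": redirected,
            "resolved": len(rows) - redirected}


def stub_stride(rows):
    """Distances between consecutive redirected targets, sorted by address."""
    targets = sorted(val for _, val, kind in rows if kind == "REDIRECTED")
    return {b - a for a, b in zip(targets, targets[1:])}


if __name__ == "__main__":
    rows = audit(DUMP)
    for addr, val, kind in rows:
        print(f"{addr:08X} -> {val:08X}  {kind}")
    print(summary(rows))
    print("stub stride:", {hex(d) for d in stub_stride(rows)})
```

Run as a script it prints one line per slot and a summary: 24 slots, 13 already pointing into the assumed system-DLL range and 11 redirected, the first of them being the 034A0000 slot that K19's `CALL [00F6D6E0]` goes through. The redirected targets in this dump are exactly 0x10000 apart, so each stub sits on its own 64 KB block; that kind of regularity is worth recording before tracing the stubs one by one.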
+SplAj
January 19th, 2003, 05:06
But you found it already !!!!
____________________________________________
016F:0700EBA3 CALL 0700EBC1
016F:0700EBA8 PUSH DWORD PTR [ESP+10]
016F:0700EBAC PUSH DWORD PTR [ESP+10]
016F:0700EBB0 PUSH DWORD PTR [ESP+10]
016F:0700EBB4 PUSH DWORD PTR [ESP+10]
016F:0700EBB8 CALL [USER32!GetMessageA] <--
016F:0700EBBE RET 0010
_____________________________________________
hobferret
January 19th, 2003, 12:52
Hi K19
R U A 10 legged K9 or what
There is another to look out for in this mess and that is USER32.dll PeekMessageA
/have fun - ferretman

bart
January 20th, 2003, 08:55
Splaj you are my g0d
Did they (eldos) block G.B.'s key?
+SplAj
January 22nd, 2003, 01:39
bart
u mean anycalc key ? v1.76... I don't know...this app is toooo boring to play with. May '02 was last time I deleted it from HD
BTW it's been ~5 months without playing with ASPR.... i'm nearly cured
send PM
Spl<>j
K19
January 22nd, 2003, 19:07
Thanks everyone for the help!
Sorry my response comes this late but I had an exam and couldn't follow the messageboard.
+Splaj, you were right about the GetMessageBoxA, but the odd thing is that it works even with the same parameters pushed (00) for w_param and l_param and EDX is no hwnd!? Same thing with another call that remained unresolved that was PeekMessageA (I also nopped this call and it worked; didn't work with the other one).
Another strange thing (for me), after I traced all the calls with RV I still got 3 calls that RV detected that were from "newasn.dll". Of course there was no such file and I was getting lots of errors so I traced with Sice in the original program and it found it was calling "asn.dll". There was no such file either.
I got the filename in the end and it's "asn.er.dll".
Now all works except when I want to open a dialog like "File/New" or the menu it gives me a "Program execution error" dialog... and the problem is not in the patched calls because I also patched in the original program and it gave no errors... Well, I'll just have to try harder
Thanks to all again.
K19.
Lbolt99
January 23rd, 2003, 00:48
Shit, you know, after breezing thru Corel Graphics Suite 11 and Wordperfect Suite 10 (both vbox 4.6.2), I got the Adobe Illustrator 10 trial and have run into trouble. Clicking on the Vbox logo on the trial screen reveals that it's v4.6.2, but there is a notable difference in the section table. Most 4.6.2 I've seen looks normal but with a ".PREVIEW" section as the last one. This one looks sort of like the section table of an app protected with v4.3.
I dumped it easily enough but RV comes up with only a 50% complete import table. It worked fine resolving all imports (except the usual getmessagea and peekmessagea) on the two corel packages (8 .exe files and 2 .dll files total). The funny thing is, I ran into the same problem with a vbox 4.3 protected app. The import table was 50% botched but if I started up the program with the IAT encryption skipped, everything resolved fine. I'm going to see tomorrow if that same thing works on AI 10, as soon as I figure out how to skip over the encryption/redirection to vboxm.dll in v4.6.2. You can find the IAT routine easily enough with a bpx on getprocaddress before hitting the "try" button.
+SplAj
January 25th, 2003, 14:48
bart
Just found that key on my cd archive and d/l latest anycalc. all is ok. still registered
I searched the net but could not find any 'escaped' keys...so G. B. is safe ;
btw a lot of sql worms out there today .......
Spl/\j