hi,

I have been working on a new target that are protected with vbox 4.6.2
I have done this a couple of times earlier with success

I have done as follows

Put a break on getstartupinfoa and push the try button
F12 and back in the original program: Scroll some lines up and find the push ebp etc..
Have dunped the program and fixed the iat with imprec. There where 91 unresolved
Two of them where the getmessage and peekmessagea that I had to locate with softice, the
rest where fixed with imprec.
When I start my dumped exe it runs without the vbox screen and everything looks perfect
I wanted to test so I turned my clock forward so the program did expire, then I started
my dumped exe and where very suprised to see the vbox appear on my screen expired. hehe
Well I`m lost from here so if anyone could help it would be nice

regards,
arieri

Check the OEP of the file again. ImpREC is stupid with OEP - when you use it to paste the new IAT into the file, it will sneak in its OEP value, so make sure that you entered the correct OEP into ImpREC as well! Anyway, have you checked the OEP of the unpacked file yet to make sure it is still the one you found? If it's not the you are still running the vbox code first :P

Also, are u sure you opened the right file the second time :P I know it's a lame question but it never hurts to check. hehe.

One more thing, VBOX might have an API so you should look into the possibility that the program imports some VBOX DLL and calls into it. Check that possibility out.

-nt20

Hello folks,

Since you now employed with VBOX.

I think Adobe Encore DVD be protected with VBOX 4.6.


I have one question:

Why cannot remove VBOX protection with the Vbox Cleaner 1.0?

About VBox Cleaner:
This tool is able to detect and remove Vbox files and Registry entries which are NOT removed during or after the uninstall procedure of a Vbox protected software product.


Thanks for help

your both 2 questons in your first post are against rules!

Oh oh....I sense JMI standing nearby...


sars_senum: Please do not post specific targets in this forum. Not only have you posted a specific target, but then you posted along with it a tool to automatically remove protection on that target. This doesn't teach anyone anything. The whole point of this board is to learn on your own, not to distribute cracks. Please remove at least the references to specific software (and the link), to obey the forum rules. If you are unfamiliar with forum rules, you can find them in the FAQ link at the bottom of the forum.

As JMI has stated before, if you wish to share such specific information, you can readily send an email or a PM to the user with which you want to share it.


-nt20 *wonders how well he did for JMI *

Thanks for the advice nikolatesla20

I have checked everything you said
Strange when the program are within the 30 days trial my dumped exe start
without the vbox nagscreen. Maybe this is an upgraded version of vbox
I could not find the oep when breaking on the getversion api. as I usually have done earlier with vbox 4.6.2

regards
arieri

nt20: Thanks for the assist, but I point out a few fine distinctions with sars-serum post. First, he did "identify" a target, but he did not post any code from his identified target.

Second he posted a "tool" and asked why it cannot remove the protection from the target. I'm am not sure we actually have a "don't post any tools" rule that applies to non-commercial "Tools of the Trade." Generally, however, such tools are not posted here.

Third, his tool is actually a very old verson of the "cleaner" from early 2001 and is not actually a self contained working version. It has to be complied to run, as it contains the C source (at least I think that is what it is) for the program and not an exe file. Fourth, he already reported that the program would not make his target work, so, again, nothing to this point would assist anyone in making a working version of the target.

All that aside, you are absolutely correct that we do not want people to come here asking how to remove the protection from specific targets.

sars-serum this is not how we want things to be approached here. You are only trying to use an automatic tool to do your reverse engineering and, when it failed, you want someone to fix it for you. That's not what we do here. This is the place where you come if you want to learn how to do the reversing yourself. You are supposed to study on your own and make your own attempt at reversing your target and ask for assistance with your approach to solving the problem, not a solution to a specific target. Time for you to rethink what you are doing and if you do not actually want to learn how to do these things yourself, you will find plenty of other places on the net where they answer the type of question you have asked.

Regards,

Does the application import any MSVCRT imports? If so, if could be written in MFC. In that case, you should bpx on an API called __set_app_type. If you bpx on getversion or on getmodulefilename or anything else you might end up still in vbox code. My theory for now is that you might not have the correct OEP...or the program is calling a DLL that does some stuff with VBOX, like show dialogs, etc...

to JMI: I can never say it as well as you can. I hope it didn't offend u sans_serum, If I misconstrued your intentions sorry man.

-nt20

maybe this trick helps... in imprec, delete all calls to VBOX-dlls. then open your target in debugger and find the call where vbox-expection happens

yes the target import MSVCRT. I did break on getstartupinfoa and it gives the
same oep as msvcrt __set-app-type. It must be some call back to vboxtb.dll/vboxat.dll

regards
arieri

this tells me you're dealing with Expired program that has a nag like Vbox used to have.. your unpacking job is done so you need to study program code and defeat time limit

Regards.

When I run my "unnpacked exe" before the trial has expired it starts without the vbox screen,
but when I run my"unnpacked exe" after the trial period is over the program starts just
like the original program loading all the vbox stuff first and never reach/load the
original program codes. It never reach to the real oep. When I push the exit button
I got a messagea box saying "could not start cooltype.dll"

regards
arieri

Some guy uploaded a dlltester in armadicko thread .Well its regarding on a commercial protection .Did you notice that? Does it violate the forum rules?

Yes, I saw that and wonder why you are posting your comment in THIS thread. As far as I can tell it is directed at a protection system and does not, itself, provide a "solution" to that system, but is just an analysis tool. But I haven't had time to try to test it myself, so am not sure exactly what it might really do.

Regards,

>>we actually have a "don't post any tools" rule that applies to non-commercial "Tools of the Trade." Generally, however, such tools are not posted here.

If I'm not wrong there is a rule here that tools should not post here(any forums).They should send it to protools


Regards

There are many places where tools could ultimately be posted, but I do not recall an express: "Do Not Post Tools Here" directive from the management. The express rule is "Do Not Ask for the Tools of the Trade."

Regards,

Well thats was discussed in the admin forum when I was a mod here.Btw I'm not sure if this rules stills stands.

Regards