I read the britedust tutorial for unpacking vbox of Derive and a I never could get to the XOR EDX, EDX line.

How many time I have to press F8 to get there?.

Regards

I am quite sure no one can tell you how many times you have to press the F8 key on your keyboard.
Thank God there are no magic gestures. If cracking was that deterministic we would have to find another job.

Peres

VBOX isn't hard at all.

if you are trying to find the entry point, try to set a bpx on an API used by compilers at entry point, such as GetVersion, GetModuleHandleA etc

for the IAT, i think Imprec can rebuild most of them without problems.

Now, VBOX is named Privilege and its a pile of crap.


There are only 2 redirected api and its always the same api functions it seems.
Takes 5 minutes to unwrap Privilege (Aladdin) "protection".

Hopcode

hxxp://www.reteam.org has a couple of good tuts on VBOX

-niko20

it's also very easy to write your own ASM VBox import resolver because every API is lead to the same address.

http://www.exetools.com/forum/showthread.php?t=4160

I have also posted in the Advanced Forum here, a reference to an Imprec plugin by LaptoniC posted on exetools to help resolve APIs for this protection system.

You will find his post at:

http://www.exetools.com/forum/showthread.php?t=5117

and the cross-reference and the attached plug-in are here at:

http://www.woodmann.net/forum/showthread.php?t=6289

Regards,

The easiest way to find the OEP is to use OllyDbg.

Open the file, run it until the Try/Buy Dialog comes up.

BP FreeLibrary

Press Try, When Olly Breaks, Open Memory Window, Select the Code (First) section of the File, Set Memory Break On Access.

BC FreeLibrary

And Run

Boom your at the OEP, now if you can just fix the IAT