ripping vbox out of paradise

hello! Wanted to do something "special" before I have to join the military forces, to fight for peace in Austria. *sighs* We call the few inexperienced people with aged weapons an army, although we all know even a group of terrorists could win a war against Austria. Anyway, that's another topic we don't wanna discuss here. This essay describes how to rip vbox 4.2 out of any prog which got wrapped with it.

tools needed
^^^^^^^^^^^^
#standard tools (softice, procdump, ...)
#a debugger which automatically stops at an int3, like TurboDebugger
#either a prog wrapped with vbox, or make your own one and wrap it

I assume you have these tools at home... coz I dunno the urls where to get them :) hehe

let's get started
^^^^^^^^^^^^^^^^^

a.) the annoying anti-debug trick

Start your OS without softice enabled. Load your prog into TurboDebugger and run it (F9). It will break on an int3. Look at si and di and you're gonna see the magic values (si=4647h; di=4A4Dh). Step over the int3 till you've passed the ret. Write down the address of the jump (jmp [ebp-07]). You can now quit TurboDebugger. ebp-07 points to the temporary buffer where the int3 and the other instructions are executed. Now reboot with softice enabled.

#how the ad-trick works: vbox sets up SEH and then calls our int3.
#If softice is present it will handle the int3 without raising an
#exception, therefore vbox knows softice is installed. If an exception
#gets raised the program continues as normal.
#

Load the prog into Symbol Loader. Now set a breakpoint on that location you wrote down before. But don't use bpx, due to CRC checks: use bpmb x. Now run it; back in softice we're gonna raise an exception. Edit the value stored at [ebp-07] to 0 by typing ed (ebp-07) 0. That will cause one. Now F5 and you don't get that annoying tamper message but you get a dialog box. Press Try and you'll get kicked back to softice again. Another time change the value at [ebp-07] to 0. Before pressing F5... we've to set a breakpoint...
b.) finding the final jump

In order to find the final jump we've to know what the prog is doing next. At least we can assume it :). It has to get the addresses of the APIs we use in our prog. This is done through GetProcAddress. Break on that using bpx GetProcAddress. Now F5... Back in softice disable all breakpoints and get out of the GetProcAddress call by using F12.

Now a kind of annoying thing comes: stepping through masses of code :) It's not that hard... I'm gonna shorten it up. You could search for the opcodes to short it up:

53,53,ff,d6,5b,85,c0,74,2e,68,00,80,00

This should be something like that:

push ebx
push ebx
call esi

Anyway you'll find your way till there (1 min to step to that location). Trace into call esi; there you'll find only one call, step into it... then step, step, step till you come across a call eax. Don't step into it... the next call is the last we're gonna step into. Trace... and you'll find

mov ebx,[ebp-14]
jmp ebx

That's the final jump (ebx is of course the entry point of your prog). Write down ebx. Step to it, but don't execute the jump. Now enter an infinite loop with 'a eip' 'jmp eip'.

c.) dumping the paradise

Open procdump; select the prog from the task list; right-click and select full dump; save it. Open up PE Editor and change the entry point to what you saw in ebx (remember entrypoint = 'what you saw in ebx' - 'imagebase'). Now just make it more compatible and open the file in Rebuild PE. You've now a prog without vbox. Have fun....

Greetings to Volatility, Torn@do, LordSoth, Lucifer48, Acid_Burn, Xom, Einride (for helping me with seh), Halvar, knotty, WarezPup, icecream, Lazarus (sheepy:), RevX, CarckZ, AB4DS, the whole #cracking4newbies, and all I forgot (maybe a lot, sorry) and of course to previewsystems for developing vbox.

contact me through email: alpine@ImmortalDescendants.com
or visit us at: www.ImmortalDescendants.com
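The entry-point bookkeeping in c.) is the part of this walkthrough that an analyst repeats whenever a wrapped binary is triaged: the header's AddressOfEntryPoint is an RVA, the address seen in a register at the final jmp is a VA, and the two differ by the image base. The Python below is an added example, not code from this essay or from Preview Systems. It builds a constructed PE32 header in memory (the `.stub` section name and every address in it are assumptions), parses it back, converts an observed VA to an RVA, and reports whether the header entry point and the observed original entry point land in different sections, which is exactly what you see when a wrapper stub runs before the real program.

```python
import struct

# Section characteristic flags from the PE specification (real values).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_sample_pe(image_base=0x400000, entry_rva=0x4000):
    """Constructed minimal PE32 image (headers only, no real code).

    The ".stub" section name is hypothetical: it stands in for wherever a
    wrapper parks the code that the header entry point jumps into.
    """
    sections = [  # (name, VirtualAddress, VirtualSize, Characteristics)
        (b".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x3000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".stub", 0x4000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    ]
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: PE signature right after the DOS header
    # COFF header: Machine=i386, NumberOfSections, timestamp, symtab ptr, nsyms,
    # SizeOfOptionalHeader=224 (PE32), Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint (an RVA, not a VA)
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)       # FileAlignment
    struct.pack_into("<I", opt, 56, 0x5000)      # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_pe(data):
    """Read ImageBase, AddressOfEntryPoint and the section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize, "chars": chars})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def va_to_rva(va, image_base):
    """entrypoint = 'what you saw in ebx' - 'imagebase', with a sanity check."""
    if va < image_base:
        raise ValueError("address 0x%x lies below the image base 0x%x" % (va, image_base))
    return va - image_base


def section_for_rva(pe, rva):
    """Name of the section containing rva, or None if it falls outside all sections."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s["name"]
    return None


def analyse_entry(pe, observed_oep_va=None):
    """Compare the header entry point with where execution was seen to land."""
    hdr_rva = pe["entry_rva"]
    result = {
        "header_entry_va": pe["image_base"] + hdr_rva,
        "header_entry_section": section_for_rva(pe, hdr_rva),
    }
    if observed_oep_va is not None:
        oep_rva = va_to_rva(observed_oep_va, pe["image_base"])
        result["observed_entry_rva"] = oep_rva
        result["observed_entry_section"] = section_for_rva(pe, oep_rva)
        # Header entry and real entry in different places: a stub runs first.
        result["entry_redirected"] = oep_rva != hdr_rva
    return result


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(analyse_entry(pe, observed_oep_va=0x401000))
```

With the constructed header the script reports the header entry at 0x404000 inside `.stub` and the observed entry at RVA 0x1000 inside `.text`, flagged as redirected; an RVA that lands in no section at all is the first thing to check before trusting any dump, since a stray register value subtracted from the wrong image base produces exactly that.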