Flash MX - VBOX

Type : Animation program
Protection : VBOX
Tech : Case Study
Crack : I gave up the idea of cracking Flash MX. This baby is protected by VBOX. Dumping and finding the real OEP was very easy, but fixing the IAT was really boring.
Dreamweaver MX had only one API call encrypted by VBOX [see my tutorial about it], but here there are about 200 API calls encrypted by VBOX. I traced about 100 APIs, but the remaining APIs are only activated when we do something with the program, i.e. you work with Flash MX and explore every aspect. My point is that the rest of the APIs are only called occasionally, when the user works with the program, so I gave up the idea of fixing it.
Anyway, here is a brief tutorial about this:
Dumping can be done by putting a BPX GetVersion after VBOX shows its box. Now click the "Try" button. When we break in the main program module, just look a few lines up:
015F:00828864 55 PUSH EBP --- Real EP
015F:00828865 8BEC MOV EBP,ESP
015F:00828867 6AFF PUSH FF
015F:00828869 68D068B000 PUSH 00B068D0
015F:0082886E 68E4BD8200 PUSH 0082BDE4
015F:00828873 64A100000000 MOV EAX,FS:[00000000]
015F:00828879 50 PUSH EAX
015F:0082887A 64892500000000 MOV FS:[00000000],ESP
015F:00828881 83EC58 SUB ESP,58
015F:00828884 53 PUSH EBX
015F:00828885 56 PUSH ESI
015F:00828886 57 PUSH EDI
015F:00828887 8965E8 MOV [EBP-18],ESP
015F:0082888A FF15187BCE00 CALL [KERNEL32!GetVersion] --- we are here
015F:00828890 33D2 XOR EDX,EDX --- Dump here it will work
015F:00828892 8AD4 MOV DL,AH
015F:00828894 89159095C100 MOV [00C19590],EDX
015F:0082889A 8BC8 MOV ECX,EAX
015F:0082889C 81E1FF000000 AND ECX,000000FF
015F:008288A2 890D8C95C100 MOV [00C1958C],ECX
015F:008288A8 C1E108 SHL ECX,08
015F:008288AB 03CA ADD ECX,EDX
Find out the IAT range [CE73A8 to CE85A4]. Use ImpRec:
OEP = 428864
RVA = 8E73A8
SIZE = 11FD
Click "GetImports".
We can see a lot of invalid pointers. These are nothing but VBOX routines which will give the actual API address. I think the Flash MX team has used VBOX to its full extent. It was really easy to fix in the case of Dreamweaver MX, but here the Trace routine in ImpRec fails.
Here is how these API calls are made:
API Emulation in VBOX
*********************
FLASH!.text ----------------------------------------------------------
015F:0082CE07 FF15E878CE00 CALL [00CE78E8] ---> VBOX Code .. Go Inside
015F:0082CE0D 3BC7 CMP EAX,EDI
015F:0082CE0F 89460C MOV [ESI+0C],EAX
015F:0082CE12 7514 JNZ 0082CE28
VBOX ------------------------------------------------------------------
015F:01EA0000 E8C7E51605 CALL 0700E5CC <--- We reach here. Go Inside
015F:01EA0005 698BA000000000000000 IMUL ECX,[EBX+000000A0],00000000
VBOXTA!PREVIEW -------------------------------------------------------
015F:0700E5D2 53 PUSH EBX <--- we reach here
015F:0700E5D3 8945FC MOV [EBP-04],EAX
015F:0700E5D6 895DF8 MOV [EBP-08],EBX
015F:0700E5D9 894DF4 MOV [EBP-0C],ECX
015F:0700E5DC 8955F0 MOV [EBP-10],EDX
015F:0700E5DF 8D45F0 LEA EAX,[EBP-10]
015F:0700E5E2 50 PUSH EAX
015F:0700E5E3 8D45F4 LEA EAX,[EBP-0C]
015F:0700E5E6 50 PUSH EAX
015F:0700E5E7 8D45F8 LEA EAX,[EBP-08]
015F:0700E5EA 50 PUSH EAX
015F:0700E5EB 8D45FC LEA EAX,[EBP-04]
015F:0700E5EE 50 PUSH EAX
015F:0700E5EF E812000000 CALL 0700E606
015F:0700E5F4 83C410 ADD ESP,10
015F:0700E5F7 8B45FC MOV EAX,[EBP-04]
015F:0700E5FA 8B5DF8 MOV EBX,[EBP-08]
015F:0700E5FD 8B4DF4 MOV ECX,[EBP-0C]
015F:0700E600 8B55F0 MOV EDX,[EBP-10]
015F:0700E603 5B POP EBX
015F:0700E604 C9 LEAVE
015F:0700E605 C3 RET -->> RET to Win32API Address
Inside CALL 0700E606 -------------------------------------------------
015F:0700E613 56 PUSH ESI
015F:0700E614 8B750C MOV ESI,[EBP+0C]
015F:0700E617 FF760C PUSH DWORD PTR [ESI+0C]
015F:0700E61A E88EDAFFFF CALL 0700C0AD
015F:0700E61F 59 POP ECX
015F:0700E620 89460C MOV [ESI+0C],EAX = BFF7FFE7 -- API Address
015F:0700E623 85C0 TEST EAX,EAX
015F:0700E625 5E POP ESI
015F:0700E626 7561 JNZ 0700E689
EAX holds the API address.
Inside CALL 0700C0AD -------------------------------------------------
015F:0700C0C9 FF742408 PUSH DWORD PTR [ESP+08]
015F:0700C0CD 50 PUSH EAX
015F:0700C0CE E856000000 CALL 0700C129
015F:0700C0D3 59 POP ECX
015F:0700C0D4 8BF0 MOV ESI,EAX = BFF7FFE7
015F:0700C0D6 59 POP ECX
015F:0700C0D7 EB02 JMP 0700C0DB
Put BPMB CS:700C0D4 X and trace back. We can find every API and where it is called from, but it is really boring, and some APIs are never called in normal working; you will have to do all sorts of things with this baby to make that API call happen, so that we can find where it is called from.
Inside Win32 API -----------------------------------------------------
015F:BFF7FFE4 C20400 RET 0004
KERNEL32!VirtualAlloc
015F:BFF7FFE7 55 PUSH EBP --- Here !!!
015F:BFF7FFE8 8BEC MOV EBP,ESP
015F:BFF7FFEA 83EC08 SUB ESP,08
015F:BFF7FFED 817D0C0000C07F CMP DWORD PTR [EBP+0C],7FC00000
015F:BFF7FFF4 53 PUSH EBX
015F:BFF7FFF5 56 PUSH ESI
015F:BFF7FFF6 57 PUSH EDI
015F:BFF7FFF7 760C JBE BFF80005
This means: CALL [00CE78E8] ---> CALL KERNEL32!VirtualAlloc
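The ImpRec figures given earlier and the stub walk just traced come down to the same two questions an import rebuilder asks of a dump: where does each IAT slot sit relative to the image base, and does the slot point into a loaded system module or into protector code? The Python below is an added illustration of that bookkeeping, not code from this tutorial or from ImpRec; the image base 0x400000 is inferred from the EP/OEP pair, and the KERNEL32 range, the GetVersion address, slot 0xCE7500 and stub 0x01EA0100 are constructed.

```python
IMAGE_BASE = 0x400000                    # inferred: EP 0x828864 - OEP 0x428864
IAT_START, IAT_END = 0xCE73A8, 0xCE85A4  # IAT range given in the tutorial

# Constructed module map (Win9x KERNEL32 placeholder range) and export names.
# VirtualAlloc's VA 0xBFF7FFE7 is from the trace; GetVersion's is made up.
MODULES = {"KERNEL32": (0xBFF70000, 0xBFFF0000)}
EXPORTS = {0xBFF7FFE7: "KERNEL32!VirtualAlloc", 0xBFF71000: "KERNEL32!GetVersion"}

# Constructed IAT contents of the dump. Slot 0xCE7B18 is the GetVersion thunk
# (FF15187BCE00 above); slot 0xCE78E8 points at the VBOX stub 0x01EA0000;
# slot 0xCE7500 and stub 0x01EA0100 stand for an API that was never exercised.
DUMPED_IAT = {0xCE7B18: 0xBFF71000, 0xCE78E8: 0x01EA0000, 0xCE7500: 0x01EA0100}

# Real API each stub returns to once it has been traced by hand; only the
# VirtualAlloc stub was followed in the tutorial.
TRACED_STUBS = {0x01EA0000: 0xBFF7FFE7}


def va_to_rva(va):
    """Virtual address in the running process -> RVA as ImpRec wants it."""
    return va - IMAGE_BASE


def imprec_params(oep_va=0x828864):
    """OEP / RVA / SIZE as typed into ImpRec; SIZE counts both end slots."""
    return va_to_rva(oep_va), va_to_rva(IAT_START), IAT_END - IAT_START + 1


def module_for(va):
    """Loaded module containing va, or None (ImpRec's 'invalid pointer')."""
    for name, (lo, hi) in MODULES.items():
        if lo <= va < hi:
            return name
    return None


def rebuild_iat(iat, traced):
    """Keep valid thunks, swap traced stubs for their API, list what is open."""
    fixed, unresolved = {}, []
    for slot, target in iat.items():
        if not IAT_START <= slot <= IAT_END:
            raise ValueError(f"slot {slot:#x} lies outside the IAT range")
        if module_for(target):              # already a real API address
            fixed[slot] = target
        elif target in traced:              # 0x01EA0000 -> KERNEL32!VirtualAlloc
            fixed[slot] = traced[target]
        else:                               # stub never traced: API not exercised
            unresolved.append(slot)
    return fixed, unresolved
```

The unresolved list is exactly the problem the tutorial complains about: a slot whose stub was never reached stays redirected, which is why coverage of the program's features, not the tracing itself, decides whether the table can be completed.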
We can use the IAT editor in ImpRec to fill in this API. But anyway, I got the full version of Flash MX from warez... who cares about this silly demo.