A tutorial about defeating VBox 5

Macromedia HomeSite 5, formerly known as Allaire HomeSite, is back and evil(?)

Difficulty: Intermediate

For many years I was told that VBox isn't anything to bother with, and just a couple of weeks ago I was laughed at in #cracking4newbies, but that didn't help me defeat this target, so I gave it a shot anyhow.

The tools I recommend: SoftICE, ImportREConstructor, ReVirgin or any other IAT fixer, PEditor or ProcDump, IceDump, and some optional programs (see below).

The target can be found at www.macromedia.com

Start by loading the target in the Loader and fire it up. You will hit the encrypted part of the exe, so just travel a bit down (about 10-15 lines) and then use the /tracex command that IceDump supplies. What tracex does is all the dirty work through the exe, so type the following line:

/tracex 400000 A8D271

where A8D271 is the address area you're currently in, so change it to fit your own situation. Whether you choose A8D271 or A8D270 or something above doesn't matter. After launching the command, take a break for about 11-17 minutes ;) That's about what it took me, so... come back later.

--------------------------------------------------------------------------------------------------------

Ok, let's continue, but what's this! If you look at the code you landed in, it looks "normal", and if you got a funny feeling, that's ok, because it's the OEP that you landed on (I got 858D84). So don't fuck it up; type:

/dump 400000 6F5000 somename.exe

After the dump is complete, press F5 and make a copy of the dumped file (just in case). Launch either copy in PEditor, change the OEP and fix the sections.

Now comes a chapter where I think there are smoother ways to do it, but mine worked, so the rest is for the guys with no lives (of course comments are ok, but accept this approach!). I did it like this: I looked up the IAT with ReVirgin by entering the OEP (why? ImportREConstructor didn't find any with the OEP). Take the right IAT, paste it into ImportREConstructor and hit "Get Imports". That's it, the imports are there and they look alright. So fix the dump now and save your work.

The question is whether it's gonna work or not, but since I'm writing this now that's a bit of a boring question, but anyway: "WOW it worked" ;P There is a difference, though: 4 messages appear after the launch, but these are just the calls to VBox(?) that fail. Another thing is that the time is up, the copy has expired. But the unpacking went ok, so the thing to fix now is how to make it work even though VBox is gone.

My solution was based on the thought "Just make the fucker run", so I made sure the MsgBoxes never appear, and by checking the routine of how the working copy runs I could figure out which jumps to change. I also used a hex editor to change the texts, since it's never funny to have cracked a program that still says "Unregistered" or similar (I think you know what I'm talking about). Anyhow, this is the output from FileCompare for the changes:

<offset>  <File 1 Byte>  <File 2 Byte>
3A37F1h   EBh            74h            // these 6 rows
3A388Ah   EBh            74h            // were for the
3A395Ah   90h            75h            // 4 MsgBoxes,
3A395Bh   90h            5h             // so continue
3A3A32h   90h            75h            // reading....
3A3A33h   90h            5h             //
3CE3E9h   47h            51h            // --> text editing
3CE3EAh   6Fh            75h            //
3CE3EBh   21h            69h            //
3CE3ECh   21h            74h            //
40307Bh   52h            45h            //
40307Ch   45h            56h            //
40307Dh   47h            41h            //
40307Eh   49h            4Ch            //
40307Fh   53h            55h            //
403080h   54h            41h            //
403081h   45h            54h            //
403082h   52h            49h            //
403083h   45h            4Fh            //
403084h   44h            4Eh            // -->
458F8Eh   90h            74h            // <-- jumps
458F8Fh   90h            DBh            //
458FA6h   90h            75h            //
458FA7h   90h            18h            //
458FC8h   90h            74h            //
458FC9h   90h            14h            //
458FF2h   90h            74h            //
458FF3h   90h            Ah             //
45903Eh   EBh            74h            //
459094h   90h            75h            //
459095h   90h            Ch             // <--
579388h   46h            54h            // --> text editing
57938Ah   75h            72h            //
57938Ch   6Ch            69h            //
57938Eh   6Ch            61h            //
579390h   20h            6Ch            //
579392h   56h            20h            //
579394h   65h            45h            //
579396h   72h            78h            //
579398h   73h            70h            //
57939Ch   6Fh            72h            //
57939Eh   6Eh            65h            //
5793A0h   20h            64h            // <--

The rows from 458F8Eh to 459095h are for the jumps, and I know it's more than necessary, but you can never patch too much (?). Anyway, as I said, it works like a charm and doesn't say "Unregistered" or similar.

Final words: I wish to greet all the guys in the Lockless Crew, you know who you are, and a special thanks to Yado (for teaching me some things about the unpacking scheme, even though I might seem slow sometimes) and to Anshar for bringing me into the crew back in '97..... Hope that you learned something in this tut... especially that your worst enemy can be just as much of a pussy as you wanted it to be =)

Questions and remarks can be sent to bobafett@lockless.com, or join us in the #lockless chan on EFnet.... Byez..........

Boba Fett
Lockless Cracking Crew
12 sept. 2002
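The FileCompare listing above contains three kinds of change: a JZ (74h) turned into a short JMP (EBh), a conditional jump NOPed out (90h 90h), and strings overwritten with new text (File 1 is the patched copy, File 2 the unpatched one, since the patched side holds EBh/90h where the original has Jcc opcodes). The script below is an added example, not part of the tutorial or of FileCompare: it compares a known-good image with a suspect copy and labels each differing run that way, so whoever checks a binary for tampering can see at a glance what was patched. The sample images, offsets and strings are constructed for the demo.

```python
# Short x86 conditional jumps (Jcc rel8) that the listing above shows being patched.
JCC = {0x74: "JZ", 0x75: "JNZ"}
NOP, JMP_SHORT = 0x90, 0xEB

def diff_runs(original: bytes, modified: bytes, max_gap: int = 1) -> list[tuple[int, bytes, bytes]]:
    """Return (offset, original_slice, modified_slice) for each run of changed bytes.
    Changes at most max_gap unchanged bytes apart are merged, so a UTF-16 string edit
    (every second byte changes) comes back as one run instead of many."""
    if len(original) != len(modified):
        raise ValueError("images differ in size; compare them section by section")
    runs, start, last = [], None, None
    for i, (o, m) in enumerate(zip(original, modified)):
        if o == m:
            continue
        if start is not None and i - last > max_gap + 1:
            runs.append((start, original[start:last + 1], modified[start:last + 1]))
            start = None
        if start is None:
            start = i
        last = i
    if start is not None:
        runs.append((start, original[start:last + 1], modified[start:last + 1]))
    return runs

def _text(b: bytes) -> str:
    """Decode a narrow or UTF-16LE fragment; '' if any byte is not printable ASCII."""
    chars = b.replace(b"\x00", b"")
    return chars.decode("ascii") if chars and all(32 <= c < 127 for c in chars) else ""

def classify(original: bytes, modified: bytes) -> list[tuple[int, str]]:
    """Label each differing run the way a reviewer of the FileCompare listing would."""
    out = []
    for off, o, m in diff_runs(original, modified):
        if o[0] in JCC and all(c == NOP for c in m):
            label = f"{JCC[o[0]]} rel8 NOPed out ({len(m)} bytes)"
        elif o[0] in JCC and m == bytes([JMP_SHORT]):
            label = f"{JCC[o[0]]} forced to unconditional JMP"
        elif _text(o) and _text(m):
            label = f"string edit {_text(o)!r} -> {_text(m)!r}"
        else:
            label = f"unclassified: {o.hex()} -> {m.hex()}"
        out.append((off, label))
    return out

# Constructed sample images (not the real HomeSite binary): a JZ, a JNZ, an ASCII
# caption and a UTF-16LE caption, each separated by four unchanged padding bytes.
PAD = b"\x00" * 4
ORIGINAL = b"\x74\x10" + PAD + b"\x75\x05" + PAD + b"Quit\x00" + PAD + "Trial".encode("utf-16-le")
MODIFIED = b"\xEB\x10" + PAD + b"\x90\x90" + PAD + b"Go!!\x00" + PAD + "Full ".encode("utf-16-le")
```

Running `classify(ORIGINAL, MODIFIED)` yields one labelled entry per patched spot; on a real dump, compare the unpatched dump against the suspect copy and review any "unclassified" runs by hand.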