Need help for Revirgin 1.2


ash
November 9th, 2001, 04:13
Well, I tried to crack the Freehand10 Italian version, protected with Vbox 4.5.

I got to the entry point, dumped the .exe, then came to Revirgin
to resolve the import table. It took some time to resolve it,
but even after that, when I selected the "show unresolved" option, many of them were still unresolved.

The tracer didn't help.

Please help me.

Solomon
November 9th, 2001, 05:56
"trace" the unresolved ones, then "resolve again".

Just try it.


SpeKKeL
November 9th, 2001, 06:13
Strange,

Just DL'd freehand10 > are you sure it's Vbox protected????
I couldn't find anything.. Just reversed some jumps in the exe file.

Ciao, SpeKKeL

ash
November 10th, 2001, 01:01
Quote:
Originally posted by SpeKKeL
Strange,

Just DL'd freehand10 > are you sure it's Vbox protected????
I couldn't find anything.. Just reversed some jumps in the exe file.

Ciao, SpeKKeL


You may have downloaded the English version, which is Rsagent protected, but the Italian and other versions are Vbox wrapped.
Need your help!

ash
November 10th, 2001, 01:04
Already tried it; tracing the unresolved ones makes the system reboot.

tsehp
November 10th, 2001, 06:14
OK, two reasons:

1. The tracer is sent to a tracer's trap (some useless instructions like push [0]) that will make a terrible crash.

2. Vbox 4.3 has changed again and I may need to make some improvements, so send the downloaded app to my mailbox + the IAT entries you can't trace.

Btw, what's best to do concerning the bad IAT entries to trace?
The only way to guess them is to locate the ones with refs = 0; they don't have refs into the loaded target's code.

I just don't have the time to code an "intelligent" disassembler that will decide whether or not to throw the tracer into the entry; mangled code schemes will also hide some useless code that will crash the tracer anyway.

I usually check some entries with SICE before tracing them; maybe adding a small window that disassembles the entry could add something interesting?

I'm waiting for everybody's suggestions on this.

tsehp
November 10th, 2001, 22:24
And the problem is fixed: the tracer was stopping too early, so RV was displaying the address corresponding to the IAT's first entry as the result.

Here's the first part of the IAT listing, with the first entries resolved. I'll let all of you take the time to trace the ones with ????
freehand 10.exe
10F8
index IAT_address value hint module function
--- -------- -------- ---- -------- --------
0 003FC000 77DBA3D0 01A7 ADVAPI32.dll RegQueryValueA
1 003FC004 77DB83EE 0185 ADVAPI32.dll RegCloseKey
2 003FC008 77DBA900 0195 ADVAPI32.dll RegEnumValueA
3 003FC00C 77DB89F0 019E ADVAPI32.dll RegOpenKeyExA
4 003FC010 77DB8C69 01A8 ADVAPI32.dll RegQueryValueExA
5 003FC014 77DB9200 0189 ADVAPI32.dll RegCreateKeyExA
6 003FC018 77DBA5DE 0188 ADVAPI32.dll RegCreateKeyA
7 003FC01C 77DB9514 01B3 ADVAPI32.dll RegSetValueExA
8 003FC020 77DBE77D 01B2 ADVAPI32.dll RegSetValueA
9 003FC024 77DB8B3F 019D ADVAPI32.dll RegOpenKeyA
10 003FC028 77DBA3A4 0191 ADVAPI32.dll RegEnumKeyA
11 003FC030 77B736C3 0056 COMCTL32.dll PropertySheet
12 003FC034 77B55482 0032 COMCTL32.dll ImageList_Draw
13 003FC038 77B6824A 005A COMCTL32.dll _TrackMouseEvent
14 003FC03C 77B55C19 002D COMCTL32.dll ImageList_Destroy
15 003FC040 77B55986 0046 COMCTL32.dll ImageList_ReplaceIcon
16 003FC044 77B560B8 002C COMCTL32.dll ImageList_Create
17 003FC048 77B54C2F 0033 COMCTL32.dll ImageList_DrawEx
18 003FC04C 77B55AA3 004B COMCTL32.dll ImageList_SetBkColor
19 003FC050 77B521C7 0011 COMCTL32.dll InitCommonControls
20 003FC058 77F4B076 0053 GDI32.dll DeleteEnhMetaFile
21 003FC05C 77F4E693 008E GDI32.dll EnumEnhMetaFile
22 003FC060 77F48154 0045 GDI32.dll CreatePatternBrush
23 003FC064 77F43F9E 0211 GDI32.dll UnrealizeObject
24 003FC068 77F68525 000C GDI32.dll Arc
25 003FC06C 77F46CD6 016F GDI32.dll GetTextCharacterExtra
26 003FC070 77F464BF 0050 GDI32.dll DPtoLP
27 003FC074 77F4819F 01F0 GDI32.dll SetPixel
28 003FC078 77F576E6 0038 GDI32.dll CreateFontA
29 003FC07C 77F45BD6 018B GDI32.dll InvertRgn
30 003FC080 77F4A439 0162 GDI32.dll GetROP2
31 003FC084 77F471AD 0128 GDI32.dll GetCurrentPositionEx
32 003FC088 77F4825B 015F GDI32.dll GetPixel
33 003FC08C 77F58504 0027 GDI32.dll CreateBitmapIndirect
34 003FC090 77F456D5 010E GDI32.dll GetBitmapBits
35 003FC094 77F456B3 01D3 GDI32.dll SetBitmapBits
36 003FC098 77F48B40 011B GDI32.dll GetCharWidthA
37 003FC09C 77F68DAA 00B3 GDI32.dll FrameRgn
38 003FC0A0 77F682F1 004C GDI32.dll CreateRoundRectRgn
39 003FC0A4 77F4125A 0167 GDI32.dll GetRgnBox
40 003FC0A8 77F4551D 01AE GDI32.dll Polygon
41 003FC0AC 77F682DA 0035 GDI32.dll CreateEllipticRgnIndirect
42 003FC0B0 77F43F59 004B GDI32.dll CreateRectRgnIndirect
43 003FC0B4 77F45C29 0020 GDI32.dll CombineRgn
44 003FC0B8 77F5ECF4 01C2 GDI32.dll RoundRect
45 003FC0BC 77F561FE 00AE GDI32.dll FillRgn
46 003FC0C0 77F4F3CB 0133 GDI32.dll GetEnhMetaFileA
47 003FC0C4 77F459CF 016E GDI32.dll GetTextAlign
48 003FC0C8 77F56C6E 01A0 GDI32.dll Pie
49 003FC0CC 77F494FC 002D GDI32.dll CreateDCA
50 003FC0D0 77F568CB 009A GDI32.dll Escape
51 003FC0D4 77F4A5D5 005E GDI32.dll EndPage
52 003FC0D8 77F4A4DB 0207 GDI32.dll StartPage
53 003FC0DC 77F68FDA 0001 GDI32.dll AbortDoc
54 003FC0E0 77F4A6C5 005C GDI32.dll EndDoc
55 003FC0E4 77F4AB24 0204 GDI32.dll StartDocA
56 003FC0E8 77F5893A 014A GDI32.dll GetKerningPairs
57 003FC0EC 77F4954C 00A0 GDI32.dll ExtEscape
58 003FC0F0 77F573DB 008F GDI32.dll EnumFontFamiliesA
59 003FC0F4 77F574C7 0090 GDI32.dll EnumFontFamiliesExA
60 003FC0F8 77F477AA 00A3 GDI32.dll ExtTextOutA
61 003FC0FC 77F4804C 0039 GDI32.dll CreateFontIndirectA
62 003FC100 77F47987 0179 GDI32.dll GetTextExtentPointA
63 003FC104 77F46D29 01F7 GDI32.dll SetStretchBltMode
64 003FC108 77F43FC6 01D0 GDI32.dll SelectPalette
65 003FC10C 77F4810D 01B4 GDI32.dll RealizePalette
66 003FC110 77F45719 019E GDI32.dll PatBlt
67 003FC114 77F46323 01F4 GDI32.dll SetROP2
68 003FC118 77F463F8 01B7 GDI32.dll Rectangle
69 003FC11C 77F41F4D 0123 GDI32.dll GetClipBox
70 003FC120 77F479A1 0177 GDI32.dll GetTextExtentPoint32A
71 003FC124 77F43297 0159 GDI32.dll GetObjectType
72 003FC128 77F43A04 004A GDI32.dll CreateRectRgn
73 003FC12C 77F449AA 0124 GDI32.dll GetClipRgn
74 003FC130 77F5652B 01FD GDI32.dll SetViewportExtEx
75 003FC134 77F42FF3 018A GDI32.dll IntersectClipRect
76 003FC138 77F46E60 0049 GDI32.dll CreatePolygonRgn
77 003FC13C 77F6E06D 0135 GDI32.dll GetEnhMetaFileDescriptionA
78 003FC140 77F44E7E 01DF GDI32.dll SetDIBitsToDevice
79 003FC144 77F53D97 0152 GDI32.dll GetMetaFileBitsEx
80 003FC148 77F45693 0044 GDI32.dll CreatePalette
81 003FC14C 77F47EF2 0158 GDI32.dll GetObjectA
82 003FC150 77F44A5C 0110 GDI32.dll GetBkColor
83 003FC154 77F449DA 0172 GDI32.dll GetTextColor
84 003FC158 77F450A4 01C8 GDI32.dll SaveDC
85 003FC15C 77F45171 01C1 GDI32.dll RestoreDC
86 003FC160 77F44B67 020D GDI32.dll TextOutA
87 003FC164 77F4590D 01F9 GDI32.dll SetTextAlign
88 003FC168 77F616E0 0142 GDI32.dll GetGlyphOutline
89 003FC16C 77F573F7 017C GDI32.dll GetTextFaceA
90 003FC170 77F57770 015B GDI32.dll GetOutlineTextMetricsA
91 003FC174 77F5EA2A 0164 GDI32.dll GetRasterizerCaps
92 003FC178 77F47A1A 017F GDI32.dll GetTextMetricsA
93 003FC17C 77F453D5 01DE GDI32.dll SetDIBits
94 003FC180 77F469AB 0032 GDI32.dll CreateDIBitmap
95 003FC184 77F470AE 012D GDI32.dll GetDIBits
96 003FC188 77F44505 002B GDI32.dll CreateCompatibleBitmap
97 003FC18C 77F41B02 01D6 GDI32.dll SetBkMode
98 003FC190 77F41D83 004F GDI32.dll CreateSolidBrush
99 003FC194 77F412F9 0168 GDI32.dll GetStockObject
100 003FC198 77F56F4A 005A GDI32.dll Ellipse
101 003FC19C 77F43F70 01CD GDI32.dll SelectClipRgn
102 003FC1A0 77F44AAA 0046 GDI32.dll CreatePen
103 003FC1A4 77F45F0C 0192 GDI32.dll MoveToEx
104 003FC1A8 77F45FF9 018E GDI32.dll LineTo
105 003FC1AC 77F4427F 012E GDI32.dll GetDeviceCaps
106 003FC1B0 77F41DB1 002C GDI32.dll CreateCompatibleDC
107 003FC1B4 77F43C2C 0052 GDI32.dll DeleteDC
108 003FC1B8 77F41E25 0026 GDI32.dll CreateBitmap
109 003FC1BC 77F4158A 01CF GDI32.dll SelectObject
110 003FC1C0 77F418D0 01D5 GDI32.dll SetBkColor
111 003FC1C4 77F419E6 01FB GDI32.dll SetTextColor
112 003FC1C8 77F46E79 0208 GDI32.dll StretchBlt
113 003FC1CC 77F43673 0055 GDI32.dll DeleteObject
114 003FC1D0 77F433E0 01FE GDI32.dll SetViewportOrgEx
115 003FC1D4 77F68F23 0212 GDI32.dll UpdateColors
116 003FC1D8 77F46985 0028 GDI32.dll CreateBrushIndirect
117 003FC1DC 02370000 0000 ?????? ??????
118 003FC1E0 77F45ABA 018C GDI32.dll LPtoDP
119 003FC1E4 02380000 0000 ?????? ??????
120 003FC1E8 77F5550C 0097 GDI32.dll EnumMetaFile
121 003FC1EC 77F6838C 01C0 GDI32.dll ResizePalette
122 003FC1F0 02390000 0000 ?????? to_Resolve
123 003FC1F4 023A0000 0000 ?????? ??????
124 003FC1F8 023B0000 0000 ?????? ??????
125 003FC1FC 77F45A1D 01EA GDI32.dll SetMapMode
126 003FC200 77F455BC 01AF GDI32.dll Polyline
127 003FC204 023C0000 0000 ?????? ??????
128 003FC208 77F50AA9 001B GDI32.dll CloseEnhMetaFile
129 003FC20C 023D0000 0000 ?????? ??????
130 003FC210 023E0000 0000 ?????? ??????
131 003FC214 77F460AE 0202 GDI32.dll SetWindowOrgEx
132 003FC218 77F4E407 0036 GDI32.dll CreateEnhMetaFileA
133 003FC21C 023F0000 0000 ?????? ??????
134 003FC220 77F4E369 00BA GDI32.dll GdiComment
135 003FC224 77F56E92 0165 GDI32.dll GetRegionData
136 003FC228 02400000 0000 ?????? ??????
137 003FC22C 77F45659 015D GDI32.dll GetPaletteEntries
138 003FC230 02410000 0000 ?????? ??????
139 003FC234 77F51E67 0134 GDI32.dll GetEnhMetaFileBits
140 003FC238 02420000 0000 ?????? ??????
141 003FC23C 77F446AE 0127 GDI32.dll GetCurrentObject
***TRUNCATED



As you can see, 3fc004 leads to RegCloseKey, and this is the first one traced. The same procedure can be applied to whatever entry; just do them one by one and save the text file regularly, as you can sometimes get a crash if you repeat tracing too often.

Thanks for submitting the problem and helping me improve the tool's accuracy.

And if you want to laugh, read the bad side of the thread on the general forum.
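Added example (not part of the thread, and not Revirgin's own code): a small Python script that applies the two heuristics tsehp describes above to a Revirgin-style listing. An unresolved slot that nothing in the dumped code calls, jumps through or loads from (refs = 0) is skipped rather than traced, and for the remaining slots the first instruction at the target is inspected before a tracer is sent in, so that a `push dword [0]` trap is reported instead of crashing the session. The listing rows are copied from the output above; the code bytes, the two memory regions, and the extra `ret 4` stub signature are constructed for the example, and only 32-bit x86 encodings are scanned.

```python
import re
import struct

# Constructed sample listing: a few rows copied from the Revirgin output above.
LISTING = """\
index IAT_address value hint module function
--- -------- -------- ---- -------- --------
1 003FC004 77DB83EE 0185 ADVAPI32.dll RegCloseKey
116 003FC1D8 77F46985 0028 GDI32.dll CreateBrushIndirect
117 003FC1DC 02370000 0000 ?????? ??????
118 003FC1E0 77F45ABA 018C GDI32.dll LPtoDP
119 003FC1E4 02380000 0000 ?????? ??????
122 003FC1F0 02390000 0000 ?????? to_Resolve
"""

# Constructed x86-32 code bytes standing in for the dumped .text section.
CODE = (b"\xff\x15\x04\xc0\x3f\x00"   # call dword ptr [003FC004]  (RegCloseKey)
        b"\x8b\x35\xdc\xc1\x3f\x00"   # mov  esi, [003FC1DC]
        b"\xff\x25\xe4\xc1\x3f\x00"   # jmp  dword ptr [003FC1E4]
        b"\x8b\x0d\xdc\xc1\x3f\x00"   # mov  ecx, [003FC1DC]
        b"\xc3")                      # ret

# Constructed memory regions the unresolved slots point into (hypothetical
# wrapper-allocated pages); 02390000 is deliberately left unmapped.
MEM = {
    0x02370000: b"\xff\x35\x00\x00\x00\x00\xc3",      # push dword ptr [0]; ret
    0x02380000: b"\x55\x8b\xec\xe9\x00\x00\x00\x00",  # push ebp; mov ebp,esp; jmp ...
}

ROW = re.compile(r"^\s*(\d+)\s+([0-9A-F]{8})\s+([0-9A-F]{8})\s+([0-9A-F]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_listing(text):
    """One dict per data row of a Revirgin-style listing; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        idx, slot, value, hint, module, func = m.groups()
        rows.append({"index": int(idx), "slot": int(slot, 16), "value": int(value, 16),
                     "hint": int(hint, 16), "module": module, "function": func,
                     "resolved": module != "??????"})
    return rows

def count_refs(code, slot):
    """Count absolute-indirect uses of one IAT slot in 32-bit code:
    call [slot] (FF 15 disp32), jmp [slot] (FF 25 disp32), mov eax,[slot]
    (A1 disp32) and mov r32,[slot] (8B /r with mod=00, r/m=101)."""
    disp = struct.pack("<I", slot)
    refs, pos = 0, code.find(disp)
    while pos != -1:
        two, one = code[max(pos - 2, 0):pos], code[max(pos - 1, 0):pos]
        if two in (b"\xff\x15", b"\xff\x25") or one == b"\xa1":
            refs += 1
        elif len(two) == 2 and two[0] == 0x8B and (two[1] & 0xC7) == 0x05:
            refs += 1
        pos = code.find(disp, pos + 1)
    return refs

# First-instruction signatures that mean "do not send the tracer in here".
SIGNATURES = {
    b"\xff\x35\x00\x00\x00\x00": "trap: push dword [0]",  # reads page zero, faults
    b"\xff\x15\x00\x00\x00\x00": "trap: call [0]",
    b"\xc2\x04\x00":             "stub: ret 4",           # not an API at all
}

def classify_target(mem, value):
    """Peek at the first bytes where a slot points before tracing it."""
    for base, blob in mem.items():
        if base <= value < base + len(blob):
            head = blob[value - base:value - base + 6]
            for sig, name in SIGNATURES.items():
                if head.startswith(sig):
                    return name
            return "code"
    return "unmapped"   # not in the dump: must be traced in the live process

def triage(listing, code, mem):
    """Map listing index -> what to do with that IAT entry."""
    actions = {}
    for row in parse_listing(listing):
        if row["resolved"]:
            actions[row["index"]] = "keep"
            continue
        refs = count_refs(code, row["slot"])
        if refs == 0:
            actions[row["index"]] = "skip (no refs)"   # the refs = 0 heuristic
            continue
        kind = classify_target(mem, row["value"])
        if kind.startswith(("trap", "stub")):
            actions[row["index"]] = "inspect (%s)" % kind
        else:
            actions[row["index"]] = "trace (%d refs, %s)" % (refs, kind)
    return actions

if __name__ == "__main__":
    for index, action in sorted(triage(LISTING, CODE, MEM).items()):
        print("%3d  %s" % (index, action))
```

On the constructed input, entry 122 has no references and is skipped, entry 117 is flagged as a trap because its target begins with `push dword [0]`, and entry 119 is the only one worth handing to the tracer. On a real dump the code bytes come from the dumped section and the memory regions from the live process; the byte-pattern scan is deliberately naive (no disassembly), which is good enough to separate "never referenced" from "referenced" but will miss references made through a register.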

ash
November 11th, 2001, 00:39
Thanks !!!!!

evaluator
November 11th, 2001, 05:19
Hi!

Question:
1. Does this VBOX wrapper work like ASProtect with the IT (emulates), or
like tElock or PCGuard (executes the IT and then erases it)?

Can you tell me what progs (without a big download size)
use this protection? I will check this protection.

+SplAj
November 11th, 2001, 06:06
Tsehp

I unpacked the latest Sm*rtWh**s 3.3 and the C*mmV**wRA addon from
tamosoft - greetz to them.

Whilst the CVRA was pretty straightforward in W98/ME, I had some problems in Win2K cos RV can't see the process as it runs as a service????

SWhois3.3 had 3 or so layers of calls to get LockResource and FreeResource!

This was the first time I saw these APIs called in *normal* 4xxxxx program code, not high aspr code. I had a lot of manual tracing to do to get the real call (actually I knew what the API was from the resolved.txt already), but manually traced to see wtf was going on. Someone (hi SV) could confirm this please..... rastaman, cos I got high ...........

Also the hash/CRC code was different. Someone has *optimized*
the routine to save a few clock cycles! movsd x 4 instead of repz.

Looks like Alexey has been giving some tips


Spl/\j

tsehp
November 11th, 2001, 13:24
I'm overworked!
I'm actually finishing some clean emulation for all the anti-tracing tricks that SpeKKeL sent me (thanks a lot, SpeKKeL, for your searching work).
Then I'll switch to this problem, SplAj; can you send the download URLs to my mailbox? This will remind me of the next step!

soon,

tsehp

ash
November 12th, 2001, 01:38
Hi
tsehp

Well, I tried what you suggested for Freehand10: I tried tracing the unresolved imports one by one, and the tracer puts the text "traced" on the particular import; then I clicked "resolve again" and nothing happened.

What should I do?

tsehp
November 12th, 2001, 03:06
download latest version

SpeKKeL
November 13th, 2001, 05:02
Howdy SplAj,

Did unpack Smwh3.3 and I think all works fine.....
But I had to adjust some things, cause I've doubts about 2 APIs like 53d35c and 53d400 (ret 004?? VirtualFree???)
That's why looping in the next code goes wrong:

0177:0040439E JLE 004043B4
0177:004043A0 MOV EAX,[EBX*8+EDI]
0177:004043A3 INC EBX
0177:004043A4 MOV [0053B640],EBX
0177:004043AA TEST EAX,EAX
0177:004043AC JZ 004043B0
0177:004043AE CALL EAX
0177:004043B0 CMP ESI,EBX        ; value of esi here: AC
0177:004043B2 JG 004043A0

When ebx reaches 42, the value AC, which is supposed to be in
esi, changes; I think it has to do with a wrong API call
that doesn't set esi back.
(Well, I think they're wrong.)
When I manually put esi back to AC, all runs smooth...

Greetz,
SPekkeL

SpeKKeL
November 13th, 2001, 05:29
Sorry, my scream was too early!

I thought if they weren't to be resolved, they must be ret 004!
And yes, they were, so all resolved, and skipped the
jz 87200! (size sw3.3)

See you...

Spek

+SplAj
November 13th, 2001, 06:16
SpeKK hehehe Lock & Load

Tsehp, nice anime of you 'bashing away', but your thingy is a whopping 8k!!!! Thought we had to be <2k .......

hmmmmm

now I make my 'tongue in cheek' anime gif ........

SpeKKeL
November 13th, 2001, 16:22
Been everywhere, seen everything; only the LockResource
API I missed??!?
I could use some tips resolving those two (it seems indeed that
when displaying some windows (options) the prog gives errors on reading...)


T I A (maria) Spekkellllll

ash
November 14th, 2001, 02:15
The latest version worked great, thanks.

+SplAj
November 14th, 2001, 02:44
SpeKK

Here is my IAT for SWho3.3


Hmmmmm, it's an '.ace' file; just delete the .zip ext............

SpeKKeL
November 14th, 2001, 04:18
Thanks,

Just the same... only the 13D35C LockResource and 0013D400 FreeResource........

Can you remember how you discovered those 2?!!?

Spek and play ?

+SplAj
November 14th, 2001, 08:43
SpeKK

As I said, I did a *lot* of manual tracing with the F8 key to get these final 2 APIs.

Is this API redirection code in 'regular' exe code or aspr code????
.............tamosoft are learning/teaching some co-operative anti-rebuilding tricks with Alexey............

Does your rebuild work???


Spl/\j

SpeKKeL
November 14th, 2001, 09:21
Sometimes??

I discovered that I don't have to use Load- and FreeResource but can use the ord_2f **BUT** when setting breakpoints in the prog, options like "country-codes" don't work >> ERROR reading *(&(%$(&*_ or something like that.
Also, changing the jz into a jmp (eb) has the same effect.
Ahum, go read your latest tut; remember something about
hash CRC


Still busy, SpeKK

SpeKKeL
November 14th, 2001, 15:37
Yeah yeah,


After looking at your beautiful aspr tut, all works super gut..
No more errors after hash correction! (hash, hash..)
(still using ord_2f ((sorry))

See you



VAn der Spek

tsehp
November 18th, 2001, 03:36
Quote:
Originally posted by +SplAj
SpeKK hehehe Lock & Load

Tsehp, nice anime of you 'bashing away', but your thingy is a whopping 8k!!!! Thought we had to be <2k .......

hmmmmm

now I make my 'tongue in cheek' anime gif ........


I could be mistaken, but the actual limit is 20k...