
Thread: vbox 4.5 tut some problem with iat fixing proc

  1. #1

    vbox 4.5 tut some problem with iat fixing proc

    I am trying to follow the new tut about vbox 4.5. Everything is OK until this IAT fix proc.
    Code:
    017F:0700ED95  MOV     [EBX],EAX   ; moving it to its place in the iat
    017F:0700ED97  ADD     EBX,04
    I have tried to enter mov [ebx],eax in softice but it always changes to mov [ebx],ax. I have assembled this proc with masm and now another problem comes:
    cmp eax,000 turns into 83F800, which is 3 bytes.
    However, in the original proc it is 4 bytes long.

    Thanks.

  2. #2
    I may not be much of a help with VBox, but here are my ramblings:

    >I have tried to enter mov [ebx],eax in softice but it always changes to mov [ebx],ax
    Did you write: mov dword ptr [ebx],eax ?

    >cmp eax,000 turns to 83F800 which is 3 bytes.
    >how ever in original proc it is 4 bytes long.
    Most people try to save bytes... you try to have more? *g*
    Fill in a nop if you really want to give away this space... it does the same anyway.
    PS: test eax,eax is only 2 bytes and does the same too.

  3. #3
    Kilby
    Guest
    Something in the back of my head says you should specify that it's a double word, when assembling in softice.

    Kilby...
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    I have tried using dword and it worked. I have dumped this proc to a file and tried to load it with the icedump load command each time. I have tried 5 times and every time VBox gives an error at
    017F:0700EDFE CALL 0700EE15
    and it dies at this call. It doesn't fix the IAT. What am I doing wrong? I have done exactly this:
    Found OEP, bmp oep x. I have traced it to the first API call, GetVersion, which points to call 0700EDDB; then I have written a 700ed91 and put the proc here. When I am at 700EDDB I have changed ebx to 80f000. I have looked at what is at ebx with dd ebx and then wrote e ebp+4 xxxx, which is the dword at ebx. However, it gives two errors and never comes to the bpx I have put on 700edc3.
    What am I doing wrong here? Any help will be appreciated.

  5. #5
    tsehp
    Guest
    I wrote to droid for him to read this thread and eventually update the essay if necessary.
    I'm trying this app with rv ;-)

    later

  6. #6
    tsehp
    Guest
    still no news from droid.

    I used revirgin to fix this one, and it just made it, just as easily as previous vbox versions...;-) Lol Lol Lol

    Just read the revisited essay; I added all the info that I paste here for you, on win2k:
    oep 5b002f
    iat start 407000
    len d10

    Use the auto section + IT paste on the dumped target and this will work fine. Btw, I absolutely didn't find any traces of a mangled scheme inside the new vbox 4.5; I'd also like to know what is really new inside ;-)

    If there's nothing new more than the 5 instead of 3, we'll just have to consider all what we said on this thread as useless and switch back to the good old vbox 4.3 essays, waiting for something new to be done.

    best regards,

    +Tsehp

    ps:here are the it.bin + resolved iat for the most lazy of you

  7. #7
    I have pasted your IT into my dumped XMetaL but it didn't work. My mouse turns to the busy state and then the program dies; the only way to close it is ctrl+alt+del. What can be wrong? I have used SV's IT includer. I can't use revirgin to paste the IAT because when I was working with iris 3.1 I forwarded my clock and accidentally opened XMetaL, so it is already expired. Sorry for asking so many questions, but I am trying to learn unpacking.

  8. #8
    tsehp
    Guest
    My IT is working on win2000, hope you didn't make it on win9x ;-)

    How do you expect revirgin to work if xmetal21 is not working ?
    Sorry, but you have to learn to reset the vbox 4.5; read the previous essays concerning this on vbox 4.3, publish here what you've found and I could help you.

    regards

    tsehp

  9. #9
    I have XMetaL 2.0.3.099.
    I have found the entry point, the same as in the essay: 5B4865. I have dumped it, I have put 5B4865-400000=001B4865, I have pasted your IT with SV's program and it doesn't work. I have tried this on both win2k and win98 SE.

  10. #10
    hz
    Guest
    hiya,
    May be way off base here, but did you remember, after you added the new section, to go to the directory and change the IAT pointer to point to the new section? Just a thought (rare), as I have forgotten to do it a couple of times.
    regards
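    The check hz asks about, whether the import directory entry in the PE header actually points into the appended section, can be done on the dumped file with a few header reads. The following is an added example, not code from the thread, revirgin, or SV's IT includer; the header it builds is constructed for demonstration (only PE32 is handled) and reuses the thread's numbers: the import table at VA 407000 (RVA 7000) with length D10 from tsehp's post, and a hypothetical appended section named .newit at RVA 1C0000.

```python
import struct

# Data-directory indices from the PE format specification.
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_IAT = 12


def _headers(pe):
    """Locate the PE32 optional header; returns (optional_header_offset, section_table_offset, section_count)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    return opt, opt + size_opt, nsections


def sections(pe):
    """Yield (name, VirtualAddress, VirtualSize) for every section header."""
    _, table, count = _headers(pe)
    for i in range(count):
        name, vsize, va = struct.unpack_from("<8sII", pe, table + i * 40)
        yield name.rstrip(b"\0").decode(), va, vsize


def section_for_rva(pe, rva):
    """Name of the section containing rva, or None if it falls outside every section."""
    for name, va, vsize in sections(pe):
        if va <= rva < va + vsize:
            return name
    return None


def get_data_directory(pe, index):
    """(RVA, size) of a data-directory entry; PE32 directories start 96 bytes into the optional header."""
    opt, _, _ = _headers(pe)
    count = struct.unpack_from("<I", pe, opt + 92)[0]   # NumberOfRvaAndSizes
    if index >= count:
        raise ValueError("directory index %d out of range" % index)
    return struct.unpack_from("<II", pe, opt + 96 + index * 8)


def move_import_directory(pe, new_rva, size):
    """Repoint the import directory at the rebuilt table, refusing an RVA outside any section."""
    if section_for_rva(pe, new_rva) is None:
        raise ValueError("RVA %#x is not inside any section" % new_rva)
    opt, _, _ = _headers(pe)
    out = bytearray(pe)
    struct.pack_into("<II", out, opt + 96 + IMAGE_DIRECTORY_ENTRY_IMPORT * 8, new_rva, size)
    return bytes(out)


def build_sample_header():
    """Constructed PE32 header (no section bodies) standing in for the dumped target."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)  # i386, 3 sections, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    # Import directory as the packer left it: RVA 7000 (VA 407000), length D10 (values from tsehp's post).
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_IMPORT * 8, 0x7000, 0xD10)
    layout = ((b".text", 0x1000, 0x6000), (b".rdata", 0x7000, 0x1000), (b".newit", 0x1C0000, 0x1000))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, 0xE0000020)
                     for n, va, vs in layout)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    pe = build_sample_header()
    rva, size = get_data_directory(pe, IMAGE_DIRECTORY_ENTRY_IMPORT)
    print("before: import dir RVA %#x size %#x in %s" % (rva, size, section_for_rva(pe, rva)))
    fixed = move_import_directory(pe, 0x1C0000, 0xD10)
    rva, size = get_data_directory(fixed, IMAGE_DIRECTORY_ENTRY_IMPORT)
    print("after:  import dir RVA %#x size %#x in %s" % (rva, size, section_for_rva(fixed, rva)))
```

    Run against a real dump, the "before" line shows where the loader will look for the import descriptors; if that is still the packer's RVA rather than the section the IT was pasted into, the loader never sees the rebuilt table, which matches the busy-cursor death described in post #7.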

  11. #11
    r2r2
    Guest
    laptonic: read the part that follows the inline patch; you'll see it'll never bpx at the intended address, but that doesn't mean the work isn't done..

    tsehp: you're probably 100% right =)
    I'm gonna check how to unpack this program with revirgin in w9x (I didn't try to, initially).
    Be sure I'll mail/post results there and update (or remove if useless, tho maybe it can help writing a universal unwrapper?) my tut in consequence.

    thanks for your comments,
    r2

  12. #12
    tsehp
    Guest
    laptonic: learning to reverse is the goal of this mb, not learning to insert the it.bin file I provided you to compare with attempts/results...

    r2: it should also work on win9x; I didn't try because on vbox the revirgin tracer is unstable. You can do it, but 5 IAT entries at a time, and save your work every time you trace more; when all the tracing is complete, save the text file, then resolve with "fix sections" checked and rv will auto update your dumped target, add the section and fix the PE.

    Actually I'm finishing the new tracer (5 times faster, much more stable, works in ring0), so I don't have the time to try it on win9x because I'm finishing writing some int handlers for the tracer. But tell me your results/problems and I'll help you.

    regards,

    +Tsehp

  13. #13
    madmax
    Guest
    I was wondering whether the builtin BHRAMA function of PEDUMP/ICEDUMP should be utilized in such a case... I know a sample vbox plugin still works for 4.3, so 4.5 can't be much different =)
    Nothing against RV/imprec (these 2 are lifesavers!), but it might be good to explore plugin coding as a 2nd option... With a working plugin, PEDUMP alone will suffice... I've not become familiar with writing such plugins, but it seems interesting.. Plus, you could actually release the plugin and be famous =) (safedisc 2 100% working would be nice!)

    madmax!

  14. #14
    tsehp
    Guest
    Yes, interesting, but following this option you assume that the plugin is protection- and version-dependent, and open to read for everyone, meaning less work for the protectionists to make them fail. Sad but true; imho one of the reasons that this place is just the tip of the iceberg.

    That's why I chose another way: build an app without releasing the source, and maybe in the future (with the help of reversers addicted to it) add some code obfuscation, but actually the level of attempts to make the tool fail makes this not worth the case.

  15. #15
    r2r2
    Guest
    Just to let you know I'm going to update my tut very soon (now that I'm on holidays..), because a few details/mistakes were left.

    Also, I really had troubles fixing the IAT with revirgin (not an up-to-date version), and I'm going to retry with rv 1.10 build9 asap.

    thanks for your interest.
