
Thread: vbox 4.6.2

  1. #1
    arieri
    Guest

    vbox 4.6.2

    hi,

    I have been working on a new target that is protected with vbox 4.6.2
    I have done this a couple of times earlier with success

    I have done as follows

    Put a break on getstartupinfoa and push the try button
    F12 and back in the original program: Scroll some lines up and find the push ebp etc..
    Have dumped the program and fixed the iat with imprec. There were 91 unresolved
    Two of them were the getmessage and peekmessagea that I had to locate with softice, the
    rest were fixed with imprec.
    When I start my dumped exe it runs without the vbox screen and everything looks perfect
    I wanted to test so I turned my clock forward so the program did expire, then I started
    my dumped exe and was very surprised to see the vbox appear on my screen expired. hehe
    Well I'm lost from here so if anyone could help it would be nice

    regards,
    arieri
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    nikolatesla20 (: Code Injector :) | Join Date: Apr 2002 | Location: :ether: | Posts: 815
    Check the OEP of the file again. ImpREC is stupid with OEP - when you use it to paste the new IAT into the file, it will sneak in its OEP value, so make sure that you entered the correct OEP into ImpREC as well! Anyway, have you checked the OEP of the unpacked file yet to make sure it is still the one you found? If it's not, then you are still running the vbox code first :P

    Also, are u sure you opened the right file the second time :P I know it's a lame question but it never hurts to check. hehe.

    One more thing, VBOX might have an API so you should look into the possibility that the program imports some VBOX DLL and calls into it. Check that possibility out.

    -nt20

  3. #3
    sars-serum
    Guest
    Hello folks,

    Since you are now occupied with VBOX.

    I think Adobe Encore DVD is protected with VBOX 4.6.


    I have one question:

    Why can't I remove the VBOX protection with the Vbox Cleaner 1.0?

    About VBox Cleaner:
    This tool is able to detect and remove Vbox files and Registry entries which are NOT removed during or after the uninstall procedure of a Vbox protected software product.


    Thanks for help
    Last edited by sars-serum; January 30th, 2004 at 12:26.

  4. #4
    evaluator (Musician member) | Join Date: Sep 2001 | Posts: 1,524 | Blog Entries: 1
    Both of your 2 questions in your first post are against the rules!

  5. #5
    nikolatesla20 (: Code Injector :) | Join Date: Apr 2002 | Location: :ether: | Posts: 815
    Oh oh....I sense JMI standing nearby...


    sars-serum: Please do not post specific targets in this forum. Not only have you posted a specific target, but then you posted along with it a tool to automatically remove protection on that target. This doesn't teach anyone anything. The whole point of this board is to learn on your own, not to distribute cracks. Please remove at least the references to specific software (and the link), to obey the forum rules. If you are unfamiliar with forum rules, you can find them in the FAQ link at the bottom of the forum.

    As JMI has stated before, if you wish to share such specific information, you can readily send an email or a PM to the user with which you want to share it.


    -nt20 *wonders how well he did for JMI *
    Last edited by nikolatesla20; January 30th, 2004 at 12:08.

  6. #6
    arieri
    Guest
    Thanks for the advice nikolatesla20

    I have checked everything you said
    Strange: when the program is within the 30-day trial my dumped exe starts
    without the vbox nagscreen. Maybe this is an upgraded version of vbox
    I could not find the oep when breaking on the getversion api, as I usually have done earlier with vbox 4.6.2

    regards
    arieri

  7. #7
    nt20: Thanks for the assist, but I point out a few fine distinctions with sars-serum's post. First, he did "identify" a target, but he did not post any code from his identified target.

    Second, he posted a "tool" and asked why it cannot remove the protection from the target. I am not sure we actually have a "don't post any tools" rule that applies to non-commercial "Tools of the Trade." Generally, however, such tools are not posted here.

    Third, his tool is actually a very old version of the "cleaner" from early 2001 and is not actually a self-contained working version. It has to be compiled to run, as it contains the C source (at least I think that is what it is) for the program and not an exe file. Fourth, he already reported that the program would not make his target work, so, again, nothing to this point would assist anyone in making a working version of the target.

    All that aside, you are absolutely correct that we do not want people to come here asking how to remove the protection from specific targets.

    sars-serum, this is not how we want things to be approached here. You are only trying to use an automatic tool to do your reverse engineering and, when it failed, you want someone to fix it for you. That's not what we do here. This is the place where you come if you want to learn how to do the reversing yourself. You are supposed to study on your own and make your own attempt at reversing your target and ask for assistance with your approach to solving the problem, not a solution to a specific target. Time for you to rethink what you are doing and if you do not actually want to learn how to do these things yourself, you will find plenty of other places on the net where they answer the type of question you have asked.

    Regards,
    JMI

  8. #8
    nikolatesla20 (: Code Injector :) | Join Date: Apr 2002 | Location: :ether: | Posts: 815
    Does the application import any MSVCRT imports? If so, it could be written in MFC. In that case, you should bpx on an API called __set_app_type. If you bpx on getversion or on getmodulefilename or anything else you might end up still in vbox code. My theory for now is that you might not have the correct OEP...or the program is calling a DLL that does some stuff with VBOX, like show dialogs, etc...

    to JMI: I can never say it as well as you can. I hope it didn't offend u sars-serum. If I misconstrued your intentions, sorry man.

    -nt20
    Last edited by nikolatesla20; January 30th, 2004 at 13:53.

  9. #9
    maybe this trick helps... in imprec, delete all calls to VBOX-dlls. then open your target in debugger and find the call where vbox-expection happens

  10. #10
    arieri
    Guest
    yes the target imports MSVCRT. I did break on getstartupinfoa and it gives the
    same oep as msvcrt __set-app-type. It must be some call back to vboxtb.dll/vboxat.dll

    regards
    arieri

  11. #11
    cRk (Registered User) | Join Date: Apr 2003 | Location: out of hell | Posts: 152
    this tells me you're dealing with Expired program that has a nag like Vbox used to have.. your unpacking job is done so you need to study program code and defeat time limit

    Regards.

  12. #12
    arieri
    Guest
    When I run my "unpacked exe" before the trial has expired it starts without the vbox screen,
    but when I run my "unpacked exe" after the trial period is over the program starts just
    like the original program, loading all the vbox stuff first, and never reaches/loads the
    original program code. It never reaches the real oep. When I push the exit button
    I get a message box saying "could not start cooltype.dll"

    regards
    arieri

  13. #13
    Some guy uploaded a dlltester in armadicko thread. Well, it's regarding a commercial protection. Did you notice that? Does it violate the forum rules?
    esther


    Reverse the code,Reverse Your Minds First

  14. #14
    Yes, I saw that and wonder why you are posting your comment in THIS thread. As far as I can tell it is directed at a protection system and does not, itself, provide a "solution" to that system, but is just an analysis tool. But I haven't had time to try to test it myself, so am not sure exactly what it might really do.

    Regards,
    JMI

  15. #15
    >>we actually have a "don't post any tools" rule that applies to non-commercial "Tools of the Trade." Generally, however, such tools are not posted here.

    If I'm not wrong there is a rule here that tools should not be posted here (any forums). They should be sent to protools


    Regards
    esther


    Reverse the code,Reverse Your Minds First
