
Thread: VBox 4.6.2

  1. #1
    jabz
    Guest

    VBox 4.6.2

    Hey, I'm trying to crack the newest VBox 4.6.2 and I have stumbled on a bunch of possible OEPs. How do I find out the correct one?

    All help is appreciated
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Registered User hobferret's Avatar
    Join Date
    Jul 2002
    Location
    Alien Area near Albuquerque
    Posts
    203
    jabz

    Before anyone here will help you, you need to post what you have achieved so far.

    Apart from that there are numerous items on the board regarding this very topic.

    /hobferret

  3. #3
    jabz
    Guest

    sorry

    Sorry, OK... I guess what I'm saying is I need help finding the correct OEP. I have read a lot of tutorials on VBox... well, not a lot, but whatever is available, and each one has a different method. When I use these methods on my program, I get different OEP possibilities. For example, if I break on GetVersionExA, I get into a part of the code and, a few lines up, I can see the stack being set up with PUSH EBP... and so on. If I break on GetVersion, I get the same result with the stack being set up, but at a different address. Furthermore, when I have tried to trace it manually, I got to parts of code that looked like this:

    INT 3
    INT 3
    INT 3
    INT 3
    PUSH EBP
    MOV EBP,ESP
    . ;so on
    .
    .
    INT 3
    INT 3
    INT 3
    PUSH EBP
    MOV EBP,ESP
    . ;so on


    As you can see, I'm clearly not sure what is happening. I'll be glad if someone can explain this.
    Thanks.
    Jabz

  4. #4
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    I have been messing around with some VBox 4.6.2 protected apps that will go unmentioned here. I have tried to manually unpack it.

    The first few bytes before the OEP, which set up the stack frame, are stolen, and you can reconstruct them if you carefully trace the last 10 to 20 instructions of the VBox module, lost in between obfuscated code.

    There are traps, so quick shortcuts, like breaking in GetVersion and GetVersionExA, often land in some senseless code which appears in partially unpacked-decoded segments but jumps back into VBox code.

    I hope I made some sense

    Naides

  5. #5
    Registered User hobferret's Avatar
    Join Date
    Jul 2002
    Location
    Alien Area near Albuquerque
    Posts
    203
    naides

    I have never seen a VBox with stolen bytes. Maybe I am wrong, but unlikely.

    Most likely, if you set a break on an API [NOT GOING TO SAY WHICH ONE] after the NAG, you will be a few lines down from the EP. Code may appear obfuscated if you just scroll up; however, if you look for the bytes which create the stack frame and then do U ADDRESS, it will appear. It's the way some debuggers show the code following the break.

    If you wanna PM me a program that has STOLEN bytes, I would like to see it.

    /hobferret

  6. #6
    LetMeIn
    Guest
    I have a target wrapped in VBox 4.6.2 that I want to unwrap. I have been using the tut written by Lunar_Dust as a guide. The first several steps match almost exactly even though the target app is different. However, I get completely lost when I try to find the OEP. I have tried breaking on GetVersion, but the code I get doesn't match the tut. I'm not sure where to go from here. Any help would be much appreciated.

    BTW, I am brand new to unpacking. This is my first attempt.

  7. #7
    Eggi
    Guest
    Maybe a bpm on access on the code section can help you.

  8. #8
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Quote Originally Posted by LetMeIn
    However, I get completely lost when I try to find the OEP. I have tried breaking on GetVersion, but the code I get doesn't match the tut. I'm not sure where to go from here. Any help would be much appreciated.

    BTW, I am brand new to unpacking. This is my first attempt.
    GetVersion has been used and abused. It worked in old programs, not any more. Try reading HobFerret's tut, try Ricardo Narvaja's manual unpacking tuts, and do not stick to the tuts so tightly. They are good, Lunar Dust's one is very well written, but they do not have universal applicability.

  9. #9
    LetMeIn
    Guest
    Where can I find the Hobferret tut? I have found it on the exetools forum; however, I am not eligible to download until I make "3 valid postings." As yet, I cannot talk intelligently enough about the subject to make such postings.

    I have used Google, etc. and there is not much out there on VBox 4.6.

  10. #10
    Winds of Change
    Join Date
    Feb 2004
    Location
    Reality, unlike some people
    Posts
    43
    PM me with the target, I would like to try my method of finding the OEP on this program.

    hobferret tut:
    http://www.exetools.com/forum/showthread.php?t=4160
    Last edited by %UNDEFINED%; October 2nd, 2004 at 07:42.
    Regards,
    %UNDEFINED%

    "Without change one cannot evolve."

  11. #11
    %UNDEFINED%:

    He already said he found it on the exetools forum, but couldn't download there yet. Paying attention is useful.


    regards,
    JMI

  12. #12
    Well, sometimes we are so anxious to be helpful, we forget to pay attention to the details. And a thank you to Naides for reminding me that this tut contains target specific information and, as such, is not appropriate for posting on this Forum. If you want to PM %UNDEFINED%, I'm sure he can e-mail it to you or put it up somewhere where it might be permitted.

    Regards,
    JMI

  13. #13
    Winds of Change
    Join Date
    Feb 2004
    Location
    Reality, unlike some people
    Posts
    43
    I am so sorry JMI, I actually hadn't read it yet.

    My thanks to Naides for catching that, I should have been more careful.

    And you are right JMI, sometimes I get that way. I am not the most experienced unpacker, I don't get into keygening or other types of R.E., so when someone asks for help on a packer target that I have spent many hours exploring, I tend to jump without thinking, but I guess that is why you are here.

    Not to babysit or wipe my pooper, but to moderate and protect this forum from honest mistakes as well as blatant disregard of forum policy.

    I thank you for not banning me for breaking Woodmann rules.
    Regards,
    %UNDEFINED%

    "Without change one cannot evolve."

  14. #14
    We aren't really that heartless that we would ban you simply for violating a rule about attaching a tut with target specific code. At least not on the first instance. I had actually read it when it was first posted on exetools and I also had forgotten that it contained target specific code. It is sufficient that the error was recognized and corrected. Punishment is generally reserved for more flagrant and/or intentional violations. These rules are in place to protect the Board from efforts to shut it down and not as a tool for banning the unwary or even careless.

    Enough said.

    Regards,
    JMI

  15. #15
    LetMeIn
    Guest

    kernel32.dll

    I have made some small steps, but steps nonetheless. After completing the code injection similar to what is described by Lunar_Dust, I used ImpREC and I still have lots of imports in kernel32.dll that are invalid. These invalid calls are to the vboxtb.dll that I used in my code injection. I tried all of the different trace options in ImpREC with no success. Does anyone have a clue what's going on and/or suggestions on a possible fix?
