
Thread: Vbox 4.6.2 confusion

  1. #16
    psy_gr
    Guest
    So, I followed your method hobferret, as documented in the PgMkr walkthrough. I was able to find the OEP, and after the JMP EBX that leads into the application, I made a dump with OllyDump. The next step was to initialize ImpREC and point it to the running executable. I fed it the OEP, and it loaded the imports from the IAT. Now, there are several thunks (modules) that appear not valid, with pointers to vboxta.dll. I tried tracing them with either Hook (2) or Trap Flag (3), but to no avail. I have also set the timeout on (3) to 300 msec. To my understanding, only two of the imports should need manual intervention, but I am faced with 5 valid modules (thunks) out of 9, which means plenty of functions are not imported on the remaining 4 modules. Any suggestions?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #17
    Registered User hobferret's Avatar
    Join Date
    Jul 2002
    Location
    Alien Area near Albuquerque
    Posts
    203
    Try looking at this post

    http://woodmann.net/forum/showthread.php?t=5673&page=4

    /hobferret

  3. #18
    psy_gr
    Guest
    I've read that post, along with any related threads I managed to dig out using the local search feature. I cannot comprehend what I must do. Perhaps you could shed some light on my dead brain cells if we are talking on a common basis. So, I quote below the last thunk of the tree.

    FThunk: 00005290 NbFunc: 00000015
    1 00005290 vboxta.dll 0001
    1 00005294 user32.dll 00C0 DrawTextW
    1 00005298 vboxta.dll 0001
    1 0000529C vboxta.dll 0001
    1 000052A0 vboxta.dll 0001
    1 000052A4 vboxta.dll 0001
    1 000052A8 user32.dll 00EC GetActiveWindow
    1 000052AC vboxta.dll 0001
    1 000052B0 vboxta.dll 0001
    1 000052B4 vboxta.dll 0001
    1 000052B8 user32.dll 0282 SetWindowLongW
    1 000052BC user32.dll 0170 GetWindowLongW
    1 000052C0 user32.dll 029B SystemParametersInfoW
    1 000052C4 user32.dll 0062 CreateWindowExW
    1 000052C8 user32.dll 021A RegisterClassW
    1 000052CC vboxta.dll 0001
    1 000052D0 vboxta.dll 0001
    1 000052D4 user32.dll 009A DestroyWindow
    1 000052D8 vboxta.dll 0001
    1 000052DC user32.dll 02AB TranslateMessage
    1 000052E0 vboxta.dll 0001

    I am aware that the problem lies with the vboxta.dll entries. How am I supposed to trace it in Olly though? In that thread, you mention:

    >Remember what I said before get to the OEP in Olly then look for something
    >like CALL DWORD PTR [ADDRESS]. Any unresolved can be stopped in this
    >block and then traced to see where you end up!

    Does that mean that I have to get back into the OEP in Olly, and then look for a pointer to which address? Assuming the OEP is 00403B26 (00003B26 in ImpREC), with RVA 00005000 sized 000002E8. I hope I don't sound too dumb.

  4. #19
    hobferret
    OK then dumbo

    Your first thunk is 1 00005290 vboxta.dll 0001, so you say.

    Get to the OEP, then go to the memory window, go to the address of this and set a memory breakpoint on access (or execution). When it stops, trace from there and you should end up in the right place in the DLL. You just need to remember what it was.

    Then if you are still in trouble, repeat this for all unresolved ones.

    With great difficulty!

    /hobferret
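To make hobferret's answer concrete against the thunk psy_gr quoted, here is an added example (not code from the thread or from ImpREC): a small Python script that parses that ImpREC thunk block, checks that NbFunc and the 4-byte slot stride are consistent, and lists the IAT slots still redirected into vboxta.dll together with the virtual address to set the memory breakpoint on. The image base 0x400000 is an assumption taken from psy_gr's mapping of OEP 00403B26 to 00003B26 in ImpREC.

```python
import re
IMAGE_BASE = 0x400000  # assumption: the post maps OEP 00403B26 to 00003B26 in ImpREC
# The thunk block exactly as psy_gr quoted it above.
IMPREC_TREE = """FThunk: 00005290 NbFunc: 00000015
1 00005290 vboxta.dll 0001
1 00005294 user32.dll 00C0 DrawTextW
1 00005298 vboxta.dll 0001
1 0000529C vboxta.dll 0001
1 000052A0 vboxta.dll 0001
1 000052A4 vboxta.dll 0001
1 000052A8 user32.dll 00EC GetActiveWindow
1 000052AC vboxta.dll 0001
1 000052B0 vboxta.dll 0001
1 000052B4 vboxta.dll 0001
1 000052B8 user32.dll 0282 SetWindowLongW
1 000052BC user32.dll 0170 GetWindowLongW
1 000052C0 user32.dll 029B SystemParametersInfoW
1 000052C4 user32.dll 0062 CreateWindowExW
1 000052C8 user32.dll 021A RegisterClassW
1 000052CC vboxta.dll 0001
1 000052D0 vboxta.dll 0001
1 000052D4 user32.dll 009A DestroyWindow
1 000052D8 vboxta.dll 0001
1 000052DC user32.dll 02AB TranslateMessage
1 000052E0 vboxta.dll 0001
"""
ENTRY_RE = re.compile(r"([01]) ([0-9A-F]{8}) (\S+) ([0-9A-F]{4})(?: (\S+))?$", re.I)

def parse_tree(text):
    """ImpREC thunk block -> (FThunk RVA, NbFunc, [(valid, rva, module, ordinal, name)])."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    hdr = re.match(r"FThunk: ([0-9A-F]{8}) NbFunc: ([0-9A-F]{8})", lines[0], re.I)
    ents = [ENTRY_RE.match(l) for l in lines[1:]]
    return int(hdr[1], 16), int(hdr[2], 16), [
        (m[1] == "1", int(m[2], 16), m[3].lower(), int(m[4], 16), m[5]) for m in ents]

def consistency_problems(fthunk, nbfunc, entries):
    """NbFunc must equal the entry count; PE32 IAT slots are contiguous 4-byte pointers."""
    problems = [] if len(entries) == nbfunc else [f"NbFunc {nbfunc:#x} != {len(entries)} entries"]
    return problems + [f"slot {i} at RVA {e[1]:08X} breaks the 4-byte stride"
                       for i, e in enumerate(entries) if e[1] != fthunk + 4 * i]

def redirected_slots(entries, protector_dll="vboxta.dll"):
    """Slots still pointing into the protector's DLL with no API name: these need manual tracing."""
    return [e for e in entries if e[2] == protector_dll and e[4] is None]
if __name__ == "__main__":
    ft, nb, ents = parse_tree(IMPREC_TREE)
    print(consistency_problems(ft, nb, ents) or "thunk block consistent")
    for e in redirected_slots(ents):  # VA to set the memory breakpoint on, as hobferret describes
        print(f"CALL DWORD PTR [{IMAGE_BASE + e[1]:08X}]   ; IAT slot RVA {e[1]:08X}, trace from here")
```

Each printed address is the [ADDRESS] of the CALL DWORD PTR form hobferret refers to; the ordinal 0001 on every redirected slot is what ImpREC shows when it cannot name the API behind the protector's stub.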

  5. #20
    psy_gr
    Guest
    Hello. I am back again. I've made some progress, interestingly enough. I have rebuilt the IAT using Olly and ImpREC, and attempted to fix the dump. Everything went fine. So, I double-clicked the resulting file, which to my surprise ran fine. But, at some point, as it was loading some application extension, the Vbox nag came up once again.

    So, I presume that the particular file is packed as well, besides the regular executable. The problem is, the file isn't a .dll module. It has an arbitrary extension, as this particular application usually does. I do understand that it is of valid PE format (obviously), but how would I go about unpacking it as well?

    Thanks for your valuable contribution so far.

    edit. Fortunately enough, I was able to copy that particular file from the legal retail copy I owned, and it worked flawlessly. I now have a fully operational copy of the program without any nag screens. But still, I would be interested in finding out how to completely unwrap everything.
    Last edited by psy_gr; November 10th, 2004 at 14:23.

  6. #21
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Quote Originally Posted by psy_gr:
    > edit. Fortunately enough, I was able to copy that particular file from the legal retail copy I owned,
    Those are plug-in modules, which are .dlls in disguise.

    They have their wrinkles, but can be unpacked.
    Watch and learn, son:

    1. You have the original one, unpacked, so look at the code pattern around the original entry point. If it is a different version, disassemble other plugins and learn the code pattern.

    2. That way you find the OEP. Dump.

    3. Also look at the IATs of the not-packed mods and/or the original unpacked one. ImpREC gets lost detecting the IAT because it is located in some weird areas. You have two options: reverse ImpREC, and learn how it decides where the IAT is located, then figure out a "correction factor" to manually input in ImpREC's IAT begin box. The autosearch tends to fuck up.

    4. Or learn to fix the IAT by hand without ImpREC. Long, slow but entertaining, and instructive.

    5. You need to wipe out the packed plugin module from the folders, because the program scans the plugin folders, finds the packed mod and loads it even if you change the name.

    6. PEiD locates all the packed mods (at least in my app).

    Have fun
    Last edited by naides; November 11th, 2004 at 08:34.

  7. #22
    hobferret
    Quote Originally Posted by psy_gr:
    > So, I presume that the particular file is packed as well, besides the regular executable. The problem is, the file isn't a .dll module. It has an arbitrary extension, as this particular application usually does. I do understand that it is of valid PE format (obviously), but how would I go about unpacking it as well?
    Hey this sounds interesting can you PM the target

    /hobferret

  8. #23
    psy_gr
    Guest
    Ok. A Private Message is on its way. Regards.

  9. #24
    hobferret
    psy_gr

    That is an upgrade so I can't help with that coz I got nowt to upgrade! Read your PM for another approach.

    Regards

    /hobferret

  10. #25
    psy_gr
    Guest
    Quote Originally Posted by hobferret:
    > That is an upgrade so I can't help with that coz I got nowt to upgrade! Read your PM for another approach.
    Well, I can assure you that it is not an upgrade of some kind. It is the full program, version 3.0.1 (not mentioning the program name here) and it does not require any previous versions to be installed. I had it installed inside a virgin virtual machine, so I kinda have first-hand experience. I've also sent you a PM with something along the above lines. Regards.

  11. #26
    hobferret
    Hmm......

    Well, the site says it's an update for programXXXX, and it's 100MB. So you will have to wait a while, mate.

    But I sort of promise I will have a look

    /hobferret

  12. #27
    psy_gr
    Guest
    Quote Originally Posted by hobferret:
    > Well, the site says it's an update for programXXXX, and it's 100MB. So you will have to wait a while, mate.
    Yes, indeed. The page title can be (is) a bit misleading, I must admit. But fear not, this is the real thing. Ok, take your time. I'll lurk around for any progress you might be making. Regards.

    edit. @naides: Well, a thorough installation directory scan with PEiD only revealed the main executable to be protected. Somehow, the plugin was not flagged. But, something seemed fishy from the beginning of the debugging session, since Olly was complaining about invalid pointers regarding the particular extension. And yes, obviously the plugin must be removed from the plugins folder, as it will get loaded automatically when the application gets initialized.
    Last edited by psy_gr; November 12th, 2004 at 17:11.

  13. #28
    hobferret
    Hi psy_gr

    OK, first look at what my friend naides had to say in this thread.

    Then you say PEiD only revealed the main EXE; well, with a bit of thought you may have realised that you need to do a recursive scan, which will reveal all modules.

    You will find there is 1 more file packed with VB, which can easily be resolved by renaming it to something PEiD will recognise. When you find it, load it into Olly and unpack it.

    It does seem that you have the IAT correct, so just play with the remaining file, which for some reason is called twice.

    /hobferret

  14. #29
    psy_gr
    Guest
    Quote Originally Posted by hobferret:
    > Then you say PEiD only revealed the main EXE; well, with a bit of thought you may have realised that you need to do a recursive scan, which will reveal all modules.
    I don't understand what you are talking about here. What do you mean by "recursive scan"? PEiD traversed the entire installation directory including plugin subfolders, etc. That module was not flagged.

    Quote Originally Posted by hobferret:
    > You will find there is 1 more file packed with VB, which can easily be resolved by renaming it to something PEiD will recognise. When you find it, load it into Olly and unpack it.
    But I do know which file is packed already! And why should I rename it to anything in order for PEiD to pick it up? I thought it scanned files based on having a valid PE structure, not extension!

    Quote Originally Posted by hobferret:
    > It does seem that you have the IAT correct, so just play with the remaining file, which for some reason is called twice.
    Yes, I do have the IAT correct, since everything is working! And there is no file that gets called twice! Please re-read my posts.

  15. #30
    hobferret
    NO COMMENT

    And there is a file that gets called twice - unless you have a different program - although I have gotten hold of where you pointed me.

    BTW, rename it to something that Olly will recognise, not PEiD; my mistake, coz I am a thick bas**rd.

    Obviously I can't help you anymore coz you know everything

    /hobferret - who is quite obviously thick
    Last edited by hobferret; November 14th, 2004 at 13:38.
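To go with naides' steps 5 and 6 and the PEiD discussion that follows them, an added example (not code from the thread, PEiD or any other tool named in it): it decides whether a plug-in is a PE by its MZ and PE signatures rather than its extension, and applies two cheap packer heuristics to its section table. build_pe constructs a minimal header-only image so the block runs offline; the 7.0 entropy and 4x size thresholds are my assumptions, not values from the thread.

```python
import math, struct

def is_pe(data):
    """Decide by the MZ and PE\\0\\0 signatures, never by extension: the plug-in in this
    thread carried an arbitrary extension and was still loaded as a DLL."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def entropy(buf):
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def sections(data):
    """Yield (name, VirtualSize, SizeOfRawData, raw bytes) from the section table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # COFF SizeOfOptionalHeader
    first = pe + 24 + opt_size                              # section headers follow the optional header
    for i in range(nsec):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, first + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, data[rptr:rptr + rsize]

def packer_hints(data):
    """Cheap packer indicators (assumed thresholds): a section whose raw bytes are near-random,
    or whose in-memory size dwarfs its on-disk size, leaving room for a stub to unpack into."""
    hints = []
    for name, vsize, rsize, raw in sections(data):
        h = entropy(raw)
        if h > 7.0:
            hints.append(f"{name}: entropy {h:.2f}")
        if vsize > 4 * max(rsize, 1):
            hints.append(f"{name}: VirtualSize {vsize:#x} >> SizeOfRawData {rsize:#x}")
    return hints

def build_pe(raw, vsize, name=b".text"):
    """Constructed minimal PE32 image for testing only: headers plus one section, not loadable."""
    hdr_end = 0x40 + 24 + 40  # DOS header + COFF header + one section header, no optional header
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    sec = struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, len(raw), hdr_end, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sec + raw
```

To sweep an installation tree the way psy_gr describes, walk it with os.walk, read each file and run is_pe and packer_hints on the bytes; a file is then reported on its content, so an odd extension cannot hide it.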
