Remove a VBox 4.3 protection


Post by Onit »

Hi,

I'm a newbie in RCE. I tried to remove a VBox 4.3 protection from an app using the Dezzy/DoD tutorial "How to manually remove a vbox 4.3 protection", but the dumped file didn't work (it generated a page fault).

After a bunch of trial & error (and crashes), I finally got a running app, simply by changing the option in Procdump -> 'rebuild import table' instead of 'rebuild new import table'.

Can anybody tell me the difference between those settings?

My second question: the new exe is bigger than the original. Is that OK? Or maybe there is a lot of useless code in the app which could be removed?

Thanks

Post by DakienDX »

Hello Onit !

The difference between the two settings is described in the ProcDump manual.
* Rebuild import table.

Detect import table using heuristical criteria and fixup the import table if found.

* Full Import rebuild. (=rebuild new import table)

Detect import table, generate a new import section, generate import function names & ordinals. There is a BIG chance that generated PE runs perfectly ;) . In order to be 100% perfect, RUN PROCDUMP32 From Target directory in this specific mode.

A VBoxed .EXE is always packed, so the unpacked .EXE will be bigger. There will probably also be much useless code in the unpacked file, but if you're a newbie to RCE, as you say, you shouldn't care much about it.
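
General PE import-table background for the two options quoted above, as an added example that is not part of the original posts and is not ProcDump's code: in a memory dump the import address table holds addresses written by the loader, so a descriptor that still has an import name table yields its function names, while one without it does not and its names have to be regenerated. The blob layout, RVAs and addresses below are constructed for the example, and the function names are hypothetical.

```python
import struct

BASE_RVA = 0x2000  # constructed: RVA at which the sample blob is mapped

def build_sample():
    """Constructed import data as it might look in a memory dump."""
    img = bytearray(0xC0)
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp,
    # ForwarderChain, Name, FirstThunk (five little-endian DWORDs).
    struct.pack_into("<5I", img, 0x00, 0x2040, 0, 0, 0x2080, 0x2050)
    struct.pack_into("<5I", img, 0x14, 0, 0, 0, 0x2090, 0x2060)  # no name table
    struct.pack_into("<I", img, 0x40, 0x20A0)      # name table -> hint/name entry
    struct.pack_into("<I", img, 0x50, 0x77E81000)  # IAT slot, bound by the loader
    struct.pack_into("<I", img, 0x60, 0x77D41234)  # IAT slot, bound by the loader
    for off, s in ((0x80, b"KERNEL32.dll"), (0x90, b"USER32.dll"),
                   (0xA2, b"ExitProcess")):        # 0xA0 holds the 2-byte hint
        img[off:off + len(s)] = s
    return bytes(img)

def cstr(img, rva):
    off = rva - BASE_RVA
    return img[off:img.index(b"\0", off)].decode("ascii")

def thunks(img, rva):
    """Read a zero-terminated array of 32-bit thunks."""
    out = []
    while True:
        (value,) = struct.unpack_from("<I", img, rva - BASE_RVA)
        if value == 0:
            return out
        out.append(value)
        rva += 4

def recoverable_imports(img, import_rva):
    """Map each DLL to its import names; None marks a name lost to binding."""
    report, rva = {}, import_rva
    while True:
        oft, _, _, name, ft = struct.unpack_from("<5I", img, rva - BASE_RVA)
        if name == 0 and ft == 0:                  # all-zero descriptor ends the list
            return report
        names = []
        for t in thunks(img, oft or ft):           # fall back to the IAT if no name table
            if t & 0x80000000:                     # import by ordinal
                names.append("#%d" % (t & 0xFFFF))
            elif BASE_RVA <= t < BASE_RVA + len(img):
                names.append(cstr(img, t + 2))     # skip the hint
            else:
                names.append(None)                 # bound address, not an RVA
        report[cstr(img, name)] = names
        rva += 20

if __name__ == "__main__":
    print(recoverable_imports(build_sample(), BASE_RVA))
```

A bound address with its top bit set would be taken for an ordinal import by the bit test above, so a real checker needs more than this one test.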

Post by Onit »

Hi DakienDX,

Thanks for the explanation.

I read the manual even though I didn't understand the details ;) . I'm just curious why the dumped file didn't run correctly when I used the full import rebuild, as described in the tutorial: "Under imports, select 'rebuild new import table'", and according to the manual: "There is a BIG chance that generated PE runs perfectly". So I thought I missed something during the dumping process.

Anyway, thanks again.