How to manually remove a VBOX 4.3 protection.

updated by +Tsehp, June 2000.






This small essay is provided, just in case you find a vboxed target not protected by the version described in dezzy's essay about vbox 4.3.

I'm talking about an intermediate version, where the target's imports are not encrypted, and the process is much more simple, you'll see.



-Sice 4.05



-Hex workshop


Target's url:

Perlbuilder is the one.


This essay is fully tested on a windows 2000 system.


Fire softice, start your target, you land on the nag screen.

Put a bpx getmodulehandlea, then click the try button.

Press f12, you land inside vbox at 0x7007190. F12 again, you land at 0x60012f1.

F12 again, until you see a call eax, go inside with F8, you're just at the target's entry.

Calculate the target's length using map32 eip.

Dump your target using icedump : PAGEIN D 40000 L 165012 <your path>

Softice session is finished.


Now we have to refix the pe sections, header and imports.

Fire procdump, then use rebuild pe. Change the prog's entry point to 0001000 (just to start at 401000).


Start your target, it's normally working. Say thank's to wei jun li for his great commercial protection, maybe a future button on vbox 4.4 : crackme !