
How to manually remove a VBOX 4.3 protection.

Published by +Tsehp, 26 March 2000.

*Note from Tsehp: This essay actually works on the builder version of vbox 4.3. It doesn't work on older versions, like netfusion 5 for example.

-----------------------------------------------------------

A quick crap tutorial written by dEZZY / Drink or Die

General
--------

This document is written as guidance for manually removing a
vbox 4.3 protection. This is a tough commercial file protector
which wraps an unprotected program into a system where
it can be distributed on the Internet as trial software. Info
on VBOX can be found at http://www.previewsystems.com.



Tools used
-----------

* SoftICE 4.01 (or TRW2000 v1.13)
* SoftICE Backdoor Keeper
* Procdump 1.6.2 FINAL by G-RoM (hi mate!)

All tools can be downloaded at http://protools.cjb.net



Getting started
----------------

If you have patched SoftICE with icepatch or SoftICE Backdoor
Keeper, skip on to the next section. Otherwise you have to defeat
the SoftICE detection routine manually.

Note: You can also bypass this annoying detection by
using TRW2000 with Faults=off.



Bypassing SoftICE detection
-----------------------------

Load the program using SoftICE or TRW with the "faults = on" option
set. The program will break in a part of code that looks like this:

MOV ECX,ESP
MOV EAX,ECX <-- Breaks here
POP EDI
POP ESI
POP EBP
RET

And the debugger gives you the following message:

"Break Due on Fault 03"



Trace to the RET and you exit to a routine that looks like this:

070049D9 8B45F8 MOV EAX,[EBP-08]
070049DC 8B4024 MOV EAX,[EAX+24]
070049DF 8945FC MOV [EBP-04],EAX <-- BPM here
070049E2 68EA490007 PUSH DWORD 070049EA
070049E7 FF65FC JMP NEAR [EBP-04]
070049EA 33C0 XOR EAX,EAX <-- We land here
070049EC 5F POP EDI
070049ED 5E POP ESI
070049EE 5B POP EBX
070049EF C9 LEAVE
070049F0 C3 RET

Now, put a bpm for execution on 070049DF (bpm cs:070049DF x) and
restart the program. Once it breaks there, move 0 to EAX (r eax 0)
and carry on with the tutorial, pressing F5 to continue.





Note: If you can't find the above mentioned routine, put a bpx on
Kernel32!RaiseException. Once SoftICE breaks, debug inside the next
CALL [some address], then inside the next CALL, and inside an
INT 2E, and go on debugging until you reach the IRETD; step (F8) into
it and you appear at a RET right after the INT 2E. Now keep on
debugging until you exit a CALL VirtualFree. Then take a look
50 or 60 lines below in the code window and you'll see the routine.



Bypassing IAT encryption (New from VBOX v4.2)
--------------------------------------------------

"Main VBOX v4.3 code is pretty much like the old 4.2 version.
The only difference is that now VBOX encrypts the IAT while
loading the program, and redirects the addresses of the imported
functions to a routine in VBOXT430.DLL that decrypts them. This
way the program depends on VBOXT430.DLL to work, and a normal
dump will result in an unusable IAT. So, we'll crack that too."



Before you press the try-button, enter SoftICE and do a
'bpx GetProcAddress'. When SoftICE pops up inside GetProcAddress,
do a 'p ret' to exit it. Now you should be looking at the
following code:



015F:0700BB36 PUSH DWORD PTR [EBP-20]
015F:0700BB39 CALL [KERNEL32!GetProcAddress]
015F:0700BB3F MOV EDI,EAX <-- you are here
015F:0700BB41 CMP EDI,EBX
015F:0700BB43 JZ 0700BCE6
015F:0700BB49 MOV ESI,[ESI+16]
015F:0700BB4C ADD ESI,[EBP+08]
015F:0700BB4F CMP [EBP-24],EBX <-- encrypt function call?
015F:0700BB52 JZ 0700BB89 <-- jump if not
015F:0700BB54 LEA EAX,[EBP-0114]
015F:0700BB5A PUSH EAX
015F:0700BB5B PUSH DWORD PTR [EBP-20]
015F:0700BB5E PUSH EDI
015F:0700BB5F CALL 0700BF61
015F:0700BB64 ADD ESP,0C
015F:0700BB67 TEST EAX,EAX
015F:0700BB69 JZ 0700BB89
015F:0700BB6B PUSH DWORD PTR [EBP+28]
015F:0700BB6E PUSH EDI
015F:0700BB6F PUSH DWORD PTR [EBP+24]
015F:0700BB72 PUSH DWORD PTR [EBP+20]
015F:0700BB75 CALL 0700BDFE
015F:0700BB7A ADD ESP,10
015F:0700BB7D CMP EAX,EBX
015F:0700BB7F JZ 0700BDD6
015F:0700BB85 MOV [ESI],EAX <-- eax=encrypted
015F:0700BB87 JMP 0700BB8B
015F:0700BB89 MOV [ESI],EDI <-- not encrypted
015F:0700BB8B INC DWORD PTR [EBP-28]
015F:0700BB8E MOV EAX,[EBP-28]
015F:0700BB91 CMP EAX,[EBP-4C]
015F:0700BB94 JL 0700B9E3



This code works like an OS loader. After getting the function
addresses, some of them are encrypted before being stored back in the
IAT. What we must do here is patch the routine to skip
encryption of all function addresses. This is done by changing
the JZ instruction at 0700BB52 to a JMP 0700BB89.



Getting ready for dumping
---------------------------

Now you can do 'p ret' several times until you return from a 'call edi'.
Put a bpm for execution on it and exit SoftICE. When it breaks again,
step into that function call. You will notice that the code changes
while tracing through it. That's ok. Step into the first function call
here. Now look for a 'call eax' with EAX pointing to GetProcAddress
about 50-70 lines down. Trace down to it. Then step over it and step
into the next function call. Here you will see the following code
about 30 lines down:



015F:011604E0 MOV EDX,[EBP-08]
015F:011604E3 MOV EAX,[EDX+14] <-- get app entry point
015F:011604E6 MOV [EBP-10],EAX
015F:011604E9 MOV EBX,[EBP-10] <-- app entry point to EBX
015F:011604EC JMP EBX <-- jump to real entry point



Trace until you reach the JMP EBX. Now assemble and write 'JMP EIP'
(a eip; jmp eip) so it looks like this:

015F:011604EC JMP 011604EC <-- locked, jumps to itself

(In case you can't assemble, the byte codes for JMP EIP are: EB FE)

Thus, when you exit SoftICE, the process will lock itself at this
instruction. Press F5 to go on.



Start up procdump.exe and go into options. Under 'structure',
select everything. Under imports, select 'rebuild new import
table'. Select the process in Procdump with your right mouse button
and do a dump (full). Give it a name (dump.exe). Now click on
"PE Editor" and select the new dump.exe file. In the box "Entry
Point" you must enter the correct entry point. Remember this is
the value of EBX in the last instruction (JMP EBX) minus the ImageBase:

PE Entry Point = EBX - ImageBase (00400000)

So, for example, if EBX was 450983, the entry point you have to
enter in the PE header of your dump.exe file is:

450983 - 400000 = 50983

Press Ok to save the changes.
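An added example (my own, not part of dEZZY's tutorial and not Procdump or VBOX code) showing what the "PE Editor" step does underneath: it reads ImageBase, SizeOfImage and AddressOfEntryPoint from a PE32 or PE32+ optional header, converts an address seen in the debugger (the EBX value) into an RVA, and writes that RVA back as the entry point. The PE image is constructed in memory with only the header fields the parser reads; the 0x60000 SizeOfImage is a sample value, and the range check is the sanity test an analyst wants on any dump: if the address does not fall inside the dumped image, it is not that image's entry point.

```python
import struct

# Offsets inside the PE optional header, per the PE/COFF specification.
OPT_MAGIC_PE32 = 0x10B
OPT_MAGIC_PE32PLUS = 0x20B
OFF_ENTRY_POINT = 16    # AddressOfEntryPoint (RVA), same in PE32 and PE32+
OFF_IMAGE_BASE32 = 28   # ImageBase, 4 bytes in PE32
OFF_IMAGE_BASE64 = 24   # ImageBase, 8 bytes in PE32+
OFF_SIZE_OF_IMAGE = 56  # SizeOfImage, same in both


def build_minimal_pe(image_base, size_of_image, entry_rva):
    """Construct a headers-only PE32 image in memory (sample data, not a real binary).

    Only the fields the parser below reads are filled in; everything else is zero.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew -> "PE\0\0" right after the DOS header
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32)
    struct.pack_into("<I", opt, OFF_ENTRY_POINT, entry_rva)
    struct.pack_into("<I", opt, OFF_IMAGE_BASE32, image_base)
    struct.pack_into("<I", opt, OFF_SIZE_OF_IMAGE, size_of_image)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def optional_header_offset(data):
    """Return the file offset of the optional header, validating the MZ and PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20  # PE signature + COFF file header


def parse_pe(data):
    """Read ImageBase, SizeOfImage and AddressOfEntryPoint from a PE32 or PE32+ image."""
    opt = optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == OPT_MAGIC_PE32:
        image_base = struct.unpack_from("<I", data, opt + OFF_IMAGE_BASE32)[0]
    elif magic == OPT_MAGIC_PE32PLUS:
        image_base = struct.unpack_from("<Q", data, opt + OFF_IMAGE_BASE64)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return {
        "image_base": image_base,
        "size_of_image": struct.unpack_from("<I", data, opt + OFF_SIZE_OF_IMAGE)[0],
        "entry_point": struct.unpack_from("<I", data, opt + OFF_ENTRY_POINT)[0],
    }


def va_to_rva(pe, va):
    """Convert a virtual address seen in the debugger to an RVA, refusing anything outside the image."""
    base, size = pe["image_base"], pe["size_of_image"]
    if not base <= va < base + size:
        raise ValueError("0x%x lies outside the image [0x%x, 0x%x)" % (va, base, base + size))
    return va - base


def set_entry_point(data, entry_rva):
    """Return a copy of the image with AddressOfEntryPoint replaced (the PE Editor step)."""
    patched = bytearray(data)
    struct.pack_into("<I", patched, optional_header_offset(data) + OFF_ENTRY_POINT, entry_rva)
    return bytes(patched)


if __name__ == "__main__":
    # The tutorial's ImageBase (00400000) and EBX (450983); SizeOfImage is a constructed value.
    dump = build_minimal_pe(0x400000, 0x60000, 0x1000)
    ebx = 0x450983
    rva = va_to_rva(parse_pe(dump), ebx)
    fixed = set_entry_point(dump, rva)
    print("entry RVA = %x, header now says %x" % (rva, parse_pe(fixed)["entry_point"]))
```

Run directly it works the tutorial's 450983 - 400000 = 50983 through the header; the same functions handle PE32+ and any ImageBase, which is the general case behind that one subtraction.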



Now you have a working exe without vbox protection on your hard disk.
Congrats.



Now what?
-----------

Optionally you can re-optimize the PE header with MakePE or
something similar. And to finish you can pack it with PECompact or
another executable file packer.



------------------------------------------------------

Addendum: Ultrafast cracking of Vbox 4.3 using TRW2000

------------------------------------------------------


Tools needed: Only registered TRW2000 v1.11+
Estimated cooking time: 30 secs



1) run TRW2000 and press OK to leave it resident in memory
2) Ctrl+M to go into TRW2000 and set: Faults off
3) run the Vboxed program until it goes to the "Try" screen
4) Ctrl+M and set: bpx kernel32!getprocaddress
5) press the "Try" button
6) in TRW2000, press F12 and F10 to exit the CALL



015F:0700BB39 CALL [KERNEL32!GetProcAddress]
015F:0700BB3F MOV EDI,EAX <-- you are here
015F:0700BB41 CMP EDI,EBX
015F:0700BB43 JZ 0700BCE6
015F:0700BB49 MOV ESI,[ESI+16]
015F:0700BB4C ADD ESI,[EBP+08]
015F:0700BB4F CMP [EBP-24],EBX <-- encrypt function call?
015F:0700BB52 JZ 0700BB89 <-- jump if not



7) in TRW type: a cs:700bb52 (address of the 2nd JZ)
and type into it: jmp short 0700bb89
8) now enter: bl
that will show you the current breakpoints (only 1, in GetProcAddress),
something like this: bpx 015F:BFF79834
now type: bpe 1 (to edit it)
make it look like this: bpx 015F:BFF79834 if (eax==BFF79834)
(note that the address in eax is the same as GetProcAddress's address)
9) press F5 to continue. Each time TRW breaks, press F12 and then F10,
and see that you just exited a CALL EAX.
10) repeat step 9 (6 or 7 times) until you see code like this:



CALL EAX
TEST EAX,EAX <-- you are here
MOV [EBX+8C],EAX
JNZ 01170233
POP EDI
POP ESI
POP EBP



11) trace with F8 through the JZ and get into the next call. This is the last
call that executes the real program. 30 lines down, you'll see:



015F:011604E0 MOV EDX,[EBP-08]
015F:011604E3 MOV EAX,[EDX+14] <-- get app entry point
015F:011604E6 MOV [EBP-10],EAX
015F:011604E9 MOV EBX,[EBP-10] <-- app entry point to EBX
015F:011604EC JMP EBX <-- jump to real entry point



12) keep on tracing with F8 and execute the JMP EBX. Now you are at the
first instruction of the real program. Enter this in TRW: makepe
13) Voila! Now you have a file called newpe.exe in the default dir
which is an unvboxed copy of the program (with correct EntryPoint).



THE END