Contact Me : dheeraj_np@usa.net or vbox_gl@usa.net
http://mxb.cjb.net


Ripping vbox 4.2 out of paradise - By Alpine



hello!
Wanted to do something "special" before I have to join the military
forces, to fight for peace in Austria.
*sighs* We call the few inexperienced people with aged weapons an
army, although we all know even a group of terrorists could win a
war against Austria.
Anyway, that's another topic we don't want to discuss here. This essay
describes how to rip Vbox 4.2 out of any program which got wrapped
with it.


tools needed
^^^^^^^^^^^^
#standard tools (SoftICE, ProcDump, a PE editor, ...)
#a debugger which automatically stops at an int3, like TurboDebugger
#either a program wrapped with Vbox, or write your own one and wrap it
#(Vbox is the software-protection wrapper from Preview Systems)

I assume you have these tools at home... because I don't know the URLs where to
get them :) hehe


let's get started
^^^^^^^^^^^^^^^^^

a.) the annoying anti-debug trick

Start your OS without SoftICE enabled. Load your program into TurboDebugger
and run it (F9). It will break on an int3.
Look at si and di and you will see the magic values
(si=4647h; di=4A4Dh). Step over the int3 until you have passed the ret.
Write down the address of the jump (jmp [ebp-07]). You can now quit
TurboDebugger.
[ebp-07] holds the pointer to the temporary buffer in which the int3 and the
other instructions are executed. Now reboot with SoftICE enabled.
#how the ad-trick works: Vbox sets up an SEH frame and then executes that int3
#with si='FG' (4647h) and di='JM' (4A4Dh). Those are the magic values of
#SoftICE's BoundsChecker interface: if SoftICE is present, it handles the int3
#itself without raising an exception, so the code after the int3 keeps running
#and Vbox knows SoftICE is installed. If no SoftICE is there, the int3 raises an
#exception, the SEH handler catches it and the program continues as normal.
#
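The check described above, written out as an added example in C (this is not Vbox's or SoftICE's code, and the function names are mine). The first branch is the Windows form of the trick for a 32-bit MSVC build: an SEH frame around an int3 with si='FG', di='JM', where a swallowed trap means a kernel debugger ate it. The second branch is a POSIX analogue, an assumption on my part rather than anything the essay shows, in which a SIGTRAP handler stands in for the SEH frame; a ptrace debugger such as gdb takes the trap and by default does not pass it on, so the handler never runs, which is the same observable effect as SoftICE eating the int3.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>

#if defined(_MSC_VER) && defined(_M_IX86)
/* Windows, 32-bit MSVC: the check the way a wrapper does it. If the exception
 * filter never runs, something handled the int3 before the OS got to us. */
#include <windows.h>
static int int3_swallowed_by_debugger(void)
{
    int exception_seen = 0;
    __try {
        __asm {
            mov si, 0x4647      ; 'FG'
            mov di, 0x4A4D      ; 'JM'
            int 3
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        exception_seen = 1;     /* no SoftICE: the trap reached our handler */
    }
    return !exception_seen;
}
#else
/* POSIX analogue (assumption, not from the essay): a SIGTRAP handler replaces
 * the SEH frame. Under gdb the trap is reported to the debugger and by default
 * not delivered to the process, so trap_seen stays 0. */
#include <signal.h>
#include <string.h>

static volatile sig_atomic_t trap_seen = 0;
static void on_trap(int sig) { (void)sig; trap_seen = 1; }

static int int3_swallowed_by_debugger(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_trap;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGTRAP, &sa, &old);
    trap_seen = 0;
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile("mov $0x4647, %%si\n\t"   /* 'FG' */
                     "mov $0x4A4D, %%di\n\t"   /* 'JM' */
                     "int3"
                     : : : "esi", "edi", "memory");
#else
    raise(SIGTRAP);   /* non-x86 build: no int3 instruction, raise the trap instead */
#endif
    sigaction(SIGTRAP, &old, NULL);
    return trap_seen ? 0 : 1;
}
#endif

/* 1 = debugger present (trap swallowed), 0 = no debugger (our handler ran). */
int debugger_detected(void) { return int3_swallowed_by_debugger(); }

int main(void)
{
    printf("int3 check: %s\n", debugger_detected() ? "debugger present" : "clean");
    return 0;
}
```

Run it plain and it prints "clean"; run it under gdb (or, on Windows, with SoftICE loaded) and it prints "debugger present". The defeat described next in the essay works on the other side of this check: if the trap instruction never gets a chance to be swallowed, or any other exception reaches the handler first, the wrapper takes the "no debugger" path.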
Load the program into Symbol Loader. Now set a breakpoint on the location
you wrote down before. But don't use bpx, because bpx writes an int3 into the
code and Vbox CRC-checks itself; use a hardware breakpoint instead: bpmb x.
Now run it. Back in SoftICE we are going to raise an exception ourselves: edit
the pointer stored at [ebp-07] to 0 by typing
ed (ebp-07) 0
The jump then goes to address 0 and faults, which is the exception the SEH
handler is waiting for. Now F5 and you don't get that annoying tamper message,
but you get a dialog box.
Press Try and you'll get kicked back to SoftICE again.
Change the value at [ebp-07] to 0 another time.
Before pressing F5.... we have to set a breakpoint...

b.) finding the final jump

...In order to find the final jump we have to know what the program is
doing next. At least we can assume it :). It has to get the addresses
of the APIs we use in our program, and this is done through GetProcAddress.
Break on that using bpx GetProcAddress. Now F5.... Back in SoftICE,
disable all breakpoints and get out of the GetProcAddress call by
using F12.
Now a kind of annoying thing comes: stepping through masses of code :)
It's not that hard.... I'll shorten it up.
You could search for the following opcodes to shorten it:
53,53,ff,d6,5b,85,c0,74,2e,68,00,80,00
which disassembles to something like this:
push ebx
push ebx
call esi
pop ebx
test eax,eax
je (short jump, +2eh)
followed by a push imm32 (68 ...) whose last byte is not in the pattern

Anyway you'll find your way there (about 1 minute of stepping to that
location). Trace into the call esi; in there you'll find only one call, step into it.
Then step, step, step until you come across a call eax; don't step into it.
The next call is the last one we are going to step into. Trace... and you'll find
mov ebx,[ebp-14]
jmp ebx
That's the final jump (ebx is of course the entry point of your program),
so write down ebx. Step to the jmp, but don't execute it. Now park the
program in an infinite loop, so it stays alive at the entry point while we dump it:
' a eip'
'jmp eip'
(that assembles a jump to itself at the current eip; then F5 to let it run)


c.) dumping the paradise

Open ProcDump; select the program from the task list; right-click and select
full dump; save it; open the dump in a PE editor and change the entry point to
what you saw in ebx (remember: entry point = 'what you saw in
ebx' - 'imagebase', because the PE header stores the entry point as an RVA,
not as an absolute address).
Now just make it more compatible and open the file in Rebuild PE, so the
section raw offsets and sizes match the memory layout of the full dump.
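The entry-point fix from this section as an added example in C, doing by hand what the PE editor does (this is not ProcDump's code; the function names are mine, the ebx value 0x401234 is hypothetical, and the PE32 header it works on is constructed for the demo). Besides the subtraction, it does the checks a practitioner wants before saving: the MZ/PE signatures, PE32 versus PE32+ (ImageBase is 8 bytes in the latter), and that the new RVA actually lands inside a section, since a mis-read ebx otherwise yields a dump that crashes on load.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Unaligned little-endian accessors, so this runs on any host. */
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

enum { PE_OK = 0, PE_ERR_TRUNCATED = -1, PE_ERR_SIGNATURE = -2, PE_ERR_MAGIC = -3,
       PE_ERR_BELOW_BASE = -4, PE_ERR_NOT_IN_SECTION = -5 };

/* Point AddressOfEntryPoint of the PE image in buf[0..len) at oep_va, the
 * absolute address seen in ebx at "jmp ebx": EP RVA = oep_va - ImageBase.
 * Refuses non-PE32/PE32+ images and OEPs outside every section. */
int pe_set_entry_point(uint8_t *buf, size_t len, uint64_t oep_va, uint32_t *old_rva)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return PE_ERR_SIGNATURE;      /* "MZ" */
    uint32_t pe = rd32(buf + 0x3C);                                     /* e_lfanew */
    if (pe > len || len - pe < 4 + 20) return PE_ERR_TRUNCATED;
    if (rd32(buf + pe) != 0x00004550) return PE_ERR_SIGNATURE;          /* "PE\0\0" */
    const uint8_t *fh = buf + pe + 4;                     /* IMAGE_FILE_HEADER */
    uint16_t nsect = rd16(fh + 2), opt_size = rd16(fh + 16);
    uint8_t *opt = buf + pe + 24;                         /* IMAGE_OPTIONAL_HEADER */
    if ((size_t)(pe + 24) + opt_size + (size_t)nsect * 40 > len) return PE_ERR_TRUNCATED;
    uint64_t image_base;
    switch (rd16(opt)) {
    case 0x10B: image_base = rd32(opt + 28); break;      /* PE32 */
    case 0x20B: image_base = rd64(opt + 24); break;      /* PE32+ */
    default:    return PE_ERR_MAGIC;
    }
    if (oep_va < image_base || oep_va - image_base > 0xFFFFFFFFu) return PE_ERR_BELOW_BASE;
    uint32_t rva = (uint32_t)(oep_va - image_base);
    const uint8_t *sh = opt + opt_size;                   /* first section header */
    int inside = 0;
    for (uint16_t i = 0; i < nsect && !inside; i++, sh += 40) {
        uint32_t vsize = rd32(sh + 8), va = rd32(sh + 12), rsize = rd32(sh + 16);
        uint32_t span = vsize > rsize ? vsize : rsize;
        inside = rva >= va && rva - va < span;
    }
    if (!inside) return PE_ERR_NOT_IN_SECTION;
    if (old_rva) *old_rva = rd32(opt + 16);
    wr32(opt + 16, rva);                                  /* AddressOfEntryPoint */
    return PE_OK;
}

uint32_t pe_get_entry_point(const uint8_t *buf)
{
    uint32_t pe = rd32(buf + 0x3C);
    return rd32(buf + pe + 24 + 16);
}

/* Constructed sample (not a real dump): PE32 header, ImageBase 0x400000, one
 * .text section at RVA 0x1000 spanning 0x2000 bytes, entry point still at the
 * wrapper's stub (RVA 0x2800). */
#define SAMPLE_LEN 0x200
void build_sample_pe32(uint8_t *buf)
{
    const uint32_t pe = 0x80;
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf, "MZ", 2);
    wr32(buf + 0x3C, pe);
    memcpy(buf + pe, "PE\0\0", 4);
    uint8_t *fh = buf + pe + 4, *opt = fh + 20, *sh = opt + 224;
    wr16(fh, 0x014C);            /* Machine = i386 */
    wr16(fh + 2, 1);             /* NumberOfSections */
    wr16(fh + 16, 224);          /* SizeOfOptionalHeader for PE32 */
    wr16(opt, 0x10B);            /* PE32 magic */
    wr32(opt + 16, 0x2800);      /* AddressOfEntryPoint: the Vbox stub */
    wr32(opt + 28, 0x400000);    /* ImageBase */
    memcpy(sh, ".text", 5);
    wr32(sh + 8, 0x2000);        /* VirtualSize */
    wr32(sh + 12, 0x1000);       /* VirtualAddress */
    wr32(sh + 16, 0x2000);       /* SizeOfRawData */
    wr32(sh + 20, 0x400);        /* PointerToRawData */
}

/* Run the fix on the sample with ebx = 0x401234 (hypothetical value); returns
 * the new entry-point RVA, or 0 if the patch was refused. */
uint32_t demo_fix_entry_point(void)
{
    uint8_t img[SAMPLE_LEN];
    build_sample_pe32(img);
    if (pe_set_entry_point(img, SAMPLE_LEN, 0x401234, NULL) != PE_OK) return 0;
    return pe_get_entry_point(img);          /* 0x401234 - 0x400000 = 0x1234 */
}

/* The same with a bad ebx value, returning the error code the checks produce. */
int demo_reject_oep(uint64_t oep_va)
{
    uint8_t img[SAMPLE_LEN];
    build_sample_pe32(img);
    return pe_set_entry_point(img, SAMPLE_LEN, oep_va, NULL);
}
```

On a real dump you would read the file into a buffer, call pe_set_entry_point with the ebx value, and write it back; the section check is what catches the classic mistake of writing the absolute address instead of the RVA, since 0x401234 lies far outside every section of an image based at 0x400000.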


You now have a program without Vbox.
Have fun....

Greetings to

Volatility, Torn@do, LordSoth, Lucifer48, Acid_Burn, Xom, Einride (for
helping me with SEH), Halvar,
knotty, WarezPup, icecream, Lazarus (sheepy :), RevX, CarckZ,
AB4DS, the whole #cracking4newbies, and all I forgot (maybe a lot, sorry)

and of course to previewsystems for developing vbox

contact me through email : alpine@ImmortalDescendants.com
or visit us at : www.ImmortalDescendants.com