How to manually remove a VBOX 4.3 protection.

Published by +Tsehp, 26 March 2000.

*Note from Tsehp: This essay is actually working on the builder version of vbox 4.3.
It actually doesn't work on older versions, like netfusion 5 for example.

-----------------------------------------------------------

   A quick crap tutorial written by dEZZY / Drink or Die

 

General
-------
This document is written as guidance for manually removing a
vbox 4.3 protection. This is a tough commercial file protector
which wraps an unprotected program into a system in which
it can be distributed on the Internet as trial software. Info
on VBOX can be found at http://www.previewsystems.com.

 

Tools used
----------
* SoftICE 4.01 (or TRW2000 v1.13)
* SoftICE Backdoor Keeper
* Procdump 1.6.2 FINAL by G-RoM (hi mate!)
All tools can be downloaded at http://protools.cjb.net

 

Getting started
---------------
If you have patched SoftICE with icepatch or sice backdoor
keeper, skip on to the next section. Otherwise you have to defeat
the sice detection routine manually.

Note: You can also bypass this annoying detection thing by
using TRW2000 with Faults=off.

 

Bypassing SoftICE detection
---------------------------
 Load the program using sice or trw with the "faults = on" option
set. The program will break in a part of code that looks like this:

 MOV ECX,ESP
 MOV EAX,ECX  <-- Breaks here
 POP EDI
 POP ESI
 POP EBP
 RET

 And the debugger gives you the following message:
"Break Due on Fault 03"

 

 Trace to the RET and you exit to a routine that looks like this:

070049D9 8B45F8      MOV EAX,[EBP-08]
070049DC 8B4024      MOV EAX,[EAX+24]
070049DF 8945FC      MOV [EBP-04],EAX      <-- BPM here
070049E2 68EA490007  PUSH DWORD 070049EA
070049E7 FF65FC      JMP NEAR [EBP-04]
070049EA 33C0        XOR EAX,EAX           <-- We sort here
070049EC 5F          POP EDI
070049ED 5E          POP ESI
070049EE 5B          POP EBX
070049EF C9          LEAVE
070049F0 C3          RET

Now, put a bpm for execution on 070049DF (bpm cs:070049DF x) and
restart the program. Once it breaks there, move 0 into EAX (r eax 0)
and continue with the tutorial by pressing F5.

 

 

Note: If you can't find the above-mentioned routine, put a bpx on
Kernel32!RaiseException. Once sice breaks, debug inside the next
CALL [someaddress], then inside the next CALL, and inside an
INT 2E, and go on debugging until you reach the IRETD; step into
it with F8 and you appear at a RET right after the INT 2E. Now keep on
debugging until you exit a CALL VirtualFree. Then take a look
50 or 60 lines below in the code window and you'll see the routine.

 

Bypassing IAT encryption (New from VBOX v4.2)
--------------------------------------------
"Main VBOX v4.3 code is pretty much like the old 4.2 version.
The only difference is that now VBOX encrypts the IAT while
loading the program, and redirects the addresses of the imported
functions to a routine in VBOXT430.DLL that decrypts them. This
way the program depends on VBOXT430.DLL for working and a normal
dump will result in an unusable IAT. So, we'll crack that too."

Before you press the try-button, enter sice and do a
'bpx GetProcAddress'. When sice pops up inside GetProcAddress,
do a 'p ret' to exit it. Now you should be looking at the
following code:

 

015F:0700BB36  PUSH      DWORD PTR [EBP-20]
015F:0700BB39  CALL      [KERNEL32!GetProcAddress]
015F:0700BB3F  MOV       EDI,EAX              <-- you are here
015F:0700BB41  CMP       EDI,EBX
015F:0700BB43  JZ        0700BCE6
015F:0700BB49  MOV       ESI,[ESI+16]
015F:0700BB4C  ADD       ESI,[EBP+08]
015F:0700BB4F  CMP       [EBP-24],EBX         <-- encrypt function call?
015F:0700BB52  JZ        0700BB89             <-- jump if not
015F:0700BB54  LEA       EAX,[EBP-0114]
015F:0700BB5A  PUSH      EAX
015F:0700BB5B  PUSH      DWORD PTR [EBP-20]
015F:0700BB5E  PUSH      EDI
015F:0700BB5F  CALL      0700BF61
015F:0700BB64  ADD       ESP,0C
015F:0700BB67  TEST      EAX,EAX
015F:0700BB69  JZ        0700BB89
015F:0700BB6B  PUSH      DWORD PTR [EBP+28]
015F:0700BB6E  PUSH      EDI
015F:0700BB6F  PUSH      DWORD PTR [EBP+24]
015F:0700BB72  PUSH      DWORD PTR [EBP+20]
015F:0700BB75  CALL      0700BDFE
015F:0700BB7A  ADD       ESP,10
015F:0700BB7D  CMP       EAX,EBX
015F:0700BB7F  JZ        0700BDD6
015F:0700BB85  MOV       [ESI],EAX            <-- store encrypted address (EAX)
015F:0700BB87  JMP       0700BB8B
015F:0700BB89  MOV       [ESI],EDI            <-- store unencrypted address (EDI)
015F:0700BB8B  INC       DWORD PTR [EBP-28]
015F:0700BB8E  MOV       EAX,[EBP-28]
015F:0700BB91  CMP       EAX,[EBP-4C]
015F:0700BB94  JL        0700B9E3

This code works as an OS loader. After getting the function
addresses, some of them are encrypted before being stored back in the
IAT. What we must do here is patch the routine so that it skips
encryption of all function addresses. This is done by changing
the JZ instruction at 0700BB52 into a JMP 0700BB89.

 

Getting ready for dumping
-------------------------
Now you can do 'p ret' many times till you return from a 'call edi'.
Put a bpm for execution on that and exit sice. When it breaks again,
step into that function call. You will notice that the code changes
while tracing through it. That's ok. Step into the first function call
here. Now look for a 'call eax' with EAX pointing to GetProcAddress
about 50-70 lines down. Trace down to it. Then, step over it and step
into the next function call.
Here you will see the following code about 30 lines down:

015F:011604E0  MOV       EDX,[EBP-08]
015F:011604E3  MOV       EAX,[EDX+14]   <-- get app entry point
015F:011604E6  MOV       [EBP-10],EAX
015F:011604E9  MOV       EBX,[EBP-10]   <-- app entry point to EBX
015F:011604EC  JMP       EBX            <-- jump to real entry point

Trace till you reach the JMP EBX. Now assemble and write 'JMP EIP'
(a eip; jmp eip) so it will look like this:

015F:011604EC  JMP       011604EC       <-- locked, jumps to itself

(In case you can't assemble, the byte codes for JMP EIP are: EB FE)

Thus, when you exit sice, the process will lock itself at this
instruction. Press F5 to go on.
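Why EB FE is a jump to itself: a 2-byte x86 jump stores an 8-bit displacement relative to the end of the instruction, so a displacement of -2 (FE) lands back on the opcode. The following is an added example, not code from the tutorial or from any of the tools it names, that encodes and decodes this rel8 form and flags the self-loop pattern, which is what an analyst looks for when a dumped or frozen process seems to be stuck on one instruction. The opcode table, function names and the constructed byte strings are my own; the addresses are the ones shown in the listings above.

```python
# Added example: 2-byte (rel8) x86 jump encoding, not part of the original tutorial.
# Opcode table is a constructed subset of the short-jump forms.
SHORT_JUMPS = {0xEB: "JMP", 0x74: "JZ", 0x75: "JNZ"}


def encode_short_jump(src, dst, opcode=0xEB):
    """Return the 2 bytes of a short jump placed at src that lands on dst.

    rel8 is measured from the end of the instruction (src + 2), which is why
    a jump to its own address encodes as EB FE (rel8 = -2).
    """
    if opcode not in SHORT_JUMPS:
        raise ValueError("not a short-jump opcode: 0x%02X" % opcode)
    rel = dst - (src + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target out of rel8 range (%+d bytes)" % rel)
    return bytes([opcode, rel & 0xFF])


def decode_short_jump(addr, code):
    """Return (mnemonic, target) for a rel8 jump at addr, or None if it is not one."""
    if len(code) < 2 or code[0] not in SHORT_JUMPS:
        return None
    rel = code[1] - 0x100 if code[1] >= 0x80 else code[1]   # sign-extend rel8
    return SHORT_JUMPS[code[0]], addr + 2 + rel


def is_spin_loop(addr, code):
    """True when addr holds an unconditional short jump back to itself (EB FE)."""
    decoded = decode_short_jump(addr, code)
    return decoded is not None and decoded[0] == "JMP" and decoded[1] == addr


if __name__ == "__main__":
    # The tutorial's 'a eip; jmp eip' at 011604EC:
    print(encode_short_jump(0x011604EC, 0x011604EC).hex())          # eb fe
    # The listing shows the JZ at 0700BB52 followed by 0700BB54, so it is the
    # 2-byte form; the unconditional replacement to 0700BB89 encodes as:
    print(encode_short_jump(0x0700BB52, 0x0700BB89).hex())          # eb 35
    print(is_spin_loop(0x011604EC, b"\xEB\xFE"))                    # True
```

The decoder only recognises the three opcodes in the table; anything else (including the 6-byte near-conditional forms) returns None rather than guessing a target.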

 

Start up procdump.exe and go into options. Under 'structure',
select everything. Under imports, select 'rebuild new import
table'. Select the process in Procdump with your right mouse button,
and do a dump (full). Give it a name (dump.exe). Now, click on
"PE Editor" and select the new dump.exe file. In the box "Entry
Point" you must enter the correct entry point. Remember this is
the value of EBX in the last instruction (JMP EBX) minus the ImageBase:
 PE Entry Point = EBX - ImageBase (00400000)
So, for example, if EBX was 450983, the entry point you have to
enter in the PE header of your dump.exe file is:
 450983-400000 = 50983
Press Ok to save the changes.
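The entry point field the PE Editor step edits is AddressOfEntryPoint in the optional header, and it is a relative virtual address, which is why the tutorial subtracts ImageBase from the absolute address in EBX. The following is an added example, not code from the tutorial or from Procdump, that reads ImageBase and AddressOfEntryPoint from a PE header, performs the VA-to-RVA conversion with a range check, and rewrites the field the way a PE editor does. The sample image is a constructed header-only PE32 built in the block (no sections, not loadable), and all function names are my own; the 0x400000 / 450983 values are the tutorial's.

```python
# Added example: reading and rewriting AddressOfEntryPoint in a PE header.
# Not part of the original tutorial; the sample PE below is constructed.
import struct

OPT_MAGIC_PE32 = 0x10B
OPT_MAGIC_PE32PLUS = 0x20B
ENTRY_POINT_OFF = 16                 # AddressOfEntryPoint, same offset in PE32 and PE32+
IMAGE_BASE_FIELD = {                 # ImageBase: offset and width differ by format
    OPT_MAGIC_PE32: (28, "<I"),
    OPT_MAGIC_PE32PLUS: (24, "<Q"),
}


def _optional_header_offset(buf):
    """Locate IMAGE_OPTIONAL_HEADER via e_lfanew and the 'PE\\0\\0' signature."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    size_opt = struct.unpack_from("<H", buf, file_hdr + 16)[0]   # SizeOfOptionalHeader
    if size_opt < 32:
        raise ValueError("optional header too small to hold ImageBase")
    return file_hdr + 20                                          # IMAGE_FILE_HEADER is 20 bytes


def read_entry_point(buf):
    """Return (image_base, entry_rva, entry_va) from a PE image's headers."""
    opt = _optional_header_offset(buf)
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic not in IMAGE_BASE_FIELD:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    entry_rva = struct.unpack_from("<I", buf, opt + ENTRY_POINT_OFF)[0]
    off, fmt = IMAGE_BASE_FIELD[magic]
    image_base = struct.unpack_from(fmt, buf, opt + off)[0]
    return image_base, entry_rva, image_base + entry_rva


def va_to_entry_rva(va, image_base):
    """The tutorial's 'PE Entry Point = EBX - ImageBase', with sanity checks."""
    if va < image_base:
        raise ValueError("address 0x%X lies below ImageBase 0x%X" % (va, image_base))
    rva = va - image_base
    if rva > 0xFFFFFFFF:
        raise ValueError("RVA does not fit in AddressOfEntryPoint")
    return rva


def set_entry_point(buf, new_rva):
    """Return a copy of buf with AddressOfEntryPoint rewritten (what a PE editor does)."""
    out = bytearray(buf)
    opt = _optional_header_offset(out)
    struct.pack_into("<I", out, opt + ENTRY_POINT_OFF, new_rva)
    return bytes(out)


def build_sample_pe(image_base=0x400000, entry_rva=0x1000):
    """Constructed minimal PE32 header (DOS stub, file header, optional header), no sections."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                       # e_lfanew -> 'PE\0\0'
    # Machine=i386, 0 sections, no symbols, SizeOfOptionalHeader=0xE0, EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32)
    struct.pack_into("<I", opt, ENTRY_POINT_OFF, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    pe = build_sample_pe()
    print("before:", ["0x%X" % v for v in read_entry_point(pe)])
    fixed = set_entry_point(pe, va_to_entry_rva(0x450983, 0x400000))   # tutorial's numbers
    print("after: ", ["0x%X" % v for v in read_entry_point(fixed)])
```

Reading ImageBase from the header rather than assuming 00400000 matters: the subtraction is only right when the image was actually loaded at its preferred base, so a dump from a relocated process would give a wrong RVA if the constant were hard-coded.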

 

Now you have a working exe without vbox protection on your hd.
Congrats.

Now what?
---------
Optionally you can reoptimize the PE header with MakePE or
something. And as an ending you can pack it with PECompact or
another executable file packer.

 

------------------------------------------------------
Addendum: Ultrafast cracking of Vbox 4.3 using TRW2000
------------------------------------------------------
 Tools needed: Only registered TRW2000 v1.11+
 Estimated cooking time: 30 secs

 1) run TRW2000 and press OK to leave it resident in memory
 2) Ctrl+M to go into TRW2000 and set: Faults off
 3) run the Vboxed program until it goes to the "Try" screen
 4) Ctrl+M and set: bpx kernel32!getprocaddress
 5) press the "Try" button
 6) in TRW2000, press F12 and F10 to exit the CALL

 

015F:0700BB39  CALL      [KERNEL32!GetProcAddress]
015F:0700BB3F  MOV       EDI,EAX              <-- you are here
015F:0700BB41  CMP       EDI,EBX
015F:0700BB43  JZ        0700BCE6
015F:0700BB49  MOV       ESI,[ESI+16]
015F:0700BB4C  ADD       ESI,[EBP+08]
015F:0700BB4F  CMP       [EBP-24],EBX         <-- encrypt function call?
015F:0700BB52  JZ        0700BB89             <-- jump if not

 

 7) in TRW type: a cs:700bb52 (address of the 2nd JZ)
 and type into it: jmp short 0700bb89
 8) now enter: bl
 that will show you the current breakpoints (only 1, in GetProcAddress),
 something like this: bpx 015F:BFF79834
 now type: bpe 1 (to edit it)
 make it look like this: bpx 015F:BFF79834 if (eax==BFF79834)
 (note that the address in eax is the same as GetProcAddress' address)
 9) press F5 to continue. Each time TRW breaks, press F12 and then F10,
 and see that you just exited a CALL EAX.
 10) repeat step 9 (6 or 7 times) until you see code like this:

 

 CALL EAX
 TEST EAX,EAX         <-- you are here
 MOV [EBX+8C],EAX
 JNZ 01170233
 POP EDI
 POP ESI
 POP EBP

 11) trace with F8 through the JZ and get into the next call. This is the last
 call that executes the real program. 30 lines down, you'll see:

 

015F:011604E0  MOV       EDX,[EBP-08]
015F:011604E3  MOV       EAX,[EDX+14]   <-- get app entry point
015F:011604E6  MOV       [EBP-10],EAX
015F:011604E9  MOV       EBX,[EBP-10]   <-- app entry point to EBX
015F:011604EC  JMP       EBX            <-- jump to real entry point

 12) keep on tracing with F8 and execute the JMP EBX. Now you are at the
 first instruction of the real program. Enter this in TRW: makepe
 13) Voila! Now you have a file called newpe.exe in the default dir
 which is an unvboxed copy of the prog (with the correct EntryPoint).

THE END