How to manually remove a VBOX 4.3 protection.
Published by +Tsehp, 26 March 2000.
*Note from Tsehp: This essay actually works on the builder version of VBOX 4.3. It doesn't work on older versions, like NetFusion 5 for example.
-----------------------------------------------------------
A quick crap tutorial written by dEZZY / Drink or Die
General
-------
This document is written as a guide to manually removing a VBOX 4.3 protection. VBOX is a tough commercial file protector which wraps an unprotected program into a system where it can be distributed on the Internet as trial software. Info on VBOX can be found at http://www.previewsystems.com.
Tools used
----------
* SoftICE 4.01 (or TRW2000 v1.13)
* SoftICE Backdoor Keeper
* Procdump 1.6.2 FINAL by G-RoM (hi mate!)
All tools can be downloaded at http://protools.cjb.net
Getting started
---------------
If you have patched SoftICE with IcePatch or SoftICE Backdoor Keeper, skip to the next section. Otherwise you have to defeat the SoftICE detection routine manually.
Note: You can also bypass this annoying detection by using TRW2000 with Faults=off.
Bypassing SoftICE detection
---------------------------
Load the program with SoftICE or TRW with the "faults = on" option set. The program will break in a piece of code that looks like this:
MOV ECX,ESP
MOV EAX,ECX <-- breaks here
POP EDI
POP ESI
POP EBP
RET
and the debugger gives you the following message: "Break due to Fault 03" (fault 03 is the breakpoint exception, INT 3).
Trace to the RET and you come out in a routine that looks like this:
070049D9 8B45F8 MOV EAX,[EBP-08]
070049DC 8B4024 MOV EAX,[EAX+24]
070049DF 8945FC MOV [EBP-04],EAX <-- BPM here
070049E2 68EA490007 PUSH DWORD 070049EA
070049E7 FF65FC JMP NEAR [EBP-04]
070049EA 33C0 XOR EAX,EAX <-- we come back here
070049EC 5F POP EDI
070049ED 5E POP ESI
070049EE 5B POP EBX
070049EF C9 LEAVE
070049F0 C3 RET
Now put a BPM for execution on 070049DF (bpm cs:070049DF x) and restart the program. Once it breaks there, set EAX to 0 (r eax 0), press F5 to let the program run on, and continue with the next section of this tutorial.
Note: If you can't find the routine above, put a bpx on Kernel32!RaiseException. Once SoftICE breaks, trace into the next CALL [some address], then into the next CALL, and into an INT 2E, and keep tracing until you reach the IRETD. Step into it with F8 and you land on a RET right after the INT 2E. Now keep tracing until you exit a CALL VirtualFree. Look 50 or 60 lines below in the code window and you'll see the routine.
Bypassing IAT encryption (new from VBOX v4.2)
--------------------------------------------
"Main VBOX v4.3 code is pretty much like the old 4.2 version. The only difference is that now VBOX encrypts the IAT while loading the program, and redirects the addresses of the imported functions to a routine in VBOXT430.DLL that decrypts them. This way the program depends on VBOXT430.DLL to work, and a normal dump will result in an unusable IAT. So, we'll crack that too."
Before you press the Try button, enter SoftICE and do a 'bpx GetProcAddress'. When SoftICE pops up inside GetProcAddress, do a 'p ret' to get out of it. Now you should be looking at the following code:
015F:0700BB36 PUSH DWORD PTR [EBP-20]
015F:0700BB39 CALL [KERNEL32!GetProcAddress]
015F:0700BB3F MOV EDI,EAX <-- you are here
015F:0700BB41 CMP EDI,EBX
015F:0700BB43 JZ 0700BCE6
015F:0700BB49 MOV ESI,[ESI+16]
015F:0700BB4C ADD ESI,[EBP+08]
015F:0700BB4F CMP [EBP-24],EBX <-- encrypt this function address?
015F:0700BB52 JZ 0700BB89 <-- jump if not
015F:0700BB54 LEA EAX,[EBP-0114]
015F:0700BB5A PUSH EAX
015F:0700BB5B PUSH DWORD PTR [EBP-20]
015F:0700BB5E PUSH EDI
015F:0700BB5F CALL 0700BF61
015F:0700BB64 ADD ESP,0C
015F:0700BB67 TEST EAX,EAX
015F:0700BB69 JZ 0700BB89
015F:0700BB6B PUSH DWORD PTR [EBP+28]
015F:0700BB6E PUSH EDI
015F:0700BB6F PUSH DWORD PTR [EBP+24]
015F:0700BB72 PUSH DWORD PTR [EBP+20]
015F:0700BB75 CALL 0700BDFE
015F:0700BB7A ADD ESP,10
015F:0700BB7D CMP EAX,EBX
015F:0700BB7F JZ 0700BDD6
015F:0700BB85 MOV [ESI],EAX <-- eax = encrypted address
015F:0700BB87 JMP 0700BB8B
015F:0700BB89 MOV [ESI],EDI <-- edi = plain address returned by GetProcAddress
015F:0700BB8B INC DWORD PTR [EBP-28]
015F:0700BB8E MOV EAX,[EBP-28]
015F:0700BB91 CMP EAX,[EBP-4C]
015F:0700BB94 JL 0700B9E3
This code works like the OS loader. After getting the function addresses, some of them are encrypted before being stored back into the IAT. What we must do here is patch the routine so that no function address goes through the encryption. This is done by changing the JZ at 0700BB52 into a JMP 0700BB89. Note that the next instruction sits at 0700BB54, so this JZ is the two-byte short form (74 35): the patch only turns the opcode byte 74 into EB and leaves the displacement byte 35 alone.
Getting ready for dumping
-------------------------
Now you can do 'p ret' several times until you return from a 'call edi'. Put a bpm for execution on that call and exit SoftICE. When it breaks again, step into that function call. You will notice that the code changes while you trace through it. That's OK. Step into the first function call there. Now look for a 'call eax' with EAX pointing to GetProcAddress, about 50-70 lines down. Trace down to it. Then step over it and step into the next function call.
Here you will see the following code about 30 lines down:
015F:011604E0 MOV EDX,[EBP-08]
015F:011604E3 MOV EAX,[EDX+14] <-- get app entry point
015F:011604E6 MOV [EBP-10],EAX
015F:011604E9 MOV EBX,[EBP-10] <-- app entry point to EBX
015F:011604EC JMP EBX <-- jump to real entry point
Trace until you reach the JMP EBX. Now assemble a 'JMP EIP' over it (a eip; jmp eip) so that it looks like this:
015F:011604EC JMP 011604EC <-- locked, jumps to itself
(In case you can't assemble, the byte codes for JMP EIP are EB FE. JMP EBX is also two bytes, FF E3, so the patch overwrites exactly that one instruction.) Thus, when you exit SoftICE, the process will spin on this instruction: it stays alive with the real program unpacked in memory, but not a single instruction of the real program has run yet. Press F5 to go on.
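The two byte-level edits used so far, the JZ at 0700BB52 that becomes a JMP 0700BB89 in the IAT section and the JMP EBX at the entry point that becomes JMP EIP here, are both two-byte short jumps. The Python helpers below are an added example and not part of the original tutorial or of VBOX: they encode a short jump from source and target address, refuse to patch 0700BB52 unless the byte there really is a short JZ landing on 0700BB89, and write the EB FE lock. The byte buffer is constructed from the addresses in the listing above (the instruction lengths match the listed addresses); it is not a real dump of VBOXT430.DLL, and the addresses will differ on another build.

```python
"""Short-jump patching for the two edits in this tutorial:
 - JZ 0700BB89 at 0700BB52 -> JMP 0700BB89 (skip IAT encryption)
 - JMP EBX at the entry point -> JMP EIP (EB FE) so the process spins there
"""
import struct

JZ_SHORT = 0x74    # jz/je rel8
JMP_SHORT = 0xEB   # jmp rel8


def rel8(src, dst):
    """Displacement byte for a two-byte jump at `src` that must land on `dst`.
    The CPU adds the displacement to the address of the *next* instruction,
    so it is measured from src + 2 (which is why JMP-to-self is EB FE)."""
    disp = dst - (src + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"{dst:08X} not reachable by a short jump from {src:08X}")
    return disp & 0xFF


def encode_short_jmp(src, dst):
    return bytes([JMP_SHORT, rel8(src, dst)])


def short_jump_target(code, base, addr):
    """Decode the destination of the two-byte jump at `addr` inside `code`
    (`base` is the address of code[0])."""
    off = addr - base
    disp = struct.unpack_from("<b", code, off + 1)[0]   # signed rel8
    return addr + 2 + disp


def patch_jz_to_jmp(code, base, addr, expected_target):
    """Return a copy of `code` where the short JZ at `addr` is a short JMP.
    Refuses to touch anything that is not a short JZ going to expected_target,
    which catches a mistyped address or a different build of the DLL."""
    off = addr - base
    if code[off] != JZ_SHORT:
        raise ValueError(f"{addr:08X}: opcode {code[off]:02X} is not a short JZ")
    actual = short_jump_target(code, base, addr)
    if actual != expected_target:
        raise ValueError(f"{addr:08X}: JZ goes to {actual:08X}, not {expected_target:08X}")
    patched = bytearray(code)
    patched[off] = JMP_SHORT           # displacement byte stays as it is
    return bytes(patched)


def lock_here(code, base, addr):
    """Overwrite the two bytes at `addr` with JMP $ (EB FE) so the thread spins
    there, exactly what 'a eip; jmp eip' does in SoftICE."""
    off = addr - base
    patched = bytearray(code)
    patched[off:off + 2] = encode_short_jmp(addr, addr)
    return bytes(patched)


# Constructed sample: the bytes implied by the tutorial's listing for
# 0700BB4F..0700BB63 (CMP, JZ, LEA, PUSH, PUSH, PUSH, CALL). Not a real dump.
BASE = 0x0700BB4F
LOADER_BYTES = bytes.fromhex(
    "395DDC"        # 0700BB4F  CMP [EBP-24],EBX
    "7435"          # 0700BB52  JZ  0700BB89
    "8D85ECFEFFFF"  # 0700BB54  LEA EAX,[EBP-0114]
    "50"            # 0700BB5A  PUSH EAX
    "FF75E0"        # 0700BB5B  PUSH DWORD PTR [EBP-20]
    "57"            # 0700BB5E  PUSH EDI
    "E8FD030000"    # 0700BB5F  CALL 0700BF61
)

if __name__ == "__main__":
    fixed = patch_jz_to_jmp(LOADER_BYTES, BASE, 0x0700BB52, 0x0700BB89)
    print("0700BB52:", fixed[3:5].hex(), "->", hex(short_jump_target(fixed, BASE, 0x0700BB52)))
    print("JMP EIP :", encode_short_jmp(0x011604EC, 0x011604EC).hex())
```

SoftICE's 'a' command does this encoding for you; the point of writing it out is the displacement rule, measured from the end of the two-byte instruction, which is why changing JZ to JMP leaves the 35 untouched and why a jump to itself is FE (-2).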
Start up procdump.exe and go into Options. Under 'Structure', select everything. Under 'Imports', select 'rebuild new import table'. Select the process in Procdump with the right mouse button and do a full dump. Give it a name (dump.exe). Now click on "PE Editor" and select the new dump.exe file. In the "Entry Point" box you must enter the correct entry point. Remember this is the value of EBX at the last instruction (JMP EBX) minus the ImageBase:
PE Entry Point = EBX - ImageBase (00400000)
So, for example, if EBX was 450983, the entry point you have to enter in the PE header of your dump.exe file is:
450983 - 400000 = 50983
The field is an RVA, so subtract the ImageBase that the PE Editor shows for your dump; 00400000 is just the usual value. Press OK to save the changes.
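Procdump's PE Editor lets you do the subtraction above by hand. As an added example (not from the tutorial and not Procdump's code), here is the same fix done directly on the dump file: the script reads ImageBase from the dumped file's own optional header instead of assuming 00400000, turns the EBX value into an RVA, checks that the RVA falls inside one of the dump's sections, and writes it into AddressOfEntryPoint. The image it runs on is a minimal constructed PE32 header with one .text section, built inline so the example runs offline; the numbers (EBX = 450983, ImageBase = 400000) are the tutorial's.

```python
"""Fix AddressOfEntryPoint in a dumped PE32 file: entry RVA = EBX - ImageBase."""
import struct

PE32_MAGIC = 0x10B


def _headers(img):
    """Locate the optional header and the section table; raise on anything
    that is not a PE32 image."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", img, 0x3C)[0]               # e_lfanew
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", img, pe + 6)[0]           # NumberOfSections
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]      # SizeOfOptionalHeader
    opt = pe + 24                                             # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", img, opt)[0] != PE32_MAGIC:
        raise ValueError("not a PE32 optional header")
    return opt, opt + opt_size, nsec


def image_base(img):
    opt, _, _ = _headers(img)
    return struct.unpack_from("<I", img, opt + 0x1C)[0]


def entry_point_rva(img):
    opt, _, _ = _headers(img)
    return struct.unpack_from("<I", img, opt + 0x10)[0]


def sections(img):
    """(name, VirtualAddress, VirtualSize) for each 40-byte section header."""
    _, sec, nsec = _headers(img)
    out = []
    for i in range(nsec):
        off = sec + 40 * i
        name = img[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", img, off + 8)
        out.append((name, va, vsize))
    return out


def set_entry_point(img, entry_va):
    """Return a copy of img whose AddressOfEntryPoint is entry_va - ImageBase,
    where entry_va is the value EBX held at the JMP EBX."""
    base = image_base(img)
    rva = entry_va - base
    if rva < 0:
        raise ValueError(f"EBX {entry_va:08X} is below ImageBase {base:08X}")
    if not any(va <= rva < va + vsize for _, va, vsize in sections(img)):
        raise ValueError(f"RVA {rva:X} is not inside any section of the dump")
    opt, _, _ = _headers(img)
    out = bytearray(img)
    struct.pack_into("<I", out, opt + 0x10, rva)
    return bytes(out)


def build_sample_image():
    """Constructed minimal PE32 header (not a real dump): ImageBase 400000,
    one .text section at RVA 1000 of size 60000, stub entry point at RVA 1000."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 0x10, 0x1000)           # AddressOfEntryPoint (stub)
    struct.pack_into("<I", img, opt + 0x1C, 0x400000)         # ImageBase
    struct.pack_into("<II", img, opt + 0x20, 0x1000, 0x200)   # Section/FileAlignment
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", img, sec + 8, 0x60000, 0x1000)    # VirtualSize, VirtualAddress
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample_image()
    fixed = set_entry_point(dump, 0x450983)
    print(f"entry RVA {entry_point_rva(dump):X} -> {entry_point_rva(fixed):X}")
```

On a real dump you would read the file with open(path, "rb"), pass it to set_entry_point with the EBX value you noted, and write the result back; the section check is what tells you that you wrote down EBX wrong or dumped a different process.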
Now you have a working exe without VBOX protection on your hard disk. Congrats.
Now what?
---------
Optionally you can re-optimize the PE header with MakePE or something similar. And to finish you can pack it with PECompact or another executable packer.
------------------------------------------------------
Addendum: Ultrafast cracking of VBOX 4.3 using TRW2000
------------------------------------------------------
Tools needed: only a registered TRW2000 v1.11+
Estimated cooking time: 30 secs
1) Run TRW2000 and press OK to leave it resident in memory.
2) Ctrl+M to go into TRW2000 and set: faults off
3) Run the VBOXed program until it reaches the "Try" screen.
4) Ctrl+M and set: bpx kernel32!getprocaddress
5) Press the "Try" button.
6) In TRW2000, press F12 and then F10 to exit the CALL:
015F:0700BB39 CALL [KERNEL32!GetProcAddress]
015F:0700BB3F MOV EDI,EAX <-- you are here
015F:0700BB41 CMP EDI,EBX
015F:0700BB43 JZ 0700BCE6
015F:0700BB49 MOV ESI,[ESI+16]
015F:0700BB4C ADD ESI,[EBP+08]
015F:0700BB4F CMP [EBP-24],EBX <-- encrypt this function address?
015F:0700BB52 JZ 0700BB89 <-- jump if not
7) In TRW type: a cs:700bb52 (the address of the second JZ) and enter: jmp short 0700bb89
8) Now enter: bl. That shows you the current breakpoints (only the one in GetProcAddress), something like this: bpx 015F:BFF79834. Now type: bpe 1 (to edit it) and make it look like this: bpx 015F:BFF79834 if (eax==BFF79834) (note that the address compared against EAX is GetProcAddress' own address, so from now on the breakpoint only fires when GetProcAddress is entered through a CALL EAX).
9) Press F5 to continue. Each time TRW breaks, press F12 and then F10, and note that you have just exited a CALL EAX.
10) Repeat step 9 (6 or 7 times) until you see code like this:
CALL EAX
TEST EAX,EAX <-- you are here
MOV [EBX+8C],EAX
JNZ 01170233
POP EDI
POP ESI
POP EBP
11) Trace with F8 through the JNZ and step into the next call. This is the last call, the one that executes the real program. 30 lines down you'll see:
015F:011604E0 MOV EDX,[EBP-08]
015F:011604E3 MOV EAX,[EDX+14] <-- get app entry point
015F:011604E6 MOV [EBP-10],EAX
015F:011604E9 MOV EBX,[EBP-10] <-- app entry point to EBX
015F:011604EC JMP EBX <-- jump to real entry point
12) Keep on tracing with F8 and execute the JMP EBX. Now you are at the first instruction of the real program. Enter this in TRW: makepe
13) Voila! Now you have a file called newpe.exe in the default directory which is an unVBOXed copy of the program (with the correct EntryPoint).
THE END