VBox (05/98 - 06/98)
PreviewParadise R.I.P.
Written by xOANON [UCF/CLASS]
Introduction |
Heya ol' Fravia+! Long time i'm not on your pages :) It's time to come back i think..... Don't bug me if i don't support +HCU as often as it would deserve, but you know.... i'm one of the "crackers-for-the-masses" you don't love so much :) Well, it's a choice... i like people use my cracks, i like to be known, etc... But it's another story.
Last week i found a program called "Script Driven Internet" and it appeared as protected with VBox. I read the essay last month by Marigold (very interesting indeed), so i took a look at it just to know something more about this protection.
Marigold (amazing) technics is the virginity-restoration, i
present here a patching method instead.... much clear, much (not
so) easier and (i think) much useful coz it's goal is to produce
an universal cracked DLL which you can put in you \WINDOWS\SYSTEM
to crack *EVERY* Vboxed program.
Tools required |
SoftIce
W32D/ASM
Your favourite HexEditor
Cigarettes (5)
A fan (very hot here)
Some good grunge music (Nirvana, Stone Temple Pilots, etc...)
Target's URL/FTP |
VBox Builder (a tool to add Vbox to your programs, very useful for cracking purposes too.... eheheh :)
Program History |
TimeLock by PreviewSoft has long and glorious history (of its cracking). Vbox is
"a new beginning" of a kind. It's different from its
predecessors almost to the loss of the ancestorial resemblance.
Essay |
Here we are.... let's start. First of all, install the VBox builder (you need to get a .prv file from their webserver, so connect to the internet for this and fill the form needed). Then choose a .EXE file to protect (you could choose also a .DLL or an .OCX, but choose an .EXE coz it's better and easier for cracking purposes) and wrap it with VBox using the builder (choose now the Trial days protection).
Now the fun begins. As Marigold says, and as we easily can see, VBox protections const of 3 dlls which are copied into your \WINDOWS\SYSTEM directories. These DLLs are : vboxp403.dll - vboxb403.dll - vboxt403.dll. All these dlls except the first are packed, so we will focus our attention on vboxp403.dll.This dll acts as a loader/unpacker for the others (among the other things, again just look at marigold's essay for a complete explanation), so i tought this: if i find the code which unpacks the dll, right after the unpacking i can patch *from inside of vboxp403.dll* the protection code which resides in vboxt403.dll memoryspace .... and i did :) Smart approach isn't it ? :)
Note: This kind of patching can be done much easily with a memory patch (see Stone's essay), but memorypatch always need a loader, or a TSR-like program to load just before the target. In this way, we can obtain (as i said) a clean and universal crack which only need to be copied in place of the original DLL.
So, stop talking and go on with cracking now......
First of all, move your system clock ahead so the target expires.
Now, you VBoxed your .EXE with Trial days protection, right? so it will be vulnerable to BPX GETLOCALTIME from our beloved SoftICE. You will land in this code (after PRET from the API routine) inside vboxp403.dll. We will use the space of this code later to add our memorypatching code.
------------------------------------------------------------------------------------------------------------------------------
:0500E720 81ECCC000000 sub esp, 000000CC
:0500E726 8D442410 lea eax, dword ptr [esp+10] *we will add memorypatch code here later*
:0500E72A 56 push esi
:0500E72B 50 push eax
* Reference To: KERNEL32.GetLocalTime, Ord:00F5h
|
:0500E72C FF1544C50105 Call dword ptr [0501C544]
:0500E732 8D4C2404 lea ecx, dword ptr [esp+04]
:0500E736 51 push ecx
* Reference To: KERNEL32.GetSystemTime, Ord:0135h
|
:0500E737 FF1540C50105 Call dword ptr [0501C540]
:0500E73D 668B4C240E mov cx, word ptr [esp+0E]
:0500E742 66390D32AC0105 cmp word ptr [0501AC32], cx
:0500E749 7540 jne 0500E78B
:0500E74B 668B44240C mov ax, word ptr [esp+0C]
:0500E750 66390530AC0105 cmp word ptr [0501AC30], ax
:0500E757 7532 jne 0500E78B
(......... etc..... etc......... )
-----------------------------------------------------------------------------------------------------------------------------
Going ahead with tracing, you will find this code in vboxt403.dll which checks if the target is expired or not :
:07005EFB F6451408 cmp eax, [ebp+10]
:07005EFE 7402 jz 7005F02 *NOP it*
and
:7005FAA 3B45F0 cmp eax, [ebp+10]
:7005FAD 751A jnz 7005FC9 * change it to JMP 7005FC9 *
Ok, now theoretically our patch is done.... VBox screen will not appear anymore BUT: we just did it in memory, how to apply it on the file if vboxt403.dll is packed?
Here comes a little Zen, as our +teacher says.... We know that dll must be unpacked somewhere, so let's start hunting for the unpacking routine setting a BPM 7005EFE W (breakpoint on memory range on write). This means SoftICE will popup just when this memoryspace is accessed for writing (which is, in our case, the unpacking of vboxt403.dll).
Ok, so set this breakpoint and rerun. You will land in our beloved vboxp403.dll here:
-----------------------------------------------------------------------------------------------------------------------------
:0500E856 8BD1 mov edx, ecx
:0500E858 83E203 and edx, 00000003
:0500E85B C1E902 shr ecx, 02
:0500E85E F3 repz
:0500E85F A5 movsd *this write the unpacked code to
DS:EDI*
:0500E860 FF249568E80005 jmp dword ptr [4*edx+0500E868]
:0500E867 90 nop
-----------------------------------------------------------------------------------------------------------------------------
As you will notice, this routine is executed many times, since the unpacking is done at little steps. Anyway, we will focus our attention just when EDI reach 07007000. Why? well, simple: since we want to patch at DS:7005xxx, if EDI reach 07007000 it means the code we need is already unpacked and ready for our "rape" :).
Now, problem #2 : we need space to do our memory patch. Easy, look at here.... this code is of no more use, since the protection is killed. So we can use the memoryspace of this datecheck code to implement our memorypatch.
First of all, we have to locate the call to this routine and NOP it, since we want to use it for our purpose. Here it is:
:05002880 6A00 push 00000000
:05002882 E899BE0000 call 0500E720 * just NOP this and
the DLL will not call the datecheck anymore *
:05002887 83C404 add esp, 00000004
:0500288A 50 push eax
Now for the memorypatch. We have to jump to our routine right? so we need to modify this code right after the vboxt403.dll is unpacked in memory:
change
:0500E860 FF249568E80005 jmp dword ptr [4*edx+0500E868]
to
:0500E860 E9C1FEFFFF909090 jmp 500E726 *ok, now this jump to the entrypoint of our routine*
Here is the memorypatch routine:
-----------------------------------------------------------------------------------------------------------------------------
:0500E726 81FF00700007 cmp edi, 07007000 *check if the
code we need to patch is unpacked yet*
:0500E72C 7519 jne 0500E747 *act normally if not*
:0500E72E 66C787FEEEFFFF9090 mov word ptr [edi+FFFFEEFE], 9090 *patch
at EDI-1102 = 7005EFE*
:0500E737 C687ADEFFFFFEB mov byte ptr [edi+FFFFEFAD], EB *patch
at EDI-1053 = 7005FA0*
:0500E73E 66C787A5EEFFFF9090 mov word ptr [edi+FFFFEEA5], 9090 *patch
at EDI-115B = 7005EA5*
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:0500E72C(C)
|
:0500E747 FF249568E80005 jmp dword ptr [4*edx+0500E868] *this
is the normal jump executed after unpacking*
:0500E74E 90 nop
:0500E74F 90 nop
-----------------------------------------------------------------------------------------------------------------------------
You notice i've done another patch at 0500E73E . What's it about? well, it patch this code
-----------------------------------------------------------------------------------------------------------------------------
:7005E9C F6451408 test byte ptr [ebp+14],08
:7005EA0 BE01000000 mov esi, 00000001
:7005EA5 745B jz 7005F02 *NOP it*
-----------------------------------------------------------------------------------------------------------------------------
which bypass the "number of executions" check (another option of VBox, try it with the builder).
Well.... that's all. VBox is totally dead now, thanks to Marigold and your little xOANINO :) Go patch the vboxp403.dll according to this essay, copy it to your \WINDOWS\SYSTEM overwriting the original one and say "CIAO CIAO" to WeiJuhn Li :)
Alla prossima amici... e speriamo che l'Italia vinca 'sti mondiali.... anche se dopo la partita di ieri mi sembra improbabile :(
Final Notes |
I hope you all liked this essay. As you see, commercial ready-made protections are not so secure as they claim (look at http://www.previewsoftware.com and laugh.... they say even SoftICE creators can't crack VBox and TimeLock, i can't believe it). There would be lot of ways to do a very secure protection (like using a decent PE-crypter), but maybe they think all of us +HCUkers are stupid.... bah :)
My greets fly out to: All UCF and CLASS members, Devil, Stone, Miramax, Marquis, Random, SpaceOne, SaiBada, Goku, SoftPJ (pleeeeeeeeeease improve your E-Zine) :)
Ob Duh |
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its prot ection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
You are deep inside Fravia's page of reverse engineering, choose your way out:
Back to the Timelock project
homepage
links
search_forms
+ORC
students' essays
academy database
reality cracking
how to search
javascript wars
tools
anonymity academy
cocktails
antismut CGI-scripts
mail_Fravia
Is reverse engineering legal?