In fact, the entry point when unpacking VBox 4.1 is almost the same as when unpacking VBox 4.0.3; you can unpack it by hand or with ProcDump. An English article on the subject is attached below.
You may have already heard of TR & TRW. It is a wonderful debugger provided by Liutaotao. I couldn't say how much I like it. VBOXT410.DLL can't find TRW at all. I couldn't give you a patch for VBox. I can just tell you how VBox works.
First of all, install the VBox builder (you need to get a .prv file from their web server, so connect to the Internet for this and fill in the required form). Then choose an .EXE file to protect (you could also choose a .DLL or an .OCX, but choose an .EXE because it's better and easier for cracking purposes. I chose the official Phrozen Crew trial crackme) and wrap it with VBox using the builder (choose the "Trial days" protection for now).
Now the fun begins. As we can easily see, the whole VBox protection scheme consists of only one DLL, which is copied into your \WINDOWS\VBox\command directory. The name of our target DLL is VBOXT402.DLL. It is packed.
Step 1
Let's change the system time to 30 days later. Now you can run CRACKME.EXE. When the VBox window appears, press CTRL-N to enter TRW. You can use 'hwnd' to find the VBox window's hwnd. It will be something like xxxx.
bpmsg xxxx wm_destroy - just like in SoftICE
g - go back to VBox
Press the 'quit' button.
Now you are in TRW.
bc * - clear the breakpoint
Press F12 a few times, until you come here in VBOXT402.DLL.
There are some other checks as well:
07006079: call [dword dialogparama]
0700607f: mov esi,eax ; if you press 'try' eax=0, if you press 'quit' eax=1; so
change eax to 0 ... r eax 0.
OK, now theoretically our patch is done ...
07001c03: cmp [ebp-10],eax ; if eax=[ebp-10], the error dialog will appear; so
change eax
07001c06: jne 07001c2c
07001c08: lea eax,[ebp+10]
07001c0b: lea ecx,[ebp-74]
07001c0e: push eax
07001c0f: mov [ebp-78],ebx
07001c12: call 0702e7d0
07001c17: lea eax,[ebp-7c]
07001c1a: push 07070568
07001c1f: push eax
07001c20: mov [dword ebp-7c],0706e004
07001c27: call 070570a0
07001c2c: lea ecx,[ebp-28]
07001c2f: mov [byte ebp-04],04
07001c33: call 0702d440
07001c38: lea ecx,[ebp-18]
07001c3b: mov [byte ebp-04],02
07001c3f: call 0702d440
.......
07001c7c: call 07032570
07001c71: cmp [ebp-10],eax ; another check
07001c74: jne 07001f9b ; if eax=[ebp-10], the error dialog will appear; so
change eax
The VBox screen will not appear anymore, BUT we only did it in memory, and that's not permanent, as you all know very well ... We must now apply our patch to the real file. But VBOXT403.DLL is packed?
1. 07006079: call [dword dialogparama] patch to
07006079: xor eax,eax
0700607b: nop
0700607c: nop
0700607d: nop
0700607e: nop
2. 07001c06: jne 07001c2c patch to
07001c06: jmp 07001c2c
3. 07001c74: jne 07001f9b patch to
07001c74: jmp 07001f9b
Oh my GOD!! It is encrypted before running. Therefore you couldn't find this code inside VBOXT410.DLL.
009c01b7: repz movsd
009c01b9: mov ecx,edx
009c01bb: and ecx,03
.......
Try again.
00a001b7:repz movsd
00a001b9:mov ecx,edx
00a001bb:and ecx,03
.......
Try again.
07093c27:mov [edi],al
07093c23:inc edi
07093c24:inc ebp
.......
Yes, you can find this code in VBOXT410.DLL:
:07093422 03D0 add edx, eax
:07093424 C1E902 shr ecx, 02
:07093427 F3 repz
:07093428 A5 movsd ; here!!!
:07093429 8BCD mov ecx, ebp
:0709342B 89542414 mov dword ptr [esp+14], edx
:0709342F 83E103 and ecx, 00000003
:07093432 F3 repz
:07093433 A4 movsb
:07093434 8B4344 mov eax, dword ptr [ebx+44]
So I just ran our 'Official Phrozen Crew trial crackme' and a window popped up. Press 'OK' to enter its main routine window.
1. 07006079: call [dword dialogparama]
2. 07001c06: jne 07001c2c
3. 07001c74: jne 07001f9b
You can go to xxxx:00401029 directly and dump it from memory using 'pedump' command.
00401029: push 00
00401030: push 00401046
00401032: push 00
00401034: push 01
0040103a: push dword 0402dd87
0040103f: call 00401313
00401041: push 00 ; you land here
00401046: call 0040127d
.......: ...