VBox 4.1脱壳 -pc6资讯

VBox 4.1脱壳 时间：2004/10/15 1:02:00来源：本站整理作者：蓝点我要评论(0)

其实VBox 4.1脱壳和VBox 4.0.3 脱壳时的入口点差不多，可以手动脱或 Procdump脱。这里附一篇英文的文章。

You may have already heard of TR&TRW. It is a wonderful debugger provided by Liutaotao. I could't say have much I like it. VBOXT410.DLL can't find TRW at all. I could't give you a patch for VBox. I just can tell VBox how to work.

First of all, install the VBox builder (you need to get a .prv file from their webserver, so connect to the internet for this and fill the form needed). Then choose a .EXE file to protect (you could choose also a .DLL or an .OCX, but choose an .EXE because it's better and easier for cracking purposes. I choose Official phrozen crew trial crackme) and wrap it with VBox using the builder (choose now the Trial days protection).

Now the fun begins. And as we can easily see, the whole VBox protection scheme consist of only one dll which is copied into your \WINDOWS\VBox\command directories. The name of our target DLL is VBOXT402.DLL. It is packed.

Step 1
Let's change time to 30 days later. Now you can run CRACKME.EXE. When VBox window appears, CTRL-N, enter TRW. You can use 'hwnd' to find VBox window's hwnd. Something like xxxx.

bpmsg xxxx wm_destroy - just like in SoftICE
g - come back to VBox

Press 'quit' button.
Now you are in TRW.

bc * - clear break point

Press F12 a few times, until you come here in VBOXT402.DLL


 　　07006079: call [dword dialogparama] 
 　　0700607f: mov esi,eax　　　　　　　 ; if you press 'try' eax=0, 'quit' eax=1; so
 　　　　　　　　　　　　　　　　　　　　　change eax to 0 ... r eax 0.

There have some others check


 　　07001c03: cmp [ebp-10],eax　　　　　; if eax=[ebp-10], error dialog will appear; so
 　　　　　　　　　　　　　　　　　　　　　change eax
 　　07001c06: jne 07001c2c 
 　　07001c08: lea eax,[ebp+10] 
 　　07001c0b: lea ecx,[ebp-74] 
 　　07001c0e: push eax 
 　　07001c0f: mov [ebp-78],ebx 
 　　07001c12: call 0702e7d0 
 　　07001c17: lea eax,[ebp-7c] 
 　　07001c1a: push 07070568 
 　　07001c1f: push eax 
 　　07001c20: mov [dword ebp-7c],0706e004 
 　　07001c27: call 070570a0 
 　　07001c2c: lea ecx,[ebp-28] 
 　　07001c2f: mov [byte ebp-040,04 
 　　07001c2c: lea ecx,[ebp-28] 
 　　07001c2f: mov [byte ebp-04],04 
 　　07001c33: call 0702d440 
 　　07001c38: lea ecx,[ebp-18] 
 　　07001c3b: mov [byte ebp-04],02 
 　　07001c3f: call 0702d440 
 　　 .......
 　　07001c7c: call 07032570 
 　　07001c71: cmp [ebp-10],eax　　　　　　 ; Another check. 
 　　07001c74: jne 07001f9b　　　　　　　　 ; if eax=[ebp-10], error dialog will appear. So
 　　　　　　　　　　　　　　　　　　　　　　 change eax

Ok, now theoretically our patch is done ...


  1. 07006079: call [dword dialogparama] patch to 
 　　07006079: xor eax,eax 
 　　0700607b: nop 
 　　0700607c: nop 
 　　0700607d: nop 
 　　0700607e: nop 
 
 2. 07001c06: jne 07001c2c patch to
 　 07001c06: jmp 07001c2c 
 
 3. 07001c74: jne 07001f9b patch to
 　 07001c74: jmp 07001f9b

VBox screen will not appear anymore BUT: we just did it in memory, that's not permanent, as you all know very well ... We must now apply our patch on the real file. But VBOXT403.DLL is packed?

Step 2 Close TRW. (TRW's bpm function doesn't seem to work there)
Let's run SoftICE. (VBox Unpacked code firstly, then check SoftICE)

load crackme.exe

bpm xxxx: 07006079 w;

Ok, so set this breakpoint and rerun. You will land in VBOXT410.DLL here:


 009c01b7: repz movsd 
 009c01b9: mov ecx,edx 
 009c01bb: and ecx,03 
  .......

Oh my GOD!! It is encrypted before running. Therefore you could't find these code inside VBOXT410.DLL.

bpm xxxx: 009c01b7 w;

So set this breakpoint and re-run. You will land in here:


 00a001b7:repz movsd 
 00a001b9:mov ecx,edx 
 00a001bb:and ecx,03 
  .......

Try again.

bpm xxxx:00a001b7 w;

So set this breakpoint and re-run. You will land in here:


 07093c27:mov [edi],al 
 07093c23:inc edi 
 07093c24:inc ebp 
  .......

Try again.

bpm xxxx:070093c27 w;

So set this breakpoint and rerun. You will land in here:


  :07093422 03D0　　　add edx, eax
  :07093424 C1E902　　shr ecx, 02
  :07093427 F3　　　　repz
  :07093428 A5　　　　movsd　　　　　　　　　　　　 ; here!!!
  :07093429 8BCD　　　mov ecx, ebp
  :0709342B 89542414　mov dword ptr [esp+14], edx
  :0709342F 83E103　　and ecx, 00000003
  :07093432 F3　　　　repz
  :07093433 A4　　　　movsb
  :07093434 8B4344　　mov eax, dword ptr [ebx+44]

Yes,you can find these code in VBOTT410.DLL

It is almost same when you bpm xxxx:07001c06 or bpm xxxx:07001c74
Frankly, I did not find an elegant way to patch it. It modifies itself quite a lot. If find an elegant way to patch it, please let me know.

Now I try to get a clean routine using another approach. But it does not always work, beware!

So let's forget for a while our VBOXT402.DLL. We just want a clean routine.

Run TRW.

Change eax at:


 1. 07006079: call [dword dialogparama] 
 2. 07001c06: jne 07001c2c 
 3. 07001c74: jne 07001f9b

So I just run our 'Official phrozen crew trial crackme' a window pop-up. Press 'ok', enter it's main routine window.

Now find its hwnd (you know how to do this, I hope :-), and then just bpmsg on it inside TRW.

Now: g; go back to phrozen's window,press 'exit'.

Just like before TRW pop-up. Press F12 as long as needed to find the relevant code ...


 00401029: push 00 
 00401030: push 00401046 
 00401032: push 00 
 00401034: push 01 
 0040103a: push dword 0402dd87 
 0040103f: call 00401313 
 00401041: push 00　　　　　　　　　　　　 ; you land here 
 00401046: call 0040127d 
  .......: ...

You can go to xxxx:00401029 directly and dump it from memory using 'pedump' command.

Then you get dump1.exe.
MKPE dump1.exe -a -s -f -i3 -ldlllist.sam

FILEOUT.EXE is our 'clean' routine, and it works very well ... so byebye VBox 4.2

As you can now see -once more- commercial ready-made protections are not so secure as they claim (look at http://www.previewsoftware.com).

But at times my FILEOUT.EXE approach doesn't work ... I wonder why ...
Unfortunately I did not find any clear patterns to reverse this little mistery. If you understand this, or if you have any other good methods for this target, please let me know, we will modify together this essay.

　　　　
　　　　
　　　　　
　　　　
　　　　
　　　　　

文章评论

查看所有0条评论>>

热门文章 去除winrar注册框方法