
View Full Version : VBox v4.3 .DLL Help


NchantA
November 6th, 2000, 06:45
I have read deZZY's tutorial on VBox cracking and tested it on a program; it worked perfectly, so I thank him and tsehp+ both for their hard work.

However, I have run up against a program with a VBoxed .dll instead of the .exe being packed. I follow the tutorial, but it jumps right over the crucial 'jmp ebx'. I tried a few different methods of finding the EOP and dumping the .dll, but I just can't do it. If I have overlooked something and am being stupid, feel free to say so.

Any help on this subject would be appreciated.

NchantA

tsehp
November 6th, 2000, 12:19
More precisions:
Bump on jmp ebx? That means your debugger is going nowhere after
this instruction. What is your dll base address? Did you come just
before the jmp ebx while inside an interrupt handler?
Anyway, you can use the latest icedump 9 with the pedump option;
don't forget to protect it with the protection option. It's a real VBox killer, even if the IAT is well destroyed.
regards,

tsehp

The Owl
November 6th, 2000, 15:32
Wow, icedump 9, that must be a real killer, not even I have it ;-)

Seriously, what you probably want to try is the 6.020 pre-release; it is
on the site (icedump.tsx.org) but not yet linked, just do a dir
listing and you'll see. Please DO RTFM, especially the plugin system stuff,
as this latest version has one specific plugin for VBOX 4.30.

As for /protect, I don't think it's needed for VBOX; it is useful for
new protections when one wants to quickly find 'suspicious' code,
i.e. where the code attempts to enter ring-0 illegally.

tsehp
November 6th, 2000, 19:56
Excuse me for the number, my monitor was put upside down.
The VBoxed app I last reversed was VideoWave 3, but if you don't
delve inside VBox 4.3 to stop redirectors/decrypters from installing in the
thunks, then the auto-rebuild feature misses a lot of imports.
I never used the trace feature; maybe it could manage to do such a
thing without the VBox plugin. The actual problem is that 4.3
holds at least three different versions, considering my attempts. How
can the plugin recognise them?
v1: not encrypted.
v2: encrypted, IAT pointers still valid.
v3 (actual): encrypted, IAT messed up after the nag.
regards,

tsehp

G-RoM
November 6th, 2000, 20:22
VBOX 4.3 Hydra plugin works efficiently on what I tried. Before asking or saying "how could it work, blabla...", TRY IT and RTFM.

VBOX protection is really a joke imho.

Cheers,
G-RoM

tsehp
November 7th, 2000, 03:18
Quote:
G-RoM (11-06-2000 09:22):
VBOX 4.3 Hydra plugin works efficiently on what I tried. Before asking or saying how could it works blabla... TRY IT and RTFM.

VBOX protection is really a joke imho.

Cheers,
G-RoM


No doubt, even without using the Hydra plugin it works if you disable
the jz inside VBox to redirect the jumps inside VBox. I'll never
put any criticism on what you've done, G-RoM.
I would like to follow your tracks, but coding in C++, I almost have to
start from the beginning. I just don't want to include your work by
linking my app to your pe.lib; the purpose is to understand how this works. At this level, there are no docs, no clear C++ to get, just your
several years of experience on this topic.
Let's put a direct question: where can I find the most relevant help
to save me some time, avoiding having to reinvent the wheel?
TIA

NchantA
November 7th, 2000, 05:39
I am ecstatic that three of the most profound influences on cracking, and indeed on my cracking experience, have answered my small post!

I'm sorry if I was unclear before; when I go offline I will try and save some code of what happens, but in general this is it:

I follow deZZY's tut all the way up to the jmp eax (eax==&GetProcAddress), after which I step into the important call that, when debugging VBox, usually jumps to the new unpacked code. I step through for a while and down below you see a jmp ebx with 2/3 pushes above it, but unfortunately it never reaches this instruction; it jumps over it at some point, and I have no idea when/where the OEP of the .dll lies or at what time I should dump it.

I'm sorry G-RoM, I don't know what Hydra is.

Thanks Guys

NchantA

NchantA
November 7th, 2000, 05:53
Apologies to you all, I see now Hydra is a plugin for icedump ;p

I'll do my best with this, but I am kinda unsure of *when* to dump the file. Usually this is when the packer has finished the unpacking and is about to jump to the new code. I am sorry to say I have no friggin idea of the protocol it uses with .dll's. hehe

Thanks again for your time

NchantA

The Owl
November 7th, 2000, 09:08
Sigh... lots of it ;-)

So, let me make another effort of repeating myself re: OEP & DLL & you name it.

1.
People/I produce/release tools because they/I think that they serve some
purpose other than their/my own. However, this does not put them/me into the
same group as the users. In particular, I have stated it several times already that
I am *not* a cracker, but I *do* share certain interests and knowledge with them.
This should not come as a surprise, as I consider myself a reverse engineer and
such knowledge is a prerequisite for learning and evading software protection
schemes as well.

2.
I tend to make little or no effort to try to 'sell' our stuff (so your and others'
ignorance is a more or less forgivable 'sin' ;-), but that doesn't mean that once
you make it onto the icedump site, you should ignore what *else* you find there,
nor does it mean that you are not required to RTFM and understand it and draw
conclusions which we didn't explicitly state anywhere (i.e. *think* ;-). See, I'm
not a document/tutorial writer; I expect the reader/user to do his/her homework as
well (but I welcome others' contributions in this area).

3.
So, as for your particular requests:

Finding the OEP: icedump has a tracer engine designed just for this. The commands
you want to check out are /TRACE and /TRACEX, the latter being probably the
more applicable. The generic use is something like this:

1. Load the target into SoftICE so that SoftICE pops on the first instruction (see
the next point regarding DLLs).

2. Start the tracer like this: /TRACEX 401000 450000, where the two params
should cover the area in which you expect the OEP to be (typically the first
section of a PE file).

3. Sit back and wait. After a while SoftICE should pop up at the OEP (or at
least when EIP reaches the specified range for the first time; at this point
it takes some thinking to decide whether to continue tracing or not), or the
app will start up (meaning the range was wrong, try again with another one),
or the tracer crashes (in which case let me know about it). In most cases
you'll get SoftICE to pop up, just be patient (I recall VBOX took some 20 minutes
on a P5-200, with a few hundred million instructions traced). Of course this
was just the bare minimum you need to know to use the tracer; there are
several options that have to be properly set for a successful trace (e.g. for
VBOX child process tracing is not required, whereas for peshield you want
to trace threads in the same process; as nice as I am ;-), the default settings
reflect this already, but that's not always good enough, one more reason
to RTFM and think).

DLL issue: loader32 is incapable of loading a DLL and getting SoftICE to break on its
entry point. It is an artificial limitation, which our iceload removes (imho it is
good enough to replace loader32 for most users). So, get it, RTFM again and
think ;-). A little hint for your case: since VBOX uses several interoperating DLLs
plus the protected app, iceload should be used to notify SoftICE only and not to
load the target DLL directly (into its own address space). This means that once
iceload has notified SoftICE, you have to start the target app, which will eventually
make the OS load the target DLL, on which SoftICE will then break. Then you can
start to trace.

tsehp
November 7th, 2000, 18:55
Quote:
NchantA (11-06-2000 18:53):
apologies to you all, i see now Hydra is a plugin for icedump ;p

ill do my best with this, but i am kinda unsure of *when* to dump the file. usually this is when the packed has finished the unpacking and is about to jump to the new code. i am sorry to say i have no friggin idea the protocol it uses with .dll's. hehe

thanx again for your time

NchantA


As Owl said, I will forward you to mastering the icedump tool.
But first, I would like to help you more, so could you post a snippet
of the code you're in (about 20 lines before/after the EIP), just before
the jmp ebx you talked about?
It's better to learn to do it manually at first; then you can automate the repetitive tasks with icedump and its wonderful new features.
When I look at what they did, I feel like a monkey trying to read Einstein's theory of relativity.
regards,

tsehp

NchantA
November 10th, 2000, 06:14
Whole Routine

015F:008E04AD AND EAX,04
015F:008E04B0 TEST EAX,EAX
015F:008E04B2 JNZ 008E04BB
015F:008E04B4 MOV EAX,003B37FF
015F:008E04B9 JMP 008E051E
015F:008E04BB MOV ECX,[EBP-08]
015F:008E04BE CMP DWORD PTR [ECX+0C],000000C7
015F:008E04C5 JNZ 008E04FD
015F:008E04C7 MOV EDX,[EBP+0C]
015F:008E04CA MOV EAX,[EBP-08]
015F:008E04CD MOV ECX,[EAX+18]
015F:008E04D0 MOV [EDX],ECX
015F:008E04D2 MOV EDX,[EBP-08]
015F:008E04D5 CMP DWORD PTR [EDX+1C],00
015F:008E04D9 JZ 008E04FB
015F:008E04DB MOV EAX,[EBP+08]
015F:008E04DE CMP DWORD PTR [EAX+50],00
015F:008E04E2 JNZ 008E04FB
015F:008E04E4 MOV ECX,[EBP-04]
015F:008E04E7 MOV EDX,[ECX+64]
015F:008E04EA PUSH EDX
015F:008E04EB MOV EAX,[EBP+08]
015F:008E04EE CALL [EAX+6C]
015F:008E04F1 MOV ECX,[EBP-04]
015F:008E04F4 MOV DWORD PTR [ECX+64],00000000
015F:008E04FB JMP 008E0519
015F:008E04FD MOV EDX,[EBP-08]
015F:008E0500 MOV EAX,[EDX+14]
015F:008E0503 MOV [EBP-10],EAX
015F:008E0506 MOV EBX,[EBP-10]
015F:008E0509 JMP EBX // here you usually jump (ebx==eop)
015F:008E050B MOV ECX,[EBP-08]
015F:008E050E MOV EDX,[ECX+14]
015F:008E0511 MOV [EBP-0C],EDX
015F:008E0514 MOV EAX,[EBP-0C]
015F:008E0517 CALL [EAX]
015F:008E0519 MOV EAX,00533700
015F:008E051E POP EDI
015F:008E051F POP ESI
015F:008E0520 POP EBX
015F:008E0521 MOV ESP,EBP
015F:008E0523 POP EBP
015F:008E0524 RET


The routine as traced:

015F:008E0470 MOV EBP,ESP
015F:008E0472 SUB ESP,10
015F:008E0475 PUSH EBX
015F:008E0476 PUSH ESI
015F:008E0477 PUSH EDI
015F:008E0478 MOV EAX,[EBP+08]
015F:008E047B MOV ECX,[EAX+0000011C]
015F:008E0481 MOV [EBP-08],ECX
015F:008E0484 MOV EDX,[EBP+08]
015F:008E0487 MOV EAX,[EDX+00000120]
015F:008E048D MOV [EBP-04],EAX
015F:008E0490 MOV ECX,[EBP-04]
015F:008E0493 MOV EDX,[ECX]
015F:008E0495 AND EDX,01
015F:008E0498 TEST EDX,EDX
015F:008E049A JZ 008E04B4 (NO JUMP)
015F:008E049C MOV EAX,[EBP-04]
015F:008E049F MOV ECX,[EAX]
015F:008E04A1 AND ECX,02
015F:008E04A4 TEST ECX,ECX
015F:008E04A6 JZ 008E04B4 (NO JUMP)
015F:008E04A8 MOV EDX,[EBP-04]
015F:008E04AB MOV EAX,[EDX]
015F:008E04AD AND EAX,04
015F:008E04B0 TEST EAX,EAX
015F:008E04B2 JNZ 008E04BB (JUMP )
015F:008E04BB MOV ECX,[EBP-08]
015F:008E04BE CMP DWORD PTR [ECX+0C],000000C7
015F:008E04C5 JNZ 008E04FD (NO JUMP)
015F:008E04C7 MOV EDX,[EBP+0C]
015F:008E04CA MOV EAX,[EBP-08]
015F:008E04CD MOV ECX,[EAX+18]
015F:008E04D0 MOV [EDX],ECX
015F:008E04D2 MOV EDX,[EBP-08]
015F:008E04D5 CMP DWORD PTR [EDX+1C],00
015F:008E04D9 JZ 008E04FB (JUMP )
015F:008E04FB JMP 008E0519 (JUMP )
015F:008E0519 MOV EAX,00533700
015F:008E051E POP EDI
015F:008E051F POP ESI
015F:008E0520 POP EBX
015F:008E0521 MOV ESP,EBP
015F:008E0523 POP EBP
015F:008E0524 RET
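To see why the traced run never reaches the JMP EBX, here is an added example (not code from the thread or from icedump) that parses SoftICE-style listing lines, builds the static control flow of the full routine, and walks the recorded trace to report the branch whose outcome skipped the target. The two listings are an abridged, constructed excerpt of the ones posted above, and the target address 008E0509 is the posted JMP EBX.

```python
import re

# Abridged excerpt, constructed for this example, of the two SoftICE listings posted in the
# thread: straight-line instructions between branches are left out, so fall-through means
# "the next listed line". The (JUMP )/(NO JUMP) marks are the poster's trace annotations.
FULL = """\
015F:008E04BB MOV ECX,[EBP-08]
015F:008E04C5 JNZ 008E04FD
015F:008E04C7 MOV EDX,[EBP+0C]
015F:008E04D9 JZ 008E04FB
015F:008E04E2 JNZ 008E04FB
015F:008E04FB JMP 008E0519
015F:008E04FD MOV EDX,[EBP-08]
015F:008E0509 JMP EBX
015F:008E0519 MOV EAX,00533700
"""
TRACE = """\
015F:008E04BB MOV ECX,[EBP-08]
015F:008E04C5 JNZ 008E04FD (NO JUMP)
015F:008E04C7 MOV EDX,[EBP+0C]
015F:008E04D9 JZ 008E04FB (JUMP )
015F:008E04FB JMP 008E0519 (JUMP )
015F:008E0519 MOV EAX,00533700
"""
LINE = re.compile(r"^[0-9A-F]{4}:([0-9A-F]{8})\s+(\S+)\s*(.*?)\s*(\(JUMP \)|\(NO JUMP\))?$")

def parse(text):
    """Return [(addr, mnemonic, operands, taken)]; taken is None without a JUMP/NO JUMP mark."""
    return [(int(a, 16), mn, ops, None if mark is None else mark == "(JUMP )")
            for a, mn, ops, mark in (m.groups() for m in map(LINE.match, text.splitlines()) if m)]

def reaches(listing, target):
    """Addresses from which `target` is statically reachable in the listing's control flow."""
    succ = {}
    for i, (addr, mnem, ops, _) in enumerate(listing):
        direct = [int(ops, 16)] if mnem[0] == "J" and re.fullmatch(r"[0-9A-F]{8}", ops) else []
        fall = [] if mnem in ("JMP", "RET") or i + 1 == len(listing) else [listing[i + 1][0]]
        succ[addr] = direct + fall  # JMP EBX is indirect: no static successor
    can = {target}
    while new := {a for a, s in succ.items() if a not in can and any(x in can for x in s)}:
        can |= new
    return can

def divergence(full, trace, target):
    """First traced step after which `target` is no longer reachable: the branch that skipped it."""
    can = reaches(full, target)
    for cur, nxt in zip(trace, trace[1:]):
        if cur[0] in can and nxt[0] not in can:
            return cur
    return None
```

Running `divergence(parse(FULL), parse(TRACE), 0x008E0509)` points at the JNZ at 008E04C5 not being taken, i.e. the CMP of [ECX+0C] against 000000C7 failed, so execution went down the 008E04C7 path and the JMP EBX block was never entered.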