Vbox 4.6.2
 

Hi All -

I'm working on unwrapping an app contained in Vbox 4.6.2. I have found the OEP, found the "standard" Vbox code, performed the code injection, set the break on the infinite loop to check the new code and everything works fine. However, when I go back to Imprec there are lots of imports in the kernel32.dll that are still invalid. I have studied and followed a tut by Lunar_Dust and one by RemedY and I can't make any further headway. :confused:

Any suggestions??

Thanks
LetMeIn

One added piece of information - each one these invalid imports in the kernel32.dll are calls to the vbox routine that i patched.

try trace level 1,2 and 3 (in imprec)... one of them should help you to fix the iat :).

Manual IAT reconstruction
 

Is there a way to reconstruct the IAT without the use of Imprec, revirgin, etc.? I know that this is or would be taking the "scenic route," but I'm curious. The semi-manual process does not seem to be working for me.

Look here:

In english
h**p://mup.anticrack.de/PETut.html
h**p://www.absolutelock.de/construction/infobase.html

and here:

In spanish
h**p://www.crackslatinos.hispadominio.net/miembros/teorias/t241-260.htm

253 Import tables a mano 1/4
254 Import tables a mano 2/4
255 Import tables a mano 3/4
256 Import tables a mano 4/4

Maybe someone has got english version incase you do not understand spanish ;)

I have English copies of the Ricardo tuts. My question is this, is the target exe file the only file that needs unpacking? I remember reading a post in either this forum or the woodman forum that there are possibly three files - the target exe and two vbox dlls. These three files are the ones that have PREVIEW listed as a section header. Does that sound right?