VBOX unpacking question
hello.
i tried to unpack VBOX recently, and i ran into a problem....when i am setting a breakpoint on the .code section...my program has like 4 of the .code section. So i set the bp on the one at 04010000. But when it breaks it breaks hell knows where, to some string declaration or something. A/w My question is, is this normal to have more than one .code section? and how do i know on which one to set BP on? Thx |
Code:
Memory map
Vbox is easy... Load app, clear IsDebuggerPresent Byte, Run the app until the trial screen appears, set a "BP FreeLibrary" when you break set a memory breakpoint on the code section, run...and you're at the OEP, dump the app, change entrypoint to OEP, run the packed app not under a debugger, rebuild imports with ImpREC using "Hook", and "Trap Flag", any unresolved imports should be "PeekMessage", and "GetMessage"
Read my tutorial on VBOX 4.6 for a detailed overview. http://www.exetools.com/forum/showthread.php?t=5953
But since you don't have download privileges yet, if you PM with your email I will be nice enough to send it to you.
Quote:
Regards... |
k, thx a lot, i think i solved my problem, though i haven't gotten the app unpacked, i analysed the code it broke on when i put the mem break point. And now it is no longer gibberish, but a normal code...so i will try to dump it tonight and see if it works...
Thx for the info. |
D-Jester,
is there any generic manual unp for vbox? my target is protected with vbox 4.10, how to reach the OEP using Olly? btw, is your tuts applicable for this version? |
Quote:
http://www.exetools.com/forum/showthread.php?t=4160 |
yes, i have followed that tuts and also the one from D-jester. It "seemed" I reached the OEP, but no exe's worked. Please, I need more guidance. Here is my target:
h__ttp://www.qfile.de/dl/33934/target.rar.html. |
Hi :)
From what I remember of VBOX4.1, the entry point is from the PREVIEW section :D
The last 2 instructions I think (if I remember correctly) are:-
PUSH FFFFFFFF
CALL EAX - - > To EIP :cool:
LONG TIME AGO vbox4.1
/hobferret
If you have a dump and it won't run, have you fixed the IAT :confused: |
right, hobferret.
i have reached that section and jump into the call, do nothing and dumped the process using OllyDump. After fixing IAT, i got only one valid imported function and the exe is not working/error. |
Hey man :)
If you only have one reference in the IAT it has gotta be wrong :D When at the IAT check to see where the calls are from, do a search for FF25 and you should find the IAT area, make a note of it and use that in Imprec :cool: /hobferret |
Quote:
target requires at least 2 non-system dll's not included in the archive. vboxp410.dll GEAR32PD.dll |
Hello ivanov, please PM me with a download link for the FULL package, I can't run this on my system without its dependencies.
Thanks |
Hi ivanov :)
Likewise, PM the link :cool: Don't know what exactly the program is but sounds like some old Adobe thing :D /hobferret |
I have tried Lunar_Dust tuts "Unpacking VBOX 4.6.2 (Privilege Client) Semi - Manually...". I didn't fix the import table, just change the EP manually after dumping the program using LordPE. It works fine on Win XP SP2. But, I cannot run it on Win ME. It seems IAT is the problem, but I am not sure to fix it, :-). The only imported function I see when loading the original program into ImpRec, entering the OEP I just found (using Lunar_Dust tuts, or the one that PEiD suggested), is Kernel32.dll. I don't know why ..:-). |
Hi ivanov :)
Is it by any chance set last error :confused: /hobferret |
OK ivanov :)
Just very quickly unpacked target with Ollydbg :D
OEP==0056EA64
IAT START@006C6018 END@006C6E84
So I don't know why you are only "seeing" one function :confused:
Forgot how easy VBOX 4.1 was :D
/hobferret |