Quote:
|
Originally Posted by TechLord
nikola:
If you have a tryout version of A*obe Phot* sho* CS or any of the recent ad*be tryout products, you can find at least one or two DLLs which are vboxed there.
Photosh*p CS has cooltype.dll for instance... (Admins: I hope I am not breaking any of the rules by naming the target since I am not giving any application-specific code here... Please correct me and the post if anything in the post is illegal...)
PEiD will very easily let you find the DLLs which are packed.
|
Let's simply stop Ollydbg on each new DLL (Debugging options > Events > Break on new module). After VBOXTB is loaded, set a hardware breakpoint at VBOXTB.070081B9, where the OEP of the DLL is copied to EAX. Remove Debugging options > Events > Break on new module and run. On the VBOX trial dialog press Try. Ollydbg will stop on the hardware breakpoint and show the OEP of the DLL.
VBOXTB is loaded at memory address 0A000000 (the address may be different):
VBOXTB.0A0081B9 (Offset 81B9) MOV EAX, [ESI+14] (EAX = OEP of DLL)
...
VBOXTB.0A0081CB PUSH [EBP+14]
VBOXTB.0A0081CE PUSH [EBP+10]
VBOXTB.0A0081D1 PUSH [EBP+0C]
VBOXTB.0A0081D4 (Offset 81D4) CALL EAX (EAX = OEP of DLL)
Another generic approach is setting a memory breakpoint on the .text section of the VBOXed DLL when Ollydbg stops after loading this DLL. The first time the memory breakpoint (type: memory, on access) stops execution is when some bytes at the OEP are changed. The second time the memory breakpoint stops is due to execution of the OEP (the same approach as finding the OEP of VBOXed exe files).
Both generic approaches still need remaining trial days. If the trial period is exceeded - no problem. Information about the remaining days is stored in a .LIC file (in the shared folder in the program's path \VBOX\Licenses), in C:\os??????.BIN (? = numeric characters) and in the registry under HKEY_CLASSES_ROOT\CLSID\...; look for entries with no subtrees and only one registry entry @ = a long cryptic text string.
If you want to get the exact registry entry and the exact filename of the .BIN you have to patch RUNDLL32.EXE at its OEP with JMP OEP (EB FE). Ollydbg will stop at the entry of RUNDLL32 when VBOX tries to load VBOXR.DLL. Patch RUNDLL32 back at the OEP (E8 0A), set breakpoints at KERNEL32!GetFileAttributesA and ADVAPI32!RegOpenKeyA and run. Ollydbg will serve the file name and the registry entry.
How to reset trial period to original value:
Delete both RUNDLL processes (e.g. using Sysinternals Process Explorer 'Kill process tree'), delete the registry entry and the .BIN file. Finally remove the .LIC and copy the original .LIC (which you have on the HDD after installing the program - don't forget to make a backup) to the destination. You can easily recognise the original .LIC by its date/time stamp: if it is equal to that of the corresponding .PRF, then it is the original file. If it is not available, reinstall the program and make a backup of the .LIC.
Greets
Izak