Trouble with a VBox prot

Hi all,

I've been playing around with an older VBox protection (version 4.3) that doesn't appear to be like others I've dealt with in the past.

I have searched for and read all vbox tutorials I can find, but.....

Here's what I've tried:

1. UCF2000 VBox unpacker crashes trying to find EP

2. Run program to trial window, Hardware BP on FreeLibrary, then set Memory Access BP on .code section (this should put you at EP, but doesn't work)

3. Run program to trial window, Hardware BP on GetVersion, trace back to user code.
a) This "appears" to be the correct EntryPoint, and ImpRec can find all imports (that weren't encrypted by the call 0700BB52 JE SHORT vboxt430.0700BB89)
b) But, no dumps work
c) Also, by bypassing the IAT encryption function (JE at 0700BB52) with a JMP, VBox pops up complaining about tampering with xxxxxStreams.dll. I did manage to rebuild the import table, but dumps still don't work.

4. I even tried variations of techniques by the earlier vbox crackers Marigold/Xoanan et al, but to no avail.

Any other ideas for verifying that I have the correct EP?

Thanks in advance,

Sharky

Update....

Well, after almost a week of playing, I decided to cheat a little. I grabbed a crack from the net for this app, and tried to reverse what they had done. Turns out I did everything right with the .exe file, but three other dlls were also changed. Without these changes, the app kept launching to the "try" nag window.

I know vbox 4.3 is old and outdated, but I'd still like to learn how it worked in this case...I'd love to analyse further, but without a license key from previewsystems, my downloaded copy of the packer is kinda useless.

Anyone else know of vbox encrypting/packing DLLs?

Note, I'm not talking about vbox dlls either, these are part of the application, not the vbox protection.

Thanks,

Sharky

[Naides]

Yes.

I am not completetely familiar with the rules of the board, so I will mention the app by name. please correct me if it is not proper.

The demo version of Photoshop CS (Not CS2) came packed with Vbox 4.3 Several of it plug-in files were Vboxed. The files had weird extensions .apl, but were in fact .dll in disguise. They had a valid PE format and IDA recognized them as .DLL and disassembled them.

There was no major problem in finding the OEP and dumping them, using Olly: I placed a BP on execution (Using a patched version of olly) to the whole .text segment.

Repairing the IAT was a harder problem, because IMPREC got lost while searching for imports. I had to reconstruct the IATs manually, which is a major pain.

So Vbox packed dll can be unpacked using near-standard methods

[D-Jester]

A simple search of this forum would reveal a tutorial on VBox and Photoshop that I wrote

http://forum.exetools.com/showthread.php?t=5953

VBox is old but always a great target for beginners