How to manually remove a VBOX 4.3 protection.

26th March 2000 - A quick tutorial written by dEZZY / Drink or Die.

General

This document is written as guidance for manually removing a VBOX 4.3 protection. VBOX is a tough commercial file protector that wraps an unprotected program so that it can be distributed on the Internet as trial software. Info on VBOX can be found at http://www.previewsystems.com.

Tools used

SoftICE 4.01 (or TRW2000 v1.13)
SoftICE Backdoor Keeper
Procdump 1.6.2 FINAL by G-RoM
All tools can be downloaded at http://protools.cjb.net

Getting started

If you have patched SoftICE with icepatch or SoftICE Backdoor Keeper, skip to the next section. Otherwise you have to defeat the SoftICE detection routine manually. Note: You can also bypass this annoying detection by using TRW2000 with Faults=off.

Bypassing SoftICE detection

Load the program using SoftICE or TRW2000 with the "faults = on" option set. The program will break in a piece of code that looks like this :-

MOV ECX,ESP
MOV EAX,ECX <-- Breaks here
POP EDI
POP ESI
POP EBP
RET

And the debugger gives you the following message :- "Break Due on Fault 03"

Trace to the RET and you exit to a routine that looks like this :-

070049D9 MOV EAX,[EBP-08]
070049DC MOV EAX,[EAX+24]
070049DF MOV [EBP-04],EAX <-- BPM here
070049E2 PUSH DWORD 070049EA
070049E7 JMP NEAR [EBP-04]
070049EA XOR EAX,EAX  <-- We come out here
070049EC POP EDI
070049ED POP ESI
070049EE POP EBX
070049EF LEAVE
070049F0 RET

Now, put a bpm for execution on 070049DF (bpm cs:070049DF x) and restart the program. Once it breaks there, move 0 into EAX (r eax 0), press F5 and continue reading the tutorial. Note: If you can't find the routine mentioned above, put a bpx on Kernel32!RaiseException. Once SoftICE breaks, step into the next CALL [someaddress], then into the next CALL, and into an INT 2E, and keep on debugging until you reach the IRETD. Step into it with F8 and you land on a RET right after the INT 2E. Now keep on debugging until you exit a CALL VirtualFree. Then take a look 50 or 60 lines below in the code window and you'll see the routine.

Bypassing IAT encryption (New from VBOX v4.2)

The main VBOX v4.3 code is pretty much like the old 4.2 version. The only difference is that VBOX now encrypts the IAT while loading the program and redirects the addresses of the imported functions to a routine in VBOXT430.DLL that decrypts them. This way the program depends on VBOXT430.DLL to work, and a normal dump will result in an unusable IAT. So we'll crack that too. Before you press the Try button, enter SoftICE and do a 'bpx GetProcAddress'. When SoftICE pops up inside GetProcAddress, do a 'p ret' to exit it. Now you should be looking at the following code :-

015F:0700BB36 PUSH DWORD PTR [EBP-20]
015F:0700BB39 CALL [KERNEL32!GetProcAddress]
015F:0700BB3F MOV EDI,EAX <-- you are here
015F:0700BB41 CMP EDI,EBX
015F:0700BB43 JZ 0700BCE6
015F:0700BB49 MOV ESI,[ESI+16]
015F:0700BB4C ADD ESI,[EBP+08]
015F:0700BB4F CMP [EBP-24],EBX <-- encrypt function call?
015F:0700BB52 JZ 0700BB89 <-- jump if not
015F:0700BB54 LEA EAX,[EBP-0114]
015F:0700BB5A PUSH EAX
015F:0700BB5B PUSH DWORD PTR [EBP-20]
015F:0700BB5E PUSH EDI
015F:0700BB5F CALL 0700BF61
015F:0700BB64 ADD ESP,0C
015F:0700BB67 TEST EAX,EAX
015F:0700BB69 JZ 0700BB89
015F:0700BB6B PUSH DWORD PTR [EBP+28]
015F:0700BB6E PUSH EDI
015F:0700BB6F PUSH DWORD PTR [EBP+24]
015F:0700BB72 PUSH DWORD PTR [EBP+20]
015F:0700BB75 CALL 0700BDFE
015F:0700BB7A ADD ESP,10
015F:0700BB7D CMP EAX,EBX
015F:0700BB7F JZ 0700BDD6
015F:0700BB85 MOV [ESI],EAX <-- store encrypted address (EAX)
015F:0700BB87 JMP 0700BB8B
015F:0700BB89 MOV [ESI],EDI <-- store original address (EDI, not encrypted)
015F:0700BB8B INC DWORD PTR [EBP-28]
015F:0700BB8E MOV EAX,[EBP-28]
015F:0700BB91 CMP EAX,[EBP-4C]
015F:0700BB94 JL 0700B9E3

This code works like the OS loader: after resolving each function address, some of them are encrypted before being stored back into the IAT. What we must do here is patch the routine so that it skips encryption for every function address. This is done by changing the JZ instruction at 0700BB52 into a JMP 0700BB89.

Getting ready for dumping

Now do 'p ret' a few times until you return from a 'call edi'. Put a bpm for execution on it and exit SoftICE. When it breaks again, step into that function call. You will notice that the code changes while you trace through it; that's OK. Step into the first function call here. Now look for a 'call eax' with EAX pointing to GetProcAddress about 50-70 lines down. Trace down to it, step over it, and step into the next function call. Here you will see the following code about 30 lines down :-

015F:011604E0 MOV EDX,[EBP-08]
015F:011604E3 MOV EAX,[EDX+14] <-- get app entry point
015F:011604E6 MOV [EBP-10],EAX
015F:011604E9 MOV EBX,[EBP-10] <-- app entry point to EBX
015F:011604EC JMP EBX <-- jump to real entry point

Trace until you reach the JMP EBX. Now assemble 'JMP EIP' over it (a eip; jmp eip) so it looks like this :-

015F:011604EC JMP 011604EC <-- locked, jumps to itself

(In case you can't assemble, the byte codes for JMP EIP are EB FE.) Thus, when you exit SoftICE, the process will lock itself at this instruction. Press F5 to go on. Start up procdump.exe and go into Options. Under 'Structure', select everything. Under 'Imports', select 'Rebuild new import table'. Select the process in Procdump with the right mouse button and do a dump (full). Give it a name (dump.exe). Now click on "PE Editor" and select the new dump.exe file. In the "Entry Point" box you must enter the correct entry point. Remember that this is the value of EBX in the last instruction (JMP EBX) minus the ImageBase.

PE Entry Point = EBX - ImageBase (00400000)

So, for example, if EBX was 450983, the entry point you have to enter in the PE header of your dump.exe file is:

450983-400000 = 50983

Press OK to save the changes. Now you have a working exe without VBOX protection on your hard disk.
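The entry-point fix above is the one field you cannot get wrong, and Procdump's PE Editor gives no feedback if you mistype it. As an added example (not the tutorial's code and not Procdump's), the following Python script does the same arithmetic directly on a PE32 header: it reads ImageBase and SizeOfImage, converts the virtual address seen in EBX to an RVA with the tutorial's formula (EBX - ImageBase), refuses values outside the image, checks that the new entry point falls inside a section (an entry point outside any section is the classic sign of a bad dump or a wrong number), and patches AddressOfEntryPoint in place. The sample header is constructed inline so the script runs offline; the 0x450983 / 0x400000 / 0x50983 values are the tutorial's own worked numbers.

```python
import struct

# PE32 layout constants from the PE/COFF specification.
E_LFANEW_OFFSET = 0x3C        # DOS header field holding the offset of "PE\0\0"
COFF_HEADER_SIZE = 20
OPT_MAGIC_PE32 = 0x10B
SECTION_HEADER_SIZE = 40
# Offsets inside the optional header (PE32 only).
OPT_ENTRY_POINT = 16
OPT_IMAGE_BASE = 28
OPT_SIZE_OF_IMAGE = 56


def parse_pe32_header(data: bytes) -> dict:
    """Return the header fields needed to fix a dump's entry point, plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + COFF_HEADER_SIZE
    if struct.unpack_from("<H", data, opt)[0] != OPT_MAGIC_PE32:
        raise ValueError("only PE32 (32-bit) images are handled here")
    sections = []
    sec = opt + size_opt
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, _rawptr = struct.unpack_from(
            "<8sIIII", data, sec + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": vaddr,
                         "size": max(vsize, rawsize)})
    return {
        "image_base": struct.unpack_from("<I", data, opt + OPT_IMAGE_BASE)[0],
        "size_of_image": struct.unpack_from("<I", data, opt + OPT_SIZE_OF_IMAGE)[0],
        "entry_rva": struct.unpack_from("<I", data, opt + OPT_ENTRY_POINT)[0],
        "entry_field_offset": opt + OPT_ENTRY_POINT,   # file offset to patch
        "sections": sections,
    }


def va_to_entry_rva(va: int, image_base: int, size_of_image: int) -> int:
    """The tutorial's formula, PE Entry Point = EBX - ImageBase, with a bounds check."""
    if va < image_base or va - image_base >= size_of_image:
        raise ValueError(f"VA {va:#x} lies outside the image "
                         f"[{image_base:#x}, {image_base + size_of_image:#x})")
    return va - image_base


def section_for_rva(sections: list, rva: int):
    """Name of the section containing rva, or None if it falls in no section."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["size"]:
            return s["name"]
    return None


def set_entry_point(data: bytes, va: int) -> bytes:
    """Return a copy of the PE with AddressOfEntryPoint set to (va - ImageBase)."""
    hdr = parse_pe32_header(data)
    rva = va_to_entry_rva(va, hdr["image_base"], hdr["size_of_image"])
    if section_for_rva(hdr["sections"], rva) is None:
        raise ValueError(f"entry RVA {rva:#x} does not fall inside any section")
    out = bytearray(data)
    struct.pack_into("<I", out, hdr["entry_field_offset"], rva)
    return bytes(out)


def build_sample_pe32(image_base: int = 0x400000, entry_rva: int = 0x1000) -> bytes:
    """Constructed minimal PE32 header with one .text section (headers only, not runnable)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32)
    struct.pack_into("<I", opt, OPT_ENTRY_POINT, entry_rva)
    struct.pack_into("<I", opt, OPT_IMAGE_BASE, image_base)
    struct.pack_into("<I", opt, 32, 0x1000)                 # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                  # FileAlignment
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, 0x52000)  # covers .text below
    struct.pack_into("<I", opt, 60, 0x200)                  # SizeOfHeaders
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x51000, 0x1000, 0x51000, 0x200,
                       0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    pe = build_sample_pe32()
    fixed = set_entry_point(pe, 0x450983)          # EBX from the tutorial's example
    print(f"new AddressOfEntryPoint = {parse_pe32_header(fixed)['entry_rva']:#x}")
```

On a real dump.exe you would read the file bytes, call set_entry_point with the EBX value, and write the result back; the section check is the part worth keeping, since a dump whose entry point points at the PE headers or past the last section will never run.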

Congrats.

Now what?

Optionally you can re-optimize the PE header with MakePE or a similar tool, and finally you can pack it with PECompact or another executable packer.

Addendum: Ultrafast cracking of Vbox 4.3 using TRW2000

Tools needed: Only registered TRW2000 v1.11+

1) run TRW2000 and press OK to leave it resident in memory.
2) Ctrl+M to go into TRW2000 and set: Faults off.
3) run the Vboxed program until it goes to the "Try" screen.
4) Ctrl+M and set: bpx kernel32!getprocaddress
5) press the "Try" button.
6) in TRW2000, press F12 and F10 to exit the CALL.

015F:0700BB39 CALL [KERNEL32!GetProcAddress]
015F:0700BB3F MOV EDI,EAX <-- you are here
015F:0700BB41 CMP EDI,EBX
015F:0700BB43 JZ 0700BCE6
015F:0700BB49 MOV ESI,[ESI+16]
015F:0700BB4C ADD ESI,[EBP+08]
015F:0700BB4F CMP [EBP-24],EBX <-- encrypt function call?
015F:0700BB52 JZ 0700BB89 <-- jump if not

7) in TRW type: a cs:700bb52 (address of the 2nd JZ) and enter: jmp short 0700bb89.
8) now enter: bl, which shows you the current breakpoints (only one, in GetProcAddress), something like this: bpx 015F:BFF79834. Now type: bpe 1 (to edit it) and make it look like this: bpx 015F:BFF79834 if (eax==BFF79834) (note that the address compared with EAX is the same as GetProcAddress' address).
9) press F5 to continue. Each time TRW breaks, press F12 and then F10, and notice that you have just exited a CALL EAX.
10) repeat step 9 (6 or 7 times) until you see code like this :-

CALL EAX
TEST EAX,EAX <-- you are here
MOV [EBX+8C],EAX
JNZ 01170233
POP EDI
POP ESI
POP EBP

11) trace with F8 through the JZ and step into the next call. This is the last call, the one that executes the real program. 30 lines down you'll see :-

015F:011604E0 MOV EDX,[EBP-08]
015F:011604E3 MOV EAX,[EDX+14] <-- get app entry point
015F:011604E6 MOV [EBP-10],EAX
015F:011604E9 MOV EBX,[EBP-10] <-- app entry point to EBX
015F:011604EC JMP EBX <-- jump to real entry point

12) keep on tracing with F8 and execute the JMP EBX. Now you are at the first instruction of the real program. Enter this in TRW: makepe
13) Voila! Now you have a file called newpe.exe in the default dir, which is an unvboxed copy of the program (with the correct EntryPoint).