
VBox 4.1 Unpacking

2006-07-03 20:25:58 Source: WEB开发网
07001c06: jmp 07001c2c

3. 07001c74: jne 07001f9b patch to

07001c74: jmp 07001f9b

VBox screen will not appear anymore BUT:

we just did it in memory, that's not permanent, as you all know very well ...

We must now apply our patch on the real file. But VBOXT403.DLL is packed?

Step 2: Close TRW. (TRW's bpm function doesn't seem to work there.)

Let's run SoftICE. (VBox unpacks its code first, then checks for SoftICE.)

load crackme.exe

bpm xxxx: 07006079 w;

Ok, so set this breakpoint and rerun. You will land in VBOXT410.DLL here:

009c01b7: repz movsd
009c01b9: mov ecx,edx
009c01bb: and ecx,03
.......

Oh my GOD!! It is encrypted before running.

Therefore you couldn't find this code inside VBOXT410.DLL.

bpm xxxx: 009c01b7 w;

So set this breakpoint and re-run. You will land here:

00a001b7: repz movsd
00a001b9: mov ecx,edx
00a001bb: and ecx,03
.......

Try again.

bpm xxxx:00a001b7 w;

So set this breakpoint and re-run. You will land here:

07093c27: mov [edi],al
07093c23: inc edi
07093c24: inc ebp
.......

Try again.

bpm xxxx:07093c27 w;

So set this breakpoint and rerun. You will land here:

:07093422 03D0 add edx, eax
:07093424 C1E902 shr ecx, 02
:07093427 F3 repz
:07093428 A5 movsd ; here!!!
:07093429 8BCD mov ecx, ebp
:0709342B 89542414 mov dword ptr [esp+14], edx
:0709342F 83E103 and ecx, 00000003
:07093432 F3 repz
:07093433 A4 movsb
:07093434 8B4344 mov eax, dword ptr [ebx+44]


Tags: VBox unpacking
