VBox 4.1 unpacking
2006-07-03 20:25:58 Source: WEB开发网
Yes, you can find this code in VBOTT410.DLL.
It is almost the same when you bpm xxxx:07001c06 or bpm xxxx:07001c74. Frankly, I did not find an elegant way to patch it.
It modifies itself quite a lot.
If you find an elegant way to patch it, please let me know.
Now I try to get a clean routine using another approach.
But it does not always work, beware!
So let's forget for a while our VBOXT402.DLL. We just want a clean routine.
Run TRW.
Change eax at:
1. 07006079: call [dword dialogparama]
2. 07001c06: jne 07001c2c
3. 07001c74: jne 07001f9b
So I just run our 'Official phrozen crew trial crackme'; a window pops up. Press 'ok' to enter its main routine window.
Now find its hwnd (you know how to do this, I hope :-), and then just bpmsg on it inside TRW.
Now: g; go back to phrozen's window, press 'exit'.
Just like before, TRW pops up.
Press F12 as long as needed to find the relevant code ...
00401029: push 00
00401030: push 00401046
00401032: push 00
00401034: push 01
0040103a: push dword 0402dd87
0040103f: call 00401313
00401041: push 00 ; you land here
00401046: call 0040127d
.......: ...
You can go to xxxx:00401029 directly and dump it from memory using 'pedump' command.
Then you get dump1.exe.
MKPE dump1.exe -a -s -f -i3 -ldlllist.sam
FILEOUT.EXE is our 'clean' routine, and it works very well ... so bye-bye VBox 4.2.
As you can now see, once more, commercial ready-made protections are not as secure as they claim (look at http://www.previewsoftware.com).
But at times my FILEOUT.EXE approach doesn't work ... I wonder why ... Unfortunately I did not find any clear pattern to reverse this little mystery. If you understand this, or if you have any other good methods for this target, please let me know, and we will modify this essay together.