Thread: Trouble with a VBox prot
View Single Post
  #1  
Old 09-18-2006, 03:46
Sharky_Canada
 
Posts: n/a
Trouble with a VBox prot
Hi all,

I've been playing around with an older VBox protection (version 4.3) that doesn't appear to be like others I've dealt with in the past.

I have searched for and read all vbox tutorials I can find, but.....

Here's what I've tried:

1. UCF2000 VBox unpacker crashes trying to find EP

2. Run program to trial window, Hardware BP on FreeLibrary, then set Memory Access BP on .code section (this should put you at EP, but doesn't work)

3. Run program to trial window, Hardware BP on GetVersion, trace back to user code.
a) This "appears" to be the correct EntryPoint, and ImpRec can find all imports (that weren't encrypted by the call 0700BB52 JE SHORT vboxt430.0700BB89)
b) But, no dumps work
c) Also, by bypassing the IAT encryption function (JE at 0700BB52) with a JMP, VBox pops up complaining about tampering with xxxxxStreams.dll. I did manage to rebuild the import table, but dumps still don't work.

4. I even tried variations of techniques by the earlier vbox crackers Marigold/Xoanan et al, but to no avail.

Any other ideas for verifying that I have the correct EP?

Thanks in advance,

Sharky
Reply With Quote