VBOX upnacking question

hello.
i tired to unpack VBOX recently, and i ran into a problem....when i am setting a breakpoint on the .code section...my program has like 4 of the .code section.
So i set teh bp on the one at 04010000. But when it breaks it breaks hell knows where, to some string declaration or something.

A/w My question is, is this normal to have more then one .code section?
and how do i know on whihc one to set BP on?
Thx

[D-Jester]

Code:

Memory map
Address    Size       Owner      Section    Contains                     Type   Access    Initial
00400000   00001000   Thisapp-              PE header                    Imag   R         RWE
00401000   00D5B000   Thisapp-   .text      code                         Imag   R         RWE
0115C000   00207000   Thisapp-   .rdata                                  Imag   R         RWE
01363000   000BC000   Thisapp-   .data      data                         Imag   R         RWE
0141F000   00172000   Thisapp-   .rsrc      resources                    Imag   R         RWE
01591000   00016000   Thisapp-   PREVIEW    SFX,imports,exports          Imag   R         RWE

Use memory Breakpoints they can be effective when all else fails. Almost...well always as far as I know when you want to break on the OEP section, it should be the first section (not the PE Header) often with the section header as ".text".

Vbox is easy...
Load app, clear IsDebuggerPresent Byte, Run the app until the trial screen appears, set a "BP FreeLibrary" when you break set a memory breakpoint on the code section, run...and your at the OEP, dump the app, change entrypoint to OEP, run the packed app not under a debugger, rebuild imports with ImpREC using "Hook", and "Trap Flag", any unresolved imports shouuld be "PeekMessage", and "GetMessage"

Read my tutorial on VBOX 4.6 for a detailed overview.

http://www.exetools.com/forum/showthread.php?t=5953

But since you don't have download privledges yet, if you PM with your email I will be nice enough to send it to you.

Quote:

Originally Posted by ReVeR

...is this normal to have more then one .code section?

This is not uncommon, its just a charateristic of a packed application where one code section unpacks/decrypts the other before executing it.

Regards...

k, thx alot, i think i solved my problem, though i haven't gotten teh app unpacked, i analysed the code it broke on wheh i put the mem break point. And now it is no longer gibberish, but a normal code...so i will try to dump it tonight and see if it workes...
Thx for te info.

[ivanov]

D-Jester,
is there any generic manual unp for vbox? my target is protected with vbox 4.10, how to reach the OEP using Olly? btw, is your tuts applicable for this version?

[N0P]

Quote:

Originally Posted by ivanov

D-Jester,
is there any generic manual unp for vbox? my target is protected with vbox 4.10, how to reach the OEP using Olly? btw, is your tuts applicable for this version?

this tut is applicable for (IMHO) all vBox craps (maybe privilege) or you can try eCRap OEP verify plugin for PEID by MAXX...
http://www.exetools.com/forum/showthread.php?t=4160

[ivanov]

yes, i have followed that tuts and also the one from D-jester. It "seemed" I reached the OEP, but no exe's worked. Please, I need more guidance. Here is my target:
h__ttp://www.qfile.de/dl/33934/target.rar.html.

[hobferret]

Hi

From what I remember of VBOX4.1, the entry point is from the PREVIEW section

The last 2 instructions I think (if I remember correctly) are:-

PUSH FFFFFFFF
CALL EAX - - > To EIP

LONG TIME AGO vbox4.1

/hobferret

If you have a dump and it wont run, have you fixed the IAT

[ivanov]

right,hobferret.
i have reached that section and jump into the call, do nothing and dumped the process using OllyDump. After fixing IAT, i got only one valid imported function and the exe is not working/error.

[hobferret]

Hey man

If you only have one reference in the IAT it has gotta be wrong

When at the IAT check to see where the calls are from, do a search for FF25 and you should find the IAT area, make a note of it and use that in Imprec

/hobferret

[Jay]

Quote:

Originally Posted by ivanov

yes, i have followed that tuts and also the one from D-jester. It "seemed" I reached the OEP, but no exe's worked. Please, I need more guidance. Here is my target:
h__ttp://www.qfile.de/dl/33934/target.rar.html.

hey ivanov,
target requires at least 2 non-system dll's not included in the archive.
vboxp410.dll
GEAR32PD.dll

[D-Jester]

Hello ivanov, please PM me with a download link for the FULL package, I can't run this on my system without its dependacies.

Thanks

[hobferret]

Hi ivanov

Likewise, PM the link

Don't know what exactly the program is but sounds like some old Adobe thing

/hobferret

[ivanov]

I have tried Lunar_Dust tuts "Unpacking VBOX 4.6.2 (Privilege Client)
Semi - Manually�..". I don't fixed the import table, just change the EP manually after dumping the program using LordPE. It works fine on Win XP SP2. But, I cannot run it on Win ME. It seems IAT is the problem, but I am not sure to fix it, :-).

The only imported function I see when loading the original program into ImpRec, entering the OEP I just found (using Lunar_Dust tuts, or the one that PEiD suggested), is Kernel32.dll. I don't know why ..:-).

[hobferret]

Hi ivanov

Is it by any chance set last error

/hobferret

[hobferret]

OK ivanov

Just very quickly unpacked target with Ollydbg

OEP==0056EA64

IAT
START@006C6018
END@006C6E84

So I don't know why you are only "seeing" one function

Forgot how easy VBOX 4.1 was

/hobferret