the target is expired or not :

:07005EFB F6451408 cmp eax, [ebp+10]
:07005EFE 7402 jz 7005F02 *NOP it*

and

:7005FAA 3B45F0 cmp eax, [ebp+10]
:7005FAD 751A jnz 7005FC9 * change it to JMP 7005FC9 *

Ok, now in theory our patch is done.... the VBox screen will not appear anymore, BUT: we only did it in memory. How do we apply it to the file if vboxt403.dll is packed?

Here comes a little Zen, as our +teacher says.... We know that the dll must be unpacked somewhere, so let's start hunting for the unpacking routine by setting BPM 7005EFE W (a breakpoint on memory write). This means SoftICE will pop up exactly when this memory location is written to (which, in our case, is the unpacking of vboxt403.dll).

Ok, so set this breakpoint and rerun. You will land in our beloved vboxp403.dll here:

-----------------------------------------------------------------------------------------------------------------------------

:0500E856 8BD1 mov edx, ecx
:0500E858 83E203 and edx, 00000003
:0500E85B C1E902 shr ecx, 02
:0500E85E F3 repz
:0500E85F A5 movsd *this writes the unpacked code to DS:EDI*
:0500E860 FF249568E80005 jmp dword ptr [4*edx+0500E868]
:0500E867 90 nop

-----------------------------------------------------------------------------------------------------------------------------

As you will notice, this routine is executed many times, since the unpacking is done in small steps. Anyway, we will focus our attention only on the moment when EDI reaches 07007000. Why? Well, simple: since we want to patch at DS:7005xxx, once EDI reaches 07007000 the code we need is already unpacked and ready for our patch :).

Now, problem #2: we need space for our memory patch routine. Easy, look here.... the datecheck code (the routine at 0500E720, called below) is of no more use, since the protection is killed. So we can use the memory occupied by that datecheck routine to implement our memorypatch.

First of all, we have to locate the call to this routine and NOP it, since we want to reuse its space for our own purpose. Here it is:

:05002880 6A00 push 00000000
:05002882 E899BE0000 call 0500E720 * just NOP this and the DLL will not call the datecheck anymore *
:05002887 83C404 add esp, 00000004
:0500288A 50 push eax

Now for the memorypatch. We have to get to our routine, right? So we need to modify the unpacker's jump that executes right after each block of vboxt403.dll is unpacked into memory:

change

:0500E860 FF249568E80005 jmp dword ptr [4*edx+0500E868]

to

:0500E860 E9C1FEFFFF909090 jmp 500E726 *ok, now this jumps to the entry point of our routine*

Here is the memorypatch routine:

-----------------------------------------------------------------------------------------------------------------------------

:0500E726 81FF00700007 cmp edi, 07007000 *check if the code we need to patch is unpacked yet*
:0500E72C 7519 jne 0500E747 *act normally if not*
:0500E72E 66C787FEEEFFFF9090 mov word ptr [edi+FFFFEEFE], 9090 *patch at EDI-1102 = 7005EFE*
:0500E737 C687ADEFFFFFEB mov byte ptr [edi+FFFFEFAD], EB *patch at EDI-1053 = 7005FAD (the jnz becomes jmp)*
:0500E73E 66C787A5EEFFFF9090 mov word ptr [edi+FFFFEEA5], 9090 *patch at EDI-115B = 7005EA5*

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0500E72C(C)
|
:0500E747 FF249568E80005 jmp dword ptr [4*edx+0500E868] *this is the normal jump executed after unpacking*
:0500E74E 90 nop
:0500E74F 90 nop

-----------------------------------------------------------------------------------------------------------------------------

You'll notice I've done another patch at 0500E73E. What is it about? Well, it patches this code

-----------------------------------------------------------------------------------------------------------------------------

:7005E9C F6451408 test byte ptr [ebp+14],08
:7005EA0 BE01000000 mov esi, 00000001
:7005EA5 745B jz 7005F02 *NOP it*

-----------------------------------------------------------------------------------------------------------------------------

which bypasses the "number of executions" check (another option of VBox, try it with the builder).
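The memorypatch routine above lives or dies on its arithmetic: a rel32 jump encoded against the end of the instruction, and three negative EDI-relative displacements computed from the 07007000 stop value. The following script is an added example (it is not code from the essay, and it is not part of VBox or SoftICE) that re-encodes every instruction of the routine from the addresses the essay gives and checks them against the bytes in the listing. Running it also shows that the displacement FFFFEFAD resolves to 7005FAD, the jnz we turned into a jmp earlier, not to 7005FA0.

```python
# Added example (not part of the essay): recompute the x86 encodings and
# EDI-relative displacements of the memory-patch routine, so every byte
# string in the listing can be checked against the address it claims.
import struct

UNPACK_END = 0x07007000   # EDI value at which the routine starts patching
ROUTINE_START = 0x0500E726
HOOK_SITE = 0x0500E860    # the 7-byte 'jmp dword ptr [4*edx+0500E868]'


def jmp_rel32(src, dst):
    """'jmp rel32' (opcode E9) placed at src, targeting dst.
    The displacement is relative to the address after the 5-byte instruction."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


def jcc_rel8(opcode, src, dst):
    """Short conditional jump (0x75 = jne, 0x74 = je) at src, targeting dst."""
    return bytes([opcode]) + struct.pack("<b", dst - (src + 2))


def disp32(base, target):
    """Signed displacement so that [base+disp32] addresses target, returned as
    the unsigned dword that appears in the disassembly (e.g. FFFFEEFE)."""
    return struct.unpack("<I", struct.pack("<i", target - base))[0]


def resolve(base, disp):
    """Inverse of disp32: the absolute address a [base+disp32] operand hits."""
    signed = struct.unpack("<i", struct.pack("<I", disp))[0]
    return (base + signed) & 0xFFFFFFFF


def mov_edi_disp32_imm(target, imm):
    """'mov word ptr [edi+disp32], imm16' = 66 C7 87 disp32 imm16, or
    'mov byte ptr [edi+disp32], imm8' = C6 87 disp32 imm8, with EDI == UNPACK_END.
    ModRM 0x87 selects [edi+disp32]; prefix 0x66 makes the operand 16-bit."""
    d = struct.pack("<I", disp32(UNPACK_END, target))
    if len(imm) == 2:
        return b"\x66\xc7\x87" + d + imm
    if len(imm) == 1:
        return b"\xc6\x87" + d + imm
    raise ValueError("immediate must be 1 or 2 bytes")


def patch_instructions():
    """The three patch instructions, keyed by the address each one modifies:
    7005EFE jz -> nop nop, 7005FAD jnz -> jmp (75 -> EB), 7005EA5 jz -> nop nop."""
    return {
        0x07005EFE: mov_edi_disp32_imm(0x07005EFE, b"\x90\x90"),
        0x07005FAD: mov_edi_disp32_imm(0x07005FAD, b"\xeb"),
        0x07005EA5: mov_edi_disp32_imm(0x07005EA5, b"\x90\x90"),
    }


def assemble_routine():
    """Whole routine from ROUTINE_START: cmp edi,imm32 / jne past the patches /
    the three movs. The jne target is derived from the body length, so it must
    come out as 0500E747, where the original unpacker jump was re-homed."""
    cmp_edi = b"\x81\xff" + struct.pack("<I", UNPACK_END)       # 81 FF imm32
    body = b"".join(patch_instructions().values())
    jne_at = ROUTINE_START + len(cmp_edi)
    skip_to = jne_at + 2 + len(body)
    return cmp_edi + jcc_rel8(0x75, jne_at, skip_to) + body, skip_to


def hook_jump():
    """Replacement for the 7-byte jump at HOOK_SITE: a 5-byte jmp to the routine,
    padded with NOPs so no partial instruction is left behind."""
    code = jmp_rel32(HOOK_SITE, ROUTINE_START)
    return code + b"\x90" * (7 - len(code))


if __name__ == "__main__":
    routine, end = assemble_routine()
    print(f"{HOOK_SITE:08X}: {hook_jump().hex().upper()}")
    print(f"{ROUTINE_START:08X}: {routine.hex().upper()}  (falls through to {end:08X})")
    for site, enc in patch_instructions().items():
        d = int.from_bytes(enc[-len(enc) + (3 if len(enc) == 9 else 2):][:4], "little")
        print(f"patch site {site:08X} via disp {d:08X} -> {resolve(UNPACK_END, d):08X}")
```

The essay's listing pads the hook with three NOPs (E9C1FEFFFF909090); the third one only rewrites the `nop` already sitting at 0500E867, so the two encodings behave identically.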

Well.... that's all. VBox is totally dead now, thanks to Marigold and your little xOANINO :) Go patch the vboxp403.dll according to this essay, copy it to your \WINDOWS\SYSTEM overwriting the original one and say "CIAO CIAO" to WeiJuhn Li :)

Until next time, friends... and let's hope Italy wins this World Cup.... although after yesterday's match it seems unlikely to me :(

 

Final Notes

I hope you all liked this essay. As you see, commercial ready-made protections are not as secure as they claim (look at http://www.previewsoftware.com/ and laugh.... they say even SoftICE's creators can't crack VBox and TimeLock, I can't believe it). There would be lots of ways to do a very secure protection (like using a decent PE-crypter), but maybe they think all of us +HCUkers are stupid.... bah :)
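One cheap measure the essay's note hints at, shown here as an added example rather than anything VBox actually does: after the unpacker has written the real code, hash the region that is about to execute and compare it with a digest fixed at build time. The toy packer (byte XOR), the load address, the 16-byte code region and the hook that stands in for the memorypatch routine are all constructed for the demonstration. It also shows the caveat that matters: a digest taken over the packed bytes is satisfied whether or not the unpacked copy was altered, because the patch lands after the write.

```python
# Added example (not from the essay): post-unpack integrity check of the kind a
# protection could use to notice that its code was altered in memory after
# unpacking. Packer, addresses and bytes are constructed; not VBox's format.
import hashlib

KEY = 0x5A                 # constructed: the toy "packer" is a byte XOR
BASE = 0x07005E9C          # constructed load address of the region below
# Constructed code region: the three instructions of the essay's last listing,
# padded to 16 bytes with NOPs.
#   7005E9C F6451408   test byte ptr [ebp+14],08
#   7005EA0 BE01000000 mov esi,1
#   7005EA5 745B       jz 7005F02
CLEAN_CODE = bytes.fromhex("F6451408" "BE01000000" "745B") + b"\x90" * 5
PACKED = bytes(b ^ KEY for b in CLEAN_CODE)
EXPECTED_DIGEST = hashlib.sha256(CLEAN_CODE).hexdigest()   # fixed at build time


def unpack(packed, dest, on_block=None):
    """Unpack in 4-byte blocks, as a rep movsd loop would, and let a hook look at
    the destination after every block: the moment the memorypatch fires."""
    for off in range(0, len(packed), 4):
        block = bytes(b ^ KEY for b in packed[off:off + 4])
        dest[off:off + len(block)] = block
        if on_block is not None:
            on_block(dest, off + len(block))   # bytes written so far, like EDI
    return dest


def tamper_hook(site=0x07005EA5, new=b"\x90\x90"):
    """Constructed stand-in for the memorypatch routine: once the write pointer
    has passed the site, overwrite the bytes there (jz -> nop nop)."""
    rel = site - BASE

    def hook(dest, written):
        if written >= rel + len(new) and dest[rel:rel + len(new)] != new:
            dest[rel:rel + len(new)] = new
    return hook


def integrity_ok(code, expected=EXPECTED_DIGEST):
    """Hash the region that will actually execute and compare with the digest."""
    return hashlib.sha256(bytes(code)).hexdigest() == expected


def packed_integrity_ok():
    """The wrong place to check: the packed image is never what gets patched."""
    return hashlib.sha256(PACKED).hexdigest() == hashlib.sha256(PACKED).hexdigest()


def run(tampered):
    """Unpack (optionally under the tamper hook) and report (check passed, code)."""
    dest = bytearray(len(PACKED))
    unpack(PACKED, dest, tamper_hook() if tampered else None)
    return integrity_ok(dest), bytes(dest)


if __name__ == "__main__":
    for tampered in (False, True):
        ok, code = run(tampered)
        print(f"tampered={tampered}: post-unpack check {'passed' if ok else 'FAILED'}, "
              f"packed-image check {'passed' if packed_integrity_ok() else 'FAILED'}, "
              f"bytes at 7005EA5 = {code[9:11].hex().upper()}")
```

The check has to run over the unpacked region, after every unpacking pass, and the expected digest has to be stored outside the region it covers; otherwise it inspects data that was never touched. It is a bar rather than a wall, since it lives in the same image it protects, which is exactly the weakness the essay exploits.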

My greets fly out to: All UCF and CLASS members, Devil, Stone, Miramax, Marquis, Random, SpaceOne, SaiBada, Goku, SoftPJ (pleeeeeeeeeease improve your E-Zine) :)


Ob Duh

I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.