ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

Derive 6.0
VBOX Manual Unpacking


Information: Manual unpacking of VBOX protector
Target: DERIVE 6.0
Available: http://education.ti.com/us/product/software/derive/features/features.html
Tools: OllyDbg 1.10
Protection: Trial 30 days
Level: Beginner
Category: Unpacking / Cracking
Author(s): ThunderPwr, September 2004
Requirements: Windows 2K, XP, IE 5.5 and above for best viewing


1. Introduction


This program is a powerful mathematical assistant: with it you can easily manipulate and solve complex expressions, and you are also able to handle algebra, equations, trigonometry, vectors and matrices and to solve a wide range of symbolic and numeric problems. Results can be plotted as 2-D graphs or 3-D colour surfaces, enabling different approaches to problem solving. I've used it extensively and I can say that it is a powerful mathematical tool.

Throughout this simple tutorial a step-by-step explanation is given in order to show how to unpack VBOX.

The first investigation of this packer is by Ricardo Narvaja and OrniacO; in this tutorial I've just pointed out some concepts about this packer with a detailed explanation.



2. What we can do


Our purpose is to manually unpack the program and defeat the trial time limit which is built into the VBOX packer.


STEP 1 – Executable file analysis after installation


When the installation process has finished you must check whether the target program is encrypted/packed or in plain form. To do this we can use the PEiD file scanner; see figure 1 for details:


Fig. 1 PEiD file scanner detail.

This file was packed with the VBOX protector. Confirmation of the packer can be obtained by executing the original program: look at the bottom left corner and you can see the VBOX icon, which tells us about the protector:


Fig. 2 VBOX main window.



STEP 2 – Manual unpacking


The next step is manual unpacking of this protector. As usual, the first task is finding the OEP of the program, then dumping the process and finally rebuilding the IAT (if it is encrypted). To search for the real entry point, load the executable in OllyDbg:


Fig. 3 Debugging options window.

OllyDbg tells us about some packed code; press the OK button to continue:


Fig. 4 Starting code.

Press F9 to run the executable; OllyDbg now breaks due to an INT3 instruction:


Fig. 5 First exception.

Press SHIFT+F7 to skip the exception and F9 to run the program; you get another exception:


Fig. 6 Second exception.

Skip the exception again with SHIFT+F7 and press F9 to run the program; OllyDbg shows this message:


Fig. 7 Message about the VBOX module loading.

Press OK to continue; there is a nag message from the VBOX protector about debugger detection:


Fig. 8 VBOX debugger window.

When you press the OK button the program stops, so you have to restart OllyDbg and activate the IsDebuggerPresent plugin in order to hide the debugger:


Fig. 9 Set the IsDebuggerPresent plugin.

Press F9 to run the program and skip all the exceptions with SHIFT+F7/F9; now you are able to reach the main window of the program, where you can see the message at the bottom of the window about the evaluation time remaining:


Fig. 10 Main VBOX window about trial time residual.

Now press the Try button on the main program window; there is another INT 3 break. Press SHIFT+F7 to skip the exception, and now if you press F9 the program starts:


Fig. 11 After the nag window there is the first program window.

OK, the program has started, which means it is already unpacked in memory. Now restart OllyDbg and repeat all the steps until you reach the last exception after you press the Try button; remember also to activate the IsDebuggerPresent plugin.
When you reach the last exception press ALT+M to show the Memory Map, or simply select it from the View menu:


Fig. 12 Defeat the nag message.

Now go to address 00401000, which is the CODE section, and put a memory breakpoint on access on it:


Fig. 13 Setting a memory breakpoint on access on the CODE section.

Return to the OllyDbg code window and press SHIFT+F9; now you start to get more stops from the memory breakpoint when writing to [……..], where the address resides in the CODE section. Take a look at the code window:


Fig. 14 Breakpoint when writing ...

This break is due to the REP MOVS instruction, which writes into the CODE section. To skip this loop faster you have to place a breakpoint on the next JMP instruction and skip the whole REP MOVS loop with F9.
To do this you must remove the previous memory breakpoint on the CODE section and then press F9 to reach the new breakpoint on the JMP instruction.


Fig. 15 Step 1: skip the REP MOVS cycle.

Press the Finish button to start the process; after some file loading a new message box appears:


Fig. 16 Step 2: removing the memory breakpoint.

Press F9; OllyDbg stops on our JMP breakpoint. Now you must restore the memory breakpoint on access on the CODE section and remove the breakpoint on the JMP instruction (press F2). Press F9 to run the program; OllyDbg stops again on the memory breakpoint, so you must remove the breakpoint on the CODE section and place a breakpoint on the PUSH 1 instruction which is after the JL conditional jump:


Fig. 17 Snippet of code related to another breakpoint on the CODE section.

Run the program again (F9), and after some time OllyDbg stops on your breakpoint.
Now you can put the breakpoint on the CODE section again and press F9 to run the program; there is another break due to our breakpoint on the CODE section. If you reach a single instruction like MOV, press F9 to continue execution; when you reach a REP MOVS instruction, place a breakpoint on the next instruction and remove the CODE section breakpoint to skip the loop quickly, then restore the breakpoint on the CODE section and repeat this process.
After some play with this technique you are able to reach the entry point. Of course this is the real OEP; I'm sure about this because this is the first instruction that is in the CODE section (the other instructions are only reads and writes into this section of code, but the OEP must reside in this area):


Fig. 18 Real OEP for the program.

To show the code put the cursor on 004A32C8 and press CTRL+A to force OllyDbg to re-analyse the code:


Fig. 19 Snippet of code at the real OEP.

Now we have reached the OEP and it is time to dump the program using the OllyDump plugin; make sure all your dump options are the same as those reported below:

OEP = Real_Entry_Point - Image_Base = 004A32C8 - 00400000 = 00A32C8


Fig. 20 OllyDump plugin.

Press the Dump button to write the process memory to your hard disk; you can choose the name dumped.exe for it (the file size is approximately three times larger than the original executable).
Other tutorials about VBOX say to use the dump fixer feature now (RS=VS & RO=VO), but it really isn't necessary, because you've made the dump with the Fix Raw Size & Offset of Dump Image option set (see figure 20).
Only for the sake of clarity you can open the dumped file with PEditor:


Fig. 21 PEditor main window.

To load the dumped file into PEditor just press the browse button and go to the directory where the dumped file resides:


Fig. 22 Loading the dumped file into PEditor.

Press the sections button, which is in the Tables frame:


Fig. 23 Sections of the dumped file.

As you can see, for each section the Virtual Size (VS) is equal to the Raw Size (RS) and the Virtual Offset (VO) is equal to the Raw Offset (RO), so the step through PEditor is not necessary.
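The same check can be made mechanically instead of by eye in PEditor. The following is an added example, not part of the original tutorial: it parses the section table of a PE file or dump and reports whether every section has VS == RS and VO == RO, and it also does the OEP-minus-image-base subtraction from figure 20. The build_sample_pe helper and the section values it is fed are constructed for offline testing and are not taken from Derive.

```python
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def parse_sections(data: bytes):
    """Return the section table of a PE file/dump as a list of dicts with
    name, Virtual Size/Offset (vs, vo) and Raw Size/Offset (rs, ro)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vs, vo, rs, ro = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vs": vs, "vo": vo, "rs": rs, "ro": ro})
    return sections


def dump_is_raw_aligned(sections) -> bool:
    """True when every section has VS == RS and VO == RO, i.e. the dump was
    written with raw size/offset fixed and the PEditor step is not needed."""
    return all(s["vs"] == s["rs"] and s["vo"] == s["ro"] for s in sections)


def oep_rva(entry_point: int, image_base: int) -> int:
    """OEP as an RVA for OllyDump/ImpREC: entry VA minus image base."""
    return entry_point - image_base


def build_sample_pe(sections):
    """Constructed minimal PE32 header (DOS stub, file header, zeroed optional
    header, section table) used only so the parser can be tested offline."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = b"\0" * 224                                       # PE32 optional header
    fh = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    tbl = b"".join(struct.pack("<8sIIII", n.encode(), vs, vo, rs, ro) + b"\0" * 16
                   for n, vs, vo, rs, ro in sections)
    return dos + fh + opt + tbl


if __name__ == "__main__":
    # Constructed values: a dump without fixed raw size/offset versus one with them fixed.
    unfixed = build_sample_pe([("CODE", 0xA3000, 0x1000, 0xA2C00, 0x400)])
    fixed = build_sample_pe([("CODE", 0xA3000, 0x1000, 0xA3000, 0x1000)])
    print(dump_is_raw_aligned(parse_sections(unfixed)), dump_is_raw_aligned(parse_sections(fixed)))
    print(hex(oep_rva(0x4A32C8, 0x400000)))
```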

Now it is time to check whether our dumped file works or not. When you try to launch the dumped file an error message appears, so you have to repair the IAT, because this packer destroys the IAT (by redirection).


Fig. 24 Error during the execution of the dumped file.

You can rebuild the IAT by avoiding the encryption made by the packer. To do this, restart OllyDbg (press CTRL+F2), set the IsDebuggerPresent plugin and run the program with F9. Skip all the exceptions with SHIFT+F7 and SHIFT+F9 until you reach the main window with the evaluation days remaining (fig. 10).

Press ALT+E to show the executable modules:


Fig. 25 Executable modules window.

Double-click on the vboxt430.dll module:


Fig. 26 Snippet of the vboxt430.dll module.

Now it is time to search for the "magic jump"; with this you are able to avoid the IAT encryption and then get the right IAT with ImpREC in order to rebuild the dumped file so that it works perfectly. To do this press CTRL+G and then write 0700BB52 (this place is easy to find: just trace with F8 into vboxt430.dll and look for the API names; for some APIs the jump is taken and for others it is not taken, and instead of the right address there is a redirection into the VBOX module. A general approach is to follow the redirection to find the right API and write it into the IAT; this approach is very similar to the one used with ASProtect to rebuild the bad IAT entries, more general but taking more time than the magic jump method reported below):


Fig. 27 CTRL+G dialog box.

Press the OK button to land on this piece of code:


Fig. 28 Magic jump instruction.

With this jump you can avoid the IAT encryption; to do this you have to place a memory breakpoint on access on this address:


Fig. 29 Place a memory breakpoint on access on magic jump section.

Press the Try button on the program main window and OllyDbg stops in the vboxt430 module. Press F9 and skip all the exceptions and memory breakpoints until you reach the JE location, then change this conditional jump to a JMP instruction (press space and write JMP instead of JE). If you have trouble reaching the JE location due to the VBOX debugger detection before this point, you have to restart the process again:


Fig. 30 Patch the JE instruction to avoid encryption.

When you have reached the JE instruction and changed it into a JMP instruction, press CTRL+G and write 004A32C8 (this is the real OEP which we found in our previous analysis), then place another memory breakpoint on access on this address.


Fig. 31 Place a BPM on the OEP.

Press F9 (this rebuilds the IAT before jumping to the real OEP); when the rebuilding process is finished OllyDbg must stop at our OEP. When OllyDbg stops, the IAT is already rebuilt in memory and all entries are valid, hence start ImpREC and choose the derive6.exe process.
Write our OEP into the "IAT infos needed" frame (remember this is the OEP offset, hence you have to subtract the image base, which is equal to 00400000) and press the IAT AutoSearch button, then press the Get Imports button:


Fig. 32 Load IAT into ImportREConstructor.

All entries are valid and you can rebuild the IAT in your dumped file. To do this press the Fix Dump button and choose the dumped.exe file to rebuild it (ImpREC now saves a new file named dumped_.exe):


Fig. 33 Fixing the dumped file.

Now check whether your fixed dumped executable works: rename the file dumped_.exe to Derive6.exe and launch it. Well, it's working now and we don't have any nag screen about VBOX or the trial time limitation. Work done!


Fig. 34 Derive 6 main screen without VBOX nag screen.




3. Conclusion


Well, this is my first approach to VBOX manual unpacking; this protector is a little more difficult than UPX and less than ASProtect. There is also API redirection, but defeating it is much simpler than with ASProtect. A limit of this protector is the built-in trial evaluation time protection: defeating VBOX also means removing the trial limit, so the original program is also unprotected and can work as a registered version without problems. I hope this tutorial can be as useful to you as it was to me; if you find some imprecision please let me know in order to fix it.

Remember, if you plan to use this software you must purchase the product in order to support the author in developing other good software.

Any suggestion, correction or criticism is welcome; if you need help with this tutorial or other stuff you can reach me on the ARTeam forum.



8. Greetingz

[MAIN TEAM]
| Nilrem | Ferrari | MaDMAn_H3rCuL3s | EJ12N | Kruger | Shub-Nigurrath | Jdog45 | Teerayoot | R@Dier |

[TRIAL MEMBERS]
| ThunderPwr | Eggi |

Special thanks go to Ricardo Narvaja and OrniacO for the first tutorial about this packer.

ThunderPwr