This write-up shows how to locate and patch out the anti-sandbox / anti-VM check of a bot (a live malware sample) so that it runs inside a VM or sandbox where you can analyse it.

First you need a sample, preferably one that is already unpacked: on a packed binary the IDA listing below would only show the unpacker stub, so dump and import-fix it first.



First of all, open OllyDbg INSIDE VMWARE OR A SANDBOX, never on your host. You are about to execute live malware: take a VM snapshot first, keep the VM isolated from your network (host-only or no NIC at all), and revert the snapshot when you are done.

Open the .exe in Olly now (do not run it yet); we will come back to it soon.


Open the same .exe in IDA Pro (a static disassembly is enough here; the file is never executed by IDA, but keep it in the VM anyway if you are unsure).


Anti-sandbox checks are usually run at the very start of a program, before any real functionality, so the first place to look is the program's entry function.

So we go to WinMain()/main():

Code:
.text:004026FB ; int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
.text:004026FB ; Entry function. The second call (0040270C -> sub_4014D6) is the anti-sandbox gate;
.text:004026FB ; everything after it seeds the C runtime PRNG with the tick count and starts
.text:004026FB ; computing random values (rest of the function not shown in this post).
.text:004026FB _WinMain@16     proc near               ; CODE XREF: start+180p
.text:004026FB
.text:004026FB var_4A0         = byte ptr -4A0h
.text:004026FB var_39C         = byte ptr -39Ch
.text:004026FB var_298         = byte ptr -298h
.text:004026FB Str             = byte ptr -194h
.text:004026FB var_90          = byte ptr -90h
.text:004026FB var_8D          = byte ptr -8Dh
.text:004026FB var_60          = dword ptr -60h
.text:004026FB var_4B          = byte ptr -4Bh
.text:004026FB var_3F          = byte ptr -3Fh
.text:004026FB var_34          = dword ptr -34h
.text:004026FB var_30          = word ptr -30h
.text:004026FB Dst             = dword ptr -1Ch
.text:004026FB var_18          = dword ptr -18h
.text:004026FB var_C           = dword ptr -0Ch
.text:004026FB var_4           = dword ptr -4
.text:004026FB hInstance       = dword ptr  8
.text:004026FB hPrevInstance   = dword ptr  0Ch
.text:004026FB lpCmdLine       = dword ptr  10h
.text:004026FB nShowCmd        = dword ptr  14h
.text:004026FB
.text:004026FB                 push    ebp
.text:004026FC                 mov     ebp, esp
.text:004026FE                 sub     esp, 4A0h       ; 0x4A0 bytes of locals
.text:00402704                 push    ebx
.text:00402705                 push    esi
.text:00402706                 push    edi
.text:00402707                 call    sub_40419E      ; first call in WinMain; its body is not shown in this post
.text:0040270C                 call    sub_4014D6      ; this is the second function called after the file is executed -- the anti-sandbox routine listed below. It takes no arguments (no stack clean-up follows), so this 5-byte E8 call occupying 0040270C..00402710 is what gets NOPed out later
.text:00402711                 call    ds:GetTickCount
.text:00402717                 push    eax             ; Seed = GetTickCount()
.text:00402718                 call    ds:srand        ; srand(GetTickCount())
.text:0040271E                 mov     esi, ds:rand    ; esi = &rand, called indirectly below
.text:00402724                 xor     edi, edi        ; edi = 0
.text:00402726                 pop     ecx             ; drop the Seed argument pushed for srand (cdecl clean-up)
.text:00402727                 mov     [ebp+var_C], edi
.text:0040272A                 call    esi ; rand
.text:0040272C                 cdq                     ; sign-extend eax into edx:eax for idiv
.text:0040272D                 push    0Ah
.text:0040272F                 pop     ecx             ; ecx = 10
.text:00402730                 idiv    ecx
.text:00402732                 mov     ebx, edx        ; ebx = rand() % 10
.text:00402734                 call    esi ; rand
.text:00402736                 imul    eax, ebx        ; eax = rand() * ebx
.text:00402739                 push    14h
.text:0040273B                 cdq
.text:0040273C                 pop     ecx             ; ecx = 20
.text:0040273D                 idiv    ecx
.text:0040273F                 test    edx, edx        ; edx = (rand() * ebx) % 20
.text:00402741                 jle     short loc_40276 ; target address truncated in the original post; rest of WinMain not shown
sub_4014D6 — the second call in WinMain, at 0040270C — is the anti-sandbox function:

Code:
.text:004014D6 ; =============== S U B R O U T I N E =======================================
.text:004014D6
.text:004014D6 ; Attributes: bp-based frame
.text:004014D6
.text:004014D6 ; Anti-sandbox / anti-analysis gate, called from WinMain at 0040270C.
.text:004014D6 ; Runs a chain of checks; the first one that fires jumps to loc_40168F,
.text:004014D6 ; which calls ExitProcess(-2). If none fires, execution continues at
.text:004014D6 ; loc_401697 (not shown in this post). The strings being compared are not
.text:004014D6 ; stored in the clear: helper subs (sub_40106F, sub_4011A9, sub_4012E3, ...)
.text:004014D6 ; build them at run time from 32-bit constants, presumably to defeat
.text:004014D6 ; string-based detection. The helpers' bodies are not shown here.
.text:004014D6
.text:004014D6 sub_4014D6      proc near               ; CODE XREF: WinMain(x,x,x,x)+11p
.text:004014D6
.text:004014D6 Str             = byte ptr -230h
.text:004014D6 var_22F         = byte ptr -22Fh
.text:004014D6 var_2E          = byte ptr -2Eh
.text:004014D6 var_2D          = byte ptr -2Dh
.text:004014D6 var_2C          = byte ptr -2Ch
.text:004014D6 var_1F          = byte ptr -1Fh
.text:004014D6 var_1C          = byte ptr -1Ch
.text:004014D6 var_18          = byte ptr -18h
.text:004014D6 var_17          = byte ptr -17h
.text:004014D6 var_16          = byte ptr -16h
.text:004014D6 var_14          = dword ptr -14h
.text:004014D6 var_C           = dword ptr -0Ch
.text:004014D6 var_4           = dword ptr -4
.text:004014D6
.text:004014D6                 mov     eax, offset loc_404C22 ; MSVC exception-handling prologue; the [ebp+var_4] writes below look like the EH state index
.text:004014DB                 call    __EH_prolog
.text:004014E0                 sub     esp, 224h
.text:004014E6                 push    esi
.text:004014E7                 push    edi
.text:004014E8                 xor     edi, edi        ; edi = 0, preserved across the calls below (callee-saved)
.text:004014EA                 mov     [ebp+var_14], edi
.text:004014ED                 call    sub_401710      ; check #1 (body not shown)
.text:004014F2                 test    al, al
.text:004014F4                 jnz     loc_40168F      ; non-zero -> detected -> ExitProcess
.text:004014FA                 call    loc_4016A3      ; check #2 (body not shown)
.text:004014FF                 test    al, al
.text:00401501                 jnz     loc_40168F
.text:00401507                 push    5AD2EB41h       ; constant decoded by sub_40106F into a module-name string
.text:0040150C                 lea     ecx, [ebp+var_1C] ; ecx = stack buffer the decoded string apparently goes into
.text:0040150F                 call    sub_40106F      ; eax = decoded string
.text:00401514                 push    eax             ; lpModuleName
.text:00401515                 call    ds:GetModuleHandleA
.text:0040151B                 push    5403B4CAh       ; constant decoded by sub_4011A9 into an export name
.text:00401520                 lea     ecx, [ebp+var_2E]
.text:00401523                 mov     esi, eax        ; esi = module handle
.text:00401525                 call    sub_4011A9
.text:0040152A                 push    eax             ; lpProcName
.text:0040152B                 push    esi             ; hModule
.text:0040152C                 call    ds:GetProcAddress
.text:00401532                 push    eax             ; resolved function pointer
.text:00401533                 call    sub_401000      ; check #3: sub_401000(procaddr) != 0 -> exit (body not shown)
.text:00401538                 test    al, al
.text:0040153A                 pop     ecx
.text:0040153B                 jnz     loc_40168F
.text:00401541                 push    200h            ; nSize
.text:00401546                 lea     eax, [ebp+Str]
.text:0040154C                 push    eax             ; lpFilename
.text:0040154D                 push    edi             ; hModule = NULL (edi is still 0): path of this executable
.text:0040154E                 call    ds:GetModuleFileNameA
.text:00401554                 lea     eax, [ebp+Str]
.text:0040155A                 push    eax             ; Str
.text:0040155B                 call    strlen          ; eax = strlen(Str); the loop below scans backwards from here
.text:00401560                 pop     ecx
.text:00401561                 jmp     short loc_40156E
.text:00401563 ; ---------------------------------------------------------------------------
.text:00401563
.text:00401563 loc_401563:                             ; CODE XREF: sub_4014D6+9Aj
.text:00401563                 cmp     [ebp+eax+Str], 5Ch ; Str[eax] == '\' ?
.text:0040156B                 jz      short loc_401574
.text:0040156D                 dec     eax             ; walk back towards the start of the path
.text:0040156E
.text:0040156E loc_40156E:                             ; CODE XREF: sub_4014D6+8Bj
.text:0040156E                 cmp     eax, edi        ; eax > 0 ?
.text:00401570                 jg      short loc_401563
.text:00401572                 jmp     short loc_40157C ; no backslash found: Str left untouched
.text:00401574 ; ---------------------------------------------------------------------------
.text:00401574
.text:00401574 loc_401574:                             ; CODE XREF: sub_4014D6+95j
.text:00401574                 mov     [ebp+eax+var_22F], 0 ; var_22F = Str+1, so Str[eax+1] = 0: truncates Str right after the last '\' (directory part only)
.text:0040157C
.text:0040157C loc_40157C:                             ; CODE XREF: sub_4014D6+9Cj
.text:0040157C                 push    ebx             ; preserve ebx (restored at 00401661)
.text:0040157D                 push    17C9709Dh       ; constant decoded by sub_4012E3 into the substring to look for
.text:00401582                 lea     ecx, [ebp+var_1F]
.text:00401585                 call    sub_4012E3
.text:0040158A                 xor     ebx, ebx
.text:0040158C                 inc     ebx             ; ebx = 1
.text:0040158D                 push    eax             ; SubStr
.text:0040158E                 mov     [ebp+var_4], edi
.text:00401591                 mov     [ebp+var_14], ebx
.text:00401594                 call    sub_40134B      ; eax = string to search in (presumably some system/environment string; body not shown)
.text:00401599                 mov     esi, ds:strstr
.text:0040159F                 push    eax             ; Str
.text:004015A0                 call    esi ; strstr    ; strstr(sub_40134B(), SubStr)
.text:004015A2                 test    eax, eax
.text:004015A4                 pop     ecx
.text:004015A5                 pop     ecx
.text:004015A6                 push    3
.text:004015A8                 pop     edi             ; edi = 3 (used as the EH state value below)
.text:004015A9                 jz      short loc_4015E9 ; no match -> al = 0 (not detected)
.text:004015AB                 mov     eax, offset aEblojasqumAv ; "փP" ; garbled name/string: the real pointer is this offset minus 2DCA445Fh (next line)
.text:004015B0                 sub     eax, 2DCA445Fh
.text:004015B5                 push    eax
.text:004015B6                 lea     ecx, [ebp+var_2D]
.text:004015B9                 call    sub_401316
.text:004015BE                 push    eax             ; SubStr
.text:004015BF                 mov     [ebp+var_4], ebx
.text:004015C2                 mov     [ebp+var_14], edi
.text:004015C5                 call    sub_4013AB      ; eax = second string to search in (body not shown)
.text:004015CA                 push    eax             ; Str
.text:004015CB                 call    esi ; strstr    ; strstr(sub_4013AB(), SubStr)
.text:004015CD                 test    eax, eax
.text:004015CF                 pop     ecx
.text:004015D0                 pop     ecx
.text:004015D1                 jz      short loc_4015E9 ; no match -> al = 0
.text:004015D3                 lea     eax, [ebp+Str]
.text:004015D9                 push    eax             ; Str
.text:004015DA                 call    strlen          ; length of the truncated path (directory part)
.text:004015DF                 cmp     eax, 5
.text:004015E2                 pop     ecx
.text:004015E3                 jnb     short loc_4015E9 ; directory part >= 5 chars -> al = 0
.text:004015E5                 mov     al, bl          ; al = 1: both substrings matched AND directory prefix shorter than 5 chars -> detected
.text:004015E7                 jmp     short loc_4015EB
.text:004015E9 ; ---------------------------------------------------------------------------
.text:004015E9
.text:004015E9 loc_4015E9:                             ; CODE XREF: sub_4014D6+D3j
.text:004015E9                                         ; sub_4014D6+FBj ...
.text:004015E9                 xor     al, al          ; al = 0 (check #4 did not fire)
.text:004015EB
.text:004015EB loc_4015EB:                             ; CODE XREF: sub_4014D6+111j
.text:004015EB                 or      ebx, 0FFFFFFFFh ; ebx = -1
.text:004015EE                 test    al, al
.text:004015F0                 mov     [ebp+var_4], ebx
.text:004015F3                 jnz     loc_40168F      ; check #4 fired -> exit
.text:004015F9                 push    1CCC948Ch       ; constant decoded by sub_401279
.text:004015FE                 lea     ecx, [ebp+var_18]
.text:00401601                 call    sub_401279
.text:00401606                 push    eax
.text:00401607                 mov     [ebp+var_4], 2
.text:0040160E                 call    sub_401417      ; check #5: sub_401417(string) != 0 -> exit (body not shown)
.text:00401613                 test    al, al
.text:00401615                 pop     ecx
.text:00401616                 mov     [ebp+var_4], ebx
.text:00401619                 jnz     short loc_40168F
.text:0040161B                 push    3F87F26Ah       ; constant decoded by sub_4011DE
.text:00401620                 lea     ecx, [ebp+var_16]
.text:00401623                 call    sub_4011DE
.text:00401628                 push    eax             ; SubStr
.text:00401629                 mov     [ebp+var_4], edi
.text:0040162C                 call    sub_401463      ; eax = string to search in (body not shown)
.text:00401631                 push    eax             ; Str
.text:00401632                 call    esi ; strstr    ; check #6: strstr(sub_401463(), SubStr) != NULL -> exit
.text:00401634                 test    eax, eax
.text:00401636                 pop     ecx
.text:00401637                 pop     ecx
.text:00401638                 mov     [ebp+var_4], ebx
.text:0040163B                 jnz     short loc_40168F
.text:0040163D                 push    38CF1786h       ; constant decoded by sub_401211
.text:00401642                 lea     ecx, [ebp+var_17]
.text:00401645                 call    sub_401211
.text:0040164A                 push    eax             ; SubStr
.text:0040164B                 mov     [ebp+var_4], 4
.text:00401652                 call    sub_401463      ; same source string as check #6
.text:00401657                 push    eax             ; Str
.text:00401658                 call    esi ; strstr    ; check #7: strstr(sub_401463(), SubStr) != NULL -> exit
.text:0040165A                 test    eax, eax
.text:0040165C                 pop     ecx
.text:0040165D                 pop     ecx
.text:0040165E                 mov     [ebp+var_4], ebx
.text:00401661                 pop     ebx             ; restore ebx saved at 0040157C
.text:00401662                 jnz     short loc_40168F
.text:00401664                 mov     eax, offset unk_405138 ; again the real pointer is offset minus a constant (next line)
.text:00401669                 sub     eax, 539220F5h
.text:0040166E                 push    eax
.text:0040166F                 lea     ecx, [ebp+var_2C]
.text:00401672                 call    sub_401246
.text:00401677                 push    eax             ; SubStr
.text:00401678                 mov     [ebp+var_4], 5
.text:0040167F                 call    sub_40134B      ; same source string as check #4
.text:00401684                 push    eax             ; Str
.text:00401685                 call    esi ; strstr    ; check #8: strstr(sub_40134B(), SubStr) != NULL -> exit
.text:00401687                 test    eax, eax
.text:00401689                 pop     ecx
.text:0040168A                 pop     ecx
.text:0040168B                 pop     edi
.text:0040168C                 pop     esi
.text:0040168D                 jz      short loc_401697 ; nothing matched -> continue normally at loc_401697 (not shown)
.text:0040168F
.text:0040168F loc_40168F:                             ; CODE XREF: sub_4014D6+1Ej
.text:0040168F                                         ; sub_4014D6+2Bj ...
.text:0040168F                 push    0FFFFFFFEh      ; uExitCode = -2
.text:00401691                 call    ds:ExitProcess  ; common exit for every detection above; the process never returns to WinMain
As you can see it runs a chain of checks. Some helpers return a verdict directly (sub_401710, loc_4016A3, sub_401000, sub_401417); the others build a short string at run time from a 32-bit constant (sub_40106F, sub_4011A9, sub_4012E3, ... — the strings are not stored in the clear) and strstr() it against a string returned by another helper (sub_40134B, sub_4013AB, sub_401463), which presumably return information about the machine or environment. It also calls GetModuleFileNameA on itself, cuts the path right after the last backslash, and in one check exits when two strstr() hits coincide with a directory prefix shorter than 5 characters. Whichever check matches first jumps to loc_40168F, which calls ExitProcess(-2); if nothing matches, execution continues at loc_401697.


So now we note the address of the CALL to the anti-sandbox function in WinMain: 0040270C. (The function itself lives at 004014D6; we patch the call site, not the function, so none of the checks inside it ever run.)

Go to that address in your sandboxed Olly, select exactly the five bytes of the CALL instruction (E8 xx xx xx xx, 0040270C–00402710), right-click > Binary > Fill with NOPs. Because sub_4014D6 takes no arguments (there is no stack clean-up after the call) the call can be removed without adjusting anything else. Note that this patch lives only in the debugged process's memory: to keep it, use Olly's "Copy to executable" feature and save the patched file.


Code:
004026FC  |. 8BEC           MOV EBP,ESP                  ; (push ebp at 004026FB is above this excerpt)
004026FE  |. 81EC A0040000  SUB ESP,4A0
00402704  |. 53             PUSH EBX
00402705  |. 56             PUSH ESI
00402706  |. 57             PUSH EDI
00402707  |. E8 921A0000    CALL load.0040419E           ; first call, left intact
0040270C     90             NOP                          ; was: 5-byte CALL load.004014D6 (the anti-sandbox routine)
0040270D     90             NOP                          ; all five bytes of the E8 call must be replaced,
0040270E     90             NOP                          ; otherwise the leftover rel32 bytes would be
0040270F     90             NOP                          ; executed as instructions
00402710     90             NOP                          ; next instruction (00402711 CALL GetTickCount) follows unchanged

Then press F9 and the bot will run in the sandbox. If it still exits immediately, there are further checks outside this function (e.g. in sub_40419E or later in WinMain) that need the same treatment. Remember that the sample is now doing whatever it was built to do — keep the VM isolated from your network and revert to your snapshot when you are finished.