Obsidium protection scheme as a target! - Page 2

ahmadmansoor · #16 10-15-2014, 08:15

No my friend it should work fine .
I test it here ( win 7.0 x64) with this options :
hxxp://s000.tinyupload.com/?file_id=55501563102665112295
maybe ur Antivirus make some trouble .

#17 10-15-2014, 13:22

@ahmadmansoor can you share your "exetools ollydbg"

cybercoder · #18 10-15-2014, 13:52

Obsidium is fun to unpack if you have a lot of time.. crypted calls, sometimes direct calls to api's. Took me a long time the first time..

Carbon · #19 10-15-2014, 13:58

I don't have much time at the moment, but this is what I found so far:

Breakpoint on CreateFileW is very good.

After some breaks:

Code:

0018FD8C     757A3F66  /CALL to CreateFileW from kernel32.757A3F61
0018FD90     00C882F0  |FileName = "\\\\.\\VBoxGuest"
0018FD94     C0000000  |Access = GENERIC_READ|GENERIC_WRITE
0018FD98     00000003  |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0018FD9C     00000000  |pSecurity = NULL
0018FDA0     00000003  |Mode = OPEN_EXISTING
0018FDA4     40000080  |Attributes = NORMAL|OVERLAPPED
0018FDA8     00000000  \hTemplateFile = NULL

Obsidium is checking for Virtual Box VM! If Obsidium is run under VBox, some anti-debug stuff will be disabled. I guess it is a hardware anti-debug check. Maybe something with HWBP.

Yeh, this is a hot trick in general...

here is the vbox check

00383929 83F8 FF CMP EAX,-1
0038392C 74 20 JE 0038394E

don't let it jump and enjoy less anti-debug

Mr.reCoder · #20 10-15-2014, 16:26

Hi,
now I used your tricks to set HWBP in IAT and successfully found where IAT writes.

See this viedo! password: exetools.com
time to trace! use shift-f9 to run!
I used win7-32bit and ScyllaHideOlly1 and fresh-unchanged copy of olly.
B.R.

mm10121991 · #21 10-21-2014, 07:30

on DP Animation Maker
you can restore IAT with my script
just change the line
"je @dx2" to "jne @dx2"
still,you have to do the vm.

#22 10-21-2014, 12:49

@mm10121991 awesome stuff can you tell me something about vm short explain i don know about that what i need to do. i know its lame to you tell me all but i wanna learn obsidium is hard to unpack thx.

Mr.reCoder · #23 10-21-2014, 22:24

Hi,
there is no problem with IAT. main problem is VM unvirtualize or decrypttion.
also there is changes in calling some IAT functions with EDI,ESI,EBX,EBP. like:

Code:

006DF06A  MOV ESI,0x5D2C2BD9
006DF06F  NOP
006DF070  CALL ESI

but original code is:

Code:

006DF06A  MOV ESI,DWORD PTR DS:[0x6F9EB4]
006DF070  CALL ESI

calling with register is a common method in VC++ compilers. I wrote a little script to restore original code. (change code section address, IAT start and end addresses if desired. (target EditorGIF.exe))

Code:

VAR CONST
VAR CODE_SECTION
VAR IAT_START
VAR IAT_END

MOV IAT_START,006F9000
MOV IAT_END,006FA2A8
MOV CODE_SECTION,00401000

FINDCMD CODE_SECTION, "MOV R32,CONST;NOP"
MOV LINE,0
DONEXTCALL:
INC LINE
GREF LINE
MOV C_ADDR,$RESULT
CMP C_ADDR,0
JE DONE
MOV CONST,[C_ADDR+1]
FIND IAT_START,CONST
CMP $RESULT,0
JE DONEXTCALL
CMP $RESULT, IAT_END
JG DONEXTCALL
CMP [C_ADDR],0BF,1
JNE NOEDI
EVAL "MOV EDI, DWORD PTR DS:[{$RESULT}]"
ASM C_ADDR,$RESULT
NOEDI:
CMP [C_ADDR],0BB,1
JNE NOEBX
EVAL "MOV EBX, DWORD PTR DS:[{$RESULT}]"
ASM C_ADDR,$RESULT
NOEBX:
CMP [C_ADDR],0BE,1
JNE NOESI
EVAL "MOV ESI, DWORD PTR DS:[{$RESULT}]"
ASM C_ADDR,$RESULT
NOESI:
CMP [C_ADDR],0BD,1
JNE NOEBP
EVAL "MOV EBP, DWORD PTR DS:[{$RESULT}]"
ASM C_ADDR,$RESULT
NOEBP:
JMP DONEXTCALL 
DONE:
RET

SinaDiR · #24 06-02-2015, 13:11

Obsidium unpacking:
1.use ObsiduimOEP.asm to find OEP;{Tnx to mm10121991}
2.use Mr.reCoder Script;
3.use attached file;{Mr.reCoder script fixed}
4.use ObsiduimIATFixer.asm;
5.enjoy. file was unpacked but vm not fixed.

giv · #25 06-05-2015, 16:25

Here is some advice.
Instead of manual imput of code base VA:

Quote:

MOV CODE_SECTION,00401000

just use:

Quote:

gmi eip, CODEBASE
mov CODE_SECTION, $RESULT

Is more safe IMHO.

cybercoder · #26 06-06-2015, 20:20

You can also use universal import fixer to find direct calls and fix them.

the_beginner · #27 07-08-2015, 02:23

Quote:

Originally Posted by SinaDiR

Obsidium unpacking:
1.use ObsiduimOEP.asm to find OEP;{Tnx to mm10121991}
2.use Mr.reCoder Script;
3.use attached file;{Mr.reCoder script fixed}
4.use ObsiduimIATFixer.asm;
5.enjoy. file was unpacked but vm not fixed.

can someone upload this script somewhere for me please, I can not download any files since few days, I don't know why, 2 weeks ago there was no problem
Thanks in advance

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Adobe protection scheme	Dark Intentions	General Discussion	0	07-09-2015 03:35
Request for a good protection scheme in Java	DaGoN	General Discussion	7	02-20-2014 04:42

The Following User Gave Reputation+1 to Carbon For This Useful Post:
ahmadmansoor (10-16-2014)

The Following User Says Thank You to Mr.reCoder For This Useful Post:
SinaDiR (06-02-2015)

The Following 4 Users Say Thank You to SinaDiR For This Useful Post:
giv (06-05-2015), KuNgBiM (07-08-2015), Mr.reCoder (06-06-2015), tonyweb (06-27-2015)