Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Obsidium protection scheme as a target! (https://forum.exetools.com/showthread.php?t=16245)

ahmadmansoor 10-15-2014 08:15

No my friend, it should work fine.
I tested it here (Win 7.0 x64) with these options:
hxxp://s000.tinyupload.com/?file_id=55501563102665112295
Maybe your antivirus is making some trouble.

SubzEro 10-15-2014 13:22

@ahmadmansoor can you share your "exetools ollydbg"?

cybercoder 10-15-2014 13:52

Obsidium is fun to unpack if you have a lot of time.. crypted calls, sometimes direct calls to APIs. Took me a long time the first time..

Carbon 10-15-2014 13:58

I don't have much time at the moment, but this is what I found so far:

Breakpoint on CreateFileW is very good.

After some breaks:
Code:

0018FD8C    757A3F66  /CALL to CreateFileW from kernel32.757A3F61
0018FD90    00C882F0  |FileName = "\\\\.\\VBoxGuest"
0018FD94    C0000000  |Access = GENERIC_READ|GENERIC_WRITE
0018FD98    00000003  |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0018FD9C    00000000  |pSecurity = NULL
0018FDA0    00000003  |Mode = OPEN_EXISTING
0018FDA4    40000080  |Attributes = NORMAL|OVERLAPPED
0018FDA8    00000000  \hTemplateFile = NULL

Obsidium is checking for a VirtualBox VM! If Obsidium is run under VBox, some anti-debug stuff will be disabled. I guess it is a hardware anti-debug check. Maybe something with HWBP.

Yeah, this is a hot trick in general...

Here is the VBox check:

Code:

00383929 83F8 FF CMP EAX,-1
0038392C 74 20 JE 0038394E

Don't let it jump and enjoy less anti-debug.

Mr.reCoder 10-15-2014 16:26

Hi,
now I used your tricks to set a HWBP in the IAT and successfully found where the IAT is written. :)
See this video! password: exetools.com
Time to trace! Use Shift-F9 to run!
I used Win7 32-bit and ScyllaHideOlly1 and a fresh, unchanged copy of Olly.
B.R.

mm10121991 10-21-2014 07:30

On DP Animation Maker
you can restore the IAT with my script,
just change the line
"je @dx2" to "jne @dx2".
Still, you have to do the VM.

SubzEro 10-21-2014 12:49

@mm10121991 awesome stuff, can you tell me something about the VM? A short explanation; I don't know what I need to do. I know it's lame for you to tell me everything, but I wanna learn. Obsidium is hard to unpack, thx.

Mr.reCoder 10-21-2014 22:24

Calling recovery
 
Hi,
there is no problem with the IAT. The main problem is the VM: devirtualizing or decrypting it.
Also there are changes in the way some IAT functions are called, through EDI, ESI, EBX, EBP. Like:

Code:

006DF06A  MOV ESI,0x5D2C2BD9
006DF06F  NOP
006DF070  CALL ESI

But the original code is:

Code:

006DF06A  MOV ESI,DWORD PTR DS:[0x6F9EB4]
006DF070  CALL ESI

Calling through a register is a common method in VC++ compilers. I wrote a little script to restore the original code. (Change the code section address and the IAT start and end addresses if desired. Target: EditorGIF.exe.)

Code:

// Restore "MOV R32,CONST ; NOP" back to "MOV R32,DWORD PTR DS:[IAT slot]"
VAR CONST
VAR CODE_SECTION
VAR IAT_START
VAR IAT_END
VAR LINE      // added: ODbgScript requires every variable to be declared
VAR C_ADDR    // added: address of the current match

MOV IAT_START,006F9000
MOV IAT_END,006FA2A8
MOV CODE_SECTION,00401000

// search the code section for the obfuscated pattern; hits go to the references window
FINDCMD CODE_SECTION, "MOV R32,CONST;NOP"
MOV LINE,0
DONEXTCALL:
INC LINE
GREF LINE               // address of the next reference
MOV C_ADDR,$RESULT
CMP C_ADDR,0
JE DONE                 // no more references
MOV CONST,[C_ADDR+1]    // the imm32 is the resolved API address
FIND IAT_START,CONST    // locate the IAT slot holding that value
CMP $RESULT,0
JE DONEXTCALL           // not found: leave the instruction alone
CMP $RESULT, IAT_END
JG DONEXTCALL           // hit lies outside the IAT: not an import
CMP [C_ADDR],0BF,1      // opcode BF = MOV EDI,imm32
JNE NOEDI
EVAL "MOV EDI, DWORD PTR DS:[{$RESULT}]"
ASM C_ADDR,$RESULT
NOEDI:
CMP [C_ADDR],0BB,1      // opcode BB = MOV EBX,imm32
JNE NOEBX
EVAL "MOV EBX, DWORD PTR DS:[{$RESULT}]"
ASM C_ADDR,$RESULT
NOEBX:
CMP [C_ADDR],0BE,1      // opcode BE = MOV ESI,imm32
JNE NOESI
EVAL "MOV ESI, DWORD PTR DS:[{$RESULT}]"
ASM C_ADDR,$RESULT
NOESI:
CMP [C_ADDR],0BD,1      // opcode BD = MOV EBP,imm32
JNE NOEBP
EVAL "MOV EBP, DWORD PTR DS:[{$RESULT}]"
ASM C_ADDR,$RESULT
NOEBP:
JMP DONEXTCALL
DONE:
RET
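
The same restoration Mr.reCoder's script performs, redone over a dumped code section and IAT as raw bytes: an added example, not code from this thread. It assumes the section and IAT are available as byte strings (the sample data below is constructed to match the addresses in the post) and uses a plain byte scan in place of FINDCMD; the IAT-membership test is what keeps unrelated MOV/NOP pairs untouched.

```python
import struct

# "MOV r32,imm32" opcode per register -> ModRM of "MOV r32,DWORD PTR [disp32]" (opcode 8B)
REG_FORMS = {0xBF: 0x3D,   # EDI
             0xBB: 0x1D,   # EBX
             0xBE: 0x35,   # ESI
             0xBD: 0x2D}   # EBP
NOP = 0x90

def build_iat_lookup(iat_bytes, iat_start):
    """Map each value stored in the IAT to the VA of its slot (first hit wins, like FIND)."""
    lookup = {}
    for off in range(0, len(iat_bytes) - 3, 4):
        value = struct.unpack_from("<I", iat_bytes, off)[0]
        lookup.setdefault(value, iat_start + off)
    return lookup

def restore_register_calls(code, code_base, iat_bytes, iat_start):
    """Rewrite 'MOV r32,imm32 ; NOP' whose imm32 is an IAT value into 'MOV r32,[slot]'.
    Returns (patched bytes, [(code VA, slot VA), ...]). Byte scan stands in for FINDCMD."""
    out = bytearray(code)
    lookup = build_iat_lookup(iat_bytes, iat_start)
    fixes = []
    i = 0
    while i + 6 <= len(out):
        opcode = out[i]
        if opcode in REG_FORMS and out[i + 5] == NOP:
            imm = struct.unpack_from("<I", out, i + 1)[0]
            slot = lookup.get(imm)          # None: constant is not an import address
            if slot is not None:
                out[i] = 0x8B
                out[i + 1] = REG_FORMS[opcode]
                struct.pack_into("<I", out, i + 2, slot)   # 6 bytes in, 6 bytes out
                fixes.append((code_base + i, slot))
                i += 6
                continue
        i += 1
    return bytes(out), fixes

# Constructed sample: the post's instruction at 006DF06A, a decoy, and a second call.
CODE_BASE = 0x6DF06A
SAMPLE_CODE = bytes.fromhex(
    "BED92B2C5D90FFD6"    # MOV ESI,5D2C2BD9 ; NOP ; CALL ESI   (from the post)
    "BE0500000090"        # MOV ESI,5 ; NOP  -> 5 is not an IAT value, must stay
    "BFDEC0E07590FFD7")   # MOV EDI,75E0C0DE ; NOP ; CALL EDI   (constructed)
IAT_START = 0x6F9000
SAMPLE_IAT = bytearray(0xEB8)                            # slots 006F9000..006F9EB4
struct.pack_into("<I", SAMPLE_IAT, 0x0, 0x75E0C0DE)      # constructed API address
struct.pack_into("<I", SAMPLE_IAT, 0xEB4, 0x5D2C2BD9)    # the slot the post shows, [6F9EB4]
```

Running `restore_register_calls(SAMPLE_CODE, CODE_BASE, SAMPLE_IAT, IAT_START)` rewrites the first and third instructions to `8B 35 B4 9E 6F 00` and `8B 3D 00 90 6F 00` and reports the two code/slot address pairs, while the decoy stays as it is.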


SinaDiR 06-02-2015 13:11

Obsidium unpacking:
1.use ObsiduimOEP.asm to find OEP;{Tnx to mm10121991}
2.use Mr.reCoder Script;
3.use attached file;{Mr.reCoder script fixed}
4.use ObsiduimIATFixer.asm;
5.enjoy. file was unpacked but vm not fixed.

giv 06-05-2015 16:25

Here is some advice.
Instead of manual input of the code base VA:
Quote:

MOV CODE_SECTION,00401000
just use:
Quote:

gmi eip, CODEBASE
mov CODE_SECTION, $RESULT
It's safer IMHO.

cybercoder 06-06-2015 20:20

You can also use universal import fixer to find direct calls and fix them.

the_beginner 07-08-2015 02:23

Quote:

Originally Posted by SinaDiR (Post 99900)
Obsidium unpacking:
1.use ObsiduimOEP.asm to find OEP;{Tnx to mm10121991}
2.use Mr.reCoder Script;
3.use attached file;{Mr.reCoder script fixed}
4.use ObsiduimIATFixer.asm;
5.enjoy. file was unpacked but vm not fixed.

Can someone upload this script somewhere for me please? I can't download any files since a few days ago, I don't know why; 2 weeks ago there was no problem.
Thanks in advance

