Post #7 by uLysse, 12-28-2010, 21:24
It's Obsidium v1.4

API redirections like this:
Code:
003E1858   60                   PUSHAD
003E1859   9C                   PUSHFD
003E185A   66:BD F6AD           MOV BP,0ADF6
003E185E   EB 03                JMP SHORT 003E1863
003E1860   0253 24              ADD DL,BYTE PTR DS:[EBX+24]
003E1863   66:BB 0E99           MOV BX,990E
003E1867  -E9 752EFDFF          JMP 003B46E1
are typical of Obsidium.

And this (mov reg32, API / nop):
Code:
00A268C6   . BB 49AA807C    MOV EBX,kernel32.GetProcessHeap
00A268CB   . 90             NOP
00A268CC   . FFD3           CALL EBX                                 ; [GetProcessHeap
is typical of the 1.4 version of Obsidium.
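The two byte patterns in the post are concrete enough to scan for, so here is an added example (not code from the post or from Obsidium) that turns them into a small signature scanner: one matcher for the `pushad / pushfd / mov bp,imm16 / jmp short over junk / mov bx,imm16 / jmp rel32` redirection stub, which also resolves the final jump target, and one for the `mov reg32,imm32 / nop / call reg32` sequence, generalized to any of the eight 32-bit registers (the post only shows `ebx`). The sample buffers are the bytes from the two listings, placed at the virtual addresses shown there; the function names and the `Redirect` record are my own. Treat hits as a heuristic for triage, not proof of the packer version.

```python
import re
import struct
from dataclasses import dataclass

# Constructed sample: the two stubs from the post, at their listed VAs,
# so the resolved jump target can be checked against the listing.
STUB1_VA = 0x003E1858
STUB1 = bytes.fromhex(
    "60"            # PUSHAD
    "9C"            # PUSHFD
    "66BDF6AD"      # MOV BP,0ADF6
    "EB03"          # JMP SHORT +3 (over the junk bytes)
    "025324"        # junk, never executed
    "66BB0E99"      # MOV BX,990E
    "E9752EFDFF"    # JMP 003B46E1 (rel32)
)
STUB2_VA = 0x00A268C6
STUB2 = bytes.fromhex(
    "BB49AA807C"    # MOV EBX,7C80AA49 (kernel32.GetProcessHeap in the listing)
    "90"            # NOP
    "FFD3"          # CALL EBX
)

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass
class Redirect:
    va: int        # address where the pattern starts
    target: int    # resolved jump target, or the immediate loaded before the call
    kind: str      # which pattern matched


def rel32_target(buf, off, base):
    """Target of the 5-byte E9 rel32 jump at buffer offset off, mapped at base."""
    rel = struct.unpack_from("<i", buf, off + 1)[0]
    return (base + off + 5 + rel) & 0xFFFFFFFF


def find_redirect_stubs(buf, base):
    """Match 60 9C 66 B8+r imm16 EB dd <dd junk bytes> 66 B8+r imm16 E9 rel32.

    The junk length is taken from the jmp short displacement, so stubs with
    more or fewer junk bytes than the listing still match.
    """
    hits, i, n = [], 0, len(buf)
    while i + 8 <= n:
        if (buf[i] == 0x60 and buf[i + 1] == 0x9C and buf[i + 2] == 0x66
                and 0xB8 <= buf[i + 3] <= 0xBF and buf[i + 6] == 0xEB):
            skip = buf[i + 7]
            if skip < 0x80:                      # forward jump only
                j = i + 8 + skip
                if (j + 9 <= n and buf[j] == 0x66 and 0xB8 <= buf[j + 1] <= 0xBF
                        and buf[j + 4] == 0xE9):
                    hits.append(Redirect(base + i, rel32_target(buf, j + 4, base),
                                         "pushad/pushfd redirection stub"))
                    i = j + 9
                    continue
        i += 1
    return hits


# B8+r imm32 ; 90 ; FF D0+r  -- mov reg32,imm32 / nop / call reg32
MOV_NOP_CALL = re.compile(rb"([\xb8-\xbf])(.{4})\x90(\xff[\xd0-\xd7])", re.DOTALL)


def find_mov_nop_call(buf, base):
    """Match mov reg32,imm32 / nop / call reg32 with the same register in both."""
    hits = []
    for m in MOV_NOP_CALL.finditer(buf):
        reg = m.group(1)[0] - 0xB8
        if m.group(3)[1] - 0xD0 != reg:
            continue                             # mov and call disagree on the register
        api = struct.unpack("<I", m.group(2))[0]
        hits.append(Redirect(base + m.start(), api,
                             f"mov {REG32[reg]},imm32 / nop / call {REG32[reg]}"))
    return hits


def scan(buf, base):
    """Run both matchers over one buffer (e.g. a dumped section)."""
    return find_redirect_stubs(buf, base) + find_mov_nop_call(buf, base)


if __name__ == "__main__":
    for va, buf in ((STUB1_VA, STUB1), (STUB2_VA, STUB2)):
        for h in scan(buf, va):
            print(f"{h.va:08X}  {h.kind}  -> {h.target:08X}")
```

On a real target, feed the code section of the dumped process (with its section base as `base`) rather than these two snippets; the first matcher is specific enough to be a useful Obsidium indicator, while the second is a generic compiler-independent idiom and only adds confidence when it shows up alongside the stubs.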