You don't need hwbp. After reaching OEP, you just need to trace every redirected jump or call, because there are no direct jumps or calls. Do not take shortcuts. Trace the code and you will find places where you can catch the redirected API.
http://ge.tt/47K8CN12/v/0
Here you will find a few helper scripts to unpack Obsidium 4.x targets.
For the IAT script, you have to modify these lines:
mov iatb, 00B6B1B0 // start of iat
mov iate, 00B6C66C //end of iat
and make EIP point to one of the redirected calls or jumps.
Those scripts have worked on many 4.x targets, but I don't guarantee they will always work.