#1
Obsidium protection scheme as a target!
Hi all,
Nowadays I was looking for a trick to set HWBPs on an Obsidium-protected target! It clears HWBPs! When using ProtectDRX in Phantom, it detects the debugger. It seems that Obsidium detects the KiUserExceptionDispatcher routine patch. Any idea to bypass this? Or an alternate trick? Sincerely.
#2
ScyllaHide plugin for Olly2?
#3
@sendersu:
Thanks, I tested it, but the debugger was detected! None of the ScyllaHide builds for Olly1 or Olly2 work with Obsidium! I am using Phantom + StrongOlly on Win7 32-bit, and there is no problem except the HWBP protection!
#4
Yes, Obsidium has a custom way to detect HWBPs. If I remember well, it sets the HWBP to some specific location in the code to trigger the SEH, and the SEH will set some values in memory.
After returning from the SEH, those values will be tested to detect if the HWBPs were modified. If you want to get near the OEP on 4.x targets, you can use this script. It worked on many targets, but I don't guarantee that it will always work. Use a hidden Olly, no HWBPs, and start it from the entrypoint.
Last edited by mm10121991; 10-12-2014 at 08:23.
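The detection sequence mm10121991 describes above (raise an exception on purpose, let the handler inspect the debug registers and write a marker into memory, then verify that marker after the handler returns), as an added example that is not code from this thread or from Obsidium. It assumes a guarded range of one page starting at the probe function (a constructed choice) and, on non-Windows builds, constructed register values in place of a real CONTEXT; the Windows part uses a vectored exception handler and a one-byte int3, which is one way to trigger the check, not necessarily what Obsidium does.

```c
/* Added example, not code from this thread: the SEH-based hardware breakpoint
 * check post #4 describes. An exception is raised on purpose, the handler reads
 * Dr0..Dr7 from the CONTEXT it receives and stores a result in memory, and the
 * code after the exception verifies that result. Only the wiring is Windows-only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Debug-register snapshot as it appears in a CONTEXT record. */
typedef struct { uintptr_t dr[4]; uintptr_t dr7; } dbg_regs_t;

/* What the handler leaves behind for the post-exception verification. */
typedef struct {
    int handler_ran;      /* stays 0 if a debugger swallowed the exception */
    unsigned armed_mask;  /* bit i set if DRi is enabled in DR7 */
    int hwbp_in_range;    /* an enabled DRi points into the guarded range */
} probe_result_t;

/* DR7: bit 2*i is Li (local enable), bit 2*i+1 is Gi (global enable). */
unsigned dr7_enabled_mask(uintptr_t dr7) {
    unsigned mask = 0;
    for (unsigned i = 0; i < 4; i++)
        if (dr7 & ((uintptr_t)3 << (2 * i)))
            mask |= 1u << i;
    return mask;
}

/* Handler side: record which DRs are armed and whether any targets [lo, hi). */
void hwbp_probe_handler(const dbg_regs_t *r, uintptr_t lo, uintptr_t hi,
                        probe_result_t *out) {
    out->handler_ran = 1;
    out->armed_mask = dr7_enabled_mask(r->dr7);
    out->hwbp_in_range = 0;
    for (unsigned i = 0; i < 4; i++)
        if ((out->armed_mask & (1u << i)) && r->dr[i] >= lo && r->dr[i] < hi)
            out->hwbp_in_range = 1;
}

/* Verification side: the handler never wrote its marker (a debugger consumed
 * the exception first) or it saw an armed breakpoint inside the guarded range. */
int probe_indicates_debugger(const probe_result_t *res) {
    return !res->handler_ran || res->hwbp_in_range;
}

/* Run the check on constructed register values (DR1..DR3 clear). */
int probe_constructed(uintptr_t dr0, uintptr_t dr7, uintptr_t lo, uintptr_t hi) {
    dbg_regs_t r = { { dr0, 0, 0, 0 }, dr7 };
    probe_result_t res;
    hwbp_probe_handler(&r, lo, hi, &res);
    return probe_indicates_debugger(&res);
}

#ifdef _WIN32
static probe_result_t g_probe;
static uintptr_t g_lo, g_hi;

static LONG CALLBACK probe_veh(PEXCEPTION_POINTERS ep) {
    if (ep->ExceptionRecord->ExceptionCode != EXCEPTION_BREAKPOINT)
        return EXCEPTION_CONTINUE_SEARCH;
    PCONTEXT c = ep->ContextRecord;
    dbg_regs_t r = { { c->Dr0, c->Dr1, c->Dr2, c->Dr3 }, c->Dr7 };
    hwbp_probe_handler(&r, g_lo, g_hi, &g_probe);
#if defined(_M_X64) || defined(__x86_64__)
    c->Rip += 1;  /* resume after the one-byte int3 */
#else
    c->Eip += 1;
#endif
    return EXCEPTION_CONTINUE_EXECUTION;
}

/* Guard [lo, hi), raise one int3, then verify what the handler recorded. */
int run_hwbp_probe(uintptr_t lo, uintptr_t hi) {
    memset(&g_probe, 0, sizeof g_probe);
    g_lo = lo; g_hi = hi;
    PVOID h = AddVectoredExceptionHandler(1, probe_veh);
#ifdef _MSC_VER
    __debugbreak();
#else
    __asm__ volatile("int3");
#endif
    RemoveVectoredExceptionHandler(h);
    return probe_indicates_debugger(&g_probe);
}

int main(void) {
    uintptr_t lo = (uintptr_t)&run_hwbp_probe;  /* guard one page (assumed size) */
    printf("debugger or HWBP detected: %s\n", run_hwbp_probe(lo, lo + 0x1000) ? "yes" : "no");
    return 0;
}
#else
int main(void) {  /* non-Windows: constructed DR0 armed via L0 inside the range */
    printf("constructed probe -> debugger: %d\n", probe_constructed(0x401000, 0x1, 0x401000, 0x402000));
    return 0;
}
#endif
```

The ContextRecord the handler reads is the same data a plugin option such as Phantom's ProtectDRX scrubs, which is why a protector that also verifies the exception-dispatch path (the KiUserExceptionDispatcher patch mentioned in the first post) catches that approach; the check fires as well when the debugger takes the breakpoint exception itself instead of passing it to the program, which is what post #11's advice to ignore the exceptions is about.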
#5
@mm10121991 Can you tell me how, and which plugins to use, to hide Olly from Obsidium?
#6
@mm10121991:
Thanks for your share, but I can't download it! My problem is not reaching the OEP; that is easy, and I wrote a script that can find stolen OEP opcodes. My problem is rebuilding the IAT in some targets, since I cannot set an HWBP on IAT write! However, I will try to patch the Obsidium protection layer that detects HWBPs! It may be good if you add an IAT rebuild feature to your script.
@Cyber_Coder: I use the StrongOlly and Phantom plugins in a fresh and unchanged Olly to hide from Obsidium, but you should disable the ProtectDRX option in Phantom.
#7
You don't need HWBPs. After reaching the OEP, you just need to trace every redirected jump or call, because there are no direct jumps or calls. Do not use shortcut ways. Trace the code and you will find the places where to catch the redirected API.
http://ge.tt/47K8CN12/v/0 here you will find a few helper scripts to unpack Obsidium 4.x targets. For the IAT script, you have to modify these lines:
mov iatb, 00B6B1B0 // start of iat
mov iate, 00B6C66C // end of iat
and make EIP point to one of the redirected calls or jumps. Those scripts have worked on many 4.x targets, but I don't guarantee they will always work.
#8
My OllyDbg always gets detected. I tried all the hide plugins and no use.
Edit: OK, I got it, it works now. Thanks to all.
Last edited by SubzEro; 10-12-2014 at 19:44.
#9
@mm10121991
Perfect answer! Thanks. The OEP finder script needs some changes to work in Win 7 32-bit:
kernel32.dll -> kernelbase.dll
CreateRemoteThread -> CreateRemoteThreadEx
The IAT script needs more changes ;-)
@Cyber_Coder: Disable all options in Phantom. Disable AdvEnumModule in StrongOD. It works in Win7 32-bit perfectly.
#10
About CreateThread, you can BP kernel32.CreateThread; it works for me.
#11
ScyllaHide v1.3 should work with Obsidium on plain Olly v1 (or show me a target that doesn't work).
https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v1.3fix_Olly1.rar
You need to ignore the exceptions.
__________________
My blog: https://ntquery.wordpress.com
#12
Fail, my OllyDbg crashes.
#13
|
|||
|
|||
|
See this video: Click Here!
Target: DP Animation Maker. Use a fresh copy of the original Olly and Phantom + StrongOD.
--------------------------------------
But "ScyllaHide_v1.3fix_Olly1" fails and the debugger is detected!: Click Here!
Last edited by Mr.reCoder; 10-13-2014 at 07:19.
#14
@Mr.reCoder thx, you are great
#15
I tested ScyllaHide on Windows XP and Windows 7 32-bit. Everything works fine.
ScyllaHide on Win 7 64-bit doesn't work. Obsidium is really an anti-debug hell. It uses this:
OutputDebugStringA
Illegal Instruction Exception
EnumWindows
NtQuerySystemInformation
NtQueryInformationProcess
NtClose
PEB
OutputDebugStringA is one of the last checks... Something is missing on Windows x64.... Does somebody have any idea?