#16
No my friend, it should work fine.
I tested it here (Win 7.0 x64) with these options: hxxp://s000.tinyupload.com/?file_id=55501563102665112295 . Maybe your antivirus is making some trouble.
__________________
Ur Best Friend Ahmadmansoor Always My Best Friend: Aaron & JMI & ZeNiX
#17
@ahmadmansoor can you share your "exetools ollydbg"?
#18
Obsidium is fun to unpack if you have a lot of time: crypted calls, sometimes direct calls to APIs. Took me a long time the first time.
#19
I don't have much time at the moment, but this is what I found so far:
Breakpoint on CreateFileW is very good. After some breaks: Code:
0018FD8C 757A3F66 /CALL to CreateFileW from kernel32.757A3F61
0018FD90 00C882F0 |FileName = "\\\\.\\VBoxGuest"
0018FD94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0018FD98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0018FD9C 00000000 |pSecurity = NULL
0018FDA0 00000003 |Mode = OPEN_EXISTING
0018FDA4 40000080 |Attributes = NORMAL|OVERLAPPED
0018FDA8 00000000 \hTemplateFile = NULL
Yeh, this is a hot trick in general... here is the vbox check: Code:
00383929 83F8 FF   CMP EAX,-1
0038392C 74 20     JE 0038394E
Don't let it jump and enjoy less anti-debug.
__________________
My blog: https://ntquery.wordpress.com
The Following User Gave Reputation+1 to Carbon For This Useful Post: ahmadmansoor (10-16-2014)
#20
Hi,
now I used your tricks to set a HWBP in the IAT and successfully found where the IAT is written. See this video! Password: exetools.com. Time to trace! Use Shift-F9 to run! I used Win7 32-bit, ScyllaHideOlly1 and a fresh, unchanged copy of Olly. B.R.
#21
On DP Animation Maker you can restore the IAT with my script; just change the line "je @dx2" to "jne @dx2". Still, you have to do the VM.
#22
@mm10121991 awesome stuff. Can you tell me something about the VM? A short explanation; I don't know what I need to do. I know it's lame to ask you to tell me everything, but I want to learn. Obsidium is hard to unpack. Thx.
#23
calling recovery
Hi,
there is no problem with the IAT. The main problem is the VM: unvirtualize or decryption. Also there are changes in calling some IAT functions through EDI, ESI, EBX, EBP, like: Code:
006DF06A MOV ESI,0x5D2C2BD9          ; resolved API address inlined as an immediate
006DF06F NOP                         ; 1-byte pad, so MOV+NOP = 6 bytes
006DF070 CALL ESI
which should be: Code:
006DF06A MOV ESI,DWORD PTR DS:[0x6F9EB4]   ; 6-byte load from the IAT slot holding that address
006DF070 CALL ESI
ODbgScript to rewrite them: Code:
// Find "MOV R32,CONST ; NOP" pairs, look CONST up in the dumped IAT and
// re-assemble the MOV as a load from the matching IAT slot (same 6 bytes).
VAR CONST
VAR CODE_SECTION
VAR IAT_START
VAR IAT_END
VAR LINE
VAR C_ADDR
MOV IAT_START,006F9000
MOV IAT_END,006FA2A8
MOV CODE_SECTION,00401000
FINDCMD CODE_SECTION, "MOV R32,CONST;NOP"
MOV LINE,0
DONEXTCALL:
INC LINE
GREF LINE
MOV C_ADDR,$RESULT
CMP C_ADDR,0
JE DONE
// the immediate sits right after the one-byte opcode
MOV CONST,[C_ADDR+1]
// search the IAT for a slot holding that value; skip if none or past IAT_END
FIND IAT_START,CONST
CMP $RESULT,0
JE DONEXTCALL
CMP $RESULT, IAT_END
JG DONEXTCALL
// opcode BF = MOV EDI,imm32
CMP [C_ADDR],0BF,1
JNE NOEDI
EVAL "MOV EDI, DWORD PTR DS:[{$RESULT}]"
ASM C_ADDR,$RESULT
NOEDI:
// opcode BB = MOV EBX,imm32
CMP [C_ADDR],0BB,1
JNE NOEBX
EVAL "MOV EBX, DWORD PTR DS:[{$RESULT}]"
ASM C_ADDR,$RESULT
NOEBX:
// opcode BE = MOV ESI,imm32
CMP [C_ADDR],0BE,1
JNE NOESI
EVAL "MOV ESI, DWORD PTR DS:[{$RESULT}]"
ASM C_ADDR,$RESULT
NOESI:
// opcode BD = MOV EBP,imm32
CMP [C_ADDR],0BD,1
JNE NOEBP
EVAL "MOV EBP, DWORD PTR DS:[{$RESULT}]"
ASM C_ADDR,$RESULT
NOEBP:
JMP DONEXTCALL
DONE:
RET
The Following User Says Thank You to Mr.reCoder For This Useful Post: SinaDiR (06-02-2015)
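The same rewrite as the script above, as an added example that is not Mr.reCoder's script or any Obsidium tool: a Python scanner over a constructed code/IAT pair that finds `MOV r32, imm32 ; NOP` pads, looks the immediate up in the dumped IAT, and re-encodes the instruction in place as `MOV r32, DWORD PTR [slot]`. It generalizes the script to all eight 32-bit registers and adds the dword-alignment and IAT-range checks an analyst would want. Every address, byte and IAT value here is constructed, and all function names are mine.

```python
import struct

# Constructed layout of a hypothetical dumped image (not from the thread):
# code section at VA 0x401000, IAT at VA 0x409000 holding four dword slots.
CODE_VA = 0x401000
IAT_START = 0x409000
IAT_END = 0x409010

MOV_IMM_BASE = 0xB8     # MOV r32, imm32 encodes as B8+reg (EAX=0 .. EDI=7)
MOV_RM_OPCODE = 0x8B    # MOV r32, r/m32 encodes as 8B /r
NOP = 0x90
REG_NAMES = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]


def find_obfuscated_calls(code, code_va):
    """Byte-pattern scan (like the script's FINDCMD) for 'MOV r32,imm32 ; NOP'.

    Yields (va, reg_index, imm32). The 5-byte MOV plus its 1-byte NOP pad is
    exactly the 6 bytes a 'MOV r32,[disp32]' needs, so the rewrite fits in place.
    """
    i = 0
    while i + 6 <= len(code):
        op = code[i]
        if MOV_IMM_BASE <= op <= MOV_IMM_BASE + 7 and code[i + 5] == NOP:
            imm = struct.unpack_from("<I", code, i + 1)[0]
            yield code_va + i, op - MOV_IMM_BASE, imm
            i += 6
        else:
            i += 1


def find_iat_slot(iat, iat_start, value):
    """VA of the dword-aligned IAT slot whose content equals value, else None."""
    needle = struct.pack("<I", value)
    off = iat.find(needle)
    while off >= 0:
        if off % 4 == 0:            # reject matches straddling two slots
            return iat_start + off
        off = iat.find(needle, off + 1)
    return None


def fix_calls(code, code_va, iat, iat_start, iat_end):
    """Rewrite each matching MOV in code (a bytearray); return [(va, reg, slot)]."""
    fixed = []
    for va, reg, imm in list(find_obfuscated_calls(bytes(code), code_va)):
        slot = find_iat_slot(iat, iat_start, imm)
        if slot is None or slot >= iat_end or reg == 4:   # 4 = ESP, never a call target
            continue
        modrm = 0x05 | (reg << 3)          # mod=00, rm=101 -> [disp32]; reg = destination
        patch = bytes([MOV_RM_OPCODE, modrm]) + struct.pack("<I", slot)
        off = va - code_va
        code[off:off + 6] = patch
        fixed.append((va, REG_NAMES[reg], slot))
    return fixed


def build_sample():
    """Constructed IAT (four resolved API addresses) and code bytes to fix."""
    api_addrs = [0x75A41234, 0x5D2C2BD9, 0x75A40F10, 0x76C03000]
    iat = b"".join(struct.pack("<I", a) for a in api_addrs)
    code = bytearray()
    # MOV ESI,0x5D2C2BD9 ; NOP ; CALL ESI   (the shape quoted in the post)
    code += bytes([0xBE]) + struct.pack("<I", 0x5D2C2BD9) + bytes([0x90, 0xFF, 0xD6])
    # MOV EDI,0x75A41234 ; NOP ; CALL EDI
    code += bytes([0xBF]) + struct.pack("<I", 0x75A41234) + bytes([0x90, 0xFF, 0xD7])
    # MOV ECX,0x10 ; NOP   -- ordinary constant, not in the IAT: must be left alone
    code += bytes([0xB9]) + struct.pack("<I", 0x10) + bytes([0x90])
    # MOV EBX,0x76C03000 ; CALL EBX   -- no NOP pad, not the pattern: left alone
    code += bytes([0xBB]) + struct.pack("<I", 0x76C03000) + bytes([0xFF, 0xD3])
    return code, iat


if __name__ == "__main__":
    code, iat = build_sample()
    for va, reg, slot in fix_calls(code, CODE_VA, iat, IAT_START, IAT_END):
        print("%08X  MOV %s,DWORD PTR DS:[%08X]" % (va, reg, slot))
```

Run as-is it prints the two rewritten instructions; the ECX constant and the un-padded EBX load are skipped, the first because no IAT slot holds the value, the second because a 5-byte MOV with no pad cannot take the 6-byte replacement. Point it at a real dump by replacing `build_sample` with the dumped code and IAT bytes and the three VA constants.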
#24
Obsidium unpacking:
1. use ObsiduimOEP.asm to find the OEP; {Tnx to mm10121991}
2. use Mr.reCoder's script;
3. use the attached file; {Mr.reCoder script fixed}
4. use ObsiduimIATFixer.asm;
5. enjoy.
File was unpacked but VM not fixed.
__________________
UnREal RCE - Persian Crackers
The Following 4 Users Say Thank You to SinaDiR For This Useful Post: giv (06-05-2015), KuNgBiM (07-08-2015), Mr.reCoder (06-06-2015), tonyweb (06-27-2015)
#25
Here is some advice.
Instead of manual input of the code base VA: Quote:
#26
You can also use Universal Import Fixer to find direct calls and fix them.
#27
Quote:
Thanks in advance