Posted July 13, 2008

This is the latest version to date. Of interest is the updated dynamic protection API access over the previously posted Obsidium unpackme release...

http://www.tuts4you.com/download.php?view.2341

Ted.
July 16, 2008 (Author)

If anyone has finished with this unpackme and wants a little bit more fun, here is another unpackme. It is the same version (1.3.6.1) with maximum protection features enabled, but this one contains an encrypted overlay with "controlled access". You can download the unpackme from here:

http://rapidshare.com/files/130077264/UnPa...6.1_Overlay.zip

Ted.
July 17, 2008

Easy way! Copy ffplay.exe, SDL.dll, pthreadGC2.dll and file.dat from the TEMP folder into the app folder, and run the command: ffplay.exe file.dat
July 17, 2008

May someone help me with my IAT script? I already have a script for fixing Delphi IATs, but this is C++ so a new one was needed. This is the script:

    var iat
    var iatend
    var apiaddress
    var oep
    var iatbase

    mov oep, eip
    mov iat, 00460818     // edit iat begin here
    mov iatend, 00460F2C  // edit iat end here
    mov iatbase, 003D0000 // edit iat section here
    add iatbase, 00100000
    bphws 0047c931, "x"   // edit api holding place here (search for: 6A 01 50 6A 00 FF 76 04 FF 37 FF 53 54, enter the CALL, search for: 8B 04 90 03 C3 8B 55 F8 3B C2, use address: MOV EDX,DWORD PTR SS:[EBP-8])

    start:
    mov apiaddress, [iat]
    cmp apiaddress, iatbase
    ja next
    mov eip, apiaddress
    run
    mov [iat], eax
    rtr
    sti
    jmp next

    next:
    add iat, 4
    cmp iat, iatend
    je end
    jmp start

    end:
    mov eip, oep
    ret

Should be clear; the only thing I wanted to explain is this:

    add iatbase, 00100000

There are some emulated APIs whose addresses are way higher than those of the redirected ones. I leave some out by increasing the redirection range.

Edited July 17, 2008 by Sonny27
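The loop in the post walks the IAT one slot at a time and resolves only entries at or below iatbase + 0x100000, leaving real exports and the higher emulated APIs untouched. The Python below models that decision and the write-back on a constructed dump; it is an added example, not Sonny27's script or anything from the unpackme, and its image base, slot values and stub-to-API table are made up, with the debugger run replaced by a table lookup.

```python
import struct

# Values taken from the posted script: the protector's redirection section and
# the extra 0x100000 the author adds to it. The image base and every sample
# slot below are constructed for this example.
REDIRECT_BASE = 0x003D0000
REDIRECT_SPAN = 0x00100000
REDIRECT_LIMIT = REDIRECT_BASE + REDIRECT_SPAN   # 'add iatbase, 00100000'

def read_iat(image: bytes, begin: int, end: int, base: int) -> list:
    """Read the 32-bit IAT slots in [begin, end) from a dump loaded at base."""
    count = (end - begin) // 4
    return list(struct.unpack_from(f"<{count}I", image, begin - base))

def classify(slot: int) -> str:
    """Mirror 'cmp apiaddress, iatbase / ja next': slots above the limit are
    kept (real exports and the higher emulated APIs), the rest are treated as
    redirected stubs. Null separators between descriptors are reported apart."""
    if slot == 0:
        return "empty"
    return "redirected" if slot <= REDIRECT_LIMIT else "kept"

def repair_iat(slots, resolve):
    """Return a new slot list where every redirected stub is replaced by the
    real API address from resolve(); resolve stands in for the script's
    run-to-breakpoint / 'mov [iat], eax' step."""
    return [resolve(s) if classify(s) == "redirected" else s for s in slots]

def write_iat(image: bytes, begin: int, base: int, slots) -> bytes:
    """Write the repaired slots back into a copy of the dump."""
    buf = bytearray(image)
    struct.pack_into(f"<{len(slots)}I", buf, begin - base, *slots)
    return bytes(buf)

# Constructed 0x60-byte dump at image base 0x400000 with a five-slot IAT at 0x400040.
SAMPLE_BASE, SAMPLE_IAT, SAMPLE_END = 0x00400000, 0x00400040, 0x00400054
SAMPLE_SLOTS = [0x003D1234, 0x7C801D7B, 0x00000000, 0x12345678, 0x004C0010]
SAMPLE_IMAGE = bytes(0x40) + struct.pack("<5I", *SAMPLE_SLOTS) + bytes(0x0C)
# Constructed stub -> real-address table standing in for the debugger run.
STUB_TABLE = {0x003D1234: 0x7C80A001, 0x004C0010: 0x7C80A002}

def demo() -> list:
    slots = read_iat(SAMPLE_IMAGE, SAMPLE_IAT, SAMPLE_END, SAMPLE_BASE)
    fixed = repair_iat(slots, STUB_TABLE.__getitem__)
    patched = write_iat(SAMPLE_IMAGE, SAMPLE_IAT, SAMPLE_BASE, fixed)
    return read_iat(patched, SAMPLE_IAT, SAMPLE_END, SAMPLE_BASE)

if __name__ == "__main__":
    for before, after in zip(SAMPLE_SLOTS, demo()):
        print(f"{before:08X} ({classify(before):10}) -> {after:08X}")
```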