Jump to content
Tuts 4 You

[unpackme] Obsidium 1.3.6.1

Teddy Rogers

By Teddy Rogers
in UnPackMe

 Share

Recommended Posts

Teddy Rogers

Teddy Rogers

Posted
  • Author
Posted

If anyone has finished with this unpackme and they want a little bit more fun here is another unpackme. It is the same version (1.3.6.1) with maximum protection features enabled but this one contains an encrypted overlay with "controlled access". You can download the unpackme from here:

http://rapidshare.com/files/130077264/UnPa...6.1_Overlay.zip

Ted.

pavka

pavka

Posted
Posted

easy way! ;) copy from TEMP folder in app foder

ffplay.exe ,SDL.dll ,pthreadGC2.dll, file.dat & command ffplay.exe file.dat :) )

Teddy Rogers

Teddy Rogers

Posted
  • Author
Posted

Lol! I don't think that was the intended approach... :rolleyes:

Ted.

Sonny27

Sonny27

Posted
Posted (edited)

May someone help me with my IAT script?

I already have a script for fixing Delphi IATs but this is C++ so a new one was needed.

This is the script:

var iat
var iatend
var apiaddress
var oep
var iatbasemov oep,eip
mov iat, 00460818		// edit iat begin here
mov iatend, 00460F2C		// edit iat end here
mov iatbase, 003D0000		// edit iat section here
add iatbase, 00100000
bphws 0047c931, "x"		// edit api holding place here (search for: 6A 01 50 6A 00 FF 76 04 FF 37 FF 53 54, enter the CALL, search for: 8B 04 90 03 C3 8B 55 F8 3B C2, use address: MOV EDX,DWORD PTR SS:[EBP-8])start:
mov apiaddress, [iat]
cmp apiaddress, iatbase	
ja next
mov eip, apiaddress
run
mov [iat], eax
rtr
sti
jmp nextnext:
add iat,4
cmp iat, iatend
je end
jmp startend:
mov eip,oep
ret

Should be clear, only thing I wanted to explain is this:

add iatbase, 00100000

There are some emulated APIs which addresses are way higher than those of the redirected ones.

I leave some out with increasing the redirection

Edited by Sonny27
pavka

pavka

Posted
Posted
May someone help me with my IAT script?

I already have a script for fixing Delphi IATs but this is C++ so a new one was needed.

This is the script:

var iat
var iatend
var apiaddress
var oep
var iatbasemov oep,eip
mov iat, 00460818		// edit iat begin here
mov iatend, 00460F2C		// edit iat end here
mov iatbase, 003D0000		// edit iat section here
add iatbase, 00100000
bphws 0047c931, "x"		// edit api holding place here (search for: 6A 01 50 6A 00 FF 76 04 FF 37 FF 53 54, enter the CALL, search for: 8B 04 90 03 C3 8B 55 F8 3B C2, use address: MOV EDX,DWORD PTR SS:[EBP-8])start:
mov apiaddress, [iat]
cmp apiaddress, iatbase	
ja next
mov eip, apiaddress
run
mov [iat], eax
rtr
sti
jmp nextnext:
add iat,4
cmp iat, iatend
je end
jmp startend:
mov eip,oep
ret

Should be clear, only thing I wanted to explain is this:

add iatbase, 00100000

There are some emulated APIs which addresses are way higher than those of the redirected ones.

I leave some out with increasing the redirection

Sonny27

Sonny27

Posted
Posted

Sorry, but may you explain that?

I don

pavka

pavka

Posted
Posted
Sorry, but may you explain that?

I don

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...