Teddy Rogers Posted July 13, 2008

This is the latest version to date. Of interest is the updated dynamic protection API access over the previously posted Obsidium unpackme release...

http://www.tuts4you.com/download.php?view.2341

Ted.
Teddy Rogers Posted July 16, 2008 (Author)

If anyone has finished with this unpackme and they want a little bit more fun, here is another unpackme. It is the same version (1.3.6.1) with maximum protection features enabled, but this one contains an encrypted overlay with "controlled access". You can download the unpackme from here:

http://rapidshare.com/files/130077264/UnPa...6.1_Overlay.zip

Ted.
pavka Posted July 17, 2008

Easy way! Copy from the TEMP folder into the app folder: ffplay.exe, SDL.dll, pthreadGC2.dll, file.dat, and run the command: ffplay.exe file.dat )
Teddy Rogers Posted July 17, 2008 (Author)

Lol! I don't think that was the intended approach...

Ted.
Sonny27 Posted July 17, 2008 (edited)

May someone help me with my IAT script? I already have a script for fixing Delphi IATs, but this is C++ so a new one was needed. This is the script:

var iat
var iatend
var apiaddress
var oep
var iatbase

mov oep, eip
mov iat, 00460818      // edit iat begin here
mov iatend, 00460F2C   // edit iat end here
mov iatbase, 003D0000  // edit iat section here
add iatbase, 00100000
bphws 0047c931, "x"    // edit api holding place here (search for: 6A 01 50 6A 00 FF 76 04 FF 37 FF 53 54, enter the CALL, search for: 8B 04 90 03 C3 8B 55 F8 3B C2, use address: MOV EDX,DWORD PTR SS:[EBP-8])

start:
mov apiaddress, [iat]
cmp apiaddress, iatbase
ja next
mov eip, apiaddress
run
mov [iat], eax
rtr
sti
jmp next

next:
add iat, 4
cmp iat, iatend
je end
jmp start

end:
mov eip, oep
ret

Should be clear; the only thing I wanted to explain is this:

add iatbase, 00100000

There are some emulated APIs whose addresses are way higher than those of the redirected ones. I leave some out with increasing the redirection

Edited July 17, 2008 by Sonny27
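The decision the script makes at every IAT slot (skip the entry if it is above the raised iatbase, otherwise treat it as a redirected stub and replace it with the real API address the debugger reads back in EAX) is easy to lose in the run-together ODbgScript above. The following Python model is an added example, not Sonny27's script and not part of the unpackme; it walks a constructed IAT dump offline and applies the same address-range rule. Every address, the IAT dump and the stub-to-API table are constructed for illustration, and the resolver dictionary stands in for what the debugger obtains at the hardware breakpoint.

```python
import struct

# Constructed sample values (illustration only, not taken from the unpackme).
IAT_BASE_VA = 0x00460818                  # VA of the first IAT slot in the dump
REDIR_LIMIT = 0x003D0000 + 0x00100000     # the script's iatbase after "add iatbase, 00100000"

# A six-slot IAT as it might be read from memory: little-endian dwords.
SAMPLE_IAT = struct.pack(
    "<6I",
    0x003D1040,  # redirected: points at a stub inside the protector's section
    0x7C80AE30,  # untouched: already points into a system DLL, above the limit
    0x003D2080,  # redirected
    0x004E1000,  # "emulated" API above the raised limit: the script leaves it alone
    0x003D3000,  # redirected, but no stub mapping is known: must be reported
    0x00000000,  # empty / terminator slot
)

# Constructed stub -> real API table; in the debugger this is what EAX holds
# when the bphws at the API holding place fires.
STUB_RESOLVER = {
    0x003D1040: 0x7C801D7B,
    0x003D2080: 0x7C80B741,
}


def unpack_entries(blob):
    """Split a raw IAT dump into a tuple of dword values."""
    return struct.unpack("<%dI" % (len(blob) // 4), blob)


def walk_iat(blob, limit, resolver, iat_va=IAT_BASE_VA):
    """Mimic the script's loop over the IAT.

    For each slot: an entry above `limit` is skipped (the script's 'ja next'),
    anything else is taken to be a redirected stub and replaced with the real
    API address from `resolver`. Zero slots are skipped as well, since running
    to EIP=0 would only crash the debuggee. Returns (fixed_blob, unresolved_vas),
    where unresolved_vas lists the VAs of slots that looked redirected but could
    not be resolved, so they can be inspected by hand.
    """
    entries = list(unpack_entries(blob))
    unresolved = []
    for i, addr in enumerate(entries):
        if addr == 0 or addr > limit:
            continue                      # 'ja next': above the raised base, leave as is
        real = resolver.get(addr)
        if real is None:
            unresolved.append(iat_va + 4 * i)
            continue
        entries[i] = real                 # 'mov [iat], eax'
    return struct.pack("<%dI" % len(entries), *entries), unresolved


if __name__ == "__main__":
    fixed, left = walk_iat(SAMPLE_IAT, REDIR_LIMIT, STUB_RESOLVER)
    for i, (before, after) in enumerate(zip(unpack_entries(SAMPLE_IAT), unpack_entries(fixed))):
        print("%08X: %08X -> %08X" % (IAT_BASE_VA + 4 * i, before, after))
    print("unresolved:", ["%08X" % va for va in left])
```

Running it shows which slots the range test classifies as redirected and which it leaves untouched; a stub that the resolver cannot map is reported by VA rather than silently written back, which is the case the script's `run` step would otherwise hide.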
pavka Posted July 18, 2008

[quotes Sonny27's post above]
Sonny27 Posted July 18, 2008

Sorry, but may you explain that? I don
pavka Posted July 19, 2008

[quotes Sonny27's post above]