Tuts 4 You

[unpackme] Obsidium 1.3.6.1


Teddy Rogers

If anyone has finished with this unpackme and they want a little bit more fun here is another unpackme. It is the same version (1.3.6.1) with maximum protection features enabled but this one contains an encrypted overlay with "controlled access". You can download the unpackme from here:

http://rapidshare.com/files/130077264/UnPa...6.1_Overlay.zip

Ted.


easy way! ;) copy from TEMP folder in app folder

ffplay.exe, SDL.dll, pthreadGC2.dll, file.dat & command ffplay.exe file.dat :) )


May someone help me with my IAT script?

I already have a script for fixing Delphi IATs but this is C++ so a new one was needed.

This is the script:

var iat
var iatend
var apiaddress
var oep
var iatbase
mov oep,eip
mov iat, 00460818 // edit iat begin here
mov iatend, 00460F2C // edit iat end here
mov iatbase, 003D0000 // edit iat section here
add iatbase, 00100000
bphws 0047c931, "x" // edit api holding place here (search for: 6A 01 50 6A 00 FF 76 04 FF 37 FF 53 54, enter the CALL, search for: 8B 04 90 03 C3 8B 55 F8 3B C2, use address: MOV EDX,DWORD PTR SS:[EBP-8])
start:
mov apiaddress, [iat]
cmp apiaddress, iatbase
ja next
mov eip, apiaddress
run
mov [iat], eax
rtr
sti
jmp next
next:
add iat,4
cmp iat, iatend
je end
jmp start
end:
mov eip,oep
ret

Should be clear, only thing I wanted to explain is this:

add iatbase, 00100000

There are some emulated APIs whose addresses are way higher than those of the redirected ones.

I leave some out with increasing the redirection

Edited by Sonny27
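
Added example, not part of the original thread: a Python model of the script's `cmp apiaddress, iatbase` / `ja next` test next to a check against loaded-module ranges, showing which IAT slots the two classify differently. The module list and IAT values are constructed for illustration, and `by_threshold`, `by_modules` and `missed_slots` are hypothetical helper names.

```python
from bisect import bisect_right

# Constructed sample data, not taken from the unpackme.
MODULES = [  # (base, size, name) of DLLs loaded in the process
    (0x7C800000, 0x000F6000, "kernel32.dll"),
    (0x7E410000, 0x00091000, "user32.dll"),
]
IAT = {  # IAT slot address -> dword currently stored in the slot
    0x00460818: 0x7C801D7B,  # already points into a DLL
    0x0046081C: 0x003D1234,  # stub inside the section at 003D0000
    0x00460820: 0x00A40010,  # stub allocated well above that section
    0x00460824: 0x00000000,  # zero separator between thunk groups
    0x00460828: 0x7E42A0B0,  # already points into a DLL
}
IATBASE = 0x003D0000 + 0x00100000  # value the script compares against


def by_threshold(value, iatbase=IATBASE):
    """Model of `cmp apiaddress, iatbase` / `ja next` (unsigned compare)."""
    return "skip" if value > iatbase else "resolve"


def by_modules(value, modules=MODULES):
    """Classify a slot by whether it points into a loaded module."""
    if value == 0:
        return "separator"
    mods = sorted(modules)
    i = bisect_right([base for base, _, _ in mods], value) - 1
    if i >= 0 and value < mods[i][0] + mods[i][1]:
        return "resolved:" + mods[i][2]
    return "stub"


def missed_slots(iat=IAT):
    """Slots where the threshold test and the module test disagree."""
    out = []
    for slot in sorted(iat):
        t, m = by_threshold(iat[slot]), by_modules(iat[slot])
        wrong_skip = t == "skip" and m == "stub"
        wrong_resolve = t == "resolve" and m != "stub"
        if wrong_skip or wrong_resolve:
            out.append((slot, t, m))
    return out


if __name__ == "__main__":
    for slot, t, m in missed_slots():
        print(f"{slot:08X}: threshold={t:8} modules={m}")
```

On the constructed data the fixed threshold skips the stub at 00A40010 and tries to resolve the zero separator, while the module-range check classifies both correctly.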
