Tuts 4 You

[ Unpack Me ] Obsidium 1.4


BLaCkViRuS


EvOlUtIoN

Interesting! I like Obsidium usually :)

EDIT: Why does it not show any window? It just closes itself?

Edited by EvOlUtIoN
BLaCkViRuS

Hi Dear EvOlUtIoN

The file runs fine without any problem for me. Just after running it shows the Obsidium demo message :D and after confirming the message, the program is shown.

Does the file not run for you?

Does anyone have this problem?

Edited by Mr.BLaCkViRuS
EvOlUtIoN

same here...

I unpacked the application successfully; it is a plain VB application with no import protection. One form, but it never loads due to an unhandled exception.

BLaCkViRuS


Mmm, very nice, dear EvOlUtIoN. Can you make a tutorial for this?

I'll make a new unpack me :sweat:

BLaCkViRuS

Dear EvOlUtIoN

New unpack mes attached. Please test the new files. Two files (VB & VC++).

Have a Nice Day Friends :flowers:

VB & VC++.rar

Edited by Mr.BLaCkViRuS
EvOlUtIoN

The VB one is still not working, and please compile the VC++ application with a release configuration and not a debug one, or the debug DLL cannot be found.

EDIT: both crackmes are not working here, even with all DLLs.

Edited by EvOlUtIoN
BLaCkViRuS

Please make the unpack me yourself :D:^

This is Obsidium 1.4


http://www.load.to/palducWEb2/ObsidiumSetup.exe

Or
http://www.softpedia.com/dyn-postdownload.php?p=1908&t=4&i=1

Thank You EvOlUtIoN :thumbsup:


Hi,

1. All unpackmes do not start; I just get the DEMO nag and then they exit.

2. Bypassed Demo NAG + get codesection code.

3. Unpacked one file [smart way] :)

Unpack Level: 2 | 10

No special protections used! Just IAT RD.

Here my unpacked file.Just test it.

PS: Next time don't protect the files with DEMO mode, so that the files also run normally without having to patch the code to get them running.

greetz

Unpack Me Obsidium 1.4 ( VB )-OK_Unpacked.rar


BLaCkViRuS


Thank You Dear LCF-AT :yahoo:

Please make tutorial for this :flowers:

BLaCkViRuS

my interest in unpacking a demo version of protector is very very low.

Hi Dear EvOlUtIoN

:( Just make an unpack me with the protector and test it on your system; maybe the problem is in your system :^

However, thank you very much :flowers:

Edited by BLaCkViRuS

Your DEMO files do not run normally on other systems. In this case you have to catch the place where the code will be overwritten again. Also, your files will never reach the OEP. You have to fix the IAT RD normally, and after this you can dump & fix from the OBS section. Just rebuild the OEP and then you have your unpacked DEMO files. :)

I will note your wish for an OBS tut. :)

greetz

EvOlUtIoN

Probably demo-protected programs won't run on a different machine than the one on which they are protected. Anyway, the limitation can be simply removed, since there is a simple patch to do in order to avoid overwriting some garbage code in the application.

Apuromafo


I saw now in another forum, unpack.cn, someone saying that unpacking Armadillo is easy, and they shared a loader there (that maybe ziggy made), and another ENIGMA-packed app (your speciality, LCF).

I don't know how to learn this, friend, but if LCF shares the topic, maybe it is a little update from the old script ;) in a new topic please, because I don't want to lose good written text.

greetings Apuromafo

idea: SND 2.0 shared by LCF can be used to debug; normally Obsidium has a key by a file and is RSA-based. Not sure if the author can check the tutorials, but in old times, when a tutorial was released on how to unpack, the next day the author added more protection and loops and more..

LCF, I ask, why not put the OEP there this way?

00401122  -FF25 5C104000    JMP DWORD PTR DS:[<&msvbvm60.ThunRTMain>]  ; msvbvm60.ThunRTMain
00401128   68 18904100      PUSH 00419018
0040112D   E8 F0FFFFFF      CALL 00401122                              ; <JMP.&msvbvm60.ThunRTMain>

greetings Apuromafo

PS: in VC++, checking beside:

00401B5F   FF15 B4754100    CALL DWORD PTR DS:[4175B4]
Edited by Apuromafo
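The listing above shows the VB6 entry stub (PUSH 00419018 followed by CALL 00401122 into the ThunRTMain thunk), which is exactly what an unpacker has to restore once the protector has stolen or overwritten the PUSH. As an added example, not code from this thread or from LCF-AT's script, the following Python encodes and decodes that PUSH imm32 / CALL rel32 pair so the rebuilt bytes can be checked against the listing. The three addresses are the ones from the post; the function names are my own.

```python
import struct

# Addresses from the OllyDbg listing in Apuromafo's post (page values, not constructed).
VB_OEP = 0x00401128                 # PUSH 00419018 sits here
THUNRTMAIN_THUNK = 0x00401122       # JMP DWORD PTR DS:[<&msvbvm60.ThunRTMain>]
VB_HEADER_PTR = 0x00419018          # argument ThunRTMain receives


def encode_push_imm32(value):
    """PUSH imm32: opcode 68 followed by a little-endian 32-bit immediate."""
    return b"\x68" + struct.pack("<I", value)


def encode_call_rel32(instr_addr, target):
    """CALL rel32: opcode E8 followed by a signed displacement measured from
    the end of the 5-byte instruction, not from its start."""
    rel = target - (instr_addr + 5)
    return b"\xE8" + struct.pack("<i", rel)


def build_vb_oep_stub(oep, header_ptr, thunk):
    """The two instructions a VB6 entry point consists of, as 10 raw bytes."""
    push = encode_push_imm32(header_ptr)
    call = encode_call_rel32(oep + len(push), thunk)
    return push + call


def decode_vb_oep_stub(oep, data):
    """Inverse: given the 10 bytes at the OEP, recover the pushed pointer and
    the CALL target, raising if the bytes are not a PUSH/CALL pair."""
    if len(data) < 10 or data[0] != 0x68 or data[5] != 0xE8:
        raise ValueError("not a PUSH imm32 / CALL rel32 pair")
    header_ptr = struct.unpack("<I", data[1:5])[0]
    rel = struct.unpack("<i", data[6:10])[0]
    target = (oep + 5) + 5 + rel     # CALL starts at oep+5 and is 5 bytes long
    return header_ptr, target


if __name__ == "__main__":
    stub = build_vb_oep_stub(VB_OEP, VB_HEADER_PTR, THUNRTMAIN_THUNK)
    print(stub.hex(" ").upper())     # 68 18 90 41 00 E8 F0 FF FF FF, as in the listing
    print([hex(v) for v in decode_vb_oep_stub(VB_OEP, stub)])
```

The displacement F0FFFFFF in the listing is -16, which is the distance from the end of the CALL (0040112D + 5) back to the thunk at 00401122; forgetting the +5 is the usual reason a hand-rebuilt OEP stub jumps to the wrong place.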

@ Apuromafo

So just tell me what you want to know, then I will see what I can do. Do you have a problem with any ENIGMA or OBS target | UnpackMe [OBS & ENIGMA are among my favorites]? I have already written some scripts in the past for these two protections which I have not released till now. :)

So it's not so important where you put the OEP bytes in the code, so long as it's working.

greetz

Apuromafo

@ok ^^ but they are aesthetic for decompiling.

PS:

The other thing, maybe if some day I have time, was to check where there are troubles in recovering the code ;)

PS: the apps normally are from the SnD board; wait some time for me to check by myself, and if I can't, some day check if it is possible.

The only one where the script did not work was some app that has VMProtect, because it was not studied, but when I have time I will check.

In a spoiler, because I don't want to derail Mr.BLaCkViRuS's thread more.

greetings

see ya Apuromafo


Hi,

OK, for all who want to unpack the file "Unpack Me Obsidium 1.4 ( VB )-OK.exe", you can use this small script by me now. It also patches the after-DEMO DWORD check.

pause
pause
; Fast Unpack script for "Unpack Me Obsidium 1.4 ( VB )-OK.exe" only!
; Disable Phant0m's DRx!
; Press OK on the DEMO NAG!
; --------------------------
; LCF-AT
////////////////////
; clear all hardware, memory and software breakpoints
bphwc
bpmc
bc
; read the ImageBase from the PEB: FS:[18] = TEB, TEB+30 = PEB, PEB+8 = ImageBaseAddress
pusha
exec
MOV EAX,DWORD PTR FS:[18]
MOV EAX,DWORD PTR DS:[EAX+30]
MOV EAX,DWORD PTR DS:[EAX+8]
ende
mov $RESULT, eax
popa
mov IMAGEBASE, $RESULT
////////////////////
; run until EIP is at IMAGEBASE+50000
CHECK:
cmp eip, IMAGEBASE+50000
je START
bp IMAGEBASE+50000
esto
bc
jmp CHECK
////////////////////
; locate the RET 10 (C2 10 00) at the end of VirtualAlloc
START:
gpa "VirtualAlloc", "kernel32.dll"
find $RESULT, #C21000#
mov VA, $RESULT
////////////////////
; break on that RET; EAX then holds the block VirtualAlloc just returned
TEST:
bp VA
esto
sto
esto
mov TEST, eax
////////////////////
; search the allocated block for 66 A9 20 00 EB 0? (? = wildcard nibble),
; keep running through further allocations until the pattern is found
LOOP:
find TEST, #66A92000EB0?#
cmp $RESULT, 00
jne FOUND
esto
jmp LOOP
////////////////////
FOUND:
bc
mov SEC, TEST
mov TEST, $RESULT
bp TEST
esto
bc
; change the short jump 4 bytes into the match to JMP +9
add eip, 04
mov [eip], #EB09#
sub eip, 04
; patch the DEMO DWORD check once IMAGEBASE+060EA6 is reached
bp IMAGEBASE+060EA6
run
bc
mov [IMAGEBASE+060A74],E990, 02
; break on the CALL at the VB entry stub (IMAGEBASE+112D)
bp IMAGEBASE+112D
esto
bc
; rebuild the stolen PUSH: take its argument from [esp] and write
; 68 <imm32> five bytes before the CALL, then drop the pushed dword
mov push, [esp]
sub eip, 05
mov [eip], 68, 01
mov [eip+1], push
add esp, 04
; script ends with EIP at the rebuilt OEP
ret

greetz

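The script above leans on ODbgScript's find command with #…# byte patterns, including a ? wildcard nibble in #66A92000EB0?# and a plain #C21000# (RET 10) inside VirtualAlloc. As an added example, not code from LCF-AT or from the thread, here is a small Python reimplementation of that search so the matching rule can be tried offline: each nibble of the pattern becomes a mask/value pair, so 0? matches 00 to 0F and ?? any byte, and the result is an address (or 0 when nothing matches, like $RESULT). The sample block is constructed for the demonstration and is not a dump from the UnpackMe.

```python
def parse_pattern(pattern):
    """Turn an ODbgScript-style #hex# pattern into (mask, value) pairs, one per
    byte.  A '?' nibble is a wildcard, so '0?' matches 00..0F and '??' any byte."""
    hexstr = pattern.strip().strip("#").replace(" ", "")
    if len(hexstr) % 2:
        raise ValueError("pattern must contain whole bytes (even nibble count)")
    pairs = []
    for i in range(0, len(hexstr), 2):
        mask = value = 0
        for shift, nibble in ((4, hexstr[i]), (0, hexstr[i + 1])):
            if nibble != "?":
                mask |= 0xF << shift
                value |= int(nibble, 16) << shift
        pairs.append((mask, value))
    return pairs


def find_pattern(base, buf, pattern):
    """Mimic 'find base, #pattern#': return the virtual address of the first
    match inside buf (assumed to be mapped at base), or 0 if there is none."""
    pairs = parse_pattern(pattern)
    n = len(pairs)
    for off in range(0, len(buf) - n + 1):
        if all((buf[off + k] & m) == v for k, (m, v) in enumerate(pairs)):
            return base + off
    return 0


# Constructed sample block (not a dump from the UnpackMe): two NOPs, then a
# TEST AX,20 / short JMP +7 pair, an INT3, and a RET 10 like the one the
# script looks for at the end of VirtualAlloc.
SAMPLE_BASE = 0x00400000
SAMPLE_BLOCK = bytes.fromhex("9090" "66A92000EB07" "CC" "C21000")


if __name__ == "__main__":
    print(hex(find_pattern(SAMPLE_BASE, SAMPLE_BLOCK, "#66A92000EB0?#")))  # 0x400002
    print(hex(find_pattern(SAMPLE_BASE, SAMPLE_BLOCK, "#C21000#")))        # 0x400009
    print(find_pattern(SAMPLE_BASE, SAMPLE_BLOCK, "#66A92000EB1?#"))       # 0: high nibble 0 != 1
```

The script's loop checks $RESULT against 0 and keeps stepping until the pattern appears, which is why a not-found result must be 0 rather than an exception; the wildcard nibble is what lets the same pattern survive small differences in the jump displacement.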

@ Larkaros

What about the DEMO NAG?

There are 3 files in this topic. The only file which is fully working is the "Unpack Me Obsidium 1.4 ( VB )-OK.exe" [+ my script to bypass the DEMO NAG]; the other 2 files are broken, so they will not work correctly even if you bypass the DEMO NAG.

greetz
