converse, Posted April 27, 2013

Hello to all! I suggest unpacking this unpackme, preferably with details and a video. I did not even get as far as hiding the debugger (OllyDbg) from detection. Thank you very much; looking forward to the results.

Attachment: unpackme_obsidium_1.4.6.0.rar
Teddy Rogers, Posted April 27, 2013

The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you! [This is an automated reply]
LCF-AT, Posted April 27, 2013

Hi, here is my unpacked file. Just test and tell. So I see just some little changes, but not much about the stuff which you have enabled [IAT only]. It's also just a little more obfuscated [lots of jumps] etc.

-----------------------
level: 2 of 10
-----------------------

PS: Disable DRx / restart & run.

greetz

Attachment: unpackme_obsidium_1.4.6.0_Unpacked.rar
Dreamer, Posted April 27, 2013

Is there any tut on how to unpack Obsidium, cuz I cannot find one?
converse (Author), Posted April 27, 2013 (edited)

Hi LCF-AT, good. Well, I wrote a demo version that is packed to the max.

> PS: Disable DRx / restart & run
> greetz

Can there be more? What plugins to use, with what options, etc.?

Add: As always very good, but I want to hear the details or see a video on manual unpacking.

Edited April 27, 2013 by converse
LCF-AT, Posted April 27, 2013

Just check the main page and search for it to find some tutorials. Plugins as always, so just disable DRx and work with soft BPs. Remember that CRC checks are also used. So you know that you only need to fix the IAT, and there you can use 2 methods: prevent writing the redirection, or get the IAT after you stop at the OEP. The second way is more simple and easy to handle, so you only need to catch the place where it reads the DLL exports. Find the right code part [use mem BP / Olly trace etc.], then check it and you will quickly find the place where you see all the APIs in a register, which you can then move into your IAT locations.

Hint: if you found the right place, then also set a BP at the end of the routine. If you break at the end and not at the place where it got the API, then it means that your IAT ADDR [ADDR | >>IAT ADDR<<] is no API = 00 DWORD, so fill it with a 00 DWORD, and next comes the next module block. So for this you can write a very simple script.

greetz
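A host-side model of the slot-filling loop LCF-AT describes, added here as an example and not code from the thread: each time the API-read breakpoint fires, the register value goes into the current IAT slot; when the routine-end breakpoint fires instead, the slot gets a 00 DWORD and the next module block begins. EXPORTS and TRACE are constructed stand-ins for what the debugger would show; the rebuilt IAT is then split back into module blocks and each slot named, which is how you check the fix before dumping.

```python
import struct

# Constructed export map: address -> (dll, export name). In a real session
# this is what the register holds when the API-read breakpoint fires.
EXPORTS = {
    0x7C80B741: ("kernel32.dll", "GetModuleHandleA"),
    0x7C80AE30: ("kernel32.dll", "GetProcAddress"),
    0x77D507EA: ("user32.dll", "MessageBoxA"),
}

# Constructed trace of which breakpoint fired on each pass through the
# protector's resolve loop: "api" carries the resolved address from the
# register; "end" means the routine returned without fetching an API, so the
# current slot is a module-block terminator (00 DWORD).
TRACE = [("api", 0x7C80B741), ("api", 0x7C80AE30), ("end", None),
         ("api", 0x77D507EA), ("end", None)]


def fill_iat_from_trace(trace):
    """Rebuild raw IAT bytes: one little-endian DWORD per slot, 0 at each block end."""
    slots = [addr if kind == "api" else 0 for kind, addr in trace]
    return b"".join(struct.pack("<I", s) for s in slots)


def parse_iat_blocks(iat, exports):
    """Split the IAT into 0-terminated module blocks and name each slot."""
    blocks, current = [], []
    for (value,) in struct.iter_unpack("<I", iat):
        if value == 0:
            if current:
                blocks.append(current)
            current = []
            continue
        # A slot that resolves to no known export is flagged, not guessed.
        dll, name = exports.get(value, ("?", f"unresolved_{value:08X}"))
        current.append((dll, name))
    if current:  # tolerate a dump that lacks the final terminator
        blocks.append(current)
    return blocks


def mixed_blocks(blocks):
    """Indices of blocks that mix DLLs: a sign a slot was filled at the wrong stop."""
    return [i for i, b in enumerate(blocks) if len({dll for dll, _ in b}) != 1]
```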