Jump to content
Tuts 4 You
  • 0
Sign in to follow this  
CodeExplorer

Obsidium v1.6.1.9

Question

CodeExplorer

Difficulty : 5   (I think) Not sure
Language : Visual C++ 6.0
Platform : Windows  x32
OS Version : Windows All
Packer / Protector : Obsidium v1.6.1.9

Description :

This is just one of my program protected
The objective is unpack it.

Screenshot :

322203926_2018-12-1119_57_34-CompareInfo1.0byCodeCracker.png.c9425bda38108477a908f42e9bb95c8b.png

 

CompareInfo_Obs.zip

Edited by CodeExplorer (see edit history)

Share this post


Link to post

9 answers to this question

Recommended Posts

  • 0
BambooQJ

My English is very poor,So, I recorded a tutorial...HAHAHAHA

思路

Quote

55 8B EC 6A FF 68 78 34 40 00 68 16 2C 40 00 //OEP

00402A8F 

脱壳方法
先对 CreateThread 的CALL地址下断点,然后对新建线程的入口 RET 4
 随后 为了过反调试,对kernel32. GetSystemTimeAsFileTime 的返回值 下断
 单步跟踪到  CMP EAX, 0x7 
 下方jl 改为 jmp 绕过检测
   对代码段下内存访问断点 找到偷取处理IAT地方. 然后 修改 处理call 记录特征码 
   50 52 E8 04 01 00 00 EB 05
    稍后处理 重载程序
 
 
被偷取的代码 
 
 0040267D 
 0040256B
 004018F3
 004012B1
 0040121F
 
 MOV REG32,[IAT]
 CALL REG32 

 

脚本

var IAT_Statr
var IAT_End
var Temp_IAT
Var bakup_EIP


mov bakup_EIP,eip
mov IAT_Statr,403000     //IAT表开始位置
mov IAT_End,403208 //IAT结束地址
bp 00414CA9   //85 C0 74 28 64 67 8F 06 00 00 83 C4 04 5F 5E 5B 8B E5 5D C2 14 00
GetAPIAddr:
mov Temp_IAT,[IAT_Statr]
cmp Temp_IAT,0
je INC_IATADDR
cmp Temp_IAT,6FFFFFFF
ja  INC_IATADDR
mov eip,Temp_IAT
run
mov [IAT_Statr],eax

INC_IATADDR:
add IAT_Statr,4
cmp IAT_Statr,IAT_End
ja RETIATFIX
jmp GetAPIAddr

RETIATFIX:
mov eip,bakup_EIP
pause
ret

教程(tutorial)

https://mega.nz/#!AhFBCAzA!gCL_2iXmcvlwPCk8AQ31gSQbGEiulcdPpVBgKg8ke88

 

I hope it will help later people.

CompareInfo_Obs_dump_.exe

Obsidium unpack.7z

  • Thanks 3

Share this post


Link to post
  • 0
Lumusfor

Is this protector really so tough to unpack 😮 ? I do not see an public unpackers for the present versions for the past 2-3 years?

Share this post


Link to post
  • 0
CodeExplorer

Overall it isn't that hard. But nice anti-debug tricks, is the only protector I still can't debug!
 

Share this post


Link to post
  • 0
Mad Max

I would be glad, it would also show someone how it was unpacked.
Not always just unpackme's upload without a solution.
Do not be against CodeCracker right now, it's common.

Share this post


Link to post
  • 0
GautamGreat

not starting on win7 x86

Capture.PNG

Share this post


Link to post
  • 0
Kalo
On 4/3/2019 at 6:20 PM, CodeExplorer said:

Found a olly modification that I've created that works ok with Obsidium;
I called it OLLY_(Orig_Safengine).rar
since it also works for Safengine.
A tutorial by Nieo is the most recent:
https://tuts4you.com/e107_plugins/download/download.php?view.3678

Let the cracking begin!
 

OLLY_(Orig_Safengine).rar 1.46 MB · 97 downloads

sorry, what are the configs on plugins? i still can't debug with this...

Share this post


Link to post
  • 0
Xjun
On 1/5/2020 at 7:56 PM, BambooQJ said:

My English is very poor,So, I recorded a tutorial...HAHAHAHA

思路

 

脚本


var IAT_Statr
var IAT_End
var Temp_IAT
Var bakup_EIP


mov bakup_EIP,eip
mov IAT_Statr,403000     //IAT表开始位置
mov IAT_End,403208 //IAT结束地址
bp 00414CA9   //85 C0 74 28 64 67 8F 06 00 00 83 C4 04 5F 5E 5B 8B E5 5D C2 14 00
GetAPIAddr:
mov Temp_IAT,[IAT_Statr]
cmp Temp_IAT,0
je INC_IATADDR
cmp Temp_IAT,6FFFFFFF
ja  INC_IATADDR
mov eip,Temp_IAT
run
mov [IAT_Statr],eax

INC_IATADDR:
add IAT_Statr,4
cmp IAT_Statr,IAT_End
ja RETIATFIX
jmp GetAPIAddr

RETIATFIX:
mov eip,bakup_EIP
pause
ret

教程(tutorial)

https://mega.nz/#!AhFBCAzA!gCL_2iXmcvlwPCk8AQ31gSQbGEiulcdPpVBgKg8ke88

 

I hope it will help later people.

CompareInfo_Obs_dump_.exe 140 kB · 8 downloads

Obsidium unpack.7z 37.76 MB · 16 downloads

刀哥牛逼

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...