Difficulty : 5   (I think) Not sure
Language : Visual C++ 6.0
Platform : Windows  x32
OS Version : Windows All
Packer / Protector : Obsidium v1.6.1.9

Description :

This is just one of my programs, protected.
The objective is to unpack it.


CompareInfo_Obs.zip

Edited by CodeExplorer

Solved by BambooQJ


Is this protector really so tough to unpack 😮? I have not seen any public unpackers for the present versions for the past 2-3 years.

  • Author

Overall it isn't that hard. But it has nice anti-debug tricks; it is the only protector I still can't debug!
 

I would be glad if someone would also show how it was unpacked.
Not always just unpackme uploads without a solution.
Do not be against CodeCracker right now, it's common.

not starting on win7 x86

Capture.PNG

  • 3 months later...
  • 3 months later...
On 4/3/2019 at 6:20 PM, CodeExplorer said:

Found an Olly modification that I've created that works OK with Obsidium;
I called it OLLY_(Orig_Safengine).rar
since it also works for Safengine.
A tutorial by Nieo is the most recent:
https://tuts4you.com/e107_plugins/download/download.php?view.3678

Let the cracking begin!
 

OLLY_(Orig_Safengine).rar 1.46 MB · 97 downloads

sorry, what are the configs on plugins? i still can't debug with this...

  • 5 months later...
  • Solution

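My English is very poor, so I recorded a tutorial... HAHAHAHA

Approach

55 8B EC 6A FF 68 78 34 40 00 68 16 2C 40 00 //OEP

00402A8F

Unpacking method
First set a breakpoint on the address of the CALL to CreateThread, then put RET 4 at the entry of the newly created thread.
Next, to get past the anti-debugging, set a breakpoint on the return value of kernel32.GetSystemTimeAsFileTime.
Single-step until CMP EAX, 0x7.
Change the jl below it to jmp to bypass the check.
Set a memory access breakpoint on the code section to find where the stolen IAT is processed. Then modify the processing call and note the byte signature
50 52 E8 04 01 00 00 EB 05
Handle this later; reload the program.

Stolen code

0040267D
0040256B
004018F3
004012B1
0040121F

MOV REG32,[IAT]
CALL REG32

Script

var IAT_Statr
var IAT_End
var Temp_IAT
var bakup_EIP


mov bakup_EIP,eip          // save the current EIP so it can be restored at the end
mov IAT_Statr,403000     // start of the IAT
mov IAT_End,403208 // end address of the IAT
bp 00414CA9   //85 C0 74 28 64 67 8F 06 00 00 83 C4 04 5F 5E 5B 8B E5 5D C2 14 00
GetAPIAddr:
mov Temp_IAT,[IAT_Statr]   // read the current IAT slot
cmp Temp_IAT,0             // empty slot: skip
je INC_IATADDR
cmp Temp_IAT,6FFFFFFF      // value above 6FFFFFFF: skip, slot is left as it is
ja  INC_IATADDR
mov eip,Temp_IAT           // execute the code the slot points to
run                        // runs until the breakpoint at 00414CA9 is hit
mov [IAT_Statr],eax        // write EAX back into the IAT slot

INC_IATADDR:
add IAT_Statr,4            // next 4-byte slot
cmp IAT_Statr,IAT_End
ja RETIATFIX
jmp GetAPIAddr

RETIATFIX:
mov eip,bakup_EIP          // restore the saved EIP
pause
ret

Tutorial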

https://mega.nz/#!AhFBCAzA!gCL_2iXmcvlwPCk8AQ31gSQbGEiulcdPpVBgKg8ke88

 

I hope it will help later people.

CompareInfo_Obs_dump_.exe

Obsidium unpack.7z
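
An added example, not part of BambooQJ's post or tooling: an offline check that applies the script's own slot tests (zero, or at most 6FFFFFFF) to the bytes of the IAT range read from a dump, to confirm that no slot is still redirected after the script has run. The IAT bounds and threshold come from the script; the function names and the sample bytes are constructed for illustration, and the threshold is the script's heuristic, not a guarantee about where system DLLs load.

```python
import struct

# Values taken from the script in the post above.
IAT_START = 0x403000
IAT_END = 0x403208                               # last slot the script visits
SLOT_COUNT = (IAT_END - IAT_START) // 4 + 1      # 4-byte slots in that range
REDIRECT_MAX = 0x6FFFFFFF                        # script only fixes values <= this


def audit_iat(region: bytes, start_va: int = IAT_START):
    """Classify each 32-bit slot the way the script's cmp/je/ja tests do.

    Returns a list of thunk groups (runs of non-zero slots separated by zero
    terminators); each group is a list of (slot_va, value, status) tuples.
    """
    groups, current = [], []
    for offset in range(0, len(region) - len(region) % 4, 4):
        (value,) = struct.unpack_from("<I", region, offset)
        if value == 0:                  # terminator between per-DLL thunk arrays
            if current:
                groups.append(current)
                current = []
            continue
        status = "redirected" if value <= REDIRECT_MAX else "resolved"
        current.append((start_va + offset, value, status))
    if current:
        groups.append(current)
    return groups


def unresolved_slots(groups):
    """Slot addresses whose value the script would still treat as redirected."""
    return [va for group in groups for (va, _value, status) in group
            if status == "redirected"]


# Constructed sample (not from the real binary): two thunk arrays,
# the second with one slot that still holds a low, redirected pointer.
SAMPLE = struct.pack("<7I", 0x7C801D7B, 0x7C80AE40, 0,
                     0x77D4050B, 0x003A1234, 0x77D3C702, 0)

if __name__ == "__main__":
    result = audit_iat(SAMPLE)
    for group in result:
        for va, value, status in group:
            print(f"{va:08X}  {value:08X}  {status}")
    print("still redirected:", [f"{va:08X}" for va in unresolved_slots(result)])
```

On a real dump, pass the SLOT_COUNT * 4 bytes that start at the IAT's file offset; an empty result from unresolved_slots means every non-zero slot passed the script's threshold.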

On 1/5/2020 at 7:56 PM, BambooQJ said:

My English is very poor, so I recorded a tutorial... HAHAHAHA


Brother Dao is awesome

  • 1 year later...
On 1/5/2020 at 2:56 PM, BambooQJ said:

My English is very poor, so I recorded a tutorial... HAHAHAHA


Thank you very much, can you PM me please?

  • 4 months later...

Anyone has the key for the Mega link?

@Stuttered

Just use the full link: copy also the red text.

Anyway @BambooQJ attached the file to the post (.7z file), so there's  no need to use mega link at all, actually.

Thanks to him :)

Regards,
Tony

Edited by tonyweb
little formatting

13 hours ago, tonyweb said:

@Stuttered

Just use the full link: copy also the red text.

Anyway @BambooQJ attached the file to the post (.7z file), so there's  no need to use mega link at all, actually.

Thanks to him :)

Regards,

Tony

I see now!  The red was the key (my old eyes)...  And didn't notice EXE was a VID TUT.  😄

Edited by Stuttered

  • 2 weeks later...
On 4/8/2019 at 3:06 PM, CodeExplorer said:

Used protector (I forgot to specify):
https://www.52pojie.cn/thread-652274-1-1.html
http://distro.crack.vc/index.php?dir=RceTools/Packers/

Finally made scripts and a tutorial on how to restore stolen bytes:
https://forum.tuts4you.com/topic/41211-obsidium-olly-scripts/
BR.
 

Hi,

The aforementioned websites do not allow downloads without registration and the Chinese do not allow registration easily outside of China.

distro.crack.vc is completely dead.
Obsidium.v1.6.1.9_x32.NONAG from the Mega download link needs a password.
pan.baidu.com/s/1gfcTv83 needs an account for download.

For the above, can anyone provide the password for the mega.nz .rar for Obsidium.v1.6.1.9_x32.NONAG (Yoza's release) ?

Cheers.

Hi

this isn't what you want but may help you.

Obsidium1.6.7.b1.rar

  • 10 months later...
On 10/9/2021 at 11:07 PM, Stuttered said:

Anyone has the key for the Mega link?

!gCL_2iXmcvlwPCk8AQ31gSQbGEiulcdPpVBgKg8ke88

  • 9 months later...

Obsidium Test x86-Protected.exe
license.key

Version v1.6.7 (build 1) [Jan 27 2019] protected one.

try to unpack it. or bypass license. password is "789".

sean.
