Obsidium V1.3.0.0-V1.3.0.4 UnPacK Script
//////////////////////////////////////////////////////////
// FileName : Obsidium V1.3.0.0.osc
// Comment : Obsidium V1.3.0.0-V1.3.0.4 UnPacK Script
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author : heXer & fly
// WebSite : http://www.unpack.cn
// Date : 2005-11-01 16:00
//////////////////////////////////////////////////////////
#log
// Put the debuggee in a known state first: the script relies on its own
// breakpoints and single-steps, so user breakpoints or exception stops would
// derail it. Cancelling the prompt ends the script at TryAgain.
dbh
MSGYN "Plz Clear All BreakPoints And Set Debugging Option Ignore All Excepions Options !"
cmp $RESULT, 0
je TryAgain
// Included helper; presumably the source of LastSectionVA used in the
// DecodeFinal section (not visible here -- confirm against that file).
#inc "Get.eXe.PE.Information.osc"
// Scratch variables for address arithmetic.
var T0
var T1
var temp
// Addresses inside the packer's import-rebuilding code that get patched
// (FixCode1..FixCode5) and the site patched temporarily in the Luck path
// (FixCode6).
var FixCode1
var FixCode2
var FixCode3
var FixCode4
var FixCode5
var FixCode6
var Skip
// Addresses of the "call dword ptr [eax+18]" sites in the special-import
// stub, named after the cmp eax,N case they belong to (see the listing in the
// SpecialImportingFunction section). EAX=4 is declared but never used.
var EAX=0
var EAX=1
var EAX=2
var EAX=3
var EAX=4
// Address of the first C3 byte found in IsDebuggerPresent (used as a breakpoint).
var IsDebuggerPresent
// Absolute target decoded from the first je at FixCode2; reused for FixCode3/4.
var JmpAddress
var SpecialFiXed
var SpecialFiXedOver
// Counts breakpoint hits at VirtualAlloc (then reset) and at LoadLibraryA.
var bpcnt
// Address of the "ret 10" inside VirtualAlloc; also the name of its label.
var VirtualAlloc
var AllocMemory
// Base and requested size of the 2nd and 3rd VirtualAlloc calls observed.
var AllocMemory2
var AllocMemory2Size
var AllocMemory3
var AllocMemory3Size
var LoadLibraryA
// CreateRemoteThread, VirtualFree and AllocMemory are declared but never
// assigned in this script.
var CreateRemoteThread
var VirtualFree
var DecodeFinal
var StolenOEP
//UnhandledExceptionFilter————————————————————————————————
// Resolve the API in the debuggee and patch it in place. Which byte pattern
// is present selects the WinXP or Win2K path; any other build aborts.
gpa "UnhandledExceptionFilter", "KERNEL32.dll"
cmp $RESULT, 0
je Only Win2K/XP
// NOTE(review): the label name above contains a space and a slash; confirm the
// interpreter resolves it (it is also the target of the je in the Win2K path).
WinXP:
find $RESULT, #0F849600000064A1180000008B4030#
cmp $RESULT, 0
je Win2K
log $RESULT
mov [$RESULT],#E997000000#
jmp CheckRemoteDebuggerPresent
Win2K:
// $RESULT was overwritten by the failed find above, so resolve the API again.
gpa "UnhandledExceptionFilter", "KERNEL32.dll"
find $RESULT, #395DC80F8549020000#
cmp $RESULT, 0
je Only Win2K/XP
log $RESULT
mov [$RESULT],#395DC8EB0490909090#
// The Win2K path skips the CheckRemoteDebuggerPresent section entirely
// (presumably that export does not exist on that build).
jmp CreateToolhelp32Snapshot
//CheckRemoteDebuggerPresent————————————————————————————————
// Each section below resolves one API with gpa and overwrites its entry bytes
// in the debuggee with the quoted byte string. A missing export is tolerated
// only for CheckRemoteDebuggerPresent; the others abort via NoFind.
CheckRemoteDebuggerPresent:
gpa "CheckRemoteDebuggerPresent", "KERNEL32.dll"
cmp $RESULT, 0
je CreateToolhelp32Snapshot
find $RESULT, #33C040#
cmp $RESULT, 0
je CreateToolhelp32Snapshot
mov [$RESULT], #33C090#
//CreateToolhelp32Snapshot————————————————————————————————
// Entry point for the Win2K path as well (jumped to from the UEF section).
CreateToolhelp32Snapshot:
gpa "CreateToolhelp32Snapshot", "KERNEL32.dll"
cmp $RESULT, 0
je NoFind
mov [$RESULT], #B8FFFFFFFFC20800#
//CreateRemoteThread————————————————————————————————
gpa "CreateRemoteThread", "KERNEL32.dll"
cmp $RESULT, 0
je NoFind
mov [$RESULT], #33C0C21C00#
//FindWindowA————————————————————————————————
gpa "FindWindowA", "USER32.dll"
cmp $RESULT, 0
je NoFind
mov [$RESULT], #33C0C20800#
//CloseHandle————————————————————————————————
gpa "CloseHandle", "KERNEL32.dll"
cmp $RESULT, 0
je NoFind
mov [$RESULT], #C20400#
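//VirtualAlloc————————————————————————————————
// Break inside VirtualAlloc at its "ret 10" (located with findop) and record
// the 2nd and 3rd allocations the packer makes: the returned base is in eax,
// the requested size is the 2nd stack argument, i.e. [esp+8] at the ret.
// AllocMemory2 is searched later for the import-rebuilding code.
gpa "VirtualAlloc", "KERNEL32.dll"
cmp $RESULT, 0
// Abort when the export cannot be resolved; the original fell through into
// findop with $RESULT = 0 (every other gpa in this script checks this).
je NoFind
findop $RESULT,#C21000#
cmp $RESULT, 0
je NoFind
mov VirtualAlloc,$RESULT
eob VirtualAlloc
bp VirtualAlloc
esto
GoOn0:
esto
VirtualAlloc:
// Handler for every stop while bp VirtualAlloc is set; ignore unrelated stops.
cmp eip,VirtualAlloc
jne GoOn0
inc bpcnt
// Log before the compare so nothing sits between cmp and its conditional jumps.
log bpcnt
cmp bpcnt,2
jb GoOn0
ja AllocMemory3
// bpcnt == 2: second allocation. The extra inc below makes the next hit
// take the ja path.
mov AllocMemory2,eax
mov temp,esp
add temp,08
mov AllocMemory2Size,[temp]
inc bpcnt
log AllocMemory2
log AllocMemory2Size
jmp GoOn0
AllocMemory3:
// bpcnt > 2: third allocation; stop watching VirtualAlloc afterwards.
mov AllocMemory3,eax
mov temp,esp
add temp,08
mov AllocMemory3Size,[temp]
log AllocMemory3
log AllocMemory3Size
bc VirtualAlloc
mov bpcnt,0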
//LoadLibraryA————————————————————————————————
// Set a memory breakpoint on the 5 bytes at LoadLibraryA and, each time it
// fires, search the second allocated block for the import-rebuilding code.
// Until the pattern appears the script loops back to FindChance and waits again.
FindChance:
gpa "LoadLibraryA", "KERNEL32.dll"
cmp $RESULT, 0
je NoFind
mov LoadLibraryA,$RESULT
eob LoadLibraryA
bpwm LoadLibraryA, 5
esto
LoadLibraryA:
inc bpcnt
find AllocMemory2,#66F7062000#
cmp $RESULT, 0
je FindChance
//FixedImportingFunction————————————————————————————————
// FixCode1..FixCode5 are patch points inside that code; each /* */ block
// records the original and the patched disassembly for the following edit.
log bpcnt
bpmc
mov FixCode1,$RESULT
log FixCode1
//jmp Final
mov [FixCode1],#66F7060800#
/*
FixCode1:
00908035 66:F706 2000 test word ptr ds:[esi],20
Modified: 66:F706 0800 test word ptr ds:[esi],8 ★
*/
find FixCode1,#0F84??000000#
cmp $RESULT, 0
je NoFind
mov FixCode2,$RESULT
log FixCode2
// Decode the absolute target of this 6-byte je: rel32 at addr+2, target =
// addr + 6 + rel32. JmpAddress is reused for FixCode3 and FixCode4.
mov T0,$RESULT
add T0,2
mov T1,[T0]
add T0,4
add T0,T1
mov JmpAddress,T0
log JmpAddress
// Invert the condition, same target.
eval "jne {JmpAddress}"
asm FixCode2, $RESULT
/*
FixCode2:
00908040 0F84 ??000000 je 009080DB
Modified: 0F85 95000000 jnz 009080DB ★
*/
// Searching from FixCode2 is safe here because FixCode2 itself is now 0F85.
find FixCode2,#0F84??000000#
cmp $RESULT, 0
je NoFind
mov FixCode3,$RESULT
log FixCode3
// Retarget to JmpAddress; the assembler emits the 2-byte short form, so the
// remaining 4 bytes of the old 6-byte encoding are NOPed.
eval "je {JmpAddress}"
asm FixCode3, $RESULT
mov temp,FixCode3
add temp,2
fill temp, 4, 90
/*
FixCode3:
00908085 0F84 88000000 je 00908113
Modified: 7454 90909090 je 009080DB ★
*/
find FixCode3,#74??EB??#
cmp $RESULT, 0
je NoFind
mov FixCode4,$RESULT
log FixCode4
eval "je {JmpAddress}"
asm FixCode4, $RESULT
/*
FixCode4:
009080CE 74 43 je 00908113
Modified: 74 0B je 009080DB ★
*/
// Turn the conditional short jump into an unconditional one (opcode only;
// the displacement byte is kept).
find FixCode2,#75??EB#
cmp $RESULT, 0
je NoFind
mov Skip,$RESULT
log Skip
mov [Skip],#EB#
/*
00908FAC 66:F706 0200 test word ptr ds:[esi],2
00908FB1 EB 03 jmp short 00908FB6
00908FB6 75 47 jnz short 00908FFF
Modified: EB 47 jmp short 00908FFF ★
00908FB8 EB 02 jmp short 00908FBC
*/
// NOP the 2-byte store at the start of this sequence.
find FixCode1,#891F83C30AE9#
cmp $RESULT, 0
je NoFind
mov FixCode5,$RESULT
log FixCode5
fill FixCode5, 2, 90
/*
00909127 891F mov dword ptr ds:[edi],ebx
Modified: 9090 NOP ★
00909129 83C3 0A add ebx,0A
0090912C E9 49FFFFFF jmp 0090907A
*/
//IsDebuggerPresent————————————————————————————————
// Breakpoint on the first C3 byte found after the IsDebuggerPresent entry
// (assumed to be its ret). Hitting it is the "done" signal for the
// special-import loop in the next section. The eob set here is superseded
// by eob SpecialImportingFunction before any esto runs.
gpa "IsDebuggerPresent", "KERNEL32.dll"
cmp $RESULT, 0
je NoFind
find $RESULT,#C3#
cmp $RESULT, 0
je NoFind
mov IsDebuggerPresent,$RESULT
eob IsDebuggerPresent
bp IsDebuggerPresent
//SpecialImportingFunction————————————————————————————————
// Locate the dispatch stub shown in the listing below: SpecialFiXed is the
// "ret 14" that precedes it, EAX=3..EAX=0 are its four "call [eax+18]" sites,
// found relative to EAX=3 by the bytes that follow each call.
find FixCode1,#C214008B#
cmp $RESULT, 0
je NoFind
mov SpecialFiXed,$RESULT
log SpecialFiXed
find FixCode1,#FF501850#
cmp $RESULT, 0
je NoFind
mov EAX=3,$RESULT
log EAX=3
find EAX=3,#FF5018EB1C#
cmp $RESULT, 0
je NoFind
mov EAX=0,$RESULT
log EAX=0
find EAX=3,#FF5018EB0D#
cmp $RESULT, 0
je NoFind
mov EAX=1,$RESULT
log EAX=1
find EAX=3,#FF5018C603#
cmp $RESULT, 0
je NoFind
mov EAX=2,$RESULT
log EAX=2
// Label EAX is not referenced anywhere in this script.
EAX:
// All five breakpoints (plus the one at IsDebuggerPresent) share one handler,
// SpecialImportingFunction, which dispatches on eip.
eob SpecialImportingFunction
bp SpecialFiXed
bp EAX=0
bp EAX=1
bp EAX=2
bp EAX=3
esto
GoOn1:
// Resume loop; the next stop re-enters the current eob handler.
log eip
esto
/*
009090FC 8B46 04 mov eax,dword ptr ds:[esi+4]
009090FF 83F8 00 cmp eax,0
00909102 74 45 je short 00909149
00909104 83F8 01 cmp eax,1
00909107 74 4F je short 00909158
00909109 83F8 02 cmp eax,2
0090910C 74 59 je short 00909167
0090910E 83F8 03 cmp eax,3
00909111 74 12 je short 00909125
00909113 83F8 04 cmp eax,4
00909116 75 CA jnz short 009090E2
00909118 8B45 14 mov eax,dword ptr ss:[ebp+14]
0090911B 8B90 E8000000 mov edx,dword ptr ds:[eax+E8]
00909121 8917 mov dword ptr ds:[edi],edx
00909123 EB BD jmp short 009090E2
00909125 8B45 14 mov eax,dword ptr ss:[ebp+14]
00909128 68 C5B1662D push 2D66B1C5
0090912D 6A 00 push 0
0090912F FF50 18 call dword ptr ds:[eax+18]
00909132 50 push eax
00909133 53 push ebx
00909134 E8 98020000 call 009093D1
00909139 53 push ebx
0090913A E8 19020000 call 00909358
0090913F 8BCB mov ecx,ebx
00909141 8D5C03 01 lea ebx,dword ptr ds:[ebx+eax+1]
00909145 8BC1 mov eax,ecx
00909147 EB 2B jmp short 00909174
00909149 8B45 14 mov eax,dword ptr ss:[ebp+14]
0090914C 68 0F1ACF4C push 4CCF1A0F
00909151 6A 00 push 0
00909153 FF50 18 call dword ptr ds:[eax+18]
00909156 EB 1C jmp short 00909174
00909158 8B45 14 mov eax,dword ptr ss:[ebp+14]
0090915B 68 A41A86D0 push D0861AA4
00909160 6A 00 push 0
00909162 FF50 18 call dword ptr ds:[eax+18]
00909165 EB 0D jmp short 00909174
00909167 8B45 14 mov eax,dword ptr ss:[ebp+14]
0090916A 68 E313B41D push 1DB413E3
0090916F 6A 00 push 0
00909171 FF50 18 call dword ptr ds:[eax+18]
00909174 C603 B8 mov byte ptr ds:[ebx],0B8
00909177 8943 01 mov dword ptr ds:[ebx+1],eax
0090917A 8B45 14 mov eax,dword ptr ss:[ebp+14]
0090917D 8B90 A4010000 mov edx,dword ptr ds:[eax+1A4]
00909183 8D43 0A lea eax,dword ptr ds:[ebx+A]
00909186 2BD0 sub edx,eax
00909188 C643 05 E9 mov byte ptr ds:[ebx+5],0E9
0090918C 8953 06 mov dword ptr ds:[ebx+6],edx
0090918F 90 nop
00909190 90 nop
00909191 83C3 0A add ebx,0A
00909194 E9 49FFFFFF jmp 009090E2
00909199 55 push ebp
0090919A 8BEC mov ebp,esp
0090919C 83EC 04 sub esp,4
0090919F 53 push ebx
009091A0 56 push esi
009091A1 57 push edi
009091A2 EB 04 jmp short 009091A8
*/
SpecialImportingFunction:
// Dispatch on which breakpoint fired. SpecialFiXedOver is only assigned in the
// SpecialFiXed path; before that the compare presumably sees its initial value.
log eip
cmp eip,EAX=0
je Luck
cmp eip,EAX=1
je Luck
cmp eip,EAX=2
je Luck
cmp eip,EAX=3
je Luck
cmp eip,SpecialFiXed
je SpecialFiXed
cmp eip,SpecialFiXedOver
je IsDebuggerPresent
cmp eip,IsDebuggerPresent
je IsDebuggerPresent
jmp GoOn1
Luck:
// One of the "call [eax+18]" sites was hit: clear that breakpoint (so each
// site fires once), put a hardware breakpoint 3 bytes on (just past the call),
// step into the call, and temporarily patch 3 bytes at FixCode6 (offset 9 into
// the pattern) while the callee runs. The original bytes are restored once
// the hardware breakpoint fires. Note that "temp" is both the variable holding
// the return address and the label used as the eob handler.
mov temp,eip
bc temp
add temp,3
eob temp
bphws temp, "x"
sti
find eip,#FF5354EB04????????85C0EB#
cmp $RESULT, 0
je NoFind
mov FixCode6,$RESULT
log FixCode6
add FixCode6,9
mov [FixCode6],#8907EB#
esto
temp:
// Stops that are not the hardware breakpoint are forwarded to the normal
// dispatcher; eob stays on this label until the next Luck or the end.
cmp eip,temp
jne SpecialImportingFunction
bphwc temp
mov [FixCode6],#85C0EB#
jmp GoOn1
SpecialFiXed:
// Step past the ret, then break at the first "33C0 EB02" ahead; reaching it
// routes to the IsDebuggerPresent handler below.
bc SpecialFiXed
sti
find eip,#33C0EB02#
cmp $RESULT, 0
je NoFind
mov SpecialFiXedOver,$RESULT
log SpecialFiXedOver
bp SpecialFiXedOver
jmp GoOn1
IsDebuggerPresent:
// End of the special-import loop: clear every breakpoint set in this section
// and fall through into the DecodeFinal section.
bc SpecialFiXedOver
bc IsDebuggerPresent
bc EAX=0
bc EAX=1
bc EAX=2
bc EAX=3
MSG "Fixed ImportTable. There is some Special API need Handed Repaired. "
//DecodeFinal————————————————————————————————
// Reached by fall-through only (the jmp Final earlier is commented out).
// Searches from LastSectionVA+2600 (hex; presumably set by the included
// script) for "83 ?? ?? 0F 85 rel32" and breaks 9 bytes in, i.e. on the
// instruction after that jnz, then runs to return and steps once.
Final:
// Redundant: already cleared in the IsDebuggerPresent handler.
bc SpecialFiXedOver
log LastSectionVA
mov temp,LastSectionVA
add temp,2600
find temp,#83????0F85#
cmp $RESULT, 0
je NoFind
add $RESULT,9
mov DecodeFinal,$RESULT
log DecodeFinal
eob DecodeFinal
bp DecodeFinal
esto
GoOn2:
esto
DecodeFinal:
cmp eip,DecodeFinal
jne GoOn2
bc DecodeFinal
rtr
sti
//JmpEDI————————————————————————————————
// Mask eip with 0FFFF000 (clears the low 12 bits and the top nibble;
// presumably meant as the start of the region to scan -- confirm) and search
// for "FF E7 EB" (jmp edi, per the section name), then break there.
// NOTE(review): the handler compares eip against $RESULT, which relies on
// $RESULT surviving the esto; the same pattern is used in the next section.
mov temp,eip
and temp,0FFFF000
log temp
find temp,#FFE7EB#
cmp $RESULT, 0
je NoFind
log $RESULT
eob JmpEDI
bp $RESULT
esto
GoOn3:
esto
JmpEDI:
cmp eip,$RESULT
jne GoOn3
bc $RESULT
sti
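//StolenOEPCode————————————————————————————————
// Break 3 bytes after "add edx,[esi+10]" (on the jmp short shown below) and
// read the computed value from edx into StolenOEP. Unlike the earlier handlers,
// CountOEP and StolenOEP do not re-check eip before acting.
find eip,#035610EB02#
cmp $RESULT, 0
je NoFind
/*
0090C237 0356 10 add edx,dword ptr ds:[esi+10]
0090C23A EB 02 jmp short 0090C23E
*/
add $RESULT,3
eob CountOEP
bp $RESULT
esto
CountOEP:
bc $RESULT
mov StolenOEP,edx
// Break on the popad ahead, then annotate the two instructions after it.
find eip,#61EB#
cmp $RESULT, 0
je NoFind
/*
0090C25A 61 popad
0090C25B EB 04 jmp short 0090C261
*/
eob StolenOEP
bp $RESULT
esto
StolenOEP:
bc $RESULT
mov temp,eip
// These two comment strings repeat the MSG text from the import section.
cmt temp,"Fixed ImportTable. "
inc temp
cmt temp,"There is some Special API need Handed Repaired. "
/*
0090C06E E9 2A53AFFF jmp 0040139D
0090C073 EB 04 jmp short 0090C079
*/
find eip,#E9????????EB#
// Only annotate when the pattern was found. Aborting via NoFind would lose the
// final message, and the original commented address 0 on a miss, so skip instead.
cmp $RESULT, 0
je GameOver
log $RESULT
cmt $RESULT, "Jump StolenOEP ! Found by heXer & fly "
//GameOver————————————————————————————————
GameOver:
eval " OEP/Stolen= {StolenOEP} ! Plz Watch Stack to Fix StolenOEPCode and Dump and Fix IT + SDK !"
MSG $RESULT
ret
// Error exits shared by the whole script.
NoFind:
MSG "Error! Don't find. Maybe It's not Obsidium V1.3.0.0-V1.3.0.4 ! "
ret
// NOTE(review): label name contains a space and a slash; confirm the
// interpreter resolves it (targeted by two je's in the UEF section).
Only Win2K/XP:
MSG "Error! This Script only Run on the Win2K.SP4/WinXP.SP2 ! "
ret
TryAgain:
MSG " Plz Try Again ! "
ret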