//////////////////////////////////////////////////////////
// FileName : Obsidium V1.3.0.0.osc
// Comment : Obsidium V1.3.0.0-V1.3.0.4 UnPacK Script
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author : heXer & fly
// WebSite : http://www.unpack.cn
// Date : 2005-11-01 16:00
//////////////////////////////////////////////////////////
//
// Reviewer notes on the structure of this script:
//  1. Neutralise the debugger checks the protector makes through KERNEL32/USER32
//     exports by patching those exports inside the debuggee.  The byte patterns are
//     tied to the WinXP SP2 / Win2K SP4 builds named above; a miss ends at NoFind.
//  2. Break on VirtualAlloc to learn where the protector unpacks itself
//     (AllocMemory2/AllocMemory3), then patch the import resolver it decodes there.
//  3. Run to the stolen-OEP handler and report the OEP value (StolenOEP).
// Labels and variables share several names (VirtualAlloc, LoadLibraryA,
// IsDebuggerPresent, SpecialFiXed, DecodeFinal, StolenOEP, temp):
// bp/bc/cmp use the variable, je/jmp/eob the label.
#log                                    // directive: echo executed script commands to the log window
dbh                                     // OllyScript "hide debugger" before the target runs its own checks
MSGYN "Plz Clear All BreakPoints And Set Debugging Option Ignore All Excepions Options !"
cmp $RESULT, 0                          // $RESULT = 0 when the user answers No
je TryAgain
#inc "Get.eXe.PE.Information.osc"       // external include; presumably defines LastSectionVA used at Final: -- confirm
var T0                                  // scratch for rel32 target arithmetic
var T1
var temp                                // general scratch (address / ESP arithmetic); also a label name below
var FixCode1                            // address of "test word ptr [esi],20" in the import resolver
var FixCode2                            // first "je rel32" after FixCode1
var FixCode3                            // second "je rel32"
var FixCode4                            // "je short / jmp short" pair
var FixCode5                            // "mov [edi],ebx" that gets NOPed
var FixCode6                            // "test eax,eax / jmp" inside the routine called via [eax+18]
var Skip                                // "jnz short" turned into "jmp short"
var EAX=0                               // the four "call [eax+18]" sites of the resolver switch (listing at GoOn1)
var EAX=1
var EAX=2
var EAX=3
var EAX=4                               // unused
var IsDebuggerPresent                   // address of a "ret" byte inside IsDebuggerPresent
var JmpAddress                          // absolute target of the je at FixCode2
var SpecialFiXed                        // "ret 14" site that starts the special-API path
var SpecialFiXedOver                    // "xor eax,eax / jmp short +2" reached after SpecialFiXed
var bpcnt                               // breakpoint hit counter (VirtualAlloc, then LoadLibraryA)
var VirtualAlloc                        // address of "ret 10" inside VirtualAlloc
var AllocMemory                         // unused
var AllocMemory2                        // base and dwSize of the 2nd VirtualAlloc call
var AllocMemory2Size
var AllocMemory3                        // base and dwSize of the 3rd VirtualAlloc call
var AllocMemory3Size
var LoadLibraryA
var CreateRemoteThread                  // unused
var VirtualFree                         // unused
var DecodeFinal                         // address just past a "cmp/jne" pair in the last section
var StolenOEP                           // EDX after "add edx,[esi+10]" = OEP reported at the end
//UnhandledExceptionFilter!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
// Make the conditional branch inside UnhandledExceptionFilter unconditional
// (the bytes that follow it read fs:[18] -> [+30], i.e. TEB -> PEB, so this is
// presumably the debugger test in that function -- confirm against the OS build).
gpa "UnhandledExceptionFilter", "KERNEL32.dll"
cmp $RESULT, 0
je Only Win2K/XP
WinXP:
// 0F84 96000000 = je +96h ; 64A1 18000000 = mov eax,fs:[18] ; 8B40 30 = mov eax,[eax+30]
find $RESULT, #0F849600000064A1180000008B4030#
cmp $RESULT, 0
je Win2K                                // pattern absent: try the Win2K build
log $RESULT
mov [$RESULT],#E997000000#              // 6-byte je +96h -> 5-byte jmp +97h: same target, always taken
jmp CheckRemoteDebuggerPresent
Win2K:
gpa "UnhandledExceptionFilter", "KERNEL32.dll"
find $RESULT, #395DC80F8549020000#      // cmp [ebp-38],ebx ; jne +249h
cmp $RESULT, 0
je Only Win2K/XP
log $RESULT
mov [$RESULT],#395DC8EB0490909090#      // keep the cmp; jne -> "jmp short +4" over NOPs, so it is never taken
jmp CreateToolhelp32Snapshot            // CheckRemoteDebuggerPresent is not exported on Win2K
//CheckRemoteDebuggerPresent!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
CheckRemoteDebuggerPresent:
gpa "CheckRemoteDebuggerPresent", "KERNEL32.dll"
cmp $RESULT, 0
je CreateToolhelp32Snapshot             // export missing: skip, not an error
find $RESULT, #33C040#                  // xor eax,eax ; inc eax
cmp $RESULT, 0
je CreateToolhelp32Snapshot
mov [$RESULT], #33C090#                 // inc eax -> nop: that path now leaves eax = 0
//CreateToolhelp32Snapshot!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
CreateToolhelp32Snapshot:
gpa "CreateToolhelp32Snapshot", "KERNEL32.dll"
cmp $RESULT, 0
je NoFind
mov [$RESULT], #B8FFFFFFFFC20800#       // entry -> mov eax,-1 ; ret 8  (INVALID_HANDLE_VALUE, 2 args)
//CreateRemoteThread!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
gpa "CreateRemoteThread", "KERNEL32.dll"
cmp $RESULT, 0
je NoFind
mov [$RESULT], #33C0C21C00#             // entry -> xor eax,eax ; ret 1C  (NULL, 7 args)
//FindWindowA!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
gpa "FindWindowA", "USER32.dll"
cmp $RESULT, 0
je NoFind
mov [$RESULT], #33C0C20800#             // entry -> xor eax,eax ; ret 8  (NULL, 2 args)
//CloseHandle!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
gpa "CloseHandle", "KERNEL32.dll"
cmp $RESULT, 0
je NoFind
mov [$RESULT], #C20400#                 // entry -> ret 4: CloseHandle becomes a no-op, eax left as-is.
                                        // NOTE(review): every handle the target opens from here on stays open
//VirtualAlloc!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
// Record the 2nd and 3rd VirtualAlloc results.  The break is on the function's
// "ret 10", where EAX = returned base and [ESP+8] = the dwSize argument.
gpa "VirtualAlloc", "KERNEL32.dll"
cmp $RESULT, 0                          // NOTE(review): no "je NoFind" follows; a failed gpa runs findop on 0,
                                        //               which the next check catches
findop $RESULT,#C21000#                 // instruction-aligned search for "ret 10"
cmp $RESULT, 0
je NoFind
mov VirtualAlloc,$RESULT
eob VirtualAlloc                        // any breakpoint from now on continues at label VirtualAlloc:
bp VirtualAlloc
esto
GoOn0:
esto                                    // resume until the next break
VirtualAlloc:
cmp eip,VirtualAlloc
jne GoOn0                               // some other stop: ignore
inc bpcnt
cmp bpcnt,2                             // hit 1: bpcnt=1 -> skip; hit 2: bpcnt=2 -> record #2 (bpcnt becomes 3);
log bpcnt                               // hit 3: bpcnt=4 -> record #3
jb GoOn0
ja AllocMemory3
mov AllocMemory2,eax
mov temp,esp
add temp,08
mov AllocMemory2Size,[temp]             // dwSize: 2nd stack argument at the ret
inc bpcnt
log AllocMemory2
log AllocMemory2Size
jmp GoOn0
AllocMemory3:
mov AllocMemory3,eax
mov temp,esp
add temp,08
mov AllocMemory3Size,[temp]
log AllocMemory3
log AllocMemory3Size
bc VirtualAlloc
mov bpcnt,0
//LoadLibraryA!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
// Wait for the debuggee to write the first 5 bytes of LoadLibraryA (presumably
// the protector installing a hook -- confirm), then look for the import resolver
// in the 2nd allocated block.  Re-arms and waits until the pattern shows up.
FindChance:
gpa "LoadLibraryA", "KERNEL32.dll"
cmp $RESULT, 0
je NoFind
mov LoadLibraryA,$RESULT
eob LoadLibraryA
bpwm LoadLibraryA, 5                    // memory breakpoint on write, 5 bytes
esto
LoadLibraryA:
inc bpcnt                               // counts write hits; only logged
find AllocMemory2,#66F7062000#          // test word ptr [esi],20
cmp $RESULT, 0
je FindChance                           // resolver not decoded yet
//FixedImportingFunction!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
// Patch the import resolver.  Each listing comment shows the bytes at the
// addresses the authors observed, before and after the patch.
log bpcnt
bpmc                                    // clear the memory breakpoint
mov FixCode1,$RESULT
log FixCode1
//jmp Final                             // disabled debug shortcut
mov [FixCode1],#66F7060800#             // test word ptr [esi],20 -> test word ptr [esi],8
/*
FixCode1:
00908035 66:F706 2000 test word ptr ds:[esi],20
Modified: 66:F706 0800 test word ptr ds:[esi],8
*/
find FixCode1,#0F84??000000#            // first "je rel32" after FixCode1
cmp $RESULT, 0
je NoFind
mov FixCode2,$RESULT
log FixCode2
mov T0,$RESULT
add T0,2                                // rel32 is at +2
mov T1,[T0]
add T0,4                                // end of the 6-byte je
add T0,T1
mov JmpAddress,T0                       // absolute target of that je
log JmpAddress
eval "jne {JmpAddress}"
asm FixCode2, $RESULT                   // invert the condition, keep the target
/*
FixCode2:
00908040 0F84 ??000000 je 009080DB
Modified: 0F85 95000000 jnz 009080DB
*/
find FixCode2,#0F84??000000#            // next "je rel32"
cmp $RESULT, 0
je NoFind
mov FixCode3,$RESULT
log FixCode3
eval "je {JmpAddress}"
asm FixCode3, $RESULT                   // retarget to JmpAddress; assembles to the 2-byte short form
mov temp,FixCode3
add temp,2
fill temp, 4, 90                        // NOP the 4 bytes left over from the 6-byte je
/*
FixCode3:
00908085 0F84 88000000 je 00908113
Modified: 7454 90909090 je 009080DB
*/
find FixCode3,#74??EB??#                // "je short / jmp short" pair
cmp $RESULT, 0
je NoFind
mov FixCode4,$RESULT
log FixCode4
eval "je {JmpAddress}"
asm FixCode4, $RESULT                   // retarget the short je to JmpAddress
/*
FixCode4:
009080CE 74 43 je 00908113
Modified: 74 0B je 009080DB
*/
find FixCode2,#75??EB#                  // "jnz short X ; jmp short"
cmp $RESULT, 0
je NoFind
mov Skip,$RESULT
log Skip
mov [Skip],#EB#                         // jnz short -> jmp short: always taken
/*
00908FAC 66:F706 0200 test word ptr ds:[esi],2
00908FB1 EB 03 jmp short 00908FB6
00908FB6 75 47 jnz short 00908FFF
Modified: EB 47 jmp short 00908FFF
00908FB8 EB 02 jmp short 00908FBC
*/
find FixCode1,#891F83C30AE9#            // mov [edi],ebx ; add ebx,0A ; jmp
cmp $RESULT, 0
je NoFind
mov FixCode5,$RESULT
log FixCode5
fill FixCode5, 2, 90                    // NOP "mov [edi],ebx": the address of the 10-byte stub built at ebx
                                        // (see the listing at GoOn1) is no longer stored at [edi];
                                        // presumably [edi] is the IAT slot -- confirm
/*
00909127 891F mov dword ptr ds:[edi],ebx
Modified: 9090 NOP
00909129 83C3 0A add ebx,0A
0090912C E9 49FFFFFF jmp 0090907A
*/
//IsDebuggerPresent!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
// Breakpoint on a "ret" inside IsDebuggerPresent; hitting it later is the
// signal that the import-fixing phase is over (see SpecialImportingFunction).
gpa "IsDebuggerPresent", "KERNEL32.dll"
cmp $RESULT, 0
je NoFind
find $RESULT,#C3#                       // first C3 byte after the entry -- byte search, assumed to be the ret
cmp $RESULT, 0
je NoFind
mov IsDebuggerPresent,$RESULT
eob IsDebuggerPresent
bp IsDebuggerPresent
//SpecialImportingFunction!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
// Locate the four "call [eax+18]" sites of the resolver's switch on [esi+4]
// (listing at GoOn1) plus the SpecialFiXed entry, and break on each.
find FixCode1,#C214008B#                // ret 14 ; mov ...
cmp $RESULT, 0
je NoFind
mov SpecialFiXed,$RESULT
log SpecialFiXed
find FixCode1,#FF501850#                // call [eax+18] ; push eax        (case eax=3)
cmp $RESULT, 0
je NoFind
mov EAX=3,$RESULT
log EAX=3
find EAX=3,#FF5018EB1C#                 // call [eax+18] ; jmp short +1C   (case eax=0)
cmp $RESULT, 0
je NoFind
mov EAX=0,$RESULT
log EAX=0
find EAX=3,#FF5018EB0D#                 // call [eax+18] ; jmp short +0D   (case eax=1)
cmp $RESULT, 0
je NoFind
mov EAX=1,$RESULT
log EAX=1
find EAX=3,#FF5018C603#                 // call [eax+18] ; mov byte [ebx].. (case eax=2)
cmp $RESULT, 0
je NoFind
mov EAX=2,$RESULT
log EAX=2
EAX:
eob SpecialImportingFunction            // every break below is dispatched by SpecialImportingFunction:
bp SpecialFiXed
bp EAX=0
bp EAX=1
bp EAX=2
bp EAX=3
esto
GoOn1:
log eip
esto
/*
Resolver switch as observed by the authors.  Each case calls [eax+18] with a
hash-like constant, then the common tail writes a 10-byte stub at ebx:
"mov eax,<result> ; jmp rel32" (B8 .. / E9 ..) and advances ebx by 0A.  The two
NOPs at 0090918F appear to be the FixCode5 patch already applied.

009090FC 8B46 04 mov eax,dword ptr ds:[esi+4]
009090FF 83F8 00 cmp eax,0
00909102 74 45 je short 00909149
00909104 83F8 01 cmp eax,1
00909107 74 4F je short 00909158
00909109 83F8 02 cmp eax,2
0090910C 74 59 je short 00909167
0090910E 83F8 03 cmp eax,3
00909111 74 12 je short 00909125
00909113 83F8 04 cmp eax,4
00909116 75 CA jnz short 009090E2
00909118 8B45 14 mov eax,dword ptr ss:[ebp+14]
0090911B 8B90 E8000000 mov edx,dword ptr ds:[eax+E8]
00909121 8917 mov dword ptr ds:[edi],edx
00909123 EB BD jmp short 009090E2
00909125 8B45 14 mov eax,dword ptr ss:[ebp+14]
00909128 68 C5B1662D push 2D66B1C5
0090912D 6A 00 push 0
0090912F FF50 18 call dword ptr ds:[eax+18]
00909132 50 push eax
00909133 53 push ebx
00909134 E8 98020000 call 009093D1
00909139 53 push ebx
0090913A E8 19020000 call 00909358
0090913F 8BCB mov ecx,ebx
00909141 8D5C03 01 lea ebx,dword ptr ds:[ebx+eax+1]
00909145 8BC1 mov eax,ecx
00909147 EB 2B jmp short 00909174
00909149 8B45 14 mov eax,dword ptr ss:[ebp+14]
0090914C 68 0F1ACF4C push 4CCF1A0F
00909151 6A 00 push 0
00909153 FF50 18 call dword ptr ds:[eax+18]
00909156 EB 1C jmp short 00909174
00909158 8B45 14 mov eax,dword ptr ss:[ebp+14]
0090915B 68 A41A86D0 push D0861AA4
00909160 6A 00 push 0
00909162 FF50 18 call dword ptr ds:[eax+18]
00909165 EB 0D jmp short 00909174
00909167 8B45 14 mov eax,dword ptr ss:[ebp+14]
0090916A 68 E313B41D push 1DB413E3
0090916F 6A 00 push 0
00909171 FF50 18 call dword ptr ds:[eax+18]
00909174 C603 B8 mov byte ptr ds:[ebx],0B8
00909177 8943 01 mov dword ptr ds:[ebx+1],eax
0090917A 8B45 14 mov eax,dword ptr ss:[ebp+14]
0090917D 8B90 A4010000 mov edx,dword ptr ds:[eax+1A4]
00909183 8D43 0A lea eax,dword ptr ds:[ebx+A]
00909186 2BD0 sub edx,eax
00909188 C643 05 E9 mov byte ptr ds:[ebx+5],0E9
0090918C 8953 06 mov dword ptr ds:[ebx+6],edx
0090918F 90 nop
00909190 90 nop
00909191 83C3 0A add ebx,0A
00909194 E9 49FFFFFF jmp 009090E2
00909199 55 push ebp
0090919A 8BEC mov ebp,esp
0090919C 83EC 04 sub esp,4
0090919F 53 push ebx
009091A0 56 push esi
009091A1 57 push edi
009091A2 EB 04 jmp short 009091A8
*/
SpecialImportingFunction:
log eip
cmp eip,EAX=0
je Luck
cmp eip,EAX=1
je Luck
cmp eip,EAX=2
je Luck
cmp eip,EAX=3
je Luck
cmp eip,SpecialFiXed
je SpecialFiXed
cmp eip,SpecialFiXedOver
je IsDebuggerPresent                    // reaching SpecialFiXedOver ends the phase, same as IsDebuggerPresent
cmp eip,IsDebuggerPresent
je IsDebuggerPresent
jmp GoOn1                               // unexpected stop: keep running
Luck:
// At one of the "call [eax+18]" sites: step into the callee, temporarily turn
// its "test eax,eax / jmp" into "mov [edi],eax / jmp" so EAX is stored at [EDI]
// for this one call, then restore the bytes when the call returns.
mov temp,eip
bc temp
add temp,3                              // return address = this 3-byte call + 3
eob temp                                // NOTE: eob now targets label temp:, which re-dispatches any other stop
bphws temp, "x"                         // hardware execute breakpoint on the return address
sti                                     // step into the callee
find eip,#FF5354EB04????????85C0EB#     // call [ebx+54] ; jmp short +4 ; 4 bytes ; test eax,eax ; jmp
cmp $RESULT, 0
je NoFind
mov FixCode6,$RESULT
log FixCode6
add FixCode6,9                          // -> the "test eax,eax"
mov [FixCode6],#8907EB#                 // test eax,eax -> mov [edi],eax
esto
temp:
cmp eip,temp
jne SpecialImportingFunction            // a different breakpoint fired first: dispatch normally.
                                        // NOTE(review): the hw breakpoint and the FixCode6 patch stay in place on that path
bphwc temp
mov [FixCode6],#85C0EB#                 // restore test eax,eax
jmp GoOn1
SpecialFiXed:
bc SpecialFiXed
sti
find eip,#33C0EB02#                     // xor eax,eax ; jmp short +2
cmp $RESULT, 0
je NoFind
mov SpecialFiXedOver,$RESULT
log SpecialFiXedOver
bp SpecialFiXedOver
jmp GoOn1
IsDebuggerPresent:
// Import-fixing phase over: drop the phase breakpoints and fall through to Final.
bc SpecialFiXedOver
bc IsDebuggerPresent
bc EAX=0
bc EAX=1
bc EAX=2
bc EAX=3
MSG "Fixed ImportTable. There is some Special API need Handed Repaired. "
//DecodeFinal!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
// Final decode stage: break just past a "cmp/sub r/m,imm8 ; jne rel32" pair
// found from 2600h bytes into the last section, then run to that routine's return.
Final:
bc SpecialFiXedOver
log LastSectionVA                       // assumed to be set by Get.eXe.PE.Information.osc -- confirm
mov temp,LastSectionVA
add temp,2600
find temp,#83????0F85#                  // 83 xx xx (grp1 r/m,imm8) ; 0F85 = jne rel32
cmp $RESULT, 0
je NoFind
add $RESULT,9                           // 3-byte grp1 + 6-byte jne
mov DecodeFinal,$RESULT
log DecodeFinal
eob DecodeFinal
bp DecodeFinal
esto
GoOn2:
esto
DecodeFinal:
cmp eip,DecodeFinal
jne GoOn2
bc DecodeFinal
rtr                                     // run until the current routine returns
sti
//JmpEDI!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
// Find the "jmp edi ; jmp short" trampoline on the current page and break on it.
mov temp,eip
and temp,0FFFF000                       // page base. NOTE(review): mask is 0x0FFFF000 (7 digits), so bits 28-31
                                        // are cleared too -- harmless for the 009xxxxx addresses in the listings,
                                        // wrong for higher load addresses
log temp
find temp,#FFE7EB#                      // jmp edi ; jmp short
cmp $RESULT, 0
je NoFind
log $RESULT
eob JmpEDI
bp $RESULT                              // $RESULT doubles as the breakpoint address from here on
esto
GoOn3:
esto
JmpEDI:
cmp eip,$RESULT
jne GoOn3
bc $RESULT
sti                                     // execute the jmp edi
//StolenOEPCode!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
// EDX after "add edx,[esi+10]" is taken as the stolen OEP; the script then
// runs to the protector's "popad" and reports the value.
find eip,#035610EB02#                   // add edx,[esi+10] ; jmp short +2
cmp $RESULT, 0
je NoFind
/*
0090C237 0356 10 add edx,dword ptr ds:[esi+10]
0090C23A EB 02 jmp short 0090C23E
*/
add $RESULT,3                           // break right after the add
eob CountOEP
bp $RESULT
esto
CountOEP:
bc $RESULT
mov StolenOEP,edx
find eip,#61EB#                         // popad ; jmp short
cmp $RESULT, 0
je NoFind
/*
0090C25A 61 popad
0090C25B EB 04 jmp short 0090C261
*/
eob StolenOEP
bp $RESULT
esto
StolenOEP:
bc $RESULT
mov temp,eip
cmt temp,"Fixed ImportTable. "          // OllyDbg comments left at the stop address for the analyst
inc temp
cmt temp,"There is some Special API need Handed Repaired. "
/*
0090C06E E9 2A53AFFF jmp 0040139D
0090C073 EB 04 jmp short 0090C079
*/
find eip,#E9????????EB#                 // jmp rel32 ; jmp short -- the jump into the stolen-OEP code
log $RESULT                             // NOTE(review): $RESULT is not checked against 0 before the cmt below
cmt $RESULT, "Jump StolenOEP ! Found by heXer & fly "
//GameOver!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
eval " OEP/Stolen= {StolenOEP} ! Plz Watch Stack to Fix StolenOEPCode and Dump and Fix IT + SDK !"
MSG $RESULT
ret
NoFind:
MSG "Error! Don't find. Maybe It's not Obsidium V1.3.0.0-V1.3.0.4 ! "
ret
Only Win2K/XP:
MSG "Error! This Script only Run on the Win2K.SP4/WinXP.SP2 ! "
ret
TryAgain:
MSG " Plz Try Again ! "
ret