Question with Obsidium
Information
May 28th, 2003, 23:34
This protector is a new one but most interesting!
The code encryption and import encryption are very useful and hard to break.
Code: it separates the original code into several small pieces of code.
Import table: scans strings and does not use the GetProcAddress API.
My question is that bpm breakpoints (hardware breakpoints) and memory breakpoints (cc) can be detected.
How can I trace such things?
I hope this does not overrun the rules of the forum.
Zilot
May 29th, 2003, 02:25
What program ?
be more precise.
Information
May 29th, 2003, 02:43
You will find this interesting protector!
The author states:
"Obsidium is a software protection system that was designed as an affordable and easy to implement yet reliable way to protect your software applications from unauthorized modifications (i.e. "cracking"). It is mainly aimed at shareware programmers and companies who would like to provide evaluation versions of their applications. Key features include encryption and compression of application code and data, counter-measures against common attacks, protection SDK, public key licensing system."
There is a download version to play with.
Regards,
Shoob
May 29th, 2003, 05:40
Seems like it works with the keygen.dll (which is packed with upx) and the tmlib.dll which is needed for the APIs?
For the Protector and packed exe files, he only accesses the main code one time from the ole32.dll, then no more. The whole process is processed by the tmlib.dll hook dll <-> goto main, but in packed programs you can easily access the main code after some bytes. Example:
Normal :
01012420 > $ 55 PUSH EBP
01012421 . 8BEC MOV EBP,ESP
01012423 . 6A FF PUSH -1
01012425 . 68 20160001 PUSH calc.01001620
0101242A . 68 80270101 PUSH <JMP.&MSVCRT._except_handler3> ; SE handler installation
0101242F . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
01012435 . 50 PUSH EAX
01012436 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0101243D . 83C4 98 ADD ESP,-68
01012440 . 53 PUSH EBX
01012441 . 56 PUSH ESI
01012442 . 57 PUSH EDI
01012443 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
01012446 . C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
0101244D . 6A 02 PUSH 2
0101244F . FF15 B8100001 CALL DWORD PTR DS:[<&MSVCRT.__set_app_ty>; msvcrt.__set_app_type
Decrypted:
01012420 4F DEC EDI
01012421 94 XCHG EAX,ESP
01012422 96 XCHG EAX,ESI
01012423 49 DEC ECX
01012424 5E POP ESI
01012425 99 CDQ
01012426 F0:8325 A5ABC4D>LOCK AND DWORD PTR DS:[DAC4ABA5],32
0101242E C7C1 0C611232 MOV ECX,3212610C
01012434 6382 FAF525F7 ARPL DWORD PTR DS:[EDX+F725F5FA],EAX
0101243A 6365 63 ARPL DWORD PTR SS:[EBP+63],ESP
0101243D FF21 JMP DWORD PTR DS:[ECX]
0101243F E7 16 OUT 16,EAX
01012441 98 CWDE
01012442 78 47 JS SHORT kalk.0101248B
01012444 A2 0933E288 MOV BYTE PTR DS:[88E23309],AL
01012449 AD LODS DWORD PTR DS:[ESI]
0101244A A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
0101244B EB 2A JMP SHORT kalk.01012477
0101244D C5CC LDS ECX,ESP ; Illegal use of register
0101244F FF15 B8100001 CALL DWORD PTR DS:[10010B8]
<- first real access on main code !
...
...
So the only problems are:
1. Find OEP
2. Replace first 2Fh bytes of OEP
3. Restore IAT (seems the hard way because they are stored in tmlib.dll)
Zilot
May 29th, 2003, 05:44
Quote:
google search "Obsidium"
you will find this interesting protector!
Quote:
my question is that bpm breakpoints (hardware breakpoints) and memory breakpoints (cc) can be detected.
how can i trace such things?
google search:
--->how can i trace such things?<------
Gaia
May 29th, 2003, 11:15
Obsidium uses stolen techniques (without credits) from Daemon page. Bad idea Martin
Gaia
Information
May 29th, 2003, 19:54
to Soldat:

Sorry for the google search "XXX", but the forum doesn't allow direct links so I did it this way. Maybe it made you angry.
Can you tell me how you trace the app using SI? A small note is enough.
thanks.
to gaia:
have you unpacked the app?
can you give me some hints?
Zilot
May 30th, 2003, 04:42
I have no time these days to play with this, but to give you a hint about bpmb.
1. Switch on SuperBpmb and try to run program
2. Close SuperBpmb and notice the difference
Information
June 1st, 2003, 22:01
i have unpacked one.
evaluator
June 4th, 2003, 00:27
2 QUESTIONS
to GAIA:
point me, which one of "stolen techniques" you mean? something newest?
to Information:
>>have unpacked one.
??
So after Soldat suggested you "use SUPERBPMB", you quickly unpacked Obsidium?
Or you unpacked NOTEPAD!?
Information
June 4th, 2003, 01:23
I unpacked the notepad, nice protector.
Before I posted this question I had unpacked notepad; I posted this thread because I want to find a rapid way to unpack it.
After all, there are many advanced reversers on this forum.
Gaia
June 4th, 2003, 04:26
Hi Evaluator,
"Stole" (in quotation marks) --> use techniques/tricks of others without credits
Gaia
evaluator
June 4th, 2003, 17:00
to Information:
thanx for answer.
Major thing i like in this Obsidium is image relocating.
Did you try to unpack relocated exe!? enjoe..
to Gaia:
1. I not asked you, what is "stolen".
I asked: which of "stolen techniques" you meet(mean).
2. Harder Question: how you detect TRUE, ORIGIN AUTHOR of some "technique"??
USA PATENT!?
Zilot
June 5th, 2003, 05:35
Hi !
Nice to see, Eval, that you are interested in this.
So far I concluded next:
1. superBPM is detected and the program will not run (that is what I suggested to Information)
2. He uses the same techniques as Aspr to rip OEP and to make the code where the jump to OEP is land in a different place every time. But the bad thing is that I can't catch how he does that. I tried GetSystemTime, GetLocalTime but nothing. So I'm wondering what is his way to achieve such random managing
3. He uses "Illegal Instruction" UD2 (in this case it is 0f,0b) but it can be any, to hit his own exception handler. That must be because of bpm preserving, I'm not sure. But it seems that in the exception routine he erases the bpm set at the beginning and that is why I couldn't catch the ripped OEP.
If you have (Eval) something or anybody some idea about OEP catching say
regards
Zilot
June 5th, 2003, 07:16
In the mean time I found the way how to locate OEP.
1. Seems that he sets first his own breakpoints and after checks for them, so if there is superBpm switched on he will refuse to run after checking.
2. After checking he erases your bpmb set after that so they thought there was no way to avoid that.
But there is a way, little messy but works. My tactics was next:
1. Load program with Syd's loader and put bpx on ret in VirtualFree. Remember the esp value, with me it was 12ffc4
2. Wait until he breaks on ret in VirtualFree (when he does that it means that his own bpmb check passed and that after that he just erases bpmb)
3. After ret he will be in code and there is a 2-byte jmp; there I locked the program with jmp eip and then switched on SuperBpmb
4. Then put bpmb 12ffc0 w and SI popped at OEP in ripped code, so there is no need for stopping code jumping
evaluator
June 5th, 2003, 14:22
blah!
I located "after-OEP" using my tracer..
& I YET NOT located that stolen bytes(i was lazy)!
I set OEP on that continued instruction & my unpacked prog runs.
Curious!?
Nop.
GUYS! BIG PLEASE!
Don't be mystified by feature called "OEP ripping".
Because this rip for most compilers does nothing.
You MUST activate your pHuntasy & that will do all..
1. Not found ripped code?
Try without it, maybe will run!
2. Not runs? look at same compilered prog..
3. Write you own code ..
etc..etc..etc..
bE happi!
So for remember for future, ripped OEP is not your main Enemy
Work on this target further, there is many another
things beside OEp..
Gaia
June 5th, 2003, 18:52
Evaluator, about stolen tricks:
hxxp://www.obsidium.de/phpbb/viewtopic.php?t=4
And some interesting information: (unpacker)
hxxp://disc.server.com/discussion.cgi?id=203830;article=84
I am making an Imprec plugin for wrapped APIs...
Regards,
Gaia
evaluator
June 6th, 2003, 03:39
GAIA,
there is in german lang, translate..
Zilot
June 6th, 2003, 04:03
Quote:
I located "after-OEP" using my tracer..
& I YET NOT located that stolen bytes(i was lazy)!
I set OEP on that continued instruction & my unpacked prog runs.
Nice, but can you send me your tracer to check its capabilities? I don't remember having seen that before.
You had luck with stolen bytes because there were I think just two instructions
I'm not quite sure (don't remember well) but think they were
push edx
push 00
maybe some more, but just few of them
And OEP was 9b144a in Obsidium packer, and first Api seems is GetModuleHandle, did you get the same Evaluator ?
Quote:
So for remember for future, ripped OEP is not your main Enemy
Not at all, but it can be a very useful friend, because you can know by that where OEP is supposed to be
If you want to send me your tracer
evaluator
June 6th, 2003, 10:35
SOLDAT,
I see, you not trust in my words, when I recommend something???
>>I think just two instruction
NOP! I AM SURE, there must be more!!
Why?
Because I already recommended you(& other):
DETERMINE COMPILER,
FIND SOME EXE,
COMPILED BY SAME COMPILER,
&&& LOOK AT ITS EIP.
Did I say before or no?? Look just 3 replies upper!
Now I ADVISE(!) to you this EXERCISE:
1. DETERMINE COMPILER
2. FIND SOME EXE, COMPILED BY SAME COMPILER
3. LOOK AT ITS EIP & tell me where was true OEP offset+how many instructions ripped
//ye, continued OEP is at XXXX144A
***
about tracer,
OBSIDIUM checks RV by device name..
so if you rename every strings "RvtracerDevice0"
in REVIRGIN.EXE, in TRACER.DLL, in Rvtracer.SYS(here also rename UNICODE string),
you will able use RV for trace, & you will found some tricks..
Gaia
June 6th, 2003, 12:35
Here is an Imprec plugin for Obsidium. Only a few APIs remain invalid after my plugin. These APIs are hooked by Obsidium and need a manual fix
Evaluator, use a translator (altavista)
Yes, Obsidium checks for \\.\RvtracerDevice0 (win2k) in a thread every 1500 ms
Gaia
Zilot
June 7th, 2003, 03:37
Evaluator
I see, you not trust in my words, when I recommend something???
I trust you, and you are right that there are more instructions, but I haven't yet seen such compiled by official compilers. Here they are
mov eax, [00a7208b] (in eax will be 0000000)
shl eax,2
mov [00a7208f],eax ( again nothing--> useless)
push edx
push 00
if you don't believe me try to do what I did.
1. Lock the program after reaching code after ret in VirtualFree
2. Switch on SuperBPM
3. Return in SI and put bpmb 12ffc0 r
you will hit mov eax, [00a7208b], and the rest of code is similar like in other cases packed exes, so I'm 90% sure that is the point where he goes on OEP= 9b144a (after some trace you will reach OEP continued)
Why is it not possible that they wrote the first several bytes in their packer just to look different than usual?
Thanks for the tracer hint, will try to manage that.
Will that work with any packer after that ?
evaluator
June 7th, 2003, 05:28
SOLDAT,
until you not finished YOUR EXERCISE(in all 3 steps),
I am closed for you
PS:
I know, in your PC is at least 1 EXE, same compiler compiled..
bart
June 7th, 2003, 05:37
standard oep from bcc (builder)
Code:
.00401012: A1C3734900 mov eax,[004973C3]
.00401017: C1E002 shl eax,002 ;""
.0040101A: A3C7734900 mov [004973C7],eax
.0040101F: 52 push edx
.00401020: 6A00 push 000
.00401022: E82B490900 call GetModuleHandleA
am i rite?

Zilot
June 7th, 2003, 06:58
Evaluator, don't be angry.
Seems Bart has overcome me in my exercise. You must then give me something more to make you open for further cooperation.
Seems I lack experience with compilers, is that so bad?
I know, in your PC is at least 1 EXE, same compiler compiled..
Hmm, I'm wondering how many files from Winnt dir I have to load to find out that.
bart
June 7th, 2003, 08:02
Quote:
Hmm, I'm wondering how many files from Winnt dir I have to load to find out that
you wont find any bcc file in your winnt directory, guess why

(except uninstallers)
I believe what our Musician Friend is trying to tell you is that the different compilers for Windows programs have "patterns" at OEP which can be "recognized" for RCE purposes. Many of the "automatic pilot" OEP finder-Dumper programs search for these "patterns" to find the "OEP."
Protection programmers, recognizing that RCE's use these "patterns" to locate the "OEP," try different methods to "confuse" or "disguise" that code so "dumpers" and the unschooled can't locate this point as easily. If you've read some of +Spl/\j's discussions you will recall discussion of "signature bytes." These are "patterns" that identify that the "protector" is about to, or has, jumped to the OEP.
Ripping generally means that the protector has taken a piece of the compiler-specific code that represents "OEP" and has moved part of it somewhere else to confuse the "innocent." But the "fact" remains that the program, compiled by a specific compiler, needs that piece of code to "hit the starter button," to use an automotive analogy.
The protector can "steal" a few of the bytes of this "starter" and move them somewhere else in its own code (or maybe even an attached dll) and jump back to the "target," or it could execute the entire "starter" and jump back to the following code. Maybe they get really clever and write some different "looking" code that does the same thing as the "original."
Now if you have studied various compiler-specific code for OEP and are looking at a "target" and see "part" of the code for a specific compiler's OEP, do you not then "already" know what the "missing" bytes need to be? So Eval suggests you might "write your own," as in "jump somewhere," create your own damn OEP code, filling in your own knowledge of the "missing bytes," and then "jump back" to the code that comes next.
Now, granted, this may be a hell of a lot more work in the beginning than having someone else "tell" you, here, or in a "dumper," where the OEP is and what it needs to contain (i.e. "missing bytes"), but then, when the protector changes the technique again, "you" are screwed again and "once again" you do not know "Mr. Jack Sh*t."
Eval suggests that there should be other "execs" (i.e. other programs) on your machine that have been compiled by the same compiler, for your studying pleasure. "These" programs are usually NOT protected and you can "look" at the OEP to your heart's content (i.e., study them).
"Impatience" leads to only wanting to solve "this" program "right now." "Patience" leads to acquiring the skills to solve "this" program and most "others" in the future. "Your" choice.
Regards.
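The compiler-pattern idea from the post above, as an added example (not code from the thread or from any tool it mentions): a wildcard signature matcher built from the two unprotected entry-point listings posted here, which also reports how many leading bytes of a stub fail to match. The first two sample buffers are transcribed from those listings; the scrambled one uses constructed filler bytes, and all function names are hypothetical.

```python
from typing import List, Optional, Tuple

# Patterns transcribed from the two unprotected listings in this thread.
# "??" marks bytes that change per build (absolute addresses, call targets).
SIGNATURES = {
    "Borland C++ (bart's bcc listing)":
        "A1 ?? ?? ?? ?? C1 E0 02 A3 ?? ?? ?? ?? 52 6A 00 E8 ?? ?? ?? ??",
    "MSVC (Shoob's calc.exe listing)":
        "55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 "
        "64 89 25 00 00 00 00 83 C4 98 53 56 57 89 65 E8 "
        "C7 45 FC 00 00 00 00 6A 02 FF 15 ?? ?? ?? ??",
}

Pattern = List[Optional[int]]


def parse(sig: str) -> Pattern:
    """Turn 'A1 ?? C1' into [0xA1, None, 0xC1]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def tail_matches(pat: Pattern, data: bytes, skip: int) -> bool:
    """True if data agrees with pat on every fixed byte from offset skip on."""
    if len(data) < len(pat):
        return False
    return all(p is None or p == data[i]
               for i, p in enumerate(pat) if i >= skip)


def identify(entry: bytes) -> Optional[str]:
    """Name of the signature that matches the entry bytes in full, if any."""
    for name, sig in SIGNATURES.items():
        if tail_matches(parse(sig), entry, 0):
            return name
    return None


def partial_match(entry: bytes,
                  min_fixed: int = 2) -> Optional[Tuple[str, int, int]]:
    """Best signature whose tail still matches the entry bytes.

    Returns (name, skip, fixed): the first `skip` bytes differ from the stub
    and `fixed` non-wildcard bytes after them agree. A low `fixed` count is
    weak evidence, so candidates below min_fixed are ignored.
    """
    best = None
    for name, sig in SIGNATURES.items():
        pat = parse(sig)
        for skip in range(len(pat)):
            fixed = sum(p is not None for p in pat[skip:])
            if fixed < min_fixed:
                break
            if tail_matches(pat, entry, skip):
                if best is None or fixed > best[2]:
                    best = (name, skip, fixed)
                break
    return best


# Sample input. The first two buffers are the bytes shown in the listings;
# SCRAMBLED is constructed: 0x2F filler bytes followed by the intact CALL.
BCC_ENTRY = bytes.fromhex("A1C3734900 C1E002 A3C7734900 52 6A00 E82B490900")
MSVC_ENTRY = bytes.fromhex(
    "55 8BEC 6AFF 6820160001 6880270101 64A100000000 50 64892500000000"
    "83C498 53 56 57 8965E8 C745FC00000000 6A02 FF15B8100001")
SCRAMBLED = bytes([0xAA]) * 0x2F + MSVC_ENTRY[0x2F:]

if __name__ == "__main__":
    for label, buf in (("bcc", BCC_ENTRY), ("msvc", MSVC_ENTRY),
                       ("scrambled", SCRAMBLED)):
        print(label, identify(buf), partial_match(buf))
```

For the scrambled buffer only two fixed bytes (the `FF 15` of the call) agree, so the result is a hint about which stub to compare against rather than a confident identification.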
Zilot
June 8th, 2003, 10:29
http://images.bravenet.com/brpics/smilie/surprise.gif
evaluator
June 8th, 2003, 15:27
SOLDAT,
don't look at bart, yet you have chance!
search for that one EXE, >1mb..(why in \winnt??)
Zilot
June 9th, 2003, 04:10
Now I'm serious
Don't have time for two more days because of faculty obligations
But as soon as I finish with that I will continue to play with this
I started to rebuild IAT and in the first try found about 49 APIs; the patch I wrote in memory didn't handle calls through memory so I failed to catch all of them. But will continue to play around.
Especially am interested because of code relocation and almost whole exe rebuilding manually
So will ask for help if I fail somewhere
Zilot
June 9th, 2003, 10:28
Gaia !
Your plug doesn't work on win2K (with unpacking obs packer). Did you plan it in that direction or ........
^DAEMON^
June 10th, 2003, 04:04
quite nice discussion you started here... i like it
probably (when i feel it's time to... (this can take a few months (years ?))) we'll release the unpacker for it...
obsidium is a quite cool protection system, the author deserves the money (guess he invested really much time in this project it)
^DAEMON^
Gaia
June 10th, 2003, 09:48
Hi Soldat
My OS is win2k(SP3) and the plugin works perfectly. Have you indicated the IAT RVA in Imprec correctly?
Gaia
Zilot
June 11th, 2003, 09:26
I'm pretty sure about IAT
was on A85000 (685000 RVA). And now I'm confused a bit.
When I wrote a patch as I said I found only several APIs, will improve my patch.
If you wanna see here is semi-resolved IAT
Zilot
June 11th, 2003, 11:54
Gaia !
I was wrong about your plug
It works (I realized it later) but should be used one by one entry in IAT
I don't know how you managed that, but there are entries where, when you use the plug, the program will terminate.
And that's why I thought it doesn't work: firstly I selected all invalids and then, because there is one "unresolvable" API at the beginning, I concluded wrong.
What's with those APIs? Some of them I found through patching (will attach that patch when I solve calls through memory; now it manages only direct calls and half of redirected APIs are resolved after this)
Do you force calls in IAT and in that way find APIs, or do you do it differently? If you want, send me source.
In regular work he overwrites calls with redirecting jumps addresses with original ones, maybe this was the problem with several unresolved APIs, and the program blockade after plugging
Gaia
June 11th, 2003, 17:08
See your pm Soldat
Gaia
evaluator
June 12th, 2003, 01:13
every last thunk in each DLL imports is..
debug it..
Zilot
June 13th, 2003, 05:59
Gaia I improved your resolver
with several emulated APIs, and the rest of them (1 or 2) are emulated too, but it didn't match the concept previously adopted so they can't be resolved yet (I sent you a source and hope you don't mind because I attached this dll here, without your permission)
one of them in Kernel32 is FreeResource (easy to be caught by name)
xor eax, eax
ret 4
and the other one is emulated too, but I didn't trace for it
I didn't understand you well about hooking by Obsidium several unresolved APIs. What did you mean?
Evaluator
I'm waiting for your opinion or critics. I hope now I don't have to do my exercise about compiler, but if you are still unsatisfied then must do
Zilot
June 17th, 2003, 10:07
Evaluator !
I have question for you. Till now I haven't buckled with unpacking Obsidium, just with API redirection.
How did you solve IAT rebuilding
I attached Region009B0000-00A88000.dmp (I'm not sure if this was the only section to be attached, but just to try out)
From last dumped section in OBsDumped.exe to RVA 6B0000 I added zero filled section, after that I attached Region009B0000-00A88000.dmp. Then tried to add in usual way with ImpRec resolved IAT, but he didn't want to correct jmps to last added section by ImpRec.
All jumps stayed as before, to previous IAT generated by Obsidium.
Then tried just to replace redirected bytes like 7exxxx in correct bytes (API pointers) with option in ImpRec "Create New Iat " disabled, and RVA 685000 as you have when file is packed.
But he did something well, but some locations were full of junks. ??? Also screwed dll names in names part ?
evaluator
July 31st, 2003, 20:41
mostly i'm not imprec user.
sometimes, for be more sure in correctness,
i use it for compare results.
yep, attachments not works. later..
Zilot
July 31st, 2003, 21:26
Long time has passed !!
Thanks friend for the reply. After my question I succeeded to fix everything, IAT and to solve the problem with relocation.
I can send you the fixed version, I succeeded to remove the ugly message on every packed program about packed with Demo Version of Obsidium.
If you want mail me on , of course if you hadn't time to fix it by yourself.
Regards
evaluator
July 31st, 2003, 21:41
congratz!
But in all aspects you solve?
Test this:
produce some key in Obsi, then open
its registration form, paste key here.
Look what happens.
Shoob
July 31st, 2003, 23:29
wb guys
Code:
00686268 55 PUSH EBP
00686269 EB 02 JMP SHORT 0068626D
0068626D 8BEC MOV EBP,ESP
0068626F EB 02 JMP SHORT 00686273
00686273 6A FF PUSH -1
00686275 EB 02 JMP SHORT 00686279
00686279 68 88180001 PUSH 1001888
0068627E EB 02 JMP SHORT 00686282
00686282 68 D0650001 PUSH 10065D0
00686287 EB 04 JMP SHORT 0068628D
0068628D 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00686293 EB 01 JMP SHORT 00686296
00686296 50 PUSH EAX
00686297 EB 01 JMP SHORT 0068629A
0068629A 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
006862A1 EB 03 JMP SHORT 006862A6
006862A6 83C4 98 ADD ESP,-68
006862A9 EB 03 JMP SHORT 006862AE
006862AE 53 PUSH EBX
006862AF EB 01 JMP SHORT 006862B2
006862B2 56 PUSH ESI
006862B3 EB 03 JMP SHORT 006862B8
006862B8 57 PUSH EDI
006862B9 EB 04 JMP SHORT 006862BF
006862BF 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
006862C2 EB 04 JMP SHORT 006862C8
006862C8 C745 FC 0000000>MOV DWORD PTR SS:[EBP-4],0
006862CF EB 03 JMP SHORT 006862D4
006862D4 6A 02 PUSH 2
006862D6 EB 04 JMP SHORT 006862DC
after tracing my protected app a bit i saw that the "stolen bytes" are processed before returning to oep (like old aspr) so if you subtract 2f bytes from EP and insert the stolen bytes without the jmps you have your OEP

not new news for everybody but cheers
Zilot
August 1st, 2003, 06:43
Quote:
But in all aspects you solve? Test this: produce some key in Obsi, then open its registration form, paste key here.
No I didn't try anything with keys. What happens there with that?
My version of Obsidium was attached on www.wasm.ru, and I signed as Zilot there. Dunno if is still there.
evaluator
August 1st, 2003, 08:19
> What happends there with that?
Do that & you will see.
PS. seems search function not works in that forum, so not found your..
make direct link to thread.
Zilot
August 2nd, 2003, 01:41
NO there wasn't a thread. It was attached in the tools section. But seems Volodya has deleted it. If you want, leave me your mail and I will send it to you (don't be afraid, I'm not a virus or spam man)
And you want to torture me a little bit with the request to try key functionality. Have no time to play with it, so that's why I asked you to tell me.
Is there some new packer? The last I dealt with was ACProtect packer, but again I didn't resolve key managing. Interesting stuff, he has some code ripping like BitArt, but I wrote a patch (code) in memory to put back the old bytes. And he ripped only 5-byte instructions, and then had a table that resembles an IAT redirection table.
Try interesting........
nikolatesla20
August 27th, 2003, 19:45
nice one, ACProtector. I found the 5 byte ripper and wrote an external program to fix my dump. Easy

IAT is simple to recover with ImpREC 1.6. I've unpacked the ACProtect application itself now too.
I DO have to say the byte ripper is a cool idea, but it's been done everywhere already (SafeDisc, etc.)
-nt20
Zilot
August 29th, 2003, 03:58
Tesla, you are right about 5 bytes ripper. I didn't fix dump, but I wrote code into memory before OEP reaching to do that for me. To recover original bytes. So had clear dump.
Attach your program in case to find some application packed with this.
Zilot
nikolatesla20
August 29th, 2003, 11:04
I would rather send it to you privately. Don't need to be helping out protection authors by giving them my information.
-niko20
nikolatesla20
August 29th, 2003, 15:02
You may find this screenshot of information interesting.
Just look at this for a little while and think, and you can probably come up with a way to fix these ripped bytes. My Auto-Fixer was based off of this info.
http://webpages.charter.net/nikolatesla20/ACProtectNotes.gif
-niko20
Zilot
August 30th, 2003, 04:33
Yes that is exactly the way how I managed bytes ripping. I searched for calls and after checking for ff25 I was sure it was right place . I should've saved my asm lines. Anyway you can send me your fixer
And your excuse for not attaching your tool is more than good. For Long time I haven't visited forum, and almost forgotten about curious eyes of protector maker.
nikolatesla20
August 30th, 2003, 10:07
It's written in Visual C, will that be useful to you? I don't use ASM as much because there is no real size/speed increase over plain C code, and C is easier to read.
I'll try and send it soon.
-niko20
Zilot
August 30th, 2003, 11:43
Of Course will be interesting,
do you make your programs in Object Oriented manner, or in procedural?
nikolatesla20
August 30th, 2003, 13:44
for projects such as this, I use procedural.
nikolatesla20
August 30th, 2003, 15:32
Here's the code
This is all manually set up. In my unpacker its ALL automatic now, using code similar to this.
You have to enter hardcoded values and recompile for now, this was my test project (although it does work)
-nt20
Shoob
August 30th, 2003, 16:38
Works very good

after i got no answer from you i thought you was gone

thanks for sharing your source, makes life easier.
Zilot
September 1st, 2003, 12:43
Thanks Tesla.
Will see it later
volodya
September 1st, 2003, 21:23
Zilot, my friend, glad to see you and thanks for your help with linked lists. Concerning your question about Obsidium on wasm. It is still there, I didn't remove it. You are able to find it at
hxxp://www.wasm.ru/toollist.php?list=12
BTW, interesting topic. I'm watching it with pleasure.
Zilot
September 3rd, 2003, 02:44
Batchushka ?
volodya
September 3rd, 2003, 10:14
Exactly, the believer in aliens

Zilot
September 4th, 2003, 04:17
http://smilies.sofrayt.com/%5E/u/grdmartien.gif http://smilies.sofrayt.com/%5E/u/alieneyesa.gif http://smilies.sofrayt.com/%5E/u/faga.gif http://smilies.sofrayt.com/%5E/u/ptitmartien.gif
dELTA
September 4th, 2003, 07:16
Ok guys, get a room... Or at least take it to the off-topic forum or PM.
dELTA