Obsidium protection scheme as a target!
Hi all,
Nowadays I am looking for a trick to set HWBPs on an Obsidium-protected target! It clears HWBPs! When using ProtectDRX in Phantom it detects the debugger. It seems that Obsidium detects the KiUserExceptionDispatcher routine patch. Any idea to bypass this, or an alternate trick? :) Sincerely.
ScyllaHide plugin for Olly2?
@sendersu:
So thanks, I tested it, but the debugger has been detected! None of the ScyllaHide builds for Olly1 or Olly2 work fine with Obsidium! I am using Phantom + StrongOD in Win7 32-bit, and there is no problem except the HWBP protection!
1 Attachment(s)
Yes, Obsidium has a custom way to detect HWBPs. If I remember well, it sets the HWBP to some specific location in the code to trigger the SEH, and the SEH will set some values in memory.
After returning from the SEH, those values will be tested to detect if the HWBPs were modified. If you want to get near the OEP on 4.x targets, you can use this script. It worked on many targets but I don't guarantee that it will always work. Use a hidden Olly, no HWBPs, and start it from the entrypoint.
@mm10121991 can you tell me how, and which plugins to use, to hide Olly from Obsidium?
@mm10121991:
Thanks for your share, but I can't download it! My problem is not reaching the OEP; that is easy, and I wrote a script that can find the stolen OEP opcodes. My problem is rebuilding the IAT in some targets, since I cannot set an HWBP on IAT writes! However, I will try to patch the Obsidium protection layer that detects HWBPs! It may be good if you add an IAT rebuild feature to your script :) @Cyber_Coder: I use the StrongOD and Phantom plugins in a fresh and unchanged Olly to hide from Obsidium! But you should disable the ProtectDRX option in Phantom.
You don't need HWBPs. After reaching the OEP, you just need to trace every redirected jump or call, because there are no direct jumps or calls. Do not use shortcut ways. Trace the code and you will find the places where to catch the redirected API.
http://ge.tt/47K8CN12/v/0 here you will find a few helper scripts to unpack Obsidium 4.x targets. For the IAT script, you have to modify these lines:
Code:
mov iatb, 00B6B1B0 // start of iat
mov iate, 00B6C66C // end of iat
and make EIP point to one of the redirected calls or jumps. Those scripts have worked on many 4.x targets but I don't guarantee they will always work.
My OllyDbg always gets detected; I tried all the hide plugins and no use.
Edit: OK, I got it, it works now. Thx to all.
@mm10121991
Perfect answer! So thanks. The OEP finder script needs some changes to work in Win 7 32-bit: kernel32.dll -> kernelbase.dll, CreateRemoteThread -> CreateRemoteThreadEx. The IAT script needs more changes ;-) @Cyber_Coder: Disable all options in Phantom. Disable AdvEnumModule in StrongOD. It works in Win7 32-bit perfectly.
About CreateThread, you can BP kernel32.CreateThread; it works for me.
ScyllaHide v1.3 should work with Obsidium on plain Olly v1 (or show me a target that doesn't work).
https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide_v1.3fix_Olly1.rar You need to ignore the exceptions.
Fail, my OllyDbg crashes.
Quote:
Target: DP Animation Maker. Use a fresh copy of the original Olly and Phantom + StrongOD. But "ScyllaHide_v1.3fix_Olly1" fails and the debugger gets detected!: Click Here!
@Mr.reCoder thx, you are great.
I tested ScyllaHide on Windows XP and Windows 7 32-bit. Everything works fine.
ScyllaHide on Win 7 64-bit doesn't work :( Obsidium is really an anti-debug hell. It uses these: OutputDebugStringA, Illegal Instruction Exception, EnumWindows, NtQuerySystemInformation, NtQueryInformationProcess, NtClose, PEB. OutputDebugStringA is one of the last checks... something is missing on Windows x64.... Does somebody have any idea?
No my friend, it should work fine.
I tested it here (Win 7.0 x64) with these options: hxxp://s000.tinyupload.com/?file_id=55501563102665112295 Maybe your antivirus makes some trouble.
@ahmadmansoor can you share your "exetools ollydbg"?
Obsidium is fun to unpack if you have a lot of time... crypted calls, sometimes direct calls to APIs. Took me a long time the first time...
I don't have much time at the moment, but this is what I found so far:
A breakpoint on CreateFileW is very good. After some breaks:
Code:
0018FD8C 757A3F66 /CALL to CreateFileW from kernel32.757A3F61
Yeah, this is a hot trick in general... here is the VBox check:
Code:
00383929 83F8 FF CMP EAX,-1
0038392C 74 20 JE 0038394E
Don't let it jump and enjoy less anti-debug.
Hi,
Now I used your tricks to set an HWBP on the IAT and successfully found where the IAT is written. :) See this video! Password: exetools.com. Time to trace! Use Shift-F9 to run! I used Win7-32bit, ScyllaHideOlly1 and a fresh, unchanged copy of Olly. B.R.
On DP Animation Maker
you can restore the IAT with my script; just change the line "je @dx2" to "jne @dx2". Still, you have to do the VM.
@mm10121991 awesome stuff. Can you tell me something about the VM, a short explanation? I don't know what I need to do. I know it's lame to ask you to tell me all, but I wanna learn; Obsidium is hard to unpack. Thx.
calling recovery
Hi,
There is no problem with the IAT. The main problem is VM unvirtualization or decryption. Also, there are changes in how some IAT functions are called, through EDI, ESI, EBX, EBP, like:
Code:
006DF06A MOV ESI,0x5D2C2BD9
Code:
006DF06A MOV ESI,DWORD PTR DS:[0x6F9EB4]
Code:
VAR CONST
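As an added illustration of the two posts above (the IAT range the helper script expects via iatb/iate, and the register-based calls that load either a constant or an IAT slot), here is a small scanner written for this thread; it is not mm10121991's script or Mr.reCoder's script. It decodes only the two MOV forms shown in the thread (MOV r32,imm32 and MOV r32,[disp32]), reports which loads already read from a given IAT range and which still carry a constant that has to be resolved, and runs on a constructed byte sequence built from the two instructions quoted above. The IAT range and the sample code bytes are constructed for the example, not taken from a real target.

```python
"""Scan raw x86-32 code for register loads and sort them by whether they
read an IAT slot. Constructed example for the Obsidium thread; not a
real unpacker. Only MOV r32,imm32 (B8+r) and MOV r32,[disp32] (8B /r with
mod=00, rm=101) are decoded; any other byte is skipped one at a time, so
treat the output as candidates to confirm by tracing, not as ground truth.
"""
import struct

REGS = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

# Constructed sample: the two instructions quoted in the thread, followed
# by a NOP and a CALL ESI (FF D6) that the scanner deliberately skips.
SAMPLE_BASE = 0x006DF065
SAMPLE_CODE = (
    b"\xBE" + struct.pack("<I", 0x5D2C2BD9)          # MOV ESI,0x5D2C2BD9
    + b"\x8B\x35" + struct.pack("<I", 0x006F9EB4)    # MOV ESI,[0x6F9EB4]
    + b"\x90"                                         # NOP
    + b"\xFF\xD6"                                     # CALL ESI
)
# Constructed IAT range (assumption for the example, like iatb/iate in the
# helper script); on a real target take these from the dump.
IAT_START = 0x006F9E00
IAT_END = 0x006FA000


def decode_mov_loads(code, base):
    """Return a list of (va, form, reg, value) for the two MOV forms.

    form is "imm" for MOV r32,imm32 and "mem" for MOV r32,[disp32];
    value is the immediate or the absolute address being read.
    """
    out = []
    i = 0
    n = len(code)
    while i < n:
        op = code[i]
        if 0xB8 <= op <= 0xBF and i + 5 <= n:
            imm = struct.unpack_from("<I", code, i + 1)[0]
            out.append((base + i, "imm", REGS[op - 0xB8], imm))
            i += 5
        elif op == 0x8B and i + 6 <= n and (code[i + 1] & 0xC7) == 0x05:
            # mod=00, rm=101 means a plain disp32 absolute address
            reg = REGS[(code[i + 1] >> 3) & 7]
            disp = struct.unpack_from("<I", code, i + 2)[0]
            out.append((base + i, "mem", reg, disp))
            i += 6
        else:
            i += 1  # not one of the forms we decode; resynchronise
    return out


def classify_loads(code, base, iat_start, iat_end):
    """Tag each decoded load: 'iat-slot' if it reads inside the IAT range,
    'mem-outside-iat' for other memory reads, 'constant' for immediates
    the protector still resolves at runtime."""
    report = []
    for va, form, reg, value in decode_mov_loads(code, base):
        if form == "mem" and iat_start <= value < iat_end:
            kind = "iat-slot"
        elif form == "mem":
            kind = "mem-outside-iat"
        else:
            kind = "constant"
        report.append({"va": va, "reg": reg, "value": value, "kind": kind})
    return report


if __name__ == "__main__":
    for entry in classify_loads(SAMPLE_CODE, SAMPLE_BASE, IAT_START, IAT_END):
        print("%08X %s <- %08X  %s" % (entry["va"], entry["reg"],
                                       entry["value"], entry["kind"]))
```

Running it over the constructed bytes lists the first load as a constant (the value a trace has to resolve into an API address) and the second as an IAT-slot read, which is the form you want every call site to end up in before dumping. On a real dump you would feed the code section bytes and its image base, and set the range to the start and end of the rebuilt IAT.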
1 Attachment(s)
Obsidium unpacking:
1. Use ObsiduimOEP.asm to find the OEP; {Tnx to mm10121991}
2. Use Mr.reCoder's script;
3. Use the attached file; {Mr.reCoder script fixed}
4. Use ObsiduimIATFixer.asm;
5. Enjoy.
The file was unpacked but the VM is not fixed.
Here is some advice.
Instead of manual input of the code base VA:
Quote:
You can also use Universal Import Fixer to find direct calls and fix them.
Quote:
Thanks in advance