Hmily posted on 2011-9-18 18:07

Obsidium 1.x.x Deobfuscator v4.0

Obsidium is a huge fan and has relied on these jump obfuscation techniques forever. Of course now they have VM code. This is somewhat easy to get around using a script. Here is a script I made a while ago for this. You may have to analyze the script commands if it doesn't work, and it should be simple to add new jumps to it if need be.

VAR ep
VAR NumOfBytes
VAR endaddr

CMP $VERSION, "1.82"                              ; checks ODBGScript version
JAE above_ver
MSG "Use ODBGScript v1.82.6 or newer!"
above_ver:

GCI eip, DESTINATION                              ; checks for AV modified EP, fixes if found
CMP $RESULT, 10000000
JB no_av
;MSG "Are you sure this is Obsidium EP. Is your AntiVirus changing the EP?"
BPHWS eip, "x"
EOB above_ver
ERUN
BPHWC eip
no_av:

BC
BPHWC
MOV ep, eip

loop:
    OPCODE ep

    CMP $RESULT_2, 2                              ; checks for invalid opcode
    JNE skip_opcode_fill
    SCMP "EB", $RESULT, 2                        ; checks for short jmp instruction
    JE fix_opcode
    SCMP "73", $RESULT, 2                        ; checks for short jnb instruction
    JE fix_opcode
    SCMP "71", $RESULT, 2                        ; checks for short jno instruction
    JE fix_opcode
    SCMP "74", $RESULT, 2                        ; checks for short je instruction
    JE fix_opcode
    JMP skip_opcode_fill

fix_opcode:
    MOV eax, [ep]                                 ; dword at ep: opcode byte + rel8 displacement (operand missing in the posted copy, restored from the SHR/MOV cl usage below)
    SHR eax, 8                                    ; drop the opcode byte, al now holds the displacement
    XOR ecx, ecx
    MOV cl, al
    ADD ecx, 2                                    ; length of the jump (2) + the bytes it skips

    FILL ep, ecx, 90                              ; overwrite the jump and the junk with nops
    ADD ep, ecx
    JMP loop

skip_opcode_fill:

    SCMP $RESULT_1, "??", 2
    JE end_loop

    ADD ep, $RESULT_2
    JMP loop


end_loop:

MOV endaddr, ep

/********************************************* SCAN and LABEL **********************************************/

MOV ep, eip

loop2:
    OPCODE ep
    SCMP "90", $RESULT, 1                ; check for nop instruction
    JNE another_nop
    SCMP "E8", $RESULT, 1                ; check for call instruction
    JE label_instruction
    SCMP "E9", $RESULT, 1                ; check for jmp instruction
    JE label_instruction
    SCMP "0F87", $RESULT, 2                ; check for ja instruction
    JE label_instruction
    SCMP "0F85", $RESULT, 2                ; check for jnz instruction
    JE label_instruction
    SCMP "0F86", $RESULT, 2                ; check for jbe instruction
    JE label_instruction
    SCMP "0F84", $RESULT, 2                ; check for je instruction
    JE label_instruction
    SCMP "0F83", $RESULT, 2                ; check for jnb instruction
    JE label_instruction
    JMP another_nop

label_instruction:
    ; empty in the posted version: nothing is labelled here, execution falls through to another_nop

another_nop:
    ADD ep, $RESULT_2
    CMP ep, endaddr
    JAE scan_done
    JMP loop2

scan_done:

RET
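As an added illustration (not part of Hmily's post and not the script author's code), here is the same logic in Python over a constructed byte buffer instead of a live debugger session. The first function mirrors the script's first pass: walk forward from the entry point, and whenever one of the recognised short jumps (EB jmp, 73 jnb, 71 jno, 74 je) is met, overwrite the jump and the bytes it skips with 0x90, exactly what `FILL ep, ecx, 90` with `ecx = displacement + 2` does. The second function mirrors the scan of the second pass, listing the call/jmp/jcc instructions left between the entry point and the end address. Two things are assumptions of this example: the tiny `insn_length` decoder only knows the opcodes used in the sample (the debugger's OPCODE command does that job in the real script), and the guard that skips backward short jumps is added here, the posted script has none.

```python
# Added example, not part of the original post: the ODbgScript's two passes
# re-implemented over a constructed byte buffer instead of a live debugger.
NOP = 0x90
# The short (rel8) jumps the script NOPs out: jmp, jnb, jno, je.
SHORT_JUMPS = {0xEB: "jmp", 0x73: "jnb", 0x71: "jno", 0x74: "je"}
# Control-flow opcodes the script's second pass tests for (E8/E9 and 0F 8x jcc).
NEAR_FLOW = {0xE8: "call", 0xE9: "jmp"}
JCC_REL32 = {0x87: "ja", 0x85: "jnz", 0x86: "jbe", 0x84: "je", 0x83: "jnb"}


def insn_length(buf, off):
    """Length of the instruction at buf[off], or None when the opcode is unknown.
    Assumption: a toy decoder that only knows the opcodes in the sample; in the
    real script the debugger's OPCODE command supplies this as $RESULT_2."""
    op = buf[off]
    if op == NOP or 0x50 <= op <= 0x5F:            # nop, push/pop r32
        return 1
    if op in SHORT_JUMPS:                            # jmp/jcc rel8
        return 2
    if 0xB8 <= op <= 0xBF or op in NEAR_FLOW:        # mov r32, imm32 / call / jmp rel32
        return 5
    if op == 0x0F and off + 1 < len(buf) and buf[off + 1] in JCC_REL32:
        return 6                                     # jcc rel32
    return None                                      # OPCODE would report "???"


def nop_out_short_jumps(code, ep=0):
    """First pass (loop / fix_opcode / skip_opcode_fill): walk forward from ep and
    replace every recognised short forward jump, together with the bytes it
    skips, by NOPs. Returns (patched bytes, end address, [(addr, count), ...])."""
    buf = bytearray(code)
    fills = []
    pos = ep
    while pos < len(buf):
        op = buf[pos]
        if op in SHORT_JUMPS and pos + 1 < len(buf):
            disp = buf[pos + 1]              # rel8 byte: SHR eax, 8 / MOV cl, al
            if disp > 0x7F:                  # backward jump: guard added here, the script has none
                pos += 2
                continue
            count = min(disp + 2, len(buf) - pos)          # ADD ecx, 2: the jump plus the junk
            buf[pos:pos + count] = bytes([NOP]) * count    # FILL ep, ecx, 90
            fills.append((pos, count))
            pos += count                     # ADD ep, ecx
            continue
        length = insn_length(buf, pos)
        if length is None:                   # SCMP $RESULT_1, "??" -> end_loop
            break
        pos += length                        # ADD ep, $RESULT_2
    return bytes(buf), pos, fills


def scan_control_flow(buf, ep, endaddr):
    """Second pass (loop2): list the call/jmp/jcc instructions left between ep and
    endaddr once the junk is gone, i.e. the places the script's empty
    label_instruction stub would act on. Returns [(addr, mnemonic), ...]."""
    found = []
    pos = ep
    while pos < endaddr:
        op = buf[pos]
        if op in NEAR_FLOW:
            found.append((pos, NEAR_FLOW[op]))
        elif op == 0x0F and pos + 1 < len(buf) and buf[pos + 1] in JCC_REL32:
            found.append((pos, JCC_REL32[buf[pos + 1]]))
        length = insn_length(buf, pos)
        if length is None:
            break
        pos += length
    return found


# Constructed sample: three obfuscating short jumps, each followed by junk bytes
# the real code never executes, then an opcode the toy decoder does not know.
SAMPLE = bytes([
    0xEB, 0x03, 0xDE, 0xAD, 0xBE,        # jmp short +3 over 3 junk bytes
    0x50,                                # push eax
    0x74, 0x01, 0xCC,                    # je short +1 over 1 junk byte
    0xB8, 0x78, 0x56, 0x34, 0x12,        # mov eax, 0x12345678
    0x71, 0x00,                          # jno short +0 (skips nothing, still junk)
    0x0F, 0x85, 0x00, 0x00, 0x00, 0x00,  # jnz rel32, kept
    0xE9, 0x00, 0x00, 0x00, 0x00,        # jmp rel32, kept
    0xFF, 0xFF,                          # unknown to the toy decoder: end of scan
])

if __name__ == "__main__":
    patched, end, fills = nop_out_short_jumps(SAMPLE)
    print("filled:", fills, "end:", hex(end))
    print(patched.hex(" "))
    print("control flow:", scan_control_flow(patched, 0, end))
```

Running the block prints the three NOP fills at offsets 0, 6 and 14, an end address of 0x1b, and the two surviving near jumps; the `jno +0` case shows why the script adds 2 rather than using the displacement alone.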

残风恋 posted on 2011-9-18 18:12

Boss!!! What you said is great, but next time could you run this English through Youdao first, please?
Just translating the general meaning would be fine, haha. Well, I know this isn't written for newbies like me,
but at least give me something to hope for and let me understand a thousandth of it.

xie83544109 posted on 2011-9-18 20:09

Can't understand it; bookmarking it for now.

booyd posted on 2012-10-11 22:16

+1, thanks for sharing.