Software name : Obsidium
Version : 1.6.1.9
Release Date : 13-October-2017
Published : 15-October-2017
OS : WinAll
Developer : Obsidium Software
Web-site : www.obsidium.de
Here is my little analysis of Obsidium v1.6.1.9_x32 NO NAG.
Maybe useful for someone...
NO NAG FUNCTION (ENCRYPTED / VM) CODE :
0106CAFC SUB_L0106CAFC:
0106CAFC 686E010000 push 0000016Eh
0106CB01 FF154471A201 call [L01A27144]
0106CB07 7228 jc L0106CB31
0106CB09 102462 adc [edx],ah
0106CB0C L0106CB0C:
0106CB0C 51 push ecx
0106CB0D 12A34764391D adc ah,[ebx+1D396447h]
0106CB13 95 xchg eax,ebp
0106CB14 EE out dx,al
0106CB15 A0A94BD876 mov al,[76D84BA9h]
0106CB1A DABA3FC781EC fidivr dword ptr [edx-137E38C1h]
0106CB20 93 xchg eax,ebx
0106CB21 E56A in eax,6Ah
0106CB23 30BB0EF03D26 xor [ebx+263DF00Eh],bh
0106CB29 93 xchg eax,ebx
0106CB2A 886F3D mov [edi+3Dh],ch
0106CB2D 16 push ss
0106CB2E 58 pop eax
0106CB2F B046 mov al,46h
0106CB31 L0106CB31:
0106CB31 70CA jo L0106CAFD
0106CB33 06 push es
0106CB34 3F aas
0106CB35 6BA807B0C3C723 imul ebp,[eax-383C4FF9h],23h
0106CB3C 30F5 xor ch,dh
0106CB3E 07 pop es
0106CB3F 91 xchg eax,ecx
0106CB40 F1 icebp
0106CB41 F1 icebp
0106CB42 1F pop ds
0106CB43 46 inc esi
0106CB44 17 pop ss
0106CB45 FB sti
0106CB46 3DD75F0812 cmp eax,12085FD7h
0106CB4B 58 pop eax
0106CB4C 16 push ss
0106CB4D 4A dec edx
0106CB4E 7279 jc L0106CBC9
0106CB50 E9 db E9h; '©'
0106CB51 30 db 30h; '0'
0106CB52 E1 db E1h; '¡'
0106CB53 90 db 90h; '?'
0106CB54 A5 db A5h; '?'
0106CB55 89 db 89h; '%'
0106CB56 91 db 91h; '''
0106CB57 L0106CB57:
0106CB57 8C9F34784702 mov [edi+02477834h],ds
0106CB5D 0B7A4E or edi,[edx+4Eh]
0106CB60 B734 mov bh,34h
0106CB62 DD27 frstor [edi]
0106CB64 9E sahf
0106CB65 F5 cmc
0106CB66 7D5F jge L0106CBC7
0106CB68 27 daa
0106CB69 B26F mov dl,6Fh
0106CB6B 5D pop ebp
0106CB6C 93 xchg eax,ebx
0106CB6D EF out dx,eax
0106CB6E F4 hlt
0106CB6F A0B3FB8432 mov al,[3284FBB3h]
0106CB74 L0106CB74:
0106CB74 7BE1 jpo L0106CB57
0106CB76 AC lodsb
0106CB77 4F dec edi
0106CB78 7962 jns L0106CBDC
0106CB7A L0106CB7A:
0106CB7A 8B17 mov edx,[edi]
0106CB7C 57 push edi
0106CB7D 98 cwde
0106CB7E 69 db 69h; 'i'
0106CB7F 55 db 55h; 'U'
0106CB80 DA db DAh; 'š'
0106CB81 7B db 7Bh; '{'
0106CB82 L0106CB82:
0106CB82 7514 jnz L0106CB98
0106CB84 6D insd
0106CB85 7AF3 jpe L0106CB7A
0106CB87 5E pop esi
0106CB88 84DD test ch,bl
0106CB8A A882 test al,82h
0106CB8C 54 push esp
0106CB8D 3328 xor ebp,[eax]
0106CB8F D344B725 rol dword ptr [edi+esi*4+25h],cl
0106CB93 AD lodsd
0106CB94 AF scasd
0106CB95 2D db 2Dh; '-'
0106CB96 14 db 14h;
0106CB97 E8 db E8h; '¨'
0106CB98 L0106CB98:
0106CB98 E4FF in al,FFh
0106CB9A 4C dec esp
0106CB9B B21A mov dl,1Ah
0106CB9D A5 movsd
0106CB9E F3 db F3h; 'ã'
0106CB9F 8E db 8Eh; '?'
0106CBA0 7C db 7Ch; '|'
0106CBA1 D6 db D6h; '–'
0106CBA2 4E db 4Eh; 'N'
0106CBA3 CD db CDh; ''
0106CBA4 A4 db A4h; 'ý'
0106CBA5 7A db 7Ah; 'z'
0106CBA6 2B db 2Bh; '+'
0106CBA7 2D db 2Dh; '-'
0106CBA8 DF db DFh; 'Ÿ'
0106CBA9 61 db 61h; 'a'
0106CBAA 84 db 84h; '"'
0106CBAB B1 db B1h; '+'
0106CBAC 37 db 37h; '7'
0106CBAD 2F db 2Fh; '/'
0106CBAE A8 db A8h; 'ð'
0106CBAF 7B db 7Bh; '{'
0106CBB0 3C db 3Ch; '<'
0106CBB1 24 db 24h; '$'
0106CBB2 2A db 2Ah; '*'
0106CBB3 CC db CCh; 'Œ'
0106CBB4 E5 db E5h; '¥'
0106CBB5 4C db 4Ch; 'L'
0106CBB6 B6 db B6h;
0106CBB7 A0 db A0h; 'ÿ'
0106CBB8 30 db 30h; '0'
0106CBB9 80 db 80h; '?'
0106CBBA C1 db C1h; ''
0106CBBB 5C db 5Ch; '\'
0106CBBC 8E db 8Eh; '?'
0106CBBD 1D db 1Dh;
0106CBBE 08 db 08h;
0106CBBF 84 db 84h; '"'
0106CBC0 CD db CDh; ''
0106CBC1 83 db 83h; '?'
0106CBC2 D0 db D0h; ''
0106CBC3 EA db EAh; 'ª'
0106CBC4 E1 db E1h; '¡'
0106CBC5 7F db 7Fh; ''
0106CBC6 AB db ABh; '<'
0106CBC7 L0106CBC7:
0106CBC7 8A db 8Ah; '?'
0106CBC8 7A db 7Ah; 'z'
0106CBC9 L0106CBC9:
0106CBC9 91 xchg eax,ecx
0106CBCA 8C2C7D95F33691 mov [9136F395h+edi*2],gs
0106CBD1 CE into
0106CBD2 0B5F6A or ebx,[edi+6Ah]
0106CBD5 E09D loopnz L0106CB74
0106CBD7 69 db 69h; 'i'
0106CBD8 0E db 0Eh;
0106CBD9 DC db DCh; 'œ'
0106CBDA 28 db 28h; '('
0106CBDB 11 db 11h;
0106CBDC L0106CBDC:
0106CBDC DE8D4A66AF9A fimul word ptr [ebp-655099B6h]
0106CBE2 L0106CBE2:
0106CBE2 30D8 xor al,bl
0106CBE4 L0106CBE4:
0106CBE4 EE out dx,al
0106CBE5 59 pop ecx
0106CBE6 L0106CBE6:
0106CBE6 7E9A jle L0106CB82
0106CBE8 38D5 cmp ch,dl
0106CBEA BA377F5CD5 mov edx,D55C7F37h
0106CBEF 6F outsd
0106CBF0 4F dec edi
0106CBF1 98 cwde
0106CBF2 47 inc edi
0106CBF3 B88DDE1D5F mov eax,5F1DDE8Dh
0106CBF8 C83AB35B enter B33Ah,5Bh
0106CBFC 3039 xor [ecx],bh
0106CBFE 64C713DA1B91A6 mov dword ptr fs:[ebx],A6911BDAh
0106CC05 E4F3 in al,F3h
0106CC07 641DBD7F283D sbb eax,3D287FBDh
0106CC0D 2BD6 sub edx,esi
0106CC0F AE scasb
0106CC10 BEF4C7379B mov esi,9B37C7F4h
0106CC15 D576 aad 76h
0106CC17 8903 mov [ebx],eax
0106CC19 70C9 jo L0106CBE4
0106CC1B 7AC5 jpe L0106CBE2
0106CC1D 95 xchg eax,ebp
0106CC1E 78C6 js L0106CBE6
0106CC20 35F59B7500 xor eax,L00759BF5
0106CC25 9B wait
0106CC26 36FFB1C75B9D65 push ss:[ecx+659D5BC7h]
0106CC2D 5D pop ebp
0106CC2E F2 db F2h; 'â'
0106CC2F 0A db 0Ah;
0106CC30 10 db 10h;
0106CC31 55 db 55h; 'U'
0106CC32 2E db 2Eh; '.'
0106CC33 9C db 9Ch; '?'
0106CC34 93 db 93h; '"'
0106CC35 73 db 73h; 's'
0106CC36 CF db CFh; ''
0106CC37 6B db 6Bh; 'k'
0106CC38 BE db BEh; '?'
0106CC39 4C db 4Ch; 'L'
0106CC3A BF db BFh; 'õ'
0106CC3B 6A db 6Ah; 'j'
0106CC3C AF db AFh; 'ô'
0106CC3D FC db FCh; 'ì'
0106CC3E 53 db 53h; 'S'
0106CC3F 84 db 84h; '"'
0106CC40 47 db 47h; 'G'
0106CC41 D5 db D5h; '•'
0106CC42 90 db 90h; '?'
0106CC43 96 db 96h; '-'
0106CC44 2A db 2Ah; '*'
0106CC45 04 db 04h;
0106CC46 6D db 6Dh; 'm'
0106CC47 A4 db A4h; 'ý'
0106CC48 EF db EFh; '¯'
0106CC49 BB db BBh; '>'
0106CC4A A8 db A8h; 'ð'
0106CC4B 04 db 04h;
0106CC4C 44 db 44h; 'D'
0106CC4D FE db FEh; 'î'
0106CC4E B0 db B0h; 'ø'
0106CC4F 64 db 64h; 'd'
0106CC50 64 db 64h; 'd'
0106CC51 FF db FFh; 'ï'
0106CC52 76 db 76h; 'v'
0106CC53 C1 db C1h; ''
0106CC54 80 db 80h; '?'
0106CC55 16 db 16h;
0106CC56 E8 db E8h; '¨'
0106CC57 11 db 11h;
0106CC58 D9 db D9h; '™'
0106CC59 2C db 2Ch; ','
0106CC5A 1E db 1Eh;
0106CC5B 9D db 9Dh; '?'
0106CC5C AB db ABh; '<'
0106CC5D 27 db 27h; '''
0106CC5E 3A db 3Ah; ':'
0106CC5F 3D db 3Dh; '='
0106CC60 D9 db D9h; '™'
0106CC61 D0 db D0h; ''
0106CC62 CE db CEh; 'Ž'
0106CC63 86 db 86h; 'Å'
0106CC64 15 db 15h;
0106CC65 D2 db D2h; '’'
0106CC66 29 db 29h; ')'
0106CC67 2C db 2Ch; ','
0106CC68 92 db 92h; '''
0106CC69 1B db 1Bh;
0106CC6A 3A db 3Ah; ':'
0106CC6B 94 db 94h; '"'
0106CC6C AC db ACh; '¿'
0106CC6D 2E db 2Eh; '.'
0106CC6E 52 db 52h; 'R'
0106CC6F 32 db 32h; '2'
0106CC70 B7 db B7h; 'ú'
0106CC71 97 db 97h; '-'
0106CC72 66 db 66h; 'f'
0106CC73 96 db 96h; '-'
0106CC74 78 db 78h; 'x'
0106CC75 SUB_L0106CC75:
0106CC75 686E010000 push 0000016Eh
0106CC7A FF154C71A201 call [L01A2714C]
0106CC80 C3 retn
DECRYPTED CODE:
0106CAFC SUB_L0106CAFC:
0106CAFC EB09 jmp L0106CB07
0106CAFE 90 db 90h; '?'
0106CAFF 90 db 90h; '?'
0106CB00 90 db 90h; '?'
0106CB01 90 db 90h; '?'
0106CB02 90 db 90h; '?'
0106CB03 90 db 90h; '?'
0106CB04 90 db 90h; '?'
0106CB05 90 db 90h; '?'
0106CB06 90 db 90h; '?'
0106CB07 L0106CB07:
0106CB07 58 pop eax
0106CB08 FFE0 jmp eax
0106CB0A 8BC0 Align 4
0106CB0C L0106CB0C:
0106CB0C 55 push ebp
0106CB0D 8BEC mov ebp,esp
0106CB0F 81EC00010000 sub esp,00000100h
0106CB15 53 push ebx
0106CB16 56 push esi
0106CB17 E800000000 call SUB_L0106CB1C
0106CB1C SUB_L0106CB1C:
0106CB1C 5B pop ebx
0106CB1D 8BF3 mov esi,ebx
0106CB1F 8B5BEC mov ebx,[ebx-14h]
0106CB22 8D8649010000 lea eax,[esi+00000149h]
0106CB28 8D9500FFFFFF lea edx,[ebp-00000100h]
0106CB2E 6880000000 push 00000080h
0106CB33 50 push eax
0106CB34 52 push edx
0106CB35 FF93A0000000 call [ebx+000000A0h]
0106CB3B 8D9500FFFFFF lea edx,[ebp-00000100h]
0106CB41 8D8E9B000000 lea ecx,[esi+0000009Bh]
0106CB47 689D000000 push 0000009Dh
0106CB4C 51 push ecx
0106CB4D 50 push eax
0106CB4E 52 push edx
0106CB4F FF5364 call [ebx+64h]
0106CB52 FF83F0000000 inc [ebx+000000F0h]
0106CB58 8D9500FFFFFF lea edx,[ebp-00000100h]
0106CB5E 8D8E38010000 lea ecx,[esi+00000138h]
0106CB64 6A11 push 00000011h
0106CB66 90 nop
0106CB67 90 nop
0106CB68 90 nop
0106CB69 51 push ecx
0106CB6A 6A0A push 0000000Ah
0106CB6C 52 push edx
0106CB6D FF5364 call [ebx+64h]
0106CB70 8D8E9B000000 lea ecx,[esi+0000009Bh]
0106CB76 8D8638010000 lea eax,[esi+00000138h]
0106CB7C 6A10 push 00000010h
0106CB7E 50 push eax
0106CB7F 51 push ecx 0106CB80 6A00 push 00000000h <---- PATCH HERE WITH : 6A01 push 00000001h
0106CB82 688E5D2D57 push 572D5D8Eh
0106CB87 6A01 push 00000001h
0106CB89 FF93A8010000 call [ebx+000001A8h]
0106CB8F 83F801 cmp eax,00000001h 0106CB92 7506 jnz L0106CB9A <---- PATCH HERE/DON'T JUMP : 7500 or 9090
0106CB94 5E pop esi
0106CB95 5B pop ebx
0106CB96 8BE5 mov esp,ebp
0106CB98 5D pop ebp
0106CB99 C3 retn
;----------------------------------------------------------------------------------------------
0106CB9A L0106CB9A:
0106CB9A 33C9 xor ecx,ecx
0106CB9C 8B4358 mov eax,[ebx+58h]
0106CB9F C70007000000 mov dword ptr [eax],00000007h
0106CBA5 894804 mov [eax+04h],ecx
0106CBA8 894808 mov [eax+08h],ecx
0106CBAB 8343580C add dword ptr [ebx+58h],0000000Ch
0106CBAF 50 push eax
0106CBB0 51 push ecx
0106CBB1 FFA3E0010000 jmp [ebx+000001E0h]
0106CBB7 EA db EAh; 'ª'
0106CBB8 ED db EDh; '­'
0106CBB9 04 db 04h;
0106CBBA 1E db 1Eh;
0106CBBB 11 db 11h;
0106CBBC A9 db A9h; 'c'
0106CBBD F5 db F5h; 'å'
0106CBBE 84 db 84h; '"'
0106CBBF A3 db A3h; '?'
0106CBC0 81 db 81h; '?'
0106CBC1 56 db 56h; 'V'
0106CBC2 06 db 06h;
0106CBC3 8B db 8Bh; '<'
0106CBC4 85 db 85h; ':'
0106CBC5 33 db 33h; '3'
0106CBC6 C2 db C2h; '‚'
0106CBC7 84 db 84h; '"'
0106CBC8 E1 db E1h; '¡'
0106CBC9 67 db 67h; 'g'
0106CBCA 29 db 29h; ')'
0106CBCB F4 db F4h; 'ä'
0106CBCC 51 db 51h; 'Q'
0106CBCD A6 db A6h; '³'
0106CBCE 7C db 7Ch; '|'
0106CBCF F5 db F5h; 'å'
0106CBD0 E2 db E2h; '¢'
0106CBD1 9A db 9Ah; '?'
0106CBD2 3A db 3Ah; ':'
0106CBD3 BB db BBh; '>'
0106CBD4 9A db 9Ah; '?'
0106CBD5 55 db 55h; 'U'
0106CBD6 74 db 74h; 't'
0106CBD7 4D db 4Dh; 'M'
0106CBD8 EC db ECh; '¬'
0106CBD9 F2 db F2h; 'â'
0106CBDA 14 db 14h;
0106CBDB A0 db A0h; 'ÿ'
0106CBDC 36 db 36h; '6'
0106CBDD 2C db 2Ch; ','
0106CBDE CF db CFh; ''
0106CBDF E0 db E0h; ' '
0106CBE0 8F db 8Fh; '?'
0106CBE1 B2 db B2h; 'I'
0106CBE2 00 db 00h;
0106CBE3 B2 db B2h; 'I'
0106CBE4 F2 db F2h; 'â'
0106CBE5 1E db 1Eh;
0106CBE6 FB db FBh; 'ë'
0106CBE7 D5 db D5h; '•'
0106CBE8 7F db 7Fh; ''
0106CBE9 5F db 5Fh; '_'
0106CBEA F9 db F9h; 'é'
0106CBEB 52 db 52h; 'R'
0106CBEC DA db DAh; 'š'
0106CBED 6D db 6Dh; 'm'
0106CBEE 31 db 31h; '1'
0106CBEF 49 db 49h; 'I'
0106CBF0 7A db 7Ah; 'z'
0106CBF1 03 db 03h;
0106CBF2 CD db CDh; ''
0106CBF3 20 db 20h; ' '
0106CBF4 BD db BDh; '?'
0106CBF5 AD db ADh; '-'
0106CBF6 A1 db A1h; 'ö'
0106CBF7 19 db 19h;
0106CBF8 8D db 8Dh; '?'
0106CBF9 58 db 58h; 'X'
0106CBFA 37 db 37h; '7'
0106CBFB 4D db 4Dh; 'M'
0106CBFC 4A db 4Ah; 'J'
0106CBFD 05 db 05h;
0106CBFE 58 db 58h; 'X'
0106CBFF 1D db 1Dh;
0106CC00 1F db 1Fh;
0106CC01 84 db 84h; '"'
0106CC02 B7 db B7h; 'ú'
0106CC03 BA db BAh; 'ó'
0106CC04 A9 db A9h; 'c'
0106CC05 F0 db F0h; 'à'
0106CC06 B1 db B1h; '+'
0106CC07 8D db 8Dh; '?'
0106CC08 49 db 49h; 'I'
0106CC09 5F db 5Fh; '_'
0106CC0A 89 db 89h; '%'
0106CC0B 60 db 60h; '`'
0106CC0C 1E db 1Eh;
0106CC0D 9E db 9Eh; '?'
0106CC0E A0 db A0h; 'ÿ'
0106CC0F 51 db 51h; 'Q'
0106CC10 F9 db F9h; 'é'
0106CC11 17 db 17h;
0106CC12 3F db 3Fh; '?'
0106CC13 E0 db E0h; ' '
0106CC14 6D db 6Dh; 'm'
0106CC15 7E db 7Eh; '~'
0106CC16 7F db 7Fh; ''
0106CC17 11 db 11h;
0106CC18 15 db 15h;
0106CC19 8A db 8Ah; '?'
0106CC1A 7D db 7Dh; '}'
0106CC1B 6B db 6Bh; 'k'
0106CC1C 0F db 0Fh;
0106CC1D 52 db 52h; 'R'
0106CC1E 16 db 16h;
0106CC1F 96 db 96h; '-'
0106CC20 FB db FBh; 'ë'
0106CC21 8E db 8Eh; '?'
0106CC22 B3 db B3h; 'i'
0106CC23 96 db 96h; '-'
0106CC24 66 db 66h; 'f'
0106CC25 8E db 8Eh; '?'
0106CC26 B3 db B3h; 'i'
0106CC27 7E db 7Eh; '~'
0106CC28 DA db DAh; 'š'
0106CC29 FB db FBh; 'ë'
0106CC2A BA db BAh; 'ó'
0106CC2B E9 db E9h; '©'
0106CC2C D6 db D6h; '–'
0106CC2D 0C db 0Ch;
0106CC2E 24 db 24h; '$'
0106CC2F 1C db 1Ch;
0106CC30 A2 db A2h; '÷'
0106CC31 23 db 23h; '#'
0106CC32 F7 db F7h; 'ç'
0106CC33 2A db 2Ah; '*'
0106CC34 74 db 74h; 't'
0106CC35 CB db CBh; '‹'
0106CC36 4D db 4Dh; 'M'
0106CC37 8C db 8Ch; '?'
0106CC38 69 db 69h; 'i'
0106CC39 47 db 47h; 'G'
0106CC3A 54 db 54h; 'T'
0106CC3B FC db FCh; 'ì'
0106CC3C 53 db 53h; 'S'
0106CC3D 1C db 1Ch;
0106CC3E 22 db 22h; '"'
0106CC3F 23 db 23h; '#'
0106CC40 C6 db C6h; '†'
0106CC41 04 db 04h;
0106CC42 FD db FDh; 'í'
0106CC43 CE db CEh; 'Ž'
0106CC44 0C db 0Ch;
0106CC45 AA db AAh; 'ò'
0106CC46 BB db BBh; '>'
0106CC47 61 db 61h; 'a'
0106CC48 67 db 67h; 'g'
0106CC49 65 db 65h; 'e'
0106CC4A 73 db 73h; 's'
0106CC4B 2E db 2Eh; '.'
0106CC4C 00 db 00h;
0106CC4D 00 db 00h;
0106CC4E 00 db 00h;
0106CC4F 00 db 00h;
0106CC50 00 db 00h;
0106CC51 00 db 00h;
0106CC52 00 db 00h;
0106CC53 00 db 00h;
0106CC54 35 db 35h; '5'
0106CC55 75 db 75h; 'u'
0106CC56 A4 db A4h; 'ý'
0106CC57 21 db 21h; '!'
0106CC58 05 db 05h;
0106CC59 D8 db D8h; '˜'
0106CC5A 07 db 07h;
0106CC5B 64 db 64h; 'd'
0106CC5C F2 db F2h; 'â'
0106CC5D 04 db 04h;
0106CC5E 2C db 2Ch; ','
0106CC5F 52 db 52h; 'R'
0106CC60 CC db CCh; 'Œ'
0106CC61 91 db 91h; '''
0106CC62 96 db 96h; '-'
0106CC63 E4 db E4h; '¤'
0106CC64 00 db 00h;
0106CC65 35 db 35h; '5'
0106CC66 3F db 3Fh; '?'
0106CC67 DE db DEh; 'ž'
0106CC68 3C db 3Ch; '<'
0106CC69 24 db 24h; '$'
0106CC6A 57 db 57h; 'W'
0106CC6B 2C db 2Ch; ','
0106CC6C D4 db D4h; '”'
0106CC6D 15 db 15h;
0106CC6E 98 db 98h; '?'
0106CC6F 69 db 69h; 'i'
0106CC70 57 db 57h; 'W'
0106CC71 18 db 18h;
0106CC72 25 db 25h; '%'
0106CC73 42 db 42h; 'B'
0106CC74 92 db 92h; '''
0106CC75 SUB_L0106CC75:
0106CC75 EB09 jmp L0106CC80
0106CC77 90909090909090+ Align 16
0106CC80 L0106CC80:
0106CC80 C3 retn
Sorry if my quote attachment is formatted improperly...
(To Admin, please fix my quote text above — I am on a bad server connection.)
Download link for Obsidium.v1.6.1.9_x32.NONAG, here :