Unpacking Yodas Protector 1.03.3


    I think this material is worth a look; after all, you can never know too much!


    Source: (link visible only to registered and activated users)

    Information
    C:\Yodas Protector Unpacking.swf
    Build 2 successfully completed
    Created at: Sat Aug 14 08:28:53 2010
    Flash player required: v6.0 or above
    Size: 1654 KB
    Total frames in main movie: 5160
    Playback frame rate: 20
    Approximate playback time: 258 seconds

    Annotated text transcript:

    Unpacking Yoda's Protector 1.03.3
    Tools:

    - OllyDBG
    - OllyDump
    - IsDebugPresent (if you need it)
    - LordPE
    - TargetFile

    This tutorial is written by Richard Irfan Yusan

    richardyusan@rocketmail.com
    The TargetFile ;-)
    yoda's Protector 1.03.3 -> Ashkbiz Danehkar
    Entropy : PACKED
    EP Check : PACKED
    Load the target file to OllyDBG
    Set your Exceptions Settings like this
    make sure this checkbox is checked
    If User32.dll is already loaded into memory, set your OllyDbg events settings back to normal
    Uncheck !
    Right Click > Go To > Expression

    Or

    CTRL + G
    Type "BlockInput"
    Fill with NOPs
    Place Breakpoint here
    F2
    Now, we must fix IsDebuggerPresent

    There are two methods:

    1. Manual fix: continue watching
    2. Using the IsDebuggerPresent OllyDBG plugin; you can skip this step
    MOV EAX,0
    GetCurrentProcessId

    Case sensitive
    Yoda uses CreateToolhelp32Snapshot to retrieve all running processes. Then, Yoda searches for the process that started the unpackme and checks whether that process has the same PID as the unpackme itself. If not, Yoda terminates that process, which is OllyDbg.exe in our case. If we patch the CreateToolhelp32Snapshot API, we will get an Invalid_Handle exception. But there is another very easy way to trick Yoda. Yoda uses the GetCurrentProcessId API to retrieve its own PID. We can make Yoda think that it is ollydbg.exe if we set that API to retrieve Olly's PID. How can we do that? By injecting a simple patch.
    00000730 is the OllyDBG PID
    730 means OllyDbg's PID
    Run Debugged Program

    F9
    We land at this breakpoint
    Run Debugged Program Again

    F9
    Set Memory BP on access
    OEP
    CTRL+A to analyze this code
    UnPackMe file run without error
    ;-)
    Entropy : NOT PACKED
    EPCheck : NOT PACKED
    And UnPackMe unpacked successfully!

    My Blog :
    richardyusan.wordpress.com
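As an added example (not code from the tutorial, the forum post, or Yoda's Protector), the "Entropy : PACKED / NOT PACKED" readout the tutorial uses before and after unpacking is a Shannon-entropy check on a section's bytes; this Python shows that check over two constructed byte buffers, and the 7.0 bits-per-byte cutoff is an assumed threshold.

```python
import hashlib
import math
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumed cutoff in bits per byte (8.0 is the maximum)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte-value histogram of `data`."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_verdict(section: bytes, threshold: float = PACKED_THRESHOLD) -> str:
    """Same PACKED / NOT PACKED labels the tutorial reads off its entropy check."""
    return "PACKED" if shannon_entropy(section) >= threshold else "NOT PACKED"


def constructed_packed_section(size: int = 65536) -> bytes:
    """Constructed stand-in for a compressed/encrypted packer section: a
    deterministic SHA-256 chain, which looks uniform to a byte histogram
    (no real packer output is used)."""
    out = bytearray()
    block = b"constructed seed"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def constructed_code_section(size: int = 65536) -> bytes:
    """Constructed stand-in for plain x86 code: a repeated function prologue
    (push ebp / mov ebp,esp / sub esp,10h), so a few byte values dominate."""
    prologue = b"\x55\x8b\xec\x83\xec\x10"
    return (prologue * (size // len(prologue) + 1))[:size]


def compare_sections() -> dict:
    """Entropy and verdict for both constructed sections, keyed by name."""
    samples = (("packed", constructed_packed_section()),
               ("plain", constructed_code_section()))
    return {name: (round(shannon_entropy(b), 3), entropy_verdict(b))
            for name, b in samples}


if __name__ == "__main__":
    for name, (h, verdict) in compare_sections().items():
        print(f"{name:6s} entropy={h:.3f} -> {verdict}")
```

Unpacking restores the original code and data sections, which is why the same check flips to NOT PACKED on the dumped file.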