Tuesday, August 23 2005 @ 10:41 PM CEST Contributed by: haggar Views: 28667
Level : beginner
Hi and welcome to my new small tutorial about unpacking latest yoda’s protector. This tutorial will not go in the depth of new yoda’s anti-debug tricks, we will work around that field simply because got lost in all that SetThreadPriority, Block input and all that s**t that Ashkbiz Danehkar has thrown inside. Restarting computer every time when you forget to place bp on a
right place is not funny.
Anyway, here is content:
You will need next tools:
- OllyDbg 1.10 (ollydump plugin too)
- dUP2 - diablo2oo2's Universal Patcher
- target here
In this archive you’ll find next:
- yP1.03.2 - unpacking tutorial.doc , this tutorial
- yP PEiD signatures.txt , correct signatures for PEiD
- yodaOEP.exe , patch for unpacking first target
- keygenme1.exe , target.
As we said, yoda doesn’t steal OEP bytes, it does not interferes with the unpacked program in memory, even IAT redirection is very simple – it’s not changed from the early beginning. This all goes to our favor. We will not approach to unpacking in usual way, tracing to OEP and
avoiding anti-debug tricks, but let’s not just talk. Grab target “keygenme1.exe” that I packed with latest yoda. I used all options that yoda offers, except header erasing because target crushed with that option. So run target and open OllyDbg. In Olly menu chose “File” ->“Attach”, select path to our target and click attach button. Target will freeze and Olly will stop at system bp:
You are in the target code now. Press F9 and target will run normally, you could now do whatever you want with it. Our next step would be to find where is OEP of packed file.
This part that could be the hardest thing for us, but not necessary. There are couple ways to find where OEP should be. This is one approach. Open memory window:
Address Size Owner Section Contains Type Access Initial
00400000 00001000 Crackme_ PE header Imag RW RWE
00401000 00004000 Crackme_ code,data Imag RW RWE
00405000 0000E000 Imag RW RWE
00420000 00006000 Map R E R E
004E0000 00002000 Map R E R E
004F0000 00103000 Map R R
Place memory bp on access to code section and then try to click on crackme. You will probably stop here:
If you are not there – it doesn’t matters. Important is that crackme is suspended so we can dump now. So dump it with OllyDump plugin, but uncheck “Rebuild import” option. Entry point of this dump also isn’t important for now (don’t close olly after dumping). Now scan dumped file with PEiD. It will show “Microsoft Visual C++ 6.0”. This is important because programs compiled
with same version of compilers have similar OEP. Using PEiD, find on your drive some exe that is compiled with this version Visual C++. I found flashget.exe, a download manager. Its OEP looks like this:
OEP in our packed crackme will be very similar to this one so we need to find these combinations of opcodes in it. Of course, scrolling down and trying to recognize something like this is impossible with bigger file, but we can speed that.
Binary copy all bytes from flasget.exe (or some app that you found on your hard drive starting from 4A2F70 to 4A2F84.
Close that olly and go to first one, in which is our target. Scroll to the 401000 address, left click on the first line, then right-click and chose “Search for” -> “Binary String” and paste content of clipboard to “Hex + xx” field. Then check “Entire block” and click “OK” button.
First address where olly found same bytes is here:
If you cannot find OEP, or you find more possible OEP’s, then experiment a little and open different files on your drive to learn how OEP’s looks. You can close all olly’s now.
You could now fix IAT with ImpREC and repair dump with this OEP, but with bigger files that dump will crush. I don’t know the actual reason, but we shouldn’t allow target to run and then dump it. We need to STOP target at the OEP and THEN dump it and fix imports. How we gonna stop file in memory without having target in debugger? I get one idea there, we could make a loader that will find OEP and replace it with EBFE bytes. That is infinite loop jump, a jump that jumps to itself. It means that such file in memory will be fully unpacked , but it will not be executed. Then we can attach to target and make good working dump.
For making loader we will use dUP2 - diablo2oo2's Universal Patcher, a excellent pathing engine made by diablo2oo2 (well, you could use any loader engine that you like, I just lately often use this one which is very good). To learn how to use patcher read help files inside dUP2 packet. If you are lazy, mine loader “YodaOEP.exe” is included in this archive.
You need to substitute these bytes (address --> byte):
4014B4 --> 55
4014B5 --> 8B
with this ones:
4014B4 --> EB
4014B5 --> FE
Make that loader and run it in the same folder with target “keygenme1.exe”. Uuuuups, CPU usage goes to 100%, remember that’s because infinite jump. Good sign, our loader has done it’s job.
Now open Olly and attach to the target, double click to keygen1.exe process in the executables window, press Ctrl+A and in the memory window place memory bp on access to code section. Press F9 and you are at the program OEP:
That’s it! Now dump file with ollydump (uncheck import fixing) and run ImpREC. There attach to keygenme1.exe, input 14B4 as OEP and search for imports. I get two thunks and both are not valid. Newermind, trace with level 1 and you’ll find all imports. If maybe couple bad thunk has left, just cut it. Now fix dump and run it. It works great! Yep, you have defeated yoda’s
protector 1.03.2 :)
3. Final words
This approach to unpacking yoda protected targets seams to be very easy and yet, it works. For example, I packed Mozilla Firefox (~MB) and unpacked it in few minutes. Also, you could use this approach for any protector you like except those ones who debugs itself like armadillo, new PESpin, beria, etc.
The main problem would be to find OEP. In VC++, Borland C++ It’s not hard, VB is the easiest for that. Harder would be with Delphi programs, or ASM. But with some experience and practice it can be done.
Big greets goes to all folks on biw; detten, stingduk, thorpe, TDC ... just to name few.