Level : beginner
Yoda Protector 1.03.3 - manually unpacking
This tutorial describes manually unpacking the last Yoda Protector version, 1.03.3. It focuses on the main yP problem: running the protected file under a debugger.
Hi friends, and welcome to a new unpacking tutorial. As I said, yP 1.03.3 is the last yoda protector version; the author has decided to stop the project and is planning to start a new one. I have already written a tutorial for unpacking the 1.03.2beta version, which is pretty much identical to this one, but that tutorial didn't describe how to run the protected file under a debugger. This tutorial will show how the anti-debug tricks can be easily avoided and bypassed.
We will need some tools:
- OllyDbg 1.10
- Windows XP
- Target is here http://www.reversing.be/binaries/articles/20060103202404818.rar
This tutorial will not go into details because there is no need for that. Rebuilding the imports is very easy and that is all we need to do after we reach the OEP.
Yoda Protector is based on the Yoda's Cryptor framework; only new tricks are added from time to time. The old tricks are PE header erasing (which is pointless), CRC checking (code and file), the IsDebuggerPresent check, API redirecting and destroying import information. These old tricks are already described in my tutorial about ExeStealth v2.74a (that protector is just a rip of yoda). The new tricks are terminating Olly and possibly freezing Windows XP.
Let's see how Olly is killed. The protector uses a combination of APIs to get the PIDs of all running processes. Then it searches for the process that started it (OllyDbg in our case) and terminates it. It compares the PID of that process with its own PID. If those PIDs are not the same (i.e. the exe was started through Olly), it will terminate that process.
The second trick is more annoying. The protector calls the BlockInput API before any other check. That API blocks the input devices (mouse, keyboard, etc.), so we are locked out of our system. Then the protector does its other checks and the decrypting. If in the meantime the protector stops on some exception or Olly is found, the system will wait for us to take action, but we cannot do anything except restart Windows. If everything passes fine, the protector calls BlockInput again to unblock the input devices. Pretty smart trick.
2. Reaching OEP
OK, time to unpack the target. Grab the crackme and load it in Olly. In Olly, ignore all exceptions, then in Events set "Break on new module (DLL)". We need to break on user32.dll loading in order to intercept the BlockInput API. Then press F9 until you see that User32.dll is loaded:
Base     Size     Entry    Name     File version        Path
00400000 0001F000 004166ED Crackme0                     D:\yoda\yP1.03.3\Crackme05.exe
77D40000 0008C000 77D53A05 User32   5.1.2600.1561 (x    C:\WINDOWS\system32\User32.dll
77E60000 000E6000 77E7ADB3 kernel32 5.1.2600.1560 (x    C:\WINDOWS\system32\kernel32.dll
77F50000 000A7000          ntdll    5.1.2600.1106 (x    C:\WINDOWS\System32\ntdll.dll
After that we can uncheck the option for breaking on new modules. Now we just need to patch the BlockInput API so it doesn't block the devices. Simply select "Go to, expression" and enter BlockInput. Click OK and we land in user32.dll on that API (this is how it looks on my system):
77D98A69 > B8 36110000 MOV EAX,1136
77D98A6E BA 0003FE7F MOV EDX,7FFE0300
77D98A73 FFD2 CALL EDX
77D98A75 C2 0400 RETN 4
To kill the API, just NOP everything up to RETN 4:
77D98A69 > 90 NOP
77D98A6A 90 NOP
77D98A6B 90 NOP
77D98A6C 90 NOP
77D98A6D 90 NOP
77D98A6E 90 NOP
77D98A6F 90 NOP
77D98A70 90 NOP
77D98A71 90 NOP
77D98A72 90 NOP
77D98A73 90 NOP
77D98A74 90 NOP
77D98A75 C2 0400 RETN 4 <---- Place breakpoint here!
And place a breakpoint on RETN 4. We will need this later.
We have killed this API and with that we avoid the input blocking, but we still need to prevent Olly from being killed. There is a similarly simple solution for that. Yoda uses CreateToolhelp32Snapshot to get all processes and a couple of other APIs to walk through them. But it uses GetCurrentProcessId to get its own PID. Then yoda checks whether the process that started it has the same PID as itself (i.e. whether the protected file was started through some debugger or not) and, if not, it terminates that process. We can do the following to prevent Olly from being killed:
- Open LordPE and get the PID of OllyDbg.exe. Mine is 478.
- "Go to, expression", enter GetCurrentProcessId and click OK. You are in the API:
77E76914 > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
77E7691A 8B40 20 MOV EAX,DWORD PTR DS:[EAX+20]
77E7691D C3 RETN
That API would return the PID of the protected file, but I will patch it to return Olly's PID. Then our protected file will think that it is Olly itself, he he. Check:
77E76914 > B8 78040000 MOV EAX,478
77E76919 90 NOP
77E7691A 90 NOP
77E7691B 90 NOP
77E7691C 90 NOP
77E7691D C3 RETN
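The two patches above, rebuilt byte for byte in Python so the encoding and the length bookkeeping are visible. This is an added example, not part of the original tutorial; the stub bytes are the ones in the listings above, and the PID 478 is the hex value Olly shows in its MOV EAX,478.

```python
"""
Byte-level view of the two in-memory patches the tutorial applies under OllyDbg.
Both patches must keep the stub length and its final return instruction intact.
"""
import struct

# Original bytes of the user32!BlockInput stub as listed in the tutorial (13 bytes):
#   MOV EAX,1136 ; MOV EDX,7FFE0300 ; CALL EDX ; RETN 4
BLOCKINPUT_ORIG = bytes.fromhex("B836110000" "BA0003FE7F" "FFD2" "C20400")

# Original bytes of kernel32!GetCurrentProcessId as listed (10 bytes):
#   MOV EAX,DWORD PTR FS:[18] ; MOV EAX,DWORD PTR DS:[EAX+20] ; RETN
GETPID_ORIG = bytes.fromhex("64A118000000" "8B4020" "C3")

NOP = 0x90


def patch_blockinput(orig: bytes) -> bytes:
    """NOP everything before the final RETN 4, keeping the RETN 4 itself.

    BlockInput is stdcall with one DWORD argument, so the C2 04 00 (RETN 4) has to
    survive: it pops that argument and keeps the caller's stack balanced.
    """
    if not orig.endswith(b"\xC2\x04\x00"):
        raise ValueError("expected stub to end in RETN 4")
    return bytes([NOP]) * (len(orig) - 3) + orig[-3:]


def patch_getcurrentprocessid(orig: bytes, pid: int) -> bytes:
    """Replace the body with MOV EAX,<pid> ; NOP padding ; RETN, same total length.

    The PID is the debugger's PID (0x478 in the tutorial), so the protector's
    "who started me" comparison sees its own PID on both sides.
    """
    mov_eax_imm32 = b"\xB8" + struct.pack("<I", pid)  # B8 + little-endian imm32
    padding = len(orig) - len(mov_eax_imm32) - 1       # leave room for RETN (C3)
    if padding < 0:
        raise ValueError("stub too short for MOV EAX,imm32 + RETN")
    return mov_eax_imm32 + bytes([NOP]) * padding + b"\xC3"


if __name__ == "__main__":
    print("BlockInput patch        :", patch_blockinput(BLOCKINPUT_ORIG).hex(" ").upper())
    print("GetCurrentProcessId patch:", patch_getcurrentprocessid(GETPID_ORIG, 0x478).hex(" ").upper())
```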
And that's it! Now we need to use a plugin to hide Olly from the IsDebuggerPresent check and run (remember the bp on BlockInput). We will stop two times on the bp on the patched BlockInput API. Then we open the "Memory Map" window, place a memory breakpoint on access on the first section and run. The OEP is reached:
004079D0 55 PUSH EBP ; Crackme0.00417058
004079D1 8BEC MOV EBP,ESP
004079D3 83C4 F4 ADD ESP,-0C
004079D6 53 PUSH EBX
004079D7 56 PUSH ESI ; Crackme0.00418370
004079D8 57 PUSH EDI ; Crackme0.0041837D
004079D9 B8 98794000 MOV EAX,Crackme0.00407998
004079DE E8 D1CBFFFF CALL Crackme0.004045B4
004079E3 BE CC954000 MOV ESI,Crackme0.004095CC
004079E8 BF E4954000 MOV EDI,Crackme0.004095E4
004079ED BB A0954000 MOV EBX,Crackme0.004095A0
004079F2 33C0 XOR EAX,EAX
004079F4 55 PUSH EBP ; Crackme0.00417058
004079F5 68 847C4000 PUSH Crackme0.00407C84
004079FA 64:FF30 PUSH DWORD PTR FS:[EAX]
004079FD 64:8920 MOV DWORD PTR FS:[EAX],ESP
00407A00 A1 80824000 MOV EAX,DWORD PTR DS:[408280]
00407A05 8B00 MOV EAX,DWORD PTR DS:[EAX]
All we need to do now is dump and rebuild the IAT. For dumping you should use OllyDump (LordPE causes loss of the icon) and for rebuilding the IAT, ImpREC.
3. Final words
And that is all :) Unpacking yoda-protected DLLs is even easier. Sorry for spelling and grammar mistakes.
Thanks and greets to detten for publishing my tutorials, and to all the BIW crew. Special greets to friends in the artem and crackmes.de communities.
See you in next tutorial and Happy New Year to all of you :)
[ haggar, somewhere at the beginning of 2006 ]