need help unpacking yoda's cryptor 1.x / modified
I have a file which I need to unpack; with the latest PEiD it is recognised as "yoda's cryptor 1.x / modified". Using Google I found the script below.
Code:
// Mr.David yoda's cryptor 1.x modified OEP and Patch IAT v0.1b
http://img417.imageshack.us/img417/4434/ansiivh7.png
If I save it as Unicode or Unicode big endian, when I run the script in Olly I get a message like this. http://img176.imageshack.us/img176/8739/unicodeerrorvi5.png And if I save the script as UTF-8, this is what I see when I run it. http://img117.imageshack.us/img117/3878/utf8ey7.png I guess that doesn't really matter though; at least the script seems to run when it is saved as ANSI, I just won't be able to see the Chinese text. And I don't speak Chinese anyway, so does it really matter? So I am curious what happens when I run this script. It doesn't look like anything happened :P Thanks
"yoda's cryptor 1.x / modified" means a group of protectors which are based on the source code of yC. => A universal OllyScript can't be available... So try to MUP it...
There is a tutorial for unpacking versions 1.0 and 1.1 of yoda's crypter on his website http://y0da.cjb.net/ I could try those, but they might not work. Maybe I should have a look at several different tutorials for different versions and see if they have anything in common which may help.
Fade, it's probably best if you can upload your target to rapidshare.de or something like this, and I will try to make some small tutorial for you, but make sure your target is not very big ;)
Best regards.
The problem is that the file is malware, which I am trying to take a closer look at. If you still want the EXE I will upload it, but I just want to let you know first ;) Also, while looking for an MUP tut, I found a couple more scripts, but they are no good to me; I'll put them here though in case they help anybody else in future.
Code:
// Mr.David yoda's Crypter V1.2 OEP and Patch IAT v0.1
Code:
//////////////////////////////////////////////////
Fade, ok, I will explain how easily you can unpack yoda's cryptor v1.3, but in this way you can also unpack v1.x, I think.
(First you need to disable all exceptions in OllyDbg.) Then open your target and hit F9; after this you will probably have something like this:
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
If you hit F8 it will look like nothing is happening, but hit F8 once :) and after this all you need to do is press SHIFT+F9 and you are on the OEP. Then you need to dump the target and repair the imports, but there are probably no corrupted imports ;) Well, that's the easy way to MUP yoda's crypter, but as you named this topic "(Modified version)", maybe the author of the modified version of this protector inserted some features such as new anti-debugging tricks, etc.... But I don't think so, because PEiD shows you that it's a custom version if you just change the names of the sections; you would probably get the same effect with PEiD. But never mind, try my MUP my way (the easy way), and if you don't succeed, never mind, just upload this malware and I will look. Regards
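The post above relies on PEiD's signature match (which renamed sections alone can turn into "modified") and on landing on the OEP in the original code section. As an added example that is not part of the thread, the Python below parses just enough of a PE header to report which section contains the entry point, which section is the first code section (the one a memory-on-access breakpoint would be placed on), and the usual packer-layout hints. The sample images are built in memory by `build_pe32`; the Delphi-style section names follow the thread, while the stub name, sizes and entry RVAs are assumptions.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_pe32(entry_rva, sections):
    """Construct a minimal PE32 image (headers only). Constructed sample, not a real binary.

    sections: list of (name, virtual_address, virtual_size, characteristics).
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew: PE signature right after DOS header
    size_opt = 224                                          # sizeof(IMAGE_OPTIONAL_HEADER32)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return (entry_point_rva, [section dicts]) from the headers of a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _machine, nsect, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # same offset in PE32 and PE32+
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, _, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + size_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vaddr": vaddr, "vsize": vsize, "chars": chars})
    return entry, sections


def packer_hints(data):
    """Return (entry_section_name, first_code_section_name, list_of_hints)."""
    entry, sections = parse_pe(data)
    code_secs = [s for s in sections if s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)]
    ep_sec = next((s for s in sections if s["vaddr"] <= entry < s["vaddr"] + s["vsize"]), None)
    hints = []
    if ep_sec is None:
        hints.append("entry point 0x%X lies outside every section" % entry)
    else:
        if code_secs and ep_sec is not code_secs[0]:
            hints.append("entry point in '%s', not in the first code section '%s'"
                         % (ep_sec["name"], code_secs[0]["name"]))
        if len(sections) > 1 and ep_sec is sections[-1]:
            hints.append("entry point in the last section '%s' (stub appended to the image)" % ep_sec["name"])
        if ep_sec["chars"] & IMAGE_SCN_MEM_WRITE:
            hints.append("entry section '%s' is writable and executable" % ep_sec["name"])
    return (ep_sec["name"] if ep_sec else None,
            code_secs[0]["name"] if code_secs else None,
            hints)


# Constructed samples: a plain Borland Delphi layout (CODE/DATA/.rsrc) and the same image with
# an appended, writable stub section holding the entry point. Names and sizes are made up.
RX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN_DELPHI = build_pe32(0x1F00, [("CODE", 0x1000, 0x10000, RX),
                                   ("DATA", 0x11000, 0x2000, RW),
                                   (".rsrc", 0x13000, 0x1000, IMAGE_SCN_MEM_READ)])
PACKED_DELPHI = build_pe32(0x14100, [("CODE", 0x1000, 0x10000, RX | IMAGE_SCN_MEM_WRITE),
                                     ("DATA", 0x11000, 0x2000, RW),
                                     (".rsrc", 0x13000, 0x1000, IMAGE_SCN_MEM_READ),
                                     (".stub", 0x14000, 0x1000, RX | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_DELPHI), ("packed", PACKED_DELPHI)):
        ep, first_code, hints = packer_hints(image)
        print("%s: entry in %s, first code section %s" % (label, ep, first_code))
        for h in hints:
            print("  -", h)
```

The first code section reported is where the memory-on-access breakpoint goes once the stub has unpacked into it; the hints are heuristics only, since a packer that rewrites the entry point into the original code section leaves none of them.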
Fade, when I said to disable all exceptions I meant to uncheck all exceptions, not to enable them :)
Set your Olly like this: http://img113.imageshack.us/img113/6249/untitleddb4.png and then follow this little tutorial I wrote, and don't worry, you will not execute the malicious code :p After you hit F9, F8, SHIFT+F9 you are 90% on the OEP; the other 10% is if the author made it a little more difficult than the previous version, but I don't think so :rolleyes: But as I say, I repeat, if you don't succeed, send me the target and I will be glad to look at this malicious code :D Regards
I hit F9 and it terminates. :p
I uploaded it: http://rapidshare.de/files/36013371/Here.rar.html Password is BECAREFUL
Ah, that's some crap, I don't think that this is yoda's crypter, but never mind.
The application is compiled with Borland Delphi. If you want to get the OEP by hand you can do it the easy way, but first you need to make some settings in Olly. If you have the OllyAdvanced plugin by Marcus, turn on all anti-debugging options just in case (I didn't have time to test). Then, in Olly's debugging options under exceptions, ignore memory access violations in KERNEL32, INT3 breaks, single-step breaks and memory access violations, save the changes and open your application.
Now hit F8 and use the ESP trick, if you don't know it: in the right panel (FPU registers), right-click on ESP and follow in dump, then set a hardware breakpoint on access (dword) and hit SHIFT+F9. After this press ALT+M to get the memory map and set a breakpoint on the .code section (breakpoint on access), and hit SHIFT+F9 again :) If you do this right you are on the OEP; if not, try hitting SHIFT+F9 a couple of times, in my Olly it works after one click. Then you need to dump the target and fix the imports; for fixing imports use trace level 1. That's all :) I am not stupid enough to test whether this works, but that's the way, you can test it if you want :)
And now a little about what this crap can do to you :p These are the links this trojan downloads from:
hxxp://www.ac66.cn/down/rx.exe
hxxp://www.ac66.cn/down/qq.exe
hxxp://www.ac66.cn/down/gezi.exe
hxxp://www.ac66.cn/down/aichong.exe
hxxp://www.ac66.cn/down/mhxy.exe
hxxp://down.136136.net/down/cq.exe
It also modifies C:\WINDOWS\system32\drivers\etc\hosts (from http://down.136136.net/down/host.txt), creates the file C:\Program Files\Common Files\update\ubdate.exe, and calls it from the registry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
I hope that you understand me; sorry for my grammatical errors, I am from Serbia and I am limited in English. Best regards
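The indicators in the post above (the download links, the hosts file, the dropped ubdate.exe and the HKCU Run key) can be turned into a small triage check. The Python below is an added example and not part of the thread: it extracts URLs from a strings dump (accepting the hxxp defanging the post uses), lists hosts-file entries other than the stock loopback names, and matches Run-key values against the dropped path. The strings dump, the hosts lines and the Run-key value names are constructed samples and assumptions; only the URLs, the file path and the key come from the post.

```python
import re
from urllib.parse import urlparse

# Indicators quoted from the post above (download links defanged with hxxp, as in the post).
DOWNLOAD_URLS = [
    "hxxp://www.ac66.cn/down/rx.exe",
    "hxxp://www.ac66.cn/down/qq.exe",
    "hxxp://www.ac66.cn/down/gezi.exe",
    "hxxp://www.ac66.cn/down/aichong.exe",
    "hxxp://www.ac66.cn/down/mhxy.exe",
    "hxxp://down.136136.net/down/cq.exe",
    "http://down.136136.net/down/host.txt",
]
DROPPED_FILE = r"C:\Program Files\Common Files\update\ubdate.exe"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Matches both live http(s):// and defanged hxxp(s):// links.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"'<>]+", re.IGNORECASE)


def refang(url):
    """Turn a defanged hxxp:// link back into its real form for comparison."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def extract_urls(text):
    """Collect URLs from a strings dump, normalised to http(s) and de-duplicated."""
    return sorted({refang(m.group(0)) for m in URL_RE.finditer(text)})


def ioc_domains(urls):
    """Distinct hostnames contacted by the given URLs."""
    return sorted({urlparse(refang(u)).hostname for u in urls})


def hosts_hijacks(hosts_text):
    """(ip, hostname) pairs in a hosts file other than the stock loopback names."""
    stock = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        hits.extend((ip, n) for n in names if n.lower() not in stock)
    return hits


def run_key_hits(run_values, dropped_paths):
    """Run-key values whose command references a known dropped file (case-insensitive)."""
    wanted = [p.lower() for p in dropped_paths]
    return {name: cmd for name, cmd in run_values.items()
            if any(p in cmd.lower() for p in wanted)}


def triage(strings_dump, hosts_text, run_values):
    """Combine the three checks into one report."""
    urls = extract_urls(strings_dump)
    known = {refang(u) for u in DOWNLOAD_URLS}
    return {
        "urls": urls,
        "known_urls": sorted(u for u in urls if u in known),
        "domains": ioc_domains(urls),
        "hosts_hijacks": hosts_hijacks(hosts_text),
        "run_hits": run_key_hits(run_values, [DROPPED_FILE]),
    }


# Constructed samples standing in for the real artefacts. On a live machine you would feed the
# strings output of the unpacked dump, the contents of %SystemRoot%\system32\drivers\etc\hosts,
# and the values enumerated from RUN_KEY with winreg.
STRINGS_SAMPLE = """\
Borland Delphi
hxxp://www.ac66.cn/down/rx.exe
hxxp://down.136136.net/down/cq.exe
http://down.136136.net/down/host.txt
Software\\Microsoft\\Windows\\CurrentVersion\\Run
"""
HOSTS_SAMPLE = """\
# constructed: two redirected names besides the stock entry
127.0.0.1       localhost
127.0.0.1       av-update.example        # made-up hostname
127.0.0.1       download.vendor.example
"""
RUN_SAMPLE = {  # value names are assumptions; the post only names the key
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "update": r'"C:\Program Files\Common Files\update\ubdate.exe"',
}

if __name__ == "__main__":
    for key, value in triage(STRINGS_SAMPLE, HOSTS_SAMPLE, RUN_SAMPLE).items():
        print(key, value)
```

The hosts-file check deliberately reports every non-loopback name rather than matching a fixed list, because a replacement hosts file pulled from host.txt can redirect any set of domains; the output is reviewed by hand.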
Your English is fine, don't worry about it at all. Thank you very much for your work on this. I only knew about the hosts file being changed and the mutex it creates, because I checked it with Norman Sandbox, but I didn't know about the EXEs. I thought it was Delphi because anti-viruses detect this as Delf, which is what they normally tag Delphi malware as.
Thank you again, you did a great job. How did you know how to do what you did, though?