Exetools  

#1  Fade, 10-07-2006, 06:18
need help unpacking yoda's cryptor 1.x / modified

I have a file which I need to unpack; with the latest PEiD it is recognised as "yoda's cryptor 1.x / modified". Using Google I found the script below.

Code:
// Mr.David yoda's cryptor 1.x modified OEP and Patch IAT  v0.1b
// This script will quickly put you at the OEP of a yoda's cryptor 1.x modified EXE.
// Just run it!

msg "First set OllyDbg's exception options so that all exceptions are ignored, then run this script from the menu"
pause

dbh                   // hide the debugger

var addr
sto                   // step over the first instruction of the stub
mov addr,esp          // "ESP trick": the stub reads this stack slot back right before it leaves
bphws addr,"r"        // hardware breakpoint on read of that slot

var addr1
var addr2

gpa "CloseHandle","kernel32.dll"
mov addr1,$RESULT     // API breakpoint on CloseHandle
bp addr1
run

bc addr1              // clear the breakpoint
rtu                   // return to user code (Alt+F9)

findop eip,#8932#     // find MOV [EDX],ESI: the write into the IAT
mov addr1,$RESULT
bphws addr1,"x"
run
repl eip,#8932#,#8902#,10   // patch to MOV [EDX],EAX so the real API address is written (IAT fix)
bphwc addr1

findop eip,#33C3#     // find XOR EAX,EBX
mov addr2,$RESULT
bphws addr2,"x"
run

repl eip,#33C3#,#33C0#,10   // patch to XOR EAX,EAX
bphwc addr2

esto
esto

findop eip,#33DB#     // XOR EBX,EBX: decides which exception path this build takes; yoda's modified version routes differently from the original
cmp $RESULT,0
je lblabel2

esto
esto
esto
run
sto
sto
sto
sto
bphwc addr

cmt eip,"OEP1 Or Next Shell To Get,Please dumped it,Enjoy!"   // path when all of yC's anti options were selected

ret

lblabel2:
esto
esto
run
sto
sto
sto
sto
bphwc addr

cmt eip,"OEP2 Or Next Shell To Get,Please dumped it,Enjoy!"   // path when the SoftICE check was not selected; with other combinations of anti options the script is only known to work for the default options

ret
Firstly, when I save that script in Notepad as ANSI I lose the Chinese characters and they are replaced by ???. This is what I see when the script runs:

http://img417.imageshack.us/img417/4434/ansiivh7.png

If I save it as Unicode or Unicode big endian, when I run the script in Olly I get a message like this:

http://img176.imageshack.us/img176/8739/unicodeerrorvi5.png

And if I save the script as UTF-8, this is what I see when I run it:

http://img117.imageshack.us/img117/3878/utf8ey7.png

I guess that doesn't really matter though; at least the script seems to run when it is saved as ANSI, I just won't be able to see the Chinese text. And I don't speak Chinese anyway, so does it really matter?

So I am curious what happens when I run this script. It doesn't look like anything happened :P

Thanks
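The three screenshots above are all the same problem: OllyScript reads its script file as single-byte text, so a UTF-16 file (Notepad's "Unicode") breaks the parser and an ANSI save on a non-Chinese Windows turns the GBK comments into ???. The Python below is an added example, not code from the thread or from OllyScript. It assumes the script was written in GBK (cp936), tries BOM-marked UTF-8/UTF-16 first, and replaces every non-ASCII run in comments and msg strings with an assumed placeholder string so the file loads under any OllyDbg locale; the sample inputs used to exercise it are constructed.

```python
"""Normalise an OllyScript (.osc) file to plain ASCII bytes before loading it in OllyDbg.

Added example, not code from the thread or from OllyScript. OllyScript 0.92
reads the script as single-byte text: a UTF-16 file breaks the parser and a
UTF-8 file shows the Chinese comments as mojibake. Assumptions: the script was
written in GBK (cp936), and dropping the non-ASCII text is acceptable because
it only appears in comments and msg strings.
"""
import codecs
import re
import sys

# BOM-marked encodings are checked first; the fallback order is an assumption.
_BOMS = (
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
)
_FALLBACKS = ("ascii", "utf-8", "gbk")
PLACEHOLDER = "[non-ASCII text removed]"   # assumed placeholder, not an OllyScript convention

_NON_ASCII = re.compile(r"[^\x00-\x7f]+")


def detect_and_decode(raw):
    """Return (encoding, text). Tries BOMs, then ascii, utf-8, gbk, then latin-1 as a last resort."""
    for bom, name in _BOMS:
        if raw.startswith(bom):
            return name, raw[len(bom):].decode(name)
    for name in _FALLBACKS:
        try:
            return name, raw.decode(name)
        except UnicodeDecodeError:
            continue
    return "latin-1", raw.decode("latin-1")   # never fails, but is a guess


def strip_non_ascii(text, placeholder=PLACEHOLDER):
    """Replace each run of non-ASCII characters (comments, msg strings) with the placeholder."""
    return _NON_ASCII.sub(placeholder, text)


def to_ollyscript_ascii(raw):
    """Bytes that OllyScript can read on any locale: ASCII only, CRLF line endings."""
    _encoding, text = detect_and_decode(raw)
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    text = strip_non_ascii(text)
    return text.replace("\n", "\r\n").encode("ascii")


if __name__ == "__main__":
    # usage: python osc_ascii.py in.osc out.osc
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    encoding, _ = detect_and_decode(data)
    with open(sys.argv[2], "wb") as f:
        f.write(to_ollyscript_ascii(data))
    print("decoded as", encoding)
```

The script logic is untouched because OllyScript syntax is pure ASCII; only commentary is lost, and the placeholder shows where a comment used to be so you know which lines to look up in a translated copy.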
#2  SLV, 10-08-2006, 22:24 (Join Date: May 2005, Posts: 62)
"yoda's cryptor 1.x / modified" means a group of protectors which are based on the source code of yC. => A universal OllyScript can't be available... So try to MUP it...
#3  Fade, 10-09-2006, 00:18
There is a tutorial for unpacking versions 1.0 and 1.1 of yoda's crypter on his website http://y0da.cjb.net/. I could try those, but they might not work. Maybe I should have a look at several different tutorials for different versions and see if they have anything in common which may help.
#4  giga, 10-09-2006, 01:13
Fade, it's probably best if you can upload your target to rapidshare.de or something like this, and I will try to make a small tutorial for you, but make sure your target is not very big.

Best regards.
#5  Fade, 10-09-2006, 04:13
Quote:
Originally Posted by giga
Fade, it's probably best if you can upload your target to rapidshare.de or something like this, and I will try to make a small tutorial for you, but make sure your target is not very big.

Best regards.

The problem is that the file is malware, which I am trying to take a closer look at. If you still want the EXE I will upload it, but I just wanted to let you know first.

Also, while looking for a MUP tutorial, I found a couple more scripts, but they are no good to me. I'll put them here though in case they help anybody else in future.

Code:
// Mr.David yoda's Crypter V1.2 OEP and Patch IAT  v0.1
// This script will quickly put you at the OEP of a yoda's Crypter V1.2 EXE.
// Just run it!

msg "First set OllyDbg's exception options so that all exceptions are ignored, then run this script from the menu"
pause

dbh                   // hide the debugger

var cbase
gmi eip,CODEBASE      // start of the module's code section, from the PE header
mov cbase,$RESULT
log cbase             // written to OllyDbg's log window

var csize             // size of that section; both values feed the memory breakpoint below
gmi eip,CODESIZE
mov csize,$RESULT
log csize

var addr1
var addr2

gpa "CloseHandle","kernel32.dll"
mov addr1,$RESULT     // API breakpoint on CloseHandle
bp addr1
run

bc addr1              // clear the breakpoint
rtu                   // return to user code (Alt+F9)

findop eip,#8932#     // find MOV [EDX],ESI: the write into the IAT
mov addr1,$RESULT
bphws addr1,"x"       // hardware breakpoint on execute
run
repl eip,#8932#,#8902#,10   // patch to MOV [EDX],EAX so the real API address is written (IAT fix)
bphwc addr1

findop eip,#33C3#     // find XOR EAX,EBX; not present in VB targets
cmp $RESULT,0
je lblabel1
mov addr2,$RESULT
bphws addr2,"x"
run

repl eip,#33C3#,#33C0#,10   // patch to XOR EAX,EAX
bphwc addr2

esto

findop eip,#33DB#     // XOR EBX,EBX: decides which exception path this build takes
cmp $RESULT,0
je lblabel2

esto
bprm cbase,csize      // memory breakpoint on the code section: trips when the stub jumps to the OEP
esto
bpmc                  // clear the memory breakpoint

cmt eip,"OEP Or Next Shell To Get,Please dumped it,Enjoy!"   // path when all of yC's anti options were selected

ret

lblabel2:
bprm cbase,csize
esto
bpmc

cmt eip,"OEP Or Next Shell To Get,Please dumped it,Enjoy!"   // path when the SoftICE check was not selected; with other combinations of anti options the script is only known to work for the default options

ret

lblabel1:             // VB targets
esto
bprm cbase,csize
esto
bpmc

cmt eip,"VBOEP Or Next Shell To Get,Please dumped it,Enjoy!"

ret
Code:
//////////////////////////////////////////////////
//  FileName    :  yoda's cryptor V1.2-V1.3.osc
//  Comment     :  yoda's cryptor V1.2/V1.3 UnPacK
//  Environment :  WinXP SP2,OllyDbg V1.10,OllyScript V0.92
//  Author      :  fly
//  WebSite     :  http://www.unpack.cn
//  Date        :  2005-10-05 18:00
//////////////////////////////////////////////////
#log

dbh                   // hide the debugger
var T0
var T1
var T2
var T3

//GetProcAddress ------------------------------------------------------------

gpa "GetProcAddress", "KERNEL32.dll"
eob GetProcAddress    // on any breakpoint, continue at the GetProcAddress label
bp $RESULT

esto
GoOn0:
esto

GetProcAddress:
cmp eip,$RESULT       // keep going until the break really is at GetProcAddress
jne GoOn0
bc $RESULT
rtu                   // return to user code (Alt+F9)


//yC Some Modified Version --------------------------------------------------

/*
004042E6    FFD1            call ecx  ; kernel32.GetCurrentThread
004042E8    6A 00           push 0    ; ThreadInformationLength
004042EA    6A 00           push 0    ; ThreadInformation
004042EC    6A 11           push 11   ; 0x11 = ThreadHideFromDebugger
004042EE    50              push eax  ; thread handle
004042EF    FFD7            call edi  ; ntdll.ZwSetInformationThread
*/

find eip, #FFD16A006A006A1150FFD78CC932C9E302#
cmp $RESULT, 0
je 7ror
mov T3,$RESULT
mov [T3],#FFD16A016A006A1150FFD78CC932C99090#   // push 1 as the length so the call fails, and jecxz -> nop nop
log $RESULT
//Pass ZwSetInformationThread


//OepRVA ---------------------------------------------------------------------

7ror:
find eip, #C1CB07#    // ROR EBX,7: when this breaks, EBX holds the OEP
cmp $RESULT, 0
je NoFind
mov T0,$RESULT
eob Break0
bp T0
log T0

esto
GoOn1:
esto

Break0:
cmp eip,$RESULT
jne GoOn1
cmp T3, 0
je OepRVA
mov [T3],#FFD16A006A006A1150FFD78CC932C9E302#   // restore the original bytes

OepRVA:
bc T0
mov T1,ebx
log ebx


//Fixed Import Table ---------------------------------------------------------

find eip, #89322BC683E805#    // MOV [EDX],ESI / SUB EAX,ESI / SUB EAX,5
cmp $RESULT, 0
log $RESULT
je NoFind

mov T2,$RESULT
log T2
asm T2,"MOV DWORD PTR [EDX],EAX"   // write the real API address into the IAT
//Fixed Importing Function


find eip, #740261C3#    // JE +2 / POPAD / RET: end of the stub
cmp $RESULT, 0
je NoFind

eob Break1
bp $RESULT
esto
GoOn2:
esto

Break1:
cmp eip,$RESULT
jne GoOn2
bc $RESULT
asm T2,"MOV DWORD PTR [EDX],ESI"
//Revert Code


//GetOep ---------------------------------------------------------------------

eob Break2
bphws T1,"x"          // hardware breakpoint on execute at the OEP

esto
GoOn3:
esto

Break2:
cmp eip,T1
jne GoOn3
bphwc T1


//GameOver -------------------------------------------------------------------

log eip
cmt eip, "This is the OEP! Found By: fly"
MSG "Just : OEP !  Dump and Fix IAT.  Good Luck  "
ret

NoFind:
MSG "Error! Maybe It's not yoda's cryptor V1.2/V1.3 ! "
ret
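All three scripts in this thread locate the yC stub by byte patterns (findop/find) and then patch it in memory. Before single-stepping a sample it is worth checking statically whether those patterns exist at all and in which section; when they are absent the scripts run to their ret without touching anything, which is one possible reason a script looks like it "did nothing". The Python below is an added example, not code from the thread or from yC. It parses the PE section table with struct (no third-party PE library), scans each section's raw data for the longer signatures from the scripts (the two-byte ones such as 8932 and 33C3 are deliberately left out, since statically they match all over a binary), and documents what fly's ZwSetInformationThread patch does. The build_sample_pe helper, the .yC section name and the stub bytes in the test are constructed data.

```python
"""Static scan of a PE file for the yoda's cryptor stub patterns that the
OllyScripts in this thread search for at run time (findop/find).

Added example, not code from the thread or from yC. Knowing up front whether
the patterns exist, and in which section, tells you whether a given script
can work on a sample before you debug it. build_sample_pe() produces
constructed test data only.
"""
import struct

# Byte patterns taken from the scripts above. Two-byte ones (8932, 33C3, 33DB)
# are omitted: statically they match everywhere; the scripts only get away
# with them because they search forward from EIP inside the running stub.
SIGNATURES = {
    "ror ebx,7 (OEP decode, fly's C1CB07)": bytes.fromhex("C1CB07"),
    "mov [edx],esi; sub eax,esi; sub eax,5 (IAT write loop)": bytes.fromhex("89322BC683E805"),
    "je +2; popad; ret (end of stub)": bytes.fromhex("740261C3"),
    # call ecx (GetCurrentThread); push 0; push 0; push 11; push eax; call edi (ZwSetInformationThread)
    # 0x11 is ThreadHideFromDebugger: once set, the debugger gets no more events from that thread.
    "ZwSetInformationThread(ThreadHideFromDebugger)": bytes.fromhex("FFD16A006A006A1150FFD78CC932C9E302"),
}

# fly's patch for the last pattern: the first `push 0` (ThreadInformationLength)
# becomes `push 1`, so the kernel rejects the call with STATUS_INFO_LENGTH_MISMATCH
# (that class requires length 0) and the thread stays visible; the trailing
# `jecxz +2` becomes two nops. fly's script restores the original bytes later.
HIDE_PATCH = bytes.fromhex("FFD16A016A006A1150FFD78CC932C99090")


def parse_sections(pe):
    """Yield (name, virtual_address, raw_offset, raw_size) from the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size            # section headers follow the optional header
    for i in range(nsect):
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("latin-1"), va, raw_ptr, raw_size


def scan_signatures(pe):
    """Return [(section, rva, label)] for every occurrence of every signature."""
    hits = []
    for name, va, raw_ptr, raw_size in parse_sections(pe):
        data = pe[raw_ptr:raw_ptr + raw_size]
        for label, sig in SIGNATURES.items():
            start = 0
            while (idx := data.find(sig, start)) != -1:
                hits.append((name, va + idx, label))   # RVA = section VA + offset in section
                start = idx + 1
    return hits


def build_sample_pe(section_data, section_name=b".yC", va=0x1000):
    """Constructed minimal 32-bit PE with one section holding section_data (test data only)."""
    e_lfanew, opt_size, raw_ptr = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)   # i386, 1 section
    section = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"), len(section_data), va,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)   # code|exec|read
    header = dos + b"PE\0\0" + coff + b"\0" * opt_size + section
    return header.ljust(raw_ptr, b"\0") + section_data


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for section, rva, label in scan_signatures(f.read()):
            print(f"{section:8s} RVA 0x{rva:08X}  {label}")
```

Run it against the packed sample before choosing a script: a hit for the ROR EBX,7 and IAT-loop patterns says fly's V1.2/V1.3 script has something to work with, while no hits at all means the stub was rebuilt and SLV's advice (manual unpack) applies.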
#6  giga, 10-09-2006, 04:40
Fade, OK, I will explain how easily you can unpack yoda's cryptor v1.3, but I think this way you can also unpack v1.x.
(First you need to disable all exceptions in OllyDbg.) Then open your target and hit F9; after this you will probably have something like this:

ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL
ADD BYTE PTR DS:[EAX],AL

If you hit F8 it will look like nothing is happening, but hit F8 once, and after this all you need to do is press SHIFT+F9 and you are at the OEP.
Then you need to dump the target and repair the imports, but the imports are probably not corrupted.

Well, that's the easy way to MUP yoda's crypter, but as you named this topic "modified version", maybe the author of the modified version of this protector inserted some features such as new anti-debugging tricks, etc....
But I don't think so, because PEiD shows you that it's a custom version; if you just change the names of the sections you will probably get the same effect with PEiD. But never mind, try my MUP my way (the easy way), and if you don't succeed,
never mind, just upload this malware and I will look.

Regards
#7  Fade, 10-09-2006, 04:48
Quote:
Originally Posted by giga
Fade, OK, I will explain how easily you can unpack yoda's cryptor v1.3, but I think this way you can also unpack v1.x.
(First you need to disable all exceptions in OllyDbg.) Then open your target and hit F9; after this you will probably have something like this:
When you say disable the exceptions, do you mean check all the boxes under the Exceptions tab so that they are all ignored? If I do that and press F9 to run it, won't it run all of the code, not just the decryption routine but everything after the OEP? Which would mean I execute the malicious code :P
#8  giga, 10-09-2006, 04:59
Fade, when I say to disable all exceptions I mean to uncheck all exceptions, not to enable them.
Set your Olly like this:
http://img113.imageshack.us/img113/6249/untitleddb4.png

And then follow this little tutorial I have written,
and don't worry, you will not execute the malicious code.
After you hit F9, F8, SHIFT+F9 you are 90% at the OEP; the other 10% is if the author made it a little more difficult than the previous version, but I don't think so.
But as I say, I repeat: if you don't succeed, send me the target and I will be glad to look at this malicious code.

Regards
#9  Fade, 10-09-2006, 05:29
I hit F9 and it terminates.

I uploaded it: http://rapidshare.de/files/36013371/Here.rar.html
Password is BECAREFUL
#10  giga, 10-09-2006, 06:41
Ah, that's some crap. I don't think this is yoda's crypter, but never mind.
The application is compiled with Borland Delphi.

If you want to get the OEP by hand you can do it the easy way, but first you need to make some settings in Olly. If you have the OllyAdvanced plugin by MaRKuS, turn on all the anti-debugging options just in case (I didn't have time to test).
Then in Olly's debugging options, under Exceptions, ignore memory access violations in KERNEL32,
INT3 breaks, single-step break and memory access violation. Save the changes and open your application.

Now hit F8 and use the ESP trick. If you don't know it: in the right panel (FPU registers)
right-click on ESP and "Follow in Dump", then set a hardware breakpoint on access (dword).
Hit Shift+F9. After this press ALT+M to get the memory map and set a breakpoint on the .code section (breakpoint on access), and hit Shift+F9 again.
If you did this right you are at the OEP; if not, try hitting Shift+F9 a couple of times. On my Olly it works after one.
Then you need to dump the target and fix the imports; for fixing the imports use trace level 1.
That's all.
I'm not stupid enough to test whether this works, but that's the way; you can test it if you want.

And now a little about what this crap can do to you.

These are the links this trojan downloads from:

hxxp://www.ac66.cn/down/rx.exe
hxxp://www.ac66.cn/down/qq.exe
hxxp://www.ac66.cn/down/gezi.exe
hxxp://www.ac66.cn/down/aichong.exe
hxxp://www.ac66.cn/down/mhxy.exe
hxxp://down.136136.net/down/cq.exe

It also touches C:\WINDOWS\system32\drivers\etc\hosts, using
http://down.136136.net/down/host.txt

And it creates the file C:\Program Files\Common Files\update\ubdate.exe
and runs it from the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

I hope you understand me; sorry for my grammatical errors, I am from Serbia
and my English is limited.

Best regards
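giga's indicators above (the download URLs, the hosts-file change, the dropped ubdate.exe and its Run key) are enough for a small triage check on other machines. The Python below is an added example, not code from the thread: it refangs the hxxp URLs to get the download hosts to block, parses a hosts file and flags names sinkholed to loopback or redirected to a public address (the two things a downloaded host.txt is normally used for), and flags Run-key values that launch the dropped executable or anything in its folder. The IOCs are the ones listed in the post; SAMPLE_HOSTS and SAMPLE_RUN are constructed data so the checks run offline.

```python
"""Triage checks for the indicators giga posted: download URLs, hosts-file
tampering and the Run-key persistence of the dropped ubdate.exe.

Added example, not code from the thread. The URLs and paths are the ones
listed in the post; SAMPLE_HOSTS and SAMPLE_RUN are constructed data so the
checks run offline. In real use feed it the victim's
%SystemRoot%\\System32\\drivers\\etc\\hosts and an export of the HKCU Run key.
"""
import ipaddress
import ntpath
import re
from urllib.parse import urlsplit

DOWNLOAD_URLS = [
    "hxxp://www.ac66.cn/down/rx.exe",
    "hxxp://www.ac66.cn/down/qq.exe",
    "hxxp://www.ac66.cn/down/gezi.exe",
    "hxxp://www.ac66.cn/down/aichong.exe",
    "hxxp://www.ac66.cn/down/mhxy.exe",
    "hxxp://down.136136.net/down/cq.exe",
    "hxxp://down.136136.net/down/host.txt",   # the replacement hosts file
]
DROPPED_EXE = r"C:\Program Files\Common Files\update\ubdate.exe"   # "ubdate" imitates "update"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}


def refang(url):
    """hxxp:// -> http:// so the URL can be parsed (and blocked) by normal tooling."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def download_hosts(urls=DOWNLOAD_URLS):
    """Distinct hostnames to block at the proxy or DNS."""
    return sorted({urlsplit(refang(u)).hostname for u in urls})


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for each mapping, ignoring comments."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # malformed line; not this check's concern
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def find_hosts_tampering(text):
    """Flag names sinkholed to loopback (update blocking) or sent to a public address (redirection)."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            if name not in LOCAL_NAMES:
                findings.append((lineno, name, str(ip), "sinkholed to loopback"))
        elif ip.is_global:
            findings.append((lineno, name, str(ip), "redirected to a public address"))
        # private/link-local targets are left alone: common for intranet overrides
    return findings


def command_exe(command):
    """Executable path from a Run-key command line ("quoted path" args | bare path args)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(maxsplit=1)[0] if command else ""


def find_persistence(run_values, dropped=DROPPED_EXE):
    """Return (value_name, exe) for Run entries that launch the dropped file or anything in its folder."""
    target = ntpath.normcase(dropped)
    folder = ntpath.normcase(ntpath.dirname(dropped)) + "\\"
    flagged = []
    for value_name, command in run_values:
        exe = ntpath.normcase(command_exe(command))
        if exe == target or exe.startswith(folder):
            flagged.append((value_name, exe))
    return flagged


SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       liveupdate.av.example       # AV updates blocked
0.0.0.0         download.av.example
61.0.0.1        www.bank.example            # redirected to attacker
10.0.0.5        intranet.corp.example
"""
SAMPLE_RUN = [   # constructed (value name, command) pairs as exported from RUN_KEY
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("update", r'"C:\Program Files\Common Files\update\ubdate.exe" /s'),
]

if __name__ == "__main__":
    print("block:", download_hosts())
    for f in find_hosts_tampering(SAMPLE_HOSTS):
        print("hosts line %d: %s -> %s (%s)" % f)
    for name, exe in find_persistence(SAMPLE_RUN):
        print("Run value %r launches %s" % (name, exe))
```

Private-range targets are deliberately not flagged, since corporate hosts files often override intranet names; if the trojan's host.txt redirected to a private address that would need a separate allowlist check.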
#11  Fade, 10-09-2006, 06:54
Your English is fine, don't worry about it at all. Thank you very much for your work on this. I only knew about the hosts file being changed and the mutex it creates, because I checked it with Norman Sandbox, but I didn't know about the EXEs. I thought it was Delphi because antiviruses detect this as Delf, which is what they normally tag Delphi malware as.

Thank you again, you did a great job.

How did you know how to do what you did, though?