|
|
#1
10-07-2006, 06:18
|
|||
|
|||
|
need help unpacking yoda's cryptor 1.x / modified
I have a file which I need to unpack, with the latest PEiD it is recognised as "yoda's cryptor 1.x / modified". Using google I found the script below.
Code:
// Mr.David yoda's cryptor 1.x modified OEP and Patch IAT v0.1b
// This script will quickly put you at the OEP of an yoda's cryptor 1.x modified EXE.
// Just run it!
msg "������OD�쳣���ó����ڴ��쳣��ȫ�����ԣ�Ȼ��Ӳ˵����������нű�"
pause
dbh //���ص�����
var addr
sto
mov addr,esp //ESP����
bphws addr,"r"
var addr1
var addr2
gpa "CloseHandle","kernel32.dll"
mov addr1,$RESULT //�ݾ� API�ϵ�CloseHandle
bp addr1
run
bc addr1 //Clear break point //ȡ���ϵ�
rtu //Alt+F9
findop eip,#8932# //����ָ��
mov addr1,$RESULT
bphws addr1,"x"
run
repl eip, #8932#, #8902#, 10 //�в��β�����ǿ��
BPHWC addr1
findop eip,#33C3# //����ָ��
mov addr2,$RESULT
bphws addr2,"x"
run //����
repl eip, #33c3#, #33c0#, 10 //�в��β�����ǿ��
BPHWC addr2
esto
esto
findop eip,#33DB# //����ָ�� //�жϻ�ʣ�����쳣������·�� ����û�����ǣ�Yoda�Ŀǵ�����·�ߺ�ԭ���ֲ�ͬ! ����������
cmp $RESULT, 0
je lblabel2
esto
esto
esto
run
sto
sto
sto
sto
bphwc addr
cmt eip,"OEP1 Or Next Shell To Get,Please dumped it,Enjoy!" //Yodaȫ��Antiѡ��·��
ret
lblabel2:
esto
esto
run
sto
sto
sto
sto
bphwc addr
cmt eip,"OEP2 Or Next Shell To Get,Please dumped it,Enjoy!" //ûѡ���Softice���쳣��һ�Σ������ʲôAntiѡ���ѡ����ô�ű�����ȷ���У�������ǧ��ʦ��ǧ�������ű�ֻ���ǶԿ�Ĭ��ѡ����ȷִ�еġ�
ret
http://img417.imageshack.us/img417/4434/ansiivh7.png If I save it as unicode or unicode big endian, when I run the script in Olly I get a message like this. http://img176.imageshack.us/img176/8739/unicodeerrorvi5.png And if I save the script as UTF-8, this is what I see when I run it. http://img117.imageshack.us/img117/3878/utf8ey7.png I guess that doesn't really matter though, at least the script seems to run when it is saved as ANSII, I just wont be able to see the chinese text. And I don't speak chinese anyway, so does it really matter? So I am curious, what happens when I run this script. It doesn't look like anything happened :P Thanks 
|
|
|
Threaded Mode